Center for Democracy and Technology
Working for Democratic Values in a Digital Age
PolicyBeta - Digital Policy in Process

Archive for June, 2009

Tracking the Promise and Progress of Obama’s Cybersecurity Plan

Friday, June 19th, 2009

When the White House released its review and recommendations for the current state of cybersecurity policy, CDT applauded the Administration for showing attentiveness to the concerns of privacy and civil liberties groups by constructing the report in a collaborative and open manner. The level of transparency and knowledge sharing demonstrated in the creation of the report will need to be illustrated in the implementation of these recommendations as well. Now comes the hard part: living up to the hype and honoring the “action items” contained in that report while ensuring that a cybersecurity policy is implemented that keeps the nation safe from threats without jeopardizing the openness of the Internet or the privacy of its citizens.

To help keep the process moving, CDT has created a report tracking the progress of this “cybersecurity to-do list.” The action items outlined in our report were derived from the Administration’s review as well as the President’s remarks on the document. The original document is based on three broad, though essential, themes.

The first of those themes is promoting the value of privacy. As the report notes, protections for individual privacy are essential to reaping the benefits from advancements in information technology. The second is that privacy rights must be clearly defined and enumerated. Clear, detailed policies are needed, as privacy rights are extremely vulnerable to advances in technology. The last is making sure that any plan aimed at protecting privacy rights is the product of a coordinated effort between the technology side and the policy side.

Using the report we released today as a benchmark, CDT will continue to push the Administration to honor the pledges made in that report and to maintain the same openness and attention to privacy concerns as were shown during the information gathering phase of the report.

The Dawn of the Location-Enabled Web

Friday, June 19th, 2009

There’s been a lot of buzz over the last few days about the new iPhone 3.0 software that was released this week. You might have seen reviews of a new service offered as part of the update called Find my iPhone, which shows you your iPhone’s location on an online map should you misplace it. But while Find my iPhone may be getting all of the location buzz, the new iPhone software includes another feature which, I think, will ultimately prove to be much more significant for location – and for location privacy.

With the release of the new software, the latest version of the Safari web browser running on the iPhone will be location-enabled. This means that any Web site can ask Safari for the user’s location, and Safari can provide it by using the location positioning technologies built into the phone (including GPS, among others). Apple has implemented a simple interface (based on a draft of a W3C standard) that Web sites can use to request location.

Location-savvy users will realize that Safari isn’t the first browser to make the location-enabled leap. Google has been providing this capability in Google Chrome, the Android browser and Google Gears for months; the current beta version of Firefox is location-enabled; and Opera has released a location-enabled version of its browser. Even before the browsers jumped into the game, Web sites have for years been using reverse-IP address lookups to obtain the approximate locations (think city-level precision) of Web users. But with 40 million iPhone users, Apple’s foray into geolocation marks the true beginning of an era when pinpointing many Internet users on a map – with the precision of a few meters, not a few miles – goes from complicated and onerous to simple and fast.  This won’t work for all users, but 40 million is a pretty significant start.

What does this mean for privacy, you ask?  It’s CDT’s belief that location information should only be used on individual Internet users’ own terms. Individuals should get to decide with whom they share their location, what that information is used for, whether or not it gets shared, and how long it’s retained. Location-enabled technologies – including Web browsers – should be designed with privacy in mind from the beginning and with built-in user controls to allow individuals to manage their location data as it’s collected. CDT has been working for years to incorporate some of these concepts into technical standards, originally in the IETF’s Geopriv working group and more recently within the W3C Geolocation working group, which created the draft standard that Apple, Google, Mozilla and Opera are all using.


Get Ready for PrivacyCampDC!

Thursday, June 18th, 2009

This Saturday, June 20th in Washington, DC is PrivacyCampDC, an opportunity for researchers, developers, practitioners, citizens and other enthusiasts to connect, collaborate and share knowledge with a particular focus on electronic privacy and government policy.

When:  Saturday, June 20th, 2009 from 8am to 5pm (the weekend prior to the Department of Homeland Security’s Government 2.0: Privacy and Best Practices conference).
Where: Center for American Progress Action Fund, 1333 H Street, NW, DC 20005
Metro access: Metro Center
Happy Hour: 5:45pm at Le Bar (Sofitel), 806 15th Street NW, Washington DC 20005, USA | (202) 730-8700


Ari Schwartz Talks Privacy Act Updates

Thursday, June 18th, 2009

Ari Schwartz recently spoke with Information Security Media Group’s Eric Chabrow about updates needed to the federal Privacy Act and how Internet users can get involved in the discussion by visiting www.eprivacyact.org and making their own edits to the legislation.

The interview is available in streaming audio online, which you can listen to here. Enjoy!

PASS ID Act Offers REAL Reforms

Monday, June 15th, 2009

Today legislation was introduced in Congress to provide a much-needed overhaul of the REAL ID program by Senators Akaka (D-HI), Baucus (D-MT), Carper (D-DE), Tester (D-MT), and Voinovich (R-OH). The new bill is known as the Providing for Additional Security in States’ Identification (PASS ID) Act of 2009.

Since its inception in 2005, REAL ID has long been a pariah among the states and civil rights/civil liberties groups alike. At last count this year, thirteen states have passed legislation prohibiting REAL ID implementation, and another ten have passed resolutions denouncing REAL ID’s approach. CDT has repeatedly pointed out at every step of REAL ID’s development the serious risks to privacy and security the program creates.

Who’s on First?

Friday, June 12th, 2009

There’s a lot of talk in the online privacy world about first parties and third parties. Generally speaking, when you surf to abc.com, that site is considered to be a first party during the time that you’re on the site. If abc.com contains ads, content, scripts, or other stuff being delivered by xyz.com, then xyz.com is considered a third party.

The distinction matters because privacy norms and rules usually apply differently for first parties than for third parties. Consumers are likely to have relationships with first parties, or at the very least they know that when they visit abc.com, they’re interacting with abc.com. That’s not always so clear for third parties – consumers may have no idea which third parties are active on a particular site.

Because of this difference, first parties don’t always have the same privacy obligations as third parties. For example, the guidelines for behavioral advertising self-regulation that the FTC put out earlier this year apply only to third-party behavioral advertising, not to first parties doing the same thing.

Personal Health Records: Who Are You Going to Trust?

Friday, June 12th, 2009

Personal health records (PHRs) have the potential to move our health care system toward a more patient-centered model by enabling individuals to store and share copies of their health information. However, many consumers hesitate to use PHRs because of privacy concerns. These concerns are justified by the uncertainty that characterizes our current system: there are no consistent rules protecting PHRs, and there are arguably no national privacy and security standards governing PHRs provided by entities outside the coverage of the Health Insurance Portability and Accountability Act (HIPAA).

When doctors, hospitals, and health insurers (or their business associates) offer PHRs, the HIPAA Privacy Rule applies. When independent entities provide PHRs—like many of the ones available online—no substantive standards apply except that a company must comply with whatever privacy policy it creates or risk Federal Trade Commission (FTC) action. Unsurprisingly, a 2007 study commissioned by the Department of Health and Human Services (HHS) found many PHR privacy policies lacking.

A seemingly intuitive solution to the problem is to apply the HIPAA Privacy Rule to all PHRs. However, HIPAA was drafted to address the privacy issues raised by traditional health records, not consumer-oriented PHRs. The broad application of HIPAA could actually make personal health information less safe due to two major deficiencies.

Email Privacy Rights, Electronic Search and Seizure Before Court

Wednesday, June 10th, 2009

CDT recently signed on to an amicus brief being spearheaded by Electronic Frontier Foundation in the second round of United States v. Warshak, a case that could have major ramifications for email privacy rights and electronic search and seizure processes. The court is deciding whether the government can evade probable cause standards through the use of mandatory data preservation requests.

The Electronic Communications Privacy Act permits the government to require an ISP to “preserve” communications in its possession pending issuance of a court order or other legal process. To require preservation, the government has to prove nothing and it need not involve a court. It just has to ask the provider to hold onto the communications.

But, under ECPA, if the government wants access to emails not yet in the possession of a provider – communications that haven’t yet occurred – it has to get a court order under the Wiretap Act and has to prove it has probable cause of crime, and then some. In this case, the government got a “back-door wiretap” by asking the ISP to “preserve” communications it hadn’t yet received. The government followed up that request much later with a subpoena, then a court order issued under a lesser standard, for the email it sought. In other words, it circumvented the requirement that it prove to a judge it has probable cause.

The lower court ruled that this is OK. If the Sixth Circuit court agrees, it would give the government a road map for collecting up email without having to prove strong evidence of criminal activity to a judge.

Internet users can clearly expect their email to be private, but the government argues that emails stored on a webmail provider or an ISP are not protected under the Fourth Amendment. CDT has long advocated for an update in the laws governing government access to communications and if the court does not make it clear that back door wiretaps are not permitted, then Congress will need to step in.

Gotta Know When to Fold ‘Em

Wednesday, June 10th, 2009

In a win for free speech and openness online, the Minnesota Department of Public Safety has come to its senses and dropped its campaign to force ISPs in the state to block access to overseas gambling sites. The letter rescinding the earlier demand cited a lawsuit challenging the demand’s legality, filed by the Interactive Media and Gaming Association.

The lawsuit, in which CDT believes iMEGA would likely have prevailed, has been dismissed. As CDT wrote last month, officials had misinterpreted a federal statute in concluding that they had the authority to force the ISPs to filter the gambling sites from their Internet offerings, and that such demands raise serious constitutional concerns. While a spokesman insists that Minnesota has not “folded its hand,” the decision to drop the matter suggests a recognition that the effort would not have held up in court.

We at CDT applaud this reversal; it should serve as a cautionary tale for other government authorities that try to muscle up on ISPs using tenuous legal arguments. We hope the South Carolina Attorney General is paying attention to the lesson learned in Minnesota as he considers the wisdom of his crusade against Craigslist.

Buy a Computer, Get a Firewall… and More?

Monday, June 8th, 2009

The Chinese government has quietly mandated that any personal computer sold in the country be pre-installed with government-approved software that blocks access to a government-created black list of “harmful” sites.

The alleged intent of such a move is to protect children and provide them with a safer online environment. The question of how to do that effectively and not trample on Internet freedom is a difficult issue that is being debated every day in countries around the world.

But it strains credulity to believe that the latest effort of the Chinese government is anything more than an effort to further choke off access to information and free expression. Savvy Internet users in China are increasingly finding ways to circumvent the Great Firewall, and government mandates to censor content on chat rooms, blogs and search engines are hardly airtight. Now the government is adding the software mandate to bring censorship directly to the desktop.

About the Blog

    PolicyBeta is a forum for CDT experts to discuss news and developments in the technology policy arena. Visitors are encouraged to comment on the blog or email the authors.

    Our goal with PolicyBeta is to foster thoughtful discussion regarding technology policy as it relates to civil liberties and democratic values. While we encourage comments, we must insist that they be focused, relevant and written in a tone that is respectful of other posters. For more information, please feel free to contact PolicyBeta editor Brock Meeks.

    Check the main CDT site for complete, up-to-date information on CDT initiatives and activities.
