Over the past several years, there has been a debate internationally about who “governs� the Internet. The debate has at various times displayed a deep confusion about what Internet governance is. Too much of the debate has focused on the Internet Corporation for Assigned Names and Numbers (ICANN), which has responsibility for only a very small portion of Internet governance. Too little has focused on the policies of national governments, which hold many of the keys to Internet success or failure in their national policies on innovation, competition and the trust environment.

A UN-sponsored gathering called the Internet Governance Forum has helped channel the debate in a positive direction. In the broadest sense, the IGF is a yearly meeting, which has taken place 3 times since 2006. The most recent, in Hyderabad, India in December 2008, attracted 1280 participants from 94 countries. The IGF is due to meet again this November in Egypt.

Yesterday, CDT filed comments as the IGF considers its future. We said that, overall, the IGF has been remarkably successful. In particular, the IGF has raised awareness of Internet governance among a broad range of stakeholders – awareness as to what Internet governance is, how the Internet has been “governed� from its inception by a wide range of bodies and institutions (governmental, intergovernmental and non-governmental), and how participation in those governance bodies can be expanded to reflect the interests and needs of non-governmental stakeholders and stakeholders from developing countries.
(more…)

Recently, I attended the Personal Democracy Forum in New York City and, it being New York, I took a lot of cabs. While distances and speeds of trips varied, the one constant was each cab having a television monitor in the backseat, which in addition to displaying news and city information ran a constant carousel of product advertisements. After taking three separate trips that involved me seeing the same product advertisement for a men’s suit sale in all three cabs (after all, I was dressed in business attire) I began to wonder if this could be chalked up to coincidence or just another day in the era of digital signage. I asked myself: “Do these ads have eyes?”

As noted by CDT’s Harley Geiger in a recent op-ed for CBS, today’s marketers are creating signs that can display targeted ads based on information extracted from hidden facial-recognition cameras. While marketing and advertising companies tout the desire to constantly create the most unique experience possible for a viewer, this type of technology is growing and begs the question “What are you doing with my face after I’ve already seen the ad?” Or more correctly, the digital image of my face. Concerns surround how long this information is stored and what is done with it after ads are targeted and aired.
(more…)

In March of this year, a Belgian court entered judgment in a criminal case against Yahoo! and fined the company for refusing to hand over user data to Belgian law enforcement authorities under Belgian law.

The catch? Yahoo! has no subsidiary, employees or localized website in Belgium. The request — sent via email by a Belgian prosecutor to Yahoo!’s U.S. offices — was for user data held in the U.S. and associated with Yahoo! Mail accounts. Yahoo! Mail users sign up for this service under an agreement governed by U.S. law. The prosecutor did not allege that the specific Mail accounts were actually used by Belgian residents. Instead, the prosecutor’s sole theory for jurisdiction over Yahoo! Inc., and user data held by the company in the U.S., seems to be that Belgian residents can access Yahoo! services through the global Internet.

The court agreed: It found that the availability of Yahoo! Mail to Belgian residents, combined with what it believed to be the use of Mail in connection with criminal purposes within Belgium, was sufficient to find that Yahoo! Inc. has a commercial presence in Belgium. Therefore, Yahoo! was subject to Belgian laws, and thus in violation of a telecommunications statute that compelled disclosure of the requested data.

The implications of this ruling are profound and far-reaching. Following the court’s logic would subject user data associated with any service generally available online to the jurisdiction of all countries. It would also subject all companies that offer services generally available on the global Internet to the laws of all jurisdictions, potentially exposing individual employees to a variety of criminal sanctions.

The U.S. government should be paying close attention here: To understand how problematic this ruling is, we need only imagine how the governments of China, Iran, Vietnam or other repressive regime of your choice may decide that the precedent set here is one well worth following. Such actions undermine Belgium’s moral authority since, after all, it would only be hypocritical for Western democracies to criticize such radically overbroad assertions of jurisdiction by other nations.

In addition, it is important to note that the U.S. and Belgium have a Mutual Legal Assistance Treaty (MLAT) in place, which allows Belgian law enforcement authorities to request production of this user data through diplomatic channels. Belgian authorities have refused to pursue this option, despite outreach from the Department of Justice and Yahoo! to facilitate the process. This disregard for treaty agreements, carefully negotiated between states, undermines such legitimate law enforcement cooperation efforts. If a court in Belgium or any other state is able to assert jurisdiction over user information or U.S. companies and citizens themselves based merely on web presence and availability of a service in that state, then why bother with an MLAT at all?

Companies should be paying close attention here, too: it isn’t difficult to imagine how lax jurisdictional requirements on the global Internet could invite all sorts of abuse. Competitors, governments, or other bad actors could concoct weak legal claims under local law to get a hold of proprietary information or trade secrets; nothing seems to limit this possibility under the Belgian prosecutor’s theory.

Yahoo! has caught a lot of flak over the past few years about how the company and its affiliates should protect user data when a government demands it. Importantly, this firestorm of public criticism has pushed Yahoo! to think about corporate responsibility more critically, particularly in markets where rule of law is weak and suppression of dissent online is common: what responsibility do Internet companies owe to their users, whose human rights and basic freedoms may be put at risk if user data is handed over to authorities? In response, Yahoo! has committed to implementing certain policies about how it responds to government requests, including a requirement that requests must come through appropriate and official channels.

In the present case, Yahoo! has done right by its users. The company asked law enforcement officials to follow established diplomatic and legal processes in order to gain access to user information. It also enlisted the support of its home government to facilitate the process. In return, Belgian authorities have flouted an existing MLAT agreement, slapped Yahoo! with a fine, and set a dangerous precedent that potentially imperils the privacy of all Internet users and invites abuse by bad actors.

Yahoo! is currently appealing this decision. Let’s file this one under: no good deed goes unpunished.

A report released today by the Inspectors General of key intelligence agencies shows that the warrantless surveillance program authorized by President Bush was overly secret, its importance overstated, and its product underutilized. While the report reveals new tidbits about the President’s personal involvement in the surveillance activities, it leaves unanswered many questions about the scope of the program, its lawfulness, and whether the surveillance could have been conducted under the Foreign Intelligence Surveillance Act from the outset.

Background for the IGs’ Report
In October 2001, President Bush authorized warrantless surveillance of the communications people in the United States were having with people abroad. Under the program, later dubbed the “Terrorist Surveillance Program,� at least one party to the intercepted communication had to be in the United States and at least one other party had to be abroad, and one of the communicants had to be a member of al-Qaeda or an affiliated terrorist organization. Ever since the program was revealed in December 2005, CDT and others roundly criticized the TSP as unlawful under the Foreign Intelligence Surveillance Act, which requires a court order based on probable cause for surveillance of any person in the U.S. Also in late 2001, the President authorized “Other Intelligence Activities� that even to this day have not been publicly acknowledged. The report released today by the Inspectors General of the Department of Defense, CIA, Department of Justice, National Security Agency and the Office of the Director of National Intelligence covers, and critiques, both surveillance programs, collectively referred to as the “President’s Surveillance Program� or PSP. The report was required by the July 2008 FISA Amendments Act.
(more…)

The Congressional Research Service is a $100 million a year think tank that researches and writes informative and non-partisan reports on topics suggested by members of Congress. The catch–and the reason you might not have read their work–is that CRS reports are only made easily available to members of Congress. Citizens can request these reports from lawmakers, but without a public index, they can’t request something they don’t know exists. The CRS Reports currently rank first on CDT’s Most Wanted Government Documents. In an ongoing effort liberate these documents, CDT runs Open CRS, an online repository of public CRS Reports. To spotlight these reports, I will be writing “CRS Report of the Week” posts and feature a relevant report each week. These reports are informative in both that they serve as excellent primers to political issues and that they offer a degree of insight into what information is circulating around Congress.

The Social Security Number: Legal Developments Affecting Its Collection, Disclosure, and Confidentiality
#RL30318
October 2nd, 2008

It is well known that Social Security Numbers (SSNs) should not be used as authenticators. A new study demonstrating the ease with which SSNs can be predicted serves as further evidence to this fact.  Simply put, SSNs weren’t designed to be authenticators. The problem with SSNs is that they have become both the de facto national identifier and authenticator for private industry.  This is analogous to using your name (an identifier) as your password (an authenticator). Identifiers are simply a reference to who you are and, thus, are often public.  Authenticators, on the other hand, are used to prove identity, and should not be known publicly.  These dual uses of SSNs as identifiers and authenticators has worried identity experts for some time because of this difference in security levels.  The new research steps over those concerns and suggest that SSNs should never be used as authenticators not just because of the risk an individual’s SSN might be disclosed, but because SSNs are predictable based upon publicly available information.  Ultimately, it does not matter how vigilant one is in protecting his or her SSN.  It can easily be discovered.

(more…)

Three weeks ago, the PASS ID Act [S. 1261] was introduced in an effort to move beyond the REAL ID stalemate that has dragged on for over three years. CDT supports PASS ID because it mitigates key privacy flaws in the REAL ID program and is a notable improvement over current law. While the privacy provisions in PASS ID can still be strengthened, the bill incorporates nearly all the privacy requirements that the last Congress’s REAL ID repeal act included [S. 717, 110^th] and was even introduced by the same Senator, Daniel Akaka (D-HI).

Putting aside for a moment the question of whether repeal of REAL ID is a political possibility, it is important to realize that repeal is not necessarily better than REAL ID:

1) Senator Akaka’s repeal act would not have stopped the creation of new licensing standards, it would simply have created a negotiated rulemaking body that would have had to use exactly the same standards that are in his PASS ID Act to help increase privacy;

2) If we could re-write the repeal bill to not incorporate any new standards, it would still not address the problem that state driver’s license programs have already been moving towards greater standardization of design and interoperability of technological features for quite some time with limited privacy and security protections. CDT remains concerned about three main trends happening at the state level:

· States are incorporating machine-readable zones (MRZ) in driver’s licenses and ID cards, without encryption or other protections for the information contained in the zone.

· Because personally identifiable information (PII) contained in the MRZ is unprotected and the technologies interoperable, information in the MRZ can be read, stored, and re-used with few limitations by commercial and governmental entities.

· ID card systems have increasingly centralized back-end information systems containing vast amounts of identity data, vulnerable to theft or internal abuse if not properly protected. States are also turning to private, non-governmental agencies such as AAMVA to manage such systems.

(more…)

Perhaps we finally have the last piece of evidence to help everyone admit that, in regards to the use of social security numbers as an authenticator, the emperor has no clothes.

The National Academy of Science today published a study from Alessandro Acquisti of Carnegie Mellon University demonstrating that Social Security Numbers (SSNs) issued after 1988 can be predicted with relative ease if you have the person’s birth date and place of birth.  It seems that, in 1988, the Social Security Administration (SSA) started issuing the numbers sequentially. Given that fact, Acquisti was able to take death records published by the SSA and identify a possible range of SSNs that were issued to a person on any given birth date. If you are born in a smaller town, the odds are pretty high that Acquisti could get your SSN on the nose.  As this population ages, it will be even easier for anyone to do this.

When I first read Acquisti’s paper, I was mortified by the implications, but thinking about it more it simply confirms what all experts in identity policy have known for a long time — the SSN is a pretty good identifier, but a horrible authenticator.  In other words, the number is good in a case when you have two people named John Smith in making sure that you don’t confuse one for the other, but not good at all in helping you assess that one John Smith is who he says he is (eg, the bank that asks for his SSN when he doesn’t have his bank account number readily available).

The SSN is just not the secret that we’ve been taught it was and, at some point, we are all (in particular, corporate entities) going to have to stop treating it as though it were.

The social and political impact of the Internet is growing at a rapid pace.  After all of the successes credited to President Obama’s social media campaign network in last fall’s election, we still find ourselves at the earliest stages of development of the social layer of the Net.  Still, some are quick to dismiss the activist power of the Internet and still are not convinced that this medium will continue to change the way the world organizes around issues.

Take a piece in today’s Washington Post by Monica Hesse, which commented on the “trendiness� of online activism and discounted these “click to join� groups as nothing more than numbers on a Facebook page.  This completely misses the impact that social networks have had on increasing the awareness of many issues and building communities around these issues.  As we gear up for our nation’s 233rd birthday, we are reminded of how colonists planted seeds of activism and organized against oppressors from abroad.  Instead of Facebook fan pages, they had militiamen; instead of asking others to click a link, they asked them to help gather supplies; instead of Twitter feeds, they used horses to get messages across.  From top to bottom, they created organization that allowed supporters to thrive in any role or level they chose.  The mother who allowed soldiers to sleep in her cabin, was as vital to their success as the soldiers themselves.  It didn’t matter what a supporter of the revolution was doing, their support alone was enough.

Today there are groups on Facebook aimed at gathering supporters for just about any cause.  Just like any other advocacy effort, supporters join for a variety of different reasons.  That’s where the Hesse piece really misses the mark.  The assumption is made that to participate in any activism online, one must be willing to fight hard and organize physical results to be “worthy� of being a supporter.  This claim ignores the power of community building and the very essence of grassroots advocacy.  My support of a specific issue is not measured by how much I donate or how many rallies I attend.   To discount followers of causes on social networks engaging in conduct that is a “trendy and easy virtue� ignores the impact that supporters have on social networks at every level of involvement.  The person simply receiving message updates on the issue is just as vital to the success of the cause as the top-level organizer who sends tasks and ideas to the group’s followers.
(more…)

News stories are reporting that the federal judge in the Lori Drew “MySpace suicide” case has thrown out Ms. Drew’s conviction under the Computer Fraud and Abuse Act.  Although what Ms. Drew did was horrible, we have long thought that her federal indictment was a gross distortion of the law.

The judge will issue a written order soon, and then we will know exactly why the case was tossed out.  But based on comments the judge made a few weeks ago, we are hopeful that the court will broadly reject the government’s effort to criminalize violations of “terms of service.”  We will report back once the opinion comes out.

A couple of weeks ago I wrote about one of the upgrades in the iPhone 3.0 software update that allows the Safari browser on iPhone to be location-enabled. Firefox had previously implented something similar in a beta version of the browser, and now that functionality has been released to the world. Firefox 3.5, released on Wednesday, is fully “location-enabled.�?

What this means is that Web sites can now ask Firefox for your location, and the browser can now deliver it. Initially, Google has signed on as the default “location provider�? for Firefox. As a Firefox user, suppose you pull up a Web site that wants to use your location. Firefox will gather some information about WiFi access points near you and send that information to Google. Because Google maintains a database that maps WiFi access points to actual physical locations, it can use this information to calculate your location. That location gets sent back to your Firefox browser, and the browser forwards it on to the Web site that originally requested it. The accuracy of the location depends on a number of factors, but can be within a handful of meters in densely populated areas.

Firefox and Google have taken a couple of excellent steps to protect the privacy of Firefox users throughout this process. The location information gets transmitted over an encrypted connection so it can’t be sniffed en route between the browser and Google or vice versa. Firefox doesn’t provide Google with any information about the site that made the location request, so Google doesn’t learn anything extra about your browsing habits. Google also de-identifies the information it receives from Firefox two weeks after it’s collected.
(more…)