Center for Democracy and Technology
Working for Democratic Values in a Digital Age
PolicyBeta - Digital Policy in Process

Archive for September, 2009

Mark Lloyd and the Burden of Free Speech

Monday, September 21st, 2009

Mark Lloyd has devoted his long and distinguished public interest life to fighting for media diversity and free speech for all of us. In recognition of his career and expertise, he has been appointed Associate General Counsel at the FCC. Congratulations, Mark, from all of us who served with you on the board of the Center for Democracy & Technology and all of those who have worked with you over the years!

Now Lloyd has been paid another honor: an attack from none other than Glenn Beck, one of our leading media voices of rage and distortion who spends his time 24/7 working to smear anyone associated with progressive policies.

Art Brodsky of Public Knowledge has written a careful deconstruction of Beck’s distorted attack on Lloyd’s character and public record to set the record straight, and it is worth a read for anyone interested in the facts and truth. Unfortunately, we don’t think Beck or his followers are interested… but many will be.

The irony of this episode, however, does deserve mention. Lloyd helped to frame the legal and policy positions that have made cable programming more diverse and the Internet a true zone of free speech, unburdened from the regulatory regime that burdens traditional broadcasting. Lloyd has helped to give broad freedom of speech to everyone, including the Glenn Becks of this world. And this is the reward he gets!

FTC Finalizes Terms of Sears’ Deceptive Practices Settlement

Thursday, September 17th, 2009

The FTC recently announced approval of the terms of a settlement with Sears Holding Corp. (which owns Sears and K-Mart stores) over charges that the company failed to “adequately disclose” that it was collecting personal information using a spyware program secretly installed on consumers’ computers.

Between 2007 and 2008, 15 of every 100 visitors to sears.com or kmart.com were presented with a pop-up window that offered the opportunity to “talk directly to a retailer” and become part of “a place where your voice is heard and your opinion matters, and what you want and need counts!” No mention was made that this “opportunity” also installed detailed tracking software on the user’s computer.

Customers who asked for more information were offered a $10 coupon in exchange for downloading – and keeping on their computer for at least one month – software from Sears or K-Mart that would allow them to become “part of something new, something different[.]” Consumers probably didn’t realize that by “new” and “different,” the advertisement meant “all-seeing” and “invasive.” Indeed, this software monitored both online and offline behavior, peering into online secure sessions and culling information from consumers’ email subject and recipients, online bank statements, drug prescription records, video rental records, and similar histories and accounts.

Customers effectively (and blindly) sold their privacy by agreeing to a lengthy terms of service agreement that showed up at the end of a long registration process. The agreement was presented in a small “scroll box”; consumers could only see ten lines of the policy at a time and not until the 75th line could the user find any description of the invasive tracking.

The FTC found that the software’s function was not fairly represented and that the “failure to disclose these facts…was, and is, a deceptive practice.” As a remedy, the FTC has required that “if Sears advertises or disseminates any tracking software in the future, it must clearly and prominently disclose the types of data the software will monitor, record, or transmit.” Moreover, this disclosure must occur separately from any general terms of service or user license agreement and, if data will be accessed by a third party, must include a notification that data will be available to a third party. The FTC has also required that Sears Holding Management Corporation delete all data collected by the software.

Google Books, Congress, and Orphan Works

Thursday, September 17th, 2009

Testimony by the Register of Copyrights last week expressed concern that the Google Books settlement improperly wades into matters that are the domain of Congress and would impair congressional efforts to enact orphan works legislation.

I certainly agree that the Google Books settlement goes much farther than a typical class action settlement. It uses the class action mechanism to achieve unusually broad goals — in particular, the creation of what amounts to a kind of collective license. In light of that breadth, the settlement warrants the extensive scrutiny it has been getting. And yes, in an ideal world, Congress would take up the matter and provide a generally applicable (rather than Google-specific) path to creating the online equivalent of a comprehensive library.

But it seems odd to characterize the resulting license-like arrangement as “compulsory,” as the Register of Copyrights did in the testimony, when rightsholders remain free to opt out (or, for that matter, to exercise more fine-grained control over what uses Google will or will not be allowed to make of their works). Whatever your view on how appropriate or inappropriate it may be to allow works to be included on an opt-out rather than an opt-in basis, participation is hardly “compulsory” within the normal meaning of that word.

I also see little reason to conclude that the settlement will interfere with Congress’s effort to craft orphan works legislation. The orphan works bill and the Google Books settlement address fundamentally different questions. The orphan works bill addresses the problem of how to enable some use of works whose rightsholders simply cannot be found, even with a diligent search. The Google Books settlement addresses the problem that, for the specific purpose of creating the online equivalent of a comprehensive library, the cost of conducting diligent searches and rights negotiations on a book-by-book basis would very likely be prohibitive. So even if the orphan works bill considered in Congress last year were to pass, it wouldn’t much help Google’s effort to build a comprehensive book search tool. Conversely, even if the Google Books settlement were approved, it wouldn’t much help anyone who wants to make use of a particular work but is unable to locate the rightsholder to seek permission. For true orphans — works whose rightsholders can’t be found — we need orphan works legislation. Nothing in the Google Books settlement precludes Congress from moving ahead on that front. Meanwhile, for out-of-print works — works whose rightsholders often could be found, at the cost of some book-by-book inquiry — we need some arrangement that eases the costs of facilitating large-scale online searchability and access.

Patriot Act Reform Debate Heats Up

Tuesday, September 15th, 2009

In two letters sent to Congress today, the Obama Department of Justice announced its support for reauthorization of three expiring provisions of the 2001 Patriot Act and its willingness to consider civil liberties amendments that do not diminish the effectiveness of the expiring provisions. Its openness to amendments is a good sign, and we look forward to working with Congress and the Administration on inserting checks and balances on surveillance authority.

Unless Congress acts by December 31, the Patriot Act “library records provision” (Section 215), its provision authorizing roving intelligence wiretaps (Section 206), and a provision of a related intelligence law that permits intelligence surveillance of “lone wolves” who have no ties to foreign terrorist organizations, will all expire. The December 31 deadline will likely prompt Congressional action this fall. Both the Senate and House Judiciary Committees have announced Patriot Act hearings this week, and Senators Feingold and Durbin are seeking support for Patriot Act reform legislation they intend to introduce soon.

Apps.gov Release Takes Government into The Cloud

Tuesday, September 15th, 2009

In a much-hyped launch this afternoon, Apps.gov was introduced as a centralized service for federal agencies to obtain cloud-based IT services. These services range from productivity and management applications for internal use to free social media plugins for agency websites. US CIO Vivek Kundra has often noted that taking the government into the cloud was a priority for him for many reasons, among them cost saving and increased security among agencies, as well as furthering interagency collaboration.

Apps.gov is billed as a storefront for cloud services for government agencies. Many of these are apps for internal use only, and the website notes that internal agency users have no expectation of privacy. However, there are some external-facing social media tools that are listed within the Apps.gov catalog, and I hope that they make it clear as they work with these social media sites that user privacy is important. While amended terms of service for the social media tools are included on the site, we’d also like to see the contracts that GSA has entered into with third-party vendors. Of particular interest are details about what types of social media tools will be available to interact with citizens. Apps.gov’s social media section would be an excellent place to put a repository of tips and best practices for user privacy. For example, an example Privacy Impact Assessment for agency use of Facebook could be one of the resources at Apps.gov.

We are excited to see government begin to harness the cloud, and begin to take advantage of centralized services within agencies. Hopefully we’ll see Apps.gov turn into a repository of information on how to use cloud tools internally and with the public as well as serving as a storefront for agencies.

Thoughts on Identity from the Gov 2.0 Summit

Monday, September 14th, 2009

Last week, the federal government announced a pilot project to develop digital identity solutions for federal websites, working with OpenID and Information Cards technologies. This will allow government agencies to authenticate the public (for low and no security uses) and provide personalization and services. Online industry leaders have signed up as identity providers, and will allow citizens to use their existing identity online to interact with the government. Even six years ago, one third of online users logged in to government sites. The proliferation of online services and websites surely means that the identity program is something that agencies will be quick to take advantage of. Using a federated identity solution will allow agencies to stop developing and investing in independent solutions and instead use a plug-and-play system for identity. However, linking identities across the .gov web – let alone with the commercial web – carries new issues to be addressed.

There are 300 million Americans, any number of whom may want to do business with government at any time of the day or night. Often, this may just be looking up an address or printing forms, but many interactions will require some way to identify the citizen who is asking for services from the website.

Last week at the Gov 2.0 Summit, federal CIO Vivek Kundra noted that identity is crucial if government websites are to move beyond “brochureware” and provide services to and interact with the public. Making government websites more interactive and useful is a key component to the Open Government Initiative, and identity is a step towards that goal.

CDT’s Gregory Nojeim Talks Cybersecurity on “Ahead of the Curve”

Friday, September 11th, 2009

Check out CDT’s Gregory Nojeim on ABC News’ “Ahead of the Curve” discussing cybersecurity legislation in Congress. The YouTube clip of this is available here.

HHS’ New Harm Standard for Breach Notification

Friday, September 11th, 2009

In late August, the Dept. of Health and Human Services (HHS) released an interim final rule on health data breach notification. Through the rule, HHS establishes data security standards that HHS believes are strong enough to eliminate the need to notify consumers of a data breach. That is, if a health care entity applies one of these security processes to its data, and then that data is lost or otherwise breached, the entity does not have to inform patients. Some of the rule’s security processes are quite good, such as strong encryption standards. Unfortunately, however, HHS packed an overly broad and unreliable standard in with the good ones: the “harm standard.”

(CDT had issued comments to the HHS rulemaking in May 09. For more information about the interim final rule and CDT’s comments, please see our earlier blog post.)

The American Recovery and Reinvestment Act of 2009 (ARRA) required HHS to issue a rule on breach notification. In its interim final rule, HHS established a harm standard: breach does not occur unless the access, use or disclosure poses “a significant risk of financial, reputational, or other harm to individual.” In the event of a breach, HHS’ rule requires covered entities to perform a risk assessment to determine if the harm standard is met. If they decide that the risk of harm to the individual is not significant, the covered entities never have to tell their patients that their sensitive health information was breached.

The primary purpose for mandatory breach notification is to provide incentives for health care companies to protect data. Breach notification is costly to health care companies, both in financial and reputational terms. Therefore, health care companies naturally seek to avoid this expense. In its interim final rule, HHS gave health care companies the opportunity to avoid notification if the companies protect the data through strong encryption or destruction methodologies.

Digital Signage and Consumer Privacy

Thursday, September 10th, 2009

The digital signage industry is rapidly becoming aware of the privacy issues raised by interactivity and audience measurement techniques. There is, however, no industry-wide consensus about how to address those concerns. Some industry figures agree that privacy guidelines need to be adopted if audience measurement and other digital signage applications are to progress. Others, though, have referred to calls for the industry to be sensitive to privacy as “attacks” and have condemned privacy concerns as a lot of hype over nothing.

(What is digital signage? Please see my earlier post, Digital Wallpaper.)

It is true that no one should blow the privacy issue out of proportion. The industry’s present level of privacy infringement is not especially high because only a small percentage of digital signage units have audience measurement, identification or interactive capabilities. Nonetheless, the privacy issue is real, particularly if one considers the big picture of where digital out-of-home (DOOH) media is headed.

The industry trend is clearly towards greater identification and surveillance capability, not less. It is very likely that DOOH media will one day routinely identify individual consumers for the simple reason that it will be profitable to do so. If that prediction is correct, it puts the digital signage industry on a collision course with consumer privacy. All parties would be best served by setting credible, transparent privacy standards before digital signage becomes a center-stage problem.

About the Blog

    PolicyBeta is a forum for CDT experts to discuss news and developments in the technology policy arena. Visitors are encouraged to comment on the blog or email the authors.

    Our goal with PolicyBeta is to foster thoughtful discussion regarding technology policy as it relates to civil liberties and democratic values. While we encourage comments, we must insist that they be focused, relevant and written in a tone that is respectful of other posters. For more information, please feel free to contact PolicyBeta editor Brock Meeks.

    Check the main CDT site for complete, up-to-date information on CDT initiatives and activities.
