If you haven’t been to www.cdt.org lately, you’ve been missing a lot, as we’ve launched a whole new website! Policy Beta is now integrated with all the work we do at the Center for Democracy & Technology in an effort to help you find more information on the subjects that matter to you.

Just head to the new Policy Beta and see for yourself! This version of Policy Beta will no longer be updated and will soon disappear, so for all the latest news and commentary, head on over.

The revised Google Books settlement submitted for Court approval late on Friday still does very little to protect reader privacy. When the settlement was withdrawn for revisions last month, CDT and other advocates proposed that Google use the opportunity to more fully address the privacy risks we had identified in the original settlement—and effectively take privacy concerns off the table. While the amended settlement does include one positive revision on the privacy front, it appears Google for the most part did not take our advice. Reader privacy remains very much on the table.

As many expected, the revisions narrowly address the copyright and antitrust problems raised by the Department of Justice. The affected class of authors and publishers has been reduced; the pricing structures have been made negotiable; and the dispersal of unclaimed funds has been revised. For more explanation and analysis of these changes, see James Grimmelmann’s blog.
(more…)

CDT is now accepting applications for interns and law clerks for both the spring and summer. Law clerks and interns contribute substantially to CDT’s work by conducting legal and policy research; drafting reports and legal analyses; assisting in the preparation of testimony, presentations, legislation and briefs; and by helping create online and other educational resources. The small size of our organization guarantees close interaction with staff attorneys and policy experts. Law clerks and interns have the opportunity to work on a broad array of issues, including online free expression, electronic surveillance, digital copyright, cybersecurity, Internet governance, and a range of privacy issues from spyware to health privacy to RFID technology to government ID programs.

We encourage students from all majors and degree programs to apply. Applicants should have an interest in Internet and technology policy and/or civil liberties, strong research and writing skills, the ability to take initiative and prioritize responsibilities in a fast-paced office environment, and a solid academic record. Please see our job posting page for application details.

In addition, CDT is pleased to host a Google Policy Fellow, who will join our 2010 summer program. Interested candidates should apply directly with Google here.

Help us keep the Internet open, innovative and free!

I will be speaking on Thursday at the European Commission’s Workshop on the Economic Benefits of Privacy-enhancing Technologies in Brussels. With many calling for a revamping of ideas using metadata to help protect privacy, I felt that it was important to use the occasion to write a short paper entitled “Looking Back at P3P: Lessons for the Future,” which details the successes and failures of P3P (The Platform for Privacy Preferences).

P3P is a standard of the World Wide Web Consortium (W3C), the main standard setting body for the Web. It was created to allow privacy policies to be expressed as machine-readable statements. The history of P3P dates to a period when the privacy debate, in the United States and elsewhere, began to focus on encouraging companies to post human-readable privacy policies. As criticism increased about the complexity of those notices, there was a call to simplify them through standardization. If policies could be narrowed down to the equivalent of a multiple-choice set of options, then they could be made machine-readable.

The theory held considerable promise, if such statements would provide a clear, standardized means of rendering potentially complex privacy policies into a format that could be automatically parsed and instantly acted upon. Consumers could compare policies, enterprising companies or individuals could use P3P to develop more accurate means of rating and blocking sites, and governments could use the policies to instantaneously enforce data privacy laws.
(more…)

Today, CDT and 28 other organizations sent a letter to the White House asking that the Privacy and Civil Liberties Oversight Board (PCLOB) be reconstituted. The 9/11 Commission recommended the creation of PCLOB in order to oversee the protections to civil liberties and privacy within the federal government, but the board has not been active since early last year. The board has a vital role as an independent advisor to the President and executive branch agencies in policy matters around privacy and civil liberties and providing oversight. However, the board has not been active since early 2008.

PCLOB was established in 2004 and had one term, starting in 2006 – but the terms of the members of the board expired in January of last year, and President Obama has not nominated new members to the board. This letter asks President Obama to nominate members to the board quickly. Once members to the board are nominated, they must be confirmed by the Senate, and the office will need to be set up and staff must be hired. All in all, it will take months to reconstitute the board before it can begin advising the President and agencies.

Currently, the federal government lacks independent privacy oversight. Reconstituting PCLOB is one of the ways that privacy and civil liberties can be better protected by the federal government. In fact, the Cybersecurity Policy Review specifically called for PCLOB to be reconstituted, and possibly to expand its purview to include more cybersecurity topics, as an important oversight body. As an existing mechanism to protect privacy and civil liberties, it is an important and relatively simple way to provide oversight and advice for the government.

Last week, I attended the 31st International Conference of Data Protection and Privacy Commissioners in Madrid. Government data privacy officials representing 46 countries were there, as well as hundreds of lawyers, corporate privacy officers and advocates from around the globe.

There were plenary sessions and panels on every possible privacy issue but at the center of much of the discussion were the complex and seemingly unanswerable questions about global data flows in an era of cloud computing: What is the right way to protect privacy in an Internet cloud where data flows don’t respect borders? When consumers from around the world place their data in a social networking site based in the United States, which data protection laws should apply? Who should be accountable for data privacy and security when data is collected by one entity and then stored with cloud providers offering storage, processing and software as a service? When those cloud providers move data from server to server, often in multiple jurisdictions, which data protection rules apply and which country may assert jurisdiction over the data when other substantive legal questions arise?
(more…)

Late Thursday evening, European lawmakers agreed on language in the Telecoms Package that is supposed to safeguard the fundamental rights to freedom of expression and access to information online as governments seek harsher penalties to address IP infringement. France recently approved a graduated response (or “three strikes”) law that would cut off Internet access for repeat copyright infringers. The UK is debating a similar proposal.

Civil liberties advocates first introduced “Amendment 138” in 2008 to protect Internet access as an exercise of the right to freedom of expression in the face of these graduated response proposals. In its original conception, the amendment required member states to provide strong legal and procedural safeguards where states or private parties impose Internet access restrictions for alleged repeat offenders. Few are happy with the final negotiated text, which retreats from this position:

(more…)

CDT and other advocates sent a letter to President Obama today once again urging greater transparency as the US negotiates a new Anti-Counterfeiting Trade Agreement (ACTA). While the administration has permitted some advocates (including my colleague David Sohn) to review the US-authored Internet portion of the current draft under strict non-disclosure rules, such limited access does not allow for full analyses of the agreement and its implications (even by other CDT staff members, much less the broader public interest community). Some leaks have surfaced which suggest that ACTA could require DMCA-style notice-and-takedown and anti-circumvention laws, or even graduated-response obligations on ISPs (see coverage here and here). The fact remains, though, that we don’t know what we don’t know, and a full discussion of whatever obligations ACTA would impose is impossible unless the Obama administration draws back the curtain on the drafting and negotiations. Any proposal that could lead to the denial of people’s Internet access—even if they have violated copyright law—would raise very serious constitutional problems under our First Amendment, and should not be even considered without a broad and open public discussion.

An eye-opening new study out of Fordham Law’s Center on Law and Information Privacy finds that state educational databases are lacking when it comes to protecting the personal information of K-12 children. Some states hand off the storage of this information to outside firms and do so without any restrictions on use or confidentiality for the children’s information, the study found.

The information on children collected in these electronic data warehouses includes matters related to teen pregnancies, mental health and juvenile crime; the report says that this information is often stored in a manner that “violates federal privacy mandates,” the study says.

From the report’s summary:

“Some striking examples are that at least 32% of the states warehouse children’s social security numbers, at least 22% of the states record children’s pregnancies, at least 46% of the states track mental health, illness, and jail sentences as part of the children’s educational records, and almost all states with known programs collect family wealth indicators.”

The study isn’t all finger pointing, it also outlines several critical recommendations to help increase the privacy, transparency and accountability of these databases. The study comes just as Congress is considering expanding and integrating the data collection process among the 43 states that currently collect this type of information on K-12 children.

CDT’s Sheel Pandya, Policy Counsel for the Health Privacy Project wrote a guest blog post on American Constitution Society’s blog discussing a comprehensive privacy and security framework as the key to health IT’s success. The passage of the American Recovery and Reinvestment Act of 2009 (ARRA) in February has helped shine a brighter spotlight on health IT especially within the overall health care reform debate. The post talks about what is needed to see the marriage of health technology and health policy work to the greatest extent while protecting patient privacy. Check it out and leave your feedback.