Center for Democracy and Technology
Working for Democratic Values in a Digital Age
PolicyBeta - Digital Policy in Process

Archive for the 'CDT' Category

Debating Watermarking and Privacy

Monday, June 9th, 2008

CDT’s recent paper on digital watermarks and privacy got some positive reviews here and here; however, it also prompted criticism from Timothy Lee on ars technica. Lee argues that the paper “misses the point” because it does not come out and say that individualized watermarks — watermarks that correspond to individual users, devices, or transactions — pose an “inherent threat to privacy” and should be avoided.

Certainly it is true that the simplest way for a company to steer clear of privacy issues is to refrain from using individualized watermarks in the first place. If a company would rather avoid the effort and hassle of working through the list of our proposed privacy principles, it can limit itself to what the paper terms “generic” watermarks — watermarks that are not specific to individual copies of the content. (The same point applies to other areas where CDT has worked on privacy best practices; for example, if you don’t want to wrestle with the privacy questions relating to RFID, you can always avoid the technology altogether.)
(more…)

From Transition to Transition

Thursday, June 5th, 2008

Political affiliation and rhetoric aside, there is an undeniable excitement underlying this election cycle. The political process has finally found the alchemy of the Internet that has eluded all previous attempts and found a way to draw in voters.

The Internet is largely responsible for putting a sense of empowerment for people back into the political process and that comes not from just being an active part of the whole process but from a sense of being able to drive it, mold it, and actually impact the end game. That’s heady stuff for what has been an apathetic electorate.

We often take the Internet for granted. In a short time, it has become a powerful engine for innovation, economic growth and democratization. The Internet has changed the way we “do” politics. Ordinary Americans are making their voices heard and organizing online. Political candidates are building networks of supporters, raising unprecedented funds from small donors, and educating the public on their policies and visions.

That’s why it’s vital that our political leaders and lawmakers pay attention to the challenges—both domestic and international—confronting the Internet today.
(more…)

Does Phorm Fit?

Friday, May 30th, 2008

Last week, the European Commission issued an answer to several queries regarding Phorm, a U.K. company that uses Internet traffic data to serve targeted advertisements. Phorm has proposed partnerships with some of the United Kingdom’s largest ISPs that allow Phorm to use deep packet inspection (DPI) to create profiles of individual consumers’ Web habits. Several members of the European Parliament asked the European Commission whether Phorm’s actions constitute an invasion of privacy contrary to European Union privacy protections.

In its response to these questions, the European Commission explained how the Phorm system intersects with the EU ePrivacy Directive. The Commission declared that, under the directive, the Web traffic information collected by Phorm is “traffic data” and the content of search queries intercepted by Phorm constitutes “communication,” both of which are protected from interception or surveillance without consumer consent.

The Commission noted that the U.K. Information Commissioner’s Office (ICO) — which enforces U.K. data privacy laws — is responsible for monitoring Phorm’s actions. In a review of Phorm’s DPI plans, the ICO said that Phorm’s system “does not appear to be” harming consumers. The ICO will be scrutinizing Phorm’s actions, however, to ensure that the company delivers on its promises to not violate consumer privacy rights.

The Commission itself is also taking ICO’s wait-and-see attitude, promising to remain vigilant in continuing to observe the situation and to “take appropriate action, should the need arise.”

The European Commission’s comments come on the heels of recent inquiries in Canada and the United States into ISPs using DPI for network monitoring and targeted advertising. The Canadian Internet Policy and Public Interest Clinic (CIPPIC) filed a complaint with Canada’s Privacy Commissioner in early May regarding broadband provider Bell Canada’s alleged use of DPI to monitor network traffic. And as we discussed in a recent blog post, two members of the United States Congress have sent a letter to broadband provider Charter Communications’ CEO about the legality of its proposed business relationship with NebuAd, an advertising company similar to Phorm. As ISPs continue to negotiate with DPI-based targeted advertising companies, such government oversight may intensify given the privacy and legal concerns with intercepting customers’ Internet traffic.

An Unfortunate (and I hope temporary) Change of Heart …

Tuesday, May 27th, 2008

The year was 1995 and the biggest threat to Internet free speech was a bill called the “Communications Decency Act.” If passed, the bill threatened to criminalize all manner of constitutionally protected speech under the guise of keeping “indecent” material from being viewed by children.

Momentum for passage of the bill was enormous. The bill passed the House with barely a hint of opposition. The vote in the Senate was little better; only 16 Senators bucked the political headwinds and remained steadfast in their vision of the Internet as a new and exciting ground for free expression and innovation. Among those voting against the CDA was Senator Joe Lieberman. And he proved to be right about the CDA — a federal court immediately enjoined the enforcement of the new law, and 18 months later the Supreme Court ruled that it was unconstitutional.

What a difference a decade makes.

Last week Senator Lieberman sent a letter demanding that the Google-owned video site YouTube scour its user contributed online offerings and remove any that smacked of supporting terrorism or carrying threatening messages fomenting terrorism. Google appropriately reviewed the YouTube videos and removed 80 of them from the site because they violated YouTube’s long-established terms of service agreement. But Lieberman demanded more. He insisted that YouTube begin to proactively censor content based on its origin alone, regardless of what the video contained. It is an outlandish request and cuts against First Amendment freedoms.

Beyond the clear constitutional prohibition against mandating content restrictions, Internet censorship is, frankly, highly unlikely to be effective. Internet-based content isn’t like the open ranges of the Wild West, able to be fenced off with barbed wire. Shutting off one particular access point is likely to spawn two or three more, all outside the reach of the government trying to shut off access. When you come right down to it, Internet censorship is little more than a virtual game of Whack-A-Mole.

Senator Lieberman should realize this, especially considering his courageous vote against the CDA. Let’s hope that courage, once found, is found again, and the Senator regains his vision of the Internet as a platform for openness, innovation and free expression.

Expanded reading on Lieberman’s letter in our Huffington Post blog entry.

CFP2008 in New Haven

Friday, May 23rd, 2008

I was fortunate to serve on the Program Committee for the 18th Computers, Freedom and Privacy Conference in New Haven, CT. It was chaired by EFF’s Eddan Katz, who put on a smaller but very engaging conference. One of the best programs in my memory, actually.

I arrived too late for a tutorial on voting discrimination put on by Lillie Coney of the Electronic Privacy Information Center, but everyone that I spoke to who attended had rave reviews despite the fact that they left more frightened than when they came. Ars Technica had a write-up on that one.

A panel that I moderated on the presidential campaign tech policy with Danny Weitzner from MIT (and CDT Board Member) representing the Obama Campaign and Chuck Fish representing the McCain Campaign was covered in Wired and the LA Times. I’d really like to thank both campaigns for preparing and participating despite their obviously busy schedules.

Ryan Singel at Wired also covered a panel where a law professor and former prosecutor suggested that ISPs run the risk of criminal penalties including jail time for deep packet inspection in certain cases.

I think that the conference Web site will have video and audio of the event up eventually, and I’m already looking forward to next year’s conference, where NNEDV’s Cindy Southworth and the ACLU’s Jay Stanley will co-chair in Washington, DC.

Spammers Get Slammed… Again

Monday, May 19th, 2008

What do you do when a couple of spammers send almost a million deceptive and spammy emails to your users? You sue them! Under the CAN-SPAM Act, MySpace asked for - and was granted - a massive $230 million in damages from the spammers that were taking advantage of the site’s users and breaking the site’s terms of service by ‘phishing’ and spamming.

This case is just the latest in “Spam King” Sanford Wallace’s spammy history. Wallace has been spamming since the early 1990s, and apparently he just can’t seem to get out of the junk mail business. The MySpace case is just one in a long line of enforcement actions against Wallace’s companies. In 2004, CDT filed a complaint with the FTC, which then brought suit against Wallace in the first major FTC suit in spyware.

The MySpace decision is the largest award since the CAN-SPAM Act’s 2003 enactment, though it’s not likely that the spammers will pay up - they didn’t show up for their court date, and haven’t paid previous fines.

We’ve been keeping track of spyware enforcement actions since the beginning of our spyware war; in fact, it has just been updated. In just over three and a half years, we’ve added 25 pages of case summaries. The MySpace judgment won’t be added to the enforcement report - we don’t add cases unless the activity falls within the Anti-Spyware Coalition’s definition of Spyware. Even so, phishing is clearly a related area and it’s great to see that scammers are pursued.

Enforcement against spyware is alive and well, but so are spyware and other online deceptions. The spyware problem will be around for a long time. Fortunately, legislation and other tools have enabled litigation at the federal and state levels, giving enforcement officials solid, workable tools to hit scammers where it hurts most, in their wallets.

Charter-ing a New Course in Behavioral Targeting

Friday, May 16th, 2008

This week broadband provider Charter Communications revealed its plans to begin sharing its customers’ Web traffic with NebuAd, an advertising network. NebuAd’s service works by monitoring individuals’ online activities and creating profiles of those individuals’ interests. NebuAd then uses the profiles to serve targeted advertisements on the Web. Charter, with over 5 million subscribers, is the largest U.S. ISP to announce a deal with NebuAd thus far.

As we discussed in our comments to the FTC last month, this model – where an ad network strikes a deal with an ISP that allows the network to conduct “deep packet inspection” (or “DPI”) of individual Web traffic streams – raises numerous privacy questions. The main difference between these new ad networks and other kinds of online ad networks is that DPI-based ad networks may potentially gain access to all or substantially all of an individual’s Web traffic as it traverses the ISP’s infrastructure, including traffic to all political, religious, and other non-commercial sites (even those that do not use cookies and those that do not deliver ads). The prospect of having a third party handling all of this data likely defies most users’ expectations that the entire body of their Web surfing habits is not generally monitored by anyone, much less a third-party ad network they’ve never heard of.

One of the biggest outstanding questions about DPI-based ad networks is the legal basis that ISPs are using to justify the transfer of their subscribers’ data to a third-party ad network. In a letter addressed to Charter’s CEO, Rep. Ed Markey and Rep. Joe Barton have inquired about how the NebuAd deal can be reconciled with the Cable Act of 1984, which allows cable operators to share subscriber data with third parties only when subscribers give their prior approval. We are anxious to see Charter’s response.
(more…)

A girl’s suicide is a very tragic case, but should it be a “federal case”?

Thursday, May 15th, 2008

Proving again the adage that “bad cases make bad law,” the federal U.S. Attorney in Los Angeles today obtained an indictment of a woman named Lori Drew, a mother in Missouri who is alleged to have created a false profile on MySpace (posing as a teenage boy) that led a neighboring girl to commit suicide. Background on the case can be found in the Washington Post.

The incident is a horrible and tragic one, and if the allegations are true, Ms. Drew could certainly face civil liability for her actions, and – at least under some states’ laws – she could face state criminal liability as well. But just because a grievous wrong may have been committed does not mean under our system that there should be a federal case to address the wrong.

If the theory of today’s indictment is allowed to stand, it would represent a gross and inappropriate expansion of federal power to regulate speech and communications over the Internet. It is important to understand the underlying “crime” here. The indictment does not really have anything to do with the alleged mistreatment of the girl in this case – the alleged crime is the asserted fact that Ms. Drew did not follow MySpace’s “terms of service.” The charges are based on an anti-hacker statute, and in this indictment, the “victim” is MySpace, not the girl. (more…)

Yahoo! Human Rights Program

Thursday, May 15th, 2008

Earlier this month Yahoo! launched a new Business & Human Rights Program, intended to formalize its commitment to human rights, starting with full-fledged support at the highest levels of the company. The program also aims to build a culture within the company to identify and manage human rights risk associated with delivery of its services in difficult markets.

Yahoo! learned the hard way that inattention to human rights can have devastating consequences. While some may see the new program as no more than an effort to restore the company’s reputation, we strongly applaud this new effort. Companies have an obligation to respect human rights, and rigorous due diligence and risk assessment are the right place to start. Recently, John Ruggie, the U.N. Special Reporter on Business and Human Rights, released a proposed framework for Business and Human Rights which strongly endorses this approach.
(more…)

DHS Can’t Admit Its Own Mistakes

Friday, May 9th, 2008

Back in April, I blogged about how Department of Homeland Security Secretary Michael Chertoff was “dead wrong” when he testified before the Senate that personal information can’t be “skimmed” from an unencrypted barcode, which all driver’s licenses will have under the REAL ID program. Chertoff completely denied that there are any privacy risks associated with the REAL ID card’s “machine-readable zone.”

Sen. Feingold, D-WI, was right to question Chertoff’s testimony that day and followed up with a letter asking the Secretary to further explain why he thought citizens’ personal information wasn’t at risk or why they couldn’t be tracked by scanning REAL ID cards during a multitude of transactions. Just this week, DHS responded to Sen. Feingold via letter. The Department again shirked responsibility for ensuring that Americans’ personal information stored on REAL ID cards is protected and not accessible by unauthorized parties – businesses and government agencies alike.

As with virtually all REAL ID privacy issues, DHS has punted the security of the machine-readable zone (i.e., barcode) to the states. CDT has consistently highlighted this as a key privacy issue (among many), arguing that the REAL ID program in total should be scrapped. Or, at the very least, the privacy and security shortfalls should be addressed by new legislation. Congress must act soon because DHS clearly can’t be trusted to meaningfully protect personal privacy.

Chertoff did not sign the DHS response letter. This saved the Secretary the embarrassment of admitting that he was the one who was wrong on this matter and not the privacy advocates seeking to protect the security of Americans from identity theft and other threats by raising the issue.
