Center for Democracy and Technology
Working for Democratic Values in a Digital Age
PolicyBeta - Digital Policy in Process

Archive for the 'Standards & Governance' Category

ICANN, US Government Affirm Private Sector Lead in Domain Name Governance

Wednesday, September 30th, 2009

The US government today agreed to loosen the sway it has long held over the Internet Corporation for Assigned Names and Numbers, the private, non-profit body that oversees administration of the Internet’s addressing system. Allowing an 11-year-old and much revised “Joint Project Agreement” between the Commerce Department and ICANN to lapse, the two signed an “Affirmation of Commitments” in which ICANN agreed to create international review teams to assess its transparency and accountability, its protection of the security of the domain name system, its approval of new domain names and domain names using non-Latin characters, and its management of a database identifying the owners of domain names.

CDT is pleased to see this reaffirmation of the bottom-up, private sector led model for governance of the domain name system. We’re also pleased to see that this new document describes ICANN’s role solely in terms of the technical management of the domain name system and does not speak more broadly of other Internet issues that should be outside ICANN’s purview.

The big remaining questions of accountability are how we can create a system whereby anyone – a government, a business, an individual – can appeal the decisions of the ICANN Board, and by what standard such appeals will be judged. Those key questions could not have been answered at this time, but they do need to be answered.

CDT was involved in the process by which ICANN was created in 1998 and has been involved in the debate over its role and accountability ever since. In June of this year, we issued detailed recommendations on ICANN’s future, in which we spelled out how an appeals process would work without governmental intervention.

FTC Finalizes Terms of Sears’ Deceptive Practices Settlement

Thursday, September 17th, 2009

The FTC recently announced approval of the terms of a settlement with Sears Holding Corp. (which owns Sears and K-Mart stores) over charges that the company failed to “adequately disclose” that it was collecting personal information using a spyware program secretly installed on consumers’ computers.

Between 2007 and 2008, 15 of every 100 visitors to sears.com or kmart.com were presented with a pop-up window that offered the opportunity to “talk directly to a retailer” and become part of “a place where your voice is heard and your opinion matters, and what you want and need counts!” No mention was made that this “opportunity” also installed detailed tracking software on the user’s computer.

Customers who asked for more information were offered a $10 coupon in exchange for downloading – and keeping on their computer for at least one month – software from Sears or K-mart that would allow them to become “part of something new, something different[.]” Consumers probably didn’t realize that by “new” and “different,” the advertisement meant “all-seeing” and “invasive.” Indeed, this software monitored both online and offline behavior, peering into online secure sessions and culling information from consumers’ email subject and recipients, online bank statements, drug prescription records, video rental records, and similar histories and accounts.

Customers effectively (and blindly) sold their privacy by agreeing to a lengthy terms of service agreement that showed up at the end of a long registration process. The agreement was presented in a small “scroll box”; consumers could only see ten lines of the policy at a time and not until the 75th line could the user find any description of the invasive tracking.

The FTC found that the software’s function was not fairly represented and that the “failure to disclose these facts…was, and is, a deceptive practice.” As remedy, the FTC has required that “if Sears advertises or disseminates any tracking software in the future, it must clearly and prominently disclose the types of data the software will monitor, record, or transmit.” Moreover, this disclosure must occur separately from any general terms of service or user license agreement and, if data will be accessed by a third party, must include a notification that data will be available to a third party. The FTC has also required that Sears Holding Management Corporation delete all data collected by the software.

CRS Report of the Week: Wiretapping and Electronic Eavesdropping

Friday, August 7th, 2009

The Congressional Research Service is a $100 million a year think tank that researches and writes informative and non-partisan reports on topics suggested by members of Congress. The catch – and the reason you might not have read their work – is that CRS reports are only made easily available to members of Congress. Citizens can request these reports from lawmakers, but without a public index, they can’t request something they don’t know exists. The CRS Reports currently rank first on CDT’s Most Wanted Government Documents. In an ongoing effort to liberate these documents, CDT runs Open CRS, an online repository of public CRS Reports. To spotlight these reports, I will be writing “CRS Report of the Week” posts, featuring a relevant report each week. These reports are informative both in that they serve as excellent primers to political issues and in that they offer a degree of insight into what information is circulating around Congress.

Privacy: An Abbreviated Outline of Federal Statutes Governing Wiretapping and Electronic Eavesdropping
Report Number: 98-327
Date: September 02, 2008

Wiretapping and electronic eavesdropping laws are important knowledge for anyone concerned about privacy. This CRS Report offers a brief introduction to what the Electronic Communications Privacy Act (ECPA) and the Foreign Intelligence Surveillance Act (FISA) actually mean. The report covers what is prohibited, the procedure for court ordered wiretapping (and how FISA is different), and the Protect America Act. The section on the history and evolution of wiretapping is particularly interesting as it shows the piecemeal development of wiretap law. This provides a glimmer of insight into how the current situation of incomplete protections developed. CDT’s work on warrantless surveillance and wiretapping can offer information on the most recent developments in the area.

The detail-oriented may have noticed that this CRS Report is an abbreviated outline. For the determined, the original 164-page overview is available here.

CTO Aneesh Chopra – A Breath of Fresh Air

Thursday, August 6th, 2009

Earlier this week, CDT co-hosted an appearance by the nation’s new Chief Technology Officer, Aneesh Chopra. Speaking at the Computer History Museum in Silicon Valley, Chopra outlined how he wants to use technology to address the critical issues facing the nation and how he thinks the federal government can best support innovation. The video of Chopra’s remarks is up courtesy of our co-host, the Churchill Club.

Tim O’Reilly explained at length earlier this year why Chopra was such a good choice to shape technology policy in Washington, and it was impossible not to agree after hearing Chopra speak this week. Chopra is an opportunist in the best sense of the word. He has a grand vision of how technology can contribute to issues ranging from health care to education to the environment, but he also understands the value of incremental steps and short-term results. His talk was peppered with examples from his tenure as Virginia’s Secretary of Technology and his first months in the White House, where he is already in charge of an overhaul of the case status system for the US Citizenship and Immigration Services, among other projects promising immediate pay-out.

CDT is working on many of the issues Chopra mentioned, including health IT, cyber-security, broadband deployment, and, of course, government transparency. At times, we will be pushing the Administration to go further than it might otherwise be inclined to go in terms of openness and privacy, and we will criticize the Administration when it falls short, but we couldn’t want a smarter, more receptive official to engage with than Aneesh Chopra.

If I had one criticism of Chopra’s remarks, it would be his repeated emphasis on accomplishing things without changing the underlying laws. On the one hand, working within existing frameworks is consistent with his attractive opportunism. However, it is clear that some laws need to be updated to ensure deep, government-wide change. One example is the Privacy Act, which applies to federal databases; CDT has a major project underway to bring this 1974 law into the 21st century. Getting legislation passed will require White House leadership, and we hope that Chopra, while developing practical tools to make government more transparent and participatory, will also lend his credibility to improving the legislative framework for privacy in government systems.

Update: Here are the slides Aneesh Chopra used in his August 4, 2009 presentation in Silicon Valley. [pdf]

“Internet Governance:” The Contribution of the IGF

Wednesday, July 15th, 2009

Over the past several years, there has been a debate internationally about who “governs” the Internet. The debate has at various times displayed a deep confusion about what Internet governance is. Too much of the debate has focused on the Internet Corporation for Assigned Names and Numbers (ICANN), which has responsibility for only a very small portion of Internet governance. Too little has focused on the policies of national governments, which hold many of the keys to Internet success or failure in their national policies on innovation, competition and the trust environment.

A UN-sponsored gathering called the Internet Governance Forum has helped channel the debate in a positive direction. In the broadest sense, the IGF is a yearly meeting, which has taken place 3 times since 2006. The most recent, in Hyderabad, India in December 2008, attracted 1280 participants from 94 countries. The IGF is due to meet again this November in Egypt.

Yesterday, CDT filed comments as the IGF considers its future. We said that, overall, the IGF has been remarkably successful. In particular, the IGF has raised awareness of Internet governance among a broad range of stakeholders – awareness as to what Internet governance is, how the Internet has been “governed” from its inception by a wide range of bodies and institutions (governmental, intergovernmental and non-governmental), and how participation in those governance bodies can be expanded to reflect the interests and needs of non-governmental stakeholders and stakeholders from developing countries.

More on PASS ID: Strengthening Privacy Protections for REAL Progress

Wednesday, July 8th, 2009

Three weeks ago, the PASS ID Act [S. 1261] was introduced in an effort to move beyond the REAL ID stalemate that has dragged on for over three years. CDT supports PASS ID because it mitigates key privacy flaws in the REAL ID program and is a notable improvement over current law. While the privacy provisions in PASS ID can still be strengthened, the bill incorporates nearly all the privacy requirements that the last Congress’s REAL ID repeal act included [S. 717, 110th] and was even introduced by the same Senator, Daniel Akaka (D-HI).

Putting aside for a moment the question of whether repeal of REAL ID is a political possibility, it is important to realize that repeal is not necessarily better than REAL ID:

1) Senator Akaka’s repeal act would not have stopped the creation of new licensing standards; it would simply have created a negotiated rulemaking body that would have had to use exactly the same standards that are in his PASS ID Act to help increase privacy;

2) If we could re-write the repeal bill to not incorporate any new standards, it would still not address the problem that state driver’s license programs have already been moving towards greater standardization of design and interoperability of technological features for quite some time with limited privacy and security protections. CDT remains concerned about three main trends happening at the state level:

· States are incorporating machine-readable zones (MRZ) in driver’s licenses and ID cards, without encryption or other protections for the information contained in the zone.

· Because personally identifiable information (PII) contained in the MRZ is unprotected and the technologies interoperable, information in the MRZ can be read, stored, and re-used with few limitations by commercial and governmental entities.

· ID card systems have increasingly centralized back-end information systems containing vast amounts of identity data, vulnerable to theft or internal abuse if not properly protected. States are also turning to private, non-governmental agencies such as AAMVA to manage such systems.


Online Activism Isn’t Dead

Thursday, July 2nd, 2009

The social and political impact of the Internet is growing at a rapid pace.  After all of the successes credited to President Obama’s social media campaign network in last fall’s election, we still find ourselves at the earliest stages of development of the social layer of the Net.  Still, some are quick to dismiss the activist power of the Internet and still are not convinced that this medium will continue to change the way the world organizes around issues.

Take a piece in today’s Washington Post by Monica Hesse, which commented on the “trendiness” of online activism and discounted these “click to join” groups as nothing more than numbers on a Facebook page. This completely misses the impact that social networks have had on increasing the awareness of many issues and building communities around these issues. As we gear up for our nation’s 233rd birthday, we are reminded of how colonists planted seeds of activism and organized against oppressors from abroad. Instead of Facebook fan pages, they had militiamen; instead of asking others to click a link, they asked them to help gather supplies; instead of Twitter feeds, they used horses to get messages across. From top to bottom, they created an organization that allowed supporters to thrive in any role or level they chose. The mother who allowed soldiers to sleep in her cabin was as vital to their success as the soldiers themselves. It didn’t matter what a supporter of the revolution was doing; their support alone was enough.

Today there are groups on Facebook aimed at gathering supporters for just about any cause. Just like any other advocacy effort, supporters join for a variety of different reasons. That’s where the Hesse piece really misses the mark. The assumption is made that to participate in any activism online, one must be willing to fight hard and organize physical results to be “worthy” of being a supporter. This claim ignores the power of community building and the very essence of grassroots advocacy. My support of a specific issue is not measured by how much I donate or how many rallies I attend. To discount followers of causes on social networks as engaging in conduct that is a “trendy and easy virtue” ignores the impact that supporters have on social networks at every level of involvement. The person simply receiving message updates on the issue is just as vital to the success of the cause as the top-level organizer who sends tasks and ideas to the group’s followers.

A Remedy for Every Wrong? Why We Need a Consistent Privacy Act

Thursday, June 25th, 2009

The Privacy Act of 1974—the law designed to protect your rights as the government collects, uses, and shares your data—fails to consistently protect citizens’ privacy because circuit courts disagree on how to interpret its language. Different interpretations and decisions based on this law have come out of circuit courts and have helped support the notion that a consistent and updated set of federal privacy regulations is needed. The Eleventh Circuit’s recent ruling against two Vietnam veterans who sued under the Privacy Act is a prime example of a claim that could have prevailed if it were brought elsewhere, highlighting the need for a clear and consistent set of privacy rules across the board.

In January 2007, a hard drive containing the unencrypted names, social security numbers, birth dates, and health records of over 198,000 living veterans went “missing” from a Department of Veterans Affairs (VA) medical center in Birmingham, Alabama (a different incident than the Spring 2006 theft of a laptop from a VA employee’s house in Maryland). The United States Court of Appeals for the Eleventh Circuit and the VA both agree that security in the facility was inadequate and that the VA violated both the Privacy Act and the Health Insurance Portability and Accountability Act (HIPAA) through its failure to adequately supervise the IT Specialist in charge of the hard drive. Yet the court affirmed last week in Fanin v. U.S. Dep’t of Veterans Affairs that two veterans whose data was stolen have no recourse under the Privacy Act.

Highlights from PrivacyCampDC09!

Tuesday, June 23rd, 2009

This post was originally made on the PrivacyCamp Blog.

PrivacyCampDC is in the books and it was fantastic! A collection of people representing interests in both the public and private sector gathered together to share knowledge and expertise on a number of topics including (but certainly not limited to) the future of privacy rights in a Government 2.0 world, surveillance technologies, digital signage, updating the 1974 federal Privacy Act (something CDT is pushing for citizen feedback on with their Privacy Act Wiki if you want to check it out), and how we achieve a greater level of transparency and openness without compromising one’s privacy. With attendees representing privacy organizations, federal agencies, security companies, information technology and even Congress, there were a lot of great ideas shared during the event.

One of the most important takeaways that nearly everyone walked away with was the notion that collaborative discussion is vital to protecting privacy in the digital age. The more voices and interests at the table from the beginning, the more likely concerns will be addressed as legislation is crafted, regulations are made, and the intersection between government and new and emerging technologies grows.

The event was tweeted under the hashtag #privacydc and a video slideshow featuring photos from the event’s Flickr page is available. Can’t wait for the next one!

Lessons learned from Social Media governance

Thursday, May 14th, 2009

In the last six months, two of the most popular social networking platforms – Facebook and Twitter – announced policy changes, only to be forced to do an about-face less than 24 hours later due to an overwhelming backlash from users unhappy with the “behind closed doors” style of policy changes.

In February, Facebook attempted to change its terms of service overnight without broadly notifying users.  A blog post on The Consumerist drew attention to the changes and urged account users to express their disappointment in the lack of disclosure and transparency demonstrated by the social network in crafting and ultimately implementing these major privacy changes.  User frustration spread in the form of Twitter hashtags like #TOS, blog posts, and, ironically, Facebook groups where users voiced their opinion and held the company accountable.  Within 72 hours of this backlash, Facebook had made a statement saying they would revert to the old terms of service and announced they would solicit public comments and third party opinions in crafting a new Terms of Service.  They even allowed users to vote on which set of policies would be enacted; those crafted by Facebook alone or those that included third-party opinion.

Twitter dealt with a similar situation yesterday when a “tweak” to its @replyname policy was made which many advanced users argued drastically limited their ability to network and meet new people with shared interests.  Immediately, users began a barrage of “tweets” voicing objections by using the hashtag #fixreplies until Twitter management reversed itself and announced it would look into developing a better solution to the problem, and that while technical issues prevent the Twitter platform from going back to the old system of @replyname, they could restore some of the old functionalities that users had requested.

About the Blog

    PolicyBeta is a forum for CDT experts to discuss news and developments in the technology policy arena. Visitors are encouraged to comment on the blog or email the authors.

    Our goal with PolicyBeta is to foster thoughtful discussion regarding technology policy as it relates to civil liberties and democratic values. While we encourage comments, we must insist that they be focused, relevant and written in a tone that is respectful of other posters. For more information, please feel free to contact PolicyBeta editor Brock Meeks.

    Check the main CDT site for complete, up-to-date information on CDT initiatives and activities.
