Take a piece in today’s Washington Post by Monica Hesse, which commented on the “trendiness” of online activism and discounted these “click to join” groups as nothing more than numbers on a Facebook page.  This completely misses the impact that social networks have had on increasing the awareness of many issues and building communities around these issues.  As we gear up for our nation’s 233rd birthday, we are reminded of how colonists planted seeds of activism and organized against oppressors from abroad.  Instead of Facebook fan pages, they had militiamen; instead of asking others to click a link, they asked them to help gather supplies; instead of Twitter feeds, they used horses to get messages across.  From top to bottom, they created organization that allowed supporters to thrive in any role or level they chose.  The mother who allowed soldiers to sleep in her cabin, was as vital to their success as the soldiers themselves.  It didn’t matter what a supporter of the revolution was doing, their support alone was enough.

Today there are groups on Facebook aimed at gathering supporters for just about any cause.  Just like any other advocacy effort, supporters join for a variety of different reasons.  That’s where the Hesse piece really misses the mark.  The assumption is made that to participate in any activism online, one must be willing to fight hard and organize physical results to be “worthy” of being a supporter.  This claim ignores the power of community building and the very essence of grassroots advocacy.  My support of a specific issue is not measured by how much I donate or how many rallies I attend.   To discount followers of causes on social networks engaging in conduct that is a “trendy and easy virtue” ignores the impact that supporters have on social networks at every level of involvement.  The person simply receiving message updates on the issue is just as vital to the success of the cause as the top-level organizer who sends tasks and ideas to the group’s followers.

It’s especially disheartening to read about Anders Colding-Jorgensen and his little social experiment of creating a fictional Facebook cause and group just to “prove” how little the followers of a social media group matter.  The time spent on rounding up supporters for a fake issue could have been better spent organizing supporters for a real global issue.

While not all social media activist campaigns are built with the same number of leaders and organizers, every level of involvement in these mediums is important.  These networks are valuable at even the base level of getting information to hundreds of thousands of new supporters, regardless of how involved those supporters might ultimately be.

Rather than simply dismiss the power of social network organizing, we should focus on developing its use further as we have only begun to explore the possibilities of organizing masses online around global issues.  If several thousand people can use a Facebook group to save an outdoor movie festival in Washington and one man can organize millions to take to the streets in Columbia against the FARC then there’s no telling what the future holds for social networking.

The judge will issue a written order soon, and then we will know exactly why the case was tossed out.  But based on comments the judge made a few weeks ago, we are hopeful that the court will broadly reject the government’s effort to criminalize violations of “terms of service.”  We will report back once the opinion comes out.

What this means is that Web sites can now ask Firefox for your location, and the browser can now deliver it. Initially, Google has signed on as the default “location provider” for Firefox. As a Firefox user, suppose you pull up a Web site that wants to use your location. Firefox will gather some information about WiFi access points near you and send that information to Google. Because Google maintains a database that maps WiFi access points to actual physical locations, it can use this information to calculate your location. That location gets sent back to your Firefox browser, and the browser forwards it on to the Web site that originally requested it. The accuracy of the location depends on a number of factors, but can be within a handful of meters in densely populated areas.

Firefox and Google have taken a couple of excellent steps to protect the privacy of Firefox users throughout this process. The location information gets transmitted over an encrypted connection so it can’t be sniffed en route between the browser and Google or vice versa. Firefox doesn’t provide Google with any information about the site that made the location request, so Google doesn’t learn anything extra about your browsing habits. Google also de-identifies the information it receives from Firefox two weeks after it’s collected.

This seems like a pretty solid set of standards that all location-enabled browsers and location providers should be able to meet. While it’s nice to see Google and Firefox take these steps, we’re hopeful that Firefox will be able to expand its pool of location providers, and that new location providers will be able to meet these same standards. There are actually a diversity of ways in which Web users can or will soon be able to obtain their own locations, and as new location providers crop up, users should have the ability to choose their preferred provider.

On the user experience side, the story is somewhat mixed. While Firefox will prompt you for your permission before passing your location on to a Web site, there’s no easy way to see a list of sites you’ve given your location to. If you lose trust in a particular site, you have to go back to the site itself to revoke its permission, which is probably precisely what you won’t want to do. And the mechanism for disabling location-awareness altogether is somewhat complex. We expect to see some more intuitive user controls for these kinds of features as more and more Web sites become location-enabled.

In comments filed in April, CDT urged that broadband services supported by stimulus money should connect users to the full Internet and the full range of Internet-based content and applications, as selected by users and without discrimination.  After all, the core policy rationale for supporting broadband is that it serves as crucial basic infrastructure, much like roads or electricity.  Basic infrastructure is so important precisely because it enables so much other activity, much of which cannot be anticipated at the time the infrastructure is laid and is initiated by users of the infrastructure rather than the infrastructure’s operators.

In a “Notice of Funding Availability” (NOFA) released yesterday, the agencies (NTIA and RUS) handling the broadband grant programs embraced the view of CDT and other advocates that broadband grantees should be subject to nondiscrimination requirements that go beyond the FCC’s 2005 broadband Policy Statement.  The NOFA says that grantees must “not favor any lawful Internet applications or content over others,” a requirement that “ensures neutral routing.”  This explicit nondiscrimination requirement should provide much better protection against the risk of network operators playing favorites than relying exclusively on the FCC Policy Statement, as some parties had urged the agencies to do.

The NOFA goes on to permit reasonable network management, as it should.  It doesn’t try to spell out precisely what this entails, but the language suggests that technical measures aimed at service quality should be “generally accepted” — perhaps a hint that, as CDT has argued, congestion management techniques should be consistent with basic networking standards.  The NOFA also points to caching and “application-neutral bandwidth allocation” as examples of techniques that would be permitted; hopefully this is meant to suggest that application-specific tactics, like Comcast’s interference with BitTorrent traffic, will be frowned upon.

In any event, however, the agencies will require grantees to clearly disclose their network management tactics.  This too is an important safeguard.

Beyond the actual requirements, the NOFA embraces openness by stating a preference for applicants that pledge to exceed the minimum requirements for openness and nondiscrimination.  In particular, the grant scoring system awards extra points for applicants that provide services on a wholesale basis, enabling consumers to have a choice of retail providers.  This echoes a specific recommendation from CDT’s comments.

Finally, it is worth noting that the openness requirements apply only to Internet applications and content.  Grantees will be required to provide connections to the Internet, but may also provide “managed services such as telemedicine, public safety communications, and distance learning,” to which nondiscrimination requirements would not apply.  This position is consistent with a point CDT has been making from the beginning of its involvement in the Internet neutrality debate.  It is crucial to preserve the open nature of Internet service, but that doesn’t meant that all non-Internet services should be forbidden.  Internet services coexist with cable television services, for example.  So long as they provide a robust level of “plain vanilla” Internet capacity, there is nothing wrong with a future in which broadband providers experiment with more specialized, dedicated-purpose services as well.

It is good to see the broadband stimulus program get off on the right foot regarding openness.  Naturally, administering the program may pose challenges, and the nondiscrimination provisions announced yesterday apply only to facilities built with stimulus funds.  But it is an excellent start, and a strong sign that the Obama Administration’s endorsement of Internet neutrality will be carried forward into actual policies.

It’s encouraging to see the advertisers move into the privacy fray here (although not entirely surprising). For nearly a decade, the self-regulatory space has been dominated by the Network Advertising Initiative, which has historically included only third-party ad networks, which comprise just a small sliver of the industry. But when the FTC issued its own suggested self-regulatory principles earlier this year, the guidance from the agency wasn’t limited to any particular advertising sector. The advertising associations appear to have gotten the message, and have tailored their principles in rough accordance with the FTC’s recommendations.

The advertiser principles incorporate many of the ideas that we and others have previously suggested to both the FTC and the NAI. The transparency principle includes a robust framework for providing notice outside of privacy policies, and lays the groundwork for development of a uniform link or icon that would appear on any web site or advertisement where data is collected or used for behavioral advertising. The principles explicitly address business models that may rely on the collection of all or substantially all of a consumer’s Web traffic for behavioral advertising (including ISP-based models), requiring a higher standard for choice than is required of the more traditional Web-based model. And the principles provide for strong enforcement through existing and to-be-created compliance programs.

In some areas, though, the principles don’t go far enough. For example, we had suggested to both the FTC and the NAI that the notion of “sensitive information” needed to cover a broad array of data types, including health information and location data. The advertiser principles cover only a very limited subset of medical information and leave out location data altogether. The principles are also silent about consumer access to the behavioral data collected about them. Google has demonstrated that providing profile access is possible, and we would expect the rest of the industry to follow suit.

But the real test for these principles lies not in their ability to withstand the scrutiny of CDT and others, but in how the advertising industry actually implements them. The advertising and privacy communities have been talking and writing about improving self-regulation for months and years on end. Here at CDT, we’re ready to see how the industry puts all of those words into action. Six months from now is when we’ll know how good or bad these guidelines really are.

Since the Green Dam directive was made public, we have learned that the filtering software does not work as proposed or publicized, may create serious security vulnerabilities, may contain stolen code, and likely violates China’s WTO obligations. The filter targets far more than sexually explicit material and is capable of shutting down a variety of applications when politically sensitive keywords are triggered. Independent analysis has also revealed that security flaws in the software could make millions of PC users in China vulnerable to a variety of malicious attacks

It comes as no surprise, then, that the mandate has encountered widespread domestic resistance, including criticism from mainstream Internet users and state-controlled media. Several prominent Chinese bloggers called for a July 1 Internet boycott if the government stood firm on the original implementation deadline, while other online activists have promised far more confrontational countermeasures.

For their part, trade groups representing a wide array of technology companies subject to the directive have worked in concert to push back, pointing out the many issues that such a product mandate raises regarding security, privacy, system reliability, the free flow of information, and user choice. However, some companies have already taken substantial steps to comply, and it is unclear what additional steps such companies have taken to mitigate the potential harm the software could cause to the privacy and security of their customers.

This directive has been a big test for the ICT sector. Trade associations are right to be concerned about the precedent their response may set: It is not hard to imagine even more intrusive technology mandates down the line aimed at perfecting the Chinese panopticon—directed not only at computer manufacturers but also mobile phone equipment and service providers. And many other countries that strictly control expression and access to information look to China as the shining example of how such technologies can be used as tools for maintaining greater political and social control.

The current combination of domestic outrage, embarrassing technical flaws, and concerted industry push back may (hopefully) persuade Chinese authorities to quietly scrap Green Dam altogether. However, ICT companies should expect that issues that invoke the corporate responsibility to respect human rights will only get harder, not easier. Many governments will continue to enlist companies in acts of censorship and surveillance; companies must have a thoughtful, systematic, and proactive approach in how they will respond. At stake is not only their customers’ faith and trust in their products, but also the human rights of Internet users all over the world.

I noted at the beginning of the month that the Solicitor General had advised the Supreme Court not to reconsider the important Second Circuit case giving the green light to Cablevision’s “remote storage digital video recorder” (RS-DVR). I’m very happy to report that the Supreme Court has followed that advice. Yesterday the Court “denied cert” — meaning that it won’t take the case and that the Second Circuit’s decision will remain the final word on the matter.

This effectively puts an end to the serious threat posed by the original 2007 District Court decision, which held that the RS-DVR would infringe copyright based on the physical location of data storage. As CDT explained in a 2007 policy post and legal brief (http://www.cdt.org/copyright/20070608cdt-cablevision.pdf), the implications of that ruling for cloud computing could have been hugely damaging. Ditto the court’s finding of liability based on transitory buffering — something all digital devices do.

CDT and its allies spent a great deal of time to make sure the Second Circuit Court of Appeals and later the Solicitor General’s office would understand and appreciate what was at stake here. Thankfully, the final outcome is a strong appeals court decision rejecting the idea that using remote storage and buffers should expose service providers to extensive copyright liability. This was a big win, and a major bullet dodged!

Comprehensive National Cybersecurity Initiative: Legal Authorities, Policy Considerations
#R40427
March 10th, 2009

A standing question about cybersecurity is the respective roles of the executive and legislative branches. President Obama has made cybersecurity a priority in the White House; his commitment to the issue came early when he asked for top-to-bottom governmental review of cybersecurity efforts. Another example of Obama’s interest in making cybersecurity a primary issue is his announcement to create a “Cybersecurity Czar” in the White House. Meanwhile, some in Congress have gone their own way, for example, with the introduction of the Cybersecurity Act of 2009. Although the executive branch might seem like the logical place to have cybersecurity authority, this CRS Report suggests that the President’s cybersecurity authority could be disrupted (or reaffirmed) by Congressional action.

The central idea is that cybersecurity defies categorization and that it is unclear where authority for executive action is given. The significance of this report is not only that it serves as an excellent introduction to executive action on cybersecurity like the Comprehensive National Cybersecurity Initiative (CNCI), but that this is the report Members of Congress read to understand their own authority on the issue. As the report states, “to be legally authorized, the CNCI and any executive-branch action must have some basis in statutory or constitutional law.” The problem is that cybersecurity objectives are likely to be “broad governmental reforms and enhanced partnerships with the private sector.” Current statutory law does not grant these powers. For instance, the Federal Information Security Management Act of 2002 deals with mostly administrative measures on a smaller scale than what the CNCI needs, while criminal provisions do not deal with preventing cyber attacks. There are holes in the statutory framework–some of the CNCI’s objectives might be covered under the President’s statutory authority, some may not.

The alternative is that cybersecurity could fall under the constitutionally given executive powers–the President is the Commander in Chief and during the inauguration, swears to protect the nation from imminent threats. If cybersecurity is categorized as national security, then the President and Congress share powers. To illuminate this area, the report refers to Justice Robert Jackson’s concurring opinion in Youngstown Steel & Tube Co. Jackson provides a framework for the President’s constitutional authority in relation to Congress. Under the Youngstown framework, the President may implement cybersecurity policy until Congress takes action, due to their shared authority. Cybersecurity legislation could grant or restrain Presidential power. Regardless of legislation, Congress maintains oversight authority.

The case involved a less familiar aspect of Section 230, which is commonly applied in free speech rulings that shield (for example) a social network from liability based on content posted by its users. Section 230 also protects service providers from liability from efforts to control offensive content. The Zango v. Kaspersky decision, however, dealt with a third and lesser well-known component of 230 – protection afforded to companies that make tools that users can use to control their own online experiences (such as filtering software).

The Zango case raised the question of whether an anti-spyware vendor (Kaspersky) would be shielded from liability under this third part of Section 230. Zango had argued that 230 only applied to tools that filter adult content, rather than more broadly applying to tools that allow users to control content such as spyware.

On behalf of the Anti-Spyware Coalition, BSA, EFF and others, CDT filed a “friend of the court” brief arguing that Section 230 should protect anti-spyware software makers, and the court reached the exact result that we supported. Even more satisfying was the fact that the court used some of the precise analysis that we urged – half of our brief was intended to get the court to focus on the statutory “findings” in Section 230, and on how Section 230 has three very distinct and independent goals and purposes. Unfortunately, some courts in the past few years have conflated the differing goals, and so have muddied some decisions about Section 230. As the Zango court considered the third (and less familiar) component of 230, we thought it essential that the court crisply understand the nuances of law. And the court nailed it.

We also were pleased to see that the court walked a fine line on one aspect of Section 230 – whether the third component of the law had an implicit “good faith” requirement. We argued in our brief for such a requirement. The court appropriately decided that it did not need to decide that question right now, but the court’s decision (as well as one judge’s extra concurring opinion) highlighted that in another case good faith might be an important issue (there really is no doubt that the provider in the Zango case – Kaspersky – is a legitimate vendor acting in good faith). This means that bad guys – say, spyware makers who install malware and then turn around and offer to remove the malware – cannot use Section 230 to shield their devious actions from legal challenge.

The Ninth Circuit has taken a few missteps recently in the area of Section 230, so it is good to see a clear and correct decision from that court.

Computer experts that have examined the Chinese developed Web-filtering software have found a laundry list of problems, from security holes to questions about the breadth of the filtering process. U.S. computer makers are rightly concerned about having to pre-install a piece of virtually unknown and untested software that could damage their product on every machine sold into China.

In letters to the Chinese government, both the U.S. Trade Representative Ron Kirk and Commerce Secretary Gary Locke linked China’s mandate to install the web filtering software, known as “Green Dam,” to U.S. trade policy.

USTR Kirk is quoted in the Post piece saying the Chinese demand “poses a serious barrier to trade.”

We have long held the position that there is an important role for Congress to play in ensuring that Internet freedom be fully incorporated into U.S. human rights and foreign policy and that it is a central focus of diplomacy, trade and foreign aid. However, there is considerable “policy incoherence” between the U.S. positions on human rights and its policies on trade and aid.

A good example of this “policy incoherence” is giving “most favored nation” trade status to countries such as China and Vietnam, both with poor human rights records that relentlessly pursue state-sponsored campaigns of Internet surveillance and censorship.

If Internet freedom is to be given a high priority in foreign policy and trade, as we believe it should (Secretary Locke and USTR Kirk’s statement to China are encouraging steps), then it will be critical for the U.S. to have the political will to take on its current culture of “policy incoherence” and deliver a message that doesn’t reprimand with one hand and reward with the other.