Just head to the new Policy Beta and see for yourself! This version of Policy Beta will no longer be updated and will soon disappear, so for all the latest news and commentary, head on over.

As many expected, the revisions narrowly address the copyright and antitrust problems raised by the Department of Justice. The affected class of authors and publishers has been reduced; the pricing structures have been made negotiable; and the dispersal of unclaimed funds has been revised. For more explanation and analysis of these changes, see James Grimmelmann’s blog.

On the privacy front, CDT had urged Google to make specific privacy commitments enforceable by the court overseeing the settlement. We believe the settlement should be approved because it promised greatly increased access to books, but also that it should be improved to preserve readers’ right to privacy. Specifically, we recommended that Google set a high standard for disclosure of reader information to law enforcement and to civil litigants (i.e., get a warrant first), that Google use information collected about readers and which books they read only for the narrow purposes laid out in the settlement, and that Google commit not to share personal information with the Books Rights Registry, the organization set up to administer payment to copyright holders.

The revised settlement addresses the last of these recommendations, making a commitment to share only anonymized data with the Registry. Google had previously made such a commitment in its privacy policy, but inclusion in the settlement makes it enforceable. This is a positive step, but it leaves the other concerns untouched. This means that it falls once again to the court to ensure that reader privacy is protected as the settlement and the new services it establishes move forward. That’s what CDT will continue to advocate.

We encourage students from all majors and degree programs to apply. Applicants should have an interest in Internet and technology policy and/or civil liberties, strong research and writing skills, the ability to take initiative and prioritize responsibilities in a fast-paced office environment, and a solid academic record. Please see our job posting page for application details.

In addition, CDT is pleased to host a Google Policy Fellow, who will join our 2010 summer program. Interested candidates should apply directly with Google here.

Help us keep the Internet open, innovative and free!

P3P is a standard of the World Wide Web Consortium (W3C), the main standard setting body for the Web. It was created to allow privacy policies to be expressed as machine-readable statements. The history of P3P dates to a period when the privacy debate, in the United States and elsewhere, began to focus on encouraging companies to post human-readable privacy policies. As criticism increased about the complexity of those notices, there was a call to simplify them through standardization. If policies could be narrowed down to the equivalent of a multiple-choice set of options, then they could be made machine-readable.

The theory held considerable promise, if such statements would provide a clear, standardized means of rendering potentially complex privacy policies into a format that could be automatically parsed and instantly acted upon. Consumers could compare policies, enterprising companies or individuals could use P3P to develop more accurate means of rating and blocking sites, and governments could use the policies to instantaneously enforce data privacy laws.

In the end, P3P was never fully implemented as its creators had hoped. When the second working draft of the P3P specification was released in October 2000, Microsoft built P3P capabilities into Internet Explorer 6. However, those features mostly focused on utilizing cookie-blocking tools by default. Because of these decisions, one optional type of P3P policy is in widespread use among companies that place third-party cookies, demonstrating the power of a single implementation in the browser. Unfortunately, there are still no good tools that make use of the metadata, and this is why the main portion of the P3P specification is only used by a minority of Web sites today.

There have, however, been many positive stories about companies that instituted new privacy-friendly policies when confronted with having to implement P3P. The transparency that P3P offers clearly had an impact on companies when they realized P3P would make their privacy policies much more public. (During the development of the standard, two Citibank employees published a paper arguing that P3P was too transparent and expressing “concern that P3P would let ordinary users see, in full gory detail, how their personal information might be misused by less trusted or responsible web site operators.”).

A lot of good work went into P3P and as those who use third-party cookies can tell you, it is far from dead. But P3P was ultimately far too complex and there was no direct user interface built to use all of the metadata. Also, those who suggested that P3P was the answer to all privacy woes left the standard open to unnecessary attack.

Machine-readable policies, like P3P and other PETs, hold considerable promise and deserve attention. However, to create machine-readable policies that work, we need to learn from how P3P was created and promoted, study its shortcomings, and draw from the immense amount of effort put into the project, where possible. And of course, any one privacy-enhancing tool needs to be used in concert with effective legislation, policy oversight and other privacy enhancing tools.

PCLOB was established in 2004 and had one term, starting in 2006 – but the terms of the members of the board expired in January of last year, and President Obama has not nominated new members to the board. This letter asks President Obama to nominate members to the board quickly. Once members to the board are nominated, they must be confirmed by the Senate, and the office will need to be set up and staff must be hired. All in all, it will take months to reconstitute the board before it can begin advising the President and agencies.

Currently, the federal government lacks independent privacy oversight. Reconstituting PCLOB is one of the ways that privacy and civil liberties can be better protected by the federal government. In fact, the Cybersecurity Policy Review specifically called for PCLOB to be reconstituted, and possibly to expand its purview to include more cybersecurity topics, as an important oversight body. As an existing mechanism to protect privacy and civil liberties, it is an important and relatively simple way to provide oversight and advice for the government.

There were plenary sessions and panels on every possible privacy issue but at the center of much of the discussion were the complex and seemingly unanswerable questions about global data flows in an era of cloud computing: What is the right way to protect privacy in an Internet cloud where data flows don’t respect borders? When consumers from around the world place their data in a social networking site based in the United States, which data protection laws should apply? Who should be accountable for data privacy and security when data is collected by one entity and then stored with cloud providers offering storage, processing and software as a service? When those cloud providers move data from server to server, often in multiple jurisdictions, which data protection rules apply and which country may assert jurisdiction over the data when other substantive legal questions arise?

Even in the European Union, where the data controller remains accountable for privacy and security pursuant to the European Data Protection Directive, there is a growing consensus that the Directive’s underlying assumption that data has a fixed location is making the Directive increasingly difficult to apply. There seems to be a growing agreement that there needs to be some international standards or binding instrument that will help to reconcile conflicting data protection regimes.

With this background, the main order of business at the closed session of the data protection commissioners was to consider and adopt the resolution “International Standards on the Protection of Personal Data and Privacy,” which some would like to constitute as the basis for a binding international agreement on data privacy; just this morning an English translation of the final resolution went online. Peter Hustinx, the European Data Protection Supervisor, made clear in remarks at an earlier panel that the document was not intended to address the question of which law applied to data as it moved from one country to another, but rather would define a set of principles and rights that would guarantee the effective and internationally uniform protection of privacy and facilitate the international flows of personal data needed in a globalized world. But there appears to be considerable disagreement as to what such standards will mean in practice. According to the Spanish data commissioner who led the effort, the standards are “soft law” intended to guide the development of privacy protections in countries without protection and build consensus toward a future binding agreement.

However, many others have expressed doubt that such an agreement is either possible or appropriate. And some have criticized the standards as too closely aligned with the European Directive rather than taking the best from other data protection frameworks. In any event, it’s an important start to a needed conversation.

Civil liberties advocates first introduced “Amendment 138” in 2008 to protect Internet access as an exercise of the right to freedom of expression in the face of these graduated response proposals. In its original conception, the amendment required member states to provide strong legal and procedural safeguards where states or private parties impose Internet access restrictions for alleged repeat offenders. Few are happy with the final negotiated text, which retreats from this position:

3a. Measures taken by Member States regarding end-users’ access to or use of services and applications through electronic communications networks shall respect the fundamental rights and freedoms of natural persons, as guaranteed by the European Convention for the Protection of Human Rights and Fundamental Freedoms and general principles of Community law.

Any of these measures regarding end-users’ access to or use of service and applications through electronic communications networks liable to restrict those fundamental rights or freedoms may only be imposed if they are appropriate, proportionate and necessary within a democratic society, and their implementation shall be subject to adequate procedural safeguards in conformity with the European Convention for the Protection of Human Rights and Fundamental Freedoms and with general principles of Community law, including effective judicial protection and due process. Accordingly, these measures may only be taken with due respect for the principle of presumption of innocence and the right to privacy. A prior fair and impartial procedure shall be guaranteed, including the right to be heard of the person or persons concerned, subject to the need for appropriate conditions and procedural arrangements in duly substantiated cases of urgency in conformity with European Convention for the Protection of Human Rights and Fundamental Freedoms. The right to an effective and timely judicial review shall be guaranteed.

See how the language evolved here. Civil rights group European Digital Rights aptly points out that the final language does not require a prior formal adjudication of alleged infringement before access restrictions are imposed, merely a “procedure”. The provision also does not apply to restrictions imposed by private actors (only states), leaving open the danger that ISPs may be pressured into “voluntary” agreements by law enforcement or rights holders to accomplish what governments themselves cannot impose.

Regardless of the specific language, however, the debate highlights the core principle that Internet access has become essential for the exercise of fundamental human rights. The Internet and other new media have become primary sources of news and information, as well as essential platforms for communication, not only between individuals, but also between citizens and their government. As more of our everyday lives are “lived online” (finding a job, finding housing, finding a date, filing taxes, participating in the political process, interacting with any number of government functions), access to the Internet becomes all the more necessary for the exercise of our rights to freedom of expression and access to information.

Of course, recognizing the importance of Internet access to freedom of expression certainly doesn’t give Internet users free rein to break the law. However, government efforts to address bad behavior online must give full recognition to just how fundamental Internet access has become: to cut off access entirely is to drastically curtail the exercise of core human rights. While governments may decide that there are some crimes that are so egregious and harmful to society as to warrant such punishment — and we don’t believe civil violations including unauthorized file sharing comes close — then proportionality, due process, and a full and open debate must be central to the policy analysis, given the potential impact on human rights.

Stay tuned for more on this issue – especially since graduated response could be headed our way very soon.

The information on children collected in these electronic data warehouses includes matters related to teen pregnancies, mental health and juvenile crime; the report says that this information is often stored in a manner that “violates federal privacy mandates,” the study says.

From the report’s summary:

“Some striking examples are that at least 32% of the states warehouse children’s social security numbers, at least 22% of the states record children’s pregnancies, at least 46% of the states track mental health, illness, and jail sentences as part of the children’s educational records, and almost all states with known programs collect family wealth indicators.”

The study isn’t all finger pointing, it also outlines several critical recommendations to help increase the privacy, transparency and accountability of these databases. The study comes just as Congress is considering expanding and integrating the data collection process among the 43 states that currently collect this type of information on K-12 children.