Blumenthal and Bono Mack Discuss Privacy, Cybersecurity Legislation

Last Thursday morning, Politico Pro presented a briefing focused on cyberprivacy and cybersecurity. Participating in the discussion were Sen. Richard Blumenthal (D-CT), Rep. Mary Bono Mack (R-CA), Dr. Thomas M. Lenard (President and Senior Fellow at the Technology Policy Institute), and Tim Sparapani (Principal at SPQR Strategies, PLLC).

The briefing began with a discussion of the pending Cyber Intelligence and Sharing Act (CISPA). The legislation would increase the ability of the government and private sector to share cyber threat information. While both Sen. Blumenthal and Rep. Bono Mack agreed that the cyber threat is significant and real, they disagreed about provisions of CISPA. While Bono Mack supports the bill in its current form, Blumenthal believes that the bill needs greater privacy protections and should include a private right of action. Blumenthal also broached the idea of creating a new cybersecurity agency to protect the country against cyber attacks. Bono Mack responded that creating a new agency would not be a panacea, and that the best solution is to empower the private sector to find solutions.

Blumenthal and Bono Mack also expressed differing opinions about privacy legislation. Blumenthal voiced his support for baseline privacy legislation. He said that people understand privacy, and they should have knowledge of data practices and the option to give consent to data collection. Bono Mack, on the other hand, said people frequently choose convenience over privacy, and there should be more Congressional hearings on privacy. Her first choice, she said, was industry self-regulation; only if this failed should Congress pass privacy legislation. Tim Sparapani meanwhile voiced optimism that app developers are taking privacy seriously. He also noted the importance of data minimization and warned against legislation that would inhibit the ability of the private sector to develop new, innovative products and solutions.

One area where Blumenthal and Bono Mack did agree was on data breach legislation. They both voiced their support for data breach legislation, and such legislation has strong bipartisan support.

Overall, the participants were in broad agreement about what needs to be done; all agreed that privacy is very important, and the U.S. urgently needs to increase cybersecurity. However, as with so many events on cybersecurity and cyberprivacy legislation, the participants held divergent opinions about the best way to accomplish these goals. The discussion, while informative, did not seem to indicate an immediate compromise solution.

-Steven Beale

Apr. 23, 2012 – Facebook Apps Scored For Privacy, RedOrbit

PCLOB Nomination Hearing

Last Wednesday the Senate Judiciary Committee held a confirmation hearing for nominees to the Privacy and Civil Liberties Oversight Board (PCLOB). The Board, created in response to the 9/11 Commission, is charged with making sure privacy and civil rights are protected for executive branch activities and measures. It consists of five members appointed by the President, and all five of these nominees were present at Wednesday’s hearing. The nominee for Chairman of the PCLOB is David Medine, and the other nominees are James Xavier Dempsey, Elisebeth Collins Cook, Rachel L. Brand, and Patricia M. Wald. The nominees are bipartisan, and all are recognized thought leaders on privacy and civil rights.

The hearing showcased significant common ground between the senators present and the nominees. All agreed that civil rights are fundamental; as Senator Leahy put it, safeguarding liberties is not a partisan issue, it is an American issue. At the same time, everyone agreed that privacy controls should not impede security. Rather, there was consensus that privacy and security are not mutually exclusive, and that it is possible to simultaneously have both strong security and privacy.

One topic that surfaced multiple times was cybersecurity and information sharing. Senators Leahy, Whitehouse, and Franken all asked the nominees questions about pending cybersecurity legislation. In particular, the senators were interested in how to encourage the sharing of cybersecurity threat information while also protecting the privacy of U.S. citizens. The nominees agreed that this is an important issue, and Mr. Dempsey expressed the opinion that increased information sharing would be beneficial and could be done in a privacy-friendly manner.

Another theme that surfaced several times was how to ensure privacy in an era of rapid technological change. GPS, facial recognition technology, data aggregation, and other new technologies allow the government to track and gather significant data about citizens. This data can be used to protect our nation’s security, but, if proper rules are not in place, it can also infringe the privacy and civil liberties of innocent Americans. Ms. Cook noted that, if confirmed, she would work with her colleagues to use new privacy enhancing technologies. Ms. Wald also noted the important role the PCLOB can play by working to ensure privacy and civil liberties are protected during the policy design phase.

The hearing demonstrated that if and when the nominees are confirmed, they will have to carefully prioritize their important work. The hearing did not feature any harsh questions or significant criticisms of the nominees, so the path may be clear for proceeding to confirmation.

-Steven Beale

Apr. 22, 2012 – Facebook apps rated on privacy protection, Tucson Citizen

Swire Cybersecurity Op-Ed in The Hill

FPF Senior Fellow Peter Swire just published an op-ed in The Hill titled “Moving Too Fast on Cybersecurity.” In the piece, Swire cautioned against rushing cybersecurity legislation through Congress.

Tracking Progress on Do Not Track

The Tracking Protection Working Group of the World Wide Web Consortium (W3C) met last week in Washington, D.C. to further its efforts in developing industry standards for Do Not Track (DNT) measures. As deadlines for public release of the specifications near, the pressure is on for the group to come to agreement on critical policy questions around Do Not Track. The group has made a lot of progress on some issues, such as reaching general agreement that DNT is primarily aimed at third parties who collect data at sites. However, substantial debate continues around the definition of a third party and what those third parties can do with data when the DNT header is “on.”

Some stakeholder participants maintain that DNT should give consumers the ability to block most data collection by third parties, and only allow collection and retention for limited specified purposes, such as fraud and security. Other participants maintain that they need to be able to collect more data under DNT in order to perform business functions such as frequency capping, auditing, financial logging, and market research.

FTC Commissioner Julie Brill made a guest appearance to show the FTC’s support for the W3C’s efforts, identifying it as one of three major DNT processes underway; the other two are the advertising trade groups’ self-regulatory program and the do not track mechanisms implemented in popular browsers. The FTC set the stage for a future DNT framework in its Final Privacy Report released last month. The report called for a Do Not Track standard to mean more than just “Do Not Target” and to have elements of “Do Not Collect.” Failing the inclusion of this, the FTC indicated it would support DNT legislation. However, Commissioner Brill stated that she, along with FTC Chairman Jon Leibowitz, is confident that there will be an effective DNT framework by the end of the year.

Why is tracking so important for companies, if they have already agreed to allow users to opt-out of behavioral advertising? Tiny banner ads are a poor way to influence users compared to the richness of TV, radio, and magazines. But banner ads and their effectiveness can be precisely measured in ways that the other media cannot be (yet!). Advertisers still spend the bulk of their dollars offline, even though users increasingly spend large chunks of their day on the web. The big value add for many web publishers is their ability to report which ads on which sites were successful in causing users to transact on other sites and later in time.

For some, allowing the logging of data needed for such cross-site tracking creates too many risks. They worry the government might seek the data or they do not trust companies to refrain from using it for profiling or for discriminatory purposes. Others argue that consumers who are promised that they will not be tracked expect not to be tracked at all.

We believe that the potential compromise solution will need to allow for the basics of analytics and ad reporting, while relying on de-identification and retention limits as well as contractual and policy commitments to minimize privacy risks.

We were surprised to see Yahoo called out yesterday by the WSJ as “leading the charge” against DNT. If a DNT compromise is reached, no individual on the industry side will be more deserving of credit than Yahoo’s Shane Wiley. He and his team at Yahoo have spent countless hours on proposals seeking to bridge the differences among companies and other stakeholders. The volume of emails in our inbox and on the W3C listserv is a testament to that.

There is still much work to be done and the next weeks will be critical.

For a detailed analysis of the Do Not Track debate, read Jules Polonetsky and Omer Tene’s paper, “To Track or Do Not Track.”

-Lia Sheena

Apr. 19, 2012 – Banjo hits 1 million users, signaling mainstream interest in social location apps, ComputerWorld

Smart Security and Privacy for the Smart Grid

Last week, security researcher Brian Krebs reported on an FBI bulletin warning that criminals are hacking smart meters. In the bulletin, the FBI warns that former employees of smart meter manufacturers and utilities have been reprogramming residential and commercial smart meters to lower power bills. The FBI identifies one particular instance where a utility may have lost hundreds of millions of dollars due to this type of hacking.

While it is unfortunate that hacking of smart meters has taken place, it is not surprising. Where there is data and money, criminals will find a way to hack and steal. Indeed, criminals have been stealing from analog meters for decades as well.

However, criminal activity should not impede our adoption of important new technologies. For example, ATMs and online banking accounts are hacked today, but nobody is suggesting we should forgo the benefits provided by banks and retail websites. Similarly, smart meters offer consumers and society significant benefits, namely increased reliability, potentially smaller electric bills, and lower carbon emissions. These benefits should not be surrendered simply because digital progress comes with a risk of digital misuse.

Rather, the appropriate response is to focus on improving security and protecting privacy. With good policies and safety measures, we can minimize the risk and protect against loss. We need to recognize that absolute security is not possible. If the bar for technology adoption were set at 100% perfect, we would still be in the Dark Ages. We should take the FBI warning seriously and examine the research needed to minimize intrusions. By instituting reasonable security and privacy measures and building privacy and security into the design process, we can ensure that consumers reap the benefits of progress.

Google Glasses and the Do Not See List?

Release of new details about the Google Glass project deservedly is getting great attention from a range of tech and privacy writers. The idea of smart glasses is familiar to fans of Vernor Vinge’s book Rainbows End, which won the 2007 Hugo Award for best science fiction novel of the year. It’s safe to say that most people, however, have not deeply imagined what it will be like to have the equivalent of a computer screen super-imposed on their vision as they go through daily life.

Reporters have been asking whether to foresee advertisements on the smart glasses of the near future. My assumption is that we will see ads. Ads exist on television, radio, magazines, smartphones, and the Internet, so they will almost certainly exist on smart glasses.

Will there also be privacy debates about those advertisements? Yes, of course. Marketing companies will emphasize that the ads are incredibly useful – you look at the restaurant when walking down the street and a coupon pops up. Privacy advocates will emphasize the intrusiveness of seeing the world through a series of distracting and perhaps-unwanted ads. Advocates are also likely to express concern about the power of advertising to literally shape a person’s “world view” – to alter what a person sees moment-by-moment when traveling through life.

As the privacy debates commence, I think we can even announce a likely title for a regulatory debate about smart glasses – the “Do Not See List.” We have had “Do Not Call” for phones and “Do Not Track” for web surfing. Should individuals have the right to opt out of targeted ads on their glasses? It will be overwhelmingly tempting to call the privacy debate about smart glasses the “Do Not See” debate. I hereby give in to the temptation early.

For me, it is unbelievably exciting to imagine the range of new applications that will emerge to see the world differently. It is hard to predict the killer apps for this space, except to predict that there will be many of them. (As a professor, I immediately think how wonderful it would be to get prompts of student names when I forget them.) It is easy to predict, though, that privacy and other tech experts will debate long and hard about who gets to affect what I see, as I look out through my new pair of smart glasses.

-Peter Swire

Apr. 3, 2012 – What the FTC's Privacy Recommendations Mean for Consumers & Business, Web Pro News