Wednesday, September 30, 2009

Senators Introduce Bill to Repeal Telecom Immunity - Majority Leader Hoyer Proclaims His Opposition

By now, I think most everyone has a working knowledge of the warrantless wiretapping program under the Bush Administration. Similarly, I think we all probably remember the promises made from candidate Obama about his opposition to giving telecommunication companies immunity for their participation in Bush and company's crimes.

As we now all know, President Obama (and Attorney General Holder for that matter) has completely reversed himself, by not only refusing to prosecute or investigate the program and/or those that carried it out, but even expanding their defense of the program in some important key respects.

But now, finally, we may get a chance to see just where a lot of Democrats, and the President too, really stand on this issue. Remember, many proclaimed at the time that they voted for the new FISA bill that granted immunity to telecoms because it was critically needed to protect Americans, but that they would support going back and "fixing" it in the future.

Well, how much do you want to bet there are a whole lot of weak kneed Democrats coming up with a slew of phony reasons why they now can't back the bill just introduced by Democratic Chris Dodd (D-CT), Patrick Leahy (D-VT), Russ Feingold (D-WI), and Jeff Merkley (D-OR))?

The legislation, if passed, would repeal the legal immunity afforded the telecommunications industry for their participation in President Bush's warrantless wiretapping program.

Before I get to the article in Raw Story about the legislation, and House Majority Leader Hoyer's immediate announcement that he opposes the effort, let me provide some more recent revelations regarding the wiretapping program that we should all remember as this debate unfolds.

It was just a few months ago that a government report disclosed that President Bush authorized secret surveillance activities that went beyond the previously disclosed NSA program – raising the prospect of additional unlawful conduct. This new information has led to concerns in Congress about the agency’s ability to collect and read domestic e-mail messages of Americans on a widespread basis.

Supporting that conclusion was the account of a former N.S.A. analyst who, in a series of interviews, described being trained in 2005 for a program in which the agency routinely examined large volumes of Americans’ e-mail messages without court warrants. Two intelligence officials confirmed that the program was still in operation.

This report, mandated by Congress last year and produced by the inspectors general of five federal agencies, also found that other intelligence tools used in assessing security threats posed by terrorists provided more timely and detailed information.

In fact, NOT ONE instance could be cited that demonstrated the wiretapping program prevented any attack of any kind, ever. Nor did it lead to the capture of any terrorists. In light of these facts, one would think that the Obama Administration would come down somewhere at least close to the position that candidate Obama espoused on the campaign trail. Sadly, the opposite has been true.

In fact, all we have to show as a nation since this program was exposed is additional protections (and retroactive immunity) to telecom companies for sharing our private information with the government, and more legal cover for the Executive Branch to carry out similar efforts in the future.

Giving telecom companies immunity serves the dual purpose of protecting the politicians from having the telecom companies share what they know about THEIR crimes!

This very subject is in fact still working its way through the courts. A few months back, Chief U.S. District Judge Vaughn Walker threw out more than three dozen lawsuits claiming that the nation’s major telecommunications companies had illegally assisted in the wiretapping without warrants program approved by President Bush after the 2001 terrorist attacks. But, while he said the objections of the privacy groups were not strong enough to override the wishes of Congress, Judge Walker did show some sympathy for the plaintiffs’ claims.

He had refused the government’s efforts to invoke the “state secrets” privilege and had moved toward compelling the Justice Department to turn over documents. The Electronic Frontier Foundation and the ACLU are appealing the case, and, Judge Walker kept intact related claims against the government over the wiretapping program, as well as a suit by an Oregon charity that says it has evidence it was a target of wiretapping without warrants.

So, its important to remember the context in which this effort to repeal telecom immunity finds itself. I personally think its a disgrace that ANY legislator of any party could be opposed to following the only real avenue to the truth: discover what the telecommunication companies know and hold them accountable for their actions.

RawStory reports:

The four senators, all liberal Democrats, emphasized that they believed granting the industry immunity violated the law and due process.

“I believe we best defend America when we also defend its founding principles,” Dodd said in the release. “We make our nation safer when we eliminate the false choice between liberty and security. But by granting retroactive immunity to the telecommunications companies who may have participated in warrantless wiretapping of American citizens, the Congress violated the protection of our citizen’s privacy and due process right and we must not allow that to stand.”

...

Wisconsin Democrat Russ Feingold asserted that the telecom immunity provision, contained in a revision to the Foreign Intelligence Surveillance Court Act (FISA), short-circuited the US legal system. “Granting retroactive immunity to companies that went along with the illegal warrantless wiretapping program was unjustified and undermined the rule of law,” Feingold said in a statement. “Congress should not have short-circuited the courts’ constitutional role in assessing the legality of the program. This bill is about ensuring that the law is followed and providing accountability for the American people.”

Click here to read the article in its entirety.

Seems perfectly reasonable doesn't it? Well, it took Congressman Steny Hoyer all of a day to run to the press and let his feelings known: I Oppose Accountability!:

"I don't think that revisiting that issue is really going to get us anyplace." While Hoyer admitted he had not seen Dodd's bill, he went ahead and dropped this waffling gem: "I am not going to make a decision on that at this point in time. I think there was a determination to move on on that issue and I think that determination is a good one."

Wow what ironclad logic! I guess we should say that about other crimes too then? Look, robbing that bank is in the past, what do we get from running down criminals after they've broken the law? What's done is done. What do we achieve by punishing wrongdoers?"

Gee, what do we achieve by doing this? How about accountability, avoiding the establishment of a dangerous precedent, and upholding the rule of law (to name a few)?

I'll be keeping an eye on this bills progress right here!

Tuesday, September 29, 2009

New York Times Editorial: An Incomplete State Secrets Fix

While the States Secrets provision, and its abuse by the Bush and Obama Administration's is about a whole lot more than privacy, I think this editorial in the New York Times is still worth posting here.

Its a good sign that the Times has decided to take such a strong stand on this issue. I'll get to discussing it more in future posts, but today time simply doesn't permit.

The Editorial Board writes:

One of the ways that the Bush administration tried to avoid accountability for its serious misconduct in the name of fighting terrorism was the misuse of an evidentiary rule called the state secrets privilege. The Obama administration has essentially embraced the Bush approach in existing cases, trying to toss out important lawsuits alleging kidnapping, torture and unlawful wiretapping without any evidence being presented.

The other day, Attorney General Eric Holder Jr. issued new guidelines for invoking the state secrets privilege in the future. They were a positive step forward, on paper, but did not go nearly far enough. Mr. Holder’s much-anticipated reform plan does not include any shift in the Obama administration’s demand for blanket secrecy in pending cases. Nor does it include support for legislation that would mandate thorough court review of state secrets claims made by the executive branch.

...

In any event, while more stringent self-policing of executive branch secrecy claims is welcome, it is hardly a total fix. Senator Russ Feingold, a Wisconsin Democrat, noted that without a clear, permanent mandate for independent court review of the administration’s judgment calls, Mr. Holder’s policy “still amounts to an approach of ‘just trust us.’”

If the Obama team is sincere about wanting to end state secrets abuses, it will support the State Secrets Protection Act sponsored in the Senate by Patrick Leahy, the Judiciary Committee chairman, and in the House by Representative Jerrold Nadler, a Democrat of New York. The measure contains safeguards to ensure protection of legitimate secrets. But before ruling on a secrets claim, and possibly dismissing a lawsuit, judges would be required to review the documents or evidence in question instead of just accepting assertions in government affidavits.

Click here to read the rest of the editorial.

Friday, September 25, 2009

Rotenberg Op-Ed: What's Privacy in the Age of Facebook?

With the explosion in popularity of social networking sites like Facebook and Myspace the ability to protect ones personal privacy has become increasingly challenging. It goes without saying that Facebook and Myspace pages have the potential to reveal a considerable amount of information about a user's lifestyle, interests, and goals. Depending on the user's settings, co-workers, employers, and certain family members could have access to information about the user that may be better left unknown.

Recent Facebook flaps highlights growing concerns about the increasingly sophisticated technologies used to track online activities in an effort to more precisely target advertising. What has also become apparent is that these social networking sites have not exactly been forthcoming about how much user information they harvest, share, and with whom.

However, in recent months users have been becoming more and more conscious of privacy concerns, as Facebook has been criticized for not allowing people to permanently delete their accounts and personal information from the site as well as their use of "Beacon" (no longer in use by Facebook) - a technology that tracks user's online purchases and informs their friends.

The controversy raised by Facebook's use of the Beacon technology - and the subsequent victory of privacy advocates - has helped ignite a larger debate regarding the largely hidden and growing problem of online consumer-tracking and information-sharing.

And this larger discussion - like what privacy means in the age of Facebook - was expertly articulated today by Marc Rotenberg, Executive Director of the Electronic Privacy Information Center in an article entitled "What's Privacy in the Age of Facebook?".

He writes:

Make no mistake, this is all about privacy. Not the old-fashioned parchment scroll, carried by courier on horseback from the castle to the king's army. This is modern-day privacy, about digital identity, the control of personal information, and the brewing battle between what we post and its commercial value.

Modern privacy begins with the understanding that personal information will be widely accessible. That's as true for web 2.0 as it was for the early Internet, and for the telephone. It's a paradox to be sure. Someone once said, "we must protect privacy to ensure the free flow of information." That's exactly right.

...

Modern privacy is about what happens to information once it's held by others -- whether it's a government agency, a bank, a cell phone company, or a social network site. We give up personal information all the time, but that doesn't end the discussion over privacy. That's where it begins.

Is the government going to use our data as it is supposed to or is it going to spy on us? Does the bank have good security or do we have to worry about breaches? If I give an email address to a cell phone company, am I going to get spammed? And is that quiz that just told me which European capital city I'm most like really trying to figure out who my friends are?

Of course, there is still some interest in secrecy, as just about any parent who has tried to friend their kids on Facebook knows. In fact, everywhere around us, the digital anthropologists will observe, are the cultural artifacts of privacy -- privacy polices on web sites, privacy settings on social network services, privacy features in web browsers and email. What is the purpose of these techniques? To provide people with some control over the information they disclose to others.

...

I smile every time someone says, "Privacy is dead" or the "Facebook generation doesn't care about privacy." If there is one issue that people feel passionately about today, that literally unites everyone who goes online, it is the interest in privacy.

Click here to read the article in The Huffington Post.

As I wrote a few days ago, I think what a lot of privacy advocates would like to see Web sites do - and the government should require them to do - is give users as much control over their identities online as they have offline (as far as that is possible). In other words, if I'm online, I'd like to be asked if I want my personal information to be viewable by others, and by whom, be it their friends or be it everyone in the world.

Privacy settings, which allow for this kind of screening, should be prominent, clear and easily managed. Again, it's really about making the "opt-in" principle the Golden Rule of the web. That means that BEFORE the users information is disseminated he/she should be notified and should have to affirmatively “opt in".

As Mr. Rotenberg correctly concludes his editorial: "...the battle is just beginning."

Thursday, September 24, 2009

Patriot Act's "Sneak-and-Peek" Authority Exposed! Feingold Grills Assistant AG

Let's take a stroll down nightmare lane, shall we? If you remember, in the fear tainted debate over the PATRIOT Act, the Bush Administration insisted it needed the authority to search people's homes without their permission or knowledge so that terrorists wouldn't be tipped off that they're under investigation. Now that the authority is law, and now that the Obama Administration has asked for its extension, how has the Department of Justice used the new power?

Answer: To go after drug dealers...and nearly NO "TERRORISTS".

Only three of the 763 "sneak-and-peek" requests in fiscal year 2008 involved terrorism cases, according to a July 2009 report from the Administrative Office of the U.S. Courts. Sixty-five percent were drug cases.

Just so we're REALLY CLEAR on this, let me quote the Fourth Amendment...and then you tell me if the governments "Sneak and Peek" requests have passed the old Constitutional "smell test":

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

Two years ago I gave an interview to NPR on the issue of creating a giant prescription drug database - funded by private pharmaceutical and health insurance interests - that would give immediate access to all of our prescription drug records not just for doctors (which is still problematic) but to the police and government as well.

Now, while its a different issue, I believe the response I gave was telling, and correct, particularly in hindsight. Essentially I made the point, which I believe these new revelations strongly back up, that we should all be skeptical any time the "war on drugs" is used to rationalize the increasing deterioration of our right to privacy.

But I don't think I could even have predicted that 65% of the "sneak-and-peek" orders - a provision sold to us as necessary to protect us from terrorism - would be used to fight the phony, destructive "war on drugs".

AS I also told NPR at the time, if we really wanted to reduce drug dependency we should focus on fully funding our schools, offering first class drug counseling and rehabilitation services, and stopping the advertising of prescription drugs on television every night (among many other tactics).

On that note, watch Sen. Feingold grill Assistant Attorney General David Kris about this discrepancy at a hearing on the PATRIOT Act Wednesday. If you have trouble watching the video down below, here are the highlights courtesy of the the Huffington Post, "One might expect Kris to argue that there is a connection between drug trafficking and terrorism or that the administration is otherwise justified to use the authority by virtue of some other connection to terrorism. He didn't even try."

Instead, Kris states, "This authority here on the sneak-and-peek side, on the criminal side, is not meant for intelligence. It's for criminal cases. So I guess it's not surprising to me that it applies in drug cases."

As I recall it was in something called the USA PATRIOT Act," Feingold quipped, "which was passed in a rush after an attack on 9/11 that had to do with terrorism it didn't have to do with regular, run-of-the-mill criminal cases. Let me tell you why I'm concerned about these numbers:

That's not how this was sold to the American people. It was sold as stated on DoJ's website in 2005 as being necessary - quote - to conduct investigations without tipping off terrorists."

Kris responded by saying that some courts had already granted the Justice Department authority to conduct sneak-and-peeks. But Feingold countered that the PATRIOT Act codified and expanded that authority -- all under the guise of the war on terror.


Feingold, the lone vote against the PATRIOT Act when it was first passed, is introducing an amendment to curb its reach. "I'm going to say it's quite extraordinary to grant government agents the statutory authority to secretly break into Americans homes," he said.

Watch!



It goes without saying that these new revelations should give Senator Feingold's JUSTICE Act a better chance of being enacted. As I also mentioned in a post earlier in the week, Feingold's legislation provides a kind of privacy litmus test for the President, because candidate Obama was essentially supportive of what the Senator is now proposing...but its unclear where he is now on these issues.

We now know, without a shadow of a doubt, that the "the sneak and peak" authority given to the Government under the false premise of fighting terrorism, was in fact used to break into homes of alleged drug dealers and users...and who knows who else (political activists, peace protesters?). It is hard to think of a graver violation of our Constitution and the rights of those Americans that had their homes broken into.

For these reasons it then becomes apparent that the JUSTICE Act is a monumentally important piece of legislation, both in terms of its concrete and tangible reforms, as well as the barometer for which it will serve as in terms of measuring whether Congress and the President are ready and brave enough to take on some of the most egregious aspects of the Patriot Act.

This is an incredible opportunity to restore some semblance of privacy rights for the American public and a check on Executive Power run amok. It would also go a long way in demonstrating that we are no longer a country in the grips of an irrational fear that overrides common sense and the Constitution itself.

Wednesday, September 23, 2009

A Big Win for Privacy Advocates: Facebook Agrees to Shut Down Beacon

Here's a bit of news everybody can celebrate: Facebook has agreed to shut down its Beacon advertising system. Granted, the company has taken this step to settle a class-action lawsuit filed in August 2008 that alleged Facebook and its Beacon affiliates like Blockbuster and Overstock.com violated a series of laws, including the Electronic Communications Privacy Act, the Video Privacy Protection Act, the California Consumer Legal Remedies Act and the California Computer Crime Law.

The proposed settlement, announced last week, calls not only for Facebook to discontinue Beacon, but also back the creation of an independent foundation devoted to promoting online privacy, safety and security. As reported by Computerwold, the money for the foundation will come from a $9.5 million settlement fund.

The Facebook/Beacon case highlights growing concerns about the increasingly sophisticated technologies that are being used to track online activities in an effort to more precisely target advertising. Another truth highlighted in the case: Social networking sites have not exactly been forthcoming about how much user information they harvest, share, and with whom.

The controversy raised by Facebook's use of the Beacon technology - and the subsequent victory of privacy advocates - has helped ignite a larger debate ot the largely hidden and growing problem of online consumer-tracking and information-sharing.

As Pam Dixon executive director of the World Privacy Forum stated at the outset of the lawsuit: "This Facebook debacle is in one way very good, because it shows people just what is happening. There are other sites and other places where very similar data arrangements exist, but it is all happening...One of the things we have been saying about behavioral advertising is that people don't know it's happening...You have to be tremendously technically savvy to know what is happening under the hood."

Facebook's Beacon was released in early November of 2007 as a part of its Facebook Ads platform. It was ostensibly designed to track the activities of Facebook users on more than 44 participating Web sites, and to report those activities back to the users' Facebook friends, unless specifically told not to do so.

The idea is to give participating online companies a way to monitor the activities of Facebook users on their Web sites and to use that information to then deliver targeted messages to the friends of those Facebook users.

As also originally reported in ComputerWorld, the relative lack of disclosure about what was going on - and the relative difficulty involved in opting out of the program - led to a maelstrom of criticism against Facebook. In addition, there were disclosures by a CA Inc. security researcher that showed that Facebook's tracking was far more invasive and extensive that the company originally let on.

Facebook's Beacon tracked the activities of users even if they had logged off from and had declined the option of having their activities on other sites broadcast back to their friends. Likely to be even more damaging was another disclosure that Beacon's tracking did not stop with just those of Facebook users. Rather, it tracks activities from all users in its third-party partner sites, including IP address data of people who never signed up with Facebook or those who deactivate their accounts.

So with that backdrop, one can understand why privacy advocates are celebrating this long overdue decision by Facebook. Computerworld reports:

"Beacon was a disaster, not because it used people's personal information for commercial marketing purposes," said James Grimmelmann, an associate professor at New York Law School. "It was a disaster because it used people's personal information commercially and then rubbed their faces in it, literally."

...

...the stealthy nature of the service, its intrusive tracking of users and the extensive sharing of user information between Facebook and its Beacon affiliates resulted in an outpouring of protest against the service. Though, Facebook tweaked Beacon several times to make it more user-friendly, the concerns persisted. Grimmelmann, for instance, was among the first to question whether Blockbuster was violating the Video Privacy Protection Act when it shared information about a Facebook's users movie choices to others.

The big problem with Beacon was that the information Facebook collected was not being used to help users but to help affiliates sell goods, Grimmelmann sai8d. "It interfered with people's self-presentation, turning them into shills against their will," he said. "Beacon wasn't just illegal, it was a bad idea -- it made it obvious to users that large, impersonal companies were pushing private data around in order to hijack their identities and mess up relationships of friendship and trust."

...

Marc Rotenberg, executive director of the Washington-based Electronic Privacy Information Center (EPIC), welcomed Facebook's decision. But he said he hopes the settlement in San Jose does not preclude the litigation in Texas, where EPIC has filed a friend-of-the-court brief supporting the plaintiffs. According to Rotenberg, it is almost certain that federal privacy laws were broken if Blockbuster shared information about an individual's movie rental habits with other Facebook users while participating in Beacon.


Click here to read more from the article.

I think what a lot of privacy advocates would like to see Web sites do - and the government should require them to do - is give users as much control over their identities online as they have offline. In other words, if I'm online, I'd like to be asked if I want my personal information to be viewable by others, and by whom, be it their friends or be it everyone in the world.

Privacy settings, which allow for this kind of screening, should be prominent, clear and easily managed. Again, it's really about making the "opt-in" principle the Golden Rule of the web. That means that BEFORE the users information is disseminated he/she should be notified and should have to affirmatively “opt in".

Monday, September 21, 2009

What About Obama's Promise to Scrap the Patriot Act?

It certainly would appear the answer to this question is "NO". However, as I have pointed out in recent posts, while Obama has asked for the renewal of three key surveillance laws in the Patriot Act, he left the door open for increased privacy protections being added. In addition to that, Senator Russ Feingold has authored his own bill - the JUSTICE Act - which would include more effective checks on government searches of Americans’ personal records and other overly broad authorities.

The bill will also reform the FISA Amendments Act, passed last year, by repealing the retroactive immunity provision, preventing “bulk collection” of the contents of Americans’ international communications, and prohibiting “reverse targeting” of innocent Americans. And the bill enables better oversight of the use of National Security Letters (NSLs) after the Department of Justice Inspector General issued reports detailing the misuse and abuse of the NSLs. The Senate Judiciary Committee will hold a hearing on Wednesday, September 23rd, on reauthorization of the USA PATRIOT Act.

Feingold's legislation provides a kind of privacy litmus test for the President. With that in mind, lets look back at just what in fact candidate Obama promised versus what he now seems to be advocating.

Earl Ofari Hutchinson tackles the issue on the Huffington Post:

Then-Senatorial candidate Obama in 2003 branded the Patriot Act "shoddy and dangerous" and pledged to dump it. He made the pledge in response to a candidate's survey by the National Organization for Women. Obama reneged on the pledge. But he did work to shave off some of the more blatantly outrageous constitutional abuses in the Act by imposing some civil liberties protections in the gathering and use of intelligence, on the use of torture in interrogations, and requiring at least some semblance of due process in court proceedings. But that paled in significance when Obama in a letter and with little fanfare and comment routinely let stand most of the still noxious provisions in the Act.

Business and citizens groups can still have their records examined by the government with minimal checks on how the information can be used and more particularly used against. Individuals often based on flimsiest of evidence can still be targeted for monitoring and surveillance if suspected of being a potential terrorist. Organizations and individuals can still be slapped with so-called roving wiretaps (taps that can be placed on an individual or group anywhere, anytime) again based on the flimsiest evidence or suspicion.

...

Obama justifies keeping nearly all of Bush's terror war provisions in place with the standard rationale that the government must have all the weapons needed to deal with the threat of terrorism, even legally and constitutionally dubious weapons. That, of course, was the Bush and Cheney stock line. The one small difference between them and Obama is that Obama has sought to put a softer casing around those illicit weapons. That's no consolation for those who took candidate Obama and later Senator Obama at his word that he'd scrap or at least radically overhaul the Act.

Click here to read the rest of the article.

Let's hope Senator Feingold, along with Senator's Durbin and Sanders in particular, can persuade enough Democrats to support the bill, which perhaps in turn will remind the President that he did make a promise...and while its clear he's not going to keep it, the least he could do is support basic, common sense legislation like Senator Feingolds.

Friday, September 18, 2009

Senator Feingold Counters the Patriot Act with the "JUSTICE Act"

As I discussed on Wednesday, the Obama administration and the Justice Department have signaled they would like to see a variety of the Patriot Act's provisions renewed...while leaving the door open to privacy improvements from the Congress being added.

Specifically, Congress was asked to reauthorize the use of roving wiretaps, permitting authorities to track multiple communications devices owned by an individual since people can switch devices frequently and quickly. The administration also asked that one particularly controversial intelligence gathering method be reauthorized - accessing personal records.

As I also pointed out, while at first glance, the Administration's embrace of these Patriot Act provisions is bad news, and represents a slight shift from candidate Obama's position, all is not necessarily lost. The fact that the President (and the DOJ) hinted at a willingness to accept additional privacy safeguards, combined with the fact that Senator's Durbin and Feingold (a privacy champion) had taken the lead in advocating for those changes, has given me some hope.

Now - thanks to Senator Russ Feingold's Justice Act - we'll see if the Administration and Department of Justices actions match their words (and just how pro-privacy the Democratic Congress is).

Feingold has been joined by co-sponsors Durbin, Tester, Udall, Bingaman, Sanders, Akaka, and Ron Wyden. The bill would fix problems with three provisions of the Patriot Act that expire at the end of this year...each of which threatens the rights and liberties of American citizens.

According to Feingold's office, "The Judicious Use of Surveillance Tools In Counterterrorism Efforts (JUSTICE) Act" would reform the USA PATRIOT Act, the FISA Amendments Act and other surveillance authorities to protect Americans’ constitutional rights, while preserving the powers of our government to fight terrorism.

The JUSTICE Act reforms include more effective checks on government searches of Americans’ personal records, the “sneak and peek” search provision of the PATRIOT Act, “John Doe” roving wiretaps and other overly broad authorities. The bill will also reform the FISA Amendments Act, passed last year, by repealing the retroactive immunity provision, preventing “bulk collection” of the contents of Americans’ international communications, and prohibiting “reverse targeting” of innocent Americans.

And the bill enables better oversight of the use of National Security Letters (NSLs) after the Department of Justice Inspector General issued reports detailing the misuse and abuse of the NSLs. The Senate Judiciary Committee will hold a hearing on Wednesday, September 23rd, on reauthorization of the USA PATRIOT Act.

Feingold stated, "The JUSTICE Act permits the government to conduct necessary surveillance, but within a framework of accountability and oversight. It ensures both that our government has the tools to keep us safe, and that the privacy and civil liberties of innocent Americans will be protected. When he was in the Senate, President Obama was a strong ally on these issues, and I look forward to working with his administration to find common ground on commonsense reforms.

Senator Durbin noted, "The Government must use every legal tool available to protect us from the threat of global terrorism. But when those tools override Americans’ fundamental rights and liberties, we run the very real risk of never getting them back. As we move toward reauthorization of the PATRIOT Act, we’re proposing commonsense changes to better protect our most basic constitutional rights. Our bill strikes a careful balance between the law enforcement powers needed to combat terrorism and the legal protections required to safeguard American liberties.”

And Senator Bernie Sanders said, “Every American understands that we have got to do every single thing we can to protect the American people from terrorist attacks. There is no debate about that. Some of us believe, however, that we can be successful in doing that while we uphold the rule of law, while we uphold the Constitution of this country, which has made us the envy of the world."

Now, earlier this year, the ACLU released a report called Reclaiming Patriotism (PDF), that details the parts of the Patriot Act that need fixing most. Here's what it said about the three provisions that will expire at the end of the year and that are address by Senator Feingold's bill:

Section 206, a.k.a. the "roving wiretap" provision: Section 206 allows the FBI to get an order from the Foreign Intelligence Surveillance Court (FISC) to wiretap a target without having to provide the target’s name or even their phone number. The provision only requires that the target is described "with particularity," and that the FBI tell FISC why it had to tap the phone after it was tapped. It basically lacks any kind of specificity that, you know, a real warrant would need.

Section 6001, a.k.a. the "lone wolf" provision of the Intelligence Reform and Terrorism Prevention Act (IRTPA): Section 6001 authorizes the government to get secret surveillance orders against individuals who are not associated with any international terrorist group or foreign nation. As the report points out, an international terrorist acting independently of any organization or country is pretty pie-in-the-sky unlikely.

Section 215, a.k.a. the "library provision": The term "any tangible thing" should raise your hackles. Like the previous two provisions, Section 215 also lowers the bar on the standard of proof needed to get a court order to surveil. Before the Patriot Act was passed, probable cause showing that the target of surveillance was the agent of a foreign power was required. After Patriot, Section 215 allows the FBI to only claim that the items or information sought is relevant to an investigation. That means the person being surveilled doesn’t necessarily have to be the target of the investigation or even be suspected of involvement in terrorism.

The ACLU makes a few more important points about the bill:

The ACLU is also concerned about provisions of the Patriot Act that are not expiring, but which would be amended under Sen. Feingold’s bill. For example, the National Security Letter statute, which permits the FBI to secretly demand sensitive and private customer records from Internet service providers, banks, and credit companies, without any suspicion or prior judicial approval. To make matters even worse, the statute allows the FBI to put gag orders on NSL recipients, prohibiting them from discussing the record demand. The ACLU have filed three lawsuits on behalf of NSL recipients, and most recently, a federal appeals court upheld a lower court ruling that the NSL statute’s gag provisions violated the First Amendment.

The Justice Act would also fix the worst parts of the FISA Amendments Act (FAA). You remember the FAA, right? That was the law Congress passed last year that immunized telecoms from lawsuits for wiretapping innocent Americans, in collusion with the National Security Agency. In passing the FAA, Congress — with the help of then-Sen. Obama — basically signed away our Fourth Amendment rights by allowing the government to conduct dragnet surveillance of Americans’ international communications.

It goes without saying this is a monumentally important piece of legislation, both in terms of its concrete and tangible reforms, as well as the barometer for which it will serve as in terms of measuring whether Congress and the President are ready and brave enough to take on some of the most egregious aspects of the Patriot Act. This is an incredible opportunity to restore some semblance of privacy rights for the American public...and demonstrating that we are no longer a country that is in the grips of an irrational fear that overrides common sense and the Constitution itself.

Apparently you can watch the debate unfold next week: On Tuesday, the ACLU’s Mike German will testify about the Patriot Act before the House Judiciary Subcommittee on the Constitution, Civil Rights, and Civil Liberties. And the Senate Judiciary Committee will hold a hearing on the Patriot Act next Wednesday.

Wednesday, September 16, 2009

White House Seeks Renewal of Surveillance Laws but Open to Possible Privacy Improvements

It was only a week ago that the Electronic Privacy Information Center (EPIC) released their Privacy Report Card for President Obama, giving him a less than stellar C+ on civil liberties.

Commenting on that grade on Tuesday I wrote, "Not only did the President flip flop on the wiretapping issue before being elected, he has refused to hold anyone accountable for the crimes committed by the Bush Administration or the telecommunication companies that abetted those crimes."

Based on breaking news today, perhaps the report card will need to be updated soon, as the Obama administration and the Justice Department are signaling their apparent embrace of (and request to renew) a variety of Patriot Act provisions.

Specifically, Congress has been asked to reauthorize the use of roving wiretaps, permitting authorities to track multiple communications devices owned by an individual since people can switch devices frequently and quickly. The administration also asked that one particularly controversial intelligence gathering method be reauthorized - accessing personal records.

That last request remains an area of contention because the question becomes whether library and bookstore records could be accessed too? This would clearly be unacceptable to privacy advocates...

So at first glance, this sounds like bad news, but, before I start sounding the alarm bells I would note that the President (and the DOJ) did hint that he's open to additional privacy safeguards being added to the Act, and we do have Senator's Durbin and Feingold (a privacy champion) leading the charge for them.

So before I start wallowing over yet another Obama extension of a Bush era policy let's see how this all pans out.

Of particular note in the articles I've read today is the issue of wiretapping. But before I get to the Washington Post write up let me remind everyone how we got here:

Until exposed by the New York Times, the Bush Administration had an ongoing, four year program that illegally spied on Americans' communications without warrants. Since that time there have been numerous additional revelations regarding this program...with one after the next only adding to the degree to which it subverted our Constitution and most certainly broke the law.

Amazingly, these revelations have CONTINUED to leak out, yet we have had no formal investigations or prosecutions to show for it - only a continuation and expansion of the Executive Branch's power to commit similar acts.

In addition, by giving the telecoms immunity - another one of Obama's flip flops - the dual purpose of protecting the politicians from having these companies share what they know about the program was achieved.

As a United States Senator, Obama was clear and correct in his assertion that the warrantless wiretapping program was illegal. And, the new Attorney General Eric Holder expressed the same view, both as a private citizen and at his confirmation hearing. As we now all know, both Obama and Holder have completely reversed themselves, by not only refusing to prosecute or investigate the program and/or those that carried it out, but have even expanded their defense of the program in some important key respects.

So it seems clear we can all resign ourselves to the fact that there will be no investigations or justice rendered when it comes to the government's wiretapping program. The question now becomes whether anything at all will be done to better protect the privacy of the public against the ever expanding power of the Executive Branch? We may have our answer soon...

This from the Washington Post:

The three provisions set to expire Dec. 31 allow investigators to monitor through roving wiretaps suspects who may be trying to escape detection by switching cellphone numbers, obtain business records of national security targets, and track "lone wolves" who may be acting alone on behalf of foreign powers or terrorist groups. The government has not employed the lone wolf provision, but department officials want to ensure they can do so in the future.

Obama's approach to electronic surveillance has been closely watched since he shifted positions during the presidential campaign last year, casting a vote to update the Foreign Intelligence Surveillance Act over the objections of liberals in his party. That law granted telecommunication companies immunity from lawsuits by Americans who argued that their privacy had been violated in an electronic data collection program.

...

Several civil liberties groups are exhorting Congress to use the expiration to begin debate on an array of domestic surveillance issues. One priority is national security letters, which require disclosure of sensitive information by banks, credit card companies, and telephone and Internet service providers. No judge signs off on these, and recipients are usually barred from talking about the letters.

Durbin and Feingold want to tighten standards for obtaining national security letters so that the government must show some "nexus to terrorism," according to a Senate Democratic aide, heightening the current standard of showing "relevance" to a counterterrorism investigation. The senators also want a judge be able to review the appropriateness of the gag order on the letters' recipients. Such provisions were contained in bipartisan legislation introduced previously by Feingold and Durbin and supported by then-Sen. Barack Obama.

Their new bill, expected to be out this week, will also seek to repeal the legal immunity granted to telecommunications companies included in last year's domestic surveillance legislation. The bill would also ensure that new powers granted under last year's law would not be used as a pretext to target the communications of Americans in the United States without a warrant, another Senate Democratic aide said.

...

The ACLU is also urging a tightening of last year's FISA Amendments Act to ensure that the government is collecting the e-mails and phone calls only of suspected terrorists. It also wants revisions of guidelines that empower FBI agents to use intrusive techniques to gather intelligence within the United States without any evidence that a target has ties to a terrorist organization.

Click here to read the rest of the article.

For the time being I prefer to remain cautiously optimistic - particularly due to my respect for Senator Russ Feingold - that some significant privacy safeguards will find their way into any final agreement. Its also a positive sign that the Justice Department and the Administration have signaled their willingness to work with Congress on addressing and improving these expiring provisions.

As always, the devil will be in the details.

And as noted by the ACLU, other government surveillance activities that did not expire this year also needed fixing, stating, "We must take this opportunity to get it right, once and for all." Amen to that...

Tuesday, September 15, 2009

EPIC Grades Obama on Privacy

The Electronic Privacy Information Center (EPIC) released their Privacy Report Card for President Obama last week, and as one would expect, his scores are less than stellar. Granted, he out performs the Bush Administration, but then, if that's the bar we're going to use we're all in deep, deep trouble.

Unfortunately, the Administration was given an incomplete grade on the issue of Consumer Privacy, an area that is especially of interest to the Consumer Federation of California.

As I have written about on this blog, the Federal Trade Commission (FTC) has gone through some enormous positive changes under President Obama, and appears committed to better protecting Internet users from behavioral targeting and ads as well as other invasive industry practices. What remains to be seen is who will be the two final appointments to the FTC board (the new head of the Bureau of Consumer Protection at the FTC and FTC Chairman Jon Leibowitz both excellent first steps) and how hard will the President push for reform?

As EPIC's report states:

The Obama Administration can protect consumer privacy by supporting new laws, by safeguarding the personal information held by the federal government, and by strengthening the Federal Trade Commission (FTC), the chief agency responsible for protecting U.S. consumers. The FTC assures that free annual credit reports are available to consumers, manages the Do Not Call telephone registry, investigates monopolies, combats identity theft, prevents deceptive practices by businesses, and protects consumer privacy rights. At this time, the Obama Administration has introduced no new consumer privacy legislation and has left two of the five FTC Commissioner slots unfilled. Proposals are also moving forward that would make government information available to the private sector for advertising and marketing.

Other highlights from the report include:

On Cybersecurity: B "The President's commitment to safeguard privacy and network communications in the difficult area of cybersecurity is commendable. But a battle looms over efforts by Congress to extend the government's control of the Internet. The President should have named a point person on cybersecurity to represent his views in that coming debate."

On Civil liberties: C+ "The Obama Administration inherited many troubling programs from the Bush Administration: the Patriot Act, Fusion Centers, No Fly Lists, E_Verify, and REAL ID. So far, there appears to be little change with the new Administration. There is a modified version of REAL ID called "PASS ID." The Patriot Act is still law. No Fly Lists and Fusion Centers are being expanded." The organization did note progress in some areas, "as well as open government and judicial appointments."

On Medical Privacy: A- "EPIC gives the Administration full credit for creating important privacy safeguards as part of the network for electronic health records. The privacy language in the HI‐TECH Act makes the bill one of the best privacy laws in years. Still, implementation of privacy safeguards remains a key challenge."

I would add one more disappointment to the list given under "civil liberties": wiretapping. Not only did the President flip flop on the issue before being elected, he has refused to hold anyone accountable for the crimes committed by the Bush Administration or the telecommunication companies that abetted those crimes. In addition, every expert I have read or spoken with has argued that the current law remains completely inadequate in terms of protecting the privacy of American citizens and restraining the growing authority of the Executive Branch.

All in all, its a rather dismal record all things considered. While again, an improvement over Bush, I think its safe to say that the President's record falls short of his promises as a candidate.

Friday, September 11, 2009

Important Security Breach Bill Moves on to Governor Schwarzenegger's Desk

Similar to my post on Wednesay, another important privacy bill that we (CFC) have vigorously supported this year is on its way to the Governor's desk! In contrast to AB 943 (Mendoza), we are fairly confident (unsure with AB 943) the Governor will sign SB 20 (Simitian) - a bill that would amend and improve California's landmark security breach notification law.

Signifying the importance of this legislation to privacy advocates and consumer groups was it's inclusion - along with AB 943 - in a letter from nine consumer rights organizations outlining legislative priorities during the final month of the 2009 session.

Signing the letter were CALPIRG, California Alliance for Retired Americans, Congress of California Seniors, Consumer Action, Consumer Federation of California, Consumers for Auto Reliability and Safety, Consumers Union, Older Women’s League of California, and Privacy Rights Clearinghouse.

Before I get to the article reporting the good news about SB 20, let me remind readers why CFC supports it so strongly:

The bill would amend California's security breach notification law stating that any public agency, person or business required to issue a security breach notification to more than 500 residents must submit the notification electronically to the Attorney General.

This measure also requires that the notification be written in plain language and include contact information regarding the breach, the types of information breached, and the date, estimated date, or date range of the breach.

Additionally, SB 20 would amend the substitute notice provisions of California's security breach notification law to require that an entity providing substitute notice also provide notice to the Office of Information Security and Privacy Protection.

California’s current security breach notification law does not require public agencies, businesses, or persons subject to that law to provide any standard set of information about the breach to consumers.

As a result, security breach notification letters often lack important information - such as the time of the breach or type of information that was breached - or are confusing to consumers.This leaves consumers uncertain about how to respond to the breach or protect themselves from identity theft.

SB 20 makes relatively modest but helpful changes to the current security breach notification statutes to enhance consumer knowledge about, and understanding of, security breaches.

Now to the good news from the California Chronicle:

SB 20 builds on previous legislation authored by Simitian, AB 700 (2002), which required any company or business that loses unencrypted personal information to send a security breach notification letter to consumers whose privacy was compromised. In the years since Simitian´s original privacy protection law, the measure has been widely praised, and more than 40 states have adopted similar legislation.

...

"Experience over the past half dozen years indicates that too often the information received is confusing, not clarifying," said Simitian. "SB 20 ensures that notice of a security breach will be genuinely helpful to consumers," he said. "No one likes to get the news that information about them has been stolen," said Simitian, "but when it happens, people are entitled to get a letter that helps them decide what to do next." SB 20, according to Simitian, "is designed to make a good law even better."

...

"Identity theft is a difficult problem to deal with," said Richard Holober, Executive Director of the Consumer Federation of California, a consumer rights advocacy organization, which included Simitian´s SB 20 as one of its pro-consumer legislative priorities. "We're confident that SB 20 will help make a complicated situation easier for consumers, and we urge the Governor to sign it into law."

Click here to read more.

Wednesday, September 9, 2009

Bill to restrict credit checks on job seekers headed to Governor's desk

An important privacy bill that we (CFC) have vigorously supported this year is on its way to the Governor's desk. At this juncture, its difficult to predict what Governor Schwarzenegger will do, but certainly his record is one of supporting big business over the rights of average citizens, particularly when it comes to our privacy.

The bill in question - AB 943 (Mendoza) - would prohibit a prospective employer from using consumer credit reports in the hiring process. The bill provides exceptions in cases when the job duties include access to cash or other financial assets, when the job is in law enforcement and in other narrow areas. An employer should not have any right to obtain confidential information that is not germane to a prospective employee’s job.

Signifying the importance of this legislation to privacy advocates and consumer groups was it's inclusion in a letter from nine consumer rights organizations outlining legislative priorities during the final month of the 2009 session.

Signing the letter were CALPIRG, California Alliance for Retired Americans, Congress of California Seniors, Consumer Action, Consumer Federation of California, Consumers for Auto Reliability and Safety, Consumers Union, Older Women’s League of California, and Privacy Rights Clearinghouse.

Why is this an important consumer protection? Because credit reports do not have predictive value in determining a worker’s ability to perform job duties, but a bad credit report might unfairly influence a hiring employer’s attitude toward a job applicant.

Unemployed workers are more likely to have suffered some downgrading of their credit score due to the circumstances of their unemployment; hence reliance on credit reports as a factor in hiring decisions might adversely impact those most in need of a job. Credit reports are often inaccurate, and could unfairly bias an employer.

Correcting mistaken information in a credit report is a tedious, time consuming process, and in the meantime, the job applicant is harmed due to errors by credit reporting entities. We therefore, are urging the Governor to protect the financial privacy of Californians from unwarranted snooping by prospective employers by signing AB 943.

The bill passed the Senate floor by a vote of 24 to14 on September 3rd and the Assembly floor by a vote of 49 to 30 on May 28th.

Check out the Los Angeles Times write up on the bill in today's edition. Tiffany Hsu reports:

Employers increasingly are using credit checks to screen job applicants, a practice critics say is making it tougher for many unemployed workers to find jobs in the midst of a grinding recession. That could change by the end of this week, when a bill that would prohibit companies from pulling credit reports on most job seekers is scheduled to reach Gov. Arnold Schwarzenegger's desk.

...

Employers increasingly are pulling credit reports on prospective hires; about 43% of employers do so, according to the Society for Human Resource Management. Federal law allows it as long as the job applicant gives authorization.

...

...some academic studies have found little connection between credit history and job performance. Critics contend that the practice perpetuates a vicious cycle in a rough job market: Candidates with dinged credit have a tougher time landing work that would help them out of their financial bind. Civil rights organizations say the practice is particularly disadvantageous to minorities and women.

...

The practice also discriminates against recent immigrants, some critics say, because credit scores are often based in part on the length of a consumer's credit history. And foreclosures, a common occurrence in the recession, can cause scores to dive hundreds of points -- and the information stays on the record for seven years. Divorce, identity theft and medical bills can also contribute to low credit without appearing on a report, supporters of the legislation said.

Click here to read more.

Tuesday, September 8, 2009

The Emerging Privacy Threat Posed by Smart Meters (and their enormous potential)

There is a critically important debate emerging throughout the country regarding the privacy consequences, implications and challenges that smart grid or smart metering technologies pose and how they can most effectively be addressed.

I delved into this subject quite deeply a few months ago in a post entitled The Privacy Challenges and Implications of a "Smart Grid". Since that time I have become more deeply involved in this issue in hopes of ensuring that the corporate interests seeking to maximize profit are not successful in portraying themselves as environmentally conscious stewards of the planet - and that protecting consumer privacy would somehow threaten this great mission.

The fact is that smart and effective environmental policy does not, and should not, conflict with the individuals right to privacy. Our society's transition to a smart grid system epitomizes this emerging and unnecessary "conflict" - and thus critical that we address it now - while this transition is still in the early stages of implementation.

It is because of this emerging false choice between the environment and privacy that we (Consumer Federation of California) are currently engaging the California Public Utilities Commission as they deliberate how to best implement a "smart grid" system.

Let me give some more backdrop in this issue by quoting some of what I wrote back in June of this year:

Transition to a "Smart Grid" system has been trumpeted by former Vice President Al Gore, and started gaining serious traction once President Obama announced his plan to overhaul U.S. infrastructure - including construction of a nationwide "smart grid" that promises to help address many of our current energy challenges.

According to Obama (and other environmental experts), the plan offers the hope that it "will save us money, protect our power sources from blackout or attack, and deliver clean, alternative forms of energy to every corner of our nation." What is especially interesting about this topic - to me anyway - stems from my past work as an environmental advocate versus my current work on privacy related issues. As some of you may have gathered, there are some issues in which these two interests - privacy and environment - clash (all be it more "gently" than other more typical oppositional interests).

Privacy is a concern when talking about a transition to a "smart grid" system because of the kinds of high resolution electricity usage information that it compiles and the intimate details of a consumer's daily life it monitors. This information in turn could then be used in ways potentially invasive to an individuals privacy.On the other hand, the environmental benefits of such a system, specifically the reduction in energy usage and greenhouse gas emissions (among others), represent a critical step forward and an important component to any comprehensive global warming and sustainability strategy.

And therein lies the challenge with a "Smart Grid": How do we balance the privacy concerns of the individual with the important environmental and energy security benefits of a more efficient energy infrastructure? Clearly, this is a challenge that must be worked out, and soon.While climate change threatens our species longterm survival, our right to privacy continues to be subverted by big business interests (esp. marketing and advertisers) and the government (esp. in the age of the phony 'war on terror').

The rapid advancement of technological innovation - without the requisite regulations to go along with them - only adds to this growing privacy protection challenge...which the development of a "Smart Grid" epitomizes.

Now let's get to the article that addresses this very topic in the Philadelphia Inquirer:

The meters could record material so frequently that power flows could be interpreted like DNA to reveal unique electrical signatures of individual appliances. Some experts imagine an Orwellian future in a carbon-constrained world, where consumers are cited for excessive electricity use, or divorce lawyers comb through meter records and ask: Who used the hot tub while the spouse was away?

...

Smart meters also will allow utilities to shut customers off remotely; currently, a crew has to physically disconnect the meter. They also will improve utilities' ability to detect and manage outages. But because they capture so much information, the meters also can reveal intimate details about activity inside a customer's house: when they are home; when they sleep; when they eat.

...

Analysts are only beginning to exploit the flood of data produced by the current generation of digital meters, which utilities such as Peco installed in the last decade to replace manual devices that had to be physically read every month by a meter reader.

Click here to read more.

I will be coming back to this topic a lot in the coming months, as I do feel it will be, and is already becoming, a critical issue for all those that care about privacy. Similarly, I believe it will serve as an opportunity for privacy and environmental advocates to demonstrate that we can work together in a way that protects both of our interests...and therefore those of the public as well.

There is no reason that privacy must be sacrificed at the alter of environmentalism - as protecting it will not reduce the potential of a smart grid system to reduce energy use. The real "enemy" is those that will seek to use these smart meters to gather, and then profit off our private information.

I can assure you that a key strategy that these corporate interests will utilize will be to pit those that advocate for privacy against those that work to address the environmental crisis we all face. We must not let this happen...and there is no better way to do this than by joining forces and working to ensure that our country's transition to a smart grid system is done in a way that protects the individuals right to privacy while helping reduce every households carbon footprint.

If you want to find out more about how this precisely can be done, I'd suggest you check out the recommendations made by Elias Leake Quinn CEES, Uni. Colo. Law School in his paper entitled "Privacy and the New Energy Infrastructure".

In one especially important passage he writes:

...the solution must involve, first and foremost, drawing attention to the potential privacy problem posed by the massive deployment of smart metering technologies and the collection of detailed information about the electricity consumption habits of millions of individuals. From there, efforts to devise potential solutions must progress in parallel paths, the first in search of a regulatory fix, the second a technological one. The first protects against the systematic misuse of collected information by utilities, despite new pressures on their profitability, by ensuring the databases are used only for their principle purposes: informing efficient electricity generation, distribution, and management. Such regulatory fixes are not difficult.

Indeed, Connecticut’s relevant regulations may already provide adequate protection against many of the “troubling implications” of this growing data set. Opt-in regulations are appropriate—at least in the short term—to protect consumers while the market for smart metering data develops and the full capabilities of those with access to that data are laid bare. As many states are taking a fresh look at their relevant regulations in connection with the restructuring of billing rates, swift action on this issue is both possible and easy.

The technological fix is a bit larger an obstacle, and solutions, on my part, more covered in lint. However, some recommendations are apparent even from this discussion. Specifically, the technological answer to these concerns must come in two parts: one addressing the security of the database as aggregated and kept by the utility, and the other addressing the security of transmitted data...One possible approach might be to aggregate and encrypt the data being sent from smart meters back to the utility by putting additional hardware on each transformer. This would basically anonymize an individual’s information to roughly the scale of a city block.

Click here to read the paper.

Wednesday, September 2, 2009

Consumer And Privacy Groups Urge Congress to Enact Consumer Privacy

Some very exciting news to report today! Yesterday a coalition of ten consumer and privacy advocacy organizations called on Congress to enact legislation to protect consumer privacy in response to threats from the growing practices of online behavioral tracking and targeting.

The coalition consists of the Consumer Federation of America, Center for Digital Democracy, Consumers Union, Consumer Watchdog, Electronic Frontier Foundation, Privacy Lives, Privacy Rights Clearinghouse, Privacy Times, U.S. Public Interest Research Group, and The World Privacy Forums.

This is a very impressive coalition speaking out on a very important privacy issue at a very important time.

So let me first give some backdrop on the issue of behavioral targeting on the Internet by quoting a few passages from the coalition's legislative primer entitled "Online Behavioral Tracking and Targeting Concerns and Solutions":

Privacy is a fundamental right in the United States. For four decades, the foundation of U.S. privacy policies has been based on Fair Information Practices: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability.

Those principles ensure that individuals are able to control their personal information, help to protect human dignity, hold accountable organizations that collect personal data, promote good business practices, and limit the risk of identity theft. Developments in the digital age urgently require the application of Fair Information Practices to new business practices. Today, electronic information from consumers is collected, compiled, and sold; all done without reasonable safeguards.

Consumers are increasingly relying on the Internet and other digital services for a wide range of transactions and services, many of which involve their most sensitive affairs, including health, financial, and other personal matters. At the same time many companies are now engaging in behavioral advertising, which involves the surreptitious tracking and targeting of consumers.

Click by click, consumers’ online activities – the searches they make, the Web pages they visit, the content they view, the videos they watch and their other interactions on social networking sites, the content of emails they send and receive, how they spend money online, their physical locations using mobile Web devices, and other data – are logged into an expanding profile and analyzed in order to target them with more "relevant" advertising.

This is different from the "targeting" used in contextual advertising, in which ads are generated by a search that someone is conducting or a page the person is viewing at that moment. Behavioral tracking and targeting can combine a history of online activity across the Web with data derived offline to create even more detailed profiles. The data that is collected through behavioral tracking can, in some cases, reveal the identity of the person, but even when it does not, the tracking of individuals and the trade of personal or behavioral data raise many concerns.

The report also lays out a series of specific concerns:

Tracking people’s every move online is an invasion of privacy. Online behavioral tracking is even more distressing when consumers aren’t aware who is tracking them, that it’s happening, or how the information will be used. Often consumers are not asked for their consent and have no meaningful control over the collection and use of their information, often by third parties with which they have no relationships. Online behavioral tracking and targeting can be used to take advantage of vulnerable consumers.

Information about a consumer’s health, financial condition, age, sexual orientation, and other personal attributes can be inferred from online tracking and used to target the person for payday loans, sub-prime mortgages, bogus health cures and other dubious products and services. Children are an especially vulnerable target audience since they lack the capacity to evaluate ads.

Online behavioral tracking and targeting can be used to unfairly discriminate against consumers. Profiles of individuals, whether accurate or not, can result in "online redlining" in which some people are offered certain consumer products or services at higher costs or with less favorable terms than others, or denied access to goods and services altogether. Online behavioral profiles may be used for purposes beyond commercial purposes.

Internet Service Providers (ISPs), cell phone companies, online advertisers and virtually every business on the web retains critical data on individuals. In the absence of clear privacy laws and security standards these profiles leave individuals vulnerable to warrantless searches, attacks from identity thieves, child predators, domestic abusers and other criminals.

Also, despite a lack of accuracy, employers, divorce attorneys, and private investigators may find the information attractive and use the information against the interests of an individual. Individuals have no control over who has access to such information, how it is secured, and under what circumstances it may be obtained.

Before I get to more of the coalition's specific proposals to address these concerns, let me detail why I think this effort is coming at an ideal time. The Federal Trade Commission (FTC) - as I have written about on this blog - has gone through some enormous positive changes under President Obama, and is apparently now committed to better protecting internet users from behavioral targeting and ads.

In a recent article in Business Week, FTC Chairman Jon Leibowitz, Obama's top consumer watchdog, said he wants to terminate—or at least rein in—delivering ads to individuals based on the Web pages they visit and searches they carry out (supporting the establishment of “opt-in” as the standard rather than “opt-out”).

Similarly, David C. Vladeck - the new head of the Bureau of Consumer Protection at the FCTsaid in a New York Times article this week that the frameworks used historically for privacy on the web are no longer sufficient, and wants to expand the definition of what is considered “harm” to the consumer when a company infringes on their privacy to beyond solely a monetary measurement, but to whether their dignity was violated.

So two important signals (among others articulated in the articles) have been sent by Leibowitz and Vladek indicating the FTC is considering pushing for two essential legislative reforms (among many others) advocated by privacy leaders that would protect consumers: establishing "opt-in" as the standard and precedent and redefining what is considered “harm” to the consumer when his/her privacy is violated.

If ever enacted, each would represent a landmark improvement in protections for consumers against aggressive behavioral marketing techniques and industry data collection practices.

Before I get to the New York Times write up on the coalition's proposals to address behavioral targeting, let me provide some choice clips from their press release outlining some of their specific policy ideas as well as some choice quotes from privacy leaders:

“The rise of behavioral tracking has made it possible for consumer information to be almost invisibly tracked, complied and potentially misused on or offline. It’s critical that government enact strong privacy regulations whose protections will remain with consumers as they interact on their home computer, cell phones, PDAs or even at the store down the street. Clear rules will help consumers understand how their information is used, obtained and tracked,” said Amina Fazlullah of U.S. Public Interest Research Group. “In the event of abuse of consumer information, this legislation could provide consumers a clear pathway for assistance from government agencies or redress in the courts.”

“Respect for human dignity is at the core of our concerns, but we are also worried that online behavioral tracking can be used to target vulnerable consumers for high-price loans, bogus health cures and other potentially harmful products and services,” said Susan Grant, director of Consumer Protection at Consumer Federation of America.

“Limiting commercial tracking of our online activities may also help protect privacy against the government, which often gets information about us from private companies,” said Lee Tien, of the Electronic Frontier Foundation.

The record is clear: industry self-regulation doesn't work,” said Beth Givens, Director of the Privacy Rights Clearinghouse “It is time for Congress to step in and codify the principles into law.”

...

Among the main points that the coalition said should be included in consumer privacy legislation:

· Sensitive information should not be collected or used for behavioral tracking or targeting.
· No behavioral data should be collected or used from anyone under age 18 to the extent that age can be inferred.
· Web sites and ad networks shouldn’t be able to collect or use behavioral data for more than 24 hours without getting the individual’s affirmative consent.
· Behavioral data shouldn’t be used to unfairly discriminate against people or in any way that would affect an individual's credit, education, employment, insurance, or access to government benefits.


Now let's get to the New York Times write up:

Privacy advocates, with their best chance in years to get new legislation limiting Internet targeting passed in Washington, are skipping their summer vacation this year.

...

Among the things they’re asking for: No sensitive information (like health or financial information) should be used for behavioral tracking, no one under 18 should be behaviorally tracked, Web sites and ad networks shouldn’t be able to keep behavioral data for more than a day without getting an OK from the individual they’re tracking, and behavioral data can’t be used for discriminatory purposes.

Some Congress members have indicated they will consider such legislation in the fall. That’s something industry has adamantly opposed. In July, industry groups offered new principles on how they would regulate tracking without government intervention They argue that legislation will lag the technology by a matter of years. Meanwhile, over at the Federal Trade Commission, David Vladeck, the new head of consumer protection, has indicated he has broader definitions of intrusive tracking than his predecessors did.

Click here to read the coalition press release, and here to read their detailed analysis and proposals for Congress to consider.

I don't think there's all that much for me to add here. Clearly these are critically important proposals for Congress to consider that will have an enormously positive impact on the future of consumer privacy on the Internet. There is nothing I can say that is not said better in the documents I have provided.

I can't really overstate how supportive I am of this work, and the proposals therein. Clearly some exhaustive work went into compiling this report and formulating these solutions to a growing problem and threat to individual privacy. A threat that will exponentially increase by the day if nothing is done. Now this will be a story I'll follow for you here!