Friday, February 18, 2011

Legislative Review: "Do Not Track", "Kill Switch", and Body Scanner Images

There was a flurry of federal privacy legislation introduced this past week I thought I'd quickly review.

Jackie Speier's Privacy Bills

Let's begin with the the especially good. In particular, the "Do Not Track" (DNT) and financial privacy legislation being proposed by privacy stalwart, and Congresswoman, Jackie Speier. The bill would essentially allow Internet users to opt-out from "cookies, sniffing, scraping, or any other new and creative methods developed by those looking to profit through these activities."

The "DNT" legislation would allow the Federal Trade Commission to force online advertisers to respect the wishes of users who do not want to be tracked for marketing purposes. Why is this important?

The Center for Digital Democracy explains:

Perhaps the most powerful - but largely invisible - force shaping our digital media reality is the role of interactive advertising and marketing. Much of our online experience, from websites to search engines to social networks, is being shaped to better serve advertisers. Increasingly, individuals are being electronically "shadowed" online, our actions and behaviors observed, collected, and analyzed so that we can be "micro-targeted." Now a $24 billion a year industry [2008 estimates] in the U.S., with expected dramatic growth to $80 billion or more by 2011, the goal of interactive marketing is to use the awesome power of new media to deeply engage you in what is being sold: whether it's a car, a vacation, a politician or a belief. An explosion of digital technologies, such as behavioral targeting and retargeting, "immersive" rich media, and virtual reality, are being utilized to drive the market goals of the largest brand advertisers and many others.

As I have written in the past, the DNT option is an interesting concept - one that privacy advocates have supported in the past. The feature, which the FTC has said could be located within browsers, would prevent a person from being exposed to behavioural advertising and would function like 'do not call' lists of phone numbers.

This is a sensible component of a much larger web privacy strategy that will ideally put the individual in control, or ownership, of their own data. While I favor the opt-in versus over the opt-out method as a rule of thumb, certainly a visible DNT mechanism in browsers would be an acceptable piece of the internet "privacy puzzle". The bill would give the FTC 18 months to come up with a set of regulations that would require advertisers to allow users to "effectively and easily" choose not to have their online behavior tracked or recorded.

The second bill introduced by Speier would enable consumers to better control financial information collected about them by banks and other institutions. That bill includes a provision that would prevent companies from sharing consumer financial information without explicit pre-approval from the consumer, a process known as opting in.

Speier stated, "These two bills send a clear message — privacy over profit. Consumers have a right to determine what if any of their information is shared with big corporations, and the federal government must have the authority and tools to enforce reasonable protections."

My friend Ryan Calo, director of the Consumer Privacy Project at Stanford Law School, had some important insights I'd like to share, stating "It really is a strong pro-consumer bill," (noting that the bill's teeth included provisions that would allow state prosecutors to go after privacy violators if the FTC didn't have time or resources.) He, as I have argued, also noted that the bill was not a panacea for preserving online privacy, particularly being that it would apply only to consumers who elect not to be tracked — a process called opting out. Anyone who did not opt out, for instance because they did not know how or know that they could, would not be protected.

This goes back to the issue I always raise here: Opt-in should be the privacy standard, not opt-out. If you want my personal information to share and sell, and you want to track what I do and when I do it, than you should have to ask me, period.

Schumer/Nelson Body Scanner Legislation

As some of you may know, I have written extensively about why I believe these airport body scanners and the subsequent aggressive pat downs for those that choose that "option", are grossly ineffective, intrusive, expensive, and unnecessary.

This bill does - at least partly - address just one of the myriad of problems I have with them: the accessing and sharing of these digital strip searches with the public. The bill - approved by the Senate on Tuesday - would make the misusing of body scanner images a federal crime punishable by up to a year in prison.

In other words, its aim is to prohibit anyone with access to the scanned body images, whether security personnel or members of the public, from photographing or disseminating those images. Besides a prison term, violators could be fined up to $100,000 per violation.

A quick sidenote on this issue, the USA Today wrote a blistering editorial this week on what they called the "'Inexcusable' delay on TSA body-scanner safety reports". The article notes that "The Transportation Security Administration has told members of Congress that more than 15 million passengers received full-body scans at airports without any malfunctions that put travelers at risk of an excessive radiation dose. Despite the reassurance, however, the TSA has yet to release radiation inspection reports for its X-ray equipment - two months after lawmakers called for them to be made public following USA TODAY's requests to review the reports.

Fueling concerns about the potential for scanner malfunctions and the TSA's ability to identify problems: TSA and its contractors had failed in the past to detect when some baggage X-ray machines were emitting excessive levels of radiation or had safety features that were missing or disabled. The TSA says that it has made improvements since then and that all of its X-ray scanners - for people and luggage - have passed recent inspections by contractors. The agency in January asked the CDC to repeat its luggage X-ray study "to confirm the progress TSA has made," Lee says.

By the least this is an issue to keep an eye on.

Leiberman/Collins Kill Switch Legislation

It should surprise no one that one of the most anti-civil liberties bill's of the session would come from Senator Joe Lieberman. What's particularly revolting about this bill is we saw, just these past few weeks in Egypt, how government can use such power over the internet and the peoples access to information.

The USA Today has more:

The bill - crafted by Sens. Joseph Lieberman, I-Conn.; Susan Collins, R-Maine; and Tom Carper, D-Del. - aims to defend the economic infrastructure from a cyberterrorist attack. But it has free-speech advocates and privacy experts howling over the prospect of a government agency quelling the communication of hundreds of millions of people.

"This is all about control, an attempt to control every aspect of our existence," says Christopher Feudo, a cybersecurity expert who is chairman of SecurityFusion Solutions. "I consider it an attack on our personal right of free speech. Look what recently occurred in Egypt."


The disruption to communications and economic activity "could be catastrophic," says Marc Rotenberg, executive director of the Electronic Privacy Information Center.


Cyberthreats aside, deep questions persist over what critics claim is the bill's heavy-handed approach, what it means to free speech and whether it can be enforced practically.

The crux of the issue, to computer-law expert Fertik and others, is if the Internet is a national asset, should it be nationalized? "Determining where the Internet connects to infrastructure is hard to define and impose," Kagan says.

"In its current form, the legislation offers no clear means to check that power," says Timothy Karr, campaign director for media-policy group Free Press, a non-profit organization.


A provision in the bill lets the president take limited control during an emergency and decide restrictions. "It, essentially, gives the president a loaded gun," Fertik says.

"Say there is a mounted attack from a terrorist group on the Internet," Fertik says. "(The law) could present the president with a kill switch option. But what are the conditions, and how far does (the law) go?"

The debate extends to minutiae in the bill's wording. It neither expressly calls for the creation of an Internet kill switch nor does it exclude one. It only requires the president to notify Congress before taking action, and it specifically prohibits judicial review of the president's designation of critical infrastructure. The non-profit Center for Democracy and Technology, in a measured letter to Lieberman, Collins and others, wants more specifics on the sweep of "emergency" measures mentioned in the bill.

"In our constitutional system of checks and balances, that concentrates far too much power in one branch of government," says Karr. "The devil is always in the details, and here the details suggest that this is a dangerous bill that threatens our free-speech rights."

Giving the president broad power to "interfere" with the Internet - even bottling up chunks of it in the name of national security - would require him to go to court to stop communications, says Michelle Richardson, legislative counsel for the American Civil Liberties Union. What's more, a new law may be next to impossible to administer widely, technology experts say.
Read more here.

More generally, particularly on the issue of privacy on the internet, as I have written here before, the fact that we have next to no privacy standards as related to these technological innovations and trends is disturbing, and more than enough of a reason for some of the bills being offered here - like Speier's for instance.

What kind of control should we have over our own data? And, what kind of tools should be available for us to protect it? What about ownership of our data? Should we be compensated for the billions of dollars being made by corporations from their tracking of us? And of course, what of the government's access to this new world of data storage?

The argument by some, such as Mark Zuckerberg, is that all information should be public, and as time goes on we'll only be sharing more of it. In addition, we all will benefit from this communal sharing of private information in ways yet to even be discovered. Already, from this sharing, we forge more online friendships and connections, old friends are reconnected, distant parents see pictures of their kids' day-to-day activities, jobs might be more easily found due to our profiles being more public, internet services improve as companies like Facebook and Google learn about peoples' Web browsing histories, sites are able to tailor content to the user, and so on, and so forth.

That last point, has particular resonance with me. What concerns me is what are the side effects of living in a society without privacy? Not just on the next, about our personal habits, but from the watchful eye of government, be it the knowledge that we could be wiretapped, that smart grid monitors are daily in home habits, that our emails can be intercepted, that our naked bodies must be viewed at airports, that our book purchases can be accessed (particularly if Google gets its way and everything goes electronic), that street corner cameras are watching our every move, that RFID tags allow for the tracking of clothes, cars, and phones...and the list goes on.

Stay tuned...

No comments: