Center for Democracy & Technology » Blog Posts: Keeping the Internet Open, Innovative and Free (feed last updated Fri, 27 Feb 2015 22:01:09 +0000)

Important Human Trafficking Laws Advance Without Challenging Free Speech Online (Fri, 27 Feb 2015 18:32:08 +0000)

Wiser heads prevailed at yesterday’s Judiciary Committee markup, as Senators moved forward with important human trafficking bills absent dangerous proposals to restrict online advertising. We’re glad to see the Justice for Victims of Trafficking Act and the Stop Exploitation Through Trafficking Act advance without amendments that would chill online expression.

The Judiciary Committee members are doing important and necessary work by taking on the critical issue of ending human trafficking and providing resources for victims. By not taking up provisions that would create new liability risks for online content hosts, whose services may be used by traffickers, the Committee is showing that progress can be made on human trafficking without damaging a fundamental pillar of the Internet.

Holding websites liable for crimes committed by their users would create massive disincentives for hosting user-generated content. It would likely reduce individuals’ access to diverse platforms to express themselves and it would certainly discourage innovation in online services. CDT echoed experts at Tuesday’s hearing in urging the Committee to tread cautiously around intermediary liability issues.

Unfortunately, these well-intentioned but misguided proposals are likely to crop up again. Last session’s SAVE Act has been reintroduced as a standalone bill, and members at the markup session expressed interest in pursuing online advertising at a later date. The Senate should move forward on reforms that target sex trafficking, but they should strongly reject bills that would undermine the legal protections for broader free speech online.

Civil Agencies Want More Consumer Data — Will They Keep Privacy in Mind? (Fri, 27 Feb 2015 17:17:11 +0000)

The massive increase in data creation and collection through smartphones, wearables, and other devices has meant that it’s a lot easier to know where individuals go during a regular day, how long it takes them to get there, and what they do when they arrive. From taxi data to public health issues, the range of applications for data generated by individual citizens is quite wide. As a result, it’s not surprising that civil agencies, including transportation commissions, health departments, and housing authorities, may want access to the data that service providers collect on behalf of their users. But balancing the needs of government agencies and the privacy of individuals will be vital in order to ensure that any use of such data doesn’t infringe upon individual rights.

Some companies have begun to develop their own policies concerning how they share data with civil agencies. For example, Uber announced last month that it had agreed to share data with Boston, but that such data would only include the time and duration of a trip, the ZIP code where the trip started and ended, and distance traveled. Such a dataset will be useful for cities looking to better understand traffic patterns, but does not include personal identifiers. This strikes an appropriate balance between protecting privacy and still allowing governments to improve civil services and perform necessary enforcement and oversight. We hope that other companies that collect consumer data follow Uber’s lead, and that governmental agencies recognize the value of such arrangements — rather than attempt to strong-arm companies into handing over consumer data.

The applications of consumer data by civil agencies could certainly lead to many societal improvements. Potential uses include using data (like Uber’s datasets) to create a more comprehensive understanding of traffic patterns — a vital component of urban planning. If asthmatics reported inhaler use to the health department, we could develop a better sense of how air pollution affects individuals. Measuring data from smart homes, as with the “smart grid”, could improve energy management and efficiency. Future devices and networks may provide heretofore-unimagined benefits to governmental agencies hoping to improve their understanding of citizens’ lives. But these programs should be limited in scope to the purposes that the agency articulates.

Concerns about unforeseen consequences are not merely academic. Last summer, the New York Taxi and Limousine Commission released a dataset without properly removing identifying information, which allowed the records of an individual’s travel throughout New York City to be tracked over time. By not thinking about privacy when complying with open government laws, the city created a privacy issue that could have been avoided with some forethought.

We have some specific suggestions for how agencies can keep privacy in mind, echoing the steps that Uber has taken to promote user privacy when sharing data with cities. For example, collecting location data from individual smartphones and devices to improve traffic flow would necessarily collect a great deal of sensitive information about individual movements over time. If that data isn’t securely transmitted and stripped of as much identifying information as feasible, it could be used for inappropriate purposes — or become a tempting target for malicious hackers. Agencies should require that data be stripped of as much identifying information as possible (such as name, subscriber information, email address, or location, depending on the purpose), and also require that companies transmit the data using encryption. Agencies should also only use the data for limited purposes, and retain it only for as long as necessary.
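The de-identification guidance above is easy to get wrong in practice: swapping a name or vehicle number for a hash of itself looks like removal but is not, because the set of possible identifiers is small enough to enumerate (an unkeyed hash of the medallion and licence numbers is the widely reported cause of the New York taxi problem). The following Python is an added illustration, not code from CDT, Uber, or any city; the trip records, the field names and the four-hex-digit identifier space are all constructed for the example. It shows the reversible “anonymization”, then the Boston-style record (start hour, duration, start and end ZIP, distance) with coordinates and the identifier dropped, and a keyed HMAC pseudonym for the case where the agency genuinely needs to link trips by vehicle.

```python
"""Added example (not part of the CDT post): why stripping identifiers from
shared trip data needs more than hashing, and what a minimal Boston-style
record looks like."""
import hashlib
import hmac
import secrets
from datetime import datetime

# Constructed sample records held by a hypothetical ride service. Field
# names and values are invented for illustration; real schemas differ.
RAW_TRIPS = [
    {"medallion": "2A74", "pickup_ts": "2015-02-20T08:03:14",
     "dropoff_ts": "2015-02-20T08:21:50", "pickup_zip": "10001",
     "dropoff_zip": "10007", "pickup_lat": 40.7505, "pickup_lon": -73.9934,
     "dropoff_lat": 40.7128, "dropoff_lon": -74.0060, "miles": 3.9},
    {"medallion": "9F1C", "pickup_ts": "2015-02-20T17:45:02",
     "dropoff_ts": "2015-02-20T18:12:40", "pickup_zip": "10023",
     "dropoff_zip": "11201", "pickup_lat": 40.7769, "pickup_lon": -73.9822,
     "dropoff_lat": 40.6943, "dropoff_lon": -73.9903, "miles": 7.2},
]

# Assumption for the toy: identifiers are 4 hex digits, so only 65,536
# exist. Real vehicle and driver identifiers are similarly enumerable.
KEYSPACE = [f"{i:04X}" for i in range(0x10000)]


def naive_pseudonymize(trips):
    """The mistake: replace the identifier with an unkeyed hash and keep
    every other column. Looks anonymous, is not."""
    out = []
    for t in trips:
        row = dict(t)
        row["vehicle"] = hashlib.md5(row.pop("medallion").encode()).hexdigest()
        out.append(row)
    return out


def reverse_unkeyed_hash(hashes):
    """Anyone with the public file needs no secret: hash every possible
    identifier once and look the published values up."""
    table = {hashlib.md5(m.encode()).hexdigest(): m for m in KEYSPACE}
    return {h: table[h] for h in hashes if h in table}


def keyed_pseudonym(identifier, key):
    """If the agency genuinely needs to link trips by vehicle, use an HMAC
    under a key the company keeps. Without the key the lookup table above
    cannot be built; the key must never travel with the data."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def deidentify(trips, link_key=None):
    """Shape the shared record the way the Boston arrangement is described:
    when, how long, start/end ZIP, distance. Coordinates and the raw
    identifier are dropped; the start time is coarsened to the hour."""
    out = []
    for t in trips:
        start = datetime.fromisoformat(t["pickup_ts"])
        end = datetime.fromisoformat(t["dropoff_ts"])
        row = {
            "start_hour": start.strftime("%Y-%m-%dT%H:00"),
            "duration_min": int((end - start).total_seconds() // 60),
            "pickup_zip": t["pickup_zip"],
            "dropoff_zip": t["dropoff_zip"],
            "miles": t["miles"],
        }
        if link_key is not None:
            row["vehicle"] = keyed_pseudonym(t["medallion"], link_key)
        out.append(row)
    return out


if __name__ == "__main__":
    leaked = naive_pseudonymize(RAW_TRIPS)
    recovered = reverse_unkeyed_hash([r["vehicle"] for r in leaked])
    print("recovered from unkeyed hashes:", recovered)
    key = secrets.token_bytes(32)  # held by the company, never shared
    for row in deidentify(RAW_TRIPS, key):
        print(row)
```

Note what the keyed variant does and does not buy: without the key the lookup table cannot be built, but every trip by the same vehicle still carries the same pseudonym, which is exactly the tracking-over-time risk described above. It should be used only when the agency’s stated purpose requires linkage, with the key retained by the company and the data sent over an encrypted channel as the post recommends; otherwise drop the identifier entirely, as `deidentify` does by default.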

While civil agencies are no doubt sincere in their efforts to collect individual data, it is of course possible that the collection could turn into a backdoor for law enforcement to gain access to data without proper judicial oversight. We have long voiced concerns about the expansion of governmental collection of individual data, both for law enforcement and regulatory purposes. As a result, when civil agencies require companies to turn over data, those programs should be limited in scope.

The issues posed by companies sharing data with civil agencies are complex and will necessarily evolve to serve the needs of different agencies and the characteristics of each data set. CDT will continue to work on this issue and promote best practices for companies and agencies that, above all, protect individual citizens’ privacy while allowing government to perform necessary oversight and analysis.

Tech Prom To Welcome Giovanni Buttarelli (Thu, 26 Feb 2015 21:01:59 +0000)

As if FCC Chairman Tom Wheeler’s remarks at CDT’s Annual Dinner on the heels of the vote on new Open Internet rules aren’t enough of a reason to attend, we have another exciting speaker to welcome: Giovanni Buttarelli.

Giovanni Buttarelli is the newly appointed European Data Protection Supervisor (EDPS) and he has already announced big plans to ensure data protection reform is adopted this year, stating “the time has come to make privacy and data protection more effective in the digital environment.”

Focusing on the interests of the individual consumer, Buttarelli has called for Big Data Protection and a New Deal on Transparency. He’ll bring the valuable European perspective to our night of networking among the very best in tech policy. Join us for Tech Prom to hear Buttarelli’s remarks firsthand.

Our Annual Dinner, fondly known as Tech Prom, is taking place on March 10, 2015 at the Walter E. Washington Convention Center here in DC.

VIDEO: Harley Geiger at CSM panel – “Cybersecurity legislation shouldn’t create giant backdoor wiretap” (Wed, 25 Feb 2015 22:01:24 +0000)

Recently, Harley Geiger – our Advocacy Director & Senior Counsel – spoke on a panel discussion hosted by the Christian Science Monitor’s (CSM) digital privacy and security site, Passcode, and the Center for National Policy.

The panel, entitled Cyber Framework and Critical Infrastructure: A Look Back at Year One, also featured Mike Farrell of CSM and John Pescatore of the SANS Institute, and covered information sharing, data breaches, cybersecurity, and more. Check the clip below for a piece of the conversation, and should you be so inclined, you can watch the full discussion here.

“What we don’t want to see happen… is for companies to be able to share any [user data], notwithstanding any privacy law… and then that information, once it goes to the government, can be used for law enforcement purposes. …If it is open for general law enforcement use, then [the cybersecurity program] essentially becomes giant backdoor wiretap.”

Listening to the Experts on Human Trafficking (Wed, 25 Feb 2015 19:46:19 +0000)

This week, the Senate Judiciary Committee is considering two pieces of legislation that would help combat sex trafficking in the United States. The Justice for Victims of Trafficking Act, sponsored by Senators Cornyn, Feinstein, and others, would (among other things) help to prevent the prosecution of victims of sex trafficking for prostitution offenses. The Stop Exploitation Through Trafficking Act, sponsored by Senators Cornyn, Klobuchar, McCain, and Blumenthal (among others), would enact a National Strategy for Combating Human Trafficking for increased enforcement at the federal, state, local, and tribal levels against those who buy and sell children for sex. In an impressive display of bipartisanship, the Senate’s 20 women members are calling for action from their colleagues across the political spectrum. A number of senators at Tuesday’s hearing expressed their deep commitment to meaningful action to address child trafficking in the United States.

As these bills enter committee markup on Thursday, it’s important that they remain focused on essential victim-centered reforms and providing law enforcement with necessary prosecution and prevention resources – not on measures that infringe on the First Amendment. Congress has recently considered anti-trafficking measures that would raise significant threats to free expression, privacy, and innovation online. These proposals, including the SAVE Act introduced by Senators Kirk and Feinstein last session, and a similar bill that passed the House earlier this year, would expose online content hosts to potential federal criminal liability for text, images, video, and other content posted by their users. In a recent joint statement, CDT and a coalition of free expression and privacy organizations, trade associations, and law professors explained that creating federal criminal liability for website hosting or publishing of content would be overly broad, unconstitutional, and counterproductive.

At yesterday’s hearing, Senator Feinstein inveighed against the websites that traffickers use to post sex ads, but witnesses at the hearing provided a more nuanced perspective. Advocates described efforts to remove ads from Craigslist or Backpage, only to see them migrate to other sites—and warned that taking down an ad or shutting down a website did not have the same impact as punishing perpetrators who buy and sell children for sex. Victims’ advocate Malika Saada Saar of Human Rights for Girls told the committee that “[t]here’s a culture of impunity,” and these ads will continue to move from site to site until we address the demand side of the equation: “They are not afraid of purchasing a child because we are not arresting and prosecuting buyers of children.”

Officer Michael Ferjack, Iowa’s top human trafficking investigator, testified about the complex relationship that law enforcement has with websites that host user-generated ads, calling them “one of the best tools that law enforcement currently has available” for investigating human trafficking. Officer Ferjack noted the “ongoing debate within the law enforcement community as to the value of these sites in terms of their intelligence that they offer to law enforcement,” and requested that Senators “move cautiously” in considering any sort of action.

CDT joins this call for caution. There are measures Congress can take right now to stop human trafficking. Congress should not let problematic Internet proposals impede that momentum.

CDT Launching Common Ground Data Breach Forum (Wed, 25 Feb 2015 14:42:28 +0000)

Last Thursday, CDT and law firm Jones Day brought together key industry, government and non-profit leaders at a reception on the hot issue of data breach policies and legislation. At the event, we announced the launch of our new multi-stakeholder effort dedicated to identifying innovative solutions to major data breach questions, the Common Ground Data Breach Forum.

The first meeting of the Data Breach Forum will be March 17, 2015, and it will bring together leaders from CDT’s Internet Privacy Working Group and the Digital Privacy & Security Working Group. If you’re interested in joining, contact me. We’re grateful to Jones Day for helping us launch this forum and starting the important dialogue around data breach.

We’ll be developing a number of resources and briefs around data breach policy, but here’s a quick overview of where CDT is right now:

Data breach has become a daily occurrence, so much so that a September 2014 Ponemon study warned companies of “data breach fatigue,” a term used to describe the apathy felt by many consumers who feel helpless in the face of continuous breaches of their personal information. The study also found that 60% of U.S. companies have experienced more than one breach in the past two years, and that data breaches increased in frequency over the past year. This report, in addition to news of hacks into major retail chains’, entertainment studios’, health insurance providers’ and banks’ databases, underscores the need for a comprehensive, collaborative response to data breach.

Nearly every state has a data breach law that incorporates notification and security provisions. Last Congress saw the introduction of multiple bills that would create a federal standard for data security and breach notification:

Additionally, President Obama revealed a data breach legislative proposal, The Personal Data Notification & Protection Act, in January 2015. In February, CDT submitted a joint letter with various consumer advocacy organizations to the White House and Congress in response to the President’s data breach proposal.

Although baseline consumer privacy legislation is the most appropriate means of addressing data breach, CDT would support creating federal data breach legislation if it were as strong as existing state law and provided consumers with new value. CDT’s data breach legislative primer outlines this position in further detail. Additionally, we believe that addressing data breach should not stop at the legislative level. The questions we see as central are these:

Risk assessment and liability. What constitutes a data breach? Should companies have to identify specific “harm(s)” resulting from a breach before they are required to notify consumers or regulating agencies about the breach? If so, what should those harms be? If not, what is an appropriate alternative standard? Should companies be required to report a data breach to a regulatory authority regardless of whether they have determined that the breach puts consumers at risk?

Standardization of notification. What is the appropriate consumer notification standard when a breach has occurred? Should there be a fixed deadline for notification or is “as expeditiously as possible” or “within a reasonable time period” sufficient to protect consumers?

Enforcement and Remedies. How and by whom should data breach legislation be enforced? Should the FTC and FCC have joint enforcement powers? Should state attorneys general have the ability to bring suit under a federal act?

Redress. What should a uniform approach to data breach response look like? Can company policies be put in place to help ensure consumers have a means of redress if the law does not adequately protect their interests?

Remediation. What measures can be taken to prevent attendant damages? How should immunity issues related to government sharing of data be handled?

Pre-emption. Should federal law preempt existing state data breach laws? If so, to what extent? If not, how can companies implement internal procedures that comply with the varied state approaches to data breach? How can companies reconcile a new federal data breach law with other existing laws?

For more information on data breach legislation, please see CDT’s legislative primer.

Tech Prom to Feature FCC Chairman Tom Wheeler (Thu, 19 Feb 2015 20:56:04 +0000)

CDT’s Annual Dinner, known as Tech Prom by the cool kids, is taking place this March 10, 2015 at the Walter E. Washington Convention Center here in DC. It’s a night where the tech policy community comes together for great networking and CDT gets to thank everyone for their support.

While the night really is focused on having a good time and socializing with leaders in tech policy, we do have a short and exciting program during the dinner. This year, FCC Chairman Tom Wheeler will be giving the keynote remarks – which you will not want to miss.

Chairman Wheeler has of course been in the news quite a bit recently, and next week he’ll be grabbing headlines again. On Thursday, February 26, the FCC will vote on proposed Open Internet rules. The Chairman recently previewed the rules that will be voted on, and at a high level they are a true victory for advocates of net neutrality and an open, equal Internet.

Tech Prom will be among Chairman Wheeler’s first public remarks following the vote on the Open Internet rules. The keynote will take the form of a conversation with CDT’s President Nuala O’Connor, making it far less formal and stuffy.

We’ll be previewing more of what to expect at our dinner over the next 2 weeks. And if you don’t have your ticket yet, there is still time to get one. Hope to see you March 10!

NetGain: Let’s Work Together to Improve the Internet (Fri, 13 Feb 2015 21:09:54 +0000)

This week, Nuala and I had the opportunity to take part in the launch of the NetGain Challenge, an exciting new initiative aimed at realizing the full potential of the Internet to “spark the next generation of innovation for social change and progress.”

Launched by the Knight, MacArthur, Mozilla, and Ford Foundations, the NetGain Challenge aims to unite all sectors to find genuine solutions to the challenges of our digital age. At the launch event, several innovative and proactive speakers started the conversation. Many talked about the immense amounts of data we now have and the potential it creates for both incredible good and serious privacy abuses; others spoke of the power of the Internet to facilitate free speech, to connect people, and to spread good ideas; and still others cautioned against censorship and the chilling effect of government surveillance.

The most motivating parts of the launch for me were the discussions around digital inclusion and empowerment, especially of women and minorities. The digital world we build depends on everyone being involved in shaping it – not just those with the most privilege or access to the newest technology.

The great news is that YOU can be a part of finding ways to shape this empowering digital world. The NetGain Challenge is about harnessing the power of the Internet to find solutions. It’s about engaging the global Internet community and generating fresh, new ideas that propel us forward. And with the philanthropic community rallying around these efforts, it is far more than just talk – it is action.

The Center for Democracy & Technology encourages everyone to take part in the NetGain Challenge. Share your voice. Share your ideas. Shape the digital society you want to live in.

Improve Cybersecurity by Allowing Vulnerability Research (Fri, 13 Feb 2015 19:07:52 +0000)

Today, the White House is bringing together executives of major U.S. technology companies and leaders of technology policy organizations, including CDT’s own Nuala O’Connor, for a summit on cybersecurity and consumer protection. The agenda will focus on a range of issues brought to the fore by recent high-profile hacks into the networks of Sony Pictures Entertainment and the health insurer Anthem.

Unfortunately, one basic issue not on the agenda is removing unnecessary barriers to computer security research. Throughout the country, academics, engineers, and “white hat” hackers are working to uncover and repair security vulnerabilities in software and networks, and to understand and defang the malicious code that exploits those vulnerabilities. Paradoxically, some of this work may be illegal under current law.

As CDT explained in an earlier post, Section 1201 of the Digital Millennium Copyright Act makes the circumvention of “technological protection measures” controlling access to copyrighted works unlawful. That means a researcher who uncovers a software vulnerability by circumventing, for example, digital rights management (DRM) software may be breaking the law unless one of the statute’s narrow existing exemptions applies. Concerns over 1201 liability led researchers to delay publicizing information on potential exploits of Sony’s “rootkit” DRM, which ultimately infected half a million computers worldwide.

Last week, CDT filed comments with the U.S. Copyright Office asking it to recognize a 1201 exemption for computer security research. Noted cryptographer Bruce Schneier, copyright expert Pam Samuelson, law professor Candice Hoke, and computer scientist Douglas Jones joined the filing. Our comment asked that the Librarian of Congress grant the petition for exemption filed by Professor Matthew D. Green and the petition filed by Professors Bellovin, Blaze, Felten, Halderman, and Heninger. Both petitioners filed extensive comments in support of their petitions, providing evidence of genuine harm tied to the chilling effect of 1201 liability on computer security research and explaining why Section 1201’s existing exemptions for security testing and reverse engineering are insufficient.

Implementing a computer security research exemption will require certain standards with respect to how research is conducted and results are disclosed. The petition by Professors Bellovin et al. points toward existing ISO standards used by responsible companies engaged in security research for guidance. Standards for good-faith research and disclosure should also reflect the views and input of the academic research community. Unfortunately, the uncertain legality of computer security research under Section 1201 inhibits the full dialogue the research community must have to develop and implement appropriate standards.

As anyone who has had to download a seemingly weekly security update on his or her computer knows all too well, cybersecurity is always something of a cat-and-mouse game between malicious hackers and the individuals and entities trying to protect our devices and networks against them. Perhaps there is no “winning” this game, but there are some very straightforward steps we can take to improve our defenses. Among them, the Librarian of Congress, in consultation with the Copyright Office, should ensure that Section 1201 does not unnecessarily impede essential computer security research.

UK Tribunal: Secret Policies on Surveillance Violate Human Rights (Mon, 09 Feb 2015 21:45:25 +0000)

On February 6, the UK’s Investigatory Powers Tribunal, which handles challenges to the country’s secret-surveillance programs, ruled that the intelligence agency GCHQ had violated human rights when it failed to tell the British public about the kinds of circumstances in which it could conduct warrantless mining of Internet users’ communications that had been collected by the US National Security Agency (NSA). The NSA intercepts these communications pursuant to the controversial PRISM and Upstream programs, which it operates on the basis of Section 702 of the US Foreign Intelligence Surveillance Act—a set of provisions that CDT believes are urgently in need of reform.

Although the ruling will not halt any of the surveillance programs that the NSA, GCHQ, or their “Five Eyes” partners are carrying out, it does establish unambiguously that intelligence agencies in Britain are not permitted to conduct surveillance based on laws or legal interpretations that are kept completely secret from the public. In that respect, the case—which was brought by our colleagues at Liberty, Privacy International, Amnesty International, and other organizations—is highly significant and will likely lead to further litigation arguing that any data GCHQ collected from the NSA before this year must be deleted.

The tribunal’s decision hinges on a series of prior judgments by the European Court of Human Rights, which are binding on the UK. Those judgments require that the domestic legal regime that governs surveillance “must be sufficiently clear in its terms to give citizens an adequate indication as to the circumstances in which and the conditions on which public authorities are empowered to resort to any such measures.” The tribunal found that prior to December 2014, when GCHQ revealed certain basic information about how its warrantless requests for data from the NSA would operate, the intelligence agency had failed to comply with this “foreseeability” requirement and was therefore in breach of the rights to privacy and free expression found in the European Convention on Human Rights. (To read what the agency revealed about these warrantless requests, see paragraph 47 of this judgment.) The tribunal further found, however, that GCHQ’s disclosures have now fixed this problem. The body also previously concluded that the agency’s actual conduct or participation in some of the secret-surveillance programs that Edward Snowden revealed does not violate privacy or other human rights.

Although far from being a sweeping condemnation of GCHQ or NSA behavior, the decision nevertheless represents a step forward, not least because this is reportedly the first time the body has ever upheld a complaint about secret national-security surveillance in the UK. The decision also represents an acceptance—however minimal—that neither the collection nor the sharing of intelligence can lawfully be conducted in a “black box,” such that members of the public know nothing about the potential invasions of their privacy. As the European Court has long since established, and as the tribunal has now accepted, intelligence agencies violate human rights when they operate on the basis of secret laws or completely classified legal interpretations.

Unfortunately for the British public, the policies that GCHQ has now disclosed are hardly reassuring: the Secretary of State for the Home Department, a member of the executive branch, is invested with the sole power to authorize these warrantless requests for data; no court order is involved. (Incidentally, GCHQ claims that it has never actually sought to engage in this warrantless surveillance—at least not through the procedures it has revealed.) Moreover, the intelligence agency’s powers to obtain and store data that the NSA has vacuumed up through either targeted or mass surveillance remain unchanged. Meanwhile, its own intelligence collection practices continue to be fundamentally inconsistent with the European Convention, as CDT has pointed out.

The good news is that the claimants in this case are likely to ask the European Court to determine whether GCHQ’s participation in a range of abusive programs violates the Convention, as two other organizations have already done. The Court has examined the surveillance regimes of many countries over the past four decades, and it is likely to find that at least some of the most egregious aspects of the UK’s programs violate human rights and need to be altered or discontinued. Those of us who advocate against excessive surveillance in the US context can also take heart from the fact that—as this ruling shows—the NSA can insist on total secrecy, but courts in other countries do not have to agree.
