Online privacy

The European Union courts will hear a case with a massive impact on Facebook and other American internet service companies. The case, which an Irish court on Oct 3 referred to the Court of Justice of the European Union, revolves around where companies can store personal information.

Max Schrems is suing Facebook under the claim that, so long as the United States allows bulk surveillance programs, the US cannot guarantee that data stored on servers located on its shores abides by the EU’s stringent personal data protections laws. Currently, Facebook and other companies use what are known as “standard contractual clauses” to assure European users that their personal information is being protected. Schrems launched a similar case against an earlier treaty between the United States and European Union to cover cross-boarder data storage known as Safe Harbor, which the European courts eventually nixed. Safe Harbor was replaced by a new treaty, Privacy Shield, which is undergoing similar challenges. If courts continue to find US protections for European Citizens data insufficient, it could result in US internet service companies being unable to do business with Europe without setting up specialized servers there.

The FBI does not have to reveal the identity of a vendor that helped it unlock the iPhone of one of the shooters in the 2015 San Bernardino terror attack, or the price it paid for the vendor’s services, a federal judge ruled.

In summary judgment issued Sept 30, US District Judge Tanya Chutkan in the District of Columbia wrote that the FBI had shown that releasing the vendor’s name “could be reasonably expected to cause harm to national security interests by limiting the FBI’s present and future ability to gain access to suspected terrorists’ phones.” She also wrote that disclosure of the vendor’s identity would “risk disclosure of a law enforcement technique and create a reasonably expected risk of circumvention of the law.” The judge also ruled that releasing the amount paid could also cause a “reasonably expected risk of harm to national security,” as the price could “logically reveal how much the FBI values gaining access to suspects’ phones, and the breadth of the tool’s capabilities.” The ruling comes in response to a lawsuit filed last year by three news organizations under the Freedom of Information Act.

Rep Ted Lieu (D-CA) is a naturalized American citizen, having emigrated from Taiwan as a young child. Earlier in Sept, under a new proposed policy, the Department of Homeland Security said it will begin collecting public social media information about immigrants—possibly also green card holders and naturalized citizens—and include them as part of their so-called "Alien File."

Because of this ambiguity, Rep Lieu—who is very active on Twitter—has a basic question in a Sept 29 letter for Acting DHS Secretary Elaine Duke: "Does your proposed rule apply to me?" Rep Lieu, who said he has lived in the United States for over four decades and who holds the rank of colonel in the United States Air Force Reserves, also raised concerns that if enacted, the rule will be ineffective. Why does he think this? Because DHS’ own inspector general report found in February 2017 that previous "social media screening" pilot programs "lack criteria for measuring performance to ensure they meet their objectives."

[Commentary] Section 702 of the Foreign Intelligence Surveillance Act illustrates the value of sunsets. Its termination date is December 31, 2017, unless reauthorized by Congress. Experience since its enactment by in 2008 shows that section 702 has created a hole in the Fourth Amendment’s protection of privacy big enough to house the Pentagon.

Chairman of the House Judiciary Committee, Robert Goodlatte (R-VA), has an opportunity to become the James Otis of digital privacy by sponsoring legislation to cure section 702’s constitutional defects revealed by experience by requiring judicial warrants based on probable cause to justify invading the communications privacy of Americans.

[Bruce Fein is a constitutional scholar]

[Commentary] Today’s privacy rules are anything but clear. Internet content providers like Google, Facebook and Amazon are regulated for privacy by the Federal Trade Commission, the historic internet-privacy protection body. Internet-service providers that link consumers to the network, such as Verizon, AT&T and Comcast, were also regulated for privacy by the FTC until 2015, when the Federal Communications Commission classified internet access as a telecommunications service, stripping the FTC of that authority. Privacy is too important to be left to the whims of regulatory agencies.

Instead, Congress should consider taking an approach akin to the Browser Act (HR 2520), sponsored by Rep Marsha Blackburn (R-TN), that would unify privacy rules across the internet under the FTC, from operating systems to browsers to ISPs to edge content providers.

[Rick Boucher was a Democratic member of the US House of Representatives from Virginia for 28 years and chaired the House Communications Subcommittee. He is honorary chairman of the Internet Innovation Alliance (IIA) and head of the government strategies practice at law firm Sidley Austin]

The co-founders of the Congressional Privacy Caucus are concerned about a new Mattel baby monitor's ability to record and transmit sensitive information, as are a bunch of privacy activists. Sen Ed Markey (D-MA) and Rep Joe Barton (R-TX) wrote the toy company Sept 29 about their new, voice-controlled, Aristotle monitor. They described the device as a Wi-Fi enabled talking device with audio and video monitoring that could be in a child's room from birth through adolescence. They want to know how the device will monitor—photos, videos, voice recognition—how the information will be stored and protected, how parents' permission will be obtained, and whether the device is compliant with the Children’s Online Privacy and Protection Act (COPPA), which Sen Markey co-authored.

“In today's connected world, it is crucial we keep an eye on privacy and data security,” said Rep Barton. “That is the exact reason Senator Markey and I founded the Bipartisan Privacy Caucus over a decade ago. Our goal in the letter to Mattel is not to stifle innovation and product development, but to ensure that parents know how their child's data will be protected.”

The DC branch of the American Civil Liberties Union (ACLU) is helping three anti-Trump activists fight what they say is an overly broad government demand for their personal Facebook data. In “motion to quash” court documents filed this month, ACLU lawyers argue that letting federal investigators comb through the contents of individual Facebook pages amounts to an unjustified and unconstitutional invasion of privacy. The motion concerns an ongoing case in which the DOJ has been seeking information related to protests and rioting during the January 20 inauguration of President Trump.

Despite the fact that the case has been going on for months, the activists only recently learned that the US is interested in their Facebook data. While Facebook typically tells users about government warrants, a gag order initially prohibited it from doing so in this case. Facebook challenged that order and the government ultimately agreed to allow it to disclose the warrants.

The Senate majority is charging forward with plans to vote to reconfirm Federal Communications Commission Chairman Ajit Pai for another five years. Rehiring Pai to head the agency that oversees US communications policies would be a boon for the phone and cable companies he eagerly serves. But it would hurt everyone else who needs this agency to put our communications rights before the profits of monopoly-minded media giants. In the coming days, senators have the opportunity to intervene on the public’s behalf and fire Pai. Here are five reasons they should do so:
1. Net Neutrality Lies
2. Widening the Digital Divide
3. Sinclair Quid Pro Quo
4. First Amendment Fail
5. Assault on Online Privacy

The Broadband Internet Technical Advisory Group (BITAG) will review the technical aspects of Internet of data collection and privacy. This review will result in a report with an anticipated publication date in early 2018.

In various contexts, different organizations are studying data collection practices and privacy in the Internet “ecosystem” and public discourse has suggested there is a significant gap between perceived and actual data collection practices. Much of this discourse has also been focused on one set of actors or another, without a more holistic consideration of the significant roles played by a broad cross-section of all those involved, ranging from Internet Service Providers (ISPs) to edge providers, advertising networks, application developers, equipment manufacturers, and others. Often, the discussion is not sufficiently informed by technical information regarding actual practices. BITAG’s report on Internet data collection and privacy will draw on concrete, specific technical information and aims to shed light on the current state of data collection practices, including: what types of data are collected, where and how collection takes place, and for what purposes the data is used (e.g., operational, service related). The report will also investigate and report on how these practices vary across the broader Internet ecosystem; the report will discuss the roles various parts of the Internet ecosystem play in collecting data from and about Internet users, the analytic tools and methods that various stakeholders apply to the collected data, how different stakeholders use the data, and more. BITAG’s technical working group will analyze this topic and issue a report that will describe the issue in depth, highlight technical observations, and suggest appropriate best practices. The lead editors of BITAG’s report on IoT security and privacy are Jason Livingood of Comcast and Nick Feamster, Professor of Computer Science at Princeton University. Douglas Sicker, Executive Director of BITAG, Chair of BITAG’s Technical Working Group, Department Head of Engineering and Public Policy and a professor of Computer Science at Carnegie Mellon University, will chair the review itself.

While some state legislative proposals target internet service providers (ISPs), we are also seeing a steady stream of state bills that seek to regulate broader aspects of internet privacy and cover all online companies. This fragmented approach will only serve to confuse consumers, impede innovation and distort competition.

In 2015, the Federal Communications Commission (FCC) asserted privacy jurisdiction over ISPs and adopted ISP privacy rules that would have favored some online service providers over others. The Federal Trade Commission itself pointed out that these would have subjected consumers to an illogical and confusing array of regulations. The FCC’s actions also served as a warning that other federal agencies could adopt internet privacy regulations for specific sectors that create even more imbalance among internet companies. While Congress wisely repealed the FCC rules before they could take effect later this year, the issue of which agency has jurisdiction over ISP privacy has yet to be resolved.