SIIA Welcomes Tom Wheeler as FCC Chairman

Yesterday Tom Wheeler was sworn in as Chairman of the Federal Communications Commission.  He comes to the FCC after a Washington career that includes previous incarnations as the head of communications industry trade associations, venture capitalist, historian and author and chairman of various governmental advisory commissions. SIIA welcomes his chairmanship and looks forward to working with him and the other commissioners on a range of important issues.  In particular, SIIA urges prompt and effective action to increase support for broadband to schools and libraries across the nation.  As we said in our comments in the current FCC E-rate proceeding:

“SIIA views robust Internet access through high-speed broadband connectivity as critical to a 21st century education system, and to providing educators and students with access to technology-based tools and resources that are mission critical for teaching and learning in today’s digital age.  Learning technologies are needed to increase educational opportunities, improve student engagement and enhance the personalization of learning to meet the needs of an ever more diverse student body.”

The new FCC Chairman has taken some good first steps.  He has appointed a first-class group of senior advisors, including long-time Washington public servant and communications lawyer Phil Verveer as special counsel, public interest activist Gigi Sohn as his head of external affairs, communications policy veteran Diane Cornell as special counsel, former Commerce Department official Jonathan Sallet as acting general counsel, and former Democratic Chief Counsel on the House Energy and Commerce Committee Roger Sherman as acting head of the wireless bureau. His remarks to the FCC staff contained an attractive vision of the FCC’s role in nurturing the “network revolution” created by dramatic advances in communications and computer technology. SIIA congratulates him on a good beginning.

Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow Mark on Twitter at @Mark_MacCarthy

Cybersecurity Needs Cooperation, Not Blame

Many of the good actors of cybersecurity are implementing new technical measures to improve information security while they build institutional mechanisms to coordinate government and private sector work throughout the world. These twin steps of technical innovation and institutional reform are the pillars of any successful cybersecurity strategy going forward.

These are the “good guys” of cybersecurity, and it’s important to distinguish players like these from the bad actors of informational security, a point that was highlighted at two recent information security conferences in Washington, D.C. At the Visa Security Summit in early October, Visa’s Ellen Richey promised a regime of “responsible innovation” where new payment products would be introduced with security “built in from the start.” At the Washington Post Live’s Cybersecurity Summit, Microsoft’s Craig Mundie noted the global nature of these evolving threats and called for new international mechanisms, a “World Health Organization for networks,” to coordinate effective government and private sector responses.

Providing good information security is a constant battle between the real bad guys, who want to break into, disable or destroy complex computer systems and networks, and their victims, who must constantly innovate to keep up with a continuously changing threat landscape. The good guys in government and the private sector are playing a deadly game with an implacable foe.

They need public support for their efforts, not public shaming when their reasonable efforts fall short. Unfortunately, many assume that if the bad guys have been good enough to get into a computer system, the good guys must have done something wrong. This uninformed reaction typically follows well-publicized breaches, and some of the reaction to recent revelations involving several major companies is no exception.

This tendency to blame the victim misunderstands the nature of cybersecurity threats and responses. Providing good information security is a risk-based task of assessing threats and vulnerabilities and taking reasonable steps to mitigate them. It is a matter of proportion and balance, not absolutes. Reasonable policies and procedures must be taken in proportion to the size and nature of the threats and the value of the assets that need to be protected. These risks cannot be reduced to zero. As the FTC has asserted, as far back as 2005, “…there is no such thing as perfect security, and breaches can happen even when a company has taken every reasonable precaution.”

The blame-the-victim mentality can do real harm too. As speakers at the Washington Post Live’s Cybersecurity Summit repeatedly pointed out, when companies think they will be the object of public shaming for being the target of a hacker, they often wait until the last minute to be absolutely sure they have a problem before telling other private sector parties or the government. During that delay, the same hackers who have victimized them are victimizing others. Good guys need incentives for sharing information about attacks and vulnerabilities, not punishment. Wider understanding of the difference between the victims and the perpetrators would help, as would government legislative action to limit liability for firms who share cyber threat information with each other and the government. The House has passed such legislation and movement in the Senate is on the horizon.

The fact that valuable computer source code was stolen in one of these attacks suggests an additional coordinating role for government – moving in the international direction suggested by Microsoft’s Mundie at last week’s Washington Post Live conference. The U.S. government needs to take global steps to mitigate the theft of U.S. trade secrets. The elements of an Administration strategy in this area, announced last February, include:

• Increasing U.S. diplomatic engagement. This includes conveying concerns to countries where there are high incidents of trade secret theft with coordinated and sustained messages from the most senior levels of the Administration; building coalitions with countries that share U.S. concerns; urging foreign law enforcement to do more; and using trade policy tools to press other governments for better protection and enforcement.

• Supporting industry-led efforts to develop best practices to protect trade secrets and encouraging companies to share with each other best practices that can mitigate the risk of trade secret theft.

• Continuing to make the investigation and prosecution of trade secret theft by foreign competitors and foreign governments a top priority.

• Providing warnings and threat assessments to the private sector on information and technology that are being targeted for theft by foreign competitors and foreign governments.

• Conducting a review of U.S. laws to determine if further changes are needed to enhance enforcement, and working with Congress to make any necessary changes.

This is still a good strategy and implementing it should be one of the primary reactions to the recent news of the theft of trade secrets and private information from U.S. companies.


We Can Improve Student Learning and Preserve Student Privacy

The expanded use of educational technology and student information for improving student learning has drawn attention to the issue of student privacy on the state and national policy agenda. The education community is having important discussions about the use of student data while also ensuring its privacy and security.

Many educational service providers, working with schools and universities, use student information to develop and deliver learning software, digital content, web services and related technologies and services that meet their teaching, learning and enterprise management needs. These range from adaptive learning to bus and classroom scheduling software, and from learning management systems to data systems. They are helping to personalize learning, support teachers and instruction, carry out various administrative operations, and improve school productivity and educational performance.

As student information is used to improve learning, schools and service providers have a shared responsibility to protect the privacy and security of student information.

One way they do this is by limiting the collection and uses of student information. Schools and their service providers collect and use student information only for legitimate educational purposes and have policies and procedures in place to prevent unauthorized use.  This is not just a matter of good will.  Schools are required to do this by the federal Family Educational Rights and Privacy Act (FERPA) and often by state laws as well. Service providers are also bound by contract and are subject to significant penalties including the possibility of being restricted from contracting with the school for up to five years for unauthorized disclosure of student information. There’s a market incentive for service providers as well: if they do not live up to their responsibilities, they will lose the confidence of their customers and lose business.

Privacy and security of student information is important to schools and service providers for another reason.  They are essential parts of good information practices. For instance, if student information is inaccurate, out-of-date or incomplete, this renders the use of the information unreliable.

Educational service providers do not have an independent role in the school system. They cannot just use student information as they see fit. They work for educational institutions.  They collect and use student information only with the explicit approval of the schools and other educational institutions that they work for. They use this information only for the purpose authorized by the educational institution.

Parents have an important role too. Federal law requires parental consent (for students under age 18) if schools want to share information with third parties for non-educational purposes.  If schools, school districts, or state educational departments want to use student information beyond the narrowly defined educational purposes in Federal law, they have to get parental consent.

Some have called for parental consent for all uses of student information, even for core educational purposes.  But this is unrealistic.  Schools need to collect information from students to operate their institutions and to provide education to their students.  They must share this information with third-party providers without whom they do not have the capacity to carry out many core functions. They cannot possibly do this if they have to provide an opt-out for all uses of student information. More importantly, a universal opt-out would also create an unfair imbalance by further widening the achievement gap — some students would have access to the best educational resources while those who opt out fall behind.

As our education system continues to transform itself, SIIA looks forward to continued work with educators, policy makers and providers to advance the innovative use of technology and data to drive student success, and the continued use of sound data management practices that protect student privacy.


How NSA Revelations are Affecting the Tech Industry

Revelations about the National Security Agency’s (NSA) surveillance efforts are continuing to pose serious business challenges for the tech sector. SIIA is tracking the repercussions closely. Here are a few important developments to note:

Market Backlash: Studies and surveys have suggested a possible backlash against cloud providers and technology companies generally.  Here’s a summary of some of them:

  • CSA Survey: In July a survey from the Cloud Security Alliance reported  that  “10% of 207 officials at non-U.S. companies have canceled contracts with U.S. service providers following the revelation of the NSA spy program last month…the survey also found that 56% of non-U.S. respondents are now hesitant to work with any U.S.-based cloud service providers.”
  • ITIF Study: By comparing projected growth of US cloud computing sales with a variety of hypothetical sales losses, ITIF suggests that US cloud companies could miss out on as much as $35 billion in additional overseas sales over the next three years.
  • Forrester Study: Forrester thinks the potential impact could be as high as $180 billion by 2016, taking into account the reactions of U.S. and non-US companies, the impact on non-US cloud providers and the effects on the rest of the hosting and outsourcing market.

Repercussions for Tech: The NSA revelations continue to have larger repercussions for tech companies in the form of localization requirements and new challenges to the multi-stakeholder form of Internet governance.  Here are updates on several of these challenges:

  • Brazil’s controversial new internet plans, calling for server and data localization, a local encrypted email service and a separate transatlantic cable connection to Europe that bypasses the US.
  • UN General Assembly Address: After canceling a US state visit over NSA spying, Brazil’s Dilma Rousseff issued an announcement that called the interception of Brazilian communications “illegal” and said such a “grave fact” was an “assault” on sovereignty and “incompatible with a democratic coexistence between friendly countries.”  She then delivered the opening speech at the UN General Assembly today, rejecting U.S. government surveillance programs as inconsistent with human rights and a violation of national sovereignty, and calling for “multilateral mechanisms for the worldwide network that are capable of ensuring principles such as:
  1. Freedom of expression, privacy of the individual and respect for human rights.
  2. Open, multilateral and democratic governance, carried out with transparency by stimulating collective creativity and the participation of society, Governments and the private sector
  3. Universality that ensures the social and human development and the construction of inclusive and non-discriminatory societies
  4. Cultural diversity, without the imposition of beliefs, customs and values.
  5. Neutrality of the network, guided only by technical and ethical criteria, rendering it inadmissible to restrict it for political, commercial, religious or any other purposes.”

She concludes: “Harnessing the full potential of the Internet requires, therefore, responsible regulation, which ensures at the same time freedom of expression, security and respect for human rights.”

Civil Society Calls for Principles: International civil society groups have issued a call for government surveillance principles consistent with human rights.

EU Response: Viviane Reding’s address in Brussels last week held up the Data Protection regulation as the EU’s response to the fear of US government surveillance, explicitly took privacy issues off the table for discussion in TTIP, and suggested the formation of an EU-area cloud that would compete globally on the basis of better privacy rules and streamlined government regulation.


Do Not Track is on Track at W3C

The W3C Tracking Protection Working Group announced today that it would appoint Carl Cargill, from Adobe, and Justin Brookman, from the Center for Democracy and Technology (CDT), to join Intel’s Matthias Schunter as co-chairs of the group’s effort to forge a multi-stakeholder consensus on creating a standard to address Tracking Protection.  The group’s standard setting activity will continue, despite the withdrawal of the Digital Advertising Alliance earlier this week, under the leadership of these three well-qualified experts.

SIIA welcomes this development.  Internet users, the industry, and policymakers here and around the world are looking for a workable standard to address Tracking Protection that can be easily and effectively implemented.  All parties share the goal of creating an effective framework to enable users to express their tracking preferences in a transparent and meaningful fashion with the understanding that these preferences will be respected by the relevant Internet participants. The continuation of this W3C process and the momentum created by the naming of additional co-chairs provide the opportunity to adopt a workable standard that is broadly acceptable to all stakeholders.


Saving the Safe Harbor: Commissioner Julie Brill to the Rescue!

At the EU Data Protection and Privacy Conference today in Brussels, FTC Commissioner Julie Brill delivered a powerful speech about the way the U.S. protects consumer privacy. Along the way she offered a strong defense of the U.S. Safe Harbor Framework for European privacy:

“In the commercial space, the Safe Harbor Framework facilitates the FTC’s ability to protect the privacy of EU consumers. Without the Safe Harbor, my job to protect EU consumers’ privacy, where appropriate, would be much harder. In an era where we face many threats to privacy, Safe Harbor has been an effective solution, not the problem.”

In the face of so many challenges to the Safe Harbor Framework coming from European public officials, this speech from a prominent U.S. consumer protection official is a crucial reminder of the importance of this cross-border framework for international privacy protection.

Her remarks are also notable for the clear distinction she makes between government surveillance and commercial privacy:

“The issue of the proper scope of government surveillance is a conversation that should happen – and will happen – on both sides of the Atlantic. But it is a conversation that should proceed outside of the commercial privacy context.”

As I’ve noted in previous blogs, the conflation of the two is damaging both to the need to protect citizens from intrusive government surveillance and to finding the right sort of fair information practices that provide for commercial enterprise, innovation and the preservation of consumer privacy.  Commissioner Brill is exactly right when she insists on keeping these issues separate.


How to Keep the World Safe for Data Driven Innovation and Cross Border Data Flows

In a major address to the German Marshall Fund yesterday, outgoing Commerce Department General Counsel Cameron Kerry brought some refreshing clarity to the current discussions of privacy and government surveillance.

He started in the right place with a ringing endorsement of the progressive use of big data as a tool for economic and social improvement.  He referred favorably to “breakthroughs in medical research from aggregated health care records that can produce information far more robust than the limited populations of medical trials,” and cited a recent example:    

“The drug Herceptin was developed through identification of the HER-2 oncogene from records of 9,000 breast cancer patients. IBM is working with hospitals and the IBM-WATSON natural language system to collect anonymized medical records in ways that protect privacy and analyze unstructured data applying the power of new analytic technologies across many different text-based medical records previously unintelligible to computers.”

As SIIA noted in a recent whitepaper, the seamless flow of data across borders is important to the growth of data-driven innovation and the global economy. Kerry underscored the economic importance of cross-border data flow:

 “Trans-border trade – and especially transatlantic trade – now relies on the continued open flow of data, and cutting off these flows would cause significant and immediate economic damage. Moreover, it would lead to loss of competitiveness on both sides as other economies around the world that embrace open Internet architectures and freedom to experiment with data analytics offer havens for innovators. Our economic future is at stake in our international engagement.”

Then he noted the importance to transatlantic trade of the Safe Harbor arrangement that has governed transfers of information from the European Union to the United States for well over a decade. He warned of the dangers a weakening of this framework would pose to transatlantic trade:

“Today, more than 4,000 companies have subscribed to the Safe Harbor Framework. Many of these are U.S. subsidiaries of EU companies that also rely on the framework…Safe Harbor is a fundamental building block of the trade relationship between the United States and Europe…Any step back from Safe Harbor would send the trading relationship between the U.S. and the EU backward.”

This worry about a threat to the Safe Harbor Framework is not idle. On July 19, 2013 Viviane Reding, European Commission Vice President, issued a statement  saying, “The Safe Harbour agreement may not be so safe after all.” On July 24, 2013, a statement from the Conference of German Data Protection Commissioners indicated that it would examine whether transatlantic data transfers “should be suspended on the basis of the Safe Harbour framework.” 

The basis for this threat to the Safe Harbor in both cases is the NSA revelations regarding government surveillance–but this is mixing up apples and oranges.

The EU Data Protection Directive and the Safe Harbor both provide an exception for national security purposes.  In the US and EU regime, the law, regulation, and policy considerations that relate to protecting consumer privacy in a commercial context are completely different from the law and policy and constitutional considerations that govern government surveillance. 

Moreover, putting onerous burdens on the commercial transfer of information as a backdoor way to control government surveillance is self-defeating and counterproductive.  It distracts from real measures that might protect citizens from overly intrusive government surveillance and it puts an unnecessary burden on commerce that is not justified by the need to preserve and protect consumer privacy in a commercial context.

Kerry’s remarks yesterday show he grasps these issues clearly.  It might have been his last public statement before leaving his current post at the Commerce Department, but it sets a promising roadmap for Obama administration policy in this area.

Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow the SIIA Public Policy team on Twitter at @Mark_MacCarthy