Digital Discourse / Policy / Policy - Privacy

Data Broker Briefing Reveals Complex Data Ecosystem

December 18, 2012 By

In a briefing convened by the Congressional Privacy Caucus last week, co-chairs Ed Markey (D-MA) and Joe Barton (R-TX) explored the roles of “data brokers,” along with two chief regulators from the FTC, Chairman Jon Leibowitz and Commissioner Julie Brill. The briefing and discussion was wide-ranging, and if anything, it seemed to raise more questions than provide answers.

If there was one single over-arching takeaway for me, it was that there exists a very complex data ecosystem that includes consumers, businesses and governments, and it’s increasingly difficult to label entities for purposes of creating new laws and regulations. Following is a summary of key themes I took out of this briefing:

(1) There’s no broad agreement on the definition of “data broker.” The discussion did not include a clear articulation of what the lawmakers and regulators believe to be a data broker definition of exactly what is a “data broker,” which seems to be the key question before deciding on new policies. The best articulation was “an entity that collects data but which has no intersection w/ consumers directly.” While this may make sense on the surface, it quickly breaks-down when moving forward to craft rules for data brokers, because it clearly leaves open a wide range of entities that openly characterize themselves as brokers but also provide for direct interaction with consumers.

I wish we could put any discussion about new policies on hold until we can at least clearly know what we’re talking about as a “data broker.”

(2) It’s the “use” stupid. I was constantly reminded of the old refrain, “it’s the economy, stupid,” the now infamous phrase that explained ultimately why Bill Clinton would ultimately be elected President in 1992. If there is one thing that seems to enjoy broad agreement around data privacy, it’s that it is more important — and useful— to look at how a data is used, and the potential for harm, than it is to single out ill-defined entities and try to craft specific legal and regulatory roadmaps for their behavior. While, this was my takeaway and was surely shared by many other present at the briefing, it is the opposite of what leading lawmakers and regulators are thinking.

(3) The FTC will maintain a steady focus on “data brokers.” Regardless of the challenge in clearly defining data brokers, the FTC is sure they don’t like ‘em. As clearly articulated by Commissioners Leibowitz and Brill, the FTC will maintain a heavy focus on “data brokers” – as was a unanimous recommendation from the FTC’s Privacy Paper issued earlier this year. While they did recognize there are significant benefits provided by “data brokers,” they made the following pronouncements: (1) much more needs to be done on the transparency front, (2) industry needs to do more to articulate existing transparency mechanisms; and (3) the Commission is exploring “what can and should be done beyond merely enforcement” of existing laws.

(4) Reps. Markey and Barton will focus this conversation on children, then expand – As the bipartisan team leaders for increased privacy protection for consumers, Reps. Markey and Barton reiterated their commitment to continue moving forward with all deliberate speed in the next Congress, reintroducing their Do Not Track Kids Act (H.R. 1895) and promising to sign-on even more than the 45 cosponsors from the current bill. . While that is surely no surprise to anyone, they went further to effectively outline their strategy to use the conversation on children’s privacy, expand the current age qualification in COPPA, and use this as a gateway to adopting privacy laws more broadly beyond children.

(5) Transparency and industry leadership are key – Another theme that keeps coming up is the need for greater transparency and industry leadership in this area. Similar to the ongoing discussions regarding “mobile transparency,” industry can and will surely continue to improve practices in this area, or we’ll be building the case for regulators and legislators to step in.

David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy.

Share|
Filed Under: Policy, Policy - Privacy

SIIA Welcomes State Department’s Interventions on Cloud Computing and Privacy

December 14, 2012 By

Last week U.S. Ambassador to the European Union, William Kennard, addressed Forum Europe’s 3rd Annual European Data Protection and Privacy Conference, and responded to the myth that the U. S. system of government access to information is a threat to the privacy rights of citizens of the other countries. He was especially effective in rebutting concerns directed at cloud computing, where the misconception has developed that information stored in cloud computing servers can be accessed by the U.S. government without any effective privacy controls.

His intervention is a welcome attempt to set the record straight before these erroneous beliefs become widespread and entrenched.  It was accompanied the release of State Department white paper that dispels the misconceptions about the U.S. legal system and government access to information.

The fact is that the U.S. has a well-developed and established system to protect individual liberties from government intrusion.  We have a general distrust of a powerful government and are suspicious of anything that advances the growth of government power.  Our bias is in favor of a limited government that lets people chose their own good in their own way.  As a result we are far less tolerant of government intrusion into our private lives than other countries, and have set up a system whereby the U.S. extends privacy protections to non-U.S. citizens as well.

At the same time, the U.S. is more tolerant of the use of information for innovative and productive use by businesses than other countries, to our great advantage in the race for economic growth, business development and job creation.  Our system of protecting the individual privacy in the business context shows that this can be done while maintaining strong and effective protections for consumer privacy. This system also respects the rights of non-U.S. consumers established in other privacy regimes.

None of this means that the U.S. system is perfect.  We think that steps can be taken to improve the consumer privacy system for mobile app notifications and are actively working with the U.S. Commerce Department and other stakeholders on a voluntary code of conduct and an effective system of screen notices.  We have joined with others in the Digital Due Process Coalition to modernize the 1986 U.S. Electronic Communications Privacy Act, which needs updating to fit the realities of email and document storage in the cloud.

But the need for these reforms does not suggest that the current U.S. system is a threat to privacy or justifies a move away from cloud computing as a way to avoid government scrutiny.  Ambassador Kennard is to be commended for his strong defense of the U.S. approach to privacy in the cloud.

Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow the SIIA Public Policy team on Twitter at @SIIAPolicy

Share|
Filed Under: Policy, Policy - Cloud Computing, Policy - Privacy Tagged With: , ,

Mobile Privacy: Congress Should Give Multistakeholder Discussions More time

December 6, 2012 By

Today,  the Senate Judiciary Committee is scheduled to consider legislation sponsored by Senator Al Franken (D-MN), the Location Privacy Protection Act of 2011 (S.1223), that would require app providers to seek affirmative “opt-in” consent from consumers before using their location information.

As with all consumer privacy issues, users trust in mobile app privacy is absolutely critical.  Without consumer trust, demand stalls, innovations is stifled and neither businesses nor users interests are served.  Straight-up, a lack of trust is a lose-lose. However, multistakeholder discussions have been ongoing since June of this year, engaging a wide range of industry and civil society in an effort, led by the Department of Commerce NTIA, to develop a voluntary code of conduct for mobile app transparency in information collecting.

This flexible, consensus process is also better able to ensure that policies are not technology or platform specific.  That is, at a time of increasing convergence, where “applications” are seamlessly offered across a wide range of devices, fixed laws such as this would stifle technological evolution by creating a distinct privacy regime based on a specific type of device.

SIIA is very supportive of the effort and confident that it can succeed if given time.  Consumers and businesses are in this together, dependent on each other as this new mobile ecosystem continues to evolve.  With the right consensus-driven framework, mobile app privacy can be a win-win for users and businesses.

Rather than considering rigid legislative mandates on the mobile app industry, Congress should continue to explore how to support this industry.  The House Energy and Commerce Committee did just that earlier this year by holding a hearing focused on this innovative industry and how it can spur economic and job growth.

Recommendations are good.  Consumer self-help is good.  But the world is looking to us to show that self-regulation can work as a viable alternative to government mandates.  To allow the multistakeholder efforts on mobile transparency to falter now would confirm their belief that only the government can set the rules of the road in this area.  It is time for the industry to step up and make progress on setting its own rules of the road. If we don’t we have only ourselves to blame if state, national or international governments feel compelled to step in to protect the public.

David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy.

Share|
Filed Under: Policy, Policy - Privacy Tagged With: ,

Do Not Track: Time for DAA to Move Forward

October 2, 2012 By

It is increasingly likely that the W3C process for Do Not Track will reach an impasse.  In a recent note to Federal Trade Commission Chairman Jon Leibowitz several consumer groups described their sense that the process is deadlocked, and asked the Chairman to intervene.  FTC officials are usually at the discussion, which are set to resume in Amsterdam this week, but in his letter to Congress last week Chairman Leibowitz made it clear that it is the private sector group not the government that will adopt any Do Not Track standard.  Even with more direct FTC intervention, however, it is unlikely that parties will act contrary to their perceived fundamental interests.

The key disagreement is an understanding of what the Do Not Track flag means and what actions users can expect from websites and service providers if they turn it on.  Without this, the Do Not Track standard is incompletely specified, and provides less than comprehensive guidance for browser providers, websites and their service providers, and the general public.

If the W3C cannot reach a common understanding, perhaps the industry can.  The Digital Advertising Alliance has been looking at this issue for some time.  Indeed, back in February it indicated to the White House that it was going to address it:

“…the DAA intends to begin work immediately with browser providers to develop the consistent language across browsers regarding the browser based header signal uniform consumer choice mechanism that is simple to use and in a clear manner that describes to consumers the effect of exercising such choice.”

Mozilla proposed an easy-to-understand focused definition of Do Not Track back at the beginning of 2011:  “Tracking is the accumulation and use of a profile by advertising networks through invisible or subtle noting of which sites an individual visits, and the use of the profile data to customize advertisements displayed.”  Or, more succinctly, DNT means “a way for people to opt-out of online behavioral advertising (OBA).”

These definitions make sense.  They focus on the issue that appears to be of most concern to the public and policymakers: cross-site tracking for the purpose of advertising profiling and targeting.  We need to give consumers another mechanism to say no to OBA if they wish.  Of course, the DAA definition should incorporate the current W3C consensus that DNT “on” imposes no obligation on first parties, except that first parties may not help third parties circumvent DNT.

Other uses of tracking should be permitted.  For example, if a website is doing standard analytics, such as keeping track of where their visitors come from and where they go, market research, product debugging and improvements, investigating possible fraud or intellectual property violations or security risks.

DAA is doing great work on OBA. Its AdChoices program already gives consumers a cookie-based mechanism to opt out of OBA.  With DNT, DAA can do the industry and the public a service by bridging the browser DNT flag with the existing AdChoices program.

Customers should be told clearly that they can decline online behavioral advertising and how to do it.  DAA is in a unique position to move forward and break the logjam that is threatening to derail the promising initiative that is DNT.

Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow the SIIA Public Policy team on Twitter at @SIIAPolicy

Share|
Filed Under: Policy, Policy - Privacy Tagged With: , ,

COPPA Rulemaking Goes Far Beyond Congressional Intent; Will Harm American Innovation

September 24, 2012 By

SIIA today filed comments with the Federal Trade Commission regarding its notice of proposed rulemaking on the Children’s Online Privacy Protection Act (COPPA). SIIA expressed significant concern that the FTC is creating a burdensome regulatory framework that goes well beyond congressional intent.

The FTC’s proposed COPPA rulemaking takes the effort to protect online privacy and turns it into a harmful barrier to American innovation. For years, we’ve worked closely with industry and government to advance online privacy and security. We’re confident that, with smart regulation and public-private cooperation, both the goal of protecting online privacy of children and the goal of business innovation can be served. Unfortunately, what we’re currently seeing from the FTC is an overly broad and unworkable regulatory framework for implementing COPPA.

To read SIIA’s full comments, please click here. In its comments, SIIA states:

“We are supportive of the goals of the Commission to protect children from third-party plug-ins, social networks and any other third party service that collects personal information.

“However, the inappropriately broad expansion of the statute’s definition of personal information, combined with the increasingly broad definitions of ‘operator’ and ‘web site or online service directed to children’… create a broad regulatory framework that dramatically exceeds the scope of COPPA and will most certainly stifle innovative Internet-based offerings-not just for sites and services directed at children under 13, but much more broadly.”

SIIA addresses six specific areas of concern:

1. Expansion of “Personal Information” to include persistent identifiers creates an unworkable regulatory construct.

2. Modification to the rule’s definition of “operator” is overly-broad, and it places an unworkable responsibility on operators of sites and services well beyond the scope of COPPA.

3. Proposal to make third parties qualify as “operators” under COPPA by creating a “reason to know” standards is an inappropriately broad expansion of the statute and impractical.

4. Requirement for operators of “child-friendly mixed audience sites” to take an affirmative step to attain actual knowledge of child users would inappropriately expand the scope of COPPA.

5. Application platforms should not be characterized as “operators” under COPPA, but the Revised NPRM leaves this unclear.

6. The broad regulatory construct proposed in the Revised NPRM is likely to challenge application of COPPA to Internet-based educational materials and services.

Ken WaschKen Wasch is President of SIIA.

Share|
Filed Under: Policy, Policy - Privacy Tagged With: ,

Do Not Track is at a Crossroad

September 17, 2012 By

The New York Times weekend piece on Do Not Track revived the debate on what the industry should do when users’ online privacy choices are made for them. Our view is that the choice should be left to the user, and not imposed by any platform or service provider. Last week, Google announced that it would make available this user-controlled feature in its Chrome browsers by the end of the year.

In June Microsoft disrupted the industry discussions about how to provide a workable mechanism to empower users to make choices about online privacy and personalization. It announced that it would turn on the Do Not Track (DNT for short) signal in Internet Explorer 10 by default. Mozilla, the maker of the competing browser, Firefox, was critical. SIIA objected. Advertisers announced that this decision ran counter to an agreement struck between the industry and the White House around opt-out as a genuine consumer choice.

Last week, Apache revealed that it will disable the DNT signals coming from Internet Explorer 10. Roy Fielding, an author of the DNT standard and principal scientist at Adobe Systems, wrote a patch for Apache that sets the Web server to disable DNT if the browser reaching it is Internet Explorer 10.

The message is that a unilateral action forced on users by one industry player is not a sustainable solution. We as an industry have to do it together, or not at all. If websites powered by Apache do not accept the IE10 DNT signal, it simply won’t reach critical mass. Consumers, mislead by industry announcements and superficial stories from the trade press, might think their browers are giving them privacy over personalization–but the reality will be very different.

The danger is that the collaborative effort that has been building toward real privacy protection collapses. As Peter Bight said in ArsTechnica in August,” …there’s a very real prospect that the Do Not Track header will be both widely used, and widely ignored. In this situation, it would be difficult to describe it as anything other than a failure.”

Do not track is at a crossroad. Now it is up to the industry to create a a simple, easy to use, consumer activated Do Not Track system that all parties can respect.

Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow the SIIA Public Policy team on Twitter at @SIIAPolicy

Share|
Filed Under: Policy, Policy - Privacy Tagged With: ,

Mobile Privacy: Time for Collaboration, Not Legislation

September 12, 2012 By

Representative Ed Markey’s proposed mobile legislation, scheduled to be introduced today, is the wrong way to go. It would impose rigid privacy rules on the mobile industry that can only lead to stagnation and a loss of innovative dynamism.

And what a loss that would be for such a dynamic, growing industry. According to a recent study, there were over 44,000 app-related positions open in the U.S. in the last quarter of 2011, and overall, there were 45 percent more open app positions than in the previous year. Based on this number, the study found the app economy firms represented 311,000 jobs. Using a standard multiplier, this number grew to nearly a half a million jobs created by the app economy in both direct and indirect jobs since 2007.

Rather than overregulating an industry that holds such potential for economic growth, Congress should be following the House Energy and Commerce Committee’s lead in supporting the industry. The Committee is holding a hearing today focused on apps and where the jobs are.

So if legislation isn’t the answer, what should be done?  Over the summer, the National Telecommunications and Information Administration (NTIA) launched an effort to nudge stakeholders into adopting codes of conduct for mobile transparency.  SIIA was supportive of this effort and remains so.  But after several meetings it appears that things may be starting to drift. Some scheduled meetings have been postponed. Fortunately, discussions between various industry stakeholders, as well as discussion between industry and consumer watchdogs, are ongoing.

The industry needs to get the substantive mobile transparency discussion moving again, if not through NTIA action then separately.

It’s also important to remember that consumers are not passive victims.  If they think they are being abused, they have a healthy capacity for self-defense. As the New York Times wrote last week “many consumers seem to be already taking steps to guard their personal information from data-grabbing apps. A study by the Pew Research Center, released Wednesday, found that among Americans adults who use smartphone apps, half had decided not to install applications on their mobile phones because they demanded too much personal information. Nearly a third uninstalled an application after learning that it was collecting personal information “they didn’t wish to share.” And one in five turned off location tracking “because they were concerned that other individuals or companies could access that information.”

This is good.  In the absence of government mandates, and industry codes of conduct, consumers are doing some sensible things to protect themselves.  But the lack of consumer trust is troubling and can only inhibit growth in the market.  If consumers just say no, the whole industry suffers.

The FTC is trying to help with some guidance.  Last week it published its recommendations for mobile application developers, suggesting that companies seek “express agreement” for consumer data they collect and share.  Nothing is binding on companies, however, and there is no indication that these recommendations are forming the core of industry codes of conduct or best practice.

Recommendations are good.  Consumer self-help is good.  But the world is looking to us to show that self-regulation can work as a viable alternative to government mandates.  To allow the multi-stakeholder efforts on mobile transparency to falter now would confirm their belief that only the government can set the rules of the road in this area.  It is time for the industry to step up and make progress on setting its own rules of the road.

Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow the SIIA Public Policy team on Twitter at @SIIAPolicy

Share|
Filed Under: Mobility, Policy, Policy - Privacy, Software Tagged With: , ,
« Older Posts