Today’s mobile guidance report from the FTC provides some useful input to that end. However, SIIA continues to strongly disagree with some of the high-level conclusions reached by the Commission. Particularly, SIIA strongly disagrees with the FTC’s conclusion that “[m]ore than other types of technology, mobile devices are typically personal to an individual, almost always on, and with the user.”

While this may be true when applied to smartphones and the model for their use today, SIIA strongly believes that this vision misses the mark for tablets, and it most certainly inaccurately portrays the evolving nature of Internet-based technology and new-age devices. On the contrary, SIIA is confident that the larger trend in technology with products and services offered seamlessly across a wide range of platforms and devices, coupled with the increasing saturation of Internet-powered devices reflects the shift to an environment where devices are less “personal” and less linked to a particular individual than personal computers.

For instance, just several years after the introduction of the tablet computer, and less than a decade after the introduction of the the modern smartphone, it is not uncommon for a household to have a wide range of internet-connected devices, with perhaps the majority of those devices being mobile devices shared by numerous users.

SIIA believes that the FTC’s fundamental misunderstanding about the increasing personalization of devices sets an inappropriate basis on which to build a foundation of privacy practices, either voluntary or mandatory. In order to develop an effective privacy framework for rapidly evolving technology, it is critical that we fully understand how this evolution is taking place, and all the opportunities that this innovation brings.

David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPubPolicy.

Originally enacted in 1986, ECPA is failing miserably to provide a legal framework for the 21^st Century. Back in the mid-80s, electronic communications were quite different than they are today. Email didn’t even exist, let alone “cloud-based” email. One example of how the current law fails protect citizen’s privacy in the current era: Google‘s Transparency Report, released last week, which highlights the steady increase in government requests for users’ data.

Notably, the Report breaks out the types of requests that Governments entities use when compelling the company to hand over users’ information.  In summary, 68 percent of the requests Google received from government entities in the U.S. were made through subpoenas. These are requests for user-identifying information, issued under ECPA, and they are the easiest to get because they typically don’t involve judges. Only 22 percent were through ECPA search warrants. These warrants are, generally speaking, orders issued by judges under ECPA, based on a demonstration of “probable cause” to believe that certain information related to a crime is presently in the place to be searched.

The conclusion here is very clear, and very disturbing.  The privacy playing field is not level; and it’s a concern for citizens and companies alike.  If government entities want to access your email and communications on your computer in your house, they need to get a warrant, but if they want to access the same information stored remotely by a company like Google, Facebook or others, the standard is MUCH lower.  That’s not good for citizens, and it’s not good for the continued technological evolution towards “cloud computing,” and therefore it’s an impediment to innovation and economic growth.

Support for ECPA reform is extremely broad.  The Digital Due Process Coalition represents a diverse set of nearly 80 privacy advocates, major companies, industry trade associations, and think tanks working together to ensure that private electronic correspondence stored with an Internet company in the “cloud” receive the same protection afforded letters, photos and other private material stored in a drawer or filing cabinet, or on a computer at home.

As a result of this outpouring of support for ECPA reform, there was substantial progress in 2012.  As one of the final acts of the last Congress, Senate Judiciary Chairman Patrick Leahy (D-VT), the champion of legislation to reform ECPA in the last Congress, won approval of his proposal by the Committee in November.  In a nutshell, the law would require law enforcement officials to get a search warrant from a judge in order to obtain content from a communications service provider that holds private electronic messages, photos and other personal records, like Gmail or Facebook. This means having to show the court there is probable cause to believe that the sought-after records may reveal evidence of wronging.

While the clock ran out on the last Congress before the proposed ECPA fix could be enacted, Sen. Leahy has deemed this one of his top priorities for 2013, and House Judiciary Chairman Bob Goodlatte (R-VA) has indicated he will consider this issue this year, too.  So Congress has one clear privacy priority for 2013, and that’s to pass this long-overdue update to ECPA to level the playing field for online communications.

David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPubPolicy.

The book, available here, teaches high school students what they need to know about online reputation management, digital citizenship and cyberbullying. It describes the various privacy risks young people face online, and helps them take steps to protect themselves.

Data Privacy Day is an effort to empower people to protect their privacy and control their digital footprint. It is spearheaded by the National Cybersecurity Alliance and its partners.

Read more about Data Privacy Day and online privacy protection for teens.

Laura Greenback is Communications Director at SIIA. Follow the SIIA Public Policy team at @SIIAPolicy.

A key theme unifying the work of SIIA on behalf of its members is an increased focus on advancing the effective collection and positive use of data. It is essential that public policy recognizes that innovation and business strategies are increasingly driven by data. Importantly, data-driven innovation not only holds the promise of advancing economic opportunity and jobs, but of providing tremendous consumer and societal benefits.

With so much at stake, SIIA is committed to actively promoting the economic and social value of data-driven innovation. Our efforts will involve direct outreach to legislators, along with a White Paper that includes recommendations for policymakers and governments. Our goal is to make certain that public policy helps enable the tremendous societal and economic benefits of data-driven innovation.

With members in both technology and information services, SIIA is uniquely positioned to highlight and address the public policy issues that arise from the increased salience of data-driven innovation. We began to focus more strongly on this issue in 2012, and it will be an even more important part of our work in 2013.

SIIA also announced its general tech policy priorities for 2013, along with policy priorities in the areas of: intellectual property; public sector IT, and; education technology.

Technology Policy Priorities

• Promote and enable the economic and social value of data-driven innovation, including through a White Paper with recommendations for policymakers and governments.
• Actively support voluntary, enforceable codes of conduct to provide enhanced data privacy protections, and oppose legislative and regulatory proposals that lack the flexibility to accommodate rapid technological innovation.
• Promote policies around the world that facilitate cross-border data flows, and develop interoperable legal frameworks that help to advance global implementation of cloud computing.
• Promote critical cybersecurity policies, in the U.S. and around the world, that will help the public and private sectors work together to more effectively mitigate this threat, without stifling innovation.

Intellectual Property Priorities

• Protect the economic interests and creative rights of software and content publishers by responding as appropriate to the Supreme Court opinion in Kirtsaeng v. John Wiley & Sons Inc. and any other cases, policies or legislation relating to the copyright law’s first sale exception/exhaustion principle that may unduly limit their ability to license and control the distribution of their software and content products
• Encourage economic growth and innovation by working for further reform of the patent system to address the ongoing problem of patent trolls, including measures to restrict asymmetric discovery burdens.
• Monitor the ICANN’s domain name expansion process with the goal of enhancing and strengthening online transparency and accountability by working to ensure that domain name and IP address Whois databases remain publicly accessible, accurate, and reliable, as key tools to combat online infringement of copyrights and trademarks, and other fraudulent or criminal acts online.
• Actively monitor for, and act upon as necessary, hearings, legislative or regulatory copyright reform proposals in the United States and abroad, such as issues relating to orphan works, library exceptions and piracy, to ensure that they advance and do not adversely affect the copyright interests of SIIA members.
• Oppose changes to the CFAA that would unduly limit the ability of SIIA members to deter and prevent unauthorized access – and access that exceeds authorized access to databases, subscription services and cloud services.
• Ensure that any international treaty relating to copyright exceptions for the blind and visually impaired that may be adopted by WIPO includes adequate safeguards to protect the copyright interests of SIIA’s publishers.

Public Sector IT Priorities

• Encourage Administration IT initiatives for federal agencies to be more open, transparent and efficient, delivering better services to citizens, while reducing the overall cost of government. Information Technology has and will continue to play a role in the Federal government’s effort to deliver better services to citizens, while reducing the overall cost of government.
• Support a continuation of the effort to move agencies to cloud, consolidate the existing data center infrastructure and better leverage government data.
• Advocate for key administration initiatives that support the overall mission of the SIIA Public Sector Innovation Group including: Cloud First, Big Data, Data Center Consolidation, Digital Government/Mobile, and FedRAMP.
• Support reasonable reform of the Federal acquisition process, which needs to change to keep pace with the rapid pace of technology.
• Intervene to support member interest in the legislative consideration of the proposal by Chairman Daryl Issa to reform federal IT acquisition, which will serve as a basis for a broader discussion around the need to improve IT acquisition to keep pace with technology in 2013.

Ed Tech Priorities

• Seek increased investment in education technology and its integration into teaching and learning, including to personalize learning for each student.
• Reform outdated regulations in favor of 21st Century e-learning policies, especially the shift from seat-time to anytime, everywhere competency-based learning.
• Support education technology research and development through government-industry partnership, not government competition with the private sector.
• Support the value of the for-profit sector in providing education products and services to public schools, agencies and institutions.
• Encourage targeted STEM education, training and other workforce development policies to meet the economy’s needs for a skilled high-tech workforce.
• Actively translate public policies, programs and regulations into actionable market intelligence for SIIA members.

Ken Wasch is President of SIIA.

If there was one single over-arching takeaway for me, it was that there exists a very complex data ecosystem that includes consumers, businesses and governments, and it’s increasingly difficult to label entities for purposes of creating new laws and regulations. Following is a summary of key themes I took out of this briefing:

(1) There’s no broad agreement on the definition of “data broker.” The discussion did not include a clear articulation of what the lawmakers and regulators believe to be a data broker definition of exactly what is a “data broker,” which seems to be the key question before deciding on new policies. The best articulation was “an entity that collects data but which has no intersection w/ consumers directly.” While this may make sense on the surface, it quickly breaks-down when moving forward to craft rules for data brokers, because it clearly leaves open a wide range of entities that openly characterize themselves as brokers but also provide for direct interaction with consumers.

I wish we could put any discussion about new policies on hold until we can at least clearly know what we’re talking about as a “data broker.”

(2) It’s the “use” stupid. I was constantly reminded of the old refrain, “it’s the economy, stupid,” the now infamous phrase that explained ultimately why Bill Clinton would ultimately be elected President in 1992. If there is one thing that seems to enjoy broad agreement around data privacy, it’s that it is more important — and useful— to look at how a data is used, and the potential for harm, than it is to single out ill-defined entities and try to craft specific legal and regulatory roadmaps for their behavior. While, this was my takeaway and was surely shared by many other present at the briefing, it is the opposite of what leading lawmakers and regulators are thinking.

(3) The FTC will maintain a steady focus on “data brokers.” Regardless of the challenge in clearly defining data brokers, the FTC is sure they don’t like ‘em. As clearly articulated by Commissioners Leibowitz and Brill, the FTC will maintain a heavy focus on “data brokers” – as was a unanimous recommendation from the FTC’s Privacy Paper issued earlier this year. While they did recognize there are significant benefits provided by “data brokers,” they made the following pronouncements: (1) much more needs to be done on the transparency front, (2) industry needs to do more to articulate existing transparency mechanisms; and (3) the Commission is exploring “what can and should be done beyond merely enforcement” of existing laws.

(4) Reps. Markey and Barton will focus this conversation on children, then expand – As the bipartisan team leaders for increased privacy protection for consumers, Reps. Markey and Barton reiterated their commitment to continue moving forward with all deliberate speed in the next Congress, reintroducing their Do Not Track Kids Act (H.R. 1895) and promising to sign-on even more than the 45 cosponsors from the current bill. . While that is surely no surprise to anyone, they went further to effectively outline their strategy to use the conversation on children’s privacy, expand the current age qualification in COPPA, and use this as a gateway to adopting privacy laws more broadly beyond children.

(5) Transparency and industry leadership are key – Another theme that keeps coming up is the need for greater transparency and industry leadership in this area. Similar to the ongoing discussions regarding “mobile transparency,” industry can and will surely continue to improve practices in this area, or we’ll be building the case for regulators and legislators to step in.

His intervention is a welcome attempt to set the record straight before these erroneous beliefs become widespread and entrenched.  It was accompanied the release of State Department white paper that dispels the misconceptions about the U.S. legal system and government access to information.

The fact is that the U.S. has a well-developed and established system to protect individual liberties from government intrusion.  We have a general distrust of a powerful government and are suspicious of anything that advances the growth of government power.  Our bias is in favor of a limited government that lets people chose their own good in their own way.  As a result we are far less tolerant of government intrusion into our private lives than other countries, and have set up a system whereby the U.S. extends privacy protections to non-U.S. citizens as well.

At the same time, the U.S. is more tolerant of the use of information for innovative and productive use by businesses than other countries, to our great advantage in the race for economic growth, business development and job creation.  Our system of protecting the individual privacy in the business context shows that this can be done while maintaining strong and effective protections for consumer privacy. This system also respects the rights of non-U.S. consumers established in other privacy regimes.

None of this means that the U.S. system is perfect.  We think that steps can be taken to improve the consumer privacy system for mobile app notifications and are actively working with the U.S. Commerce Department and other stakeholders on a voluntary code of conduct and an effective system of screen notices.  We have joined with others in the Digital Due Process Coalition to modernize the 1986 U.S. Electronic Communications Privacy Act, which needs updating to fit the realities of email and document storage in the cloud.

But the need for these reforms does not suggest that the current U.S. system is a threat to privacy or justifies a move away from cloud computing as a way to avoid government scrutiny.  Ambassador Kennard is to be commended for his strong defense of the U.S. approach to privacy in the cloud.

Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow the SIIA Public Policy team on Twitter at @SIIAPolicy

As with all consumer privacy issues, users trust in mobile app privacy is absolutely critical.  Without consumer trust, demand stalls, innovations is stifled and neither businesses nor users interests are served.  Straight-up, a lack of trust is a lose-lose. However, multistakeholder discussions have been ongoing since June of this year, engaging a wide range of industry and civil society in an effort, led by the Department of Commerce NTIA, to develop a voluntary code of conduct for mobile app transparency in information collecting.

This flexible, consensus process is also better able to ensure that policies are not technology or platform specific.  That is, at a time of increasing convergence, where “applications” are seamlessly offered across a wide range of devices, fixed laws such as this would stifle technological evolution by creating a distinct privacy regime based on a specific type of device.

SIIA is very supportive of the effort and confident that it can succeed if given time.  Consumers and businesses are in this together, dependent on each other as this new mobile ecosystem continues to evolve.  With the right consensus-driven framework, mobile app privacy can be a win-win for users and businesses.

Rather than considering rigid legislative mandates on the mobile app industry, Congress should continue to explore how to support this industry.  The House Energy and Commerce Committee did just that earlier this year by holding a hearing focused on this innovative industry and how it can spur economic and job growth.

Recommendations are good.  Consumer self-help is good.  But the world is looking to us to show that self-regulation can work as a viable alternative to government mandates.  To allow the multistakeholder efforts on mobile transparency to falter now would confirm their belief that only the government can set the rules of the road in this area.  It is time for the industry to step up and make progress on setting its own rules of the road. If we don’t we have only ourselves to blame if state, national or international governments feel compelled to step in to protect the public.

David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy.

The key disagreement is an understanding of what the Do Not Track flag means and what actions users can expect from websites and service providers if they turn it on.  Without this, the Do Not Track standard is incompletely specified, and provides less than comprehensive guidance for browser providers, websites and their service providers, and the general public.

If the W3C cannot reach a common understanding, perhaps the industry can.  The Digital Advertising Alliance has been looking at this issue for some time.  Indeed, back in February it indicated to the White House that it was going to address it:

“…the DAA intends to begin work immediately with browser providers to develop the consistent language across browsers regarding the browser based header signal uniform consumer choice mechanism that is simple to use and in a clear manner that describes to consumers the effect of exercising such choice.”

Mozilla proposed an easy-to-understand focused definition of Do Not Track back at the beginning of 2011:  “Tracking is the accumulation and use of a profile by advertising networks through invisible or subtle noting of which sites an individual visits, and the use of the profile data to customize advertisements displayed.”  Or, more succinctly, DNT means “a way for people to opt-out of online behavioral advertising (OBA).”

These definitions make sense.  They focus on the issue that appears to be of most concern to the public and policymakers: cross-site tracking for the purpose of advertising profiling and targeting.  We need to give consumers another mechanism to say no to OBA if they wish.  Of course, the DAA definition should incorporate the current W3C consensus that DNT “on” imposes no obligation on first parties, except that first parties may not help third parties circumvent DNT.

Other uses of tracking should be permitted.  For example, if a website is doing standard analytics, such as keeping track of where their visitors come from and where they go, market research, product debugging and improvements, investigating possible fraud or intellectual property violations or security risks.

DAA is doing great work on OBA. Its AdChoices program already gives consumers a cookie-based mechanism to opt out of OBA.  With DNT, DAA can do the industry and the public a service by bridging the browser DNT flag with the existing AdChoices program.

Customers should be told clearly that they can decline online behavioral advertising and how to do it.  DAA is in a unique position to move forward and break the logjam that is threatening to derail the promising initiative that is DNT.

Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow the SIIA Public Policy team on Twitter at @SIIAPolicy

The FTC’s proposed COPPA rulemaking takes the effort to protect online privacy and turns it into a harmful barrier to American innovation. For years, we’ve worked closely with industry and government to advance online privacy and security. We’re confident that, with smart regulation and public-private cooperation, both the goal of protecting online privacy of children and the goal of business innovation can be served. Unfortunately, what we’re currently seeing from the FTC is an overly broad and unworkable regulatory framework for implementing COPPA.

To read SIIA’s full comments, please click here. In its comments, SIIA states:

“We are supportive of the goals of the Commission to protect children from third-party plug-ins, social networks and any other third party service that collects personal information.

“However, the inappropriately broad expansion of the statute’s definition of personal information, combined with the increasingly broad definitions of ‘operator’ and ‘web site or online service directed to children’… create a broad regulatory framework that dramatically exceeds the scope of COPPA and will most certainly stifle innovative Internet-based offerings-not just for sites and services directed at children under 13, but much more broadly.”

SIIA addresses six specific areas of concern:

1. Expansion of “Personal Information” to include persistent identifiers creates an unworkable regulatory construct.

2. Modification to the rule’s definition of “operator” is overly-broad, and it places an unworkable responsibility on operators of sites and services well beyond the scope of COPPA.

3. Proposal to make third parties qualify as “operators” under COPPA by creating a “reason to know” standards is an inappropriately broad expansion of the statute and impractical.

4. Requirement for operators of “child-friendly mixed audience sites” to take an affirmative step to attain actual knowledge of child users would inappropriately expand the scope of COPPA.

5. Application platforms should not be characterized as “operators” under COPPA, but the Revised NPRM leaves this unclear.

6. The broad regulatory construct proposed in the Revised NPRM is likely to challenge application of COPPA to Internet-based educational materials and services.

Ken Wasch is President of SIIA.

In June Microsoft disrupted the industry discussions about how to provide a workable mechanism to empower users to make choices about online privacy and personalization. It announced that it would turn on the Do Not Track (DNT for short) signal in Internet Explorer 10 by default. Mozilla, the maker of the competing browser, Firefox, was critical. SIIA objected. Advertisers announced that this decision ran counter to an agreement struck between the industry and the White House around opt-out as a genuine consumer choice.

Last week, Apache revealed that it will disable the DNT signals coming from Internet Explorer 10. Roy Fielding, an author of the DNT standard and principal scientist at Adobe Systems, wrote a patch for Apache that sets the Web server to disable DNT if the browser reaching it is Internet Explorer 10.

The message is that a unilateral action forced on users by one industry player is not a sustainable solution. We as an industry have to do it together, or not at all. If websites powered by Apache do not accept the IE10 DNT signal, it simply won’t reach critical mass. Consumers, mislead by industry announcements and superficial stories from the trade press, might think their browers are giving them privacy over personalization–but the reality will be very different.

The danger is that the collaborative effort that has been building toward real privacy protection collapses. As Peter Bight said in ArsTechnica in August,” …there’s a very real prospect that the Do Not Track header will be both widely used, and widely ignored. In this situation, it would be difficult to describe it as anything other than a failure.”

Do not track is at a crossroad. Now it is up to the industry to create a a simple, easy to use, consumer activated Do Not Track system that all parties can respect.

Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow the SIIA Public Policy team on Twitter at @SIIAPolicy