This new Internet-enabled environment, often referred to as the “Internet of Things,” presents tremendous economic and social value, and is capable of transforming the way we work, communicate, learn and live our lives. Consumers, citizens and society as a whole stand to benefit greatly from innovative uses of data to improve health outcomes, streamlining and enhancing financial services, enhancing education and learning, and improving and maximizing our physical infrastructure.

SIIA proposes the following five recommendations for policymakers to maximize the beneficial outcomes of the Internet of Things:

1. Policymakers should promote technology neutrality and avoid technology mandates.
2. De-identification often provides an opportunity way to balance the needs of DDI and privacy protection.
3. Uniform rules cannot be applied broadly to the role of notice and choice.
4. The principle of data minimization should be re-interpreted.
5. The Internet of Things requires a policy framework that provides for an evolving view of privacy rights based on risk and societal benefits.

I will participate in a panel discussion at the National Press Club today about building trust and confidence with regard to the Internet of Things.  The 2013 M2M & Internet of Things Global Summit, hosted by Forum Europe, will take place in Washington DC today and tomorrow.

David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPubPolicy.

In a letter to Senate and House Judiciary Committee leaders, SIIA joined dozens of tech companies and civil rights and technology groups in support of Sen. Al Franken’s (D-MN) Surveillance Transparency Act of 2013, and Rep. Zoe Lofgren’s (D-CA)Surveillance Order Reporting Act of 2013. The bills would clarify that companies have the right to publish basic statistics about government demands for user data that they receive.

The letter states:

“Such transparency is important not only for the American people, who are entitled to have an informed public debate about the appropriateness of that surveillance, but also for international users of U.S.-based service providers who are concerned about privacy and security.”

David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPubPolicy.

Market Backlash: Studies and surveys have suggested a possible backlash against cloud providers and technology companies generally.  Here’s a summary of some of them:

• CSA Survey: In July a survey from the Cloud Security Alliance reported  that  “10% of 207 officials at non-U.S. companies have canceled contracts with U.S. service providers following the revelation of the NSA spy program last month…the survey also found that 56% of non-U.S. respondents are now hesitant to work with any U.S.-based cloud service providers.”
• ITIF Study: By comparing projected growth of US cloud computing sales with a variety of hypothetical sales losses, ITIF suggests that US cloud companies could miss out on as much as $35 billion in additional overseas sales over the next three years.
• Forrester Study: Forrester thinks the potential impact could be as high as $180 billion by 2016, taking into account the reactions of U.S. and non-US companies, the impact on non-US cloud providers and the effects on the rest of the hosting and outsourcing market.

Repercussions for Tech: The NSA revelations continue to have larger repercussions for tech companies in the form of localization requirements and new challenges to the multi-stakeholder form of Internet governance.  Here are updates on several of these challenges:

• Brazil’s controversial new internet plans, calling for server and data localization, a local encrypted email service and a separate transatlantic cable connection to Europe that bypasses the US.
• UN General Assembly Address: After canceling a US state visit over NSA spying, Brazil’s Dilma Rousseff issued an announcement called the interception of Brazilian communications “illegal” and said such a “grave fact” was an “assault” on sovereignty and “incompatible with a democratic coexistence between friendly countries.”  She then delivered the opening speech at the UN General Assembly today, rejecting U.S. government surveillance programs as inconsistent with human rights and a violation of national sovereignty, and calling for “multilateral mechanisms for the worldwide network that are capable of ensuring principles such as:

1. Freedom of expression, privacy of the individual and respect for human rights.
2. Open, multilateral and democratic governance, carried out with transparency by stimulating collective creativity and the participation of society, Governments and the private sector
3. Universality that ensures the social and human development and the construction of inclusive and non-discriminatory societies
4. Cultural diversity, without the imposition of beliefs, customs and values.
5. Neutrality of the network, guided only by technical and ethical criteria, rendering it inadmissible to restrict it for political, commercial, religious or any other purposes.

She concludes: “Harnessing the full potential of the Internet requires, therefore, responsible regulation, which ensures at the same time freedom of expression, security and respect for human rights.”

Civil Society Calls for Principles: International civil society groups have issued a call for government surveillance principles consistent with human rights.

EU Response: Viviane Reding’s address in Brussels last week held up the Data Protection regulation as the EU’s response to the fear of US government surveillance, explicitly took privacy issues off the table for discussion in TTIP, and suggested the formation of an EU-area cloud that would compete globally on the basis of better privacy rules and streamlined government regulation.

Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow Mark on Twitter at @Mark_MacCarthy

SIIA welcomes this development.  Internet users, the industry, and policymakers here and around the world are looking for a workable standard to address Tracking Protection that can be easily and effectively implemented.  All parties share the goal of creating an effective framework to enable users to express their tracking preferences in a transparent and meaningful fashion with the understanding that these preferences will be respected by the relevant Internet participants. The continuation of this W3C process and the momentum created by the naming of additional co-chairs provide the opportunity to adopt a workable standard that is broadly acceptable to all stakeholders.

Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow Mark on Twitter at @Mark_MacCarthy

“In the commercial space, the Safe Harbor Framework facilitates the FTC’s ability to protect the privacy of EU consumers. Without the Safe Harbor, my job to protect EU consumers’ privacy, where appropriate, would be much harder. In an era where we face many threats to privacy, Safe Harbor has been an effective solution, not the problem.”

In the face of so many challenges to the Safe Harbor Framework coming from European public officials, this speech from a prominent U.S. consumer protection official is a crucial reminder of the importance of this cross-border framework for international privacy protection.

Her remarks are also notable for the clear distinction she makes between government surveillance and commercial privacy:

“The issue of the proper scope of government surveillance is a conversation that should happen – and will happen – on both sides of the Atlantic. But it is a conversation that should proceed outside out of the commercial privacy context.”

As I’ve noted in previous blogs, the conflation of the two is damaging to both the need to protect citizens from intrusive government surveillance and in finding the right sort of fair information practices that provides for commercial enterprise, innovation and the preservation of consumer privacy.  Commissioner Brill is exactly right when she insists on keeping these issues separate.

Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow Mark on Twitter at @Mark_MacCarthy

He started in the right place with a ringing endorsement of the progressive use of big data as a tool for economic and social improvement.  He referred favorably to “breakthroughs in medical research from aggregated health care records that can produce information far more robust than the limited populations of medical trials,” and cited a recent example:    

“The drug Herceptin was developed through identification of the HER-2 oncogene from records of 9,000 breast cancer patients. IBM is working with hospitals and the IBM-WATSON natural language system to collect anonymized medical records in ways that protect privacy and analyze unstructured data applying the power of new analytic technologies across many different text-based medical records previously unintelligible to computers.”

As SIIA noted in a recent whitepaper, the seamless flow of data across borders is important to the growth of data-driven innovation and the global economy. Kerry underscored the economic importance of cross-border data flow:

 “Trans-border trade – and especially transatlantic trade – now relies on the continued open flow of data, and cutting off these flows would cause significant and immediate economic damage. Moreover, it would lead to loss of competitiveness on both sides as other economies around the world that embrace open Internet architectures and freedom to experiment with data analytics offer havens for innovators. Our economic future is at stake in our international engagement.”

Then he noted the importance to transatlantic trade of the Safe Harbor arrangement that has governed transfers of information from the European Union to the United States for well over a decade. He warned of the dangers a weakening of this framework would pose to transatlantic trade:

“Today, more than 4,000 companies have subscribed to the Safe Harbor Framework. Many of these are U.S. subsidiaries of EU companies that also rely on the framework…Safe Harbor is a fundamental building block of the trade relationship between the United States and Europe…Any step back from Safe Harbor would send the trading relationship between the U.S. and the EU backward.”

This worry about a threat to the Safe Harbor Framework is not idle. On July 19, 2013 Viviane Reding, European Commission Vice President, issued a statement  saying, “The Safe Harbour agreement may not be so safe after all.” On July 24, 2013, a statement from the Conference of German Data Protection Commissioners indicated that it would examine whether transatlantic data transfers “should be suspended on the basis of the Safe Harbour framework.” 

The basis for this threat to the Safe Harbor in both cases is the NSA revelations regarding government surveillance–but this is mixing up apples and oranges.

The EU Data Protection Directive and the Safe Harbor both provide an exception for national security purposes.  In the US and EU regime, the law, regulation, and policy considerations that relate to protecting consumer privacy in a commercial context are completely different from the law and policy and constitutional considerations that govern government surveillance. 

Moreover, putting onerous burdens on the commercial transfer of information as a backdoor way to control government surveillance is self-defeating and counterproductive.  It distracts from real measures that might protect citizens from overly intrusive government surveillance and it puts an unnecessary burden on commerce that is not justified by the need to preserve and protect consumer privacy in a commercial context.

Kerry’s remarks yesterday show he grasps these issues clearly.  It might have been his last public statement before leaving his current post at the Commerce Department, but it sets a promising roadmap for Obama administration policy in this area.

Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow the SIIA Public Policy team on Twitter at @Mark_MacCarthy

The code of conduct will make privacy policies for mobile apps simpler and easier to understand. Ken says:

“[We] live in a world where privacy policies are long and complex; they are documents written by lawyers for lawyers.  The new Code, which will lead to clearer, simpler notices, represents a fundamental shift in the paradigm of privacy transparency.”

The companies that sign on to the code will help their users make informed decisions about which apps they want to use by:

• Providing a list of key data elements collected by apps
• Offering a notice about relevant third party sharing

These enhanced privacy tools will be a selling point for companies competing in the mobile app arena. Beyond that, they are an important step toward a win-win approach to privacy protection that protects consumers while leaving room for new ideas and apps. The code of conduct shows we can move forward on privacy protection without burdensome, costly regulation that stifles innovative growth.

Laura Greenback is Communications Director at SIIA. Follow the SIIA Public Policy Team at @SIIAPolicy

Importantly for SIIA members, it is one that poses the following serious business challenges:  (1) enhanced privacy concerns among customers around the world, (2) policymakers around the world seeking to restrict the cross-border flow of data and enact technology localization requirements, and (3) conflation of private sector data collection with government surveillance as an inseparable public-private partnership that necessitates strict new commercial privacy legislation or regulations—FTC Commission Julie Brill has recently made this connection in an op-ed, which has also come from influential thought-leaders such as former White House Chief of Staff John Podesta.

As a preliminary assessment, the Information Technology Innovation Foundation (ITIF) estimates that the U.S. cloud computing industry alone could lose up to $35 billion over the next three years if foreign customers decide the risks of storing data with a U.S. company outweigh the benefits.

SIIA has been very engaged in policy debates surrounding this issue for several months, and we expect to remain highly engaged to combat these challenges for months to come.  Recently, SIIA President Ken Wash was invited to a meeting at the White House in early August, which was one of several consultations leading up to the President’s call for reforms to NSA programs on August 9.

As a follow-up to the discussion with Administration officials and the SIIA this week joined with other leading technology trade associations in sending a letter to Administration officials urging that discussions about national security must be kept separate from conversations about commercial privacy issues, as the policy considerations in these two areas are distinct. In the letter, SIIA and industry partner organizations made the following recommendations for action that are likely to frame our priorities for the remainder of 2013:

1. Implement transparency with respect to national security programs – in order to separate fact from fiction regarding the intersection of private sector IT companies and the U.S. Government, it is critical that the Administration enhance transparency and enable companies to share information publicly about the scope and frequency of Government inquiries;
2. Promote policies that allow for unimpeded cross-border data flows such as the U.S.-EU Safe Harbor Framework – We are already seeing that longstanding and effective cross-border data mechanisms are being questioned in light of the recent disclosures about the U.S. government surveillance programs. For instance, recent statements by government officials in the EU indicate a lack of “trust” in the U.S.-EU Safe Harbor framework, which allows for the transfer of information from the EU to the U.S. for participating companies. This is one of many critical policies that facilitate digital trade for U.S. companies, and it is critical that U.S. government must vigorously engage with the international community to promote cross-border data flows while addressing privacy and civil liberties concerns; and
3. Support reforming the Electronic Communications Privacy Act (ECPA) to enhance privacy in law enforcement investigations – SIIA has been a leading supporter of ECPA, seeking to update the outdated statue by correcting the double-standard that inappropriately provides for a lower level of privacy for communications stored remotely, or “in the cloud.” Currently, the law provides for a challenging legal environment for industry and a disincentive for customers to embrace hosted information and communications technology solutions as an alternative to on-premise solutions.

SIIA believes that these are critical steps to ensuring that concerns about U.S. Government surveillance do not impose an unnecessary impediment to U.S. information technology businesses.  We are also closely monitoring a range of proposals in Congress that would seek to enhance transparency surrounding U.S. Government surveilance.  The  Surveillance Transparency Act of 2013 (S.1452) was introduced by Senator Al Franken on August 1^st, 2013, and the Surveillance Order Reporting Act of 2013 (H.R.3035) was introduced by Congresswoman Zoe Lofgren on August 2^nd, 2013.  SIIA has not endorsed any bill at this point, but the Lofgren-Franken approach goes in the right direction by allowing companies to reveal how many national security requests they have received, how many they have complied with and how many users or accounts are affected.

We will continue to focus heavily on this critical issue to promote the ability of U.S. businesses to thrive in the U.S. and markets around the world.  To that end, we will provide further updates regarding new developments.

David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPubPolicy.

With the passage of this Code of Conduct, consumers will have more information about how their data is being used by mobile apps, and a greater ability to protect their privacy.

We don’t agree completely with all of the elements of the code, and we will continue to work to ensure that companies have substantial flexibility in providing privacy notices.  However, this Code of Conduct empowers consumers and provides an important roadmap for developers to create ‘short form’ privacy notices for consumer apps. We look forward to working with our members and the industry to encourage implementation of the guidelines set out by this Code of Conduct.

In a time of rapidly evolving technology, industry self-regulation is the most effective way to maintain the right balance between consumer confidence and continued innovation.  Without collaborative, voluntary efforts such as this mobile privacy code, we risk heavy-handed legislation or government regulation that would harm tech innovation, job creation and economic progress.

SIIA continues to strongly support the Obama Administration’s commitment to creating voluntary privacy codes of conduct through multistakeholder collaboration, and we look forward to engaging in future initiatives to this end.

Ken Wasch is President of SIIA. Follow the SIIA Software team on twitter at @SIIASoftware.

Software and apps are now rapidly evolving as new services are offered seamlessly across our devices and appliances. As we recently identified in our white paper on “Data Driven Innovation,” the new Internet-enabled IT ecosystem has unleashed tremendous opportunities for economic growth and social innovation.

First and foremost, SIIA urged the Commission to promote technology neutral policies and avoid technology mandates.  For example, given the range of devices that lead to the collection and utilization of data, it is impractical and ineffective to create policies based solely on a specific type of device, or an arbitrary characteristic of a device, like whether it is mobile like a smartphone or automobile sensor, or whether it is stationary, such as a computer or a refrigerator. While it might seem practical to target specific devices or platforms, this approach is likely to become dated within a matter of months or years due to the rapid evolution of IT.

With respect to privacy, SIIA urged the FTC to support a policy framework that provides for an evolving view of privacy rights based on risk and societal benefits, re-assess long standing principles such as data minimization and encourage de-identification without creating broad mandates to that end.   Read the full comments here.

David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPubPolicy.