If there was one single over-arching takeaway for me, it was that there exists a very complex data ecosystem that includes consumers, businesses and governments, and it’s increasingly difficult to label entities for purposes of creating new laws and regulations. Following is a summary of key themes I took out of this briefing:

(1) There’s no broad agreement on the definition of “data broker.” The discussion did not include a clear articulation of what the lawmakers and regulators believe to be a data broker definition of exactly what is a “data broker,” which seems to be the key question before deciding on new policies. The best articulation was “an entity that collects data but which has no intersection w/ consumers directly.” While this may make sense on the surface, it quickly breaks-down when moving forward to craft rules for data brokers, because it clearly leaves open a wide range of entities that openly characterize themselves as brokers but also provide for direct interaction with consumers.

I wish we could put any discussion about new policies on hold until we can at least clearly know what we’re talking about as a “data broker.”

(2) It’s the “use” stupid. I was constantly reminded of the old refrain, “it’s the economy, stupid,” the now infamous phrase that explained ultimately why Bill Clinton would ultimately be elected President in 1992. If there is one thing that seems to enjoy broad agreement around data privacy, it’s that it is more important — and useful— to look at how a data is used, and the potential for harm, than it is to single out ill-defined entities and try to craft specific legal and regulatory roadmaps for their behavior. While, this was my takeaway and was surely shared by many other present at the briefing, it is the opposite of what leading lawmakers and regulators are thinking.

(3) The FTC will maintain a steady focus on “data brokers.” Regardless of the challenge in clearly defining data brokers, the FTC is sure they don’t like ‘em. As clearly articulated by Commissioners Leibowitz and Brill, the FTC will maintain a heavy focus on “data brokers” – as was a unanimous recommendation from the FTC’s Privacy Paper issued earlier this year. While they did recognize there are significant benefits provided by “data brokers,” they made the following pronouncements: (1) much more needs to be done on the transparency front, (2) industry needs to do more to articulate existing transparency mechanisms; and (3) the Commission is exploring “what can and should be done beyond merely enforcement” of existing laws.

(4) Reps. Markey and Barton will focus this conversation on children, then expand – As the bipartisan team leaders for increased privacy protection for consumers, Reps. Markey and Barton reiterated their commitment to continue moving forward with all deliberate speed in the next Congress, reintroducing their Do Not Track Kids Act (H.R. 1895) and promising to sign-on even more than the 45 cosponsors from the current bill. . While that is surely no surprise to anyone, they went further to effectively outline their strategy to use the conversation on children’s privacy, expand the current age qualification in COPPA, and use this as a gateway to adopting privacy laws more broadly beyond children.

(5) Transparency and industry leadership are key – Another theme that keeps coming up is the need for greater transparency and industry leadership in this area. Similar to the ongoing discussions regarding “mobile transparency,” industry can and will surely continue to improve practices in this area, or we’ll be building the case for regulators and legislators to step in.

His intervention is a welcome attempt to set the record straight before these erroneous beliefs become widespread and entrenched.  It was accompanied the release of State Department white paper that dispels the misconceptions about the U.S. legal system and government access to information.

The fact is that the U.S. has a well-developed and established system to protect individual liberties from government intrusion.  We have a general distrust of a powerful government and are suspicious of anything that advances the growth of government power.  Our bias is in favor of a limited government that lets people chose their own good in their own way.  As a result we are far less tolerant of government intrusion into our private lives than other countries, and have set up a system whereby the U.S. extends privacy protections to non-U.S. citizens as well.

At the same time, the U.S. is more tolerant of the use of information for innovative and productive use by businesses than other countries, to our great advantage in the race for economic growth, business development and job creation.  Our system of protecting the individual privacy in the business context shows that this can be done while maintaining strong and effective protections for consumer privacy. This system also respects the rights of non-U.S. consumers established in other privacy regimes.

None of this means that the U.S. system is perfect.  We think that steps can be taken to improve the consumer privacy system for mobile app notifications and are actively working with the U.S. Commerce Department and other stakeholders on a voluntary code of conduct and an effective system of screen notices.  We have joined with others in the Digital Due Process Coalition to modernize the 1986 U.S. Electronic Communications Privacy Act, which needs updating to fit the realities of email and document storage in the cloud.

But the need for these reforms does not suggest that the current U.S. system is a threat to privacy or justifies a move away from cloud computing as a way to avoid government scrutiny.  Ambassador Kennard is to be commended for his strong defense of the U.S. approach to privacy in the cloud.

Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow the SIIA Public Policy team on Twitter at @SIIAPolicy

As with all consumer privacy issues, users trust in mobile app privacy is absolutely critical.  Without consumer trust, demand stalls, innovations is stifled and neither businesses nor users interests are served.  Straight-up, a lack of trust is a lose-lose. However, multistakeholder discussions have been ongoing since June of this year, engaging a wide range of industry and civil society in an effort, led by the Department of Commerce NTIA, to develop a voluntary code of conduct for mobile app transparency in information collecting.

This flexible, consensus process is also better able to ensure that policies are not technology or platform specific.  That is, at a time of increasing convergence, where “applications” are seamlessly offered across a wide range of devices, fixed laws such as this would stifle technological evolution by creating a distinct privacy regime based on a specific type of device.

SIIA is very supportive of the effort and confident that it can succeed if given time.  Consumers and businesses are in this together, dependent on each other as this new mobile ecosystem continues to evolve.  With the right consensus-driven framework, mobile app privacy can be a win-win for users and businesses.

Rather than considering rigid legislative mandates on the mobile app industry, Congress should continue to explore how to support this industry.  The House Energy and Commerce Committee did just that earlier this year by holding a hearing focused on this innovative industry and how it can spur economic and job growth.

Recommendations are good.  Consumer self-help is good.  But the world is looking to us to show that self-regulation can work as a viable alternative to government mandates.  To allow the multistakeholder efforts on mobile transparency to falter now would confirm their belief that only the government can set the rules of the road in this area.  It is time for the industry to step up and make progress on setting its own rules of the road. If we don’t we have only ourselves to blame if state, national or international governments feel compelled to step in to protect the public.

David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy.

The key disagreement is an understanding of what the Do Not Track flag means and what actions users can expect from websites and service providers if they turn it on.  Without this, the Do Not Track standard is incompletely specified, and provides less than comprehensive guidance for browser providers, websites and their service providers, and the general public.

If the W3C cannot reach a common understanding, perhaps the industry can.  The Digital Advertising Alliance has been looking at this issue for some time.  Indeed, back in February it indicated to the White House that it was going to address it:

“…the DAA intends to begin work immediately with browser providers to develop the consistent language across browsers regarding the browser based header signal uniform consumer choice mechanism that is simple to use and in a clear manner that describes to consumers the effect of exercising such choice.”

Mozilla proposed an easy-to-understand focused definition of Do Not Track back at the beginning of 2011:  “Tracking is the accumulation and use of a profile by advertising networks through invisible or subtle noting of which sites an individual visits, and the use of the profile data to customize advertisements displayed.”  Or, more succinctly, DNT means “a way for people to opt-out of online behavioral advertising (OBA).”

These definitions make sense.  They focus on the issue that appears to be of most concern to the public and policymakers: cross-site tracking for the purpose of advertising profiling and targeting.  We need to give consumers another mechanism to say no to OBA if they wish.  Of course, the DAA definition should incorporate the current W3C consensus that DNT “on” imposes no obligation on first parties, except that first parties may not help third parties circumvent DNT.

Other uses of tracking should be permitted.  For example, if a website is doing standard analytics, such as keeping track of where their visitors come from and where they go, market research, product debugging and improvements, investigating possible fraud or intellectual property violations or security risks.

DAA is doing great work on OBA. Its AdChoices program already gives consumers a cookie-based mechanism to opt out of OBA.  With DNT, DAA can do the industry and the public a service by bridging the browser DNT flag with the existing AdChoices program.

Customers should be told clearly that they can decline online behavioral advertising and how to do it.  DAA is in a unique position to move forward and break the logjam that is threatening to derail the promising initiative that is DNT.

Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow the SIIA Public Policy team on Twitter at @SIIAPolicy

The FTC’s proposed COPPA rulemaking takes the effort to protect online privacy and turns it into a harmful barrier to American innovation. For years, we’ve worked closely with industry and government to advance online privacy and security. We’re confident that, with smart regulation and public-private cooperation, both the goal of protecting online privacy of children and the goal of business innovation can be served. Unfortunately, what we’re currently seeing from the FTC is an overly broad and unworkable regulatory framework for implementing COPPA.

To read SIIA’s full comments, please click here. In its comments, SIIA states:

“We are supportive of the goals of the Commission to protect children from third-party plug-ins, social networks and any other third party service that collects personal information.

“However, the inappropriately broad expansion of the statute’s definition of personal information, combined with the increasingly broad definitions of ‘operator’ and ‘web site or online service directed to children’… create a broad regulatory framework that dramatically exceeds the scope of COPPA and will most certainly stifle innovative Internet-based offerings-not just for sites and services directed at children under 13, but much more broadly.”

SIIA addresses six specific areas of concern:

1. Expansion of “Personal Information” to include persistent identifiers creates an unworkable regulatory construct.

2. Modification to the rule’s definition of “operator” is overly-broad, and it places an unworkable responsibility on operators of sites and services well beyond the scope of COPPA.

3. Proposal to make third parties qualify as “operators” under COPPA by creating a “reason to know” standards is an inappropriately broad expansion of the statute and impractical.

4. Requirement for operators of “child-friendly mixed audience sites” to take an affirmative step to attain actual knowledge of child users would inappropriately expand the scope of COPPA.

5. Application platforms should not be characterized as “operators” under COPPA, but the Revised NPRM leaves this unclear.

6. The broad regulatory construct proposed in the Revised NPRM is likely to challenge application of COPPA to Internet-based educational materials and services.

Ken Wasch is President of SIIA.

In June Microsoft disrupted the industry discussions about how to provide a workable mechanism to empower users to make choices about online privacy and personalization. It announced that it would turn on the Do Not Track (DNT for short) signal in Internet Explorer 10 by default. Mozilla, the maker of the competing browser, Firefox, was critical. SIIA objected. Advertisers announced that this decision ran counter to an agreement struck between the industry and the White House around opt-out as a genuine consumer choice.

Last week, Apache revealed that it will disable the DNT signals coming from Internet Explorer 10. Roy Fielding, an author of the DNT standard and principal scientist at Adobe Systems, wrote a patch for Apache that sets the Web server to disable DNT if the browser reaching it is Internet Explorer 10.

The message is that a unilateral action forced on users by one industry player is not a sustainable solution. We as an industry have to do it together, or not at all. If websites powered by Apache do not accept the IE10 DNT signal, it simply won’t reach critical mass. Consumers, mislead by industry announcements and superficial stories from the trade press, might think their browers are giving them privacy over personalization–but the reality will be very different.

The danger is that the collaborative effort that has been building toward real privacy protection collapses. As Peter Bight said in ArsTechnica in August,” …there’s a very real prospect that the Do Not Track header will be both widely used, and widely ignored. In this situation, it would be difficult to describe it as anything other than a failure.”

Do not track is at a crossroad. Now it is up to the industry to create a a simple, easy to use, consumer activated Do Not Track system that all parties can respect.

Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow the SIIA Public Policy team on Twitter at @SIIAPolicy

And what a loss that would be for such a dynamic, growing industry. According to a recent study, there were over 44,000 app-related positions open in the U.S. in the last quarter of 2011, and overall, there were 45 percent more open app positions than in the previous year. Based on this number, the study found the app economy firms represented 311,000 jobs. Using a standard multiplier, this number grew to nearly a half a million jobs created by the app economy in both direct and indirect jobs since 2007.

Rather than overregulating an industry that holds such potential for economic growth, Congress should be following the House Energy and Commerce Committee’s lead in supporting the industry. The Committee is holding a hearing today focused on apps and where the jobs are.

So if legislation isn’t the answer, what should be done?  Over the summer, the National Telecommunications and Information Administration (NTIA) launched an effort to nudge stakeholders into adopting codes of conduct for mobile transparency.  SIIA was supportive of this effort and remains so.  But after several meetings it appears that things may be starting to drift. Some scheduled meetings have been postponed. Fortunately, discussions between various industry stakeholders, as well as discussion between industry and consumer watchdogs, are ongoing.

The industry needs to get the substantive mobile transparency discussion moving again, if not through NTIA action then separately.

It’s also important to remember that consumers are not passive victims.  If they think they are being abused, they have a healthy capacity for self-defense. As the New York Times wrote last week “many consumers seem to be already taking steps to guard their personal information from data-grabbing apps. A study by the Pew Research Center, released Wednesday, found that among Americans adults who use smartphone apps, half had decided not to install applications on their mobile phones because they demanded too much personal information. Nearly a third uninstalled an application after learning that it was collecting personal information “they didn’t wish to share.” And one in five turned off location tracking “because they were concerned that other individuals or companies could access that information.”

This is good.  In the absence of government mandates, and industry codes of conduct, consumers are doing some sensible things to protect themselves.  But the lack of consumer trust is troubling and can only inhibit growth in the market.  If consumers just say no, the whole industry suffers.

The FTC is trying to help with some guidance.  Last week it published its recommendations for mobile application developers, suggesting that companies seek “express agreement” for consumer data they collect and share.  Nothing is binding on companies, however, and there is no indication that these recommendations are forming the core of industry codes of conduct or best practice.

Recommendations are good.  Consumer self-help is good.  But the world is looking to us to show that self-regulation can work as a viable alternative to government mandates.  To allow the multi-stakeholder efforts on mobile transparency to falter now would confirm their belief that only the government can set the rules of the road in this area.  It is time for the industry to step up and make progress on setting its own rules of the road.

Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow the SIIA Public Policy team on Twitter at @SIIAPolicy

The IT ecosystem is evolving at unprecedented speed, and data is becoming a driver of economic and social growth. Cloud computing, the ubiquity of smartphones, and improved bandwidth are fueling a new era of data-driven innovation, Wasch says.

“A range of previously unimaginable applications of data-driven innovation are already being produced — or will be in the near future. These innovations are making people’s lives better and safer and more prosperous, while also increasing energy efficiency and saving money.”

Wasch’s sentiment echoes a forum hosted earlier this month by the National Institute of Standards and Technology and the University of Maryland. Attendees like Google, the National Institutes of Health, and Lockheed Martin came together to discuss the ways data can help address a range of national priorities. The opportunities are vast.

“Right now, hospitals are providing better care by analyzing data about the triage process and using that information to eliminate wasteful steps that prevent patients from getting to the doctor quickly. Traffic-management centers are processing millions of cellphone and GPS signals, combining them with a wide range of other data about car speeds, weather conditions and more to assess road conditions in real time and avoid traffic jams. And financial services companies can collect and integrate customer transaction information in real time to quickly identify questionable patterns and proactively enact new processing rules to reduce fraud.”

But if this technological and economic evolution is to truly take hold, it needs support from policymakers who can ensure that the conversation stays focused on how to best benefit customers and the economy at large. A fixed regulatory approach would only stifle innovation and hurt consumers. If industry and policymakers can work together, we can safeguard consumers and unleash data’s enormous potential for transformative growth.

Laura Greenback is Communications Director at SIIA. Follow the SIIA Public Policy Team at @SIIAPolicy

Today’s announcement marks the beginning of a multistakeholder process that can contribute significantly to the continuation of interoperable data privacy regimes, including the European Union’s proposed data protection regulations.

SIIA concurs with the Department of Commerce that voluntary, enforceable codes of conduct are the appropriate approach for data privacy protections because they develop faster and provide more flexibility than legislation or regulation.

Continued growth and innovation in the vibrant mobile marketplace depends on consumer confidence in the privacy protections provided by mobile application providers. For this reason, SIIA has been actively working to develop best practices that can help protect personal information while encouraging continued growth and innovation in the mobile marketplace.

In establishing this first multistakeholder process, NTIA was wise to focus on a definable area where stakeholders have begun to collaborate to develop practices, and we look forward to actively participating on behalf of our members and the industry broadly.

View comments SIIA made to NTIA in April here.

Ken Wasch is President of SIIA.

Why is there such agreement on this topic? Well, that’s because customers, businesses and policymakers alike also broadly recognize the need to preserve the economic model that has been propelling the availability of content online: effective advertising. Indeed, targeted advertising is more effective and generates substantially more value that, in turn, provides for much of the valuable content provided on the Web.

In light of the broad consensus emerging around behavioral advertising and consumer choice, it was surprising that Microsoft announced yesterday that Internet Explorer 10 in Windows 8 will have “Do Not Track” (DNT) feature on by default—a move that defies the objective to enable users to make informed decisions.

But of even greater concern, Microsoft’s decision is likely to have the opposite effect. That is, in light of the fact that there is not yet consensus among the advertising industry (including among Microsoft’s own ad networks) on how to implement settings such as this, the end result will be confusion and disappointment from consumers when this ultimately doesn’t do what it says it will do. The Microsoft blog announcing the decision was clear in admitting that a uniform, industry-wide response is still under development:

“Sending a DNT signal from a browser is only part of the process. Obviously, for DNT to be effective, it is also important that websites have a common understanding of what the consumer expects when their browser sends the DNT signal. As well as engineering the world’s most used browser, Microsoft also owns and manages a growing advertising business – including a network that provides advertising to our own and other Web properties, so we have a unique perspective into this discussion.

At the moment there is not yet an agreed definition of how to respond to a DNT signal, and we know that a uniform, industry-wide response will be the best way to provide a consistent consumer experience across the Web.”

Fortunately, in response to Microsoft’s recent decision, Mozilla announced that the user’s choice is absolutely critical on this issue, and they confirmed that it will not set the “Do Not Track” feature in its Firefox browser to turn on by default. As articulated by Mozilla:

“DNT is intended to express an individual’s choice, or preference, to not be tracked. It’s important that the signal represents a choice made by the person behind the keyboard and not the software maker, because ultimately it’s not the browser being tracked, it’s the user.”

Amen, this also reflects the consensus that has emerged within the W3C Tracking Protection that “[k]ey to that notion of expression is that it must reflect the user’s preference, not the preference of some institutional or network-imposed mechanism outside the user’s control.”

So, again, there’s broad consensus on user choice and preference. Hopefully Microsoft will come to recognize this and continue to support the consensus effort.

David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy.