Serious Business Challenges Posed by NSA Surveillance Revelations

Recent revelations about the National Security Agency’s (NSA) surveillance efforts have clearly changed the privacy landscape for the remainder of 2013, if not much longer. This is a complex policy issue with very broad implications.

Importantly for SIIA members, it is one that poses the following serious business challenges: (1) enhanced privacy concerns among customers around the world, (2) policymakers around the world seeking to restrict the cross-border flow of data and enact technology localization requirements, and (3) conflation of private sector data collection with government surveillance as an inseparable public-private partnership that necessitates strict new commercial privacy legislation or regulations. FTC Commissioner Julie Brill has recently made this connection in an op-ed, and it has also come from influential thought leaders such as former White House Chief of Staff John Podesta.

As a preliminary assessment, the Information Technology Innovation Foundation (ITIF) estimates that the U.S. cloud computing industry alone could lose up to $35 billion over the next three years if foreign customers decide the risks of storing data with a U.S. company outweigh the benefits.

SIIA has been very engaged in policy debates surrounding this issue for several months, and we expect to remain highly engaged to combat these challenges for months to come. Recently, SIIA President Ken Wasch was invited to a meeting at the White House in early August, which was one of several consultations leading up to the President’s call for reforms to NSA programs on August 9.

As a follow-up to the discussion with Administration officials, SIIA this week joined with other leading technology trade associations in sending a letter to Administration officials urging that discussions about national security be kept separate from conversations about commercial privacy issues, as the policy considerations in these two areas are distinct. In the letter, SIIA and industry partner organizations made the following recommendations for action that are likely to frame our priorities for the remainder of 2013:

  1. Implement transparency with respect to national security programs – in order to separate fact from fiction regarding the intersection of private sector IT companies and the U.S. Government, it is critical that the Administration enhance transparency and enable companies to share information publicly about the scope and frequency of Government inquiries;
  2. Promote policies that allow for unimpeded cross-border data flows such as the U.S.-EU Safe Harbor Framework – We are already seeing that longstanding and effective cross-border data mechanisms are being questioned in light of the recent disclosures about U.S. government surveillance programs. For instance, recent statements by government officials in the EU indicate a lack of “trust” in the U.S.-EU Safe Harbor framework, which allows for the transfer of information from the EU to the U.S. for participating companies. This is one of many critical policies that facilitate digital trade for U.S. companies, and it is critical that the U.S. government vigorously engage with the international community to promote cross-border data flows while addressing privacy and civil liberties concerns; and
  3. Support reforming the Electronic Communications Privacy Act (ECPA) to enhance privacy in law enforcement investigations – SIIA has been a leading supporter of ECPA reform, seeking to update the outdated statute by correcting the double standard that inappropriately provides for a lower level of privacy for communications stored remotely, or “in the cloud.” Currently, the law provides for a challenging legal environment for industry and a disincentive for customers to embrace hosted information and communications technology solutions as an alternative to on-premise solutions.

SIIA believes that these are critical steps to ensuring that concerns about U.S. Government surveillance do not impose an unnecessary impediment to U.S. information technology businesses. We are also closely monitoring a range of proposals in Congress that would seek to enhance transparency surrounding U.S. Government surveillance. The Surveillance Transparency Act of 2013 (S.1452) was introduced by Senator Al Franken on August 1st, 2013, and the Surveillance Order Reporting Act of 2013 (H.R.3035) was introduced by Congresswoman Zoe Lofgren on August 2nd, 2013. SIIA has not endorsed any bill at this point, but the Lofgren-Franken approach goes in the right direction by allowing companies to reveal how many national security requests they have received, how many they have complied with and how many users or accounts are affected.

We will continue to focus heavily on this critical issue to promote the ability of U.S. businesses to thrive in the U.S. and markets around the world.  To that end, we will provide further updates regarding new developments.


David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPubPolicy.

SIIA Supports Mobile App Code of Conduct

SIIA today voted in favor of the Short Form Notice Code of Conduct developed as part of the U.S. Department of Commerce’s Privacy Multi-stakeholder Process on Mobile Application Transparency.

With the passage of this Code of Conduct, consumers will have more information about how their data is being used by mobile apps, and a greater ability to protect their privacy.

We don’t agree completely with all of the elements of the code, and we will continue to work to ensure that companies have substantial flexibility in providing privacy notices.  However, this Code of Conduct empowers consumers and provides an important roadmap for developers to create ‘short form’ privacy notices for consumer apps. We look forward to working with our members and the industry to encourage implementation of the guidelines set out by this Code of Conduct.

In a time of rapidly evolving technology, industry self-regulation is the most effective way to maintain the right balance between consumer confidence and continued innovation.  Without collaborative, voluntary efforts such as this mobile privacy code, we risk heavy-handed legislation or government regulation that would harm tech innovation, job creation and economic progress.

SIIA continues to strongly support the Obama Administration’s commitment to creating voluntary privacy codes of conduct through multistakeholder collaboration, and we look forward to engaging in future initiatives to this end.


Ken Wasch is President of SIIA. Follow the SIIA Software team on Twitter at @SIIASoftware.

SIIA to FTC: Internet of Things Requires Technology Neutral Policies and Flexible Privacy Framework

SIIA on Friday encouraged the FTC to be careful in its analysis of the “Internet of Things,” the growing supply of data inputs, sensors and interfaces that are embedded in our vehicles, household appliances, and beyond. SIIA agrees with the FTC that privacy and security are critical to unleashing the full potential of the growing supply of data inputs from the new sensors and interfaces that are becoming part of our everyday lives. However, in our comments to the Commission, we asked that the FTC proceed cautiously if formulating any new policies, as these are likely to steer the future of data-driven innovation (DDI) and the scope of what is possible for American innovation for decades to come.

Software and apps are now rapidly evolving as new services are offered seamlessly across our devices and appliances. As we recently identified in our white paper on “Data Driven Innovation,” the new Internet-enabled IT ecosystem has unleashed tremendous opportunities for economic growth and social innovation.

First and foremost, SIIA urged the Commission to promote technology neutral policies and avoid technology mandates.  For example, given the range of devices that lead to the collection and utilization of data, it is impractical and ineffective to create policies based solely on a specific type of device, or an arbitrary characteristic of a device, like whether it is mobile like a smartphone or automobile sensor, or whether it is stationary, such as a computer or a refrigerator. While it might seem practical to target specific devices or platforms, this approach is likely to become dated within a matter of months or years due to the rapid evolution of IT.

With respect to privacy, SIIA urged the FTC to support a policy framework that provides for an evolving view of privacy rights based on risk and societal benefits, re-assess long-standing principles such as data minimization and encourage de-identification without creating broad mandates to that end. Read the full comments here.


David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPubPolicy.

Data Driven Innovation Case Study: Pearson-Enabling the Digital Ocean to Improve Student Outcomes

Data-Driven Innovation (DDI) benefits all sectors of our economy, increases efficiency, saves money and resources, and improves quality of life. From safety and security, to the environment and infrastructure, to health and education, the opportunities for DDI to improve our lives are boundless. In SIIA’s whitepaper, Data-Driven Innovation A Guide for Policymakers: Understanding and Enabling the Economic and Social Value of Data, we explored the ways our member companies are leveraging data to provide cutting edge solutions. Here’s one case study, from Pearson:

Today, we’re in the digital ocean. We can gather information about students’ daily learning activities and interactions with content as they happen in computer-based instruction. The increase of technology-based learning in schools enables us to have all students doing meaningful activity on digital devices. Computers now allow us to capture all kinds of data about what students do as they interact with learning material, seamlessly recorded as they go about their daily learning activity. These interactions can produce an “ocean” of data that, if used correctly, can give us a completely different view of how students progress in acquiring knowledge, skills, and attributes.

This ability to capture data from everyday student learning activity should fundamentally change how we think about assessment.

Invisible assessments allow us to gather information much more frequently without interrupting the flow of instruction, hence the term “invisible.” This lets us provide teachers, students, and parents with feedback about progress immediately and in time to make adjustments to teaching and learning. It also eliminates the common complaint about the heavy time requirements of traditional assessment.

By capturing many, many observations of a student’s learning activity over time, we are able to build models of student learning and proficiency without the pressure of performance on a single test.


David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPubPolicy.

SIIA Releases Policy Roadmap to Allow Data-Driven Innovation to Drive U.S. Innovation & Economic Opportunity

SIIA released a white paper today that provides an in-depth look at the benefits and challenges of data-driven innovation along with a detailed public policy roadmap. SIIA crafted the white paper to provide guidance to help policymakers understand and enable the economic and social value of data-driven innovation. The full white paper is available here.

Data collection and use is at a crossroads, and decisions by policymakers could have an enormous impact on American innovation, jobs and economic growth. It is essential for policymakers to recognize that data-driven innovation presents an economic growth engine that is revolutionizing our lives and will create 1.9 million U.S. jobs by 2015. At the same time, we have to address the very legitimate questions about the storage and use of data without strict regulation that stifles economic opportunity. With this paper, we’ve taken a comprehensive look at the issue – providing significant analysis of where the opportunities lie with data and what needs to be done to unlock its full potential. Our goal is to help government and industry enable the transformative power of data-driven innovation.

In the white paper, SIIA writes,

Technologists, privacy advocates and policymakers can work together to foster the societal, governmental and business opportunities created by data-driven innovation, while also meeting the challenge of protecting privacy…SIIA urges policymakers to proceed cautiously and avoid policies that seek to curb the use of data, as they could stifle this nascent technological and economic revolution before it can truly take hold.

SIIA’s fundamental principle for policymakers is to avoid creating broad policies that curb data collection and analysis. More specifically, SIIA outlines 10 essential policy recommendations that it believes will make certain there is an effective balance between ensuring the tremendous economic and technological opportunity of data, and addressing privacy and other concerns:

  1. To meet its full potential, DDI requires a policy framework that provides for an evolving view of privacy rights based on risk and societal benefits.
  2. The principle of data minimization should be re-interpreted in light of DDI.
  3. Policymakers should encourage de-identification as a way to balance the needs of DDI and privacy protection.
  4. Uniform rules should not apply broadly to the collection of personal information and the role of consent.
  5. Policymakers should promote technology neutrality and avoid technology mandates.
  6. Open standards are critical enablers of DDI, but they must continue to evolve through industry-led standards development organizations, not governments.
  7. Policies should allow data collectors and controllers to work with data management and analytics suppliers to comply with privacy and security rules through contracts across varying jurisdictions.
  8. Policies must continue to balance the need of protecting the privacy of students, while enabling DDI to greatly enhance the teaching and learning experience.
  9. Governments should adopt policies that leverage DDI to make government more efficient and effective and reduce government waste.
  10. Governments should continue to embrace open data policies and public-private partnerships that maximize access to critical public data.

As the leading representative of the software and digital content industries, SIIA has long anticipated the opportunities that will arise from the evolution and convergence of information and computing platforms. Many of SIIA’s more than 700 member companies are key enablers of data-driven innovation.


David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPubPolicy.

SIIA Comments on TTIP Address Trade and Privacy

Today, SIIA filed comments in response to the Federal Register notice of April 1, 2013 from the United States Trade Representative (USTR) regarding a proposed Transatlantic Trade and Investment Agreement.  The comment supported this TTIP initiative.  SIIA is prepared to help both the US government and the EU reach a timely and comprehensive agreement.  

The comments focused on the relationship between the seamless flow of information across borders and trade policy. A recent report on the Future of Trade by a panel convened by outgoing WTO Director General Pascal Lamy addressed this question of the relationship between domestic public policy and trade policy.  Here’s what it said:

Regulations in key areas of the economy, such as health, safety, environmental quality and labour rights are not set in the WTO. What this means is that the WTO must consider how to articulate the relationship between trade opening and the existence of measures outside its remit that are nevertheless relevant to the conditions under which trade takes place. While a convergence of public policy design would facilitate matters from a purely trade perspective, we recognise that respect for differing social preferences is paramount. We must work towards a shared understanding of what constitutes a level playing field. As a matter of principle, we argue that the discriminatory application of NTMs (non-tariff measures) must be avoided where possible and that members should not restrict trade where this is not essential to the pursuit of public policy objectives.

The key idea is that domestic laws should not restrict trade where this is not essential to the pursuit of public policy objectives.  Respect for different social preferences is paramount, but the means of implementing these social preferences have to be the least restrictive of trade possible.  If there is a way to achieve a public policy objective in a way that is less restrictive of trade, countries should take this direction. 

These principles are familiar to us from other contexts: the use of cost-effectiveness analysis to pick the project that achieves a policy goal with the least expenditure of social resources and the constitutional analysis of measures that restrict free speech which calls for an assessment of whether the speech-restricting measure is necessary to achieve a substantial government purpose.  Applying these notions to the trade context ensures that both trade and non-trade social preferences are satisfied to the greatest extent possible.

It is worth paying some attention to these ideas in the context of the revision of the European data protection regulation and its relationship to trade.  A recent report by the European Centre for International Political Economy for the U.S. Chamber of Commerce made the point that the revised EU privacy regulation could have an adverse effect on EU trade and thereby on EU’s domestic growth and employment.  It urged that the EU pay attention to these possible economic effects and stressed the importance of getting data protection regulation right.

What does this have to do with trade negotiations?  In particular, how does it relate to the upcoming TTIP negotiations? 

The SIIA comments addressed this question. They argued that one goal of the TTIP negotiations should be to ensure that privacy rules do not act as an unnecessary barrier to cross-border flows of information. But it is important to approach this connection between trade and privacy very carefully.

A trade agreement is not the place for the US or the EU to set its substantive domestic privacy rules.  SIIA does not endorse the idea of negotiating the specifics of the US or EU privacy regimes as part of TTIP.  These privacy regimes are different, but compatible, attempts to achieve the same protective results through different means.

Still, it is crucial to understand that privacy rules can have an effect on trade and should be carefully crafted to minimally impede the cross-border flow of data. The standard that local rules should be crafted so as to be least restrictive of trade is well established in trade law and policy. And this standard specifically applies to privacy rules. Article 15 of the General Agreement on Trade in Services, for instance, permits, among other things, domestic measures “necessary” to secure compliance with local privacy rules. The WTO panel on the future of trade was relying on this standard in issuing its report.

In this regard, SIIA urges both the EU and US to recognize that a complete ban on the transfer of data across borders is not necessary to secure compliance with local privacy rules.  If a company participates in an international agreement such as the US-EU Safe Harbor agreement, then its data should be able to flow seamlessly across borders.  In a similar fashion, a company that is in compliance with an enforceable privacy code of conduct or subjects itself to binding corporate privacy rules or has a contract with a data protection authority regarding privacy should be able to transfer information across borders.

TTIP need not constrain the specifics of privacy rules, but it should reaffirm the obligation to provide companies with a usable means to demonstrate compliance with local privacy rules so that information can flow across borders.  In this way, trade policy can help to ensure that privacy protection is done carefully and avoids unintended consequences on innovation and economic growth.

An important initiative in the area of trade and privacy is being run out of the law firm of Hogan Lovells. SIIA intends to work closely with them to ensure that TTIP and other trade negotiations address privacy in a positive way that balances the need for protection and the need for the seamless flow of data.


Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow the SIIA Public Policy team on Twitter at @SIIAPolicy

SIIA Supports COPPA’s Extension of Schools as Consent Providers

The Federal Trade Commission yesterday released its updated FAQs clarifying the amended rule implementing the Children’s Online Privacy Protection Act (COPPA) released in December, 2012. Included are several clarifications long championed by SIIA regarding the intersection of COPPA and children’s online activities in the school setting.

For those not familiar, in short, COPPA requires parental consent under certain conditions for the online collection of personal information from children under age 13. SIIA has long supported this important law for helping protect children’s privacy and safety, and has also worked with the FTC and other stakeholders to ensure COPPA implementation does not bring inappropriate or unintended consequences that limit technology innovation and the user experience.

According to the new COPPA FAQ:

  • “COPPA does not preclude schools from acting as intermediaries between operators and parents in the notice and consent process, or from serving as the parent’s agent in the process of collecting personal information online from students in the school context.”
  • “COPPA does not apply where a school has contracted with an operator to collect personal information from students for the use and benefit of the school, and for no other commercial purpose.”

These provisions are important to minimize the barriers to student access to instructional technologies and digital learning within the school context. Both build on the role of schools as trusted agents of student learning, privacy and safety, including that governed by the Family Educational Rights and Privacy Act (FERPA) as well as by Acceptable Use Policies (AUPs) signed between parents and schools. They help provide for students’ seamless access to online teaching and learning opportunities in the timely manner needed to address their educational needs under the guidance of their teacher and school, and governing local school board policies. The alternative of requiring parental consent in each case would present a significant administrative barrier, potentially put certain students at an educational disadvantage when consent cannot be secured in a timely manner, and would often leave students and teachers unable to take advantage of a “teachable moment.”

While the continuation of these school provisions is welcome, the updated FAQs do include some new guidance that will require further analysis and consideration. For example, the FTC guidance now requires that: “. . . the operator must provide the school with full notice of its collection, use, and disclosure practices, so that the school may make an informed decision.” And the FTC separately describes what information a school “should” seek from an operator, including “What are the operator’s data retention and deletion policies for children’s personal information?”

SIIA members can review a more detailed summary and analysis on new COPPA regulations and guidance. [Updated May 9, 2013]

SIIA looks forward to working further with public officials, families, educators and digital learning providers to ensure that children have access to critical online learning opportunities and applications in an appropriately safe and secure manner. This includes SIIA’s ongoing work around FERPA (the Family Educational Rights and Privacy Act), which governs educational institutions and agencies through the U.S. Department of Education and is referenced in the COPPA FAQ.


Mark Schneiderman is Senior Director of Education Policy at SIIA.