SIIA Welcomes State Department’s Interventions on Cloud Computing and Privacy

Last week U.S. Ambassador to the European Union, William Kennard, addressed Forum Europe’s 3rd Annual European Data Protection and Privacy Conference, and responded to the myth that the U. S. system of government access to information is a threat to the privacy rights of citizens of the other countries. He was especially effective in rebutting concerns directed at cloud computing, where the misconception has developed that information stored in cloud computing servers can be accessed by the U.S. government without any effective privacy controls.

His intervention is a welcome attempt to set the record straight before these erroneous beliefs become widespread and entrenched.  It was accompanied the release of State Department white paper that dispels the misconceptions about the U.S. legal system and government access to information.

The fact is that the U.S. has a well-developed and established system to protect individual liberties from government intrusion.  We have a general distrust of a powerful government and are suspicious of anything that advances the growth of government power.  Our bias is in favor of a limited government that lets people chose their own good in their own way.  As a result we are far less tolerant of government intrusion into our private lives than other countries, and have set up a system whereby the U.S. extends privacy protections to non-U.S. citizens as well.

At the same time, the U.S. is more tolerant of the use of information for innovative and productive use by businesses than other countries, to our great advantage in the race for economic growth, business development and job creation.  Our system of protecting the individual privacy in the business context shows that this can be done while maintaining strong and effective protections for consumer privacy. This system also respects the rights of non-U.S. consumers established in other privacy regimes.

None of this means that the U.S. system is perfect.  We think that steps can be taken to improve the consumer privacy system for mobile app notifications and are actively working with the U.S. Commerce Department and other stakeholders on a voluntary code of conduct and an effective system of screen notices.  We have joined with others in the Digital Due Process Coalition to modernize the 1986 U.S. Electronic Communications Privacy Act, which needs updating to fit the realities of email and document storage in the cloud.

But the need for these reforms does not suggest that the current U.S. system is a threat to privacy or justifies a move away from cloud computing as a way to avoid government scrutiny.  Ambassador Kennard is to be commended for his strong defense of the U.S. approach to privacy in the cloud.


Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow the SIIA Public Policy team on Twitter at @SIIAPolicy

Mobile Privacy: Congress Should Give Multistakeholder Discussions More time

Today,  the Senate Judiciary Committee is scheduled to consider legislation sponsored by Senator Al Franken (D-MN), the Location Privacy Protection Act of 2011 (S.1223), that would require app providers to seek affirmative “opt-in” consent from consumers before using their location information.

As with all consumer privacy issues, users trust in mobile app privacy is absolutely critical.  Without consumer trust, demand stalls, innovations is stifled and neither businesses nor users interests are served.  Straight-up, a lack of trust is a lose-lose. However, multistakeholder discussions have been ongoing since June of this year, engaging a wide range of industry and civil society in an effort, led by the Department of Commerce NTIA, to develop a voluntary code of conduct for mobile app transparency in information collecting.

This flexible, consensus process is also better able to ensure that policies are not technology or platform specific.  That is, at a time of increasing convergence, where “applications” are seamlessly offered across a wide range of devices, fixed laws such as this would stifle technological evolution by creating a distinct privacy regime based on a specific type of device.

SIIA is very supportive of the effort and confident that it can succeed if given time.  Consumers and businesses are in this together, dependent on each other as this new mobile ecosystem continues to evolve.  With the right consensus-driven framework, mobile app privacy can be a win-win for users and businesses.

Rather than considering rigid legislative mandates on the mobile app industry, Congress should continue to explore how to support this industry.  The House Energy and Commerce Committee did just that earlier this year by holding a hearing focused on this innovative industry and how it can spur economic and job growth.

Recommendations are good.  Consumer self-help is good.  But the world is looking to us to show that self-regulation can work as a viable alternative to government mandates.  To allow the multistakeholder efforts on mobile transparency to falter now would confirm their belief that only the government can set the rules of the road in this area.  It is time for the industry to step up and make progress on setting its own rules of the road. If we don’t we have only ourselves to blame if state, national or international governments feel compelled to step in to protect the public.


David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy.

COPPA Rulemaking Goes Far Beyond Congressional Intent; Will Harm American Innovation

SIIA today filed comments with the Federal Trade Commission regarding its notice of proposed rulemaking on the Children’s Online Privacy Protection Act (COPPA). SIIA expressed significant concern that the FTC is creating a burdensome regulatory framework that goes well beyond congressional intent.

The FTC’s proposed COPPA rulemaking takes the effort to protect online privacy and turns it into a harmful barrier to American innovation. For years, we’ve worked closely with industry and government to advance online privacy and security. We’re confident that, with smart regulation and public-private cooperation, both the goal of protecting online privacy of children and the goal of business innovation can be served. Unfortunately, what we’re currently seeing from the FTC is an overly broad and unworkable regulatory framework for implementing COPPA.

To read SIIA’s full comments, please click here. In its comments, SIIA states:

“We are supportive of the goals of the Commission to protect children from third-party plug-ins, social networks and any other third party service that collects personal information.

“However, the inappropriately broad expansion of the statute’s definition of personal information, combined with the increasingly broad definitions of ‘operator’ and ‘web site or online service directed to children’… create a broad regulatory framework that dramatically exceeds the scope of COPPA and will most certainly stifle innovative Internet-based offerings-not just for sites and services directed at children under 13, but much more broadly.”

SIIA addresses six specific areas of concern:

1. Expansion of “Personal Information” to include persistent identifiers creates an unworkable regulatory construct.

2. Modification to the rule’s definition of “operator” is overly-broad, and it places an unworkable responsibility on operators of sites and services well beyond the scope of COPPA.

3. Proposal to make third parties qualify as “operators” under COPPA by creating a “reason to know” standards is an inappropriately broad expansion of the statute and impractical.

4. Requirement for operators of “child-friendly mixed audience sites” to take an affirmative step to attain actual knowledge of child users would inappropriately expand the scope of COPPA.

5. Application platforms should not be characterized as “operators” under COPPA, but the Revised NPRM leaves this unclear.

6. The broad regulatory construct proposed in the Revised NPRM is likely to challenge application of COPPA to Internet-based educational materials and services.


Ken WaschKen Wasch is President of SIIA.

Mobile Privacy: Time for Collaboration, Not Legislation

Representative Ed Markey’s proposed mobile legislation, scheduled to be introduced today, is the wrong way to go. It would impose rigid privacy rules on the mobile industry that can only lead to stagnation and a loss of innovative dynamism.

And what a loss that would be for such a dynamic, growing industry. According to a recent study, there were over 44,000 app-related positions open in the U.S. in the last quarter of 2011, and overall, there were 45 percent more open app positions than in the previous year. Based on this number, the study found the app economy firms represented 311,000 jobs. Using a standard multiplier, this number grew to nearly a half a million jobs created by the app economy in both direct and indirect jobs since 2007.

Rather than overregulating an industry that holds such potential for economic growth, Congress should be following the House Energy and Commerce Committee’s lead in supporting the industry. The Committee is holding a hearing today focused on apps and where the jobs are.

So if legislation isn’t the answer, what should be done?  Over the summer, the National Telecommunications and Information Administration (NTIA) launched an effort to nudge stakeholders into adopting codes of conduct for mobile transparency.  SIIA was supportive of this effort and remains so.  But after several meetings it appears that things may be starting to drift. Some scheduled meetings have been postponed. Fortunately, discussions between various industry stakeholders, as well as discussion between industry and consumer watchdogs, are ongoing.

The industry needs to get the substantive mobile transparency discussion moving again, if not through NTIA action then separately.

It’s also important to remember that consumers are not passive victims.  If they think they are being abused, they have a healthy capacity for self-defense. As the New York Times wrote last week “many consumers seem to be already taking steps to guard their personal information from data-grabbing apps. A study by the Pew Research Center, released Wednesday, found that among Americans adults who use smartphone apps, half had decided not to install applications on their mobile phones because they demanded too much personal information. Nearly a third uninstalled an application after learning that it was collecting personal information “they didn’t wish to share.” And one in five turned off location tracking “because they were concerned that other individuals or companies could access that information.”

This is good.  In the absence of government mandates, and industry codes of conduct, consumers are doing some sensible things to protect themselves.  But the lack of consumer trust is troubling and can only inhibit growth in the market.  If consumers just say no, the whole industry suffers.

The FTC is trying to help with some guidance.  Last week it published its recommendations for mobile application developers, suggesting that companies seek “express agreement” for consumer data they collect and share.  Nothing is binding on companies, however, and there is no indication that these recommendations are forming the core of industry codes of conduct or best practice.

Recommendations are good.  Consumer self-help is good.  But the world is looking to us to show that self-regulation can work as a viable alternative to government mandates.  To allow the multi-stakeholder efforts on mobile transparency to falter now would confirm their belief that only the government can set the rules of the road in this area.  It is time for the industry to step up and make progress on setting its own rules of the road.


Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow the SIIA Public Policy team on Twitter at @SIIAPolicy

Mobile Payments Get Currency

The FTC is looking at mobile payments this Thursday, an event that caps several weeks of intense attention to this innovative new technology by policymakers. In March the House Financial Services Committee and the Senate Banking Committee held hearings. And the Internet Caucus held a Congressional briefing, which I chaired.

Several years ago a study by ITIF highlighted mobile payment’s opportunities for efficiencies, growth and innovation. It wondered why it hadn’t taken off in the US, the way it had in other jurisdictions such as Japan and Korea. Since then Square, Intuit, Google, ISIS, PayPal have all ramped up their efforts to bring the new service to consumers and retailers in an attractive easy to use package. The majority of Americans will be embracing mobile payments by 2020, a Pew Internet study found last week.

The benefits are enormous. Mobile payment technology means faster checkout, more through put for merchants, the opportunity to send and receive offers and promotions, greater security, and a platform for new innovative services that haven’t been created yet.

It is worth pausing on the benefits of increased security. Unlike traditional magnetic stripe payment card transactions, mobile payments use a different security code for each transaction. Even if the transaction data is compromised, it cannot be used to make a counterfeit card that would work at the point of sale. This takes the merchant system out of harm’s way and reduces risk to cardholders. Mobile payments implemented on a smartphone can also be protected by a password or PIN number, adding barriers to illicit use of a lost or stolen phone. If asked to choose based on security, shoppers would be smart to use mobile payments over traditional cards.

Some have suggested that mobile payments create increased privacy risks because new information would be available to new players. But these risks are speculative and are being addressed in advance by market players who design their systems to be privacy-protective. They know that the market will only work on the basis of trust, careful handling of personal information, and a compelling user experience.

Mobile payment providers collect location information from their users, but only with affirmative consent. Product specific information isn’t collected at all and so cannot be added to a consumer profile to target ads. Cell phone and email information are available to mobile payment service providers at the time of sign up, but are not transferred to third parties such as retailers. Mobile payment services are savvy enough to avoid the mistake of allowing secret, undesirable acquisition of contact information by third parties. Under the Google Wallet rules, for example, contact information could not be disclosed to a retailer for marketing or advertising purposes without affirmative consent.

The privacy default for mobile payments is that consent is needed for any sharing of consumers’ personal information for marketing purposes. Industry participants have set up their systems with this requirement for consent as the default. This privacy-by-default approach renders concerns about privacy violations more theoretical than real. Mobile payment users can feel confident that they can enjoy the conveniences and added security and usefulness of mobile payments without worrying about privacy violations.


Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology.

In Comments on NTIA Multistakeholder Privacy Process, SIIA Applauds Government’s Role as Convener; Calls for Collaboration Instead of Legislation

Today the Software & Information Industry Association submitted comments to the Department of Commerce regarding the National Telecommunications and Information Administration (NTIA) “Multistakeholder Process to Develop Consumer Data Privacy Codes of Conduct.”

SIIA applauds the NTIA’s process of bringing together relevant parties in order to gather their collective expertise, and reiterated its call for a collaborative, rather than legislative, approach to addressing consumer data privacy. We believe that the proposed multistakeholder process can contribute significantly to the mutual recognition of data privacy regimes, including the European Union’s proposed data protection regulations.

SIIA looks forward to actively participating on behalf of our members and the industry broadly.

In its submission, SIIA says, “As highlighted by the Privacy and Innovation Blueprint, voluntary, enforceable codes of conduct are the appropriate approach for privacy protections because they develop faster and provide more flexibility than legislation or regulation. SIIA also concurs that the Government’s role in this process is primarily as a coordinator, acting as an active convener of the many stakeholders that share the interest of continued development of the digital marketplace.”

“The Federal Trade Commission has substantial authority to take action against actors it thinks has violated its privacy policies and is able to enforce a company’s promise to abide by a code of conduct through its authority to prevent deceptive practices.  As a result, SIIA believes that the multistakeholder process can and should proceed in the absence of new privacy legislation.”

SIIA goes on to make recommendations in several specific areas, and also calls on NTIA to adhere to several key principles while undertaking the multistakeholder process, including: 1) maintaining a commitment to openness and transparency of process and decision-making; 2) ensuring that the Department of Commerce plays an active role as convener; 3) enforcing a structure that has a timeline for deliverables, clear criteria for what counts as consensus and a division that allows progress to be made in sub-groups, and; 4) ensuring a process that is open to all affected parties, but does not preclude the submission of draft documents for review by the group.

For a copy of SIIA’s complete comments to the agency, click here.


David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy.

SIIA Welcomes New FTC Privacy Report

SIIA welcomes today’s clarification of the FTC’s policies in the area of online privacy. This clarification is especially important because of the FTC’s substantial authority to bring cases against the companies it claims are in violation of its policies. SIIA has long supported a collaborative, public-private approach as the best way to ensure consumer privacy, and we cannot endorse the report’s call for new legislation. In light of the FTC’s substantial authority in this area, we do not believe there is a need for new privacy legislation.

Read today’s coverage of SIIA’s stance:

FTC Report Calls for Transparency, Stops Short on Do Not Track Law – E-Commerce Times

FTC privacy: Key excerpts from the report – Washington Post

FTC Pushes ‘Do Not Track’ Privacy Option for Consumers – National Journal

FTC Chairman: Do-Not-Track Law May Not Be Needed – PC World


Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology.