Day of Action to Demand ECPA Reform

Today, SIIA is joining a nationwide day of action calling for reform of the Electronic Communications Privacy Act (ECPA), the law that says the government can access your email and documents in the cloud without a warrant.

ECPA is one of the Internet’s most outdated laws – it was enacted in 1986, before most people had access to a home computer or email. ECPA says that state and local law enforcement agencies, as well as hundreds of other government agencies—like the IRS, FBI, and DEA—can access many of our stored emails, private social media messages, and documents in the cloud without getting a warrant from a judge. The law flies directly in the face of our Fourth Amendment values and creates an un-level playing field for cloud computing providers; in fact, many companies have fought back and now demand warrants before turning over customers’ communications. Of course, small companies don’t usually have the legal resources to fight this battle, so they are further disadvantaged.

Bills to reform ECPA have gained huge bipartisan support in Congress in recent months. However, legislation is now being blocked by a proposal from the Securities and Exchange Commission, which is pushing for a special carve-out for regulatory agencies to get your documents from online providers without a warrant. The SEC carve-out would neuter ECPA reform.

That’s why we’re calling on the White House to break its silence and stand up for ECPA reform. Today we ask you to join us by signing this petition to the White House. It’s time for the President to join tech companies, startups, advocates, and Members of Congress by supporting this commonsense, long overdue reform to ensure our privacy rights online.


David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPubPolicy.

SIIA Welcomes European Commission Report on Commercial Privacy and Government Surveillance

SIIA welcomes the European Commission’s report about privacy and surveillance released today. The report is an important step for advancing the intergovernmental dialogue between Europe and the United States in both commercial privacy and government surveillance.

However, we are concerned about the suggestion that restrictions on data collection and use by commercial entities should be a part of a response to concerns about government surveillance. In particular, we think it a mistake to hold hostage the crucial Safe Harbor framework for transatlantic data transfers pending a resolution of government surveillance issues. Modifications of this framework should stand or fall on their own merit and not be looked at as a substitute response to concerns about government surveillance.


David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPubPolicy.

SIIA Digital Policy Roundup: SIIA Testifies on Student Privacy, Patent Reform Picking up Speed, and TEACH Act Proposes Guidelines on Instructional Technology

SIIA Testimony Addresses Student Data Use and Privacy
Last week, SIIA’s Mark Schneiderman was invited to testify before the New York Senate Education Committee (at 1:27:15 of video) as they examine the New York State Regents education reform agenda. The testimony described some of the ways students, families, teachers and schools use technologies and data to improve education, and it addressed some of the questions surrounding student data privacy and security. The privacy and security of student personal data is coming under increased scrutiny by parents, policy makers and the media. SIIA members are encouraged to review the SIIA testimony to be informed and to better understand how you can react to these questions. Read More on SIIA’s Digital Discourse Blog.

Still Hope to Enact Patent Reform Legislation this Year
In a year of historic struggles in Congress to reach bipartisan consensus, recent developments keep hope alive that patent litigation reform legislation could be enacted in the closing weeks of the year, or at least be at the front of the line when Congress returns in 2014.
On Monday, House Judiciary Chairman Bob Goodlatte (R-VA) introduced an amendment to his patent reform bill, the Innovation Act, which he plans to mark up in the Committee on Wednesday. Among other things, the amendment would remove language relating to the covered business method program, arguably the most controversial provision in the bill.
On the same day, Goodlatte’s Senate counterpart, Chairman Leahy (D-VT), joined Senator Mike Lee (R-Utah) in introducing long-awaited counterpart legislation. According to Leahy, the Patent Transparency and Improvements Act of 2013 would increase transparency in patent ownership, allow customers who are sued for patent infringement to stay the case against them while the manufacturer litigates the suit, target the widespread sending of frivolous demand letters, and improve resources for small businesses that are targeted in patent infringement suits, among other provisions.
With only a couple weeks left in the year, it’s a long shot, but still possible that Congress could produce one victory by enacting patent reform legislation by year’s end.

TEACH Act Proposes Guidelines for Instructional Technologies
Last week Congressman Tom Petri (R-WI) introduced the Technology, Equality, and Accessibility in College and Higher Education (TEACH) Act to set guidelines for the accessibility of instructional technologies used in postsecondary institutions, and to create a safe harbor for conforming resources. The bill would seemingly allow institutions to use nonconforming resources, provided they make accommodations or modifications so students with disabilities receive equal educational benefits. SIIA has appreciated the opportunity to inform deliberations around the bill’s drafting. The Act could provide important clarity to the sector, but SIIA has several remaining questions we hope can be addressed to ensure the legislation truly creates a learning floor and not a technology ceiling. Read more on SIIA’s Digital Discourse Blog.

For the latest key policy developments affecting the software and digital content industries, subscribe to the Digital Policy Roundup Newsletter.


David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPubPolicy.

SIIA NY State Senate Testimony Addresses Student Data Use and Privacy

I had the opportunity to testify today before the New York Senate Education Committee (at 1:27:15 of video) as they examine the New York State Regents education reform agenda.  My testimony described some of the ways students, families, teachers and schools use technologies and data to improve education, and it addressed some of the questions surrounding student data privacy and security.

Following is a summary of my testimony:

Some 200 SIIA members work with schools and universities to develop and deliver learning software applications, digital content, web services and related technologies. Many involve the use of student information. Uses of technology include helping meet the personalized learning needs of all students, deepening learning and motivating students, supporting communication and collaboration, and helping educators manage the education enterprise.

Essential to this important use of technology is the collection, use and sharing of student information for educational purposes. The use of student information in schools is nothing new. Our educational system has long collected, managed and applied student and other data to operate and inform educational practices, and has routinely done so by using the services of third-party service providers. From school bus routes to student assessment results and from student lunch accounts to teacher payroll systems, our schools and agencies have a long history of effectively using information supported by school service providers.

Today, new technology tools and analytical techniques are enhancing that capacity, allowing educators to manage more data in more cost-effective and sophisticated ways. Many of these data tools provide educators with the power to better diagnose, and therefore remediate, student performance in a dynamic and ongoing manner. No longer must teachers wait for end-of-year paper-pencil assessments to be scored and returned the following year; and no longer must administrators pore through endless files in the hopes of identifying some gap or pattern. For example, facing a 48% dropout rate, the Mobile County (Alabama) public school system applied cutting-edge analytics to identify which students are at risk, and which interventions would help those students.

Educator interest in effectively using data is strong, but progress is slower and requires the support of policy makers and education leaders.  New York educators responding to SIIA’s annual survey reported an ideal level of 3.8 (on a 1-4 scale) for the use of information systems with student performance data to support their instructional decisions. However, they report their current level of use at only 2.7. They report a similar goal of 3.81 for the use of information systems that track performance and institutional data for school decision making.  However, again, they report their current level as only 2.49.  These numbers mirror the national trend.

As student personal information is used to improve learning, schools and service providers have a shared responsibility to protect the privacy and security of student information. One way they do this is by limiting the collection and uses of student personal information to legitimate educational purposes. They have policies and procedures in place to prevent unauthorized use.

Education leaders recognize this responsibility. SIIA’s educator survey has continually identified the use of security tools to protect student data and privacy as the top reported use of technology. In New York, educators report that their current use of such technologies and practices is 3.43 out of a possible 4.0.

This is not just a matter of good will.  Schools (and therefore their providers) are required to do this by the federal Family Educational Rights and Privacy Act (FERPA) and often by state laws as well. Service providers are also bound by contract and are subject to significant penalties for unauthorized disclosure of personal student information. And there’s a market incentive for service providers: if they do not live up to their responsibilities, they will lose the confidence of their customers.

School service providers do not have an independent role in the school system. They cannot just use personal student information as they see fit. School service providers work for educational institutions.  They collect personal student information only with the explicit approval of the schools and agencies that they work for. They use this information only for the purpose authorized by those educational institutions. Service providers also accept their responsibility to continuously review and improve policies and procedures designed to protect the security, confidentiality and integrity of student information.

Parents have an important role too. If schools and agencies want to share personal student information with third parties for purposes beyond the narrowly defined educational purposes in Federal law, the law requires them to get parental consent.

Some have called for parental consent for all uses of personal student information, even for core educational purposes. But this is unrealistic. Schools need to collect information from students to operate their institutions and to provide services to their students. They must share this information with third-party providers they depend on to carry out many important functions. They cannot possibly do this if they have to provide an opt-out for all uses of personal student information. More importantly, a universal opt-out would be unfair — some students would have access to certain educational resources, while those who opt out could be denied those learning opportunities.

As our education system continues to transform itself, SIIA looks forward to working further with all stakeholders to advance the innovative use of technology and data to improve education, and to continue the use of sound data practices that protect student privacy.


Mark Schneiderman is Senior Director of Education Policy at SIIA.

We Can Improve Student Learning and Preserve Student Privacy

The expanded use of educational technology and student information for improving student learning has drawn attention to the issue of student privacy on the state and national policy agenda. The education community is having important discussions about the use of student data while also ensuring its privacy and security.

Many educational service providers, working with schools and universities, use student information to develop and deliver learning software, digital content, web services and related technologies and services that meet their teaching, learning and enterprise management needs. These range from adaptive learning to bus and classroom scheduling software, and from learning management systems to data systems. They are helping to personalize learning, support teachers and instruction, carry out various administrative operations, and improve school productivity and educational performance.

As student information is used to improve learning, schools and service providers have a shared responsibility to protect the privacy and security of student information.

One way they do this is by limiting the collection and uses of student information. Schools and their service providers collect and use student information only for legitimate educational purposes and have policies and procedures in place to prevent unauthorized use.  This is not just a matter of good will.  Schools are required to do this by the federal Family Educational Rights and Privacy Act (FERPA) and often by state laws as well. Service providers are also bound by contract and are subject to significant penalties including the possibility of being restricted from contracting with the school for up to five years for unauthorized disclosure of student information. There’s a market incentive for service providers as well: if they do not live up to their responsibilities, they will lose the confidence of their customers and lose business.

Privacy and security of student information is important to schools and service providers for another reason.  They are essential parts of good information practices. For instance, if student information is inaccurate, out-of-date or incomplete, this renders the use of the information unreliable.

Educational service providers do not have an independent role in the school system. They cannot just use student information as they see fit. They work for educational institutions.  They collect and use student information only with the explicit approval of the schools and other educational institutions that they work for. They use this information only for the purpose authorized by the educational institution.

Parents have an important role too. Federal law requires parental consent (for students under age 18) if schools want to share information with third parties for non-educational purposes.  If schools, school districts, or state educational departments want to use student information beyond the narrowly defined educational purposes in Federal law, they have to get parental consent.

Some have called for parental consent for all uses of student information, even for core educational purposes.  But this is unrealistic.  Schools need to collect information from students to operate their institutions and to provide education to their students.  They must share this information with third-party providers without whom they do not have the capacity to carry out many core functions. They cannot possibly do this if they have to provide an opt-out for all uses of student information. More importantly, a universal opt-out would also create an unfair imbalance by further widening the achievement gap — some students would have access to the best educational resources while those who opt out fall behind.

As our education system continues to transform itself, SIIA looks forward to continued work with educators, policy makers and providers to advance the innovative use of technology and data to drive student success, and the continued use of sound data management practices that protect student privacy.


Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow Mark on Twitter at @Mark_MacCarthy

SIIA Cites Global Mistrust as Impediment to Economic and National Security

SIIA filed joint comments to the Privacy and Civil Liberties Oversight Board (PCLOB) today in response to its upcoming hearing on U.S. Surveillance Programs. In filing the comments, SIIA highlighted the importance of the board’s review of the government’s intelligence-gathering programs and their forthcoming recommendations to the Obama Administration to balance national security with civil liberties.

The recent revelations about U.S. intelligence programs and concerns about U.S. government access to privately held user data by U.S. companies are eroding trust in U.S. IT products globally. Major trading partners, Brazil and the European Union, are considering strict measures that threaten the ability of U.S. companies to do business in these critical markets.

Specifically, the EU Parliament this week approved a new data privacy regulation that creates a Catch-22 for U.S. companies, requiring them to obtain approval from European regulators prior to responding to U.S. government requests for information—under this approach, U.S. companies could not effectively comply with conflicting national laws. And Brazil is considering a proposal to require IT companies to operate within their borders to house all operations there or restrict the transfer of data outside their jurisdiction.

Measures such as these would not only have a significant negative impact on U.S. businesses, but would also undermine IT innovation and economic growth around the world. SIIA believes that economic and national security are deeply connected to civil liberty, and that there are clear steps that the U.S. government can take to accomplish these goals, beginning with a greater commitment to transparency and oversight.


Ken Wasch is President of SIIA. Follow the SIIA Software team on Twitter at @SIIASoftware.

SIIA Digital Policy Roundup: Patent Litigation Reform Legislation, EU Data Privacy Regulation, PTO Strategic Plan & Draft Cybersecurity Framework Released

Judiciary Chairman to Introduce Patent Litigation Reform Legislation
House Judiciary Committee Chairman Bob Goodlatte (R-VA) will introduce his patent reform bill today, and he has scheduled a Committee hearing on the legislation on October 29, entitled “Improving the Patent System to Promote American Innovation and Competitiveness.” The bill is expected to be very similar to the recent discussion draft released in September. SIIA believes that it is essential for Congress to promptly pass legislation that effectively addresses patent litigation abuse without harming the patent protections that spur innovation. We will continue working closely with Chairman Goodlatte and other congressional leaders to accomplish this objective.

European Committee Adopts Stringent Data Privacy Regulation
A key European Parliament Committee, the Committee on Civil Liberties, Justice and Home Affairs (known as the LIBE), was busy on Monday considering the proposed EU Data Protection Regulation. The unofficial text of the regulation as released by the EU Parliament can be found here. After a series of amendments, the version passed by the Committee could pose serious challenges for businesses, including: requiring permission from a state’s national data protection authority before any data could be transferred to the US government; requiring users’ explicit consent before processing data; establishing limits to “profiling”; and granting citizens the right to have their personal data erased upon request — what has been referred to as a right to be forgotten is now coined “Right to Erasure.” For enforcement, the proposal also includes the potential for fines estimated up to billions of euros for the biggest technology companies if they fail to adhere to rules like limiting the sharing of personal data.

Also of major concern to U.S. companies, the Committee’s action appears to effectively call for the end of the critical EU-U.S. Safe Harbor mechanism. That is, the express consent requirement, which has been referred to as the “anti-FISA clause,” would effectively forbid a U.S. company from complying with U.S. Government requests for data.

For what it is worth, this is not the end of the road for the proposed EU Data Regulation. The new rules will continue to undergo consideration by the EU Commission and Council with the next vote scheduled for 2014, leaving hope for amendment. However, at this point the proposed regulation is every bit as unworkable for U.S. companies as feared. SIIA is still assessing the details of the proposed regulation and we will continue to update members as this critical regulation moves forward.

PTO Issues Strategic Plan for 2014-18
Last week, the U.S. Patent and Trademark Office (PTO) issued its draft strategic plan for 2014-2018. Some of the PTO’s key goals outlined in the plan include: establishing optimal pendency and quality levels for patents and trademarks, effectively administering the provisions of the AIA, and continuing to transform the PTO with Next Generation technology and services. In the plan the PTO also states that it intends to “take a lead role” in negotiations on a treaty on copyright exceptions for libraries and education. Public comments will be accepted until November 25, 2013.

Obama Administration Releases Draft Cybersecurity Framework
Yesterday, the Department of Commerce National Institute of Standards and Technology (NIST) officially unveiled its first, formal draft of the Cybersecurity Framework required by President Obama’s executive order in February. The framework outlines a set of best practices and standards for critical infrastructure, and has been described by NIST Director Pat Gallagher as a set of “easily communicated cybersecurity expectations across critical infrastructure sectors.” NIST will open a 45-day public comment period on the Draft Framework and remains committed to releasing the final framework in February 2014.


David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPubPolicy.