The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee



Election 2012: Privacy Platforms Compared

The Democratic and Republican Parties unveiled their respective policy platforms at their national conventions this past month. Both platforms address a host of issues related to internet freedoms and security, and differ greatly in some ways and little in others. The starkest contrast lies in the parties’ plans for protecting consumer privacy. However, in other areas such as cybersecurity, the differences seem more imagined than real.

Both party platforms prioritize the civil-liberties aspect of internet freedom but have different prescriptions for achieving it. The Democratic platform envisions information privacy as freedom from private intrusion and public censorship, “protecting an open Internet that fosters investment, innovation, creativity, consumer choice, and free speech, unfettered by censorship or undue violations of privacy.” It later touts the consumer privacy initiatives taken by the White House as a step in this direction: “That’s why the administration launched the Internet Privacy Bill of Rights and encouraged innovative solutions such as a Do Not Track option for consumers.”

Earlier Secure Times coverage on the White House’s privacy approach and Privacy Bill of Rights is available here.

The Republican platform, on the other hand, specifically promises greater protection of personal data from use by government and law enforcement. In what may be a nod to the holding in United States v. Jones and the ongoing debate over location tracking, the RNC pledges to “ensure that personal data receives full constitutional protection from government overreach.”

The RNC platform goes on to add its support for protection from private actors, such that “individuals retain the right to control the use of their data by third parties.” However, it argues that “the only way to safeguard or improve these systems is through the private sector.”

Both platforms agree on the great importance of cybersecurity. However, the RNC criticizes the Administration for not being proactive enough in its efforts to neutralize new cyberthreats:

The current Administration’s cyber security policies have failed to curb malicious actions by our adversaries, and no wonder, for there is no active deterrence protocol. The current deterrence framework is overly reliant on the development of defensive capabilities and has been unsuccessful in dissuading cyber-related aggression. The U.S. cannot afford to risk the cyber-equivalent of Pearl Harbor.

The platform does not name any specific measures to dissuade rather than defend against cyberthreats, but it goes on to criticize the administration for not enabling enough information-sharing between public and private parties. Nonetheless, the Democratic platform mentions “strengthening private sector and international partnerships” as well.

Both parties roundly agree on the multi-stakeholder policymaking framework; the two statements seem to paraphrase each other. The RNC platform states:

We will resist any effort to shift control away from the successful multi-stakeholder approach of Internet governance and toward governance by international or other intergovernmental organizations.

The Secure Times provided earlier coverage of the Multistakeholder Process here.

Links:

National Journal: Dems Part Company With Republicans on Net Neutrality, Online Privacy

2012 Democratic National Platform

2012 Republican National Platform



New Developments on Canadian Anti-Spam Law

The Canadian Radio-television and Telecommunications Commission (CRTC) has made and registered its Electronic Commerce Protection Regulations for the Anti-Spam Act (CASL), which is expected to come into force in 2012.  The newly released regulations set out the information to be included in, and the form of, commercial electronic messages (CEMs), and information to be included in a request for consent.  The regulations also address how to get consent for the installation of computer programs.

The CRTC has responded to a select few of the broad-ranging concerns raised by businesses on the draft regulations during last year’s consultation phase.  Businesses will find there is a bit more flexibility in the “must-have” information they set out in CEMs, and when they seek consent to send them.  This implicitly recognizes that:

  • businesses operating online are not all created equal:  they do not all have the same contact capabilities, in terms of either human or online resources; and
  • CEMs are not all created equal:  an email may be easy (relatively speaking) to load up with prescribed information, but online communications come in many forms, and some are not as adaptable to detailed information and contact requirements.

The following points compare the final regulations to the draft regulations (the latter in parentheses).  When sending a CEM or seeking consent, businesses may do the following.

  • simply include the name by which they carry on business (rather than both that and their legal name);
  • include their mailing address, and either a staffed or voicemail phone number, email address or web address (rather than the physical and mailing address, plus all of the above, plus any other electronic address);
  • include the information in the above point on a website that “is readily accessible” (rather than via a single click);
  • use an unsubscribe mechanism that can be “readily performed” (rather than “performed in no more than two clicks or other method of equivalent efficiency”);
  • simply indicate that the person whose consent is sought can withdraw their consent (no need to indicate the means to do so).

Despite the above points of flexibility, there is no denying that the Act and regulations will impose much higher requirements for CEMs than many businesses are prepared for.  This notably includes U.S. businesses operating in Canada who are familiar with, and compliant with, CAN-SPAM.  As we explained in a previous post, CAN-SPAM and CASL are different in several very important ways.  CASL has a broader application, clear reach outside Canada, higher standard for consent, and higher penalties.

In short, any business sending CEMs to Canadians needs to become informed about the CASL requirements and take steps to become compliant.

Next Steps

Further regulations are expected from Industry Canada before CASL comes into force.

Businesses and industry associations have called on the government to introduce even more flexibility to reduce the impact of CASL on their operations, while still meeting the government’s anti-spam priorities.  One of the frequent “asks” has been for some lead time prior to CASL’s entry into force to allow businesses to prepare their databases and operations.  Others have requested that the government use its regulation-making authority to exclude certain types of CEMs, and CEMs sent under certain circumstances, from the requirements of the Act.

It remains to be seen whether the government will introduce new exceptions, or more flexibility, under regulations to come either before or after CASL comes into effect – expected later this year.



Commerce Department Launches Multistakeholder Process for Consumer Privacy Codes of Conduct

In response to the White House’s February 23, 2012 release of Consumer Data Privacy in a Networked World:  A Framework for Protecting and Promoting Innovation in a Global Digital Economy ("Framework"), the Commerce Department’s National Telecommunications and Information Administration ("NTIA") has issued a request for public comments on the consumer data privacy issues to be addressed through voluntary, yet legally enforceable, codes of conduct that implement the Consumer Privacy Bill of Rights outlined in the Framework.  NTIA is seeking comments from all interested stakeholders, including consumer groups, industry, academia, law enforcement agencies, and international partners.  Comments are due on March 26, 2012.

Interested parties may submit comments on any consumer privacy-related topic, though NTIA’s request indicates that the Framework’s transparency principles in privacy notices for mobile applications ("apps"), particularly apps that feature location-based services, are among the agency’s highest priorities.  Other highlighted areas for comment include cloud computing, online services directed toward teens and children, trusted identity systems, and the use of technologies, such as browser-based cookies, to collect personal data.

NTIA also seeks comment on how the multistakeholder process can be structured to ensure openness, transparency, and consensus-building among a diverse group of interested parties.  These comments represent the initial step of a process aimed at developing voluntary codes of conduct that will be enforced by the Federal Trade Commission.


NYU Privacy Law Fellowship Accepting Applications

The Information Law Institute of NYU’s Engelberg Center on Innovation Law and Policy is accepting applications for a one-year fellowship in the area of privacy law, with a focus on issues related to location tracking.  The fellowship is open to law school graduates with excellent credentials and will begin in Fall 2011.  While in residence at NYU School of Law the fellow will be expected to play a leading role in researching and writing a white paper on the subject of location tracking and privacy, disseminating the results of the study, and organizing a conference or workshop on the topic.  The fellow will also be encouraged to pursue his or her own privacy-related research agenda during the fellowship year. The location tracking project will be supervised by Helen Nissenbaum (Professor of Media, Culture, and Communication), Katherine Strandburg (Professor of Law), and Ira Rubinstein (ILI Senior Fellow).  The fellow will have the opportunity to participate in Information Law Institute activities, including the multidisciplinary Privacy Research Group, to interact with other faculty associated with the ILI, and to take part in many other activities at NYU School of Law. 

The ILI fellow will receive a stipend of $50,000, along with benefits.  Applications for the fellowship should be sent by email to ILI assistant Nicole Arzt, Nicole.arzt@nyu.edu, and should include:  a cover letter, curriculum vitae, copies of any publications, and the names and contact information of three references.  The fellowship is made possible by a generous grant from Microsoft Corporation.



59th Antitrust Law Spring Meeting: Zeroing in on Behavioral Targeting

The ABA Antitrust Section spring meeting began March 30, 2011, and features a number of programs focusing on privacy and data security issues. In the “Zeroing in on Behavioral Targeting” program, panelists from the Federal Trade Commission (“FTC”), the Washington state attorney general’s office, and law firm privacy experts discussed current issues and legal actions involving online behavioral targeting.

Panelists included Becky Burr of WilmerHale; Tina Kondo, Deputy Attorney General with the Washington State Office of the Attorney General; Maneesha Mithal, Associate Director of the FTC’s Division of Privacy and Identity Protection; and David Parisi with Parisi & Havens, LLP.


Privacy – Transparency and the Push to Convert the U.S. Government to the “Cloud”

Have you thought about how many government agencies are transitioning to cloud computing, and what that means for privacy concerns?  The White House released a “25 Point Implementation Plan to Reform Federal Information Technology Management” in December 2010 that advocates a shift to a “cloud first” policy for all agencies. This is after the GAO observed in June 2010 that although “OMB launched a cloud computing initiative in 2009” it “does not yet have an overarching strategy or implementation plan.” The OMB IT Dashboard suggests that numerous federal agencies (perhaps over 100) are pushing to build in cloud computing functions, including the General Services Administration and the Department of Health and Human Services.

In contrast to the hype surrounding the cloud, NIST’s recently published draft Guidelines on Security and Privacy for government use provide detailed commentary on key cloud computing concerns, including: cloud system complexity; the shared multi-function environment; and internet exposure that increases vulnerability to internet attacks such as botnets. Notably, NIST reported that although the city of Los Angeles made news in 2009 (see, e.g., articles here, here, and here and mention in this report) when it announced it was shifting its email servers to Google’s cloud, the system has not lived up to the hype. As of early 2011 the city was running both its legacy and the cloud systems – hardly a model of cost-efficiency. The police functions had not been successfully outsourced because of security concerns, and the report stated that Los Angeles will have to shut down the operation in June 2011 if the situation isn’t resolved. Could Los Angeles be the canary in the coal mine showing that “cloud first” may not result in dramatic cost savings?

Perhaps most troubling is the loss of control over data. According to the draft NIST report, “a characteristic of many cloud computing services is that detailed information about location of the data is unavailable or not disclosed to the service subscriber. This situation makes it difficult to ascertain whether sufficient safeguards are in place and whether legal and regulatory compliance requirements are being met.” Translation: outsourcing data to the cloud means that organizations (including the US government) often won’t know, or have any control over, where that data is stored or transferred, despite state and federal laws prohibiting transfer of data overseas. Enabling third-party service providers to dictate where data flows may not be worth whatever cost savings may be generated by the new “cloud first” policies.



Data Privacy Day: January 28, 2011

Mark your calendars for Data Privacy Day – January 28, 2011.  Countries around the world are hosting events in honor of Data Privacy Day (or Data Protection Day).  This year is the thirtieth anniversary of the date on which the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was opened for signature by the Council of Europe on January 28, 1981. Some highlights include:

– Panel discussions around the world.  For example, the Council of Europe and European Commission are hosting a joint high-level meeting in Brussels (registration due January 24).  Google is opening its Washington, DC offices for a Google breakfast and a panel discussion called “The Technology of Privacy: When Geeks Meet Wonks.”

– Local government initiatives.  For example, the California Office of Privacy Protection will be launching a social media site: www.privacy.ca.gov.

– Happy hours in many local areas on January 27, 2011, hosted by the International Association of Privacy Professionals (IAPP).

Check out  dataprivacyday2011.org, http://www.europeanprivacyday.org/, or http://www.capapa.org/DPD.html for events in your area.