Leslie Harris - Center for Democracy and Technology

An Ill-Conceived Harvest

Leslie Harris — Wed, 14 May 2008 14:31:00 GMT

Your Internet Service Provider may be offering up every click you make online and selling it to a company determined to know any thing and every thing about you, down to the fake name you use when logging on to the “Always ABBA” fan site.

That’s a wiretap by any other name; I apologize for the subtly.

The technique used in this ill-conceived information harvest is called “deep packet inspection” (DPI). In practice it’s used by ad networks engaging in “behavioral tracking,” in principle it is fraught with unresolved privacy, regulatory and legal issues.

Previously, an Internet user’s online information was likely collected by a third party ad network only when visiting web sites participating in the network. Online surfing habits were often combined into profiles to serve up targeted ads geared to a user’s interests. The privacy concerns about this so-called behavioral targeting by web operators are significant. But they pale in comparison to the “always on” collection scheme of DPI recently launched by some ISPs.

Charter Communications this week announced that it was going to start rummaging through each user’s click stream in an effort to provide its subscribers with--I’m not making this up--“[A]n enhanced online experience that is more customized to your interests and activities.”

You’ll love this new intrusion into your life, Charter promises, because now you’ll see ads that are “more likely” in keeping with your “interests.” Browsing the web “can become more like flipping through your favorite magazine,” a promise that should bring chills to those who value the open and free wheeling Internet

Imagine for a moment… perhaps the “magazine” you’re flipping through is a web site dedicated to supporting incest survivors or a cancer research information center or that of a fringe political group. I don’t even want to think about what kind of “targeted ads” might be served up in one of those scenarios. I’m more concerned about what happens to all that information if it has “nowhere to go”? Such information, in the wrong hands, could cripple a person’s life. And while the information collected by itself may not be personally identifiable, it takes no more than a click for an ISP to combine it with billing information (at least name and address) used to set up an account.

At least Charter had the corporate decency to alert its subscribers ahead of time; Other ISPs involved in DPI have been reluctant to own up to the practice or, when discovered, provide only vague explanations as to how and why it’s being used.

The ad companies on the receiving end of this information promise that they respect privacy, that no particular bit of information can actually be tied directly to any unique user.

Charter specifically address this question, telling its users that the service “[S]pecifically and explicitly does not track or display ads related to confidential medical information, racial or ethnic origins, religious beliefs or content of a sexual nature.” Of course, in order to exclude this information, someone (or something) has to riffle through your searches and web browsing to make the cut as to what is over the line. Interestingly, political speech appears to be fair game.

Charter also claims that it doesn’t retain any data, such as the web sites you’ve visited. Likewise, those companies buying your information make similar claims, that they don’t retain your information, nor can it be traced back to any particular users. In addition, those using DPI, including Charter, point to their opt-out policies. OK, fair point. But the existence of an opt-out policy alone, particularly one buried in fine print when you sign up for service, is unlikely to give consumers the choice they deserve.

My organization has researched “DPI-based behavioral ad networks,” for lack of a better phrase, and found that in some cases the data of users that have opted-out still gets passed to the ad network before it’s discarded or ignored. The companies also appear to be using cookies – which are susceptible to deletion especially by privacy-conscious users – to store users’ opt-out status. Given the comprehensiveness of the Web data these companies can potentially collect, we question the effectiveness of these kinds of opt-out procedures in honoring consumers’ choices.

And then there’s that pesky legal issue. The Electronic Communications Privacy Act (ECPA) is intended to protect the privacy of Internet communications. With certain exceptions, ECPA and its amendments to the federal Wiretap Act, prohibit ISPs from intercepting their customers' communications or disclosing the content of those communications to a third party without the customers' permission.

So, how do the ISPs working with DPI-based behavioral ad networks justify under ECPA their role in copying or disclosing the content of their customers’ communications without prior consent? And how do the ad networks justify their obtaining customer communications? The Federal Trade Commission should insist that the ISPs and DPI-based behavioral ad networks already engaged in these practices answer these questions on the record.

If implementations of the DPI model continue on their current path, we do not see how an opt-out requirement alone will protect consumer interests. The burden is on the ISPs and the ad networks to demonstrate that it will. And if ECPA demands it, these DPI-based behavioral ad networks should be held to an opt-in only standard, requiring an individual’s affirmative express consent prior to collecting an his or her full packet stream for behavioral advertising.

When the Right of Publicity is Wrong

Leslie Harris — Mon, 14 Apr 2008 21:16:00 GMT

In the United States, Internet Service Providers and web sites aren’t held legally responsible for the content that flows through their pipes or hosted on their servers; it’s a protection granted to them by Congress under Sec. 230 of the Communications Decency Act.

That immunity is the framework that allows the Internet to thrive as a haven for innovative services and free expression. Without this immunity sites that depend on user content provided risk becoming overly restrictive, timid, and forced to laboriously scrutinize every single posting. These nascent sites that have become part of our everyday lexicon would be quickly shelved, along with every other “good idea,” that never quite made it. But now there are cracks in that immunity.

A federal judge in New Hampshire, for example, allowed a woman to sue an adult oriented web site on the allegation that someone posted a fake profile of her online. The fake persona, the woman claims, violated her “right to publicity.”

The New Hampshire ruling declared that the “right to publicity” is a kind of intellectual property right. That’s a problem because the immunity provided online services doesn’t extend to “any law pertaining to intellectual property,” the statue says.

The New Hampshire court cited a federal appeals court that said there is “no dispute” that the right to publicity is “a type of intellectual property right.” Crack. The “right to publicity,” is generally held to be the right to control how one’s name, likeness or picture is used and to prevent unauthorized commercial use.

But is that what Congress really intended when it carved out intellectual property exception? We don’t think it should. The best reading consistent with Congress’s intent, was that the immunity was supposed to be broad and the exception narrow, meant only to corral the “big three” of intellectual property: copyright, trademark and patent rights.

If the right to publicity is considered an “intellectual property” right it means an innumerable number of web sites could be open to legal torrent of liability for content they didn’t create. The chilling effect on the Internet would be catastrophic. To be sure, the woman involved suffered embarrassment and anxiety, two elements of the “right to publicity” and she should be able to sue the poster of the message. But to permit an action against the site would force Internet sites to review and determine the veracity of each and every posting.

If the case is appealed, let’s hope the court has the foresight to overrule the lower court. Allowing the New Hampshire decision to stand will significantly weaken the wall of immunity online services currently enjoy. And in an era when the Internet is under constant attack, we can’t afford weakness of any kind.

United They Might Stand

Leslie Harris — Fri, 14 Mar 2008 17:21:00 GMT

A signature from an obscure federal judge, ordering an even more obscure domain name registrar, to delete a little-known Web site from the vast Internet lookup directory, set off a firestorm First Amendment protest and shoved all the players into the spotlight of the national and global stage.

Here are the facts. Wikileaks.org is a Web site dedicated to “developing an uncensorable system for untraceable mass document leaking and public analysis,” as stated by its founders, who are not in the United States. Documents leaked onto Wikileaks range from evidence of government corruption in Kenya to documentation of treatment of detainees at the U.S. Guantanamo Bay military base.

A Swiss-based bank – Julius Baer – went to court in the U.S. claiming that Wikileaks had posted confidential bank documents that had been stolen by a “disgruntled ex-employee” and passed on to Wikileaks for publication. The bank alleged that in doing so, Wikileaks involved in unlawful business practices, interference with contract and prospective economic advantage, and conversion. The employee alleged to have stolen the documents is a Swiss citizen who worked in the Cayman Islands, and the Wikileaks site itself is located on web servers in Sweden.

A U.S. federal Judge, at the request of the bank in a proceeding that receive any input from free speech advocates, issued an injunction ordering that the website be “disappeared,” that is removed from the Internet directory of names so that one could not get to the website by typing “www.wikileaks.org” into a web browser. The register, Dynadot, didn’t resist this plainly unconstitutional order, and until the U.S. free expression community raised a ruckus and intervened in the case, the plug was pulled on Wikileaks. Only after intervention by free speech advocates did the judge withdraw his orders and the bank dismissed its entire case.

There is much blame to go around here, starting with a befuddled judge who sparked the constitutional crisis. But little attention has been focused on the behavior of the registrar, which managed to quietly exit stage left, slip into the shadow of the wings, to remain, at best, a historical footnote.

And while the Digerati deserve all the applause for rallying to the cause of Internet free speech, now that high volume blogosphere has leveled off, someone, somewhere, should go looking for that missing actor, the registrar Dynadot, and start asking some hard questions.

Dynadot apparently didn’t even blink when ordered to pull the plug on Wikileaks.org. Instead, the company abandoned its better angels and ran for the tall grass at the first scent of trouble.

And why not? What incentive was there for Dynadot to fight the order? I guess it’s tough to be a hero when there’s only an $8.99 per year registration fee on the line and the only upside is standing on principle, while shouldering the potentially crushing weight of legal bills.

But here’s the rub. Legal experts say Dynadot threw in the towel for no reason at all; that although the company is named as a defendant in the lawsuit, there are no actual charges levied at the company in the complaint, and under clear U.S. law, no charges could have been levied against Dynadot. Perhaps the company did not know, or perhaps it knew and just complied to be rid of the mess.

There is a sense now among some in the legal community that domain name registrars will likely become targets of future litigation. Having seen how easily Dynadot rolled over in the Wikileaks case, plaintiffs may decide that domain name registrars are pushovers. Legal action might not even be needed. Perhaps domain name registrars, with much to lose and little to gain, will start to roll over in private negotiations to wipe a Web site from the cybermap. Dynadot’s self-preservation move has set a dangerous precedent that has only been whispered in small legal forums and among Internet advocates.

The domain name industry, as a whole, needs to grow a spine, and quick. To be sure, there are registrars that would fight with every available resource if faced with an order to abridge free speech, but it is not enough. The industry needs to come together to discuss and agree on a code of conduct that makes clear to all who seek to strong arm them, how they will respond the next time—and there will be a next time—when a judge or corporation or government tries to strong-arm a domain name registrar into making a web site go dark, without full legal process.

A code that says, if a company finds itself facing a half-baked order to wipe out a Web site address that is intended simply to silence speech that a plaintiff disapproves of, it promises to participate in defending the rights of its users. That would allow the industry to put up a united front, which in turn raises the bar for plaintiffs who now see domain registrars as the weak leak in the free expression chain. Hopefully, with some needed pushback from the registrars, it might make some potential plaintiffs sit back and ponder the course of action to take when they are offended by content on a site.

At least in the United States, where the registers have the Constitution and federal law on their side, maybe the next domain name registrar won’t have to exit stage left, and make for the shadows in the wings.

Politics of Fear Breeds Another Season of Secrecy

Leslie Harris — Thu, 14 Feb 2008 14:46:00 GMT

On Tuesday the Senate passed White House backed legislation, giving the nation's spy agencies a free pass to continue snooping on the communications of all Americans without a warrant. Among the Senate bill’s more troubling provisions, is that it gives intelligence agencies, rather than an independent court, the power to authorize surveillance of communications between Americans and people abroad.

Even if innocent Americans are caught up in the snooping, courts would lack adequate authority to cut off the surveillance and take steps to protect their rights. And as if the news couldn’t get worse, the bill does nothing to ensure that the President stay within the bounds of even this law. Amendments to ensure that the President’s powers were cabined off by this legislation failed.

And finally, the Senate gives the President what he wanted most, immunity for telecommunications carriers who cooperated in the illegal wiretapping scheme. That move guarantees that some 40 lawsuits filed against cooperating Telco’s disappear, and the details of the illegal spy program never come to light.

In November, the House of Representatives passed a far more balanced version of the bill. The House version would require courts to approve and supervise any program of surveillance intended to affect the rights of Americans. Notably, that bill contained no immunity for telecoms. For a brief moment, it appeared that Congress had found its moral compass. But that was then and this is now and the House is now poised to accept the Senate bill, put civil liberties and the rule of law on the back burner, and give President Bush exactly what he demands.

How did an unpopular President--- widely assailed for his secret launch of an illegal, warrantless surveillance program ---pull off such an audacious bait and switch?

With a masterful dose of the politics of fear, writ large, no, larger than life, beginning with the President gathering the press to opine, "At this moment, somewhere in the world terrorists are planning attacks on our country. Their goal is to be destruction to our shores that will make September 11 pale by comparison." And with that, he announced that he would brook no delay in finishing the bill and would not accept a short term extension of current law.

So see if you can follow this logic. According to the President, Congress will increase the threat of an attack on the homeland if it extends---even for another week--- the very bad temporary FISA law that the President bullied Congress into enacting right before summer recess. Then as now, the President announced that passage of the temporary bill was imperative. He suggested that failure to do so in the few days before Congress recessed would put the country at grave risk. Congress caved and passed a short-term bill to deal with the perceived danger.

Now the President is arguing that the same short-term bill he signed a few months ago cannot be extended, even to give the House and Senate time to work out their differences. And once again, the threat of imminent danger is being paraded about, wearing the same fashionable mask of fear.

What is driving this charade? At bottom, this isn’t about security; it’s about immunity for the Telco’s and cover up for the spymasters who launched the illegal wiretap program. If all the legal challenges become dust in the wind, we never find out the facts of the illegal wiretapping program.

We never find out who actually pulled the trigger and ordered, knowingly, the illegal program be foisted on the industry. We never find out what objections, if any, the Telco’s made, and how the Administration persuaded them to ignore clearly defined legal requirements. And we never find out the full scope of the program. How much of our communications have been surveilled? How many have found their way into government databases?

By the time this blog is published, Congress will have done great damage to our 4th Amendment rights and the principle of judicial review. That’s what the American people get when their leaders create an environment where fear and trepidation suck all the oxygen out of the room. Reasoned debate and bipartisan compromise are what legislation of this magnitude deserve, not the strong-arm rhetoric from the White House.

Security and freedom can stand shoulder-to-shoulder, if the politics of fear will get just out of the way.

The Boiling Frog Factor of REAL ID

Leslie Harris — Mon, 14 Jan 2008 15:40:00 GMT

Three years after the REAL ID Act, the government's driver's license reform program, became law, the Department of Homeland Security has finally issued its rules for implementing the Act.

Sadly, the rules raise more questions than provide answers. Given the longstanding opposition of many states, it appears that DHS’s first order of business was to diffuse that opposition. Rather than requiring states to implement the Act now, the final rule pushes back full implementation until 2017; however, citizens born after Dec. 1, 1964 will have to start using the REAL ID card by Dec. 1, 2014.

That stretches out implementation over the next six to ten years and leaves many of the hard decisions to the states. What is worse, the rule punts on the privacy issue, saying only that the creation of REAL ID cards should follow a set of "best practices" solutions, which the states are in no way obligated to follow. With the slower rollout, the impact on American’s privacy will be more difficult to track. Like the proverbial frog in boiling water, we may not fully feel the loss until it’s too late.

One of the biggest concerns that we at the Center for Democracy & Technology have about the Act is the strong possibility that Real ID will be implemented using a centralized database to house personal information collected in the course of creating these cards.

But don't look for the phrase "create a centralized database” in the final regulations, it isn't there. However, when you drill down into the tedious government prose it's clear that DHS strongly supports creating a “hub” IT infrastructure. This plan leverages the architecture of the existing commercial driver’s license database, which is centralized and accessible by all 50 states, as a model for setting up the information infrastructure of REAL ID.

A centralized database, containing the personal, private data on hundreds of millions of Americans, would create a tremendous security risk, a mother lode for identity thieves, terrorists and all manner of computer criminals.

At the same time, citizens—starting with those under 50—will be required to present an easy to read Real ID with an insecure, unencrypted standardized barcode for a variety of federal purposes. And it won’t take long before the states and many commercial entities start to demand the REAL ID card for a variety of other purposes, repopulating personal data in a variety of databases.

So now the troubled legacy of this Act will shadow the next administration. And in that, there may be flicker of hope. With a little White House muscle, and a shot of political will from a newly minted Congress, perhaps REAL ID can be repealed and a sensible plan for driver’s license security be enacted in its place. Then we can turn our gaze once again to the horizon, searching for new solutions that don't erode privacy and shred civil liberties in the name of national security.

Technology as Idiot Savant

Leslie Harris — Fri, 14 Dec 2007 15:49:00 GMT

Technology is the idiot savant of the policy world, that’s the only explanation for why anything policy related gets done in the tech world.

The entire tech portfolio of issues--privacy, civil rights, free speech, Internet governance, copyright, security and freedom, among others--is perpetually an afterthought among policy wonks. Yet, tech policy always seems to "take care of itself," for good or for ill, and too often it is the latter.

And perhaps those with their hands on the levers are partly to blame for the technology void that continues to infect Washington. Early in the political awakening of the tech community, two major themes took root: "hands off, we don't need you," and "if you get in our way, we'll ignore you." In 1992, David Clark, in a talk to the Internet Engineering Task Force, uncorked this credo: "We reject kings, presidents and voting. We believe in rough consensus and running code." Not exactly what you'd call a "big tent" platform.

In late 1993 or early 1994, the exact date is a matter of some dispute, Internet digerati and Electronic Frontier Foundation co-founder John Gilmore uttered his iconic line: "The Net interprets censorship as damage and routes around it." Someone later bastardized the quote, substituting "Congress" for "censorship." Although a good deal of suspicion still clings to the tech community's view of policy makers, the head-in-the-sand stance seems to have gone the way of the floppy disc.

I wish I could say the same about the policy makers. There are, perhaps, a dozen lawmakers at any one time that "get it" with regard to technology issues. My organization spends much of its time testifying before Congress in an effort to help legislators craft a solid technical and legal framework that policy proposals can be judged against, rather than the concern of the day. It's an uphill fight, and sometimes the culprit is simply technological apathy, born of a culture of benign ignorance; a philosophical crevasse into which the execution of technological principle falls without a whimper.

A good example of this apathy shows up in a report that CDT recently released that highlights a critical gap in the accessibility of vital, public government information. The E-Government Act of 2002 created a mandate promoting easier access to government information and services. However, as our report shows, federal agencies are falling woefully short of complying with the E-Gov requirements. The report notes that government information appears "invisible" to millions of Americans combing the Internet and looking for answers via the most popular search engines. The information can't be found using a search engine because it hasn't been indexed properly; and the information hasn't been indexed properly because government agencies are failing to install a simple standardized protocol on their web pages.

The fix is an easy, low-cost solution; that such deficiencies are found in the United States in today's globalized Internet age is appalling. Gone are the days when a politician can blow off a Luddite mindset with the cutesy line, "Why, I can't even program the clock on my VCR," yet we appear quite content to let most of the current crop of presidential hopefuls continue to campaign, blissfully unaware of technology issues.

When was the last time you heard any of the candidates answer a question about tech policy? And why have we allowed such a gapping hole in the public debate to open in the first place? Can you imagine not asking candidates about Social Security, or terrorism or immigration? Of course not, so why is it acceptable that none of the candidates have been asked what their stance is when it comes to protecting speech on the Internet? To protecting U.S. citizens' online information from overreaching government and commercial access? To ensure that the Internet remains a neutral, open and innovative platform? To make sure our broadband capabilities keep up with the rest of the world?

If you, and you, and you and we, don't starting asking these questions of the candidates at every turn, in public forums of any kind, electronic or not, we will have to bear some of the blame for why these crucial technology issues fall the margins of presidential politics. We can't leave it to the media to press the issue; even during the ground breaking CNN/YouTube debate not a single question regarding technology was uttered; the closest anyone came was a query about electronic voting.

Each campaign headquarters, in every state, on every social network, needs to be hammered, pestered, annoyed, or goaded into coughing up a coherent platform that address technology. If 50,000 Facebook users can organize within the space of a week and force the company to drastically alter its privacy policy surrounding a poorly implemented marketing scheme, then surely we in the tech community can muster enough muscle to at least make ourselves, and our issues, heard among the warp and woof of public debate during this presidential election cycle.

Judicial Trench Warfare In Fight For Internet Free Speech

Leslie Harris — Tue, 13 Nov 2007 15:59:00 GMT

The battle to keep Internet-based content free from the chilling effect of governmental restrictions has evolved into a kind of judicial trench warfare.

The fight over the constitutionality of the Child Online Protection Act (COPA), a misguided law intended to shield children from inappropriate content online, is now in its ninth year; the law has twice touched the Supreme Court only to be sent back to the lower courts with instructions to buttress its legal footing.

A week's long trial in the fall of 2006 again found COPA unconstitutional; the district court also granted a permanent injunction against Copal's enforcement. Although District Judge Lowell Reed agreed with the principle thrust of COPA, that protecting children from sexually explicit Web content is a compelling government goal, he also held that the government's proposed solution was overly broad and failed the strict scrutiny demanded off any law attempting to collar the tenets of the First Amendment.

Yet like lions in the tall grass, government lawyers immediately jumped once again to appeal to the case to the Third Circuit, as if their flawed justifications in support of COPA would somehow morph into something more acceptable to the judicial palette. CDT filed a "friend of the court" brief on behalf of itself and 17 other groups urging the appeals court uphold the permanent injunction. If COPA were allowed to stand, the chilling effect on Internet content would reduce online speech to a dialog little more robust than the script for Mr. Rogers' Neighborhood.

Actually, this case seems more like we're fighting the Hydra; as soon as we cut off one head, it grows another, only more bizarre and twisted than the first. Each new appeal is an occasion for presenting new legal justification for the law, none of which have swayed the court or provided any meaningful shield to keep children from a glimpse of adult oriented content. All the government money and resources that have been poured into COPA would have better been used for programs that educate children on Internet safety and media literacy, but instead, the government continues to defend an indefensible law.

The government contends that COPA is limited to "commercial pornographers," a conclusion soundly denounced from the bench. "COPA's reach [is] beyond those enterprises that sell services or goods to consumers" and extends to "those persons who sell advertising space on their otherwise non-commercial web sites," the court has said. For example, COPA would ensnare the following Internet content:

An online bookstore's or book publisher's Web site that contains quotes from its books or catalog, including from textbooks about human sexuality.
A recording retailer's Web site that includes clips of songs or videos containing sexually-oriented material.
A medical Web site that carries and is supported by advertisements and that provides "safe sex" information.
An online dictionary that includes definitions of various sexual practices.
Search engines that provide hyperlinks to Web sites that include information about safe sex practices, sexual education, and other sexual content.

Judge Reed also affirmed that other methods available to keep children from accessing sexual content, such as filtering software, provide more effective protection and impose less restrictions on adults' First Amendment rights.

And if those legal hurdles aren't enough to stumble this law, there's this little, inconvenient fact that there is no way to adequately enforce it. Because the Internet is a global enterprise, there is no sound, legal argument that other countries would be held content posted in other countries should be held accountable under COPA. Indeed, if COPA applied to other countries, domestic content providers would suddenly become targets of other countries efforts to criminalize content that is both legal in the U.S., and accessible abroad.

Like fighting the Hydra, dealing with Internet-based content that is inappropriate for kids is simply a messy, and all too often, emotionally charged issue. Parents need to do the heavy lifting here, educating their children on what is or isn't appropriate, based on their own family values, and using content filters, and other software tools to guide their children's online activities.

The government, its good intentions notwithstanding, is handcuffed to a "one-size-fits-all" solution for protecting children online But it's a global village now and promise of instant Internet-based communications is too powerful to stifle under the flawed rubric of COPA.

Burmese Digital Blunder Can’t Hide the Truth

Leslie Harris — Sun, 14 Oct 2007 04:01:00 GMT

In the wake of pro-democracy protests led by Buddhist monks earlier this fall in Burma, the government took aim at the protesters’ most potent weapon- the Internet. Overnight, the country’s military dictatorship shut down the Internet and cell-phone service in an attempt to quell the protests and block the world from viewing the military dictatorship’s appalling response. Almost immediately, there was a sharp drop in reporting on the peaceful demonstrations since that development seems to indicate that the government has been successful in shrouding the country in electronic silence. There are no dramatic pictures of monks being beaten by the military endlessly replayed on television. There are no first-hand accounts of protesters being text-messaged around the world.

Burma has withdrawn from the 21st century and, in doing so, has deprived its citizens of their human rights, and the world a fair account of events. Has the country’s military dictatorship in fact crushed the protests and restored order? Or are the demonstrations still ongoing? What has happened to the countless of people who have been arrested, including scores of monks? By denying Burma’s citizen journalists and activists the tools necessary to communicate with the world through the Internet, the regime hopes that it is free to peddle its own, heavily edited version of events with little fear of the truth ever being revealed.

But in a highly interconnected world, the truth is not so easily disappeared. The words and images that stunned the world last month live on, posted on sites hosted around the world. The world is still watching and Burma is being forced to respond, albeit inadequately.

The Internet is now a central front in the global campaign for human rights. Because of the Internet, free speech, long recognized as a fundamental human right, has been made a reality for people around the world.

Access to free, unmonitored digital technology has become a human rights issue in the purest sense of the term. We cannot afford to balkanize the Internet or to permit repressive regimes to deny their citizens access. As the free world weighs how best to exert its substantial economic and political influence to promote democratic reforms abroad, democratic governments must speak out forcefully for Internet freedom develop meaningful consequences for repressive actions.

In an information age, information technology allows anyone to become a powerful force for freedom and human rights. We can't allow a few bullying totalitarian regimes to turn that dynamic on its head.

One Web Day - An Opportunity to Reflect

Leslie Harris — Fri, 14 Sep 2007 13:50:00 GMT

The Internet is the single most remarkable communications medium ever conceived. Its "many-to-many" communications model has fulfilled the ultimate promise of the marketplace of ideas the founding fathers had in mind when they drafted the Bill of Rights. But even for those of us involved in the day-to-day battles over privacy, free speech and openness, it is all too easy to take the Internet and its revolutionary effect on global communications for granted.

To help us all remember how profoundly the Internet has affected our lives, longtime Internet advocate Susan Crawford last year on September 22 launched One Web Day: one day a year when we can all take a few moments to celebrate the Internet and think about how it has changed the way we communicate, learn about the world and express ourselves. The One Web Day site is keeping track of events happening around the world surrounding One Web Day 2007.

It may seem a little strange to celebrate a piece of technology, until we take a moment to think of all the ways in which the Internet has fundamentally changed how we live. The One Web Day site suggests ways in which we can remember and celebrate how we found jobs or friends online; how we share stories and photos with friends and family; how we discovered a favorite new hotspot or artist and other subtle but profound benefits. The site also recommends celebrating by teaching an older relative or acquaintance how to blog, or use instant messaging or even send an e-mail.

Behind these celebratory suggestions is a serious message: we can't afford to take the remarkable freedom and innovation fostered by the Internet for granted. As I have highlighted in previous posts, those freedoms and that fundamental openness are under constant strain from legal and regulatory pressures in the United States around the world.

The more indispensable the Internet becomes to global commerce, politics and expression, the more attractive a target it has become to regulators seeking to exert greater control over communications and to criminals looking for ways to profit from exploiting the trust of online consumers. All of these threats, whether in the form of intrusive laws or online scams like spyware and phishing, threaten to undermine the freedom and openness that has made the Internet so worthy of celebration.

So on September 22 as we think about how the Internet as improved our lives, we can also take a moment to consider what we can do to ensure that it remains the robust technology of freedom that has made those changes possible.

Some Welcome Progress on Privacy

Leslie Harris — Tue, 14 Aug 2007 13:56:00 GMT

There are times when working on privacy issues resembles nothing more than a game of whack-a-mole: no sooner do you respond to one abusive practice or questionable business model than another one comes out of the woodwork. It can get a little bit depressing, which made it particularly gratifying this month to be able to report some modest progress in the ongoing effort to give consumers greater control of their personal information.

Responding to public concern and regulatory pressure in the United States and abroad, the major search companies appear to be starting to seriously compete with one another over how well they protect their customers' privacy. In the past few months, the five largest Internet search providers have announced significant changes to how they handle the stored records of Internet searches, including deleting old user data, stripping the personally identifiable information out of stored search records, and, in one case, giving users the option to have all of their search records deleted.

Last week, we published a report that tracks the recent announcements and compares the revamped privacy practices of the five largest search providers.

By themselves, these changes don't represent a tectonic shift in the online privacy landscape, but we're hoping that they do signal the dawn of a new competitive market in which vigorous privacy protection becomes as much a selling point as high-quality service.

As recently as 2005, search wasn't a primary focus of the larger Internet privacy debate. Although many people were aware that every time they searched for something, they were creating a small record that could potentially be tracked back to them, few understood the extent to which that information could be construed as "personally identifiable." Then in August 2006, AOL released the search terms from more than 600,000 users as part of an academic experiment. Although the users in question were given pseudonyms, some enterprising journalists were able to go through the search terms and trace them back to real people.

Seemingly overnight, people began to realize that extensive records of all our searches could be used to paint surprisingly detailed pictures of our lives, preferences and movements. Privacy advocates, government watchdogs and individual users also started asking companies what they were doing to safeguard that information.

The answer, until very recently, was that most search providers kept that information for as long as they deemed it useful -- which generally meant forever. In the past few months, those practices have improved from a privacy perspective -- a compelling illustration of the benefit that the combination of regulatory engagement, pubic outcry and competitive pressure can yield for consumers.

Again, this is only a small step. The truth is that no amount of industry self-regulation can supplant the need for a comprehensive federal privacy law that establishes baseline standards for how companies must treat our personally identifiable information. Solving our online privacy dilemma will take a combination of aggressive educational efforts, intelligent policymaking and a serious commitment by industry to better protect consumers. As it stands we're still a long way from our goal, but these recent announcements seem to be a mark of real progress and we applaud them.

An Important Tool for Addressing Domestic Surveillance

Leslie Harris — Sat, 14 Jul 2007 04:01:00 GMT

Late last month, the Senate Judiciary Committee sent subpoenas to the Administration requesting detailed information about the nature and extent of warrantless surveillance conducted on Americans in the United States since the September 11, 2001 terrorist attacks.

With the political climate in Washington being what it is, it may be tempting to write off these subpoenas as just the latest salvo in an entrenched, inside-the-Beltway battle between Congress and the President. That would be a mistake, for the subpoenas are in fact a critical tool for Congress in deciding whether and how to change the rules that protect innocent Americans against undue government snooping.

For the past several months, the Administration has been pressuring Congress to enact legislation amending the Foreign Intelligence Surveillance Act (FISA). The Administration claims that the changes are necessary to "modernize" FISA but in reality the proposed law would go much further: It would permit the Administration to carry out nearly unlimited surveillance without prior judicial approval, a tectonic shift away from the protections that exist under the current law.

Making matters worse, the Administration has yet to tell Congress what sorts of warrantless surveillance it has already conducted -- or may still be conducting -- under the surveillance programs approved by the White House after 2001. In effect, Congress is under heavy pressure to authorize a massive change in the law governing surveillance without knowing how it is currently being used, let alone how it will be used in the future.

Law enforcers and civil libertarians agree that some narrow changes may need to be made to FISA, but lawmakers should not consider the sweeping changes proposed by the Administration without full possession of the facts. Full, on-the-record answers to the questions posed in the subpoenas will go a long way toward providing the understanding lawmakers need in order to decide whether and how to proceed.

Last month CDT released two lists of our own relating to the warrantless wiretapping: "a Most Wanted Documents" list and "a Most Wanted Answers" list, providing a checklist of sorts for Congress and the public.

This is not a game of political "gotcha." At stake are time-tested rules that uphold Americans' core Fourth Amendment protections in the face of government surveillance. By complying with the Congressional subpoenas, the Administration can rebuild some of the trust it has lost and give Congress a true basis for evaluating the laws that affect Americans' privacy and security.

A Key Victory for Free Expression

Leslie Harris — Thu, 14 Jun 2007 18:11:00 GMT

For the last few years, the Federal Communications Commission (FCC) has been on a crusade about indecency on television, broadly interpreting its limited authority to regulate indecency to include an ever-widening swath of content. In one of its most troubling moves, it reversed over thirty years of well-reasoned policy that held that so-called "fleeting" expletives -- single uses of common curse words (such as in a live broadcast) -- would not lead to indecency determinations or fines.

In a significant victory for free expression, the U.S. Court of Appeals for the Second Circuit recently put a stop to the new policy, finding it arbitrary and capricious and unsupported by reasoned explanation. The court also cast doubt on the constitutional underpinnings of the FCC’s indecency authority, saying that it was extremely skeptical that the FCC would ever be able to "provide a reasoned explanation for its 'fleeting expletives' regime that would pass constitutional muster."

The Center for Democracy has been following the escalation in indecency enforcement in the broadcast medium closely because of its implications for media convergence. As TV and TV-like programming migrates to the Internet and network based devices, the high free expression protections afforded the Internet by the Supreme Court appears to be on a collision course with the outdated broadcast indecency rules. But the changes in the Court over the decade since the ACLU v Reno decision (which held the Internet to be fully protected under our First Amendment) and dramatic changes in Internet technology leave the outcome less than assured.

The question is already being addressed in Europe in precisely the way that free expression advocates in the U.S. have most feared. In a recent move, the EU adopted what is commonly known as the "TV without frontiers" directive which seeks to import a wide variety of TV-based content restrictions now aimed at child protection on television into the Internet in order to create a "level playing field" between media. I will skip the details here except to say that the directive's tortured effort to limit the new rules on Internet to audiovisual content that have the characteristics of television is destined to lead to confusion and self-censorship, given the ever evolving nature of the medium.

That is why the Second’s Circuit’s strong rebuke of the FCC here in the United States is so welcome. CDT filed a brief in the case criticizing the FCC's expansive view of its authority and questioning whether that authority makes any constitutional or practical sense in a converged media market where control of content is increasingly in the hands of the user.

What made the Second Circuit ruling so remarkable was not just the legal decision (although welcome) but rather the "dicta" -- discussion that went beyond the specific holding of the case. After the court set out its decision, it spent an additional nine pages setting out the facts that support its conclusion that technological advancements and convergence have eroded the basis of the commission's authority to regulate broadcast content altogether.

Most importantly, the appeals court said: "technological advances may obviate the constitutional legitimacy of the FCC’s robust oversight." The court further explained that the "proliferation of satellite and cable television channels -- not to mention internet-based video outlets -- has begun to erode the 'uniqueness' of broadcast media, while at the same time, blocking technologies such as the V-chip have empowered viewers to make their own choices about what they do, and do not, want to see on television."

In 1996, we successfully argued to the Supreme Court that the Internet did not need a censorship regime, due in large part to the ability of Internet users to control their online experience. The "user empowerment" tools to support user choice have become far more robust since that decision and with convergence, such tools are available for a wide range of digital media. The days of passive "viewers" are fast coming to an end, replaced by an age of active "users" who can control their families' video and other online experiences. In light of these profound changes, the courts are right to question whether the FCC's censorship authority makes any sense at all.

Building Privacy Protections Into Identity Reform

Leslie Harris — Mon, 14 May 2007 04:01:00 GMT

Writing in the Washington Post last week, 9/11 Commissioner John Lehman offered an impassioned defense for the REAL ID Act, urging states to drop their objections to the deeply flawed law and move forward with adoption. While we agree with Lehman's position that driver's license reform is necessary, his suggestion that the REAL ID Act is the best, or indeed the only way to address the problem is way off the mark.

A little bit of background is in order. The REAL ID Act was passed in 2005 after its supporters hijacked a bipartisan administrative and legislative process aimed at developing real solutions to the problems of identification security. In place of a thoughtful, balanced approach that respected the unique privacy and security challenges associated with identification, the American people got a rushed, poorly thought out bill that would do little to secure the nations driver's license systems. Equally troubling, the measure contained nary a mention of the word "privacy."

As written, the REAL ID Act has several troubling ramifications. Although it is true -- as supporters like Lehman argue -- that the law does not directly create a centralized national database of driver's license information, the DHS officials charged with implementing the law have openly discussed changes that would do just that.

DHS had an opportunity -- in drafting regulations to implement REAL ID -- to insert meaningful privacy and security provisions, but so far the agency has shown no interest in doing so. The draft regulations issued by DHS earlier this year perpetuate all of the problems with the flawed law, while doing little to mitigate obvious privacy and security concerns. In written comments submitted earlier this month, we urged DHS to substantially revise its draft to include meaningful privacy and security provisions.

Still, the real problem lies with the law itself. Although DHS could make substantial progress by writing regulations that address clear privacy and security concerns, the best outcome would be for Congress to repeal this unwieldy and unpopular law and to restart the process to address this problem in a thoughtful, comprehensive manner.

The broader issues surrounding how we manage "identity" aren't going anywhere. As information technology improves and governments seek to bolster their capacity to identify individuals, these questions become more and more critical. CDT this month issued our draft of "Privacy Principles for the Digital Age," a document that aims to lay a groundwork for addressing those concerns.

Moving In the Wrong Direction on Open Government

Leslie Harris — Sat, 14 Apr 2007 04:01:00 GMT

Every week, the public is treated to another example of how our government is keeping important information from the American people. The latest developments at the Congressional Research Service are enough to make open government advocates bang their heads in exasperation. After spending years urging Congress to make the reports more readily available to ordinary taxpayers, the open government community was rewarded in recent months by the CRS taking two steps to make its publicly funded resources LESS accessible to the public. Vexing to be sure, but sadly predictable to anyone who has taken in interest in the CRS debate.

American taxpayers spend over $100 million a year to fund the CRS, which generates expert reports relevant to current public policy debates for lawmakers. But while the reports are non-classified, and play a critical role in shaping public policy, they have never been made available in a consistent way to members of the public. Although lawmakers are free to give copies of the reports to their constituents upon request, this is a slow, unreliable process, made slower and less reliable by the fact that there's no real way for an individual taxpayer to know what reports have been published.

If open government advocates thought that the political changes in Congress would lead to CRS reports finally being made available to the public, they've been sadly mistaken, at least thus far. CRS Director Daniel Mulhollan recently issued an internal memo aimed at preventing CRS employees from releasing reports to the sources with which they work. That memo came on the heels of an earlier decision by CRS to make it harder for its analysts to speak publicly about their research. These decisions reflect many lawmakers' deeply entrenched resistance to making these reports readily available.

What is most troubling about that resistance is how little sense it makes in the Internet age. Once, lawmakers could have legitimately argued that it would be too costly to make copies of the detailed reports available to all. In the Internet age, however, that argument is almost laughable. CRS already maintains a fully searchable, password-protected Web site for members of Congress. Increasing capacity and providing public access to that site would constitute a trivial expense for the Library of Congress or for the House in light of their current levels of traffic.

The other argument that often gets tossed out by defenders of the status quo is that making CRS reports available to the public may cause members curtail their use of the service, rather than tip their hands about the issues that they are considering. This argument is also troubling, for a couple of reasons. First, it is anathema to an open society for lawmakers to be arguing for their ability to conduct more policymaking activities away from the the public eye, and second, any notion that the CRS process is somehow "secret" has been long since invalidated by the rise of a large and thriving market for the reports.

Companies like Lexis-Nexis, Penny Hill Press and others charge well-heeled clients a premium to obtain access to the reports, which they obtain through their own private channels. This means that for lobbyists, executives and others who can afford to pay, CRS reports are readily available. It is unconscionable that taxpayers should be forced to pay twice for these reports, but that is the landscape that has been created by this outdated, misguided policy. The CRS's recent internal crackdown against releasing reports will likely only serve to raise the price of the private services, making the inequity even greater

Public demand for these reports has never been higher. In a little more than a year, members of the public have downloaded more than 3.5 million CRS reports from the Center for Democracy & Technology's Open CRS project, an online service that provides a searchable database of CRS reports that have been obtained by various archivists and members of the public. Making the full catalog of these reports readily available over the Internet will sate those demands and help produce a better-informed electorate.

Good Reason to Worry About Data Retention Proposals

Leslie Harris — Wed, 14 Mar 2007 04:01:00 GMT

Recent revelations about widespread violations by the FBI in obtaining sensitive information about American citizens were sobering, if not terribly surprising. These violations are the natural and predictable outcome of the Patriot Act, which made it dramatically easier for the FBI to obtain sensitive personal information on Americans without judicial approval. Under the Patriot Act, the FBI can issue so-called National Security Letters in intelligence investigations to compel the disclosure of information held by banks, credit agencies, telephone companies and Internet service providers, and other entities without obtaining a warrant or any other sort of judicial approval. Before the Patriot Act, NSLs were limited -- only a few categories of records were subject to the letters -- and even then, those records could only be sought if they were believed to be those of spies or terrorists. Under Patriot anyone's records can be seized as long as an agent certifies that they are "relevant" to an intelligence investigation. Patriot also expanded the types of documents that can be obtained with NSLs, even as it lowered the standards for issuing them.

For those of us in the privacy community who follow these issues closely, there was little doubt that the weakening of standards for government access to records, coupled with eliminating judicial oversight was a recipe for widespread abuse. I'd be extremely surprised if last week's revelations are the last of their kind that we see. Our comments about NSL report are here.

Even as the Inspector General was investigating rampant violations in the NSL process, the Department of Justice continued advocating for Congress to adopt potentially sweeping data retention laws to force ISPs and other online service providers to hold on to sensitive subscriber information for years at a time.

Since late in the last Congress, the Justice Department has been sending up trial balloons about the need for a "data retention" statute. While initially styled as a needed tool to track down child abusers, it is now clear that the Department wants to be able to access that data for a wide variety of law enforcement and intelligence purposes. The rationale goes like this: someday, in the context of an investigation, we may want to go back and look at the records of a person whom we only recently identified as relevant to an investigation. We can't do that because ISPs don't always hold on to the information. Therefore, ISPs should collect and store information about the online activities of everyone -- just in case.

As has been the case with many of the new or expanded powers the Justice Department has sought since 9/11, there has been little explanation and no evidence offered for why such a burdensome new requirement is needed. In the case of child pornographers, federal law enforcers already have "data preservation" authority under which they can demand that an ISP keep all of the records about a specific users or addressing block for use in later investigations. Using, and perhaps even strengthening that authority is far preferable to simply forcing ISPs to keep massive records about all of their customers movements. Even worse, it appears that Justice wants Congress to write a blank check on the issue. A senior Congressman, Rep. Lamar Smith (R-Texas) has introduced legislation that would require ISPs to retain unspecified information identifying their subscribers and their Internet Activity. Under that language, the Attorney General would have carte blanche to determine what information must be retained and for how long.

Such a provision would create massive databases of extremely sensitive information ripe for abuse at a time when Americans are justifiably concerned about privacy and security online. The right way to protect privacy is to minimize the amount of personal information that is stored online. Mandatory data retention would aggravate the risk of data breaches, unauthorized use and identity theft. And in the United States, where there is no general privacy law establishing rules for how companies collect and use personal data, and very low standards for governmental access; the thought of amassing large databases on the Internet activity of Americans is truly chilling. Rep. Smith defended his proposal, arguing that law abiding Americans have little to fear from the proposal and that full legal process will be provided when records are sought.

But that promise rings hollow, given this administration's increasingly cavalier attitude toward the privacy rights of Americans. Since 9-11, our government has treated the Fourth Amendment as an impediment to law enforcement and judicial involvement as a nuisance to be avoided. With the release of the IG report on FBI misuse and abuse of NSLs, a data retention mandate ought to be a nonstarter.