The stage is set for a potentially raucous day in the House Judiciary Committee Wednesday as Democrats try to push legislation to modify and reauthorize expiring portions of the USA PATRIOT Act, CongressDaily's AM Edition reported. They are also scheduled to mark up a separate bill to provide courts with specific standards for handling state-secrets claims by the government in civil lawsuits.
House Judiciary ranking member Lamar Smith and other Republicans have unsuccessfully argued that the PATRIOT Act bill introduced two weeks ago by Chairman John Conyers with House Judiciary Constitution Subcommittee Chairman Jerrold Nadler, D-N.Y., and Crime, Terrorism and Homeland Security Subcommittee Chairman Bobby Scott, D-Va., deserves a hearing before it is teed up for a vote.
Smith called the lack of a hearing an "unwarranted departure" from the regular committee process. He chaired a GOP briefing on the bill Tuesday. Smith said Democrats insist on making unnecessary changes to the law that could undermine law enforcement. The Obama administration backed a full reauthorization of the expiring provisions but said it remained open to suggestions for modifications.
Read the full CongressDaily story here (subscription required) and read more coverage in Thursday's AM Edition.
User-centric, federated identity systems have the potential to improve the security and privacy of authentication and services, but if improperly designed, the systems can negatively impact users and become a burden, according to a new report from the Center for Democracy and Technology. The paper by CDT policy analyst Heather West comes as the U.S. government begins a series of pilot programs through the Center for Information Technology, the National Institutes of Health, and the Department of Health and Human Services that will use third-party user credentials to authenticate users of federal Web sites.
The term "user-centric identity" refers to systems where users, rather than service providers, control their identity credentials, CDT said in a Monday press release. A similar concept in the offline world would be using various forms of identification for whichever transaction one chooses. The white paper discusses key components of a user-generated identity system (such as trust frameworks, users and identity providers) as well as the benefits and liabilities of federated identity management. A copy of the CDT document can be found here (PDF).
House Homeland Security Intelligence Subcommittee Chairwoman Jane Harman, D-Calif., and Senate Homeland Security and Governmental Affairs ranking member Susan Collins wrote to President Obama Monday urging him to appoint members to the White House Privacy and Civil Liberties Oversight Board, CongressDaily reported Tuesday. The letter urged Obama to "fulfill the pledge you made earlier this year to reconstitute the board and accelerate the selection process of its members."
A fully engaged and independent privacy panel in the Executive Branch is particularly important as Congress works on reauthorizing expiring provisions of the USA PATRIOT Act and other issues, they wrote. Their message followed a similar effort in April by Senate Judiciary Chairman Patrick Leahy and Sen. Arlen Specter, D-Pa., who called the board "a critical government component" vital to "ushering in a new era of responsibility." Read the Harman-Collins letter here (PDF), the CongressDaily story here and an earlier report on the privacy panel here (subscription required).
A group of privacy watchdogs is pressing for a congressional investigation into the Department of Homeland Security's Chief Privacy Office. According to a letter to the House Homeland Security Committee from the Electronic Privacy Information Clearinghouse, American Civil Liberties Union and many others, DHS is unrivaled in its budget authority to develop and deploy new systems of surveillance. The document cites the agency's use of so-called state-based "fusion centers," whole body imaging, funding of CCTV surveillance, and suspicionless electronic border searches as examples of where DHS is allegedly eroding privacy protections.
The letter to Homeland Security Chairman Bennie Thompson and ranking member Peter King argues that the primary statutory duty of Mary Ellen Callahan, DHS's top privacy official, is to assure "that the use of technologies sustain, and do not erode, privacy protections" but the office has not done so, focusing instead almost exclusively on the fourth statutory duty, conducting a "privacy impact assessment" on each department action. "[Callahan] has shown an extraordinary disregard for the statutory obligations of her office and the privacy interests of Americans," the letter states.
House Judiciary Chairman John Conyers joined Reps. Jerrold Nadler, D-N.Y., and Bobby Scott, D-Va., on Tuesday to introduce legislation that would revise and extend expiring sections of the USA PATRIOT Act and related provisions. They also introduced a measure intended to amend the Foreign Intelligence Surveillance Act to safeguard the constitutional rights of Americans while ensuring that the government has the tools it needs to collect foreign intelligence.
Judiciary ranking member Lamar Smith, Minority Whip Eric Cantor and GOP Conference Chairman Mike Pence of Indiana introduced their own version of a PATRIOT Act reauthorization bill in March, which would simply extend the provisions, which sunset Dec. 31, for 10 years. "Over the past eight years, Americans grew tired of the same old scare tactics, designed to fool the public into believing that we needed to give up freedom to be safe from terrorism," Conyers said. "It is a new day and an opportunity for reform."
The Conyers-Nadler-Scott measures include language that would bring sweeping changes to the way controversial administrative subpoenas known as "national security letters" are handled. Americans would be able to use libraries and bookstores "without fear that their choice of books will be monitored by overzealous federal agents," noted Nadler, who chairs the Judiciary Constitution, Civil Rights, and Civil Liberties Subcommittee.
Information broker ChoicePoint will pay a $275,000 fine and has agreed to strengthened data security requirements as part of an FTC settlement announced Monday. The agency charged that the company failed to implement a comprehensive information security program to protect consumers' sensitive information, as required by a previous court order. The failure left the door open to a 2008 data breach that compromised the personal information of 13,750 people and put them at risk of ID theft, the Commission said.
ChoicePoint, now a subsidiary of Reed Elsevier, switched off a key electronic security tool used to monitor access to one of its databases in April 2008, and for four months failed to detect that the security tool was off, the FTC said. During that time, an unknown person conducted unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers. After discovering the breach, the firm brought the matter to the FTC's attention.
The FTC's prior action against ChoicePoint involved a data breach in 2005, which compromised information of more than 163,000 consumers and resulted in at least 800 cases of ID theft. The settlement and resulting 2006 court order required the company to pay $10 million in penalties and $5 million in consumer redress. ChoicePoint also agreed to beef up its security operations and obtain independent assessments every other year until 2026. The new court order extends those record-keeping and monitoring requirements.
Privacy watchdogs on Thursday criticized the Senate Judiciary Committee's passage of legislation that would reauthorize expiring portions of the USA PATRIOT Act, saying the version approved by the panel did not go far enough. The Center for Democracy and Technology argued the Obama administration secured changes to the bill that diminished some of the civil liberties safeguards initially proposed by Judiciary Chairman Patrick Leahy and opposed more sweeping changes that could have bolstered Americans' constitutional rights.
CDT was particularly disappointed in the defeat of an amendment that would have protected privacy by raising the standard for issuing administrative subpoenas known as national security letters. "As a result, NSLs will continue to be used to obtain sensitive records about people who are two or three steps removed from the target of an investigation," CDT senior counsel Gregory Nojeim said. Michael Macleod-Ball, acting director of the American Civil Liberties Union's Washington office, called the action "a missed opportunity."
Read full coverage of the Judiciary Committee's mark up in CongressDaily's PM Edition here (subscription required).
The House Energy and Commerce Committee easily approved two bills on Wednesday designed to require companies that store private information to better protect it against security breaches, and to warn consumers about potential dangers of downloading the "peer-to-peer" software that has been implicated in such unauthorized breaches, CongressDaily reports. The Data Accountability and Trust Act and the Informed P2P User Act passed on voice votes with no individual amendments.
The Data Accountability and Trust Act requires entities that hold personal information to adopt appropriate security measures to protect it. In addition, if a breach occurs, such as inadvertent release of tax records or medical information, they must notify consumers. The FTC would be empowered to enforce the law, with penalties up to $5 million for violations. The Informed P2P User Act requires installers of peer-to-peer software, which allows many people to access information contained on a personal computer, to notify computer users that the software is about to be installed.
Read the full mark up report here (subscription required).
The House Energy and Commerce Committee is slated to vote Wednesday on legislation that would require strong security policies from firms that collect and store individuals' sensitive information and provide for nationwide notification in the event of a data breach. The bill was sponsored by House Energy and Commerce Commerce, Trade, and Consumer Protection Subcommittee Chairman Bobby Rush, D-Ill., and was tweaked to win his panel's approval in June, but more revisions are expected.
The committee also plans to take up legislation sponsored by Rep. Mary Bono Mack, R-Calif., that would regulate peer-to-peer programs and educate consumers about privacy and security risks associated with file-sharing. She plans to offer a manager's amendment to narrow the definition of a covered entity to avoid sweeping in legitimate technologies such as Web servers, e-mail and security software. Read more details about tweaks to both measures here, courtesy of CongressDaily.
Sen. Arlen Specter, D-Pa., urged Senate Judiciary Chairman Patrick Leahy in a Tuesday letter to insist on a committee vote Thursday on legislation to protect confidential sources of journalists. "There has been ample time for consideration so that amendments should be presented and voted upon and the bill should be reported to the floor promptly," Specter said. Last week, the panel confronted bipartisan opposition on grounds the bill does not do enough to protect national security.
Specter reintroduced the bill in February and it has been on the committee's agenda since May. Since the introduction of the original measure in 2005, the panel has held multiple hearings and heard from 24 witnesses, he pointed out. In October 2007, the committee reported the previous bill on a 15-4 vote. "If there are objections, let the objectors offer amendments without a continuing filibuster," Specter said.
Senate Intelligence Chairwoman Dianne Feinstein and Judiciary ranking member Jeff Sessions have argued the bill could encourage leaks of classified information. Sessions has also claimed it would impede national security investigations and make it difficult to subpoena source material from reporters, especially where the crime is related to classified information. "I'm going to have a hard time voting for this bill," Feinstein said last week.
A member of the Health and Human Services Department's health IT policy committee is urging the agency to revise what she argues is an overly broad and unreliable provision of an otherwise solid interim final rule on data breach notification. The Center for Democracy and Technology's Deven McGraw voiced her concern with reporters earlier this week ahead of a Friday meeting of the health IT policy panel. The HHS rule, which is set to take effect Sept. 24, sets data security standards that the agency believes are strong enough to eliminate the need to notify consumers of a data breach -- but its so-called "harm standard" is sub-par, she said.
The interim final rule, which was issued last month, states that a breach does not occur unless the access, use or disclosure poses "a significant risk of financial, reputational, or other harm to individual." In the event of a breach, the rule requires covered entities to perform a risk assessment to determine if the harm standard is met. If they decide that the risk of harm to the individual is not significant, the covered entities never have to tell their patients that their sensitive health information was breached.
The language was not handed down as part of the $19 billion health IT section of the economic stimulus package and was expressly rejected by House staffers who helped craft the measure, McGraw said. She noted its inclusion by HHS is likely the result of lobbying on the part of the healthcare industry. CDT and its allies favor the approach taken by the Federal Trade Commission in its own data breach mandate, which takes effect the same day as the HHS rule. The FTC version stipulates that if an individual authorized the discharge of data, its release is not considered a breach.
As Congress contemplates Internet privacy and data security legislation, the FTC will host the first in a series of public roundtable discussions on Dec. 7 to explore challenges posed by the array of 21st century technology and business practices that collect and use consumer information. Such practices include social networking, cloud computing, behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers and third parties, the FTC said in a Tuesday notice. The events will help the Commission determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation.
The roundtables will consider the risks and benefits of information collection and use in online and offline contexts, consumer expectations surrounding various information management practices, and the adequacy of existing legal and self-regulatory regimes to address privacy interests, officials said. Invited participants will include stakeholders representing a range of views and experiences, such as academics, privacy experts, consumer advocates, industry participants and associations, technology experts, legislators, international representatives, and others.
Individuals and organizations may submit requests to participate as panelists and may recommend topics for inclusion on the agenda. Those should be submitted electronically to privacyroundtable@ftc.gov no later than Oct. 30. Interested parties can also submit written comments or original research. For more details click here.
A computer hacker who infiltrated the networks of numerous major U.S. retailers including TJX Companies, BJ's Wholesale Club, OfficeMax, and Barnes & Noble, pleaded guilty Friday to multiple charges relating to hacking activity and credit card fraud. Albert Gonzalez, 28, of Miami, faces a minimum of 15 years and a maximum of 25 years in prison, plus hundreds of thousands of dollars in fines, the Justice Department said. His sentencing is scheduled for Dec. 8. More than 40 million credit and debit card numbers were stolen from stores as a result of the hacking.
"Consumers must be able to trust that the credit and debit cards they use everyday in thousands of stores around the world are safe from unlawful access," Assistant Attorney General Lanny Breuer said in a statement. Acting U.S. Attorney for the District of Massachusetts Michael Loucks added that in the past 10 years, there has been a dramatic growth in the transfer and storage of credit and debit card data on computer networks and it is critical that law enforcement works hard to investigate and prosecute the theft of personal identity data.
In addition to his plea agreement, Gonzalez also consented to an order of restitution for the loss suffered by his victims, and forfeiture of more than $2.7 million as well as multiple items of real estate and personal property, including a condo in Miami, a 2006 BMW 330i, a Tiffany diamond ring and Rolex watches. Included in the forfeited currency is more than $1 million in cash, which Gonzalez had buried in a container in his backyard.
Privacy watchdogs on Wednesday gave the Obama administration an "incomplete" for consumer privacy; an "A" for medical privacy; a "C+" for civil liberties; and a "B" for cybersecurity. The scores from the Electronic Privacy Information Center and a coalition of consumer, educational, library, labor and technology stakeholders were unveiled at a National Press Club event that organizers hoped would act as an "early warning system" for the administration.
The rankings follow a December push by the Center and the Privacy Coalition for then-President-elect Obama to tackle identity theft, security breaches and the commercialization of personal data. The letter lauded Obama's early commitments to strengthen the FTC, to protect sensitive information and make sure homeland security databases are used in limited ways. A similar evaluation is expected soon from the American Civil Liberties Union.
"The administration has made progress in some areas, but it is clear that there is more to do to address the public concerns about privacy," EPIC Executive Director Marc Rotenberg said in a press release. EPIC Associate Director Lillie Coney said the Obama team can improve its grades by appointing "pro-privacy" commissioners to the FTC; making the work of the Homeland Security Department more transparent; requiring federal agencies to comply with the Privacy Act; and extending the Privacy Act to social networking services.
Read Wednesday's CongressDaily AM Edition for more on the topic (subscription required) and click here for EPIC's full report card.
A Tuesday report from transparency watchdog OpenTheGovernment.org illustrates modest decreases in secrecy across a variety of indicators in the last year of former President George W. Bush's administration. The 47-page scorecard from the coalition of more than 70 open government advocates also offered a six-month overview of the Obama administration's promise and practice on openness issues and a section on financial transparency during the economic crisis.
"Promising trends began to develop in the last year of the Bush administration, but we have a long way to go to return to the level of government openness and accountability that existed before the September 11 attacks," OpenTheGovernment.org's Patrice McDermott said in a press release. While very few quantitative indicators of secrecy exist yet to compare the Obama White House to its predecessor, the new administration "has a very mixed record on its promise of unprecedented openness," she added.
Some highlights from the report:
• In 2008, the number of original classification decisions decreased to 203,541, a 13 percent drop from 2007.
• The government spent nearly $200 maintaining secrets already on the books for every one dollar the government spent declassifying documents in 2008, a 2 percent increase in one year; 16 percent fewer pages were declassified than in 2007.
• The FY 2008 budget for the National Intelligence Program was $47.5 billion, a 9.2 percent increase over 2007.
• 19 percent of the Pentagon's FY 2008 acquisition budget is classified or "black."
• Justice Department requests for administrative subpoenas known as "national security letters" decreased from 2006 and reported invocations of the "state secrets" privilege continued to rise.
FTC Chairman Jon Leibowitz on Thursday expressed concern about Google's plan to digitize mass quantities of books, saying it "raises serious privacy challenges because of the vast amount of user information that could be collected." He said he was pleased that Google is taking steps to protect the privacy of Google Books users and noted that the Commission will have an ongoing dialogue with Google and others to ensure consumer privacy is protected when new technologies emerge. "As Google Books evolves we'll work to ensure that the privacy of online readers is fact, not fiction," he said in a statement.
Google recently told the FTC that users of Google Books are not and will not be required to have a Google account or register with Google to use most features although an account will be required to access books that a user has purchased. The application will also adhere to Google's existing privacy policy governing how it handles consumer data. Under that policy, Google only shares "personal information" when the consumer tells Google to do so or in certain other narrow circumstances. Google is also in the process of creating a specialized privacy policy specific to Google Books.
The House Judiciary Committee will hold a hearing to examine "competition and commerce in digital books" next Thursday and a New York federal court has scheduled a fairness hearing for Oct. 7 on the $125 million settlement Google reached in a feud with authors and publishers. The Open Book Alliance says Google's response to the FTC "essentially boils down to this - trust us." "We think it's too important to leave to blind faith that Google would do the right thing for consumers if the settlement is approved," said the group, whose members include Amazon.com, Microsoft, the Internet Archive, Yahoo and others.
Representatives of consumer and privacy advocacy groups on Tuesday will unveil recommendations they are making to Congress for new legislation that is intended to protect Internet users' privacy. Citing growing threats from the increasingly common practice of online behavioral tracking and targeting, the groups will make detailed recommendations for updated fair information practices that they believe would offer adequate consumer privacy for the 21st century.
House Energy and Commerce Communications Subcommittee Chairman Rick Boucher, D-Va., is crafting legislation that policy watchers believe will be introduced soon. "Today, electronic information from consumers is collected, compiled, sold secretly and without reasonable safeguards," the groups said in a media advisory. "Tracking people's every move online is an invasion of privacy. It's like being followed by an invisible stalker." Those pressing Boucher and others for action include the Center for Digital Democracy, Consumer Federation of America, Consumers Union, Electronic Frontier Foundation and the U.S. Public Interest Research Group.
Boucher told CongressDaily earlier this year that he envisioned language that would give Internet users greater confidence in how information collected about them online is used and would offer some consumer control over that use. "That will encourage people to engage in electronic commerce more readily," he said. Boucher and Communications Subcommittee ranking member Cliff Stearns, R-Fla., introduced legislation four years ago that would have required consumer notification and prominent privacy policies that explain what is being collected and how it could be used, sold or otherwise disclosed.
House Homeland Security Chairman Bennie Thompson on Thursday commended Homeland Security Secretary Janet Napolitano's announcement of new directives for border laptop searches. "With the change in administrations, there was an opportunity to bring greater accountability and transparency to the practices surrounding searches of electronic devices at the border," he said in a statement. He noted the DHS action, which was announced the same day, seems to reflect provisions in legislation he has been working on with Rep. Loretta Sanchez, D-Calif.
The new DHS directives, available at DHS.gov, address the circumstances under which U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement can conduct border searches of electronic media -- consistent with the department's constitutional authority to search other sensitive non-electronic materials, such as briefcases and backpacks. The DHS Privacy Office also released a privacy impact assessment in connection with the directives to enhance public understanding of the authorities, policies, procedures and controls employed by DHS during border searches.
The DHS Office for Civil Rights and Civil Liberties will also conduct a civil liberties impact assessment within 120 days. The agency said it conducts border searches of computers and other electronic media on a small percentage of international travelers seeking to enter the United States. Between Oct. 1, 2008, and Aug. 11, 2009, CBP encountered more than 221 million travelers at U.S. ports of entry. Approximately 1,000 laptop searches were performed in these instances -- of those, just 46 were in-depth.
The American Civil Liberties Union wants federal government records pertaining to the U.S. Customs and Border Protection's policy of searching travelers' laptops without suspicion of wrongdoing. The watchdog group filed a Freedom of Information Act lawsuit Wednesday in a New York federal court to learn how the agency's policy, issued last year, has impacted the civil liberties of travelers during the first year of its implementation. The ACLU made an initial FOIA request for CBP records in June.
"Traveling with a laptop shouldn't mean the government gets a free pass to rifle through your personal papers," ACLU staff attorney Catherine Crump said. "This sort of broad and invasive search is exactly what the Fourth Amendment's protections against unreasonable searches are designed to prevent." According to the ACLU, the CBP policy permits agents to read the information on travelers' laptops "absent individualized suspicion" including personal financial information, photographs and lists of Web sites travelers visited.
CBP's policy extends to suspicionless searches of "documents, books, pamphlets and other printed material, as well as computers, disks, hard drives and other electronic or digital storage devices," the ACLU said. The policy covers all persons, whether or not they are U.S. citizens, crossing the border. Homeland Security Secretary Janet Napolitano announced in January that she was reviewing a range of immigration and border security policies and in May said clarification is needed with respect to the laptop issue. She said a team at DHS will "issue pretty firm guidance and protocol for how you conduct a laptop search."
The FTC on Monday issued a final rule requiring certain Web-based businesses to notify consumers when the security of their electronic health information is breached. Congress directed the consumer protection agency to issue the rule as part of the economic stimulus package and it applies to both vendors of personal health records - which provide online repositories that people can use to keep track of their health information - and entities that offer third-party applications for personal health records. Such applications include devices such as blood pressure cuffs or pedometers whose readings consumers can upload into their personal health records, the FTC said.
Many existing health IT services are not subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act, which applies to healthcare providers such as doctors' offices, hospitals, and insurance companies. The stimulus package required the Health and Human Services Department to conduct a study and report by February 2010, in consultation with the FTC, on potential privacy and security requirements for vendors. In the meantime, the law required the FTC to issue a breach notification rule. Read details about the rule at www.ftc.gov/healthbreach.
On a related note, security expert Christopher Soghoian is leaving Harvard University's Berkman Center for Internet & Society to work as a technical consultant to FTC's Division of Privacy and Identity Protection in the Bureau of Consumer Protection. On his personal blog, Soghoian noted "the FTC has a lot of really smart lawyers, but they (currently) lack geek skills." He's an interesting hire given his self-admitted penchant for "railing against the oppressive surveillance state and the numerous privacy invasions committed by the law enforcement and intelligence agencies."
Two Russians and a Florida man were charged Monday in what the Justice Department said was the largest alleged credit card and debit card breach ever. The indictment charges 28-year-old Albert Gonzalez of Miami, Fla., and two unnamed co-conspirators based in Russia with hacking New Jersey-based Heartland Payment Systems, Texas-based 7-Eleven, and the Maine-based Hannaford Brothers supermarket chain. They allegedly stole data pertaining to more than 130 million credit and debit cards, officials said.
In the two-count indictment alleging conspiracy and conspiracy to engage in wire fraud, Gonzalez, AKA "segvec," "soupnazi" and "j4guar17," and the two others are charged with using a sophisticated hacking technique called an "SQL injection attack," which seeks to exploit computer networks by finding a way around the network's firewall to steal sensitive information. Gonzalez had previously been charged with swiping data related to 40 million credit cards from retailers including TJ Maxx.
The indictment alleges that beginning in October 2006, Gonzalez and his co-conspirators researched the credit and debit card systems used by their victims; devised a sophisticated attack to penetrate their networks and steal credit and debit card data; and sent that data to computer servers they operated in California, Illinois, Latvia, the Netherlands and Ukraine. If convicted, Gonzalez could face up to 20 years in prison for wire fraud conspiracy and an additional five years on the conspiracy charge, as well as a hefty fine. Gonzalez is currently in federal custody, DOJ said.

The White House has closed down a short-lived electronic tip box -- flag@whitehouse.gov -- that was created to collect "fishy" claims about President Obama's healthcare plan after privacy concerns were raised. E-mails to that address now bounce back with an error message that reads: "The e-mail address you just sent a message to is no longer in service. We are now accepting your feedback about health insurance reform via http://www.whitehouse.gov/realitycheck." Sen. John Cornyn, R-Texas, challenged the effort shortly after it was launched in early August even though the administration claimed it was not collecting any of the tipsters' names. He argued the White House had not made clear what steps were being taken to purge names, email addresses and other personal data.
The U.S. government's contracts with Internet companies for video, photo sharing and other Web 2.0 services may have ignored key privacy obligations of federal agencies, according to the Electronic Privacy Information Center. Documents obtained through a Freedom of Information Act request by the group show that the General Services Administration moved ahead with the agreements even as guidance for President Obama's January open government and transparency directive was delayed.
Google, even after addressing privacy problems associated with the White House's use of embedded YouTube videos, is "still calling the shots on federal privacy policy," EPIC argued in an email. GSA's Google contract asserts that the "provider acknowledges that except as expressly set forth in this agreement Google uses persistent cookies in connection with the YouTube video player." It goes on to state: "To the extent any rules or guidelines exist prohibiting the use of persistent cookies in connection with provider content applies to Google, provider expressly waives those rules or guidelines as they may apply to Google."
In the GSA's contract with Yahoo, which owns photo sharing site Flickr, Yahoo acknowledged that the agency was obligated to follow various "laws and regulations," but there is nothing to indicate that Yahoo would be bound by those same laws and regulations, EPIC said. A review of the documents by EPIC's Lillie Coney, who pursued the FOIA request, also revealed a statement on federal policy banning Internet tracking cookies that mentions a waiver and adds that "policy may change." Further, it is unclear whether contracts signed by the GSA complied with the guidance prepared by the agency's general counsel on "GSA's ventures with social media tools," EPIC said.
House Oversight and Government Reform Chairman Edolphus Towns on Wednesday was expected to blame the Bush administration for having a laissez-faire attitude that has allowed privacy and security problems posed by peer-to-peer networks to persist online. At a hearing on the topic, he is likely to call for legislation to guard against inadvertent file-sharing, heightened FCC and FTC involvement and the creation of a public awareness campaign to inform people about the dangers of P2P software. The panel held similar hearings in 2007 and four years earlier. In response, the P2P industry adopted a voluntary code of conduct to prevent unintentional data disclosures, but a new committee investigation showed popular platforms like LimeWire are not living up to their promises.
In his opening remarks, Towns pointed to an analysis by security experts at Tiversa and said specific examples of recent LimeWire leaks "range from appalling to shocking."
• The Social Security numbers and family information for every master sergeant in the Army had been found on LimeWire.
• The medical records of some 24,000 patients of a Texas hospital were inadvertently released and most of the files are still available on LimeWire.
• FBI files, including surveillance photos of an alleged Mafia hit man, were leaked while he was on trial and before he was convicted.
• A security breach involving the Secret Service resulted in the leak of a file on LimeWire containing a safe house location for the First Family.
Read a preview story in CongressDaily's AM Edition here (subscription required).
More than eight months after abandoning its planned advertising partnership with Google amid intense scrutiny from Capitol Hill and the Justice Department, Yahoo is joining forces with Microsoft. The companies announced an agreement Wednesday that they believe will improve the Web search experience for users and advertisers. Under the plan, which they expect to close in early 2010, Microsoft would power Yahoo search while Yahoo will become the exclusive worldwide relationship sales force for both companies' premium search advertisers, according to a press release.
The agreement does not cover each company's Web properties and products, e-mail, instant messaging, display advertising or any other aspect of the companies' businesses. "In those areas, the companies will continue to compete vigorously," they stated. The transaction will be subject to regulatory review and the agreement entered into Wednesday anticipates that the parties will enter into more detailed definitive arrangements prior to closing. The pair acknowledged that their deal will "be closely reviewed by the industry and government regulators" and they welcome questions.
Under the 10-year agreement, Microsoft will acquire an exclusive license to Yahoo's core search technologies, and Microsoft will have the ability to integrate Yahoo search technologies into its existing Web search platforms. Microsoft's new search engine Bing will be the exclusive algorithmic search and paid search platform for Yahoo sites. "Providing a viable alternative to advertisers, this deal will combine Yahoo and Microsoft search marketplaces so that advertisers no longer have to rely on one company that dominates more than 70 percent of all search," the firms said in an indirect jab at Google.
Senate Commerce Chairman John (Jay) Rockefeller issued his first subpoena Tuesday as head of the committee to Vertrue, Inc., for withholding information related to the company's allegedly deceptive online business practices. The subpoena requires the Norwalk, Conn. firm to produce documents that were explicitly requested by Rockefeller in May, including communications Vertrue had with business partners and credit card companies about "mystery charges" passed on to consumers as well as internal discussions regarding complaints about those unauthorized charges. The subpoena demands that Vertrue CEO Gary Johnson provide the files to the committee by Aug. 18.
Vertrue General Counsel George Thomas told Tech Daily Dose that his firm requested that Rockefeller issue the subpoena to better protect the personally identifiable information of consumers. Vertrue previously provided redacted documents that omitted individuals' names, addresses, telephone numbers and financial information. "Without a subpoena that information would not have been adequately protected in our view," he said, adding that if the contents were stolen or misappropriated Vertrue could be liable. Under the subpoena, the committee will have in its possession in a matter of days unredacted documents that include personal details and live credit card account information.
Regarding the panel's broader investigation, Vertrue maintains it has never done anything unlawful. The practices being examined by Rockefeller's staff -- including handling of so-called "pre-acquired account information" and "post-transaction sales" -- are specifically permitted by FTC laws and rules, Thomas argued. Rockefeller also issued letters to e-commerce marketing firm Webloyalty.com to get more details about the controversial business practices. Read Rockefeller's latest letter to Vertrue here and the subpoena here.
Update: A Senate Commerce aide said Vertrue requested a subpoena pertaining to the consumer complaints -- not on the larger issue of e-mail, financial documents and other internal communications. "They would like to make this look like it's a narrow issue, when the actual reason the subpoena was issued was a broader failure to cooperate in the investigation," said the aide, who accused Vertrue of "slow walking" the investigation.
NextGov reports that Bev Godwin, director of online resources and interagency development for the White House new media team, asked the public on Friday to weigh in on the decade-old federal policy that does not allow agencies to use persistent cookies on their Web sites. The reason has to do with privacy, but it makes it harder for agencies to create Web services like those in the private sector. The White House wants the public to tell them what they think. White House Chief Information Officer Vivek Kundra and Michael Fitzpatrick, associate administrator of the Office of Information and Regulatory Affairs, provided details on the administration's Open Government blog and the Office of Science and Technology Policy's blog.
OMB is considering a three-tiered approach to the use of Web tracking technologies on government sites: (1) Single-session technologies, which track users over a single session and do not maintain tracking data over multiple sessions or visits. (2) Multi-session technologies for use in analytics, which track users over multiple sessions purely to gather data to analyze Web traffic statistics. (3) Multi-session technologies for use as persistent identifiers, which track users over multiple visits with the intent of remembering data, settings, or preferences unique to that visitor for purposes beyond what is needed for analytics. Comments submitted by Aug. 10 will be taken into consideration.
Center for Democracy and Technology President Leslie Harris and Google public policy chief Alan Davidson on Friday dismissed a recent Technology Policy Institute report that argues there is a trade-off between increasing Internet privacy protections for consumers and the free flow of Web-based goods and services. Harris said "In Defense of Data: Information and the Costs of Privacy" should be renamed "In Defense of Straw Men." "Privacy and having a robust marketplace online are not inconsistent," she said at a Capitol Hill event sponsored by TPI.
"It's not true that somehow privacy advocates are anti-advertising or our ultimate goal is to rid the Internet of advertising," said Harris, who appeared alongside Davidson on a panel that included proponents of the paper written by Emory University economist Paul Rubin and TPI's Thomas Lenard. Harris rebuffed the report's "parade of horribles" including the idea that increasing privacy would curtail ads; add difficulty to search engine functionality; and diminish companies' ability to protect against network threats. She and Davidson both argued in favor of baseline privacy legislation, which is currently being drafted by House Energy and Commerce Communications Subcommittee Chairman Rick Boucher, D-Va.
Davidson wants a bill that provides transparency, meaningful choice and security for users. Such a measure would be helpful to companies like his because it gives users some level of confidence that they will be protected online, he said. "Privacy is not about draconian restrictions on companies. It's about providing consumers with some control over their data," Harris added. Rubin defended his report, arguing he did not say "the world would collapse if there were regulation." He believes regulation will lead to more expensive Internet-based services and there will be more barriers to innovation. He also argued that no one has pointed to specific harms to consumers from the statutes already on the books.
Read more about the event in CongressDaily's PM Edition.
Telecommunications analysts at Stifel Nicolaus on Friday said an advertising and search deal between Microsoft and Yahoo would get a close look from the Justice Department and probably the European Union's antitrust authorities. Sources at the two high-tech companies said an agreement is imminent and could be announced as soon as next week. The All Things Digital blog reported that top Microsoft executives traveled Thursday to Silicon Valley to smooth out technical issues and said Microsoft CEO Steve Ballmer is reportedly deeply involved with the talks.
"We have always viewed a Yahoo deal with Microsoft as less risky, from the standpoint of antitrust review, than a deal with Google," Stifel Nicolaus analysts said in an e-mail. Google last year eventually backed off its efforts to do a search transaction with Yahoo in the face of resistance from the DOJ and criticism from Capitol Hill. There are several elements of a Yahoo-Microsoft deal that pose risk, the analysts said. The antitrust review would depend on the precise terms of the deal, which could take the form of a Microsoft acquisition of all of Yahoo, or, more likely, could be another run at some type of partnership, they said.
Tech watchdog Jeff Chester warned the companies would not get a free pass from privacy and consumer groups even if the pairing would provide much needed competition to Google. Microsoft and Yahoo have created elaborate data collection services across platforms and applications and they have competing ad targeting businesses in search, display and mobile, he said. "Microsoft and Yahoo should expect privacy and consumer groups to vigorously press regulators to closely and skeptically examine the deal -- and at the very least impose a series of tough conditions on data collection practices," he said.
Several major marketing trade groups will release self-regulatory principles Thursday intended to protect consumer privacy in advertising-supported interactive media. The groups argue the guidelines will require advertisers and Web sites to clearly inform consumers about data collection practices and enable them to exercise control over that information. The issue has gained steam on Capitol Hill lately with a series of hearings by key panels of the House Energy and Commerce Committee. The framework is an effort of the American Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, the Interactive Advertising Bureau, and the Council of Better Business Bureaus. The groups offer seven principles as part of a self-regulatory program that is expected to be implemented in early 2010. Here are the basics:
• The Education Principle: The digital media industry intends, in a major campaign that is expected to exceed 500 million online ad impressions, to educate consumers about online behavioral advertising over the next 18 months.
• The Transparency Principle: Clearer and easily accessible disclosures to consumers about data collection and use practices associated with online behavioral advertising. It will result in enhanced notice practices.
Foreign trade groups and their counterparts in the United States pressed Chinese Premier Wen Jiabao on Friday to halt a July 1 mandate for all computers manufactured and sold in China to be shipped with Internet filtering software, which the government has claimed would help protect children from inappropriate content. The letter from the American Chamber of Commerce in China, Business Software Alliance, Business Roundtable, Consumer Electronics Association, Information Technology Industry Council and others says the requirement "raises serious concerns for us and seems to run counter to China's important goal of becoming a vibrant and dynamic information-based society."
The correspondence comes on the heels of a similar message sent to high-level Chinese government officials by U.S. Trade Representative Ron Kirk and Commerce Secretary Gary Locke earlier this week and a letter from business groups the week before. "The Green Dam mandate raises significant questions of security, privacy, system reliability, the free flow of information and user choice," the most recent document said. The letter points out, however, that "effective and responsible parental controls" are the way to go. "Ensuring that our youth can enjoy the full benefit of the Internet while keeping them out of harm's way... is an important objective we all share." Read related coverage in CongressDaily here (subscription required).
A high-tech watchdog group filed a lawsuit against the Justice Department on Wednesday demanding the public release of the surveillance guidelines that govern investigations of Americans by the FBI. The protocols took effect in December 2008 and detail the bureau's procedures and standards for implementing the attorney general's guidelines on approved surveillance strategies. The Electronic Frontier Foundation's complaint comes after DOJ failed to respond to a Freedom of Information Act request for a complete copy of the document. FBI General Counsel Valerie Caproni has acknowledged that "the expansion of techniques available [to the bureau] has raised privacy and civil liberties concerns."
Investigations can include the electronic collection of information from online sources and computer databases, as well as the use of grand jury subpoenas to obtain telephone and e-mail subscriber information, EFF said in a press release. Other recent policy changes allow the FBI to engage in free-ranging investigation of Internet sites, libraries, and religious institutions, the group said. "Americans have the right to know the basic surveillance policies used by federal investigators and how their privacy is -- or is not -- being protected," EFF senior counsel David Sobel said. Read EFF's full complaint to the U.S. District Court for the District of Columbia here.
Update: An FBI spokesman would not comment on the lawsuit but said: "It is the FBI's job to protect Americans, not only from crime and terrorism, but also from incursions into their constitutional rights. That effort starts with the FBI's commitment to scrupulously protect privacy rights of civil rights and civil liberties in the course of its investigations."
Facebook Chief Privacy Officer Chris Kelly shows a House Energy and Commerce Committee staffer how to adjust privacy settings for her profile on the popular social networking Web site. Kelly, who is also a Democratic candidate for California attorney general, was in Washington testifying before a joint hearing on Internet privacy held by the House Energy and Commerce Communications and Consumer Protection subcommittees. Read more in CongressDaily's PM Edition.
Trade groups representing high-tech, manufacturing, retail, and financial services firms wrote to House Energy and Commerce Committee leaders Wednesday urging them to "use extreme caution" when crafting Internet privacy legislation and refrain from imposing duplicative, inconsistent and ineffective regulations that could hurt consumers and businesses. The letter, sent to leaders of the House Energy and Commerce Communications and Consumer Protection subcommittees on the eve of a high-profile hearing on the topic, acknowledges there are "important issues around online privacy that Congress is looking into, issues that industry takes seriously as well." But during deliberations, lawmakers should take into account the range of industries, companies, and jobs that could be impacted by potential legislative or regulatory action, they said.
"The vast majority of companies of all shapes and sizes are online in some capacity and use the Internet to communicate with consumers, employees, existing customers, potential customers, and business partners around the world," added the letter signed by the U.S. Chamber of Commerce, Computer & Communications Industry Association, Financial Services Roundtable, National Association of Manufacturers, National Retail Federation and others. The FTC also weighed in, sending lawmakers its recent staff report on behavioral advertising. An accompanying letter states the Commission "has actively encouraged industry to embrace new measures relating to behavioral advertising to inform and empower consumers and is monitoring developments" so privacy is protected.
The online marketing practice known as behavioral advertising, which is being employed increasingly by Internet companies that want to tailor Web surfers' content, will come under scrutiny on Capitol Hill on Thursday. Executives from Google, Facebook, and Yahoo will take the hot seat alongside some of their most prominent critics at a joint hearing of the House Energy and Commerce Communications and Consumer Protection subcommittees. House Energy and Commerce Communications Subcommittee Chairman Rick Boucher, D-Va., is preparing legislation that he hopes would give Internet users greater confidence in how information collected about them is used and would offer consumer control over that use. "That will encourage people to engage in electronic commerce more readily," he said earlier this year. At the time, Boucher had not decided what rules could be in the measure.
The rare joint session "is but one hearing along a continuum of legislative activity examining the domains of the online and offline consumer privacy and how companies handle and treat consumers' personal information," Consumer Protection Subcommittee Chairman Bobby Rush, D-Ill., said in an excerpt from his opening statement. He will point out there are no federal laws specifically aimed at behavioral advertising nor is there a comprehensive general privacy law on the books. Google Deputy General Counsel Nicole Wong, Facebook Chief Privacy Officer Chris Kelly and Yahoo Vice President of Policy Anne Toth plan to defend their business practices and tell lawmakers that high-tech advances in advertising lead to more enjoyable Internet experiences for users. Read the full preview story in CongressDaily's AM Edition here and look for more coverage in the PM Edition.
A key European Union working group late last week released a report urging social networking sites to conform with the organization's data protection directive and to uphold and strengthen the rights of users. The report, which could have major implications for sites like MySpace and Facebook, comes as U.S. lawmakers prepare to scrutinize Internet companies' privacy and advertising practices at a Thursday hearing on Capitol Hill. The joint hearing of the House Energy and Commerce Communications Subcommittee and Consumer Protection Subcommittee will hear testimony from Google, Yahoo and Facebook executives. "Of paramount importance, [social networking sites] should inform users of their identity from the outset and outline all the different purposes for which they process personal data. Particular care should be taken by SNS providers with regard to the processing of the personal data of minors," the report stated.
The document recommends that users should only upload pictures or information about other individuals with the individual's consent and considers that SNS also have a duty to advise users regarding the privacy rights of others. The paper notes that online communities and, in many cases third party application providers, are data controllers with corresponding responsibilities to users. Robust security and privacy-friendly default settings are advocated throughout the opinion as the ideal starting point with regard to all services and access to profile information emerges as a key area of concern. Topics such as the processing of sensitive data and images, advertising and direct marketing on SNS and data retention issues are also addressed. Read the full report here (PDF).
Telecommunications analyst Scott Cleland, whose work is bankrolled by companies like AT&T, Comcast, and Verizon, also signed on as a hired gun for Microsoft earlier this year, according to a summary of testimony he plans to deliver Thursday at a joint hearing of the House Energy and Commerce Communications Subcommittee and Consumer Protection Subcommittee. The focus of the session is Internet privacy and behavioral advertising. Cleland, a frequent critic of Google, runs Precursor, an industry research and consulting firm, and chairs NetCompetition.org, which he describes as "a pro-competition e-forum funded by broadband companies."
While Cleland asserts that his testimony reflects his personal views and not the views of his clients, Google sympathizers wonder if his new affiliation with Microsoft might further fuel what they believe is an already staunchly anti-Google agenda. Last December, Precursor issued a report alleging that Google "is by far the largest user of Internet bandwidth," the company's share of bandwidth usage is rising rapidly, and its bandwidth use "is orders of magnitude greater than its payment for its cost." Google's telecom counsel Richard Whitt responded to the attack, calling the report "payola punditry." Google Associate General Counsel Nicole Wong will testify Thursday, presumably in defense of her firm's practices.
Regardless of who signs Cleland's checks, his testimony concludes that if Congress decides to legislate on Internet privacy, a competition/technology-neutral framework is the way to go. According to Cleland, such a proposal would: emphasize protecting people not technologies; empower consumers with the control/freedom to choose to either protect or exploit their own privacy; prevent competitive arbitrage of asymmetric technology-driven privacy policies with a level playing field; stay current with ever-evolving technological innovation; and accommodate both privacy and public interests by empowering real consumer privacy choice.
Update: Cleland told Tech Daily Dose his work with Microsoft has been focused on Internet security and safety.
Here's a sneak peek at the expected witness line-up for Thursday's eagerly anticipated Internet advertising and privacy hearing to be held jointly by House Energy and Commerce Communications Subcommittee Chairman Rick Boucher, D-Va., and Consumer Protection Subcommittee Chairman Bobby Rush, D-Ill. The event is a follow up to a session Boucher held in April that featured broadband providers. He is working on privacy legislation that he hopes will ensure Internet users a secure Web surfing experience. Rush has already introduced a separate data breach notification bill.
• Jeffrey Chester, Executive Director, Center for Digital Democracy
• Scott Cleland, President, Precursor LLC
• Charles Curran, Executive Director, Network Advertising Initiative
• Christopher Kelly, Chief Privacy Officer, Facebook
• Edward Felten, Director, Center for IT Policy, Princeton University
• Anne Toth, Vice President of Policy, Yahoo
• Nicole Wong, Deputy General Counsel, Google
Some Internet policy watchers fear the hearing might strike a decidedly anti-Google tone with Chester and Cleland on deck. Both are prominent critics of the Web giant's growing presence in Washington and in the Web marketplace. Chester's group is funded by philanthropic foundations and individual donors but does not take corporate funding. Cleland runs NetCompetition.org, whose members include AT&T, Comcast, Qwest, Sprint, Time Warner Cable and Verizon. Facebook and Yahoo have also taken heat in recent years for privacy-related practices.
Privacy watchdogs have long questioned whether U.S. Customs and Border Protection policies permit agents to search laptops and other electronic devices of travelers without suspicion of wrongdoing, and now the American Civil Liberties Union is trying to find solid answers. On Wednesday, the group filed a Freedom of Information Act request with CBP, a component of the Department of Homeland Security, to learn how the agency's search policy, first made public in July 2008, is impacting international travelers' constitutional rights. According to the ACLU's request, giving the government unchecked authority to search travelers' personal documents and devices is a violation of Fourth Amendment privacy rights and the First Amendment freedoms of speech, inquiry and association.
The ACLU FOIA request seeks records related to: CBP's authority to search, review, retain and disseminate information possessed by individuals who are encountered by CBP at the border; the number of documents or electronic devices retained by CBP; the length of retention, reasons for retention and the ultimate disposition of retained material; and the dissemination of documents or electronic devices throughout DHS, other agencies, or to entities outside government. The FOIA also asks for complaints filed by individuals or organizations affected by CBP's search policies; statistics reflecting the number of travelers subject to suspicionless searches; and statistics reflecting the race, ethnicity, country of origin, citizenship and gender of individuals subjected to suspicionless searches.
DHS Secretary Janet Napolitano announced in January that she was reviewing a range of immigration and border security policies and in May said clarification is needed with respect to the laptop issue. She said a team at DHS will "issue pretty firm guidance and protocol for how you conduct a laptop search," but noted that in the course of the few laptop searches that actually have been done, agents have found significant criminal activity. "We are a global society, people going from country to country all the time, they're crossing the border, they need to take their laptops to do business, we need to have a better policy that takes into account some of those IP concerns, some of the privacy concerns. That's what we're drafting now," Napolitano said.
The Future of Privacy Forum is embarking on a research project that will examine different methods for communicating with Internet users about advertising and privacy practices, the think tank announced Tuesday. The study will explore potential tools and notices that companies could use to raise consumer awareness regarding the use of online behavioral advertising data and will offer more transparency about how information is used in relevant advertising practices. The initiative follows a recent FTC report that called on the private sector to examine the issue. FPF launched in 2008 to advance a national privacy agenda that promotes transparency and user control that is practical for businesses and ensures personal autonomy for online users.
In the coming weeks, FPF will work with experts to develop notices and begin to test them with users, officials said in a press release. Assisting in the efforts are AOL, AT&T, eBay, Facebook, Intel Corp., Verizon, Yahoo and others. FPF hopes to release materials from the initial phase of the research by late summer. "Privacy policies will continue to play an important role in legally binding companies to commitments and providing essential details regarding their data practices," FPF Co-Chair Jules Polonetsky said. "Widespread agreement now exists, however, that more candid, prominent, and engaging methods are needed to ensure that trustworthy and meaningful communications are provided to users."
A government civil liberties panel established in 2004 at the behest of the 9/11 Commission that has lain dormant since the terms of its members expired Jan. 31, 2008, could probably not be fully operational as an independent body until mid-2010, the panel's former executive director told Tech Daily Dose. Mark Robbins, who staffed the White House Privacy and Civil Liberties Oversight Board under former President George W. Bush, said the new administration has not nominated any new members and once they are selected, vetted and confirmed by the Senate, it will take time to set up office space and hire a staff. Last Congress, lawmakers statutorily distanced the board from the Executive Office of the President after concern grew it was not fully autonomous.
"We warned Congress before they passed the law making PCLOB independent that they would be killing it well into the next administration -- who's ever it was," said Robbins, now a rule of law advisor for the State Department in Iraq. "Congress killed the imperfect in search of the perfect, and ended up with nothing." "My guess is that the new board will be as welcome to the Obama administration as it was to the Bush administration," he said in an e-mail. Meanwhile, key senators have begun pressing the White House to set up the reconstituted panel. Read more about that effort in CongressDaily's AM Edition here.
CongressDaily's Chris Strohm writes in TechCentral's latest Issue Of The Week that after four years of effort, federal and state officials believe they are finally closing in on new legislation to replace a controversial 2005 law that set national standards for driver's licenses and identification cards. Sen. Daniel Akaka, D-Hawaii, is expected to introduce the bill -- called the PASS ID Act -- that would repeal card requirements set forth under the so-called REAL ID law. State governments -- several of which rejected the REAL ID law outright through acts of their legislatures -- are expected to back the new bill because many of its key provisions originated with the National Governors Association.
The Obama administration, while silent about the emerging bill, has been engaged in talks with the NGA over legislative changes to REAL ID. The bill would require the Homeland Security Department to conduct a nine-month rulemaking process to establish security standards for state identification cards. One year after the regulations are issued, state motor vehicle departments would have to begin issuing cards that are in compliance, according to the most recent draft of the bill, obtained by CongressDaily. All states must be in compliance within five years or their citizens could not use those cards for federal purposes, such as entering federal buildings. Read the full story here.
AT&T Chief Privacy Officer Dorothy Attwood responded Wednesday to a recent letter from Rep. Anna Eshoo, D-Calif., to the telecom giant's CEO asking for clarification on whether the company is engaged in any activity that involves tracking its broadband Internet subscribers' online activities to target advertising. The lawmaker was confused by Attwood's testimony at an April hearing of the House Energy and Commerce Communications, Technology and the Internet Subcommittee that focused on "deep packet inspection," a controversial type of network filtering that could be used to build customer profiles and offer specialized content and advertising without consent.
In her letter, Attwood assured Eshoo that AT&T does not engage in the behavioral advertising that was the focus of her inquiry and said the company "has articulated at every turn what it does and does not do in the context of any behavioral advertising model that has been the subject of congressional interest." Attwood also addressed AT&T's relationship with Audience Science, "one of a number of online marketing firms that assist AT&T in reaching potential customers and placing AT&T's advertisements on other Web sites." She said Audience Science does not use DPI but does use cookie-based methods to offer the most relevant ads to Internet users.
Attwood added that AT&T has not only asked its advertising partners to improve transparency and control for consumers, "we have called on the entire online advertising ecosystem... to adopt a unified, consumer-centric policy framework built on a foundation of transparency, consumer control, privacy protection, and consumer value." That includes ad networks, search engines, Internet service providers, advertisers and publishers, she said. "We are more than willing to work with all entities in that ecosystem to create standards that can advance consumer interests," she wrote.
Former Homeland Security Department chief privacy officer Hugo Teufel has joined PricewaterhouseCoopers as a director in the consulting firm's U.S. advisory practice. Teufel will focus on helping Fortune 500 organizations with issues involving the privacy and security of data, cyber crime and corruption and will be based in PwC's McLean, Va. office. While serving as Homeland Security's privacy czar, Teufel testified regularly before various House and Senate committees and reported annually to Congress on the activities of the department that affect privacy. He was also a principal of the High Level Contact Group, a joint United States-European Union effort on transatlantic exchanges of data. Before assuming that role Teufel served as associate general counsel for general law within the DHS Office of General Counsel. Before that, he served as associate solicitor for general law at the Interior Department. "We are extremely pleased to have Hugo Teufel join our team," PwC's Erik Skramstad said in a press release. "His in-depth experience with government and privacy policies, along with his extensive knowledge of privacy issues and compliance -- as well as identity theft and data loss prevention -- will enhance the value and fact-based counsel we provide to our clients on a daily basis."
Rep. Anna Eshoo, D-Calif., wants to know for sure whether AT&T is engaged in any activity that involves tracking its broadband Internet subscribers' online activities to target advertising and on Friday asked the telecom giant's top executive to clarify. In a letter to AT&T CEO Randall Stephenson, Eshoo asked whether AT&T has used AudienceScience.com or any other behavioral advertiser to place ads on the Web, and if so, whether those firms notify consumers when data is collected. She also asked whether consumers are allowed to control what data is collected by advertising vendors and how it is used. Eshoo asked Stephenson when AT&T began advertising to consumers using behavioral targeting and whether it continues to engage in that activity. If AT&T has stopped, she wants to know when.
Her letter came on the heels of what she believed to be contradictory testimony from AT&T Chief Privacy Officer Dorothy Attwood on Thursday. During a hearing of the House Energy and Commerce Communications, Technology and the Internet Subcommittee, Attwood said AT&T does not use "deep packet inspection," a controversial type of network filtering that could be used to build extensive customer profiles and offer specialized content and advertising without consent. Attwood said AT&T would not use consumer information for that purpose "without an affirmative, advance action by the consumer." In August 2008, Attwood told the House Energy and Commerce Committee that AT&T does not engage in behavioral advertising but the company is listed as a client of AudienceScience, which offers that service.
"As an ISP, we do not track our customer's data across unrelated Web sites to create a profile for behavioral advertising, or hire other firms to do so on our behalf," an AT&T spokesman told Tech Daily Dose. He said his company's relationship with AudienceScience is as an advertiser of AT&T products and services. Suggestions that AT&T is engaging in behavioral advertising by selling customer information are "flat wrong," he said. The spokesman added that AT&T has consistently told Congress it uses ad networks. In related news, a testimonial listed on AudienceScience's Web site from MEC Interaction, which had AT&T as a client, has been removed. The message read: "AudienceScience rocks and I recommend using them for all of your BT campaigns."
The Future of Privacy Forum, one of the newest voices in the sometimes heated digital age privacy debate on Capitol Hill and within the high-tech and telecommunications industries, added a handful of new supporters Wednesday. The AT&T-funded venture is now also backed by AOL, eBay, Facebook, Intel, the Nielsen Company, Verizon and Yahoo. The companies will be working together on "an exciting research project," according to forum officials. Details about the upcoming project as well as an announcement about several additional supporters are coming soon, according to an e-mail and the forum's blog.
The initiative launched in November and is co-chaired by former AOL chief privacy officer Jules Polonetsky and attorney Christopher Wolf. It's intended to advance a national privacy agenda in the Obama administration that promotes transparency and user control that is practical for businesses and ensures personal autonomy for online users. While the think tank's advisory board contains leading experts from industry, academia, law and the advocacy community, some high-tech experts were skeptical of its direction given AT&T's prominent involvement.
Read CongressDaily's story about the launch of the forum here (subscription required).
The Electronic Privacy Information Center asked the FTC on Tuesday to open an investigation into Google's cloud computing services -- including Gmail, Google Docs, and Picasa -- to determine "the adequacy of the privacy and security safeguards." The petition follows the recent report of a breach of Google Docs. The high-tech watchdog group cited the growing dependence of American consumers, businesses, and federal agencies on cloud computing services, and urged the Commission to take "such measures as are necessary" to ensure the safety and security of information submitted to Google.
A Google spokesman said the company had not yet reviewed the complaint in detail but many cloud computing providers, including Google, "have extensive policies, procedures and technologies in place to ensure the highest levels of data protection." "We are highly aware of how important our users' data is to them and take our responsibility very seriously," the Google spokesman said. Previous EPIC complaints have led the FTC to order Microsoft to revise the security standards for one of its programs and to require Choicepoint to change its business practices and pay $15 million in fines.
For more Google/privacy coverage, read NationalJournal.com's story, "Google Stands To Gain From Cookie Trail" by Neil Munro.
In observance of Sunshine Week, the Electronic Frontier Foundation on Monday launched a sophisticated search tool that lets the public examine thousands of pages of documents the watchdog group has retrieved from government agencies through Freedom of Information requests and litigation. The documents relate to a range of technology issues and government policies that affect civil liberties and personal privacy. EFF's collection sheds light on controversial government initiatives, including the FBI's Investigative Data Warehouse and the Homeland Security Department's Automated Targeting System.
"Until recently, documents obtained under FOIA often gathered dust in filing cabinets," EFF Senior Counsel David Sobel said in a press release. "We believe that government information should be widely available and easy to research, and our new search engine makes that a reality." "We welcomed President Obama's declaration -- on his first full day in office -- that he will work to make the federal government more open and participatory," EFF attorney Marcia Hofmann said. "There's certainly a lot of work to do -- so much government activity has been hidden from public view in the name of 'national security' and the 'war on terror.'"
FTC Chairman Jon Leibowitz told a data security workshop on Monday that the United States and other countries must "move beyond the 'we agree to disagree' approach" to securing consumers' sensitive information in the global marketplace. Such harmony among nations, which have varying privacy rules and regulations, is "not beyond our reach," Leibowitz said, pointing to the Organization for Economic Cooperation and Development's 1980 privacy guidelines and a set of security guidelines adopted by the group in 2002. "Without adequate data security there really is no privacy," he said.
Corporations must protect their back doors from hackers, malware, spyware and other high-tech intrusion mechanisms and protect their front door by properly storing and disposing of consumers' data, Leibowitz said, noting that the FTC is "not shy about knocking on anyone's door." Since 1999, the agency has brought a number of cases alleging that companies failed to protect data, including a settlement this month with a consumer reporting agency that failed to properly screen prospective customers and, as a result, sold at least 318 credit reports to identity thieves.
The conference runs through Tuesday. Speakers include: Martin Abrams of the Centre for Information Policy Leadership; Oracle Chief Privacy Officer Joseph Alhadeff; Accenture Data Privacy Director Bojana Bellamy; TRUSTe Chief Privacy Officer Maureen Cooney; Intel Global E-Business Counsel David Hoffman and others. Click here to view the agenda for "Securing Personal Data in the Global Economy."
Sen. Olympia Snowe, R-Maine, on Friday received the International Association of Privacy Professionals' 2009 leadership award for her ongoing efforts on behalf of U.S. citizens in the area of privacy and data protection. She accepted the award earlier this week in advance of the group's annual summit in Washington where privacy experts from around the globe convened for three days of education and networking. "Senator Snowe is at the forefront of protecting citizens' privacy and raising data protection awareness," IAPP Executive Director Trevor Hughes said. "She clearly prioritizes privacy through her legislative efforts to address and prevent the misuse of information."
During her three terms on Capitol Hill, Snowe has advanced privacy legislation to protect citizens' rights, including a bill to prohibit spyware and privacy-invasive practices such as keylogging and skimming, and has co-authored privacy provisions in major healthcare legislation. She also voted for the Consumer Phone Records Act to keep unwelcome hands out of citizens' phone logs and to give the FTC and FCC greater enforcement authority in that area. Snowe also sponsored a recently passed bill that lets people take advantage of genetic testing without fearing negative repercussions from the abuse of such information. "I am proud to be an advocate for patient privacy rights and will continue to work to ensure the safety and protection of all Americans," she said.
Google riled privacy watchdogs on Wednesday when the Internet giant announced that it was venturing into the "interest-based advertising" space. The company said the technology uses information about the Web pages people visit to make the online ads they see more relevant but some argue the real headline is that Google has finally entered the behavioral targeting business -- a practice that has sparked congressional hearings as well as FTC examination. The consumer protection agency released self-regulatory principles for online advertising last month and the Network Advertising Initiative offered its own code of conduct in December.
In a blog post, Google Deputy General Counsel Nicole Wong explained the product has consumer-friendly features to provide meaningful transparency and choice and is "not only consistent with industry groups' privacy principles, but also goes beyond their requirements." Read more about those safeguards here. But the Center for Digital Democracy's Jeff Chester said the move amounts to "the most powerful interactive ad company expanding its data collection and targeting activities whenever we search, view videos or read blogs." He said Google should have adopted an opt-in approach for the new ad service rather than making the default an opt-out scheme.
The Progress and Freedom Foundation's Berin Szoka had a different view, calling the company's announcement groundbreaking because the tracking will be based on a profile of each user's interests created by Web browsing habits -- but not search queries or other user information. Google's program offers "precisely the kind of robust opt-out that privacy advocates have always demanded," he wrote. Szoka said he hoped Google's endeavor will shift the policy debate over user privacy back to an emphasis on the layered approach by supplementing consumer education, industry self-regulation, state laws, and FTC enforcement with technological tools to aid privacy-wary consumers.
A handful of watchdog groups asked FTC Chairman Jon Leibowitz on Monday to appoint a new director of consumer protection for the agency who has "a track record as a genuine champion of consumer rights." The candidate should be someone whose experience reflects not simply a broad familiarity with industry procedures, but a deep commitment to proactively protecting the public from all manner of unfair, deceptive, and fraudulent practices, they wrote in a letter. Lydia Parnes, who had the job for four years, left the agency recently to join law firm Wilson Sonsini Goodrich & Rosati. Her deputy, Eileen Harrington, took over as acting director.
The letter was signed by the Center for Digital Democracy's Jeff Chester; Michael Jacobson of the Center for Science in the Public Interest; the Consumers Union's Ellen Bloom; the Electronic Privacy Information Center's Lillie Coney; Evan Hendricks of Privacy Times; Melissa Ngo of Privacy Lives; and Ed Mierzwinski of the U.S. Public Interest Research Group. They said the bureau's broad mandate -- covering everything from advertising and marketing practices to financial services to privacy and identity protection -- holds great weight in the expanding digital world. The American people "can ill afford any unnecessary delays in appointing a suitable candidate," they wrote.
"The FTC requires someone new," Chester said when asked whether he thought Harrington should remain in the job. "It's time to shake up the bureau." The agency failed to warn consumers that their savings and investments were at risk from financial marketing scams for mortgages and other loans, he argued. "If the FTC had a consumer champion leading the bureau, perhaps someone would have blown the whistle sooner," Chester said.
A European government official expects that President Barack Obama's administration will improve the nation's relationship with the EU on privacy issues. "It may probably be the case that the first changes happen within the U.S. itself, meaning that the respect for data privacy in the fight against terrorism will be much stronger, in general," wrote Ignasi Guardans, a member of the European Parliament and a substitute member of the Committee on Civil Liberties, Justice and Home Affairs, in an email. He added that he believes that the U.S. government "is very much aware that this is just one among the big examples of issues where the 'arrogant' image of the U.S. in the last years can be substantially improved."
Meanwhile, the EU has been engaged in discussions to maintain its own database of passenger name record data and to impose the collection of PNR data for flights that occur within the EU. Currently, the U.S. Department of Homeland Security maintains a database of PNR data between the two bodies. Guardans expects the PNR data debate within the EU to last until after the European elections take place in June.
Guardans said the European Commission is pressing to harmonize PNR data plans to avoid ending up with 27 different plans. He said that only France, Denmark and the U.K. have actually adopted legislation on the use of PNR for law enforcement purposes. "There has been very strong criticism from the European Data Protection Supervisor, the Fundamental Rights Agency and the House of Lords [and] as far as there is no EU legislation in place, U.K. can in principle do what they want as long as they follow national, and to the extent it is relevant, EU data protection legislation," he added. -- Winter Casey

For the ninth year in a row, identity theft was the top consumer complaint reported to the FTC in 2008. Of more than 1.2 million complaints received throughout the year, 313,982 or 26 percent were related to ID theft, the agency announced last week. Third-party and creditor debt collection as well as shop-at-home and catalog sales came in second and third place respectively, while complaints about Internet services; television and electronic media; and computer equipment were also high on the list.
The FTC report breaks out complaint data on a state-by-state basis and contains data about the 50 metropolitan areas reporting the highest per capita incidence of fraud and other complaints. In addition, the document lists the 50 metropolitan areas reporting the highest incidence of ID theft. Credit card fraud was the most common form of reported ID theft at 20 percent, followed by government documents/benefits fraud at 15 percent, employment fraud at 15 percent and phone or utilities fraud at 13 percent.
A battle between Internet giant Google and a Santa Monica, Calif.-based group that has been pressuring the company to enhance the privacy and security of its various Web applications appears to be getting bloodier. Earlier this month, Bob Boorstin, director of Google's corporate and policy communications, wrote to the head of the Rose Foundation, which funds Consumer Watchdog, complaining the group launched "totally fictitious" attacks on his company. Most recently, Consumer Watchdog accused Google -- absent any evidence and referencing "a rumored lobbying effort" in a press release -- of trying to obtain permission to sell patient medical records.
"I am hoping that as you consider the activities of your grantees and whether to renew your commitments, you will take these kinds of activities into account and consider whether there might be better groups in which to place your trust and resources," Boorstin said in an email to Rose Foundation Executive Director Tim Little. Boorstin also asked Little's permission to write to his board of trustees to highlight Consumer Watchdog's activities. Little replied that his foundation "welcomes feedback and comment on all of its grantmaking programs" but noted the philanthropy has a longstanding policy of not interfering in its grantees' work. He added that the foundation "believes that Consumer Watchdog is raising very fundamental questions about privacy over the Internet."
Consumer Watchdog President Jamie Court wrote to Google CEO Eric Schmidt Monday arguing that his top executives must "have more important priorities than defunding a consumer group critical of your lack of privacy protections." In the letter, he laid out some observations about Google's perceived "less than open corporate culture, its opaque public policymaking division and some suggestions for change and moving forward." Read previous posts about Google and Consumer Watchdog here and here as well as the email exchange between Boorstin and Little here and Court's letter to Schmidt here.
An about-face by social networking site Facebook last week regarding its terms of service headed off a complaint to federal regulators prepared by the Electronic Privacy Information Center. The Wednesday decision to restore Facebook's original policy and its commitment to a more transparent, participatory process regarding future changes to its operating procedure came hours before the watchdog group planned to file a complaint with the FTC. The EPIC filing was supported by more than a dozen consumer and privacy organizations, officials said.
The modified terms of service announced Feb. 4 were widely criticized, EPIC said in a Monday e-mail blast. The group argued the company's revised policy "adversely impacted Facebook customers, eviscerated wide-recognized privacy rights, and unilaterally and retroactively transferred control of user generated content to Facebook." The modifications were made without any meaningful notice to Facebook users, EPIC said, noting the transfer of rights was an unfair and deceptive business practice. Under the revised policies, the Web site "asserted broad, permanent, and retroactive rights to users' personal information - even after they deleted their accounts," EPIC said.
Previous EPIC complaints at the FTC have related to Microsoft Passport, Choicepoint, and the Google-Doubleclick merger. In response to user concerns, Facebook established a new Bill of Rights and Responsibilities and is seeking comments from users. The page includes these statements from the company:
The Homeland Security Department's first chief privacy officer thinks the agency's pick for that post in the new administration is a good one. Nuala O'Connor Kelly, who left DHS in 2005 to become General Electric's senior counsel for information governance and privacy, said Mary Ellen Callahan is a "respected privacy official and attorney" who will continue to grow what she believes is an "already excellent privacy organization" within the federal government. Callahan, a partner at Hogan & Hartson, was appointed by Homeland Security Secretary Janet Napolitano on Thursday.
"Mary Ellen is a friend as well as a colleague, and I wish her tremendous success," O'Connor Kelly told Tech Daily Dose on Friday. "I am sure she will have the full support of the outstanding privacy office team." Callahan, an active member of the International Association of Privacy Professionals, has what it takes to do the job right and will likely find support in her new post from DHS General Counsel Ivan Fong, sources said. Fong, who was tapped by President Barack Obama last month, has a privacy background and most recently served as chief legal officer for Cardinal Health. He was O'Connor's predecessor at GE and previously served as deputy associate attorney general.
Homeland Security Secretary Janet Napolitano on Thursday appointed Hogan & Hartson partner Mary Ellen Callahan as the agency's chief privacy officer. Callahan has counseled clients on online and offline marketing issues as well as Web site privacy policies and terms of use and helped create and implement privacy and security-related compliance strategies and programs. She has written numerous comments on behalf of clients such as the Motion Picture Association of America and the Online Publishers Association on rulemaking related to the FTC, federal anti-spam laws, and the Children's Online Privacy Protection Act, according to her firm bio.
Callahan, who previously worked for the Congressional Research Service, is also co-chair of the Online Privacy Alliance -- a self-regulatory group of corporations and associations to create an environment of trust and foster the protection of individuals' privacy online. "Homeland security and privacy are not mutually exclusive, and having a seasoned professional like Mary Ellen on the team further ensures that privacy is built in to everything we do," Napolitano said in a statement.
The Future of Privacy Forum's Jules Polonetsky lauded the appointment, saying Callahan has "the critical combination of privacy savvy, common sense and backbone needed to help craft the balance between the war on terror and respect for the privacy and personal dignity of individuals." "For an administration that has promised to be both tough on terror and committed to civil liberties, this will be an incredibly critical role," he said. Callahan is a great listener who will be able to ensure that voices of both law enforcement and civil libertarians are heard and respected, Polonetsky added.
The Department of Homeland Security's Data Privacy and Integrity Advisory Committee has offered DHS Secretary Janet Napolitano 16 recommendations on how to best address privacy issues currently facing the department. The panel stressed that "the need to update the government's legal authority to protect and defend cyberspace in the U.S. classified intelligence systems raise specific and sometimes significant privacy issues, including the conflict between transparency and redress."
The committee has asked that each DHS component -- such as the Federal Emergency Management Agency and Office of Intelligence and Analysis -- have a designated privacy officer that would report to the head of the section. The committee also "encourages DHS to continue to work toward policy and functional interoperability in the development of new systems and when making major modifications to existing systems," according to a letter from the committee hand-delivered to Napolitano.
Additionally, the panel said the 1974 Privacy Act has "not kept pace with the evolution of technology and developments in how data is collected, used, shared and stored. To the extent the Secretary is asked to submit recommendations to Congress for making the act more relevant and effective, the committee recommends that the secretary seek guidance from the Privacy Office staff, who are experts in applying the Act's provisions throughout the department." For more on the recommendations, read the committee's letter here.
-- Winter Casey
The FTC unveiled an updated set of recommendations Thursday on how Internet firms can better protect consumer privacy in an age of sophisticated advertising models. The guidance came on the heels of a December report by agency staff that offered proposed principles to steer the development of self-regulation for behavioral advertising, which involves tracking of a consumer's activities online including searches, Web pages visited, and content viewed.
The new staff report summarizes and responds to key issues raised by more than 60 comments received and sets forth revised principles. The document points out that most comments concerned the scope of the proposed principles, such as whether it was necessary to provide privacy protections for data that is not personally identifiable. In response, the report states that Web sites should cover any data that reasonably can be associated with a particular consumer or computer or other device.
Commenters also questioned the need to apply privacy principles to "first party" advertising, in which a site collects consumer data to deliver targeted advertising but does not share any information with third parties. The FTC also fielded questions about contextual ads, which involve little or no data storage. The agency concluded those methods pose fewer privacy concerns and do not need to be included within the scope of self-regulatory principles.
Surf on over to CongressDaily's TechCentral for a new "Issue of the Week." Here's a taste:
When President Barack Obama issued "Day One" memos instructing members of his administration to operate under principles of openness, transparency and citizen engagement, government watchdogs cheered. They hailed the early presidential directive as unprecedented and said it was a welcome change from the past eight years. But in the days since Obama's issuance, open government enthusiasts have turned their attention to making sure words become deeds.
Obama's memo stipulated that the heads of OMB and the General Services Administration, as well as his yet-to-be-named chief technology officer, craft an open government directive by May 21 that laid out actions to support his principles. The guidance also stated that all agencies should adopt a presumption in favor of disclosure in Freedom of Information Act decisions, which means making information public in a timely fashion and not waiting for specific requests from the public.
"This is a wonderful window of opportunity for those who care about open government," said Dan Metcalfe, a former Justice Department attorney and head of the Washington College of Law's Collaboration on Government Secrecy. Metcalfe assembled a group of information policy experts last week to draft transparency blueprints for the new administration. "It's been a long time since an administration has come into power with so many competing priorities," Metcalfe said, noting that his community needs to be strategic about what it believes should be addressed first by Obama's team.
On the heels of President Barack Obama's "Day One" memos to encourage a more transparent and responsive federal government, the Smithsonian Institution last week formally adopted a new policy for responding to records requests. "It is the policy of the Smithsonian Institution... to respond timely to written requests for Smithsonian information consistent with the principles of disclosure under the Freedom of Information Act and in a manner that fosters openness and accountability and supports the Smithsonian's mission," the new policy states.
The museum complex is not subject to FOIA because of a 1997 federal court ruling but has been using a policy for releasing records modeled on FOIA since November. Monday's announcement made that system official. When considering requests for information, the Smithsonian will apply a "presumption of disclosure" and will provide information "except where disclosure would be harmful to an interest protected by an exemption." The Smithsonian has been criticized for limiting access to files in the past. In June, several senators introduced legislation that would have required the Smithsonian to comply with FOIA, according to the Reporters Committee for Freedom of the Press.
Congress needs to pass comprehensive privacy and data security legislation and make sure companies that store and share individuals' information are held accountable, Rep. Cliff Stearns, R-Fla., said at a Wednesday event recognizing Data Privacy Day, which was being celebrated in Washington, around the United States and in 27 European countries. He said businesses should be required to encrypt data, employ an information security chief and retain an outside auditor to ensure compliance.
During his chairmanship of the House Commerce, Trade and Consumer Protection Subcommittee in the Republican-controlled 109th Congress, Stearns held more than a half-dozen hearings on privacy and technology. Various data privacy bills were introduced last Congress but were overshadowed. This year, consumer privacy has arisen as a hot topic within the multibillion-dollar health information technology provisions in the House and Senate economic stimulus packages.
On Monday, the House passed a resolution Stearns co-sponsored with Rep. David Price, D-N.C., that formally recognized Data Privacy Day in the United States. The Senate approved a companion resolution on Wednesday that was introduced by Sen. Byron Dorgan, D-N.D., and Senate Judiciary Committee ranking member Arlen Specter. Dorgan issued a statement saying that modern technology has connected the world and led to new developments in every aspect of citizens' lives, but with those advancements comes the potential for people's privacy to be compromised.
On Wednesday, the United States, Canada, and 27 European countries will celebrate Data Privacy Day -- an international effort to raise awareness and generate discussion about data privacy practices and rights. For the second consecutive year, privacy professionals, the business community, government officials, academics and others will host events and take other actions in observance. The House on Monday got the ball rolling by approving a resolution by Rep. David Price, D-N.C., to formally recognize the event.
The Technology Association of America, the recently merged group formed by the Information Technology Association of America and the American Electronics Association, will host a Capitol Hill briefing featuring remarks by Price and Member of the European Parliament Alexander Alvaro as well as key representatives of the privacy community. A networking reception will follow.
Other Data Privacy Day activities:
▪ Protecting National Security and Privacy: Approaches of New Administrations in the U.S. and Europe, Sanford Institute of Public Policy, Duke University, Jan. 26-27.
▪ The Privacy by Design Challenge hosted by the Information and Privacy Commissioner of Ontario and the Toronto Board of Trade, Jan. 28.
▪ Data Privacy Day Cocktail Event, Brussels, Belgium, organized by European Privacy Officers Forum and International Association of Privacy Professionals, Jan. 28.
▪ Microsoft will host an interactive community event highlighting online privacy concerns and solutions at the San Francisco Public Library, Jan. 28.
Read a comprehensive list of events here.
Former National Security Agency analyst Russell Tice told MSNBC's Keith Olbermann Wednesday night that the agency spied on U.S. news organizations "24/7, 365 days a year." Former President Bush and senior officials insisted repeatedly that the warrantless wiretapping program that came to light in 2005 was legal and only targeted those with suspected ties to terrorist organizations. Tice said he did not know what became of the journalists' collected communications nor did he mention news outlets by name.
He told Olbermann he volunteered his expertise to President Barack Obama's campaign and transition team but they did not take him up on the offer. "They knew my background but they never utilized me," said Tice, who has leaked information about the NSA before and has pushed for whistleblower protection legislation. Before appearing on the show, he sent a handwritten note to Obama's camp saying he planned to speak about the NSA activity in more detail.
A traditionally secret federal intelligence court issued a rare public ruling Thursday that validated the power of the president and Congress to wiretap international phone calls and intercept e-mail messages without a court order. The ruling [opinion/order] was initially made by the Foreign Intelligence Surveillance Court of Review in August and was then released in unclassified, redacted form. The decision marks the first time since the disclosure of the National Security Agency's warrantless surveillance program three years ago that an appellate court has tackled the constitutionality of the government's wiretapping powers. It is only the second public ruling by the panel in its 30-year history.
Justice Department spokesman Dean Boyd said the agency was pleased with the ruling, saying the court upheld the lawfulness of directives issued under 2007's Protect America Act, concluding that the surveillance at issue fell within the foreign intelligence exception to the warrant requirement and was otherwise reasonable under the Fourth Amendment. The case involved a challenge by a private party to directives that were issued under the law to assist the government in conducting foreign intelligence surveillance against targets reasonably believed to be located outside the United States.
The Future of Privacy Forum on Tuesday recommended that President-elect Barack Obama appoint a chief privacy officer to promote fair information practices in the public and private sector and ensure that interactive tools used by government are transparent to citizens. Obama has already expressed interest in naming a chief technology officer within the White House. The recently launched group, which is backed by AT&T, also called for a standard definition of "personal information" and said the FTC should be given more technology and research resources as well as enhanced criminal law enforcement support.
The recommendations follow a December letter to Obama by 30 privacy, consumer and civil liberties groups that stressed the importance of protecting privacy in his administration. Obama has stated support for strengthening of privacy protection by harnessing the power of technology to hold government and businesses accountable for violations of personal privacy. The coalition said in the letter that there "is a clear need to address the spiraling problems of identity theft, security breaches, and the commercialization of personal information."
"We are in an era where the personal use of data brings opportunities for advancements that can improve millions of lives, but the misuse of data can also negatively impact millions of citizens," FPF co-chair Christopher Wolf said in a release. "Traditionally, government privacy protections were intended to limit the collection of data by government about its citizens. In today's web 2.0 environment, citizens expect to interact electronically by exchanging information with government leaders and agencies," added co-chair Jules Polonetsky. "Charting the appropriate user controls around this data is critical."
Sen. Dianne Feinstein, D-Calif., on Tuesday introduced a pair of data security bills -- one that would require businesses to notify consumers in the event of a security breach and another, co-sponsored by Sens. Judd Gregg, R-N.H., and Olympia Snowe, R-Maine, that would ban the sale or display of an individual's Social Security number without his or her consent. The legislation, which she also offered in the 110th Congress, was part of a package of "first day" bills she sponsored as members returned to Capitol Hill, according to a release.
Specifically, her breach bill would require a federal agency or business entity to quickly notify an individual of a security breach involving personal data and would require notice to the Secret Service if records of more than 10,000 individuals are obtained or if the database breached contains more than a million entries, is owned by the federal government, or involves national security or law enforcement. The Social Security measure would prohibit federal, state and local governments from displaying the numbers on records posted online or from printing them on government checks. It would also place limits on when businesses can ask customers for their Social Security numbers.
Privacy concerns continue to plague state-run intelligence "fusion centers" that the Homeland Security Department has set up around the country despite security provisions contained in a law enacted last year to implement recommendations of the 9/11 Commission, according to an agency analysis released this week. The DHS privacy impact assessment says worries persist in the following areas: 1. Justification for fusion centers. 2. Ambiguous lines of authority, rules, and oversight. 3. Participation of the military and the private sector. 4. Data mining. 5. Excessive secrecy. 6. Inaccurate or incomplete information. 7. Mission creep.
The report goes on to state that "no information sharing regime is free from privacy risks" and says its authors examined a number of those risks and the positive steps both DHS participants in the initiative as well as representatives of fusion centers have taken or should take in the future to mitigate them. As the program matures, the DHS Privacy Office anticipates discovering new privacy challenges that need to be addressed and the PIA will be updated whenever necessary, the document said. Additionally, the Privacy Office called for "a regular and ongoing examination of privacy issues within the fusion centers."
The ACLU has been a leading critic of the centers, which have also been the topic of at least one hearing of the House Homeland Security Intelligence Subcommittee in the 110th Congress. The ACLU's top lobbyist Caroline Fredrickson has complained that the centers differ in significant ways and there is no single model or standards by which their data gathering and sharing activities are governed. Lawmakers must have a discussion about guidelines and the private sector's role in the data swapping, she said. "In a multiagency environment when it's unclear which agencies' rules apply, very quickly, no rules apply," added ACLU policy counsel Mike German.
The latest issue of National Journal magazine features an explosive cover story about how the Chinese -- or someone -- hacked into congressional computers in 2006 and what it will take to keep out the next electronic invader. The article by staff writer Shane Harris cites details from a confidential briefing on the investigation into the incident prepared by the House of Representatives' Information Systems Security Office, which monitors the computers of all members, staffers, and committee offices.
The security office determined that eight members' offices were affected; in most of the offices, the virus had invaded only one machine, but in some offices, it hit multiple computers. It also struck seven committee offices, including Commerce; Transportation and Infrastructure; Homeland Security; and Ways and Means; plus the Commission on China, which monitors human rights and laws in China. Most of the committee offices had one or two infected computers. In the International Relations Committee (now the Foreign Affairs Committee) office, however, the virus had compromised 25 computers and one server, according to the article.
Read the full story here and watch a multimedia slideshow companion to the piece here.
Congress should consider taking legislative steps to strengthen procedures that private-sector organizations use to authenticate their customers' identities, the FTC recommended in a Wednesday report on Social Security numbers and identity theft. Currently, the only private-sector entities subject to nationwide authentication standards are financial institutions regulated by the federal banking agencies and the FTC said lawmakers should ponder imposing similar rules to cover other industries that maintain consumer accounts.
"Such standards would require organizations to adopt reasonable procedures for authenticating customers, but also would allow them to adopt a program that is compatible with their size and the nature of their business," the report states. The FTC report also recommended that steps be taken to reduce the unnecessary display and transmission of SSNs, but noted such restrictions must be approached carefully. A number of important functions in the U.S. economy depend on use of and access to SSNs, and the report concluded that overly restrictive attempts to limit the availability could unintentionally curtail those functions.
Various bills were introduced in the House and Senate in the 110th Congress that were intended to address problems associated with SSNs as well as larger ID theft issues. Read more about the FTC report here.
House Telecommunications and the Internet Subcommittee Chairman Edward Markey, D-Mass., on Wednesday lauded a decision by Yahoo to decrease the amount of time it keeps personal information about online searches and consumer Web use to 90 days, after which that information will be effectively anonymized. "Consumers deserve ample privacy protections in the digital era to ensure trust and freedom on the Internet," Markey said in a statement, noting he has been pressing Internet firms for greater voluntary efforts to roll back "massive, systematic gathering of information about individual consumer Web use and the long term retention of such data in a form that can identify the Web habits, interests, searches, and purchases of individual Americans."
By making the change from 13 months to three months, Yahoo set a new standard for such privacy protection against which Google, Microsoft and others will now be compared, Markey said. Earlier this year, Google halved the amount of time it stores personal data to nine months and Microsoft has said it will cut the time to six months if its rivals follow suit. The European Union has recommended that companies keep data no more than six months. Privacy International's Simon Davies told the BBC that he hoped firms would set an industry-wide standard of 30 days. Ari Schwartz of the Center for Democracy and Technology told Reuters that Yahoo's announcement is significant because "they actually have an implementation plan to get this done."
A trade group representing Google, Time Warner's behavioral advertising subsidiary Tacoda, and Yahoo on Tuesday unveiled an upgraded self-regulatory code of conduct, which has guided Internet advertising providers since 2001. The updates come on the heels of increased scrutiny by lawmakers, the FTC, and privacy watchdogs. But critics argue the Network Advertising Initiative's updates fail to adequately protect consumers because its member companies still rely on obtuse privacy policies and an antiquated definition of "personally identifiable information."
The revisions neither ensure that financial-related information be classified as "sensitive" nor include strict enough restrictions for targeting Web users based on health concerns, according to the Center for Digital Democracy's Jeff Chester. NAI's update says its members will "continue their commitment to respect appropriate fair information practices" and to preserve a self-regulatory environment. But privacy advocates, who were slated to meet with members of President-elect Barack Obama's transition team, said they would press for more government oversight of the industry.
The Center for Democracy and Technology said the Internet advertising industry "took a meaningful step toward protecting consumer privacy" by updating its code of conduct but the effort "falls short on several issues, leaving holes in consumer protection that must be plugged by federal privacy legislation." Like Chester, CDT's staff was disappointed that NAI retained its definition of "opt-out." In eight years, the group had time to develop an easy-to-use and accessible standard that honors consumer choices, the think tank said.
The Identity Theft Resource Center unveiled its predictions for 2009 on Tuesday and real estate and credit card-based scams top the nonprofit's list of potential problems on the horizon. Multiple scams are already circulating on the Internet and through local advertising that attack the equity in a home or which may be used to establish a whole new home loan, the group said. Meanwhile, ID thieves may also take advantage of the tight credit climate by advertising the ability to get credit cards despite a poor credit score or the lack of a Social Security number.
The center warns that job scams are on the rise -- as people seek second sources of income -- and a variety of fake IRS emails have arisen, including tax refund offers, audit information demands and verification of citizenship status. In addition, the center is anticipating an increase in check fraud and sophisticated ways to "mine" personal information, sometimes by organized crime groups. On a positive note, the center predicts increases in the number of state and federal agencies and nonprofits that provide free ID theft victim assistance.
The FBI has identified a new technique used to conduct so-called "vishing" attacks where hackers exploit a known security vulnerability in Asterisk software, the agency said Tuesday in a press release. Asterisk is free and widely used software developed to integrate Private Branch Exchange (PBX) systems with voice-over-Internet protocol communications services. The vulnerability can be exploited by cyber criminals to use the system as an auto dialer, generating thousands of vishing telephone calls to consumers within one hour, officials said.
Digium, the original creator and primary developer of Asterisk, released a security advisory in March 2008, which contained the information necessary for users to configure a system, patch the software, or upgrade the software to protect against the threat. If users fall victim to this exploit, their personally identifiable information will be compromised, the FBI said. To prevent further loss of consumers’ data and to reduce the spread of this new technique, businesses using Asterisk must upgrade their software to a version that cannot be compromised, officials said.
Consumer Watchdog, a group that has begun to press Google to enhance the privacy and security of its applications (see earlier blog post), is a newcomer to the let's-bash-the-Internet-behemoth brigade so the obvious question is: who bankrolls the Santa Monica, Calif.-based organization? The group's work in the privacy arena, according to its president Jamie Court, is 100 percent funded by the Rose Foundation. The foundation, which believes that "environmental stewardship, community regeneration, consumer protection, robust civic participation and a healthy economy are all inextricably linked," laid down $100,000 this year to fund a so-called "Google Privacy Rights Project."
The grant's description reads: "Few search engine users are aware of the extent to which Google and other leading search engines collect and categorize customers’ personal information, and the extent to which this information may be shared with marketing partners. This vast collection of customer specific data is also an attractive target for hackers, identity thieves, and governmental surveillance. The project will develop a comprehensive set of model privacy protection policies, and conduct a campaign to encourage Google to become the standard-setter in customer privacy protection."
In terms of general funding, Consumer Watchdog (formerly the Foundation for Taxpayer and Consumer Rights) receives about a third of its backing from foundations like Rose; the Nathan Cummings Foundation ("committed to democratic values and social justice, including fairness, diversity, and community"); the California Endowment ("a private health foundation that provides grants to community-based organizations throughout California"); and the Arca Foundation ("empowering real change by empowering people to help shape public policy"). Another third comes from legal fees in court cases the group wins and the final third comes from individual donors.
The Government Accountability Office reported this week that Social Security numbers are widely available in bulk and online records held by government agencies but changes to enhance security are occurring. The agency's letter responded to an inquiry from Sen. Charles Schumer, D-N.Y., who chairs the Senate Judiciary's Subcommittee on Administrative Oversight and the Courts. He had asked the GAO to examine who has access to what records that may contain SSNs and for what reasons they were obtained. The GAO surveyed a sample of 247 counties in 45 states and received responses from 89 percent of those queried.
The GAO found that many counties make public records that may contain SSNs available in bulk to businesses and individuals in response to state open records laws, and also because private companies often request access to these records to support their business operations. The watchdog's sample allowed GAO to estimate that 85 percent of the largest counties make records with full or partial SSNs available in bulk or online while smaller counties are less likely to do so (41 percent).
County officials and businesses told GAO that SSNs are generally found in certain types of records such as property liens and appear relatively infrequently. However, because millions of records are available, many SSNs may be displayed. Counties generally do not control how records are used, GAO found. Of those that make records available in bulk or online, about 16 percent place restrictions on the types of entities that can obtain them. Title companies are the most frequent recipients, but others such as mortgage companies and data resellers that collect and aggregate personal information often obtain records as well, officials said.
Nearly 70 percent of U.S. businesses responding to a Justice Department national computer security survey detected at least one cybercrime and over half reported experiencing one or more cyber attacks, the agency announced Wednesday in a Bureau of Justice Statistics report. The findings were released in the same week that Congress sent a major identity theft bill to President Bush for his signature.
The legislation, which would give victims of ID theft the right to seek restitution for the loss of time and money spent restoring credit and would ensure that criminals who impersonate legitimate businesses to steal sensitive personal data can be prosecuted under federal ID theft laws, won House approval Monday. The bill also would make it a felony to use secret, malicious software to damage 10 or more computers regardless of the aggregate amount of damage caused. Sources said Bush was expected to sign the bill later this week or early next week.
The measure passed the House by voice vote after being combined with a proposal to extend Secret Service protection to former vice presidents. The cybercrime bill, sponsored by Senate Judiciary Committee Chairman Patrick Leahy, passed the Senate twice before the House acted. Internet safety crusader Rep. Zoe Lofgren, D-Calif., said the bill "takes a measured and balanced approach to dealing with the growing impact of spyware on our nation’s productivity" and Rep. Bob Goodlatte, R-Va., said it "correctly focuses on criminal behavior rather than imposing technological mandates."
Google announced late Monday that it will be anonymizing Internet protocol addresses in its search logs after nine months instead of the previous 18-month period to address regulatory concerns and to take another step to improve privacy for users. In March 2007, Google was the first major search engine to agree to anonymize search server logs in the interest of privacy and others followed suit.
Over the last two years, policymakers and regulators -- especially in Europe and the United States -- have continued to ask Google and others to explain and justify the shortened logs retention policy, Google executives wrote on their company blog. Google responded with an open letter and this week filed an official response to EU privacy officials.
"We haven't sorted out all of the implementation details, and we may not be able to use precisely the same methods for anonymizing as we do after 18 months, but we are committed to making it work," they wrote. "While we're glad that this will bring some additional improvement in privacy, we're also concerned about the potential loss of security, quality, and innovation that may result from having less data."
Read the full post here.
The total number of breaches on the Identity Theft Resource Center’s 2008 breach list surpassed the final total of 446 reported in 2007, more than four months before the end of 2008, officials said Monday. As of Aug. 22, the number of confirmed data breaches in 2008 stands at 449 but the actual number of breaches is most likely higher due to under-reporting.
ITRC recognizes that 449 breaches in less than a year is a small number when compared to the total number of business, governmental, health, banking and educational entities that have databases. However, for the individuals whose information has been exposed, 449 data exposure events are still too many, the watchdog group said.
The center's founder Linda Foley attributes part of the growth to the ability to access state attorney general notification lists which contain breaches that were not reported via media or other sources. Meanwhile, the number of attacks, in addition to publicly disclosed breaches, continues to escalate as criminal networks mushroom, Gartner analyst Avivah Litan said.
In the last few weeks, the U.S. Secret Service announced the investigation of a cybercrime group that may have hacked tens of thousands of credit and debit card accounts from Louisiana and Mississippi restaurants this year. Also, on Aug. 5, the Justice Department announced the indictments of 11 defendants who tapped networks of several major companies.
The American Civil Liberties Union will urge a federal appeals court on Wednesday to uphold a decision striking down the so-called "national security letter" provision of the Patriot Act. The provision gives the FBI the authority to issue letters demanding private information about people within the United States and to place the recipients of the letters under indefinite gag orders. The issue has also been repeatedly scrutinized on Capitol Hill in the 110th Congress.
The ACLU and New York Civil Liberties Union filed a lawsuit in April 2004 on behalf of an Internet Service Provider that received an NSL. Because the FBI imposed a gag order, the suit was filed under seal and the ACLU is banned from disclosing its client’s identity. The ACLU initially challenged both the FBI’s power to demand records without judicial oversight and its power to impose gag orders on NSL recipients.
In September 2004, U.S. District Judge Victor Marrero struck down the statute. The government appealed the ruling but Congress amended the NSL provision before a decision was issued. The ACLU brought a new challenge to the amended version, and in September 2007, Marrero again found the statute unconstitutional. The government appealed that ruling and the parties will now face off before the U.S. Court of Appeals for the Second Circuit in New York City.
President Bush on Tuesday announced his intention to nominate the Center for Democracy and Technology's James X. Dempsey to serve a five-year term on the White House Privacy and Civil Liberties Oversight Board, an independent panel within the executive branch that will review the civil liberties impact of anti-terrorism policies and programs, providing advice on policy development and implementation and oversight of government actions relating to terrorism.
In legislation adopted last year, Congress reconstituted the five-member board and made it independent of the White House amid concerns over its autonomy. The board was established in 2004 at the behest of the 9/11 Commission and the posts (two Democrats and three Republicans), which are subject to Senate confirmation, are part-time.
In March, Bush named the Republicans that he wants to serve on the panel: Homeland Security Department civil liberties officer Daniel Sutherland, constitutional law professor Ronald Rotunda and General Electric Chief Security Officer Francis Taylor. The terms of its original members expired in January and the president has not announced the name of the candidate who would fill the remaining Democratic slot.
Watchdog groups Free Press and Public Knowledge slammed online advertising firm NebuAd on Wednesday for allegedly intercepting Web browsing and altering Web site computer codes. The company's relationship with cable and telephone companies has raised privacy questions for House Subcommittee on Telecommunications and the Internet Chairman Ed Markey, D-Mass., and House Energy and Commerce Committee ranking member Joe Barton.
In a new report, “NebuAd and Partner ISPs: Wiretapping, Forgery and Browser Hijacking,” Robert Topolski, the chief technical consultant for the organizations, found that NebuAd uses special equipment that “monitors, intercepts and modifies the contents of Internet packets” as consumers go online. Topolski, if you recall, was the network engineer who made public Comcast’s throttling of BitTorrent applications.
“NebuAd commandeers users’ Web browsers” to load tracking cookies and collects information from users in order to place ads from ISPs, the study stated. “Apparently, neither the consumers nor the affected Web sites have actual knowledge of NebuAd’s interceptions and modifications.”

Privacy and consumer advocates urged Internet giant Google on Tuesday to post a prominent link on its homepage to its privacy policy. Their letter to CEO Eric Schmidt urges the Mountain View, Calif., company to comply with state law and "the widespread practice for commercial Web sites as soon as possible."
The effort is being spearheaded by the Electronic Privacy Information Center; Privacy Rights Clearinghouse; World Privacy Forum; Consumer Action; the Electronic Frontier Foundation; the American Civil Liberties Union of Northern California; and the Consumer Federation of California. The groups hosted an afternoon conference call with reporters to further articulate their message.
Google has been criticized recently for failing to post the privacy policy link because officials said they did not want to clutter the search engine's homepage. Several experts, including the head of the California Office of Privacy Protection, have said that Google should include the link.
"Consumers should be able to access Google's privacy policy with just one click from its homepage -- this is an industry-wide best practice that Google is not exempt from," WPF Executive Director Pam Dixon said. EPIC's Marc Rotenberg added: "This is not rocket science -- and the word 'privacy' is not going to take up a lot of space."
A Google spokeswoman said her company shares the view that privacy information should be easy to find "and we believe our privacy policy is readily accessible to our users." Privacy information should also be easy to understand, she said. That's why in addition to offering a Privacy Center, Google created a YouTube privacy channel with videos explaining its practices and products.
The American Civil Liberties Union, the Constitution Project and Electronic Privacy Information Center sent a letter Friday to members of the D.C. City Council calling on them to reject Mayor Adrian Fenty's request for more than $900,000 for the Homeland Security and Emergency Management Agency to centralize monitoring of more than 5,000 cameras installed in public schools, public housing, and residential neighborhoods.
The cameras are currently operated under the auspices of several different city agencies, including the Metropolitan Police Department, which has implemented policies governing use and protecting individual privacy that have been heralded by law enforcement officials, public security experts, and privacy advocates as among the nation's best. The policies, developed through hearings in 2002 and 2006, have not been adopted by HSEMA.
"Even if the Council determines that some new network would be appropriate, it is important to assess carefully which cameras and how many of them should be part of such a network," the letter said. "Before any funds are appropriated, HSEMA should develop, with public input, a robust privacy policy to govern operation of such a network." The group said it is critical that the city "preserve the important privacy and civil liberties safeguards currently in place."
Former FBI agent Michael German, who now works for the American Civil Liberties Union, slammed the intelligence agency on Wednesday for ignoring laws and internal guidelines pertaining to the use of national security letters -- administrative subpoenas that allow agents to grab phone, computer and bank records in suspected terrorism cases without warrants.
FBI Director Robert Mueller told the Senate Judiciary Committee on Wednesday that the Justice Department will soon release an audit from 2006 that highlights some problems, many of which predate reforms. He also pledged "continued vigilance in this area." Read CongressDaily's coverage here.
"When it comes to NSLs, there are laws and there are internal guidelines – the FBI ignored both," said ACLU National Security Policy Counsel Michael German. New guidelines have been introduced, but an IG report from last year "makes clear that internal guidelines are meaningless to the FBI."
Instituting judicial oversight would guarantee that someone would be looking over the shoulder of agents using a tool as invasive as an NSL, German said. Lawmakers also have the power to narrow the scope of the statute and they should use it – especially when the data collected is being stored and not destroyed, he said.
America Online, Hewlett-Packard and Intuit have been named the most trusted companies for privacy of 2007, according to Internet privacy group TRUSTe and the Ponemon Institute, a privacy think tank.
The winners were announced at the Congressional Internet Caucus annual summit. The award is designed to celebrate the companies who take active measures to protect and inform their consumers and to encourage a safer online ecosystem, TRUSTe said.
Firms were judged by rigorous criteria, which included the clarity and readability of privacy statements and notice, account information access and the ability to make changes, cookie practices, in-network and out-of-network data sharing practices, choice, regulation, infrastructure and customer service, among others. Read more here.
"HP realizes the importance of privacy and trust not only to our customers but also to the success of our business," HP Chief Privacy Officer Scott Taylor said in a press release. "It comes down to respecting individuals and their right to privacy, and that's why we hold ourselves accountable to a higher standard."
The American Civil Liberties Union has launched a clever campaign to draw attention to government and private sector data-collection activities that they believe could institute a 24-hour surveillance society.
A new animated video on the group's Web site warns that ordering pizza could be hazardous to your health -- and privacy. In the skit, a man orders a pie on the phone and Pizza Palace instantly knows everything about him -- from his work and home addresses and phone numbers to his travel habits, magazine subscriptions and blood pressure.
The ACLU claims that intelligence initiatives like the now-defunct MATRIX (the Multistate Anti-TeRrorism Information eXchange) and the FBI's Carnivore are destroying citizens' privacy. "They want to track your purchases, your medical records, and even your relationships," the ACLU argues. Makes you wonder how much your Domino's delivery guy really knows -- other than the fact that you like extra cheese and black olives.
When Nuala O’Connor Kelly joined General Electric as the conglomerate's privacy chief in October 2005, she knew there might be some perks. One of them, she told an American Bar Association conference on Friday, is getting a good deal on refrigerators -- and presumably other appliances manufactured by the multinational.
Her role, which she said is considerably less stressful than her previous post as the first Homeland Security Department chief privacy officer, has come with a steep learning curve. "We have so many divisions, I'm still trying to figure out what all of them do," O'Connor Kelly joked.
GE, which owns NBC (as well as businesses that manufacture electrical and lighting equipment, medical devices, aircraft jet engines and plastics), has "one of the biggest consumer databases in the world," she said. But don't worry, O'Connor Kelly is there to make sure that all the information GE collects about you stays safe and secure.
The Department of Homeland Security is hosting a two-day workshop on the privacy and civil liberties implications of closed-circuit television surveillance. Panel discussions involve perspectives from the technology, law enforcement, community, international, and legal and policy arenas. In an age of Web wonders, CCTV, which some think of as an old-school, convenience store security tool, gets lost in the shuffle. But as speakers on Monday noted, CCTV has come a long way in the digital age. Read more in Technology Daily's PM edition. The photo above was taken at the deli on-site at the conference. It just seemed appropriate.
The Justice Department on Monday unveiled $1.7 million in funds for national, regional, state and local organizations and agencies that assist victims of identity theft and financial fraud. Read more about it in Technology Daily's PM Edition.
Betsy Broder, who oversees the FTC's ID theft efforts, lauded the grant-giving and told us that she met with and is providing guidance to the handful of groups that got the money. Every year, her agency responds to about 250,000 ID theft victims, she said.
Many consumers are "able to respond quickly and effectively themselves to recover from ID theft" but others aren’t as lucky, Broder noted. The grant program "contributes to the resources available for those consumers who need help" to recover from ID theft.
While certain forms of ID theft do not always have a financial impact, resolving issues can be time-consuming and stressful for consumers, added Andy Serwin, a partner at Foley & Lardner who focuses on privacy and security matters.
Justice's focus on prevention is important, he said: "While identity theft can result from actions by third-parties, in many cases consumers themselves create conditions that increase their odds of being a victim of identity theft."
Ed Mierzwinski, consumer program director for the U.S. Public Interest Research Group, also weighed in. He said the grants will "provide critical assistance to some of the small organizations helping ID theft victims clear their names."
"In the long run, the solution to identity theft is to hold data collectors – banks, stores and government agencies – accountable so that they protect information better in the first place," Mierzwinski said.
StopBadware.org, a Web site run by Harvard Law School, Oxford University and Consumer Reports, is weighing in on the controversy over social networking site Facebook's new application that lets users see what other members are buying online.
Upon announcing an opt-out for the controversial tool known as Beacon, Facebook CEO Mark Zuckerberg said: "[I] hope that this new privacy control addresses any remaining issues we’ve heard about from you." StopBadware said it doesn’t.
Facebook offers its partner sites the option of whether or not to use an encrypted connection to send data (e-mail address, item purchased, etc.) from a user's PC to Facebook's servers. StopBadware wants that action to be mandatory, not optional.
When a user declines to use Beacon or clicks "no thanks" when asked to publish a story in his/her profile, it is not made clear to the user that the data will still be sent to Facebook, the group said. Read more of StopBadware's blog post here.