Privacy issue index (30 May 12)

Abine, Inc., a Boston-based online privacy startup, provided NTIA with a tutorial on: online data collection; the data broker industry; and, "restrictions on developer innovation in the mobile privacy realm".

Topics to discuss

"Due to a lack of consumer awareness of the existence of data brokers, complex opt-outs, severe risks of harm, and an industry history of deceptive behavior, the current state of the data broker industry is unacceptable to consumers," argued Abine in recommending five areas for "clarification and investigation" through the multistakeholder process:

1. data accuracy;
2. opt-out definition and process;
3. transparency of data sources;
4. compliance and compliance assurance; and,
5. special care for high-risk groups, such as law enforcement professionals and individuals who have been stalked, abused or had their identities stolen.

The Federal Trade Commission (FTC), chief privacy policy and enforcement agency in the United States, issued a final report in March 2012 entitled: Protecting Consumer Privacy in an Era of Rapid Change [pdf].

The report expands on a preliminary report from December 2010, and calls on businesses to implement best practices to protect US consumers' information. These practices include making privacy the 'default setting' when handling data, and giving consumers greater control over how their personal data are collected are used.

Implementing these practices, the report says, will enhance trust and stimulate commerce. The FTC also recommends that Congress considers passing legislation covering general privacy, data security and breach notification, and data brokers.
The report urges companies to follow a privacy framework that is split into three main areas:

The lowdown on plans for a pan-European privacy law

What's happening?

In January, the European Commission (which sets regulations for its 27 member states) announced that it was overhauling its data protection legislation. The Commission wants to replace the EU's 1995 Data Protection Directive (on the protection of individuals with regard to the processing of personal data and on the free movement of such data) with a new law that will be enforceable across 27 countries that make up the EU (the proposed legislation in full [pdf]).

What's wrong with the Directive?

A key notion of privacy is becoming increasingly tenuous

Do you agree with the following terms and conditions?

Every week millions of consumers are faced with this question when updating software on their computer or cell phone, or when they log into an online service that stores personal information.

And of course every single person clicks "Agree" having read barely a word of the pages of text that outline what the company can now do you with your data. You have no real choice of course: if you don't agree, it simply ceases to function. Your iPhone becomes a $300 paperweight; Facebook slams shut.

Everyone from consumers to companies to legislators recognize this as a ridiculous state of affairs but it remains a stubborn, if increasingly mocked situation for one simple reason: the globally accepted notion of "consent".

Privacy in the online era means big changes in all our thinking

"People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people," Facebook's CEO Mark Zuckerberg told an audience in January 2010. "That social norm is just something that has evolved over time."

Zuckerberg's comment came hot on the heels of another from Google's then CEO Eric Schmidt: "If you have something that you don’t want anyone to know," he said in response to privacy concerns over the information his company possesses, "maybe you shouldn’t be doing it in the first place."

Major divisions lead to late-night discussions and bland text

The 15th session of the Commission on Science and Technology for Development (CSTD) in Geneva last week produced two draft resolutions to be presented to the ECOSOC meeting in July:

• Assessment of the progress made in the implementation of and follow-up to the outcomes of the World Summit on the Information Society (WSIS)
• Science and technology for developments

The WSIS draft resolution was by far the more controversial, containing text on Internet governance matters. In fact, it almost didn't happen at all, with the chair of the drafting group suggesting late on the Friday night that perhaps they needed to report that they couldn't reach agreement on a way forward. The lack of a resolution would reflect badly on all States involved, and so a draft resolution was eventually agreed to that consisted mainly of text from the previous year, with very little in the way of recommendations for going forward.

Last week, I took part in a panel discussion on Enhanced Cooperation at the UN Commission for Science and Technology for Development with Theresa Swinehart of Verizon and Parminder Singh of ICT for Change.

I was a bit surprised to be invited, to be honest, because "Enhanced cooperation" has been a bit quiet recently. It made me reminisce: back in the day, Enhanced Cooperation was Internet governance viagra.

The story goes like this. Imagine you're a government rep in 2003. You hear that this thing called the Internet is going to be really big. When you ask who's in charge, you are given the worrying answer:

"No one. It's a distributed network, that's the point."

So, like any good regulator, you look for choke points and quickly find the domain name system. You are troubled to learn that it's controlled by a California corporation, and the US is the only government in sight.

The US government, and its role in overseeing ICANN became a hot button during the World Summit on the Information Society (WSIS).

ICANN announced that it was on track to close the delayed application window for new Internet extensions on 30 May, and that it now plans to release information on all the applicants for new gTLDs on 13 June. The organization also make clear it intends to move forward with its controversial plan to break the estimated 2,000 applications into batches of around 500. The batching system will use the same software that broke down in April and caused a six-week delay in closing applications.

Chairman of Estonia's registry operator, Marek-Andres Kauts, resigned following accusations of mismanagement and overspending. Kauts was the focus of a newspaper article claiming he had caused several key staff members of the Estonian Internet Foundation to leave and that it had spent unnecessary funds on equipment and resources. The broader Estonian Internet community is reportedly angry that dot-ee domains cost 17 euros wholesale. Kauts rejected the criticism. He will leave the organization at the end of July.

The Netherlands became the latest European country to refuse to sign the controversial Anti-Counterfeiting Trade Agreement (ACTA) when its Parliament decided it could damage privacy and Internet freedom. A government spokeswoman said it was waiting on the European Court of Justice to confirm the agreement did not violate fundamental rights. The news came as details of confidential ACTA meetings in 2009 were leaked and published online. It emerged that the European presidency chose not to brief EU member states about the negotiation's progress. Critics of ACTA claim it was negotiated in secret and put content producers' rights ahead of individual's basic rights.

The annual meeting of the UN's Commission on Science and Technology for Development (CSTD) went badly with delegates finally closing a bad-tempered week-long session at 1.35am on Saturday. Tensions between nations over 'enhanced cooperation' and the role of governments with respect to Internet governance, as well as suggested changes to the Internet Governance Forum (IGF) pitted Western nations against the likes of Iran and Saudi Arabia. In the end most of the text delegates had been working on was thrown out in order to reach agreement. Argument will now move onto the UN General Assembly as well as the WCIT conference in Dubai.

Google was cleared of infringing Java software patents within its Android operating system by a federal jury. The case was brought against Google by Java owner Oracle and had threatened to shake up the smartphone market, in which Android-running handsets are number one. By dismissing the patent infringement claims, Google now only faces a charge of copyright infringement. Oracle is free to appeal but has not yet said whether it will.

"Father of the Internet" Vint Cerf used an opinion piece in the New York Times to raise concerns over discussions at the ITU's WCIT meeting in Dubai in December. "While many governments are committed to maintaining flexible regimes for fast-moving Internet technologies," Cerf noted, "some others have been quite explicit about their desire to put a single UN or other inter-governmental body in control of the Net." Cerf joins a long list of articles published in the US warning about WCIT.

A highly sophisticated computer worm designed for cyber-espionage has been discovered. Called W32.Flame, security specialists Kaspersky Labs, working with the ITU, warned that the worm has been "in the wild" for at least two years but had gone undetected. The worm is able to grab screenshots of infected computer screens, send copies of files and even make audio recordings. Since the worm was located in large numbers in the Middle East and in particular Iran, speculation is that Flame came from the same stable as the Stuxnet worm that very precisely targeted Iranian nuclear centrifugal machines and so was likely engineered by the Israeli and/or US government.

Google published information about which companies have formally requested that the search engine company take down links to infringing material. There was some surprise to find Microsoft at the top of the list with an extraordinary 2.5 million requests to take down links to pirated software over the past year. Following Microsoft came a number of media organizations, as well as organization that specialize in having infringing content removed from the Internet. Each month, Google receives approximately one million requests to remove links on approximately 20,000 different domain names.