Privacy/Security

Online Privacy: It’s Time To Demand Executive Accountability

What if we approached online privacy the way we do financial reporting? That’s the solution that Mike Montgomery proposes in his newly published op-ed for Morning Consult.

According to Montgomery, CALinnovates’ executive director, Europe’s General Data Protection Regulation and the upcoming California Consumer Privacy Act are fundamentally flawed, because they ultimately make the consumer responsible for policing privacy. What we need, says Montgomery, is a law — such as the Sarbanes-Oxley Act that arose from the Enron scandal — that holds individual executives’ feet to the flames when privacy is breached.


The Dangers of a Geofenced Internet

By Tim Sparapani

A big part of the appeal of the World Wide Web has always been the first two words — “world” and “wide.” The internet represents an almost utopian ideal of a place where people around the globe can come together to share new ideas, create new products and even argue.

But as a privacy advocate, I fear we are rapidly hurtling toward the worst of all future states for the internet: one in which your present location dictates how much online privacy or free speech you enjoy. The current trend of carving up the country, and the globe, into an inconsistent patchwork of privacy and online speech laws benefits few and leaves too many exposed.

I’m a frequent traveler to California, and Assemblymember Ed Chau’s bill to mandate baseline privacy protections for consumers’ data got me thinking about the sorry state of privacy rights and the mistaken direction we are headed. If you are lucky enough to live in a state like California that favors privacy rights, you know that the region also favors policies that support innovation and places few limits on speech online.

But, since most of the world doesn’t live in such a digital utopia as California, many are likely to live, work and spend most of their time in a place that provides, at best, only moderate protections, while limiting what people can see, read or say online.

In the U.S., my fellow privacy advocates are seeking local regulations in reaction to failures at the federal level to enact wise data privacy and online speech policies. But Asm. Chau’s well-intentioned pro-privacy proposal is, unfortunately, only a bandage. It saps energy for the enactment of strong, nationwide policies to protect the privacy of consumers’ data — something we should all favor.

If the bill is enacted, when I visit California the ISPs I’ll encounter will protect my data more rigidly than those I use when I visit family in Wisconsin or am at my home in Washington, D.C. That leaves me less protected everywhere else and gives Californians an inflated sense of security while potentially leaving them exposed when they leave the state. That makes little sense. While I applaud California’s tradition of progressive privacy leadership, I deplore the fact that we don’t have basic privacy nationwide. For example, last year New Mexico became the 48th state to enact basic consumer protections for data breaches that leak consumers’ private data. But what about the residents of Alabama and South Dakota, or all of us when we visit those states for business or pleasure?

The danger of well-intentioned efforts that impose policy restrictions on the structure and content of the internet is real. While these proposals are laudable, personal privacy rights shouldn’t change from state to state. When Californians move around the country for work, to visit family or for vacation, they shouldn’t limit their travel based on states where they can privately and safely transmit medical or financial information, for example.

The same principle should hold true for Californians’ ability to access content or speak online as they travel the world. Restrictions in places like Turkey, Saudi Arabia, China and even across the European Union mangle the internet and make a mockery of the phrase “World Wide Web.”

Don’t mistake my message — I’m not saying we should get rid of all regulations. Instead, wise policies for the internet age — the kind that made California a beacon of innovation — should favor national and global norms that protect data while encouraging free speech. Consumers shouldn’t be left to fend for themselves under the lowest common denominator of protections. Instead, meaningful privacy protections need to be baked into national law.

If anything, the legislation should include more rigorous, broader privacy protections. The legislation should apply to offline businesses as well, instead of singling out ISPs, as retailers routinely obtain similarly sensitive information. The legislation should mandate that an ISP continue protections for Californian customers no matter where they travel to when using the same ISP, so that privacy protections would follow Californians across state lines at least some of the time. It should explicitly prohibit ISPs from obtaining roughly equivalent information about their customers by buying it from other companies that have it.

Most importantly, we need to give the Federal Trade Commission and the Office of the Attorney General of California the resources they need to protect consumer privacy both off- and online. We need robust enforcement of existing privacy laws coupled with a push for strong, nationwide protections.

The real danger in the internet age is states and countries erecting barriers that turn the web into a series of fiefdoms with different rules.

California can lead by example by promoting regulations that are robust and nationwide or global. But by enacting well-intentioned limitations on privacy, it gives encouragement to other well-intentioned rules. It prevents U.S. companies from arguing that rules on the web should be universal. After all, the rules in China to limit Chinese people’s access to the internet in the name of promoting security are also well-intentioned. The same is true for calls from French and Belgian national security agencies to force back doors in encrypted software and to limit speech in the name of potentially preventing radicalization. These types of regulations are always justifiable, but they turn the World Wide Web into a broken map full of unknown consequences.

That’s a destination that none of us wants to visit.

Tim Sparapani is Senior Policy Fellow at CALinnovates, a non-partisan technology advocacy coalition of tech companies, founders, funders and nonprofits.

This Attempt to Protect Internet Users’ Privacy Should Get an Error Message: Guest Commentary

By Mike Montgomery

Sometimes a good idea can come with unintended consequences. Take, for example, Assembly Bill 375, which is working its way through the California Legislature in the last few weeks of the session.

The bill, introduced by Assemblymember Ed Chau, D-Monterey Park, is well intentioned. It aims to limit how internet service providers (also known as ISPs) can use people’s personal data. Consumers would have to give opt-in consent before the ISPs could anonymize their data and then use it to learn about trends in the marketplace or TV viewing patterns.

But here’s the problem. If the Chau bill passes, it sets different standards in California than it does in other states. And implementing a different set of rules for Californians won’t create better online privacy for consumers. If anything, it will give residents in California a false sense of security.

The rules the state Legislature is proposing only apply to ISPs. This piecemeal approach means a website or app that you use frequently or only once can still collect, share and sell your data. Those ads you see after searching for a pair of shoes or a vacation destination online? Well that information is still being tracked by sites and vendors that would not be impacted by this bill.

A patchwork of regulations creates confusion for consumers, 94 percent of whom say they want their online data subject to a consistent set of privacy rules that apply to all reaches of the internet, according to data submitted to the Federal Communications Commission (FCC).

Inconsistent rules create confusion for consumers as well as entrepreneurs building internet companies in California and elsewhere. The startup community, which provides immense value to our state, would prefer to focus on consistent regulations when building and growing their platforms, not whether or not they are abiding by regulations that change from state to state.

That’s why CALinnovates continues to call for a single, federal policy to protect internet privacy across the country with one set of rules for innovators to follow and consumers to understand.

There is some good news, though. Not only does the Federal Trade Commission (FTC) still have oversight of privacy rules, but Californians are already protected by our “Little FTC Act,” which allows California’s attorney general to enforce federal privacy regulations. Additionally, there are numerous federal laws protecting sensitive consumer information around things like children’s data as well as financial and health-care information.

By enacting this legislation, California also risks its position as a progressive policy leader by setting restrictions on internet companies that don’t exist in other states. The law sends a message that our state is more interested in passing laws opposing the current presidential administration than in passing laws that protect consumers and create conditions for an ongoing virtuous cycle of investment, competition and job creation.

Privacy is essential. That’s why it needs to be tackled in a comprehensive manner by Congress. We need consistent regulations around privacy that apply to everyone, and across the entire internet ecosystem, no matter what state they live in or what their business model says about data collection and use.

Mike Montgomery is executive director of CALinnovates, a non-partisan technology advocacy coalition of tech companies, founders, funders and nonprofits.

This piece was originally published in LA Daily News.

WannaCry or WannaFixIt? Time for Action on Data Security

By Tim Sparapani

As we’ve seen from the latest round of WannaCry ransomware attacks, no one is safe from these viruses that have locked up the data of more than 200,000 users in at least 150 countries. When desperate consumers and businesses are hit, they often end up paying to get access to their data, which puts a tangible price on their hassle and inconvenience and makes it clear that safeguards that block attacks are essential.

But we should never waste a good crisis. This attack presents a chance to redouble efforts to stomp out botnets, which take over people’s computers and spread viruses.

There is no legislative silver bullet for cybersecurity. The U.S. Senate can take concrete action by swiftly passing the Modernizing Government Technology Act, which the House passed in May. Federal agencies can begin implementing the president’s executive order on cybersecurity. And, we should codify the Vulnerabilities Equities Process. Yet if government officials pour time and money into “solutions” targeting outdated issues, the public may remain as ill-prepared for the next botnet or malware attack as the last. Clearer thinking by policymakers about cybercrime is critical for improving how consumers and businesses prepare for the next hit.

First, it’s necessary to broaden the scope of concern about the damage these attacks cause. For the last 20 years, online security discussions have focused solely on data breaches and identity theft. But, any introductory textbook on information security will tell you that it’s essential to focus on integrity and availability of the data as well. Before WannaCry, the Mirai botnet attack unleashed billions of phony requests to a few websites, shutting them, and the services that rely on them, down. These attacks show that hackers can use brute force to shut down government services, cripple businesses and hurt consumers. But making users’ data unavailable can do almost as much damage as stealing it. Future attacks that merely alter data — thus undermining faith in the accuracy of things like bank or personal health records — can have similarly devastating effects and cost billions in losses.

It’s a mistake to believe that we can protect the public if the culprits are tracked down and arrested. Cybercrime is lucrative, and the tools of the trade are increasingly sophisticated and readily available. Fewer than 1 percent of all cybercriminals are arrested because it is so hard for law enforcement agencies to find them. Most cybercriminals attack from countries that lack the laws and tools needed to convict them. New technological interventions will be necessary.

Now consider how cybercrime can change and evolve. Spam, for example, is a much smaller problem now than it was 10 years ago. That’s partially because a few of the worst spammers were arrested. It’s also because tech companies competed to come up with technologies to keep their customers’ inboxes free from offers from Nigerian princes or bogus online pharmacies. When companies compete over security, the public wins and crime decreases. Government policies that encourage this kind of innovation and competition would benefit consumers.

WannaCry also showed that more user education does not dramatically reduce the incidence of ransomware, data theft and other cyberattacks. Most people know that patching is important. But it’s still not being implemented at scale, partially because everyone has their own devices, and those devices are increasingly connected to the internet. Instead of relying on users to upgrade their security, the tech industry should automate patching to keep our computers, phones and Internet of Things devices protected.

Fixating on establishing industry standards for proper consumer and corporate “cyberhygiene” is a distraction that may slow down cybersecurity innovation. Standards — when agreement can be reached, which is rare — typically take many years to develop, and this results in internet users relying on outdated software and hardware. Flexible approaches like the National Institute of Standards and Technology cybersecurity framework that raise questions but don’t dictate specific solutions are better.

Fortunately, there are more and more powerful technologies that can help defeat problems like ransomware and botnet attacks — but we’ll have to adopt new thinking on cyberattacks if we are to put them to use. The most important technology is cloud-based services, which can be used for storing and encrypting data, for blocking cyberattacks and for providing applications ranging from social media to specialized business services. Too many people are still reluctant to move their data off their premises, and in some cases they are even prohibited by law from doing so. But, a two-person dental office cannot do a better job of protecting its data and networks than a cloud company with leading-edge technology and best-in-class engineers dedicated to ensuring their systems are secure.

Finally, tech companies can become a first line of defense, particularly if the U.S. government shares any software vulnerabilities it discovers. The president and Congress should work together to codify the Vulnerabilities Equities Process so that national security and law enforcement agencies can provide tech companies with the sort of insights that can help them close gaps before malicious actors exploit them. Our national economic security depends on this. We should enact legislation that favors disclosure of vulnerabilities to U.S. tech companies, and the recently introduced Protecting our Ability to Counter Hacking Act has helped start that conversation.

Artificial intelligence, machine learning and big data are other effective tools for preventing or responding to attacks. But these new solutions will not be adopted if governments and businesses don’t understand that much of the old thinking about cyberthreats and cybercrime has to be reconsidered in light of emerging threats.

Tim Sparapani is a data privacy law and policy expert serving as senior policy fellow with CALinnovates and principal at SPQR Strategies.

This piece was originally published on Morning Consult.

Innovators Need Closure On The Apple v. Samsung Case

By Tim Sparapani

The dispute between Samsung and Apple over allegations that Samsung stole Apple’s mobile phone design is like a piece of gum that you’ve been chewing for way too long. It’s time to spit it out.

There’s an enormous amount at stake for innovators in this fight over mobile phone sales, and as I’ve written many times before, this case truly matters. How, or if, damages are ever calculated for Samsung’s infringement of Apple’s rounded-corner phone design will set precedent that will influence Silicon Valley for years to come.

There’s also a real risk that if the outcome establishes the wrong formulation for calculating patent design damages, it will create a new type of design patent troll — essentially law firms that will sue companies to attempt to extort settlements from them based on allegations that they have infringing product designs.

As a reminder, here’s how we got to the point where a federal court has been told to determine anew potential damages for alleged design patent infringement. Last year, the U.S. Supreme Court decisively reset the rules of design patent cases to prevent them from spinning out of control. The court rejected Apple’s position that it was entitled to the full cost of each iPhone that wasn’t purchased because a consumer had instead opted for the infringing Samsung phone.

If the court had ruled in favor of Apple’s position, Samsung would potentially have been on the hook for an estimated $1 billion. But the court decided (to Silicon Valley’s delight) that this “total profits” damages theory was erroneous because software-powered hardware is routinely filled with hundreds if not thousands of other patented inventions that give those products their value.

While the Supreme Court wisely struck down this total profits standard, it left the job half done by tossing the case back to a lower federal court to determine the appropriate damages. That’s why the upcoming decision from the Federal District Court for the Northern District of California will establish precedent around what portion of a product is attributable to its design as opposed to its functionality.

Drawing that line is easy with something like a shovel, which is a relatively simple tool. It’s much harder to do with a complicated piece of technology like a drone, an autonomous vehicle or a smartphone. The court will need to craft a smart rule that divvies up the pie so future judges and juries can determine damages when these cases invariably come up again.

Full disclosure here: As I’ve written before, I’m an unequivocal Apple fan boy. Since the U.S. Supreme Court’s ruling, my family has bought two more iPhones, and I’m writing this piece on my new Mac. I love the design, durability and functionality of Apple’s products. Simply put, though, the risk to innovators is too high if Apple is allowed to recoup the lion’s share of its alleged losses because a lower court elevates the concept of design over product functionality.

The court’s determination will go beyond the question of how much Samsung has to pay Apple. It will lay the groundwork for rules about how we properly compensate the designers who produce iconic, paradigm-shifting product designs, particularly when those designs are only a portion of the usefulness of the product they are part of. The decision will tell us a lot about where the value lies in any new piece of technology. That’s going to be an important factor in ensuring all innovators in Silicon Valley, including coders and designers, prosper.

The longer this case drags on, the more these questions go unanswered and the more difficult it is for people who might be working on ground-breaking products to move forward.

This piece was originally published in Forbes.

Why the FTC must regain its power as the top cop in online privacy

By Tim Sparapani

There are a few things that are constant in this world: death, taxes, and the fact that every new administration rethinks regulations.

That can be a big problem, especially when it comes to consumer privacy rights. The rules that govern how companies collect, use and share consumers’ data shouldn’t ebb and flow like the tides. They should be cemented in place to give companies and consumers desperately needed assurance that the landscape won’t keep changing.

For years, privacy advocates like me have pushed for protections on consumer data collected on and offline. We urged that the U.S. Federal Trade Commission (FTC) be given additional resources to focus specifically on the misuse of consumer data collected offline and merged with online data.

Unfortunately, the FTC’s wings were clipped when another federal agency, the Federal Communications Commission, expanded its previously narrow privacy authority. While that might sound like something privacy advocates would applaud, it’s a move that’s only muddied the waters and, arguably, reduced protections for consumers’ online privacy.

The U.S. Federal Communications Commission’s (FCC) self-approved expansion of authority actually displaced the FTC entirely. FTC staff had consistently policed online privacy with an impressive level of authority and competency.

That not only left consumers’ privacy in limbo, it pushed innovators and startups into a chaotic, unpredictable regulatory landscape for all online products and services that make use of consumer data.

The confusion that resulted from this was compounded by the election. Before the FCC could even hire privacy experts or prepare policy pronouncements, a new commission was ready to walk through the door. That’s why it is long past time for Congress to impose some order on the privacy landscape. One easy thing Congress can do is return the FTC to its place as the top privacy cop on the internet beat.


This piece was originally published in The Hill.

CALinnovates Welcomes Call For Fresh Look at Online Consumer Privacy Rules

By Tim Sparapani

Innovators and startups welcome the news that policymakers are taking a fresh look at how to protect consumers’ privacy online. While the headlines may try to spin this as just another partisan food fight, in truth it’s an incredibly important opportunity to restore balance and clarity to consumer privacy rules in the online ecosystem.

As we’ve said from the start, the privacy rules adopted late last year by the Wheeler FCC were clearly flawed and the ongoing jurisdictional tussle over privacy needs to be resolved for the benefit of consumers and companies alike. The Wheeler rules created an inconsistent, confusing patchwork, in which consumers’ private information on the internet would be protected differently depending on which servers and routers their data happened to be crossing. Yes, the exact same data would arbitrarily enjoy different levels of protection. 94% of consumers believe that all companies collecting their information online should face the same set of rules – and they’re right. The Wheeler rules break from the bipartisan FTC privacy framework that has seen the internet thrive and grow in other ways, introducing new friction and erecting confusing and unjustified new obstacles to even the most mundane uses of data any consumer would see as non-sensitive. This kind of regulation is bad for consumers, bad for entrepreneurs, and bad for innovation.

In addition, a little known consequence of the Wheeler rules was that they jeopardized the United States’ privacy agreement with the European Union. The Privacy Shield is predicated in part on the United States having a single, lead consumer privacy agency, and the dilution of the FTC’s authority puts this agreement at risk.

We’re glad that policymakers at the FCC and in Congress will have an opportunity to review the rules again and, hopefully, correct these flaws. A return to the FTC’s role as the lead privacy enforcer would allow innovators to do what they do best: innovate. In addition, a consistent set of rules would do well to assuage consumer advocates’ concern that gaps in enforcement would delay critical privacy actions when companies are ignoring or outright abusing their data responsibilities to their customers.

CALinnovates Statement Regarding the FCC’s Revamped Privacy Proposal

October 7, 2016

“This version, like the first, falls woefully short in its noble goal to safeguard consumer data and increase transparency for the public. Subjecting the exact same data to different and arbitrary rules depending upon a company’s primary offering in today’s era of vertical integration does not increase consumer privacy. It is also blind to the realities of the marketplace. We need 21st Century privacy rules to govern a 21st Century data market,” said Tim Sparapani, CALinnovates’ senior policy counsel.

“Chairman Wheeler has indicated that some favored companies will be allowed to practice permissionless innovation outside the FCC’s jurisdiction while other disfavored entities must operate under the microscope despite the fact that the data is one and the same. Businesses of all types today are data companies first and foremost, whether they make software or deliver internet access – or both. And innovation can and should spring from all types of companies, ISPs included.”

“Today, Verizon owns Yahoo, AOL and Huffington Post, and the line between ISPs and edge providers has been increasingly blurred. Consumers will be no better off under this scheme than the previous one, but they may be worse off than they are today.”

“This is a referendum on innovation and an affront to consumers who expect more and demand better. No matter how Chairman Wheeler tries to spin it, his latest iteration of the FCC’s privacy proposal is nothing more than lipstick on a pig,” said Mike Montgomery, executive director of CALinnovates.

“CALinnovates encourages Chairman Wheeler to return to the drawing board to rewrite the rules one more time. Better yet, the FCC should seek further public input as well as guidance from Congress and the FTC, which has the longstanding privacy expertise the FCC lacks.”

CALinnovates is a non-partisan coalition of tech companies, founders, funders and non-profits determined to make the new economy a reality.