Specter, Leahy introduce Personal Data Privacy and Security Act

Reacting to the current troubling situation regarding data security and privacy in the U.S., two powerful senators introduced legislation yesterday designed to better protect sensitive personal information. Senator Arlen Specter (R-PA) and Senator Patrick Leahy (D-VT) — the two most powerful members of the Senate Judiciary Committee — put forward the “Data Privacy and Security Act of 2005” on Wednesday, stating that “[i]nsecure databases have become the low-hanging fruit for hackers looking to steal identities and commit fraud …” The bill has six main goals:

  • Increase criminal penalties for ID theft involving electronic data;
  • Allow individuals to access and correct the personal information data brokers maintain regarding them;
  • Require entities that maintain personal data to create internal policies for the protection of that data and “vet” third parties that they hire to process that data;
  • Provide notice to individuals when a breach of their personal information occurs;
  • Limit the buying, selling, or displaying of Social Security numbers without an individual’s consent; and
  • Require the federal government to establish privacy and security rules for when it uses information from data brokers.

A press release regarding the bill’s introduction is available here. Also, click here to see a PDF of the complete legislation.

We will have more information here about the bill soon, once we’ve had a little more time to digest it. However, given the status of the bill’s two co-sponsors, this could very well be the data privacy and security bill that moves in the Senate this year.

Proposed Export Rules Could Stifle Innovation

Update: Many organizations filed comments with BIS (the rumor has it around 200). The only one that we have seen so far (besides the CRA link at the bottom) is by the Association of American Universities. Apparently many business groups filed as well, including several IT and trade associations. We’ll post links to the big ones as they come in.

Original Post 6/28/05: Yesterday USACM filed comments with the Department of Commerce expressing deep concern about its proposal to change rules that apply to foreign nationals working in the United States using sensitive equipment. The committee objected to the proposal, stating that it could place new and costly burdens on the information technology sector and universities, and exacerbate an already hostile environment for foreign-born researchers working in the U.S., while providing questionable security gains.

Grokster Ruling: Supremes Preserve Betamax Standard, Turn Toward “Active Inducement”

Update: Press Release from USACM is below.

Original Post 6/27/05: At 10:30 this morning things looked bleak for the technology industry as headlines raced across the wire “Grokster Loses in Unanimous Decision.” Now that the dust has settled a bit, the Supreme Court’s decision actually looks quite balanced. (Justice Souter wrote the opinion of the court, while Justices Breyer and Ginsburg wrote the concurrences 1, 2).

The Justices did rule 9-0 against Grokster by overturning the 9th Circuit’s summary judgment that the Sony “safe-harbor” rule protects Grokster from any liability in this case. In doing so, however, the Court upheld the heart of Sony by not trying to quantify the tipping point of when a technology’s infringing uses outweigh its non-infringing ones, thereby creating liability for the developer. To many in the technology industry, such a vague test would have been devastating. The Justices stated:

“ … because we find below that it was error to grant summary judgment to the companies on MGM’s inducement claim, we do not revisit Sony further, as MGM requests, to add a more quantified description of the point of balance between protection and commerce when liability rests solely on distribution with knowledge that unlawful use will occur. It is enough to note that the Ninth Circuit’s judgment rested on an erroneous understanding of Sony and to leave further consideration of the Sony rule for a day when that may be required.”

(The Sony rule was at the heart of this matter, as it states companies that develop technology that can be used both for infringing and non-infringing purposes cannot be held liable strictly for producing the technology. For more background on Sony see the EFF’s website.)

The court did blast both Streamcast and Grokster’s behavior. It made numerous findings that the defendants went out of their way to encourage downloaders to share copyrighted material or be in a position to facilitate this activity. (Streamcast is the other defendant in the case.) In short, the court said bad actors, even if they are not directly infringing on copyright, cannot hide behind Sony, stating:

“ … holding that one who distributes a device with the object of promoting its use to infringe copyright, as shown by clear expression or other affirmative steps taken to foster infringement, is liable for the resulting acts of infringement by third parties.”

But the court did seek balance in this standard:

“The inducement rule, instead, premises liability on purposeful, culpable expression and conduct, and thus does nothing to compromise legitimate commerce or discourage innovation having a lawful promise.”

In doing so, the court creates an “inducement standard” that seems to be predicated on a company’s specific actions (i.e. sending out e-mails to its customers telling them how to download or use copyrighted material) or its business model. It seems likely that technology companies and innovators may find this standard too vague and still open to debate and interpretation. Further, given the current litigious nature of the copyright environment, the discovery process inherent in determining a company’s or developer’s intent may still be a burden on innovation. In fact, Ed Felten has some thoughtful things to say on freedom-to-tinker about the issues that this ruling raises for technology developers.

But the court’s decision could have been much worse, and its focus on behavior instead of technology is one that many in the community will likely find comforting, and it is a position that USACM has advocated for on many different technology issues.

This week we will try to post Congress’ take on the issue. Also, rumor has it that there will be a hearing on the subject in the House Judiciary Committee on Thursday. We’ll try to cover that hearing as well.


The Supremes Rule Against Grokster

Update: We have a much more in-depth analysis and press release posted here.

This from the SCOTUS blog on the Grokster case (which we have covered in the past):

“Grokster, StreamCast Lose

The Supreme Court ruled unanimously that developers of software violate federal copyright law when they provide computer users with the means to share music and movie files downloaded from the internet.”

Here is the actual decision.

Here is the best story I’ve seen so far from the AP wire.

While this does not bode well for technologists, we have yet to read the actual decision to see the extent to which liability is extended to technology developers. You can be sure that there will be many more posts on the implication of the ruling (and we’ll put the ruling itself up when we get it). In the meantime, there are several good clearinghouses of information on the subject including:

Regular readers may recall that USACM, along with a number of law professors, filed an amicus brief in the case in support of Grokster.

Latest data breach may fuel the push for federal regulation of data security

The NY Times has more information (and two follow-up articles) about the staggering loss of data at a credit card transaction processing company that came to light over the weekend:

The security breach was first reported Friday when MasterCard International said a lapse at CardSystems had allowed the installation of a rogue computer program that could extract data from the system, potentially compromising 40 million accounts of various credit cards.

MasterCard said Saturday that 68,000 of its own account numbers were especially at risk because they were in a file found to have actually been “exported from the system.” CardSystems said yesterday that the file also contained data from other cards in proportion to the volume of business it handles from each company. That would translate to about 100,000 Visa accounts and roughly 30,000 others […]

An official of the company in question, CardSystems Solutions, has admitted that the company should not have been in possession of the information that was stolen in the first place —

Senators considering ID theft solutions

Update – June 18: Details are emerging this weekend of a very large scale data breach of credit card data at a transaction processing center affecting some 40 million files. More details are available at the Washington Post and the NY Times.

Yesterday the Senate Commerce, Science & Transportation Committee held a hearing on identity theft. Senators heard testimony from, among others, Senators Schumer and Feinstein, the attorney general of Vermont, and each Federal Trade Commissioner (Deborah Platt Majoras, Orson Swindle, Thomas B. Leary, Pamela Jones Harbour, and Jon Leibowitz).

In his statement, Sen. Schumer described the numerous calls that his office and others are receiving currently from constituents on identity theft concerns, and he described how legislation that he has introduced with Sen. Nelson would empower consumers to cope with ID theft, better protect personal information, and provide for consumer notification in the event of data breaches. He also stated that, in light of the recent Citigroup data loss, language has been added to his bill to require that data in such transfers be encrypted.

EPIC has a good write-up of the hearing in their latest newsletter.

More scrutiny of e-voting in Ireland

EDRi’s latest newsletter informs us about a recent article in the Irish Times [subscription required] describing the Irish government’s plans to subject their e-voting machines to additional security and risk-related scrutiny:

The Government has initiated a new round of assessment and testing of the controversial €60 million electronic voting system currently in storage.

An advertisement for consultants to carry out an “additional security and risk assessment of all aspects of the electronic voting and counting system” was placed on the Government’s e-tendering website yesterday.

After use on a trial basis in the last general election, the electronic voting system was put on hold when questions arose over the ownership of the electronic code underpinning the system […]

EDRi’s newsletter explains how last year the government “decided at the last minute to cancel the usage [of e-voting machines], after the Independent Commission on Electronic Voting concluded in an interim report” that it could not “satisfy itself as to the accuracy and secrecy of the system.” The commission’s full report is available here.

Meanwhile, as regular readers will know, ACM has a study underway currently looking into implementing the statewide voter-registration databases mandated by the Help America Vote Act. Study members are making good progress and expect to release a report this Fall.

Private investigators getting nervous

The Washington Post has an article today about the ongoing work of private investigators to prevent policymakers (and some data brokers) from limiting their access to Social Security numbers, a key tool of their trade for tracking individuals:

Private investigators are working to blunt legislation that cracks down on the active marketplace for Social Security numbers, telling Congress that restricting access to the numbers will hurt their business and hamper their investigations.

Several bills are moving through the Capitol to prevent identity thieves from getting Social Security numbers to gain access to consumers’ financial accounts. In the past year, the Social Security numbers of tens of millions of Americans have been exposed through personal data being lost, stolen or hacked.

But private investigators contend that the rush to protect privacy goes too far and would damage their ability to deliver valuable services, such as locating people who skip out on debts, commit fraud or want to avoid testifying in court […]

However, considering the scope of recent data breaches, the surge in identity thefts, and the growing public awareness and concern over the relatively easy availability of their personal information, this author doubts that private investigators are finding many sympathetic policymakers.

Later this week, the Senate Commerce, Science & Transportation Committee is scheduled to hold a hearing on identity theft, featuring witnesses from the Federal Trade Commission and the National Association of Attorneys General.

Vint Cerf and Bob Kahn Receive Computing’s Highest Honor

On Saturday the storied team of Vint Cerf and Bob Kahn received ACM’s latest Turing Award for their work developing TCP/IP — the networking language of the Internet. The award is ACM’s highest and is considered by many to be the Nobel Prize of Computing. The Mercury News has a good story about the award.

I was able to go to the ceremony, and it was inspiring to see so many people responsible for truly critical innovations in the IT industry. What struck me was seeing different generations of greats at the same event, from Donald E. Knuth (who won the Turing Award in 1974 and wrote Art of Computer Programming) to visionary Larry Page (one of Google’s cofounders). Many spoke about both DARPA’s vision in funding Cerf and Kahn’s work and the importance of federal funding for high-risk/high-reward fundamental research.

These statements were particularly striking in light of all the attention this issue has received of late (see story #2 of our May ’05 newsletter). Of course, the Computing Research Association has extensively covered these funding issues.