
Who has your back?

Companies’ responses to government requests for user data are a critically important, but historically overlooked, component of privacy and data security.  At least in the U.S.  I’ve been told that Europeans are more sensitive to government overreach in this regard given their experiences in World War II.

A few years ago, I began working with companies to consider ways to respond to government requests.  At the time, it wasn’t always considered very significant nor important to users.  Sometimes, I was shot down for these reasons by folks that I considered to be progressive thinkers.

But like so many dimensions of the privacy conversation, the issue is no longer obscure nor as minimized.  I just read the EFF’s report entitled “Who’s Got Your Back?,” which illustrates this point.  For me, it was fascinating to see how much has changed over the last few years.

For any company considering how to address government requests, this is a valuable set of data points.  Because often times, C-suite executives want to know what other companies in their space are doing before they commit to a certain path, especially when dealing with nebulous and cutting-edge issues like privacy.  It’s too bad though, because a lot of companies that have taken the lead here have reaped the rewards in terms of marketing and goodwill.

Lately, I’ve spent some time thinking about personal vulnerability.  And what it means to really live your life as you want to, not how you are “supposed to.”  A myriad of pressures, expectations, and influences align to keep us living a certain way even when it’s not what our soul really feels or longs for.  It’s scary to live truly honestly, let it all hang out, and damn the consequences.

Given this mindset, I was particularly touched by Jason Collins’ outstanding letter in Sports Illustrated today, which is getting a lot of coverage.  I can’t say I had ever heard of Jason Collins before today but his words deeply moved me.  I believe it is one of those sacred shared human experiences to yearn to be true to our deepest selves and to live our lives fully even when it seems daunting.  With all the recent press coverage around the vulnerability that will likely surround the first professional male athlete(s) to come out, all I heard in Jason’s voice was strength.  And pride.  And peace.

I was really proud to be a former Stanford varsity athlete today.  Way to go, Jason!

I haven’t blogged for a while, and several recent items have sparked my desire to write.  One is to say how much I enjoyed speaking at the recent Robots Conference at Stanford Law School.  I am by no means a robotics expert (either legally or technologically), but it was interesting to me to see how so many of the most cutting edge legal issues really come down to traditional legal concepts like agency and product liability, which are age old, while also fueling conversations around some of the most current legal topics like privacy and data security.  Professor Ryan Calo chaired the conference and always puts on first-rate legal conferences.   Anything he organizes is worth attending in my view.  I am glad to see that even with his recent hire at University of Washington, he is still gracing Stanford’s Law School with his thinking and presence.

Which reminds me of Professor Eric Goldman’s Section 230 conference from a few years ago, which was the best legal conference I have ever attended.  I had meant to blog about it at the time but the time got away from me.  So here it goes, better late than never:  It was amazing for both its depth and breadth.  The day opened with a conversation with one of the bill’s sponsors, Sen. Wyden, explaining the environment in and strategy under which he introduced the bill.  Then the audience was treated to discussions of the significance and impact of this law from the perspective of judges, lawmakers, in-house counsel, litigators, and academics, with each constituency comprising its own panel.

Apart from Sen. Wyden’s opening, the highlight for me was hearing from Kenneth Zeran, a man who sued AOL over  postings he wanted taken down.  I don’t remember the specifics of his case, but I vividly recall him sharing, from a true first-person perspective, how a free internet that includes an ability for platforms to avoid liability for third party postings directly and personally impacted his life.  While his views were directly contradictory to many in the audience, and his thinly veiled opinions contrary to the political sensibilities of many in the Bay Area, it felt to me that most everyone in the audience appreciated his perspective, his passion, and his authenticity, not only despite his position, but because of it.  I found it very powerful to both hear him speak and witness how the audience held him and his message.  It took a lot of courage to bring that message to this assembly of folks.

iTunes has the videos from the conference available for free download.  For anyone interested in internet law, these are worth watching.

Moving on to my day-to-day practice.   I was intrigued by a term that was recently introduced to me:  TaaS, or Talent as a Service.  A colleague sent me an article, which suggests that geographically distributed, highly specialized, on-demand, as-needed labor is the wave of the future.  It certainly is how I run my practice, so I found this somewhat validating.  While I’m not sure all the ramifications are good for workers, I certainly am intrigued by the proliferation of this trend and what it means for people searching for alternatives to the cubicle experience.  It would be great if this trend was a win both for the workers and the corporations and other entities hiring them.

Finally, pulling together my interests in both FLOSS and privacy, there was a recent article in TechCrunch about the latest efforts in Europe to promote open data.  While I strongly support openness, I will be watching closely to see how they address reidentification concerns, which are notoriously tricky.

Cheers.

Pulitzers

It feels like a number of good developments are afoot in the privacy space, prompting me to post.  First off, congratulations are in order to the Wall Street Journal for their finalist nod in this year’s Pulitzer Prize.  Frankly, I know I wasn’t the only one a bit surprised it didn’t happen last year but maybe that’s how this prize works.

I can’t say it wasn’t a bit tough to be on the other side of some of those articles trying to explain and defend practices (and Julia Angwin in particular is a tough and shrewd reporter whom I really respect), but I always respected what her team was doing and believe that the What They Know series has truly moved forward privacy in this country.   So much of the log jam in creating change is the lack of knowledge and transparency in what is really happening “under the hood.”  This series was unique in beginning to crack things open and expose practices in a way that was really illuminating for many, including those of us that practice in this space.

On a more personal note, I am proud to count as my colleagues both Ashkan Soltani and Dave Campbell, both of whom were/are an integral part of this team and a big part of the “cracking open” and exposing of what was really happening on a technology level.  Way to go, guys!

(And not surprisingly, this isn’t the first, nor is it likely to be the last, time Ashkan has been recognized by the Pulitzer team.)

Taking Privacy to the People

As various regulations and legislation wind their way through legislatures around the globe, the reality is that legal solutions are slow and usually imperfect (it’s rare to have the kind of foresight and long-term success that legislation like Sec. 230 of the Communications Decency Act enjoys).  Such laws and regs take a long time to enact and are hard to do well, especially in a rapidly evolving technology space.  And in a space like the web that is truly global, add to the mix the interoperability complexity.  Which is not to say that I don’t think that legislation has its place, I do.  I very much hope that some useful guidance can be provided on the privacy front from lawmakers and regulators.  And if it can be even half as well drafted as Sec. 230, we’ll all be the better for it.

But even in the best case scenario, private solutions will be, at a minimum, an important piece of the solution.  And an informed citizenry is ultimately the most crucial piece to making this work (which provides a nice tie-in to my Pulitzer news above.)  This is why I was interested and encouraged to see some private initiatives recently in the news.

The first is the beginnings of a private, non-profit ISP called Calyx dedicated to a privacy-sensitive service offering.  As the vision is described in cNet, it sounds like a true privacy-by-design ISP, with things like end-to-end encryption so that only users control their data.  Working to design and implement similar products at Mozilla, like Sync, is one of the feats I was most proud of at Mozilla.

And the leader, Nicholas Merrill, is even crowd sourcing its funding, which I love on lots of levels.  I’d be thrilled to see models of funding like this take off for entrepreneurs, especially where there is a public-interest element to the venture.  But for privacy purposes, avoiding the usual funding routes could be really valuable in helping Calyx keep to its vision.

Although much of the press coverage is focused on government surveillance and the founder’s efforts in rebuking extrajudicial (i.e., not reviewed or overseen by any judge) and potentially unconstitutional requests like NSA letters, I’ve long talked about the need for more privacy-competitive IT offerings and I would welcome this on many levels for clients for privacy reasons beyond government surveillance.  I can’t say I know anything about Merrill or his offering, but I’m excited to hear about what he’s doing, and I hope to see efforts like this succeed.  I have made my own small contribution to the venture and hope you will too.  I think these competitive and free market solutions should be welcomed by those on all sides of the political spectrum.

The second development I wanted to call out was a site, called Priveazy, designed to inform users about their online privacy.  Again, I don’t know the team and haven’t even gone through the site fully, but, really, that’s not the point.  The win is in the fact that folks are out there designing and making available products to help educate and empower people.

I hope you can check these sites out and let me know about other developments you are aware of that are trying to bring privacy directly to the people.

Privacy Happenings

I think it’s becoming undeniable that privacy is an important issue right now for the web and for society.  A couple of developments over the past few days struck me as worth highlighting since they cut to some core issues as I see the privacy landscape.

The first is FTC Commissioner Julie Brill’s recent statements that without addressing data collection itself, “do not track” is really just “do not target.”  At a recent privacy conference in DC, Commissioner Brill said she wants more clarity on whether the advertising industry is pledging not to collect information about consumers or whether it is only agreeing not to target some ads to consumers (while using the data for other purposes).  I am glad to see her keep the focus on that critical distinction.  After all, the relevancy of ads is not the issue that concerns users.  If we can’t address data collection as part of do-not-track but allow do-not-track legislation/regulations/self-regulations to gain traction, it will obfuscate the real issue and provide a sense of protection when none (or very little) actually exists.

The second highlight relates to an issue that I see come up a lot in my law practice.  In fact, I blogged about this a few years ago here.  I think where the “rubber hits the road” for a lot of the data security issues is in companies’ contracts with IT vendors (ISPs, colocation facilities, CDNs, etc.).  Few companies, even huge companies, don’t rely on a variety of IT service providers to store, transmit, and otherwise handle user data.  And those service providers usually want to disclaim or greatly limit liability if the data is breached and otherwise limit their obligations to provide adequate security and other protections.  Awareness of this issue is starting to get more attention, recently in the EU and also this week in the US, where a Network World article highlights the significance that liability for data breaches is taking on in IT outsourcing agreement negotiations.  I am glad to see this issue get more visibility because I think it has a lot of impact on user data security and privacy even though it’s not necessarily a sexy topic the way mobile apps and other privacy topics may be.  IT vendor contracts are not headline grabbers.  But they matter (and the data breaches that may result from them ARE headline grabbers), and I hope they continue to get the attention they deserve in the privacy debate and from IT service provider customers.

SOPA and PIPA

Happy New Year!  It’s been a while since I posted and there’s been a lot I’ve wanted to discuss (like the recent lawsuit over PCI rules), but what seemed impossible to ignore was SOPA and PIPA.    I am particularly proud today to say that I work with Wikipedia on legal and privacy matters.  To see the impact of their black out is really awe inspiring and a testament to the contribution Wikimedia and collaborative web projects generally make to society.  In fact, the nature of the response to SOPA and PIPA even beyond Wikimedia highlights the very power and value of a distributed internet where numerous individuals, organizations (big and small), and communities around the world can both individually and collectively create, distribute, and benefit from content.  It is that “decentralized” form of internet that is threatened by these bills.

So here is my voice being added to the chorus to urge lawmakers to consider ways to leverage the internet rather than weaken it by, among other things, removing procedures and other protections to ensure that legal process isn’t abused.  I have called my lawmakers and urge you to do the same.

For a more lengthy description of my views of the value of the internet, you can check out my post from November 2010, which I submitted to the U.S. government on behalf of Mozilla.

Cinco de Mayo

I love these two quotes and how they work well together: one about respecting others and the other about respecting oneself.

“Respect for the rights of others means peace.”

–Benito Juárez,
Mexican politician

“It is better to die on your feet than to live on your knees.”

–Emiliano Zapata,
Mexican revolutionary
