Last Wednesday, Federal Trade Commission (FTC) Chairwoman Edith Ramirez announced that on September 9 the FTC will hold the first seminar of its “Start with Security” campaign (which we previewed in March). The campaign is aimed at helping small and medium sized companies improve their data security practices based on the knowledge the FTC has accumulated over a decade of enforcement action. Also last week, the FTC launched IdentityTheft.gov, a website that offers victims of identity theft tools to report and recover from identity theft and data breaches.
The FTC’s recent focus on privacy issues, particularly identity theft and data security, is a recognition of the priority consumers place on trust in the Internet. Trust in the integrity and security of the Internet and associated products and services is essential to its success as a platform for digital communication and commerce. One of the earliest government reports on the viability of the Internet for commerce said, in 1997, “[i]f Internet users do not have confidence that their communications and data are safe from unauthorized access or modification, they will be unlikely to use the Internet on a routine basis for commerce.”
Internet users continue to prioritize confidence in the security of digital services above all other privacy concerns online. In late 2013, CCIA commissioned a survey of Internet users that aimed to better identify the priorities and concerns of Internet users with respect to the handling of the information they share online. As far as privacy risks go, the study found that nothing is more important to Internet users than the security of their information online, in particular ensuring that their personal data is out of the hands of those who would do them harm.
Earlier this month, the Federal Trade Commission (“FTC” or “the Commission”) announced a new “Start with Security” campaign. Announced in a speech by Chairwoman Edith Ramirez, the campaign she described will be centered on a series of resources and presentations that the FTC’s Consumer Protection Bureau will deliver to corporate groups to provide companies, especially small to medium sized businesses, with best practices and other guidance on specific data security topics.
This is a welcome development. The “Start with Security” presentations are intended to fill a gap presented by the FTC’s current method of protecting consumers and ensuring good corporate data security practices, which embodies light-touch regulatory principles. Today, the FTC’s primary tool for recommending and enforcing reasonable behavior in the data security space is through the enforcement authority granted to it by Section 5 of the FTC Act, which allows it to stop unfair or deceptive acts or practices.
With unfair practices, the FTC brings a case when a particular company’s data security practices caused, or were likely to cause, a substantial injury that consumers could not reasonably avoid and were not outweighed by benefits to consumers or competition. In the case of deceptive acts, the FTC brings cases when it believes a company has failed to support a promise to keep information secure with reasonable and appropriate processes.
Through settlements and guidances informed by the last decade of data security cases, the Commission has developed a set of commercially reasonable security practices that companies should implement in a manner appropriate for their respective businesses. This case-by-case approach allows for the flexible development of policy that reflects what companies are actually doing with consumers’ information and points to areas for improvement or minimum standards.
The need for innovation and start-up cultures is a given in the tech world: tech companies that don’t innovate don’t last very long. Outside this environment many companies and governments prefer to paint themselves as victims of the intense changes wrought by Internet and high technology. These parallel cultures mean most companies, and especially governments, find it hard to disrupt themselves (examples like gov.uk are relatively few). Where many governments fight innovations, Estonia decided to embrace them.
In this small Northern European state, the government is fostering a start-up culture and marrying it with radical administrative disruption. The President is a geek and the job of the few bureaucrats that exist is to “exploit the dynamic forces of private competition.“ Here digital technology breeds opportunity and jobs instead of chafing against red tape.
You’ve undoubtedly heard about Skype; perhaps Estonia’s 13 year old eID system is a flicker in your memory. But are there shared ingredients? Can it be copied?
The first ingredient is hard to copy. Estonia has a population of 1.3 million – a close-knit community half the size of Brooklyn, which is easier to shape than a decentralized Germany or a mammoth United States.
The second is a historical legacy of both tech and direct action. The Soviet Union’s Institute of Cybernetics (still running today) was founded in the Estonian capital Tallinn in 1960. It’s no coincidence that the parents of some of Skype’s founders worked there or that its headquarters is next door. Meanwhile citizens each year participate in “Let’s Do It” day – banding together to fix things in their community with their own hands.
That’s related to the third ingredient, the #EstonianMafia start-up scene – where names like Toggl and GrabCad are racing to be the next TransferWise.
But it’s the fourth ingredient that matters most: partnerships for achieving scale.
Yesterday, the Federal Trade Commission (“FTC” or “the Commission”) released its long-awaited staff report on the Internet of Things (“IoT”), which was announced by Chairwoman Ramirez in her keynote at the 2015 State of the Net conference. Building on a workshop held in 2013, the Commission’s report is a comprehensive look at the promise of Internet-connected everyday objects, the risks that they might pose to consumers, and the Commission’s recommended regulatory and legislative paths forward. Fortunately for consumers, the Commission’s suggestions, born of a collaborative workshop with privacy groups and industry, do not approach the onerous attempts by the EU to regulate the IoT well-before it gained a market foothold, which DisCo covered way back in 2012.
First, a short primer. The Internet of Things constitutes the growing wave of innovative technologies set to revolutionize the interactivity of the mundane products that we use every day. Smartwatches and other wearable devices get the most press, but introducing connectivity to other traditionally “dumb” devices in our environments will make them all more personal, adaptive, and efficient. Learning thermostats, networked refrigerators, Internet-enabled dog collars that track your pet’s location and wearable fitness trackers are already on sale, with driverless cars, wireless pacemakers, and home automation systems making their way to the main floor of this year’s Consumer Electronics Show (“CES”).
The FTC highlighted the array of benefits of connected devices early in its report. Connected health devices can provide richer sources of data and improve preventative care for physicians and patients. An adaptive thermostat coupled with automated lighting and security can reduce energy costs for homeowners and allow for remote monitoring of homes. Connected cars can offer on-demand vehicle diagnostics to drivers and service facilities, real-time traffic information, and provide automatic alerts to first responders when airbags are deployed. Eventually, self-driving cars may one day be widely available. Each additional type of connected device can provide another convenience or efficiency in the everyday lives of users.
Besides cold temperatures, inevitable musings about an Ovechkin-led Capitals being positioned to make a run at the Stanley Cup (followed by them falling off a cliff), and the occasional wayward arctic fowl, January in the District of Columbia comes with at least one constant ritual: the time honored tradition of speculating on what will be included in the State of the Union. (And, in recent times, the SOTU-themed drinking games that flow from the anticipation… even the Washington Post has one this year). Although some of the suspense has been dampened with media leaks and a multi-week presidential tour highlighting important SOTU themes, some surprises remain.
With political watchers fixated on what President Obama will and will not include in this year’s SOTU, I thought it was a good time for DisCo to lay out a potential tech policy roadmap for what to watch for this year in the President’s annual “setting priorities” exercise.
(Originally published at and cross-posted from CircleID)
On December 17th a US proposal for online commerce in a major trade negotiation, the Trade in Services Agreement (“TISA”) leaked. A flurry of press releases and opinion pieces claim that TISA is a threat to the Internet. The headlines are lurid: “TISA leak: EU Data Protection and Net Neutrality Threatened” and “Leaked TISA text exposes US threat to privacy, civil rights”. Yet the authors of these screeds are far removed from the negotiations and not actively following them; their comments generally assume the 8-month-old text from one country is a reliable base to use to make assumptions about the end result of unfinished negotiations involving more than 40 countries. Because I’ve spent years in Geneva regularly meeting with and advising negotiators on the networked economy I have a very different perspective. Frankly, I believe most commenters have got the main issues wrong and largely missed the significance of the worst feature of the proposal – the extremely broad national security exception.
New Year’s is always a time for remembrance and nostalgia, with lots of “top” lists. This is another, focused on the most important, entertaining and reverberating technology law cases of 2014.
1. Apple’s iPod Class Action Win. Near the end of the year, a decade-old antitrust class action against Apple Inc. finally went to trial in early December. The gist of the claim was that by reconfiguring its DRM system for the then new (now iconic) iPod MP3 players in a way that broke compatibility with RealNetworks’ protocol back in 2006, Apple monopolized the market for digital music. Although the Sherman Act theory was questionable, at best, the presiding federal judge refused to dismiss the complaint or enter summary judgment for either side. After just three hours of deliberations, the jury returned a unanimous verdict for Apple, finding that the new software was a meaningful product improvement over previous versions. (This was also the case where the late Steve Jobs testified, by way of videotaped deposition, from the grave.) Lesson: even monopolists get the blues.
2. Software & Business Methods Patents Narrowed. In one of several precedent-setting Supreme Court cases involving intellectual property, the Court ruled in Alice Corp. v. CLS Bank that vague or generic patents, which do little more than operate mathematical algorithms on a general purpose computer, are not “patentable subject matter.” CLS Bank has already had a profound effect on the Court of Appeals for the Federal Circuit, which for nearly the first time invalidated some business method patents on patentablity grounds in its wake, and the the U.S. Patent & Trademark Office, which was far more aggressive in rejecting patent applications during the second half of the year. The longer term consequences in the ongoing debate over patent trolls and patent reform legislation remain to be seen. Lesson: the era of easy patents may be ending. MORE »
Last Friday, President Obama signed an executive order announcing the “BuySecure Initiative” to jump-start the adoption of enhanced security measures for financial transactions and sensitive data. The goal is for financial institutions to implement tools like “chip-and-pin,” which would secure credit, debit, and other payment cards with microchips in lieu of basic magnetic strips, and PINs (like those standard on consumer ATM cards). While the PIN feature speaks for itself, the microchips soon to be embedded in payment cards allow for dynamic authentication of the card’s validity and account information through strong encryption.
The new executive order was announced during the ongoing National Cyber Security Awareness Month, and comes on the heels of a massive data breach at JP Morgan. The cyber threat landscape is not pleasant, particularly in the financial sector, but we at DisCo are an optimistic bunch. We’d like to focus on the silver lining—the proliferation of methods of mobile and online payment, in addition to the long-awaited shift to chip-and-pin, partly spurred by consumer desire for enhanced security in the face of data breaches associated with traditional means of payment.
If you haven’t had your daily fill of irony yet, let me tell you about the Euro-skeptic, free marketeer news organization appealing to European regulators to guarantee “fair returns” in the wake of Internet-driven disruption.
On Wednesday, News Corp released a letter from its CEO Robert Thomson to the EU competition commissioner Joaquín Almunia, criticizing Google and championing regulators to act against the search provider, following similar demands by the news publisher’s European peers. Unfortunately, Thomson’s letter received about as much fact-checking as a News Corp tabloid. (Jeff Jarvis has already annotated the letter’s “staggering” “willful blindness to irony” on the News Genius platform).
News Corp publications have championed tech disruption before, but apparently those principles go out the window when News Corp is the one being disrupted. In fact, News Corp’s own Wall Street Journal previously complained that Google had become its competitors’ “piñata,” who were demanding “a regulatory veto” notwithstanding the fact that they “haven’t demonstrated any economic harm” stemming from the search provider. Yet this week, News Corp itself jumps into the piñata party, waving the European banner. MORE »
Earlier this month, at the Black Hat 2014 conference, Yahoo announced that it would implement end-to-end encryption in its Mail service by 2015. This announcement came on the heels of Google’s June announcement of a Chrome browser extension that would make it easier to do the same for data leaving the browser for a specific recipient (Yahoo’s implementation is a fork of Google’s publicly released source code).
End-to-end encryption of message content through OpenPGP, even as implemented by the savvy engineers at Yahoo and Google, is by no means a privacy cure-all on its own. However, when end-to-end is viewed along with earlier developments, like an always-on secure connection (via HTTPS) for Gmail or multi-factor authentication, it’s becoming clear that the tech industry is taking improved consumer privacy seriously, both in word and deed. MORE »