Lawmakers To Introduce New Internet Privacy Bill : NPR

Rick Boucher (D-VA) has released draft legislation to significantly increase required privacy notifications for Internet users.

Many websites are fighting the proposed bill, claiming it would hurt their business. I am unsympathetic to complaint that their business would suffer if people actually knew what they were doing with your information. Given that this would apply to all websites, if a policy is no worse than average it should not drive people to other sites.

I would very much like to see the market start to enable competition on the basis of privacy policies.

We shall see how this actually turns out once it has been through the sausage making process. My experience is that most bills about technology end up doing more damage through unintended consequences than they actually help.

Apparently the legislators in Louisiana feel that crimes committed with an electronic map are much more serious than those committed with the aid of paper maps. Not just some of them, the vote in the Louisiana House approved it unanimously (89-0).

If a “virtual street-level map” is used in the commission of ordinary crimes, a mandatory additional year must be added to the sentence. In cases of terrorism, the penalty is 10 years.

This should prove a boon to the sellers of Thomas Bros. high resolution map books.

The unanimous nature of this decision makes it clear the degree to which our leaders lack any political spine. They are obviously concerned that voting against this will appear “soft on crime” despite the fact that this will have no real impact at all, and is trivial to circumvent. It is a waste of time and attention on what Bruce Schneier calls “Security Theater”.

I have been following a number of stories like this,Congress Follows Email Trail - WSJ.com, about the Whitehouse use of RNC controlled email accounts to discuss the firings of federal prosecutors. The law appears quite clear. Official Whitehouse email is a document that must be retained. Discussions of firing federal prosecutors sounds official to me. Therefore the Whitehouse was wrong to use outside email addresses to keep the discussions secret.

I am not comfortable with the law in the first place. Email and other electronic communication media like chat and IM are often used more like casual conversation than formal memos. Few would argue that the President’s every word should be recorded at all times. It would make discussion and debate next to impossible. In the process of thinking through an issue one may consider many potentially unpopular ideas, if only for the purpose of argument. Free and unconstrained give and take generally leads to be best understanding and decisions. Free and unconstrained debate can not take place with the world looking over your shoulder and scrutinizing every word.

If we accept that email and chat are used like conversation to hash out ideas, then it is very damaging to the process to place heavy recording and monitoring requirements on it. At the same time, having no oversight substantially reduces accountability. It might even facilitate corruption.

This really shows in a microcosm the greater question of general communications privacy vs. law enforcement access. It is a hard balancing act because there is very little middle ground. Basically you are either monitored or not. Having monitoring of a random half of the messages is going to make everyone unhappy.

I have seen a couple of articles recently on the third attempt by Congress to pass an anti-spyware bill (this time H.R.964 aka “The Spy Act”).

False Sense Of Security?
Even if the law is needed to intervene, it is unlikely to impact a significant fraction of the offenders, who are operating in countries and jurisdictions that are uncooperative with US law enforcement. Foreign criminal elements will laugh at these laws, and there may be a danger if the passage of a law lulls people into a sense of false security, causing them to lower their guard.

It is interesting to see the Direct Marketing Association (DMA) fighting this legislation so aggressively. The plea for self regulation clearly indicates a desire to continue using these kinds of tactics. Specifically, Dave Morgan of the Interactive Advertising Bureau (IAB) described “consent” and “prescriptive notice” as “extreme measures.” while to me these seem the least requirement for “informed consent” and should form the baseline of privacy policy.

The core principle is that people need to have the ability to know when their information is being captured, know how it will be used, and have some ability to avoid this if they so choose. Legislation that effectively embodies this will be robust against the fast changing technological background, while narrowly tailored laws are likely to be easily bypassed by new technical tricks.