So Tomorrow is “The Day We Fight Back”?

February 11 is supposed to be a day of mass protest against NSA surveillance. Named ‘The Day We Fight Back’ it is reportedly the brainchild of a 34 year old former Congressman from Rhode Island, David Segal, and supported by “hundreds” of internet companies and various other political, civil and digital rights groups – both conservative and liberal.

The intent seems to be to evoke the same kind of digital ground swell that emerged 2 years ago around the Stop Online Privacy Act (SOPA) and Protect Intellectual Property Act (PIPA), in which the Congress was so caught off guard by the power of major websites going dark or posting protest messages for a single day that the proposed legislation was immediately killed. [See my post from Jan 26, 2012]

Tomorrow’s event, from what I can find online as of today, has some fairly significant differences from the Stop SOPA/PIPA movement.

For one, I don’t see the NSA bending to public will like Congress did – votes are not at stake, the intelligence community moves in a totally different (and mysterious) way, and the White House has already outlined its plan for NSA reform.

Tomorrow’s action also has mixed goals – along with people just generally stating that they think NSA surveillance is evil and unAmerican (which is rather vague), apparently some of the protesting organizations will also “ask legislators to oppose the FISA Improvements Act, support the USA Freedom Act [how many Americans even know what those are?] and also use the event as an opportunity to commemorate Aaron Swartz, a controversial figure. While Swartz was a leader in the anti-SOPA/PIPA effort, his later prosecution for computer fraud and abuse, and subsequent suicide left a conflicted reputation.

Further, this is supposed to be an international event for others around the globe to express their outrage with the NSA reaching into their borders. I’m feeling like the message is mixed. Without a single firm goal, this effort could go the way of the Occupy movement.

But I’m curious. None of us likes the idea of the NSA or any other government entity collecting information on us. The privacy issue has been building steam for a long while, and Snowden pushed it out into the open. Tomorrow is the first real organized effort, and maybe something will come out of it.  I find it interesting that the more radical Electronic Frontier Foundation is a main sponsor of the event, yet DC’s Center for Democracy and Technology, perhaps more practiced in the ways to get things done on The Hill, is not even connected with it.

I’ve been predicting [hoping for?] some sort of privacy legislation for the past couple of years. The issue is gathering steam, but change doesn’t come without the people’s voice. How many will actually feel outraged enough to call or email their Congressperson tomorrow? How many are more interested in the Olympics? Should be an interesting day.

Cyber Movement

In time for the SOTU, the Obama Administration late yesterday finally issued the much anticipated Executive Order to strengthen cybersecurity protection. It had been in the works since last October.  

Some key provisions:

• Within 120 days, DHS, the Office of the Director of Nat’l Intelligence and Dept of Justice will issue instructions to ensure the timely production and dissemination of unclassified cyber threat reports that can be more broadly shared than they can be today
• Security clearances for critical infrastructure employees will be expedited
• The Enhanced Cybersecurity Services program will be expanded – this program allows sharing of classified cyber threat information by and with defense contractors and other cleared personnel. It will now be open to a wider array of critical infrastructure companies
• The National Institute of Standards and Technology will work with other government agencies and private industry in developing the Cybersecurity Framework – a new risk framework and best practices – due out within a year; DHS will oversee voluntary adoption

However, since EOs aren’t the law, the cyber EO can’t require threat reporting to the government or eliminate possible privacy-related and antitrust liability for sharing information with the government or other companies.  It still will rely on voluntary cooperation, until such time as Congress may act.

The White House intends for the EO to motivate Congress action. Unfortunately, all we’ve seen so far this year is the re-introduction of last year’s CISPA bill (Cyber Intelligence Sharing and Protection Act), which failed due to privacy concerns, coming back in identical form. Since the new Executive Order offers greater privacy protection (its leadership point of view), we obviously have a ways to go in getting to middle ground – if that will be at all possible with this Congress. Given the critical nature of this situation (witness the recent spate of attacks on US banks), we at least now have a starting place.

Another View on Vulnerability (I Still Want to Go Back to the Bubble)

OK, I seem to be in a cyber security phase.  If the defense guys and wonks are rabid about the lack of policies to address this issue, the lawyers are grappling with a different angle.  At today’s Nebraska U Law conference, four big brains debated the slippery slope of domestic vs. international law, crime vs. espionage, kinetic vs. ‘soft’ attack, information sharing vs. security concerns, and the constant challenge of balancing diplomatic restraint and policy trade-offs in the face of known attacks from sovereign state actors (like China and Russia).

One of the panelists quoted a 3rd party who said “we’re the walking dead and don’t know it yet.”  This echo’d something I heard at last week’s seminar – “They could shut us down any time they want to; they just don’t want to.”  Who is ‘they?’ I pondered with some concern. The exposure of our electrical grid has become a common topic of conversation. Apparently there is a rumor that China has put something called logic bombs in it, which have the sole purpose of destroying the system.  BUT, China is our biggest creditor – so can we really force this suspicion?  Does this seem like an urgent problem to anyone but me???

Civil, criminal, conflict (war), and espionage attacks fall under the jurisdiction of different governmental authorities – perhaps at the federal or international level, but possibly at the state or even more local level. (And we all know how well these agencies share with each other.) This imposes different protective and prosecutorial statutes, but also creates an enormous grey area over terminology, definitions and boundaries around what constitutes what kind of cyber ‘activity’ (apparently even the word ‘attack’ is loaded and has a strict context. ) The complexity of digital technologies makes cyber aggression difficult to trace and even more difficult to prosecute. Short of a clear instance of physical harm, building a legal case that will stand up with the appropriate adjudicating authority seems quite challenging.

Best to prevent such incidents in the first place, right?  I come back again to the defense issue.  The list of vulnerable apps was long – mobile, cloud, IPv6, medical devices, smart grid, supply chain reliability, and behavioral advertising…doesn’t that cover just about EVERYTHING that makes the modern world run?  As at last week’s Potomac conference, I saw an enormous  disconnect between Silicon Valley and Washington. Today’s legal experts also described Silicon Valley as just overwhelmingly concerned with making as much money as possible, with security and data privacy as afterthoughts.  Well it would seem to me there is enormous financial opportunity (and a fair bit of glory) for the innovator that figures out real protection for the digital infrastructure that runs today’s world.  The point of view of today’s panelists certainly reinforces the growing urgency for policy makers and high tech innovators to somehow come together – fast – in figuring this out.

Digital Deja Vu

Big headline today that the US DOJ has filed an anti-trust suit to block AT&T’s acquisition of T-Mobile. Haven’t we been here before with AT&T? Wasn’t this company busted up by the government in the not-that-distant past for the same anti-trust issue?

Apparently AT&T has claimed that it needs the acquisition to compete with Verizon’s 4G network.  Wait a minute!  Didn’t Verizon have the foresight and wherewithall to build its own?  Was AT&T just asleep while its biggest competitor noticed this market opportunity and actually did something about it?  AT&T has for some time gotten hammered for its inadequate mobile coverage and dropped calls. The need to expand and upgrade couldn’t have been a surprise.  The DOJ’s position is that the company could deploy next-generation technology ‘by simply investing in its own network.’

Since this intended deal was announced last March, it has widely been seen as anti-competitive – just not good for other carriers or for consumers. In my March 25 post, I pondered this merger as a test case for the FCC’s new kinder, gentler, business friendly demeanor regarding mergers. FCC Commissioner Baker had  even challenged whether telecomm mergers should be subject to FCC and Dept of Justice reviews at all, noting that imposed merger conditions, which could extend to public interest, should be equally applied to all parties and not subject to competitive lobbying influence. Clearly the DOJ does not align with most of her position, although, it does seem that the Department’s study of this merger’s market environment was done fairly quickly by government standards – 5 months – and speeding up the review process was one of the FCC’s key goals.  Interestingly, Sprint, not Verizon, is seen as the major plaintiff. With no other acquisitions of this nature in the offing (at least publicly), there is no application of equal conditions in the field.

It’s not that I’m advocating for Verizon. They are another monolithic company, and as one of their customers, I can certainly see their shortcomings. BUT … I give them credit for taking the initiative to grab 4G by the horns and build a next generation business.  If we’re going to believe in free markets, then let free markets prevail – those who build a better mouse trap should earn the spoils.  My association with AT&T has been that of a customer as well as a vendor. I have seen no evidence of cutting edge innovation in that organization in decades. Maybe today’s development will be a wake-up call.  Let’s see how the counter-suit plays out.

Privacy in a Mobile App World

I attended a thought provoking seminar yesterday put on by PRSA’s DC chapter. ( A shout out to Microsoft for hosting it in their beautiful Innovation and Policy Center facility at 9th and K. )  The speakers were great, and their often differing opinions created an interesting tension that perhaps yielded more useful insight than one typically gets at these sorts of events. 

One speaker was a goddess of all the shiny new social media tools, emphasizing the growing importance of group aggregation apps and social proximity networks. I must admit the idea of strangers being able to locate me on the street because of personal preference information I shared online was unnerving. I’ve yet to check out some of the tools she mentioned – Sonar, Blu, Nerd Nearby – but the clear trend was toward people aligning themselves via mobile tools. Instinctively I associate this with 20 somethings, but no demographic data was provided so I really don’t know.

Another speaker had formal education in animal behavior (among his many degrees and other talents). He observed that people who have become online influencers are actually pulling back on their use of social media tools due to overwhelming demand to always be ‘on’ and to have too many people wanting a little piece of them.  He particularly noted that the elites of social media were also looking to newer tools such as Quora and Namesake that have not been tainted by the invasion of ‘brands’ – read that, don’t think about using them for marketing – now that Twitter and Facebook were over-run by such activities.  He also noted that the conversation about social media hadn’t really changed in 3 years – many people now use Facebook or are still learning the basics of Twitter, but they don’t have time or interest in taking on any more.

While there was some polite sparring back and forth about the trends toward or away from further engagement, two things stood out to me: 1) Elites have a different experience curve for this social phenomenon, and in a compressed cycle, fundamental human nature kicks in – even influential, attention seeking people ultimately want and need a boundary that limits how much they’re available to the world. The masses always follow, and it still takes a long time for them to move up the adoption bell curve – but will they ultimately reach the same pull-back point if social media demands get too invasive?  2) Privacy is a core issue for both leaders and followers. While the implications of things such as social proximity networks are a bit frightening to me, the issue goes beyond finding strangers nearby with whom in reality I might actually want to interact if we have some relevant things in common. But —who is aggregating data about my physical movement? What are the implications if, for instance, an entity can figure out that I visit a certain shopping district three times per week, usually on Tuesday and Wednesday nights and Saturday mornings?

The application of these technologies to PR needs (the purpose of yesterday’s seminar) can obviously be beneficial to practitioners targeting audiences on their client’s behalf – and in many ways, that’s a good and useful thing. The implications go way beyond, however, and take the current legislative discussion about online privacy to a vastly different level. I would expect some action to protect personal data in this area soon (although with this Congress, can even something this important be accomplished?) but with technology evolving so fast, can slow, bureacratic legislative bodies keep up?  Mind your data.

The Approach of Internet Regulation [and the End of the World as We Know It]

 

The March 2 Communications Summit, put on by the Institute for Policy Innovation, presented some diverse and compelling perspectives on key issues in the Communications industry, particularly relating to government regulation. While I’d expect an anti-regulation stance from the sponsor, they did a credible job of civilly presenting a variety of perspectives in a town known of late for less than civil discourse. 

‘Communications’ in this context means what most of the world now refers to as ‘ICT’ – Information and Communications Technology – but many in the US still think of as ‘telecomm’.  Communications includes the ecosystem of internet-centric businesses, hardware vendors, software vendors, networks, content providers, and the data-gathering and advertising machinery that pervades much of the online world.

Given the aggregation of mountains of personal data about all of us who dwell online, the implications of such data moving freely around the world in nanoseconds, and the increasing incidence of taking content without paying for it [music, movies, etc.], regulation is coming—soon.

Keynote speaker Rick Boucher, Former Chairman of the House Commerce Communications Subcommittee and co-author of draft legislation on internet regulation, prefaced his remarks by stating that net neutrality as an issue is dead. The Senate and President Obama are not going to allow any overturn or spend any more time on it. So, he advocates focusing on what’s feasible at this point.

He predicts real action by Congress, perhaps in as little as a year, on extending privacy rights to internet users. This could include mandating ‘do not track’ options on web sites, providing ‘opt in ‘or ‘opt out’ options for data collection, compelling full disclosure of how your gathered data is collected and used, and variations thereof for certain kinds of data—social security numbers, passport numbers, geo-location info, etc. Boucher likened this movement to other major privacy protection legislation of recent times such as HIPAA and Gramm-Leach-Bliley.

It’s a complex issue that’s going to require hard-wired technical adjustment as well as changes to business practices. The implications for advertisers and aggregators are obvious, but these changes will also extend to other aspects of marketing and communications. Lest corporations fear too much, Boucher also predicts that if/when this is legislated, grievance handling would be managed by the FCC and NOT by allowing individuals to sue companies for a potential breach of their privacy. I suppose I could live with that.

As another of the Summit’s speakers put it, transformational change is when the technology is so pervasive you no longer notice it [like fish not noticing the ocean]. The ever-connected Millenials are certainly there. If privacy concerns prove enough to get even this contentious Congress to agree and act, you can bet the times are a-changing.

Official US Policy on the Internet

I was privileged to be among a couple hundred students and press who attended Hillary Clinton’s on campus speech today about Internet Freedom. After the happenings in Egypt, the new protests in Iran, Yemin and elsewhere, and the whole Wikileaks broohaha, she came forward with a clear, firm policy position on keeping the Internet free. Regardless of what one thinks of Hillary, it was very exciting to be in the room. She is totally in command of her space, polished, poised and on point. A heckler was tackled by police a few feet away from her, yet she never even glanced. In the wake of the Tuscon shootings, I was impressed [although security at today’s venue was tight!].

She referenced 3 key Internet challenges – 1) Achieving libery and security; 2)protecting transparency and confidentiality; and 3) protecting free expression while fostering civility. All of these are obviously timely and are big issues associated with the Internet that are only going to increase. Her point, of course, was that the U.S. was trying to balance all of these.  With regard to Wikileaks, she flat out called it a theft akin to smuggling confidential documents in a briefcase. It was interesting to see her directly address this issue, which caused the State Dept so much embarrassment and trouble. She contended, and in my opinion rightly, that governments need to keep some secrets for good reason – security, safety of those working in risky positions, etc. She also offered that a better answer to ‘offensive’ speech online was more speech – but of the nature to express what’s right, rather than ignoring or brushing what’s wrong under the rug.

Of the many points she made, the speech was obviously a timely policy statement on how the Administration is regarding and approaching Internet Freedom in this incredibly tumultuous time. The fact that such a speech was made by so prominent a person was indicative of the importance of the issue. The State Dept has an enhanced public diplomacy campaign of tweeting in Arabic, with Chinese, Farsi and other languages spoken in internet-repressed areas being added soon. Fascinating stuff.