InsideSources

While 2020 Democratic contender Joe Biden hasn’t announced an official stance on hot-button tech issues like breaking up Big Tech or net neutrality, his privacy record may give Democrats pause.

Joe Biden’s record on privacy issues extends back to at least 1994 when, as a US Senator from Delaware, he introduced the Communications Assistance for Law Enforcement Act (CALEA). It required telecom carriers and manufacturers to design their equipment and services to ensure that they were accessible to surveillance by law enforcement. It was later expanded to cover broadband Internet and VoIP traffic.

CALEA also forces communications equipment manufacturers — like Apple, or Samsung — to hand over hardware and software designs to law enforcement with a warrant.

Privacy advocates often decry laws like this CALEA, arguing that they give the federal government too much discretion and leeway as to how, when and why it can intercept or extract American citizens’ communications.

After CALEA, Biden continued to push similar laws and policies.

In response to the Oklahoma City terrorist bombing in 1995, Biden introduced the Omnibus Counterterrorism Act of 1995. Congress never voted on the bill, but Biden said the controversial 2001 USA PATRIOT Act — which allows the FBI to wiretap and search American citizens’ phone calls, emails and financial records without a court order — copied his 1995 bill.

During the George W. Bush presidency, the issue of government surveillance became more partisan, and Biden walked back his views. In 2006, Biden joined his fellow Democrats in vehemently condemning surveillance policies of the Bush administration, comments that came back to haunt him when the Electronic Frontier Foundation (EFF) juxtaposed them with comments from President Obama in 2013 defending his administration’s mass surveillance policies.

There are more examples of controversial, privacy-related legislation sponsored by Biden: in 1991, he introduced the Comprehensive Counterterrorism Act and the Violent Crime Control Act, both which included anti-encryption language that privacy advocates argued effectively banned encryption.

Phil Zimmerman, who created Pretty Good Privacy (PGP), an encryption program to secure communications, said he created PGP in response to Biden’s CALEA, the Comprehensive Counterterrorism Act, and the Violent Crime Control Act.

“[The Comprehensive Counterterrorism Act] would have forced manufacturers of secure communications equipment to insert special ‘trap doors’ in their products, so that the government could read anyone’s encrypted messages,” Zimmerman wrote. “It reads, ‘It is the sense of Congress that providers of electronic communications services and manufacturers of electronic communications service equipment shall ensure that communications systems permit the government to obtain the plain text contents of voice, data, and other communications when appropriately authorized by law.’ It was this bill that led me to publish PGP electronically for free that year, shortly before the measure was defeated after vigorous protests by civil libertarians and industry groups.”

According to Zimmerman, “If we do nothing, new technologies will give the government new automatic surveillance capabilities that Stalin could never have dreamed of. The only way to hold the line on privacy in the information age is strong cryptography.”

Given the Obama administration’s cozy relationship with Silicon Valley (Google, IBM and Microsoft were three of Obama’s top funders), Obama’s former vice president is unlikely to take a hardline stance on Big Tech, or to be sympathetic toward Congress’ efforts to create an effective federal privacy law.

Some industry observers describe Biden as a “net neutrality skeptic,” a notion reinforced when his first campaign event after entering the race was a fundraiser at the home of a Comcast lobbyist. While Biden didn’t take money from Silicon Valley as a senator — most of his funding came from law firms — his track record indicates he would likely follow in the footsteps of  Bush and Obama when it comes to privacy issues.

Follow Kate on Twitter

A think tank and a senator both just released draft legislation aimed at strengthening consumer data and privacy protections, but experts already fear they are too limited in scope or too vague.

The Center for Democracy and Technology (CDT) announced a privacy bill draft that preempts state privacy laws (like the California Consumer Privacy Act, or CCPA), grants consumers the right to data portability and deletion (similar to the European Union’s GDPR), and restricts tech companies from collecting personal data that is unnecessary to complete the transaction or provide the service.

The privacy bill advocates for the Federal Trade Commission (FTC) to enforce any potential privacy law and advises adding 100 additional personnel to undertake privacy enforcement and consumer data protection issues. It would also grant the FTC civil penalty authority to crack down on tech companies that violate the law.

During a press briefing announcing the legislation, the CDT’s Director of the Privacy and Data Project Michelle Richardson said CDT considers the draft to be a work in progress, and said she wants to “get it out there” to inspire conversation, debate and, she hopes, improvements to the proposed legislation.

Richardson’s apparently getting her wish. The proposal is already drawing criticism.

Allie Bohm, policy counsel at Public Knowledge, told InsideSources that while the CDT’s draft is very specific in some areas, there are “serious gaps.”

According to Bohm, the draft assumes that consumers agree to a company’s “Terms of Service” in order to receive the service or product from the company. But by adjusting language in the “Terms of Service,” tech companies could find ways around some of the privacy protections the bill highlights, like restrictions on sharing personal data with third parties.

For example, she said, if you have HIV and don’t want tech companies to know that but have to reveal that information to comply with the “Terms of Service,” you’re basically being forced to give up your data. This is predicated on the argument that there is so little competition in the tech industry right now — as Apple, Facebook and Google own and administer most of the apps and services consumers use — that consumers don’t have a legitimate way to “opt out” of certain services.

“I don’t want you to be able to sell my HIV status to third parties, so lack of a consent mechanism is a problem,” she said. “There are very large carve outs in the bill — so even when it has good ideas and protections, it has some serious gaps.”

The American Enterprise Institute’s Roslyn Layton, a visiting fellow specializing in tech policy issues, told InsideSources the draft’s focus on the FTC and defining its role as primary enforcer with civil penalty authority is good, as well as the state law preemption clause.

But she worries about the lack of a safe harbor for small to medium-sized companies “to provide assurance for [those] that abide by the law,” and notes that government entities are not covered in the bill even though they are “leading processors of [consumer] data.”

Meanwhile, Hawaii Democrat Sen. Brian Schatz’s (D-Hawaii) has released the  Data Care Act, which mimics the CDT’s privacy bill in terms of consumer data protection. It highlights rights to portability and deletion, but it also strictly prohibits companies from sharing or selling consumer data to third parties (unlike the CDT’s privacy bill, which allows sharing or “licensing” under certain conditions).

Bohm said Schatz’s bill could also be more specific, especially with regard to how companies should respond to a data breach.

Schatz’s bill only requires companies to notify consumers of a data breach depending on the size of the company and the sensitivity of the data.

“This list is too limited to be effective,” Bohm said. “In fact, under the bill, Facebook would not have had to notify end users about Cambridge Analytica. Furthermore, the bill does not address how to handle conflicts between companies’ duties to their end users and their duties to their shareholders.”

Daniel Castro, vice president of the Information Technology and Innovation Foundation (ITIF), told InsideSources in an email that the “narrower” scope of the CDT’s privacy bill doubles its impact, which is a “credit” to the draft proposal.

By getting drafts are on the table, these consumer-focused privacy bills are already ahead of the tech companies in setting the terms for a final privacy bill — even though experts say there’s room for much improvement.

“Putting together legislation is hard,” Bohm said. “I think [the CDT’s] bill falls short in some really critical ways — I just think they have too many exceptions.”

Follow Kate on Twitter

Digital rights advocates asked the U.S. Supreme Court Thursday to review the case of an American convicted with evidence gathered under FISA Section 702 — warrantless National Security Agency surveillance authority meant to spy on foreign nationals.

Privacy and digital rights groups including the Electronic Frontier Foundation (EFF) filed a petition Thursday with the nation’s highest court seeking review of the case of Mohammed Mohamud, an American citizen who was charged in 2012 with planning to car-bomb a Christmas tree lighting ceremony in Portland, Oregon. Information used to prosecute Mohamud was gathered using Section 702 of the 2008 Foreign Intelligence Surveillance Amendments Act.

Section 702 authorizes NSA to tap the physical infrastructure of internet service providers, like fiber connections, to intercept foreign emails, instant messages, and other communications belonging to foreign nationals as they exit and enter the U.S. But according to NSA, the program also “incidentally” sweeps up the communications of Americans corresponding with, and until recently, merely even mentioning foreign targets.

NSA is legally barred from searching through Americans’ communications without a warrant, but that wasn’t the case with Mohamud. His emails were intercepted specifically by a program dubbed PRISM, the existence of which was leaked to the press by former NSA contractor Edward Snowden in 2013. PRISM gives NSA access to communications transmitted over internet edge services like Google, Yahoo, or Facebook.

Mohamud learned after his conviction that his emails were gathered under Section 702 and sought to suppress the evidence, arguing its gathering violated his Fourth Amendment rights against search and seizure without a warrant. The U.S. Court of Appeals for the Ninth Circuit noted the government’s conduct was “quite aggressive at times” but upheld the search, a move EFF, the Center for Democracy and Technology and New America’s Open Technology Institute call “dangerous and unprecedented.”

“The ruling provides an end-run around the Fourth Amendment, converting sweeping warrantless surveillance directed at foreigners into a tool for spying on Americans,” Mark Rumold, a staff attorney for EFF, said Thursday. “Section 702 is unlike any surveillance law in our country’s history, it is unconstitutional, and the Supreme Court should take this case to put a stop to this surveillance.”

The groups add weight to a Supreme Court petition filed by Mohamud’s attorneys in July, and join a long list of battles from the courts to Congress over the legality of Section 702. Wikimedia and the ACLU are suing the government over the use of Section 702 in the Fourth Circuit Court of Appeals, and Congress has held several hearings this year to debate the law’s renewal ahead of its expiration at the end of December.

Section 702 is at the heart of a dispute between Oregon Democratic Sen. Ron Wyden and Director of National Intelligence Dan Coats, the nation’s top spy chief. Wyden has pressed Coats and his predecessor to provide an estimate of the number of Americans incidentally swept up in Section 702 that both claim is impossible to produce. The senator has further suggested the authority could be used to warrantlessly target Americans directly.

Congress’s concerns over Section 702 have become a point of rare bipartisanship for some. Kentucky Republican Sen. Rand Paul has fought alongside Wyden to peel back the curtain on Section 702. South Carolina Republican Sen. Lindsay Graham is grilling intelligence officials for information about what Section 702 gathers on lawmakers and other members of government, and if those intercepts can and are used to politically target government officials like former National Security Adviser Michael Flynn.

In testimony to Congress intelligence chiefs including NSA Director Mike Rogers have admitted Section 702 programs have a history of compliance issues, some highlighted by the Foreign Intelligence Surveillance Court, which approves more than 99 percent of the government’s secret surveillance requests.

The typically intel-friendly court chastised the government for an “institutional lack of candor” on a “very serious Fourth Amendment issue.” One such opinion said NSA has engaged in “significant overcollection . . . including the content of communications of non-target U.S. persons and persons in the U.S.”

As a result, NSA in April suspended a Section 702 practice known as “about” collection — when NSA sweeps up American emails and text messages exchanged with overseas users that simply mention search terms — like an email address belonging to a target — but isn’t to or from a target.

The agency recently told Congress it’s working on a technical solution to reengage about collection.

All of the pushback comes as intelligence leaders pressure Congress not just to renew Section 702 but implement it permanently. Top Republicans and Democrats have endorsed the idea, including Senate Majority Whip John Cornyn of Texas and Intelligence Committee Ranking Member Dianne Feinstein of California.

In a recent interview, Snowden said using Section 702 to surveil Americans requires the agency to engage in little more than “word games.” Privacy advocates suspect the loophole created by Section 702 likely amounts to millions or even hundreds of millions of warrantless interceptions belonging to Americans.

Follow Giuseppe on Twitter

Senators’ ongoing investigation into Backpage.com’s sex advertisements and verbal flogging of the site’s executives Tuesday threaten free speech online, an influential digital rights groups says.

According to the Center for Democracy & Technology (CDT), a Washington-based digital rights non-profit, a report released by lawmakers Monday concluding the site facilitated child sex trafficking acted as a “blow” to free speech by forcing the site to shut down its adult ads section.

“This development is a direct blow to the freedom of speech we enjoy online,” CDT said. “Backpage, like Craigslist before it, has faced a long-running campaign from government officials at every level seeking to force the website to restrict lawful speech as a way to pursue criminal activity by some of the site’s users.”

The group’s comments come the same day Backpage executives CEO Carl Ferrer, COO Andrew Padilla, former owners Michael Lacey and James Larkin, and general counsel Elizabeth McDougall appeared under subpoena before the Senate Homeland Security Committee’s subcommittee on investigations. All declined to answer lawmakers’ questions, citing their First and Fifth Amendment rights not to self-incriminate.

“After consultation with counsel, I decline to answer your question based on the rights provided by the First and Fifth Amendments,” Ferrer said in response to multiple questions from Ohio Republican Sen. Rob Portman, who chairs the subcommittee.

Portman’s committee released a damning Monday report that found Backpage knowingly facilitated pimping and child sex trafficking by editing ads to appear less suspicious. Hours after, Backpage pulled down its adult services section “[a]s the direct result of unconstitutional government censorship,” according to an announcement on the site.

“Backpage.com has removed its Adult content section from the highly popular classified website, effective immediately,” the announcement reads. “For years, the legal system protecting freedom of speech prevailed, but new government tactics, including pressuring credit card companies to cease doing business with Backpage, have left the company with no other choice but to remove the content in the United States.”

Backpage hosts 80 percent of all online sex ads, according to the report. The National Center for Missing and Exploited Children said in 2015 that 71 percent of all child sex trafficking reports submitted by the public are tied to Backpage ads.

The subcommittee’s year-plus investigation found emails showing Backpage outsourced its ad screening to India between 2010 and 2012, where moderators removed words, phrases and images that would have flagged ads to authorities. Witnesses, including the parents of minors whose pictures appeared on Backpage, said the site was reticent to remove sex ads featuring underage children.

Portman said the move by Backpage confirmed the report’s findings.

“Backpage has not denied a word of these findings. Instead, several hours after the report was issued yesterday afternoon, the company announced the closure of its adult section, claiming ‘censorship,’’ Portman said. “But that’s not censorship, that’s validation of our findings.”

Ferrer, who declined to appear before the same committee last year despite being under subpoena, was arrested in October on charges that his website accepted money in the prostitution of minors. The charges were eventually dismissed by a court in California.

The Supreme Court declined Monday to hear an appeal of a case bought by three victims of the site’s sex-trafficking ads in Massachusetts. The decision upholds the lower court ruling’s defense of Backpage based on the Communications Decency Act of 1996. The law shields websites from liability for content posted by users.

Other digital rights groups including the Electronic Frontier Foundation filed briefs in support of Backpage, a position CDT supports.

“This is an important reminder that our online freedoms remain under threat,” CDT President Nuala O’Connor said Tuesday. “While the fundamental legal framework protecting free speech remains strong, too often we see government officials attempt to circumvent these protections to achieve their censorship goals.”

Emma Llansó, CDT’s director of free expression, added government tactics used against sites like Backpage and Craigslist “threaten speech far beyond what’s posted on online classified ad sites.”

“When government officials move beyond the bully pulpit and conduct persistent pressure campaigns to achieve a result repeatedly denied to them in court, we’re in the territory of unaccountable government censorship that is anathema to First Amendment values,” she said.

David Greene, director of EFF’s civil liberties division, drew a distinction between the allegations against Backpage and the law.

“We don’t support trafficking,” Greene told The Boston Globe Monday. “We support full enforcement of the laws. You just have to enforce them against the people who are breaking the law.”

Follow Giuseppe on Twitter