Regulatory Shorts – July 2016

Scale_of_justice_2_newThere are some interesting things happening in courts lately that will be of concern to ISPs.

ISPs Might be Liable for Customer Piracy. In two court decisions, courts have said that ISPs can be held responsible by piracy committed by ISP customers. In the Alexandria, VA district court a jury found Cox Communications liable of copyright infringement from a lawsuit brought by BMG, the music publisher. BMG had argued that Cox should have disconnected customers who violate copyrights. There was a similar ruling in Manhattan district court against RCN, also brought by BMG. Both companies are currently vigorously fighting the rulings. This kind of ruling could have a chilling impact on ISPs. Net neutrality rules would make it hard, and maybe illegal, to block sites like BitTorrent. And yet ISPs might somehow be liable for what customers do on piracy sites.

Internet Firms Not Necessarily Liable for False Information. On May 16 the FCC handed down a narrow victory to Spokeo.com. The company had been sued by a Virginia resident who said that the site contained errors about his age, education, employment, and marital status. The court said that the plaintiff could not sue without having proven any real damage from the bad information.

The case was watched closely by Facebook, Google, and other internet firms that are worried about a negative impact from having inaccurate data. The court ruling seems to make it unlikely that class action suits could be brought against internet companies, but it did open the door to individual suits when real damage could be claimed.

Fourth Amendment Does Not Protect Home Computers. The federal district court in Virginia ruled that a criminal defendant had no ‘reasonable expectation of privacy’ for information stored on his home computer. The particular case came out of an FBI sting of Playpen – a TOR site on the dark web used to host child pornography. It’s a complicated and unprecedented case where the FBI seized the server and continued to operate the site, and to eventually arrest numerous users.

But the ruling is a bit troublesome because it implies that police have the power to remotely access the files on somebody’s computer without a warrant. That runs contrary to recent rulings about the security of information on a cell phone. Police have searched computers before of people who have been charged with crimes, but the ability to search the computers of people who have not been accused of any crime without a warrant is scary. I expect this to be appealed.

FBI says Location of Surveillance Cameras Must be Kept Secret. The FBI was successful in getting a judge to block Seattle City Light from divulging the location of FBI security cameras. City Light is part of the city government and would normally be required to respond to requests for information like this from the public.

One thing the court process revealed is that the majority of police surveillance cameras are installed without a warrant, which raises the issue of violating the Fourth Amendment. The judge in this case did say that he thought the FBI needed warrants to install cameras.

Europe Proposes Requiring an Online ID. Officials in the European Commission have suggested that European citizens be required to use a government issued ID when online. The purpose of this is supposedly to provide a trustworthy environment online for merchants and people to be able to know who they are dealing with.

The White House had proposed a similar voluntary system a few years ago in response to cyberbullying and other online issues. They suggested that if people adopted a verified and trustworthy identity online that they could be safer by only dealing with others who did the same. There are still a few states considering trials of the idea. But that proposal was very far away from being the mandatory requirements suggested in Europe.

The Best Explanation of Network Neutrality Yet. And finally, Stephen Colbert discusses net neutrality while on a roller coaster.

 

 

 

The Security / Privacy Battle

SpyVsSpyEvery time there is some traumatic terrorism event like what just happened in Paris there is a renewed call by governments for better surveillance and security measures. And every time that happens, the advocates of privacy sound a loud warning. What I find most interesting about this back and forth between the two sides is that it’s not events or even public policies that are driving the battle between security and privacy, but technology.

Just during the last decade there has been a number of technologies that have assaulted our privacy – encryption, big data, cloud computing, and advertising spyware. And we are fast approaching new threats from drones and from Internet of Things sensors everywhere.

The real battle between security and privacy happens when we introduce new innovations that can invade our privacy followed by countermeasures against those new technologies. There are plenty of politicians on both sides of the privacy issue who think that creating new laws is the way to protect privacy. But there are no laws that are going to flexible enough to keep up with the new threats we are constantly seeing in the real world.

Consider the traditional privacy laws. There have been wire-tapping laws on the books for decades which are now completely obsolete. The FBI convinced the FCC a few decades ago to create a set of laws called CALEA that gives the FBI the right to subpoena ISPs and get the records of suspected law breakers. ISPs and telcos spend a lot of money to stay compliant with these rules and yet I can’t think of one of my clients that has actually gotten a CALEA request from the FBI. ISPs do often get requests from local law enforcement asking for calling records under older wire-tapping laws, but not a peep out of the CALEA folks.

And this is because those laws were obsolete before the ink was dry on them. The CALEA rules were written not long after we had migrated from dial-up to DSL and there was no such thing as the dark web and disposable cell phones and all of the other ways that serious criminals use to avoid law enforcement.

What typically happens with a new technology is that it gives one side – the police or the bad guys – a temporary advantage. But there is always a technological counterpunch as somebody on the other side figures out how to defeat and neutralize each new technological development.

Edward Snowden showed us that law enforcement sometimes is so desperate for an edge that they collect data illegally in violation of the basic rights granted to US citizens by the fourth amendment. But even that is only a temporary edge. There are now numerous groups developing strategies to counteract widespread government surveillance.

There have been numerous attempts to pass surveillance and security laws starting with the Patriot Act. But industry experts say that most of the laws that try to give the government more power are ineffective, again because technology moves a lot faster than legislative bodies.

So what we see is a cat and mouse game. The NSA spies on us and so companies like Apple develop encryption that makes it hard or impossible for the NSA to gather anything useful. And there are more and more web services that either automatically encrypt or which offer that as an option.

It seems that the privacy advocates are winning the long term fight, and this is because there are ways around almost any tool the government or big business can use to spy on people. I’ve read several articles recently that talk about how even in China people are finding ways to bypass the strict security of the Great Firewall of China. But the fight is a long way from over because there are always going to be tools that come out that can be used to spy on people and there will then be ways to defeat those measures. We are likely to see this battle for decades to come.