Here's more background on the Specter-Leahy data security bill. The last two messages in this thread are a mini-debate I had with Lauren Weinstein.

I neglected to add that in the event of a Politech email address breach, I'd be required to "offer" to "cover the cost of" monthly access to a credit report for each U.S. subscriber for one year and also pick up the tab for "credit-monitoring services" for one year. That seems to be around $15 a month per person, or $300,000 a month if I had 20,000 subscribers (or a blogger had 20,000 registered users). Extend that to the one-year requirement and it would cost me $3.6 million. Does anyone think that Politech would continue to operate given that kind of liability? I mean, I think the list is reasonably secure from someone snagging the email addresses of subscribers, but I'm not willing to be completely bankrupted if I'm wrong.

EPIC today posted a message on its web site applauding the Specter-Leahy bill -- but I wonder if the person who wrote that notice read the bill carefully enough to realize it applies to non-profit groups. If we assume EPIC has 50,000 subscribers to its EPIC Alert mailing list, and my $15-a-month figure is correct, an email security breach could cost them $9 million. EPIC is engaged in interstate commerce (its Alert serves in large part to sell books for $20-$40 each) and it "stores" e-mail addresses of its users, so the definitions would seem to fit. (If growing marijuana for your own use is interstate commerce, selling books across state lines would be.)

I'd like to invite my friends from EPIC to reply. As fans of the bill, it seems that they have two obvious choices:

1. Argue that there's no way any state prosecutor could ever apply the bill to them under any circumstances.

2. Say that even though it does, such Draconian provisions still are necessary: Privacy must be protected at all costs! Even if it means censoring discussion groups and blogs devoted to privacy, that is.
-Declan

PS: Previous Politech message, with text of bill:
http://www.politechbot.com/2005/06/30/preliminary-analysis-of/

-------- Original Message --------
Subject: Re: [Politech] Preliminary analysis of new Specter-Leahy data security bill: opinions? [priv]
Date: Thu, 30 Jun 2005 03:50:53 -0700
From: Anthony Mournian <mournian@private>
To: Declan McCullagh <declan@private>
References: <42C37F93.7000203@private>

Declan,

I'm from the Government, and I'm here to help you.

Tony
mournian@private

-------- Original Message --------
Subject: Re: [Politech] Preliminary analysis of new Specter-Leahy data security bill: opinions? [priv]
Date: Thu, 30 Jun 2005 01:38:08 -0400
From: Dave Lindbergh
To: Declan McCullagh <declan@private>
References: <42C37F93.7000203@private>

Hm. Given that you're running a mailing list, you might have a 1st Amendment defense. I suspect there is precedent that the government can't make you jump thru hoops to exercise your 1st Amendment rights. Just a thought.

But I agree - sounds like SarbOx all over again. :-(

(If you use this, please don't post my email address.)

--Dave

-------- Original Message --------
Subject: Re: [Politech] Preliminary analysis of new Specter-Leahy data security bill: opinions? [priv]
Date: Thu, 30 Jun 2005 08:42:25 -0400
From: Robert Gellman <rgellman@private>
To: Declan McCullagh <declan@private>
References: <42C37F93.7000203@private>

Declan McCullagh wrote:
> I recognize that senators Specter and Leahy are trying to target
> ChoicePoint and Acxiom and so on. But their bill, as written, does not
> appear to be written to include just those data warehouses. And given
> that they've had months and (presumably) very bright people drafting it,
> that makes me worried.

I haven't read the bill, but you have put your finger squarely on the main problem. Defining data brokers is extremely challenging. It is easy for a definition to include almanacs, encyclopedias, sports statistics services, telephone books, and a zillion other traffickers in personal information. I doubt that the political process is capable of producing a definition that is constitutional and precise.

I think that the government should consider another approach. Instead of trying to regulate the data broker world, it should establish procurement rules that require companies selling personal information services to the government to follow specified fair information practices as a condition of doing business with the government. This avoids the definitional problem entirely. The requirements are only included in those contracts when appropriate. The big data brokers do business with the government so they can be brought under the rules. And this idea works just as well for the states as for the feds. The ChoicePoints of the world cannot walk away from government business.

This approach will not cover every company. But it passes the 80-20 test. You can solve 80% of a problem easily. Trying to solve the last 20% is what creates all the difficulties.

Finally, I observe that an EU style privacy law would avoid the problem entirely by establishing common rules that apply to everyone. I am not pushing that idea for the US, but it evades the maddening problems that we have of deciding who is a financial institution, health care provider, data broker, credit bureau, etc. The so-called US sectoral approach either leaves major gaps or has regulatory overlap.

Bob

-- 
+ + + + + + + + + + + + + + + + + + + + + + + +
+ Robert Gellman                              +
+ Privacy and Information Policy Consultant   +
+ 419 Fifth Street SE                         +
+ Washington, DC 20003                        +
+ 202-543-7923 <rgellman@private>             +
+ + + + + + + + + + + + + + + + + + + + + + + +

-------- Original Message --------
Subject: Re: [IP] Internet Mailing Lists vs.
Specter-Leahy data security bill
Date: Thu, 30 Jun 2005 12:11:59 -0400
From: Steven Champeon <schampeo@private>
To: David Farber <dave@private>
CC: lauren@private, declan@private
References: <200506301548.j5UFmJVf016893@private> <98241C20-54F2-4293-B3C9-446F0D782DF0@private>

> On the other hand, there may well be applicability of such a "data
> broker" law to many spammers, who often collect e-mail addresses
> without the permission of the persons involved, send unsolicited
> mailings, and frequently buy and sell those mailings lists like bags
> of potatoes.

Not to mention that every last one of them also claims that the list members are "self-subscribed", that they "voluntarily signed themselves up to review [their] electronic mailings", and that their mailings are a "service" provided for free to the willing recipients.

I'm also concerned about this bill, as I provide, and have provided for the last eight years, a mailing list community for roughly 2300 people (webdesign-l) - note I have no way to track how many real people are behind whatever aliases and exploders that may be signed up for the list; for all I know, half of the "members" are actually aliases at Web design companies with fifty people behind them. I know I've had to crack down on various unofficial and unapproved archives of the list from time to time. I have no way of knowing how many private archives exist. I do know that I've seen more than 5K members of the list over the course of its (relatively) long life, though for many I have no way of knowing whether one address represents one person or many, or whether many addresses all represent the same person.

The irony is that the only thing I collect about these people is voluntarily given when they join/leave (via email, so I know where they sent the admin messages from) or post (whatever they volunteer in their .sigs and otherwise via the content of their messages). And then by virtue of the fact that it's a discussion, everything they send is then forwarded to at least 2300 more people every time they post.

Granted, I'm not asking for special protection for email list communities if it also means that spammers can hide under the same legal language. But it's worrisome just the same.

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us! http://hesketh.com/about/careers/account_manager.html
join us! antispam news, solutions for sendmail, exim, postfix: http://enemieslist.com/

-------- Original Message --------
From: Lauren Weinstein <lauren@private>
Date: June 30, 2005 11:48:18 AM EDT
To: dave@private
Cc: lauren@private
Subject: Internet Mailing Lists vs. Specter-Leahy data security bill

> From: Declan McCullagh <declan@private>
> Date: June 30, 2005 1:13:55 AM EDT
> To: politech@private
> ...
> That's defined as a "business entity" that is in the
> regular business of "collecting, transmitting, or otherwise providing
> personally identifiable information" of 5,000 or more people that are
> not "customers" or "employees."

I suspect that as far as self-subscribed Internet mailing lists are concerned, "customers" is a key word. The sorts of mailing lists that we (Declan, Dave, me, etc.) run are all self-subscribed lists where persons have voluntarily signed themselves up to receive our electronic mailings, which we provide as a free service. Even though no money is changing hands in our cases, those recipients can still be viewed as "customers" of our mailings -- at the very least they fulfill the key aspect of having a direct relationship with us that they have initiated by signing up. Nor do we provide or sell our mailing lists to other entities. So I believe that it would be a considerable stretch to extend the "data broker" rules to this situation.

On the other hand, there may well be applicability of such a "data broker" law to many spammers, who often collect e-mail addresses without the permission of the persons involved, send unsolicited mailings, and frequently buy and sell those mailings lists like bags of potatoes.

--Lauren--
Lauren Weinstein
lauren@private or lauren@private or lauren@private
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Co-Founder, EEPI - Electronic Entertainment Policy Initiative - http://www.eepi.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com

-------- Original Message --------
Subject: Why e-mail list operators might worry about Specter-Leahy data security bill
Date: Thu, 30 Jun 2005 12:20:44 -0400
From: Declan McCullagh <declan@private>
To: dave@private
CC: lauren@private
References: <200506301548.j5UFmJVf016893@private> <98241C20-54F2-4293-B3C9-446F0D782DF0@private>

David Farber wrote, forwarding a comment from Lauren Weinstein:
> I suspect that as far as self-subscribed Internet mailing lists are
> concerned, "customers" is a key word. The sorts of mailing lists
> that we (Declan, Dave, me, etc.) run are all self-subscribed lists
> where persons have voluntarily signed themselves up to receive our
> electronic mailings, which we provide as a free service. Even
> though no money is changing hands in our cases, those recipients can
> still be viewed as "customers" of our mailings -- at the very least
> they fulfill the key aspect of having a direct relationship with
> us that they have initiated by signing up. Nor do we provide or
> sell our mailing lists to other entities.

All of this is true, except that the proposed law (a) does not require that any money change hands and (b) does not require that any mailing lists be sold, just that email addresses be "collected." So my only defense to an onerous lawsuit would be your suggestion of arguing with my state attorney general in court over how to define "customer" -- so pardon me if I'm not as blase as you are.

Still, let's assume that you're right and that Title III of the bill doesn't apply to me or to Dave's IP list. But what about the rest? Title IV is more regulatory and would seem to apply to a much larger group of people. It regulates a sole proprietor who collects, accesses, transmits, uses, stores, *OR* disposes of personal info in digital form. Note that's an OR clause, not an AND clause, and Dave and I would probably fit into this broader definition.

If we fall into that definition, Subtitle B requires Dave or me to:

* In the case of a security breach of our mailing lists, we must notify the U.S. Secret Service and the state attorney general.
* And we must notify individual subscribers
* And we must notify consumer reporting agencies
* For individual subscribers, we must notify via physical mail to home address, or if we can't, via telephone call to home numbers. There's no provision for e-mail contact. But if we don't follow those procedures we violate the law.
* We also must post this notice publicly on the Web and notify "major media outlets"

Subtitle A is slightly narrower and only applies to larger lists of 10,000 or more "U.S. persons." Anyone running such a mailing list must:

* "Implement a comprehensive personal data privacy and security program"
* Create a "risk assessment" to "identify reasonably foreseeable" vulnerabilities
* "Assess the likelihood" of security breaches
* "Assess the sufficiency" of our policies to protect against them
* Protect information by encrypting it
* Publish the "terms of such program"
* Do "regular testing of key controls" to test security
* Select only superior "service providers" after doing "due diligence"
* Regularly "monitor, evaluate, and adjust" our security policies

If we don't comply, we can be fined up to $10,000 a day per violation, and in some cases imprisoned for up to five years.

> On the other hand, there may well be applicability of such a "data
> broker" law to many spammers, who often collect e-mail addresses
> without the permission of the persons involved, send unsolicited
> mailings, and frequently buy and sell those mailings lists like bags
> of potatoes.

I think you're right and spammers would be covered. But what most spammers do is probably illegal anyway so I'm not sure why we care.

And again, I'm not sure if you've digested the legislation: there's nothing in the bill that (a) exempts individuals who have properly obtained permission through double-opt-in, (b) who send only solicited mailings, or (c) who don't buy and sell lists. There's not even any way to contract around it -- Dave or I couldn't say "If you want to sign up to our list, you agree not to enforce the Specter-Leahy law against us."

Sure, we all agree that security and privacy are good things. And the section of the Specter-Leahy bill that regulates government privacy practices seems decent enough. But let's not permit our enthusiasm for those "good things" to stop us from looking critically at what the other requirements would actually do in practice. Much harm can be done in the name of federally-mandated "security and privacy" rules, and it's about time we recognize it.

-Declan

PS: The text of the bill and statements are here:
http://www.politechbot.com/2005/06/30/preliminary-analysis-of/

_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)
This archive was generated by hypermail 2.1.3 : Thu Jun 30 2005 - 11:37:48 PDT