[Politech] Why Specter-Leahy "data security" bill should alarm bloggers, list operators [priv]

From: Declan McCullagh (declan@private)
Date: Thu Jun 30 2005 - 12:01:24 PDT


Here's more background on the Specter-Leahy data security bill. The last 
two messages in this thread are a mini-debate I had with Lauren Weinstein.

I neglected to add that in the event of a Politech email address breach, 
I'd be required to "offer" to "cover the cost of" monthly access to 
a credit report for each U.S. subscriber for one year and also pick up the 
tab for "credit-monitoring services" for one year.

That seems to be around $15 a month per person, or $300,000 a month if I 
had 20,000 subscribers (or a blogger had 20,000 registered users). 
Extend that to the one year requirement and it would cost me $3.6 million.

Does anyone think that Politech would continue to operate given that 
kind of liability? I mean, I think the list is reasonably secure from 
someone snagging the email addresses of subscribers, but I'm not willing 
to be completely bankrupted if I'm wrong.

EPIC today posted a message on its web site applauding the Specter-Leahy 
bill -- but I wonder if the person who wrote that notice read the bill 
carefully enough to realize it applies to non-profit groups.

If we assume EPIC has 50,000 subscribers to its EPIC Alert mailing list, 
and my $15-a-month figure is correct, an email security breach could 
cost them $9 million. EPIC is engaged in interstate commerce (its Alert 
serves in large part to sell books for $20-$40 each) and it "stores" 
e-mail addresses of its users, so the definitions would seem to fit. (If 
growing marijuana for your own use is interstate commerce, selling books 
across state lines would be.)

I'd like to invite my friends from EPIC to reply. As fans of the bill, 
it seems that they have two obvious choices:
1. Argue that there's no way any state prosecutor could ever apply the 
bill to them under any circumstances.
2. Say that even though it does, such Draconian provisions still are 
necessary: Privacy must be protected at all costs! Even if it means 
censoring discussion groups and blogs devoted to privacy, that is.

-Declan

PS: Previous Politech message, with text of bill:
http://www.politechbot.com/2005/06/30/preliminary-analysis-of/



-------- Original Message --------
Subject: Re: [Politech] Preliminary analysis of new Specter-Leahy data 
security bill: opinions? [priv]
Date: Thu, 30 Jun 2005 03:50:53 -0700
From: Anthony Mournian <mournian@private>
To: Declan McCullagh <declan@private>
References: <42C37F93.7000203@private>

Declan,

I'm from the Government, and I'm here to help you.

Tony
mournian@private



-------- Original Message --------
Subject: Re: [Politech] Preliminary analysis of new Specter-Leahy data 
security bill: opinions? [priv]
Date: Thu, 30 Jun 2005 01:38:08 -0400
From: Dave Lindbergh
To: Declan McCullagh <declan@private>
References: <42C37F93.7000203@private>

Hm.  Given that you're running a mailing list, you might have a 1st
Amendment defense.  I suspect there is precedent that the government can't
make you jump thru hoops to exercise your 1st Amendment rights.

Just a thought.  But I agree - sounds like SarbOx all over again.  :-(

(If you use this, please don't post my email address.)

--Dave




-------- Original Message --------
Subject: Re: [Politech] Preliminary analysis of new Specter-Leahy data 
security bill: opinions? [priv]
Date: Thu, 30 Jun 2005 08:42:25 -0400
From: Robert Gellman <rgellman@private>
To: Declan McCullagh <declan@private>
References: <42C37F93.7000203@private>

Declan McCullagh wrote:

 > I recognize that senators Specter and Leahy are trying to target
 > ChoicePoint and Acxiom and so on. But their bill, as written, does not
 > appear to be written to include just those data warehouses. And given
 > that they've had months and (presumably) very bright people drafting it,
 > that makes me worried.

I haven't read the bill, but you have put your finger squarely on the
main problem.  Defining data brokers is extremely challenging.  It is
easy for a definition to include almanacs, encyclopedias, sports
statistics services, telephone books, and a zillion other traffickers in
personal information.  I doubt that the political process is capable of
producing a definition that is constitutional and precise.

I think that the government should consider another approach.  Instead
of trying to regulate the data broker world, it should establish
procurement rules that require companies selling personal information
services to the government to follow specified fair information
practices as a condition of doing business with the government.  This
avoids the definitional problem entirely.  The requirements are only
included in those contracts when appropriate.  The big data brokers do
business with the government so they can be brought under the rules.
And this idea works just as well for the states as for the feds.  The
ChoicePoints of the world cannot walk away from government business.

This approach will not cover every company.  But it passes the 80-20
test.  You can solve 80% of a problem easily.  Trying to solve the last
20% is what creates all the difficulties.

Finally, I observe that an EU style privacy law would avoid the problem
entirely by establishing common rules that apply to everyone.  I am not
pushing that idea for the US, but it evades the maddening problems that
we have of deciding who is a financial institution, health care
provider, data broker, credit bureau, etc.  The so-called US sectoral
approach either leaves major gaps or has regulatory overlap.

Bob

-- 
+ + + + + + + + + + + + + + + + + + + + + + +
+ Robert Gellman                            +
+ Privacy and Information Policy Consultant +
+ 419 Fifth Street SE			    +
+ Washington, DC 20003			    +
+ 202-543-7923        <rgellman@private> +
+ + + + + + + + + + + + + + + + + + + + + + +






-------- Original Message --------
Subject: Re: [IP] Internet Mailing Lists vs. Specter-Leahy data security 
bill
Date: Thu, 30 Jun 2005 12:11:59 -0400
From: Steven Champeon <schampeo@private>
To: David Farber <dave@private>
CC: lauren@private, declan@private
References: <200506301548.j5UFmJVf016893@private> 
<98241C20-54F2-4293-B3C9-446F0D782DF0@private>

 > On the other hand, there may well be applicability of such a "data
 > broker" law to many spammers, who often collect e-mail addresses
 > without the permission of the persons involved, send unsolicited
 > mailings, and frequently buy and sell those mailing lists like bags
 > of potatoes.

Not to mention that every last one of them also claims that the list
members are "self-subscribed", that they "voluntarily signed themselves
up to review [their] electronic mailings", and that their mailings are
a "service" provided for free to the willing recipients.

I'm also concerned about this bill, as I provide, and have provided for
the last eight years, a mailing list community for roughly 2300 people
(webdesign-l) - note I have no way to track how many real people are
behind whatever aliases and exploders that may be signed up for the
list; for all I know, half of the "members" are actually aliases at Web
design companies with fifty people behind them. I know I've had to crack
down on various unofficial and unapproved archives of the list from time
to time. I have no way of knowing how many private archives exist. I do
know that I've seen more than 5K members of the list over the course of
its (relatively) long life, though for many I have no way of knowing
whether one address represents one person or many, or whether many
addresses all represent the same person.

The irony is that the only thing I collect about these people is
voluntarily given when they join/leave (via email, so I know where they
sent the admin messages from), post (whatever they volunteer in their
.sigs and otherwise via the content of their messages). And then by
virtue of the fact that it's a discussion, everything they send is then
forwarded to at least 2300 more people every time they post.

Granted, I'm not asking for special protection for email list
communities if it also means that spammers can hide under the same
legal language. But it's worrisome just the same.

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us!   http://hesketh.com/about/careers/account_manager.html    join us!
antispam news, solutions for sendmail, exim, postfix: 
http://enemieslist.com/






-------- Original Message --------
From: Lauren Weinstein <lauren@private>
Date: June 30, 2005 11:48:18 AM EDT
To: dave@private
Cc: lauren@private
Subject: Internet Mailing Lists vs. Specter-Leahy data security bill


 > From: Declan McCullagh <declan@private>
 > Date: June 30, 2005 1:13:55 AM EDT
 > To: politech@private
 >
...

 > That's defined as a "business entity" that it's in the
 > regular business of "collecting, transmitting, or otherwise providing
 > personally identifiable information" of 5,000 or more people that are
 > not "customers" or "employees."
 >

I suspect that as far as self-subscribed Internet mailing lists are
concerned, "customers" is a key word.  The sorts of mailing lists
that we (Declan, Dave, me, etc.) run are all self-subscribed lists
where persons have voluntarily signed themselves up to receive our
electronic mailings, which we provide as a free service.  Even
though no money is changing hands in our cases, those recipients can
still be viewed as "customers" of our mailings -- at the very least
they fulfill the key aspect of having a direct relationship with
us that they have initiated by signing up.  Nor do we provide or
sell our mailing lists to other entities.

So I believe that it would be a considerable stretch to extend the
"data broker" rules to this situation.

On the other hand, there may well be applicability of such a "data
broker" law to many spammers, who often collect e-mail addresses
without the permission of the persons involved, send unsolicited
mailings, and frequently buy and sell those mailing lists like bags
of potatoes.

--Lauren--
Lauren Weinstein
lauren@private or lauren@private or lauren@private
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
   - People For Internet Responsibility - http://www.pfir.org
Co-Founder, EEPI
   - Electronic Entertainment Policy Initiative - http://www.eepi.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com



-------- Original Message --------
Subject: Why e-mail list operators might worry about Specter-Leahy data 
security bill
Date: Thu, 30 Jun 2005 12:20:44 -0400
From: Declan McCullagh <declan@private>
To: dave@private
CC: lauren@private
References: <200506301548.j5UFmJVf016893@private> 
<98241C20-54F2-4293-B3C9-446F0D782DF0@private>

David Farber wrote, forwarding a comment from Lauren Weinstein:
> I suspect that as far as self-subscribed Internet mailing lists are
> concerned, "customers" is a key word.  The sorts of mailing lists
> that we (Declan, Dave, me, etc.) run are all self-subscribed lists
> where persons have voluntarily signed themselves up to receive our
> electronic mailings, which we provide as a free service.  Even
> though no money is changing hands in our cases, those recipients can
> still be viewed as "customers" of our mailings -- at the very least
> they fulfill the key aspect of having a direct relationship with
> us that they have initiated by signing up.  Nor do we provide or
> sell our mailing lists to other entities.

All of this is true, except that the proposed law (a) does not require
that any money change hands and (b) does not require that any mailing
lists be sold, just that email addresses be "collected." So my only
defense to an onerous lawsuit would be your suggestion of arguing with
my state attorney general in court over how to define "customer" -- so
pardon me if I'm not as blase as you are.

Still, let's assume that you're right and that Title III of the bill
doesn't apply to me or to Dave's IP list. But what about the rest?

Title IV is more regulatory and would seem to apply to a much larger
group of people. It regulates a sole proprietor who collects, accesses,
transmits, uses, stores, *OR* disposes of personal info in digital form.
Note that's an OR clause, not an AND clause, and Dave and I would
probably fit into this broader definition.

If we fall into that definition, Subtitle B requires Dave or me to:
* In the case of a security breach of our mailing lists, we
must notify the U.S. Secret Service and the state attorney general.
* And we must notify individual subscribers
* And we must notify consumer reporting agencies
* For individual subscribers, we must notify via physical mail to home
address, or if we can't, via telephone call to home numbers. There's no
provision for e-mail contact. But if we don't follow those procedures we
violate the law.
* We also must post this notice publicly on the Web and notify "major
media outlets"

Subtitle A is slightly narrower and only applies to larger lists of
10,000 or more "U.S. persons." Anyone running such a mailing list must:
* "Implement a comprehensive personal data privacy and security program"
* Create a "risk assessment" to "identify reasonably foreseeable"
vulnerabilities
* "Assess the likelihood" of security breaches
* "Assess the sufficiency" of our policies to protect against them
* Protect information by encrypting it
* Publish the "terms of such program"
* Do "regular testing of key controls" to test security
* Select only superior "service providers" after doing "due diligence"
* Regularly "monitor, evaluate, and adjust" our security policies

If we don't comply, we can be fined up to $10,000 a day per violation,
and in some cases imprisoned for up to five years.

> On the other hand, there may well be applicability of such a "data
> broker" law to many spammers, who often collect e-mail addresses
> without the permission of the persons involved, send unsolicited
> mailings, and frequently buy and sell those mailing lists like bags
> of potatoes.

I think you're right and spammers would be covered. But what most
spammers do is probably illegal anyway so I'm not sure why we care. And
again, I'm not sure if you've digested the legislation: there's nothing
in the bill that (a) exempts individuals who have properly obtained
permission through double-opt-in, (b) who send only solicited mailings,
or (c) who don't buy and sell lists. There's not even any way to
contract around it -- Dave or I couldn't say "If you want to sign up to
our list, you agree not to enforce the Specter-Leahy law against us."

Sure, we all agree that security and privacy are good things. And the
section of the Specter-Leahy bill that regulates government privacy
practices seems decent enough. But let's not permit our enthusiasm for
those "good things" to stop us from looking critically at what the other
requirements would actually do in practice. Much harm can be done in the
name of federally-mandated "security and privacy" rules, and it's about
time we recognize it.

-Declan

PS: The text of the bill and statements are here:
http://www.politechbot.com/2005/06/30/preliminary-analysis-of/

_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)



This archive was generated by hypermail 2.1.3 : Thu Jun 30 2005 - 11:37:48 PDT