Static Signal: 2012's Contradictory, Confusing Technology-Law Decisions
As 2012 draws to a close, it's a good time to look back over the past 12 months and revisit some of the ways government decisions and legislative activity affected, or failed to affect, online privacy and cybersecurity.
Congress and state legislatures tried to pass laws beefing up, or weakening, privacy and information sharing. They mostly failed.
The Supreme Court handed down a privacy decision that seemed clear at first, but only raised questions on how similar issues would be treated in the future. Federal agencies defined how they would regulate Internet privacy, and also issued new rules.
"When looking back on 2012 with regards to privacy, I think it is the year the sleeping giant began to stir," said Chester Wisniewski, a senior security advisor in the Vancouver, B.C., office of British anti-virus firm Sophos.
"While Europe has had clearly defined legislation in place for some time, and even Canada has a privacy commissioner," Wisniewski said, "the USA has let the free market have its way with Americans' personal information."
Legally, a lot of cybersecurity issues were addressed in 2012, but, arguably, not always for the better.
Anti-piracy bills fail
Parallel anti-piracy bills in the House of Representatives and the Senate, the Stop Online Piracy Act (SOPA)and the Protect IP Act (PIPA), were first introduced in 2011.
But the general public was not really aware of ramifications of the bills until Google, Wikipedia and other popular websites brought them into the news in early 2012.
Before the public-awareness campaign, opponents of SOPA and PIPA had criticized the bills for what they characterized as draconian measures that could stifle innovation and communication online, as well as granting copyright holders unnecessarily broad powers to target pirates.
As the legislation wound its way through Congress, most of the amendments which would have removed some of the more objectionable aspects of the bills were defeated, and proponents were fairly confident each would pass.
Then on Jan. 18, over 7,000 sites, including Wikipedia, went entirely or partly offline in a voluntary Internet blackout.
Wikipedia's front page redirected users to a page explaining the bills. Google prominently displayed a link to a petition asking lawmakers to reject SOPA and PIPA. Other sites, such as Wired, blacked out sections of their sites and linked users to petitions protesting the bills.
By the end of the week, all the bills' initial sponsors had withdrawn their support, and neither SOPA nor PIPA ever reached full House or Senate for a vote.
Deadlock on comprehensive cybersecurity legislation
Even after many hearings, opposing versions, negotiations and amendments, the patchwork of cyber-security legislation that was the Cyber-Security Act of 2012failed to pass.
The proposed bill touched upon several issues, the most pressing of which was securing the country's critical infrastructure, such as transportation systems, power grids and other networks, from cyberattacks.
In August, the bill's sponsors, Sens. Joe Lieberman (I-Conn.), Susan Collins (R-Maine), Jay Rockefeller (D-W. Va.), Dianne Feinstein (D-Calif.), and Tom Carper (D-Del.), were unable to muster enough votes to end debate on the bill and to bring it to a full-Senate floor vote.
After a few more weeks of negotiations, they finally brought the bill to a floor vote in November, shortly after Election Day. The result was 51 for and 47 against — nine votes shy of the 60 needed to break a threatened Republican filibuster.
The Republicans in the House preferred the Cyber Intelligence Sharing and Protection Act(CISPA), which would have made the sharing of security information among companies and government agencies entirely voluntary — and would shield companies from fines and lawsuits associated with violations of privacy laws.
Citing concerns that the bill would override decades of privacy legislation, the White House on April 25 announced that President Obama would veto CISPA if it came to his desk in its current form. CISPA passed the House anyway the next day, but has since stalled in the Senate.
The SECURE IT Act, a bill that was intended to bridge the gap between CISPA and the Cyber-Security Act, was introduced by Republicans in both chambers in March, but got nowhere.
In response to the lack of legislative movement, the White House on Dec. 19 it issued a National Strategy for Information Sharing and Safeguarding to address how the federal government can responsibly share information for national-security purposes while protecting civil liberties and maintaining privacy.
Not really stealing if you already have access
In April, in a case called United States v. Nosal, the U.S. Court of Appeals for the Ninth Circuit in San Francisco issued a surprising ruling.
Nine of the 11 judges on the panel agreed that a company employee who uses his or her own login credentials to obtain confidential information and take it off company premises is not actually committing a crime under federal computer-fraud law.
The Computer Fraud and Abuse Act of 1986 only applies to computer users who access data without authorization, the Ninth Circuit ruling said. If the user had already been given valid login access, then taking the information may have violated company policy, but it did not constitute a federal crime.
Barry G. Silverman, one of the circuit judges disagreeing with the surprising decision, wrote in his dissent, "A bank teller is entitled to access a bank's money for legitimate banking purposes, but not to take the bank's money for himself."
New FTC rules for children's online privacy
On Dec. 19, the Federal Trade Commission updated the rules regarding the Children's Online Privacy Protection Act (COPPA) for the first time since the law was passed in 1998.
The changes to the COPPA rules, which go into effect on July 1, 2013, will restrict what kind of data websites, online games, apps, ad networks and plug-in developers can collect from children younger than 13.
To HD Moore, chief security officer of Boston-based vulnerability-management firm Rapid7 and chief architect of the open-source penetration-testing tool Metasploit, such activism on the part of a government agency represents a major shift.
"The FTC and FCC now seem to have privacy on their radar," Moore said, "where prior to 2012 many efforts in this area seemed like an afterthought, or simply a side effect of another goal."
"Personal information" will be expanded to include pictures, videos, IP addresses, mobile device identifiers and geographical information. Websites and applications will no longer be able collect those items without parental consent.
Until now, third parties have been able to collect data about children through browser plug-ins and ads without parental consent. That loophole will now be closed.
Internet service providers and website operators will have to “make a reasonable effort” to ensure the information collected from children is kept secure and confidential.
However, that “reasonable effort” does not apply to providers of platforms where many third parties operate, such as Google Play or Apple's App Store.
Location privacy – two steps back, one step forward
The year started off well for location-privacy advocates when the U.S. Supreme Court delivered its verdict in U.S. v. Jones. All nine justices agreed to vacate a conviction based on data from a GPS tracker that had been placed on a suspect's car without a warrant.
But while the Supreme Court justices were unanimous that Jones should be freed, they differed on why. The majority opinion, with five out of nine justices agreed, was so narrowly written that it disallowed only the warrantless physical placement of the police tracker on the vehicle – not the tracking information itself.
A dissenting opinion, signed by four justices, would have extended Fourth Amendment protection against unreasonable search and seizure to cover location data. The swing vote was Justice Sonia Sotomayor, who sympathized with the minority opinion even as she concurred with the majority.
"It may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties," Sotomayor wrote. "This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks."
The high court's reluctance to settle the matter only spurred further court rulings and legislation.
"The courts have done an excellent job of muddling the issue in 2012," Moore said. "Conflicting rulings and unrelated rulings having substantial impacts on privacy have been the norm."
In August, the California state legislature passed the Location Privacy Act of 2012, which would have made it mandatory for law-enforcement agencies to obtain warrants before they collected GPS or other location-tracking data from a suspect's cellphone, tablet, vehicle navigation system or other device.
The bill passed with strong support from both parties, but Gov. Jerry Brown vetoed it.
“It may be that legislative action is needed to keep the law current in our rapidly evolving electronic age,” Brown wrotein his veto statement. “But I am not convinced that this bill strikes the right balance between the operational needs of law enforcement and the individual expectation of privacy.”
Also in August, in the case of U.S. v. Skinner, the U.S. Circuit Court of Appeals for the Sixth Circuit in Cincinnati ruled that law enforcement has the right to obtain location data from a cellphone in order to track a suspect without a warrant.
In a 2-1 decision, the judges rejected the argument that using location data from the user's cellphone constitutes a warrantless search under the Fourth Amendment. The majority opinion stated that the Fourth Amendment wasn't an issue because there was no “reasonable expectation of privacy” in cellphone data.
Finally, on Dec. 13, the Senate Judiciary Committee approved Sen. Al Franken, D-Minn.'s, Location Privacy Protection Act.
The bill would require companies to explicitly receive user permission before logging or sharing user-location data, and would forbid secret monitoring of the user's location.
"The companies that collect our location information are not protecting it the way they should," Franken said in his statement to the committee. "Half of the top apps for iPhone and Android give out their users' location to third parties – without their users' knowledge."
There's little chance Franken's bill will be put to a floor vote in either chamber before the current Congress expires on Jan. 3, but he plans to keep the bill alive by returning it to the Senate Judiciary Committee for markup in the next session.
'Do Not Track' goes nowhere
In February, the White House gave “Do Not Track,” the broadly-based privacy initiative that would give consumers the ability to easily tell Internet companies whether or not they want their online activity to be tracked, a boost when it proposed a “bill of rights” for consumer privacy online.
The Digital Advertising Alliance, which represents 90 percent of the advertisers associated with Google, Yahoo, and Microsoft's ad networks, agreed to work with browser makers to implement a “Do Not Track” button.
It seemed like things were on track for consumers to easily be able to declare their tracking preferences and actually making them stick.
Eleven months later, Do Not Track still has a long way to go. Microsoft enabled “Do Not Track” by default in Internet Explorer 10 on Windows 8. However, a number of advertisers said it would ignore the setting because there was no way to tell if the user really wanted to not be tracked.
Do Not Track still has no enforcement teeth, leaving it mired in a sea of good intentions with no resolution in sight.
"I think it was significant for both how the government looked at privacy, but also how the general public started to become more aware of what is going on behind the curtain," Wisniewski said. "The cloud isn't 'free' and emails aren't private — quite disturbing to many gadget-loving folks."