Location, Data Retention Bills Could Move Through Legislative Process This Congress, CDT Says

The Protect IP Act from Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., passed the committee, but remains controversial for several groups, including CDT, NetCoalition, Visa and PayPal, said David Sohn, CDT lawyer. A House bill is expected soon, he said. As the House bill comes out, one thing to look for is whether it includes “the domain name filtering provisions that drew the fire from the Internet engineers and that CDT is so concerned about,” he said. These are provisions that “we feel won’t work effectively to stop piracy, but at the same time risk undermining domain name systems and security provisions, like domain name system security extensions.” Another component to look for is whether it ensures that only bad actors are targeted, he said: As a private right of action, “it’s hard to make sure that only the real bad actors are getting targeted and that legitimate companies can’t get swept in."

The White House cybersecurity proposal could be problematic due to its terms around the Computer Fraud and Abuse Act, said Greg Nojeim, senior counsel with the CDT. The terms aren’t well-defined in the legislation, he said. The result of the failure “to define those terms well is that the legislation can be used to prosecute people who merely violate terms of service” or violate a company’s computer use policies, he said. It’s important to look at whether penalties are enhanced under the CFAA without addressing its overbreadth and its vagueness, he said.

Terms concerning law enforcement access to location data should be scrutinized in Leahy’s bill to reform the Electronic Communications Privacy Act and the bill from Wyden and Chaffetz, Nojeim said. The Leahy bill, S-1011, requires a “probable cause for law enforcement access to real time location information generated by use of a mobile device, like a cellphone,” he said. The Wyden bill goes further, he said: It would impose a probable cause requirement for law enforcement access to location information “regardless of whether it was generated in real time or retrieved from storage and it would also require a warrant for accessing location information by law enforcement when it doesn’t use a provider.”

CDT prefers to see a bill that has a comprehensive approach and gives consumers control over all their information, said Justin Brookman, CDT consumer privacy project director. Franken’s bill does a pretty good job of requiring opt-in permissions “both from the person collecting the information in the first place … and disclosing the company who it’s disclosed to,” he said. While wireless carriers and companies like Google and Apple do fairly well at informing consumers about data collection, “it’s what happens downstream that we have questions about,” he said. “The Franken bill addresses this and we're supportive of that.” However, Wyden’s bill “doesn’t get as concrete into what a permission needs to be, whether opt-in or opt-out,” he said. It’s not entirely clear that all applications would be covered by it, he added.

Smith’s bill should be on the House floor this fall, Nojeim said. CDT urged Congress not to pass this legislation, he said: It would harm privacy and free speech and “the standard for law enforcement access to information is very low.” One important aspect to look for is “what do the tea partiers do about it” and a companion bill in the Senate, he said. “It is a new authority for the government to invade privacy,” and it was opposed by Chaffetz, a key Tea Party supporter, he added. Although it’s being sold as an anti-child pornography measure, “everyone knows it will be used primarily toward other crimes,” he said.