andyblair.com

saving the world, one post at a time

  • About

    Welcome to my magical little soap box. In my day job I am an attorney practicing technology and intellectual property law. In my former life I did computer security work for a big consumer packaged goods company.

    Just in case it was in any way unclear, nothing here reflects the views of my employer or clients, and nothing written here is or should be interpreted as legal advice.


Why Internet Policymaking is Currently Failing

Posted by andy on April 10, 2012

With its report on protecting consumer privacy, the FTC proposed a multistakeholder process for developing industry self-regulation. The NTIA published a request for comments to solicit ideas on how the multistakeholder process should work.

The RFC has received quite a bit of attention, receiving over 80 comments so far. The US Chamber of Commerce submitted its comments on April 2nd, which go directly to the heart of why SOPA failed and why Internet users are resisting CISPA and skeptical of other Internet-related laws coming out of Congress. The Chamber’s comments are only about 5 pages, making only about five points, but most of their effort is spent on the first comment, which is the most telling.

Posted in Uncategorized | Comments Off

On Re-Dancing Dances

Posted by andy on April 6, 2012

So apparently we don’t need CISPA to be the “new SOPA.”  According to MPAA chief Chris Dodd, SOPA itself may rise from the grave; he told the Hollywood Reporter that he is “confident” conversations are occurring that could result in “an understanding” between the technology industry and Hollywood.

The striking thing here is the underlying assumption that SOPA was a battle between Silicon Valley and Hollywood.  The problem is that this really wasn’t the case.  The protests and the Internet blackout day were really user driven.  It started on the Internet bulletin board site Reddit and was picked up by other tech firms, but the driving force was not Google or Wikipedia but Internet users.  Industry insiders and Capitol Hill types don’t seem to understand this and will keep bumbling into PR disasters until they do.

Dodd’s comment on discussions around SOPA emphasizes this point.  A “deal” between Silicon Valley and Hollywood is almost guaranteed to fail.  The SOPA uprising was not just a protest against the text of the bill but a protest against backroom deals that ignore the interests of the biggest stakeholder involved – the public.  You can’t fix that with a backroom “deal” with Silicon Valley.

While “the Internet” does not wake often, it is paying attention to the SOPA issue.  Until the rightsholder lobby understands that it is not an industry v. industry fight they are going to continue to have serious problems with enforcement legislation.  The rightsholder lobby’s inability to understand the SOPA backlash is unfortunate.  There are productive things that could be done to protect content without trampling on the rights of Internet users but these solutions are not going to happen while rightsholders are viewing this as a Silicon Valley v. Hollywood battle.

Maybe a SOPA rehash supported by the tech industry would be a good thing.  It might be a good platform for the lesson that the public is an independent stakeholder that needs to be considered.  If Silicon Valley supports a bill but “the Internet” nonetheless rebels against it rightsholders may finally get the idea and we can get to working on productive solutions.


Didn’t We Just Dance This Number?

Posted by andy on April 6, 2012

Agitation is brewing once again over a proposed law on Capitol Hill that could affect millions of Internet users.  The Cyber Intelligence Sharing and Protection Act (CISPA), HR 3523, is designed to facilitate sharing between private entities and the government.  However, the bill has caused significant concern over ISPs sharing the private communications of their users with the NSA or DoD.

According to the EFF, the bill “effectively creates a ‘cybersecurity exemption’” to laws that restrict sharing private information with the government.  The CDT joins in, stating that the bill “permit[s] ISPs to funnel private communications and related information back to the government without adequate privacy protections and controls.  The bill does not specify which agencies ISPs could disclose customer data to, but the structure and incentives in the bill raise a very real possibility that the National Security Agency or the DOD’s Cybercommand would be the primary recipient.”

News of the bill is bubbling around the blogosphere, being tagged as the “new SOPA” or “son of SOPA” in many cases.  Major news media have not yet taken notice, but this is the first controversial technology bill since SOPA, so it seems likely that at some point the mainstream will pick up the story.


Groundswell of Opposition to Employer Social Network Disclosures

Posted by andy on April 6, 2012

After drawing extensive media attention, the practice of employers asking job candidates to divulge social networking passwords looks to be on its way out.  Congress has taken interest, Facebook has threatened litigation, and states have introduced bills to ban the practice.

While clearly destined to cause controversy, the prospect of digging into candidates’ profiles was too tempting to resist.  Personality tests and applications can only tell you so much about a candidate – who is certainly answering questions the way they think the employer wants them answered.  Seeing the “real” candidate is a potential gold mine for weeding out potentially problematic employees.

The question I have is why even mess with this?  Looking through a Facebook profile is almost never going to give any indication of whether an employee is reliable or not.  HR managers are not trained as sociologists or psychologists.  Any conclusions are basically pure speculation.  Plus, if the candidate happens to be in a protected class, you run into the problem of knowing that – potentially exposing yourself to discrimination liability.

And practically, are the employers really any different?  If they had their personal lives rummaged through how would they compare?  Yet the prospect of getting a “real” look at job candidates’ personalities and potential skeletons in their closet has proven too tempting.

Hopefully employers get the message and voluntarily stop the practice, but legislation seems likely in at least some states.  Unfortunately this might end up in a patchwork of laws similar to data breach notification laws, where 46 states have 46 similar but not identical laws that cause headaches for anyone trying to comply nationwide.


Facebook, Legislators Fight Back Against Employers Seeking Passwords

Posted by andy on March 28, 2012

It looks like both Facebook and legislators are taking notice of the increasing practice of asking job applicants for online passwords.

Senators Schumer and Blumenthal have asked for a DoJ investigation.  Facebook has also spoken out against the practice, going so far as to threaten legal action.  Illinois now has proposed legislation banning the practice.

If the recent responses are any indication, this practice may not be long for this world.


Follow up to Providing Passwords to Potential Employers

Posted by andy on March 22, 2012

Techdirt has an article today on a proposed law prohibiting companies from asking for login information (I haven’t read the text of the bill so not sure exactly what it prohibits). One

An “anonymous coward” commenter poses an interesting question:

Here’s the real question:
If I have my marital status, my religion, my age, or DoB listed on my Facebook page, and I give my login to an HR person screening me, could it be argued that because they did not have access to that information prior to employment, they in effect “asked” for it, which is a violation of discrimination laws as it relates to employment?

I don’t know whether or not asking for social media credentials actually violates discrimination laws.  If so it seems like an interesting argument to try.  Again – no idea if this would work (read: not legal advice) but a creative approach.

A “John Doe” follows up pointing out that many companies’ IT security policies prohibit sharing corporate user IDs with anyone (which from a non-legal security perspective should be universal).  Would the company be OK with someone else demanding your corporate credentials in exchange for something?  There are all sorts of “it’s different” arguments citing corporate secrets, duties of loyalty, personal info not being valuable, etc., but frankly none of them fly with me.

If it were the CIA or another very security-conscious organization this would be an interesting test of applicants.  If the applicant says absolutely not, perhaps that indicates the sort of security awareness and integrity you want.  If they give up secrets because they think it’s the “right” answer or might get them the job perhaps they are more vulnerable to bribery/extortion of secrets.  Hardly conclusive but I would not be surprised to see the strategy used.


The Social Media Password Dilemma

Posted by andy on March 21, 2012

A couple of weeks back, a Minnesota girl sued her school district for forcing her to divulge her Facebook password so the school could look at her private posts.  There are similar stories of job candidates, college applicants, and intercollegiate athletes being required to share their passwords so their accounts can be screened or monitored for disagreeable content.

The wrinkle in all this that doesn’t seem to get much press is that sharing your password with anyone is a violation of Section 4.8 of Facebook’s terms of service.  Many other social networks have similar provisions.

At this point, most people are probably just relenting because it just isn’t worth risking losing a job opportunity or athletic scholarship.  There is a natural imbalance of power at work that creates pressure to not fight the authoritative request.

The practical implications of this sort of breach of contract are probably minimal.  The worst Facebook would do is terminate your account, something they have little incentive to do given all the money you make them as a user.  However, given the Lori Drew case, there is at least the potential for severe consequences.  (tl;dr the Lori Drew argument was that by breaking the terms of service the user loses authorization to access the service and as such is hacking – it didn’t work but the argument will probably be used again)

It seems like a valid response to refuse to provide your password on the grounds that doing so would necessitate breaching a contract.  I’d like to see (and will try and look up if I have some time) whether you can be forced to break a contract in order to get a job/play a sport/get into college/etc…  Perhaps the argument is really that you can’t get punished for refusing to break a legally binding contract.  Is there a difference if it is a government request (1A/4A/14A considerations)?


Hyperbolic Rhetoric on Cybersecurity Legislation

Posted by andy on March 17, 2012

Per my last post assessing whether or not cybersecurity legislation has any chance of solving all of the problems that are being cited in support of the bills (hint – it doesn’t), the Hillicon Valley blog has this:

“Think about how many people could die if a cyber terrorist attacked our air traffic control system and planes slammed into one another,” Sen. Jay Rockefeller (D-W. Va.) testified at a Homeland Security and Government Affairs Committee hearing last month. “Or if rail-switching networks were hacked — causing trains carrying people, or hazardous materials — to derail and collide in the midst of some of our most populated urban areas, like Chicago, New York, San Francisco or Washington.”


But does it work?

Posted by andy on March 14, 2012

Still on the cybersecurity legislation kick.  One big issue I have with the rhetoric surrounding both of the Senate bills (S.2105 and S.2151) is that it is highly unlikely that either one of them will do much to prevent the catastrophic doom their supporters are predicting in support of passing cybersecurity legislation.

For example, the testimony at the Senate hearing on S.2105 (Cybersecurity Act of 2012) saw repeated warnings of catastrophic potential harm if we don’t act now.  Commerce Secretary John Dyson wrote a recent op-ed in Politico playing up the threat of corporate espionage to support the passage of “cybersecurity reform.”  But let’s take a quick look at what the bill does to see if it could actually stop the corporate espionage, cyber warfare capabilities, and other hacks that are all about to bring down the country.

The Cybersecurity Act basically sets minimum “performance requirements” for critical infrastructure owners and creates some educational and awareness programs around cybersecurity.  The regulatory regime is based around third party annual assessments testing compliance with applicable sector-specific performance requirements.


Quick cost of a fill up calculation

Posted by andy on March 9, 2012

Listening to NPR cover the Republican presidential candidates talking about getting back to $2.50/gal gas, and President Obama saying that isn’t going to happen, I wondered about the cost of an all-electric tank of gas.

This all depends on developing battery technology that would support long-range driving and improvement in recharge times (or some sort of battery pack swap out system) – the Chevy Volt has an EPA estimated range of 35 miles electric-only and the Tesla Roadster claims over 200, but some question that assertion.

So, assuming technology works out the kinks of range and recharge, how much would it cost to “fill up” an electric car to drive 350 miles (guesstimate at average range of gas-powered cars)?  At current rates, electricity runs consumers somewhere around $.10/kWh.  The Chevy Volt range estimates are based on a 36 kWh/100 miles calculation and the soon-to-be-released Tesla S hovers around 25.

Using the less generous Volt calculations, it takes about 126 kWh to go 350 miles.  At $.10/kWh, that would be about $12.60 in electricity to fill your tank.  It would take almost 12 gallons for a 30mpg car to go the same distance.  At a generous $3.50/gal, that is about $42.00 for a gas car to go the same distance.

When you add in that electric cars don’t need spark plugs, hoses, belts, oil changes, or muffler work, the maintenance costs should be considerably less (or at least less frequent) over the lifetime of an electric vehicle.

So why aren’t we putting our full weight behind converting to an all-electric fleet of cars in the US rather than arguing over whether and where we need to drill and who can keep gas prices lowest?  It will probably take a good 20 years to fully convert, but it seems like a no-brainer.  The sooner we start, the sooner we get there and get to stop worrying about gas prices.
