114 posts categorized "Legislation" Feed

FCC Announced Approval ot LTE-U Mobile Devices

On Wednesday, the Office of Engineering and Technology (OET) within the U.S. Federal Communications announced the authorization of unlicensed wireless (a/k/a LTE-U) devices to operate in the 5 GHz band:

"This action follows a collaborative industry process to ensure LTE-U with Wi-Fi and other unlicensed devices operating in the 5 GHz band. The Commission’s provisions for unlicensed devices are designed to prevent harmful interference to radio communications services and stipulate that these devices must accept any harmful interference they receive. Industry has developed various standards within the framework of these rules such as Wi-Fi, Bluetooth and Zigbee that are designed to coexist in shared spectrum. These and other unlicensed technologies have been deployed extensively and are used by consumers and industry for a wide variety of applications.

LTE-U is a specification that was developed and supported by a group of companies within the LTE-U Forum... The LTE-U devices that were certified today have been tested to show they meet all of the FCC’s rules. We understand that the LTE-U devices were evaluated successfully under the co-existence test plan. However, this is not an FCC requirement and similar to conformity testing for private sector standards the co-existence test results are not included in the FCC’s equipment certification records."

ComputerWorld explained in 2015 the strain on existing wireless capabilities and why several technology companies pursued the technology:

"According to the wireless providers and Qualcomm, the technology will make use of the existing unlicensed spectrum most commonly used for Wi-Fi. LTE-U is designed to deliver a similar capability as Wi-Fi, namely short-range connectivity to mobile devices.

As billions of mobile devices and Web video continue to strain wireless networks and existing spectrum allocations, the mobile ecosphere is looking for good sources of spectrum. The crunch is significant, and tangible solutions take a long time to develop... as former FCC Chairman Julius Genachowski and FCC Commissioner Robert McDowell recently remarked, “mobile data traffic in the U.S. will grow sevenfold between 2014 and 2019” while “wearable and connected devices in the U.S. will double” in that same period."

Some cable companies, such as Comcast, opposed LTE-U based upon concerns about the technology conflicting with existing home WiFi. According to Computerworld:

"In real-world tests so far, LTE-U delivers better performance than Wi-Fi, doesn’t degrade nearby Wi-Fi performance and may in fact improve the performance of nearby Wi-Fi networks."

Reportedly, in August 2016 Verizon viewed the testing as "fundamentally unfair and biased." Ajit Pai, the new FCC Chairman, said in a statement on Wednesday:

"LTE-U allows wireless providers to deliver mobile data traffic using unlicensed spectrum while sharing the road, so to speak, with Wi-Fi. The excellent staff of the FCC’s Office of Engineering and Technology has certified that the LTE-U devices being approved today are in compliance with FCC rules. And voluntary industry testing has demonstrated that both these devices and Wi-Fi operations can co-exist in the 5 GHz band. This heralds a technical breakthrough in the many shared uses of this spectrum.

This is a great deal for wireless consumers, too. It means they get to enjoy the best of both worlds: a more robust, seamless experience when their devices are using cellular networks and the continued enjoyment of Wi-Fi, one of the most creative uses of spectrum in history..."


GOP Legislation In Congress To Revoke Consumer Privacy And Protections

Logo for Republican Party, also known as the GOP The MediaPost Policy Blog reported:

"Republican Senator Jeff Flake, who opposes the Federal Communications Commission's broadband privacy rules, says he's readying a resolution to rescind them, Politico reports. Flake's confirmation to Politico comes days after Rep. Marsha Blackburn (R-Tennessee), the head of the House Communications Subcommittee, said she intends to work with the Senate to revoke the privacy regulations."

Blackburn's name is familiar. She was a key part of the GOP effort in 2014 to keep state laws in place to limit broadband competition by preventing citizens from forming local broadband providers. To get both higher speeds and lower prices compared to offerings by corporate internet service providers (ISPs), many people want to form local broadband providers. They can't because 20 states have laws preventing broadband competition. A worldwide study in 2014 found the consumers in the United States get poor broadband value: pay more and get slower speeds. Plus, the only consumers getting good value were community broadband customers. In June 2014, the FCC announced plans to challenge these restrictive state laws that limit competition, and keep your Internet prices high. That FCC effort failed. To encourage competition and lower prices, several Democratic representatives introduced the Community Broadband Act in 2015.That legislation went nowhere in a GOP-controlled Congress.

Pause for a moment and let that sink in. Blackburn and other GOP representatives have pursued policies where we consumers all pay more for broadband due to the lack of competition. The GOP, a party that supposedly dislikes regulation and prefers free-market competition, is happy to do the opposite to help their corporate donors. The GOP, a party that historically has promoted states' rights, now uses state laws to restrict the freedoms of constituents at the city, town, and local levels. And, that includes rural constituents.

Too many GOP voters seem oblivious to this. Why Democrats failed to capitalize on this broadband issue, especially during the Presidential campaign last year, is puzzling. Everyone needs broadband: work, play, school, travel, entertainment.

Now, back to the effort to revoke the FCC's broadband privacy rules. Several cable, telecommunications, and advertising lobbies sent a letter in January asking Congress to remove the broadband privacy rules. That letter said in part:

"... in adopting new broadband privacy rules late last year, the Federal Communications Commission (“FCC”) took action that jeopardizes the vibrancy and success of the internet and the innovations the internet has and should continue to offer. While the FCC’s Order applies only to Internet Service Providers (“ISPs”), the onerous and unnecessary rules it adopted establish a very harmful precedent for the entire internet ecosystem. We therefore urge Congress to enact a resolution of disapproval pursuant to the Congressional Review Act (“CRA”) vitiating the Order."

The new privacy rules by the FCC require broadband providers (a/k/a ISPs) to obtain affirmative “opt-in” consent from consumers before using and sharing consumers' sensitive information; specify the types of information that are sensitive (e.g., geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications); stop using and sharing information about consumers that have opted out of information sharing; meet transparency requirements to clearly notify customers about the information collection sharing and how to change their opt-in or opt-out preferences, prohibit "take-it-or-leave-it" offers where ISPs can refuse to serve customers who don't consent to the information collection and sharing; and comply with "reasonable data security practices and guidelines" to protect the sensitive information collected and shared.

The new FCC privacy rules are common sense stuff, but clearly these companies view common-sense methods as a burden. They want to use consumers' information however they please without limits, and without consideration for consumers' desire to control their own personal information. And, GOP representatives in Congress are happy to oblige these companies in this abuse.

Alarmingly, there is more. Lots more.

The GOP-led Congress also seeks to roll back consumer protections in banking and financial services. According to Consumer Reports, the issue arose earlier this month in:

"... a memo by House Financial Services Committee Chairman Rep. Jeb Hensarling (R-Tex), which was leaked to the press yesterday... The fate of the database was first mentioned [February 9th] when Bloomberg reported on a memo by Hensarling, an outspoken critic of the CFPB. The memo outlined a new version of the Financial CHOICE Act (Creating Hope and Opportunity for Investors, Consumers and Entrepreneurs), a bill originally advanced by the House Financial Services Committee in September. The new bill would lead to the repeal of the Consumer Complaint Database. It would also eliminate the CFPB's authority to punish unfair, deceptive or abusive practices among banks and other lenders, and it would allow the President to handpick—and fire—the bureau's director at will."

Banks have paid billions in fines to resolve a variety of allegations and complaints about wrongdoing. Consumers have often been abused by banks. You may remember the massive $185 million fine for the phony accounts scandal at Wells Fargo. Or, you may remember consumers forced to use prison-release cards. Or, maybe you experienced debt collection scams. And, this blog has covered extensively much of the great work by the CFPB which has helped consumers.

Does these two legislation items bother you? I sincerely hope that they do bother you. Contact your elected officials today and demand that they support the FCC privacy rules.


The State of Massachusetts Data Breach Archive Is Available Online

The Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) announced the public availability online of its data breach notification archive. To comply with Massachusetts state laws enacted in 2007, companies and entities must notify both the OCABR and the Attorney General's Office anytime personal information is accidentally or intentionally compromised.

Consumer Affairs Undersecretary John Chapman stated:

“The Data Breach Notification Archive is a public record that the public and media have every right to view... Making it easily accessible by putting it online is not only in keeping with the guidelines suggested in the new Public Records law, but also with Governor Baker’s commitment to greater transparency throughout the Executive Office.”

The OCABR breach archive includes a tabular listing of data breaches in Adobe PDF format. Each listing includes the following data elements: date the breach was reported, organization name, breach type, number of residents affected, types of sensitive personal data (e.g., Social Security Number, account number, driver's license identifier, credit card number) exposed or stolen, whether the organization offered free credit monitoring to affected residents, if the data was encrypted, and if the breach included mobile devices. The archive does not include the full text of the breach notification letters received. The breach archive also includes summary information:

Breaches and Residents Affected By Year
Year # Notifications # Affected Residents
2007 (Nov to Dec) 30 8,499
2008 413 700,918
2009 437 357,869
2010 473 1,015,693
2011 614 1,163,917
2012 1,139 326,411
2013 1,829 1,163,643
2014 1,603 354,130
2015 1,834 1,338,048
2016 1,866 188,809
Total 10,238 5,454,294

According to the Census Bureau, Massachusetts' population was just under 6.8 million in 2015. So, the total number of affected residents equals about 80 percent of the state's population.

Nebraska, Nevada, Rhode Island, and Tennessee recently strengthened their breach laws with expanded definitions, encryption, requirements to notify the state's attorney general, and requirements to notify affected persons within forty-five (45) days. While most states -- 46 have some type of breach laws, some (California, Indiana, Iowa, Maryland, Montana, New Hampshire, Oregon, Vermont, Washington, Wisconsin) post online breach notices they have received.

Some states' sites provide their breach archives using static Adobe PDF file formats. The better-designed sites make it easy for residents to search and view information about specific breach incidents. these sites feature interactive search mechanisms that allow users to enter the name of company or state agency, date range filters, and file download options compatible with spreadsheet software. Some states -- California, South Carolina, and Washington -- produce detailed breach reports explaining the breaches by industry, type, and cause.

Without the full text, interactive search, and filter mechanisms, the OCABR breach archive is a marginally helpful resource. Consumers can still use it to verify the breach notices they have received via postal mail, since identity thieves often send fake breach notices trying to trick consumers into revealing their sensitive personal information. Using the OCABR breach archive is slow and awkward, since users must download each PDF file and perform a text search for an organization with each file. Plus, the archive lacks both street address and company business unit information, making it impossible for users to distinguish between entries with the same organization name.

Basically, something is better than nothing.

What are your opinions of the breach archive by Massachusetts? If I missed any states that provide beach notices online, please share below.


Disenfranchised By Bad Design

[Editor's Note: Today's guest post was originally published by ProPublica on October 20, 2016. It is reprinted with permission. Some towns, municipalities, and cities -- such as Boston -- use paper ballots that are scanned. (This facilitates recounts, when needed.) The city provides AutoMARK machines at polling locations to help voters requiring assistance. The machines use audio cues, magnification, and several languages to mark ballots correctly, especially for low-vision and disabled voters. Inquire about this automation or other assistance when you vote.]

by Lena Groeger, ProPublica

This November 8, even if you manage to be registered in time and have the right identification, there is something else that could stop you from exercising your right to vote.

The ballot. Specifically, the ballot's design.

Bad ballot design gained national attention almost 16 years ago when Americans became unwilling experts in butterflies and chads. The now-infamous Palm Beach County butterfly ballot, which interlaced candidate names along a central column of punch holes, was so confusing that many voters accidentally voted for Patrick Buchanan instead of Al Gore.

Pal Beach Country butterfly ballot
Palm Beach county’s infamous butterfly ballot. (Wikimedia Commons)

We've made some progress since then, but we still likely lose hundreds of thousands of votes every election year due to poor ballot design and instructions. In 2008 and 2010 alone, almost half a million people did not have their votes counted due to mistakes filling out the ballot. Bad ballot design also contributes to long lines on election day. And the effects are not the same for all people: the disenfranchised are disproportionately poor, minority, elderly and disabled.

In the predominantly African American city of East St. Louis, the race for United States senator in 2008 was missing a header that specified the type or level of government (Federal, Congressional, Legislative, etc). Almost 10 percent of East St. Louis voters did not have their vote counted for U.S. Senate, compared to the state average of 4.4 percent. Merely adding a header could have solved the problem. Below you can see the original ballot and the Brennan Center redesign.

Brennan Center ballot redesign
Before: no header for the Senate race, after: consistent headers for all contests. (Brennan Center, Better Design Better Elections)

"When we design things in a way that doesn't work for all voters, we degrade the quality of democracy," said Whitney Quesenbery, a ballot expert and co-director of the Center for Civic Design, an organization that uses design to ensure voters vote the way they want to on Election Day.

Many mistakes can be avoided with tiny tweaks
Designer Marcia Lausen, who directs the School of Design at the University of Illinois at Chicago, wrote a whole book about how democracy can be improved with design. She even tackles the infamous butterfly ballot. The 2000 Chicago Cook County judicial retention ballot crammed 73 candidates into 10 pages of a butterfly layout punch card ballot, with punch holes packed much more tightly together than in previous elections. As in Palm Beach, Yes/No votes for the candidates on the left page were confusingly interlaced with Yes/No votes for the right page.

Lausen's proposed redesign eliminates the interlaced Yes/No votes, introduces a more legible typeface, uses shading and outlines to connect names and Yes/No's with the appropriate punch holes, and removes redundant language.

Democracy For Action butterfly ballot image

Democracy For Action butterfly ballot after redesign image
Before and after butterfly ballots. (Design for Democracy)

In the 2002 midterm election in Illinois' Hamilton County, each column of candidate names was next to a series of incomplete arrows. Voters were supposed to indicate their choice of candidate by completing the arrow on the left of the candidate name. But because we read left to right and the candidate names in two races lined up perfectly, many voters marked the arrow to the right. As presented in a Brennan Center analysis, setting the columns a bit further apart and adding borders would have cleared up this confusion:

Suggested redesign of Illinois' Hamilton County ballot
  Illinois’ Hamilton county confusing ballot, and suggested redesign. (Brennan Center)

In Minnesota in 2008, Al Franken beat Norm Coleman for the U.S. Senate seat by a sliver, less than 300 votes. In that race, almost 4,000 absentee ballots were not counted because the envelope was not signed. The Minnesota Secretary of State's office decided to redesign the mailing envelope. After a series of usability tests, they added a big X to mark where people should sign. In the following election in 2010, the rate of missing signatures dropped to 837.

Minnesota's mailing envelope is a good example of how designers can solve design problems well before any election actually happens 2014 by testing those ballots beforehand.

"Test and test and test," recommends Don Norman, a designer and cognitive scientist who wrote the the book on designing objects for everyday life. The most important aspect of ballot design, he says, is considering the needs of the voters. He suggests doing extensive testing of ballots on a sample of people, which should include those who are "blind, deaf, or people with physical disabilities as well as people with language difficulties."

Bad instructions are a design problem, too
Beyond layout and ordering, the unanimous winner for worst part of ballot design? Instructions.

"The instructions are uniformly horrible!" said usability expert Dana Chisnell, who co-directs the Center for Civic Design with Quesenbery. Confusing jargon, run-on sentences, old-fashioned language left over from 100 years ago: all of these plague ballots across the country. Here are a few example instructions (the first from Kansas, the second from Ohio) along with the Brennan Center's redesign:

Brennan Center suggested redesign of Kansas ballot instructions
(Brennan Center, Better Ballots)

Brennan Center suggested redesign of Ohio ballot instructions
(Brennan Center, Better Ballots)

Even if the instructions are clear, placement of instructions has a huge effect on whether people understand them. In usability tests conducted in Florida's Sarasota and Duval counties in 2008, the majority of participants got to the end of the ballot and stopped. Which was a problem, because the ballot continued on the other side. Despite instructions specifically telling people to vote both sides of the ballot, they didn't.

Designers have already put together guidelines for making better ballots
Luckily, there are resources for how to help avoid these predictable problems. In addition to Lausen's book, the Design for Democracy initiative has worked for years at applying design principles to improve elections. A few years ago the design association AIGA combined forces with Whitney Quesenbery and Dana Chisnell to condense their best practices into a set of handy field guides.

The ballot-specific guide, Designing Usable Ballots, has this advice:

  1. Use lowercase letters.
  2. Avoid centered type.
  3. Use big enough type.
  4. Pick one sans-serif font.
  5. Support process and navigation.
  6. Use clear, simple language.
  7. Use accurate instructional illustrations.
  8. Use informational icons (only).
  9. Use contrast and color to support meaning.
  10. Show what’s most important.

For the designers, these recommendations may seem obvious. But election officials 2014 the ones responsible for laying out a ballot 2014 are not designers.

Sometimes, reality thwarts good design
Even if officials wanted to follow every design best practice, they probably wouldn't be able to.

That's because ballots are as complicated as the elections they represent. Elections in the U.S. are determined at the local level, and so each ballot must be uniquely crafted to its own jurisdiction. Ballots must combine federal, state, and local contests, display measures and propositions, and sometime require voters to express their choices in various formats 2014 for example ranking their choices versus selecting one candidate for the job.

"There will always be special circumstances that present new problems for ballot design," said David Kimball, a political science professor at the University of Missouri-St. Louis who has written extensively on voting behavior and ballot design.

Take what happened this summer in California's Senate race primary. A record number of 34 candidates were running to replace incumbent Democrat Barbara Boxer, and the ballot needed to fit them all. In many counties, elections officials simply couldn't follow the good design recommendation of "Put all candidate names in one column."

To make matters worse, bad design is written right into the law
Election officials are often constricted in what they can and can't do by specific language in their local election code. More often than not, the law is to blame for bad design.

For example, numerous jurisdictions require that candidate names and titles be written in capital letters. This goes against huge amounts of evidence that lowercase letters are easier to read. Other requirements like setting a specific font size, making sections bold or center-aligning headers make it next to impossible to follow all the design best practices.

Image of Illinois Election Code
Illinois Election Code used to require candidate names to be printed in capital letters. (Statutes of the State of Illinois)

Some election code requirements just seem to invite clutter. In Kansas, a candidate's hometown must be listed under their name. In California, the candidate's occupation. Designers argue that this additional text complicates the ballot with needless information, but they can't get rid of it without breaking the law.

"It's amazing how many design prescriptions are written into law by non-designers," said designer Drew Davies, who has worked with numerous jurisdictions to improve their ballots and voting materials and is design director of AIGA's Design for Democracy.

Some of those prescriptions border on the comical. In New York, election law requires that each candidate name must be preceded by "the image of a closed fist with index finger extended pointing to the party or independent row." Here's how that actually looks on real New York ballots:

[insert ny closed fist image]

In design, everything matters 2014 even the order of the candidate names
Some design problems are not as obvious as a pointing finger. Take something as simple as the order of the candidates' names. There is a well known advantage for being listed first on the ballot. The "primacy effect" can significantly sway elections, especially in smaller races not widely covered in the media where there is no incumbent. One study of the 1998 Democratic primary in New York found that in seven races the advantage from being listed first was bigger than the margin of victory. In other words, if the runner-up candidates in those races had been listed first on the ballot, they likely would have won.

As one report puts it, "a non-negligible portion of local governmental policies are likely being set by individuals elected only because of their ballot position." To combat this unconscious bias, some states have already mandated that names are randomly ordered on the ballot. Still, many states and jurisdictions do not have a standard system for organizing these names.

The future will bring new design challenges --but also new ways to make voting more accessible
As more and more states adopt absentee and vote-by-mail systems, they make voting more accessible and convenient 2014 but they also introduce new ways of making mistakes. And those errors are only caught after the ballot has been mailed in, too late to change. A polling place acts as a fail-safe, giving you the opportunity to ask a poll worker for help or letting you fill out a new ballot if yours gets rejected by the voting machine. But on an absentee ballot, if you made a mistake and your vote isn't counted, you'll never know.

There are several current efforts to overhaul the ballot entirely. Los Angeles County, for example, has teamed up with the design company IDEO to create an easier and more accessible way to vote. Their customizable device would let people fill out a sample ballot on their own time from a computer or mobile device, and then scan a code at the polling place to automatically transfer their choices to a real ballot.

The Anywhere Ballot is another open-source project that's designed to create a better voting experience for everyone 2014 including voters with low literacy or mild cognitive issues. Their digital ballot template, which came out of extensive user testing and follows all the current ballot design best practices, lets anyone use their own electronic device to mark a ballot.

But of course, the design problems that plague ballots affect all aspects of the voting process.

Voter registration materials, mailed voter guides and education booklets, election department websites and online instructions, poll worker materials 2014 all of these have problems that can be improved with better design.

"Ballots are where all the drama happens," said designer Lausen, "but there is much more to election design."

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Proposed Legislation in Michigan For Driverless Cars

The Stanford Center For Internet & Society (CIS) analyzed several draft driverless-car bills under consideration by legislators in Michigan. The analysis highlighted the issues and inconsistencies by the proposed legislation. First, the good news. While SB 995 repeals existing laws that ban driverless cars, it:

"... would return Michigan law to flexible ambiguity on the question of the legality of automated driving in general. The bill probably goes even further by expressly authorizing automated driving: It provides that "[a]n automated motor vehicle may be operated on a street or highway on this state," and the summary of the bill as reported from committee similarly concludes that SB 995 would "[a]llow an automated motor vehicle to be operated on a street or highway in Michigan." (This provision is somewhat confusing because it would be added to an existing statutory section that currently addresses only research and testing and because it would seem to subvert many restrictions on research tests and "on-demand automated motor vehicle networks.") Regardless, this bill would also exempt groups of closely spaced and tightly coordinated vehicles from certain following-distance requirements that are incompatible with platooning."

Platooning is a method for several driverless vehicles to operate together on highways with less space in between, than otherwise. Advocates claim this maximizes the capacity of highways. What does this mean for safety? Do consumers want platooning? Can drivers opt out? If platooning is allowed, then the driverless vehicle you ultimately buy must be outfitted with that software feature.

The drawbacks of the draft legislation:

"... The currently proposed language could mean that automated driving is lawful only in the context of research and development and "on-demand motor vehicle networks." Or it could mean that automated driving is lawful generally and that these networks are subject to more restrictive requirements. It could mean that any company could run a driverless taxi service, including motor vehicle manufacturers that might otherwise face unrelated and unspecified legal impediments. Or it could mean that a company seeking to run a driverless taxi service must partner with a motor vehicle manufacturer -- or that such a company must at least purchase production vehicles, the modification of which might then be restricted by SB 927 and 928 (see below). It could also mean that municipalities could regulate and tax only those driverless taxi services that do not involve a manufacturer..."

And:

"... SB 995 and 996 understandably struggle to reconcile an existing vehicle code with automated driving. Under existing Michigan law, a "driver" is "every person who drives or is in actual physical control of a vehicle," an "operator" is "a person, other than a chauffeur, who "[o]perates" either "a motor vehicle" or "an automated motor vehicle," and "operate" means either "[b]eing in actual physical control of a vehicle" or "[c]ausing an automated motor vehicle to move under its own power in automatic mode," which "includes engaging the automated technology of that automated motor vehicle for that purpose." The new bills would not change this language, but they would further complicate these concepts in several ways..."

I encourage you to read the long list of complications in the CIS analysis. Another key issue:

"Consider the provision that "an automated driving system ... shall be considered the driver or operator ... for purposes of determining conformance to any applicable traffic or motor vehicle laws." This provision says nothing about who or what the driver is for purposes of determining liability for a violation of those laws, particularly when there is no crash. SB 996 does provide that "a motor vehicle manufacturer shall assume liability for each incident in which the automated driving system is at fault," subject to the state's existing insurance code..."

The proposed legislation is important for several reasons. Besides platooning and the list of complications, it decides: a) which types of companies can operate driverless-car networks, b) who is liable and under what conditions, and c) who can repair driverless cars. All items affect consumers rights. A narrow definition of "A" (e.g., only automakers) would mean fewer competitors, and probably higher prices due to a lack of competition. Similarly, a narrow definition of "C" could mean fewer options and choices for consumers, with higher repair prices. Liability must be clear for instances when a driverless vehicle violates road laws; and especially when there is a crash and/or fatality.

Consistency and clarity matter, too. The final legislation and definitions also should be forward-thinking. It's not just driverless vehicles but also remotely-operated vehicles. Companies want remotely-operated ships on the oceans, and remotely-operated trucks are already used off-road for mining purposes. It seems wise to anticipate that off-road use will probably migrate to roads and highways.

Clearly, the proposed legislation in Michigan is not ready yet for prime time. This topic definitely bears monitoring.


4 States Strengthen Their Breach Notification Laws

The National Law Review summarized breach notification laws strengthened in four states: Nebraska, Nevada, Rhode Island, and Tennessee. The stronger laws include several changes: expanded definitions, encryption, requirements to notify the state's attorney general, and requirements to notify affected persons within forty-five (45) days.

Several states expanded their definitions of "personal information" to better protect consumers:

"Nevada now includes in its definition of “personal information” a medical identification number, a health insurance identification number, and a user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that permits access to an online account. Similarly, Rhode Island now counts as “personal information” any medical information, health insurance information, and an email address in combination with any required security code, access code or password that allows access to an individual’s personal, medical, insurance or financial account..."

Some of the expanded definitions made by Tennessee:

"Tennessee broadened its definition of “unauthorized persons” to include an employee of a covered entity who is discovered to have obtained personal information and intentionally used it for an unlawful purpose. Tennessee also removed the word “unencrypted” from its definition of “Breach of the security system” in order to ensure that partial encryption of compromised personal information does not evade the statute."

Read the rest of the changes in the National Law Review article.


FDA Releases Guidelines For Apps And Wearables For Fitness And Health

The U.S. Food and Drug Administration (FDA) released guidelines about mobile apps and wearable devices for health and fitness (Adobe PDF). The guidelines document stated that it is for clarity for industry and FDA staff, and include "nonbinding recommendations." The federal agency will not regulate mobile apps and wearables that promote general wellness or a healthy lifestyle, and are classified as "low risk." The guidelines do not apply to products (e.g., drugs, biologics, dietary supplements, foods, or cosmetics) regulated by other FDA Centers or to combination products.

The FDA's Center For Devices and Radiological Health (CDRH) defines general wellness products as:

"... products that meet the following two factors: (1) are intended for only general wellness use, as defined in this guidance, and (2) present a low risk to the safety of users and other persons. General wellness products may include exercise equipment, audio recordings, video games, software programs4 and other products that are commonly, though not exclusively, available from retail establishments (including online retailers and distributors that offer software to be directly downloaded), when consistent with the two factors above."

The guidelines provide further definitions:

"A general wellness product, for the purposes of this guidance, has (1) an intended use that relates to maintaining or encouraging a general state of health or a healthy activity, or (2) an intended use that relates the role of healthy lifestyle with helping to reduce the risk or impact of certain chronic diseases or conditions and where it is well understood and accepted that healthy lifestyle choices may play an important role in health outcomes for the disease or condition. If the product’s intended uses are not limited to the above general wellness intended uses, this guidance does not apply."

The guidelines provide a list of general wellness health outcomes: weight management, physical fitness (including recreational uses), relaxation or stress management, mental acuity, self-esteem, sleep management, and sexual function.

Typically, regulation is used to ensure that products actually do what their manufacturers and developers claim to do. The guidelines specified which claims are general wellness (e.g., the FDA will not regulate) and which claims are not (e.g., the FDA will continue to regulate). General wellness claims include claims to:

  1. Promote or maintain a healthy weight, encourage healthy eating, or assist
    with weight loss goals;
  2. Promote relaxation or manage stress;
  3. Increase, improve, or enhance the flow of qi “energy;”
  4. Improve mental acuity, instruction following, concentration, problem solving, multitasking, resource management, decision-making, pattern recognition or eye-hand coordination;
  5. Enhance learning capacity;
  6. Promote physical fitness (e.g., log, track, or trend exercise activity, measure aerobic fitness, develop or improve endurance, strength or coordination;
  7. Promote sleep management (e.g., track sleep trends);
  8. Promote self-esteem
  9. Address a specific body structure or function (e.g., increase or improve muscle size or body tone, enhance or improve sexual performance);
  10. Improve general mobility; and
  11. Enhance participation in recreational activities by monitoring the consequences (e.g., heart rate).

Some claims are categorized as "disease related." The new FDA guidelines list disease-related general wellness claims and how companies should reference those claims in product packaging and advertisements:

"A claim that a product will treat or diagnose obesity; a claim that a product will treat an eating disorder, such as anorexia; a claim that a product helps treat an anxiety disorder; a claim that a computer game will diagnose or treat autism; a claim that a product will treat muscle atrophy or erectile dysfunction; a claim to restore a structure or function impaired due to a disease or condition, e.g., a claim that a prosthetic device enables amputees to walk... disease-related general wellness claims should only be based on references where it is well understood that healthy lifestyle choices may reduce the risk or impact of a chronic disease or medical condition..."

Since the new FDA guidelines apply only to products categorized as "low risk," it is important to understand that definition:

"If the answer to any of the following questions is YES, the product is not low risk and is not covered by this guidance: 1) Is the product invasive? 2) Is the product implanted? 3) Does the product involve an intervention or technology that may pose a risk to the safety of users and other persons if specific regulatory controls are not applied, such as risks from lasers or radiation exposure? In assessing whether a product is low risk for purposes of this guidance, FDA recommends that you also consider whether CDRH actively regulates products of the same type as the product in question. For example, CDRH actively regulates external penile rigidity devices, which are devices intended to create or maintain sufficient penile rigidity for sexual intercourse, under 21 CFR 876.5020 as class II devices exempt from premarket notification with special controls..."

The guidelines listed examples of products that are low risk and those which are not. Products that are not low risk:

"Sunlamp products promoted for tanning purposes, due to risks to a user’s safety from the ultraviolet radiation, including, without limitation, an increased risk of skin cancer.

Implants promoted for improved self-image or enhanced sexual function. Implants pose risks to users such as rupture or adverse reaction to implant materials and risks associated with the implantation procedure.

A laser product that claims to improve confidence in user’s appearance by rejuvenating the skin. Although the claims of rejuvenating the skin and improving confidence in user’s appearance are general wellness claims, laser technology presents risks of skin and eye burns.

A neuro-stimulation product that claims to improve memory, due to the risks to a user’s safety from electrical stimulation.

A product that claims to enhance a user’s athletic performance by providing suggestions based on the results of relative lactic acid testing, when the product uses venipuncture to obtain the blood samples needed for testing. Such a product is not low risk because it is invasive (e.g., obtains blood samples by piercing the skin) and also because the product involves an intervention that may pose a risk to the safety of the user and other persons if specific regulatory controls are not applied (e.g., venipuncture may pose a risk of infection transmission)."

Companies and individuals can submit feedback to the FDA about these guidelines. See the guidelines document for instructions for submitting feedback. Fierce Healthcare reported:

"Epstein Becker Green health attorney Brad Thompson, who had previously commented to FierceHealthIT on the draft guidance, said in an email the final version "strikes the right balance between regulation and innovation... Over the intervening year and a half, I have talked to a lot of developers of wearable technologies and associated mobile apps and have used the draft guidance as a roadmap for how to assess FDA jurisdiction. I have found it to be extremely practical..."

A copy of the guidance document is also available here (Adobe PDF). What guidance or clarity does it provide for consumers? I guess not much regarding low risk apps and wearables. Consumers are on their own, so shop wisely and carefully. Whenever I read a document that describes itself as "nonbinding recommendations," that is worrisome.


Senate Narrowly Rejected Bill To Expand Government Surveillance

While consumers may have been distracted with votes in the U.S. Senate about gun reform or the sit-in within the U.S. House, a key vote also happened last week regarding government surveillance. The U.S. Senate narrowly voted down a bill to grant expanded surveillance powers to the Federal Bureau of Investigation.

According to Reuters, the legislation sought to:

"... broaden the type of telephone and internet records the FBI could request from companies such as the Google unit of Alphabet Inc and Verizon Communications Inc without a warrant... filed as an amendment to a criminal justice funding bill, would widen the FBI’s authority to use so-called National Security Letters, which do not require a warrant and whose very existence is usually a secret. Such letters can compel a company to hand over a user's phone billing records. Under the Senate's change, the FBI would be able to demand electronic communications transaction records such as time stamps of emails and the emails' senders and recipients, in addition to some information about websites a person visits and social media log-in data. It would not enable the FBI to use national security letters to obtain the actual content of electronic communications."

Perhaps, more importantly the bill would have made:

"... permanent a provision of the USA Patriot Act that lets the intelligence community conduct surveillance on “lone wolf” suspects who do not have confirmed ties to a foreign terrorist group. That provision, which the Justice Department said last year had never been used, expires in December 2019."

Senate Amendment 4787 was introduced by Senators John McCain and Richard Burr. It failed by two votes: 58-38. Before the vote on Wednesday, Senator Ron Wyden (Dem.-Oregon) had warned:

"If this proposal passes, FBI agents will be able to demand the records of what websites you look at online, who you email and chat with, and your text message logs, with no judicial oversight whatsoever. The reality is the FBI already has the power to demand these electronic records with a court order under the Patriot Act. In emergencies the FBI can even obtain the records right away and go to a judge after the fact. This isn’t about giving law-enforcement new tools, it’s about the FBI not wanting to do paperwork.”

Yep. That rejected bill sounds like an erosion of privacy rights. Senate Majority Leader Mitch McConnell (Rep.-Kentucky) has already filed a motion to reconsider the amendment.


U.S. Chamber of Commerce Opposes Proposed FCC Broadband Privacy Rules

U.S. Chamber of Commerce logo Some companies don't want consumers to have privacy when using high-speed Internet services. Just before the long Memorial Day holiday weekend, the U.S. Chamber of Commerce (USCOC) submitted comments about the broadband privacy rules proposed by the U.S. Federal Communications Commission (FCC) in April. Portions of the USCOC's comments to the FCC:

"... the Chamber opposes the proposed broadband privacy rule because it is unnecessary, exceeds statutory authority, furthers a regulatory digital divide between edge and telecommunications providers, and threatens innovation by stifling the already thriving Internet ecosystem... I. Current broadband provider privacy practices and the market do not justify the proposed rule... II. The Commission is engaging in a regulatory overreach with its proposed rule... III. The NPRM furthers a regulatory digital divide The proposed rule creates regulatory imbalance in which broadband service providers will be subject to highly restrictive and prescriptive “opt-in” privacy regulations while other content and edge providers — like Netflix — remain under the light-touch regulatory framework of the FTC... The Chamber strongly supports voluntary self-regulation as the appropriate mechanism for online data protection... IV. The proposed FCC privacy rule threatens innovation and the current digital ecosystem..."

What is the USCOC? It is a political lobbying organization representing businesses. According to the organization's website:

"The U.S. Chamber of Commerce is the world’s largest business organization representing the interests of more than 3 million businesses of all sizes, sectors, and regions. Our members range from mom-and-pop shops and local chambers to leading industry associations and large corporations. They all share one thing—they count on the Chamber to be their voice in Washington, D.C."

Let's unpack this a bit. In its comments to the FCC, the USCOC is arguing for the interests of Internet Service Providers (ISPs), and not small mom-and-pop shops, and definitely not the interests of consumers. The USCOC's view is that opt-in privacy approaches is "highly restrictive" and a burden. Instead, they want to collect whatever consumer information ISPs desire and place the entire burden on consumers to opt-out of programs. Think about that for a moment. They believe it is burdensome to explain a program's privacy policy and display an "opt-in" (or "register" or "I accept these terms") button so that consumers stay in control of their personal information.

The USCOC's submission claims that the FCC's proposed rules unfairly places restrictions on ISPs compared to "edge providers' or companies that produce content and advertising networks:

"The proposed rule creates regulatory imbalance in which broadband service providers will be subject to highly-restrictive and prescriptive “opt-in” privacy regulations while other content and edge providers — like Netflix — remain under the light-touch regulatory framework of the FTC. The same customer data about Internet usage will be regulated by two very different agencies. Content and edge providers will continue to operate under FTC’s jurisdiction to regulate “unfair and deceptive” trade practices under Section 5 of the Federal Trade Commission Act. 21 Under Section 5, in the case of unfair and deceptive trade practice violations, the FTC generally issues a cease and desist order that does not immediately impose penalties on alleged violators. This practice gives companies notice and a chance to clean up their act. Conversely, broadband providers under section 222 would not be entitled to a notice to correct mistakes and would be subject to the highly-prescriptive regulations imposed by the NPRM. The decision to regulate broadband providers under two different regulatory regimes is entirely arbitrary..."

Huh? Really? Internet access is not content. Content is content. Of course, the two should be treated differently. Internet access includes the connections for devices a consumer uses online: phones, tablets, laptops, desktops, smart televisions, smart thermometers, smart home-security systems, fitness bands, smart watches, connected refrigerators, and more. Consuming content from Netflix, or another provider, may involve a few, one, or none of these devices -- the choice of the consumer.

In its comments to the FCC, the USCOC also said:

The Commission has also failed to offer any evidence that edge and content providers are respecting consumers’ privacy more than broadband providers or that Internet service providers have any meaningful advantage over content and edge providers with respect to personal data."

MediaPost reported:

"Consumer advocacy groups disagree, pointing out that ISPs have access to all unencrypted traffic in their networks. While more sites now encrypt data than in the past, much remains unencrypted. Consider, a recent study by Upturn found that more than 85% of the top 50 sites in health, news and shopping don't fully support encryption. Upturn also noted in its report that ISPs can glean information about consumers even when they visit encrypted sites... Consumer advocacy groups also argue that broadband providers should be subject to tougher privacy rules because consumers have only limited options about which ISP to use, but many choices about which Web sites to visit."

Well said. I would add to this that the industry historically has repeatedly abused consumers' privacy. This blog has covered many of those abuses:

Historically, ISPs have sought increased revenues and viewed targeted (behavioral) advertising as the means. To do this, they partnered with several technology companies (some went out of business after class-action lawsuits) to spy on consumers without notice, without consent, and without providing opt-out  mechanisms. Consumers should control their privacy, not ISPs.

Now you know who if fighting for consumers' interests, and who is not.


Pending Rule 41 Changes Facilitate Government Spying, So Senators Introduce Legislation To Protect Citizens

Late last week, MacDailyNews reported (links added):

"U.S. Senators Ron Wyden, D-Ore., and Rand Paul, R-Ky., yesterday introduced the Stopping Mass Hacking (SMH) Act to protect millions of law-abiding Americans from government hacking. The Stopping Mass Hacking (SMH) Act prevents recently approved changes to Rule 41 from going into effect. The changes would allow the government to get a single warrant to hack an unlimited number of Americans’ computers if their computers had been affected by criminals, possibly without notifying the victims."

This news story caught my attention because you don't often see Senators Wyden and Paul working together. It raises several questions: what is so important? What is going on?

Last summer, this blog briefly discussed Rule 41 changes the U.S. Justice Department (DOJ) sought. The rule governs how search, seizure, and arrest warrants are obtained by prosecutors for criminal cases. Given sophisticated computer viruses (e.g., malware) that can take over multiple computers in multiple areas and coordinate attacks by those infected computers (a/k/a botnets), the DOJ sought changes where judges could approve warrants where the botnet location is unknown or located in another area, state, or jurisdiction. The Tech Dirt blog covered this well on April 29:

"The DOJ is one step closer to being allowed to remotely access computers anywhere in the world using a normal search warrant issued by a magistrate judge. The proposed amendments to Rule 41 remove jurisdiction limitations, which would allow the FBI to obtain a search warrant in, say, Virginia, and use it to "search" computers across the nation using Network Investigative Techniques (NITs)."

The Tech Dirt blog post also published the relevant section of the pending Rule 41changes approved by the U.S. Supreme Court (SCOTUS):

"Rule 41. Search and Seizure

(b) Venue for a Warrant Application. At the request of a federal law enforcement officer or an attorney for the government:

(6) a magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if:

(A) the district where the media or information is located has been concealed through technological means; or

(B) in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.
"

The document also says the following about electronic searches:

"(f) Executing and Returning the Warrant.
(1) Warrant to Search for and Seize a Person or Property.
* * * * *
(C) Receipt. The officer executing the warrant must give a copy of the warrant and a receipt for the property taken to the person from whom, or from whose premises, the property was taken or leave a copy of the warrant and receipt at the place where the officer took the property. For a warrant to use remote access to search electronic storage media and seize or copy electronically stored information, the officer must make reasonable efforts to serve a copy of the warrant and receipt on the person whose property was searched or who possessed the information that was seized or copied. Service may be accomplished by any means, including electronic means, reasonably calculated to reach that person."

So, the remote, electronic searching of computers doesn't target only the computers of the defendant suspected of committing a crime, but it also targets innocent people whose computers may or may not have been infected by the computer virus or botnet. How? Government prosecutors can easily craft broad warrants, and/or computer-illiterate judges can approve them.

And, innocent people won't necessarily receive any notice (e.g., the "reasonable efforts") about remote electronic searches of their devices (e.g., desktops, laptops, phones or tablets) located inside or outside their homes. And, that notice might be after the remote electronic searches were completed. Huh? When the government performs broad searches like this, that is called surveillance... spying.

Were you aware of Rule 41? Of the pending changes? Probably not. And, you'd probably agree that innocent persons' computers shouldn't be searched; and if so, advance notice should be provided. This troubles me and I hope that it troubles you, too.

I also find it troubling that the proposed Rule 41 changes weren't discussed nor debated publicly in Congress. Using the proposed Rule 41 changes, the government has found slick, stealth way to gain broader powers to spy on U.S. citizens while conveniently ignoring the Fourth Amendment of the U.S. Constitution.

Senator Paul said in a statement:

"The Fourth Amendment wisely rejected general warrants and requires individualized suspicion before the government can forcibly search private information. I fear this rule change will make it easier for the government to search innocent Americans’ computers and undermine the requirement for individual suspicion..."

Senator Wyden said in a statement:

"This is a dramatic expansion of the government’s hacking and surveillance authority. Such a substantive change with an enormous impact on Americans’ constitutional rights should be debated by Congress, not maneuvered through an obscure bureaucratic process... Unless Congress acts before December 1, Americans’ security and privacy will be thrown out the window and hacking victims will find themselves hacked again - this time by their own government."

Proponents of the Rule 41 changes will often argue that the changes are needed to fight child predators and terrorists. A wise person once told me, "you can't just run away from the Fourth Amendment." The ends don't justify the means.

The Computer & Communications Industry Association (CCIA) said:

"The proposed rule change has gone largely unnoticed by the public via a behind-the-scenes process usually reserved for procedural updates. The CCIA has voiced its concern about the government’s requested change for the past two years and we invite other technology advocates to join us in supporting this important legislation... We welcome Senators Wyden and Paul’s efforts to prevent this highly controversial rule change from taking effect. They recognize that the far-reaching implications of the government’s proposed changes merit the full attention of their colleagues in Congress. There are Constitutional, international, and technological questions that ought to be addressed transparently... The government’s proposal is a substantive expansion of its ability to conduct electronic searches, and it deserves a public debate in Congress..."

Peter Goldberger, the Co-Chair of Committee on Rules of Procedure at the National Association of Criminal Defense Lawyers (NACDL) said:

"This is a significant and substantive change to the law masquerading as a procedural rule change.. While it is surely possible to craft a constitutional procedure for digital searches, the rule making process is not sufficient for addressing such fundamental constitutional questions. Only a comprehensive legislative approach, crafted after full public hearings, could possibly deal with all the complex aspects of this issue."

You can read the Stopping Mass hacking Act (Adobe PDF) text. It's short. I wish that it went further and, a) cited prior legal cases to prevent the remote electronic searches of innocent persons' devices, b) included stronger language to prevent innocent persons from the burden of responding to court orders, subpoenas, and searches, and c) prevent the government from hiring a third-party to perform the remote electronic searches.

So, now you know. Thankfully, Senators Wyden and Paul are paying attention and have decided to work together. The seriousness demands such. Senators Tammy Baldwin (D-Wisconsin), Steve Daines (R-Montana), and Jon Tester (D-Montana) are co-sponsors of the Senate bill. Contact your Senator and ask why he/she does not support the Stopping Mass Hacking (SMH) Act. Then, contact your Representative and demand that he/she support a similar bill in the House of Representatives. Tell them that rules changes should not masquerade as changes in laws.

Opinions? Comments?


Open Letter By Tech Industry Associations Calls The Burr-Feinstein Anti-Encryption Proposal 'Unworkable'

Several technology industry associations have sent a joint, open letter to U.S. Senators Richard Burr (R-NC) and Dianne Feinstein (D-Calif.) about proposed legislation the Senators drafted. The Compliance with Court Orders Act of 2016 (CCOA) would force companies to de-encrypt communications on demand for law enforcement agencies.

The industry associations described the proposed legislation as "unworkable" in that it would "create government mandated security vulnerabilities" in digital products and services. The letter stated in part:

"We write to express our deep concerns about well-intentioned but ultimately unworkable policies around encryption that would weaken the very defenses we need to protect us from people who want to cause economic and physical harm. We believe it is critical to the safety of the nation’s, and the world’s, information technology infrastructure for us all to avoid actions that will create government-mandated security vulnerabilities in our encryption systems... Any mandatory decryption requirement, such as that included in the discussion draft of the bill that you authored, will to lead to unintended consequences. The effect of such a requirement will force companies to prioritize government access over other considerations, including digital security. As a result, when designing products or services, technology companies could be forced to make decisions that would create opportunities for exploitation by bad actors seeking to harm our customers... The bill would force those providing digital communication and storage to ensure that digital data can be obtained in “intelligible” form by the government, pursuant to a court order. This mandate would mean that when a company or user has decided to use some encryption technologies, those technologies will have to be built to allow some third party to potentially have access.  This access could, in turn, be exploited by bad actors... such a technological mandate fails to account for the global nature of today’s technology. For example, no accessibility requirement can be limited to U.S. law enforcement; once it is required by the U.S., other governments will surely follow. In addition, the U.S. has no monopoly on these security measures. A law passed by Congress trying to restrict the use of data security measures will not prevent their use. It will only serve to push users to non-U.S. companies, in turn undermining the global competitiveness of the technology industry in the United States..."

Four groups signed the open letter: Reform Government Surveillance (RGS), the Computer & Communications Industry Association (CCIA), the Internet Infrastructure Coalition (I2C), and the Entertainment Software Association (ESA). RGS members include Apple, Dropbox, Facebook, Google, LinkedIn, Microsoft, Twitter, and others. CCIA members include Amazon, Ebay, Google, Microsoft, Netflix, Pandora, PayPal, Samsung, Sprint, and others. I2C members include Amazon, Google, GoDaddy, HostGator, Verisign, and many more companies worldwide. ESA members include Activision, Disney Interactive Studios, EA, Konami, Nintendo, and others.

Privacy and security advocates itemized several problems with the CCOA. Some experts warn that the proposed legislation makes encryption illegal:

"... if the court orders you to provide the contents of a phone you made, a conversation on your messaging service, an account on your social network, or basically anything that has been made “unintelligible” using encryption, you are required by law to decrypt that information... the very foundation of encrypted communication is the deliberate and transparent impossibility of a third party listening in, service providers and manufacturers included. If it can be accessed, it isn’t encrypted. If it can’t be accessed, it isn’t legal..."

Earlier this month, Congressman Darrell Issa (R-CA), Chairman of the House Judiciary subcommittee responsible for the nation’s Internet policy, described the CCOA as:

“... about as flawed and technically-naive as a piece of legislation can get. Mandating that companies weaken our security to give government secret backdoor access into our devices would be a massive blow to American’s right to privacy and frankly would also be downright dangerous...”

The The full text of the CCOA discussion draft is available at Senator Burr's website and here (Adobe PDF, 35k).


5 Things Wrong With the Burr-Feinstein Anti-Encryption Bill

If you haven't heard, two U.S. Senators proposed a bill that forces technology companies to assist law enforcement and break the encryption built into their products and services. The Just Security blog analyzed the proposed bill, called the Compliance with Court Orders Act of 2016 (CCOA).

The CCOA draft was written by Senators Richard Burr (R-NC) and Dianne Feinstein (D-Calif.), leaders of the Senate Intelligence Committee. It's chief provisions:

"Upon receipt of a court order or warrant for “information or data” sought by a federal, state, local, or tribal government in specific types of investigations or prosecutions, the CCOA requires covered entities to give the government the information or data in an “intelligible” (i.e., unencrypted) format, or to provide any “necessary” technical assistance to render it intelligible. The CCOA only kicks in if the data is “unintelligible” (i.e., encrypted) due to “a feature, product, or service” that is “owned, controlled, created, or provided” by the entity (or by a third party on its behalf). The bill says that no government officer can dictate or prohibit specific design requirements to comply with the law."

Covered entities include tech companies: software developers, device manufacturers, communications providers (wired and wireless), and "remote computing services (RCS)." There are several major things wrong with this proposed legislation:

"In short, the bill prohibits covered entities from designing encryption and other security features so encrypted data is accessible only to the user, not law enforcement nor the entity itself. This is what I would call “effective encryption,” but law enforcement derisively calls “warrant-proof” encryption."

Effective encryption makes sense. It is precisely what is needed by both consumers and businesses to protect and keep private sensitive information, proprietary information, and banking transactions. The Burr-Feinstein proposed bill forces tech companies to build products and services with weaker security:

"...The CCOA would prohibit covered entities in the US from implementing state-of-the-art data security in their products and services... effectively outlaw such cornerstone security concepts as end-to-end encryption, forward secrecy, and HTTPS, which encrypts web traffic against hackers, state-sponsored attackers, and other snoops... It makes covered “license distributors” responsible for the compliance of the software being distributed, meaning Apple’s and Google’s app stores would be on the hook for ensuring every app on offer has weak enough security to meet government standards. It would chill innovation by rendering it largely pointless to work on making software and hardware more secure, because only CCOA-compliant security architectures would be legal."

Think of CCOA-compliant security architectures as GovtOS. The government is forcing tech companies to build a GovtOS. That's wrong. Some of the things wrong with the CCOA:

"2. It can’t stop terrorists and criminals from hiding their activities. The joke in the infosec community used to be that “when crypto is outlawed, only outlaws will use crypto.” The joke’s on Burr and Feinstein... Not only are effective encryption offerings readily available from entities based outside the US, there are already millions upon millions of devices, apps, and software programs presently in use that employ the encryption to be banned going forward. The crypto cat is out of the bag, as New America’s Open Technology Institute put it, and law enforcement’s alarmist and unsupported “going dark” rhetoric can’t hide that fact."

"3. There is no “middle ground” on encryption. This one-sided bill tries to hold itself out as the “middle ground” on encryption... But as cryptography experts have repeatedly explained over the last two decades, there is no middle ground on this issue. Mandating a means of access for law enforcement simply isn’t “appropriate” data security. It is a vulnerability, whose use can’t be limited to “good guys” bearing a court order. This was true 20 years ago and it’s still true today."

That's why many security experts call the CCOA an "anti-encryption" proposal. There's plenty more that's wrong with the CCOA. Read the entire Just Security article.

The CCOA is myopic and wrong. It forces tech companies to build inferior products and services with weaker security; and places U.S.-based tech companies at a disadvantage in the world market. It forces tech companies to do, for free, the investigative work law enforcement should do themselves. The CCOA forces tech companies to build GovtOS, regardless of the negative economic consequences to industry and jobs.

If the CCOA bothers you (and I sincerely hope that it does), tell your elected representatives.


FBI vs. Apple: Cancelled Hearing, Draft Legislation, New Decryption Capabilities, And An Outside Party

Federal Bureau of Investigation logo A lot happened this week. A lot. Below is a recap of key headlines and events involving Apple, Inc. and the U.S. Federal Bureau of Investigation (FBI).

Late during the day on Monday, the government's lawyers got U.S. Magistrate Sheri Pym to cancel a Tuesday March 22 hearing between Apple and the FBI about an earlier court decision forcing Apple to unlock the iPhone used by one of the San Bernardino attackers. Apple did not object to the cancelled hearing. The FBI was ordered to file a status by April 5, 2016. The government filed court papers on Monday explaining why:

"On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook's iPhone. Testing is required whether it is a viable method that will not compromise data on Farook's iPhone. If the method is viable, it should eliminate the need for assistance from Apple Inc. set forth in the All Writs Act Order in this case."

So, on or before April 5 we will learn if this outside party successfully demonstrated the ability to unlock and decrypt information stored on this newer model iPhone without any loss of damage to the information stored on it.

Are these decryption capabilities a good thing? Ars Technica reported:

"Jennifer Granick, the director of civil liberties at the Stanford Center for Internet and Society, said that these new government decryption capabilities are not good for privacy and ever-expanding government surveillance. "The DOJ doesn't want bad precedent, and I think Apple had the better side in this argument," she told Ars. "Being able to hack helps DOJ for a while. Apple could upgrade beyond the capability..."

Meanwhile, two U.S. Senators have drafted proposed legislation giving federal judges broad powers to force technology companies like Apple to help law enforcement break into encrypted devices. Prior proposals died in Congress. The latest proposal was drafted by Senators Richard Burr (Rep.-North Carolina) and Dianne Feinstein (Dem.-California), leading members of the Senate Intelligence Committee.

Apple Inc. logo Who is this mysterious outside party helping the FBI unlock and decrypt information on newer model iPhones? There has been speculation that the National Security Agency (NSA) was helping the FBI. One would expect the NSA to have the decryption capabilities. BGR explored this on March 4:

"... the NSA can hack into the device but that it doesn’t want to tell that to the FBI because it never likes to reveal what it’s capable of doing. If that were the case, however, why wouldn’t the NSA help the FBI behind the scenes before the FBI went public with its request for Apple’s assistance? And besides, as The Intercept notes, “courts have affirmed the NSA’s legal right to keep its investigative methods secret.” In fact, security experts explained to Wired earlier this week that the FBI could recruit the NSA to connect the iPhone 5c to a Stingray-like rogue cellular network as it’s booting up, which could give the agency the ability to control the device before it even gets to the unlock screen..."

However, Inverse reported on Thursday who else it might be and why:

"Sun Corporation, the company currently getting rich off public speculation that it can help the FBI break into the notorious San Bernardino iPhone was not always such a fierce competitor. While it’s seen the value of its stock rise 36 percent since Reuters reported that the FBI had enlisted its subsidiary, an Israeli-firm called Cellebrite, to unlock the iPhone..."

NPR reported that it might be a publicity stunt by Cellebrite. Will the FBI meet its April 5 deadline? The NPR report discussed a possible decryption approach:

"Computer forensics researcher Jonathan Zdziarski argues that because the FBI has asked courts for only two weeks to test the viability of the new method, it's likely not highly experimental. It's also likely not something destructive, like the "decapping" method that relies on physically shaving off tiny layers of the microprocessor inside the phone to reveal a special code that would let investigators move the data and crack the passcode. The idea that's garnering the most focus is something called chip cloning, or mirroring or transplantation..."

During a press conference on Friday, FBI Director James Comey wouldn't disclose the name of the outside party. USA Today also reported:

"Law enforcement officials Thursday threw cold water on two recent theories on how the FBI was attempting to hack into an iPhone used by one of the San Bernardino terrorists... FBI Director James Comey, in response to a reporter's question at a briefing, said making a copy of the iPhone’s chip in an effort to circumvent the password lockout “doesn’t work”... A widely discussed scenario in the security world, put forward by a staff technologist at the ACLU, has been that the FBI had found a way to remove crucial chips from the iPhone, make digital copies of them and then run multiple passcode attempts against the digital copies, while keeping the phone's software itself untouched. That would avoid tripping the self-erase program built into the iPhone..."

So, who is helping the FBI -- Cellebrite, the NSA, or both? Or another entity?

Another line of speculation is that the FBI has received assistance from the NSA and has decided to use Cellebrite as a false front. Why might this be true? It allows the FBI to reveal (some) investigation methods without revealing the NSA's real methods. I'm no legal expert, but if this is true, I can't see any judge being pleased about being lied to.

We shall see on or before April 5. What are your opinions? Speculation?


Updated Laws And Protections Needed Regarding Drone Privacy

Image of a drone or unmanned aircraft Consumer Reports explored the issues with drone privacy: what privacy protections consumers have, if any, and who enforces them. A 70-year-old lawsuit involving a farmer in North Carolina has now taken on new importance:

"The case made it all the way to the Supreme Court in 1946. And one result of United States v. Causby was that the Court set the limits of private airspace: If you own a house, your property rights extend 83 feet up into the air... the 70-year-old ruling has new importance in the age of drones. It remains the only clear federal statement of law on how far above the ground your property ends..."

Basically, the Federal Aviation Administration (FAA) is responsible for setting rules and enforcement. Drones (also referred to as unmanned aircraft) have many valid uses, including faster, easier safety inspections of infrastructure, such as bridges, residential roofs, towers, and stacks; plus commercial package delivery. Thankfully, drone pilots have been required to register with the FAA since December.

To improve things, the Electronic Privacy Information Center (EPIC) filed a federal lawsuit, to try to force the FAA to set rules protecting citizens from privacy intrusions by drones:

"... EPIC wants the FAA to make it easy for citizens to find out whether drones flying overhead have surveillance capabilities. The group also wants to protect the privacy rights of drone pilots..."

While some states have "paparazzi" laws that apply when photos or video are taken, improvements are needed to help consumers distinguish between drones flying overhead versus drones performing unauthorized recording:

"... existing nuisance and invasion-of-privacy statutes would apply to drone owners. If you could prove you were being harassed by a drone flying over your house, or even that one was spying on you from afar, you might have a case against the drone operator. But proof is difficult to obtain... and not everyone agrees on how to define harassment."

Other legislative efforts:

"A law proposed by Massachusetts Senator Ed Markey, the Drone Aircraft Privacy and Transparency Act, would require the agency to ensure baseline privacy and transparency safeguards, which would apply to both private drone operators and law enforcement. The ACLU, which supports the Markey bill, argued as far back as 2011 that a lack of oversight could lead to excessive surveillance by law enforcement using drones."

Related blog posts:


FCC Proposes New Rule To Unlock Set-Top Cable Boxes To Encourage Innovation, Competition, Choice And Lower Prices

Federal communications Commission logo During an open Commission meeting on Thursday February 18, 2016, the U.S. Federal Communications Commission (FCC) discussed and approved several agenda items including a proposal to encourage competition with the cable television set-top boxes that many consumers lease from their cable-TV providers:

"The Notice of Proposed Rulemaking (NPRM) will create a framework for providing innovators, device manufacturers, and app developers the information they need to develop new technologies, reflecting the many ways consumers access their subscription video programming today. Ninety-nine percent of pay-TV subscribers have limited choices today and lease set-top boxes from their cable and satellite operators. Lack of competition has meant few choices and high prices for consumers – on average, $231 in rental fees annually for the average American household. Altogether, U.S. consumers spend $20 billion a year to lease these devices. Since 1994, according to a recent analysis, the cost of cable set-top boxes has risen 185 percent while the cost of computers, televisions, and mobile phones has dropped by 90 percent. Congress recognized the importance of a competitive marketplace and directed the Commission to adopt rules that will ensure consumers will be able to use the device they prefer for accessing programming they’ve paid for."

The NPRM recommends that Multi-channel Video Programming Distributors (MVPD), including legacy cable-TV providers, TV networks, and others that provide programming via cable and/or the Internet, be required to deliver three core information streams:

"1. Service discovery: Information about what programming is available to the consumer, such as the channel listing and video-on-demand lineup, and what is on those channels.
2. Entitlements: Information about what a device is allowed to do with content, such as recording,
3. Content delivery: The video programming itself."

Consumers can keep their current cable set-top boxes, or switch to newer solutions when available. The FCC did not dictate standards for the solutions. Instead the FCC recommended that:

"... these three streams be available to the creators of competitive solutions using any published, transparent format that conforms to specifications set by an independent, open standards body... The Notice of Proposed Rulemaking also recommends content protection rules... The proposed rules do not mandate a single security system but simply require MVPDs to offer at least one content protection system that is openly licensed on reasonable and non-discriminatory terms. This gives MVPDs the ability to create their own content protection system to prevent theft and misuse, while ensuring that manufacturers will be able to build devices that can access protected content from a variety of MVPDs."

The proposed rules also include the following requirements for MVPDs:

"Ensure that children’s programming advertising limits and emergency alerts apply regardless of whether the consumer leases the MVPD’s set-top box or uses a competitive solution to access video programming;

Include a billing transparency rule to ensure that consumers understand their monthly charges for both programming services and equipment lease fees in accordance with section 629; and

Retain the Commission’s rules adopted in a 2010 Report and Order to improve support for consumer-owned CableCARD devices."

Much needs to happen before competitive set-top box solutions are available in the marketplace. The next step includes a comment period where interested parties (e.g., companies, consumers) -- supporters and opponents -- submit feedback about the proposed rules. Then, the FCC reviews the feedback and may adjust its rules based upon that feedback. After finalized rules, companies will then develop set-top box solutions. The proposed rules document lists several topics the FCC seeks feedback about. Some of those topics:

"... ways to address any licensing and consumer protection issues... how best to align our rules on device billing and subsidies... whether the rules the Commission adopted in a 2010 Report and Order to improve support for consumer-owned CableCARD devices have continued relevance and should remain valid and enforceable... statistics show, however, that almost all consumers have one source for access to the multichannel video programming to which they subscribe: the leased set-top box, or the MVPD-provided application. Therefore, we tentatively conclude that the market for navigation devices is not competitive, and that we should adopt new regulations to further Section 629. We invite comment on this tentative conclusion... the process that an MVPD uses to decide whether to allow such a device to access its services... it appears that consumers have downloaded proprietary MVPD applications many times; we seek comment on whether consumers actually use those applications to access multichannel video programming..."

Regardless, the proposed set-top box rules will disrupt the revenue streams cable-TV operators have enjoyed for decades. So, you can expect them, and their allies, to put up a fight. Wired magazine reported:

"Each consumer has invested thousands of dollars into the box without having any ownership,” says Chip Pickering, CEO of Incompas, a trade association for “competitive networks” backed by Google, Amazon, Netflix, and others. “That’s a monopoly business model.” The distribution of set-top boxes, then, is essentially a monopoly within an already monopolistic industry..."

One argument opponents have used is to blame Google:

"Google has become a popular bogeyman for entrenched cable interests for good reason. The company has actively supported set-top box disruption, both through its involvement with Incompas and through direct contact with the FCC. AT&T went so far as to call it “Google’s Set-Top Box Proposal” in a corporate blog post opposing the rules..."

Despite the hype and spin that has been presented (and will be presented), it's important for consumers to remember that:

“Nothing in the [FCC] proposal changes linear TV or traditional TV’s advertising. Their programming, their advertising, nothing that they do today will be changed,” says Pickering. What could change is that the traditional programming would be served up alongside Internet programming..."

View the FCC "Unlock the Box" press release (Adobe PDF) or here. View the FCC "Unlock the Box" NPRM (Adobe PDF) or here.

The FCC set-top proposal is is good news for consumers. It starts to break the monopolistic strangle-hold. Cable-TV providers have had decades to recoup their infrastructure investments. It's time to move forward with solutions more friendly for consumers. Kudos to the FCC for encouraging competition to lower cable prices for consumers.


CFPB Considers Proposal to Ban Some Arbitration Clauses

Logo for Consumer Financial Protection Bureau On Wednesday, the Consumer Financial Protection Bureau (CFPN) announced a proposal to ban arbitration clauses which many companies use to prevent consumers from joining class-action lawsuits. In its announcement, the CFPB explained the problem:

"Many contracts for consumer financial products and services include arbitration clauses. These clauses typically state that either the company or the consumer can require disputes about that product to be resolved by privately appointed individuals (arbitrators), rather than through the court system. Where such a clause exists, either side can generally block lawsuits from proceeding in court. These clauses also typically bar consumers from bringing group claims through the arbitration process. There are arbitration clauses in all kinds of consumer financial products, from bank accounts to private student loans. They affect tens of millions of consumers. As a result, no matter how many consumers are injured by the same conduct, consumers must resolve their claims individually against the company, which few consumers do."

The Dodd-Frank Wall Street Reform and Consumer Protection Act, passed by Congress, required the CFPB to study the use of arbitration clauses in consumer financial markets and provide remedies. The CFPB released the results of its study in March 2015:

"... arbitration clauses restrict consumers’ relief for disputes with financial service providers by allowing companies to block group lawsuits... very few consumers individually seek relief through arbitration or the federal courts, while millions of consumers are eligible for relief each year through group settlements. According to the study, more than 75 percent of consumers surveyed in the credit card market did not know whether they were subject to an arbitration clause in their contract. Fewer than 7 percent of those consumers covered by arbitration clauses realized that the clauses restricted their ability to sue in court."

The proposal would not ban arbitration clauses, but limit and monitor their use instead:

"... the clauses would have to say explicitly that they do not apply to cases filed as class actions unless and until the class certification is denied by the court or the class claims are dismissed in court. The proposals under consideration would also require that companies that choose to use arbitration clauses for individual disputes submit to the CFPB the arbitration claims filed and awards issued. This will allow the Bureau to monitor consumer finance arbitrations to ensure that the process is fair for consumers. The Bureau is also considering publishing the claims and awards on its website so the public can monitor them."

This is really good because the playing field is heavily tilted against consumers. A friend (who asked to remain anonymous) experienced a very lengthy arbitration process with a big bank that stretched out for more than 12 years. The process should have been resolved a lot faster, and the bank still refused to pay after the arbiter's decision. That's one way companies abuse consumers, knowing that most consumers have limited financial resources and legal options.

Readers of this blog are familiar with the problem. I discussed it during a 2014 review of the Vanilla Visa Prepaid Card, which includes arbitration in its terms. Bankrate published in 2004:

"Binding arbitration, a little noticed clause in many agreements and contracts, strips consumers of their fundamental rights, including the right to sue individually or join a class-action suit if they have a problem with a company. Under binding arbitration, a consumer can be forced to pay thousands of dollars upfront to pursue a complaint, travel thousands of miles to a location of the company's choosing for the hearing, argue their case before an arbitrator who depends on the company for future business and surrender such basic legal weapons as the right to discovery and the right to appeal a decision... Labeled by the National Consumer Law Center as "astonishingly unfair and undemocratic," these clauses affect millions of consumers across the country. Corporations insert them into employment and home building contracts, in agreements for credit cards, computer software and hardware purchases, and many types of loans."

And, arbitration can cost more than a traditional court trial:

"Consumers' costs for arbitration vary widely and depend on the arbitration company, the type of dispute and the cost of the proposed remedy. The American Arbitration Association offers a streamlined process for consumer disputes that limits costs, but limits your rights too. While the American Arbitration Association is an umbrella group for arbitration companies, not all arbitration companies follow its suggested rules. Under these consumer rules, there is a filing fee of $125 if your dispute is under $10,000 and $350 if it is over that amount... However, in exchange for the low filing fees and streamlined process, you must give up some of your rights... There is no contingency in arbitration. Also, these costs don't include costs for an attorney if you want one..."

According to the National Association of Consumer Advocates (NACA):

"One of the alleged benefits of arbitration is that it costs less than litigation, but frequently this is not true for consumers and employees. Forced arbitration frequently costs more than taking a case to court and can cost thousands of dollars. Individuals often have to pay a large fee simply to initiate the arbitration process. If they are able to get an in-person hearing, individuals sometimes have to travel thousands of miles on their own dime to attend the arbitration. In the end, the loser (usually the individual) often pays the company’s legal fees."

The benefits of the CFPB arbitration proposal:

  1. Consumers get their day in court. With current arbitration clauses, consumers don't.
  2. A deterrent against wrongdoing and bad actors. The CFPB proposal encourages companies to comply with the law to avoid lawsuits.
  3. Increased transparency. Arbitration processes and results shouldn't be secret. CFPB monitoring would help consumers determine whether or not they're getting a good deal in arbitration.

So, the CFPB proposal to ban arbitration clauses is very good and welcomed news for consumers. You probably already use a service that includes arbitration clauses. The Public Citizen website lists the banks, retail stores, entertainment, online shopping, telecommunications, consumer electronics, software, nursing homes, and health care companies that include binding arbitration clauses in their contracts with customers.

If this bothers you (and I hope that it does), you can take action at the NACA website. And, tell your elected officials you support the CFPB's arbitration proposal. What are your opinions of the CFPB arbitration proposal?


Charts: Gun vs. Terrorism Deaths, Comparisons By State

In a news conference yesterday after the latest shooting at a school, President Obama challenged the news media to report facts comparing gun versus terrorism deaths in the USA. Vox published an interactive chart comparing deaths:

Chart comparing gun versus terrorism deaths in the USA. Click to view larger image

And, there's plenty more. Vox provided several charts and statistics about gun violence and gun ownership in the United States:

"America's unique problem with gun violence: American has six times as many firearm homicides as Canada, and 15 times as many as Germany... America has 4.4 percent of the world's population, but almost half of the civilian-owned guns around the world... There is a mass shooting almost every day in America... States with more guns have more gun deaths... States with tighter gun control laws have fewer gun-related deaths... In states with more guns, more police officers are also killed on duty..."

The chart comparing gun ownership and gun-related deaths by state:

Chart comparing gun ownership versus gun deaths by state. Click to view larger image

To learn more, browse the charts Vox has assembled.


U.S. Senator Calls For Geo-Fencing To Keep Drones Away From High Value Targets

Image of a drone or unmanned aircraft Most people like to travel. That includes airplane trips for business or for pleasure. And, everyone wants to travel safely. Newsday reported:

"The FAA reported 52 instances of pilots spotting drones in June and July 2014, but the rate of such sightings has risen to 275 in June and July 2015, the senator said. Schumer said he fears a drone may eventually be sucked into the engine of a plane or otherwise collide with aircraft."

This blog reported in August about two near misses in New York. For safety, U.S. Senator Chuck Schumer (Democrat-New York) proposed an amendment to Federal Aviation Administration Re-authorization bill to require all remote-controlled aircraft sold in the United States to have tracking mechanisms installed. The mechanisms would use geo-fencing technology to keep drones away from high-value targets, such as airports, major parades, the Pentagon, major sporting events, and sports stadiums.

The Federal Aviation Administration (FAA) is responsible for maintaining the safety of our skies in the United States. The incident highlights the need for continued and stronger enforcement of aviation safety laws by drone operators:

"Unmanned aircraft systems are neither supposed to fly within five miles of an airport without notifying the airport operator and control tower nor are they supposed to go above 400 feet."

There will likely be a fight in Washington about the FAA Re-authorization bill. General Aviation News reported in July 2015:

"The House Transportation and Infrastructure Committee has delayed plans to release its proposed FAA reauthorization legislation. That occurred after the House majority leader informed the committee that consideration of the FAA reauthorization bill has been moved to September. The current FAA authorization expires Sept. 30. It was put into place after an agonizing 23 short-term extensions that stretched from September 2007 to February 2012. While some lawmakers had promised that wouldn’t happen with this reauthorization, a short-term extension of the authorization may be needed while lawmakers pound out the final bill."

About his bill amendment, the Senator said in a statement:

"There needs to be a clear strategy to address the public safety dilemma of reckless drone use because a future drone crash could spell real trouble. That’s why I am unveiling brand new federal language in Congress that would virtually eliminate any chance of drones crashing into planes and causing serious danger... If geo-fencing technology were mandated in every drone sold in America, it would go a long way toward preventing the kinds of near-misses that have occurred over the past few months, and still allow hobbyists to fly drones in safe places.”

I agree. What are your opinions?


Location Privacy. Does Your State Allow Warrantless Searches Of Cellphones?

Does your state's laws allow law enforcement to perform warrantless searches for cellphone location data? The American Civil Liberties Union (ACLU) released a report where it researched each state's current laws to determine whether residents' location privacy is protected or not:

"... 18 states now require law enforcement to get a probable cause warrant before obtaining people’s cell phone location information. Six of those states protect both historical and real-time location information from warrantless search... This year alone, legislation was introduced in 17 states. Instead of waiting for Congress or the courts to act, state legislatures are leading the way..."

Metadata about your phone calls reveals who you called, who called you, when the call happened, and how long you talked. Geo-location data reveals your travel patterns: where you went, when you left, when you returned, how long you stayed, places you passed by and didn't enter, and travel patterns (e.g., places you visit frequently and/or at certain times or on certain days).

The report included what's known (so far) about stingrays, the technology using fake cellular phone towers to spy and collect your phone usage and geo-location data:

"... New Hampshire has joined the ranks of states offering full probable-cause warrant protection to both historical and real-time cell phone location information. The Washington legislature unanimously passed a law requiring a warrant for use of “StingRay” cell phone tracking equipment, and Virginia enacted a similar law."

You can browse the report to read detail about the laws (or lack thereof) in the state where you live. For example, the state where I live:

ACLU report on warrantless search laws by state. Massachusetts. Click to view larger version

Besides stingrays, the use of other technologies threaten consumers' location privacy. The ACLU of Southern California and the Electronic Frontier Foundation (EFF) asked the California Supreme Court to review their lawsuit seeking access to automated license plate-reader (ALPR) data collected by the Los Angeles Police and Sheriff’s Departments. The EFF said in July:

"This case has significant precedential impact, setting a troubling standard allowing police to keep these records and details of its surveillance of ordinary, law-abiding citizens from ever being scrutinized. The appeals court ruling may apply not only to records collected with license plate cameras, but to data collected using other forms of automatic and indiscriminate surveillance systems, from body cameras and dash cameras to public surveillance cameras and drones. Without access to these records, we can’t ensure police accountability."

The case started in 2012 when local law enforcement refused to disclose ALPR data after the EFF filed a public records request:

"... cameras mounted on patrol cars and at fixed locations around the city and county of Los Angeles. ALPRs automatically take a picture of all license plates that come into view and record the time, date, and location where the vehicle was photographed. Because the agencies store the data for two to five years, they have been able to collect a massive amount of sensitive location-based information on mostly innocent Los Angeles residents..."

Reportedly, the reasons given by local law enforcement agencies:

"The agencies refused to turn over the records, claiming they could withhold the millions of license plate data points as “records of law enforcement investigations,” which are exempt from public review under the California Public Records Act. Incredibly, they argued that all drivers in Los Angeles are under criminal investigation at all times—whether or not the police suspect them of being involved in any criminal activity. The ACLU has estimated that as many as 99.8% of the vehicles photographed by ALPR cameras are never linked to any ongoing criminal investigation..."

Sadly, both the trial and appeal courts sided with the law enforcement agencies. So, the threat to consumers is two-fold: a) collection of law-abiding citizens without notice nor consent, and b) lack of accountability of government surveillance programs that could extend into more technologies such as body cameras.

Last, all of this does not minimize nor condone surveillance by corporations, which is arguably more extensive than government surveillance. Terms such as behavioral advertising, geo-fencing, and targeted advertising are often used to describe private-sector surveillance, with vague promises of relevant advertising benefits. At the end of the day, surveillance is surveillance; tracking is tracking. Many law enforcement and spy executives have probably looked at the extensive private-sector surveillance with weak consumer protections and concluded, "if they can do it, so should we."

View the ACLU report and status of warrantless search laws in your state.


Can You Legally Shoot Down a Drone Hovering Over Your Property?

Image of a drone or unmanned aircraft During the coming months and years, this is a question more and more people will ask: can citizens shoot down a drone hovering over your property? Many drones are outfitted with surveillance cameras. One person outfitted a drone with a handgun (video). Some hobbyists outfitted their drones with paintball handguns. Newsweek explored the problem:

"A New Jersey resident who shot down a neighbor’s drone was arrested and charged with possession of a weapon for an unlawful purpose and criminal mischief. After a Californian shot down a neighbor’s drone thinking “it was a CIA surveillance device, ”the drone’s owner won a suit in a small claims court that found the man “acted unreasonably... regardless of whether it was over his property or not." "

Last month, a Kentucky homeowner was arrested after shooting down a camera-equipped drone that hovered directly over his property while his teenage daughter sunbathed in the back yard. You might think that the case should have favored the homeowner, but it didn't. Why? Keep reading.

The legality of shooting down a drone depends upon whether or not it is threatening. The Newsweek article explored the legal issues:

"... unlike pedestrian trespass, your options for removing drones from your property are limited. More troubling is this: How do you know when a drone is truly threatening? As Michael Froomkin, a professor at the University of Miami School of Law, writes, neither the law nor technology has developed far enough to clarify what constitutes a threat and what measure of self-help is appropriate."

So, there is ambiguity about what constitutes a threat and what a reasonable response is. Our laws both lag behind the rapidly advancing technology and inconsistency treat crime versus privacy:

"Ryan Calo, a professor at the University of Washington School of Law, writes, “[T]he lack of a coherent mental model of privacy harm helps account for the lag between the advancement of technology and privacy law.” But not so in criminal law, where tough-on-crime mania routinely drives quick application of broadly phrased statutes to new contexts."

Reportedly, the Federal Aviation Administration (FAA) has responsibility for all civil airspace (e.g., non military) above cities and towns. Based upon the 2012 FAA Modernization and Reform Act, there are different rules for government, non-government, and recreational operators of Unmanned Aircraft Systems (UAS), commonly referred to as drones. The FAA rules for recreational or hobby drone usage:

"Fly below 400 feet and remain clear of surrounding obstacles; Keep the aircraft within visual line of sight at all times; Remain well clear of and do not interfere with manned aircraft operations; Don't fly within 5 miles of an airport unless you contact the airport and control tower before flying; Don't fly near people or stadiums; Don't fly an aircraft that weighs more than 55 lbs; Don't be careless or reckless with your unmanned aircraft – you could be fined for endangering people or other aircraft"

How close is "near" -- 3 feet, 30 feet, 30 yards? That seems vague. Nor do the rules mention privacy, so i guess it is legal to film anyone without consent. And, I guess you can modify your recreational drone with any attachment, as long as you stay under the 55-pound limit.

Some people have used drones to record natural sights, such as a volcano and lava river, that would be too dangerous to record otherwise. Some local governments have used drones to inspect building rooftops after snowstorms for damage or collapse risks. Other local governments want to use camera-equipped drones to inspect structures, such as bridges, that otherwise would be costly or inaccessible. Both make sense.

There already are film festivals for drone operators. The New York City Drone Film Festival debuted in March, and the Flying Robot International Film Festival is scheduled for November 19. Some consumers have already used drones to record landmarks such as the Golden Gate Bridge near San Francisco. Predictably, one recreational drone crashed into the bridge's roadway. While it didn't cause a traffic accident, the risk is there. I'd hate to think that legislators waited until a catastrophe before taking action.

Does this bother you? I hope so. Contact your elected officials and demand updated, effective drone laws that protect both your safety and privacy.

What are your opinions?