In a post on Tuesday entitled “First they came for WikiLeaks, then the New York Times,” we wrote about how there is growing evidence that Congress and the Justice Department may be considering legal sanctions against traditional journalists who publish classified information — in other words, extending the kind of legal attacks they have been making on WikiLeaks to the traditional media such as the New York Times. In an emailed response to that post, former NYT executive editor Bill Keller said he strongly agrees that an attack on WikiLeaks’ right to publish such leaked documents is an implicit attack on the media as a whole, and that the mainstream media should protest any prosecution of the organization as a betrayal of the First Amendment.

In my post, I described how some members of a House Judiciary subcommittee seemed to be looking to experts for legal grounds under which they could charge journalists for publishing leaked classified information. The Department of Justice has also reportedly been warning reporters that if they publish such documents they could face prosecution — in the same way the DoJ is said to be pursuing a case against WikiLeaks and its controversial founder Julian Assange under the Espionage Act, (despite the fact that the government’s own researchers say using the act to go after journalists instead of leakers is a questionable strategy).

If WikiLeaks is under attack, journalism is under attack

My point was that if WikiLeaks, which I have argued before is a media entity — although one very different from the New York Times — is subject to that kind of prosecution for publishing classified information, then the NYT or any other traditional media outlet is in danger of being prosecuted as well. I also said that most mainstream media companies had been relatively silent on this point until now, but Keller noted in his email that he has repeatedly agreed that an attack on WikiLeaks is an implicit attack on media and journalism. As he put it:

I’ve said repeatedly, in print and in a variety of public forums, that I would regard an attempt to criminalize WikiLeaks’ publication of these documents as an attack on all of us, and I believe the mainstream media should come to his defense.

Keller went on to say that despite the rumblings from Congress that I referred to in my post, the government so far hasn’t made an official move against either Julian Assange or WikiLeaks. If a prosecution under the Espionage Act did in fact occur, Keller said he hoped to see news organizations of all kinds and press-freedom advocacy groups “filing briefs and otherwise objecting.” The NYT’s former executive editor also admitted that the newspaper’s relationship with Assange had been fractious, but said that personal feelings about the WikiLeaks founder shouldn’t prevent media organizations from coming to his defense:

You don’t have to embrace Julian Assange as a kindred spirit to believe that what he did in publishing those cables falls under the protection of the First Amendment.

Even if it isn’t journalism, it deserves protection

In a follow-up email, Keller also noted that he had made similar statements about the necessity of defending Assange and WikiLeaks’ publication of classified documents in a New York Times magazine piece excerpted from the introduction to “Open Secrets: WikiLeaks, War and American Diplomacy,” a book about the organization’s publication of thousands of diplomatic cables and the NYT’s role in that effort. In the piece, he said:

While I do not regard Assange as a partner, and I would hesitate to describe what WikiLeaks does as journalism, it is chilling to contemplate the possible government prosecution of WikiLeaks for making secrets public, let alone the passage of new laws to punish the dissemination of classified information, as some have advocated… criminalizing the publication of such secrets by someone who has no official obligation seems to me to run up against the First Amendment and the best traditions of this country.

As I wrote at the time Keller’s excerpt was published, it seemed as though the former NYT editor was grudgingly coming to admit that what WikiLeaks did was close enough to being journalism that — even if it wasn’t journalism with a capital J, or published by professional journalists — it deserved the full protection of the First Amendment. That’s a message it would be nice to hear from more journalists of Keller’s calibre.

Post and thumbnail images via Charlie Rose and Flickr user jphilipg

The criticism that, by including a provision for the protection of intellectual property, CISPA is little more than a less-conspicuous form of the draconian SOPA bill seems misguided. CISPA is vague and unnecessarily broad, but it’s not SOPA. In fact, the very same Internet companies that were so adamantly opposed to SOPA might support CISPA. Facebook already does. So does outspoken SOPA critic Darrell Issa (R-CA). Here’s why.

1. CISPA is actually good, in theory. The idea of sharing cybersecurity information between private companies and the government has merit, especially in a world of increased cyberattacks against organizations in both sectors. If you’re trying to discover patterns in attacks, more data is always better, and web sites are attacked constantly. That they also could have access to classified government data is particularly beneficial.
2. CISPA doesn’t require service providers to do anything. SOPA all but forced service providers to monitor user behavior to the benefit of media companies (or to avoid being shut down by them), but CISPA only allows those providers to act in their own best interests. It’s unclear to me, at this point, why any company like Facebook, Google or Twitter would do anything other than obtain information on activity that directly affects the security of their platforms or their proprietary data.
3. I’m not certain the inclusion of intellectual property protection was driven by ulterior motives. For one, CISPA actually reads as if private parties can only gather information relating to their own rights and property, which would mean ISPs can’t go about monitoring for copyright infringement because they don’t own any copyright. There’s a strong argument that the bill primarily targets cyberattacks aimed at stealing data or files from a company’s servers (CISPA co-author Mike Rogers (R-MI) said as much in a press conference yesterday), although existing cybersecurity law certainly target some of that activity.

Probably the biggest problem is what a company is able to do to “protect” itself from such threats. As the EFF points out, CISPA allows companies to “use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity.” It also grants companies immunity from lawsuits if they exercise their rights under the bill in good faith.

If the EFF is correct, companies could bypass existing laws regarding the monitoring of communications, claim good faith and — if they have a solid case — be free from liability. The EFF also talks a lot about CISPA allowing service providers to “block” sites, although it’s unclear what type of activity the bill actually allows in response to information gathered. Does it allow them to obtain information and take shutdown actions like those SOPA would allow, or just to react to information only within the bounds of what’s already legal?

It’s a little scary, then, that CISPA has such strong support in the House of Representatives. Whereas SOPA had only 23 co-sponsors, CISPA has 106, including Issa. That web companies such as Microsoft and Facebook have signed off on it isn’t too promising, either. It likely will take some powerful voices to at least clear up the vagaries of the bill, but it’s hard to see where they’ll come from this time around.

Feature image courtesy of Rob Allday.

Senator Herb Kohl–the chairman of the Senate committee that deals with antitrust law–sent a letter today to U.S. Attorney General Eric Holder, saying that the deal would just replace the monopoly that AT&T used to have over the phone system “with a near-duopoly of AT&T and Verizon.” The letter was also sent to FCC Chairman Julius Genachowski, according to a Reuters (NYSE: TRI) report.

Critically, Kohl said that regulators looking at the deal should be look at the telecommunications market as a single, national market–not a series of local markets, as often happens in regulatory review.

It’s important to note that while Kohl may be powerful when it comes to antitrust policy in the U.S. generally, he doesn’t have any direct control over whether this merger is approved. That will be up to the usual antitrust regulators at the Department of Justice and the Federal Trade Commission.

But Kohl’s statement will influence the public debate on the issue; and as chairman, he could hold hearings on the issue and make more of a ruckus.

AT&T told Politico that it thinks the deal will still get approved. The company also made Kohl’s view sound like a minority opinion, stating: “[W]e feel his view is inconsistent with antitrust law, is shared by few others and ignores the many positive benefits and numerous supporters of the transaction.”

AT&T’s spin is sounding a bit stretched there. The merger does have some important supporters, including a coalition of big tech companies like Microsoft (NSDQ: MSFT) and Facebook, as well as certain labor unions. But the pool of supporters wasn’t large to begin with and seems to be shrinking, not growing.

The proposal, a summary [PDF] of which is available on Franken’s website, would require companies to notify consumers when they collect location information and when they share it with third parties, like advertising networks.

It isn’t yet clear how specific the disclosures would have to be; and there’s a big difference between asking smartphone users if they don’t mind information sharing in a general sense, and asking something like: “May we share your location data with advertising network X?”

In addition, the bill would impose data security requirements for companies that have location information for more than 5,000 devices. They’d have to take “reasonable steps” to protect the data, and most interesting, would have to delete the information of individual consumers who requested their data be removed.

There have been several bills proposed in Washington over online privacy this year, and one failed proposal in California, but this is the first one to focus specifically on location.

Remarkably, today there is no general-purpose federal privacy or data security law on the books. Certain sensitive areas of information are governed by federal law-financial institutions have to follow the Gramm-Leach-Bliley Act, for instance, while health care providers have to worry about abiding by HIPAA guidelines. But when companies experience data breaches like the repeated hacking attacks against Sony, there’s no federal law to follow.

That’s not to say the companies don’t have to worry about the law at all. There are 47 different state laws a company that experiences a data breach has to worry about it. The confusion and expense of it all can be a big headache, and that’s why the FTC’s proposal may well find support in the business community.

The FTC proposal would basically mirror state laws, in that it would require companies to have “reasonable data security policies and procedures” as well as notify consumers if there’s a data breach that affects them. Allowing the FTC to bring enforcement actions against companies that don’t have “reasonable” policies would enhance the agency’s power, because right now the FTC can only bring actions against companies that violate one of the information-specific laws, or violate their own published guidelines about how they’ll handle data security. That’s similar to the online privacy area, where the FTC has been able to prosecute some cases-including one against Google-because the company launched a product that broke its own guidelines.

During its testimony, Commissioner Ramirez also noted that the FTC announced today two enforcement actions in the area of data security, against Ceridian Corp. and Lookout Services Inc. Since 2001, the FTC has brought a total of 34 actions against companies that violated data-security laws.

During a discussion about personal information and privacy at the pii2011 conference, Evidon CEO Scott Meyer suggested that the tone of the WSJ series about digital privacy, called “What They Know,” was over the top and inflammatory. “When you use words like ‘surveillance’ and ‘spying,’ it freaks people out,” Meyer said to Julia Angwin, one of the WSJ reporters who has worked on the series. “If it weren’t for you, we wouldn’t be here,” he said, referring to the panel of behavioral advertising companies that he was on, which Angwin was moderating.

A questioner from the audience, Morgan Reed of the Association for Competitive Technology, agreed, noting that the WSJ series had directly influenced the comments made by Congressional representatives. “The question addressed to me [by Congress] was, ‘Look at these apps the Wall Street Journal found — so you, app developer, tell us why we shouldn’t be afraid of these,” said Reed.

“What we’re doing is reporting the facts,” Angwin responded. “The fact is, we tested a bunch of apps, and this is the data they were sending,” she said. “And this is pretty revolutionary in the news business.” (Laughter in the audience.) “Most often, data written about in the newspaper is provided to them, as in, ‘a Brooking Institution report says this.’ We decided to test things ourselves. It was expensive, it was difficult. And it turns out, we now have the best data available about what apps are doing. It’s hard to replicate that study. You have to hack the phones, and measure the traffic.”

She continued: “There are some loaded words in those stories, I agree. But I also think that this is actually what is happening–you are being tracked,” she said. “How did this all get turned onto me?”

After some more chuckles from the audience, Reed suggested that Meyer should thank Angwin and the Journal for its focus on privacy, because it’s focused the attention of advertisers on the importance of doing better disclosure. “If it wasn’t for her you wouldn’t have a business right now.”

Everything above was said in a pretty friendly way. Still, the exchange was telling. It reflects the perception of advertisers and many online service providers that at this particular moment, the privacy debate has become very driven by media coverage, and by the WSJ in particular.

Evidon is in charge of implementing the self-regulatory policy that online ad companies are pursuing, and recently began showing icons to viewers that indicate the presence of behavioral ads. Users can click on those icons to learn more about ad targeting, or to opt-out if they choose.

During other parts of the discussion, Meyer talked about Evidon’s explosive recent growth. Evidon is currently serving 10 billion ad impressions per month, he said, and while that’s “a single digit percentage” of total behavioral ad impressions, it’s possible that Evidon could be having its icon appear in 50 percent or more of those ads within 6 to 12 months. “We will probably grow 100 percent month over month in May,” said Meyer. “That may seem like it’s not realistic, but that’s the way the internet scales.”

The main problem with the ECPA is that it’s been interpreted by courts to allow cops to snoop on email without a warrant. That development has been disturbing to public interest groups, but has also begun to bother large corporations that the government has begun to treat as an easy source for evidence, even without a court order.

A coalition of entities interested in reforming the ECPA came together last year, in a group called Digital Due Process. The coalition includes privacy advocacy groups, but many big tech companies have joined Digital Due Process, including AOL (NYSE: AOL), AT&T (NYSE: T), Microsoft (NSDQ: MSFT), Google (NSDQ: GOOG), Facebook, and eBay (NSDQ: EBAY).

The most important change the bill would make would be to require a search warrant for both reading emails and GPS tracking of suspects, and police who want such evidence will have to make a showing of “probable cause.” Remarkably, in many situations today, neither of those acts of surveillance require court supervision.

The bill is-for the most part-winning praise from privacy advocates. Jim Dempsey of the Center for Democracy and Technology noted that the bill still allows the government to get records tracking a person’s past location without a warrant. “In some ways, the bill does not provide full protection, and we will work to improve it, but as it stands now it is clearly a big leap forward.”

Kevin Bankston, a privacy lawyer for the Electronic Frontier Foundation, told CNET that he was concerned about the same gap in the bill. But it’s such an improvement over the current situation that he’s happy with it, he said: “We think this is an absolutely necessary and critical update of the law to protect privacy adequately in a cloud-based Internet economy.”

The new bill, in true Washington style, stretches its name to fit into a “clever” acronym; it’s called the “Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property” Act-the PROTECT IP Act. Mike Masnick of Techdirt has acquired a leaked summary of the bill from a Congressional source; and an activist website called “Don’t Censor the Net” has now posted the full text of the bill.

Here are the key points of the bill:

»  The essence of the bill would allow the government to quickly shut down websites that are deemed to be pirate websites, or in the words of the bill, sites “dedicated to infringing activities.” The Justice Department could go to court and get an order without any kind of trial, and without the defendant having any say. That’s an enormous difference from how pirate sites are dealt with now; some websites have certainly been shut down for breaking copyright laws-take a look at Grokster and Limewire, two high-profile examples-but it can take years of litigation (and that has traditionally been paid for by content owners, not by taxpayer-funded government attorneys.)

»  The Justice Department would be empowered to dismantle websites thought to be piracy sites, by 1) seizing domain names; 2) block payment processors and ad networks from working with the site; and 3) require search engines to delete the results from their listings.

While all of those changes represent unprecedented government intervention in the operation of the internet, the idea of government lawyers forcing changes in search results in particular would seem to raise some First Amendment concerns. A page of Google (NSDQ: GOOG) or Bing results is really just an editorial judgment; a “front page” akin to that of newspapers, but created by software rather than human editors.

»  The bill would allow copyright and trademark owners to directly engage the same activity, but only against payment processors or advertisers. Internet companies have been willing to work with the government on some of these changes but they’ve been opposed to a private right of action. Top lawyers from both Verizon and Google, for example, have explicitly told Congress they oppose a private right of action.

»  The third parties affected by this law would not be required to take action “beyond what is technically feasible or reasonable,” according to the bill summary. Service providers would never be required to modify their networks or facilities to help the government shut off these infringing sites.

»  The changes would affect both copyright and trademark owners. Large content companies are primarily concerned here with the websites that illegally stream their content. Such sites continue to pop up prominently in search results, despite the availability of legal alternatives like Netflix (NSDQ: NFLX) and Hulu, and in hearings Congressional representatives have shown real concern about that.

»  Similar actions could also be taken against sites that violate trademark law by selling counterfeit or unauthorized goods, whether it’s handbags, sports jerseys, or pharmaceuticals.

The big concern here is how the government would define these pirate sites that could be quickly shut down. According to the bill’s text, such a site would have to have no substantial use other than enabling the unauthorized “reproduction, distribution, or performance” of “subtantially complete” copyrighted works. The problem is, there’s always plenty of gray area in this area. Last year the government seized a few music blogs that had an array of editorial content, but also had dozens of links to music files not authorized by record companies. They’ve also seized the domain name of rojadirecta.org, a streaming website that broadcasts the content of U.S. companies without permission, but has been deemed legal by courts in its home country of Spain.

Apple Vice President Bud Tribble emphasized that the company went above and beyond in getting user permission before any smartphone apps accessed location data. He also repeated Steve Jobs’ assertion that iPhones don’t actually track their users-(somehow Apple employees believe that collecting a long list of cell tower information and WiFi hotspots doesn’t amount to tracking.)

Google was represented by its head of publicy policy, Alan Davidson. Davidson emphasized that location services on Android are all opt-in, and also repeated the party line about how valuable location services are for the tens of thousands of Americans that routinely use them. “It’s not just about convenience,” said Davidson. “Location-based services can let you know where to fill a prescription at one in the morning for a sick child.”

The hearing began with Franken hammering Steve Jobs’ double-talk on the location privacy issue. On the one hand, Jobs has been asying that the iPhone tracking file doesn’t really track users-but at the same time, the company has noted that the reason for the cache file is to speed up a phone’s ability to tell a user their location. “Mr. Tribble, it doesn’t appear to me that both of those statements can be true at the same time,” said Franken. “Does this data indicate anything about your location or doesn’t it?” Tribble answered that the location data sent to Apple “does not contain any customer information at all,” but simply lets that a user’s phone does “know” which hotspots and cell phone towers are in range.

And as for Apple’s talking point about how the cell phone tower could be 100 miles from a user-that’s only going to be true for a tiny subset of rural users. More typically, in urban areas, the phones can use public WiFi data to locate a user within 100 feet or less; and Ashkan Soltani, an independent privacy consultant who was at the hearing, pointed that out effectively.

But overall, Senators at the hearing seemed to want to harp on a broad range of grievances with Apple and Google-only some of which related to smartphones or privacy at all.

Sen. Richard Blumenthal (D-CT) went ahead and hammered Google over its accidental collection of private WiFi data, a privacy scandal that’s now more than two years old. He actually pulled out a Google patent application and seemed to be saying that it demonstrated Google intended to pull the private “payload” data as part of its plan to build better mapping services. Davidson was put on the spot because, no surprise, he hadn’t seen the patent application before, since Google files hundreds of patents each year. He emphasized that the company wasn’t ever going to use the data it had accidentally collected. “We intend to dispose of it in whatever form regulators tell us to,” he said. Ashkani and another independent privacy researcher both testified that the payload data wouldn’t be useful in map-building.

Update: A Google spokesman contacted me shortly after this post was published, offering this statement: “The technology in that patent has nothing to do with the collection and storage of payload data and is entirely unrelated to the software code used to collect WiFi information with Street View cars.”

Then it was Sen. Chuck Schumer’s (D-NY) chance to go off-he went on a tirade against apps he said were enabling drunk driving. (Apparently these are apps that let smartphone users warn each other about the location of police checkpoints.) Blackberry maker Research In Motion had pulled these apps from their app store, but Schumer wanted to know why Apple and Google had refused to do so. Google representative Davidson said he would relay Schumer’s concerns to Google HQ, but that “apps that share information about sobriety checkpoints are not a violation of our content policy.”

Schumer asked: “Would you allow an app that offered specific directions on how to cook methamphetamine?”

Davidson: “It would be fairly fact specific. Apps that are unlawful or are directly related to unlawful activity, we do take those down.”

Schumer: “You agree this [drunk driving app] is a bad thing? And that it probably causes death?”

Davidson agreed that “it is a bad thing.”

Apple’s Tribble, meanwhile, assured Schumer that he “shares your abhorrence of drunk driving,” but said that some of the apps are publishing the same data that’s actually put out by police departments. “I’ve seen a map, for example, that says 9th and Geary in San Francisco, we’re going to be having a checkpoint. Schumer scoffed at that excuse. “I don’t know of a police department that, in real time, would publish where all the checkpoints would be. It would make no sense.”

Schumer: “You’ve pulled one [app] that has tasteless jokes. This is worse than that, don’t you think?”

Tribble: “If they intend to encourage people to break the law, our policy is to pull them off the store.”

Schumer’s shout-down was probably one of the tougher barrages of questions an Apple executive has ever faced from a lawmaker. It’s too bad it had nothing to do with mobile privacy.

»  After the major data breach on Sony’s PlayStation Network, some members of Congress most concerned with tech policy are asking to hear more from Sony (NYSE: SNE). As Rep. Ed Markey (D-Mass.) told Boradcasting & Cable: “Hackers and data thieves shouldn’t be able to play ‘Grand Theft Info’ with millions of addresses, emails, and other sensitive information, some of which belongs to children.” Markey as well as Rep. Bobby Rush (D-Ill.) are calling for hearings on the matter, although since they’re in the minority, they’ll have to find some Republican colleagues who are also interested in the issue to move forward.

»  Apple (NSDQ: AAPL) has been called to talk about the iPhone tracking file-which the company denies is doing any “tracking,” it just happens to hold a year or so of data about where you’ve been. Jobs said in an interview yesterday the company will be showing up to D.C. Sen. Al Franken, who has been outspoken on the issue of online privacy, has scheduled a hearing for May 10 on the issue of mobile tracking and privacy.

»  Rep. Jay Inslee (D-Wash.) has said he isn’t going to be satisfied with Apple and Google (NSDQ: GOOG) just showing up and deflecting a few questions about mobile privacy issues. Inslee wants the Federal Trade Commission to investigate the matter, CNET has reported.