http://www.cdt.org The Center for Democracy and Technology works to promote democratic values and constitutional liberties in the digital age. With expertise in law, technology, and policy, CDT seeks practical solutions to enhance free expression and privacy in global communications technologies. CDT is dedicated to building consensus among all parties interested in the future of the Internet and other new communications media. en http://www.cdt.org/headlines/1228 CDT, the Electronic Frontier Foundation, and Public Knowledge filed a "friend of the court" brief on Wednesday opposing efforts by the music licensing organization ASCAP to impose additional licensing payments on providers of musical ringtones for mobile phones. The brief urges the court to reject ASCAP's argument that ringtones are "public performances" under copyright law simply because a phone may ring when the user happens to be in a public place. ASCAP's position implies that numerous ordinary mobile phone users are copyright infringers and would expand copyright liability in ways that would chill innovation in products far beyond the relatively narrow context of ringtones. http://www.cdt.org/headlines/1227 The Supreme Court today declined to reconsider a 2nd U.S. Circuit Court of Appeals decision holding that Cablevision's "remote storage digital video recorder" would not infringe copyright. CDT and a number of others had argued to the 2nd Circuit that a finding of copyright infringement had the potential to chill innovation in a wide range of emerging products that use the Internet to provide storage and computing functions from remote locations. The Supreme Court's action effectively ends the significant threat posed by a lower court's 2007 ruling of infringement. http://www.cdt.org/headlines/1226 CDT's Health Privacy Project today released a paper advocating the need for stronger standards for "de-identified" personal health information when used for medial research, to promote public health, or other specialized purposes. The paper notes that stronger standards are needed to ensure the "de-identified" data cannot be re-identified in order to maintain patient privacy and build trust in the health care system. CDT's paper makes several policy recommendations on how to strengthen current de-identification standards found in the Health Insurance Portability and Accountability Act Privacy Act and increase the use of anonymized data for many health care purposes. http://www.cdt.org/headlines/1225 At the urging of CDT, the 9th U.S. Circuit Court of Appeals issued an "amended" decision in the Barnes v. Yahoo! case, correcting two serious errors that had been included in the court's initial decision. CDT and others had filed a "friend of the court" brief urging the court to delete language that limited service providers' ability to be protected by "Section 230," a provision which enhances free speech online by protecting service providers from liability for content posted by their users. The court made the exact changes that both Yahoo! (as a party) and CDT, Public Citizen, and others that had signed onto the original brief had urged. http://www.cdt.org/headlines/1224 CDT today released a report to help track the progress of the privacy "action items" contained in the Administration's recently released Cyberspace Policy Review. The Review discusses a wide range of issues that the country needs to address in order to ensure that national security, economic and civil liberties interests are adequately protected. The action items outlined in the CDT report were derived from the Review and President’s subsequent remarks on the document. The action items that develop from these themes are offered to supplement the Review’s broader near and mid-term Action Plan for the incoming Cybersecurity Policy Official. http://www.cdt.org/headlines/1223 CDT supports the introduction of the Providing for Additional Security in States’ Identification (PASS ID) Act of 2009 today. CDT has long promoted the goal of making driver’s license and ID card issuance more secure, as recommended by the 9/11 Commission. The PASS ID Act mitigates or corrects critical privacy and security flaws introduced by REAL ID while still establishing minimum federal standards for the issuance of driver’s licenses and ID cards. CDT supports the reforms proposed by PASS ID as a much-needed improvement over current law. http://www.cdt.org/headlines/1222 CDT filed comments with the Department of Health and Human Services (HHS) regarding the proper role of regional extension centers in supporting privacy and security protections for health data. This year's stimulus legislation called for the creation of nonprofit extension centers to disseminate best practices and offer training and technical assistance to health care providers seeking to adopt health information technology systems. In the comments, CDT urged HHS to explicitly require the extension centers to include privacy and security as components of their training and assistance services. CDT's comments also urged HHS to position extension centers as an interface between health care providers and newly-established HHS regional privacy officers. http://www.cdt.org/headlines/1220 In comments submitted to the FCC on Monday, CDT stressed that a national broadband plan should include a commitment to maintain and indeed strengthen the legal and policy framework that has enabled the Internet to become such a dynamic and innovative medium. CDT also recommended that the plan feature further measures to safeguard the Internet's open character, promote online privacy, harness broadband to achieve greater transparency in government, and more. http://www.cdt.org/headlines/1221 CDT testified today before the National Committee on Vital and Health Statistics (NCVHS) to advocate consistent and comprehensive privacy and security protections for all personal health records (PHRs). CDT recommends that a consistent set of regulations apply to all PHRs, regardless of whether the vendor is covered under HIPAA, and warns that the HIPAA Privacy Rule is not an appropriate safeguard for PHRs because it does not adequately address the unique privacy concerns raised by these records. CDT further recommends that policymakers start with the Markle Common Framework for Networked Personal Health Information, which was endorsed by a broad range of stakeholders, in developing recommendations to safeguard PHRs. http://www.cdt.org/headlines/1219 CDT today laid out its most detailed roadmap yet for the transition to full independence of the body that oversees the Internet's domain name system (DNS). Since its creation in 1998, the Internet Corporation for Assigned Names and Numbers (ICANN) has operated under contract with the U.S. government. CDT has long argued that ICANN should be freed of U.S. control, but only if it is accountable to the global Internet community and protected from interference by other governments. In comments filed today with the Commerce Department, CDT set out five steps that must be taken before ICANN can become fully independent. Central among these is limiting ICANN's mission solely to matters affecting competition, security and stability of the DNS and requiring consensus among affected stakeholders for the adoption of ICANN rules. http://www.cdt.org/headlines/1218 CDT, together with the Markle Foundation and others, filed comments with the Federal Trade Commission (FTC) regarding new requirements on how to notify patients when unsecured personal health record (PHR) data has been breached. In the comments, CDT called on FTC to work with the Department of Health and Human Services to ensure consistency between their respective breach notification rules. CDT also recommended that FTC narrow the discretion of entities to determine whether an unauthorized party has acquired breached data. In addition, the comments urged FTC to incorporate major Internet news outlets as acceptable media vehicles for notifying patients of data breaches. http://www.cdt.org/headlines/1217 CDT welcomed recommendations laid out in the Administration's cybersecurity report released today. The recommendations show attentiveness to the concerns of privacy and civil liberties groups and a commitment by the White House to develop its cybersecurity privacy policies in a collaborative manner. CDT was most encouraged by the recommendation of a cybersecurity official being based in the White House as opposed to having NSA shoulder the primary responsibilities for critical non-military networks. The report gives the government enough flexibility to carry out its recommendations without resorting to the blunt instrument of heavy-handed regulation; however, there are many policy decisions still to come and each deserves a watchful eye. CDT also hopes for a continued commitment to the open and transparent process that guided the creation of the report. http://www.cdt.org/headlines/1216 CDT unveiled an in-depth proposal to update the federal Privacy Act and related federal privacy policy to address the challenges of the digital age. The announcement coincided with the release of the federal Information Security and Privacy Advisory Board’s own report recommending changes to government privacy rules. CDT is also encouraging the public’s participation in helping craft privacy legislation via an interactive "wiki." The “wiki” allows anyone to read any part of the bill, change the language, provide feedback or simply open a discussion on any provision of the bill. CDT will edit and moderate this open process and, if appropriate, incorporate suggestions in the final bill it submits to Congress. http://www.cdt.org/headlines/1212 CDT has joined Public Citizen and other groups on a "friend of the court" brief urging a U.S. Appeals Court to correct a point in a recent decision regarding "Section 230," a provision which enhances free speech online by protecting service providers from liability for content posted by their users. Section 230 is vital because without it, private sites such as Yahoo! or Youtube could not risk allowing Internet users to freely post content. In its recent decision in Barnes v. Yahoo!, the court incorrectly limited the ability of service providers to assert the protection of Section 230. The brief supports Yahoo's request to remove the incorrect section of the decision. http://www.cdt.org/headlines/1215 CDT, together with the Markle Foundation, the Center for American Progress and others, filed comments with the Department of Health and Human Services (HHS) in response to new requirements on how health care organizations notify patients about breaches of "unsecured" health data. The HHS guidance listed techniques that could "secure" data and remove the breach notification requirement. In the comments, CDT supported strong cryptographic solutions and destruction standards, but argued against HHS including the "limited data set," where certain identifiers are stripped from patient health data, because the risk of re-identification is too great. CDT also urged HHS to ensure consistent privacy protections for personal health records (PHR) regardless of whether or not the entity offering the PHR is covered by HIPAA.