Sept. 16, 2011 -- Few Americans are aware that there is an active tech agenda pending before this Congress that carries enormous implications for technological innovation, for the privacy and free expression rights of Internet users and, ultimately, for the openness of the Internet.
This slate of issues is largely flying under the radar screen as the president and Congress grapple with a stagnating economy, the national debt and the first skirmishes of a prolonged presidential campaign season.
I retired my crystal ball some years ago; I know better than to predict whether and when Congress might act on any particular measure. But that doesn't mean that we shouldn't take a moment to understand what is at stake and let members of Congress know where we stand -- firmly on the side of the open Internet.
So here are some of the top tech bills to watch:
1) Consumer Privacy
Sens. John Kerry, D-Mass., and John McCain, R-Ariz., Rep. Bobby Rush, D-Ill., and Rep. Cliff Stearns, R-Fla., have introduced versions of comprehensive privacy laws. A narrower bill on location privacy has also been introduced by Sen. Al Franken, D-Minn.
There is good reason for Congressional attention to privacy. The U.S. remains one of only two industrialized democracies -- the other being Turkey -- that have failed to enact a comprehensive privacy law protecting consumer data. Instead, the U.S. has a patchwork of sector-specific privacy laws for sensitive information like health and financial data, while leaving most other personal data without legal protection. It's a bad deal for consumers and for businesses as they seek to maintain their edge over international competitors in the Internet cloud.
It has been 10 years since Congress first considered a privacy bill. The Obama administration recently called for a consumer privacy law. Major tech companies have come on board. It is way past time to act.
2) Government Privacy
The ECPA Amendments Act, sponsored by Sen. Patrick Leahy, D-Vt., is a landmark piece of legislation that would provide much needed updates to the Electronic Communications Privacy Act (ECPA), a 25-year-old law that sets rules for government access to email and other Internet communications.
Advances in technology have far outstripped ECPA's privacy protections, allowing the government to access personal data stored in the cloud under a low legal threshold and a patchwork of confusing standards that have been interpreted inconsistently by the courts.
The ECPA Amendments Act would require the government to obtain a warrant from a judge before reading someone's email or gaining access to private communications and other content stored in the cloud. It would also require a warrant for access to location information, whether the government is tracking people in real time using their mobile phones or accessing location records. A stand-alone bill to strengthen location privacy, the "Geolocation, Privacy and Security Act," has also been introduced in both houses by Sen. Ron Wyden, D-Ore., and Rep. Jason Chaffetz, R-Utah.
A remarkable consensus has emerged among industry and civil liberties groups on the right and the left about the need for ECPA reform, leading to the creation last year of the Digital Due Process Coalition to press Congress to update ECPA. The coalition includes Microsoft, AT&T, Intel, Salesforce, Facebook and Google and groups as diverse as CDT, the ACLU, EFF, Freedom Works and Americans for Tax Reform. If these strange bedfellows can find common ground on ECPA reform, Congress should be able to do it as well.
3) The PROTECT IP Act (PIPA)
PIPA aims to target websites that enable copyright and trademark infringement, a goal worthy of congressional attention.
Encouragingly, PIPA is an improvement over similar legislation introduced last session; among other things, it does not lay the burden of blocking infringing websites on domain name registries and registrars.
But PIPA does require Internet service providers (ISPs) to block domain name lookup requests of sites found to be infringing. This is no small thing. It would cross a line that U.S. law has thus far eschewed: government mandated ISP blocking and filtering.
Experts agree that the law won't be effective and may harm security. A group of noted technologists in the domain name space have warned that if PIPA becomes law it could undermine the security of the domain name system. That ought to be enough to get Congress to move cautiously in this area.
4) Data Retention
In July, the House Judiciary Committee passed a bill titled the "Protecting Children from Internet Pornographers Act."
Despite its name, the bill has little if anything to do with porn and everything to do with the privacy of Internet users. The bill would require those who offer Internet service for a fee -- wireless and wire line ISPs, hotels, coffee shops and others -- to retain the IP addresses of each of their customers (not just those suspected of child pornography) and the data would be available to all government agents for all investigations, not just those related to child pornography.
One congresswoman on the Judiciary Committee proposed changing the name of the bill to the "Keep Every American's Digital Data for Submission to the Federal Government Without a Warrant Act." Elsewhere, it has been called the "Legislation That Could Kill Internet Privacy for Good."
The bill has its share of congressional critics and there was strong bi-partisan opposition to the bill in the committee, including the chairman of the crime subcommittee, Rep. James Sensenbrenner, R-Wis., who argued, "It should be defeated and put in the dustbin of history."
The European Union has had a wildly unpopular data retention law for several years; the law has been successfully challenged on constitutional or human rights grounds in three national courts (in Germany, Romania and the Czech Republic). With that powerful precedent before them and strong opposition among influential House members, maybe the House leadership will think twice before bringing the bill to the floor.
5) Cybersecurity
Cybersecurity has been on the congressional agenda for several years. In the Senate, the leading comprehensive cybersecurity package was introduced in February by Sens. Joe Lieberman, I-Conn., Susan Collins, R-Maine, and Tom Carper, D-Del., and is being reconciled with a cybersecurity bill out of the Commerce Committee.
In the House, Speaker Boehner tapped Rep. Mac Thornberry, R-Texas, to chair a cybersecurity task force consisting of Republican chairmen of key committees and subcommittees, and asked them to report in October.
In May the White House released its long-awaited cybersecurity legislative proposal, so now all of the legislative gears are turning.
There are a number of difficult issues raised by cybersecurity legislation that legislators have to work through. How much power should the government have to direct the cybersecurity responses of private networks as compared to government networks? What companies and assets should be deemed "critical infrastructure" subject to government regulation? Should the government have the power to monitor or order the shutdown of private networks? How can Congress best encourage information sharing between companies and the government without jeopardizing user privacy? The different proposals have drawn somewhat different lines on these difficult questions and more.
Congressional leadership wants to deal with the cybersecurity threat and both chambers have brought together members from key committees to work out differences and come up with common approaches. I am not unpacking my crystal ball, but this is one issue where Congress may find both the will and the way to get a bill to the president's desk.
6) Data Breach
This summer saw a continuing number of high-profile data breaches at major companies including Sony and Epsilon. While most states have data breach laws, current federal law requires notification of consumers in the event of a breach only in limited circumstances, such as when health information is involved. The twofold question before Congress is whether it should enact a federal data breach bill providing one national set of rules for companies that would preempt state laws and whether the federal law will provide consumers with the same high level of protection as the best state laws.
There are currently a slew of data breach bills pending in Congress, including proposals from Sen. Leahy; Rep. Rush; Rep. Mary Bono Mack, R-Calif., and Sens. Mark Pryor, D-Ark., and Jay Rockefeller, D-W.Va. All would create an overarching federal standard for data breach notification, as would a data breach provision in the White House cybersecurity bill.
Tech Agenda Has Big Footprint
Congress is only one important venue for critical technology issues. The U.S. Supreme Court this fall will hear perhaps the most important Fourth Amendment case in decades concerning whether the government can use GPS to track a person 24/7 without a warrant. Also, the FCC's net neutrality rules will take a step closer to being implemented this fall when they are published in the Federal Register, an event sure to trigger legal challenge. And the Federal Trade Commission and the Commerce Department are poised to release the final versions of their respective privacy reports.
Leslie Harris is President and CEO of the Center for Democracy & Technology.