US bolsters AI ambitions with Open Government Data Act

President Trump has signed the Open Government Data Act into law, potentially unleashing a tsunami of data for AI applications to be trained with.

The bill itself has been bouncing around Washington for some time, and it has now officially been signed into law. Within one year, all government agencies will have to ensure data sets are open and accessible to the general public and businesses, and are presented in a format that can be easily processed by a computer without human intervention. The act also hopes to make the data more accessible through smartphones.

“The government-wide law will transform the way the government collects, publishes, and uses non-sensitive public information,” said Sarah Joy Hays, Acting Executive Director of the Data Coalition, a public interest group which promotes transparency in government and business.

“Title II, the Open Government Data Act, which our organization has been working on for over three and a half years, sets a presumption that all government information should be open data by default: machine-readable and freely-reusable.”

For the digital ecosystem, such a bill should be welcomed with open arms. For any AI application to work effectively it needs to be trained. For years, many have claimed data is the new oil, although we suspect they did not mean in this manner. If the US is to create a leadership position in the developing AI ecosystem, its applications will need to be the best around and therefore will have to have the appropriate data sets to improve performance and accuracy.

Open data is, of course, not a new idea. Back in September during Broadband World Forum in Berlin, we sat through several entertaining presentations from individual cities laying out their smart city ambitions. There was one common theme throughout the session: open data. These local governments realise the potential of empowering local digital ecosystems through open data, and the initiatives are proving to be successful.

This new law will force all federal agencies to make all non-sensitive data public in a machine-readable format and catalogue it online. New individuals must be appointed as Chief Data Officers to oversee the process, and new procedures will be introduced. While it seems incredibly obvious, when proposing new laws or regulations agencies will now have to justify the changes with supporting data. As it stands, only a handful of agencies, the FCC among them, are required to do this, though this law ensures the validation and justification of new rules through data is rolled out across the board.

As with everything to do with data, there are of course privacy concerns. The text of the bill does seem to take this into account: one clause states any data released to the public will have to adhere to the Privacy Act of 1974, though there are bound to be a few blunders. This should underline the importance of hiring a Chief Data Officer and a team of individuals who are appropriately trained. We suspect there will be few current employees in the agencies who could ensure compliance here.

Of course, this is not a law which will make an immediate impact. With any fundamental changes, such as this, procedures and systems will have to be updated. The procurement process is most likely, or at least we hope, underway and there will certainly be growing pains.

That said, if the US wants to make a meaningful dent on the AI world, the right tools and data need to be put in the hands of the right people. This is a step in the right direction.

Judge says no to police forcing phone unlocks with face

A judge in the District Court for the Northern District of California has denied the police a warrant which would force suspects to open their phones through biometric authentication.

While it might seem like a somewhat unusual scenario (we’re sure many of you are imagining a man pinned to the ground with a phone being waved in his face), it is important to set precedent in these matters. Just as law enforcement agencies cannot be granted a warrant forcing an individual to hand over his/her password, suspects or criminals cannot be forced to open devices through the biometric sensors, according to the ruling.

The case itself focuses on two individuals, who are suspected of attempting to extort money from a third person through Facebook Messenger. The pair are threatening to release an embarrassing video of the third person should the funds not be transferred.

Northern California Federal District Judge Kandis Westmore ruled that the authorities did not have probable cause for the warrant, perhaps because said messages and threats could be read through the third person’s account, and that the request was too broad. This is another example of authorities overreaching and not being specific, leaving too much room for potential abuse.

While this case might sound odd, the world should be prepared for more such rulings in the future.

“The challenge facing the courts is that technology is far outpacing the law,” the ruling from Judge Westmore states. “In recognition of this reality, the United States Supreme Court recently instructed courts to adopt rules that ‘take account of more sophisticated systems that are already in use or in development’.

“Courts have an obligation to safeguard constitutional rights and cannot permit those rights to be diminished due to the advancement of technology.”

In short, the rules and regulations of the land are not in keeping with today’s technology and society, but this does not mean law enforcement authorities can take advantage of the grey areas. This is perhaps an obvious statement to make, but it does hammer home the need for reform to ensure rules and regulations are contextually relevant.

While progress has been slow, there have been a few breakthroughs for privacy advocates in recent months. Last June, the US Supreme Court ruled in the Carpenter versus US case that the collection of mobile location data on individuals without a warrant was a violation of data privacy and the Fourth Amendment of the US Constitution.

The issue which many courts are facing is precedent. Lawyers are arguing for certain cases and warrants using precedent which is from another era. Theoretically, these rules can be applied, but when you consider the drastic and fundamental changes which have occurred in the communications world, you have to wonder whether anything from previous decades is relevant anymore.

As Judge Westmore points out, technology is far outpacing the rate of change in public sector institutions. This presents a massive risk of abuse, but slowing innovation is not a reasonable option. A tricky catch-22.

US starts whispering to Germany about China ban

The anti-China road-trip has finally made it to Europe as representatives of the US government have met with German counterparts to argue the case to ban Chinese vendors from the 5G deployment.

The Trump administration has quickly been working away around the world to spread anti-China propaganda, and it has been successful. Australia was the first domino to fall, but New Zealand has seemingly followed, as has Japan. South Korea will evade China’s grasp for other reasons, and it looks like Taiwan’s public sector is off limits as well. Now the parade has entered Europe and Germany.

According to Bloomberg, a US delegation has been meeting with officials from the Foreign Ministry to discuss a ban. These talks will of course be very hushed, but whether any concrete evidence is going to be presented remains to be seen. Earlier this week, Germany stepped forward and said it would need to see evidence before any actions would be taken against China.

“For such serious decisions like a ban, you need proof,” said Arne Schoenbohm, President of Germany’s Federal Office for Information Security (BSI).

This is the big question. Has the Trump administration masterminded a campaign of hate in the interest of national security, or does it believe crippling the prospects of Huawei and ZTE will protect the US position of dominance as the 5G dawn breaks? We are slightly pessimistic about the intentions of the Oval Office and believe the national security element is a thinly veiled disguise to push China’s tech leadership challenge off-course.

What is worth noting is that this meeting has taken place almost immediately after Deutsche Telekom’s decision to re-examine its use of Huawei equipment in its network. DT has gone big on Huawei in previous years, therefore any ban against Chinese companies could have potentially impacted the speed of 5G rollout across Germany, perhaps explaining why the government is slightly resistant to joining the anti-China gang. That said, with DT potentially shunning Huawei in pursuit of White House favour (the Sprint/T-Mobile merger is reaching a critical point), the pressure might be lifted from the government.

This is also a government which might be swayed to the anti-China gang under the right conditions. The government has been discussing new legislation which would impact the role of Chinese service providers in the country, while reports of someone tapping Chancellor Angela Merkel in by-gone years are still fresh. Espionage is a sensitive subject.

While we will not defend the Chinese government, and we strongly suspect there are some nefarious activities going on behind the Great Firewall to extend the government’s eyes internationally, no proof has been tabled. The countries which are condemning China are acting without proof and assuming guilt without trial, betraying one of the base foundations of a democratic society; innocent until proven guilty.

In fact, ‘innocent until proven guilty’ is an international human right under the UN’s Universal Declaration of Human Rights, Article 11. Admittedly this is directed towards criminal law; however, the same principles apply. If there is evidence, this needs to be presented to the world. If there is no evidence, some needs to be found. We suspect the US government does not have the evidence yet, but it is out there somewhere.

Banning countries and presuming guilt on suspicions and paranoia is a dangerous path to walk, and you have to question whether we are any better than the freedom-crushing Chinese government. Supposedly democratic nations are betraying their own values in pursuit of punishing the ‘enemy’; two wrongs do not make a right.

Huawei: an awkward state-of-affairs – Infographic

With Huawei continuing to be the world’s bogey man, we thought it might be useful to figure out how high the rising water has gotten.

As you can see below, it’s not the healthiest situation in the industry, though there are certainly some markets where the vendor can make headway. If you feel we’ve missed anything out, let us know in the comments section below.

[Infographic: Huawei State of Affairs]

Aussies determined to undermine security with anti-encryption law

Ten of the world’s largest tech brands have banded together to denounce a recent law passed by the Australian government which could be viewed as the first step towards a Big Brother government.

With the world turning against China and Chinese companies due to the threat of espionage, you have to question whether the Australians have a leg to stand on anymore, as personal privacy takes a heavy blow with this legislation.

The signs have certainly been worrying over the last 18 months. Australia might well be one of the first to pass such controversial legislation, but it is certainly not alone. France, Germany, the UK and the US have all made it clear they have ambitions to make our world less secure and less private with their own attempts. The privacy dam was set to burst, and the Aussies caved. Privacy has taken a backwards step down-under.

The statement below, signed by Apple, Evernote, Dropbox, Facebook, Google, LinkedIn, Microsoft, Oath, Snap and Twitter, signals the opposition from the technology industry.

“One of the core principles of the Reform Government Surveillance coalition (RGS) is that strong encryption of devices and services protects the privacy and data security of our users, while also promoting free expression and the free flow of information around the world,” a joint statement declares.

“RGS has consistently opposed any government action that would undermine the cybersecurity, human rights, or the right to privacy of our users – unfortunately, the Assistance and Access Bill that was just passed through the Australian Parliament will do just that. The new Australian law is deeply flawed, overly broad, and lacking in adequate independent oversight over the new authorities. RGS urges the Australian Parliament to promptly address these flaws when it reconvenes.”

The law itself will allow the Australian police to issue technical notices, compelling technology companies to assist the government to hack, implant malware, undermine encryption and even insert backdoors into security software. Those who resist would face financial penalties. The justified concerns with the legislation are two-fold.

Firstly, the idea of a backdoor or writing algorithms which allow encryption software to be undermined completely defeats the purpose. The presence of such features should be seen as nothing more than a weakness in the software, a weak link in the chain. Whenever there is a vulnerability, nefarious individuals always expose it. It is just a matter of time before cyber criminals identify these vulnerabilities and it doesn’t matter how well they are hidden. It might happen after months of searching, or it might happen by accident.

Secondly, the law is flawed in that it is full of loop-holes and contradictions which leave it open to abuse and mission creep.

The initial remit of the technical notices will be for serious crimes, such as sex offences, terrorism, homicide and drug offences, though critics have pointed towards weak and vague language which opens the door for mission creep. And when there is an opportunity to push the boundaries of what is acceptable, there are people who will do this.

Another example of the problematic rules is the difference between Technical Capability Notices (TCNs) and Technical Assistance Notices (TANs). Both are used to compel technology companies into assistance for pretty much the same exercises and violations of privacy, though TCNs require approval by the Attorney-General, a consultation period and can only be used by the agency which submitted the request. TANs do not but can wield almost exactly the same amount of power.

“As Government and Labor MPs work today to craft amendments to the Assistance and Access Bill, it appears that one of the biggest flaws in the proposed legislation will not be addressed,” said Communications Alliance CEO John Stanton, on the differences between TCNs and TANs.

These are only a couple of examples of the criticism which the bill has faced over the last couple of weeks, though even after public consultation (which attracted 15,000 comments) few amendments were made to the original draft before being passed into law.

“The Australian government has ignored the expertise of researchers, developers, major tech companies, and civil liberties organizations by charging forward with a disastrous proposal to undermine trust and security for technology users around the world,” the Electronic Frontier Foundation said in a statement.

“The issue isn’t whether the Australian government read the 15,000 comments and ignored them or refused to read them altogether. The issue is that the Australian government couldn’t have read the 15,000 comments in such a short time period. Indeed, the bill’s few revisions reflect this—no security recommendations are included.”

In the pursuit of making life easier for the Australian police force, the government has betrayed the consumer and made the digital landscape a haven for hackers. We are unable to think of any examples of genuine encryption software being hacked or compromised to date, but the Australian government has just made life a lot easier for nefarious actors by voluntarily introducing vulnerabilities.

And this is without addressing the opportunity for abuse and violation of individuals’ human right to privacy.

There have been countless examples from around the world of individuals, either in private organizations or government agencies, being unable to respect privacy rights when given the opportunity. Uber employees used the location tracking features of the app to stalk exes and celebrities, while Edward Snowden exposed how the CIA illegally undermined the privacy of thousands of its own citizens.

The Australian government has not done anywhere near enough to ensure the rights of citizens will be maintained, or that actions will be entirely justified. This is a very worrying sign for the world, especially with the likes of the US and UK watching very carefully.

Australia is part of the Five Eyes intelligence fraternity, which traces its origins back to the 50s. The members of this intelligence alliance, comprising Australia, Canada, New Zealand, the UK and the US, generally work hand-in-hand when it comes to intelligence and security, and tend to implement very similar legislation. With Australia setting the pace of making the world a less safe place, it would not be a surprise to see other nations follow suit.

International politics is generally like a dominoes set. All ‘Western’ governments have similar laws, and when one breaks rank usually it back-tracks or the rest get in line. In this case with governments around the world all showing Big Brother ambitions, we suspect it might not be too long before more of these bills are being discussed elsewhere.

UK government eyes up Silicon Valley for tax raid

Chancellor of the Exchequer Philip Hammond has confirmed a ‘digital tax’ in the autumn budget aimed at holding the internet players accountable to reasonable tax rates.

In recent years, the internet giants of the US have become known as much for creatively sidestepping the tax man as they have for innovative products and services, but the playing field is shifting. The European Commission is currently attempting to align the interests of all member states to impose its own tax regime, though Hammond isn’t waiting for the boresome Brussels bureaucrats.

“The UK has been leading attempts to deliver international corporate tax reform for the digital age,” said Hammond in the House of Commons while unveiling the budget. “A new global agreement is the best long-term solution. But progress is painfully slow. We cannot simply talk forever.

“So we will now introduce a UK Digital Services Tax. This will be a narrowly-targeted tax on the UK-generated revenues of specific digital platform business models. It will be carefully designed to ensure it is established tech giants – rather than our tech start-ups – that shoulder the burden of this new tax.”

This is the tricky aspect of the new tax: how do you hold the internet giants accountable without placing too much of a burden on the start-ups? These are companies which need assistance to thrive, and an important segment for the UK. Start-ups, most importantly technology start-ups, have been targeted by the UK government to stimulate the economy in a post-Brexit world, but with the threat of digital tax, will these companies want to choose the UK?

The tax will be targeted at revenues generated through search engines, social media platforms and online marketplaces. Long story short, 2% of total revenues generated in the UK will be claimed by the tax man, generating £400 million a year, in theory. The new tax regime will come into place in April 2020, though should the European Commission come up with its own approach, the whole scheme might be scrapped.

For years the internet giants have been shifting profits around and claiming suspect charges to reduce exposure to the tax man. According to a Tax Watch UK study looking at Apple, Google, Facebook, Cisco Systems and Microsoft, the tax liability in 2017 was estimated at £1.26 billion, though only £191 million was paid.

Politically the digital tax is a win for the Conservative government, though at a time where the UK needs to make as many friends as possible while going through an expensive divorce, it is an interesting approach. With a no-deal Brexit looking increasingly likely, the UK needs to attract new investment into the economy and build relationships with trade partners. Taking a combative approach to tax is hardly going to get the internet giants on side, and might well irritate the US government.

Tackling the creative accountants in Silicon Valley has been a government discussion for years, though whether the aggressive approach from the UK will stimulate any progress through the rest of the world remains to be seen.

Democrats eye up Bill of Rights for the Internet

With Silicon Valley seemingly not doing enough to empower the consumer in the digital era, Congressman Ro Khanna is working on new proposals to more tightly regulate the technology industry.

Congressman Khanna, the Democratic representative of California, is suggesting a new Bill of Rights for the Internet, which would provide more rights for the consumer in controlling how personal information is collected, transferred and utilised. The aim here is simple: pull the balance of power over to the side of the consumer.

While this does sound like a logical idea (the technology industry has largely slipped through the legislative grey areas for years), before such proposals could even be considered the Democrats would have to win the November mid-term elections.

The idea for the Bill would focus on the following principles. Individuals should have the right:

  1. To have access to and knowledge of all collection and uses of personal data by companies;
  2. To opt-in consent to the collection of personal data by any party and to the sharing of personal data with a third party;
  3. Where context appropriate and with a fair process, to obtain, correct or delete personal data controlled by any company and to have those requests honoured by third parties;
  4. To have personal data secured and to be notified in a timely manner when a security breach or unauthorized access of personal data is discovered;
  5. To move all personal data from one network to the next;
  6. To access and use the internet without internet service providers blocking, throttling, engaging in paid prioritization or otherwise unfairly favouring content, applications, services or devices;
  7. To internet service without the collection of data that is unnecessary for providing the requested service absent opt-in consent;
  8. To have access to multiple viable, affordable internet platforms, services and providers with clear and transparent pricing;
  9. Not to be unfairly discriminated against or exploited based on your personal data; and
  10. To have an entity that collects your personal data have reasonable business practices and accountability to protect your privacy.

Of course, many of these principles are ideas which should have been implemented before the internet ball got rolling. Now it is travelling at such a speed it might be difficult. Another factor to consider is the power of the internet giants. These are massive organizations, with heavy-hitting financial punches and an influential lobby. They won’t like the idea of such principles being written into law, so expect some notable resistance.

But first, to even consider such proposals, the Democrats would have to win the mid-term elections. All 435 seats in the House of Representatives are up for election, though 147 and 182 seats are considered safe for the Republicans and Democrats respectively. A further 51 will probably be won by the Republicans and 10 by the Democrats. The interesting battles are the ones which could go either way; 42 of these are currently held by the Republicans and 3 by the Democrats. A majority here has been set as a target, though to pass any new legislation, the Democrats would also have to win the Senate over.

In the Senate, 35 out of the 100 seats are being contested. Three of the contested seats are considered safe for the Republicans and 14 for the Democrats. 2 will probably be held by the Republicans and 8 probably held by the Democrats. 8 seats, four of which are held by each party, could go either way. Here it still looks like the Republicans will maintain control, dampening the potential for any new technology regulations.

The internet giants should have more regulations dictating the field of play, though with the current political landscape it does look like that will be difficult. Even if the Democrats win in the House, a scenario which some believe to be realistic, a Republican Senate will mean gridlock for future legislation.

State versus federal battle looms as California signs net neutrality into law

California Governor Jerry Brown has been busy; 31 state bills vetoed and 34 signed into law, including the controversial net neutrality rulings, kicking off another state versus federal battle.

Senate Bill 822, claimed to be the strongest net neutrality law in the country, has officially been signed into law in the State of California, but it only took the US Department of Justice a few minutes to throw a wobbly. Before the army of busybodies and privacy advocates could even get their own press releases out, the Justice Department filed a lawsuit alleging that Senate Bill 822 unlawfully imposes burdens on the Federal Government’s deregulatory approach to the Internet.

“Under the Constitution, states do not regulate interstate commerce – the federal government does,” said Attorney General Jeff Sessions in the filing. “Once again the California legislature has enacted an extreme and illegal state law attempting to frustrate federal policy. The Justice Department should not have to spend valuable time and resources to file this suit today, but we have a duty to defend the prerogatives of the federal government and protect our Constitutional order. We will do so with vigour. We are confident that we will prevail in this case – because the facts are on our side.”

Democrat FCC Commissioner Jessica Rosenworcel is clearly excited despite the legal complications:

After the net neutrality rules were passed back in February 2015, the appointment of FCC Chairman Ajit Pai saw a Republican-led assault on them, with the telcos playing a supporting role in the wings. It didn’t take long for Pai to dismantle net neutrality; the vote to repeal the rules was won on 14 December 2017, though the backlash was almost immediate. Washington State was the first to pass local net neutrality rules, though with 23 Attorney Generals throwing their weight behind the cause it was only going to be a matter of time before others got involved. California is a different beast, however: a worthy opponent of the US government.

With a population of roughly 39 million and a gross state product (GSP) of roughly $2.6 trillion, it is the largest in the US in terms of population and economic output. Globally, the economy is only smaller than the GDP of the US, UK, China, Germany and Japan. It is also home to Silicon Valley and the lobby power of the likes of Facebook, Google and Twitter.

While we do have sympathy with California and the internet giants, we do not feel net neutrality is the right way to go. Pai’s approach, reinstating the wild-west internet with the telcos as the tyrants of terror, is equally wrong. Both approaches are too extreme; the right answer lies in the middle, with the telcos afforded the opportunity to make money but still held accountable, ensuring the consumer and businesses are not held to ransom. Taking the sensible middle ground is the logical approach, but set against the backdrop of such a combative political environment, it will be some time before fairness sets in.

But why is this such an important battle?

In its lawsuit, the Department of Justice is completely correct in stating California has overstepped its jurisdiction. No state should have the right to impose its own rules on another, and the internet by definition is an interstate (international would be more accurate) playground. For these rules to be accepted on a legal basis in the US, California would have to ensure it was only applying the rules to traffic which originated, remained and terminated in California. Not only would this be pretty much impossible, but it would likely only account for a very small percentage of the total.

The sticking point is the clauses in the Communications Act, the piece of legislation which acts as the foundation of all communications-orientated rules and precedents in the US. One clause dictates a state is entitled to draft its own rules, assuming they do not contradict those of the federal government. This is the very scenario which California has crafted. If SB 822 is allowed to stand it undermines the whole Communications Act; who is to say other states, businesses or advocacy groups could not use this example as a means to ignore other clauses, aspects of the Communications Act or precedent which has been set? In legalising the contradiction, the risk is to undermine the very basis of the communications industry across the country.

With California retaliating against the FCC’s decision to reverse net neutrality, the consequences are much more significant than they appear on the surface. This is now much more than a battle of technology regulations.

Google attempts damage control on privacy regulations

Google has unveiled its ideas on the regulatory framework of tomorrow in what looks like an attempt to influence legislation and restrict the long-arm of government intervention.

On the whole, the internet players of Silicon Valley have largely been left to do what they want. This is not to say there are no regulations or consumer protections, but the breadth and depth of regulatory red-tape is nowhere near the same scale as in the telco industry. In airing its ideas on what the regulatory environment of the data economy should look like, Google is seemingly trying to maintain this status quo.

“Today, we’re sharing our view on the requirements, scope, and enforcement expectations that should be reflected in all responsible data protection laws,” said Keith Enright, Chief Privacy Officer at Google. “This framework is based on established privacy frameworks, as well as our experience providing services that rely on personal data and our work to comply with evolving data protection laws around the world.”

The three-page document, which you can see here, is largely what you would expect from one of the internet players. Commitments to collect data responsibly, transparency for the user, limitations on collection and usage, offering control to the user, accountability of third-parties and interoperability are all aspects, but this is not what the helpful commentary is about. This is not about protecting the user; it is about Silicon Valley maintaining control of its own destiny.

With the US Department of Commerce’s National Telecommunications and Information Administration evaluating new legislation, the Senate about to start grilling tech executives and the White House preparing meetings with industry, the future is clear. The US Government intends to take a firmer grasp of activities in Silicon Valley, offering a more stringent rulebook and more protections to the consumer. This is not good news for the internet players.

To date, the internet players have made fortunes in the grey areas. There are more freedoms to use personal information and create advertising solutions as these are organizations which have slipped between the regulatory cracks. They have resisted the same rules as telcos, much to the frustration of the traditional communications industry, though this is not necessarily a bad thing. These are different types of businesses; applying the same rules as telcos is a square-peg-round-hole situation. These are businesses which are creating new services and innovating with data in ways some could not imagine, and need the flexibility to do so. That said, they should still be held accountable to regulation.

In releasing its ideas, Google is seemingly practising its own version of damage control. If new rules are on the horizon, they’ll need to be influenced. A number of these practices are already in place at Google, meaning the business can continue to generate billions without a huge disruption to operations. That cannot be said of its neighbours in Silicon Valley, but this is of little concern to the Do-No-Evilers.

Another interesting aspect to this announcement is perception. The industry has been hit hard by privacy scandals over the last few months. The Facebook/Cambridge Analytica saga is the biggest example, though Google has been collecting location data on users who have opted out; it is far from innocent. In making these suggestions public, Google is putting a friendly face back onto the brand; that it is helping with the data privacy issue, not compounding it, will be the PR message here.

While this perception of helpfulness will help with its consumer reputation, it will also help during its grilling by the Senate. Enright is one of several executives who have been summoned to testify in front of several politicians to discuss how social media companies work and how data privacy is secured. In demonstrating proactive enthusiasm prior to the grilling, it might gain some much-needed favour after Google left its chair empty during the Senate Intelligence Committee testimony.

The wild-west internet is slowly being swallowed up by the steady progress of regulation. The rules will never get in front of technological advancements, but to protect its billions, Google and its Silicon Valley neighbours will have to put on big smiles to influence rule makers.

US contemplates its own version of GDPR

The U.S. National Telecommunications and Information Administration has started a 30-day public hearing process to gather comments on its policy options towards consumer privacy protection.

Since Europe’s General Data Protection Regulation (GDPR) came into force in late May, “a global tidal wave of new and updated privacy regulations”, as it was called at the recent Digital Futures conference, has followed hot on its heels. Regulations and laws passed in jurisdictions from India to California, with other markets in between, have largely been modelled after the European legislation.

In the latest move, on Tuesday September 25, the US federal government, through the National Telecommunications and Information Administration (NTIA), kick-started a month-long process to hear from the public on the approach towards privacy protection.

“The United States has a long history of protecting individual privacy, but our challenges are growing as technology becomes more complex, interconnected, and integrated into our daily lives,” said David Redl, NTIA Administrator and Assistant Secretary of Commerce for Communications and Information. “The Trump Administration is beginning this conversation to solicit ideas on a path for adapting privacy to today’s data-driven world.”

The feedback requested is two-fold. The first part is on the outcome of any future privacy legislation. This includes:

  • Organizations should be transparent about how they collect, use, share, and store users’ personal information.
  • Users should be able to exercise control over the personal information they provide to organizations.
  • The collection, use, storage and sharing of personal data should be reasonably minimized in a manner proportional to the scope of privacy risks.
  • Organizations should employ security safeguards to protect the data that they collect, store, use, or share.
  • Users should be able to reasonably access and correct personal data they have provided.
  • Organizations should take steps to manage the risk of disclosure or harmful uses of personal data.
  • Organizations should be accountable for the use of personal data that has been collected, maintained or used by its systems.

All of these are rather similar to what GDPR and the upcoming e-Privacy regulation are designed to achieve.

Meanwhile the NTIA is also requesting comments on the overall “High-Level Goals for Federal Action”, the key points including:

  • “Harmonize the regulatory landscape” between existing and future legislation;
  • “Legal clarity while maintaining the flexibility to innovate” to enable new business models and technologies while privacy is protected;
  • “Comprehensive application” to “all private sector organizations that collect, store, use, or share personal data in activities that are not covered by sectoral laws”;
  • “Incentivize privacy research” in technologies and services that improve privacy protections;
  • The FTC should be the enforcement agency.

However, a few other points stand out and deserve a closer look. One probably deserves a full quote:

Employ a risk and outcome-based approach.  Instead of creating a compliance model that creates cumbersome red tape—without necessarily achieving measurable privacy protections—the approach to privacy regulations should be based on risk modeling and focused on creating user-centric outcomes.  Risk-based approaches allow organizations the flexibility to balance business needs, consumer expectations, legal obligations, and potential privacy harms, among other inputs, when making decisions about how to adopt various privacy practices.  Outcome-based approaches also enable innovation in the methods used to achieve privacy goals.  Risk and outcome-based approaches have been successfully used in cybersecurity, and can be enforced in a way that balances the needs of organizations to be agile in developing new products, services, and business models with the need to provide privacy protections to their customers, while also ensuring clarity in legal compliance.

NTIA’s focus is clearly to avoid heavy-handed measures that regulate what can be done, and instead to give businesses the flexibility to make their own judgement on what measures to take. This is in the same spirit as the first part of the consultation, which “focuses on the desired outcomes of organizational practices, rather than dictating what those practices should be.”

Another point that draws our attention is related to “Scalability”, which stresses that small companies operating in good faith, and third parties processing data on behalf of other organisations, should be treated differently from big companies that own and control personal data.

The two points above combined make a balanced message for the internet giants, which are not necessarily the biggest fans of privacy regulations. While they are afforded more flexibility, they are also going to be treated more strictly if they contravene the rules. However, as we wrote earlier, because of their size, the Googles and Facebooks of the world are much quicker in ticking the compliance boxes.

One more point that is worth highlighting, probably more for entertainment purposes than anything else, relates to “Interoperability” with other major global legislation. Here, for whatever reason, it pointedly does not refer to GDPR but uses the example of the “APEC Cross-Border Privacy Rules System.”

In general, the NTIA’s approach is balanced and measured, which is largely in line with our attitude towards privacy protection. On one hand, we deplore the blatant abuse of privacy by companies like Facebook and Cambridge Analytica. On the other hand, we also sympathise with the small and medium-sized businesses operating in Europe, most of which had to scramble together some policies at the eleventh hour, but may still fall foul of consumers. France’s private data protection agency CNIL (Commission nationale de l’informatique et des libertés) registered a 64% increase in consumer complaints in the four months after GDPR came into force, compared with the same four months last year.

As Mary Meeker highlighted, draconian laws could limit the exploratory nature of tech innovators. That many countries model their privacy legislation after GDPR confirmed that Europe’s policymakers are “world-class in setting standards”, as a recent article in The Economist put it. But in the same article the newspaper also highlighted the gap between Europe and the AI leaders, China and the US, neither of which is a role model in guarding individual privacy, though for entirely different purposes.

In a recent Telecoms.com online poll, a third of the respondents agreed with the statement that there should be “flexible rules to allow users to trade privacy for benefits”. An optimal regulatory environment should give this minority group the freedom to do so while providing the other two-thirds of consumers with strict privacy protection.