Tech Policy Summit blog

A U.S. District Court judge in Boston decided yesterday not to lift a temporary restraining order imposed against three Massachusetts Institute of Technology (MIT) undergrads who reportedly uncovered security flaws in the Massachusetts Bay Transportation Authority's e-ticketing system. He also ordered them to provide more documentation about their research into how the Boston subway system can be hacked.

The 10-day gag order was issued last Saturday after the transit agency filed a lawsuit against the MIT students in an effort to prevent them from discussing their findings at the annual DEFCON conference in Las Vegas. The students are being represented in the case by the Electronic Frontier Foundation (EFF), which argues that the order violates their First Amendment rights.

According to Computerworld, yesterday's "ruling reopened the schism in the IT security community over the issue of how vulnerabilities should be publicly disclosed." Read more here.

California's Senate voted yesterday in favor of a bill that would allow schools to suspend or expel students who engage in cyberbullying. The State Assembly must now reconcile the Sentate's version with its own before deciding to send the legislation to Governor Arnold Schwarzenegger for signature. If enacted, California will join other states like Iowa, New Jersey, Oregon, Minnesota and Missouri that have passed laws to try and prevent cyberbullying and harrassment.

In late June, Missiouri's Governor Matt Blunt signed a new law that makes electronic harassment by an adult over the age of 21 a felony punishable with up to four years in prison (those under the age of 21 face misdemeanor charges if convicted).

According to a report in the St. Louis Post-Dispatch, the Missiouri law was 'inspired by' the death of 13-year-old Megan Meier, who committed suicide after allegedly being harassed on MySpace.com. The case received national media attention when federal authorities accused Megan's 49-year-old neighbor Lori Drew of being the one behind the electronic bullying.

The case also led to the introduction of a federal bill known as the Megan Meier Cyberbullying Prevention Act, or HR 6123, that was sponsored by Rep. Linda Sanchez (D-CA) and Rep. Kenny Hulshof (R-MO) in May. Like the Missouri law, the federal bill would make it a crime to engage in electronic harassment with penalties including fines and/or up to two years in prison.

For more info on other states' cyber bullying laws, check out this February 2008 USA Today report.

The 3rd U.S. Circuit Court of Appeals upheld a lower court's ruling today, affirming that the Child Online Protection Act (COPA) is unconstitutional.

It's the latest development in the legal saga surrounding COPA, the 1998 law that would make it a crime to publish online content that is deemed harmful to minors unless it's protected behind an age-verification or credit card screen. According to the Associated Press, the appeals court found COPA to be "overly broad and vague" and agreed with opponents who claimed it violates First Amendment protections.

The Center for Democracy and Technology (CDT), which had filed a briefing in the case opposing COPA, released a statement praising the ruling. Meanwhile, the AP reports that the Department of Justice will review the ruling before deciding what to do next, which may include taking COPA back to the Supreme Court.

Internet service providers (ISPs) Sprint, Verizon and Time Warner Cable are the latest Net companies to respond to pressure from state lawmakers involved in combating child porn. Following a lengthy investigation by his office, New York attorney general Andrew Cuomo announced today that he's reached "landmark agreements" with the three companies to "shut down major sources of online child pornography."

As part of the agreements, the companies will for the first time ban customers' access to all child porn newsgroups. In addition, they will delete known child porn sites from their servers using data provided by the National Center for Missing & Exploited Children (NCMEC), and they'll increase the speed with which they react to customer complaints about offensive material.

New York's attorney general's office and NCMEC will also receive a total of $1.125 million in funding from the three ISPs. NCMEC chief exec Ernie Allen applauded attorney general Cuomo and credited his office with developing a "new and effective system that cuts online child porn off at the source, and stops it from spreading across the Internet."

As for the Attorney General's investigation, it remains "ongoing." Which means other companies may be making similar moves in the future.

TechCrunch broke the news this morning that Facebook is adopting a set of "Key Principles Of Social Networking Safety" as part of an agreement with attorneys general from 49 states and the District of Columbia that will require the social networking site to take steps to better protect kids (Texas is the only state not signed on). You may remember that MySpace made a similar announcement last January.

The policy was announced by Connecticut attorney general Richard Blumenthal as part of the ongoing efforts of a coalition called the Multi-State Attorney General Executive Committee. Mr. Blumenthal gave the following statement in a press release:

"We are raising the safety bar, first for MySpace and now Facebook, and soon for other sites as we fight for an industry gold standard. Facebook and MySpace are showing how to aim higher and keep kids safer. Our ultimate goal is age and identity verification technology -- safeguards against child molesters and inappropriate material. Checking ages and identities is vital to better shielding underage users from predators and pornography."

It's that last point about using age verification technology that concerned Internet safety expert Adam Thierer when the MySpace agreement was made earlier this year. As he wrote in this January post on the Progress and Freedom Foundation blog, "even assuming we could find a way to make it [age verficiation] work, there are many other considerations that must be taken into account, such as the burden it might impose on freedom of speech or individual privacy."

More details on Facebook's agreement are available at TechCrunch.

According to The Washington Post, Virginia is taking the lead in promoting Internet safety education by incorporating online safety lessons in its public school curriculum as a part of new statewide program that will take effect in September. As the Post explains, "even though today's students have known no life without the Internet, only a couple of states have laws that recommend schools teach online safety."

Virginia is the first state to pass a law mandating such an effort at all grade levels, and child safety expert Adam Thierer of the Progress and Freedom Foundation believes it is a model that other state and local officials should follow (Illinois and Texas have passed laws as well).

One of the things that makes Virginia's program unique, beyond the fact that it's mandated, is that it's designed to integrate Internet safety into students' overall educational experience. So, rather than having a special assembly or one-off lecture, the goal is to weave the lessons into the curriculum so that students "have to think about [Internet safety] all the time."

In addition to teaching kids how to protect themselves from online predators, the article suggests that coursework will cover other topics like cyber bullying, copyright infringement and safe use of text messaging and social networking sites. There are also efforts to include parents through public service announcements and school meetings.

The issue of online child safety was raised several times during yesterday's FCC hearing on broadband network management practices.

For example, in her opening remarks, Commissioner Deborah Taylor Tate emphasized the need to keep Internet safety in mind when considering regulatory actions that would encourage greater openness of the Internet. She expressed concern about the role of P2P networks in enabling illegal content distribution, including child pornography. Others at the hearing defended P2P technology as a neutral protocol, explaining that it's how it is used and not the technology itself that is the problem.

As it turns out, while we were watching the FCC meeting at Stanford, there was a Senate Judiciary subcommittee hearing about online child exploitation taking place on Capitol Hill. And P2P again was part of the discussion. According to a report by News.com's Anne Broache, Senator Joe Biden (D-Del.) called for passage of a bill known as the Combating Child Exploitation Act that would authorize $1 billion over the next eight years.

Among other things, the money would be spent on expanding use of a Wyoming-based monitoring system called Operation Fairplay that is being used by law enforcement officers fighting child pornography to "conduct undercover operations involving peer-to-peer file-sharing applications, chat rooms, Web sites, and mobile telephones." For more details on how Operation Fairplay works, and what the legislation would do, check out News.com.

In the Who's Who section of Tech Policy Central, we do our best to keep tabs on the many organizations that make the tech policy world go round. So far, Who's Who includes almost 100 profiles of think tanks, coalitions and industry associations, and the list continues to grow.

To get a glimpse at what's new, check out these recent press releases from some of the orgs we're watching:

• Free Press has elected Columbia University professor Tim Wu, credited with coining the term 'net neutrality,' as chairman of its board of directors. Professor Wu replaces Robert W. McChesney.
• The Progress and Freedom Foundation (PFF) released a new report Friday titled "The Perils of Mandatory Controls and Restrictive Defaults." PFF senior fellow Adam Thierer, who spoke about Internet safety at last month's Tech Policy Summit, is the paper's author.
• The Business Software Alliance (BSA) announced today that it settled a software piracy claim against a California manufacturing company accused of using unauthorized copies of Adobe, Autodesk and Microsoft software. The firm, Acorn Engineering Company, has agreeed to pay BSA $250,000 as part of the settlement.
• The Computer and Communications Industry Association (CCIA) published a study on The Benefits and Costs of I-File, a proposed government-run electronic tax preparation system. The report commissioned by CCIA and written by Robert Litan, Jeffrey Eisenach and Kevin Caves concludes the IRS should not invest in the system.

The fight to make the Internet a safer place for kids and teens made headlines this week.

First, the European Union announced on Wednesday that it plans to spend over $83 million on Internet safety programs between 2009 and 2013, extending a program it began several years ago. The money will be spent on a variety of research and educational projects designed to keep kids in the EU safe from cyber bullying and illegal content.

Stateside, the Harvard Berkman Center for Internet & Society launched its Internet Safety Technical Task Force, which includes experts from Google, Microsoft, Facebook, Bebo, MySpace, Center for Democracy & Technology, Progress & Freedom Foundation and other organizations.

Together, they will evaulate technology-based solutions to the online safety challenge, including age-verification and authentication tools. For more info, check out this post by PFF's Adam Thierer. CDT's Leslie Harris also wrote an ABC News editorial about the privacy implications of online age verification. Both will be among the speakers at next month's Tech Policy Summit.

Citing data from Gartner that about 3.5 million computer users were tricked by phishing scams between 2006 and 2007, resulting in a financial loss of over $3 billion, Senators Bill Nelson (D-FL), Olympia Snowe (R-WA) and Ted Stevens (R-Alaska) introduced a bill earlier this week called the Anti-Phishing Consumer Protection Act of 2008 (APCPA).

APCPA is designed to crack down on online fraud and identity theft by creating "multiple enforcement mechanisms" and instituting strong civil and criminal penalties. Not everyone is convinced that the bill is a step in the right direction though.

According to The Iconoclast writer Declan McCullagh, who will be among the speakers at next month's Tech Policy Summit, there are plenty of anti-phishing laws already on the books and APCPA "appears to serve no useful purpose."

Declan writes: "If their bill merely duplicated existing criminal laws, it would be more redundant than worrisome. Except that one section is actively harmful to the privacy of Americans who own domain names and want to protect their privacy."

He's referring to provisions that would make it illegal for an individual to use false or misleading information when registering a domain name in a WHOIS database if that domain is used for commercial purposes, as well as a rule that would require domain name registrars who use proxy services to keep registrant.data private to make that info public if they receive notice that the domain name was used for phishing purposes.

You can read the full text of the bill here.