InsideSources

No one in the tech industry wants to deal with a patchwork of state privacy laws regulating their industry, but companies that don’t collect large amounts of consumer information and sell or share it — the “good actors” — also don’t want a want a new federal privacy law that lumps them in with “bad actors” like Google and Facebook.

The Wikimedia Foundation, for example, filed comments with the National Telecommunications and Information Administration (NTIA) asking for a privacy law that is “reasonable” and “proportional.”

The foundation — a nonprofit that hosts information websites like Wikipedia, Wikimedia Commons, Wiktionary, Wikibooks, Wikisource and others —  collects very little information on its users and requires its editors to use pseudonyms to protect their personal identity and information.

Unlike Google, “these important protections mean that we hold a unique place as one of the few large internet platforms that do not rely on tracking or sale of user data to generate revenue,” the foundation stated in its filing.

The foundation believes it is important for a federal privacy law to preempt a patchwork of state laws because dealing with 50 different privacy laws is exceedingly difficult for a smaller companies and nonprofits.

The foundation also wants any new NTIA regulations to be both “flexible” and “proportional,” and has expressed concerns that the former might trump the latter.

“Flexibility in a regulation ensures that everyone has the ability to address privacy concerns in a way that is most intuitive to them,” the foundation states. “This is an important goal and should remain in the NTIA’s framework. However, proportionality in a regulation ensures that the burdens are not equally placed on every actor, despite vast differences in their operations.”

The Wikimedia Foundation’s priority is a federal privacy law that is reasonable and proportional so that it doesn’t burden tech companies of different types and sizes.

“We strongly believe that the goal should not only be ‘reasonable’ minimization [of data collected], but simply ‘minimization,'” the foundation states. “After all, minimization does not mean that no data must be collected, but that what is collected is as little as possible. At the Wikimedia Foundation, we intentionally minimize the data we collect on users in order to encourage free and open participation on our projects.”

The foundation’s point is that what is a “minimization” of data collection for the Wikimedia Foundation may look very different from what is a “minimization” of data collection for Google.

“I think it comes down to context,” SiteLock’s Research Security Analyst Jessica Ortega told InsideSources. “Transparency could mean something really different for Google. For a company like Wikimedia, transparency could mean an email or a public link to all their records sent out to all their customers.”

One way to fulfill the foundation’s wish for proportionality is to create a privacy law with purposefully vague language, Ortega said.

But a vague law could let the bad actors off the hook and fail to adequately protect consumers. While a more specific law could better protect consumers, it could also stifle innovation and hurt companies like the Wikimedia Foundation.

“It’s not inherently bad for consumers, because it could mean stronger security measures, but it could also become weaker security measures,” Ortega said. “So there’s definitely a case for being more specific, but when you make it more specific you lose innovation.”

Roslyn Layton, a visiting scholar at the American Enterprise Institute (AEI) specializing in tech policy, told InsideSources that there are ways to ensure the kind of proportionality the Wikimedia Foundation wants in a privacy law while still cracking down on the bad actors like Google and Facebook.

“One way is a safe harbor,” Layton said. “If you have a checklist and do a certain set of things, then you shouldn’t worry about the law coming after you. A safe harbor could address that proportionality issue. When they do enforcements and look at antitrust issues, the Federal Trade Commission (FTC) takes this perspective: if you are 0.001% of the marketplace, they’re not going to look at you. You need to have a sizable impact on the market.”

Because bad actors like Google and Facebook are the reason for privacy talks, formulating a law to address their vices while being fair to good actors will be a substantial challenge for Congress.

“On the one hand you want a comprehensive approach but not comprehensive enforcement,” Layton said. “If in fact you only want to go after the big players, then why do you want comprehensive legislation?”

Follow Kate on Twitter

A federal court on Friday dismissed a lawsuit brought by the American Civil Liberties Union, Wikimedia and others against the National Security Agency over mass surveillance practices revealed by NSA whistleblower Edward Snowden in 2013.

The U.S. District Court for the District of Maryland granted a government motion to dismiss the case on the grounds the plaintiffs “had not plausibly alleged that their communications were being monitored by the NSA,” according to the ACLU.

The ACLU represented plaintiffs the Wikimedia Foundation — the nonprofit organization behind Wikipedia — Amnesty International, Human Rights Watch and others in the case to challenge the NSA’s surveillance of the content of Americans’ communications as they cross the global Internet’s backbone.

“The court has wrongly insulated the NSA’s spying from meaningful judicial scrutiny,” ACLU attorney Patrick Toomey, who argued the case last month, said Friday. “The decision turns a blind eye to the fact that the government is tapping into the Internet’s backbone to spy on millions of Americans. The dismissal of the lawsuit’s claims as ‘speculative’ is at odds with an overwhelming public record of warrantless surveillance.”

Plaintiffs filed the case in March to challenge NSA’s “upstream” surveillance, when the signals intelligence agency taps the physical infrastructure of the Internet, such as undersea fiber cables, to surveil the content of foreigners’ communications, like emails, instant messages, etc., as they exit and enter the U.S.

Upstream surveillance is legal under Section 702 of the 2008 FISA Amendments Act, and allows NSA to surveil Americans communications with foreign targets overseas. According to rights groups, it also facilitates a loophole that lets NSA “incidentally” sweep up unrelated data belonging to Americans in the process.

“If people look over their shoulders before searching, pause before contributing to controversial articles, or refrain from sharing verifiable but unpopular information, Wikimedia and the world are poorer for it,” Wikipedia founder Jimmy Wales said in March when the ACLU filed the case.

The groups claim such surveillance, revealed via leaks from Snowden, violate Internet users’ First and Fourth Amendment rights, arguing the knowledge that they’re being surveilled will produce a chilling, self-censoring effect on their activity, and that collecting their communications constitutes unreasonable searches and seizures.

The ACLU previously challenged the FISA Amendments Act in Amnesty v. Clapper, which the Supreme Court dismissed in 2013. At the time the court said the ACLU lacked standing to establish parties in the case were surveilled or harmed.

Wikimedia and others mounted a new challenge after slides from Snowden detailing Section 702 programs like “Prism” and “Muscular” showed NSA targeted Wikipedia and its users, and even included the website’s logo.

“[T]he volume of Wikimedia’s communications is so incredibly large that there is simply no way the government could conduct upstream surveillance without sweeping up a substantial number of those communications,” ACLU lawyer Jameel Jaffer wrote during a Reddit AMA session about the case earlier this year.

Despite the seeming evidence this time around, the lawsuit produced the same result Friday as Amnesty v. Clapper in 2013.

Though the ACLU suffered a loss, the subject of domestic surveillance has not gone unnoticed since the case was filed. Another federal court declared the NSA’s bulk collection of Americans’ telephone metadata illegal earlier this year, and Congress passed the long-stalled USA Freedom Act to dismantle the database earlier this summer.

And lawmakers and activists alike haven’t forgotten about Section 702. The authority, up for renewal in 2017, came up again this week as the Senate mulls passing the Cybersecurity Information Sharing Act, currently dividing surveillance hawks and privacy advocates in the upper chamber.

“Congress should also reform FISA Amendments Act Section 702, which is set to sunset at the end of 2017, to bring elements of the National Security Agency’s spying in line with international human rights standards,” digital rights group Access said in a statement opposing CISA earlier this week.

“The [Court of Justice of the European Union] based its decision on two programs operated under 702  —  PRISM and Upstream  —  which most egregiously affect non-U.S. persons. The NSA uses PRISM to obtain internet communications from U.S. tech companies and Upstream to query data entering the U.S. through fiber optic cables.”

Two weeks ago the EU court cited Section 702 programs in its decision to nullify the U.S.-EU “Safe Harbor” agreement, which previously allowed U.S. Internet companies like Facebook to self-certify they were transferring and processing the data of EU citizens in compliance with EU privacy standards.

Absent the agreement, companies face legal uncertainty in transferring data across the Atlantic until the two sides ink a new deal, in the works for the last year and a half.

RELATED: Could CISA Derail Safe Harbor 2.0?

“We also need to reform the FISA Amendments Act, which sunsets in 2017,” Senate Judiciary Committee ranking Democrat and USA Freedom Act author Sen. Patrick Leahy said at CATO’s annual surveillance conference Wednesday.

“This law, also known as Section 702, has significant privacy implications for innocent Americans. And with the European Court of Justice’s decision, it continues to have significant implications for American businesses in the global economy. I look forward to working with you to reform Section 702 and other surveillance authorities.”

Follow Giuseppe on Twitter