I once went to a wedding in which a British High Court judge was the bride's godfather.
Having made a deeply insincere speech, he then proceeded to get blind drunk and attempt, for no clear reason, to remove his trousers. He left the proceedings with his pants around his ankles, his wife around his torso, and a deep hush around the marquee in which the wedding was being held.
People stared, so frozen at the lips that the wine enjoyed no sips. And this, I imagine, is a posture many have experienced upon viewing a campaign video made on behalf of former Hewlett-Packard CEO Carly Fiorina.
Fiorina seems to feel she is the right person to become a California senator. The first step in her righteous quest is to make voters believe that one of her Republican opponents, Tom Campbell, is actually Damien from the "Omen" movies--except that he's a sheep. Damien the Sheep is a demon sheep.
There have been exclamations about how talented the makers of this video are. (Yes, they were also behind the excellent and highly successful video suggesting that Barack Obama was rather like Paris Hilton.)
You see, this little opus has, as they say in media circles, gone viral. At the time of writing, more than 400,000 people have slipped onto YouTube to see what all the fuss is about. But what kind of virus is really being spread here?
Many believe that the apogee in so-called virality is when a video is passed on to millions. The mere fact of something being seen by a lot of people, in their mind, makes it victorious. But a lot of people saw Tom Cruise jumping up and down on Oprah's sofa, and I am not sure that the incident increased their belief that Cruise was a human being with whom they'd like to break bread--or even break silence.
A lot of people also saw Virginia Sen. George Allen using that charming word "Macaca," and that didn't seem to do too much for his political career.
When it comes to politics or, indeed, life, people are lazy, dumb, preoccupied, and bored. Political consultants tell candidates that they have to jolt people out of this state and make them feel something.
Yet when you put out a video that looks and sounds like it was made by folks who chose the music and did the edit after ingesting a particularly gruesome crop of mushrooms while watching snuff videos on an adjacent screen, it's still worth wondering what impression you have virally created for your candidate.
It may well be that Carly Fiorina will make for an excellent California senator. It may well be that her advisers are slapping her (and themselves) on the back because they have finally got her name out of the morass of apparently faceless politicos who are vying for the honor of failing to corral the psychedelic state.
But it also may well be that they have propelled an image of Fiorina as something of a nasty nutbag who shouldn't be allowed anywhere near the steering wheel of a Prius, never mind that of a state whose recall may have been total, but whose politics should be totaled.
Going viral is not necessarily a mark of success if, as is already happening, people are creating Twitter pages such as Twitter.com/demonsheep, whose stated location is the "fiery depths of Gehenna."
It will be interesting to see whether her campaign's follow-up might suggest that all other Republicans, regardless of whether they are running for the U.S. Senate, are somehow evil fiends.
Perhaps it will be a video depicting former eBay CEO Meg Whitman, who is running for California governor, as a crazed woman in a black hat, who, having made a fortune by persuading people to buy things they don't need and may never receive, flies around on a broomstick, selling poisonous candy door-to-door, while hissing like Dick Dastardly.
WASHINGTON--The FBI is pressing Internet service providers to record which Web sites customers visit and retain those logs for two years, a requirement that law enforcement believes could help it in investigations of child pornography and other serious crimes.
FBI Director Robert Mueller supports storing Internet users' "origin and destination information," a bureau attorney said at a federal task force meeting on Thursday.
As far back as a 2006 speech, Mueller had called for data retention on the part of Internet providers, and emphasized the point two years later when explicitly asking Congress to enact a law making it mandatory. But it had not been clear before that the FBI was asking companies to begin to keep logs of what Web sites are visited, which few if any currently do.
The FBI is not alone in renewing its push for data retention. As CNET reported earlier this week, a survey of state computer crime investigators found them to be nearly unanimous in supporting the idea. Matt Dunn, an Immigration and Customs Enforcement agent in the Department of Homeland Security, also expressed support for the idea during the task force meeting.
Greg Motta, the chief of the FBI's digital evidence section, said that the bureau was trying to preserve its existing ability to conduct criminal investigations. Federal regulations in place since at least 1986 require phone companies that offer toll service to "retain for a period of 18 months" records including "the name, address, and telephone number of the caller, telephone number called, date, time and length of the call."
At Thursday's meeting (PDF) of the Online Safety and Technology Working Group, which was created by Congress and organized by the U.S. Department of Commerce, Motta stressed that the bureau was not asking that content data, such as the text of e-mail messages, be retained.
"The question at least for the bureau has been about non-content transactional data to be preserved: transmission records, non-content records...addressing, routing, signaling of the communication," Motta said. Director Mueller recognizes, he added, "there's going to be a balance of what industry can bear...He recommends origin and destination information for non-content data."
Motta pointed to a 2006 resolution from the International Association of Chiefs of Police, which called for the "retention of customer subscriber information, and source and destination information for a minimum specified reasonable period of time so that it will be available to the law enforcement community."
Recording what Web sites are visited, though, is likely to draw both practical and privacy objections.
"We're not set up to keep URL information anywhere in the network," said Drew Arena, Verizon's vice president and associate general counsel for law enforcement compliance.
And, Arena added, "if you were to do deep packet inspection to see all the URLs, you would arguably violate the Wiretap Act."
Another industry representative with knowledge of how Internet service providers work was unaware of any company keeping logs of what Web sites its customers visit.
If logs of Web sites visited began to be kept, they would be available only to local, state, and federal police with legal authorization such as a subpoena or search warrant.
What remains unclear are the details of what the FBI is proposing. The possibilities include requiring an Internet provider to log the Internet protocol (IP) address of a Web site visited, or the domain name such as cnet.com, a host name such as news.cnet.com, or the actual URL such as http://reviews.cnet.com/Music/2001-6450_7-0.html.
While the first three categories could be logged without doing deep packet inspection, the fourth category would require it. That could run up against opposition in Congress, which lambasted the concept in a series of hearings in 2008, causing the demise of a company, NebuAd, which pioneered it inside the United States.
The technical challenges also may be formidable. John Seiver, an attorney at Davis Wright Tremaine who represents cable providers, said one of his clients had experience with a law enforcement request that required the logging of outbound URLs.
"Eighteen million hits an hour would have to have been logged," a staggering amount of data to sort through, Seiver said. The purpose of the FBI's request was to identify visitors to two URLs, "to try to find out...who's going to them."
A Justice Department representative said the department does not have an official position on data retention.
Disclosure: The author of this story participated in the meeting of the Online Safety and Technology Working Group, though after the law enforcement representatives spoke.
Although the amended settlement agreement for Google's Book Search addressed some concerns the U.S. Justice Department had, it still could give the company anticompetitive advantages in the digital book marketplace, the agency said on Thursday.
The Department of Justice advised the U.S. District Court for the Southern District of New York that "class certification, copyright, and antitrust issues remain" in a court filing.
The settlement--reached between Google and the Authors Guild and Association of American Publishers--would allow Google to partially display in-copyright but out-of-print books alongside books authorized by publishers and public domain works in Google Books. It was weeks away from being approved by the court when the Justice Department intervened in September, citing a host of concerns.
The agency suggested that the agreement should impose limitations on the most open-ended provisions for future licensing so it would eliminate potential conflicts among authors and publishers, provide additional protections for unidentified rights holders, address concerns voiced by foreign authors and publishers, eliminate the joint-pricing mechanisms among publishers and authors, and provide a way for Google rivals to gain comparable access to the digital works.
The sides offered up an amended agreement in November, which still drew complaints from critics.
Now the Justice Department has weighed in again, concluding that the modified agreement still faces the same core problem as the original agreement did: "it is an attempt to use the class action mechanism to implement forward-looking business arrangements that go far beyond the dispute before the court in this litigation."
"The proposed amended settlement agreement eliminates certain open-ended provisions that would have allowed Google to engage in certain unspecified future uses, appoints a fiduciary to protect rights holders of unclaimed works, reduces the number of foreign works in the settlement class, and eliminates the most-favored nation provision that would have guaranteed Google optimal license terms into the future," the agency said.
However, the amended settlement agreement "still confers significant and possibly anticompetitive advantages on Google as a single entity, thereby enabling the company to be the only competitor in the digital marketplace with the rights to distribute and otherwise exploit a vast array of works in multiple formats," the agency added.
The agreement retains Google's ability to sell full access to books in a variety of ways, which grants Google "sweeping control over the digital commercialization of millions and millions of books," the filing said.
The amended agreement gives Google de facto exclusivity over rights to the digital books because the company has a huge lead over competing efforts at Amazon and the Internet Archive, which in order to catch up would have to scan books without permission from rights holders, as Google has been doing, the agency said in its filing.
The exclusive access to the books that Google will get is likely to benefit Google's existing online search business and further entrench its dominance in that market, according to the filing.
Meanwhile, by requiring that rights holders opt out of the program, the amended agreement seeks what would be an exception to normal rules under the Copyright Act that rights holders must affirmatively grant permission for uses of their work, the document said.
If an opt-out provision is maintained, the court should require a waiting period before Google can commercially exploit out-of-print works without getting rights holder permission, such as two years from the time the book is publicly listed in the online registry to be created under the agreement, the filing suggests.
The Justice Department said it is still committed to working with Google and the Authors Guild on the settlement agreement, particularly to "develop solutions through which copyright holders could allow for digital use of their works by Google and others, whether through legislative or market-based activities."
The agency said it believes that a "properly structured" agreement could provide "important societal benefits."
A Google spokesperson provided this comment: "The Department of Justice's filing recognizes the progress made with the revised settlement, and it once again reinforces the value the agreement can provide in unlocking access to millions of books in the U.S. We look forward to Judge Chin's review of the statement of interest from the Department and the comments from the many supporters who have filed submissions with the court in the last months. If approved by the court, the settlement will significantly expand online access to works through Google Books, while giving authors and publishers new ways to distribute their works."
The nonprofit advocacy group Consumer Watchdog praised the Justice Department's stance.
"The settlement still abuses the class-action mechanism and purports to enroll absent class members automatically into new business 'opportunities,' in violation of current copyright laws," Consumer Watchdog reiterated from its friend-of-the-court brief opposing the agreement as modified. "This scheme acts to the disadvantage of absent class members and would result in unfair competitive advantages to Google in the search engine, electronic book sales, and other markets, to the detriment of the public interest. Along the way, the settlement raises significant international law and privacy concerns."
Updated 6:30 p.m. PST with more details from the DOJ filing and 6:07 p.m. PST with Google comment and 5:22 p.m. PST with Consumer Watchdog comment.
Comcast and NBC Universal executives went to Washington, D.C., on Thursday to answer lawmakers' questions about the proposed deal for Comcast to buy a controlling stake in the media and network TV giant.
In separate subcommittee hearings, lawmakers in the House of Representatives and the Senate questioned Comcast CEO Brian Roberts and NBC Universal President and CEO Jeff Zucker. Specifically, they asked how the $37 billion proposed merger between the nation's largest cable company and the TV network and movie studio would affect consumers' cable prices, the budding online TV business, and the distribution of cable and broadcast TV content.
Sparks flew during the Senate subcommittee hearing on antitrust issues when Sen. Al Franken (D-Minn.) said he didn't trust his former bosses at NBC to live up to their promises. Franken, a former comedian, worked for several years on NBC's Saturday Night Live, and he even had a short-lived sitcom on NBC in the early 1990s called "Lateline."
"I worked for NBC for many years," he said. "And what I know from my previous career has given me reason to be concerned--let me rephrase that, very concerned--about the potential merger of Comcast and NBC Universal."
Franken said he was most concerned about Comcast withholding NBC content from competitors, or prioritizing its TV shows and movies over those of other content providers.
He pointed to promises made and broken by NBC in the early 1990s, when it promised government regulators that allowing networks to own more of their own programming content would not hurt independent producers. What actually happened, Franken said, is that the networks came to own the majority of the programming they air, demanding ownership in any independently produced shows that come to them.
"Today, if an independent producer wants to get its show on a network's schedule, it's a routine practice for the network to demand at least part ownership of the show," he said. "This is completely contrary to what NBC and the other networks said they would do when they were trying to get fin-syn (Financial Interest and Syndication Rules) rescinded. So while I commend NBCU and Comcast for making voluntary commitments as part of this merger, you'll have to excuse me if I don't just trust their promises."
Comcast and NBC have proposed their own conditions on the merger to ensure that they protect the public interest and preserve competition. Executives from the companies say they don't believe the FCC or other government regulators need to add more conditions to the merger.
But public-interest watchdogs say the merger should be rejected without more conditions to protect the public from higher prices and fewer choices.
During the House hearing, Rep. Ed Markey (D-Mass.) expressed fears that the deal would stifle competition and end up costing consumers.
Colleen Abdoulah, chief executive of small Midwest cable provider WideOpenWest, or WOW, offered the House subcommittee a few suggestions for conditions that could help prevent this. She suggested that regulators require Comcast and NBC to offer sports and entertainment programming to all of its competitors, including those online.
The Federal Communications Commission recently shut the "terrestrial loophole," a special provision in regulation that required cable operators to share only programming that gets transmitted via satellite. The loophole had enabled the cable companies to prevent many competitors, such as phone companies and satellite providers, from offering programming of local sports events controlled by cable operators. Cable companies have said they will appeal the decision.
Also during the House hearing, NBC's affiliate stations voiced concern that Comcast would move its most valuable sports and entertainment programming to its cable stations. They are concerned about Comcast putting NBC content on the Web and bypassing local transmission.
Comcast's Roberts tried to allay fears that a combined Comcast and NBC would be anticompetitive by pointing out growing competition for TV content online. He said that together, Comcast and NBC would result in "a more creative and innovative company."
NBC's Zucker told the House subcommittee that the deal with Comcast would help save TV broadcasting, which he said is currently under a certain amount of duress.
The FCC and Department of Justice have just begun reviewing the merger and are expected to reach a final decision on the outcome in the fourth quarter of this year.
The U.S. House of Representatives overwhelmingly approved a cybersecurity bill that calls for beefing up training, research, and coordination so the government can be better prepared to deal with cyberattacks.
The Cyber Security Research and Development Act of 2009, which passed by a vote of 422 to 5, authorizes the National Institute of Standards and Technology (NIST) to develop a cybersecurity education program that can help consumers, businesses, and government workers keep their computers secure.
It also creates cybersecurity scholarship programs for college students and research centers, and asks NIST to boost development of identity management systems used to control access to buildings, computer networks, and data.
Federal agencies spend $6 billion a year on cybersecurity to protect the government's IT infrastructure and $356 million on research, according to the Office of Management and Budget. Despite that funding, a government review of its cybersecurity efforts last year concluded that they are not adequate to prepare the country against cyberattacks.
Under the measure, if it becomes law, NIST would have one year to deliver a plan to Congress detailing its plans to participate in international cybersecurity technical standards development and 90 days to deliver a plan describing a cybersecurity awareness and education program.
Alan Paller, director of research at the SANS Institute computer security training organization, said the bill is vital to improving the country's cybersecurity defenses, but said the Appropriations Committee needs to provide for the necessary funding for it to have impact. Funding could be affected if schools don't upgrade their security programs and graduate students with key technical skills, and if NIST doesn't prove it can be a good partner with the agencies that have the necessary skills.
"NIST has 'grasped defeat from the jaws of victory' once too often (because of their lack of operational knowledge) to give that agency sole responsibility for something as important as the first line of defense (configuration standards, et al)," Paller wrote in an e-mail.
"This bill will help improve the security of cyberspace by ensuring federal investments in cybersecurity are better focused, more effective, and that research into innovative, transformative security technologies is fully supported," said Symantec CTO Mark Bregman. "HR 4061 represents a major step forward towards defining a clear research agenda that is necessary to stimulate investment in both the private and academic worlds, resulting in the creation of jobs in a badly understaffed industry."
The vote comes two days after Dennis Blair, White House director of national intelligence, warned the Senate that the U.S. is under severe threat from cyberattacks, and a week after nearly 50 House and Senate Web sites were defaced.
There has been a heightened level of interest in cybersecurity since Google announced last month that its network had been attacked and intellectual property stolen. More than 20 (now more than 30) other companies were also targeted and the attacks appeared to come from China, Google said. Separately, Gmail users who are human rights activists were targeted. As a result of the attacks, Google said it would stop censoring its Web search results in China as it has been doing and may even stop doing business in the country.
Updated 3:54 p.m. PST with SANS Institute comment.
In a decision that deprives open-source foes of some rhetorical fodder, the group that licenses patents for the widely used H.264 video-encoding technology chose to renew a streaming-media freebie through 2015.
MPEG LA licenses more than 1,000 H.264-related patents on behalf of 26 companies that hold the patents. The group's existing policy, which runs through the end of 2010, has been not to charge royalties to Internet sites that streamed video using the technology--as long as the video was free for viewers.
Many have been waiting to hear what MPEG LA would announce for the licensing terms beyond 2010. On Tuesday, the group said it extended the free-streaming policy until December 31, 2015.
That extension could help encourage Web sites to use H.264 instead of rivals such as Ogg Theora, which isn't encumbered by patents, or On2 Technologies' VP7 or VP8.
H.264, Ogg Theora, and VP8 are what's called codecs--technology that encodes and decodes digital information. In the case of digital video, codecs compress the original material for storage or transmission, then expand it again for viewing. The highest-profile Web streaming site using H.264 is a doozy: Google's YouTube.
H.264 opposition
Given some significant opposition to H.264 in Web streaming that contrasts with its widespread use, it's not too surprising MPEG LA chose not to add the new royalty.
Google is trying to acquire On2 but hasn't disclosed in detail what it hopes to accomplish beyond saying, "We believe high-quality video compression technology should be a part of the web platform."
But the more overt rival at this stage is Mozilla, which has been agitating against H.264 and promoting Ogg Theora, which it uses for handling video built into Web sites with new HTML5 technology under development. Mozilla had been raising the specter of new streaming video royalty payments, but the MPEG LA decision defangs that argument for the time being.
Still, the rhetoric continued Wednesday, when Mozilla Chief Executive John Lilly tweeted, "Regarding that MPEG LA announce: it's good they did it, but they sort of had to. But it's like 5 more years of free to lock you in 4ever."
Why so opposed? Patents on Web plumbing raise a big red flag for those who remember when Unisys started seeking licensing revenue for the GIF format based on its image compression patents. That didn't start until 1999, years after the format grew popular. Mozilla wants to steer clear of patents
But the ambitions of HTML5 video fans are complicated by this codec issue. Firefox supports Ogg Theora, and Opera Software is working on following suit. But Apple's Safari supports H.264. Google's Chrome supports both, and Microsoft's Internet Explorer supports neither.
Consequently, in 2009, HTML5 specification editor and Google employee Ian Hickson reluctantly decided that HTML5 couldn't specify a particular codec.
Not just about the money
MPEG LA offers the patents under what it calls the AVC/H.264 Patent Portfolio License. The codec is also known as MPEG-4 Part 10.
Although that's been royalty-free in the Internet-streaming context, it costs money for commercial streaming, cameras, video editing software, media players, and Web browsers. MPEG LA plans to announce later this year the new royalty rates for those uses, it said.
And browsers are one area where H.264 gets complicated: open-source software typically may not use patented technology unless license agreements explicitly permit it. That's not the case with H.264, which is one reason Mozilla doesn't support the technology in Firefox, which is distributed not just by Mozilla but also by Linux companies and others who use Firefox derivatives.
Even if Mozilla wanted to license the code, it's not a simple matter: Mozilla said the H.264 license would cost $5 million.
Open-source software such as Firefox or free software such as Adobe Systems' Flash Player, which includes H.264 support, get no special treatment, according to a comment by Allen Harkness, MPEG LA's director of global licensing.
"Licenses do not make any distinction for products offered for free (whether open source or otherwise)," he said.
And although companies making products with H.264 support must pay royalties, Harkness raised the specter of much broader consequences for those using unlicensed H.264 technology. "While our licenses are not concluded by end users, anyone in the product chain has liability if an end product is unlicensed," Harkness said.
Among the companies whose patents are licensed through the H.264 policy are Apple, with a single patent, Microsoft, with dozens, and several consumer electronics companies that also have dozens of patents involved. A full H.264 patent list in PDF form is available on the MPEG LA site.
Update 1:48 a.m. PST: Added more detail about H.264 licensing and open-source software.
A forthcoming survey of computer crime investigators suggests that electronic surveillance is a bit more commonplace than most people might expect.
Even a relatively small group of 100 police working on online investigations reports submitting as many as 22,800 legal requests for information a year to Internet and e-mail providers, a category that includes both subpoenas and search warrants.
CNET has reviewed a presentation scheduled to be given at a federal task force meeting on Thursday, which says that the survey respondents said they submitted a total of anywhere from 2,868 to 22,800 requests for information a year.
"Most Internet users do not realize how often the government is demanding personal information from companies, often without judicial oversight, and how often companies turn it over," says Nicole Ozer, technology director for the ACLU of Northern California. "Companies are refusing to disclose to the public how many demands they get. It appears that the government is demanding that Internet companies turn over so much personal information about users, so often, that companies can't keep up."
No law requires that the number of subpoenas and search warrants sent to Internet and e-mail providers be made public. Federal law does require the disclosure of certain types of wiretaps--in 2004, for instance, there were 1,442 nonterrorism-related wiretaps, and only 4 percent targeted computers and electronic devices.
Sixty-one percent of survey respondents reported that their investigations were "detrimentally" affected because data were not retained long enough, and 47 percent said they had to end an investigation because data were not retained. The survey was conducted in late October 2009. (In general, subscriber information such as billing addresses can be obtained with a subpoena, and content information such as the contents of an e-mail message can be obtained with a search warrant.)
The survey, according to two people with knowledge of the situation, is part of a broader push from law enforcement agencies to alter the ground rules of online investigations. Other components include renewed calls for laws requiring Internet companies to store data about their users for up to five years, and a push for a national Web interface linking police computers with those of Internet and e-mail providers so requests can be sent and received electronically instead of via fax.
The survey's author is Frank Kardasz, who is scheduled to present it at a meeting of the Online Safety and Technology Working Group, organized by the U.S. Department of Commerce. Kardasz, a sergeant in the Phoenix police department and a project director of Arizona's Internet Crimes Against Children task force, said in an e-mail exchange on Tuesday that he is still revising the document and was unable to discuss it.
White House Director of National Intelligence Dennis Blair says the U.S. is under severe threat of greater cyberattacks but believes we can rise to the challenge.
Blair appeared before a Senate panel on Tuesday to deliver the Annual Threat Assessment of the U.S. Intelligence Community (PDF). A statement of Blair's remarks to the Senate Select Committee on Intelligence was released for the record. While he focused mostly on non-cyberterrorism and similar threats, he led off with a stark report on the growing dangers and challenges of cyberwarfare.
Seeing the recent attacks against Google as a "wake-up call," Blair cautioned those who may treat the problem lightly. He also praised companies who report such incidents as they help Washington better understand the nature of cyberthreats that can affect the entire nation.
Blair detailed a laundry list of adversaries on the cyberwarfare front, including other nations, terrorist networks, and organized crime groups, all of whom have the knowledge and means to attack U.S. networks to disrupt operations and steal sensitive information.
"Terrorist groups and their sympathizers have expressed interest in using cyber means to target the United States and its citizens," said Blair. "Criminal elements continue to show growing sophistication in their technical capability and targeting. Today, cyber criminals operate a pervasive, mature on-line service economy in illicit cyber capabilities and services, which are available to anyone willing to pay."
Blair described how cybercriminals have gotten more savvy and sophisticated in their attacks. He pointed out the use of self-modifying malware, which sneaks past traditional security tools. The use of cell phones to conduct financial business has opened another target for criminals. Finally, the bad guys themselves are better organized, he said, as they continue to set up global networks to exchange information.
In his remarks, Blair highlighted two new global trends that leave us vulnerable. Network convergence, or the melding of voice, video, and data over a common network, should be nearly complete on a national scale within the next five years, he noted. But this convergence creates new opportunities for cyberattacks that could affect other parts of the country's infrastructure. Channel consolidation, or the ability to grab data on an individual through e-mails, search engines, social networks, and geotagging, increases the risk that our personal information and privacy can be exploited.
With all the mounting threats, what is Washington doing to protect the country? Blair pointed out that neither the government nor business can fully safeguard our vast digital information. But he feels confident that an increased focus on and greater investment in security can help the U.S. better meet this challenge.
Toward that end, Blair touted some recent initiatives. He noted that his intelligence team has been helping to develop a strategy that can be effective but still mindful of national freedoms. By integrating cybersecurity with counterintelligence, Blair believes the government is becoming better able to track and counteract cyberthreats. He also believes that the president's Cyberspace Policy Review has helped unify the key players and agencies in Washington responsible for cybersecurity.
Combating cyberterrorism has been a growing concern for the Obama Administration. Last spring, President Obama conceded that the country was not fully prepared to defend itself against this serious threat. As a result, the president ordered a shake-up of the government's cybersecurity efforts. One priority called for a new cybersecurity czar to help coordinate the nation's efforts. After a months-long search, the job was eventually handed to former security adviser Howard Schmidt in December.
Anyone with an e-mail account likely knows that police can peek inside it if they have a paper search warrant.
But cybercrime investigators are frustrated by the speed of traditional methods of faxing, mailing, or e-mailing companies these documents. They're pushing for the creation of a national Web interface linking police computers with those of Internet and e-mail providers so requests can be sent and received electronically.
CNET has reviewed a survey scheduled to be released at a federal task force meeting on Thursday, which says that law enforcement agencies are virtually unanimous in calling for such an interface to be created. Eighty-nine percent of police surveyed, it says, want to be able to "exchange legal process requests and responses to legal process" through an encrypted, police-only "nationwide computer network."
The survey, according to two people with knowledge of the situation, is part of a broader push from law enforcement agencies to alter the ground rules of online investigations. Other components include renewed calls for laws requiring Internet companies to store data about their users for up to five years and increased pressure on companies to respond to police inquiries in hours instead of days.
But the most controversial element is probably the private Web interface, which raises novel security and privacy concerns, especially in the wake of a recent inspector general's report (PDF) from the Justice Department. The 289-page report detailed how the FBI obtained Americans' telephone records by citing nonexistent emergencies and simply asking for the data or writing phone numbers on a sticky note rather than following procedures required by law.
Some companies already have police-only Web interfaces. Sprint Nextel operates what it calls the L-Site, also known as the "legal compliance secure Web portal." The company even has offered a course that "will teach you how to create and track legal demands through L-site. Learn to navigate and securely download requested records." Cox Communications makes its price list for complying with police requests public; a 30-day wiretap is $3,500.
The police survey is not exactly unbiased: its author is Frank Kardasz, who is scheduled to present it at a meeting (PDF) of the Online Safety and Technology Working Group, organized by the U.S. Department of Commerce. Kardasz, a sergeant in the Phoenix police department and a project director of Arizona's Internet Crimes Against Children task force, said in an e-mail exchange on Tuesday that he is still revising the document and was unable to discuss it.
In an incendiary October 2009 essay, however, Kardasz wrote that Internet service providers that do not keep records long enough "are the unwitting facilitators of Internet crimes against children" and called for new laws to "mandate data preservation and reporting." He predicts that those companies will begin to face civil lawsuits because of their "lethargic investigative process."
"It sounds very dangerous," says Lee Tien, an attorney with the Electronic Frontier Foundation, referring to the police-only Web interface. "Let's assume you set this sort of thing up. What does that mean in terms of what the law enforcement officer be able to do? Would they be able to fish through transactional information for anyone? I don't understand how you create a system like this without it."
What police see in ISPs
Kardasz's survey, based on questionnaires completed by 100 police investigators, says that 61 percent of them had their investigations harmed "because data was not retained" and only 40 percent were satisfied with the timeliness of responses from Internet providers.
It also says: "89 percent of investigators agreed that a nationwide computer network should be established for the purpose of linking ISPs with law enforcement agencies so that they may exchange legal process requests and responses to legal process. Authorized users would communicate through encrypted virtual private networks in order to maintain the security of the data."
Some of the responses to other questions: "AT&T is very prompt." "Cox Communications seems to be the worst." "Places like Yahoo can take a month for basic subscriber info which is also a problem." "AT&T Mobility does not keep a log at all." "MySpace give (sic) me the quickest response and they have been very pro-police."
Hemanshu (Hemu) Nigam, MySpace's chief security officer, said in an interview with CNET on Tuesday that: "You can be very supportive of law enforcement investigations and at the same time be very cognizant and supportive of the privacy rights of our users. Every time a legal process comes in, whether it's a subpoena or a search order, we do a legal review to make sure it's appropriate."
Nigam said that MySpace accepts law enforcement requests through e-mail, fax, and postal mail, and that it has a 24-hour operations center that tries to respond to requests soon after they've been reviewed to make sure state and federal laws are being followed. MySpace does not have a police-only Web interface, he said.
Creating a national police-only network would be problematic, Nigam said. "I wish I knew the number of local police agencies in the country, or even police officers in the country," he said. "Right there that would tell you how difficult it would be to implement, even though ideally it would be a good thing."
Another obstacle to creating a nationwide Web interface for cops--one wag has dubbed it "DragNet," and another "Porknet"--is that some of its thousands of users could be infected by viruses and other malware. Once an infected computer is hooked up to the national network, it could leak confidential information about ongoing investigations.
Jim Harper, a policy analyst at the free-market Cato Institute, says that he welcomes the idea of a police-only Web interface as long as it's designed carefully. "A system like this should have strong logins, should require that the request be documented fully, and should produce statistical information so there can be strong oversight," he says. "I think that's a good thing to have."
Unless you speak lawyerese as a second language, a Web site's privacy policy can seem as incomprehensible as the loudspeakers on New York City subways.
The organization behind Firefox, the world's second most popular Web browser, has embarked on an ambitious project to change this. Instead of forcing people concerned about privacy to scroll through pages of "notwithstanding anything to the contrary," the Mozilla Foundation is designing a standard set of colored icons to reveal how data-protective--or how intrusive--Web sites are.
It does seem a bit odd that, in the era of the iPad and cars that nearly drive themselves, technologists have been unable to puzzle out a better way to display that privacy information. The Mozilla Foundation's tentative solution is to employ the leverage it has through Firefox, used by something like 350 million people worldwide, to convince publishers to disclose their privacy practices in a standard way that would be displayed in a Web browser's address bar.
"The most important thing we can be doing now is to create the information architecture which defines what people should care about privacy," said Aza Raskin, head of user experience for Mozilla Labs. A list of eight categories used for brainstorming includes whether the Web site shares information with third parties, whether data are retained after use, whether data are encrypted, and whether collected data are personally identifiable.
A preliminary suggestion that has been submitted to the Mozilla Foundation as a set of privacy icons for Firefox. (Credit: Mozilla.org)
The Mozilla Foundation's eventual goal is to create icons as easy to understand as care labels on a shirt that say whether it should be dry cleaned or washed in cold water. Using the letter P inside a circle has been discussed, even if it bears an unfortunate resemblance to the ubiquitous blue signs for parking lots, as has borrowing icon ideas from Creative Commons. (The project is unrelated to the ad industry's recent announcement of a blue "i" icon for behavioral advertising.)
At a meeting last week in Mozilla's headquarters in Mountain View, Calif., a few dozen attendees including representatives from the Federal Trade Commission began to sketch out how a standard for privacy icons would work. "They were thinking that you might have several icons in the address bar for each site," said Seth Schoen, staff technologist at the Electronic Frontier Foundation. "Maybe they would be showing things that were good about that site's privacy practices, and maybe they would be showing things that were bad about that site's privacy practices."
Mozilla Labs' Raskin has been forthright about using privacy icons in the Web browser as a tool to reward and punish. Raskin wrote last month that: "If Firefox encounters a privacy policy that doesn't have Privacy Icons, we'll automatically display the icons with the poorest guarantees: your data may be sold to third parties, your data may be stored indefinitely, and your data may be turned over to law enforcement without a warrant, etc."
Didn't P3P do this already?
The challenge for the organization will be avoiding the problems that plagued P3P, or Platform for Privacy Preferences, an earlier effort to convince publishers to rate their own sites in a standard manner. Almost from the moment of its launch more than a decade ago, P3P began a long slide into irrelevance, and today major sites like Google.com, Apple.com, CNN.com, and Twitter.com do not use P3P to summarize their privacy policies.
At the time of its creation, though, P3P enjoyed the enthusiastic support of the World Wide Web Consortium and Internet icons like Tim Berners-Lee, who predicted that the technology would become the "keystone to resolving larger issues of both privacy and security on the Web." In an echo of what's being planned for Firefox today, Microsoft said in 2001 that Internet Explorer 6 would require ad networks to adopt P3P if they wanted their Web technology to continue to work with the new browser.
This is a recent, unrelated attempt to let people know when a Web site is using behavioral advertising, also known as interest-based advertising. (Credit: Future of Privacy Forum)
One explanation for why P3P died is that it was too complicated; the final specification tops out at a novel-length weight of 49,000 words, while the complete text of Lewis Carroll's Alice in Wonderland is only 29,000.
Or perhaps there was little actual demand on the part of Internet users, who have been known to divulge their account passwords for a chocolate bar. P3P's backers did include tech firms that hoped it would head off burdensome government regulation; when the early threat faded, so did P3P's support. (Lending credence to that theory are the vicious attacks on P3P by privacy activists clamoring for new laws, who dubbed it "pretty poor privacy" at the time.)
Few noticed when a P3P working group officially abandoned the idea in 2007, admitting in a note that "there was insufficient support from current browser implementers." An August 2009 article quoted Rigo Wenning, the editor of the final P3P draft, as saying: "We did not manage to convince the browsers, that is the big failure."
How three privacy categories grew to 17
Lorrie Cranor, a member of the P3P working group who has done extensive work on privacy statements as a faculty member at Carnegie Mellon University, says that the challenge of distilling complex and customized privacy policies into a few icons could be insurmountable. Cranor should know: At AT&T, she once created an Internet Explorer plug-in called Privacy Bird--it looks like the offspring of a duck and a parrot--that turns green when a Web site is privacy-protective and red when it is not.
"No matter where you draw the line about what's in and what's out, there are companies that just miss, and they argue that their practices aren't really so bad they should be labeled as 'bad,'" Cranor said. "And they have some unique business model that requires using data in some way that makes perfect sense to them--and consumers would understand it too if only we created a special category for them to use to explain it."
Then, Cranor says, the next thing you know is that the original two or three categories have ballooned to 15 or 17 categories to account for all of those situations. "And then the categories are so fine grained and confusing that companies misclassify themselves and users can't distinguish them anyway." (If firms agree to a few simple categories, Cranor adds, the Mozilla plan would be "feasible.")
"Privacy Bird," a 2002 browser plug-in that attempted to warn users of intrusive Web sites. (Credit: Lorrie Cranor)
The privacy icon project is part of a broader effort to ensure that Web users can control their own online experience, and is still "embryonic," says Mark Surman, executive director of the Mozilla Foundation. The plan is to "bring lawyers and product people together, but also as this unfolds it will be designers, user testing," Surman said. "Our bigger interest is that users take control of their online lives."
Mozilla is acutely aware of the problems that bedeviled P3P. Not having industry adoption is "a fail condition," says Mozilla Labs' Raskin. "Our thinking right now is that unlike P3P or the Creative Commons approach (when) you force everyone to use a template privacy policy...when you use a privacy icon, it's only making a very small tangible scope-able claim about use of data."
Another possible obstacle is inherent in self-rating: major Web sites like Google, Yahoo, and Facebook may decide that their own privacy policies drafted by their own lawyers are fine even though they trigger red warning icons in Firefox. Meanwhile, a phishing site run by the Russian mafia could falsely claim that it protects your privacy absolutely and be recommended in green by a Web browser. Or the privacy ratings may not be broad enough to capture reality.
Some of these issues can be glimpsed through PrivacyFinder.org, a P3P Web search tool created by Cranor's group at Carnegie Mellon. It awards the U.S. Department of Homeland Security a perfect rating of four out of four green boxes. But Yahoo receives a horrible rating of one of four green boxes. (FDIC.gov is awarded three out of four; National Public Radio receives two of four.)
Mozilla still has yet to resolve "the question of whose privacy policies the icon is for," said Berin Szoka, director of the center for Internet freedom at the Progress and Freedom Foundation. "Is it the publisher, or third-party ad networks on the page?"
"If you rely on the publisher to do this, they can only describe their own practices," said Szoka, who attended last week's meeting. "The problem is if you actually expect a publisher or first party to do that, you're making them responsible for knowing, and liable for, whatever any third party such as a Web analytics firm, a cookie, or an ad network is doing. It's not just as simple as describing what kind of data collection that's going on with your page."





