E-Commerce Law Week, Issue 410

NSA and Telcos Continue To Face Heat; Financial Industry Joins Them on Government Surveillance Hot-Seat
The National Security Agency continues to draw fire over allegations that three major telecommunications carriers provided it with the non-content call records of millions of customers for datamining purposes, as well as over its warrantless wiretapping program.  On June 21, the House Judiciary Committee approved a resolution "requesting" the President and "directing" the Attorney General to provide lawmakers with all documents relating to requests made by NSA and other agencies for customer records held by telephone service providers.  Also last week, two Missouri Public Service Commissioners served a series of subpoenas to determine whether AT&T violated the state's privacy laws by providing the government with customer calling records. Meanwhile, it is becoming clearer that companies in other industries will soon begin to feel the heat, too. On June 23, the New York Times broke news that the U.S. government used administrative subpoenas to access huge volumes of records of the Society for Worldwide Interbank Financial Telecommunication, or SWIFT, to examine money transfers. And Ron Suskind's new book about the Bush Administration's national security policies, The One Percent Solution, reveals that First Data Corporation, a major processor of credit card transactions and the parent company of Western Union, provided the FBI with "real-time" information on credit card transactions and wire transfers around the world shortly after 9/11.

One can expect that other financial and communications companies may also have cooperated with the government by providing data in unorthodox ways.  If their cooperation leaks out, which seems inevitable these days, those companies will also find themselves under the white-hot lights of media scrutiny and lawsuits as well. Such companies would be well advised to begin thinking hard about how they will deal with the likely onslaught.

Caster of Stones Catches One in the Eye: FTC Suffers Data Security Breach
The Federal Trade Commission, famous in these parts for zealously applying the "unfair or deceptive ... practices" clause of the FTC Act to companies with data security practices it deems inadequate, found the shoe on the other foot on June 22 when it revealed that laptops containing personal information had been stolen from an FTC employee's car. According to the FTC's statement, one of the two laptops stolen contained personal information "gathered in law enforcement investigations," including "names, addresses, Social Security numbers, dates of birth, and in some instances, financial account numbers." The Commission is notifying "approximately 110 individuals" -- some of whom "are defendants in current and past FTC cases" -- that their personal information has been compromised. The statement does not say, but poetic justice would seem to demand that at least some of those defendants have been under investigation for their own data security failings.

Pataki Promulgates Privacy Protection Package
New York Gov. George Pataki signed a trio of privacy-related measures into law earlier this month that -- combined with the state's breach notification law enacted last year -- will give New Yorkers one of the nation's most comprehensive anti-identity theft regimes. Once in effect, A. 8456, A. 8025, and A. 7349 will amend the state's general business law to, respectively, require proper destruction of records containing identifying information, outlaw phishing, and allow consumers to put security freezes on their credit reports. The data destruction law is particulary important for companies that do business in New York, as it imposes a broad new privacy obligation on them. It also makes it more likely that appropriate data destruction will be regarded as a necessary element of any "adequate" security policy when it comes to the emerging standard of "reasonable care" in data security breach cases.

Interconnected VoIP Providers Must Contribute to Universal Service Fund
The FCC adopted an order on June 21 requiring "interconnected" Voice over Internet Protocol (VoIP) providers to contribute to the universal service fund ("USF"), at least on an interim basis while the FCC considers more fundamental reform. The USF is a program administered by the FCC to subsidize the provision of communications services to low-income consumers and high-cost areas, as well as to eligible schools, libraries and health care providers. Telecommunications carriers and certain other providers of interstate telecommunications must contribute a percentage of their gross end-user revenues to the USF. While subjecting interconnected VoIP providers to USF liability will increase the revenue base for universal service funding, as the FCC intended, it will also likely increase the rates that interconnected VoIP providers charge for their services. The FCC's order, which has yet to be released, also raises important questions as to the regulatory classification of VoIP services under the Communications Act.

ITAA Warns of the Risks of Applying CALEA to VoIP
When two of the fathers of the Internet and public key encryption talk, people tend to take notice. At least, that's what some VoIP providers may be hoping. In a recent study by the Information Technology Association of America (ITAA), Vinton Cerf, Whitfield Diffie, and seven other well-respected technologists examine the "potentially dangerous" consequences of "blindly" applying the wiretapping requirements of the Communications Assistance for Law Enforcement Act (CALEA) to "all forms of VoIP, regardless of the technology involved in its implementation." According to the study, such a blanket approach could "introduce serious security risks to domestic VoIP implementations" and significantly impair the United State's "ability to innovate." But the authors provide no advice on how law enforcement's wiretapping needs might actually be addressed without creating such problems.  Indeed, they don't even appear to recognize that law enforcement has legitimate concerns.  This will make the report less influential in the power corridors of Washington than it might otherwise have been, meaning the paper will probably do little to delay the extension of CALEA to VoIP, starting with VoIP that "interconnects" with the Public Switched Telephone Network.

European Online Strategy Declaration Contains a Possible Gold Nugget for ISPs
Governmental ministers of the 25 EU member states and 9 countries potentially eligible for EU membership, meeting in Riga, Latvia, earlier this month, unanimously adopted a ministerial declaration on "ICT [information and communications technologies] for an inclusive society" (the "eInclusion Declaration"). As in many other EU declarations, concrete proposals for action are rather thin on the ground in this document. But this appears not to be true in at least one significant respect -- the eInclusion Declaration proposes the use of EU budgetary funds to expand EU broadband coverage, primarily in rural areas, including the use "where appropriate" of EU Structural Funds (which are longstanding funds used for a variety of purposes -- including road building, for example) and the new EU Rural Development Fund (which is aimed at re-directing some of the EU rural development budget away from agricultural subsidies to other areas). The goal is to "increas[e] the availability of broadband in under-served locations [and] aim[] for broadband coverage to reach at least 90% of the EU population by 2010." The apparently real possibility that the eInclusion Declaration will lead to the EU's budgeting significant funds for broadband services in under-served areas promises a potentially significant boon for ISPs that serve such areas.

Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.