E-Commerce Law Week, Issue 490

January 2008: The Beginning of the End of Anonymity on the Internet?

How do you know the cutie you met online isn't a serial killer?  And how do you know your kid's new online pal is really another kid -- and not a 40-year old pervert (or a twisted neighbor).  The fact is, you don't.  But as social networking and dating sites have boomed in popularity, so has concern about the ability of predators to hide behind Internet pseudonyms.  Two events so far this month could mark the beginning of serious government efforts to start limiting users' ability to stay anonymous on the Internet.  First, MySpace and attorneys general from 49 states and the District of Columbia agreed on a set of principles that social networking sites should follow to help protect minors from "exposure to inappropriate content and unwanted contact by adults," along with a list of steps that MySpace is taking to comply with these principles.  Among other things, MySpace agreed to organize an industry-wide Internet Safety Technical Task Force that will "explore and develop age and identity verification tools for social networking web sites."  Second, New Jersey's new Internet Dating Safety Act, requires any Internet dating service offering its services in the Garden State to inform New Jersey users whether it performs criminal background screenings and to educate them about the dangers of Internet dating.  (These actions follow a settlement between Facebook and New York's attorney general last October, in which Facebook agreed to appoint an Independent Safety and Security Examiner, respond to complaints about inappropriate material within 24 hours, and revise its representations regarding user safety.)  While these are modest steps, one day we may look back on 2008 as the beginning of the end of the Internet's Wild West phase, when anonymous communication and unfiltered content were done in by posses of angry parents and state lawmen (and women).  The hoary days (2000) when the U.S. Attorney General got slammed by civil libertarians simply for stating that Internet anonymity is a "thorny issue" are long past.  

President and Congress in FISA Face-Off Once Again

With last summer's temporary amendment to the Foreign Intelligence Surveillance Act (FISA) slated to sunset February 1, the President and Congress are squaring off for another last-minute showdown over the future of FISA.  The main sticking point remains the question of whether to provide retroactive immunity for telecoms that allegedly cooperated with the government's Terrorist Surveillance Program, which involved warrantless wiretapping that was not authorized under FISA.  As we previously reported, H.R. 3773, which passed the House last November, does not grant telecoms retroactive immunity.  In the Senate, the question remains up in the air, with the Intelligence Committee's bill (S. 2248) providing retroactive immunity, but the Judiciary Committee's amendment not providing it.  The Bush administration has expressed strong opposition to any version that lacks a retroactive immunity provision, but Senator Christopher Dodd (D-CT) continues to threaten to filibuster any legislation that contains such a provision.  The Administration also opposes other provisions of the Senate bill, but it does not seem likely that those provisions would draw a veto if the final bill provides retroactive immunity.

Massachusetts Proposes Strict Data Security Measures, Including the Use of Encryption

The Massachusetts Office of Consumer Affairs and Business Regulation has released proposed regulations for implementing data security requirements contained in a Massachusetts breach notification law enacted last August.  As we previously reported, the Office was tasked with preparing regulations "to safeguard the personal information of [ Massachusetts] residents."  The proposed regulations interpret this mandate broadly.  They would require any entity that holds personal information about a Massachusetts resident not only to develop and maintain a written information security program, but also to use a firewall, antispyware, and antivirus software, and physical access restrictions to protect the information.  In addition, the regulations would require such entities to use strong encryption when transmitting personal information "across public networks," making Massachusetts the second state (after Nevada) to specifically require encryption.  The Massachusetts regulations thus continue a significant trend toward governments' specifying the means that businesses must use to implement data security.

EC to Member States on Data Retention:  HURRY UP PLEASE IT'S TIME

The European Commission in late November sent formal letters to 19 EU member states, asking them to explain their failure to meet a September deadline for notifying the EC of their "transposition" of portions of the EU Data Retention Directive (EEC/24/06) into national law.  Eight member states -- France, the United Kingdom, Spain, Belgium, Latvia, Denmark, the Czech Republic, and Estonia -- had notified the Commission of their transposition measures before the EC's winter holiday.  The EC asked the remaining 19 member states to respond to its letters by January 27, 2008.  As we have previously reported, the Directive requires EU providers of publicly available electronic communications services and public communications networks to retain traffic and location data (but not communications content) for six to 24 months.  While EU member states were required to implement some provisions of the Directive by September 15, 2007, most chose to exercise a right to extend this deadline to March 15, 2009 for Internet access, Internet telephony, and Internet email services.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.