Senator Rockefeller dismisses "cybersecurity" claims as "red herring"

At a hearing yesterday, the Senate Commerce Committee took up the issue of online tracking, the browser-based Do Not Track flag, and, in an unlikely turn of events, cybersecurity. The hearing included testimony from Ohio State University Law School’s Prof. Peter Swire, Mozilla’s Alex Fowler, the Association of National Advertisers’ Bob Liodice, and TechFreedom’s Berin Szoka. While there were a number of heated moments in the hearing, the most surprising was the advertising industry’s claim that respecting consumer choice will harm "cybersecurity." This new argument from the advertising industry only raises more concerns for the civil liberties implications of online tracking and was, as Rockefeller aptly noted, little more than a "red herring."

Quick Recap: What’s Do Not Track and What’s at Stake

Do Not Track is a signal that users can set in their browsers to tell websites they don’t want their online web browsing tracked by companies with whom they have no relationship. Momentum for Do Not Track has been building over several years, inspired in part by high-profile privacy scandals as well as a comprehensive expose series by the Wall Street Journal showing that the nation's 50 top websites on average installed 64 pieces of tracking technology onto the computers of visitors, usually with no warning. Do Not Track has been endorsed by the FTC and is the cornerstone of legislation proposed by Senator Rockefeller.

The Digital Advertising Alliance (DAA), an advertising industry consortium, has adopted principles for online data collection that fall far short of Do Not Track. According to Prof. Swire’s written testimony, the exceptions in the 2011 DAA principles "are so open-ended that I have not been able to discern any limits on collection under them."  For example, he notes that the "market research" exemption includes "research about consumers," which "would seem to include keeping track of every click made by a consumer."

Senate hearing: industry argues tracking necessary for cybersecurity

The issue of cybersecurity arose when the advertising industry’s Bob Liodice struggled under questioning from Senator Rockefeller. Abandoning the meme that the advertising industry was adequately self-regulating to assuage the privacy concerns of users, Liodice switched tactics and began to argue that widespread data collection about our everyday Internet browsing habits was necessary for cybersecurity. When asked whether this included issues such as online sexual predators and identity theft, Liodice agreed.

Frankly, we’re puzzled by the purported connection between online behavioral tracking for advertising industry purposes and online sexual predators or ID theft. But Liodice’s argument raises a larger point. As a society, we’re currently grappling with the role we want our online service providers to play in policing our Internet activity. Whether it’s efforts to turn registrars into copyright police, asking ISPs to collect data on Internet users not accused of any crime, or letting companies share sensitive data with the government without a warrant, the digital age has raised a plethora of questions about the role of intermediaries working with the government. In yesterday’s Senate hearing, we heard the advertising industry admit that their near-ubiquitous online tracking program is being used for issues that are the purview of law enforcement. That raises a host of questions all on its own, but one thing is certain: with these statements we have even more reason to stand up for a surveillance-free Internet.

Senator Rockefeller was skeptical about the advertising industry’s claims that they needed to engage in pervasive online tracking for cybersecurity purposes. In response to Liodice’s pronouncement, he stated: “I just want to declare the whole cybersecurity matter a total red herring.” We certainly agree that strong cybersecurity does not necessitate surveillance of our online browsing habits by unaccountable third parties. And it’s also important to note that the DNT compromise proposal that EFF, Stanford, and Mozilla submitted to the W3C creates a special exception for security and click-fraud.

At the end of they day, strong cybersecurity is not antithetical to online privacy.  In an open letter to Congress, prominent academics, experienced engineers, and cybersecurity professionals stated this unequivocally:

We take security very seriously, but we fervently believe that strong computer and network security does not require Internet users to sacrifice their privacy and civil liberties

If you’re worried about Congress’s attempts to undermine our online privacy through misguided cybersecurity programs, please send them an email through our action center asking them to safeguard our online privacy in the cybersecurity debates.  Also check out the @EFFLive Twitter account for more coverage of yesterday’s hearing and our Do Not Track page to read more about online tracking. If you haven’t done so already, here’s a quick guide to turning on Do Not Track.