March 11, 2015
Vol. 19, Issue 2
ACM Washington Update
ACM Washington Update recaps ACM’s initiatives in the U.S. technology policy arena monthly. Please forward this newsletter to friends and colleagues in the computing community. View more details on each item below, as well as on the blog. Follow USACM on Twitter and Facebook.
- USACM submitted comments to the U.S. Copyright Office in support of a proposed exemption from the prohibition against circumventing technological measures that control access to copyrighted works.
- USACM sent letters to the new Commissioners of the Election Assistance Commission before its latest meeting.
- During the White House Cybersecurity and Consumer Protection Summit, President Obama spoke and signed an Executive Order intended to improve private sector cybersecurity information sharing.
- President Obama and the Federal Aviation Administration are taking action on drone use in the United States.
- The White House released a legislative proposal for a Consumer Privacy Bill of Rights.
On February 6, USACM submitted comments to the U.S. Copyright Office in support of a proposed exemption to the prohibitions against circumvention outlined in the Digital Millennium Copyright Act (DMCA). USACM's comments were in support of an exemption for software security research, identified in these rulemaking proceedings as Class 25. The Copyright Office is considering exemptions for 27 proposed classes of works. This is part of a triennial rulemaking process that determines exemptions to the circumvention prohibitions for the following three years.
This first comment period closed on February 6, and was for commenters in support of, or neutral to, exemptions for the proposed classes. The second round, closing on March 27, is for those opposed to the exemptions for the proposed classes. There then will be a third round of comments closing on May 1. The final round will be for supporters of exemptions for the proposed classes, or those neutral to them. Comments in this round must be in reply to comments previously submitted to the record.
USACM sent letters to each of the three newly sworn-in Commissioners of the Election Assistance Commission (EAC): Thomas Hicks, Matthew Masterson, and Christy McCormick. In the letters, USACM congratulated the new Commissioners and made the following recommendations to the EAC:
- Reestablish the Technical Guidelines Development Committee;
- Update the Voluntary Voting System Guidelines, the Voting System Testing and Certification Program Manual, and the Voting System Test Laboratory Program Manual (this was recommended by the former Co-Chairs of the Presidential Commission on Election Administration); and
- Set standards for online delivery of blank ballots and blank voter registration forms.
The EAC held its first meeting of 2015 on February 24 at its headquarters in Silver Spring, Maryland. The EAC discussed the need to update the Voluntary Voting Systems Guidelines and the program manuals for the EAC voting testing and certification programs. The EAC also accredited a testing lab. At the meeting, the Commission entered the USACM letter into the record.
On February 13, the White House hosted a Cybersecurity and Consumer Protection Summit at Stanford University. The event was announced in January as part of the Administration's rollout of cybersecurity initiatives in advance of the State of the Union address. Discussions during the Summit touched on secure payments (part of the Administration's BuySecure Initiative), public-private collaboration, and improving cybersecurity practices.
In his remarks, the President covered several computing-related topics, including work the Administration has already done on the Cybersecurity Framework. The President called for legislation on public-private information sharing and highlighted two of his Administration's legislative proposals - the Consumer Data Privacy Bill of Rights and the Student Digital Privacy Act. When discussing cyber threats, he identified four basic principles to emphasize when addressing those threats:
- Shared mission between the private sector and government
- Focus on what each sector does best
- Constantly evolve defenses
- Protect privacy and civil liberties
The Executive Order focuses on three major items to support increased cybersecurity information sharing related to critical infrastructure:
- It encourages the development of Information Sharing and Analysis Organizations (ISAOs), for-profit or nonprofit entities organized around particular affinities (such as geographic area or field of activity) that would share cybersecurity threat information with their members and with the government.
- The ISAOs will coordinate with the Department of Homeland Security's (DHS) National Cybersecurity and Communications Integration Center, which is now a critical infrastructure protection program under the Executive Order.
- DHS will work with other agencies in developing the National Industrial Security Program Operating Manual and will issue the portion pertaining to classified information shared under a designated critical infrastructure protection program.
All federal agencies' activities under this order must be conducted in consultation with senior agency personnel for privacy and civil liberties protection.
On February 15, the President issued a Presidential Memorandum on the domestic use of unmanned aircraft systems (UAS/drones). That same day, the Federal Aviation Administration (FAA) proposed new regulations for the non-hobby or non-recreational use of small UAS. The FAA is accepting comments on the proposed regulations until April 24.
The Presidential Memorandum focuses on government use of drones and the establishment of a multistakeholder process to engage commercial and private users of UAS in developing and communicating best practices in commercial and private UAS use in the National Air Space.
Government agencies shall, prior to deployment of new UAS technology, and every three years thereafter, examine their UAS policies to ensure that privacy, civil rights, and civil liberties are protected within the collection, use, retention, and dissemination of information obtained by UAS. Such policies must incorporate the following elements:
- Collection and/or use of information must be done consistent with and relevant to an authorized purpose.
- Information that may contain personally identifiable information shall not be retained for more than 180 days unless necessary to an authorized mission of the agency, required by law, or maintained in a system of records covered by the Privacy Act.
- Unless collected information is maintained in a system of records covered by the Privacy Act, it shall not be disseminated outside of the agency unless required by law or unless dissemination fulfills an authorized purpose and complies with agency requirements.
Federal agencies will need to implement policies and procedures that address accountability for those with access to UAS-collected information, promote transparency about government UAS activity in the United States, ensure nondiscriminatory data practices, and provide adequate complaint procedures for privacy, civil liberties, and civil rights concerns.
The multistakeholder engagement process will be initiated by the National Telecommunications and Information Administration (NTIA) at the Department of Commerce. The NTIA will conduct the multistakeholder process in consultation with other interested government agencies. The process also will include stakeholders from the private sector. The multistakeholder process seeks to promote the responsible commercial and private use of UAS technology and to develop a framework that considers the implications for privacy, civil rights, and civil liberties.
The FAA's proposed regulations focus on non-hobby or non-recreational operations of small UAS, defined as under 55 pounds. The FAA rules target how these UAS are flown and the criteria for certifying their operators, whereas the Presidential Memorandum addresses how UAS use can affect privacy, civil liberties, and civil rights. Under the proposed regulations, UAS operations would be restricted to daytime, and operators would need to remain within visual line-of-sight of the UAS. While acknowledging concerns about privacy, civil rights, and civil liberties in UAS operations, the FAA is deferring to the Presidential Memorandum on these issues and will participate in the multistakeholder process.
On February 27, the Obama Administration released its discussion draft for a Consumer Privacy Bill of Rights. The Administration released a framework for a Consumer Privacy Bill of Rights in 2012, calling on Congress to enact it into law. The discussion draft uses some elements of the framework.
The Consumer Privacy Bill of Rights would require covered entities to:
- Provide individuals notice of the entity's privacy and security policies, including changes to those policies.
- Provide individuals with reasonable means to control the processing of information about them, consistent with context.
- Conduct a privacy risk analysis for any processing of personal data that is not reasonable in light of the context and mitigate any identified privacy risks.
- Conduct any privacy risk analysis under the supervision of a Privacy Review Board approved by the FTC or in accordance with heightened individual transparency and individual control connected to the underlying data processing.
- Destroy, de-identify, or delete personal data within a reasonable time after it was used for the purpose(s) for which it was collected. Exceptions would be granted if a privacy risk analysis or heightened individual transparency and control were in place.
- Provide reasonable security safeguards for collected personal data.
- On request from an individual, provide access to the collected information on that person or an accurate representation of that information.
The enforcement mechanisms for the Consumer Privacy Bill of Rights would be the Federal Trade Commission (FTC) and states' attorneys general. The FTC could enforce violations of this law as unfair or deceptive trade practices. A state's attorney general could initiate a civil action if he or she believes a company has caused harm to a substantial number of that state's citizens. The FTC would need to be notified before any state action is initiated.
Companies could find a safe harbor from enforcement by complying with codes of conduct developed by an open multistakeholder process and approved by the FTC.
About Washington Update -- ACM Washington Update is produced by the ACM Public Policy Office. It highlights activities of the ACM U.S. Public Policy Council (USACM) and the ACM Education Policy Committee (EPC), as well as other events in Washington that affect the computing community.
About USACM -- The ACM U.S. Public Policy Council (USACM) is the focal point for ACM's interactions with U.S. government organizations, the computing community, and the U.S. public in all matters of U.S. public policy related to information technology.
About EPC -- The ACM Education Policy Committee (EPC) engages policymakers and the public on public policy issues that relate to computer science and computing-related education, including the importance of high-quality education at all levels to the labor market and the economy.
Views expressed are not necessarily those of ACM. To send comments, please write to firstname.lastname@example.org.