US Privacy Bill Battles

Just in case anyone is curious, here’s some background on the current battle in America over regulating privacy and identity information:

Schwarzenegger just vetoed AB 1656, the Consumer Data Protection Act, even though it passed 34-3 in the Senate and 74-1 in the Assembly. Here are his main arguments from the veto statement:

  1. the notification requirement is too broad and would be costly for business
  2. the bill is too static, while best practices keep changing
  3. it would distract from, and be confused with, more comprehensive industry standards
  4. penalty laws already exist and should be amended if necessary rather than replaced

In other words, he said (again) that the Payment Card Industry is fine regulating itself:

In a statement explaining his reasons for refusing to sign the bill last fall, Schwarzenegger in fact appeared to agree with such arguments. The bill – which was known as AB 779 in its previous incarnation – “attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers,” Schwarzenegger said.

The point of the bill was to give the public more leverage to push payment card entities, especially retailers and merchants, into compliance. Merchants argued that it tilted too far in favor of the financial institutions (true, and exactly why consumer advocates liked it).

Incidentally, Avivah Litan at Gartner is completely wrong on this, and her quotes in the above article are awful.

It’s also a bad idea for states to legislate data security issues in the first place, according to Litan. “Governments should stay out of the security business,” she said.

No, no, no. I cringe when I read her analysis, and I am happy to explain how and why, but I’ll leave it alone for now.

The Governor also vetoed SB 364, “Personal information: privacy,” because “this bill could lead consumers to believe that all data breaches result in identity theft. Further, this would place an additional unnecessary cost on businesses without a corresponding consumer benefit.”

On the other hand, following disclosure that Schwarzenegger and his wife had their personal health records exposed in a breach at UCLA, the Governor signed new legislation imposing fines:

“Repeated violations of patient confidentiality are potentially harmful to Californians, which is why financial penalties are needed to ensure employees and facilities do not breach confidential medical information,” Schwarzenegger said in a statement. Assemblyman Dave Jones (D-Sacramento), the author of one of the bills, AB 211, emphasized that they protect all patients, not just famous ones. “Your private medical information shouldn’t be flapping in the breeze like an open hospital gown,” he said. The other measure, SB 541, was written by Sen. Elaine Alquist (D-Santa Clara).

Similarly, President Bush just signed the Identity Theft Enforcement and Restitution Act of 2008 into law. It removes the requirement that the offense involve interstate communication, so identity theft can be prosecuted federally even when attacker and victim are in the same state; it lowers the bar for damages before charges can be brought (the old $5K minimum is gone); and it aims restitution money more toward victims, including the value of the time they spend cleaning up.

So, in conclusion: the California Governor and the American President have agreed to stronger penalties and fines in some cases but not others, and both remain weak on detection and prevention guidance for public safety.

SAFE Act of 2007 (HR 876)

GovTrack.us provides some interesting details on H.R. 876: SAFE Act of 2007:

To modernize and expand the reporting requirements relating to child pornography, to expand cooperation in combating child pornography, and for other purposes.

Here are my thoughts, after reading the full text of the bill:

  1. I have to give the usual disclaimer: I am not a lawyer and cannot give legal advice, so these are just my opinions.
  2. This bill has only just been introduced. It has not even been to committee, let alone a House vote, so it is far from becoming law and subject to change.
  3. The bill uses language like “as soon as reasonably possible, make a report of such facts or circumstances to the CyberTipline”. In other words, this bill affects an “electronic communication service provider or a remote computing service provider” that becomes aware of child pornography, which seems hardly different from existing laws that already deal with aiding and abetting. Here are the two primary differences I see from current laws:

    — Increased financial penalties for failure to report

    — Detailed data retention language — “An electronic communication service provider or a remote computing service provider shall store any image and other information relating to the facts or circumstances of any incident reported under subsection (a)(1) for not less than 180 days after the date that the report is transmitted to the National Center for Missing and Exploited Children through the CyberTipline, or for such longer period of time as may be requested by a law enforcement agency.”

    I think it would be better to set the retention requirement to “not less than 180 days after the date that the incident is discovered” rather than start the clock only after a report is transmitted; as written, a provider that delays reporting also delays the start of its retention obligation.

  4. The terms “electronic communication service provider” and “remote computing service provider” are not defined in the bill. Would a home with free wifi count? Is a business like a hotel or hospital responsible, or would it fall on the shoulders of their upstream “provider”? What if there is a disclaimer on the wifi launch page? Not clear.

Make-Believe Maverick

Make-Believe Maverick: Rolling Stone

A closer look at the life and career of John McCain reveals a disturbing record of recklessness and dishonesty

Frightening.

In its broad strokes, McCain’s life story is oddly similar to that of the current occupant of the White House. John Sidney McCain III and George Walker Bush both represent the third generation of American dynasties. Both were born into positions of privilege against which they rebelled into mediocrity. Both developed an uncanny social intelligence that allowed them to skate by with a minimum of mental exertion. Both struggled with booze and loutish behavior. At each step, with the aid of their fathers’ powerful friends, both failed upward. And both shed their skins as Episcopalian members of the Washington elite to build political careers as self-styled, ranch-inhabiting Westerners who pray to Jesus in their wives’ evangelical churches.

In one vital respect, however, the comparison is deeply unfair to the current president: George W. Bush was a much better pilot.

What was the lesson from Nixon?

“I’m sure John McCain loves his country,” says Richard Clarke, the former counterterrorism czar under Bush. “But loving your country and lying to the American people are apparently not inconsistent in his view.”