A new consumer privacy proposal in California, while well intentioned, would have a chilling effect on the innovative companies that fuel the state’s startup ecosystem, which is the envy of the world.
A Call for Cross-Border Cooperation
Engine Supports Pro-Privacy Online Surveillance Reforms
Section 702 Spying and Its Impact on Startups
Engine Applauds Senators Lee and Leahy for Introduction of ECPA Modernization Act of 2017
Engine applauds Senators Lee and Leahy for their continued work on updating the Electronic Communications Privacy Act (ECPA). The Lee-Leahy bill will modernize the nation’s electronic privacy laws and bring protections against warrantless searches into harmony with the technological realities of today.
Event Recap: Private Solutions for Public Problems
Earlier this month, Engine held its first briefing of the year: a conversation around the ways that startups are harnessing big data to drive innovation and develop targeted solutions for some of society’s greatest challenges. The event was headlined by Reps. Blake Farenthold (R-TX) and Derek Kilmer (D-WA), who were joined by a distinguished panel of startup leaders and policy analysts.
Engine Statement on House Passage of Email Privacy Act
Today, the U.S. House of Representatives passed the widely supported, broadly bipartisan Email Privacy Act, making this the second consecutive year that this common-sense update to the Electronic Communications Privacy Act (ECPA) has passed the House. The bill makes a critical update to existing digital privacy laws that clarifies that law enforcement must obtain a warrant—except in certain clearly defined emergencies—before accessing an individual's electronic communications.
Engine Welcomes House Reintroduction of the Email Privacy Act
Engine commends Congressman Kevin Yoder (R-KS), Congressman Jared Polis (D-CO), Congressman Bob Goodlatte (R-VA), Congressman John Conyers (D-MI), and the bill’s other cosponsors for today’s reintroduction of the Email Privacy Act, legislation that would make critical reforms to our nation’s outdated digital privacy laws.
2016 Year in Review: Privacy + Security
Privacy and security issues were top of mind for policymakers once again in 2016: the Apple-FBI battle pushed questions around encryption to the forefront; massive data breaches and cyberattacks called attention to cybersecurity issues; uncertainty around data transfers between the U.S. and EU persisted; and the heated debate around government access to digital communications thrust electronic privacy reform back into the spotlight. But even with all of these prominent debates, 2016 did not see much actual legislative movement. It’s unclear what will come to pass next year, but we are hopeful that any policies Congress or the new Administration pursue take into account the unique needs and realities of the evolving startup ecosystem.
Startup News Digest 12/23/16
A Big Year for Startup Policy in 2016. The Startup News Digest will be taking a hiatus over the holidays, but you can still get your startup policy fill on our blog. Yesterday, we began publishing Year in Review posts on some of 2016’s most notable debates in tech and entrepreneurship. Watch this space for reports on capital access, intellectual property, net neutrality, emerging technologies, and more over the coming days. Thanks for all of your support in 2016, and we’ll catch you in the new year!
Republicans Release Their Party Platform
As the Republican National Convention kicked off this Monday, the GOP also released the final draft of their party’s platform. The platform, which was written with input from the party’s base sourced via www.platform.gop, included generous mentions of issues important to the startup community.
Statement on Approval of EU-U.S. Privacy Shield Agreement
In the months since the original Safe Harbor agreement was invalidated by the European Court of Justice, the startup community has been in legal limbo awaiting resolution. The approval of this revised trans-Atlantic data-transfer framework brings much needed certainty for American startups with European users.
40 Startups Tell Congress: Encryption Matters
Tech Companies Take Stock of the Brexit
As the dust settles from last week’s stunning Brexit vote, the broader tech community, which staunchly supported remaining a part of the European Union (EU), is taking stock of the potential repercussions of the decision. While the United Kingdom (UK) and the EU still have to negotiate the exact terms of the deal (assuming the British can cobble together a new government committed to the Brexit), uncertainty surrounds several key issues important to the tech community.
Engine Statement on House Passage of Email Privacy Act
Today, the U.S. House of Representatives passed the widely supported, broadly bipartisan Email Privacy Act by a unanimous vote of 419-0. The bill would make long overdue updates to the Electronic Communications Privacy Act (ECPA) to bring our digital privacy laws into the 21st century. Specifically, the bill would clarify that law enforcement must obtain a warrant—except in certain clearly defined emergencies—before accessing individuals’ electronic communications.
The Tech Community Is Mobilizing Against the Burr-Feinstein Encryption Bill
It is hard to overstate how incredibly dangerous and foolish the Burr-Feinstein “Compliance with Court Orders Act of 2016” draft legislation is and even harder to believe it was coauthored by California’s senior senator, Dianne Feinstein, D-Calif., and Sen. Richard Burr, R-N.C.
Engine Statement on House Judiciary Committee Approval of ECPA Reform Bill
Apple, Encryption, and the Future of Digital Security
This week, a U.S. District Court judge ruled that Apple must assist the Federal Bureau of Investigation (FBI) by providing technical assistance to help the Bureau unlock the iPhone used by one of the San Bernardino shooters. While a resolution to this litigation is far off (due to likely appeals), the case has suddenly catapulted the debate over privacy, security, and encryption into the headlines of nearly every major news outlet in the United States and beyond. And though this case is specific to Apple—the manufacturer and licensor of the hardware and embedded software—the ramifications of the final decision in the case may have a profound impact, both in the technology industry and beyond.
While this isn’t the first time that policymakers have grappled with serious questions related to encryption and digital security—just last year, the White House backed away from a proposal seeking “backdoors” into encrypted devices after a multitude of stakeholders spoke out about the dangers of such anti-security measures—it is likely the most difficult case yet involving such issues. Certainly, the FBI has a strong interest in thoroughly investigating terrorist activity and preventing such acts in the future. Technology companies also care deeply about stopping criminal activity, which is why this is such a difficult problem: though the FBI’s request is tailored to investigating a specific terrorist activity, it will ultimately weaken security standards and may lead to serious vulnerabilities that will put countless consumers at risk.
In the past, Apple has cooperated with law enforcement to unlock phones in order to gain access to information, at least when doing so was technologically feasible. This situation is slightly different, as the court order requires Apple to create an entirely new version of Apple’s operating system (OS) to allow the government to circumvent security features that Apple built into its OS to prevent brute force attacks. This software will effectively make brute force attacks on encrypted devices possible—whether it’s the FBI attempting to brute force the phone or anyone else that has access to the software. Though the FBI says it intends to use this modified OS in this situation only, the spate of high-profile hacks and data breaches over the past year (including a breach of sensitive government information) should cast doubt on any such guarantees.
And, while some may argue that Apple’s strong opposition to the FBI’s request in this case demonstrates that any future requests for similar security circumvention activities will be limited to only the most extreme circumstances, that only holds true if the company being tasked with providing access to encrypted information has the resources to mount such a robust legal challenge. The startups that are responsible for so much of the tech sector’s growth have nowhere near the legal resources needed to fight spurious requests for dangerous encryption backdoors. Establishing a precedent that obligates companies to undermine the security measures that keep millions of consumers and their data safe from criminals will only increase the chances that these security circumvention technologies are employed in spurious cases or, worse, fall into the wrong hands.
Law enforcement is fully justified in attempting to do everything possible to prevent future terrorist attacks, just as Apple is fully justified in arguing that what the FBI wants could have serious negative repercussions for the security of its users. But, the security vulnerabilities that could arise by forcing Apple to undermine the strong encryption technologies it has built into its products should make anyone think twice about establishing such a dangerous precedent.
EU and U.S. Policymakers Agree on Safe Harbor 2.0, Ending Months of Uncertainty for Startups
The European Court of Justice’s rejection last October of the European Commission’s so-called “safe harbor” agreement with the U.S. forced many American startups to grapple with a difficult choice: spend considerable time and money trying to find a different mechanism to legally import EU consumer data or sit tight and hope regulators worked it out before member states started filing lawsuits. Neither option was particularly appealing, and thankfully, the EC’s announcement this morning that negotiators had reached a framework agreement on Safe Harbor 2.0 (rebranded as “Privacy Shield”) removes some of the uncertainty startups have faced over the past three months. But does this tentative framework provide the future-proof, legal certainty that is essential for startups operating in the EU?
For those of you who are just tuning in, here’s a quick refresher: the EU’s Data Protection Directive imposes certain obligations on how entities in different countries can handle data from EU consumers. To help streamline compliance, the EC and U.S. entered into an agreement that allowed U.S. companies to self-certify compliance with the Directive and thereby legally transfer data across the Atlantic. This system worked quite well in facilitating EU-U.S. data flows, until the ECJ issued a ruling in October that U.S. laws permitting the NSA to conduct mass surveillance of consumer data violated the Data Protection Directive, thereby voiding the safe harbor and opening up the door to potential legal action against companies that continued to import EU consumer data without a different legal justification.
Policymakers in the EC and the U.S. Department of Commerce promptly got to work on a new safe harbor agreement but faced considerable time pressure, as European Data Protection Agencies were set to commence enforcement proceedings against non-compliant companies if the parties could not reach an agreement by January 31. Crafting an important international agreement in such a relatively short time frame was a challenging endeavor, and as Sunday’s deadline approached, the possibility of a world without safe harbor began to set in.
For many U.S. companies that had previously relied on the safe harbor, failing to finalize a new agreement would be an inconvenience, but hardly insurmountable. Large multinationals had many alternative data transfer pathways at their disposal, like Binding Corporate Rules or Model Contractual Clauses. Others could simply set up servers overseas and process EU consumer data locally. But, these strategies were only feasible for those with enormous financial resources and a legal staff sufficient to navigate 28 different state data agencies and regulations—resources that small, cash-strapped startups just don’t have.
Consequently, startups faced a much more dire situation, and many simply had no idea how to proceed. Some mature, better-funded startups followed the lead of larger tech companies, working up model contract clauses, often at the behest of international partners that wouldn’t proceed without such agreements. Others hoped that updates to their privacy policies and consent processes would suffice, though this was something of a legal gamble and a potential disruption to business (how many consumers enjoy having to click through new popup consent forms?). Some companies, devoid of other sensible options, planned to continue business as usual, expecting that policymakers would eventually craft a solution and hoping they were too small to draw the ire of member state regulators if no agreement could be reached.
The EC’s Tuesday announcement of a “political agreement” was therefore met with cautious optimism and relief. The hard work that the EC and the U.S. Department of Commerce put in over the past few months paid off, pulling out an agreement at the eleventh hour and returning stability and some certainty to the international data flows that make the Internet work. Going forward, consumers and companies on both sides of the Atlantic should hope that this newly formulated “Privacy Shield” will provide a simple, well-defined framework for data exchange, so long as it remains in force. But this difficult experience should serve as a reminder of how the heavy burden of regulatory uncertainty often falls hardest on the smallest players. Startups that made user security and privacy a central part of their companies were nevertheless caught in an international dispute between national governments and multinational companies with few feasible options to stay square with laws that quickly became unclear. In the end, the drama surrounding Safe Harbor 2.0 is both a win for prompt, sensible policymaking and a lesson of how policy disputes can impact the startup sector in unexpected ways.
Startup News Digest: 1/22/2015
Our weekly take on some of the biggest stories in startup and tech policy.
Safe Harbor Agreement Nears Deadline. With a January 31st deadline looming, there is more pressure than ever for the U.S. and EU to wrap up negotiations around a “Safe Harbor 2.0” agreement. In a letter sent to U.S. and EU leaders last Friday, industry stakeholders emphasized that “the consequences could be enormous for the thousands of businesses and millions of users impacted” if a deal is not reached. But another setback came this week when the Senate Judiciary Committee postponed consideration of the Judicial Redress Act. The bill, which would extend rights to judicial redress to citizens of the EU and other designated countries, is seen as essential to advancing an updated safe harbor agreement. This delay makes it even less likely that a deal will be reached in time, the ramifications of which could disproportionately impact startups.
Another Proposal to Weaken Encryption. Another week, another misguided state bill seeking to weaken encryption. The legislation comes from a California Assemblymember whose proposal would prohibit the sale of smartphones in the state with unbreakable encryption. A similar New York bill requiring a “backdoor” for encrypted technologies was covered in last week's digest. In an opinion piece, Christian Dawson of the i2Coalition does a good job breaking down why policies like these would stifle the Internet economy. He writes, “If the U.S. government were to institutionalize backdoors, it would be a heavy burden to businesses, and an operational lift that would likely force a large number of small companies to shut their doors.” We couldn’t agree more.
Verizon Joins the Zero Rating Crowd. Tuesday morning, Verizon announced a new sponsored data program, FreeBee Data, renewing debate around “zero rating” programs and whether they violate net neutrality principles. Under the FreeBee program, content providers have the option to pay Verizon a fee to exempt their content from customers’ monthly data caps. Verizon is the third wireless provider to offer a cap-exempt data program—AT&T has been running a similar sponsored data program since 2014 and T-Mobile has its own video-specific service, BingeOn (which has come under intense fire in recent weeks). The FCC’s Open Internet rules don’t explicitly outlaw “zero rating” programs, but the agency reviews them on a case-by-case basis to determine whether the service harms consumers or businesses. They recently requested meetings with both AT&T and T-Mobile on their programs, and have said that they were notified by Verizon about FreeBee. We’re tracking.
A Grim Outlook for Startup Financing? Recent turbulence in the global stock market may have an impact on 2016 startup financing, the Washington Post reported this week. Volatility in the public markets has many investors considering whether some growing tech startups have been overvalued, a concern that's "likely to trigger a wider pause, denying funds for the innovators that disrupt industries and create new markets." Not good. And while 2015 was a banner year for VC investment, with $72.3 billion going into venture-backed companies in the U.S. (the highest since the dot-com boom), activity slowed by the fourth quarter, suggesting changing investor sentiment. Further, tech IPOs were significantly down in 2015 as companies are treading cautiously into the public markets. 2016 may prove to be an especially important year for policy that promotes greater capital access.
VC Sets New Diversity Standards. Kapor Capital, a longtime leader in its commitment to diversity in the tech industry, announced a new set of standards for its portfolio companies this week. TechCrunch calls it “a four-part roadmap for startups to foster diverse and inclusive cultures early on.” This commitment will soon become one of the terms in all Kapor’s future investment agreements. Portfolio companies will be required to establish diversity and inclusion goals, invest in tools and resources that assist in mitigating bias, organize volunteer opportunities for employees, and participate in Kapor’s diversity and inclusion workshops. Way to put their money where their mouth is!