Privacy & Data Security

The Tech Community Is Mobilizing Against the Burr-Feinstein Encryption Bill

It is hard to overstate how incredibly dangerous and foolish the Burr-Feinstein “Compliance with Court Orders Act of 2016” draft legislation is and even harder to believe it was coauthored by California’s senior senator, Dianne Feinstein, D-Calif., and Sen. Richard Burr, R-N.C.

Engine Statement on House Judiciary Committee Approval of ECPA Reform Bill

Engine applauds the House Judiciary Committee’s action today to approve the Email Privacy Act, which makes much-needed reforms to the outdated Electronic Communications and Privacy Act (ECPA) by explicitly requiring law enforcement to obtain a warrant before accessing digital communications.

Apple, Encryption, and the Future of Digital Security

This week, a U.S. District Court judge ruled that Apple must assist the Federal Bureau of Investigation (FBI) by providing technical assistance to help the Bureau unlock the iPhone used by one of the San Bernardino shooters. While a resolution to this litigation is far off (due to likely appeals), the case has suddenly catapulted the debate over privacy, security, and encryption into the headlines of nearly every major news outlet in the United States and beyond. And though this case is specific to Apple—the manufacturer and licensor of the hardware and embedded software—the ramifications of the final decision in the case may have a profound impact, both in the technology industry and beyond.

While this isn’t the first time that policymakers have grappled with serious questions related to encryption and digital security—just last year, the White House backed away from a proposal seeking “backdoors” into encrypted devices after a multitude of stakeholders spoke out about the dangers of such anti-security measures—it is likely the most difficult case yet involving such issues. Certainly, the FBI has a strong interest in thoroughly investigating terrorist activity and preventing such acts in the future. Technology companies also care deeply about stopping criminal activity, which is why this is such a difficult problem: though the FBI’s request is tailored to investigating a specific terrorist activity, it will ultimately weaken security standards and may lead to serious vulnerabilities that will put countless consumers at risk.

In the past, Apple has cooperated with law enforcement to unlock phones in order to gain access to information, at least when doing so was technologically feasible. This situation is slightly different, as the court order requires Apple to create an entirely new version of Apple’s operating system (OS) to allow the government to circumvent security features that Apple built into its OS to prevent brute force attacks. This software will effectively make brute force attacks on encrypted devices possible—whether it’s the FBI attempting to brute force the phone or anyone else that has access to the software. Though the FBI says it intends to use this modified OS in this situation only, the spate of high-profile hacks and data breaches over the past year (including a breach of sensitive government information) should cast doubt on any such guarantees.

And, while some may argue that Apple’s strong opposition to the FBI’s request in this case demonstrates that any future requests for similar security circumvention activities will be limited to only the most extreme circumstances, that only holds true if the company being tasked with providing access to encrypted information has the resources to mount such a robust legal challenge. The startups that are responsible for so much of the tech sector’s growth have nowhere near the legal resources needed to fight spurious requests for dangerous encryption backdoors. Establishing a precedent that obligates companies to undermine the security measures that keep millions of consumers and their data safe from criminals will only increase the chances that these security circumvention technologies are employed in spurious cases or, worse, fall into the wrong hands.

Law enforcement is fully justified in attempting to do everything possible to prevent future terrorist attacks, just as Apple is fully justified in arguing that what the FBI wants could have serious negative repercussions for the security of its users. But, the security vulnerabilities that could arise by forcing Apple to undermine the strong encryption technologies it has built into its products should make anyone think twice about establishing such a dangerous precedent.

EU and U.S. Policymakers Agree on Safe Harbor 2.0, Ending Months of Uncertainty for Startups

The European Court of Justice’s rejection last October of the European Commission’s so-called “safe harbor” agreement with the U.S. forced many American startups to grapple with a difficult choice: spend considerable time and money trying to find a different mechanism to legally import EU consumer data or sit tight and hope regulators worked it out before member states started filing lawsuits. Neither option was particularly appealing, and thankfully, the EC’s announcement this morning that negotiators had reached a framework agreement on Safe Harbor 2.0 (rebranded as “Privacy Shield”) removes some of the uncertainty startups have faced over the past three months. But does this tentative framework provide the future-proof, legal certainty that is essential for startups operating in the EU?

For those of you who are just tuning in, here’s a quick refresher: the EU’s Data Protection Directive imposes certain obligations on how entities in different countries can handle data from EU consumers. To help streamline compliance, the EC and U.S. entered into an agreement that allowed U.S. companies to self-certify compliance with the Directive and thereby legally transfer data across the Atlantic. This system worked quite well in facilitating EU-U.S. data flows, until the ECJ issued a ruling in October that U.S. laws permitting the NSA to conduct mass surveillance of consumer data violated the Data Protection Directive, thereby voiding the safe harbor and opening up the door to potential legal action against companies that continued to import EU consumer data without a different legal justification.

Policymakers in the EC and the U.S. Department of Commerce promptly got to work on a new safe harbor agreement but faced considerable time pressure, as European Data Protection Agencies were set to commence enforcement proceedings against non-compliant companies if the parties could not reach an agreement by January 31. Crafting an important international agreement in such a relatively short time frame was a challenging endeavor, and as Sunday’s deadline approached, the possibility of a world without safe harbor began to set in.

For many U.S. companies that had previously relied on the safe harbor, failing to finalize a new agreement would be an inconvenience, but hardly insurmountable. Large multinationals had many alternative data transfer pathways at their disposal, like Binding Corporate Rules or Model Contractual Clauses. Others could simply set up servers overseas and process EU consumer data locally. But, these strategies were only feasible for those with enormous financial resources and a legal staff sufficient to navigate 28 different state data agencies and regulations—resources that small, cash-strapped startups just don’t have.

Consequently, startups faced a much more dire situation, and many simply had no idea how to proceed. Some mature, better-funded startups followed the lead of larger tech companies, working up model contract clauses, often at the behest of international partners that wouldn’t proceed without such agreements. Others hoped that updates to their privacy policies and consent processes would suffice, though this was something of a legal gamble and a potential disruption to business (how many consumers enjoy having to click through new popup consent forms?). Some companies, devoid of other sensible options, planned to continue business as usual, expecting that policymakers would eventually craft a solution and hoping they were too small to draw the ire of member state regulators if no agreement could be reached.

The EC’s Tuesday announcement of a “political agreement” was therefore met with cautious optimism and relief. The hard work that the EC and the U.S. Department of Commerce put in over the past few months paid off, pulling out an agreement at the eleventh hour and returning stability and some certainty to the international data flows that make the Internet work. Going forward, consumers and companies on both sides of the Atlantic should hope that this newly formulated “Privacy Shield” will provide a simple, well-defined framework for data exchange, so long as it remains in force. But this difficult experience should serve as a reminder of how the heavy burden of regulatory uncertainty often falls hardest on the smallest players. Startups that made user security and privacy a central part of their companies were nevertheless caught in an international dispute between national governments and multinational companies with few feasible options to stay square with laws that quickly became unclear. In the end, the drama surrounding Safe Harbor 2.0 is both a win for prompt, sensible policymaking and a lesson of how policy disputes can impact the startup sector in unexpected ways.

Startup News Digest: 1/22/2015

Our weekly take on some of the biggest stories in startup and tech policy. 

Safe Harbor Agreement Nears Deadline. With a January 31st deadline looming, there is more pressure than ever for the U.S. and EU to wrap up negotiations around a “Safe Harbor 2.0” agreement. In a letter sent to U.S. and EU leaders last Friday, industry stakeholders emphasized that “the consequences could be enormous for the thousands of businesses and millions of users impacted” if a deal is not reached. But another setback came this week when the Senate Judiciary Committee postponed consideration of the Judicial Redress Act. The bill, which would extend rights to judicial redress to citizens of the EU and other designated countries, is seen as essential to advancing an updated safe harbor agreement. This delay makes it even less likely that a deal will be reached in time, the ramifications of which could disproportionately impact startups.

Another Proposal to Weaken Encryption. Another week, another misguided state bill seeking to weaken encryption. The legislation comes from a California Assemblymember whose proposal would prohibit the sale of smartphones in the state with unbreakable encryption. A similar New York bill requiring a “backdoor” for encrypted technologies was covered in last week's digest. In an opinion piece, Christian Dawson of the i2Coalition does a good job breaking down why policies like these would stifle the Internet economy. He writes, “If the U.S. government were to institutionalize backdoors, it would be a heavy burden to businesses, and an operational lift that would likely force a large number of small companies to shut their doors.” We couldn’t agree more.

Verizon Joins the Zero Rating Crowd. Tuesday morning, Verizon announced a new sponsored data program, FreeBee Data, renewing debate around “zero rating” programs and whether they violate net neutrality principles. Under the FreeBee program, content providers have the option to pay Verizon a fee to exempt their content from customers’ monthly data caps. Verizon is the third wireless provider to offer a cap-exempt data program—AT&T has been running a similar sponsored data program since 2014 and T-Mobile has its own video-specific service, BingeOn (which has come under intense fire in recent weeks). The FCC’s Open Internet rules don’t explicitly outlaw “zero rating” programs, but the agency reviews them on a case-by-case basis to determine whether the service harms consumers or businesses. It recently requested meetings with both AT&T and T-Mobile on their programs, and has said that it was notified by Verizon about FreeBee. We’re tracking.

A Grim Outlook for Startup Financing? Recent turbulence in the global stock market may have an impact on 2016 startup financing, the Washington Post reported this week. Volatility in the public markets has many investors considering whether some growing tech startups have been overvalued, a concern that's "likely to trigger a wider pause, denying funds for the innovators that disrupt industries and create new markets." Not good. And while 2015 was a banner year for VC investment, with $72.3 billion going into venture-backed companies in the U.S. (the highest since the dot-com boom), activity slowed by the fourth quarter, suggesting changing investor sentiment. Further, tech IPOs were significantly down in 2015 as companies are treading cautiously into the public markets. 2016 may prove to be an especially important year for policy that promotes greater capital access.

VC Sets New Diversity Standards. Kapor Capital, a longtime leader in its commitment to diversity in the tech industry, announced a new set of standards for its portfolio companies this week. TechCrunch calls it “a four-part roadmap for startups to foster diverse and inclusive cultures early on.” This commitment will soon become one of the terms in all Kapor’s future investment agreements. Portfolio companies will be required to establish diversity and inclusion goals, invest in tools and resources that assist in mitigating bias, organize volunteer opportunities for employees, and participate in Kapor’s diversity and inclusion workshops. Way to put their money where their mouth is!

Startup News Digest: 1/15/2016

Our weekly take on some of the biggest stories in startup and tech policy. 

Obama’s Final SOTU. President Obama addressed Congress Tuesday evening in his seventh and final State of the Union, which included a few nods to the tech industry and startups, too. He remarked on some upcoming proposals from the White House, including a push to bring computer science education to more schools. The president also spoke of the country's rich history of innovation, as well as the challenges workers face in the new technology-driven economy. "In this new economy, workers and start-ups and small businesses need more of a voice, not less. The rules should work for them."

Encryption Debate Continues. A new bill was introduced in the New York State Assembly this week that would essentially disable strong encryption on all smartphones sold in the state. If passed, it would be the first state law requiring a “backdoor” for encrypted technologies—something that is not only constitutionally questionable, but also not technically feasible without undermining the security of the system as a whole. The tech industry has been pushing back against these “backdoors” at all levels of government. Just last week at a counterterrorism discussion between high-level federal officials and tech leaders, Apple CEO Tim Cook called on the administration to issue a statement defending the use of unbreakable encryption. The White House has yet to take an official position on encryption.

New Regs and Report for Ride-Sharing in NYC. The New York City Council will soon introduce new legislation regulating for-hire vehicles, the Wall Street Journal reported last week. The proposed legislation would require for-hire vehicle services such as Uber and Lyft to make their cars more accessible to the disabled, among other regulations that may address surge pricing. These new laws could be introduced as soon as next week, following today’s release of the highly anticipated traffic congestion report from the Mayor's office. The study, which examines the impact of new ride-sharing services on the city’s traffic, was commissioned by New York City Mayor Bill de Blasio last summer after proposals to cap the number of for-hire vehicles were defeated. We’ve just started digging into it, but among other things, it claims “For-hire vehicles are a vital part” of the city’s transportation mix and does not blame any one company for local congestion. We’ll be watching whether the report’s findings will influence the city council’s new legislation.

Big News for Autonomous Vehicles. 2016 is shaping up to be the year of the autonomous vehicle. At last week’s Consumer Electronics Show, a number of automakers announced their forays into this rising market. Then, on Thursday the Obama Administration unveiled plans to include $4 billion for autonomous vehicle R&D in the proposed 2017 budget. The Administration also promised to issue regulatory guidance for companies around compliance with safety standards within six months. The federal government has remained relatively hands off in this new market, but the Administration’s announcement this week represents a new level of involvement and a huge win for proponents of this growing technology.

The Size of the Sharing Economy. The results are in. A recent and first-of-its-kind poll conducted this fall found 44 percent of American adults have participated in the sharing and on-demand economy—that's over 90 million people who've booked a room on Airbnb, hopped in an Uber, or ordered groceries from Instacart. The poll also found that 22 percent of American adults have offered goods or services through these new platforms in exchange for income. And despite a spate of recent lawsuits over worker classification, the vast majority of these workers describe their experiences as positive.

The State of Computer Science. Code.org, a national organization dedicated to expanding computer science education, published its 2015 report, revealing K-12 student enrollment in computer science courses is growing nationwide. Today, 25 percent of U.S. schools teach computer science and programming, and several major school districts including New York and Chicago have made recent pledges to offer the subject in every school. Computer science is also the fastest-growing AP course of the past decade.

Americans Online. Last week, the Federal Communications Commission released updated numbers on broadband access in the U.S. While the percentage of Americans with access to advanced broadband has improved over the past year, there are still 34 million Americans (or about 10 percent of the country) who lack access to broadband at sufficient speeds. While this report suggests improvements in the broadband ecosystem, more needs to be done to connect the 34 million currently cut off from broadband opportunity.

2015 Year in Review: Regulating the New Economy

This post is one in a series of reports on significant issues for startups in 2015. In the past year, the startup community’s voice helped drive notable debates in tech and entrepreneurship policy, but many of the tech world’s policy goals in 2015, such as immigration and patent reform, remain unfulfilled. Check back for more year-end updates and continue to watch this space in 2016 as we follow policy issues affecting the startup community.

by Anna Duning and Evan Engstrom

The ever-increasing pace of technological development and expanding reach of innovative enterprises into well-regulated industries has put considerable strain on the nation’s policymaking apparatus. As new technologies (such as recreational drones) become more popular and new platforms integrate everyday activities (such as transit) with technology, policymakers are faced with difficulties in crafting forward-thinking policies or adapting existing regimes to new technologies. In 2015, we saw this phenomenon play out in a variety of ways all across the country at the municipal, state, and federal levels.

New Devices, New Rules

In 2015, the drone market grew exponentially, with more than 400,000 drones sold. The increasing presence of unmanned aircraft—and the corresponding rise in reports of rogue drones posing safety hazards to commercial aircraft and stoking privacy concerns—prompted the Feds to introduce new regulations for recreational drones this year. The Federal Aviation Administration, along with the Transportation Security Administration, ultimately came up with a drone registry for hobbyists, requiring recreational pilots to enter their devices into a new national database. Commercial drones from the likes of Google, Amazon, and even Wal-Mart are also expected to take to the skies in the new year. These companies have all been part of a lobbying effort to keep new regulations limited and reasonable.

As the age of widely-available autonomous vehicles nears (Tesla says within two years), state lawmakers are grappling with how to establish the appropriate safety and regulatory standards for what will surely be one of the most disruptive technologies deployed in recent memory. Cybersecurity, accident liability, and basic road rules are all pressing concerns. Several states have already approved the testing of autonomous vehicles with varying degrees of regulations. Most recently, California introduced proposed rules that would require a licensed driver to be present in the vehicle. This requirement could limit some of the more promising uses of these new vehicles (such as transportation for the young or disabled) and even threaten the vehicle’s safety, but the state will take comments before instituting the final standards. We’ll be monitoring closely as state governments continue to craft new regulations. These new rules won’t just impact the big manufacturers, as autonomous vehicles could spawn an entirely new sector of startups creating software for these cars.

Blockchain Rising

Though Bitcoin and the blockchain technology that powers it are relatively old developments by tech standards (2009!), cryptographically-secure distributed ledger technologies came to the attention of the mainstream in a big way this year, drawing interest from large financial institutions and regulators alike. While this increased scrutiny may rankle some of Bitcoin’s techno-libertarian old guard, the relatively cautious approach policymakers have taken to regulating the Bitcoin sector is a promising sign for the future growth of cryptocurrencies and blockchain technologies.

As Federal regulators have been content to monitor the development of cryptocurrencies, state policymakers have taken more proactive steps to regulate the sector. New York enacted its BitLicense rules this summer, which obligate financial intermediaries that hold or control virtual currencies on behalf of New York residents to obtain a license and follow certain customer monitoring and reporting requirements. The rules were meant to apply to just those companies that handle funds on behalf of customers and not impact software developers and entrepreneurs that don’t actually control customer money, but since the Bitcoin system looks so radically different from traditional financial systems, the rules necessarily have created some confusion as to how they will apply in practice. Fortunately, New York regulators appear to be cognizant of the need to avoid overregulating this nascent industry and will hopefully work to rectify any overbroad regulatory issues that may arise. As other states begin to consider regulations like New York’s regime (California for one debated a similar Bitcoin license bill this year before it died in the legislature), the need for a more uniform Federal standard will quickly become a priority for the sector. With more and more money pouring into blockchain startups ($500 million in 2015 alone), digital currency regulation will likely become a more pressing issue in 2016 and beyond.

The New Sharing/Gig/On-Demand Economy

No one seems to have agreed upon the best term to describe the collection of technology startups building platforms that connect customers to workers, homeowners, and drivers. Call it the sharing economy, the gig economy, or the on-demand economy; regardless, this new technology is shaking up well-established industries and the regulatory frameworks in which they’ve long operated.

Startups including Uber, Lyft, TaskRabbit, Handy, and Instacart (to name just a few) are restructuring how a wide variety of services are provided, and with that, challenging the existing labor standards that by and large rely on two narrow designations—employee or independent contractor. Many of these companies now face a slew of lawsuits about that classification, including a class action against Uber in California. Just weeks ago, Seattle became the first city in the nation to allow on-demand drivers to unionize. This legislation, too, will likely be contested in courts. The outcomes of these cases could dramatically reshape the 1099 economy and will surely impact the startups who’ve built their companies around existing worker classification rules. We’ll be paying close attention as they’re debated into 2016 and beyond.

Beyond the labor market, many of these startups are providing new (and in many ways, better, faster, and more efficient) services within highly regulated industries. This year, ridesharing companies came up against major challenges in cities throughout the world. The New York City Council proposed rules this summer that could have put a freeze on all for-hire vehicles. Another requirement—that ride-sharing apps pass government approval before making changes—was also floated, though ultimately struck down. Meanwhile, San Francisco voted on a ballot proposition to limit Airbnb rentals in the company’s home city, a measure that ultimately failed, but cost the company $8 million to fight.

Ultimately, the trend of startups beginning to compete in heavily-regulated sectors of the economy accelerated in 2015 faster than many had predicted, resulting in an all too common struggle to fit the square peg of new innovations into the round hole of existing regulations. Not surprisingly, given the slow pace at which our nation’s regulatory bodies operate, the many policy debates that came to the fore in 2015 are nowhere near resolution. Next year will almost certainly see these policy debates escalate, and it is imperative that the startup community engage in this policymaking to ensure that the incredible potential of new technologies isn’t stifled by ill-fitting regulations.

 

Startup Policy Digest: 12/18/2015

Our weekly take on some of the biggest stories in startup and tech policy. 

CISA Sneaks into Omnibus. As Congress scrambled to clear its legislative calendar before leaving DC for the year, it packed a bunch of unrelated bills together into a 2,000 page omnibus spending bill that will need to pass in order to adequately fund the government. This potpourri approach to legislation raises serious concerns about government transparency and access, as all but the most well-connected groups are effectively blocked from the closed-door dealmaking that resulted in the omnibus. This year’s omnibus produced one notably terrible outcome: the resurrection of the much-maligned Cyber Intelligence Sharing Act (CISA), which is meant to allow companies to share information on cyber attacks with government in order to help prevent future hacks. Critics argue that the bill creates more problems than it solves by jeopardizing user privacy, incentivizing companies to secretly monitor user activity, and allowing the government to obtain consumer data without a warrant. With the ECJ’s nullification of the EU/U.S. data transfer safe harbor so fresh in policymakers’ minds, it is a particularly inopportune time to pass a bill that many believe is effectively an expansion of government surveillance authority.

EU Sets New Data Privacy Rules. On Tuesday, the European Parliament and Council effectively agreed upon a negotiated version of the EU Data Protection Reform originally drafted in 2012. The measures will be formally adopted in early 2016 and go into effect in 2018. US businesses are concerned with several of the law’s provisions that make compliance challenging and also expensive. Among their concerns: companies that violate the rules could face fines of up to 4 percent of global sales; the law also formalizes the “right to be forgotten” statute, giving users the right not only to correct inaccurate personal data but also to remove irrelevant or outdated information; the age of consent for data processing is set at 16 years; companies must alert authorities within three days of a reported data breach; and larger “data-processing” companies must designate a data protection officer.

An Uber Union? Seattle has become the first city in the nation to allow on-demand drivers for companies like Uber and Lyft to unionize. The legislation, passed by Seattle’s city council on Monday, is seen as a test case for the changing 21st century workforce and will likely be contested in court. While some have argued that the new policy conflicts with federal law and raises antitrust concerns, others insist that the local law has teeth. Regardless of its merits, the law further complicates the broader debate around worker classification in the emerging “gig economy” and whether policies can support both innovation and workers.

California’s New Self-Driving Car Laws. A month after a study by California’s Department of Motor Vehicles, the state released proposed rules for driverless cars. Some of the rules came as no surprise to driverless car manufacturers such as Google, Tesla, and Ford: consumers must receive special training certificates and the autonomous vehicles must meet certain cybersecurity standards. However, one proposal, if passed, could significantly impede innovations in this emerging industry. The California DMV wants a licensed driver present in the vehicle, preventing the kinds of functions—package-delivering vehicles or transportation for the blind—that could truly revolutionize transit. This rule also complicates the liability question by making the licensed driver legally on the hook for any accidents. Google, on the other hand, has thus far stated that it is willing to take responsibility for any accidents on the road. There’s still room for debate though; these rules open for public comment next month.

BingeOn? Maybe Not Says FCC. In its net neutrality rules from earlier this year, the FCC declined to enact a flat ban on “zero rating” programs whereby ISPs exempt certain data from user data caps. Instead the FCC decided to tackle such issues on a case-by-case basis. Since then, ISPs have begun to test the FCC’s willingness to regulate data exemption policies, such as T-Mobile’s Music Freedom and BingeOn plans. While T-Mobile’s programs do not implicate the most concerning net neutrality problems by allowing any music or video streaming company to take advantage of the data exemption without payment, some net neutrality advocates have taken aim at T-Mobile’s policy of throttling all video traffic regardless of whether it is a part of the BingeOn program. FCC Chairman Tom Wheeler has previously applauded T-Mobile’s programs as creative, pro-consumer innovations, but now, the FCC wants to take a closer look. With the Commission’s data cap inquiry and the DC Circuit’s pending decision on the validity of the FCC’s net neutrality, 2016 looks to be an important year for the future of the open Internet.

Drone Registration Goes Live. The Federal Aviation Administration unveiled new recreational drone requirements this week. Starting December 21, drone hobbyists must register their unmanned aircraft and pay a $5 fee through a new FAA web page. The registration requirements represent a mostly uncontroversial attempt to maintain safety and accountability in national airspace as more and more drones populate the skies.

GOP Misses on Tech Issues. While many observers called this week’s Republican debate the most “substantive” yet, tech experts heard uninformed positions and misconstrued information on issues such as surveillance, the operation of the Internet, and encryption. For instance, Gov. Kasich inaccurately assumed that encryption prevented law enforcement from collecting information that could have foiled the San Bernardino shootings. Yet, whether encryption played any role in law enforcement’s access to important digital communications has not been confirmed. Meanwhile, Mr. Trump suggested that parts of the Internet should be “closed,” a preposterous suggestion that would not only hinder communication amongst bad guys, but also the good guys who drive ambulances, operate hospitals, and alert the world to vital information. Such superficial positions on high-impact tech policy are disconcerting; legislating these areas will require thoughtful (and, frankly, more complicated) solutions.

Prisoners Turned Coders. San Quentin State Prison just graduated 21 inmates from its tech incubator, which teaches inmates to code as well as the skills it takes to design and pitch a business to investors and peers. The program, made possible by The Last Mile organization, has become so popular that inmates are requesting transfers to San Quentin. Next up: A new program from The Last Mile will provide inmates with paid coding jobs for businesses outside prison walls.

CISA Resurrected: Bad Policy, Broken Process


News yesterday that a dormant and much maligned cybersecurity bill—the Cyber Information Sharing Act—had not only resurfaced but was on a fast track towards becoming law by virtue of being appended to a large spending bill came as an unfortunate surprise for the tech sector, privacy advocates, and anyone who cares about transparent policymaking. In the last few weeks of 2015, all of Congress’s remaining legislative capacity was directed towards passing the bloated mish-mash of policies known as the “omnibus.” In theory, the omnibus is a “must-pass” spending bill (“must-pass” in the sense that signing it into law is necessary in order to fund the government) that combines a number of different appropriations bills into one, streamlining what could otherwise be a tedious effort to pass spending bills piece-by-piece. But, in what has become a commonplace practice in DC, this year’s omnibus crams in piles of unrelated legislation (more than 2,000 pages in all), effectively ensuring the passage of controversial bills that would likely have faltered if exposed to the normal legislative process, public debate, or a straightforward Presidential veto.

Ultimately, this means that groups and individuals without significant influence or lobbying power often find themselves pushed out of closed-door conversations about what unrelated bills get appended to the omnibus. While this closed process doesn’t always result in terrible legislation (the removal of anti-net neutrality riders to this year’s omnibus being a prime example of good policy emerging from the omnibus mess), when bad legislation does find its way into the omnibus, it’s almost impossible to get it out. It is through just this backwards process that the ill-fated Cyber Information Sharing Act (CISA) found its way into the omnibus and on a seemingly unstoppable course towards a Presidential signature.

CISA essentially creates a framework for companies to collect and share user data with government in a way that may circumvent basic privacy protections. While the bill is supposed to help government and industry cooperate to prevent cyber attacks like the high-profile hacks that targeted Sony, Target, and the federal Office of Personnel Management, critics argue that the bill creates more problems than it solves by jeopardizing user privacy, incentivizing companies to secretly monitor user activity, and allowing the government to obtain consumer data without a warrant. By moving CISA through the omnibus, these critics have been shut out of the recent negotiations. It’s no surprise then that the language that ultimately made it into the omnibus is worse in terms of privacy protections than other iterations of the bill.

For startups, CISA’s inclusion in the omnibus is bad for a few reasons. First, enacting significant legislation via amendment to unrelated must-pass bills limits the voice of small business in government. As this becomes more commonplace, startups who do not have the resources or relationships to participate in closed-door discussions are boxed out. Second, any bill that weakens privacy protections for user data threatens to undermine consumer confidence in Internet services. This, in turn, decreases the market for startups that provide such services. Finally, considering the European Court of Justice recently invalidated a crucial safe harbor by which US companies—startups included—were permitted to import EU consumer data precisely because of US laws that gave government access to user data without any real privacy protections, pushing a bill like CISA only threatens to make things harder for US companies operating overseas.  

As policymakers consider a variety of cybersecurity and privacy issues, it’s crucial that the startups and technologists that understand how key technologies actually work are a part of these conversations. Congress’s decision to move CISA through the omnibus spending bill is a move in the wrong direction for the startup sector’s participation in DC.

Startup News Digest: 12/11/2015

Our weekly take on some of the biggest stories in startup and tech policy. 

Net Neutrality Has its Day in Court. The net neutrality debate that has dominated tech policy headlines for the past two years finally got its day in court last Friday. A panel of three judges from the DC Circuit heard oral arguments in the lawsuit brought by a consortium of ISPs to invalidate the FCC’s net neutrality rules. Proponents of the FCC’s rules came away from the hearing fairly optimistic. A majority of judges seemed to side with the FCC in the most crucial aspect of the dispute: whether or not the Commission had adequate authority to reclassify Internet access as a “telecommunications service.” The court pushed back more significantly on the FCC’s authority to reclassify mobile broadband and the adequacy of the notice the FCC provided about the final rules it adopted. While we remain optimistic about the Court’s ultimate decision, the net neutrality debate will almost certainly not go away when the Court issues its ruling early next year. It seems likely that the case will ultimately end up before the Supreme Court, and Congress continues to ponder whether it should pass anti-net neutrality legislation.

Feinstein Wants Tech to Report Terrorist Activity. As terrorists attempt to use Internet platforms to mobilize followers, disseminate propaganda, and coordinate attacks, working to diminish militants’ capacity to organize through social media is critical. But the Requiring Reporting of Online Terrorist Activity Act, introduced by Senator Dianne Feinstein (D-CA) earlier this week, is not the answer. The bill would require tech companies to report “any terrorist activity” that they have knowledge of to law enforcement. This obligation seems innocuous on its face, but as often happens, difficulties arise in determining how to actually apply this standard. Emma elaborates on all of the reasons the bill’s controversial (and previously rejected) framework could potentially do more harm than good here.

Computer Science in Classrooms. An education bill signed into law on Thursday acknowledges computer science as a foundational academic subject. By doing so, the bill puts computer science “on equal footing with other subjects when state and local policymakers decide how to dole out federal funds.” This new designation could potentially accelerate computer science's introduction into classrooms across the U.S. and ultimately help address the country's growing tech talent shortage.

Bill Would Cut Back H-1Bs. Senators Bill Nelson (D-FL) and Jeff Sessions (R-AL) introduced a bill this week that would reduce the number of H-1B visas available by 15,000 and also modify the way those visas are allocated—requiring they go to workers who will earn the highest wages. The H-1B program allows companies to hire foreign high-skilled employees, including those with expertise in science, engineering, and computer programming. While these visas are highly coveted within the tech industry, accounts of program abuse have galvanized members of Congress to restructure the program. “This bill directly targets outsourcing companies that rely on lower-wage foreign workers to replace equally-qualified U.S. workers,” Sen. Nelson said in a statement. While attempting to prevent bad practices by specific outsourcing companies, this bill would unduly harm the wider tech industry by further limiting global talent from contributing to U.S. companies, big and small. 2015 saw a record number of H-1B applications: 233,000 for the current 85,000 spots.

Investment Crowdfunding for Tech? Not So Fast. An article in this week’s Wall Street Journal highlighted a few of the shortcomings of investment crowdfunding, a new fundraising tool for startups made legal last month with the release of SEC rules. Those rules contain numerous burdensome requirements for companies raising equity from the crowd, potentially deterring high-growth technology startups. For instance, once a company takes on over 500 investors or grows to a certain size, it must file regular disclosures with the SEC: “It is all the pain of an IPO without the benefits of the IPO.” We’ve previously detailed some of the other issues with those rules, concluding that policymakers must continue to work to lower the cost of raising seed capital through crowdfunding or the impact of investment crowdfunding for startups will be modest.

What We Heard in Iowa: Earlier this week, Engine teamed up with the Technology Association of Iowa to discuss technology policy with Iowa entrepreneurs, caucus goers and two of the 2016 presidential candidates in Cedar Rapids. As the Cedar Rapids Gazette reported, the candidates agreed that education is “vital to innovation” but, not surprisingly, disagreed on the federal government’s role. O’Malley’s address focused on his track record as governor of Maryland, while Fiorina took a different approach, focusing on national security and technology “as a tool and a weapon” in those efforts. The forum offered a glimpse of where at least two candidates stand on a handful of important tech issues and as we look to 2016, we hope to hear a lot more.

Patent Suits Cost Universities. Universities have been getting more involved in patent reform policy and a recent Brookings article explains why. Its author also emphasizes that universities are turning observers off by engaging in offensive litigious actions, which is seen as contrary to the public mission of a university. Furthermore, it doesn’t make sense for universities to be involved in patent reform conversations since universities as a group do not have a financial interest in patenting: 87 percent of tech transfer offices operate in the red. Since there is a false belief among some that without patents there would be no innovation, it is important that the public voice of universities acknowledge “that the debate on the impact of patents on innovation is not settled and that this impact cannot be observed in the aggregate, but must be considered in the context of each specific economic sector, industry, or even market.”

Where are the Women in Tech? A new list was published on the “Best Cities for Women in Tech” and Washington, DC topped it, with women making up about 37 percent of the tech workforce (New York, NY comes in at number five and San Francisco, CA at 23). Kansas City, Missouri (at number two) was one of the only two cities in the study where women in tech don’t face a gender pay gap. Recruitment of women and underrepresented groups in the tech community remains a large part of the diversity conversation: language used in outreach and job descriptions could be turning well-qualified applicants off from even applying. One startup, Textio, is trying to address this problem with their product that “applies a form of artificial intelligence (AI) called natural language processing (NLP) to study the verbiage in documents” and can help highlight words with certain negative connotations.

Startup News Digest: 12/4/2015


Our weekly take on some of the biggest stories in startup and tech policy.

Trade Secrets Bill Resurfaces. On Wednesday, the Senate Judiciary Committee held a hearing on the Defend Trade Secrets Act (DTSA), a bill purportedly meant to help curb international trade secret theft by creating a federal cause of action for trade secret appropriation. However, like most intellectual property laws, trade secret litigation is rife with abuse as companies regularly use trade secret claims to stifle competitors and hinder employee movement. The proposed legislation would exacerbate these problems by creating an ex parte seizure procedure whereby a party can—without detailed factual inquiry and without a presentation of both sides of the case—ask a judge to seize a defendant’s property. In this regard, the DTSA goes well beyond what state trade secret law provides, making it a potent tool for incumbents to use the courts to unfairly hinder legitimate competition. And since international trade secret thieves will be able to avoid this federal law as they have avoided prior state laws by simply being outside of the US, it’s hard to see how this bill would actually address the problem it claims to address.

Net Neutrality Hearing. The DC Circuit Court of Appeals heard oral arguments today in the challenge to the FCC’s net neutrality rules. A group of telecom companies filed suit against the FCC shortly after the Commission issued its net neutrality rules this spring, arguing that the decision to reclassify violated administrative rules and exceeded the FCC’s delegated authority. While most net neutrality supporters believe that the Commission’s rulemaking is likely to withstand legal challenge, the DC Circuit is notoriously unpredictable. The hearing itself was not broadcast due to the DC Circuit’s strict rules on recording proceedings, so we’ll have to wait for reports from those in the room to get a read on how the judges received each side’s arguments. We’ll be tracking closely.

Starting Up the Broadband Economy. In an op-ed in re/code, Engine Policy Director Evan Engstrom elaborates on why policies that encourage a competitive broadband market are essential to the continued success of the startup economy. Increasing competition ensures America’s entrepreneurs can use their limited funds to build their businesses, rather than lining the pockets of a few huge incumbent providers. There is still a long way to go towards a robust, healthy Internet ecosystem. But we are working to ensure that startup voices are heard and that real reform happens now.

Trouble for ECPA Reform? The broadly supported Email Privacy Act ran into opposition from law enforcement authorities at a House Judiciary Committee hearing on Tuesday. Calls for an emergency exception and a carve out for civil agencies are nothing new, but they are preventing the committee’s chairman, Rep. Bob Goodlatte, from backing the legislation. Despite being one of the most popular bills in Congress with over 300 bipartisan cosponsors, it won’t move until Rep. Goodlatte gives the go-ahead. We’re tracking.

Add “Lobbying” to List of Startup CEO Responsibilities. Engaging with lawmakers is just another part of being a startup leader now, reports the New York Times. “In addition to knowing the language of computer code, founders are speaking the language of Washington, keenly aware of the potential regulatory battles that could be on the horizon.” In a shift from the historical status quo, startups are no longer eschewing politics, but increasingly embracing a dialogue with D.C. instead.

Patent Lawsuits Filed Set New Record. On November 30, 257 new patent litigation cases were filed—a new one-day record. Furthermore, 196 of these cases were filed in the Eastern District of Texas, a notoriously plaintiff (and troll) friendly court. This is clear proof of forum shopping and further evidence that patent reform legislation should also address venue abuse. The mass of filings is likely tied to the fact that December 1 marks the effective date of significant changes in the Federal Rules of Civil Procedure for patent cases—i.e. going forward, plaintiffs may be required to provide more information in their initial claims.

Women in STEM. Michelle Lee, the Director of the US Patent Office, authored an op-ed in which she cites a study that found that only 15% of all inventors are women. She writes, “The lack of gender parity is not just a social issue, it is an economic imperative.” In response, the Patent Office has launched, in partnership with Invent Now, an “All in STEM” initiative to get more girls interested in STEM and more women in flourishing STEM careers. Meanwhile, the latest diversity numbers from tech companies demonstrate the continuing need: women employed globally by Microsoft decreased from 29% to 26.8%.

Cities and Innovation Ecosystems. It takes years for cities to build up a “critical mass” of tech companies and workers to the likes of the Bay Area. But in some of the nation’s smaller cities, the environment has proven conducive to small companies and large companies cooperating in a way that has become engrained in the DNA of Silicon Valley—where startups are built off the API of large companies and interoperability is part of the culture. A recent report by the World Bank discusses what factors affect the growth of entrepreneurship ecosystems across different cities.

Conversations Around Capital Access. Before taking a break for Thanksgiving, Engine attended a forum hosted by the SEC on capital access issues for startups. Participants honed in on the JOBS Act rules: how they’re playing out in practice and whether there are policy modifications that could facilitate their success. Read Emma’s run-down of the discussions here.

Startup News Digest: 11/20/2015

Our weekly take on some of the biggest stories in startup and tech policy. 

Encryption Debates Resurface. Last week’s terrorist attacks in Paris reignited debates over encryption. Officials suspect the attackers may have used encrypted messaging systems to coordinate the plots (though nothing has been confirmed). Policymakers are again considering whether the law should require tech companies to create “backdoors” for law enforcement, making it easier for officials to track and disrupt threats. Many in the tech community, including Apple, have publicly opposed such backdoors for government, arguing these restricted access points could make their systems more vulnerable.

$100 Million in Grants for Tech Training. This week, White House representatives were in Baltimore to announce the expansion of its TechHire initiative with the launch of a $100 million grant competition. TechHire, which launched in March, involves education and employer partnerships in dozens of regions across the U.S., all dedicated to training, recruiting, and placing more Americans in tech jobs. Awards from this new grant will go to programs across the country that serve Americans who face barriers to entering the tech sector, whether those are educational, geographical or income-based.

Startup Equity in Highway Bill. A little known piece of startup-friendly legislation has made its way onto the highway bill, the massive federal transportation bill that lawmakers in the House and Senate are scrambling to finalize. This unrelated legislation is the RAISE Act, which would more easily allow startup employees to sell company equity to accredited investors. In October, the House passed the bill unanimously, but it hasn’t yet made its way to the Senate floor. We won’t know until December whether these new rules will remain in the highway bill - federal funding for roads has been extended to December 4 while Congress hashes out the details of the new bill.

Chicago Limits Drones. Chicago’s city council passed a bill banning certain uses of drones. The first bill of its kind, the rules will potentially hinder hobbyist use. Chicago’s ordinance, in line with FAA regulations, prohibits drones from flying above 400 feet, flying within five miles of and flying over schools, churches, hospitals, police stations, and any private property without consent. Chicago has experienced some uncomfortably close encounters with drones: one crashed Midway airport’s runway and another flew frighteningly close to crowds gathered at Lollapalooza.

Patent Reform will Encourage Innovation. Executive Director Julie Samuels was featured in a series of perspectives on patent reform in the Washington Post. Her perspective: if Congress does not pass patent reform legislation, patents will inhibit the innovation they set out to incentivize. Innovative inventors and young companies are being threatened by “patent trolls” that are wielding bad patents, frivolous infringement allegations, and exploiting loopholes in an expensive patent litigation system. Unfortunately, legislation that would help relieve startups and stop trolls is stalled in Congress - largely because of incumbent interests, e.g. the pharmaceutical industry (PhRMA). The bottom line: the one-size-fits-all patent system that has long worked for PhRMA is not working for software.

ICYMI: November is National Entrepreneurship Month. In other news from the White House, President Obama has issued an official presidential proclamation designating the month of November as National Entrepreneurship Month. “Since our Nation's founding, our progress has been fueled by an inherent sense of purpose and ingenuity in our people. Americans have more opportunities now than ever before to carry forward this legacy - to create something, to raise capital in creative ways, and to pursue aspirations,” states the proclamation. While we’re always celebrating the work of entrepreneurs, it’s great to see policymakers and organizations across the country rally behind them this month.

Startup News Digest: 11/6/2015

Our weekly take on some of the biggest stories in startup and tech policy.

More Eyes on EU Data Laws. Congress examined international data issues at two separate hearings this week, covering everything from cross-border data flows to U.S. surveillance reform. But the main focus was the recent EU safe harbor decision. Negotiators have until the end of January 2016 to find a replacement for safe harbor. However, businesses of all sizes are already beginning to weigh whether they should simply move their data to European servers over concerns that alternative compliance mechanisms may not be valid. As we’ve noted on our blog (and others agree), forced data localization would be incredibly costly - especially for smaller companies - and would have a chilling effect on internet innovation. We’re tracking.

Pros and Cons in SEC’s Crowdfunding Rules. The release of the SEC’s long-awaited investment crowdfunding rules is a huge victory in itself: it facilitates an entirely new form of fundraising for cash-strapped startups. But, are the rules themselves any good? We’ve written previously about changes we wanted to see to the proposed crowdfunding framework, and the SEC’s rules incorporate a few of the items on our wishlist. Specifically, funding portals are now allowed to subjectively decide whether or not to list certain companies on their platforms and may take an equity stake in issuers, too. But, while the new rules ease some of the high disclosure burdens of the proposed framework, they do not go far enough to make investment crowdfunding affordable for small companies. A more detailed look here.

Comprehensive Immigration Reform: Not Happening. Earlier this week, newly elected Speaker of the House Paul Ryan confirmed a suspicion most immigration reform advocates have sensed for years now: that the House will once again refuse to consider comprehensive immigration reform legislation. “I do not believe we should advance comprehensive immigration legislation with a president who’s proven himself untrustworthy on this issue,” Speaker Ryan announced emphatically on “Meet the Press” and repeated in an op-ed Tuesday. But while we won’t expect to see immigration reform on the legislative agenda, we at least expect to hear about it in the 2016 election cycle.

Anti-Airbnb Measure Fails in SF. On Tuesday, San Francisco voters struck down a measure that aimed to curb Airbnb rentals (and those offered by other homesharing services) in their city, where the convoluted conflict between tech and housing is alive and well. Winning the vote 55-45, Airbnb far outspent its opposition with an $8 million television, billboard, and canvassing campaign against the measure. Among the lessons learned from its victory? Airbnb representatives have said its user base of hosts and guests is willing and ready to mobilize on the company’s behalf, a movement we could see in more cities as Airbnb and other companies come up against new regulatory challenges.

Internet for Everyone in Arkansas. The Arkansas legislature has promised it will have a plan to deliver high speed broadband access to every home, business, and institution in the state by October 2016. The “call to action” was inspired by similar broadband expansion efforts in nearby states like Kentucky and Tennessee. Arkansas’ House speaker noted that broadband “has become the 4th rail of economic development. It is just as important as your transportation infrastructure, your educational and workforce infrastructure, your tax structure.” We couldn’t agree more and are pleased to see states acting to ensure all of their citizens have access to this essential resource.

Former Twitter Engineer: Diversity is Difficult. An essay by a former lead engineer at Twitter is gaining momentum and attention, highlighting the challenges the tech industry continues to confront in making its workforce more inclusive. Leslie Miley recounts his efforts to increase employee diversity at the company, describing frustrating conversations with senior engineers who referred to diversity efforts as “lowering the bar.” The tipping point for Miley was when he pitched his proposal for hiring a “Diversity Engineering Manager” and was met with suggestions from higher-ups that underscored “the unconscious tendency to ignore the complex forces of history, colonization, slavery and identity.” It was the culmination of these conversations and the refusal by leadership to acknowledge their own “blind spots” that drove Miley to leave.

Podcasting Tech Policy on a16z. Engine Executive Director, Julie Samuels, spoke with Techdirt’s Mike Masnick and the host of the Andreessen Horowitz podcast earlier this week. Together, they covered a “whirlwind tour of current policy issues in tech  -  from patents and IP in China to cybersecurity, privacy, and Safe Harbor in Europe…And the gig economy, talent, and immigration.” That’s a lot of tech policy, and all in under 60 minutes. Listen here!

#VetsWhoTech. In anticipation of Veterans Day, Engine is highlighting the success stories of veterans who’ve made strides as developers and founders in the tech industry. These stories showcase the great potential of this community to become leaders in the industry, as well as the ways in which government support for their efforts is falling short. Follow the series on Medium.

Startup News Digest 10/30/2015

Our weekly take on some of the biggest stories in startup and tech policy.

SEC Finalizes Crowdfunding Rules. At today’s SEC open meeting, the Commission voted to adopt Title III crowdfunding rules, finalizing the last and most highly-anticipated provision of the 2012 JOBS Act. Once the rules go into effect (180 days after they’re entered in the Federal Register), any investor can buy equity shares from companies raising capital online, marking a new era of financing for startups and investors alike. As Engine and industry experts have commented, the rules aren’t perfect, but their long-delayed release is the first critical phase in working with policymakers to improve and expand the crowdfunding ecosystem.

Cybersecurity Bill Passes Senate. On Tuesday, lawmakers voted 74-21 to pass the Cybersecurity Information Sharing Act (CISA). The bill has been largely opposed by the tech community over concerns that the bill’s core information-sharing mechanism would compromise user privacy. Amendments aimed at providing additional privacy protections didn't garner sufficient support, leaving industry stakeholders and civil liberties advocates frustrated. But the debate will not end here—there is a chance these issues will come up again as the Senate’s bill goes to conference with the House. We’re tracking.

EU Passes (Bad) Net Neutrality Rules: The tech world's focus shifted to the EU this week, as the European Parliament voted on net neutrality rules that have caused consternation amongst open Internet advocates worldwide. Though the new European-wide rules look similar to rules the FCC passed earlier this year, the EU's regime contains many vague definitions that will allow ISPs to create and exploit loopholes that could render the EU's nominal ban on so-called "fast lanes" ineffective. For example, the rules create an exception allowing ISPs to prioritize "specialized services," but define that exception so broadly that ISPs could effectively create the types of fast lanes that the rules nominally ban. Similarly, while the U.S. rules allow the FCC to evaluate the legitimacy of zero-rating plans on a case-by-case basis, the new EU protocols allow zero-rating. While there may still be opportunities to correct these loopholes going forward, the future of an open Internet in Europe looks uncertain.

EU and US Close on New Safe Harbor: After the European Court of Justice’s rejection of the “safe harbor” that allowed U.S. companies to easily import EU customer data to the U.S., the tech world was left in a state of confusion as to what exactly was supposed to happen next. While the EU and U.S. had been hammering out a new safe harbor framework even before the old one was rejected, news this week that negotiators agreed in principle upon a new framework came as a pleasant surprise. Whether the new framework satisfies the ECJ’s concerns and what companies should do in the meantime remain open questions.

New Copyright Exemptions. In what has become a triennial reminder that it's impossible for the law to properly keep up to date with changing technology, the Librarian of Congress this week granted a number of exemptions to a rule in the DMCA that outlaws "circumventing" certain digital locks. This year's exemptions include rules allowing the public to tinker with car software and to jailbreak devices in order to run third party software. Of course, the exemption for security research on cars came way too late to prevent the VW emissions scandal, and the jailbreaking rule was perhaps most notable for fixing an absurd distinction between jailbreaking phones (already legal) and tablets (now legal). It's great that there is a mechanism for updating the law to reflect technological realities, but a system in which you have to wait three years before finding out whether it's legal to install third party software on your tablet needs an overhaul rather than a triennial tweak.

Can Tech Help Copyright? In an op-ed this week, Mike Masnick explores the potential for technology to solve the entertainment industry’s copyright woes. Take Sweden, for instance, where not long ago, piracy was rampant. But with the rise of forward-looking services like Spotify, which calls Sweden home, piracy rates have steadily declined. Policy lessons from other countries, detailed in a recent report, demonstrate that “attempts to reduce piracy by passing strict anti-piracy laws...had little long-term impact on piracy rates.” Instead, policymakers should embrace and support innovative ways to support the creative industry through new technologies.

Amazon Faces Worker Classification Suit. Four former Amazon Prime Now delivery drivers have sued the company, arguing that they were misclassified as contract workers instead of employees with full benefits. The suit is the latest in a long list of ongoing legal battles between on-demand workers and their employers (see Uber & Lyft, Grubhub & others, Postmates & others). As the debate continues around how to best support this growing class of workers, these cases have the potential to completely reshape the 1099 economy and the companies that operate within it.

Campaigns to Talk Tech in Iowa. Engine joins the Cedar Rapids Gazette and the Technology Association of Iowa in inviting Democrat and Republican Presidential contenders to the Iowa Presidential Tech Town Hall in Cedar Rapids this December. Candidates will share their agendas for supporting the innovation economy and take questions from a panel of tech policy leaders and local entrepreneurs. Potential topics include technology innovation, STEM education, broadband access, and entrepreneurship. More information and tickets to this event at PresTechTownHall.org.

Startups on the Hill for Patent Reform. Engine and the Consumer Electronics Association hosted a Capitol Hill fly-in Thursday where we were joined by four startups that have battled patent trolls first-hand. Together, we spoke with eleven Senate offices, including directly with Senators Heinrich (R-NM) and Peters (D-MI), about our support for the Senate’s PATENT Act. We also delivered the letter signed by nearly 200 startups in support of the Innovation Act (House bill) and PATENT Act (Senate bill). These bills would help disincentivize bad actors in the patent system and give startups tools to defend themselves against frivolous patent litigation.

Better Broadband Competition. Startups depend on internet connectivity and benefit from greater competition among providers. Over the next few weeks, we will be highlighting a number of policies that would improve competition in the broadband market and better encourage entrepreneurial activity. Read our first post outlining the series here and stay tuned for more.

Startup News Digest 10/23/2015

Our weekly take on some of the biggest stories in startup and tech policy.

Judicial Redress Act Heads to Senate. On Tuesday, the House passed the Judicial Redress Act, which would extend rights to judicial redress to citizens of the EU and other designated countries. The bill has broad support within the tech community, where it is seen as both a sensible next step in surveillance reform and essential to advancing an updated safe harbor agreement between the U.S. and the EU. The bill was slated for Senate consideration as an amendment to the Cyber Information Sharing Act (CISA), but was pulled on Thursday for procedural reasons. The bill’s sponsors are working with Senate leadership to schedule a vote and we will continue to track. Meanwhile, the White House chose to endorse CISA, but also criticized it for allowing companies to share data with any agency, rather than having a centralized clearinghouse.

A National Drone Registry. Recreational drone users will soon be required to register their unmanned aircraft, federal agencies announced this week. The decision comes amidst national airspace safety concerns from the Federal Aviation Administration and the Transportation Security Administration, as reports from piloted aircraft of sightings of, or close calls with, rogue drones have mounted in the past year. The details of the registration system are still being worked out and the FAA is currently seeking input from the public. Hobbyists and drone users can submit their comments here until November 20.

Bitcoin Teams up with the Feds. A new technology-government alliance is bringing together Bitcoin experts and advocates with government officials. The Block Chain Alliance was established to help federal authorities better understand the complexities of bitcoin transactions, and to change the perception of bitcoin as a "currency for criminals". The alliance will also offer digital currency companies an opportunity to demonstrate the power and potential of these new technologies, especially for law enforcement agencies. The Justice Department and Secret Service are already exploring how to use Bitcoin to more securely track the flow of digital currency across borders.

‘Dig Once’ Bill Introduced in House. On Thursday, Reps. Walden and Eshoo introduced the Broadband Conduit Deployment Act of 2015, which would mandate installing broadband conduit pipes during federal road construction. This would allow service providers to easily install fiber lines years down the road without having to excavate the road to re-dig a channel. The Federal Highway Administration has reported that ‘dig once’ policies like these can reduce broadband deployment costs by as much as 90%.

Code.org letter on CS education. Code.org and several major tech industry players sent a letter to the legislators leading education reform efforts this week. The letter urges lawmakers to include provisions that promote computer science education in any revision of the Elementary and Secondary Education Act (ESEA). Among their requests: maintain computer science as a “core academic subject” and retain resources that would improve teaching and learning in STEM subjects. You can read the full letter here.

Coding Behind Bars. This week Vice reported on the first and only coding bootcamp behind bars. Non-profit The Last Mile runs Code.3730, a six-month coding course for inmates at San Quentin prison. The curriculum - JavaScript, HTML, CSS, and Python - is similar to other code academies, but it’s taught on dry-erase boards, without Internet. In January, students in the program will be eligible to get paid for entry-level front-end coding work for companies on the outside.

Data Security for Startups. As startups generate, collect, and use data at an increasing rate, state and federal regulators expect them to have security protocols in place. On Tuesday, Engine co-hosted a data security panel at the Nasdaq Entrepreneurial Center in downtown San Francisco to dig into these security issues. Read our blog post recapping the event and unpacking existing resources, including the FTC’s “Startup with Security” guide, to help startups navigate data security regulation and ensure they are adequately prepared for a breach.

Navigating Data Security Policy: a Primer for Startups

For most startups, it’s not a matter of whether you’ll have a data breach, it’s whether you’ll know about it and how well you’ve prepared for it. That’s been the main takeaway at two recent events highlighting the importance of data security protocols for startups. Last month, the Federal Trade Commission (FTC) held a “Start with Security” conference in San Francisco, the first in a series of events under the Commission’s new initiative aimed at providing businesses with resources for navigating the world of security (you can watch the full event here). And yesterday, Engine co-hosted a data security panel at the Nasdaq Entrepreneurial Center in downtown San Francisco. The conversation began with a presentation by Jim Dempsey of the Berkeley Center for Law & Technology, followed by a panel featuring several experts on how technology companies, especially new ones, should manage and protect their users’ data.

These conversations are particularly timely, as companies are generating, collecting, and using more data than ever—and regulators are taking notice. Every day, even a one-person startup can handle sensitive data from hundreds of thousands of users and is expected to have security protocols in place.

The principal federal body that oversees companies’ data practices is the FTC, which has the authority to police “unfair or deceptive practices” under section 5 of the FTC Act. At its recent conference, FTC Chairwoman Edith Ramirez remarked that “in the rush to innovate, privacy and security cannot be overlooked—even in the fast-paced startup environment.” Ignorance is no longer an excuse in the eyes of the Commission. Startups should take this admonition to heart because the FTC can—and will—bring lawsuits against companies that fail to meet cybersecurity standards. Just last month, this authority was cemented by a federal court in FTC v. Wyndham. While the FTC cannot create new industry security regulations without direction from Congress, it now has explicit authority to police companies’ cybersecurity practices using its consumer-protection mandate.

This presents a conundrum for startups. As Josephine Wolff unpacks in a recent post in Slate, even “experts disagree on which computer security practices are reasonable and which are unreasonable.”

So how should startups ensure they’re not upsetting the FTC? One option is to look to the agency itself for some guidance. Published in conjunction with its outreach initiative, the FTC’s “Start with Security” paper outlines ten data security principles they advise companies to adopt, from data encryption to password policies.

At Tuesday’s event, Dempsey expounded on this document, arguing that the overarching takeaway is security by design: companies should build security into their products at every stage of development. The panelists, including a privacy lawyer, agreed emphatically, suggesting that companies of all sizes develop several security and privacy guidelines, implement them, and most importantly, document them. These include an internal IT security policy, a privacy security policy that specifically addresses how users’ personal information is handled, and finally, an incident response plan to refer to if and when a data breach occurs.

But data security requirements don’t stop at the FTC. Any startup operating in a regulated industry such as finance, healthcare, or education is likely well aware that additional laws apply in managing sensitive financial, health, and student data respectively. And to further complicate the process, there are additional state laws regulating data issues. Dempsey explained that at least 47 states have their own requirements for companies’ treatment and security of user data. California, for instance, is one of the many states that have breach notification-specific laws, requiring companies to notify residents whose unencrypted personal information was acquired in an attack.

While all these laws can create a compliance nightmare for startups who lack the internal capacity to decode these various guidelines, they’re not going away. Congress has debated questions around data security for years now. Should a data security bill include enumerated, prescriptive standards or take a more loose, industry-specific “best practices” approach? Should a bill include specific requirements or should those be left to the FTC to write? We’ve seen more than six federal data security proposals already in 2015, each of which takes a different approach to answering the above questions. While it is not yet clear which (if any) of these bills will become law, the increasing momentum behind passing something sends a clear message—startups can no longer defer addressing security issues until it is convenient.

The tech community should be engaging in more conversations like the one Engine hosted today. They provide clarity around best practices so that when Congress finally passes a data security law or when a breach eventually happens and the FTC comes knocking, startups already have security protocols in place that will pass muster. Further, as our technology improves, our privacy expectations evolve, and our lawmakers better understand the extent to which policy can dictate practices, startups’ voices should be heard in the debate around better policies that work for both companies and users around the world.

Startup News Digest 10/16/15

Our weekly take on some of the biggest stories in startup and tech policy.

Federal Aid for Coding Bootcamps. On Wednesday, the U.S. Department of Education announced a new pilot program that will make it easier for a more diverse range of people to attend alternative education programs like coding bootcamps. Until now, students enrolled in “nontraditional” educational programs have not been eligible for federal financial aid. The new EQUIP (Educational Quality Through Innovative Partnerships) program will waive existing restrictions to allow federal aid dollars to be used towards approved alternative programs. While the scope of the pilot will be relatively small, this initiative is a great move by the Dept. of Ed towards making these popular and essential programs more accessible to all.

White House Opts Against Legislating Back Door for Encryption. At the end of last week, the White House made a long awaited decision: they would not push for legislation that would mandate companies be able to decode messages at the request of law enforcement. At least, that’s what they’ve decided for now. Even if the White House’s decision maintains status quo, advocacy groups worry about the White House’s definition of “strong encryption” and whether the Administration will “weaken security through other methods.”

EU Safe Harbor Ruling. Ars Technica takes a deeper look at the far-reaching consequences of the EU’s safe harbor ruling in an article published on Thursday. Evan covered the impact this ruling will have on startups in a blog post last week, noting that “while larger companies have quickly moved to establish new legal pathways for importing EU data or have secured data centers in the EU, smaller companies face a more daunting task in trying to comply with now unclear data protection rules.” Ars goes even further, arguing that this ruling will have a dramatic effect beyond short-term global commerce—it will likely impact future trade agreements between the U.S. and EU, as well as the UK’s surveillance practices.

Evidence of “Over-Removal” by Intermediaries. When intermediaries receive a take-down request, the easiest, least risky response is to take down the cited material - especially for small companies that don’t have the resources to hire a legal team to thoroughly evaluate each request. A literature review by Stanford revealed growing amounts of empirical evidence of “over-removal” by intermediaries (e.g. Google, Twitter, Facebook), further defining a problem that puts free-expression at risk.

Wyden Calls for Greater DMCA Exemptions. As the U.S. Copyright Office conducts its periodic review of requests for exemptions under the Digital Millennium Copyright Act (DMCA), the agency should consider the importance of these exemptions to the continued expansion and improvement of American technologies, Sen. Ron Wyden explained in this week’s Wall Street Journal. Wyden expressed his concerns about the EPA and FDA’s pleas to limit exemptions for new software in cars and medical devices, thereby prohibiting such new technologies from being legally tinkered with under the DMCA. Sen. Wyden and Rep. Jared Polis (D-CO) have introduced the Breaking Down Barriers to Innovation Act, a bill that aims to streamline “the process to obtain exemptions to the DMCA to promote scientific research, innovation and the fair use of copyrighted works.”

Better Crowdfunding Policy. In anticipation of the SEC’s impending release of the Title III crowdfunding rules, Engine published a white paper this week, “Financing the New Innovation Economy: Making Investment Crowdfunding Work Better for Startups and Investors.” The paper analyzes trends in U.S. and U.K. crowdfunding markets, which offer important lessons for U.S. regulators and lawmakers as we move closer to launching investment crowdfunding for retail investors.

In Celebration of Ada Lovelace. On Tuesday we commemorated Ada Lovelace Day and celebrated the achievements of the first programmer and women in science and technology everywhere. News from Stanford emphasized progress: 214 women have enrolled as computer science majors, 30% of all enrolled computer science students.

Startup News Digest 10/9/2015

Our weekly take on some of the biggest stories in startup and tech policy.

ECJ Invalidates Data Safe Harbor. On Tuesday, the European Court of Justice (ECJ) invalidated the European Commission’s “safe harbor” rules that permitted U.S. companies to self-certify compliance with European data protection rules in order to legally transfer EU customer data to the U.S. The court determined that U.S. legislation permitting the NSA to secretly collect and review consumer data was inconsistent with the EU’s Data Protection Directive. Consequently, the safe harbor framework was itself inconsistent with the Directive, as U.S. companies could not claim to have adequate data security protections in place. While larger companies have quickly moved to establish new legal pathways for importing EU data or have secured data centers in the EU, smaller companies face a more daunting task in trying to comply with now unclear data protection rules.

Governor Brown Signs CalECPA. In a huge victory for startups and digital privacy, Governor Jerry Brown signed the California Electronic Communications Privacy Act (SB178), now the nation’s best digital privacy law, on Thursday. This landmark bill (which we’ve covered in past digests) updates digital privacy laws by requiring law enforcement to obtain a warrant before accessing an individual’s electronic communications. We are hopeful that this action by California will prompt similar movement in other states or at the federal level.

Closing the Gender Gaps. California passed (another) landmark piece of legislation that would require women to be paid the same as men for doing “substantially similar work.” Though the governor acknowledges that this bill won’t solve the problem, he expects it to “help accelerate [the] progress.” It’s an interesting development in light of the dialogue in Silicon Valley regarding the promotion and retention of women in the tech industry. Meanwhile, on the federal level, Senators Maria Cantwell (D-WA), David Vitter (R-LA) and Jeanne Shaheen (D-NH) introduced a bill that would reauthorize and increase funding for the Women’s Business Center Program, which improves business training and counseling opportunities for women entrepreneurs.

Capital Formation Bills Pass in House. The House passed two bills earlier this week aimed at making raising capital just slightly easier for startups. H.R. 1525, the Disclosure Modernization and Simplification Act and H.R. 1839, the Reforming Access for Investments in Startup Enterprises Act, contain measures that simplify and codify some of the regulations that govern how growing private companies raise capital. It’s encouraging to see members of Congress seek out ways to support capital formation for our country’s emerging companies and we hope our senators follow suit.

Marco Rubio Addresses Tech in NYC. Civic Hall hosted Senator Marco Rubio this week to talk about the on-demand economy. He spoke to the advantages of working for on-demand services (flexibility of hours, mobility of work) and recognized the need for a middle ground status between W-2 employees and independent contractors. He also called out incumbents, such as the taxi and hotel industries, for hindering innovation. It is the role of the government, Rubio said, to help those displaced by the new economy access the new economy through education and other opportunities.

Regulating Drones. As the popularity and pervasiveness of drones (or unmanned aerial systems, UAS) increases, lawmakers are grappling with the best way to ensure safety and privacy without needlessly inhibiting innovation in this growing industry. On Wednesday, Representative John Garamendi (D-CA) and Senator Barbara Boxer (D-CA) introduced the SAFE DRONE Act of 2015, which prohibits drone flights within two miles of an airport or active fire. While some argue these sorts of rules should be left to the Federal Aviation Administration to craft, others are growing tired of waiting on the agency to act after it missed a Sep. 30 deadline to implement drone rules.

What the EU Data Safe Harbor Ruling Means for Startups

This week’s decision from the European Court of Justice (ECJ) vacating the European Commission’s “safe harbor” rule that allowed U.S. companies to quickly and easily import consumer data from European users has left many in the tech community unsure about exactly what went down and what happens next. While the ultimate impact of the ECJ’s ruling is hard to predict, the incident serves as an interesting lesson on the often poor fit between policy and technology.

What exactly happened?

Unless you’ve recently taken a course in EU civics, figuring out precisely how things got to this point and what it all means is rather difficult. To summarize: the EU’s data protection laws are more stringent than those in much of the rest of the world—the U.S. included. Under the EU’s Data Protection Directive, data from EU citizens can only be transferred to countries that provide certain protections for said data. Recognizing that compliance with these data protection rules could create a giant bureaucratic headache for companies and countries, in 2000, the European Commission created a “safe harbor” that allowed any U.S. companies to self-certify that they complied with the Directive and thereby legally import EU consumer data into the U.S. This safe harbor rule is at the heart of the present dispute.

In 2014, an Austrian citizen filed a lawsuit in Ireland, claiming that U.S. laws permitting the NSA to surreptitiously collect and analyze vast amounts of consumer data violate the Directive. The Irish court then referred the case to the ECJ, the highest court in the EU, to consider the application of the safe harbor rule. Ultimately, this week, the ECJ held that the safe harbor doesn’t prevent individual member states from considering whether U.S. rules allowing government data collection render U.S. companies in violation of the Data Protection Directive and that the safe harbor itself fails to provide adequate data protections. With the ruling, the most commonly used legal pathway for importing EU data to the U.S. disappeared.

So what happens now?

With the rule allowing U.S. companies to import EU consumer data eviscerated, do EU-U.S. data transfers suddenly stop altogether? Did EU citizens wake up to find they couldn’t access their email accounts run by American companies? Not quite. The ruling will impact different companies in different ways.

Different legal pathways for data transfers

The safe harbor isn’t the only way that U.S. companies can import EU customer data. For example, companies can craft “binding corporate rules” (essentially, intra-company privacy policies) that, once approved by the data protection authorities in EU member states, allow for EU to U.S. data transfers outside of the safe harbor. But, since crafting such policies and getting member state approval is an arduous, time-consuming process, only large, well-funded companies can afford to explore these alternate data transfer protocols, leaving startups functionally unable to comply with data transfer rules.

Local data storage

If a company can’t legally transfer data from the EU to the U.S., the other option is to simply keep the data in Europe by building or leasing new data storage facilities overseas. Some companies, like Box and Pick1, are taking this approach, but this strategy comes at significant financial and time costs for companies, and startups operating on tight budgets may not have the resources to relocate servers or the time to develop new ways to handle foreign data.

Do nothing?

If a startup can’t find alternate legal mechanisms to import data or European data centers to handle EU data, it’s left with a difficult choice: stop handling EU customer data or continue to do so and face legal risk. The former tactic has obvious drawbacks. For one, it can be challenging to determine whether or not particular data belong to an EU-based user, rendering compliance nearly impossible. And, even if it is possible to altogether stop handling EU data, losing such a huge market will likely doom a great number of companies.

Startups could (and many probably will) simply continue business as usual and hope that they don’t get sued. A company that struggles to find the resources to establish alternative data importation frameworks or overseas servers may be too small for regulators and plaintiffs to worry about. Obviously, this isn’t a particularly comforting option for a company that wants to follow the rules. But, with such a sudden and dramatic shift in the rules, it may be the only course forward for some companies.

How long will this problem persist?

While the decision came as a surprise to many, policymakers in the EU and U.S. have been trying to shore up the safe harbor framework for a while. The ECJ’s ruling will add some urgency to their work, and U.S. and EU officials have given assurances that alternative data export pathways will soon become available. Of course, “soon” means something very different to bureaucrats than it does to entrepreneurs. And, even if the EU and U.S. can craft a new safe harbor framework, it’s unclear how these new rules will avoid the same fate as the prior safe harbor. That is, if the ECJ’s decision was predicated largely on the U.S.’s NSA-enabling legislation, any new safe harbor framework will similarly run afoul of the Data Protection Directive unless and until the U.S. passes significant surveillance reform legislation that limits the NSA’s reach. But, since a new ECJ ruling throwing out this replacement safe harbor could take several years, it may buy enough time for the U.S. or EU to craft other sensible data transfer rules.

Broader Lessons

The ECJ’s elimination of the safe harbor could pose an existential threat to some companies or it may simply end up being a temporary distraction, but it has helped crystallize a few issues facing the Internet economy. First, the notion of enforcing territorial data restrictions makes little sense in a globally interconnected digital world. Sure, national governments have an interest in making sure that their users’ data are protected, but trying to restrict the flow of information across national boundaries creates more problems than it solves, particularly for the startups that are responsible for building the global Internet. Creating insurmountable bureaucratic hurdles for companies that want to comply with their international obligations serves no one.

Second, the ruling highlights the need for surveillance reform in the U.S. Simply put, if users do not feel that their data are adequately protected, they will be less inclined to use online services—services often provided by fledgling startups. While the logic of the ECJ’s decision itself seems peculiar (if the U.S. fails to adequately protect user data because it allows the NSA to obtain authorization from FISA courts to secretly collect data, why are countries like France, Germany, and the U.K.—which do not require intelligence agencies to get court approval before collecting data for national security purposes—exempt from scrutiny? Is consumer data really any safer from NSA collection if it’s stored in the EU rather than in the U.S.?), the notion that consumer data should be protected from government surveillance is difficult to dispute.

Finally, the safe harbor fiasco is a prime example of how policy struggles to keep up with technological realities and the problems that arise when regulatory compliance becomes too complicated for otherwise upstanding companies to easily navigate. Many companies simply have no idea what they’re supposed to do while national governments try to hammer out an interim fix to data transfer rules, and even this temporary uncertainty can cause companies to go under altogether. As the Internet economy becomes ever more global, policymakers should strive to make the rules governing global commerce as frictionless as possible.

Entrepreneurs are Building a Better Baltimore

This week Engine is traveling with Steve Case on the Rise of the Rest road trip to celebrate entrepreneurship, in all its forms, across America. Every day we’ll post dispatches from the cities we’ve seen. For more updates follow #RiseofRest on Twitter.

This week marks the fourth Rise of the Rest road trip, and our first stop was Baltimore, Maryland. While we often hear about the challenges facing Baltimore, during our full day tour we saw another Baltimore story—a story about opportunity, innovation and economic development. Baltimore is one of the busiest ports in the United States and has a thriving healthcare sector, in large part driven by Johns Hopkins University’s hospitals and world class research facilities. Baltimore has 11 more universities and it’s just miles away from major federal agencies like the National Institutes of Health and the National Security Agency, which draws technology security talent to the region.

On our visit to Baltimore, we caught a glimpse of how entrepreneurs are capitalizing on the city’s leading industries. In the security space, we stopped by ZeroFox, a young, but fast-growing company with a cloud-based security platform that blocks malicious content from social applications. TechCrunch called its team “a who’s-who of some of the best and brightest security technologists.” We visited Fast Forward, an accelerator at Johns Hopkins that advances and commercializes technologies developed at the university. Many of the companies at yesterday’s culminating pitch competition also focused on new technologies in the health sector. ShapeU is a data-driven application digitizing the personal trainer, Sonavex offers a platform to detect blood clots, and Edessa is an automated hand washing system. The winner of the $100,000 investment from Steve Case was Sisu Global Health, a medical device company with an innovative blood transfusion product for healthcare providers in emerging markets.

We also saw some signs of entrepreneurial success in Baltimore, first and foremost at Under Armour headquarters. Under Armour has called Baltimore home since its inception. The company now has over 1,000 employees, making it one of the city’s biggest employers. Their campus spans the Baltimore harbour and, unsurprisingly, includes a state-of-the-art fitness center complete with Under Armour’s newest wearable technology and health-tracking devices. Though Under Armour is no longer a startup, Baltimore entrepreneurs commented on how supportive the fitness-wear company has been of the ecosystem. The last startup tour of the day was at OrderUp, a food delivery platform acquired this summer by the Chicago-based Groupon—a sign to many of Baltimore’s competitive consumer technology sector.

We also sensed the broader commitment to fostering greater and more inclusive economic prosperity in Baltimore. The cries for justice after the killing of Freddie Gray this summer resonated deeply with the community and local leaders here, and many entrepreneurs are thinking about how to create new economic opportunity that’s accessible to more of Baltimore’s residents. One promising sign is the opening of Baltimore’s own Impact Hub—a local outpost for social business leaders that will open its doors within months. During a sneak peek of the space we heard from one young company making it easier for the formerly incarcerated to find jobs, as well as from a new local ice cream maker employing some of Baltimore’s youth.

Overall, we sensed great optimism in Baltimore about the potential to build on the city’s existing talent pool and create new solutions where challenges remain. From here, we’re traveling up the Northeast corridor to Philadelphia. Stay tuned for more dispatches from the road.