Do The Tech Watchdog Groups Need Watching?

Advocacy groups have become influential voices on some of the biggest tech policy issues. There's homeland security, where the likes of the Center for Democracy and Technology and the American Civil Liberties Union helped stall the Transportation Security Administration's Secure Flight airline passenger-screening program by raising concerns about privacy. There's the Electronic Frontier Foundation's ongoing litigation against AT&T, alleging improper cooperation with government surveillance efforts, and its support of efforts to give Web-based e-mail the same protection from warrantless searches it won in the early 1990s for e-mail on a hard drive. There's the Electronic Privacy Information Center's call for legislation to stipulate how radio frequency identification can and can't be used in passports and retail stores.

Whether they're testifying before Congress, suing government agencies and businesses, or relentlessly courting the news media, tech-savvy advocacy groups have stamped their feet enough to have left a sizable footprint in the debate over how technology is applied and governed. The Center for Democracy and Technology has testified before Congress more than any other advocacy group this decade--tech or otherwise.

Seen as necessary cyberwatchdogs by many, these advocacy groups have earned their reputations as headline-hogging alarmists. And while they can come off as a pack of wolves, they differ in their relationships with businesses--some rely heavily on corporate funding and will advise companies on potential product pitfalls, while others are more arm's length and confrontational.

Businesses needn't kowtow to these groups, but managers of business technology ignore them and the differences among them at their peril. It can be inconvenient and expensive to answer public charges about how securely RFID sensors wirelessly transmit information, or whether a business practice puts customer data at risk. But be assured that the advocates will continue grabbing headlines. It's only a question of whether it's your organization they're dragging along for the ride.

Love-Hate-Solicit

The funding behind these advocacy groups helps explain how they work with businesses differently. The Center for Democracy and Technology expects to receive $2 million in funding this year, more than triple its budget in 1995, the year it launched. The money comes from foundations such as the security-oriented SANS Institute, trade associations such as the Business Software Alliance, direct tech company contributions, and law firms. Big tech company contributors include AOL, Google, and Microsoft; less than 2% of its funds comes from individuals.

That helps explain why the CDT works more closely with businesses than some other advocacy groups, often meeting with a company before it launches a product or service. "Companies want to gauge the public reaction to their technology and discuss ethical considerations and legal implications," says Ari Schwartz, the CDT's deputy director. For example, eBay met with the CDT before releasing its toolbar, designed to protect users from phishing scams by alerting them when they've clicked to a known phishing site. "Their issues with privacy are very complex because they're in between the buyer and the seller," Schwartz says. Microsoft says it briefs the CDT and other advocacy groups on specific technologies and policies to keep them informed and gather feedback, but not to seek legal or regulatory guidance.

In contrast, the Electronic Privacy Information Center doesn't take money from tech vendors, nor does it offer them advice. Its funding in 2005 was nearly $1 million, mostly from private donors and foundations. "Some companies have contacted EPIC to have a meeting before launching a project to make sure it addresses a privacy problem," says Marc Rotenberg, the group's executive director. "We don't take meetings like that."

But the organization, formed in 1994, isn't anti-technology or anti-business, Rotenberg insists. Its advisory board is packed with law professors and security consultants, but it also includes Internet pioneer (and now Google VP) Vinton Cerf and Sun Microsystems chief security officer Whitfield Diffie. "What we are is pro-privacy. That's our guiding principle," Rotenberg says. "Technology companies get upset with us, but I hope at the same time they respect us."

The Center for Democracy and Technology relies on business funding, but it's no errand boy for the tech industry. The CDT's hard line in support of network neutrality--opposing telecom carriers that want to charge Web companies higher rates for certain kinds of content--cost it money from some corporate donors, says CDT executive director Leslie Harris. "The people who give us money should be giving us money because we're aggressively defending openness and the opportunity for innovation," says Harris, who worked for 13 years at the ACLU before joining the CDT. "They should not be giving us money to get a specific result. Those who do give us money for a result and don't get that result often leave."

Openness is a double-edged sword. In 2004, the CDT and the ACLU fought a Pennsylvania law that required ISPs to block access to Web sites the state attorney general had cited for child pornography. They successfully fought the law as unconstitutional and ineffective, a position in the interests of the CDT's telecom and ISP backers.

The Electronic Frontier Foundation will discuss issues with businesses, but it's also the most litigious of the tech-centric advocacy groups. It's also the granddaddy, founded in 1990 by Lotus founder Mitch Kapor, Grateful Dead lyricist John Perry Barlow, and others. The EFF is now in court alleging that AT&T helped the National Security Agency tap customer calls. (AT&T is keeping mum on the matter, citing national security reasons.) The EFF bucked the entertainment industry in the peer-to-peer file-sharing debate, backing the company behind Morpheus in a losing battle that went all the way to the Supreme Court. The EFF gets its funding mostly from individual donors, though some is from company sources. Its largest recent individual contribution was $1.2 million from the estate of software developer Leonard Zubkoff, partially to create an endowment fund for the organization.

The EFF's budget and salary numbers are far from lavish. Executive director Shari Steele is one of three EFF employees who make more than $100,000 annually. And for a group that has taken on some of the biggest U.S. companies, the EFF's planning process is surprisingly informal--or frighteningly haphazard, depending on your viewpoint. "Usually around the sofa, a group gets together, and we hash out what are the ramifications of this and if this is something we should weigh in with," Steele says.

The advocacy groups' legal battles can be costly, but they can recoup some of that expense when they win. In 2004, for example, about 26% of the CDT's revenue came from recovered attorneys' fees, mostly from winning the Pennsylvania case.

Rise To Prominence

The 80-year-old Markle Foundation only began focusing heavily on emerging IT in 1998 under the direction of president Zoë Baird. Though a relative newcomer, it quickly became a powerful tech policy influencer, particularly related to health care's use of IT, by taking a different approach from the likes of the EFF and CDT.

Money is the Markle Foundation's source of influence, and it relies mostly on mutual funds that have matured over a century after the original seed funding from financier and coal-mine operator John Markle. It uses that money to fund research and pilot projects in areas it considers ripe for tech innovation and advancement. "Independence is really valuable for the role that we play," says David Lansky, executive director of Markle's personal health initiative. In 2005, the foundation had $151 million in assets, including $145 million in securities, with $5.4 million in investment returns that year. It spent $7 million in 2005 on its main initiatives, which include one to improve the use of IT in national security efforts, one to develop common standards for digital health care information, and another to accelerate the deployment of digital personal health records.

Congress Is Listening
The strategy of the EFF and its ilk--take on numerous hot button issues at once--can rub a lot of people the wrong way. But some in the tech industry think they provide a valuable check on the system by pointing out potential problems. "The function of these groups is to look at what's going on and try to hold people accountable," says John Gage, Sun's chief research officer and co-founder. "If you can't see it, you don't know what to change."

Washington is certainly listening. CDT says its staffers have testified before Congress more than 25 times since 2004, weighing in on spyware, RFID, voice over IP, and other issues. EPIC's Rotenberg, who teaches law at Georgetown University, says he's testified more than 50 times before Congress over the past 15 years on emerging technologies and civil liberties. While the ACLU, formed in 1920, testified before Congress more than any other advocacy group in the 1980s and 1990s, the CDT is Congress's most-requested such group since 2000, according to the Convergence Center, part of Syracuse University's School of Information Studies. The CDT testified at nearly 12% of all congressional hearings since 2000 that involved advocacy groups, according to the Convergence Center, while the ACLU and EPIC each appeared at about 7% of those hearings.

The pervasiveness of IT has created a role for tech-specialized advocates, who say they're fighting to find a balance between public security and privacy. "I've been a longtime believer that the technology we're using, some of which I've played a role in developing, has the potential of eroding privacy in a number of ways," says EPIC adviser Cerf, co-designer of the TCP/IP protocols and the Internet's architecture, whose title at Google is chief Internet evangelist.

One role advocates should play is keeping Congress from demonizing a technology, and instead keeping the focus on how people use it. "It's not all technology's fault," says Cerf, who's also the chairman of the board of the Internet Corporation for Assigned Names and Numbers. "Decisions are made by the companies using that information as to how the information is used and how it's protected."

Who's Involved, And Why
1984

Cerf has similar convictions, but he disagrees with EPIC's views at times. In 2004, EPIC called for federal privacy legislation over the use of RFID in retail. "I don't think that every use of RFID is an abuse or even threatens abuse, whereas some of the rhetoric from these groups might lead one to think otherwise," Cerf says. Yet, simply having the privacy debate is more important than always agreeing with the advocacy groups. Without them, he says, "we might be living in a society that I'm not sure we'd want to live in."

The groups have helped their causes of late by learning how to work together. When these organizations were young, they often tripped over one another, says Farber, who works with the EFF, is on the board at EPIC, and is a task force member at the Markle Foundation. Now they've learned how to cooperate. For example, EPIC and the EFF will often co-sign position papers sent to Capitol Hill, and groups often file amicus briefs on the same court cases.

The CDT last month joined other privacy groups, including EPIC, in urging Homeland Security to curtail its Automated Targeting System, created to assess the risk that inbound and outbound cargo and travelers pose to national security. They contend that the system is inaccurate and that a flawed assessment can follow people for years without their knowing it.

In December, the CDT and StopBadware filed a complaint urging the Federal Trade Commission to shut down FastMP3Search.com.ar, a spyware scam site that self-installs adware and Trojan horse apps, disables security software, sabotages the Web addresses of information security companies, changes home page settings, and impairs computer speed and performance.

The increased cooperation isn't surprising, considering that many tech advocacy groups come from the same small gene pool. CDT founder and president Jerry Berman spent 10 years as chief legislative counsel at the ACLU, creating its Projects on Privacy and Information Technology group. He then became director of the EFF's Washington office. Different interpretations of the Clinton administration's Communications Assistance for Law Enforcement Act in 1994 led to a splintering of the EFF, with Berman eventually breaking off to found the CDT.

Advocacy Inc. And The Tech Exec

Even those who acknowledge the groups' watchdog role see them alienating well-meaning businesspeople with their confrontational approach. "My problem with a lot of these groups is that they tend to be, 'We don't like most of IT, and we're going to impose a lot of regulations on innovation,'" says Rob Atkinson, president of the Information Technology and Innovation Foundation, a Washington policy group formed last year to advise lawmakers on IT issues. Atkinson also is a member of the Task Force on National Security in the Information Age, co-chaired by Markle president Baird and former Netscape Communications chairman James Barksdale.

Don't expect advocacy groups to change their approaches, including their over-the-top tactics. "We do take a fairly highly principled position, and in some cases that does involve pointing out some of the more dramatic and disturbing elements of things we find," says EFF chairman Templeton. "But we do see it as our job to show where things could go and to stop those things from happening. What we're really saying is that there need to be checks and balances on power."

Says Cerf: "Sometimes you have to be colorful to get attention, but I worry that overly dramatic warnings can backfire if they weaken credibility."

It's a good point. The CDTs, EFFs, and EPICs of the world are most effective when they question authority rather than use scare tactics to command the spotlight. Regardless of their approach, though, business technologists shouldn't tune them out.

Illustration by Viktor Koen

Continue to the sidebars:
How To Get Vendors To Share Their Plans
and
Fixing The E-Voting Mess