Author Archive for JDF

Immigration and Technology

I’d like to return to an issue I wrote about earlier this semester, how visa processes affect U.S. technology companies. During President Bush’s trip to India in March, he promoted the benefits of outsourcing. Outsourcing is critical for U.S. businesses, but U.S. industry still needs to attract highly qualified foreign personnel to work inside the United States. The post-9/11 environment has significantly slowed the process of “worker visas” (AKA H-1B visas). Students who previously wanted to study in the U.S. for advanced degrees are now considering other countries because of the difficulty in qualifying for U.S. student visas.

U.S. businesses have been lobbying Congress to increase the caps on the number of H-1B visas that can be issued in a year. According to Information Week, “The United States received the maximum number of allowable petitions for H-1B visas in fiscal 2006 six weeks before the fiscal year even began.” But recent focus on larger questions of immigration has threatened to derail progress on raising the H-1B caps. As a result, last week Texas Senator John Cornyn proposed the “SKIL (Securing Knowledge, Innovation and Leadership) Bill,” which will allow industries to continue competitive hiring while the immigration debate rages on. Why should lawmakers address the worker visa issue immediately?

An industry group called Compete America focuses on promoting competitiveness for American industry. Their website cites the following troubling trends: “Misguided immigration policies for highly educated foreign talent, combined with our foreign competitors’ increased efforts to attract that talent, have resulted in American brain drain. Fewer of the world’s top minds are coming to the United States to study. International applications to U.S. graduate programs are down 23 percent from 2003. Foreign student immigration to Australia has doubled since the year 2000 while the same type of immigration to the United States has not increased at all. After receiving a U.S. graduate degree, fewer foreign students are staying to work and contribute to the United States, finding better opportunities back home. While 25 years ago 70 to 80 percent of foreign students stayed in the United States after receiving a graduate degree, today only 50 percent do.”

The SKIL Bill, according to Compete America, will accomplish the following:
* Exemptions for U.S. educated foreign professionals with a master’s or higher degree from the H-1B and EB quotas so their talent can be retained in the United States.
* Creation of a flexible, market-based H-1B cap so that U.S. employers are not locked out of hiring critical talent.
* Extension of foreign students’ post curricular optional practical training from 12 to 24 months to allow them to go more easily from student to green card.
* Exemptions for spouses and minor children of EB green card professionals from the annual cap, thus making more visas available for the professionals U.S. employers need.

The United States cannot afford to stand by idly and watch a brain drain develop. Congress should act now – admittedly difficult during an election year – to ensure the next generation of technology is led by U.S. companies and research institutes. Allowing the cap to be lifted while other issues involving immigration are debated is critical.

Does SPAM Work?

I was intrigued by a recent article on spam which I found at a website called CIO-today.com. The author basically argues that spam is invincible. She writes, “Although better technological controls have provided some measure of relief, spam still is responsible for about 70 percent of mail to consumers, according to the security firm Commtouch. For businesses, who tend to have better protections in place, the statistic is better, but not by much: 46 percent of the entire e-mail traffic into a company is spam, spam, spam.”

70 percent? That’s shocking. So we’re apparently now caught in an unending battle between the innovators on the spam side and the opposing forces trying to defeat spam. But the author makes an incredibly important point – emails are not being sent by a defect in the internet – spam is being sent by real people selling real products. Why?

I found a great book on this question called “Inside the SPAM Cartel: Trade Secrets from the Dark Side.” It’s by an anonymous author who calls himself “Spammer-X.” The tag line on the front cover reads, “You may hate Spammer-X, but can you afford to ignore him?” The book is partly designed for security types to learn about those sending spam, and partly an inspirational how-to guide for aspiring spammer-types (read: anyone with something to sell). In one class discussion someone suggested that no one is opening spam. But the statistics tell a different story.

Spammer-X describes one spam “case”: he bought two million email addresses for $200.00 (chapter 2). He runs the email addresses against a list of known “bad/filterable” lists and then sends 10,000 spam emails, using eight proxy servers, in 17 minutes. He’s able to track how many people whom he emailed visit the site he’s promoting (which happens to be a porn site in the case he describes). After 12 hours, he’s got 967 people to click onto his link. Many of those clicked from a “bulk mail” folder. And nearly all clicked to another page within the site. Out of the 967, one registers for monthly membership on the site. Spammer-X suggests that this case is fairly typical.

Nearly ten percent of the recipients clicked on a link from an unknown source. Spammer-X claims he made nearly $3000 for about 30 minutes of work. So his motivations are clear. But why are individuals responding? Spammer-X claims that he’s providing email readers with links they want but won’t admit they want.

So the basic answer to the spam question may be a lot like the war on drugs – as long as the spammers are selling what people want (as evidenced by the fact that people click through), we’ll keep spam. If we stop opening them, the spammers will stop sending them.

Helping Consumers Help Themselves

Throughout our project on CPNI, we, as a class, have focused on protection of consumers. The FCC is one way to protect consumers, although not always the most effective. An interesting new website, www.SiteAdvisor.com, provides a way for consumers to protect themselves and, if it were used broadly, could create incentives for web site operators to reconsider the way they treat visitors to web sites.

SiteAdvisor.com describes itself on its web site, “SiteAdvisor is a consumer software company founded in April 2005 by a group of MIT engineers who wanted to make the Web safer for their family and friends. Having spent one too many holiday breaks trying to clean a mess of spam, adware, and spyware from our families’ computers, we decided to take action. We realized there was a gaping hole in existing Web security products. While traditional security companies had gotten relatively good at addressing technical threats like viruses, they were failing to prevent a new breed of “social engineering” tricks like spyware infections, identity theft scams, and sites which send excessive e-mail.”

In a February posting on his Washington Post blog, Brian Krebs outlines the benefits of SiteAdvisor’s web browser add-on. He notes, “For the past few weeks I’ve been surfing the Web with the help of the beta version of a browser add-on called SiteAdvisor, a tool that offers users a fair amount of information about the relative safety and security of sites that show up in Internet searches. As I played around with this program, it became clear that this is a tool that not only allows users to make informed security decisions about a site before they click on a search result link, but it also holds the potential to fuel a more informed public dialogue about the often murky relationship between Fortune 500 companies and the spyware and adware industry.”

If you play around on SiteAdvisor, you’ll find that it rates web sites in several categories: amount of email generated, spyware, adware and other less than desirable attributes. Test a few sites: Princeton.edu, Verizon.com and washingtonpost.com. You’ll find they all get positive reviews. Google gets a green light, but is criticized for levels of spam and phishing. Check www.180solutions.com and you’ll see an example of a site that is loading visitors up with spyware, adware and spam. But what’s even more interesting, as Krebs notes, is that many Fortune 500 companies are benefiting from the spyware and adware.

Imagine the possibilities for other applications – what if the web site could rate privacy protection capability? In class we debated whether or not consumers are generally interested in privacy protection. While it is difficult to generalize, it appears that consumers and corporations alike find a balance between privacy protection and convenience. Tools like SiteAdvisor.com allow consumers to make informed choices without excessive inconvenience. Definitely a step in the right direction.

DRAFT — Section on Notification

Below is a draft of the notification section.  I’ve included draft sections from the other members of the group.  As we come to agreement on a final, we’ll update the posting.

Notification — DRAFT

Public reaction to the release of CPNI has shown that the public should be dissatisfied with the wireless carriers’ protection of consumer information. The failure of the companies to protect that information suggests that – at a minimum – if the information cannot be protected, consumers should at least have a right to know when their CPNI has been fraudulently transferred, even when that notification is ex post facto. Our study of notification policies has focused on the idea that notification of security breaches involving CPNI is useful to prevent pretexting – or future pretexting – but notification to consumers is unlikely to prevent the rogue insider, cyber attack or physical theft security breaches. A consumer who understands his commonly used password has been stolen is empowered to protect himself against future uses of his identity. For this reason, we support EPIC’s proposal that notification be used as a tool to protect CPNI.

CTIA and the wireless carriers generally failed to provide comment on the costs or possible benefits of providing consumers notification of any level, other than to note that they believe additional FCC rules to be unnecessary. CTIA urged stricter enforcement of existing laws and, naturally, this group concurs. But stricter law enforcement is not enough.

Several key questions must be addressed: in which cases should consumers be notified, and by what means? Our review suggests that consumers should be notified in the event of a security breach – in other words, not when CPNI is transferred for legitimate business development purposes but when the transfer has been deemed wrongful, as in the types of breaches described above. We believe that requiring carriers to notify customers of routine CPNI transfers is too burdensome and adds little value to the consumer who wants to protect his CPNI. For the purposes of commenting to the FCC, we believe that CPNI can be divided into two areas: call service records and personal records. Only the transfer of personal information, or of personal information tagged with the call records, necessitates notifying the consumer.

Carriers have several readily available means for notifying consumers of a breach. First, consumers can opt-in/opt-out of receiving such information. Second, notification could be as simple as a line item on a billing statement (electronic or hard copy) or via direct communication – voicemail, email, or letter.

There is a strong case to be made for regular notice, on the grounds that it creates incentives for carriers to act more securely and with greater vigilance. Further, there is a normative claim that end users have a right to know when their data has been wrongly transferred, irrespective of whether or not they can get it back. Finally, for certain types of sensitive data that should not be regularly transferred (for example detailed call logs), we recommend notice for preauthorization, which can reduce leaks and should not be overly burdensome.

Key Arguments from CTIA on Notification of CPNI Security Breaches

I’ve reviewed the CTIA — The Wireless Association comments and reply comments to EPIC’s proposed rule making in order to learn the wireless industry’s position on notification in the case of CPNI security breaches.  The “notification group” is reviewing the comments filed by industry representatives in order to incorporate them into our proposal.

CTIA Comments to EPIC’s Filing from FCC Website

http://gullfoss2.fcc.gov/prod/ecfs/retrieve.cgi?native_or_pdf=pdf&id_document=6518177454
 

Specifically, on notification:

  • CTIA notes that more than 20 states are considering some type of notification requirement regarding security breaches that involve the compromise of personal information.  Further, Congress is considering federal legislation that would create uniform requirements.  None would require notification upon disclosure of calling records alone – only when that information includes personal information.
  • CTIA reports “very few complaints” about disclosure of CPNI to unauthorized recipients, particularly considering that wireless carriers hold account information for approximately 200 million subscribers.  CTIA notes no disclosed complaints have been registered with the FCC.
  • CTIA then states that the Fair and Accurate Credit Transactions Act (FACT Act) provides sufficient coverage to consumers who become victims of identity theft.  They argue that fraudulent schemes targeted against businesses and consumers are not unique to the wireless industry.  CTIA notes several cases of wireless carriers’ cooperation with law enforcement.

 

From CTIA’s reply comments on notification:

http://gullfoss2.fcc.gov/prod/ecfs/retrieve.cgi?native_or_pdf=pdf&id_document=6518180437
The reply comments are more general and do not specifically address notification, but make the following key points:

  • Additional rules are unnecessary
  • Carriers comply with CPNI and state privacy laws
  • EPIC’s proposals are redundant, inflexible and expensive (nothing further on the expenses)
  • CTIA urges stricter law enforcement efforts against offenders and suggests a joint task force “to track and combat persons who unlawfully obtain and sell customer information.” 
  • By the time any new rules are implemented, criminals will have improved their methods, thereby making the rules obsolete

I also reviewed the testimony of CTIA President and CEO Steve Largent to House and Senate committees considering CPNI issues.  Largent did not address notification issues in either testimony.

Protecting Intellectual Property Rights Overseas

Much of our class discussion last week focused on the hyper-sensitive efforts of the copyright-holding associations to enforce their copyrights within the United States.  But consider the question beyond our borders and the task becomes overwhelming.  I’d like to take a look at the intellectual property challenges the United States faces in Russia.

One quickly moves beyond the absurdity of collecting copyright fees from Girl Scouts when you consider the massive piracy that takes place in Russia. The scope of the piracy is extensive – we’re not just talking about a few CDs. It covers every kind of software, hardware, print materials and more. And the “pirates” are diverse – some are large scale operations but most are just single individuals with inexpensive, readily available equipment. Add to that an underdeveloped retail sector, and it’s a copyright holder’s nightmare.

Association groups such as RIAA have played a critical role in ensuring that the United States takes a hard line with countries that have a poor record for enforcing intellectual property rights. Because of their intense efforts and education, officials in Washington have come to understand the significant costs involved and are working to minimize the damage.

Russia’s stance on IPR threatens its entry into the World Trade Organization. Its poor record has placed it on the U.S. Trade Representative’s (USTR) Priority Watch List (http://www.ustr.gov/assets/Document_Library/Reports_Publications/2005/2005_Special_301/.pdf). According to a USTR report, “Enforcement in Russia remains weak and caused substantial losses for the U.S. copyright, trademark, and patent industries in the last year. Piracy in all copyright sectors continues unabated, and the U.S. copyright industry estimated losses of $1.7 billion in 2004. The U.S. copyright industry reports that unauthorized domestic production of optical media has increased in Russia: there are over 30 known optical disc plants now in operation, approximately 21 of which are believed to be engaged at least part-time in the illegal production of pirated goods. The U.S. copyright industry reports the following levels of piracy: 66 percent in the recording industry, 80 percent in the motion picture industry, 87 percent for business software, and 73 percent for entertainment software.”

RIAA executive vice president Neil Turkewitz recently stated, “…Russia has emerged in recent years as one of the world’s leading producers and exporters of pirate discs. The Russian government has failed to respond appropriately to this open lawlessness. Many of the plants currently producing pirate product are actually located on government premises – a form of tacit government involvement that we have not witnessed since China in the mid-1990s.” (http://www.riaa.com/news/newsletter/021306.asp)

Keep in mind that this “open lawlessness” is occurring in Vladimir Putin’s Russia, considered to have a strict sense of control throughout society. If Putin truly wanted to tackle the problem, he surely could do so effectively. The agenda between the United States and Russia is a long list of issues of terrorism, security and non-proliferation. But it is critical that policy makers find time to protect the critical intellectual property from which Russia has been illegally profiting for years.

President Bush in India: No Turning the Clock Back on Globalization

I know the topic of technology workers isn’t one we’ve discussed in class, but it’s in the headlines this week, so I thought I’d branch out a bit.

President Bush visited India this week and in a major address announced his plan to continue to support increasing globalization by resisting protectionist measures against Indian software and services exports and promising to increase the number of H-1B visas, which allow qualified workers to work legally in the United States. (http://www.infoworld.com/article/06/03/03/76072_HNprotectionism_1.html)

Some groups, such as the Washington Alliance of Technology Workers, believe that competition from India threatens jobs in America – particularly engineers, scientists and physicists. President Bush and Prime Minister Singh signaled their intent to overcome these barriers in the U.S.-India Joint Statement, “As two dynamic economies with many complementary interests, the U.S. and India will seek to enhance bilateral trade and investment ties by expanding private sector contacts, dismantling barriers to trade, building trade capacities and strengthening trade-promoting institutions.” (http://www.whitehouse.gov/news/releases/2006/03/20060302-6.html)

Many observers outside the political sphere may choose to read such statements as political fluff. But there are long-term implications for those in the technology sector in the United States as well as India. Protectionists claim a certain loss of jobs for Americans, but a Cato Institute report seeks to debunk some of the popular myths. “Fears that H-1B workers cause unemployment and depress wages are unfounded. H-1B workers create jobs for Americans by enabling the creation of new products and spurring innovation. High-tech industry executives estimate that a new H-1B engineer will typically create demand for an additional 3–5 American workers.” (http://www.freetrade.org/pubs/briefs/tbp-007es.html)

The President pledged to seek increases in the ceiling of H-1B visas, but he needs action from Congress. Congress will need to approve a permanent increase – currently 65,000 H-1B visas can be issued in a year – and Cato suggests that demand for technology workers cannot be met by domestic labor forces and the shortage could be as much as 150,000 workers in the coming years.

Traditional labor groups are fighting the increase – but in doing so they threaten the growth of American technology companies and the jobs they create for American workers. Congress should act quickly to adjust the H-1B cap and meet the needs of the U.S.