Privacy & Data Security

Navigating Data Security Policy: a Primer for Startups


For most startups, it’s not a matter of whether you’ll have a data breach, it’s whether you’ll know about it and how well you’ve prepared for it. That’s been the main takeaway at two recent events highlighting the importance of data security protocols for startups. Last month, the Federal Trade Commission (FTC) held a “Start with Security” conference in San Francisco, the first in a series of events under the Commission’s new initiative aimed at providing businesses with resources for navigating the world of security (you can watch the full event here). And yesterday, Engine co-hosted a data security panel at the Nasdaq Entrepreneurial Center in downtown San Francisco. The conversation began with a presentation by Jim Dempsey of the Berkeley Center for Law & Technology, followed by a panel featuring several experts on how technology companies, especially new ones, should manage and protect their users’ data.

These conversations are particularly timely, as companies are generating, collecting, and using more data than ever—and regulators are taking notice. Every day, even a one-person startup can handle sensitive data from hundreds of thousands of users and is expected to have security protocols in place.

The principal federal body that oversees companies’ data practices is the FTC, which has the authority to police “unfair or deceptive practices” under section 5 of the FTC Act. At its recent conference, FTC Chairwoman Edith Ramirez remarked that “in the rush to innovate, privacy and security cannot be overlooked—even in the fast-paced startup environment.” Ignorance is no longer an excuse in the eyes of the Commission. Startups should take this admonition to heart because the FTC can—and will—bring lawsuits against companies that fail to meet cybersecurity standards. Just last month, this authority was cemented by a federal court in FTC v. Wyndham. While the FTC cannot create new industry security regulations without direction from Congress, it now has explicit authority to police companies’ cybersecurity practices using its consumer-protection mandate.

This presents a conundrum for startups. As Josephine Wolff unpacks in a recent post in Slate, even “experts disagree on which computer security practices are reasonable and which are unreasonable.”

So how should startups ensure they’re not upsetting the FTC? One option is to look to the agency itself for some guidance. Published in conjunction with its outreach initiative, the FTC’s “Start with Security” paper outlines ten data security principles they advise companies to adopt, from data encryption to password policies.

At Tuesday’s event, Dempsey expounded on this document, arguing that the overarching takeaway is security by design: companies should build security into their products at every stage of development. The panelists, including a privacy lawyer, agreed emphatically, suggesting that companies of all sizes develop several security and privacy guidelines, implement them, and most importantly, document them. These include an internal IT security policy, a privacy security policy that specifically addresses how users’ personal information is handled, and finally, an incident response plan to refer to if and when a data breach occurs.

But data security requirements don’t stop at the FTC. Any startup operating in a regulated industry such as finance, healthcare, or education is likely well aware that additional laws apply in managing sensitive financial, health, and student data respectively. And to further complicate the process, there are additional state laws regulating data issues. Dempsey explained at least 47 states have their own requirements for companies’ treatement and security of user data. California, for instance, is one of the many states that have breach notification-specific laws, requiring companies to notify residents whose unencrypted personal information was acquired in an attack.

While all these laws can create a compliance nightmare for startups who lack the internal capacity to decode these various guidelines, they’re not going away. Congress has debated questions around data security for years now. Should a data security bill include enumerated, prescriptive standards or take a more loose, industry-specific “best practices” approach? Should a bill include specific requirements or should those be left to the FTC to write? We’ve seen more than six federal data security proposals already in 2015, each of which takes a different approach to answering the above questions. While it is not yet clear which (if any) of these bills will become law, the increasing momentum behind passing something sends a clear message—startups can no longer defer addressing security issues until it is convenient.

The tech community should be engaging in more conversations like the one Engine hosted today. They provide clarity around best practices so that when Congress finally passes a data security law or when a breach eventually happens and the FTC comes knocking, startups already have security protocols in place that will pass muster. Further, as our technology improves, our privacy expectations evolve, and our lawmakers better understand the extent to which policy can dictate practices, startups voices should be heard in the debate around better policies that work for both companies and users around the world.

Startup News Digest 10/16/15

Our weekly take on some of the biggest stories in startup and tech policy.

Federal Aid for Coding Bootcamps. On Wednesday, the U.S. Department of Education announced a new pilot program that will make it easier for a more diverse range of people to attend alternative education programs like coding bootcamps. Until now, students enrolled in “nontraditional” educational programs have not been eligible for federal financial aid.  The new EQUIP (Educational Quality Through Innovative Partnerships) program will waive existing restrictions to allow federal aid dollars to be used towards approved alternative programs. While the scope of the pilot will be relatively small, this initiative is a great move by the Dept. of Ed towards making these popular and essential programs more accessible to all.

White House Opts Against Legislating Back Door for Encryption. At the end of last week, the White House made a long awaited decision: they would not push for legislation that would mandate companies be able to decode messages at the request of law enforcement. At least, that’s what they’ve decided for now. Even if the White House’s decision maintains status quo, advocacy groups worry about the White House’s definition of “strong encryption” and whether the Administration will “weaken security through other methods.”

EU Safe Harbor Ruling. Ars technica takes a deeper look at the far-reaching consequences of the EU’s safe harbor ruling in an article published on Thursday. Evan covered the impact this ruling will have on startups in a blog post last week, noting that “while larger companies have quickly moved to establish new legal pathways for importing EU data or have secured data centers in the EU, smaller companies face a more daunting task in trying to comply with now unclear data protection rules.” Ars goes even further, arguing that this ruling will have a dramatic effect beyond short-term global commerce—it will likely impact future trade agreements between the U.S. and EU, as well as the UK’s surveillance practices.

Evidence of “Over-Removal” by Intermediaries. When intermediaries receive a take-down request, the easiest, least risky response is to take down the cited material - especially for small companies that don’t have the resources to hire a legal team to thoroughly evaluate each request. A literature review by Stanford revealed growing amounts of empirical evidence of “over-removal” by intermediaries (e.g. Google, Twitter, Facebook), further defining a problem that puts free-expression at risk.

Wyden Calls for Greater DMCA Exemptions. As the U.S. Copyright conducts its periodic review of requests for exemptions under the Digital Millennium Copyright Act (DMCA), the agency should consider the importance of these exemptions to the  continued expansion and improvement of American technologies, Sen. Ron Wyden explained in this week’s Wall Street Journal. Wyden expressed his concerns about the EPA and FDA’s pleas to limit exemptions for new software in cars and medical devices, thereby prohibiting such new technologies from being legally tinkered with under the DMCA. Sen. Wyden and Rep. Jared Polis (D-CO) have introduced the Breaking Down Barriers to Innovation Act, a bill that aims to streamline “the process to obtain exemptions to the DMCA to promote scientific research, innovation and the fair use of copyrighted works.”

Better Crowdfunding Policy. In anticipation of the SEC’s impending release of the Title III crowdfunding rules, Engine published a white paper this week, “Financing the New Innovation Economy: Making Investment Crowdfunding Work Better for Startups and Investors.” The paper analyzes trends in U.S. and U.K. crowdfunding markets, which offer important lessons for U.S. regulators and lawmakers as we move closer to launching investment crowdfunding for retail investors.

In Celebration of Ada Lovelace. On Tuesday we commemorated Ada Lovelace Day and celebrated the achievements of the first programmer and women in science and technology everywhere. News from Stanford emphasized progress: 214 women have enrolled as computer science majors, 30% of all enrolled computer science students.

Startup News Digest 10/9/2015

Our weekly take on some of the biggest stories in startup and tech policy.

ECJ Invalidates Data Safe Harbor. On Tuesday, the European Court of Justice (ECJ) invalidated the European Commission’s “safe harbor” rules that permitted U.S. companies to self-certify compliance with European data protection rules in order to legally transfer EU customer data to the U.S. The court determined that U.S. legislation permitting the NSA to secretly collect and review consumer data was inconsistent with the EU’s Data Protection Directive. Consequently, the safe harbor framework was itself inconsistent with the Directive, as U.S. companies could not claim to have adequate data security protections in place. While larger companies have quickly moved to establish new legal pathways for importing EU data or have secured data centers in the EU, smaller companies face a more daunting task in trying to comply with now unclear data protection rules.

Governor Brown Signs CalECPA. In a huge victory for startups and digital privacy, Governor Jerry Brown signed the California Electronic Communications Privacy Act (SB178), now the nation’s best digital privacy law, on Thursday. This landmark bill (which we’ve covered in past digests) updates digital privacy laws by requiring law enforcement to obtain a warrant before accessing an individual’s electronic communications. We are hopeful that this action by California will prompt similar movement in other states or at the federal level.

Closing the Gender Gaps. California passed a (another) landmark piece of legislation that would require women to be paid the same as men for doing “substantially similar work.” Though the governor acknowledges that this bill won’t solve the problem, he expects it to “help accelerate [the] progress.” It’s an interesting development in light of the dialogue in Silicon Valley regarding the promotion and retainment of women in the tech industry. Meanwhile, on the federal level, Senators Maria Cantwell (D-WA), David Vitter (R-LA) and Jeanne Shaheen (D-NH) introduced a bill that would reauthorize and increase funding for the Women’s Business Center Program, which improves business training and counseling opportunities for women entrepreneurs.

Capital Formation Bills Pass in House. The House passed two bills earlier this week aimed at making raising capital just slightly easier for startups. H.R. 1525, the Disclosure Modernization and Simplification Act and H.R. 1839, the Reforming Access for Investments in Startup Enterprises Act, contain measures that simplify and codify some of the regulations that govern how growing private companies raise capital. It’s encouraging to see members of Congress seek out ways to support capital formation for our country’s emerging companies and we hope our senators follow suit.

Marco Rubio Addresses Tech in NYC. Civic Hall hosted Senator Marco Rubio this week to talk about the on-demand economy. He spoke to the advantages of working for on-demand services, (flexibility of hours, mobility of work,) and recognized the need for a middle ground status between W-2 employees and independent contractors. He also called out incumbents, such as the taxi and hotel industries, for hindering innovation. It is the role of the government, Rubio said, to help those displaced by the new economy access the new economy through education and other opportunities.

Regulating Drones. As the popularity and pervasiveness of drones, (or unmanned aerial systems, UAS,) increases, lawmakers are grappling with the best way to ensure safety and privacy without needlessly inhibiting innovation in this growing industry. On Wednesday, Representative John Garamendi (D-CA) and Senator Barbara Boxer (D-CA) introduced the SAFE DRONE Act of 2015, which prohibits drone flights within two miles of an airport or active fire. While some argue these sorts of rules should be left to the Federal Aviation Administration to craft, others are growing tired of waiting on the agency to act after it missed a Sep. 30 deadline to implement drone rules.

What the EU Data Safe Harbor Ruling Means for Startups


This week’s decision from the European Court of Justice (ECJ) vacating the European Commission’s “safe harbor” rule that allowed U.S. companies to quickly and easily import consumer data from European users has left many in the tech community unsure about exactly what went down and what happens next. While the ultimate impact of the ECJ’s ruling is hard to predict, the incident serves as an interesting lesson on the often poor fit between policy and technology.

What exactly happened?

Unless you’ve recently taken a course in EU civics, figuring out precisely how things got to this point and what it all means is rather difficult. To summarize: the EU’s data protection laws are more stringent than those in the much of the rest of the world—the U.S. included. Under the EU’s Data Protection Directive, data from EU citizens can only be transferred to countries that provide certain protections for said data. Recognizing that compliance with these data protection rules could create a giant bureaucratic headache for companies and countries, in 2000, the European Commission created a “safe harbor” that allowed any U.S. companies to self-certify that they complied with the Directive and thereby legally import EU consumer data into the U.S. This safe harbor rule is at the heart of the present dispute.

In 2014, an Austrian citizen filed a lawsuit in Ireland, claiming that U.S. laws permitting the NSA to surreptitiously collect and analyze vast amounts of consumer data violate the Directive. The Irish court then referred the case to the ECJ, the highest court in the EU, to consider the application of the safe harbor rule. Ultimately, this week, the ECJ held that the safe harbor doesn’t prevent individual member states from considering whether U.S. rules allowing government data collection render U.S. companies in violation of the Data Protection Directive and that the safe harbor itself fails to provide adequate data protections. With the ruling, the most commonly used legal pathway for importing EU data to the U.S. disappeared.

So what happens now?

With the rule allowing U.S. companies to import EU consumer data eviscerated, do EU-U.S. data transfers suddenly stop altogether? Did EU citizens wake up to find they couldn’t access their email accounts run by American companies? Not quite. The ruling will impact different companies in different ways.

Different legal pathways for data transfers

The safe harbor isn’t the only way that U.S. companies can import EU customer data. For example, companies can craft “binding corporate rules” (essentially, intra-company privacy policies) that, once approved by the data protection authorities in EU member states, allow for EU to U.S. data transfers outside of the safe harbor. But, since crafting such policies and getting member state approval is an arduous, time-consuming process, only large, well-funded companies can afford to explore these alternate data transfer protocols, leaving startups functionally unable to comply with data transfer rules.

Local data storage

If a company can’t legally transfer data from the EU to the U.S., the other option is to simply keep the data in Europe by building or leasing new data storage facilities overseas. Some companies, like Box and Pick1 are taking this approach, but this strategy comes at significant financial and time costs for companies, and startups operating on tight budgets may not have the resources to relocate servers or the time to develop new ways to handle foreign data.

Do nothing?

If a startup can’t find alternate legal mechanisms to import data or European data centers to handle EU data, it’s left with a difficult choice: stop handling EU customer data or continue to do so and face legal risk. The former tactic has obvious drawbacks. For one, it can be challenging to determine whether or not particular data belong to an EU-based user, rendering compliance nearly impossible. And, even if it is possible to altogether stop handling EU data, losing such a huge market will likely doom a great number of companies.

Startups could (and many probably will) simply continue business as usual and hope that they don’t get sued. A company that struggles to find the resources to establish alternative data importation frameworks or overseas servers may be too small for regulators and plaintiffs to worry about. Obviously, this isn’t a particularly comforting option for a company that wants to follow the rules. But, with such a sudden and dramatic shift in the rules, it may be the only course forward for some companies.

How long will this problem persist?

While the decision came as a surprise to many, policymakers in the EU and U.S. have been trying to shore up the safe harbor framework for a while. The ECJ’s ruling will add some urgency to their work, and U.S. and EU officials have given assurances that alternative data export pathways will soon become available. Of course, “soon” means something very different to bureaucrats than it does to entrepreneurs. And, even if the EU and U.S. can craft a new safe harbor framework, it’s unclear how these new rules will avoid the same fate as the prior safe harbor. That is, if the ECJ’s decision was predicated largely on the U.S.’s NSA-enabling legislation, any new safe harbor framework will similarly run afoul of the Data Protection Directive unless and until the U.S. passes significant surveillance reform legislation that limits the NSA’s reach. But, since a new ECJ ruling throwing out this replacement safe harbor could take several years, it may buy enough time for the U.S. or EU to craft other sensible data transfer rules.

Broader Lessons

The ECJ’s elimination of the safe harbor could pose an existential threat to some companies or it may simply end up being a temporary distraction, but it has helped crystalize a few issues facing the Internet economy. First, the notion of enforcing territorial data restrictions makes little sense in a globally interconnected digital world. Sure, national governments have an interest in making sure that their users’ data are protected, but trying to restrict the flow of information across national boundaries creates more problems than it solves, particularly for the startups that are responsible for building the global Internet. Creating insurmountable bureaucratic hurdles for companies that want to comply with their international obligations serves no one.

Second, the ruling highlights the need for surveillance reform in the U.S. Simply put, if users do not feel that their data are adequately protected, they will be less inclined to use online services—services often provided by fledgling startups. While the logic of the ECJ’s decision itself seems peculiar (if the U.S. fails to adequately protect user data because it allows the NSA to obtain authorization from FISA courts to secretly collect data, why are countries like France, Germany, and the U.K.—which do not require intelligence agencies to get court approval before collecting data for national security purposes—exempt from scrutiny? Is consumer data really any safer from NSA collection if it’s stored in the EU rather than in the U.S.?), the notion that consumer data should be protected from government surveillance is difficult to dispute.

Finally, the safe harbor fiasco is a prime example of how policy struggles to keep up with technological realities and the problems that arise when regulatory compliance becomes too complicated for otherwise upstanding companies to easily navigate. Many companies simply have no idea what they’re supposed to do while national governments try to hammer out an interim fix to data transfer rules, and even this temporary uncertainty can cause companies to go under altogether. As the Internet economy becomes ever more global, policymakers should strive to make the rules governing global commerce as frictionless as possible.

Entrepreneurs are Building a Better Baltimore



This week Engine is traveling with Steve Case on the Rise of the Rest road trip to celebrate entrepreneurship, in all its forms, across America. Every day we’ll post dispatches from the cities we’ve seen. For more updates follow #RiseofRest on Twitter.

This week marks the fourth Rise of the Rest road trip, and our first stop was Baltimore, Maryland. While we often hear about the challenges facing Baltimore, during our full day tour we saw another Baltimore story—a story about opportunity, innovation and economic development. Baltimore is one of the busiest ports in the United States and has a thriving healthcare sector, in large part driven by Johns Hopkins University’s hospitals and world class research facilities. Baltimore has 11 more universities and it’s just miles away from from major federal agencies like the National Institutes of Health and the National Security Agency which draws technology security talent to the region.

On our visit to Baltimore, we caught a glimpse of how entrepreneurs are capitalizing on the city’s leading industries. In the security space, we stopped by ZeroFox, a young, but fast-growing company with a cloud-based security platform that blocks malicious content from social applications. TechCrunch called its team “a who’s-who of some of the best and brightest security technologists.” We visited Fast Forward, an accelerator at Johns Hopkins that advances and commercializes technologies developed at the university. Many of the companies at yesterday’s culminating pitch competition also focused on new technologies in the health sector. ShapeU is a data-driven application digitizing the personal trainer, Sonavex offers a platform to detect blood clots, and Edessa is an automated hand washing system. The winner of the $100,000 investment from Steve Case was Sisu Global Health, a medical device company with an innovative blood transfusion product for healthcare providers in emerging markets.

We also saw some signs of entrepreneurial success in Baltimore, first and foremost at Under Armour headquarters. Under Armour has called Baltimore home since its inception. The company now has over over 1,000 employees, making it one of the city’s biggest employers. Their campus spans the Baltimore harbour and, unsurprisingly, includes a state-of-the-art fitness center complete with Under Armour’s newest wearable technology and health-tracking devices. Though Under Armour is no longer a startup, Baltimore entrepreneurs commented on how supportive the fitness-wear company has been of the ecosystem. The last startup tour of the day was at OrderUp, a food delivery platform acquired this summer by the Chicago-based Groupon—a sign to many of Baltimore’s competitive consumer technology sector.

We also sensed the broader commitment to fostering greater and more inclusive economic prosperity in Baltimore. The cries for justice after the killing of Freddie Gray this summer resonated deeply with the community and local leaders here, and many entrepreneurs are thinking about how to create new economic opportunity that’s accessible to more of Baltimore’s residents. One promising sign is the opening of Baltimore’s own Impact Hub—a local outpost for social business leaders that will open its doors within months. During a sneak peek of the space we heard from one young company making it easier for the formerly incarcerated to find jobs, as well as from a new local ice cream maker employing some of Baltimore’s youth.

Overall, we sensed great optimism in Baltimore about the potential to build on the city’s existing talent pool and create new solutions where challenges remain. From here, we’re traveling up the Northeast corridor to Philadelphia. Stay tuned for more dispatches from the road.

Startup News Digest 9/25/15


Our weekly take on some of the biggest stories in startup and tech policy:

Startups Defend Net Neutrality Order. The FCC is facing ongoing litigation in the DC Circuit Court of Appeals over the net neutrality rules it passed earlier this year, and on Monday, the court received briefs from a variety of companies and organizations supporting the FCC’s rules. Engine filed a brief along with a group of innovative startups that included Dwolla, Fandor, Foursquare, General Assembly, GitHub, Imgur, Keen IO, Mapbox, and Shapeways. We argue that the FCC’s decision to reclassify broadband as a telecommunications service was necessary to preserve the continued growth of the startup sector, which has in turn driven consumer demand for broadband and incentivized companies to invest in their networks. The court will hear oral arguments in the case on December 4 and will likely render its decision sometime next year.

SEC To Finalize Crowdfunding Rules. Sources at the Securities and Exchange Commission have told Politico the agency is likely to finalize long-awaited crowdfunding rules in late October or early November. SEC rulemaking will put Title III of the JOBS Act into effect, which could radically expand capital access for startups—though the statute does contain some burdensome requirements for companies. While the startup community will be excited to see any action from the SEC in light of an extended delay, we need to ensure that whatever regulatory regime the SEC adopts is well-calibrated and accessible to the small, emerging companies that could most benefit from new sources of capital.

Bush Campaigns Against Open Internet. Most of the Republican candidates in the 2016 presidential race have come to realize that an overwhelming majority of the public supports net neutrality rules (including 81% of Republicans) and have refrained from loudly criticising the FCC’s Open Internet Order. But this week, Former Governor Jeb Bush expressed his opposition to net neutrality (a policy he onced called “one of the craziest ideas [he’s] ever heard”), arguing that preventing ISPs from abusing their gatekeeper power does nothing to enhance consumer welfare. Bush’s comments run counter to both the FCC and the conservative DC Circuit Court of Appeals, which have recognized that net neutrality rules and foster the growth of the edge providers and promotes investment in broadband networks, resulting in better and more affordable service for consumers. It’s a reminder that startups, consumers, and everyone else who benefits from the open Internet should keep a close eye on this presidential race. 

Administration Taking Steps to Promote High-Speed Broadband Access. On Monday, the Broadband Opportunity Council published its first report, which includes 36 actions that federal agencies will take to encourage broadband deployment.  These actions require no new funding, “but existing sources of funding are being opened up and barriers to deployment are being brought down.”  Of particular note is that the White House refers to broadband as a “core utility,” like electricity or water. We tend to agree - broadband is no longer a luxury. Connectivity is core to innovation and the ability of startups to reach customers and scale, and we are pleased to see the Administration taking these steps to bring access to underserved populations and areas of the country.  

White House Considers Encryption. Thanks to some leaked documents from the White House, it’s rumored that President Obama may come out in opposition to a law that would require firms be able to unlock their customer’s encrypted smartphones and applications. Up to this point, law enforcement has argued the need for backdoors to encryption to ensure national security and safety. This sort of advocacy from the White House would help repair global trust in the US government, countering the narrative in Europe that the US is trying to expand its surveillance activities. Meanwhile, the American Civil Liberties Union (ACLU) and other privacy advocates continue to push the importance of US government’s use of encryption to promote both personal privacy and national security.

“Facebook giveth and Facebook taketh away.”  The Wall Street Journal reported this week that dozens of startups have “shut down, been acquired or overhauled their business” as a result of Facebook’s new policies limiting outsider access to some of its users’ date. Facebook’s rules, which went into place in May, restrict what data can be used by third parties like startups, academics, politicians or organizations.  Other social media giants like LinkedIn and Twitter have enacted similar policies, signaling to the startup world that if you are building a product or service that relies on data from social media sites, that data may not always be available...

ECJ Advisor Deals Blow to U.S. Tech Companies.  In other data related news, a European Court of Justice (ECJ) advisor issued an opinion this week that the “safe harbour” agreement allowing for data transfers between the EU and the U.S. is “invalid” due to growing concerns around U.S. surveillance practices.  While the lawyer’s opinion is not legally binding, if cemented by a formal ruling it would create a headache for U.S. tech companies who could face data localization requirements in any EU countries.

Women Tech Leaders. Fortune profiles some of the powerful female talent Google has been able to attract at the executive level, including Ruth Porat, a recent addition who has led the transition from Google to Alphabet. Many of these executives after building their experience at Google have left to grow smaller tech companies. Meanwhile, Mary Lou Jepsen of Facebook has a different take: she sees many senior women leaving because they feel isolated by the tech industry.




Startup News Digest 9/18/15

Our weekly take on some of the biggest stories in startup and tech policy.

Tech and 2016. In case you missed it, check out Julie talking about tech and the 2016 election on KCRW’s Press Play with Madeleine Brand.

FCC Opens Up Business Broadband Data to New Eyes. On Thursday, the Federal Communications Commission (FCC) announced that it will release data on the little-understood special access market. While most consumers have never heard of special access lines, you probably unknowingly use them every day. They are the high capacity business broadband lines that allow ATMs to connect directly to your bank or cell phone towers to connect back to the network. Competition in this industry is sorely lacking, with just two providers covering most of the U.S. and jacking up prices for the startups, universities, hospitals, and other businesses that use them. While the data will only be accessible to analysts approved by the FCC, its release represents a step in the right direction towards more transparency, increased competition, and lower broadband prices.

Senate Committee Considers ECPA Updates. The Senate Judiciary Committee held a hearing on reforming the Electronic Communications Privacy Act (ECPA) on Wednesday morning. As we’ve covered in past digests, it's still legal for law enforcement to access your emails and other digital data without a warrant. Last week, the California legislature passed a bill to modernize these outdated digital privacy laws at the state level. Still, a federal overhaul of ECPA would be an even better fix, bringing these laws out of the digital dark ages.  Sens. Lee (R-UT) and Leahy (D-VT) have proposed a bill in the Senate, and there is similar legislation in the House. We’ll be tracking reform efforts.  

Dancing Baby Wins Victory For Copyright Fairness. The courts ruled this week in Lenz v. Universal, the famous “dancing baby” case. As Evan writes, “The Lenz ruling is important for a few reasons. First, it should make it much harder for content owners to abuse the takedown process. […] Second, the decision should serve as a loud reminder that the tech world needs to get to work rebalancing our copyright laws to ensure that they’re actually promoting creativity and expression.”  Read the whole post here.

$81M for CS in NYC. On Wednesday, New York City Mayor Bill de Blasio announced an $81 million public private partnership to make computer science education available to every student in city public schools by 2025. Substantial contributions have come from the Wilson family foundation, the AOL Charitable Foundation, and the Robin Hood Foundation. New York joins Chicago and San Francisco in terms of large cities that have made similar commitments, and we hope to see other cities, states, and the federal government continue to build on such efforts to prepare students for jobs in the growing innovation economy.

The Fight Is On Over Chicago’s Streaming Tax.  A group of Chicago residents have sued the city over its controversial application of the 9% Amusement Tax to online streaming services like Netflix, Hulu, and Spotify.  The Amusement Tax, which applies to events like concerts and sporting games, has been in existence for a while, but was only recently expanded to cover streaming services. And Chicagoans’ bills are already increasing.  As Ars Technica reports, one reader’s Spotify bill went from $7.99 to $8.71 this month. We’ll be watching, as the outcome of this case could have a national impact on the power of cities and states to tax the internet economy.

“Cool clock, Ahmed”. When a Texas middle-schooler’s homemade invention was mistaken for a bomb this week, prompting an outlandish response by his school and local law enforcement, it caught the tech world’s - and the President’s - attention. As a New Yorker writer points out, “His arrest comes at a moment when some of the world’s most influential people...have argued that there aren’t enough U.S. students gaining the math and science skills that will get them jobs in the tech sector."

A Different Kind of Tech Event. We were impressed and encouraged by the conversation at last week’s Tech Inclusion conference in San Francisco, which brought together leaders in Silicon Valley and the national tech community to discuss the challenge of making the tech industry more diverse. Read our take on why this wasn’t your typical tech event and what we took away.



Startup News Digest 9/11/15

Our weekly take on some of the biggest stories in startup and tech policy.

CalECPA Letter to Governor Brown Urgently Needs Your Signature. On Wednesday, the California Assembly passed the California Electronic Communications Privacy Act (CalECPA) with broad, bipartisan support. The bill (which we covered in last week’s digest) would update digital privacy laws by requiring law enforcement to obtain a warrant before accessing an individual’s electronic communications. The bill now heads to Governor Jerry Brown for signature, but opponents are campaigning aggressively for a veto. We’re sending a letter to Governor Brown urging him to sign the bill and modernize an absurdly outdated privacy law. If you are a startup and would like to lend your voice to this fight, please fill out this form by noon on Monday, September 14.

Upcoming Tech Events. Catch our webinar on September 23, “How can startups work with government to promote innovation and new technologies?” Co-sponsored with Gide Public Affairs and ConnecTech, the webinar will look at how to incorporate a government relations strategy and leverage government resources to grow your startup, and how we can all advocate to protect the startup community. Click here to RSVP.

Intelligence Reauthorization Bill Still Held Up Over Terrorist Reporting Provision. As Congress returns to session, a bill to reauthorize funding for intelligence agencies continues to be held up in the U.S. Senate over a provision that would require social media and internet companies to police the speech of their users and report apparent “terrorist activity.” Opponents argue that the bill’s vague legislative language will result in a compliance nightmare for the wide range of companies that will be subject to the bill’s requirements.  Senator Ron Wyden (R-OR) has vowed to block the bill until these concerns are addressed.  We will be monitoring closely, as the currently ill-defined requirements could be overly burdensome and difficult to navigate for many startups.  

An Immigrant Entrepreneur’s Story. "Our immigration system hinders entrepreneurship, innovation and productivity," writes tech entrepreneur, Amit Paka, and we couldn't agree more. Paka shares his story of patiently navigating the irrationally complex immigration system to at long last obtain residency status and become a U.S. citizen. And in that time he also founded two companies, despite significant obstacles. This broken system impedes opportunities for entrepreneurs - the men and women creating new technologies and jobs in this country every day - yet it remains to be seen whether real solutions are in sight.

Patent Reform. Lot’s of news on patents this week. House Judiciary Chairman Bob Goodlatte expressed confidence that patent reform legislation would get a vote in the weeks ahead. The NY Times wrote in an editorial that “patent law should not be used to prevent consumers from reselling, altering or fixing technology products.” And the patent research platform Patexia launched a new initiative using crowdsourcing to help companies share some of the burdens associated with patent litigation. In case you missed it, check out our recent post on the status of patent reform efforts in Congress.

A Safety Net for the On-Demand Economy.  As lawmakers continue to grapple with the gig economy’s dramatic transformation of the American workforce, recommendations are emerging around which policies will best serve the growing class of on-demand workers. On Wednesday, the National Employment Law Project published a report calling on lawmakers to classify on-demand workers as employees and extend a number of protections and benefits to them. Freelancers Union founder Sara Horowitz proposed additional solutions in a New York Times op-ed published Wednesday, arguing for the creation of a “new system of portable benefits” to better provide a safety net for workers in the freelance economy. These are important conversations for the startup community to take part in as the debate continues around how to best support this new class of workers.

Diversity in Tech. African Americans face serious challenges in entering the tech field, even if they live just miles from Silicon Valley. Profiling several new organizations including the Hidden Genius Project, based in Oakland, the New York Times highlights how the tech community’s debates about its lack of diversity have spurred initiatives to educate, train and support underrepresented minorities to enter into and succeed in the industry. African Americans have become an especially important focus: they currently make up only 7 percent of the tech workforce and receive only 1 percent of VC funding. See more on Engine’s work to diversify tech here.

Tech Leaders in Politico 50. The Politico 50 is out, recognizing some of the people transforming American politics this year. The list includes a number of tech leaders, including Engine board member Marvin Ammori, along with Susan Crawford, Tim Wu, Michelle Lee and Chris Soghoian. Congrats to everyone who made the list!

Startup News Digest 9/4/15

Our weekly take on some of the biggest stories in startup and tech policy:

Growing Support for CalECPA.  Right now it's still legal for law enforcement to access your emails and other digital data without a warrant. SB 178, the California Electronic Communications Privacy Act (“CalECPA”), would change that on the state level by modernizing outdated digital privacy laws. The bill passed the California Senate back in June, but still faces a couple of hurdles, including a vote in the Assembly that should take place in the next couple of weeks.  The LA Times just endorsed SB 178, noting that “Californians need the protections offered by SB 178, and the bill deserves the Legislature's support.”  A poll published this week found similar support among California voters, with 82% of participants agreeing that law enforcement should get a warrant before accessing an individual’s digital data.  Engine echoes this endorsement of SB 178 and hopes to see California take the lead on updating its privacy laws to keep pace with the changing digital landscape.

The Future of Higher Education. Daniel Pianko of University Ventures writing in TechCrunch argues that the lack of innovation in higher education is due to a lack of commitment from Silicon Valley billionaires. “Today’s current generation of entrepreneurs are spending their energy and resources lobbying for band-aid solutions like H-1B visas, when they could be reimagining the current pipeline to address the lack of female and minority engineers in their companies.” Pianko points out that it was investment from 20th century titans of industry like Johns Hopkins and Andrew Carnegie that created the modern research university, and forced schools like Harvard and Yale to evolve in order to compete. He also points to non-traditional education models being pioneered at places like Galvanize. Here’s a look back at a deep dive we did on education policy and its impact on innovation.

New White House Hire. The White House announced that they are hiring their first Director of Product this week. Josh Miller, a startup founder who sold his company to Facebook last year will lead efforts to improve their existing digital products and look to develop new ones. Miller has a history of bringing a tech perspective to civic engagement. This marks yet another move from an administration that seems determined to engage with startups to improve the way government functions.  

Diversity in Tech. Troubling new data from the Pew Research Center shows that “businesses owned by women and minorities bring in far less revenue than firms with male or non-minority owners.” The research finds that even when you look at sectors where women tend to fare better, the problem persists. This Fortune article hypothesizes that one big factor may be a lack of investors--a problem that has been documented before. Engine will continue to work on access to capital issues, particularly as it affects founders from underrepresented groups. Stay tuned for more on that in September….  

Drones. The National Journal reports that in the absence of federal regulations, 26 states have now passed local legislation to limit the operation of drones. This patchworks of regulation is causing concerns for operators and commercial users. Hopefully the months ahead will see a thoughtful approach to protecting safety and privacy that doesn’t needlessly throttle innovation in this growing industry.

Car Hacking. The debate over how to make Internet-connected vehicles more resistant to cyber attacks is heating up in Washington. Much of the discussion will center around whether these are problems that can be solved within the industry, or if government action will be necessary to spur automakers to act.

ECPA Pushes Past 235 Co-Sponsors


For the last few months, we’ve closely watched the progress of a bill in Congress seeking to reform and update the Electronic Communications Privacy Act. We’ve discussed the current law’s outdated regulations of our communications infrastructure, but a piece of that could be updated very quickly through Kansas Congressman Kevin Yoder and Colorado Congressman Jared Polis’ Email Privacy Act. Essentially, as we’ve noted before, law enforcement currently doesn’t currently need a warrant to read your email--leaving many startups in the unenviable position of not being able to protect their customers. We think this is wrong, and it turns out a bunch of our elected representatives agree.

Less than a month ago, we noted that the bill had reached 218 co-sponsors, fully half of the House of Representatives, and which, let’s face it, is a monumental achievement with such a divided Congress, and a testament to ECPA reform’s popularity. With this week’s announcement that six more Republican co-sponsors are signing on, that number has now ballooned to 235 and is threatening to climb even higher.

Even as we creep closer and closer to mid-term elections, there are certain things Congress can still do while it’s in session. The Email Privacy Act, which would drastically enhance both privacy and security for Internet users and bring our laws into the 21st Century, is a great example of the “art of the possible” and we encourage the House to listen to itself and pass this much-needed reform swiftly.

ECPA Reform Bill Attracts Majority Support in House


This morning, Congress has taken a significant step towards defining privacy for the digital age in a way that will benefit startup companies and their users. The Email Privacy Act -- a common-sense piece of legislation that would bring ECPA (the Electronic Communications Privacy Act of 1986) better in line with how the Internet actually works -- is supported by a majority of the House of Representatives. This kind of support, before a bill even comes to a vote, is an important sign that policymakers and their constituents understand that something must be done.

The Email Privacy Act gives online documents the same privacy protections granted to physical documents. Specifically, the bill would require government agencies to obtain warrants from a judge in order to force service providers to disclose private emails and documents they store online for their customers.

Since data play an increasingly important role for many startups, any uncertainty over compliance increases the burden of time and resources needed to handle the issue. The current status quo also disenfranchises businesses and consumers, and places an added strain on user trust. Under the current law, a complex legal request from law enforcement would force businesses to chose between facing fines and legal action while protecting their users, or complying with the government at the cost of alienating users.


The Email Privacy Act clarifies existing law, and provides a much-needed update to bring regulations in line with the digital age. We thank Reps. Yoder and Polis for their leadership on this important issue, and with majority support we look now to House leadership to move this bill, and we hope they act swiftly to pass this common sense reform.

Big Day for Open DATA


The Federal Government has taken a big step towards reforming the way it buys, uses, maintains, and publishes data with the unanimous passage of the Digital Accountability and Transparency or DATA Act.

The bipartisan measure, which now goes to President Obama for his signature, would open up the way we track spending across government agencies, and was sponsored originally in the House by Oversight and Reform by Chairman Darrell Issa (R-CA) and Ranking Member Representative Elijah Cummings (D-MD). A companion Senate measure was sponsored by Senators Mark Warner (D-VA) and Rob Portman (R-OH).

What does this mean in practice? Hudson Hollister, Executive Director of the Data Transparency Coalition, explained what the DATA act will do for government transparency in Forbes earlier this month:

If the DATA Act is fully enforced, citizens will be able to track government spending on a particular contractor or from a particular program, payment by payment. Agencies will be able to deploy sophisticated Big Data analytics to illuminate, and eliminate, waste and fraud. And states and universities will be able to automate their complex federal grant reporting tasks, freeing up more tax dollars for their intended use.

This sort of transparency in government allows ordinary citizens to better track how government is using technology, and it will also allow government to better source information technology projects, and understand how tax dollars are being spent in an effort to streamline those multifaceted processes.

Of course, there will also be benefits for the startup community. Understanding how government money is being spent could make it easier for our most innovative companies to break through the procurement process.

We applaud the work of Chairman Issa, Ranking Member Cummings, Senators Warner and Portman, and everyone else who helped shepherd this vital legislation through the Congress. We look forward to continued efforts to leverage data in productive ways. 

Why You Should Care About ECPA Reform


This piece was originally published in Venture Beat

The law that governs our interactions with the Internet was passed in 1986. Yes, the Electronic Communications Privacy Act — ECPA — became law before the Internet was widely used and at a time when most people did not have computers in their homes.

ECPA is out of date and out of its depth. But changing a law that touches as many industries and interactions as ECPA does takes a lot of political appetite and will. So why should you care?

Despite original intentions, ECPA is the touchstone privacy law protecting and governing our information and interactions online. So, among other things, it has been used by the government to argue that anything stored online for longer than 180 days has been“discarded” and therefore does not qualify for Fourth Amendment protection — the freedom from unwarranted search and seizure, and the right to privacy.

In other words, all those emails and Dropbox documents you’ve had for over six months can be obtained by law enforcement without a probable cause warrant. This includes the IRS, FBI, and DEA, as well as state and local law enforcement agencies.

So there’s the personal problem of having our online data unprotected by the Fourth Amendment — but that’s just the beginning. Since ECPA is being used to tackle questions outside of its original scope, and is therefore interpreted at will and applied unevenly, the ensuing uncertainty has an adverse impact on startups (read: small, fast-growing companies that are creating economic value and jobs).

Since data plays an increasingly important role for many technology startups, any uncertainty over compliance increases the burden of time and resources needed to unravel the issue. In addition, laws like this that disempower businesses and consumers place an added strain on user trust. Under ECPA, a complex legal request from law enforcement would force businesses to chose between facing fines and legal action while protecting their users, or complying with the government at the cost of alienating users. During the Occupy Wall Street protests last year, Twitter was caught up in all this while trying to protect a user’s Fourth Amendment rights against the unwarranted seizure of tweets over 180 days old. In the end, however, Twitter surrendered the data to avoid hefty fines.

This obvious disparity between the statute books and reality of how we use the Internet to communicate has already led to a bi-partisan push for reform, championed by the original ECPA author — Senator Patrick Leahy. Senator Leahy is joined by co-sponsor Senator Lee who explained that “when ECPA was enacted, email was primarily a means of communicating information, not storing it. Today, we use our email accounts as digital filing cabinets, where we store many of the personal documents and sensitive information that the Fourth Amendment was meant to protect. This bill takes an essential step toward ensuring that the private life of Americans remains private.”

There is also a reform bill in the House sponsored by Representative Kevin Yoder. The Email Privacy Act has 137 co-sponsors, but if it’s actually going to pass this do-nothing Congress, we need to take action. It’s worth noting here that the 113th Congress is on course to pass less legislation than any Congress in history. So far, it’s passed only 49 laws. The original “Do Nothing’’ Congress denounced by President Harry Truman in 1947, however, passed 906 laws.

And if that’s not a big enough hurdle, all reform legislation is now being blocked by the Securities and Exchange Commission in the hope of a special carve-out so regulatory agencies can continue to access our online documents without a warrant. Clearly, any such exception would undercut the purpose of reform.

So what can you do?

1. Sign the White House petition. Call on the White House to break its silence and stand up for ECPA reform. We need President Obama to tell the SEC to back down in its demands and make clear that the time for ECPA reform is now. The petition needs 100,000 signatures by December 12th. That’s next Thursday!

2. Join the TechFreedom Thunderclap to show your support and raise awareness about the need for reform.

3. Do your own evangelizing on social media using #ECPA and #GetAWarrant. You can also share these infographics from the ACLU and TechFreedom to educate others.

The right to privacy and the freedom from unwarranted search and seizure are not to be taken lightly. And as we live more of our lives online, it is essential that the law catches up.

What Startups Should Know About TPP

What Startups Should Know About TPP

In the name of “individual rights and free expression,” WikiLeaks has released the draft text of the Trans-Pacific Partnership Agreement. Negotiations over this trade agreement began in secret between 12 Pacific Rim countries in December 2012, and despite the secrecy, we know (from a previous leak) that discussions have covered intellectual property, competition and State-owned enterprises, environmental policy, services and investment, and government procurement, among other issues. But how will this impact startups?

Startups Speak: Democracy Requires a Right to Privacy

Startups Speak: Democracy Requires a Right to Privacy

To date I have been operating on a rather simple premise. If democracy equals freedom and freedom equals privacy then - by the transitive property of mathematics - democracy and privacy must be intricately linked. Like all constitutional queries, the discussions we are having about privacy - and those yet to be had - are centered around a single question: what kind of country do we want to live in?

California Law Lets Minors Erase Online ‘Overshares’

California Law Lets Minors Erase Online ‘Overshares’

This week, California Governor Jerry Brown signed into law a bill that aims to protect the online privacy of minors in California by fashioning a right to erase content posted on the internet. The new law is specifically designed to protect "the teenager who says something on the Internet that they regret five minutes later," but it also leads to questions about broader online privacy issues.

Right to Know or Right to Innovate?


In recent weeks, California legislators have shown renewed interest in redrafting online privacy regulations, leading to the introduction of over a dozen bills and the creation of a Select Committee on Privacy to help “update California privacy from the brick and mortar world.” Most efforts have been focused on AB1291 -- the Right to Know Act. While supporters of this two-year  bill -- including EFF and the ACLU -- claim it offers more transparency and much needed updates to privacy laws, there are almost no additional protections to users, and the bill imposes significant hardship on startups.

As we spend more time on the internet, conducting more of the business of our lives, online privacy has rightfully come to the forefront of efforts by government regulators and advocacy organizations. Regulations are necessary to protect children, prevent abusive marketing, and allow consumers to make informed choices about the products they use. Unfortunately, Right to Know does none of that.

This bill offers few, if any, improvements to the existing “Shine the Light” law, which already requires businesses to provide information to consumers about direct disclosures of personal information to third parties. At the heart of Right to Know is a new requirement that businesses make all “reasonably available” user data available upon request -- thousands and thousands of pages of it. This ‘give us everything’ mentality might feel right from an intuitive perspective, but it does not improve transparency (what does “reasonably available” even mean?), and it makes data more costly.

For a small startup, this bill is like a regulatory DDoS attack -- there just aren’t enough resources to hunt down all the data about users, especially when you consider the ever-changing nature of databases in growing companies. The beauty of startups is that we collect every piece of information until we can determine what is useful, allowing us to innovate and improve products along the way.

As more consumer-facing services live online, there is a continued need for trust between users and service providers. Startups -- the pioneers of the next great technologies -- need to foster that trust, but giving users thousands of pages of data will not do much to help consumers make informed choices. Right to Know, though well intentioned, will not help consumers make smarter decisions about products, but it could stifle the innovation of startups.

Bill to Amend 1986 Communications Privacy Law Goes to Senate


Senator Patrick Leahy (D-VT.), author of the original Electronic Communications Privacy Act (or ECPA), is once again pushing for amendments that take into account rapid advances in technology since, er, 1986. Passing the Senate Judiciary Committee today, the bill will soon be debated by the Senate.

In Leahy’s own words, the “bill takes several important steps to improve Americans’ digital privacy rights, while also promoting new technologies -- like cloud computing -- and accommodating the legitimate needs of law enforcement.”

Engine, together with a coalition of tech companies, is pleased with the clarity this new act brings to how content can be accessed by government; excluding emergencies, law enforcement must obtain a warrant in order to compel a service provider to disclose the private content of users.

Since data plays an increasingly important role for many startups, uncertainty about compliance increases the burden of time and resources, and puts a strain on user trust. Currently, a complex legal request from law enforcement would force startups to chose between legal action and alienating users.

The bipartisan Amendment Act is co-sponsored by Senator Mike Lee (R-UT). “When ECPA was enacted”, Senator Lee explained, “email was primarily a means of communicating information, not storing it. Today, we use our email accounts as digital filing cabinets, where we store many of the personal documents and sensitive information that the Fourth Amendment was meant to protect. This bill takes an essential step toward ensuring that the private life of Americans remains private.”

Here’s a rundown of this new bill:

  • Search warrant required for email and other electronic communications, when those communications are stored with a third-party service provider.
  • Requirement does not apply to other Federal crimina or national security laws including Wiretap Act and Foreign Intelligence Surveillance Act of 1978
  • Government can use administrative, civil discovery and grand jury subpoena to obtain corporate email and other electronic communications directly from a corporate entity, when the content is on an internal email systemGovernment can use civil discovery subpoenas to obtain non-content information
  • Bill eliminates the outdated “180-day” rule that calls for different legal standards for the government to obtain email content depending upon the age of an email
  • Government must notify an individual whose electronic communications have been disclosed within 10 days of obtaining a search warrant, but they can also seek a court order to delay this notice in order to protect integrity of ongoing investigations

Tweet at any or all of the members of the Senate Judiciary Committee listed below to tell them that protecting data matters to startups.

Chairman Patrick Leahy @SenatorLeahy

Sen. Michael Lee @SenMikeLee

Ranking Member Charles Grassley @ChuckGrassley

Sen. Dianne Feinstein @SenFeinstein

Sen. Orrin Hatch @Orrin Hatch

Sen. Chuck Schumer @ChuckSchumer

Sen. Dick Durbin @SenatorDurbin

Sen. Jeff Sessions @SenatorSessions

Sen. Sheldon Whitehouse @SenWhitehouse

Sen. Lindsey Graham @GrahamBlog

Sen. Amy Klobuchar @amyklobuchar

Sen. John Cornyn @JohnCornyn

Sen. Al Franken @alfranken

Sen. Christopher Coons @ChrisCoons

Sen. Richard Blumenthal @SenBlumenthal

Sen. Ted Cruz @TedCruz

Sen. Jeff Flake @JeffFlake

Sen. Mazie Hirono @maziehirono

Photo courtesy of Talk Radio News Service.