Author Archive
Joe Barton, Meet Alessandro Acquisti
We were all very excited about the Facebook IPO last week (I guess), and Washington, D.C. wants to have its part in the action. This Politico article, “Facebook IPO Pits Privacy vs. Profits,” is a good illustration. It is the organs of government saying we are relevant, you know.
I was particularly intrigued by the comment of Rep. Joe Barton (R-TX). He’s playing against type—if we’re still to believe that Republicans stand for limited government—where he’s quoted saying: “I believe in free market principles, but there are some things the market can’t put a price on because they lack a monetary value. Privacy is one of those things.”
Aha! Washington does have a role the market can’t provide.
Except that the observation isn’t valid. There are lots of things in markets that “lack a monetary value.” You don’t think that every dimension of every good and service has a price tag on it, do you? Markets still deliver these things through the decision-making of their participants.
Alessandro Acquisti at Carnegie Mellon University has been studying how consumers value privacy for years. Crucially, he’s been studying how they value privacy when confronted with real and simulated trade-offs. (What consumers and politicians say isn’t very informative.) He sometimes puts a price tag on privacy in his studies.
It’s often a low price. Consumers don’t value privacy as much as many of us would like. But markets do implicitly price privacy. You make a little bit more—not a lot—if you deliver privacy. You stand to lose—sometimes a lot—if you don’t protect privacy.
Stand down, Mr. Barton. Stand down, Washington, D.C. You are not relevant to the Facebook IPO. Free market principles suggest leaving markets free to serve consumers’ actual preferences as determined by market processes. This is the case whether you think of privacy as having a “monetary value” or not.
It’s Illegal to Say ‘None of Your Damn Business’
The government’s troops are rallying behind the Census Bureau’s American Community Survey. “After the House voted this month to defund a major part of the U.S. Census Bureau, the agency is taking the threat very seriously,” reports the Washington Times, “with its supporters in both business and government rallying to preserve the annual questionnaire.”
Wait. Who could be against the Census Bureau? Its constitutional charter is to enumerate citizens every ten years for the purpose of apportioning representation in Congress. This is a necessary and unremarkable administrative function.
Oh, wait—again. Government bloat is a law of gravity, and the Census Bureau does far, far more than count noses. Its American Community Survey has made the Census Bureau the research arm for the welfare/redistribution state and a source of corporate welfare in the form of demographic data about Americans.
So Census goes around asking people dozens of questions that have nothing to do with the agency’s constitutional purpose.
The ACS is controversial enough among the strongly principled that Census has a Web page entitled: “Is the American Community Survey legitimate?” Their answer: “Yes. The American Community Survey is legitimate. It is a survey conducted by the U.S. Census Bureau.” (Did you know there’s a whole class on the “appeal to authority” at Fallacy University?…)
The real authority they cite is Title 13 of the U.S. code, which, in section 221, allows the government to fine people who refuse to answer the Census Bureau’s questions. It’s illegal to say “none of your damn business” when a government official comes around asking about your toilet. I’ve written many times, in long form and short, that the helping hand of government strips away privacy before it goes to work.
So it’s nice to see that Rand Paul (R-KY) in the Senate and Ted Poe (R-TX) in the House have introduced a bill to make the American Community Survey voluntary, unless it’s a question that the Census actually needs for its constitutional purposes. Reading public comments on the House bill is particularly interesting. There is a good number of people who want to be left well enough alone. They shouldn’t be subject to penalties for saying so. It’s a matter of principle and privacy.
I Second That Skepticism
The ACLU’s Chris Calabrese notes that nominations to the Privacy and Civil Liberties Board were forwarded from the Senate Judiciary Committee to the full Senate this morning. Congress created the Board in August 2007, and we have waited, and waited, and waited while the Bush and Obama administrations neglected to appoint anyone to it.
Calabrese is rightly skeptical that the “PCLOB” can make a difference:
[T]he national security establishment is huge, with tens of thousands of employees and a budget of more than $60 billion. The NSA alone has more than 30,000 employees. Contrast that with the PCLOB. It’s currently authorized (if it finally gets filled) to spend a whopping $900,000 and hire ten full-time employees for the 2012 fiscal year. With this level of staffing, it’s hard to imagine that the Board and its investigators can even begin to understand this vast national security infrastructure, never mind properly oversee it.
I have a fair amount of experience with privacy oversight in the U.S. government, having served on the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee. That experience has fairly well validated my thinking in 2001, before there were “privacy officers”:
The appointment of a privacy czar or creation of a privacy office is a poor substitute for directly addressing the voraciousness of many government programs for citizens’ personal information. Political leaders themselves should incorporate privacy into their daily consideration of policy options, rather than farming out that responsibility to officials who may or may not have a say in government policy.
To see how the PCLOB fits into government thinking, we can look at a 2007 speech given by Donald Kerr, principal deputy director of National Intelligence. To him, “privacy” is giving the government access to all the data it wants, subject to oversight.
[P]rivacy, I would offer, is a system of laws, rules, and customs with an infrastructure of Inspectors General, oversight committees, and privacy boards on which our intelligence community commitment is based and measured. And it is that framework that we need to grow and nourish and adjust as our cultures change.
That’s not privacy.
So don’t think for a minute that privacy will be better protected with a PCLOB in place, except perhaps marginally in the few programs that the Board dips into.
The membership of the board is slated to be: Jim Dempsey of the Center for Democracy and Technology, a sincere and knowledgeable privacy player, whose “player” role I find incompatible with producing good privacy outcomes; Elisebeth Collins Cook, a former Department of Justice lawyer who I had never heard of before her nomination; Rachel Brand, an attorney for the U.S. Chamber of Commerce also unknown to me; Patricia Wald, a former federal judge for the D.C. Circuit whose privacy work is unknown to me; and David Medine, currently a WilmerHale partner who will chair the board. Medine is unquestionably government-friendly. He was a Federal Trade Commission bureaucrat who helped draft the Gramm-Leach-Bliley financial privacy and the Children’s Online Privacy Protection Act (COPPA) regulations.
New Underwear Bomb, New Threat Information
It’s a good bet that news of a new thwarted underwear bomber will underlie more than one argument for the strip-search machines American travelers encounter even at the domestic terminals of our airports. According to the AP:
The plot involved an upgrade of the underwear bomb that failed to detonate aboard a jetliner over Detroit on Christmas 2009. This new bomb was also designed to be used in a passenger’s underwear, but this time al-Qaida developed a more refined detonation system, U.S. officials said. … The would-be suicide bomber, based in Yemen, had not yet picked a target or bought his plane tickets when the CIA stepped in and seized the bomb, officials said.
Reading this, you’ve been reminded of the fact that, somewhere in a remote Middle Eastern backwater, someone would like to bomb an aircraft flying into the United States. For many, this will induce a bout of probability neglect, making it very hard to process the upshot of this news: This type of attack, which was already very unlikely to succeed, has been made even less likely to succeed.
How did it become less likely to succeed? Let’s use the Transportation Security Administration’s layered security concept to examine things.
In December 2009, the underwear bomber (well—he failed: the “underwear bomb plotter“), managed to get a deformed bomb onto a plane. It was so deformed that he could not cause it to explode. Instead, he burned himself while other passengers subdued him. In the TSA’s formulation, the plot was foiled by the last security layer (it’s hard to read in the graphic): passengers.
(This is not actually the last security layer. The design of planes to withstand shocks to the fuselage is a preventive against downings that small smuggled bombs will have a hard time overcoming.)
The latest news has it that an updated underwear bomb was seized in Yemen by the CIA. That’s the first layer of security in the TSA’s graphic. Intelligence—the first layer.
(This is not actually the first security layer. A benign, phlegmatic foreign policy would produce fewer people worldwide wishing to do the United States harm and more people intolerant of those who do.)
Now, it is not all 100%, unalloyed good security news. As the AP report says:
The FBI is examining the latest bomb to see whether it could have passed through airport security and brought down an airplane, officials said. They said the device did not contain metal, meaning it probably could have passed through an airport metal detector. But it was not clear whether new body scanners used in many airports would have detected it.
There may be an innovation in underwear bombs that make them easier to smuggle on to planes. At its best, this innovation may render the body scanners useless against them. (Again, watch for arguments that, despite their impotence, this news makes body scanners all the more essential. A news report yesterday said that new vulnerabilities in the machines have been unearthed by government investigators.)
On balance, I think this news shows just how much the threat is diminished. Innovations in bomb-making, happening on the far outskirts of modern society, are being thwarted at their source, long before they begin the journey through the many other security layers that protect aviation and air travelers. You may continue to move about the country even more confident of your safety than you did before. I’m hopping on a plane again Friday morning, and I will be just as polite and cheerful as ever in declining to go through the strip-search machines.
New Hampshire Says No to National ID
New Hampshire has been a bellwether state in national ID debates before. I wrote about its push-back against the E-Verify federal background check system in a recent post entitled “Cardless National ID and the E-Verify Rebellion.”
The bill that was the subject of that post, HB 1549 by Rep. Seth Cohn (R-Merrimack 6), has now passed the Senate, and it is on its way to Governor John Lynch’s desk for his signature.
It is pared down from its original version, but it now makes clear that state driver’s license records cannot be used in a national identification system. That is what E-Verify is rapidly becoming, and New Hampshire has rapidly said “No.”
Because Every Dumb Idea Should Be Illegal
Congress is considering H.R. 5050, the Social Networking Online Protection Act, which would prohibit employers from requiring or requesting that employees provide a user name, password, or other means for accessing a personal account on a social networking website.
On Breach of Decorum and Government Growth
Last week, the Center for Democracy and Technology changed its position on CISPA, the Cyber Intelligence Sharing and Protection Act, two times in short succession, easing the way for House passage of a bill profoundly threatening to privacy.
Declan McCullagh of C|Net wrote a story about it called “Advocacy Group Flip-Flops Twice Over CISPA Surveillance Bill.” In it, he quoted me saying: “A lot of people in Washington, D.C. think that working with CDT means working for good values like privacy. But CDT’s number one goal is having a seat at the table. And CDT will negotiate away privacy toward that end.”
That comment netted some interesting reactions. Some were gleeful about this “emperor-has-no-clothes” moment for CDT. To others, I was inappropriately “insulting” to the good people at CDT. This makes the whole thing worthy of further exploration. How could I say something mean like that about an organization whose staff spend so much time working in good faith on improving privacy protections? Some folks there absolutely do. This does not overcome the institutional role CDT often plays, which I have not found so creditable. (More on that below. Far below…)
First, though, let me illustrate how CDT helped smooth the way for passage of the bill:
Plain Language Regulation?
Now where have we seen this before? S. 2337 would require that federal regulations use plain writing that is clear, concise, well-organized, and appropriate for the subject matter and intended audience.
Well, according to the “Plain Writing Association,” efforts to produce plain writing in government go back as far as the 1977 issuance of a report on federal paperwork. President Carter commanded simple and clear regulations in 1978.
Twenty years later, President Clinton issued a memorandum calling for “Plain Language in Government Writing.”
There’s even a “PlainLanguage.gov” Web site already. Because the last Congress passed Public Law 111-274, the Plain Language Act of 2009.
Maybe passing another law will do it. Maybe the search for locution that provides a level of clarity sufficient for public consumption comes from alternate changes in public policy than to amend the expression of their societal impact. (ahem)
Cybersecurity Bills? No, Thanks
Prominent academics, experienced engineers, and professionals published an open letter to Congress yesterday, stating their opposition to CISPA and other overly broad cybersecurity bills. Highlight:
We take security very seriously, but we fervently believe that strong computer and network security does not require Internet users to sacrifice their privacy and civil liberties. The bills currently under consideration, including Rep. Rogers’ Cyber Intelligence Sharing and Protection Act of 2011 (H.R. 3523) and Sen. McCain’s SECURE IT Act (S. 2151), are drafted to allow entities who participate in relaying or receiving Internet traffic to freely monitor and redistribute those network communications. The bills nullify current legal protections against wiretapping and similar civil liberties violations for that kind of broad data sharing. By encouraging the transfer of users’ private communications to US Federal agencies, and lacking good public accountability or transparency, these “cybersecurity” bills unnecessarily trade our civil liberties for the promise of improved network security.
Cato’s recent Capitol Hill briefing on cybersecurity covered many similar points, and additional ones, too. CISPA and three other bills are scheduled for consideration on the House floor this week.
Cybersecurity: Talking Points vs. Substance
In the late stages of a legislative battle, it often comes down to “talking points.” Whoever puts out the message that sticks wins the debate—damn the substance.
Rep. Mike Rogers (R-MI) is prioritizing talking points over substance if a CQ report about a speech he gave to the Ripon Society is accurate. (He put it up on his Web site, from which one could infer endorsement. Rogers is not a cosponsor of SOPA, the Stop Online Piracy Act, so let’s not have the government taking down the house.gov domain just now, mkay?)
From the report:
“We’re finding language we can agree on,” he said in a speech to the Ripon Society, a moderate Republican group. “Are we going to agree on everything? Probably not. They don’t want anything, anytime, ever.” But, Rogers said, he hopes to give the groups “language that at least allows them to sleep at night, because I can’t sleep at night over these threats.”
This seems to suggest that a few tweaks to language, well in the works with the privacy community, will make his version of cybersecurity legislation a fait accompli. I’m a keen observer of the privacy groups, and I see no evidence that this is so. The bill is so broadly written that it is probably unrepairable.
And that is a product of Congress’s approach to this problem: Congress does not know how to address the thousands of difference problems that fall under the umbrella term “cybersecurity,” so it has fixed on promiscuous (and legally immunized) “information sharing” with government security agencies as the “solution.” Privacy can rightly be traded for other goods such as security, but with no benefits discernible from wanton information sharing, one shouldn’t expect sign-off from the privacy community.
That is not actually the message of the privacy community, who, on average, trust the government more than most conservatives and libertarians. The mainstream privacy community probably would accept highly regulatory and poorly formed cybersecurity legislation if it had enough privacy protections. But Rogers’ talking points try to push privacy folk onto the “unreasonable” part of the chess board, saying, “They don’t want anything, anytime, ever.”
That’s closer to my view than anything the orthodox privacy advocates are saying. Cybersecurity is not an area where the federal government can do much to help. But even I said in my 2009 testimony to the House Science Committee that the federal government has a role in improving cybersecurity: being a smart consumer that influences technology markets for the better.
What Representative Rogers—and all advocates for cybersecurity legislation—have failed to do is to make the affirmative case for their bills. “I can’t sleep at night” is not an answer to the case, carefully made by Jerry Brito of the Mercatus Center at Cato’s recent Hill briefing, that the threat from cyberattacks is overblown.
The briefing was called “Cybersecurity: Will Federal Regulation Help?” That’s a place one can go for substance.
‘How an E-Verify Requirement Can Help’
I know little about a House Judiciary Committee hearing tomorrow on E-Verify, but the title of it has a peculiar odor: “Document Fraud in Employment Authorization: How an E-Verify Requirement Can Help.”
You see, the immigration policies Congress has set are the source of the problem. Document fraud is made more likely by employment authorization requirements meant to enforce them, which are also—let’s remember—intrusive and costly business regulation.
In my Cato Policy Analysis “Electronic Employment Eligibility Verification: Franz Kafka’s Solution to Illegal Immigration,” I wrote about restrictive immigration policies and the intrusive “internal enforcement” programs they have spawned. In a section titled “Counterattacks and Complications,” I examined how workers and employers will collude to avoid and frustrate worker verification. Mandatory E-Verify will increase identity and document fraud because it makes these frauds profitable. Trying to solve this problem, the government will naturally gravitate toward more powerful identity systems, including biometric identity cards and tracking.
Sure enough, House Judiciary Committee chairman Lamar Smith’s bill, the “Legal Workforce Act,” has a “pilot program” for a biometric national identity card.
When committing fraud is the pathway to productive employment, you know something is out of whack. Among the things out of whack are: too-restrictive immigration policy, internal enforcement, and E-Verify. This is supposed to be a free country where willingness and ability are the keys to employment.
Data Transparency Coalition Debuts Today
Meet the Data Transparency Coalition.
The Washington Post‘s Capitol Business blog reports this morning:
A small but growing collection of companies has formed a coalition that will push the federal government to establish a standard system by which agencies categorize their data. …
“Our members understand that if the government identified its data elements in consistent ways, there would be vast new opportunities for the tools that they are building,” Executive Director Hudson Hollister said.
Early supporters include Microsoft and data analysis and management firms Level One Technologies, Teradata, and BrightScope. I’m on their Board of Advisors. One of their early priorities will be to pass H.R. 2146, the DATA Act.
Cato has worked extensively on government transparency, beginning with our December 2008 policy forum entitled, “Just Give Us the Data! Prospects for Putting Government Information to Revolutionary New Uses.”
We have modeled much of the data that the government should be publishing in standardized formats (much more cheaply than CBO has estimated it would cost) and graded the quality of current data publication in the areas of congressional process and budgeting, appropriating, and spending. Expect improvements to come with this new organization joining other efforts.
Follow the coalition‘s founder and executive director on Twitter @hudsonhollister, and you can Like their Facebook page, as well, to get updates that way.
Cato on Facebook
Cato on Twitter
Cato on Google+
Cato on YouTube
