Author Archive
The Senate’s SOPA Counterattack?: Cybersecurity the Undoing of Privacy
The Daily Caller reports that Senator Harry Reid (D-NV) is planning another effort at Internet regulation—right on the heels of the SOPA/PIPA debacle. The article seems calculated to insinuate that a follow-on to SOPA/PIPA might slip into cybersecurity legislation the Senate plans to take up. Whether that’s in the works or not, I’ll detail here the privacy threats in cybersecurity language being circulated on the Hill.
A Senate draft currently making the rounds is called the “Cybersecurity Information Sharing Act of 2012.” It sets up “cybersecurity exchanges” at which government and corporate entities would share threat information and solutions.
Sharing of information does not require federal approval or planning, of course. Information sharing happens all the time according to market processes. But “information sharing” is the solution Congress has seized upon, so federal information sharing programs we will have. Think of all this as a “see something, say something” campaign for corporate computer security people. Or perhaps “e-fusion centers.”
Reading over the draft, I was struck by sweeping language purporting to create “affirmative authority to monitor and defend against cybersecurity threats.” To understand the strangeness of these words, we must start at the beginning:
No Budget in 1,000 Days? No Budget Ever!
Around the time of President Obama’s State of the Union speech two weeks ago, Republicans and their allies came out arguing that the Democratic Senate hadn’t produced a budget in 1,000 days. Senate Budget Committee chairman Kent Conrad (D-ND) disputes the charge.
Is it true? The new budget season started Monday, so it’s a great time to examine that question.
Budget season really did start Monday. The Congressional Budget Act has a timetable in it (at section 300) that says the president submits his budget on or before the first Monday in February. We’re underway!
But I hope you weren’t holding your breath waiting to get a glimpse of the president’s budget. The White House has kicked back its release by a week—an unfortunate symbol of how both ends of Pennsylvania Avenue flout budget processes in ways large and small.
Now to the question: When was the last Senate budget?
Let’s start with a preliminary question: What is a “budget”?
Cardless National ID and the E-Verify Rebellion
New Hampshire was the state where the “REAL ID rebellion” got its start. There, in 2006, Rep. Neal Kurk (R-Weare) took to the floor of the New Hampshire House to talk about his principled opposition to the federal national ID law.
In stirring words, Kurk urged his colleagues to overturn a committee recommendation that no action should be taken on his bill to have New Hampshire reject REAL ID. The House went on to pass his bill and half the states in the nation soon followed suit.
Now a bill pending in the New Hampshire House responds to a more insidious version of the federal government’s national ID plans: E-Verify.
E-Verify is a federal background check system that its proponents intend to be used on every person seeking work in the United States. Once in place, E-Verify would expand to new uses, giving the federal government direct regulatory control of all Americans’ lives through control of proof of identity. It’s being fitted to operate using only databases, so I’ve been referring to it as a “cardless national ID.”
New Hampshire Rep. Seth Cohn (R-Merrimack 6) has introduced a bill to prevent his state from contributing New Hampshirites personal data to the E-Verify system. HB 1549 would not only prohibit the state from allowing citizens’ personal data to be used in E-Verify. It would prohibit the state from requiring employers to participate in the E-Verify system.
It’s an appropriate response to the Department of Homeland Security’s latest move. You see, a branch of E-Verify is called the “RIDE” program. That stands for “Records and Information from Department of Motor Vehicles for E-Verify” (Yeah, it’s a stretch…) Basically, RIDE is the conduit through which the states are going to start passing data to the federal government, weaving together that national ID outside of the REAL ID Act.
In their desire to bring illegal immigration under control, a lot of people have convinced themselves over many years that growing the federal government and conscripting businesses into “internal enforcement” of immigration law was the way to go. Unfortunately, that route costs a lot of money, it bloats the federal government, and it requires a national ID system, which is a threat to liberty that Americans reject. My paper, “Franz Kafka’s Solution to Illegal Immigration,” goes through many of the details.
Is this the beginning of the E-Verify rebellion? It’s a welcome addition to the national debate from the “Live Free or Die” state.
Photo ID Laws Mean Some Won’t Vote
Because all of us are with ourselves all day every day, we naturally tend to think that our own lives are pretty standard fare. But that’s just not so in a country of 300+ million people ranging over a vast expanse. So I found worthwhile this NPR story on people who don’t have IDs, people who face difficulty with laws requiring IDs to vote. Not everyone trundles down to the DMV and plunks down money and paperwork for an ID whenever they please.
The voter ID issue is a hot one. Some are strongly committed to the idea that identification requirements are needed to suppress voter fraud. There isn’t much evidence of that problem, and to worry about impersonation fraud at polling places, one has to put aside absentee ballot fraud, which is probably much easier, as well as election fraud—rigged vote counts, for example—which is much more efficient.
States should tinker with their voting rules and processes, each seeking for itself the methods that optimally secure elections while facilitating voting. It’s a big country, and different states may require different rules. My emphasis has always been on avoiding a national voter ID system, which would inevitably be a national ID system, paving the way for greater federal control of individuals’ lives.
Kashmir Hill Has It Right…
…on the Google privacy policy change.
The idea that people should be able to opt out of a company’s privacy policy strikes me as ludicrous.
Plus she embeds a valuable discussion among her Xtranormal friends. Highlight:
“Well, members of Congress don’t send angry letters about privacy issues very often.”
“Oh, well, actually, they do.”
Read the whole thing. Watch the whole thing. And, if you actually care, take some initiative to protect your privacy from Google, a thing you are well-empowered to do by the browser and computer you are using to view this post.
Helping the House Advance Data Transparency
The House of Representatives is poised to make great strides forward in transparency, and our work over the last year aims to help them do that. Here’s how this spreadsheet (.xls) will do that.
In December, the House Administration Committee announced a plan to improve the publication of House documents. In January, a new site—docs.house.gov—went live. (It’s attractive looking, but still bare-bones.) On Thursday this week, the Committee is hosting a “Legislative Data and Transparency Conference” to examine what data is out there and what data should be out there. Little information is on the Web yet, but you can sign up to attend at the link just above.
I’ll be speaking on the last panel of the day, which deals with measuring transparency success. Likely, they chose me for this panel because I’ve already been grading the government on its publication practices.
Last September, you see, we graded Congress on how well it publishes data that would assist the public in computer-aided oversight. The summary blog post is called “Needs Improvement.” And then in December, we graded the government on publication of budget, appropriations, and spending data. That’s a joint legislative-executive responsibility, but mostly executive. The message was: “‘Needs Improvement’ is Understatement.”
How do you grade Congress and the government on their data publication?
You start out by modeling the data government should publish. We put together a data model for legislative process, for example, and then a data model for budgeting, appropriating, and spending. We got a great deal of help from folks at the Sunlight Foundation, OMB Watch, and others such as the National Priorities Project, as well as data guru Josh Tauberer, whose latest project is PopVox.
Even with all this help, these models won’t be the last word—there is much to learn yet about the data structure that will serve every use the public may want to make of information. But it’s a strong start.
Then we compared the data that’s actually out there to the practices described in my paper, “Publication Practices for Transparent Government,” and out popped the grades! They were pretty bad…
The House of Representatives aims to fix that—for its part, at least.
Now to this spreadsheet: it’s a list of the things that should be identified in congressional documents so that computers can find the most salient information in them. It also indicates the “vocabularies” that already exist for identifying many of them: members of Congress, bills, laws, statutes, committees, agencies, programs, and so on. We’ve talked about how to identify “budget authority” and appropriations (spending) so that computers can capture that information from bills and committee reports. Locations, state and foreign governments, times, meetings—all these things can be put into electronic versions of documents to allow computer-aided public oversight.
Once documents contain data like this in the proper structures, literally thousands of questions about Congress will be answered instantly.
- How much new budget authority has each member of Congress proposed? Voted for? Voted against? Allowed to go through on voice vote or unanimous consent? How about this same information by state? By region? Or by seniority?
- What title of the U.S. code do members of Congress most often propose to amend? What title do they actually amend the most?
- What bills affect my state specifically, such as by naming buildings, creating wilderness areas, changing boundaries on parks, or giving land to localities?
- How often do my member of Congress and senators break with their party?
These are just a few examples. In the hands of varied users, the data will be converted to hundreds or thousands of uses. It will go into studies performed by political scientists and it will supercharge news reporting. But more importantly, it will go into services that inform people directly and quickly about how their own representatives in Congress are acting and what they’re saying.
It will give people insight into where the money goes—from the moment new spending is proposed all the way through to when Congress spends it—or declines to spend.
Credit is due to the leadership in the House of Representative for starting this work. There is a lot to do before they show clear success. But they are way ahead of President Obama, whose Sunlight Before Signing transparency promise lags badly, and who has yet to put together a machine-readable organization chart for the executive branch of the federal government. He can easily do the latter, and coordination with Congress is essential for transparency success. The sooner that happens the better.
‘Destroy America’ = Suspicion Fail
News that incautious comments on “tweeter” got British tourists excluded from the United States had Twitter alight yesterday. (Paperwork given to one of the two, on display in this news story, refers to the popular social networking site as a “Tweeter website account,” betraying some ignorance of what Twitter is.)
It’s a good chance to review how suspicion is properly—and, here, improperly—generated.
The Department of Homeland Security has been vague as yet about what actually happened. It may have been some kind of “social media analysis” like this that turned up “suspicious” Tweets leading to the exclusion, though the betting is running toward a suspicious-activity tipline. (What “turned up” the Tweets doesn’t affect my analysis here.) The boastful young Britons Tweeted about going to “destroy America” on the trip—destroy alcoholic beverages in America was almost certainly the import of that line—and dig up the grave of Marilyn Monroe.
Profoundly stilted literalism took this to be threatening language. And a failure of even brief investigation prevented DHS officials from discovering the absurdity of that literalism. It would be impossible to “dig up” Marilyn Monroe’s body, which is in a crypt at Westwood Memorial Park in Los Angeles.
I testified to the Senate Judiciary Committee in 2007 about how one might mine data for terrorists and terrorism planning, in terms that apply equally well to Twitter banter and to any criminality or wrongdoing. For valid suspicion to arise, the information collected must satisfy two criteria:
(1) It is consistent with bad behavior, such as terrorism planning or crime; and (2) it is inconsistent with innocent behavior. In . . . the classic Fourth Amendment case, Terry v. Ohio, . . . a police officer saw Terry walking past a store multiple times, looking in furtively. This was (1) consistent with criminal planning (“casing” the store for robbery), and (2) inconsistent with innocent behavior — it didn’t look like shopping, curiosity, or unrequited love of a store clerk. The officer’s “hunch” in Terry can be described as a successful use of pattern analysis before the age of databases.
Similarly, using the phrase “destroy America” is consistent with planning to destroy America. (You want to be literal? Let’s be literal!) But it’s also consistent with talking smack, which is innocent behavior. These Tweets fail the second criterion for generating suspicion.
Twitter is nothing if not an unreliable source of people’s thinking and intentions. It’s a hotbed of irony, humor, and inside jokes. Witness this Tweet of mine from yesterday, which failed to garner the social media guffaw I sought (which is why I link to it here). Things said on Twitter will almost never be suspicious enough to justify even the briefest interrogation.
Other facts could combine with Twitter commentary to create a suspicious circumstance on extremely rare occasions, but for proper suspicion to arise, the Tweet or Tweets and all other facts must be consistent with criminal planning and inconsistent with lawful behavior. No information so far available suggests that the DHS did anything other than take Tweets literally in the face of plausible explanations by their authors that they were using hyperbole and irony. This is simple investigative incompetence.
If indeed it is a “social media analysis” program that produced this incident, the U.S. government is paying money to cause U.S. government officials to waste their time on making the United States an unattractive place to visit. That’s a cost-trifecta in the face of essentially zero prospect for any security benefit. I slept no more soundly last night knowing that some Brits were denied a chance to paint the town red in L.A.
In case it needs explaining, “paint the town red” is archaic slang. It does not imply an intention or plan to apply pigments to any building or infrastructure in Los Angeles, whether by brush, roller, or spray can.
Sunlight Before Signing, Year Three
In last night’s State of the Union speech, President Obama called for tax law reforms he says we need. Cato scholars have their doubts about much of what was in the speech, but my interest was piqued by the fact that he said, “Send me these tax reforms, and I will sign them right away.”
You see signing them “right away” would again violate his 2008 campaign promise to post the bills sent him by Congress online for five days before signing them.
That’s a cheeky point, but it is time to focus on campaign promises and their honesty. The beginning of President Obama’s fourth year in office is roughly the beginning of his campaign for another term.
When I first began tracking President Obama’s Sunlight Before Signing promise, I joked with friends that it was career gold because I could write hundreds of blog posts for the next four years without thinking a new thought. Well, it’s not quite that good. This is post thirty-six in the SBS series.
(Each character in that last sentence was a link to a previous post. You can spend a whole day reviewing them!)
Last Thursday, January 19th, was the end of President Obama’s third year, so it’s time to review how he’s been doing with Sunlight Before Signing. It was the president’s first broken promise, and at the mid-point of the term he had popped just above 50% in his compliance.
How has he done in the ensuing year?
Well … meh.
SOPA/PIPA: Harbinger or Aberration?
He’s not unrestrained, but Larry Downes sees the remarkable downfall of legislation to regulate the Internet’s engineering as a harbinger of things to come. Jerry Brito, meanwhile, tells us “Why We Won’t See Many Protests like the SOPA Blackout.”
They’re both right—over different time-horizons. The information environment and economics of political organization today are still quite stacked against public participation in our unwieldy federal government. But in time this will change. Congress and Washington, D.C.’s advocacy and lobbying groups now have some idea what the future will feel like.
The Second-Day Story on U.S. v. Jones
Does a more careful reading of the Supreme Court’s decision in U.S. v. Jones turn up a lurking victory for the government?
Modern media moves so fast that the second-day story happens in the afternoon of the first. The Supreme Court ruled unanimously Monday morning that government agents conduct a Fourth Amendment search when they place a GPS device on a private vehicle and use it to monitor a suspect’s whereabouts for weeks at a time. Monday afternoon, a couple of commentators suggested that the case is less a win than many thought because it didn’t explicitly rule that a warrant is required to attach a GPS device to a vehicle.
Writing on the Volokh Conspiracy blog, George Washington University law professor Orin Kerr noted “What Jones Does Not Hold.”
The Court declined to reach when the installation of the device is reasonable or unreasonable. … So we actually don’t yet know if a warrant is required to install a GPS device; we just know that the installation of the device is a Fourth Amendment “search.”
And over on Scotusblog, Tom Goldstein found that “The Government Fared Much Better Than Everyone Realizes“:
[D]oes the “search” caused by installing a GPS device require a warrant? The answer may be no, given that no member of the Court squarely concludes it does and four members of the Court (those who join the Alito concurrence) do not believe it constitutes a search at all.
So there is a constitutional search when the government attaches a GPS device to a vehicle, but the Court conspicuously declined to say that such a search requires a warrant. Do we have an “a-ha” moment?
U.S. v. Jones: A Big Privacy Win
The Supreme Court has delivered a big win for privacy in U.S. v. Jones. That’s the case in which government agents placed a GPS device on a car and used it to track a person round-the-clock for four weeks. The question before the Court was whether the government may do this in the absence of a valid warrant. All nine justices say No.
That’s big, important news. The Supreme Court will not allow developments in technology to outstrip constitutional protections the way it did in Olmstead.
Olmstead v. United States was a 1928 decision in which the Court held that there was no Fourth Amendment search or seizure involved in wiretapping because law enforcement made “no entry of the houses or offices of the defendants.” It took 39 years for the Court to revisit that restrictive, property-based ruling and find that Fourth Amendment interests exist outside of buildings. “[T]he Fourth Amendment protects people, not places” went the famous line from Katz v. United States (1967), which has been the lodestar ever since.
For its good outcome, though, Katz has not served the Fourth Amendment and privacy very well. The Cato Institute’s brief argued to the Court that the doctrine arising from Katz “is weak as a rule for deciding cases.” As developed since 1967, “the ‘reasonable expectation of privacy’ test reverses the inquiry required by the Fourth Amendment and biases Fourth Amendment doctrine against privacy.”
Without rejecting Katz and reasonable expectations, the Jones majority returned to property rights as a basis for Fourth Amendment protection. “The Government physically occupied private property for the purpose of obtaining information” when it attached a GPS device to a private vehicle and used it to gather information. This was a search that the government could not conduct without a valid warrant.
The property rationale for deciding the case had the support of five justices, led by Justice Scalia. The other four justices would have used “reasonable expectations” to decide the same way, so they concurred in the judgement but not the decision. They found many flaws in the use of property and “18th-century tort law” to decide the case.
Justice Sotomayor was explicit in supporting both rationales for protecting privacy. With Justice Scalia, she argued, “When the Government physically invades personal property to gather information, a search occurs.” This language—more clear, and using the legal term of art “personal property,” which Justica Scalia did not—would seem to encompass objects like cell phones, the crucial tool we use today to collect, maintain, and transport our digital effects. Justice Sotomayor emphasized in her separate concurrence that the majority did not reject Katz and “reasonable expectations” in using property as the grounds for this decision.
Justice Sotomayor also deserves special notice for mentioning the pernicious third-party doctrine. “[I]t may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.” The third-party doctrine cuts against our Fourth Amendment interests in information we share with ISPs, email service providers, financial services providers, and so on. Reconsidering it is very necessary.
Justice Alito’s concurrence is no ringing endorsement of the “reasonable expectation of privacy” test. But he and the justices joining him see many problems with applying Justice Scalia’s property rationale as they interpreted it.
Along with the Scalia-authored Kyllo decision of 2001, Jones is a break from precedent. It may seem like a return to the past, but it is also a return to a foundation on which privacy can be more secure.
More commentary here in the coming days and weeks will explore the case’s meaning more fully. Hopefully, more Supreme Court cases in coming years and decades will clarify and improve Fourth Amendment doctrine.
“You could use it at a specific event. You could use it at a shooting-prone location…”
That’s NYPD Commissioner Ray Kelly touting a new technology called “terahertz imaging detection” to a local news outlet.
Terahertz radiation is electromagnetic waves at the high end of the infrared band, just below the microwave band. The waves can penetrate a wide variety of non-conducting materials, such as clothing, paper, cardboard, wood, masonry, plastic, and ceramics, but they can’t penetrate metal or water. Thus, directing terahertz radiation at a person and capturing the waves that bounce off them can reveal what is under their clothes without the discomfort and danger of going “hands-on” in a search for weapons. Many materials have unique spectral “fingerprints” in the terahertz range, so terahertz imaging can be tuned to reveal only certain materials. (In case you’re wondering, I got this information off the top of my head…)
Will the machines be tuned to display only particular materials? Or will they display images of breasts, buttocks, and crotches? The TSA’s “strip-search machines” got the moniker they have because they did the latter—until the agency tardily re-configured them.
Then there’s the flip-side of not going “hands-on.” Terahertz imaging detection doesn’t natively reveal to the person being searched that law enforcement has picked him or her out for scrutiny. A pat-down certainly lets the individual know he or she is being searched, positioning one to observe and challenge one’s treatment as a suspect. Terahertz imaging lacks this natural—if insufficient—check on abuse.
So terahertz imaging is not just a “hi-tech pat-down.” Its potential takes what would be a pat-down and makes it into a secret, but intimate, visual examination—a surreptitious strip-search. Pat-downs and secret strip-searches are very different things, and it is not necessarily reasonable, where a pat-down might be called for, to use terahertz imaging.
And that brings us to the fundamental problem with Commissioner Kelly’s proffer to use this technology at a “specific event” or at a “shooting-prone location.” These contexts do not create the individualized suspicion that Fourth Amendment law demands when government agents are going to examine intimate details of a person’s body and concealed possessions.
It is certainly possible to devise a terahertz imaging device and a set of use protocols that are constitutional and appropriate for routine, domestic law enforcement, but Commissioner Kelly hasn’t thought of one, and I can’t either.
Consider the dollar costs and potential health effects of terahertz imaging detection, it might just be that the pat-downs pass muster far better than the high-tech gadgetry.
Cato on Facebook
Cato on Twitter
Cato on Google+
Cato on YouTube
