Author Archive

The TSA Won’t Be Reformed

Why is it that the head of the Transportation Security Administration comes out with his ideas for reform three years after leaving office? Is it the book he’s got coming out next week? That’s part of it. But he supplies the real answer: “TSA’s bureaucratic momentum and political pressures.”

It’s possible to imagine an agency that isn’t directed by bureaucratic momentum and political pressures, but it isn’t possible to produce one. The litany of nonsensical procedures, indignities, and privacy invasions at the airport will not go away until the TSA does.

From Cybercrime Statistics to Cyberspying

Someone finally decided to examine “cybercrime” statistics, and here’s what they found:

The cybercrime surveys we have examined exhibit [a] pattern of enormous, unverified outliers dominating the data. In some, 90 percent of the estimate appears to come from the answers of one or two individuals. In a 2006 survey of identity theft by the Federal Trade Commission, two respondents gave answers that would have added $37 billion to the estimate, dwarfing that of all other respondents combined. This is not simply a failure to achieve perfection or a matter of a few percentage points; it is the rule, rather than the exception. Among dozens of surveys, from security vendors, industry analysts and government agencies, we have not found one that appears free of this upward bias.

That’s Dinei Florêncio and Cormac Herley of Microsoft Research in a New York Times piece entitled: “The Cybercrime Wave That Wasn’t.”

You see, cybercrime statistics have been generated using surveys of individuals and businesses, but you can’t generate valid numerical results that way. An opinion poll’s errors will naturally cancel out—there are a roughly equal number of wrongly stated “thumbs-up”s and “thumbs-down”s.

When you ask people to estimate losses, though, they can never estimate less than zero, so errors will always push results to the high side. High-side errors extrapolated society-wide drive the perception that cybercrime is out of control.

There are more drivers of excess insecurity than just bad loss estimates. There are also data breach notification laws, which require data holders to report various kinds of personal data spillage. These reports are the high-tech, grown-up version of a favorite schoolyard taunt: “Your epidermis is showing!” Epidermis is, of course, a scientific name for skin. It often doesn’t matter that one’s epidermis is showing. The questions are: What part of the epidermis? And what social or economic consequences does it have?

Most breached data is put to no use whatsoever. A 2005 study of data breaches found the highest fraudulent misuse rate for all breaches under examination to be 0.098 percent—less than one in 1,000 identities. (The Government Accountability Office concurs that misuse of breached data is rare.) Larger breaches tend to have lower misuse rates, which makes popular reporting on gross numbers of personal data breaches misleading. Identity frauds are limited by the time and difficulty of executing them, not by access to data.

Why does excess cyber-insecurity matter? Doesn’t it beneficially drive companies to adopt better security practices for personal data?

It undoubtedly does, but security is not costless, and money driven to data security measures comes from other uses that might do more to make consumers better off. More importantly, though, data breach agitation and distended crime statistics have joined with other cybersecurity hype to generate a commitment in Congress to pass cybersecurity legislation.

Cybersecurity bills pending in both the House and Senate could have gruesome consequences for privacy because of “information sharing” provisions that immunize companies sharing data with the government for cybersecurity purposes. The potential for a huge, lawless cyberspying operation is significant if anyone can feed data to the government free of liability, including the privacy protections in property law, torts, and contract. Congress would not improve things by regulating in the name of cybersecurity, and it just might make things a lot worse.

It is ironic that overwrought claims about cybercrime and data breach could be privacy’s undoing, but they just might.

Democracy EXPOSED!

I found a release put out by the American Legislative Exchange Council today a little too meek. So let’s talk about the debate around ALEC, a group I’ve been involved with as a volunteer advisor since before I joined Cato. (The Communications and Technology Task Force used to be called “Telecommunications and Information Technology,” but that didn’t work well in our acronym-happy world.) ALEC is under siege because of alleged ties between its backing of “Stand Your Ground” laws and the Trayvon Martin case, in which a young black man was killed by a neighborhood watch officer of…uncertain ethnic background.

Tim Lynch and Walter Olson have made us aware that the Martin tragedy does not actually implicate Stand Your Ground. Tim has also made us aware of a case in which Stand Your Ground is implicated, that of an elderly Detroit man who shot and killed an 18-year-old entering his home armed with a handgun at 1:30 a.m.

There’s no question, as Tim said, that Zimmerman’s taking of Trayvon Martin’s life warrants intense scrutiny. (The very latest: Prosecutors intend to charge Zimmerman.) While that plays out, Cato will address self-defense law and gun rights at an event entitled “‘Stand Your Ground’ Laws: Self-Defense or License to Kill?” on April 23rd, which I encourage you to attend or watch.

But ALEC is an odd target for scrutiny of the quality it’s getting. ALEC describes itself as dedicated to “the Jeffersonian principles of free markets, limited government, federalism, and individual liberty.” Toward this end it “enlist[s] state legislators from all parties and members of the private sector who share ALEC’s mission.”

Anti-ALEC site ALECExposed.org characterizes things differently:

Will Pennsylvania Join the REAL ID Rebellion?

Since Congress passed a national ID law called the REAL ID Act in 2005, states have been registering their objections. The law tries to coerce states into implementing the feds’ national ID and would have them issue uniform drivers’ licenses and put drivers’ personal information into a federal data exchange. By 2009, fully half the states had barred themselves from implementing REAL ID or passed resolutions denouncing the law.

The states continue to play their constitutional role in counterbalancing federal overreach. I noted a few weeks ago how New Hampshire is resisting E-Verify, the federal background check system. But—as I also recently wrote—federal “bureaucrats and big-governmenters” are working to revive their national ID.

Pennsylvania may soon join the REAL ID rebellion. The legislature there has sent Governor Tom Corbett (R) a bill to opt the state out of REAL ID’s national ID system.

As we often see, though, there is confusion about the relevance of IDs and a national ID to national security. In the story linked above, state representative Greg Vitali (D) is cited saying that the 9-11 hijackers were carrying multiple phony drivers’ licenses. “And I’m just concerned with regard to the message that we send by backing away from more secure IDs,” he says.

Representative Vitali is mistaken on the facts. The 9/11 hijackers did not have false identification documents. The 9/11 Commission report said: “All but one of the 9/11 hijackers acquired some form of U.S. identification document, some by fraud.” Those “frauds” were things like fibbing about the length of their residency in Virginia, not their names.

The security issues are complicated. I dealt with them in my book, Identity Crisis: How Identification is Overused and Misunderstood. But here’s what it boils down to: Had REAL ID been the law prior to 9/11 and operating perfectly—100% compliance, no corruption at DMVs, and no forgery of breeder documents or licenses—that might have required the 9/11 attackers to keep their visas current. That’s the extent of its security value.

How many hundreds of millions of taxpayer dollars should we spend, how much of Americans’ privacy should we give up, and how much power should we transfer to the federal government when the only benefit is to mildly inconvenience some future attacker?

Many of the threats we imagined in the years after 9/11 were not real. Sleeper cells? Osama bin Laden sleeps with the fishes.

Terrorism didn’t get its start on 9/11, and it will never be non-existent. But our strong nation can celebrate its victory over terrorism by deep-sixing the national ID card. That’s the “message” that would come from defeating the federal government’s national ID law.

The Census’ Broken Privacy Promise

When the 1940 census was collected, the public was reassured that the information it gathered would be kept private. “No one has access to your census record except you,” the public was told. President Franklin Roosevelt said: “There need be no fear that any disclosure will be made regarding any individual or his affairs.”

Apparently the limits of what the government can do with census information have their limits. Today the 1940 census goes online.

When the Census Bureau transferred the data to the National Archives, it agreed to the release of the data 72 years after its collection. So much for those privacy promises.

Adam Marcus of Tech Freedom writes on C|Net:

Eighty-seven percent of Americans can find a direct family link to one or more of the 132+ million people listed on those rolls. The 1940 census included 65 questions, with an additional 16 questions asked of a random 5 percent sample of people. You can find out what your father did, how much he made, or if he was on the dole. You may be able to find out if your mother had an illegitimate child before she married your father.

To be sure, this data will open a fascinating trove for researchers into life 70 years ago. But the Federal Trade Commission would not recognize a “fascinating trove” exception if a private company were to release data it had collected under promises of confidentiality.

Government officials endlessly point the finger at the private sector for being a privacy scourge. Senator Al Franken did in a speech to the American Bar Association last week (text; Fisking). He’s the chairman of a Senate subcommittee dedicated to examining the defects in private sector information practices. Meanwhile, the federal government is building a massive data and analysis center to warehouse information hoovered from our private communications, and the Obama Administration recently extended to five years the amount of time it can retain private information about Americans under no suspicion of ties to terrorism.

Marcus has the bare minimum lesson to take from this episode: “Remember this in 2020.”

Supreme Court: No Privacy Act Liability for Mental and Emotional Distress

Back in July of last year, I wrote about a case in the Supreme Court called FAA v. Cooper. In that Privacy Act case, a victim of a government privacy invasion had alleged “actual damages” based on evidence of mental and emotional distress.

Cooper, a recreational pilot who was HIV-positive, had chosen to conceal his health status generally, but revealed it to the Social Security Administration for the purposes of pursuing disability payments. When the SSA revealed that he was HIV-positive to the Department of Transportation, which was investigating pilots’ licenses in the hands of the medically unfit, the SSA violated the Privacy Act. Cooper claimed that he suffered mental and emotional distress at learning of the disclosure of his health status and inferentially his sexual orientation, which he had kept private.

The question before the Court was whether the Privacy Act’s grant of compensation for “actual damages” included damages for mental and emotional distress. This week the Court held … distressingly … [sorry, I had to] … NO. Under the doctrine of sovereign immunity, the Privacy Act has to be explicit about providing compensation for mental and emotional distress. Justice Alito wrote for a Court divided 5-3 along traditional ideological lines (Justice Kagan not participating).

The decision itself is a nice example of two sides contesting how statutory language should be interpreted. My preference would have been for the Court to hold that the Privacy Act recognizes mental and emotional distress. After all, a privacy violation is the loss of confident control over information, which, depending on the sensitivity and circumstances, can be very concerning and even devastating.

The existence of harm is a big elephant in the privacy room. Many advocates seem to be trying to lower the bar in terms of what constitutes harm, arguing that the creation of a risk is a harm or that worrisome information practices are harmful. But I think harm rises above doing things someone might find “worrisome.” Harm may occur, as in this case, when one’s (hidden) HIV status and thus sexual orientation is revealed. Harm has occurred when one records and uploads to the Internet another’s sexual activity. But I don’t think it’s harmful if a web site or ad network gathers from your web surfing that you’ve got an interest in outdoor sports.

The upshot of Cooper is this: Congress can and should amend the Privacy Act so that the damages it must compensate when it has harmed someone include real and proven mental and emotional distress.

Biometrics—and the Curious Relevance of Occupational Licensing

Yesterday, I testified (by remote communications) in the Alaska House of Representatives’ Health and Social Services Committee, which is considering a bill to heavily regulate the collection and use of biometrics. The bill is inspired by a man who was denied entry into the CPA exam when he refused to have his fingerprints scanned for that purpose. You can read more about his campaign at the PrivacyNOWalaska.org site.

I’m entirely sympathetic to his concerns about potential overcollection of biometrics in digital form, and what may happen to biometric data after it is collected. As I said in my testimony, “a digital record of a biometric can be stored indefinitely, copied an infinite number of times, and transmitted around the globe at the speed of light. This creates security and privacy concerns cutting against the use of machine-biometrics.” On the other hand, the CPA exam apparently has a problem with imposter fraud and faux test-takers who go simply to memorize questions and sell them on a test-prep black market.

Unfortunately, the bill is not calibrated to balance the competing interests at stake. It would create a “notice and consent” regime for biometrics collection, an idea that has failed to produce privacy protection in other areas. It would require massive and expensive re-tooling of data systems to provide consumers a right to amend or revoke their permission to use biometrics or order destruction of biometric data. And it would flatly outlaw marketing that uses biometric information—not just the stuff we learned to be spooked about in the film Minority Report, but knowingly agreed-to tailoring of discounts at the grocery store if we used a biometrically-secured payment system, for example.

I urged the Alaska legislators to ensure that biometrics collectors account for and prevent potential harm to Alaskans when they design and use their systems, but not to constrain biometrics so much that their security benefits never materialize.

There are a number of things Alaska and other states could do to help society calibrate the use of biometrics. They could ensure that biometrics collectors are liable and subject to jurisdiction in the state of collection when contract violations and harms arise from the use or misuse of biometric data.

Alaska could also establish that there is no “third-party doctrine” under its state constitution. A person sharing data under contractual or regulatory protections should maintain his or her search-and-seizure rights in that data. The government should not be able to access such data—though shared—without proper suspicion, warrants, and subpoenas.

Alaska has rejected the REAL ID Act, and it could do more to prevent the emergence of national identity systems by rejecting any E-Verify mandate. I encouraged the Alaskans to follow the lead of New Hampshire and bar state identity data from being shared with any national ID system.

The root of the problem in Alaska, though, may be the accountancy cartel. This is an area I know precious little about, but it appears that you must take the CPA exam to act as an accountant in the state. This positions the administrators of the CPA exam to make unreasonable, privacy-invasive demands for biometric data on a take-it-or-leave-it basis.

Oh what a tangled web we weave, when first we practise to … restrict the right to earn a living!

My testimony starts with a primer on biometrics. We have much to learn yet about biometric technologies, their uses, and their consequences. Banning them would deny the public many benefits. Using them promiscuously would have many costs.

Bureaucrats and Big-Governmenters Work to Revive Their National ID

There are some rich ironies in a recent Stewart Baker blog post touting the slow crawl toward REAL ID compliance he believes states are making. One of the choicest is that his cheerleading for a national ID appears under a Hoover Institution banner that says “ADVANCING A FREE SOCIETY.”

No, having a national ID would not advance a free society. You could say “ADVANCING A SECURE SOCIETY” but even then you’d be overstating the case. A national ID would reduce the security of individuals massively in the aggregate in exchange for modest and arguable state security gains.

Speaking of which, Baker posts a picture of Mohammed Atta’s Florida driver’s license in his post. The implication is that having a national ID would have prevented the 9/11 attacks. In fact, having a national ID would have caused a mild inconvenience to the 9/11 attackers. Billions of dollars spent, massive aggregate inconvenience to law-abiding American citizens, and a much-more-powerful federal government so that terrorists could be mildly inconvenienced?

One of the greatest ironies is that Baker doesn’t—as he never has—take on the merits of how and how well a national ID would advance security goals. But the merits don’t matter. Baker’s post provides a nice reminder that the bureaucrats will use their big-government allies to restart their moribund national ID plans if they can. Despite massive public opposition to REAL ID, they’ll try to build it anyway.

An anti-immigration group recently issued a report saying that states are getting on board with REAL ID. (They’re meeting massively reduced REAL ID “milestones” coincidentally, not to meet federal demands.) National ID advocate Jim Sensenbrenner (R-WI) put on a lop-sided show-hearing in the House Judiciary Committee last week, hoping to prop up REAL ID’s decaying body.

As if anyone would believe it, a DHS official said at the hearing that the January 2013 deadline for state compliance would not be extended. Book your tickets now, because there won’t be a damn thing different at the airport come January. The Department of Homeland Security hasn’t stood by any of its deadlines for REAL ID compliance. If it did, by refusing IDs from non-compliant states at the airport, the public outcry would be so large that REAL ID would be repealed within the week.

REAL ID will never be implemented. That doesn’t stop the federal government from spending money on it, so the bureaucrats keep trying to corral you into their national ID. They get occasional help, and sometimes it even travels under the false flag of “ADVANCING A FREE SOCIETY.”

FTC Issues Groundhog Report on Privacy

The Federal Trade Commission issued a report today calling on companies “to adopt best privacy practices.” In related news, most people support airline safety… The report also “recommends that Congress consider enacting general privacy legislation, data security and breach notification legislation, and data broker legislation.”

This is regulatory cheerleading of the same kind our government’s all-purpose trade regulator put out a dozen years ago. In May of 2000, the FTC issued a report finding “that legislation is necessary to ensure further implementation of fair information practices online” and recommending a framework for such legislation. Congress did not act on that, and things are humming along today without top-down regulation of information practices on the Internet.

By “humming along,” I don’t mean that all privacy problems have been solved. (And they certainly wouldn’t have been solved if Congress had passed a law saying they should be.) “Humming along” means that ongoing push-and-pull among companies and consumers is defining the information practices that best serve consumers in all their needs, including privacy.

Congress won’t be enacting legislation this year, and there doesn’t seem to be any groundswell for new regulation in the next Congress, though President Obama’s reelection would leave him unencumbered by future elections and so inclined to indulge the pro-regulatory fantasies of his supporters.

The folks who want regulation of the Internet in the name of privacy should explain how they will do better than Congress did with credit reporting. In forty years of regulating credit bureaus, Congress has not come up with a system that satisfies consumer advocates’ demands. I detail that government failure in my recent Cato Policy Analysis, “Reputation under Regulation: The Fair Credit Reporting Act at 40 and Lessons for the Internet Privacy Debate.”

Sweet Repeal

Look at this legislative language. It’s the stuff of beauty:

(a) In general.—The following sections of the Communications Act of 1934 (47 U.S.C. 151 et seq.) are hereby repealed:

(1) Section 339 (47 U.S.C. 339).

(2) Section 340 (47 U.S.C. 340).

(3) Section 341 (47 U.S.C. 341).

(4) Section 342 (47 U.S.C. 342).

(5) Section 612 (47 U.S.C. 532).

(6) Section 614 (47 U.S.C. 534).

(7) Section 712 (47 U.S.C. 612).

And there’s more.

It’s from H.R. 3675, The Next Generation Television Marketplace Act, introduced by Rep. Steve Scalise (R-LA), and its Senate counterpart, S. 2008, from Sen. Jim DeMint (R-SC).

Cato alum Adam Thierer’s recent Forbes column has the low-down:

There’s a common myth heard frequently in communications policy circles that America’s video marketplace was largely deregulated in the 1980s and ’90s, and that we now have a free market nirvana. Nothing could be further from the truth. When it comes to television programming, many layers of red tape still encumber this sector and prevent a truly free market in video programming from developing.

Adam goes on to discuss all the ways that players in this marketplace are working to maintain the advantages they see coming from regulation. It’s a gruesome pile-up of rent-seeking that the Scalise-DeMint bill is trying to clear up.

It sure is cool to see a bill that repeals existing regulations, for a change. Ten or fifteen thousand more like this would be a good start.

The Country’s Biggest Spy Center

Under insufficiently sharp questioning, the head of the National Security Agency, Keith Alexander, has denied the substance of a Wired report on the agency’s massive new computer facility and the capabilities the government has to monitor our communications—even heavily encrypted communications.

If you want a sense of how Congress, still panicked by 9/11, has abdicated its responsibilities and permitted the construction of a “turnkey totalitarian state,” read the whole thing.

National Surveillance Programs and Their State Impediments

Having originally come to Washington to defend federalism, I am always delighted to see the division of powers among the states and the federal government have its proper effect: to protect liberty and limited government.

As with REAL ID, the E-Verify federal background check system is meeting up with state resistance. The Republican Liberty Caucus of New Hampshire reported yesterday:

This afternoon, the House passed HB 1549, which would prohibit the state’s participation in the E-Verify system, with a nearly unanimous voice vote. The House also killed HB 1492, which would require employers to verify an employee’s eligibility to work in the United States using the E-Verify System, with a 226-59 vote.

E-Verify is essentially a national identification system that requires employers to verify all job applicants’ citizenship in a national database system before they can employ them. If the state agreed to participate, all citizens would have to be listed in this national database as a U.S. citizen in order to get a job.

You want to fix immigration, feds? You do it without putting American citizens into a national ID system. Good message.

Here’s the clear language of HB 1549, which the New Hampshire House has approved to govern release of motor vehicle records. It embraces legitimate law enforcement while rejecting national identification schemes.

III. Motor vehicle records may be made available pursuant to a court order or in response to a request from a state, a political subdivision of a state, the federal government, or a law enforcement agency for use in official business. The request shall be on a case-by-case basis. Any records received pursuant to this paragraph shall not be further transferred or otherwise made available to any other person or listed entity not authorized under this paragraph. No records made available under this section shall be used, directly or indirectly, for any federal identification database. (New language in bold.)

To learn more about E-Verify and its role as a nascent national identification scheme, read my Cato Policy Analysis: “Electronic Employment Eligibility Verification: Franz Kafka’s Solution to Illegal Immigration.”