Author Archive
Viral Video Strips Down Strip-Search Machines
The TSA’s response yesterday to a video challenging strip-search machines was so weak that it acts as a virtual confession to the fact that objects can be snuck through them.
In the video, TSA strip-search objector Jonathan Corbett demonstrates how he put containers in his clothes along his sides where they would appear the same as the background in TSA’s displays. TSA doesn’t refute that it can be done or that Corbett did it in his demonstration. More at Wired’s Threat Level blog.
More than six months ago, the D.C. Circuit Court of Appeals required the Transportation Security Administration to commence a rulemaking to justify its strip-search machine/prison-style pat-down policy. TSA has not done so. The result is that the agency still does not have a sturdy security system in place at airports. It’s expensive, inconvenient, error-prone, and privacy-invasive.
Making airline security once again the responsibility of airlines and airports would vastly improve the situation, because these actors are naturally inclined to blend security, cost-control, and convenience with customer service and comforts, including privacy.
I have a slight difference with Corbett’s characterization of the problem. The weakness of body scanners does not put the public at great danger. The chance of anyone exploiting this vulnerability and smuggling a bomb on board a domestic U.S. flight is very low. The problem is that these machines impose huge costs in dollars and privacy that do not foreclose a significant risk any better than the traditional magnetometer.
Corbett is right when he urges people to “demand of your legislators and presidential candidates that they get rid of this eight billion-dollar-a-year waste known as the TSA and privatize airport security.”
The REAL ID Fight Continues in the States
Federal programs almost never die. Bureaucrats and their big-government allies are still trying to cobble together an American national ID.
But leaders in the states continue to fight. In this case, it’s Michigan state representative and House transportation committee chairman Paul Opsommer (R-DeWitt). In response to a recent report citing state compliance with REAL ID “benchmarks,” he’s put out a scathing report that was written up in the River Country (MI) Journal.
“The things we have done in Michigan, like making sure illegal aliens cannot get driver’s licenses, we are doing independently of REAL ID, and we are not interested in allowing the federal government to have permanent control over our licenses,” said Opsommer. “You can bet your bottom dollar that at some point if Obamacare is not repealed that the federal government will adopt new rules in the future requiring the cards’ use for access to healthcare. You can bet they will require it to buy a firearm. You can bet they ultimately want to put RFID chips into all these and share our full data with Canada, Mexico, and beyond. If we don’t repeal Title II of the REAL ID Act, all we are doing is putting off the ‘I told you so’ moment for a few years down the road.”
The tensions that the Framers of the Constitution designed into our governmental structure are doing their work through Rep. Opsommer.
“State documents should be state documents, and federal documents should be federal documents,” he says.
“If the federal government is bent on having a national ID card, they need to get their own house in order and start to make federal passports more secure and more affordable. Quit trying to outsource your own mismanagement of the federal passport system onto the states and let us get onto the business of issuing our own safe and secure sovereign driver’s licenses.”
The bureaucrats will keep at it at least until the Congress defunds REAL ID. But they’ll keep bumping into the likes or Rep. Paul Opsommer.
A ‘Privacy Bill of Rights’: Second Verse, Same as the First
The White House announces a “privacy bill of rights” today. We went over this a year ago, when Senators Kerry (D-MA) and McCain (R-AZ) introduced their “privacy bill of rights.”
The post is called “The ‘Privacy Bill of Rights’ Is in the Bill of Rights,” and its admonitions apply equally well today:
It takes a lot of gall to put the moniker “Privacy Bill of Rights” on legislation that reduces liberty in the information economy while the Fourth Amendment remains tattered and threadbare. Nevermind “reasonable expectations”: the people’s right to be secure against unreasonable searches and seizures is worn down to the nub.
Senators Kerry and McCain [and now the White House] should look into the privacy consequences of the Internal Revenue Code. How is privacy going to fare under Obamacare? How is the Department of Homeland Security doing with its privacy efforts? What is an “administrative search”?
Cybersecurity Hype
The approving response of an IT security professional last week pointed me to a story about cybersecurity in which I’m featured. The story and accompanying video are called: “Is Cyberwar Hype Fuelling a Cybersecurity-Industrial Complex?” It’s a really good look at how government contractors, many former government officials, are working Washington to generate an issue.
How rare is it that a cybersecurity news report includes even a word of doubt about the nature and scope of the threat? How rare is it that any news report includes a word of doubt about the nature and scope of threats?
My correspondent, who works at a public utility in IT security, said some things that are fascinating and important.
We are being asked to do things that have no practical risk reduction value purely for the perceived benefit. It takes no effort to say that the cyber world is about to end yet it takes tremendous effort to continually demonstrate that we are prepared for anything.
In other words, operators of so-called “critical infrastructure” are already wasting effort on things that look like improved security because they’re in the position of proving that nothing could ever go wrong. This is because cybersecurity fear-mongerers are spinning apocalyptic tales. Imagine what it will be like when varied government bureaucracies are calling on the private sector to prove they are implementing endlessly varying, imagination-based federal cybersecurity dictates.
Now, a few caveats are in order: Cybersecurity is a real problem, and there are many challenges presented to all organs of society in securing computers, networks, and data. I’m quoted in the story saying there is “no chance whatsoever” that nuclear power plants and electric infrastructure would be hacked and taken down for any significant period of time. The more accurate phrasing would have been that the chance is “exceedingly small.” The point remains that these problems have nothing of the scale or significance of the war or terrorism (except to the extent that terrorism is also an important but entirely manageable problem).
In the event of some future, modest-consequence event, I fully expect to be called out as having been a Panglossian cybersecurity naysayer. (It’s a tactic one would expect from advocates who misstate basic math to hype threats.) Not so. I expect some bad things to occur. I don’t believe that centralizing our country’s cybersecurity efforts with the federal government would position us better to prevent them or respond to them.
Soviet-Style Cybersecurity Regulation
Reading over the cybersecurity legislative package recently introduced in the Senate is like reading a Soviet planning document. One of its fundamental flaws, if passed, would be its centralizing and deadening effect on society’s responses to the many and varied problems that are poorly captured by the word “cybersecurity.”
But I’m most struck by how, at every turn, this bill strains to release cybersecurity regulators—and their regulated entities—from the bonds of law. The Department of Homeland Security could commandeer private infrastructure into its regulatory regime simply by naming it “covered critical infrastructure.” DHS and a panel of courtesan institutes and councils would develop the regulatory regime outside of ordinary administrative processes. And—worst, perhaps—regulated entities would be insulated from ordinary legal liability if they were in compliance with government dictates. Regulatory compliance could start to usurp protection of the public as a corporate priority.
The bill retains privacy-threatening information-sharing language that I critiqued in no uncertain terms last week (Title VII), though the language has changed. (I have yet to analyze what effect those changes have.)
The news for Kremlin Beltway-watchers, of course, is that the Department of Homeland Security has won the upper-hand in the turf battle. (That’s the upshot of Title III of the bill.) It’s been a clever gambit of Washington’s to make the debate which agency should handle cybersecurity, rather than asking what the government’s role is and what it can actually contribute. Is it a small consolation that it’s a civilian security agency that gets to oversee Internet security for us, and not the military? None-of-the-above would have been the best choice of all.
Ah, but the government has access to secret information that nobody else does, doesn’t it? Don’t be so sure. Secrecy is a claim to authority that I reject. Many swoon to secrecy, assuming the government has 1) special information that is 2) actually helpful. I interpret secrecy as a failure to put facts into evidence. My assumption is the one consistent with accountable government and constitutional liberty. But we’re doing Soviet-style cybersecurity here, so let’s proceed.
Title I is the part of the bill that Sovietizes cybersecurity. It brings a welter of government agencies, boards, and institutes together with private-sector owners of government-deemed “critical infrastructure” to do sector-by-sector “cyber risk assessments” and to produce “cybersecurity performance requirements.” Companies would be penalized if they failed to certify to the government annually that they have “developed and effectively implemented security measures sufficient to satisfy the risk-based security performance requirements.” Twenty-first century paperwork violations. But in exchange, critical infrastructure owners would be insulated from liability (sec. 105(e))—a neat corporatist trade-off.
Should a Congress that Doesn’t Understand Math Regulate Cybersecurity?
There’s a delicious irony in some of the testimony on cybersecurity that the Senate Homeland Security and Governmental Affairs Committee will hear today (starting at 2:30 Eastern — it’s unclear from the hearing’s page whether it will be live-streamed). Former National Security Agency general counsel Stewart Baker flubs a basic mathematical concept.
If Congress credits his testimony, is it really equipped to regulate the Internet in the name of “cybersecurity”?
Baker’s written testimony (not yet posted) says, stirringly, “Our vulnerabilities, and their consequences, are growing at an exponential rate.” He’s stirring cake batter, though. Here’s why.
Exponential growth occurs when the growth rate of the value of a mathematical function is proportional to the function’s current value. It’s nicely illustrated with rabbits. If in week one you have two rabbits, and in week two you have four, you can expect eight rabbits in week three and sixteen in week four. That’s exponential growth. The number of rabbits each week dictates the number of rabbits the following week. By the end of the year, the earth will be covered in rabbits. (The Internet provides us an exponents calculator, you see. Try calculating 2^52.)
The vulnerabilities of computers, networks, and data may be growing. But such vulnerabilities are not a function of the number of transistors that can be placed on an integrated circuit. Baker is riffing on Moore’s Law, which describes long-term exponential growth in computing power.
The Government’s Surveillance-Security Fantasies
If two data points are enough to draw a trend line, the trend I’ve spotted is government seeking to use data mining where it doesn’t work.
A comment in the Chronicle of Higher Education recently argued that universities should start mining data about student behavior in order to thwart incipient on-campus violence.
Existing technology … offers universities an opportunity to gaze into their own crystal balls in an effort to prevent large-scale acts of violence on campus. To that end, universities must be prepared to use data mining to identify and mitigate the potential for tragedy.
No, it doesn’t. And no, they shouldn’t.
Jeff Jonas and I wrote in our 2006 Cato Policy Analysis, “Effective Counterterrorism and the Limited Role of Predictive Data Mining,” that data mining doesn’t have the capacity to predict rare events like terrorism or school shootings. The precursors of such events are not consistent the way, say, credit card fraud is.
Data mining for campus violence would produce many false leads while missing real events. The costs in dollars and privacy would not be rewarded by gains in security and safety.
The same is true of foreign uprisings. They have gross commonality—people rising up against their governments—but there will be no pattern in data from past events in, say, Egypt, that would predict how events will unfold in, say, China.
But an AP story on Military.com reports that various U.S. security and law enforcement agencies want to mine publicly available social media for evidence of forthcoming terror attacks and uprisings. The story is called “US Seeks to Mine Social Media to Predict Future.”
Gathering together social media content has privacy costs, even if each bit of data was released publicly online. And it certainly has dollar costs that could be quite substantial. But the benefits would be slim indeed.
I’m with the critics who worry about overreliance on technology rather than trained and experienced human analysts. Is it too much to think that the U.S. might have to respond to events carefully and thoughtfully as they unfold? People with cultural, historical, and linguistic knowledge seem far better suited to predicting and responding to events in their regions of focus than any algorithm.
There’s a dream, I suppose, that data mining can eliminate risk or make the future knowable. It can’t, and—the future is knowable in one sense—it won’t.
Silicon Valley Doesn’t Care About Privacy, Security
That’s the buzz in the face of the revelation that a mobile social network called Path was copying address book information from users’ iPhones without notifying them. Path’s voluble CEO David Morin dismissed this as a problem until, as Nick Bilton put it on the New York Times‘ Bits blog, he “became uncharacteristically quiet as the Internet disagreed and erupted in outrage.”
After Morin belatedly apologized and promised to destroy the wrongly gotten data, some of Silicon Valley’s heavyweights closed ranks around him. This raises the question whether “the management philosophy of ‘ask for forgiveness, not permission’ is becoming the ‘industry best practice’” in Silicon Valley.
Since the first big privacy firestorm (which I put in 1999, with DoubleClick/Abacus), cultural differences have been at the core of these controversies. The people inside the offending companies are utterly focused on the amazing things they plan to do with consumer data. In relation to their astoundingly (ahem) path-breaking plans, they can’t see how anyone could object. They’re wrong, of course, and when they meet sufficient resistance, they and their peers have to adjust to the reality that people don’t see the value they believe they’ll provide nor do people consent to the uses of data they’re making.
This conversation—the push and pull between innovative-excessive companies and a more reticent public made up of engineers, advocates, and ordinary people—is where the privacy policies of the future are being set. When we see legislation proposed in Congress and enforcement action from the FTC, these things are whitecaps on much more substantial waves of societal development.
An interesting contrast is the (ahem) innovative lawsuit that the Electronic Privacy Information Center filed against the Federal Trade Commission last week. EPIC is asking the court to compel the FTC to act against Google, which recently changed and streamlined its privacy policies. EPIC is unlikely to prevail—the court will be loathe to deprive the agency of discretion this way—but EPIC is working very hard to make Washington, D.C. the center of society when it comes to privacy and related values.
Washington, D.C. has no capacity to tune the balances between privacy and other values. And Silicon Valley is not a sentient being. (Heck, it’s not even a valley!) If a certain disregard for privacy and data security has developed among innovators over-excited about their plans for the digital world, that’s wrong. If a company misusing data has harmed consumers, it should pay to make those consumers whole. Path is, of course, paying various reputation costs for getting it crosswise to consumer sentiment.
And that’s the right thing. The company should answer to the community (and no other authority). This conversation is the corrective.
The Senate’s SOPA Counterattack?: Cybersecurity the Undoing of Privacy
The Daily Caller reports that Senator Harry Reid (D-NV) is planning another effort at Internet regulation—right on the heels of the SOPA/PIPA debacle. The article seems calculated to insinuate that a follow-on to SOPA/PIPA might slip into cybersecurity legislation the Senate plans to take up. Whether that’s in the works or not, I’ll detail here the privacy threats in cybersecurity language being circulated on the Hill.
A Senate draft currently making the rounds is called the “Cybersecurity Information Sharing Act of 2012.” It sets up “cybersecurity exchanges” at which government and corporate entities would share threat information and solutions.
Sharing of information does not require federal approval or planning, of course. Information sharing happens all the time according to market processes. But “information sharing” is the solution Congress has seized upon, so federal information sharing programs we will have. Think of all this as a “see something, say something” campaign for corporate computer security people. Or perhaps “e-fusion centers.”
Reading over the draft, I was struck by sweeping language purporting to create “affirmative authority to monitor and defend against cybersecurity threats.” To understand the strangeness of these words, we must start at the beginning:
No Budget in 1,000 Days? No Budget Ever!
Around the time of President Obama’s State of the Union speech two weeks ago, Republicans and their allies came out arguing that the Democratic Senate hadn’t produced a budget in 1,000 days. Senate Budget Committee chairman Kent Conrad (D-ND) disputes the charge.
Is it true? The new budget season started Monday, so it’s a great time to examine that question.
Budget season really did start Monday. The Congressional Budget Act has a timetable in it (at section 300) that says the president submits his budget on or before the first Monday in February. We’re underway!
But I hope you weren’t holding your breath waiting to get a glimpse of the president’s budget. The White House has kicked back its release by a week—an unfortunate symbol of how both ends of Pennsylvania Avenue flout budget processes in ways large and small.
Now to the question: When was the last Senate budget?
Let’s start with a preliminary question: What is a “budget”?
Cardless National ID and the E-Verify Rebellion
New Hampshire was the state where the “REAL ID rebellion” got its start. There, in 2006, Rep. Neal Kurk (R-Weare) took to the floor of the New Hampshire House to talk about his principled opposition to the federal national ID law.
In stirring words, Kurk urged his colleagues to overturn a committee recommendation that no action should be taken on his bill to have New Hampshire reject REAL ID. The House went on to pass his bill and half the states in the nation soon followed suit.
Now a bill pending in the New Hampshire House responds to a more insidious version of the federal government’s national ID plans: E-Verify.
E-Verify is a federal background check system that its proponents intend to be used on every person seeking work in the United States. Once in place, E-Verify would expand to new uses, giving the federal government direct regulatory control of all Americans’ lives through control of proof of identity. It’s being fitted to operate using only databases, so I’ve been referring to it as a “cardless national ID.”
New Hampshire Rep. Seth Cohn (R-Merrimack 6) has introduced a bill to prevent his state from contributing New Hampshirites’ personal data to the E-Verify system. HB 1549 would not only prohibit the state from allowing citizens’ personal data to be used in E-Verify. It would prohibit the state from requiring employers to participate in the E-Verify system.
It’s an appropriate response to the Department of Homeland Security’s latest move. You see, a branch of E-Verify is called the “RIDE” program. That stands for “Records and Information from Department of Motor Vehicles for E-Verify” (Yeah, it’s a stretch…) Basically, RIDE is the conduit through which the states are going to start passing data to the federal government, weaving together that national ID outside of the REAL ID Act.
In their desire to bring illegal immigration under control, a lot of people have convinced themselves over many years that growing the federal government and conscripting businesses into “internal enforcement” of immigration law was the way to go. Unfortunately, that route costs a lot of money, it bloats the federal government, and it requires a national ID system, which is a threat to liberty that Americans reject. My paper, “Franz Kafka’s Solution to Illegal Immigration,” goes through many of the details.
Is this the beginning of the E-Verify rebellion? It’s a welcome addition to the national debate from the “Live Free or Die” state.
Photo ID Laws Mean Some Won’t Vote
Because all of us are with ourselves all day every day, we naturally tend to think that our own lives are pretty standard fare. But that’s just not so in a country of 300+ million people ranging over a vast expanse. So I found worthwhile this NPR story on people who don’t have IDs, people who face difficulty with laws requiring IDs to vote. Not everyone trundles down to the DMV and plunks down money and paperwork for an ID whenever they please.
The voter ID issue is a hot one. Some are strongly committed to the idea that identification requirements are needed to suppress voter fraud. There isn’t much evidence of that problem, and to worry about impersonation fraud at polling places, one has to put aside absentee ballot fraud, which is probably much easier, as well as election fraud—rigged vote counts, for example—which is much more efficient.
States should tinker with their voting rules and processes, each seeking for itself the methods that optimally secure elections while facilitating voting. It’s a big country, and different states may require different rules. My emphasis has always been on avoiding a national voter ID system, which would inevitably be a national ID system, paving the way for greater federal control of individuals’ lives.
Cato on Facebook
Cato on Twitter
Cato on Google+
Cato on YouTube
