Archive for the ‘Telecom, Internet & Information Policy’ Category
The Senate’s SOPA Counterattack?: Cybersecurity the Undoing of Privacy
The Daily Caller reports that Senator Harry Reid (D-NV) is planning another effort at Internet regulation—right on the heels of the SOPA/PIPA debacle. The article seems calculated to insinuate that a follow-on to SOPA/PIPA might slip into cybersecurity legislation the Senate plans to take up. Whether that’s in the works or not, I’ll detail here the privacy threats in cybersecurity language being circulated on the Hill.
A Senate draft currently making the rounds is called the “Cybersecurity Information Sharing Act of 2012.” It sets up “cybersecurity exchanges” at which government and corporate entities would share threat information and solutions.
Sharing of information does not require federal approval or planning, of course. Information sharing happens all the time according to market processes. But “information sharing” is the solution Congress has seized upon, so federal information sharing programs we will have. Think of all this as a “see something, say something” campaign for corporate computer security people. Or perhaps “e-fusion centers.”
Reading over the draft, I was struck by sweeping language purporting to create “affirmative authority to monitor and defend against cybersecurity threats.” To understand the strangeness of these words, we must start at the beginning:
Cardless National ID and the E-Verify Rebellion
New Hampshire was the state where the “REAL ID rebellion” got its start. There, in 2006, Rep. Neal Kurk (R-Weare) took to the floor of the New Hampshire House to talk about his principled opposition to the federal national ID law.
In stirring words, Kurk urged his colleagues to overturn a committee recommendation that no action should be taken on his bill to have New Hampshire reject REAL ID. The House went on to pass his bill and half the states in the nation soon followed suit.
Now a bill pending in the New Hampshire House responds to a more insidious version of the federal government’s national ID plans: E-Verify.
E-Verify is a federal background check system that its proponents intend to be used on every person seeking work in the United States. Once in place, E-Verify would expand to new uses, giving the federal government direct regulatory control of all Americans’ lives through control of proof of identity. It’s being fitted to operate using only databases, so I’ve been referring to it as a “cardless national ID.”
New Hampshire Rep. Seth Cohn (R-Merrimack 6) has introduced a bill to prevent his state from contributing New Hampshirites personal data to the E-Verify system. HB 1549 would not only prohibit the state from allowing citizens’ personal data to be used in E-Verify. It would prohibit the state from requiring employers to participate in the E-Verify system.
It’s an appropriate response to the Department of Homeland Security’s latest move. You see, a branch of E-Verify is called the “RIDE” program. That stands for “Records and Information from Department of Motor Vehicles for E-Verify” (Yeah, it’s a stretch…) Basically, RIDE is the conduit through which the states are going to start passing data to the federal government, weaving together that national ID outside of the REAL ID Act.
In their desire to bring illegal immigration under control, a lot of people have convinced themselves over many years that growing the federal government and conscripting businesses into “internal enforcement” of immigration law was the way to go. Unfortunately, that route costs a lot of money, it bloats the federal government, and it requires a national ID system, which is a threat to liberty that Americans reject. My paper, “Franz Kafka’s Solution to Illegal Immigration,” goes through many of the details.
Is this the beginning of the E-Verify rebellion? It’s a welcome addition to the national debate from the “Live Free or Die” state.
Photo ID Laws Mean Some Won’t Vote
Because all of us are with ourselves all day every day, we naturally tend to think that our own lives are pretty standard fare. But that’s just not so in a country of 300+ million people ranging over a vast expanse. So I found worthwhile this NPR story on people who don’t have IDs, people who face difficulty with laws requiring IDs to vote. Not everyone trundles down to the DMV and plunks down money and paperwork for an ID whenever they please.
The voter ID issue is a hot one. Some are strongly committed to the idea that identification requirements are needed to suppress voter fraud. There isn’t much evidence of that problem, and to worry about impersonation fraud at polling places, one has to put aside absentee ballot fraud, which is probably much easier, as well as election fraud—rigged vote counts, for example—which is much more efficient.
States should tinker with their voting rules and processes, each seeking for itself the methods that optimally secure elections while facilitating voting. It’s a big country, and different states may require different rules. My emphasis has always been on avoiding a national voter ID system, which would inevitably be a national ID system, paving the way for greater federal control of individuals’ lives.
Kashmir Hill Has It Right…
…on the Google privacy policy change.
The idea that people should be able to opt out of a company’s privacy policy strikes me as ludicrous.
Plus she embeds a valuable discussion among her Xtranormal friends. Highlight:
“Well, members of Congress don’t send angry letters about privacy issues very often.”
“Oh, well, actually, they do.”
Read the whole thing. Watch the whole thing. And, if you actually care, take some initiative to protect your privacy from Google, a thing you are well-empowered to do by the browser and computer you are using to view this post.
Helping the House Advance Data Transparency
The House of Representatives is poised to make great strides forward in transparency, and our work over the last year aims to help them do that. Here’s how this spreadsheet (.xls) will do that.
In December, the House Administration Committee announced a plan to improve the publication of House documents. In January, a new site—docs.house.gov—went live. (It’s attractive looking, but still bare-bones.) On Thursday this week, the Committee is hosting a “Legislative Data and Transparency Conference” to examine what data is out there and what data should be out there. Little information is on the Web yet, but you can sign up to attend at the link just above.
I’ll be speaking on the last panel of the day, which deals with measuring transparency success. Likely, they chose me for this panel because I’ve already been grading the government on its publication practices.
Last September, you see, we graded Congress on how well it publishes data that would assist the public in computer-aided oversight. The summary blog post is called “Needs Improvement.” And then in December, we graded the government on publication of budget, appropriations, and spending data. That’s a joint legislative-executive responsibility, but mostly executive. The message was: “‘Needs Improvement’ is Understatement.”
How do you grade Congress and the government on their data publication?
You start out by modeling the data government should publish. We put together a data model for legislative process, for example, and then a data model for budgeting, appropriating, and spending. We got a great deal of help from folks at the Sunlight Foundation, OMB Watch, and others such as the National Priorities Project, as well as data guru Josh Tauberer, whose latest project is PopVox.
Even with all this help, these models won’t be the last word—there is much to learn yet about the data structure that will serve every use the public may want to make of information. But it’s a strong start.
Then we compared the data that’s actually out there to the practices described in my paper, “Publication Practices for Transparent Government,” and out popped the grades! They were pretty bad…
The House of Representatives aims to fix that—for its part, at least.
Now to this spreadsheet: it’s a list of the things that should be identified in congressional documents so that computers can find the most salient information in them. It also indicates the “vocabularies” that already exist for identifying many of them: members of Congress, bills, laws, statutes, committees, agencies, programs, and so on. We’ve talked about how to identify “budget authority” and appropriations (spending) so that computers can capture that information from bills and committee reports. Locations, state and foreign governments, times, meetings—all these things can be put into electronic versions of documents to allow computer-aided public oversight.
Once documents contain data like this in the proper structures, literally thousands of questions about Congress will be answered instantly.
- How much new budget authority has each member of Congress proposed? Voted for? Voted against? Allowed to go through on voice vote or unanimous consent? How about this same information by state? By region? Or by seniority?
- What title of the U.S. code do members of Congress most often propose to amend? What title do they actually amend the most?
- What bills affect my state specifically, such as by naming buildings, creating wilderness areas, changing boundaries on parks, or giving land to localities?
- How often do my member of Congress and senators break with their party?
These are just a few examples. In the hands of varied users, the data will be converted to hundreds or thousands of uses. It will go into studies performed by political scientists and it will supercharge news reporting. But more importantly, it will go into services that inform people directly and quickly about how their own representatives in Congress are acting and what they’re saying.
It will give people insight into where the money goes—from the moment new spending is proposed all the way through to when Congress spends it—or declines to spend.
Credit is due to the leadership in the House of Representative for starting this work. There is a lot to do before they show clear success. But they are way ahead of President Obama, whose Sunlight Before Signing transparency promise lags badly, and who has yet to put together a machine-readable organization chart for the executive branch of the federal government. He can easily do the latter, and coordination with Congress is essential for transparency success. The sooner that happens the better.
‘Destroy America’ = Suspicion Fail
News that incautious comments on “tweeter” got British tourists excluded from the United States had Twitter alight yesterday. (Paperwork given to one of the two, on display in this news story, refers to the popular social networking site as a “Tweeter website account,” betraying some ignorance of what Twitter is.)
It’s a good chance to review how suspicion is properly—and, here, improperly—generated.
The Department of Homeland Security has been vague as yet about what actually happened. It may have been some kind of “social media analysis” like this that turned up “suspicious” Tweets leading to the exclusion, though the betting is running toward a suspicious-activity tipline. (What “turned up” the Tweets doesn’t affect my analysis here.) The boastful young Britons Tweeted about going to “destroy America” on the trip—destroy alcoholic beverages in America was almost certainly the import of that line—and dig up the grave of Marilyn Monroe.
Profoundly stilted literalism took this to be threatening language. And a failure of even brief investigation prevented DHS officials from discovering the absurdity of that literalism. It would be impossible to “dig up” Marilyn Monroe’s body, which is in a crypt at Westwood Memorial Park in Los Angeles.
I testified to the Senate Judiciary Committee in 2007 about how one might mine data for terrorists and terrorism planning, in terms that apply equally well to Twitter banter and to any criminality or wrongdoing. For valid suspicion to arise, the information collected must satisfy two criteria:
(1) It is consistent with bad behavior, such as terrorism planning or crime; and (2) it is inconsistent with innocent behavior. In . . . the classic Fourth Amendment case, Terry v. Ohio, . . . a police officer saw Terry walking past a store multiple times, looking in furtively. This was (1) consistent with criminal planning (“casing” the store for robbery), and (2) inconsistent with innocent behavior — it didn’t look like shopping, curiosity, or unrequited love of a store clerk. The officer’s “hunch” in Terry can be described as a successful use of pattern analysis before the age of databases.
Similarly, using the phrase “destroy America” is consistent with planning to destroy America. (You want to be literal? Let’s be literal!) But it’s also consistent with talking smack, which is innocent behavior. These Tweets fail the second criterion for generating suspicion.
Twitter is nothing if not an unreliable source of people’s thinking and intentions. It’s a hotbed of irony, humor, and inside jokes. Witness this Tweet of mine from yesterday, which failed to garner the social media guffaw I sought (which is why I link to it here). Things said on Twitter will almost never be suspicious enough to justify even the briefest interrogation.
Other facts could combine with Twitter commentary to create a suspicious circumstance on extremely rare occasions, but for proper suspicion to arise, the Tweet or Tweets and all other facts must be consistent with criminal planning and inconsistent with lawful behavior. No information so far available suggests that the DHS did anything other than take Tweets literally in the face of plausible explanations by their authors that they were using hyperbole and irony. This is simple investigative incompetence.
If indeed it is a “social media analysis” program that produced this incident, the U.S. government is paying money to cause U.S. government officials to waste their time on making the United States an unattractive place to visit. That’s a cost-trifecta in the face of essentially zero prospect for any security benefit. I slept no more soundly last night knowing that some Brits were denied a chance to paint the town red in L.A.
In case it needs explaining, “paint the town red” is archaic slang. It does not imply an intention or plan to apply pigments to any building or infrastructure in Los Angeles, whether by brush, roller, or spray can.
Sunlight Before Signing, Year Three
In last night’s State of the Union speech, President Obama called for tax law reforms he says we need. Cato scholars have their doubts about much of what was in the speech, but my interest was piqued by the fact that he said, “Send me these tax reforms, and I will sign them right away.”
You see signing them “right away” would again violate his 2008 campaign promise to post the bills sent him by Congress online for five days before signing them.
That’s a cheeky point, but it is time to focus on campaign promises and their honesty. The beginning of President Obama’s fourth year in office is roughly the beginning of his campaign for another term.
When I first began tracking President Obama’s Sunlight Before Signing promise, I joked with friends that it was career gold because I could write hundreds of blog posts for the next four years without thinking a new thought. Well, it’s not quite that good. This is post thirty-six in the SBS series.
(Each character in that last sentence was a link to a previous post. You can spend a whole day reviewing them!)
Last Thursday, January 19th, was the end of President Obama’s third year, so it’s time to review how he’s been doing with Sunlight Before Signing. It was the president’s first broken promise, and at the mid-point of the term he had popped just above 50% in his compliance.
How has he done in the ensuing year?
Well … meh.
SOPA and Skepticism
Over at Libertarianism.org I have a new blog post on the lesson the technology community should have learned from their campaign against SOPA.
Imagine you’re an expert in some field of technical knowledge. Your field impacts quite a lot of people but most of them don’t understand the details the way you do. One day, Congress proposes legislation called the Make Things Better Act, which, its sponsors say, will make things better.
But wait. The Act happens to deal with exactly the field you’re knowledgeable about. And you know what? It won’t make things better. In fact, it will make things far, far worse. Not only will it make things worse, but any benefits the legislation does create will accrue exclusively to a small but powerful interest group.
So you and your other technically-minded friends mobilize against the Make Things Better Act and, through coordination and outcry, succeed in killing it. Two days later, Congress proposes another piece of legislation called the It’s Good for the Children Act. Except this time the law deals with an area outside your expertise. If you applied the lesson learned from the Make Things Better Act, you might react to this new proposal with skepticism. After all, when you were in a position to evaluate what Congress was really up to, you discovered that it wasn’t working in the interests of the American public but, instead, of a tiny and powerful minority. Couldn’t it be possible the new bill is just be more of the same?
Most likely, though, based on the way people typically react in these situations, you won’t apply that lesson. Instead you’ll say, “Boy this new law is great because my favored political party wrote it and, well, it’s good for the children.”
SOPA/PIPA: Harbinger or Aberration?
He’s not unrestrained, but Larry Downes sees the remarkable downfall of legislation to regulate the Internet’s engineering as a harbinger of things to come. Jerry Brito, meanwhile, tells us “Why We Won’t See Many Protests like the SOPA Blackout.”
They’re both right—over different time-horizons. The information environment and economics of political organization today are still quite stacked against public participation in our unwieldy federal government. But in time this will change. Congress and Washington, D.C.’s advocacy and lobbying groups now have some idea what the future will feel like.
The Second-Day Story on U.S. v. Jones
Does a more careful reading of the Supreme Court’s decision in U.S. v. Jones turn up a lurking victory for the government?
Modern media moves so fast that the second-day story happens in the afternoon of the first. The Supreme Court ruled unanimously Monday morning that government agents conduct a Fourth Amendment search when they place a GPS device on a private vehicle and use it to monitor a suspect’s whereabouts for weeks at a time. Monday afternoon, a couple of commentators suggested that the case is less a win than many thought because it didn’t explicitly rule that a warrant is required to attach a GPS device to a vehicle.
Writing on the Volokh Conspiracy blog, George Washington University law professor Orin Kerr noted “What Jones Does Not Hold.”
The Court declined to reach when the installation of the device is reasonable or unreasonable. … So we actually don’t yet know if a warrant is required to install a GPS device; we just know that the installation of the device is a Fourth Amendment “search.”
And over on Scotusblog, Tom Goldstein found that “The Government Fared Much Better Than Everyone Realizes“:
[D]oes the “search” caused by installing a GPS device require a warrant? The answer may be no, given that no member of the Court squarely concludes it does and four members of the Court (those who join the Alito concurrence) do not believe it constitutes a search at all.
So there is a constitutional search when the government attaches a GPS device to a vehicle, but the Court conspicuously declined to say that such a search requires a warrant. Do we have an “a-ha” moment?
The Megaupload Chilling Effects Hit
As I noted on Friday, the seizure of popular cyberlocker Megaupload demonstrates that, even without controversial new legislation, our government already has extraordinarily broad powers to take down U.S.-registered websites (including any site in the .com and .org domains) before anyone has been tried for illegal conduct, let alone convicted. While the evidence presented in the indictment charging Megaupload’s executives with criminal racketeering and copyright infringement certainly seems damning, I also worried about the broader chilling effect such seizures could have on cloud storage services generally.
It didn’t take long for those effects to become apparent. The cyberlocker Filesonic has now disabled file sharing functionality: Users can still upload files for personal storage, but can’t create public links to enable others to access those files. (Though I’m not sure what prevents someone from simply creating a dummy account, uploading files, and then publicly posting the login information.) Another cyberlocker, Uploaded.to, is just blocking all traffic from U.S. Internet addresses, though it’s not at all clear how much legal protection that’s likely to afford them. You can hardly blame them for being skittish: The Megaupload indictment suggests that the U.S. government considers a wide array of cyberlocker business practices to be ipso facto evidence of criminal intentions, even though there are arguably legitimate reasons for many of them. Yet the government doesn’t think it has to wait for a trial, or give the folks who run a site an opportunity to explain their practices, before seizing an entire domain—which would be an effective death sentence for many startups.
If you think all cyberlockers are nothing more than piracy tools, and there’s no legitimate reason to make use of cloud storage for anything but personal backups, this might sound like an entirely healthy development. It’s a little more worrying to those of us who see many valid reasons that law abiding individuals—even those who lack contracts with major record labels and movie studios, or the funds and tech savvy to run their own servers—might want to share large files with friends and colleagues, or distribute them to the general public.
To be sure, such services aren’t going to vanish entirely. Established corporations like Google have sophisticated filter algorithms that can help identify copyrighted content—though those are trivially defeated by file compression and encryption—and large, well paid legal teams to handle copyright compliance and fend off lawsuits, like the one Google’s own YouTube continues to fight with content behemoth Viacom. The question is whether these are the only companies we want offering such services. Is the market for cloud-based platforms that enable sharing (which is one of the big selling points of cloud computing) a market we’re prepared to see effectively closed off to startups that can’t preemptively police every user-uploaded file to Hollywood’s satisfaction? Because that is the predictable effect of a regulatory environment where investors know a nascent site can be summarily yanked offline by a district judge who thinks a Tumblr is some sort of gymnastics aficionado.
If you’re only thinking about current, known uses of the Internet, this might not seem like that big a deal: Why do we need lots of different platforms for sharing large files? But then, just a few years ago it was hard to envision why we might want a platform for sharing streams of 140-character messages (“Just a bunch of people gabbing about what they had for lunch, ho-ho-ho!”) or a platform where anyone, not just Professional Content Creators, could upload short videos (“Amateur videos? Sounds like an excuse to steal movies!”) or half the other technologies that are so profoundly shaping 21st century life.
The last innovation is always safe. That’s why it’s easy to claim concrete examples of the harm regulation might do are hyperbolic fearmongering: Nobody’s going to shut down YouTube or Twitter now, because we’ve already seen the incredible value creation they enable, even if they also make it a bit easier to infringe copyrights. And anyway, the success stories eventually get big enough to afford their own fancy lawyers. It’s the next platform that we risk strangling in the cradle, because every new medium starts out recapitulating old media content before it becomes truly generative. Early radio is full of people reading newspapers and books out loud. Early TV and film looks like what you get when someone points a camera at a stage play.
File lockers still look like nothing but piracy tools to a lot of people, because most of us aren’t yet generating and sharing gigabytes worth of content on a daily basis. But it doesn’t take a whole lot of imagination to imagine a world where that’s not at all the case, a world where cheap, ubiquitous, powerful computing and rising bandwidth and falling storage costs make collaborative creation of high definition sound, video, and—who knows—maybe entire 3D environments a nigh universal recreational activity. (Like TV has been for the last couple generations, only with fewer dead brain cells.)
That world can be run by Google and Sony and a few other behemoths capable of negotiating byzantine licensing deals (and filtering protocols), with incumbents ill-disposed to see the value in anything that isn’t easily shoehorned into their existing business models. Or we can have a more dynamic, open world where someone with a cool idea for a platform can give it a try without spending more money on lawyers than servers first. The interesting, important question isn’t—as regulatory advocates want to make it—whether Megaupload should go out of business. Odds are it will and should, after a proper trial. It isn’t even whether sites like Rapidshare or Hotfile ought to follow suit. The interesting, important question is whether we’re going to have a legal climate that’s capable of giving rise to the second kind of cultural ecosystem, or one that’s only hospitable to the first kind.
“Jones”ing for a Fourth Amendment Upgrade
Today’s unanimous Supreme Court ruling in United States v. Jones makes it clear that government installation and use of GPS tracking devices is a Fourth Amendment “search”—but it may be the concurring opinions, rather than Justice Scalia’s majority opinion, that are most significant for Americans’ privacy in the 21st century.
As Jim Harper notes, Justice Scalia ruled on the relatively narrow grounds that installing the tracking device involved physical intrusion on the suspect’s property, triggering Fourth Amendment protections. Yet as Justices Alito and Sotomayor observe in separate concurrences—and as I pointed out in a previous post on this case—there are plenty of means for tracking a target’s location in public that don’t require such intrusion. One of the most popular with law enforcement is cell-phone tracking, either by means of a court order demanding records from the phone company directly, or through the use of devices known as “Stingrays” or “Triggerfish.” There’s also the use of license-plate recognition cameras, and even aerial surveillance drones. The broader question that’s crucial to determining the extent of our privacy rights in the long term, then, is the one Scalia’s opinion pointedly declines to reach: Does prolonged, technologically-assisted location surveillance impinge on a citizen’s “reasonable expectation of privacy,” even when it does not require physical intrusion?
Justice Alito, joined by three other justices, says that it can indeed—and in this case, did. The placement of a tiny device on the undercarriage of a car parked in a public place, Alito argues, does not sufficiently “interfere” with a suspect’s property interests to constitute a Fourth Amendment “seizure,” nor is it a “search” until police activate and begin monitoring the device. If the police had simply slipped a business card into the tire, after all, the physical intrusion would be too minor in itself to count as an actionable trespass. Instead, Alito insists, it is necessary to proceed to the harder question of whether such intensive location monitoring violates our reasonable social expectations of privacy, even as we move around in public. Though the concurrence is reluctant to say exactly when that expectation is breached, Alito notes that round-the-clock surveillance over a full month would be so costly to carry out by conventional physical observation that it exceeds what reasonable people expect—and so triggers the Fourth Amendment’s warrant requirement.
Perhaps most intriguing is Sotomayor’s brief concurrence. For Sotomayor, either the property rationale relied on by Scalia or the “expectations” analysis deployed by Alito would suffice to find a Fourth Amendment violation here. That’s crucial, because it means that there are at least five votes on the current Court for the view that we have some Fourth Amendment protection against intensive, high-tech location tracking, even in public, and even when the method doesn’t require physical intrusion. Yet even more important than that may be this passage:
More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. [...] This approach is ill suited to the digital age, in which people reveal a greatdeal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers. [...] But whatever the societal expectations, they can attain constitutionally protectedstatus only if our Fourth Amendment jurisprudence ceases to treat secrecy as a prerequisite for privacy. I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection.
This is a pretty big deal. Fourth Amendment scholars have been warning for decades—and with increasing alarm—that modern communications technology could turn constitutional privacy protections into an empty formality if we’re regarded as waiving those protections whenever we “expose” information to a third party. It is inherent to the nature of the Internet and mobile telecommunications, after all, that almost everything we do online—and, increasingly, much that we do offline as well—leaves a trace in the vast databases of one corporation or another.
Sotomayor’s concurrence signals a recognition that we need to move beyond what privacy scholar Daniel Solove has called “The Secrecy Paradigm,” which assumes that whatever is not totally secret (or very nearly so) is effectively “public.” In other words, if your Internet provider has a record of every Web site you visit, there’s no invasion of privacy when the government decides to have a look at the list. At least one Justice, evidently, recognizes that this is an indefensible inference—and one hopes she’s not alone.
Cato on Facebook
Cato on Twitter
Cato on Google+
Cato on YouTube
