The Daily Caller reports that Senator Harry Reid (D-NV) is planning another effort at Internet regulation—right on the heels of the SOPA/PIPA debacle. The article seems calculated to insinuate that a follow-on to SOPA/PIPA might slip into cybersecurity legislation the Senate plans to take up. Whether that’s in the works or not, I’ll detail here the privacy threats in cybersecurity language being circulated on the Hill.

A Senate draft currently making the rounds is called the “Cybersecurity Information Sharing Act of 2012.” It sets up “cybersecurity exchanges” at which government and corporate entities would share threat information and solutions.

Sharing of information does not require federal approval or planning, of course. Information sharing happens all the time according to market processes. But “information sharing” is the solution Congress has seized upon, so federal information sharing programs we will have. Think of all this as a “see something, say something” campaign for corporate computer security people. Or perhaps “e-fusion centers.”

Reading over the draft, I was struck by sweeping language purporting to create “affirmative authority to monitor and defend against cybersecurity threats.” To understand the strangeness of these words, we must start at the beginning:

We live in a free country where all that is not forbidden is allowed. There is no need in such a country for “affirmative” authority to act. So what does this section do as it in purports to permit private and governmental entities to monitor their information systems, operate active defenses, and such? It sweeps aside nearly all other laws controlling them.

“Consistent with the Constitution of the United States and notwithstanding and other provision of law,” it says (emphasis added), entities may act to preserve the security of their systems. This means that the only law controlling their actions would be the Constitution.

It’s nice that the Constitution would apply</sarcasm>, but the obligations in the Privacy Act of 1974 would not. The Electronic Communications Privacy Act would be void. Even the requirements of the E-Government Act of 2002, such as privacy impact assessments, would be swept aside.

The Constitution doesn’t constrain private actors, of course. This language would immunize them from liability under any and all regulation and under state or common law. Private actors would not be subject to suit for breaching contractual promises of confidentiality. They would not be liable for violating the privacy torts. Anything goes so long as one can make a claim to defending “information systems,” a term that refers to anything having to do with computers.

Elsewhere, the bill creates an equally sweeping immunity against law-breaking so long as the law-breaking provides information to a “cybersecurity exchange.” This is a breath-taking exemption from the civil and criminal laws that protect privacy, among other things.

(1) IN GENERAL.—No civil or criminal cause of action shall lie or be maintained in any Federal or State court against any non-Federal governmental or private entity, or any officer, employee, or agent of such an entity, and any such action shall be dismissed promptly, for the disclosure of a cybersecurity threat indicator to—
(A) a cybersecurity exchange under subsection (a)(1); or
(B) a private entity under subsection, (b)(1), provided the cybersecurity threat indicator is promptly shared with a cybersecurity exchange.

In addition to this immunity from suit, the bill creates an equally sweeping “good faith” defense:

Where a civil or criminal cause of action is not barred under paragraph (1), a good faith reliance by any person on a legislative authorization, a statutory authorization, or a good faith determination that this Act permitted the conduct complained of, is a complete defense against any civil or criminal action brought under this Act or any other law.

Good faith is a question of fact, and a corporate security official could argue successfully that she acted in good faith if a government official told her to turn over private data. This language allows the corporate sector to abandon its responsibility to follow the law in favor of following government edicts. We’ve seen attacks on the rule of law like this before.

A House Homeland Security subcommittee marked up a counterpart to this bill last week. It does not have similar language that I could find.

In 2009, I testified in the House Science Committee on cybersecurity, skeptical of the government’s ability to tackle cybersecurity but cognizant that the government must secure its own systems. “Cybersecurity exchanges” are a blind stab at addressing the many challenges in securing computers, networks, and data, and I think they are unnecessary at best. According to current plans, cybersecurity exchanges come at a devastating cost to our online privacy.

Congress seems poised once again to violate the rule from the SOPA/PIPA disaster: “First, do no harm to the Internet.”

The Senate’s SOPA Counterattack?: Cybersecurity the Undoing of Privacy is a post from Cato @ Liberty - Cato Institute Blog

New Hampshire was the state where the “REAL ID rebellion” got its start. There, in 2006, Rep. Neal Kurk (R-Weare) took to the floor of the New Hampshire House to talk about his principled opposition to the federal national ID law.

In stirring words, Kurk urged his colleagues to overturn a committee recommendation that no action should be taken on his bill to have New Hampshire reject REAL ID. The House went on to pass his bill and half the states in the nation soon followed suit.

Now a bill pending in the New Hampshire House responds to a more insidious version of the federal government’s national ID plans: E-Verify.

E-Verify is a federal background check system that its proponents intend to be used on every person seeking work in the United States. Once in place, E-Verify would expand to new uses, giving the federal government direct regulatory control of all Americans’ lives through control of proof of identity. It’s being fitted to operate using only databases, so I’ve been referring to it as a “cardless national ID.”

New Hampshire Rep. Seth Cohn (R-Merrimack 6) has introduced a bill to prevent his state from contributing New Hampshirites personal data to the E-Verify system. HB 1549 would not only prohibit the state from allowing citizens’ personal data to be used in E-Verify. It would prohibit the state from requiring employers to participate in the E-Verify system.

It’s an appropriate response to the Department of Homeland Security’s latest move. You see, a branch of E-Verify is called the “RIDE” program. That stands for “Records and Information from Department of Motor Vehicles for E-Verify” (Yeah, it’s a stretch…) Basically, RIDE is the conduit through which the states are going to start passing data to the federal government, weaving together that national ID outside of the REAL ID Act.

In their desire to bring illegal immigration under control, a lot of people have convinced themselves over many years that growing the federal government and conscripting businesses into “internal enforcement” of immigration law was the way to go. Unfortunately, that route costs a lot of money, it bloats the federal government, and it requires a national ID system, which is a threat to liberty that Americans reject. My paper, “Franz Kafka’s Solution to Illegal Immigration,” goes through many of the details.

Is this the beginning of the E-Verify rebellion? It’s a welcome addition to the national debate from the “Live Free or Die” state.

Cardless National ID and the E-Verify Rebellion is a post from Cato @ Liberty - Cato Institute Blog

Because all of us are with ourselves all day every day, we naturally tend to think that our own lives are pretty standard fare. But that’s just not so in a country of 300+ million people ranging over a vast expanse. So I found worthwhile this NPR story on people who don’t have IDs, people who face difficulty with laws requiring IDs to vote. Not everyone trundles down to the DMV and plunks down money and paperwork for an ID whenever they please.

The voter ID issue is a hot one. Some are strongly committed to the idea that identification requirements are needed to suppress voter fraud. There isn’t much evidence of that problem, and to worry about impersonation fraud at polling places, one has to put aside absentee ballot fraud, which is probably much easier, as well as election fraud—rigged vote counts, for example—which is much more efficient.

States should tinker with their voting rules and processes, each seeking for itself the methods that optimally secure elections while facilitating voting. It’s a big country, and different states may require different rules. My emphasis has always been on avoiding a national voter ID system, which would inevitably be a national ID system, paving the way for greater federal control of individuals’ lives.

Photo ID Laws Mean Some Won’t Vote is a post from Cato @ Liberty - Cato Institute Blog

…on the Google privacy policy change.

The idea that people should be able to opt out of a company’s privacy policy strikes me as ludicrous.

Plus she embeds a valuable discussion among her Xtranormal friends. Highlight:

“Well, members of Congress don’t send angry letters about privacy issues very often.”

“Oh, well, actually, they do.”

Read the whole thing. Watch the whole thing. And, if you actually care, take some initiative to protect your privacy from Google, a thing you are well-empowered to do by the browser and computer you are using to view this post.

Kashmir Hill Has It Right… is a post from Cato @ Liberty - Cato Institute Blog

The House of Representatives is poised to make great strides forward in transparency, and our work over the last year aims to help them do that. Here’s how this spreadsheet (.xls) will do that.

In December, the House Administration Committee announced a plan to improve the publication of House documents. In January, a new site—docs.house.gov—went live. (It’s attractive looking, but still bare-bones.) On Thursday this week, the Committee is hosting a “Legislative Data and Transparency Conference” to examine what data is out there and what data should be out there. Little information is on the Web yet, but you can sign up to attend at the link just above.

I’ll be speaking on the last panel of the day, which deals with measuring transparency success. Likely, they chose me for this panel because I’ve already been grading the government on its publication practices.

Last September, you see, we graded Congress on how well it publishes data that would assist the public in computer-aided oversight. The summary blog post is called “Needs Improvement.” And then in December, we graded the government on publication of budget, appropriations, and spending data. That’s a joint legislative-executive responsibility, but mostly executive. The message was: “‘Needs Improvement’ is Understatement.”

How do you grade Congress and the government on their data publication?

You start out by modeling the data government should publish. We put together a data model for legislative process, for example, and then a data model for budgeting, appropriating, and spending. We got a great deal of help from folks at the Sunlight Foundation, OMB Watch, and others such as the National Priorities Project, as well as data guru Josh Tauberer, whose latest project is PopVox.

Even with all this help, these models won’t be the last word—there is much to learn yet about the data structure that will serve every use the public may want to make of information. But it’s a strong start.

Then we compared the data that’s actually out there to the practices described in my paper, “Publication Practices for Transparent Government,” and out popped the grades! They were pretty bad…

The House of Representatives aims to fix that—for its part, at least.

Now to this spreadsheet: it’s a list of the things that should be identified in congressional documents so that computers can find the most salient information in them. It also indicates the “vocabularies” that already exist for identifying many of them: members of Congress, bills, laws, statutes, committees, agencies, programs, and so on. We’ve talked about how to identify “budget authority” and appropriations (spending) so that computers can capture that information from bills and committee reports. Locations, state and foreign governments, times, meetings—all these things can be put into electronic versions of documents to allow computer-aided public oversight.

Once documents contain data like this in the proper structures, literally thousands of questions about Congress will be answered instantly.

• How much new budget authority has each member of Congress proposed? Voted for? Voted against? Allowed to go through on voice vote or unanimous consent? How about this same information by state? By region? Or by seniority?
• What title of the U.S. code do members of Congress most often propose to amend? What title do they actually amend the most?
• What bills affect my state specifically, such as by naming buildings, creating wilderness areas, changing boundaries on parks, or giving land to localities?
• How often do my member of Congress and senators break with their party?

These are just a few examples. In the hands of varied users, the data will be converted to hundreds or thousands of uses. It will go into studies performed by political scientists and it will supercharge news reporting. But more importantly, it will go into services that inform people directly and quickly about how their own representatives in Congress are acting and what they’re saying.

It will give people insight into where the money goes—from the moment new spending is proposed all the way through to when Congress spends it—or declines to spend.

Credit is due to the leadership in the House of Representative for starting this work. There is a lot to do before they show clear success. But they are way ahead of President Obama, whose Sunlight Before Signing transparency promise lags badly, and who has yet to put together a machine-readable organization chart for the executive branch of the federal government. He can easily do the latter, and coordination with Congress is essential for transparency success. The sooner that happens the better.

Helping the House Advance Data Transparency is a post from Cato @ Liberty - Cato Institute Blog

News that incautious comments on “tweeter” got British tourists excluded from the United States had Twitter alight yesterday. (Paperwork given to one of the two, on display in this news story, refers to the popular social networking site as a “Tweeter website account,” betraying some ignorance of what Twitter is.)

It’s a good chance to review how suspicion is properly—and, here, improperly—generated.

The Department of Homeland Security has been vague as yet about what actually happened. It may have been some kind of “social media analysis” like this that turned up “suspicious” Tweets leading to the exclusion, though the betting is running toward a suspicious-activity tipline. (What “turned up” the Tweets doesn’t affect my analysis here.) The boastful young Britons Tweeted about going to “destroy America” on the trip—destroy alcoholic beverages in America was almost certainly the import of that line—and dig up the grave of Marilyn Monroe.

Profoundly stilted literalism took this to be threatening language. And a failure of even brief investigation prevented DHS officials from discovering the absurdity of that literalism. It would be impossible to “dig up” Marilyn Monroe’s body, which is in a crypt at Westwood Memorial Park in Los Angeles.

I testified to the Senate Judiciary Committee in 2007 about how one might mine data for terrorists and terrorism planning, in terms that apply equally well to Twitter banter and to any criminality or wrongdoing. For valid suspicion to arise, the information collected must satisfy two criteria:

(1) It is consistent with bad behavior, such as terrorism planning or crime; and (2) it is inconsistent with innocent behavior. In . . . the classic Fourth Amendment case, Terry v. Ohio, . . .  a police officer saw Terry walking past a store multiple times, looking in furtively. This was (1) consistent with criminal planning (“casing” the store for robbery), and (2) inconsistent with innocent behavior — it didn’t look like shopping, curiosity, or unrequited love of a store clerk. The officer’s “hunch” in Terry can be described as a successful use of pattern analysis before the age of databases.

Similarly, using the phrase “destroy America” is consistent with planning to destroy America. (You want to be literal? Let’s be literal!) But it’s also consistent with talking smack, which is innocent behavior. These Tweets fail the second criterion for generating suspicion.

Twitter is nothing if not an unreliable source of people’s thinking and intentions. It’s a hotbed of irony, humor, and inside jokes. Witness this Tweet of mine from yesterday, which failed to garner the social media guffaw I sought (which is why I link to it here). Things said on Twitter will almost never be suspicious enough to justify even the briefest interrogation.

Other facts could combine with Twitter commentary to create a suspicious circumstance on extremely rare occasions, but for proper suspicion to arise, the Tweet or Tweets and all other facts must be consistent with criminal planning and inconsistent with lawful behavior. No information so far available suggests that the DHS did anything other than take Tweets literally in the face of plausible explanations by their authors that they were using hyperbole and irony. This is simple investigative incompetence.

If indeed it is a “social media analysis” program that produced this incident, the U.S. government is paying money to cause U.S. government officials to waste their time on making the United States an unattractive place to visit. That’s a cost-trifecta in the face of essentially zero prospect for any security benefit. I slept no more soundly last night knowing that some Brits were denied a chance to paint the town red in L.A.

In case it needs explaining, “paint the town red” is archaic slang. It does not imply an intention or plan to apply pigments to any building or infrastructure in Los Angeles, whether by brush, roller, or spray can.

‘Destroy America’ = Suspicion Fail is a post from Cato @ Liberty - Cato Institute Blog

In last night’s State of the Union speech, President Obama called for tax law reforms he says we need. Cato scholars have their doubts about much of what was in the speech, but my interest was piqued by the fact that he said, “Send me these tax reforms, and I will sign them right away.”

You see signing them “right away” would again violate his 2008 campaign promise to post the bills sent him by Congress online for five days before signing them.

That’s a cheeky point, but it is time to focus on campaign promises and their honesty. The beginning of President Obama’s fourth year in office is roughly the beginning of his campaign for another term.

When I first began tracking President Obama’s Sunlight Before Signing promise, I joked with friends that it was career gold because I could write hundreds of blog posts for the next four years without thinking a new thought. Well, it’s not quite that good. This is post thirty-six in the SBS series.

(Each character in that last sentence was a link to a previous post. You can spend a whole day reviewing them!)

Last Thursday, January 19th, was the end of President Obama’s third year, so it’s time to review how he’s been doing with Sunlight Before Signing. It was the president’s first broken promise, and at the mid-point of the term he had popped just above 50% in his compliance.

How has he done in the ensuing year?

Well … meh.

Of the 90 bills that became law in the last year, 55 got the Sunlight Before Signing treatment. That’s a 61.1% average, good enough to earn a middle-school student a D.

At the end of the second year, we did some analysis and graphing to explore the hunch that inconsequential bills get plenty of sunlight and the more important ones do not. We return to that analysis.

Our first look is at compliance with Sunlight Before Signing over time. The updated numbers show essentially the same as they did before. After a first year of outright failure, there has been improvement—nowhere near perfection, just improvement.

(You can also see that Congress’ output dropped dramatically in 2011. That’s a matter of indifference in terms of Sunlight Before Signing—and a good thing if you like limited government.)

Click on the image at right to see a chart of compliance and non-compliance by number of bills over time, then compliance as a percentage of bills over time, and, in the pie chart, that overall compliance figure.

We also investigated previously the hunch that important bills get less sunlight, while unimportant bills get more. Our first proxy for importance—a rough one—was the number of pages in the bills coming to the president. Generally speaking, longer bills are more important than shorter ones. The second set of charts (click on the left) show Sunlight Before Signing compliance and non-compliance over time by number of pages, compliance by percentage of pages, and overall compliance by number of pages. You can see that overall compliance drops well below 50% to about 36%.

Another proxy for importance is the number of final passage votes a bill got in the House and Senate. Generally speaking—and it’s definitely not always true—more important bills are voted on in the House, the Senate, or both. Less important bills go through on voice vote, unanimous consent, and so on. (Sometimes important bills go through without votes because the political balances are so carefully struck. That’s good for Congress “getting things done,” but not good for transparency or your ability to oversee the government.)

Go ahead and click on the image to the right and you can see the charts reflecting Sunlight Before Signing compliance and non-compliance over time with multipliers given to bills getting one or two final votes. That result is not so decisive: compliance drops by a small amount to about 50%.

There’s still time for President Obama to execute on Sunlight Before Signing. He could make a real run at transparency by signalling right now—today—that all bills will get five-days online before he signs them. If Congress wants to finish appropriations this year at the last minute. They had better do that at the last minute plus five days or else the government will shut down.

Maybe that’s a silly idea. Maybe no president in his right mind would do something like that. If so, consider that President Obama promised to do exactly that when he campaigned for the presidency. If he was being fanciful during his last campaign, voters might consider that during his next campaign, just as they consider the credibility of all candidates. President Obama’s transparency promises have been unparalleled. His results … quite paralleled.

Perhaps President Obama is going to limp to the next election without fulfilling Sunlight Before Signing. The president could still score some real transparency points by publishing a machine-readable organization chart for the executive branch, with agencies, bureaus, programs, and projects all uniquely identified for computer processing. That would be big, and it would not be that hard.

In the meantime, here are the Sunlight Before Signing results for all the bills signed into law during President Obama’s third year.

[Brackets indicate a link from Whitehouse.gov to Thomas legislative database]

Sunlight Before Signing, Year Three is a post from Cato @ Liberty - Cato Institute Blog

Over at Libertarianism.org I have a new blog post on the lesson the technology community should have learned from their campaign against SOPA.

Imagine you’re an expert in some field of technical knowledge. Your field impacts quite a lot of people but most of them don’t understand the details the way you do. One day, Congress proposes legislation called the Make Things Better Act, which, its sponsors say, will make things better.

But wait. The Act happens to deal with exactly the field you’re knowledgeable about. And you know what? It won’t make things better. In fact, it will make things far, far worse. Not only will it make things worse, but any benefits the legislation does create will accrue exclusively to a small but powerful interest group.

So you and your other technically-minded friends mobilize against the Make Things Better Act and, through coordination and outcry, succeed in killing it. Two days later, Congress proposes another piece of legislation called the It’s Good for the Children Act. Except this time the law deals with an area outside your expertise. If you applied the lesson learned from the Make Things Better Act, you might react to this new proposal with skepticism. After all, when you were in a position to evaluate what Congress was really up to, you discovered that it wasn’t working in the interests of the American public but, instead, of a tiny and powerful minority. Couldn’t it be possible the new bill is just be more of the same?

Most likely, though, based on the way people typically react in these situations, you won’t apply that lesson. Instead you’ll say, “Boy this new law is great because my favored political party wrote it and, well, it’s good for the children.”

Read the rest here.

SOPA and Skepticism is a post from Cato @ Liberty - Cato Institute Blog

He’s not unrestrained, but Larry Downes sees the remarkable downfall of legislation to regulate the Internet’s engineering as a harbinger of things to come. Jerry Brito, meanwhile, tells us “Why We Won’t See Many Protests like the SOPA Blackout.”

They’re both right—over different time-horizons. The information environment and economics of political organization today are still quite stacked against public participation in our unwieldy federal government. But in time this will change. Congress and Washington, D.C.’s advocacy and lobbying groups now have some idea what the future will feel like.

SOPA/PIPA: Harbinger or Aberration? is a post from Cato @ Liberty - Cato Institute Blog

Does a more careful reading of the Supreme Court’s decision in U.S. v. Jones turn up a lurking victory for the government?

Modern media moves so fast that the second-day story happens in the afternoon of the first. The Supreme Court ruled unanimously Monday morning that government agents conduct a Fourth Amendment search when they place a GPS device on a private vehicle and use it to monitor a suspect’s whereabouts for weeks at a time. Monday afternoon, a couple of commentators suggested that the case is less a win than many thought because it didn’t explicitly rule that a warrant is required to attach a GPS device to a vehicle.

Writing on the Volokh Conspiracy blog, George Washington University law professor Orin Kerr noted “What Jones Does Not Hold.”

The Court declined to reach when the installation of the device is reasonable or unreasonable. … So we actually don’t yet know if a warrant is required to install a GPS device; we just know that the installation of the device is a Fourth Amendment “search.”

And over on Scotusblog, Tom Goldstein found that “The Government Fared Much Better Than Everyone Realizes“:

[D]oes the “search” caused by installing a GPS device require a warrant? The answer may be no, given that no member of the Court squarely concludes it does and four members of the Court (those who join the Alito concurrence) do not believe it constitutes a search at all.

So there is a constitutional search when the government attaches a GPS device to a vehicle, but the Court conspicuously declined to say that such a search requires a warrant. Do we have an “a-ha” moment?

When the Supreme Court granted certiorari in the case, it took the unusual step of adding to the questions it wanted addressed. In addition to “[w]hether the warrantless use of a tracking device on respondent’s vehicle to monitor its movements on public streets violated the Fourth Amendment,” the Court wanted to know “whether the government violated respondent’s Fourth Amendment rights by installing the GPS tracking device on his vehicle without a valid warrant and without his consent.” These are both compound questions, but the dimension added by the second is the Fourth Amendment meaning of attaching a device to a vehicle. The case was about attaching a device to a vehicle, and if the Court didn’t walk through every clause in each of the questions presented, that’s why.

On that central question in the case, the government argued the following: “Attaching the GPS tracking device to respondent’s vehicle was not a search or seizure under the Fourth Amendment.” The government lost, full stop.

Now, it’s true that the Court’s majority opinion didn’t explictly find that the “search” that occurs when attaching and using a GPS device requires a warrant, but look at its characterization of the opinion it affirmed: “The United States Court of Appeals for the District of Columbia Circuit reversed [Jones's] conviction because of admission of the evidence obtained by warrantless use of the GPS device which, it said, violated the Fourth Amendment.”

The Court did decline to consider the argument that the government might be able to attach a device based on reasonable suspicion or probable cause—that argument was “forfeited” by the government’s failure to raise it in the lower courts—but if the Supreme Court were limiting its holding to the attachment-as-search issue, it would have remanded the case back to the lower courts for further proceedings consistent with the opinion. It did not, and the sensible inference to draw from that is that the general rule applies: a warrant is required in the absence of one of the customary exceptions. Failing to make that explicit was not “opening a door” to a latent government victory. U.S. v. Jones was a unanimous decision rejecting the government’s warrantless use of outré technology to defeat the natural privacy protections provided by law and physics.

At least one serious lawyer I know has raised the point that I address here, and it is a real one, but some in the commentariat are a little too showy with their analysis and far too willing to go looking for a government victory in what is nothing other than a government defeat.

The Second-Day Story on U.S. v. Jones is a post from Cato @ Liberty - Cato Institute Blog

As I noted on Friday, the seizure of popular cyberlocker Megaupload demonstrates that, even without controversial new legislation, our government already has extraordinarily broad powers to take down U.S.-registered websites (including any site in the .com and .org domains) before anyone has been tried for illegal conduct, let alone convicted. While the evidence presented in the indictment charging Megaupload’s executives with criminal racketeering and copyright infringement certainly seems damning, I also worried about the broader chilling effect such seizures could have on cloud storage services generally.

It didn’t take long for those effects to become apparent. The cyberlocker Filesonic has now disabled file sharing functionality: Users can still upload files for personal storage, but can’t create public links to enable others to access those files. (Though I’m not sure what prevents someone from simply creating a dummy account, uploading files, and then publicly posting the login information.) Another cyberlocker, Uploaded.to, is just blocking all traffic from U.S. Internet addresses, though it’s not at all clear how much legal protection that’s likely to afford them. You can hardly blame them for being skittish: The Megaupload indictment suggests that the U.S. government considers a wide array of cyberlocker business practices to be ipso facto evidence of criminal intentions, even though there are arguably legitimate reasons for many of them. Yet the government doesn’t think it has to wait for a trial, or give the folks who run a site an opportunity to explain their practices, before seizing an entire domain—which would be an effective death sentence for many startups.

If you think all cyberlockers are nothing more than piracy tools, and there’s no legitimate reason to make use of cloud storage for anything but personal backups, this might sound like an entirely healthy development. It’s a little more worrying to those of us who see many valid reasons that law abiding individuals—even those who lack contracts with major record labels and movie studios, or the funds and tech savvy to run their own servers—might want to share large files with friends and colleagues, or distribute them to the general public.

To be sure, such services aren’t going to vanish entirely. Established corporations like Google have sophisticated filter algorithms that can help identify copyrighted content—though those are trivially defeated by file compression and encryption—and large, well paid legal teams to handle copyright compliance and fend off lawsuits, like the one Google’s own YouTube continues to fight with content behemoth Viacom. The question is whether these are the only companies we want offering such services. Is the market for cloud-based platforms that enable sharing (which is one of the big selling points of cloud computing) a market we’re prepared to see effectively closed off to startups  that can’t preemptively police every user-uploaded file to Hollywood’s satisfaction? Because that is the predictable effect of a regulatory environment where investors know a nascent site can be summarily yanked offline by a district judge who thinks a Tumblr is some sort of gymnastics aficionado.

If you’re only thinking about current, known uses of the Internet, this might not seem like that big a deal: Why do we need lots of different platforms for sharing large files? But then, just a few years ago it was hard to envision why we might want a platform for sharing streams of 140-character messages (“Just a bunch of people gabbing about what they had for lunch, ho-ho-ho!”) or a platform where anyone, not just Professional Content Creators, could upload short videos (“Amateur videos? Sounds like an excuse to steal movies!”) or half the other technologies that are so profoundly shaping 21st century life.

The last innovation is always safe. That’s why it’s easy to claim concrete examples of the harm regulation might do are hyperbolic fearmongering: Nobody’s going to shut down YouTube or Twitter now, because we’ve already seen the incredible value creation they enable, even if they also make it a bit easier to infringe copyrights. And anyway, the success stories eventually get big enough to afford their own fancy lawyers. It’s the next platform that we risk strangling in the cradle, because every new medium starts out recapitulating old media content before it becomes truly generative. Early radio is full of people reading newspapers and books out loud. Early TV and film looks like what you get when someone points a camera at a stage play.

File lockers still look like nothing but piracy tools to a lot of people, because most of us aren’t yet generating and sharing gigabytes worth of content on a daily basis. But it doesn’t take a whole lot of imagination to imagine a world where that’s not at all the case, a world where cheap, ubiquitous, powerful computing and rising bandwidth and falling storage costs make collaborative creation of high definition sound, video, and—who knows—maybe entire 3D environments a nigh universal recreational activity. (Like TV has been for the last couple generations, only with fewer dead brain cells.)

That world can be run by Google and Sony and a few other behemoths capable of negotiating byzantine licensing deals (and filtering protocols), with incumbents ill-disposed to see the value in anything that isn’t easily shoehorned into their existing business models. Or we can have a more dynamic, open world where someone with a cool idea for a platform can give it a try without spending more money on lawyers than servers first. The interesting, important question isn’t—as regulatory advocates want to make it—whether Megaupload should go out of business. Odds are it will and should, after a proper trial. It isn’t even whether sites like Rapidshare or Hotfile ought to follow suit. The interesting, important question is whether we’re going to have a legal climate that’s capable of giving rise to the second kind of cultural ecosystem, or one that’s only hospitable to the first kind.

The Megaupload Chilling Effects Hit is a post from Cato @ Liberty - Cato Institute Blog

Today’s unanimous Supreme Court ruling in United States v. Jones makes it clear that government installation and use of GPS tracking devices is a Fourth Amendment “search”—but it may be the concurring opinions, rather than Justice Scalia’s majority opinion, that are most significant for Americans’ privacy in the 21st century.

As Jim Harper notes, Justice Scalia ruled on the relatively narrow grounds that installing the tracking device involved physical intrusion on the suspect’s property, triggering Fourth Amendment protections.  Yet as Justices Alito and Sotomayor observe in separate concurrences—and as I pointed out in a previous post on this case—there are plenty of means for tracking a target’s location in public that don’t require such intrusion. One of the most popular with law enforcement is cell-phone tracking, either by means of a court order demanding records from the phone company directly, or through the use of devices known as “Stingrays” or “Triggerfish.” There’s also the use of license-plate recognition cameras, and even aerial surveillance drones.  The broader question that’s crucial to determining the extent of our privacy rights in the long term, then, is the one Scalia’s opinion pointedly declines to reach: Does prolonged, technologically-assisted location surveillance impinge on a citizen’s “reasonable expectation of privacy,” even when it does not require physical intrusion?

Justice Alito, joined by three other justices, says that it can indeed—and in this case, did. The placement of a tiny device on the undercarriage of a car parked in a public place, Alito argues, does not sufficiently “interfere” with a suspect’s property interests to constitute a Fourth Amendment “seizure,” nor is it a “search” until police activate and begin monitoring the device. If the police had simply slipped a business card into the tire, after all, the physical intrusion would be too minor in itself to count as an actionable trespass. Instead, Alito insists, it is necessary to proceed to the harder question of whether such intensive location monitoring violates our reasonable social expectations of privacy, even as we move around in public. Though the concurrence is reluctant to say exactly when that expectation is breached, Alito notes that round-the-clock surveillance over a full month would be so costly to carry out by conventional physical observation that it exceeds what reasonable people expect—and so triggers the Fourth Amendment’s warrant requirement.

Perhaps most intriguing is Sotomayor’s brief concurrence. For Sotomayor, either the property rationale relied on by Scalia or the “expectations” analysis deployed by Alito would suffice to find a Fourth Amendment violation here. That’s crucial, because it means that there are at least five votes on the current Court for the view that we have some Fourth Amendment protection against intensive, high-tech location tracking, even in public, and even when the method doesn’t require physical intrusion. Yet even more important than that may be this passage:

More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. [...] This approach is ill suited to the digital age, in which people reveal a greatdeal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers. [...] But whatever the societal expectations, they can attain constitutionally protectedstatus only if our Fourth Amendment jurisprudence ceases to treat secrecy as a prerequisite for privacy. I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection.

This is a pretty big deal. Fourth Amendment scholars have been warning for decades—and with increasing alarm—that modern communications technology could turn constitutional privacy protections into an empty formality if we’re regarded as waiving those protections whenever we “expose” information to a third party. It is inherent to the nature of the Internet and mobile telecommunications, after all, that almost everything we do online—and, increasingly, much that we do offline as well—leaves a trace in the vast databases of one corporation or another.

Sotomayor’s concurrence signals a recognition that we need to move beyond what privacy scholar Daniel Solove has called “The Secrecy Paradigm,” which assumes that whatever is not totally secret (or very nearly so) is effectively “public.” In other words, if your Internet provider has a record of every Web site you visit, there’s no invasion of privacy when the government decides to have a look at the list. At least one Justice, evidently, recognizes that this is an indefensible inference—and one hopes she’s not alone.

“Jones”ing for a Fourth Amendment Upgrade is a post from Cato @ Liberty - Cato Institute Blog

The Supreme Court has delivered a big win for privacy in U.S. v. Jones. That’s the case in which government agents placed a GPS device on a car and used it to track a person round-the-clock for four weeks. The question before the Court was whether the government may do this in the absence of a valid warrant. All nine justices say No.

That’s big, important news. The Supreme Court will not allow developments in technology to outstrip constitutional protections the way it did in Olmstead.

Olmstead v. United States was a 1928 decision in which the Court held that there was no Fourth Amendment search or seizure involved in wiretapping because law enforcement made “no entry of the houses or offices of the defendants.” It took 39 years for the Court to revisit that restrictive, property-based ruling and find that Fourth Amendment interests exist outside of buildings. “[T]he Fourth Amendment protects people, not places” went the famous line from Katz v. United States (1967), which has been the lodestar ever since.

For its good outcome, though, Katz has not served the Fourth Amendment and privacy very well. The Cato Institute’s brief argued to the Court that the doctrine arising from Katz “is weak as a rule for deciding cases.” As developed since 1967, “the ‘reasonable expectation of privacy’ test reverses the inquiry required by the Fourth Amendment and biases Fourth Amendment doctrine against privacy.”

Without rejecting Katz and reasonable expectations, the Jones majority returned to property rights as a basis for Fourth Amendment protection. “The Government physically occupied private property for the purpose of obtaining information” when it attached a GPS device to a private vehicle and used it to gather information. This was a search that the government could not conduct without a valid warrant.

The property rationale for deciding the case had the support of five justices, led by Justice Scalia. The other four justices would have used “reasonable expectations” to decide the same way, so they concurred in the judgement but not the decision. They found many flaws in the use of property and “18th-century tort law” to decide the case.

Justice Sotomayor was explicit in supporting both rationales for protecting privacy. With Justice Scalia, she argued, “When the Government physically invades personal property to gather information, a search occurs.” This language—more clear, and using the legal term of art “personal property,” which Justica Scalia did not—would seem to encompass objects like cell phones, the crucial tool we use today to collect, maintain, and transport our digital effects. Justice Sotomayor emphasized in her separate concurrence that the majority did not reject Katz and “reasonable expectations” in using property as the grounds for this decision.

Justice Sotomayor also deserves special notice for mentioning the pernicious third-party doctrine. “[I]t may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.” The third-party doctrine cuts against our Fourth Amendment interests in information we share with ISPs, email service providers, financial services providers, and so on. Reconsidering it is very necessary.

Justice Alito’s concurrence is no ringing endorsement of the “reasonable expectation of privacy” test. But he and the justices joining him see many problems with applying Justice Scalia’s property rationale as they interpreted it.

Along with the Scalia-authored Kyllo decision of 2001, Jones is a break from precedent. It may seem like a return to the past, but it is also a return to a foundation on which privacy can be more secure.

More commentary here in the coming days and weeks will explore the case’s meaning more fully. Hopefully, more Supreme Court cases in coming years and decades will clarify and improve Fourth Amendment doctrine.

U.S. v. Jones: A Big Privacy Win is a post from Cato @ Liberty - Cato Institute Blog

Online activists were still busy celebrating a successful day of protest against proposed (and now shelved) Internet censorship legislation when the Justice Department pulled the popular cyberlocker site Megaupload offline Thursday, and indicted its owners on charges of criminal copyright infringement. It was a serendipitously timed demonstration of two important facts.

First, the U.S. legal system is perfectly capable of reaching criminal suspects overseas. Megaupload is incorporated in Hong Kong, and its CEO was arrested (along with three employees) in New Zealand. That’s significant because supporters of laws like the Stop Online Piracy Act (SOPA) and PROTECT-IP Act (PIPA) typically claim they’re helpless to do anything about overseas sites by more conventional means, necessitating aggressive new enforcement powers with streamlined hearings that give short shrift to due process. Now, if the people behind Megaupload are, in fact, guilty of criminal activity—and the indictment certainly looks damning—the government will have the opportunity to prove it beyond a reasonable doubt before a jury, which will also get to hear any exculpatory facts or arguments the defendants are able to offer. It can be a slow process, but it’s also how we’re supposed to do things in the United States: we don’t just issue orders branding people or sites as “rogues,” we convict them.

Second, if you’re worried about the government taking down U.S.-registered sites, which include any site in the .com and .org domains, wherever their servers might be located, then SOPA and PIPA aren’t really what you should be concerned about: the government already has that power under the PRO-IP Act of 2008. There are good reasons SOPA and PIPA attracted more attention: Instead of “seizing” domains directly at the registry, they would have imposed blocking and filtering obligations on thousands of ISPs and search engines, creating a whole host of technological and security problems. There was also the private right of action, which seemed more susceptible to abuse by overzealous copyright owners who were able to find a friendly judge. But the central power of the government to shut down web domains is already there in PRO-IP, and has been used to seize hundreds of sites already—wrongfully in at least some cases. Incidentally, those absurdly inflated phony statistics I wrote about earlier this month—the ones the Government Accountability Office has debunked, which even the content industries have finally stopped using—were heavily cited as evidence for why PRO-IP was needed, featuring prominently in press releases by the bill’s authors.

The owners of Megaupload don’t seem like particularly sympathetic characters, but the abrupt seizure of the domain before trial ought to give us a bit of pause. The site was plainly used to enable an enormous amount of copyright infringement—and judging by the indictment, the site’s operators appear to not only have known about this, but encouraged it in order to bolster their ad revenues. But that doesn’t mean that’s all the site was used for. Plenty of people made legitimate use of the site for cloud storage, or to (legally) share large files with friends, family, or colleagues. Indeed, no small number of major-label recording artists declared in song  that they used the site for just such purposes. Journalist Adam Penenberg tweeted this morning that he was in the habit of using the site to share recordings of his interviews with a transcription service. If you Google around, of course, you’ll mostly see evidence of the more illicit uses—but that’s because people don’t post a link publicly on the Internet when they’re trying to share a file in a more limited way. Taking the entire domain down has affected all those legitimate uses along with the illicit ones.

Civil forfeiture laws have, frankly, always been subject to abuse. But when a suspected drug dealer’s car is seized, the effects are at least limited to the suspect and his family. The de facto seizure of an entire online platform, by contrast, affects all the users of that site, including many thousands who were using it to engage in legitimate, protected speech. And precisely because the non-pirate uses are less likely to involve public links, it’s extremely hard to know in advance exactly how much collateral damage is inflicted on legitimate activity by the seizure. In this specific case, I’d wager the proportion of illicit to legitimate content was quite high, but I can guarantee there’s also a whole lot of copyright-infringing videos posted to YouTube at any given instant as well; most people, presumably, recognize that shutting down YouTube in order to disable access to those videos would not be worth the enormous cost to protected speech.

There are also some troubling arguments offered by the government in the indictment. They suggest, for instance, that Megaupload shouldn’t be eligible for “safe harbor” under the Digital Millennium Copyright Act because though the firm would disable specific URLs linking to “infringing content” upon notice by copyright owners, it did not remove the underlying file entirely. (Megaupload was designed, like many other cloud storage services, to only keep one underlying copy of a file that many different users had uploaded, though it would create a different virtual address for each user’s “own” instance of the file.)  This may sound like shameless flouting of the DMCA takedown process, but it’s a bit more complicated than that, because in reality “infringing content” is something of a misnomer. Content is content. It’s what you do with it that infringes copyright.

Just about everyone’s hard drive these days is full of copyrighted music in MP3 format.  But it isn’t necessarily “infringing content.” In my case, it’s music I’ve downloaded from legal venues like the iTunes store or ripped from CDs I purchased back when one still bought music in shiny-plastic-disc form. Many people will put their legal MP3 files in a private Dropbox folder, or some other cloud storage service, so they can access the music from the office as well as their home desktops, or from their networked mobile devices. Creating a public link to those files, and distributing them to anyone on the Internet who wants them, would clearly be copyright infringement.  But that doesn’t mean the files themselves are suddenly “infringing content,” and it doesn’t mean that every user should lose his own access to the same files because other users tried to publicly distribute them.

This is another reason the takedown-before-trial model is disturbing. Again, there’s strong evidence in the indictment that Megaupload’s conduct here was anything but innocent. But now imagine some other cloud storage site that comes under the crosshairs of the government or content industries. As I suggest above, they might have very good reason for only disabling specific, publicly distributed links to a copyrighted file in response to a takedown notice, rather than cutting off access to every user who has remotely stored the file, regardless of how they’re using it. At a trial, they’d get to explain that.  If the site is shut down before its operators have an opportunity to even make the argument … well, that doesn’t bode well for investment in innovative cloud services.

FBI Reminds Us Government Already Has MegaPower to Take Down Websites is a post from Cato @ Liberty - Cato Institute Blog

That’s NYPD Commissioner Ray Kelly touting a new technology called “terahertz imaging detection” to a local news outlet.

Terahertz radiation is electromagnetic waves at the high end of the infrared band, just below the microwave band. The waves can penetrate a wide variety of non-conducting materials, such as clothing, paper, cardboard, wood, masonry, plastic, and ceramics, but they can’t penetrate metal or water. Thus, directing terahertz radiation at a person and capturing the waves that bounce off them can reveal what is under their clothes without the discomfort and danger of going “hands-on” in a search for weapons. Many materials have unique spectral “fingerprints” in the terahertz range, so terahertz imaging can be tuned to reveal only certain materials. (In case you’re wondering, I got this information off the top of my head…)

Will the machines be tuned to display only particular materials? Or will they display images of breasts, buttocks, and crotches? The TSA’s “strip-search machines” got the moniker they have because they did the latter—until the agency tardily re-configured them.

Then there’s the flip-side of not going “hands-on.” Terahertz imaging detection doesn’t natively reveal to the person being searched that law enforcement has picked him or her out for scrutiny. A pat-down certainly lets the individual know he or she is being searched, positioning one to observe and challenge one’s treatment as a suspect. Terahertz imaging lacks this natural—if insufficient—check on abuse.

So terahertz imaging is not just a “hi-tech pat-down.” Its potential takes what would be a pat-down and makes it into a secret, but intimate, visual examination—a surreptitious strip-search. Pat-downs and secret strip-searches are very different things, and it is not necessarily reasonable, where a pat-down might be called for, to use terahertz imaging.

And that brings us to the fundamental problem with Commissioner Kelly’s proffer to use this technology at a “specific event” or at a “shooting-prone location.” These contexts do not create the individualized suspicion that Fourth Amendment law demands when government agents are going to examine intimate details of a person’s body and concealed possessions.

It is certainly possible to devise a terahertz imaging device and a set of use protocols that are constitutional and appropriate for routine, domestic law enforcement, but Commissioner Kelly hasn’t thought of one, and I can’t either.

Consider the dollar costs and potential health effects of terahertz imaging detection, it might just be that the pat-downs pass muster far better than the high-tech gadgetry.

“You could use it at a specific event. You could use it at a shooting-prone location…” is a post from Cato @ Liberty - Cato Institute Blog

With popular sites all over the Internet “going dark” to protest well-intentioned but ill-considered antipiracy legislation, the Stop Online Piracy Act and PROTECT-IP Act are shedding supporters faster than Anthony Weiner on a Twitter spree. But as I explain in a Cato podcast today, neither is dead yet: Rep. Lamar Smith has pledged to continue marking up SOPA next month, and PIPA is still set for a cloture vote next week.

In a huge about-face, given their prior intransigence on this point, both have said they’re prepared to remove, at least temporarily, an onerous and controversial provision to require DNS blocking of accused “rogue sites,” which is an encouraging sign. But if DNS blocking was the worst piracy-fighting proposal on the table, it’s hardly the only one.

The Justice Department and private copyright owners can still seek to have entire foreign sites branded as infringers, triggering an array of remedies that would still deter technological investment and innovation, and still impose serious burdens on American companies and ordinary Internet users. Contrary to the claims of SOPA and PIPA supporters, copyright holders have often been perfectly able to sue the foreign “rogue sites” they cite as evidence new legislation is needed… the problem is that sometimes, they lose. Instead of all that messy litigation, SOPA and PIPA would establish one-sided hearing mechanism that mocks true due process. Any site a single friendly judge deems “rogue” would still be starved of advertising and subscription revenue. American search engines and other “information location tools” would still have to filter their content to redact any links to the shunned site. As Wikileaks has learned, repressive regimes have long known, and the Supreme Court acknowledged in Citizens United, economic regulation can silence speech (and run afoul of the First Amendment) as effectively as overt censorship.

That means we’re bound to see many more stories like the one entrepreneur Dmitri Shapiro tells: His innovative company Veoh won repeated copyright lawsuits filed by movie studios, but was still killed off by the cost of litigation. SOPA and PIPA will ensure that future lawsuit targets lack the means to fight back—which almost certainly means they’ll never get off the ground in the first place.

Such fears are hardly “hypothetical,” as Rep. Smith likes to argue, given industry’s ugly history of abusing copyright law to squelch competition and criticism. Remember, at the end of the day, that the market position of major studios and record labels is very much bound up with their control of traditional distribution channels.  Artists don’t need to be signed to a major label in order to record a great album—but they’re key to marketing the album and getting it into stores.

Any large platform that gives creators an easy way to reach audiences directly, or gives consumers easier mobile access to their legal content, will inevitably do two things: It will enable some amount of copyright infringement, because that’s what digital communications technologies tend to do, and it will cut out incumbent middlemen by circumventing their distribution channels. Industry complains loudly (and often rather dishonestly) about the first effect; the more serious long term threat to their business models is the second.

We’ve already seen a decade of futile efforts to stop unauthorized circulation of copyrighted materials online by “cracking down” ever harder. More new regulations aren’t likely to do the job—but the collateral damage they inflict will keep rising. As a recent and very thorough study by the Social Science Research Council argues, and Netflix has already shown within the United States, the most effective remedy for piracy is to make content easily available online at an attractive price.  Since it’s become a “political fact” that we Must Do Something Right Now to reduce online infringement, why not try that?

What’s Next for SOPA and PIPA? is a post from Cato @ Liberty - Cato Institute Blog

Imagine that Congress passed a law setting up a procedure that could require ordinary citizens like you to remove telephone numbers from your phone book or from the “contacts” list in your phone. What about a policy that cut off the phone lines to an entire building because some of its tenants used the phone to plot thefts or fraud? Would it be okay with you if the user of the numbers coming out of your phone records or the tenants of the cut-off building had been adjudged “rogue” users of the phone?

Cutting off phone lines is the closest familiar parallel to what Congress is considering in two bills nicknamed “SOPA” and “PIPA”—the “Stop Online Piracy Act” and the “PROTECT IP Act.”

Julian Sanchez has vigorously argued several points about these bills. Here, I’ll try to describe what they try to do to the Internet.

Simplifying, every computer and server has an IP (or “Internet Protocol”) address, which is a set of numbers that uniquely identify its location on the Internet. The IP address for the server hosting Cato’s Spanish language site, elcato.org, for example, is 67.192.234.234.

Now, these numbers are hard to remember, so there is a system that translates IP addresses into something more familiar. That’s the domain name system, or “DNS.” The domain name system takes the memorable name that you type into the address bar of your computer, such as elcato.org, and it looks up the IP address so you can be forwarded along to the IP address of your choice.

One of the major ideas behind SOPA and PIPA is to cut Internet sites that violate copyright out of the domain name system. No longer could typing “elcato.org” get you to the Web site you wanted to visit. Much of the debate has been about the legal process for determining whether to strike out a domain name.

But preventing a domain name lookup doesn’t take the site off the Internet. It just makes it slightly harder to access. You can prove it to yourself right now by copying “67.192.234.234″ (without the quotes) and plugging it into your address bar. (The Internet is complicated. Some of you might be directed to other Cato sites.) Then come back here and read on, por favor!

The government would require law-abiding citizens to “black out” phone numbers—or Internet service providers to do the same with domain names—for this little effect on wrongdoing? It doesn’t make sense. The practical burdens on the law-abiding Internet service provider would be large. “Blacking out” an entire building—just like a Web site—would cut off the lawful communications right along with the unlawful ones. It’s through-the-looking-glass information control, with enormous potential to obstruct entirely lawful communications and impinge on First Amendment rights.

Which is why many Web sites today are “blacking out” in protest. In various ways, sites like Craigslist.org, Wikipedia, and many others are signaling to their visitors that Congress is threatening the core functioning of the Internet with bills like SOPA and PIPA. And threatening all of our freedom to communicate.

The Internet is not the government’s to regulate. It is an agreement on a set of protocols—a language that computers use to talk to one another. That language is the envelope in which our communications—our First-Amendment-protected speech—travels in hundreds of different forms.

The Internet community is growing in power. (Let’s not be triumphal—government authorities will use every wile to maintain control.) Hopefully the people who get engaged to fight SOPA and PIPA will recognize the many ways that the government regulates and limits information flows through technical means. The federal government exercises tight control over electromagnetic spectrum, for example, and it claims authority to impose public-utility-style regulation of Internet service provision in the name of “net neutrality.”

Under the better view—the view of freedom behind opposition to SOPA and PIPA—these things are not the government’s to regulate.

The Internet Is Not .gov’s to Regulate is a post from Cato @ Liberty - Cato Institute Blog

Earlier this month, I detailed at some length why claims about the purported economic harms of piracy, offered by supporters of the Stop Online Piracy Act (SOPA) and PROTECT-IP Act (PIPA), ought to be treated with much more skepticism than they generally get from journalists and policymakers.  My own view is that this ought to be rather secondary to the policy discussion: SOPA and PIPA would be ineffective mechanisms for addressing the problem, and a terrible idea for many other reasons, even if the numbers were exactly right. No matter how bad last season’s crops were, witch burnings are a poor policy response.  Fortunately, legislators finally seem to be cottoning on to this: SOPA now appears to be on ice for the time being, and PIPA’s own sponsors are having second thoughts about mucking with the Internet’s Domain Name System.

That said, I remain a bit amazed that it’s become an indisputable premise in Washington that there’s an enormous piracy problem, that it’s having a devastating  impact on U.S. content industries, and that some kind of aggressive new legislation is needed tout suite to stanch the bleeding. Despite the fact that the Government Accountability Office recently concluded that it is “difficult, if not impossible, to quantify the net effect of counterfeiting and piracy on the economy as a whole,” our legislative class has somehow determined that—among all the dire challenges now facing the United States—this is an urgent priority. Obviously, there’s quite a lot of copyrighted material circulating on the Internet without authorization, and other things equal, one would like to see less of it. But does the best available evidence show that this is inflicting such catastrophic economic harm—that it is depressing so much output, and destroying so many jobs—that Congress has no option but to Do Something immediately? Bearing the GAO’s warning in mind, the data we do have doesn’t remotely seem to justify the DEFCON One rhetoric that now appears to be obligatory on the Hill.

The International Intellectual Property Alliance—a kind of meta-trade association for all the content industries, and a zealous prophet of the piracy apocalypse, released a report back in November meant to establish that copyright industries are so economically valuable that they merit more vigorous government protection. But it actually paints a picture of industries that, far from being “killed” by piracy, are already weathering a harsh economic climate better than most, and have far outperformed the overall U.S. economy through the current recession.  The “core copyright industries” have, unsurprisingly, shed some jobs over the past few years, but again, compared with the rest of the economy, employment seems to have held relatively stable at a time when you might expect cash-strapped consumers to be turning to piracy to save money.

Since the core function of copyright is to incentivize the production of creative works, it’s also worth looking for signs of declining output associated with filesharing. Empirically, it’s surprisingly hard to find an effect. Rather, a recent survey study by Felix Oberholzer-Gee of the Harvard Business School concluded that “data on the supply of new works are consistent with the argument that file sharing did not discourage authors and publishers” from producing more works, at least in the U.S. market.

So, for instance, Nielsen SoundScan data shows new album releases stood at 35,516 in 2000, peaked at 106,000 in 2008, and (amidst a general recession) fell back to mid-decade levels of about 75,000 for 2010. That’s against a general background of falling sales since 2004—mostly explained by factors unrelated to piracy—which finally seems to have reversed in 2011. The actual picture is probably somewhat better than that, because SoundScan data are markedly incomplete when it comes to the releases by indie artists who’ve benefited most from the rise of digital distribution.

If we look at movies, the numbers compiled by the industry statistics site Box Office Mojo show an average of 558 releases from American studios over the past decade, which rises to 578 if you focus on just the past five years. The average for the previous decade—before illicit movie downloads were even an option on most people’s radar—is 472 releases per year. (As we learn from a recent Congressional Research Service report, it’s weirdly hard to detect a strong overall correlation between output and employment in the motion picture industry, which actually fell slightly from 1998 to 2008, even as profits and CEO pay soared. One reason the growing trend in recent decades for “Hollywood” features to actually be produced in Canada or Australia.)

That’s all very nice, one might object, but wouldn’t these heartening numbers be even higher if labels and studios could recapture some of the revenue lost to illicit downloads? Well, they surely might—but it’s not nearly as clear as you’d think.

One reason is that they already are recapturing much of that revenue through “complementary” purchases. As Oberholzer-Gee observes, recording industry numbers show large increases in concert revenues corresponding to the drop in recorded music sales. That suggests that, as people discover new artists by sampling downloaded albums online, they’re shifting consumption within the sector to live performances. In other words, people have a roughly constant “music budget,” and what they don’t spend on the albums they’ve downloaded gets spent on seeing that new band they discovered.  For the firms that specifically make their money from the sale of recordings, that may seem like cold comfort, but if we’re concerned with the music industry as a whole, it’s a wash. Something similar might occur with respect to purchases of merchandise based on licensed film properties.

Another factor is that, notwithstanding projections of a “long tail” effect resulting from lower search and distribution costs in the digital era, most entertainment industries continue to operate on a “tournament” or “lottery” model, where a few hits generate jackpot revenues, sufficient to make up for losses on the majority of new products.  Unsurprisingly, the most heavily pirated movies each year tend to be the ones that are also highly successful at the box office and in DVD sales, with similar patterns in album downloads. In other words, bleeding revenue to piracy is going to be a problem to the extent that your product is a hit, in a market where the core uncertainty about this crucial fact (at the time when the decision whether to greenlight production is made) looms a lot larger than the marginal loss from illicit downloads if you are successful.

It’s a tricky but more or less tractable problem to estimate roughly how many full-time jobs you’ll need regionally to support one additional $150 million movie production next year. It’s a totally different question how aggregate sectoral employment in a volatile and evolving industry changes based on investor responses to a $150 million across-the-board drop in the size of the total film jackpot, especially given that arcane financial arrangements are one place Hollywood does show a genius for constantly adapting its business model. If you want to know how many people are getting laid off when McDonald’s revenues drop, it makes a difference whether it’s each of 13,000 franchises earning $100 less per year, or one franchise earning $1.3 million less, even though the total reduction is the same.

Finally, more demand for content being captured by the content industries is not always the same thing as demand for more content, in the sense of “a greater variety of output.” I noted earlier that the past few years have seen a significant spike in the number of movie titles released annually. But as the Los Angeles Times reported in 2008, studio executives soon began complaining about a “glut” of new movies, many of which were targeted at the same demographics, and therefore cannibalizing their own audiences. As one executive suggested, that meant that (at least in a market dominated by a few huge distributors) releasing fewer titles could yield higher profits—and, indeed, the number of titles released in the following two years dropped back to mid-decade levels. The key point here is that shifting some portion of the pirate audience to some form of legal viewing doesn’t necessarily change this basic calculus, because there’s an upper bound to the number of hours most people are going to spend watching (say) racing movies, whether they’re paying for the privilege or not. Rising demand can just as easily, for instance, bid up star salaries for a fixed number of films.

The point here isn’t that piracy by American consumers is somehow completely independent from output or employment rates in the content industries—though, again, that’s not at all the same thing as the overall U.S. employment rate. Obviously, at some level it has to have some effect. But the link is, to use the technical economic term, weirder than in many other sectors of the economy. In many industries, the relationship between consumer spending and job creation is relatively straightforward. If demand for widgets or restaurant meals rises, satisfying that demand requires a roughly linear increase in widget factories and restaurants, in hiring of widget-makers and cooks and waiters, and in purchases of the raw material inputs for those goods. Distribution of copyrighted content—and in particular digital distribution over the Internet—is a bit more complicated, for precisely the same reason piracy is an issue: once the first copy of a work has been created, an unlimited number of additional units (of the digital product) can be produced at effectively zero cost.

Let’s imagine, implausibly, that a measure  like SOPA did manage to reduce online piracy by U.S. consumers by some meaningful amount. A small potion of that reduction, the minority of downloads representing legal purchases displaced by file sharing, would translate into sales for the content industries. What form would these take? It seems reasonable to suppose that the majority of people who were previously getting their music and movies from The Pirate Bay are not typically lining up to buy shiny plastic discs at Wal-Mart. Rather, they’re probably disproportionately displacing legal digital downloads from venues like iTunes and Amazon, or subscription services like Netflix and Spotify, which are pretty clearly where the overall market is quickly going anyway.  (Apparently, literal thieves don’t even bother stealing physical media anymore.) For movies, there’s probably also some displacement of theatrical ticket sales, though as the theatrical experience is in many ways a distinct good, it’s hard to say how much substitution it’s reasonable to expect.

In the very short term, increased legal purchases of digital content wouldn’t seem likely to generate many additional jobs. If spending in the physical retail sector jumps 20 percent, shops need to hire more clerks, and their suppliers more manufacturing workers, to meet the increased demand. If spending in the iTunes store jumps 20 percent, Apple probably needs to pay a few bucks more for bandwidth and electricity, but basically everyone just gets to smile and pocket the extra profit. The jobs effects estimates we’re seeing tossed around, however, are coming from a 2007 study that would have had to employ, at the most recent, adjustments made several years before that to the benchmark multipliers the Bureau of Economic Analysis developed in 2002. Even leaving aside its many other problems, then, the job impact estimates in that study would have been largely based on legacy assumptions from a brick-and-mortar economy. (The loss estimates relied on would also, necessarily, fail to account for the recent rise of popular, legal streaming services that have likely lured many consumers back from the pirate market. There is, alas, no very good data here, but I’d wager Hulu and Netflix have done exponentially more to reduce piracy losses than enforcement crackdowns ever will.) In any event, you’d expect the most immediate effect of consumer spending shifts from widgets and restaurants to digital downloads would be, if anything, fewer net jobs.  The output and employment effects, rather, would show up in the longer term as lower returns reduce incentives to produce new content—and hire the workers needed to support that production.  For some of the reasons discussed above, though, empirically there’s just not much evidence for a dramatic effect of this kind.

No doubt piracy is costing the content industries something—or they wouldn’t be throwing so much money at Congress in support of this kind of legislation. If we could wave a magic wand and have less piracy, obviously that would be good.  But in the real world, where enforcement has direct costs to the taxpayer, regulation has costs on the industries it burdens, and the reduction in piracy they’re likely to produce is very small, it seems important to point out that the credible evidence for the magnitude of the harm is fairly thin. As a rough analogy, since antipiracy crusaders are fond of equating filesharing with shoplifting: suppose the CEO of Wal-Mart came to Congress demanding a $50 million program to deploy FBI agents to frisk suspicious-looking teens in towns near Wal-Marts. A lawmaker might, without for one instant doubting that shoplifiting is a bad thing, question whether this is really the optimal use of federal law enforcement resources. The CEO indignantly points out that shoplifting kills one million adorable towheaded orphans each year. The proof is right here in this study by the Wal-Mart Institute for Anti-Shoplifting Studies. The study sources this dramatic claim to a newspaper article, which quotes the CEO of Wal-Mart asserting (on the basis of private data you can’t see) that shoplifting kills hundreds of orphans annually. And as a footnote explains, it seemed prudent to round up to a million. I wish this were just a joke, but as readers of my previous post will recognize, that’s literally about the level of evidence we’re dealing with here.

In short, piracy is certainly one problem in a world filled with problems. But politicians and journalists seem to have been persuaded to take it largely on faith that it’s a uniquely dire and pressing problem that demands dramatic remedies with little time for deliberation.  On the data available so far, though, reports of the death of the industry seem much exaggerated.

Internet Regulation & the Economics of Piracy is a post from Cato @ Liberty - Cato Institute Blog

The Freakonomics blog has an excellent post on the bills in Congress popularly known as SOPA and PIPA. The “Stop Online Piracy Act” and the “Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act” aka the “PROTECT IP Act” would attempt to frustrate online copyright violations by tinkering with the inner workings of the Internet.

Would amending the Internet be justified? The post is called “How Much Do Music and Movie Piracy Really Hurt the U.S. Economy?“:

Supporters of stronger intellectual property enforcement … argue that online piracy is a huge problem, one which costs the U.S. economy between $200 and $250 billion per year, and is responsible for the loss of 750,000 American jobs. These numbers seem truly dire: a $250 billion per year loss would be almost $800 for every man, woman, and child in America. And 750,000 jobs – that’s twice the number of those employed in the entire motion picture industry in 2010. The good news is that the numbers are wrong …

Freakonomics’ authors picked up two good authorities: Cato’s own Julian Sanchez and Cato’s own (adjunct) Tim Lee. It’s nice to see Cato scholars getting high-profile credit for their dogged insistence on real numbers, something Congress routinely fails to exhibit.

Losses from violations of copyright law are hard to calculate.

There are certainly a lot of people who download music and movies without paying. It’s clear that, at least in some cases, piracy substitutes for a legitimate transaction … In other cases, the person pirating the movie or song would never have bought it. This is especially true if the consumer lives in a relatively poor country, like China, and is simply unable to afford to pay for the films and music he downloads. Do we count this latter category of downloads as “lost sales”? Not if we’re honest.

And there’s another problem: even in the instances where Internet piracy results in a lost sale, how does that lost sale affect the job market? While jobs may be lost in the movie or music industry, they might be created in another. Money that a pirate doesn’t spend on movies and songs is almost certain to be spent elsewhere. Let’s say it gets spent on skateboards — the same dollar lost by Sony Pictures may be gained by Alien Workshop, a company that makes skateboards.

The challenges go deeper: The theoretical arguments about intellectual property laws are a congeries. Libertarian advocates of statutory intellectual property protection will cite Ayn Rand, who was a stalwart on defending creations of the mind as property. But a coherent system of rights does not produce conflicting claims, and intellectual property laws seem to exalt the property of some at a cost to the liberty of others. The some, in this case, are the music and movie industries, the others, Internet content companies and users.

This area still needs a good deal of sorting out. For the time being, a firm insistence on real numbers is a good thing. Serious empirical work is sorely needed. Killing off bogus numbers can only go so far.

A Dogged Insistence on Real Numbers is a post from Cato @ Liberty - Cato Institute Blog

At a recent Cato event on transparency, I emphasized that there is no federal government “organization chart” published in a way computers can use.

Here’s what I mean:

Appendix C of the Office of Management and Budget’s Circular A-11 is the White House’s definitive public listing of agencies and bureaus, along with their OMB and Treasury codes—unique identifiers for the agencies and bureaus of the federal government.

First problem: It’s a PDF document. To be computer-usable this should be represented in digital form as a lookup table.

But beyond that, it doesn’t follow a coherent organization. There’s an agency code (“200″) called “Other Defense Civil Programs,” for example. There’s obviously no agency called “Other Defense Civil Programs.” That’s a catch-all description, not an agency.

With most agencies, the bureau codes refer to bureaus, such as the Bureau of Land Management (bureau code: “04″) in the Department of the Interior (agency code: “010″), but with respect to the Department of Defense (agency code: “007″), the bureau codes become functional descriptions such as “Military Personnel” (“05″). There is no bureau in the Department of Defense called “Military Personnel.”

Even the most basic organizational information is a hash, and it’s published in PDF, unusable for computer-assisted oversight of the government!

The House appears committed to improving its publication practices. If the administration wants to advance the ball on transparency for its part, it will begin to publish coherent information—starting with basic information about the organization of the executive branch—in machine-readable form, using standardized identifiers. An edict from OMB to harmonize on identifiers down to the program level could be implemented in months, if not weeks.

My recent paper “Publication Practices for Transparent Government” talks about what to do. Our data model for budgeting, appropriating, and spending articulates how government agencies, bureaus, programs, and projects—and the relationships among them—should be represented.

There’s No Machine-Readable Government Org Chart is a post from Cato @ Liberty - Cato Institute Blog