Archive for the ‘Telecom, Internet & Information Policy’ Category

“A Closed ‘Super Congress’? Oh, I Don’t Think So.”

That was my inner conversation when I heard that the “Super Congress”* (or “Super Committee”) created by the debt ceiling deal might operate behind closed doors.

Congress is free to create any committee it wants, of course. Congress determines the rules of its proceedings. But ordinary committees and subcommittees are too opaque. A “Super Committee” should lead—not lag—in transparent operations.

In a forthcoming report on government transparency, we’ll be looking at the kinds of things committees should be publishing in computer-useable formats, and in real time or near-real-time: meeting notices, transcripts, written testimonies, live video, original bills, amendments to bills, motions, and votes. There are ways that many of these documents and records can be optimized for transparency, including by flagging agencies, programs, dollar amounts, and so on in the texts of published documents.

That’s why I’m glad to see transparency stalwart the Sunlight Foundation calling for a transparent Super Committee. “Congress pushed through the ‘Debt Ceiling’ bill with almost no transparency,” they say. “Let’s make sure the new ‘Super Congress’ committee created by this bill operates in the open.”

The things they highlight, reflecting priorities of transparency groups across the ideological spectrum, include: live webcasts of all official meetings and hearings; the committee’s report being posted for 72 hours before a final committee vote; disclosure of every meeting held with lobbyists and other powerful interests; Web disclosure of campaign contributions as they are received; and financial disclosures of committee members and staffers.


More Cost Data and Better Debt Insight

Data-transparent government is still a ways off, but some small steps forward are underway. To wit, my project WashingtonWatch.com, which is adding new data going to the costs of bills in Congress.

As detailed in an announcement that went up this morning, many more bills on the site will have cost estimates associated with them, the product of research being done at the National Taxpayers Union Foundation. Some bills spend pennies or less per U.S. family. Some spend $5,000 per family and more. Wouldn’t you like to know which are which?

The site has also begun displaying national debt information on a per-family, per-person, and per-couple basis. Your individual (official) debt—just for being an American—is about $45,000, your real debt far higher.

I’ll have much more to say on government transparency in the coming months. In the meantime, people may do their part to avoid the next calamitous debt ceiling debate by following the day-to-day, month-to-month, and year-to-year in Congress using resources like WashingtonWatch.com. Shrinking our disastrously run and bloated government is a long game that starts with small steps. Channel your outrage productively, friends.

Privacy Is Security

Here’s a point that ought to seem obvious: “Security”—whether physical or electronic—is always a function of the thing you’re trying to secure. If I were to tell you that my Washington apartment has barred windows, an outer front gate, a deadbolt on the inner door, and an alarm system to boot, you’d probably say my home sounds highly secure. If I told you that the precise same measures were the complete security system for a bank, you’d laugh. The reason is obvious: Unless I finally push the NSA over the line, my apartment only needs to withstand attacks from local thugs. A bank’s security must be able to withstand assaults from seasoned teams of professional criminals who — with millions as a potential jackpot — may be willing to spend weeks in planning, take extraordinary personal risks, and “invest” thousands of dollars in burglary equipment or bribes to insiders. My Apple gadgets and comic book art — though precious to me — are unlikely to inspire such extraordinary expenditures of time, effort, and money. Put another way: My apartment is “secure” when my security system makes the risk-adjusted cost of a break-in attempt higher than the value of my stuff to a prospective burglar.

Many people don’t find this as obvious, however, in the context of data security—a point I allude to glancingly in a New York Post op-ed this morning that takes aim at a data retention mandate wending its way through Congress. If I started storing big piles of gold bullion and precious gems in my home, my previously highly secure apartment would suddenly become laughably insecure, without my changing my security measures at all. If a company significantly increases the amount of sensitive or valuable information stored in its systems — because, for example, a government mandate requires them to keep more extensive logs — then the returns to a single successful intrusion (as measured by the amount of data that can be exfiltrated before the breach is detected and sealed) increase as well. The costs of data retention need to be measured not just in terms of terabytes, or man hours spent reconfiguring routers. The cost of detecting and repelling a higher volume of more sophisticated attacks has to be counted as well.

One very simple security measure a company can practice, then, is to simply avoid retaining enough data to attract the interest of the most skilled professionals (or, alternatively, those willing to hire out botnets to aid their attacks). Because the adequacy of a security system is always a function of the payoff of breach to the attacker, then, privacy is an important component of security, as well as a value worth respecting for its own sake.

Finns Begin a Quixotic Quest for Prevention

In the aftermath of the Oslo terror attack, Finnish police—yes, Finnish—plan to increase their surveillance of the Internet:

Deputy police commissioner Robin Lardot said his forces will pay closer attention to fragmented pieces of information—known as ‘weak signals’—in case they connect to a credible terrorist threat.

That is not the way forward. As I explored in a series of posts and a podcast after the Fort Hood shooting here in the United States, random violence (terrorist or otherwise) is not predictable and not “findable” in advance—not if a free society is to remain free, anyway. That’s bad news, but it’s important to understand.

In the days since the attack, many commentators have poured a lot of energy into interpretation of Oslo and U.S. media treatment of it while the assumption of an al Qaeda link melted before evidence that it was a nationalist, anti-immigrant, anti-Islamic “cultural conservative.” Such commentary and interpretation is riveting to people who are looking to vindicate or decimate one ideology or another, but it doesn’t matter much in terms of security against future terrorism.

As former FBI agent (and current ACLU policy counsel) Mike German advises, any ideology can become a target of the government if the national security bureaucracy comes to use political opinion or activism as a proxy or precursor for crime and terrorism. Rather than blending crime control with mind control, the only thing to do is to watch ever-searchingly for genuine criminal planning and violence, and remember the Oslo dead as Lt. General Cone did Fort Hood’s: “The … community shares your sorrow as we move forward together in a spirit of resiliency.”

TSA’s Partial Retreat From Full-Body Scans

It’s tempting to believe that the Transportation Security Administration’s move to change the software in strip-search machines is a response to the court ruling finding that it violated the law in rolling out the machines, but it’s almost surely coincidence.

The new software will show items that the software deems suspicious on a generic outline of a body rather than showing a detailed body image. The change will indeed reduce the invasiveness of the machine strip-search process. And because the image is less revealing, it can be viewed in the screening area instead of at a remote location. That means there doesn’t need to be a person dedicated to looking at denuded images of travelers. A major cost of running these machines—payroll—drops by a substantial margin.

The software will almost certainly not do as good a job of discovering hidden weapons as a human looking at a detailed image would. If it’s calibrated to over-report, TSA agents will rightly start to ignore its alerts on belt buckles and underwire bras. If it’s calibrated to under-report, well, it might fail to alert on an actual weapon or bomb. But those things are exceedingly rare, and the increased risk probably won’t make a difference.

In fact, that’s the interesting thing happening here: the TSA is allowing a small increase in risk in exchange for large gains in privacy and cost savings. The reason it took years of complaints, litigation, legislation, and other conflict is because the TSA did not analyze the risks and its responses before going forward with strip-search machines as it did. Trial-and-error isn’t costly to the government. The taxpayer fronts the money and gives up the privacy.

None of this means the TSA has now gotten the balance right. The airport security gauntlet will still be an overwrought mess and an affront to constitutional liberty. We will have to remain insistent on principle, on dignity and privacy, and on sound risk management while TSA gets a public relations bump from being less awful than it was before.

DHS’ Contempt of Congress and Constitution

Homeland Security Newswire reports:

Last week, DHS officials chastised Representative Jason Chaffetz (R – Utah) for disclosing sensitive security information to the press.

In a letter, Joseph Maher, DHS’s deputy counsel, scolded Chaffetz, the chair of the House Subcommittee on National Security, Homeland Defense, and Foreign Operations, for openly discussing “sensitive security information” provided by the Transportation Security Administration (TSA). Maher wrote, “This document was marked as [Sensitive Security Information] and provided clear notice that unauthorized disclosures of the document violated federal law.”

The letter comes in response to Chaffetz’s comments last week that revealed that there have been more than 25,000 security breaches at U.S. airports since November 2001.

Take out your Constitutions, kids. There, in Article I, you’ll see the words that create the Congress and establish its authorities. Now go look for the language that authorizes a sprawling executive branch with agencies like the Department of Homeland Security. Enough searching will suggest to you that the DHS is a subordinate of Congress. It exists by the grace (and/or mistake) of the legislative branch of the government.

You’ll also see the Speech or Debate Clause, which bars Members of Congress from being “questioned in any other Place” for anything they say in Congress. The clause exists to insulate Members of Congress from outside authority trying to influence their deliberations—outside authorities like DHS deputy counsel Joseph Maher.

Did Representative Chaffetz reveal SSI, or “sensitive security information”? So what? In my experience, that’s a designation that DHS officials throw around cheaply and easily. Here, it’s being used more to hide the agency’s failings than to protect the public.

Representative Chaffetz is entirely correct to air publicly the failings of the TSA. The more aware we are of the government’s security fakery, the more sensible will be our estimate of risks to airline security and how to respond to them.

Strip-Search Machines: A Loss Seeds the Win

Last week, the D.C. Circuit Court of Appeals rejected a Fourth Amendment challenge to the Transportation Security Administration’s strip-search machine policies, but it found that the TSA violated the Administrative Procedure Act in rolling them out. Too bad that the court arrived at the Fourth Amendment issues before they were ripe.

The bulk of the decision was devoted to the TSA’s law violation in creating strip-search machine policies without doing a notice-and-comment rulemaking. That’s the procedure federal agencies are required to carry out when Congress has delegated them legislative authority. Congress did delegate such authority when it told the Department of Homeland Security to develop technologies that detect nonmetallic, chemical, biological, and radiological weapons in 2004’s Intelligence Reform and Terrorism Prevention Act.

“[T]he TSA has advanced no justification for having failed to conduct a notice-and-comment rulemaking,” the court wrote, adding that it expects the agency “to act promptly on remand to cure the defect in its promulgation.”

The TSA will likely spout “constantly changing threat environment” boilerplate to try and argue that it can avoid notice and comment under the APA’s “good cause” exception. An agency can skip notice and comment “when the agency for good cause finds . . . that notice and public procedure thereon are impracticable, unnecessary, or contrary to the public interest.”

But the threat environment is not “constantly changing” at the level of abstraction relevant for the strip-search machine policy—some people are out there who might try to get dangerous articles onto planes—and these machines will be in place for decades, if not permanently, under the TSA policy. They will affect the privacy and security of billions of air passenger journeys. Even if there were need for haste in rolling out the machines, nothing makes it uniquely difficult, or anything other than appropriate, for the TSA to engage in a public process to substantiate its actions.


Obama Administration Fights Privacy Act Liability

In February 2004, privacy advocates were put off by a Supreme Court case called Doe v. Chao, in which the Court found that the Privacy Act requires a victim of a government privacy violation to show “actual damages” before receiving any compensation. The Act appeared to provide for $1,000 per violation in statutory damages, but the Court interpreted the legislation to require that actual damages be proven, after which the victim would be entitled to a minimum award of $1,000. (Statutory damages are appropriate in privacy cases against the government because government bureaucrats pay little price themselves when their agency gets fined. A penalty is required to draw oversight and political attention to violations of the law.)

Doe v. Chao was a close call given the statutory language, and the Court chose the outcome that would limit the government’s exposure to Privacy Act liability. Doing so marginally weakened the government’s attentiveness to the already insubstantial protections of the Privacy Act.

A companion case to Doe v. Chao has now reached the Supreme Court. FAA v. Cooper, which the highest court recently agreed to hear, involves a victim of a government privacy invasion who alleges “actual damages” based on evidence of mental and emotional distress. Cooper, a recreational pilot who was HIV-positive, had chosen to conceal his health status generally, but revealed it to the Social Security Administration for the purposes of pursuing disability payments. When the SSA revealed that he was HIV-positive to the Department of Transportation, it violated the Privacy Act. Cooper claims in court that he suffered mental and emotional distress at learning of the disclosure of his health status and inferentially his sexual orientation, which he had kept private.

In the Ninth Circuit Court of Appeals and now in the Supreme Court, the Obama Administration has argued that it doesn’t have to pay the victim of this privacy violation because mental and emotional distress do not qualify as “actual damages.” No one disputes that Cooper has to present objective proof of harm as a check on the truth of his claims. But the government isn’t saying that Cooper is faking distress at having his health status and sexual orientation illegally exposed by the government. The government is arguing that the court should limit “actual damages” to economic injury simply because it’s the government being sued.


Relegate Mandatory Data Retention to the Dustbin of History

Greg Nojeim of the Center for Democracy and Technology reports on yesterday’s hearing in the House Judiciary Committee on H.R. 1981, the Protecting Children from Internet Pornographers Act of 2011. (I lamented the bill earlier this week, as did Julian Sanchez last week.)

Rep. Sensenbrenner [(R-Wis.)], Chair of the Crime Subcommittee, opened the hearing with an extraordinarily strong attack on the bill. Saying the Committee should relegate mandatory data retention to the dustbin of history, he attacked the data retention provision on economic and privacy grounds. “I believe this bill is bad policy and I will do my best to kill it.” He also said, “This bill runs roughshod over the privacy rights of people who use the Internet for thousands of lawful purposes … this bill should be defeated and put in the dustbin of history.” He also lashed out at the provision in the bill (Section 7) that would give the U.S. Marshals administrative subpoena authority to investigate unregistered sex offenders, reminding the Subcommittee that as Chairman of the full Committee during the debates about reauthorizing the Patriot Act in 2005 or 2006, he had examined the issues surrounding administrative subpoenas and determined that admin subpoena authority would be too much a risk to privacy to confer on the gov’t.

Kudos to Rep. Sensenbrenner for considering the privacy consequences of this bill and the risks in conferring too much power on the government. I’d be in favor of his keeping these concerns in mind with policies well beyond data retention.

Copyright Monkey Business

Given enough time, a monkey sitting at a typewriter will type out the complete works of William Shakespeare. Believe it or not, it’s called the infinite monkey theorem. A thousand monkeys at a thousand typewriters would cut the time in half … or something.

But would the monkey hold the copyright?

We may soon find out. Or at least we’ll be entertained by the tiff between TechDirt’s Mike Masnick and a person claiming to represent the owner of a photograph taken by, yes, a monkey.

The short answers are: 1) A photograph taken by a monkey probably isn’t copyrighted, and 2) if it were, displaying the photo in a discussion of its copyright status is probably fair use. The lesson is: many, many people don’t understand what the copyright laws are, or why they are.

Mike participated in our “Copyright Controversies” conference some years ago. Should there be a sequel, we’ll invite the monkey.

Moral Panic and Your Privacy

Want to understand a big chunk of what Washington, D.C. does? Learn about “moral panic.”

Moral panic is a dynamic in the political and media spheres in which some threat to social order—often something taboo—causes a response that goes far beyond meeting the actual threat. It’s a socio-political stampede, if you will. You might be surprised to learn how easily stampeded your society is.

Take a look at H.R. 1981, the Protecting Children from Internet Pornographers Act of 2011. It’s got everything: porn, children, the Internet. And it’s got everything: financial services providers dragooned into law enforcement, data retention requirements heaped on Internet service providers, expanded “administrative subpoena” authority. (Administrative subpoenas are an improvisation to accommodate the massive power of the bureaucracy, and they’ve become another end-run around the Fourth Amendment. If it’s “administrative” it must be reasonable, goes the non-thinking…)

This isn’t a bill about child predation. It’s a bald-faced attack on privacy and limited government. Congress can move legislation like this, even in the era of the Tea Party movement, because child predation is a taboo subject. The inference is too strong in too many minds that opposing government in-roads on privacy is somehow supporting child exploitation. Congress and its allies use taboos to cow the populace into accepting yet more government growth and yet more surveillance.

I’m not turned to mush by taboos, so the question I’m most interested in having asked at tomorrow’s hearing on the bill in the House Judiciary Committee is: “Under what theory of the Commerce Clause is this bill within the power of the federal government?”

I Guess the ‘You Are All Criminals Act’ Didn’t Have the Same Ring

If you thought it was the height of cynicism when legislators dubbed a massive expansion of government surveillance power the “USA Patriot Act” (recently extended—really!—under the heading of small business legislation), feast your eyes upon the Protecting Children from Internet Pornographers Act of 2011, on which the House Judiciary Committee is slated to hold a hearing next Tuesday. What kind of monster would dare be on the record opposing that bill?

As you may have already guessed, the handful of provisions in the bill that really deal specifically with child porn are a fig leaf for its true purpose: A sweeping data retention requirement meant to turn Internet Service Providers and online companies into surrogate snoops for the government’s convenience. Any provider of an “electronic communication” or “remote computing” service—meaning broadband providers like Comcast, but also companies like Google—would have to retain records of the “temporarily assigned network address” (such as an IP address) associated with each account for 18 months. Some of the other provisions in the act seem perfectly reasonable (though I don’t know enough to say whether they’re necessary), but as a hearing earlier this year made crystal clear, it’s the data retention requirement that the government really cares about.

Thanks to an unwise Supreme Court decision dating from the 70s, information about your private activities loses its Fourth Amendment protection when it’s held by a “third party” corporation, like a phone company or Internet provider. As many legal scholars have noted, however, this allows constitutional privacy safeguards to be circumvented via a clever two-step process. Step one: The government forces private businesses (ideally the kind a citizen in the modern world can’t easily avoid dealing with) to collect and store certain kinds of information about everyone—anyone might turn out to be a criminal, after all. No Fourth Amendment issue there, because it’s not the government gathering it! Step two: The government gets a subpoena or court order to obtain that information, quite possibly without your knowledge. No Fourth Amendment problem here either, according to the Supreme Court, because now they’re just getting a corporation’s business records, not your private records. It makes no difference that they’re only keeping those records because the government said they had to.
