Archive for the ‘Telecom, Internet & Information Policy’ Category

CISPA and the Right Way to Do Cybersecurity Information Sharing

The White House has issued a threat to veto the Cyber Intelligence Information Sharing Protection Act (CISPA) in its current form, despite recent amendments aimed at assuaging the concerns of privacy and civil liberties advocates:

H.R. 3523 fails to provide authorities to ensure that the Nation’s core critical infrastructure is protected while repealing important provisions of electronic surveillance law without instituting corresponding privacy, confidentiality, and civil liberties safeguards.  For example, the bill would allow broad sharing of information with governmental entities without establishing requirements for both industry and the Government to minimize and protect personally identifiable information.  Moreover, such sharing should be accomplished in a way that permits appropriate sharing within the Government without undue restrictions imposed by private sector companies that share information.

The bill also lacks sufficient limitations on the sharing of personally identifiable information between private entities and does not contain adequate oversight or accountability measures necessary to ensure that the data is used only for appropriate purposes.  Citizens have a right to know that corporations will be held legally accountable for failing to safeguard personal information adequately.  The Government, rather than establishing a new antitrust exemption under this bill, should ensure that information is not shared for anti-competitive purposes.


We Don’t Want the Cybersmoking Cybergun to Be a Cybermushroom Cybercloud

The House Committee on Homeland Security held a hearing today bearing the unsubtle title: “America is Under Cyber Attack: Why Urgent Action is Needed.” With the conclusion fixed in advance of the testimony—which, as promised, uniformly prophesied imminent cybercataclysm—you’d think the real question would be why a hearing was needed. The answer, of course, is to frighten off any second thoughts about cybersecurity legislation due for consideration this Friday, to which opposition has been mounting among some techies and civil libertarians.

Jim Harper has already done plenty of excellent work puncturing the more apocalyptic hype around cybersecurity—a favorite at this hearing was “Cyber Pearl Harbor”—which I need not rehash here. Even bracketing the question of how realistic some of the threat scenarios are, however, what struck me was that “cyber attack” is really something of a category error, at least as used at this hearing, where “attack” carries the grim overtones of a national security threat, and “America” as a whole is the target.  In reality, you have a range of security problems facing a diverse array of public and private entities. Some are analogous to conventional state or terror-group sponsored attacks or espionage.  Most are the digital equivalents of what we’d normally label “crime”: theft, vandalism, corporate espionage, and so on.

At the extreme end, you have largely hypothetical attacks on the SCADA control systems that operate critical infrastructure like power plants or transportation networks. These have the potential to inflict the kind of damage we’d associate with a physical attack, but we’ve only got one known real-world instance of this, and experts agree that it was almost certainly born in the USA. Such attacks are rare because they’re very difficult to carry off, involve identifying and exploiting vulnerabilities in uncommon task-specific software systems, and would most likely require insider complicity—which means they’re probably best conceived as one aspect of the more general problem of hardening critical infrastructure targets. Ditto for attempts to compromise systems with sensitive government data—a hard problem for government IT departments, but not one Congress has an obvious role in beyond appropriating the necessary funds.

Then you have the vast majority of actual successful “cyber attacks,” which target ordinary private systems, and range from sophisticated spear-phishing efforts aimed at exfiltrating valuable corporate commercial data to simple DDOS attacks launched by “script kiddies.” Some of these are serious and costly—but the costs are primarily borne by the targeted entities, which will more likely have the incentive, responsibility, and local knowledge required to respond appropriately.

These aren’t entirely unrelated problems: A malware-infected private computer may be conscripted into a botnet or serve as a staging ground for an attack on a more critical target. But it hardly seems conducive to sober policy making to lump them together under the general heading of “cybersecurity.” First, because resources aren’t going to be prioritized well if officials in the grip of apocalyptic mass-casualty scenarios start throwing money at programs that are primarily about making it harder for Anonymous to crash websites. Second, because the nature and scope of (for instance) the information sharing that might facilitate security improvements, and the privacy interests implicated by such sharing, may be quite different for these different types of cases, and be better dealt with under separate rubrics to the extent government has a role to play at all.

Plain Language Regulation?

Now where have we seen this before? S. 2337 would require that federal regulations use plain writing that is clear, concise, well-organized, and appropriate for the subject matter and intended audience.

Well, according to the “Plain Writing Association,” efforts to produce plain writing in government go back as far as the 1977 issuance of a report on federal paperwork. President Carter commanded simple and clear regulations in 1978.

Twenty years later, President Clinton issued a memorandum calling for “Plain Language in Government Writing.”

There’s even a “PlainLanguage.gov” Web site already. Because the last Congress passed Public Law 111-274, the Plain Language Act of 2009.

Maybe passing another law will do it. Maybe the search for locution that provides a level of clarity sufficient for public consumption comes from alternate changes in public policy than to amend the expression of their societal impact. (ahem)

Cybersecurity Bills? No, Thanks

Prominent academics, experienced engineers, and professionals published an open letter to Congress yesterday, stating their opposition to CISPA and other overly broad cybersecurity bills. Highlight:

We take security very seriously, but we fervently believe that strong computer and network security does not require Internet users to sacrifice their privacy and civil liberties. The bills currently under consideration, including Rep. Rogers’ Cyber Intelligence Sharing and Protection Act of 2011 (H.R. 3523) and Sen. McCain’s SECURE IT Act (S. 2151), are drafted to allow entities who participate in relaying or receiving Internet traffic to freely monitor and redistribute those network communications. The bills nullify current legal protections against wiretapping and similar civil liberties violations for that kind of broad data sharing. By encouraging the transfer of users’ private communications to US Federal agencies, and lacking good public accountability or transparency, these “cybersecurity” bills unnecessarily trade our civil liberties for the promise of improved network security.

Cato’s recent Capitol Hill briefing on cybersecurity covered many similar points, and additional ones, too. CISPA and three other bills are scheduled for consideration on the House floor this week.

Cybersecurity: Talking Points vs. Substance

In the late stages of a legislative battle, it often comes down to “talking points.” Whoever puts out the message that sticks wins the debate—damn the substance.

Rep. Mike Rogers (R-MI) is prioritizing talking points over substance if a CQ report about a speech he gave to the Ripon Society is accurate. (He put it up on his Web site, from which one could infer endorsement. Rogers is not a cosponsor of SOPA, the Stop Online Piracy Act, so let’s not have the government taking down the house.gov domain just now, mkay?)

From the report:

“We’re finding language we can agree on,” he said in a speech to the Ripon Society, a moderate Republican group. “Are we going to agree on everything? Probably not. They don’t want anything, anytime, ever.” But, Rogers said, he hopes to give the groups “language that at least allows them to sleep at night, because I can’t sleep at night over these threats.”

This seems to suggest that a few tweaks to language, well in the works with the privacy community, will make his version of cybersecurity legislation a fait accompli. I’m a keen observer of the privacy groups, and I see no evidence that this is so. The bill is so broadly written that it is probably unrepairable.

And that is a product of Congress’s approach to this problem: Congress does not know how to address the thousands of different problems that fall under the umbrella term “cybersecurity,” so it has fixed on promiscuous (and legally immunized) “information sharing” with government security agencies as the “solution.” Privacy can rightly be traded for other goods such as security, but with no benefits discernible from wanton information sharing, one shouldn’t expect sign-off from the privacy community.

That is not actually the message of the privacy community, who, on average, trust the government more than most conservatives and libertarians. The mainstream privacy community probably would accept highly regulatory and poorly formed cybersecurity legislation if it had enough privacy protections. But Rogers’ talking points try to push privacy folk onto the “unreasonable” part of the chess board, saying, “They don’t want anything, anytime, ever.”

That’s closer to my view than anything the orthodox privacy advocates are saying. Cybersecurity is not an area where the federal government can do much to help. But even I said in my 2009 testimony to the House Science Committee that the federal government has a role in improving cybersecurity: being a smart consumer that influences technology markets for the better.

What Representative Rogers—and all advocates for cybersecurity legislation—have failed to do is to make the affirmative case for their bills. “I can’t sleep at night” is not an answer to the case, carefully made by Jerry Brito of the Mercatus Center at Cato’s recent Hill briefing, that the threat from cyberattacks is overblown.

The briefing was called “Cybersecurity: Will Federal Regulation Help?” That’s a place one can go for substance.

‘How an E-Verify Requirement Can Help’

I know little about a House Judiciary Committee hearing tomorrow on E-Verify, but the title of it has a peculiar odor: “Document Fraud in Employment Authorization: How an E-Verify Requirement Can Help.”

You see, the immigration policies Congress has set are the source of the problem. Document fraud is made more likely by employment authorization requirements meant to enforce them, which are also—let’s remember—intrusive and costly business regulation.

In my Cato Policy Analysis “Electronic Employment Eligibility Verification: Franz Kafka’s Solution to Illegal Immigration,” I wrote about restrictive immigration policies and the intrusive “internal enforcement” programs they have spawned. In a section titled “Counterattacks and Complications,” I examined how workers and employers will collude to avoid and frustrate worker verification. Mandatory E-Verify will increase identity and document fraud because it makes these frauds profitable. Trying to solve this problem, the government will naturally gravitate toward more powerful identity systems, including biometric identity cards and tracking.

Sure enough, House Judiciary Committee chairman Lamar Smith’s bill, the “Legal Workforce Act,” has a “pilot program” for a biometric national identity card.

When committing fraud is the pathway to productive employment, you know something is out of whack. Among the things out of whack are: too-restrictive immigration policy, internal enforcement, and E-Verify. This is supposed to be a free country where willingness and ability are the keys to employment.

Data Transparency Coalition Debuts Today

Meet the Data Transparency Coalition.

The Washington Post’s Capitol Business blog reports this morning:

A small but growing collection of companies has formed a coalition that will push the federal government to establish a standard system by which agencies categorize their data. …

“Our members understand that if the government identified its data elements in consistent ways, there would be vast new opportunities for the tools that they are building,” Executive Director Hudson Hollister said.

Early supporters include Microsoft and data analysis and management firms Level One Technologies, Teradata, and BrightScope. I’m on their Board of Advisors. One of their early priorities will be to pass H.R. 2146, the DATA Act.

Cato has worked extensively on government transparency, beginning with our December 2008 policy forum entitled, “Just Give Us the Data! Prospects for Putting Government Information to Revolutionary New Uses.”

We have modeled much of the data that the government should be publishing in standardized formats (much more cheaply than CBO has estimated it would cost) and graded the quality of current data publication in the areas of congressional process and budgeting, appropriating, and spending. Expect improvements to come with this new organization joining other efforts.

Follow the coalition’s founder and executive director on Twitter @hudsonhollister, and you can Like their Facebook page, as well, to get updates that way.

The TSA Won’t Be Reformed

Why is it that the head of the Transportation Security Administration comes out with his ideas for reform three years after leaving office? Is it the book he’s got coming out next week? That’s part of it. But he supplies the real answer: “TSA’s bureaucratic momentum and political pressures.”

It’s possible to imagine an agency that isn’t directed by bureaucratic momentum and political pressures, but it isn’t possible to produce one. The litany of nonsensical procedures, indignities, and privacy invasions at the airport will not go away until the TSA does.

Asset Forfeiture Abuse Threatens Fair Trial in Copyright Case

For many years, my colleagues at Cato have spoken out against abuse of asset forfeiture, which undermines the rule of law by depriving defendants of their property long before they have been convicted of any crime. In the past, asset forfeiture abuse has mostly occurred in drug cases. But in January, the government used it against a defendant in a criminal copyright case. The government’s tactics threaten the defendant’s right to a fair trial and highlight the problematic nature of taking the property of defendants before they are convicted of any crime.

I should acknowledge at the outset that the defendants, Megaupload and its founder Kim Dotcom, are not very sympathetic. Megaupload was an online “file locker” service that had become one of the most popular platforms for distributing illegal copies of copyrighted movies and music. Whether Megaupload is liable for this illegal activity is a complex legal question, but most of the experts I’ve talked to say that Megaupload faces long odds.

Still, at least some legal experts think Megaupload has a shot at winning the case, and in any event our constitution requires that Megaupload be considered innocent until a jury decides otherwise. So it’s problematic that, at the time the government indicted Megaupload and Dotcom, it simultaneously shut down the company’s servers and froze all of Megaupload and Dotcom’s assets. And even worse, the government has objected to releasing the frozen assets even for purposes that are essential to affording Megaupload a fair trial.

Megaupload leased servers from a company called Carpathia Hosting. There were 1103 servers, worth more than a million dollars and containing 25 petabytes—that’s 25 million gigabytes—of data. When Megaupload’s assets were seized, the company was no longer able to pay its bills and Carpathia terminated Megaupload’s hosting agreement. Megaupload says that data from the servers will be needed to prepare its defense, and has asked for permission to buy the servers from Carpathia in order to preserve the data. But the government has objected to unfreezing the necessary assets, raising a number of objections. Carpathia has said that if it can’t find someone to pay for the servers, it will be forced to delete the data so it can make the servers available for other clients. If that happens, it could seriously damage Megaupload’s opportunity to defend itself in court.

Even more troubling, the government has objected to unfreezing assets so that Megaupload can hire a lawyer. The New Zealand courts unfroze some of Kim Dotcom’s assets in New Zealand (where he is fighting extradition) to pay his living expenses there. The US government has suggested that Megaupload could use those funds to pay its legal bills. But there are several problems with this. First, the released funds were earmarked for living expenses, not legal bills. Second, the Megaupload corporation is a separate legal entity from Kim Dotcom. Yet only Dotcom—not Megaupload—has funds available.

Most importantly, while the funds that have been made available to Dotcom might be sufficient to pay the legal bills of a defendant in a typical criminal case, this case is not typical. It involves complex legal and technical issues. Properly litigating them will require extensive computer forensics work, expert witnesses, and in-depth legal research. Even if the Dotcom money were available to pay Megaupload’s US legal bills, it wouldn’t come close to covering the costs of litigating such a complex case.

The courts have yet to rule on these issues; with luck the judge will overrule the government’s objections and unfreeze sufficient funds to allow Megaupload to buy the servers and pay its legal bills. But the fact that the government is even raising these arguments suggests a troubling lack of concern for the rule of law.

From Cybercrime Statistics to Cyberspying

Someone finally decided to examine “cybercrime” statistics, and here’s what they found:

The cybercrime surveys we have examined exhibit [a] pattern of enormous, unverified outliers dominating the data. In some, 90 percent of the estimate appears to come from the answers of one or two individuals. In a 2006 survey of identity theft by the Federal Trade Commission, two respondents gave answers that would have added $37 billion to the estimate, dwarfing that of all other respondents combined. This is not simply a failure to achieve perfection or a matter of a few percentage points; it is the rule, rather than the exception. Among dozens of surveys, from security vendors, industry analysts and government agencies, we have not found one that appears free of this upward bias.

That’s Dinei Florêncio and Cormac Herley of Microsoft Research in a New York Times piece entitled: “The Cybercrime Wave That Wasn’t.”

You see, cybercrime statistics have been generated using surveys of individuals and businesses, but you can’t generate valid numerical results that way. An opinion poll’s errors will naturally cancel out—there are a roughly equal number of wrongly stated “thumbs-up”s and “thumbs-down”s.

When you ask people to estimate losses, though, they can never estimate less than zero, so errors will always push results to the high side. High-side errors extrapolated society-wide drive the perception that cybercrime is out of control.

There are more drivers of excess insecurity than just bad loss estimates. There are also data breach notification laws, which require data holders to report various kinds of personal data spillage. These reports are the high-tech, grown-up version of a favorite schoolyard taunt: “Your epidermis is showing!” Epidermis is, of course, a scientific name for skin. It often doesn’t matter that one’s epidermis is showing. The questions are: What part of the epidermis? And what social or economic consequences does it have?

Most breached data is put to no use whatsoever. A 2005 study of data breaches found the highest fraudulent misuse rate for all breaches under examination to be 0.098 percent—less than one in 1,000 identities. (The Government Accountability Office concurs that misuse of breached data is rare.) Larger breaches tend to have lower misuse rates, which makes popular reporting on gross numbers of personal data breaches misleading. Identity frauds are limited by the time and difficulty of executing them, not by access to data.

Why does excess cyber-insecurity matter? Doesn’t it beneficially drive companies to adopt better security practices for personal data?

It undoubtedly does, but security is not costless, and money driven to data security measures comes from other uses that might do more to make consumers better off. More importantly, though, data breach agitation and distended crime statistics have joined with other cybersecurity hype to generate a commitment in Congress to pass cybersecurity legislation.

Cybersecurity bills pending in both the House and Senate could have gruesome consequences for privacy because of “information sharing” provisions that immunize companies sharing data with the government for cybersecurity purposes. The potential for a huge, lawless cyberspying operation is significant if anyone can feed data to the government free of liability, including the privacy protections in property law, torts, and contract. Congress would not improve things by regulating in the name of cybersecurity, and it just might make things a lot worse.

It is ironic that overwrought claims about cybercrime and data breach could be privacy’s undoing, but they just might.

Will Pennsylvania Join the REAL ID Rebellion?

Since Congress passed a national ID law called the REAL ID Act in 2005, states have been registering their objections. The law tries to coerce states into implementing the feds’ national ID and would have them issue uniform drivers’ licenses and put drivers’ personal information into a federal data exchange. By 2009, fully half the states had barred themselves from implementing REAL ID or passed resolutions denouncing the law.

The states continue to play their constitutional role in counterbalancing federal overreach. I noted a few weeks ago how New Hampshire is resisting E-Verify, the federal background check system. But—as I also recently wrote—federal “bureaucrats and big-governmenters” are working to revive their national ID.

Pennsylvania may soon join the REAL ID rebellion. The legislature there has sent Governor Tom Corbett (R) a bill to opt the state out of REAL ID’s national ID system.

As we often see, though, there is confusion about the relevance of IDs and a national ID to national security. In the story linked above, state representative Greg Vitali (D) is cited saying that the 9-11 hijackers were carrying multiple phony drivers’ licenses. “And I’m just concerned with regard to the message that we send by backing away from more secure IDs,” he says.

Representative Vitali is mistaken on the facts. The 9/11 hijackers did not have false identification documents. The 9/11 Commission report said: “All but one of the 9/11 hijackers acquired some form of U.S. identification document, some by fraud.” Those “frauds” were things like fibbing about the length of their residency in Virginia, not their names.

The security issues are complicated. I dealt with them in my book, Identity Crisis: How Identification is Overused and Misunderstood. But here’s what it boils down to: Had REAL ID been the law prior to 9/11 and operating perfectly—100% compliance, no corruption at DMVs, and no forgery of breeder documents or licenses—that might have required the 9/11 attackers to keep their visas current. That’s the extent of its security value.

How many hundreds of millions of taxpayer dollars should we spend, how much of Americans’ privacy should we give up, and how much power should we transfer to the federal government when the only benefit is to mildly inconvenience some future attacker?

Many of the threats we imagined in the years after 9/11 were not real. Sleeper cells? Osama bin Laden sleeps with the fishes.

Terrorism didn’t get its start on 9/11, and it will never be non-existent. But our strong nation can celebrate its victory over terrorism by deep-sixing the national ID card. That’s the “message” that would come from defeating the federal government’s national ID law.

Cell Phone Location Surveillance: Now at a Police Dept. Near You!

As The New York Times reported this weekend, a series of freedom-of-information requests by the American Civil Liberties Union have confirmed what privacy and surveillance wonks long suspected: The use of cell phones as tracking devices by state and local law enforcement has become extremely common over the past few years, and is often done without the check of a Fourth Amendment search warrant based on probable cause.

More than 200 law enforcement agencies have responded to the ACLU’s request so far, and all but ten acknowledge tracking cell phone location for some purposes. Many do so primarily in emergency situations to locate potential victims of crime or accident, and of those that also make use of location tracking for investigative purposes, several insist that they always obtain a probable cause warrant. But many others either have unclear standards, or rely on subpoenas or court orders based on the low and easily met standard of “relevance” to an investigation. In effect, they assert the right to put a virtual tracker on citizens—the same conduct the Supreme Court unanimously held to be covered by the Fourth Amendment when a physical tracking device is used—without any need to persuade a judge that a lojacked individual is actually engaged in any criminal conduct.

Perhaps the most troubling revelation, however, is the evidence that at least a handful of law enforcement agencies reported seeking “tower dumps” revealing everyone near a location at a particular time, a form of mass surveillance that can be used to generate a list of potential suspects. I was aware of only one previous case where such a method had been used, back in 2008 in Texas, and at the time that case was unique as far as anyone knew. Now, however, it appears to be sufficiently routine that major providers have a standard price sheet: A one-hour “tower dump” from T-Mobile will run you $150, while Verizon Wireless charges $30–$60 for every 15 minutes’ worth of mass location data. This is a method in serious tension with our constitutional tradition of “particularity” in searches, and if it were to be permitted under any circumstances, it would require extraordinary safeguards, ideally established by a clear legislative framework—not a patchwork of agencies making up the rules as they go.

Don’t be surprised if you hadn’t heard about this happening in your town: Training materials obtained by the ACLU instruct police to never mention such tracking capabilities when speaking to media, and to omit them as far as possible from police reports. The goal, no doubt, is to avoid reminding criminals that any powered-on phone is a potential tracker. But this also means that a signally intrusive form of government monitoring has become widespread with minimal public awareness, let alone discussion or debate. Let’s hope media attention to these disclosures changes that.