Archive for the ‘Telecom, Internet & Information Policy’ Category
The Census’ Broken Privacy Promise
When the 1940 census was collected, the public was reassured that the information it gathered would be kept private. “No one has access to your census record except you,” the public was told. President Franklin Roosevelt said: “There need be no fear that any disclosure will be made regarding any individual or his affairs.”
Apparently the limits of what the government can do with census information have their limits. Today the 1940 census goes online.
When the Census Bureau transferred the data to the National Archives, it agreed to release the data 72 years after its collection. So much for those privacy promises.
Adam Marcus of Tech Freedom writes on C|Net:
Eighty-seven percent of Americans can find a direct family link to one or more of the 132+ million people listed on those rolls. The 1940 census included 65 questions, with an additional 16 questions asked of a random 5 percent sample of people. You can find out what your father did, how much he made, or if he was on the dole. You may be able to find out if your mother had an illegitimate child before she married your father.
To be sure, this data will open a fascinating trove for researchers into life 70 years ago. But the Federal Trade Commission would not recognize a “fascinating trove” exception if a private company were to release data it had collected under promises of confidentiality.
Government officials endlessly point the finger at the private sector for being a privacy scourge. Senator Al Franken did so in a speech to the American Bar Association last week (text; Fisking). He’s the chairman of a Senate subcommittee dedicated to examining the defects in private sector information practices. Meanwhile, the federal government is building a massive data and analysis center to warehouse information hoovered from our private communications, and the Obama Administration recently extended to five years the amount of time it can retain private information about Americans under no suspicion of ties to terrorism.
Marcus has the bare minimum lesson to take from this episode: “Remember this in 2020.”
Supreme Court: No Privacy Act Liability for Mental and Emotional Distress
Back in July of last year, I wrote about a case in the Supreme Court called FAA v. Cooper. In that Privacy Act case, a victim of a government privacy invasion had alleged “actual damages” based on evidence of mental and emotional distress.
Cooper, a recreational pilot who was HIV-positive, had chosen to conceal his health status generally, but revealed it to the Social Security Administration for the purposes of pursuing disability payments. When the SSA revealed that he was HIV-positive to the Department of Transportation, which was investigating pilots’ licenses in the hands of the medically unfit, the SSA violated the Privacy Act. Cooper claimed that he suffered mental and emotional distress at learning of the disclosure of his health status and inferentially his sexual orientation, which he had kept private.
The question before the Court was whether the Privacy Act’s grant of compensation for “actual damages” included damages for mental and emotional distress. This week the Court held … distressingly … [sorry, I had to] … NO. Under the doctrine of sovereign immunity, the Privacy Act has to be explicit about providing compensation for mental and emotional distress. Justice Alito wrote for a Court divided 5-3 along traditional ideological lines (Justice Kagan not participating).
The decision itself is a nice example of two sides contesting how statutory language should be interpreted. My preference would have been for the Court to hold that the Privacy Act recognizes mental and emotional distress. After all, a privacy violation is the loss of confident control over information, which, depending on the sensitivity and circumstances, can be very concerning and even devastating.
The existence of harm is a big elephant in the privacy room. Many advocates seem to be trying to lower the bar in terms of what constitutes harm, arguing that the creation of a risk is a harm or that worrisome information practices are harmful. But I think harm rises above doing things someone might find “worrisome.” Harm may occur, as in this case, when one’s (hidden) HIV status and thus sexual orientation is revealed. Harm has occurred when one records and uploads to the Internet another’s sexual activity. But I don’t think it’s harmful if a web site or ad network gathers from your web surfing that you’ve got an interest in outdoor sports.
The upshot of Cooper is this: Congress can and should amend the Privacy Act so that the damages it must compensate when it has harmed someone include real and proven mental and emotional distress.
Biometrics—and the Curious Relevance of Occupational Licensing
Yesterday, I testified (by remote communications) in the Alaska House of Representatives’ Health and Social Services Committee, which is considering a bill to heavily regulate the collection and use of biometrics. The bill is inspired by a man who was denied entry into the CPA exam when he refused to have his fingerprints scanned for that purpose. You can read more about his campaign at the PrivacyNOWalaska.org site.
I’m entirely sympathetic to his concerns about potential overcollection of biometrics in digital form, and what may happen to biometric data after it is collected. As I said in my testimony, “a digital record of a biometric can be stored indefinitely, copied an infinite number of times, and transmitted around the globe at the speed of light. This creates security and privacy concerns cutting against the use of machine-biometrics.” On the other hand, the CPA exam apparently has a problem with imposter fraud and faux test-takers who go simply to memorize questions and sell them on a test-prep black market.
Unfortunately, the bill is not calibrated to balance the competing interests at stake. It would create a “notice and consent” regime for biometrics collection, an idea that has failed to produce privacy protection in other areas. It would require massive and expensive re-tooling of data systems to provide consumers a right to amend or revoke their permission to use biometrics or order destruction of biometric data. And it would flatly outlaw marketing that uses biometric information—not just the stuff we learned to be spooked about in the film Minority Report, but knowingly agreed-to tailoring of discounts at the grocery store if we used a biometrically-secured payment system, for example.
I urged the Alaska legislators to ensure that biometrics collectors account for and prevent potential harm to Alaskans when they design and use their systems, but not to constrain biometrics so much that their security benefits never materialize.
There are a number of things Alaska and other states could do to help society calibrate the use of biometrics. They could ensure that biometrics collectors are liable and subject to jurisdiction in the state of collection when contract violations and harms arise from the use or misuse of biometric data.
Alaska could also establish that there is no “third-party doctrine” under its state constitution. A person sharing data under contractual or regulatory protections should maintain his or her search-and-seizure rights in that data. The government should not be able to access such data—though shared—without proper suspicion, warrants, and subpoenas.
Alaska has rejected the REAL ID Act, and it could do more to prevent the emergence of national identity systems by rejecting any E-Verify mandate. I encouraged the Alaskans to follow the lead of New Hampshire and bar state identity data from being shared with any national ID system.
The root of the problem in Alaska, though, may be the accountancy cartel. This is an area I know precious little about, but it appears that you must take the CPA exam to act as an accountant in the state. This positions the administrators of the CPA exam to make unreasonable, privacy-invasive demands for biometric data on a take-it-or-leave-it basis.
Oh what a tangled web we weave, when first we practise to … restrict the right to earn a living!
My testimony starts with a primer on biometrics. We have much to learn yet about biometric technologies, their uses, and their consequences. Banning them would deny the public many benefits. Using them promiscuously would have many costs.
Bureaucrats and Big-Governmenters Work to Revive Their National ID
There are some rich ironies in a recent Stewart Baker blog post touting the slow crawl toward REAL ID compliance he believes states are making. One of the choicest is that his cheerleading for a national ID appears under a Hoover Institution banner that says “ADVANCING A FREE SOCIETY.”
No, having a national ID would not advance a free society. You could say “ADVANCING A SECURE SOCIETY” but even then you’d be overstating the case. A national ID would reduce the security of individuals massively in the aggregate in exchange for modest and arguable state security gains.
Speaking of which, Baker posts a picture of Mohammed Atta’s Florida driver’s license in his post. The implication is that having a national ID would have prevented the 9/11 attacks. In fact, having a national ID would have caused a mild inconvenience to the 9/11 attackers. Billions of dollars spent, massive aggregate inconvenience to law-abiding American citizens, and a much-more-powerful federal government so that terrorists could be mildly inconvenienced?
One of the greatest ironies is that Baker doesn’t—as he never has—take on the merits of how and how well a national ID would advance security goals. But the merits don’t matter. Baker’s post provides a nice reminder that the bureaucrats will use their big-government allies to restart their moribund national ID plans if they can. Despite massive public opposition to REAL ID, they’ll try to build it anyway.
An anti-immigration group recently issued a report saying that states are getting on board with REAL ID. (They’re meeting massively reduced REAL ID “milestones” coincidentally, not to meet federal demands.) National ID advocate Jim Sensenbrenner (R-WI) put on a lop-sided show-hearing in the House Judiciary Committee last week, hoping to prop up REAL ID’s decaying body.
As if anyone would believe it, a DHS official said at the hearing that the January 2013 deadline for state compliance would not be extended. Book your tickets now, because there won’t be a damn thing different at the airport come January. The Department of Homeland Security hasn’t stood by any of its deadlines for REAL ID compliance. If it did, by refusing IDs from non-compliant states at the airport, the public outcry would be so large that REAL ID would be repealed within the week.
REAL ID will never be implemented. That doesn’t stop the federal government from spending money on it, so the bureaucrats keep trying to corral you into their national ID. They get occasional help, and sometimes it even travels under the false flag of “ADVANCING A FREE SOCIETY.”
FTC Issues Groundhog Report on Privacy
The Federal Trade Commission issued a report today calling on companies “to adopt best privacy practices.” In related news, most people support airline safety… The report also “recommends that Congress consider enacting general privacy legislation, data security and breach notification legislation, and data broker legislation.”
This is regulatory cheerleading of the same kind our government’s all-purpose trade regulator put out a dozen years ago. In May of 2000, the FTC issued a report finding “that legislation is necessary to ensure further implementation of fair information practices online” and recommending a framework for such legislation. Congress did not act on that, and things are humming along today without top-down regulation of information practices on the Internet.
By “humming along,” I don’t mean that all privacy problems have been solved. (And they certainly wouldn’t have been solved if Congress had passed a law saying they should be.) “Humming along” means that ongoing push-and-pull among companies and consumers is defining the information practices that best serve consumers in all their needs, including privacy.
Congress won’t be enacting legislation this year, and there doesn’t seem to be any groundswell for new regulation in the next Congress, though President Obama’s reelection would leave him unencumbered by future elections and so inclined to indulge the pro-regulatory fantasies of his supporters.
The folks who want regulation of the Internet in the name of privacy should explain how they will do better than Congress did with credit reporting. In forty years of regulating credit bureaus, Congress has not come up with a system that satisfies consumer advocates’ demands. I detail that government failure in my recent Cato Policy Analysis, “Reputation under Regulation: The Fair Credit Reporting Act at 40 and Lessons for the Internet Privacy Debate.”
Sweet Repeal
Look at this legislative language. It’s the stuff of beauty:
(a) In general.—The following sections of the Communications Act of 1934 (47 U.S.C. 151 et seq.) are hereby repealed:
(1) Section 339 (47 U.S.C. 339).
(2) Section 340 (47 U.S.C. 340).
(3) Section 341 (47 U.S.C. 341).
(4) Section 342 (47 U.S.C. 342).
(5) Section 612 (47 U.S.C. 532).
(6) Section 614 (47 U.S.C. 534).
(7) Section 712 (47 U.S.C. 612).
And there’s more.
It’s from H.R. 3675, The Next Generation Television Marketplace Act, introduced by Rep. Steve Scalise (R-LA), and its Senate counterpart, S. 2008, from Sen. Jim DeMint (R-SC).
Cato alum Adam Thierer’s recent Forbes column has the low-down:
There’s a common myth heard frequently in communications policy circles that America’s video marketplace was largely deregulated in the 1980s and ’90s, and that we now have a free market nirvana. Nothing could be further from the truth. When it comes to television programming, many layers of red tape still encumber this sector and prevent a truly free market in video programming from developing.
Adam goes on to discuss all the ways that players in this marketplace are working to maintain the advantages they see coming from regulation. It’s a gruesome pile-up of rent-seeking that the Scalise-DeMint bill is trying to clear up.
It sure is cool to see a bill that repeals existing regulations, for a change. Ten or fifteen thousand more like this would be a good start.
The Country’s Biggest Spy Center
Under insufficiently sharp questioning, the head of the National Security Agency, Keith Alexander, has denied the substance of a Wired report on the agency’s massive new computer facility and the capabilities the government has to monitor our communications—even heavily encrypted communications.
If you want a sense of how Congress, still panicked by 9/11, has abdicated its responsibilities and permitted the construction of a “turnkey totalitarian state,” read the whole thing.
Supreme Court Invalidates Patent on Human Thought
On Tuesday, the Supreme Court invalidated a patent that effectively claimed ownership of a fact about the human body. A joint brief by the Cato Institute, Competitive Enterprise Institute, and the Reason Foundation had urged the high court to reject the patent, arguing that it posed a threat to freedom of thought and innovation.
The patent focused on a class of drugs called thiopurines, which are used to treat autoimmune diseases. When a patient takes a thiopurine drug, it is processed by the body into chemicals known as “metabolites.” Doctors measure metabolite levels in order to properly adjust the dosage of thiopurine drugs.
A company called Prometheus Labs filed a patent on a thiopurine drug testing process. The patent didn’t cover the drugs themselves or any particular method for measuring metabolite levels—these had already been invented years ago by other companies. Rather, Prometheus patented the idea that particular metabolite levels “indicate a need” to raise or lower the drug dosage. In effect, Prometheus was claiming ownership of a basic fact about the human body.
When the Mayo Clinic created its own thiopurine testing product, Prometheus sued. It argued that when a doctor used Mayo’s test, she could infringe Prometheus’s patent by thinking about the scientific correlation it disclosed. And that, in turn, made Mayo an accessory to the doctor’s infringing thoughts.
But Mayo argued that the patent was invalid because it claimed a law of nature, something the Supreme Court has said repeatedly isn’t eligible for patent protection. Mayo’s argument was supported not only by the Cato Institute, but also by the American Civil Liberties Union, the American Medical Association, the American Association of Retired Persons, and many other groups. They warned that it was dangerous to grant patents that can be infringed by mere thoughts, and that such patents would harm the quality of medical care by restricting doctors’ access to information.
In a unanimous decision by Justice Stephen Breyer, the Supreme Court reiterated its traditional principle that you can’t patent laws of nature, and held that the concrete steps of the patented process—administering the drug and measuring metabolite levels—were too conventional to transform an unpatentable idea into a patentable process.
The decision—and the fact that it was unanimous—is important because it reaffirms the principle that abstract ideas and laws of nature are not eligible for patent protection. But we would have liked to see Justice Breyer go further. After a series of disastrous decisions by lower courts in the 1990s, the Patent Office began granting a large number of patents, such as those for “business methods” and software, that seemed inconsistent with the Supreme Court’s ban on patenting laws of nature and abstract ideas. Those same decisions gave rise to the medical diagnostic patents that were at issue in Tuesday’s decision. But the Supreme Court has yet to address the broader question of whether the changes of the 1990s were consistent with the Supreme Court’s precedents. It ducked the question in a 2010 decision about business method patents, and Justice Breyer seems to have ducked it again in this decision. The result has been a great deal of uncertainty about what can be patented, and an explosion of patent litigation in the software industry. Mayo v. Prometheus was a step in the right direction, but it was also a missed opportunity to rule on these broader questions.
National Surveillance Programs and Their State Impediments
Having originally come to Washington to defend federalism, I am always delighted to see the division of powers among the states and the federal government have its proper effect: to protect liberty and limited government.
As with REAL ID, the E-Verify federal background check system is meeting up with state resistance. The Republican Liberty Caucus of New Hampshire reported yesterday:
This afternoon, the House passed HB 1549, which would prohibit the state’s participation in the E-Verify system, with a nearly unanimous voice vote. The House also killed HB 1492, which would require employers to verify an employee’s eligibility to work in the United States using the E-Verify System, with a 226-59 vote.
E-Verify is essentially a national identification system that requires employers to verify all job applicants’ citizenship in a national database system before they can employ them. If the state agreed to participate, all citizens would have to be listed in this national database as a U.S. citizen in order to get a job.
You want to fix immigration, feds? You do it without putting American citizens into a national ID system. Good message.
Here’s the clear language of HB 1549, which the New Hampshire House has approved to govern release of motor vehicle records. It embraces legitimate law enforcement while rejecting national identification schemes.
III. Motor vehicle records may be made available pursuant to a court order or in response to a request from a state, a political subdivision of a state, the federal government, or a law enforcement agency for use in official business. The request shall be on a case-by-case basis. Any records received pursuant to this paragraph shall not be further transferred or otherwise made available to any other person or listed entity not authorized under this paragraph. No records made available under this section shall be used, directly or indirectly, for any federal identification database. (New language in bold.)
To learn more about E-Verify and its role as a nascent national identification scheme, read my Cato Policy Analysis: “Electronic Employment Eligibility Verification: Franz Kafka’s Solution to Illegal Immigration.”
Viral Video Strips Down Strip-Search Machines
The TSA’s response yesterday to a video challenging strip-search machines was so weak that it acts as a virtual confession to the fact that objects can be snuck through them.
In the video, TSA strip-search objector Jonathan Corbett demonstrates how he put containers in his clothes along his sides where they would appear the same as the background in TSA’s displays. TSA doesn’t refute that it can be done or that Corbett did it in his demonstration. More at Wired’s Threat Level blog.
More than six months ago, the D.C. Circuit Court of Appeals required the Transportation Security Administration to commence a rulemaking to justify its strip-search machine/prison-style pat-down policy. TSA has not done so. The result is that the agency still does not have a sturdy security system in place at airports. It’s expensive, inconvenient, error-prone, and privacy-invasive.
Making airline security once again the responsibility of airlines and airports would vastly improve the situation, because these actors are naturally inclined to blend security, cost-control, and convenience with customer service and comforts, including privacy.
I have a slight difference with Corbett’s characterization of the problem. The weakness of body scanners does not put the public at great danger. The chance of anyone exploiting this vulnerability and smuggling a bomb on board a domestic U.S. flight is very low. The problem is that these machines impose huge costs in dollars and privacy that do not foreclose a significant risk any better than the traditional magnetometer.
Corbett is right when he urges people to “demand of your legislators and presidential candidates that they get rid of this eight billion-dollar-a-year waste known as the TSA and privatize airport security.”
Why Hayek Would Have Hated Software Patents
In his famous essay “The Use of Knowledge in Society,” Friedrich Hayek argued that the socialists of his day falsely assumed that knowledge about the economy could be taken as “given” to central planners. In reality, information about the economy—about what products are needed and where the necessary resources can be found—is dispersed among a society’s population. Economic policies that implicitly depend on omniscient decision-makers are doomed to failure, because the decision-makers won’t have the information they need to make good decisions.
In a new paper to be published by the NYU Annual Survey of American Law, Christina Mulligan (who drafted a recent amicus brief for Cato) and I argue that the contemporary patent debate suffers from a similar blind spot. A patent is a demand that the world refrain from using a particular machine or process. To comply with this demand, third parties need an efficient way to discover which patents they are in danger of infringing. Yet we show that for some industries, including software, the costs of discovering which patents one is in danger of infringing are astronomical. As a consequence, most software firms don’t even try to avoid infringing people’s patents.
Patents are often described as “intellectual property,” and patent law provides for harsh property-like remedies against patent infringers. But a property system that is so convoluted that ordinary firms can’t figure out who owns what isn’t a property system at all. Genuine property rights enhance economic efficiency by bringing predictability to the allocation of scarce resources and thereby promoting decentralized decision-making. Software patents retard economic efficiency by subjecting software firms to a constant and unavoidable threat of litigation for accidentally infringing the patent rights of others. Hayek would not have approved.
Our paper is available from SSRN.
The REAL ID Fight Continues in the States
Federal programs almost never die. Bureaucrats and their big-government allies are still trying to cobble together an American national ID.
But leaders in the states continue to fight. In this case, it’s Michigan state representative and House transportation committee chairman Paul Opsommer (R-DeWitt). In response to a recent report citing state compliance with REAL ID “benchmarks,” he’s put out a scathing report that was written up in the River Country (MI) Journal.
“The things we have done in Michigan, like making sure illegal aliens cannot get driver’s licenses, we are doing independently of REAL ID, and we are not interested in allowing the federal government to have permanent control over our licenses,” said Opsommer. “You can bet your bottom dollar that at some point if Obamacare is not repealed that the federal government will adopt new rules in the future requiring the cards’ use for access to healthcare. You can bet they will require it to buy a firearm. You can bet they ultimately want to put RFID chips into all these and share our full data with Canada, Mexico, and beyond. If we don’t repeal Title II of the REAL ID Act, all we are doing is putting off the ‘I told you so’ moment for a few years down the road.”
The tensions that the Framers of the Constitution designed into our governmental structure are doing their work through Rep. Opsommer.
“State documents should be state documents, and federal documents should be federal documents,” he says.
“If the federal government is bent on having a national ID card, they need to get their own house in order and start to make federal passports more secure and more affordable. Quit trying to outsource your own mismanagement of the federal passport system onto the states and let us get onto the business of issuing our own safe and secure sovereign driver’s licenses.”
The bureaucrats will keep at it at least until the Congress defunds REAL ID. But they’ll keep bumping into the likes of Rep. Paul Opsommer.

