Collecting Dots and Connecting Dots
As Jeff Stein notes over at the Washington Post, the declassified summary of the Senate Intelligence Committee’s report on the Christmas underpants bomber ought to sound awfully familiar to anyone who thumbed through the 9/11 Commission’s massive analysis of intelligence failures. Of the 14 points of failure identified by the Senate, one pertains to a failure of surveillance acquisition: the understandably vague claim that NSA “did not pursue potential collection opportunities,” which it’s impossible to really evaluate without more information. (Marc Ambinder tries to fill in some of the gaps at The Atlantic.) The other 13 echo that old refrain: Lots of data points, nobody managing to connect them. Problems included myopic analysis—folks looking at Yemen focused on regionally-directed threats—sluggish information dissemination, misconfigured computers, and simple failure to act on information already in hand.
Yet you’ll notice that in the wake of such failures, the political response tends to be heavily weighted toward finding ways to collect more dots. We hear calls for more surveillance cameras in our cities, more wiretapping with fewer restrictions, fancier scanners in the airport, fewer due process protections for captured suspects. Sometimes you’ll also see efforts to address the actual causes of intelligence failure, but they certainly don’t get the bulk of the attention. And little wonder! Structural problems internal to intelligence or law enforcement agencies, or failures of coordination between them, are a dry, wonky, and often secret business. The solutions are complicated, distinctly unsexy, and (crucially) don’t usually lend themselves to direct legislative amelioration—especially when Congress has already rolled out the big new coordinating entities that were supposed to solve these problems last time around.
But demands for more power and more collection and more visible gee-whiz technology? Well, those are simple. Those are things you can trumpet in a 700-word op-ed and brag about in press releases to your constituents. Those are things pundits and anchors can debate without intimate knowledge of Miroesque DOJ org charts. In short, we end up talking about the things that are easy to talk about. We should not be under any illusions that this makes them good solutions to intel’s real problems. Hard as it is for pundits to sit silent or legislators to seem idle, sometimes the most vital reforms just don’t make for snazzy headlines.
Online Privacy and Regulation by Default
My colleague Jim Harper and I have been having a friendly internal argument about Internet privacy regulation that strikes me as having potential implications for other contexts, so I thought I might as well pick it up here in case it’s of interest to anyone else. Unsurprisingly, neither of us is particularly sanguine about elaborate regulatory schemes—and I’m sympathetic to the general tenor of his recent post on the topic. But unlike Jim, as I recently wrote here, I can think of two rules that might be appropriate: A notice requirement that says third-party trackers must provide a link to an ordinary-language explanation of what information is being collected, and for what purpose, combined with a clear rule making those stated privacy policies enforceable in court. Jim regards this as paternalistic meddling with online markets; I regard it as establishing the conditions for the smooth functioning of a market. What do those differences come down to?
Public Information and Public Choice
One of the high points of last week’s Gov 2.0 Summit was transparency champion Carl Malamud’s speech on the history of public access to government information — ending with a clarion call for government documents, data, and deliberation to be made more freely available online. The argument is a clear slam-dunk on simple grounds of fairness and democratic accountability. If we’re going to be bound by the decisions made by regulatory agencies and courts, surely at a bare minimum we’re all entitled to know what those decisions are and how they were arrived at. But as many of the participants at the conference stressed, it’s not enough for the data to be available — it’s important that it be free, and in a machine-readable form. Here’s one example of why, involving the PACER system for court records:
The fees for bulk legal data are a significant barrier to free enterprise, but an insurmountable barrier for the public interest. Scholars, nonprofit groups, journalists, students, and just plain citizens wishing to analyze the functioning of our courts are shut out. Organizations such as the ACLU and EFF and scholars at law schools have long complained that research across all court filings in the federal judiciary is impossible, because an eight cent per page charge applied to tens of millions of pages makes it prohibitive to identify systematic discrimination, privacy violations, or other structural deficiencies in our courts.
If you’re thinking in terms of individual cases — even those involving hundreds or thousands of pages of documents — eight cents per page might not sound like a very serious barrier. If you’re trying to do a meta-analysis that looks for patterns and trends across the body of cases as a whole, not only is the formal fee going to be prohibitive in the aggregate, but even free access won’t be much help unless the documents are in a format that can be easily read and processed by computers, given the much higher cost of human CPU cycles. That goes double if you want to be able to look for relationships across multiple different types of documents and data sets.
Picture Don Draper Stamping on a Human Face, Forever
Last week, a coalition of 10 privacy and consumer groups sent letters to Congress advocating legislation to regulate behavioral tracking and advertising, a phrase that actually describes a broad range of practices used by online marketers to monitor and profile Web users for the purpose of delivering targeted ads. While several friends at the Tech Liberation Front have already weighed in on the proposal in broad terms — in a nutshell: they don’t like it — I think it’s worth taking a look at some of the specific concerns raised and remedies proposed. Some of the former strike me as being more serious than the TLF folks allow, but many of the latter seem conspicuously ill-tailored to their ends.
First, while it’s certainly true that there are privacy advocates who seem incapable of grasping that not all rational people place an equally high premium on anonymity, it strikes me as unduly dismissive to suggest, as Berin Szoka does, that it’s inherently elitist or condescending to question whether most users are making informed choices about their privacy. If you’re a reasonably tech-savvy reader, you probably know something about conventional browser cookies, how they can be used by advertisers to create a trail of your travels across the Internet, and how you can limit this. But how much do you know about Flash cookies? Did you know about the old CSS hack I can use to infer the contents of your browser history even without tracking cookies? And that’s without getting really tricksy. If you knew all those things, congratulations, you’re an enormous geek too — but normal people don’t. And indeed, polls suggest that people generally hold a variety of false beliefs about common online commercial privacy practices. Proof, you might say, that people just don’t care that much about privacy or they’d be attending more scrupulously to Web privacy policies — except this turns out to impose a significant economic cost in itself.
The truth is, if we were dealing with a frictionless Coaseian market of fully-informed users, regulation would not be necessary, but it would not be especially harmful either, because users who currently allow themselves to be tracked would all gladly opt in. In the real world, though, behavioral economics suggests that defaults matter quite a lot: Making informed privacy choices can be costly, and while an opt-out regime will probably yield tracking of some who would prefer not to be under conditions of full information and frictionless choice, an opt-in regime will likely prevent tracking of folks who don’t object to tracking. And preventing that tracking also has real social costs, as Berin and Adam Thierer have taken pains to point out. In particular, it merits emphasis that behavioral advertising is regarded by many as providing a viable business model for online journalism, where contextual advertising tends not to work very well: There aren’t a lot of obvious products to tie in to an important investigative story about municipal corruption. Either way, though, the outcome is shaped by the default rule about the level of monitoring users are presumed to consent to. So which set of defaults ought we to prefer?
Does the PASS ID Act Protect Privacy?
I’ve written about PASS ID here a couple of times before – first on whether or not it’s a national ID and, second, on the politics of this REAL ID revival bill. Now I’ll take a look at whether it fixes the privacy issues with REAL ID. Privacy is complicated. Buckle up.
The day the bill was introduced, the Center for Democracy and Technology issued a press release giving it a privacy stamp of approval.
“The PASS ID Act addresses most of the major privacy and security concerns with REAL ID,” said Ari Schwartz, Vice-President of CDT. The release cited four ways that PASS ID was an improvement over the bill it’s modeled on, REAL ID.
Interstate Data Sharing?
First, CDT said, PASS ID “[r]emoves the requirement that states ‘provide electronic access’ allowing every other state to search their motor vehicles records.” It’s technically true: The language from REAL ID directly requiring states to share information among themselves came out of PASS ID. But the requirements of the law will cause that information sharing to happen all the same.
Like REAL ID did, PASS ID would require states to confirm that “a person submitting an application for a driver’s license or identification card is terminating or has terminated any driver’s license or identification card” issued by another state.
How do you do that? You check the driver license databases of every other state. Maybe you do this by directly accessing other states’ databases; maybe you do this indirectly, through a “pointer system” or “hub.” But to confirm that you’re talking about the right person, you don’t just compare names. You compare names, addresses, pictures, and other biometrics.
Some Thinking on “Cyber”
Last week, I had the opportunity to testify before the House Science Committee’s Subcommittee on Technology and Innovation on the topic of “cybersecurity.” I have been reluctant to opine on it because of its complexity, but I did issue a short piece a few months ago arguing against government-run cybersecurity. That piece was cited prominently in the White House’s “Cyberspace Policy Review” and — blamo! — I’m a cybersecurity expert.
Not really — but I have been forming some opinions at a high level of generality that are worth making available. They can be found in my testimony, but I’ll summarize them briefly here.
. . . But What Is “Cyber”?
Cyberwar. Cyberdefense. Cyberattack. Cybercommand.
You run across these four words before you finish the first paragraph of this New York Times story (as reposted on msnbc.com). It’s about government plans to secure our technical infrastructure.
When you reach the end of the story, though, you still don’t know what it’s about. But you do get a sense of coming inroads against Americans’ online privacy.
The problem, which the federal government has assumed to tackle, is the nominal insecurity of networks, computers, and data. And the approach the federal government has assumed is the most self-gratifying: “Cyber” is a “strategic national asset.” It’s up to the defense, intelligence, and homeland security bureaucracies to protect it.
But what is “cyber”?
With the Internet and other technologies, we are creating a new communications and commerce “space.” And just like the real spaces we are so accustomed to, there are security issues. Some of the houses have flimsy locks on the front doors. Some of the stores leave merchandise on the loading docks unattended. Some office managers don’t lock the desk drawers that hold personnel files. Some of the streets can be too easily flooded with water. Some of the power lines can be too easily snapped.
These are problems that should be corrected, but we don’t call on the federal government to lock up our homes, merchandise, and personnel files. We don’t call on the federal government to fix roads and power lines (deficit “stimulus” spending aside). The federal government secures its own assets, but that doesn’t make all assets a federal responsibility or a military problem.
As yet, I haven’t seen an explanation of how an opponent of U.S. power would use “cyberattack” to advance any of its aims. If it’s even possible, which I doubt, taking down our banking system for a few days would not “soften up” the country for a military attack. Knocking out the electrical system in one region of the country for a day wouldn’t let Russia take control of the Bering Strait. Shutting down Americans’ access to Google Calendar wouldn’t advance Islamists’ plans for a worldwide Muslim caliphate.
This is why President Obama’s speech on cybersecurity retreated to a contrived threat he called “weapons of mass disruption.” Fearsome inconvenience!
The story quotes one government official as follows:
“How do you understand sovereignty in the cyberdomain?” General Cartwright asked. “It doesn’t tend to pay a lot of attention to geographic boundaries.”
That’s correct. “Cyber” is not a problem that affects our sovereignty or the integrity of our national boundaries. Thus, it’s not a problem for the defense or intelligence establishments to handle.
The benefits of the online world vastly outstrip the risks – sorry Senator Rockefeller. With those benefits come a variety of problems akin to graffiti, house fires, street closures, petit theft, and organized crime. Those are not best handled by centralized bureaucracies, but by the decentralized systems we use to secure the real world: property rights, contract and tort liability, private enterprise, and innovation.
Computers Freedom & Privacy 2009
The Computers Freedom & Privacy conference is consistently one of the most interesting and forward-looking privacy conferences. This year, it’s at George Washington University in Washington, D.C., June 1-4.
I helped organize it this time, though by no means does the event skew libertarian. What it does is bring together people of all ideologies to discuss common concerns about the present and future state of privacy.
I’ll be speaking on a panel called “The Future of Security vs. Privacy” on Tuesday, June 2nd. Here’s the program page. And here’s the registration page if any of this whets your appetite.

