Shades of Warning: What It Means to Inform

Ben Friedman helpfully supplies more information to go with my positive reaction to the Department of Homeland Security’s decision to scrap color-coded threat warnings.

Our colloquy leaves somewhat open what should replace color-coding. Because most threat warnings are false alarms, and because exhortations to vigilance will tend toward the vagueness of the color-coding system, Ben hopes “DHS winds up being tighter-lipped.”

His points are good ones, but they don’t dissuade me from my belief that DHS should “begin informing the public fully about threats and risks known to the U.S. government.”

The right answer here centers on who is better at digesting threat information—experts in the national security bureaucracy or the public?

There is a great deal of expertise in the U.S. government focused on turning up threat information and digesting it for policymakers. However, that expertise has limits, often manifested as threat inflation, as Ben notes, and as myopia. Daniel Patrick Moynihan’s Secrecy: The American Experience illustrates the latter well (especially the edition with Richard Gid Powers’ fine introduction).

The public consists of hundreds of millions of subject matter experts in every walk of life. They include owners and operators of all our infrastructure, reporters and commentators in the professional and amateur press, academics, state and local law enforcement personnel, information networks, and social networks of all kinds. We have security-interested folk in the hundreds of millions spread out across the land, all in regular communication with each other. We’re a tremendously powerful information processing machine. I believe this public can do a better job of digesting threat information than “experts,” particularly when it comes to terrorism threats, which can—theoretically, at least—manifest themselves pretty much anywhere.


Patriot Act Update

It looks as though we’ll be getting a straight one-year reauthorization of the expiring provisions of the Patriot Act, without even the minimal added safeguards for privacy and civil liberties that had been proposed in the Senate’s watered-down bill. This is disappointing, but was also eminently predictable: Between health care and the economy, it was clear Congress wasn’t going to make time for any real debate on substantive reform of surveillance law. Still, the fact that the reauthorization is only for one year suggests that the reformers plan to give it another go—though, in all probability, we won’t see any action on this until after the midterm elections.

The silver lining here is that this creates a bit of breathing room, and means legislators may now have a chance to take account of the absolutely damning Inspector General’s report that found that the FBI repeatedly and systematically broke the law by exceeding its authorization to gather information about people’s telecommunications activities. It also means the debate need not be contaminated by the panic over the Fort Hood shootings or the failed Christmas bombing—neither of which has anything whatever to do with the specific provisions at issue here, but both of which would have doubtless been invoked ad nauseam anyway.

Surveillance, Security, and the Google Breach

Yesterday’s bombshell announcement that Google is prepared to pull out of China rather than continuing to cooperate with government Web censorship was precipitated by a series of attacks on Google servers seeking information about the accounts of Chinese dissidents.  One thing that leaped out at me from the announcement was the claim that the breach “was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.” That piqued my interest because it’s precisely the kind of information that law enforcement is able to obtain via court order, and I was hard-pressed to think of other reasons they’d have segregated access to user account and header information.  And as Macworld reports, that’s precisely where the attackers got in:

That’s because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press.

This is hardly the first time telecom surveillance architecture designed for law enforcement use has been exploited by hackers. In 2005, it was discovered that Greece’s largest cellular network had been compromised by an outside adversary. Software intended to facilitate legal wiretaps had been switched on and hijacked by an unknown attacker, who used it to spy on the conversations of over 100 Greek VIPs, including the prime minister.

As an eminent group of security experts argued in 2008, the trend toward building surveillance capability into telecommunications architecture amounts to a breach-by-design, and a serious security risk. As the volume of requests from law enforcement at all levels grows, the compliance burdens on telecoms grow also—making it increasingly tempting to create automated portals to permit access to user information with minimal human intervention.

The problem of volume is front and center in a leaked recording released last month, in which Sprint’s head of legal compliance revealed that their automated system had processed 8 million requests for GPS location data in the span of a year, noting that it would have been impossible to manually serve that level of law enforcement traffic.  Less remarked on, though, was Taylor’s speculation that someone who downloaded a phony warrant form and submitted it to a random telecom would have a good chance of getting a response—and one assumes he’d know if anyone would.

The irony here is that, while we’re accustomed to talking about the tension between privacy and security—to the point where it sometimes seems like people think greater invasion of privacy ipso facto yields greater security—one of the most serious and least discussed problems with built-in surveillance is the security risk it creates.

Use Your Law Deferment to Work for Liberty!

Many law firms are asking their incoming first-year associates to defer their start dates (from a few months to a full year) and are offering stipends to these deferred associates to work at public interest organizations. Cato has been running a deferred associates program for the last few months and we are now extending it for as long as top-notch candidates want to ride out the economy with us.

The Cato Institute invites third-year law students and others facing firm deferrals to apply to work at our Center for Constitutional Studies. This is an opportunity to assist projects ranging from Supreme Court amicus briefs to policy papers to the Cato Supreme Court Review. Start and end dates are flexible. Interested students and graduates should email a cover letter, resume, transcript, and writing sample, along with any specific details of their deferment (timing, availability of stipend, etc.) to Jonathan Blanks at jblanks@cato.org.

Please feel free to pass the above information to your friends and colleagues. For information on Cato’s programs for non-graduating students, contact Joey Coon at jcoon@cato.org.

Lying and the Federal Government

Speaking of White House gate-crashers Tareq and Michaele Salahi (as we were trying to think of an excuse to do, to increase blog traffic), Slate says they might be guilty of a federal crime. What crime? Well, possibly trespassing on federal property. Or maybe the “broad prohibition on lying to the federal government.” Title 18, section 1001 of the U.S. Code

can be used to prosecute anyone who “knowingly and willfully … falsifies, conceals, or covers up by any trick, scheme, or device a material fact” or “makes any materially false, fictitious, or fraudulent statement or representation” to the government. That could include lying about your arrest record on a government job application, claiming a fake deduction on your taxes, or telling someone you’re on the White House invite list when you’re not.

I can’t help wondering, is there any equally broad prohibition on lying by the federal government? If the federal government, or a federal agency, or a federal official “knowingly and willfully … falsifies, conceals, or covers up” information or “makes any materially false, fictitious, or fraudulent statement or representation” — about the costs of a new entitlement, or how a candidate for reelection will act in his next term, or the case for going to war — is that prohibited? Or are the rules tougher on the ruled than the rulers?

Three Keys to Surveillance Success: Location, Location, Location

The invaluable Chris Soghoian has posted some illuminating—and sobering—information on the scope of surveillance being carried out with the assistance of telecommunications providers.  The entire panel discussion from this year’s ISS World surveillance conference is well worth listening to in full, but surely the most striking item is a direct quotation from Sprint’s head of electronic surveillance:

[M]y major concern is the volume of requests. We have a lot of things that are automated but that’s just scratching the surface. One of the things, like with our GPS tool. We turned it on the web interface for law enforcement about one year ago last month, and we just passed 8 million requests. So there is no way on earth my team could have handled 8 million requests from law enforcement, just for GPS alone. So the tool has just really caught on fire with law enforcement. They also love that it is extremely inexpensive to operate and easy, so, just the sheer volume of requests they anticipate us automating other features, and I just don’t know how we’ll handle the millions and millions of requests that are going to come in.


Geithner Ignores Bailout History

Perhaps the biggest problem with the Obama plan to “reform” our financial system is the impact it would have on the market perception surrounding “too big to fail” institutions. In identifying some companies as “too big to fail,” holders of debt in those companies would assume that they would be made whole if those companies failed. After all, that is what we did for the debt-holders in Fannie, Freddie, AIG, and Bear. Both former Secretary Paulson and Geithner appear under the impression that moral hazard only applies to equity, despite debt constituting more than 90% of the capital structure of the typical financial firm.

Geithner believes he’s found a way to solve this problem – he’ll just tell everyone that there isn’t an implicit subsidy, and there won’t be a list of “too big to fail” companies.  Great, why didn’t I think of that.  After all, the constant refrain in Washington over the years that Fannie and Freddie weren’t getting an implicit subsidy really prepared the markets for their demise.

Even more bizarre is Geithner’s assertion that the government can force these institutions to hold higher capital, maintain more liquidity and be subjected to greater supervision, all without anyone knowing who exactly these companies are. Does the Secretary truly believe that these companies’ securities disclosures won’t include the amount of capital they are holding? Whether there is an official list or not is beside the question; market participants will be able to infer that list from publicly available information and the actions of regulators.

One has to wonder whether Geithner spent any of his time at the NY Fed actually watching how markets work.  Before we continue down the path of financial reform, maybe it would be useful for our Treasury Secretary to take a few weeks off to study what got us into this mess.  We’ve already been down this road of denying implicit subsidies and then providing them after the fact. Maybe it’s time to try something different.

Online Privacy and Regulation by Default

My colleague Jim Harper and I have been having a friendly internal argument about Internet privacy regulation that strikes me as having potential implications for other contexts, so I thought I might as well pick it up here in case it’s of interest to anyone else. Unsurprisingly, neither of us is particularly sanguine about elaborate regulatory schemes—and I’m sympathetic to the general tenor of his recent post on the topic. But unlike Jim, as I recently wrote here, I can think of two rules that might be appropriate: A notice requirement that says third-party trackers must provide a link to an ordinary-language explanation of what information is being collected, and for what purpose, combined with a clear rule making those stated privacy policies enforceable in court. Jim regards this as paternalistic meddling with online markets; I regard it as establishing the conditions for the smooth functioning of a market. What do those differences come down to?


A Bizarre Privacy Indictment

Page one of today’s Washington Times—above the fold—has a fascinating story indicting the White House for failing to disclose that it will collect and retain material posted by visitors to its pages on social networking sites like Facebook and YouTube. The story is fascinating because so much attention is being paid to it. (It was first reported, as an aside at least, by Major Garrett on Fox News a month ago.)

The question here is not over the niceties of the Presidential Records Act, which may or may not require collection and storage of the data. It’s over people’s expectations when they use the Internet.

Marc Rotenberg, president of the Electronic Privacy Information Center, said the White House signaled that it would insist on open dealings with Internet users and, in fact, should feel obliged to disclose that it is collecting such information.

Of course, the White House is free to disclose or announce anything it wants. It might be nice to disclose this particular data practice. But is it really a breach of privacy—and, through failure to notify, transparency—if there isn’t a distinct disclosure about this particular data collection?

Let’s talk about what people expect when they use the Internet and social networking sites. Though the Internet is a gigantic copying machine, some may not know that data is collected online. They may imagine that, in the absence of notice, the data they post will not be warehoused and redistributed, even though that’s exactly what the Internet does.

There can be special problems when it is the government collecting the information. The White House’s “flag@whitehouse.gov” tip line was concerning because it asked Americans to submit information about others. There is a history of presidents amassing “enemies” lists. But this is not the complaint with White House tracking of data posted on its social networking sites.

People typically post things online because they want publicity for those things—often they want publicity for the fact that they are the ones posting, too. When they write letters, they give publicity to the information in the letter and the fact of having sent it. When they hold up signs, they seek publicity for the information on the signs, and their own role in publicizing it.

How strange that taking note of the things people publicize is taken as a violation of their privacy. And failing to notify them of the fact they will be observed and recorded is a failure of transparency.

America, for most of what you do, you do not get “notice” of the consequences. Instead, in the real world and online, you grown-ups are “on notice” that information you put online can be copied, stored, retransmitted, and reused in countless ways. Aside from uses that harm you, you have little recourse against that after you have made the decision to release information about yourself.

The White House is not in the wrong here. If there’s a lesson, it’s that people are responsible for their own privacy and need to be aware of how information moves in the online environment.

Thursday Links

Picture Don Draper Stamping on a Human Face, Forever

Last week, a coalition of 10 privacy and consumer groups sent letters to Congress advocating legislation to regulate behavioral tracking and advertising, a phrase that actually describes a broad range of practices used by online marketers to monitor and profile Web users for the purpose of delivering targeted ads. While several friends at the Tech Liberation Front have already weighed in on the proposal in broad terms — in a nutshell: they don’t like it — I think it’s worth taking a look at some of the specific concerns raised and remedies proposed. Some of the former strike me as being more serious than the TLF folks allow, but many of the latter seem conspicuously ill-tailored to their ends.

First, while it’s certainly true that there are privacy advocates who seem incapable of grasping that not all rational people place an equally high premium on anonymity, it strikes me as unduly dismissive to suggest, as Berin Szoka does, that it’s inherently elitist or condescending to question whether most users are making informed choices about their privacy. If you’re a reasonably tech-savvy reader, you probably know something about conventional browser cookies, how they can be used by advertisers to create a trail of your travels across the Internet, and how you can limit this.  But how much do you know about Flash cookies? Did you know about the old CSS hack I can use to infer the contents of your browser history even without tracking cookies? And that’s without getting really tricksy. If you knew all those things, congratulations, you’re an enormous geek too — but normal people don’t.  And indeed, polls suggest that people generally hold a variety of false beliefs about common online commercial privacy practices.  Proof, you might say, that people just don’t care that much about privacy or they’d be attending more scrupulously to Web privacy policies — except this turns out to impose a significant economic cost in itself.

The truth is, if we were dealing with a frictionless Coaseian market of fully-informed users, regulation would not be necessary, but it would not be especially harmful either, because users who currently allow themselves to be tracked would all gladly opt in. In the real world, though, behavioral economics suggests that defaults matter quite a lot: Making informed privacy choices can be costly, and while an opt-out regime will probably yield tracking of some who would prefer not to be under conditions of full information and frictionless choice, an opt-in regime will likely prevent tracking of folks who don’t object to tracking. And preventing that tracking also has real social costs, as Berin and Adam Thierer have taken pains to point out. In particular, it merits emphasis that behavioral advertising is regarded by many as providing a viable business model for online journalism, where contextual advertising tends not to work very well: There aren’t a lot of obvious products to tie in to an important investigative story about municipal corruption. Either way, though, the outcome is shaped by the default rule about the level of monitoring users are presumed to consent to. So which set of defaults ought we to prefer?


Tom Ridge on the Bush Administration’s War on Terror

Former congressman, governor, and secretary of the Department of Homeland Security Tom Ridge is a long-time GOP loyalist.  But he apparently doesn’t have good things to say about the Bush administration on its vaunted war on terrorism.

A new report on his upcoming book warns:

Tom Ridge, the first head of the 9/11-inspired Department of Homeland Security, wasn’t keen on writing a tell-all. But in The Test of Our Times: America Under Siege…and How We Can Be Safe Again, out September 1, Ridge says he wants to shake “public complacency” over security.

And to do that, well, he needs to tell all. Especially about the infighting he saw that frustrated his attempts to build a smooth-running department. Among the headlines promoted by publisher Thomas Dunne Books: Ridge was never invited to sit in on National Security Council meetings; was “blindsided” by the FBI in morning Oval Office meetings because the agency withheld critical information from him; found his urgings to block Michael Brown from being named head of the emergency agency blamed for the Hurricane Katrina disaster ignored; and was pushed to raise the security alert on the eve of President Bush’s re-election, something he saw as politically motivated and worth resigning over.

This confirms widespread suspicion that the Bush administration’s terrorism initiatives were highly political.  It also undercuts the claim that we should trust government to protect us by sacrificing our liberties and giving trustworthy public servants greater discretion.