The Freakonomics blog has an excellent post on the bills in Congress popularly known as SOPA and PIPA. The “Stop Online Piracy Act” and the “Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act” aka the “PROTECT IP Act” would attempt to frustrate online copyright violations by tinkering with the inner workings of the Internet.

Would amending the Internet be justified? The post is called “How Much Do Music and Movie Piracy Really Hurt the U.S. Economy?“:

Supporters of stronger intellectual property enforcement … argue that online piracy is a huge problem, one which costs the U.S. economy between $200 and $250 billion per year, and is responsible for the loss of 750,000 American jobs. These numbers seem truly dire: a $250 billion per year loss would be almost $800 for every man, woman, and child in America. And 750,000 jobs – that’s twice the number of those employed in the entire motion picture industry in 2010. The good news is that the numbers are wrong …

Freakonomics’ authors picked up two good authorities: Cato’s own Julian Sanchez and Cato’s own (adjunct) Tim Lee. It’s nice to see Cato scholars getting high-profile credit for their dogged insistence on real numbers, something Congress routinely fails to exhibit.

Losses from violations of copyright law are hard to calculate.

There are certainly a lot of people who download music and movies without paying. It’s clear that, at least in some cases, piracy substitutes for a legitimate transaction … In other cases, the person pirating the movie or song would never have bought it. This is especially true if the consumer lives in a relatively poor country, like China, and is simply unable to afford to pay for the films and music he downloads. Do we count this latter category of downloads as “lost sales”? Not if we’re honest.

And there’s another problem: even in the instances where Internet piracy results in a lost sale, how does that lost sale affect the job market? While jobs may be lost in the movie or music industry, they might be created in another. Money that a pirate doesn’t spend on movies and songs is almost certain to be spent elsewhere. Let’s say it gets spent on skateboards — the same dollar lost by Sony Pictures may be gained by Alien Workshop, a company that makes skateboards.

The challenges go deeper: The theoretical arguments about intellectual property laws are a congeries. Libertarian advocates of statutory intellectual property protection will cite Ayn Rand, who was a stalwart on defending creations of the mind as property. But a coherent system of rights does not produce conflicting claims, and intellectual property laws seem to exalt the property of some at a cost to the liberty of others. The some, in this case, are the music and movie industries, the others, Internet content companies and users.

This area still needs a good deal of sorting out. For the time being, a firm insistence on real numbers is a good thing. Serious empirical work is sorely needed. Killing off bogus numbers can only go so far.

A Dogged Insistence on Real Numbers is a post from Cato @ Liberty - Cato Institute Blog

It’s a valuable public good, research is, isn’t it? Think of where we’d be without it! I mean, it was government research that came up with the Internet, for heaven sake.

That’s a response to the argument I made last week against government funding of scientific research. Moving away from public funding of scientific research would solve the problem of private companies capturing publication spoils from research that taxpayers funded.

The Defense Advanced Research Projects Agency did indeed come up with and popularize the protocol called TCP/IP, which the Internet uses. (Everyone’s use of the protocol really makes the Internet what it is, of course, but nevermind that.)

To take the Internet as proof that the government is a necessary producer of research and innovation, you have to reject the scientific method. Unfortunately, there are rarely controls in public policy. We can’t find out what would have happened if government policy had taken a different course, so we don’t know anything more about who should fund research from the fact that government-funded research has produced good things in the past.

But what would have happened if U.S. public policy had taken a different course? I’ve thought about the impossible-to-answer question of where we would have been without DARPA and other government influences on telecom. What most people don’t consider, I believe, is the restraining influence the government-granted AT&T monopoly had on telecommunications for most of the 20th century. AT&T developed a “Teletypewriter Exchange” system in 1931, for example, but had no need to develop it, there being little or no competitive pressure to do so. (Its patent on attaching devices to phone wires undoubtedly helped as well, preventing anyone using AT&T’s wires for modem service.)

Had there been competition, I suspect that someone would have come up with the idea of packet-switched networks—that’s what the Internet is—before Leonard Kleinrock did in 1962. Kleinrock was a student at MIT—he wasn’t at DARPA, which didn’t get into packet-switching until about 1966. (Then again, MIT was almost certainly awash in government money—specifically military money—so there you go. Maybe we owe all the good things we’ve got to war, but I doubt it.)

My guess—and it’s only that—is that we would have had the Internet some decades earlier if not for government interventions in telecommunications. We probably would have had multiple, competing “Internets,” actually, adopted more slowly than the Internet we got. (In a chapter of Privacy in America: Interdisciplinary Perspectives, I explored how government has accelerated the development of computing and communications, overpowering society’s capacity to adjust, with negative consequences for privacy.)

Support for government-funded research requires one to elide opportunity costs, the things foregone when one thing is chosen. As I said before, tradeoffs are ineluctable: Money spent on government research takes away from private research, or from other priorities such as reducing debt. In the absence of taxation to support research, the money would go to the public’s priorities as determined directly by the public in manifold spending and investing decision. Taxation and spending on government research is merely the substitution of centralized, political decision-making for a distributed, direct decision-making system. Its supporters are generally going to be beneficiaries of that system—elites, in short.

Even these beneficiaries of the status quo tend to agree that political decisions about funding for scientific research are warped. The solution to that problem, they’ll say, is fixing the political system—that is, creating a political system that is not so political.

Such a breakthrough is as unlikely as the invention of water that is not wet. Perhaps we can put DARPA on both projects.

But Don’t We Really Need Government Research? is a post from Cato @ Liberty - Cato Institute Blog

On Thursday, the House Judiciary Committee is slated to take up the misleadingly named Stop Online Piracy Act, an Internet censorship bill that will do little to actually stop piracy. In response to an outpouring of opposition from cybersecurity professionals, First Amendment scholars, technology entrepreneurs, and ordinary Internet users, the bill’s sponsors have cooked up an amended version that trims or softens a few of the most egregious provisions of the original proposal, bringing it closer to its Senate counterpart, PROTECT-IP. But the fundamental problem with SOPA has never been these details; it’s the core idea. The core idea is still to create an Internet blacklist, which means everything I say in this video still holds true:

Let’s review the main changes. Three new clarifying clauses have been added up front: the first two make clear that SOPA is not meant to create an affirmative obligation for site owners to monitor user content (good!) or mandate the implementation of technologies as a condition of compliance with the law (also good!). But the underlying incentives created by the statute push strongly in that direction whether or not it’s a formal requirement: What else do we imagine sites threatened under this law because of user-uploaded content or links will do to escape liability? A third clause says the bill shouldn’t be construed in a way that would impair the security or integrity of the network—which is a bit like slapping a label on a cake stipulating that it shouldn’t be construed to make you fat. These are all nice sentiments, but they remind me of the old philosophers’ joke: “You’ve obviously misinterpreted my theory; I didn’t intend for it to have any counterexamples!”

The big changes in the section establishing court-ordered blocking of supposed “rogue” sites appear to be intended to respond to the objections of cybersecurity professionals and network engineers, who pointed out that requiring falsification of Domain Name System records to redirect users from banned domains would interfere with a major government-supported initiative to secure the Internet against such hijacking. The updated language explicitly disavows the idea of redirection, removes a hard five-day deadline for compliance, and (crucially) says that any DNS operator (like your ISP) has fully satisfied its obligations under the statute if it simply fails to respond to DNS queries for blacklisted sites.

This is bad for transparency, in both the engineering and democratic senses of that term, insofar as it makes a government block indistinguishable from a technical failure, but it does, in a sense, address the direct conflict with DNSSEC. But as network engineers point out, a well-designed application implementing DNSSEC isn’t just going to give up when it doesn’t get a valid, cryptographically signed reply: it’s going to try other DNS servers (including servers outside US jurisdiction) until it finds one that answers.

There are two possibilities here. The first is that application designers don’t design their software properly to implement DNSSEC for fear of liability under the statute’s anti-circumvention provisions, which would be a Very Bad Thing. The second is that they’re assured they won’t be held liable for good design, in which case this whole elaborate censorship process—which was never going to be particularly effective against people who actually want to find pirated content—becomes a truly farcical pantomime, in which nobody running reasonably up-to-date clients even notices the nominal “blocking,” beyond a few seconds delay in resolving the “blocked” site. Now, if we’ve got to have an Internet censorship law, a completely impotent one is surely the best kind, but it becomes a bit mysterious what the point of all this is, beyond providing civil libertarians with a chuckle at the vast amount of money Hollywood has wasted ramming this thing through.

The other big change is to the private right of action, which previously would have allowed any copyright holder to unilaterally compel payment processors and ad networks to cut off sites that it merely accuses of infringement, or enabling infringement, or (in a baffling specimen of tortured language) taking “deliberate actions to avoid confirming a high probability” that the site would be used for infringement. That last little hate crime against English is mercifully absent from the revised SOPA, and it makes clear that only foreign sites are covered, and a judge is now required to actually issue an order before intermediaries are obligated to sever ties.

Which ultimately goes to show that the original proposal was so profoundly wretched that you can improve it a great deal, and still have a very bad idea. This is still, as many legal scholars have correctly observed, censorship by slightly circuitous economic means. The involvement of a judge should (knock on wood) weed out the most obviously frivolous complaints, but it still makes it far too easy for U.S. corporations to effectively destroy foreign Internet sites based on a one-sided proceeding in U.S. courts.

These changes are somewhat heartening insofar as they evince some legislative interest in addressing the legitimate concerns that have been raised thus far. But the problem with SOPA and PROTECT-IP isn’t that they need to be tweaked in order to get the details of an Internet censorship system right. There is no “right” way to do Internet censorship, and the best version of a bad idea remains a bad idea.

The New SOPA: Now With Slightly Less Awfulness! is a post from Cato @ Liberty - Cato Institute Blog

Tattoo it on your forearm—or better, that of your favorite legislator—for easy reference in the next debate over wiretapping: government surveillance is a security breach—by definition and by design. The latest evidence of this comes from Germany, where there’s growing furor over a hacker group’s allegations that government-designed Trojan Horse spyware is not only insecure, but packed with functions that exceed the limits of German law:

On Saturday, the CCC (the hacker group) announced that it had been given hard drives containing “state spying software,” which had allegedly been used by German investigators to carry out surveillance of Internet communication. The organization had analyzed the software and found it to be full of defects. They also found that it transmitted information via a server located in the United States. As well as its surveillance functions, it could be used to plant files on an individual’s computer. It was also not sufficiently protected, so that third parties with the necessary technical skills could hijack the Trojan horse’s functions for their own ends. The software possibly violated German law, the organization said.

Back in 2004–2005, software designed to facilitate police wiretaps was exploited by unknown parties to intercept the communications of dozens of top political officials in Greece. And just last year, we saw an attack on Google’s e-mail system targeting Chinese dissidents, which some sources have claimed was carried out by compromising a backend interface designed for law enforcement.

Any communications architecture that is designed to facilitate outsider access to communications—for all the most noble reasons—is necessarily more vulnerable to malicious interception as a result. That’s why technologists have looked with justified skepticism on periodic calls from intelligence agencies to redesign data networks for their convenience. At least in this case, the vulnerability is limited to specific target computers on which the malware has been installed. Increasingly, governments want their spyware installed at the switches—making for a more attractive target, and more catastrophic harm in the event of a successful attack.

The Lives of Others 2.0 is a post from Cato @ Liberty - Cato Institute Blog

Officials in London are looking everywhere but the mirror for places to affix blame for the recent riots. Beyond the immediate-term answer, individual rioters themselves, the target of choice seems to be “social media.” Prime Minister David Cameron is considering banning Facebook, Twitter, and Blackberry Messenger to disable people from organizing themselves or reporting the locations and activity of the police.

Nevermind substantive grievance. Nevermind speech rights. We’ve got scapegoats to find!

[Events like this are nothing but a vessel into which analysts pour their ideological preconceptions, so here's a sip of mine: Just like a spoiled child doesn't grow up to be a gracious and kind adult, a population sugar-fed on entitlements doesn't become a meek and thankful underclass. Also: people don't like it when the police kill unarmed citizens. Which brings us to some domestic U.S. ineptitude...]

Two-and-a-half years ago, a (San Francisco) Bay Area Rapid Transit (BART) police officer shot and killed an unarmed man on a station platform in full view of a train full of riders (video). Sentenced to just two years for involuntary manslaughter, he was paroled in June. This week, upon learning of planned protests of the killing that may have disrupted service, BART officials cut off cell phone service in select stations, hoping to thwart the demonstrators.

[Update: A correspondent notes that the BART protest was in relation to another, more recent killing.]

The Electronic Frontier Foundation rightly criticized the tactic in a post called “BART Pulls a Mubarak in San Francisco.” It’s the same technique that deposed Eqyptian dictator Hosni Mubarak used to try to prevent the uprising that toppled him.

What’s true in Egypt is true in the U.K. is true in the United States. People will use the new communications infrastructures—cell phone networks, social media platforms, and such—to express grievance and to organize.

Western government officials may think that our lands are an idyll compared to the exotic savagery of the Middle East. In fact, we have people being killed by inept law enforcement in the U.S. and the U.K. just like they have people being killed by government thugs in the Middle East. What seems like a difference in kind is a difference in degree—and it’s no difference at all to the dead.

Among the prescriptions that flow from the London riots and BART’s communications censorship are the intense need for greater professionalism and reform of police practices. Wrongful killings precipitate (rightful) protest and (wrongful) violence and looting. Public policies in the area of entitlements and immigration that deny people a stake in their societies need a serious reassessment.

But we also need to keep in mind the propensity of government officials—in all governments—to seek control of communications infrastructure when it serves their goals. From the perspective of the free-speaking citizen, centralization of communications infrastructure is a key weakness. It gives fearful government authorities a place to go when they want to attack the public’s ability to organize and speak.

The Internet itself is a distributed, packet-switched network that generally resists censorship and manipulation. Internet service, however, is relatively centralized, with a small number of providers giving most Americans the bulk of their access. In the name of “net neutrality,” the U.S. government is working to bring Internet service providers under a regulatory umbrella that it could later use for censorship or protest suppression. Platforms like Facebook and Twitter are also relatively centralized. It is an important security to have many of them, and to have them insulated from government control. The best insulation is full decentralization, which is why I’m interested in the work of the Freedom Box Foundation and open source social networks like Diaspora.

The history of communications freedom is still being written. Here’s to hoping that “a Mubarak” is always a failure to control people through their access to media.

Welcoming a New Common Noun: ‘the Mubarak’ is a post from Cato @ Liberty - Cato Institute Blog

In the aftermath of the Oslo terror attack, Finnish police—yes, Finnish—plan to increase their surveillance of the Internet:

Deputy police commissioner Robin Lardot said his forces will play closer attention to fragmented pieces of information—known as ‘weak signals’—in case they connect to a credible terrorist threat.

That is not the way forward. As I explored in a series of posts and a podcast after the Fort Hood shooting here in the United States, random violence (terrorist or otherwise) is not predictable and not “findable” in advance—not if a free society is to remain free, anyway. That’s bad news, but it’s important to understand.

In the days since the attack, many commentators have poured a lot of energy into interpretation of Oslo and U.S. media treatment of it while the assumption of an al Qaeda link melted before evidence that it was a nationalist, anti-immigrant, anti-Islamic “cultural conservative.” Such commentary and interpretation is riveting to people who are looking to vindicate or decimate one ideology or another, but it doesn’t matter much in terms of security against future terrorism.

As former FBI agent (and current ACLU policy counsel) Mike German advises, any ideology can become a target of the government if the national security bureaucracy comes to use political opinion or activism as a proxy or precursor for crime and terrorism. Rather than blending crime control with mind control, the only thing to do is to watch ever-searchingly for genuine criminal planning and violence, and remember the Oslo dead as Lt. General Cone did Fort Hood’s: “The … community shares your sorrow as we move forward together in a spirit of resiliency.”

Finns Begin a Quixotic Quest for Prevention is a post from Cato @ Liberty - Cato Institute Blog

It’s hard to imagine how we would get through life without necessities like bacon and duct tape. But have you ever thought about how the free market gives you so much for so little?

Here’s a video that should be mandatory viewing in Washington. Too bad politicians didn’t watch it before imposing government-run health care.

And since we’re contemplating the big-picture issue of whether markets are better than statism, here’s some very sobering polling data from EurActiv:

A recent survey has found deep pessimism among European Commission staff on a wide range of issues, including the course of European integration over the past decade and the likelihood of success of the EU’s strategy for economic growth. Some 63% partially or totally agreed that “the European model has entered into a lasting crisis.”

This is remarkable. Even the statist über-bureaucrats of the European Commission realize the big-government house of cards is collapsing, yet politicians in Washington still want to make America more like Europe.

Bacon, Duct Tape, and the Free Market is a post from Cato @ Liberty - Cato Institute Blog

An insert that ran in the Washington Times this week didn’t say directly that the Federal Trade Commission’s budget should be cut. But a few short steps get you there.

The FTC-produced insert—a 16-page, color brochure appearing in a number of papers—is titled: “Living Life Online.” It’s aimed at teaching children how to use the Internet, with articles titled: “Sharing Well With Others” and “Minding Your Manners.” An ad on the back points kids to an FTC Web site about advertising called Admongo.gov, and little smart-phone insets contain factoids like:

DID YOU KNOW? Teens text 50 messages a day on average, five times more than the typical adult (who sends or receives 10 text messages a day).

Well, I have some factoids to share, too:

DID YOU KNOW? The U.S. Constitution provides for a federal government of limited, enumerated powers (and teaching kids about the Internet is not one of them).

Here’s another:

DID YOU KNOW? The federal government has had massive deficit spending in recent years, of $459 billion in FY2008, $1.4 trillion in FY2009, $1.3 trillion in FY2010, and $1.5 trillion in FY2011 (which is a huge damper on economic recovery).

It’s time to make serious budget cuts, and a government agency that seeks to replace parenting with government propagandizing to children is a great opportunity to do that.

Cato’s Downsizing Government project has been making its way through the major agencies, but don’t overlook the little ones. President Obama’s budget called for the FTC to spend $321 million in fiscal 2012. Zeroing that out would save a bunch, not only in direct expenses but in the dead-weight loss to the economy and consumer welfare symbolized by the FTC’s awful “Man Restraining Trade” statues.

FTC Advert: Cut Our Budget! is a post from Cato @ Liberty - Cato Institute Blog

An unsettling thought.   Some allegations are so ugly that it’s hard to reserve judgment until the accused has had a chance to explain.  This report from the Today Show is a reminder as to why our legal system has trials and a presumption of innocence. 

The FBI Arrested Your Neighbor for Child Pornography! is a post from Cato @ Liberty - Cato Institute Blog

In response to civil unrest, the Egyptian government appears to have ordered service providers to shut down all international connections to the Internet. According to the blog post at the link just above, Egypt’s four main ISPs have cut off their connections to the outside world. Specifically, their “BGP routes were withdrawn.” The Border Gateway Protocol is what most Internet service providers use to establish routing between one another, so that Internet traffic flows among them.

An attack on BGP is one of few potential sources of global shock cited by an OECD report I noted here the other day. The report almost certainly imagined a technical attack by rogue actors but, assuming current reporting to be true, the source of this attack is a government exercising coercion over Internet service providers within its jursidiction. Nothing I pick up suggests that Egypt’s attack on its own Internet will have spillover effects, but it does suggest some important policy concerns.

The U.S. government has proposed both directly and indirectly to centralize control over U.S. Internet service providers. C|Net’s Declan McCullagh reports that an “Internet kill switch” proposal championed by by Sens. Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine) will be reintroduced in the new Congress very soon. The idea is to give “kill switch” authority to the government for use in responding to some kind of “cyberemergency.”

We see here that a government with “kill switch” power will use it when the “emergency” is a challenge to its authority. When done in good faith, flipping an Internet “kill switch” would be stupid and self-destructive, tantamount to an auto-immune reaction that compounds the damage from a cybersecurity incident. The more likely use of “kill switch” authority would be bad faith, as the Egyptian government illustrates, to suppress speech and assembly rights.

In the person of the Federal Communications Commission, the U.S. government has also proposed to bring Internet service providers under a regulatory umbrella that it could then use for censorship or protest suppression in the future. On the TechLiberationFront blog, Larry Downes has recently completed a five-part analysis of the government’s regulatory plan (1, 2, 3, 4, 5). The intention of its proponents is in no way to give the government this kind of authority, but government power is not always used as intended, and there is plenty of scholarship to show that government agencies use their power to achieve goals that are non-statutory and even unconstitutional.

The D.C. area’s surfeit of recent weather caused the cancellation yesterday of a book event I was to participate in, discussing Evgeny Morozov’s The Net Delusion: The Dark Side of Internet Freedom. I don’t know that he makes the case overwhelmingly, but Morozov argues that governments are ably using the Internet to stifle freedom movements.

Events going on here in the United States right now could position the U.S. government to exercise the kind of authority we might look down our noses at Egypt for practicing. The lesson from the Egypt story—what we know of it so far—is that eternal vigilance is the price of freedom.

Egyptian Government Attacks Egypt’s Internet is a post from Cato @ Liberty - Cato Institute Blog

Suzanne Lucas, who blogs as Evil HR Lady, isn’t really evil, she’s just uncomfortably candid about many workplace truths that her fellow HR professionals tend to gloss over.

One of those truths is that in general no one owes you tenure in your job, even if you do it well. In our society, the principle of employment at will is still (fortunately) given much legal weight, meaning that an employment relationship continues only if both sides want it to.

And a consequence of that might just be that the law creates no right to slag your employer on your Facebook page one evening and demand that your employer overlook it the next morning:

So, why am I in favor of companies being able to terminate an employee for online behavior? (These things, of course, aren’t limited to Facebook. Myspace, Twitter, and blogs are all good candidates for firing). Here are 3 Reasons.

Easy firing=easy hiring. I want companies to hire people. In fact, my fondest wish is that all my readers who are searching for jobs find one this year. The more restrictions government places on terminating employees, the more hesitant companies are to hire new people.

Bad judgment isn’t limited to online behavior. Companies need employees they can trust to make good decisions. If you lack the critical thinking skills to say, “Hmmm, if I post that my boss is a jerk, my boss just might find out about it,” then you probably lack the critical thinking skills to do your job. Yes, people vent. But the internet is not private. And anyone who thinks they can trust all their 476 friends to keep something quiet isn’t someone I want on my staff.

Companies should be able to presume loyalty. I know, I know, your company doesn’t care much about your career and they have no problem firing you, so why should you care about them? Because they pay you to care about them….

You can read the whole thing, including the rest of her reasoning, here.

‘Why Your Boss Should Be Able To Fire You Over Facebook’ is a post from Cato @ Liberty - Cato Institute Blog

Larry Downes has depth of knowledge and a way with words, both of which he puts to good use in this C|Net opinion piece on the FCC’s vote today moving forward with public-utility-style regulation of Internet service.

If you’re interested in learning detail about the issues, it’s a good read. My favorite part is the conclusion:

The misplaced nostalgia for an Internet that has long since evolved to something much different and much more useful has led to the adoption today of rules that may have a similar effect. The FCC’s embrace of open-Internet rules may indeed preserve the Internet—but preserve it in the same way amber preserves the bodies of prehistoric insects. That gloomy outcome isn’t certain, of course. Internet technology has a wonderful habit of routing around inefficiency and unnecessary obstacles. As between Moore’s Law and FCC law, I’m betting on the technology to prove the ultimate regulator—and the sensible one, at that.

FCC Votes to Preserve the Internet . . . in Amber is a post from Cato @ Liberty - Cato Institute Blog

If there were any doubt that the 90s are back in style, witness the Obama administration’s attempt to reignite the Crypto Wars by seeking legislation that would force Internet services to redesign their networks and products to provide a centralized mechanism for decrypting user communications. It cannot be stressed enough what a radical—and terrible—idea this is.  I’ll be writing on this at greater length this week, but a few quick points.

First, while the Communications Assistance for Law Enforcement Act (CALEA) already requires phone and broadband providers to build in interception capacity at their network hubs, this proposed requirement—at least going on the basis of the press description, since there’s no legislative text yet—is both broader and more drastic. It appears that it would apply to the whole panoply of online firms offering secure communication services, not just big carriers, imposing a greater relative burden. More importantly, it’s not just mandating that already-centralized systems install a government backdoor. Rather, if I understand it correctly, the proposal would insist on a centralized (and therefore less secure) architecture for secure communications, as opposed to an end-to-end model where encryption is handled client-side. In effect, the government is insisting on the right to make a macro-design choice between competing network models for thousands of companies.

Second, they are basically demanding that providers design their systems for breach. This is massively stupid from a security perspective.  In the summer of 2004, still unknown hackers exploited surveillance software built in to one of Greece’s major cell networks to eavesdrop on high government officials, including the prime ministers. The recent hack of Google believed to originate in China may have used a law-enforcement portal to acquire information about dissidents. More recently, we learned of a Google engineer abusing his access to the system to spy on minors.

Third, this demand has implications beyond the United States. Networks designed for interception by U.S. authorities will also be more easily tapped by authoritarian governments looking to keep tabs on dissidents. And indeed, this proposal echoes demands from the likes of Saudi Arabia and the United Arab Emirates that their Blackberry system be redesigned for easier interception. By joining that chorus, the U.S. makes it more difficult for firms to resist similar demands from unlovely regimes.

Finally, this demand highlights how American law enforcement and intel agencies have been circumventing reporting requirements designed to provide information on this very problem. As the Crypto Wars of the 90s drew to a close, Congress amended the Wiretap Act, which creates strong procedural protections when the government wants to use intrusive electronic surveillance, to add a requirement that agencies report each instance in which they’d encountered encryption.  The idea was to get an objective measure of how serious a problem this posed. The most recent report, however, cited only one instance in which encryption was encountered, out of 2,376 wiretap orders. Why, then, are we now being told encryption is a huge problem? Almost certainly because law enforcement and intelligence agencies aren’t using the Wiretap Act to intercept electronic communications—preferring, instead, to avail themselves of the far more lax standards—and spare reporting requirements—provided by the Stored Communications Act.  It’s always easier to claim you need sweeping new powers from Congress when you’ve managed to do an end-run around the provisions Congress put in place to keep itself informed about how you’re using your existing powers, after all.

Designing an Insecure Internet is a post from Cato @ Liberty - Cato Institute Blog

“Techno-Panics” are public and political crusades against the use of new media or technologies, particularly driven by the desire to protect children. As the moniker suggests, they’re not rational. Techno-panic is about imagined or trumped-up threats, often with a tenuous, coincidental, or potential relationship to the Internet. Adam Thierer and Berin Szoka of the Progress & Freedom Foundation have written extensively about techno-panics on the TechLiberationFront blog.

Talking about techno-panic does not deny the existence of serious problems. It merely identifies when policymakers and advocates lose their sense of proportion and react in ways that fail to address the genuine issues—such as censoring a web site because it reveals the fact that some few among a community of tens of millions of people will conspire to break the law.

You’d think that a congressional representative from the heart of Silicon Valley would not sow techno-panic, but here’s Jackie Speier (D-Calif.) on the Craigslist censorship issue:

“We can’t forget the victims, we can’t rest easy. Child-sex trafficking continues, and lawmakers need to fight future machinations of Internet-driven sites that peddle children.”

Of all representatives in Congress, Speier should know that Craigslist has been making it easier for law enforcement to locate and enforce the law against any perpetrators of crimes against children. Pushing them to rogue sites does law enforcement no good. Censoring Craiglist only masks the problem, which may be in the interest of politicians, but definitely not children.

Speier (D-Silicon Valley) Sows Techno-panic is a post from Cato @ Liberty - Cato Institute Blog

By now the name of Yoani Sánchez has become common currency for those who follow Cuba. Through the use of New Media (blog, Twitter and YouTube) Yoani has challenged the Castro regime in a way that various U.S. government-sponsored efforts have  failed to do before, earning the respect and tacit admiration of even those who continue to sympathize with the Cuban regime. As my colleague Ian Vásquez put it a few months ago, Yoani keeps speaking truth to power.

Although she’s a remarkable individual, Yoani is not alone in fighting repression with technology. Other bloggers are making their voice heard, and that makes the Castro dictatorship nervous. As Yoani wrote in a paper recently published by Cato, despite the many difficulties and costs that regular Cubans face when trying to access Internet,

… a web of networks has emerged as the only means by which a person on the island can make his opinions known to the rest of the world. Today, this virtual space is like a training camp where Cubans go to relearn forgotten freedoms. The right of association can be found on Facebook, Twitter, and the other social networks, in a sort of compensation for the crime of “unlawful assembly” established by the Cuban penal code.

As recent events in Iran and elsewhere have shown, once a technology becomes pervasive in a society, it is extremely difficult for a totalitarian regime to control it. A new paper published today by the Cuba Study Group highlights the potential of technology in bringing about democracy and liberty to Cuba. The document entitled “Empowering the Cuban People through Technology: Recommendations for Private and Public Sector Leaders,” also recommends lifting all U.S. restrictions that hinder the opportunities of companies to provide cell phone and Internet service to the island. For example, the paper reviews the current U.S. regulatory framework on technology investment in other repressive regimes such as Iran, Syria, Burma and North Korea, and finds that “the U.S. regulations governing telecommunications-related exports to Cuba are still some of the most restrictive.”

By removing these counterproductive restrictions, Washington could help unleash an Internet revolution in Cuba. More Yoanis will certainly bring about more change in the island than 50 years of failed U.S. trade and travel bans.

Unleashing an Internet Revolution in Cuba is a post from Cato @ Liberty - Cato Institute Blog

The Wall Street Journal reports Saturday that Turkey and Pakistan are blocking, monitoring, and threatening such websites as Google, YouTube, Facebook, Yahoo, and Amazon. At least you’ve got to give them credit for going after the big guys! The Journal notes, “A number of countries in the Islamic world, including Iran and Saudi Arabia, have banned Internet content in the past for being sacrilegious. But those countries have authoritarian governments that closely monitor the Internet and the media.” Of course, it’s not just Islamic countries that try to protect their citizens — or subjects — from dissenting thoughts. China has been involved in well-publicized battles with Google, Rupert Murdoch’s Star TV, and other media companies.

But it’s hard to make your country a part of the world economy and keep it closed to outside thoughts and images. North Korea may be able to do it — though recent stories suggest that even the benighted people of the world’s most closed society know more about the world than we have previously thought. Countries that don’t want to be North Korea have a harder time. The latest example: Thomas Erdbrink reports in the Washington Post that Murdoch’s Farsi1 satellite station is

pulling in Iranian viewers with sizzling soaps and sitcoms but has incensed the Islamic republic’s clerics and state television executives.

Unlike dozens of other foreign-based satellite channels here, Farsi1 broadcasts popular Korean, Colombian and U.S. shows and also dubs them in Iran’s national language, Farsi, rather than using subtitles, making them more broadly accessible. Its popularity has soared since its launch in August….

Satellite receivers are illegal in Iran but widely available. Officials acknowledge that they jam many foreign channels using radio waves, but Farsi1, which operates out of the Hong Kong-based headquarters of Star TV, a subsidiary of Murdoch’s News Corp., is still on the air in Tehran.

Viewers are increasingly deserting the six channels operated by Iranian state television, with its political, ideological and religious constraints, for Farsi1′s more daring fare, including the U.S. series “Prison Break,” “24″ and “Dharma and Greg.”

Those who want to build a wall around the minds of the Iranian people denounce Murdoch and his temptations:

Some critics here hold Murdoch responsible for what they see as this new infestation of corrupt Western culture. The prominent hard-line magazine Panjereh, or Window, devoted its most recent issue to Farsi1, featuring on the cover a digitally altered version of an evil-looking Murdoch sporting a button in the channel’s signature pink and white colors. “Murdoch is a secret Jew trying to control the world’s media, and [he] promotes Farsi1,” the magazine declared.

“Farsi1′s shows might be accepted in Western culture . . . but this is the first time that such things are being shown and offered so directly, completely and with ulterior motives to Iranian society. Does anybody hear alarm bells?” wrote Morteza Najafi, a regular Panjereh contributor.

The Iranian state — Akbar Ganji calls it a “sultanate” in Weberian terms — has tried to block access to Farsi1. It jams foreign channels, it sends police out to confiscate satellite dishes, but it can’t seem to prevent many citizens from tuning in to officially banned broadcasts.

Way back in 1979, David Ramsay Steele of the Libertarian Alliance in Great Britain wrote about the changes beginning in China. He quoted authors in the official Beijing Review who were explaining that China would adopt the good aspects of the West — technology, innovation, entrepreneurship — without adopting its liberal values. “We should do better than the Japanese,” the authors wrote. “They have learnt from the United States not only computer science but also strip-tease. For us it is a matter of acquiring the best of the developed capitalist countries while rejecting their philosophy.” But, Steele replied, countries like China have a choice. “You play the game of catallaxy, or you do not play it. If you do not play it, you remain wretched. But if you play it, you must play it. You want computer science? Then you have to put up with striptease.” 

North Korea and Burma choose to “remain wretched.” That’s not the future Iran’s leaders want. But they too will find it difficult to keep their citizens in an information straitjacket while participating in a global economy. 

Footnote: In all this discussion of how authoritarian governments try to protect their citizens from offensive images, alternative ideas, and what’s going on in the rest of the world, I am for some reason reminded of the “30 Rock” episode in which NBC executive Jack Donaghy (Alec Baldwin) is trying to figure out how to deal with a high-strung performer. Another actress tells him, ”You’ve got to lie to her, coddle her, protect her from the real world.” Jack replies,”I get it — treat her like the New York Times treats its readers.”

Technology vs. Tyranny is a post from Cato @ Liberty - Cato Institute Blog

A Senate plan to give the president authority to seize control of the Internet in the event of emergency is security malpractice of the highest order. As I told C|Net’s Declan McCullagh, this is a plan for an auto-immune reaction. When something goes wrong with the Internet, the government will attack that infrastructure and make society weaker.

The Internet is the medium over which we communicate and self-organize. It’s where emergency response happens—where individuals learn what is happening, communicate it to others, compare notes with friends and loved ones, and determine appropriate responses. (Our appreciation for “first responders” should not be diminshed by noting that they are typically second responders, taking over for private citizens who are almost always first on any scene.)

The Internet is also self-repairing. When weaknesses in it are exposed, that fact is communicated via Internet, and the appropriate fixes and patches are distributed via Internet. Seizing control of the Internet—to the extent the government can do that—would degrade society’s natural response to emergency, and it would undercut the Internet’s ability to self-heal.

This idea—of government authority taking over the Internet for our protection—fundamentally misunderstands the nature of the Internet, the nature of our society, and the type of government the Framers prescribed for us.

Planning a Cybersecurity Auto-Immune Reaction is a post from Cato @ Liberty - Cato Institute Blog

Wired News reports on another bill proposing to create government authority to take over the Internet—this time, because of “cyberattacks.”

Most revealing is the part of the report exposing how Senate staff must fish around for reasons why the authority would be exercised, never mind to what effect:

In order for the President to declare such an emergency, there would have to be knowledge both of a massive network flaw — and information that someone was about to leverage that hole to do massive harm. For example, the recent “Aurora” hack to steal source code from Google, Adobe and other companies wouldn’t have qualified, one Senate staffer noted: “It’d have to be Aurora 2, plus the intel that country X is going to take us down using that vulnerability.”

A second staffer suggested that evidence of hackers looking to leverage something like the massive Conficker worm — which infected millions of machines and was seemingly poised in April 2009 to unleash something nefarious — might trigger the bill’s emergency provisions. “You could argue there’s some threat information built in there,” the staffer said.

These scenarios will never happen. And we wouldn’t want the government grabbing control of the Internet if they did.

The idea of government “taking over” the Internet for security purposes is equal parts misconceived and self-defeating. It’s a packet-switched network, meaning that it routes around the equivalent of damage that would be caused by anyone’s attempt to “control” it. The government could certainly degrade the Internet with a well-coordinated attack, of course.

And that’s the way to think about government controlling the Internet in some kind of emergency: It would be an attack on the country’s natural resilience.

In February, CNN broadcast a bogus reality TV show produced by the Bipartisan Policy Center called “cyber.shockwave.” A variety of technically incompetent government officials talked about pulling the plug on the Internet and cell phone networks in response to some emergency. Commentator D33PT00T captured the idiocy of this idea, Tweeting, “ok my phn doesn’t work & Internet doesn’t work – ths guys R planning 2 run arnd w/ bullhorns ‘all is well remain calm!’”

The Internet may have points of weakness, but it is a source of strength overall. A government take-over of the Internet in the event of emergency would be equivalent to an auto-immune reaction in which the government would attack the society. Proposals for the federal government to take control of the Internet under any circumstance are unfounded and dangerous.

Unfounded Government Plans to Take Control of the Internet is a post from Cato @ Liberty - Cato Institute Blog

The “Cyber Privacy Act”? No it ain’t!

Michigan Representative Thaddeus McCotter (R) has introduced a bill to create a take-down regime for personal information akin to the widely abused DMCA process. The Digital Millennium Copyright Act established a system where copyright holders could as a practical matter force content off the Internet simply by requesting it.

McCotter’s proposal would similarly regulate every Internet site that has a comment section. He thinks it’s going to protect privacy, but he’s sorely mistaken. Its passage would undermine privacy and limit free speech.

I’ll take you through how McCotter’s gotten it wrong.

The operative language of H.R. 5108 is:

Any Internet website that makes available to the public personal information of individuals shall–

(1) provide, in a clear and conspicuous location on the Internet website, a means for individuals whose personal information it contains to request the removal of such information; and

(2) promptly remove the personal information of any individual who requests its removal.

The Federal Trade Commission would enforce the failure to abide by requests as it does unfair and deceptive trade practices. (Meaning: penalties.)

So if someone posts his or her name in a comment section and later regrets it, the operator of that web site would have to take it down. Sounds nice—and that is the right thing for webmasters to do when the circumstances warrant. But what about when they don’t?

Let’s say you run a site that receives hundreds or thousands of comments per day, many of them from anonymous visitors. Let’s say the site deals with controversial issues, and some visitors are angry at each other—they’re even angry at the site for hosting the discussion. Those visitors start working to undermine the conversation. They personally attack others, adopt false names, tell lies, and use vulgarities. This kind of person is well known on the web. They’re called “trolls.”

What would trolls do if federal law required webmasters to take down personal information by request? Simple: They would post the personal information of others. They would pose as others and falsely ask to have information taken down.

It’s a great way to attack a site: require it to consider hundreds or thousands of personal information take-down requests, each one backed by the threat of federal penalties.

What do you do as a webmaster to counter that? You require all comments to be tied to a fixed identity. Require a log-in before site visitors can comment. Then you can figure out later if the person requesting a take-down of personal information is the person who it pertains to.

What’s the result of that? Web sites collect and store more information about visitors. Then they turn around and use it for tracking and marketing. The information is available to litigators and government investigators, of course, through subpoenas and warrants.

Are you doing the math? McCotter’s “Cyber Privacy” bill is a proposal to increase Internet surveillance. Maybe he intends to improve Internet courtesy and decency. But decency is not a federal government project. It’s bottom-up, not top-down.

I write, of course, as a spare-time webmaster myself. The bills on WashingtonWatch.com get hundreds of comments per day. Many bills get lots of comments, but one in particular—subject of dispute, controversy, and trolling, along with productive political organizing—has over 130,000 comments.

I do a lot to foster a good visitor experience, consistent with maintaining the space available for free speech. I advise people about how to deal with trolls, I allow people to register so their stable identities can build trustworthy reputations, I proctor commenters about controlling vulgarities—sometimes strongly editing comments when they don’t, and I allow users to block commenters and words they don’t want to see.

When the context warrants it, I do remove personal information at the request of people that I believe are making honest, good faith requests. I think it’s part of what builds allegiance to the site.

But if I were required by law to do this, it would be an entirely different calculation. Each request would present me with a veiled legal threat, not a small customer service opportunity.

As trolls figured out how to exploit the law—the way some copyright holders exploit the DMCA—they could inundate small sites with requests. Webmasters would be right to treat all requests with suspicion. Confirming requests would require them to convert to greater surveillance. A percentage of the small sites and blogs that are hobbies or money-losers would just shut down comments rather than deal with the nonsense.

Representative McCotter’s plan to regulate Internet communications this way is no “Cyber Privacy” act. It’s anti-privacy, and it’s anti-free-speech.

McCotter’s Plan to Expand DMCA-Style Take-Downs is a post from Cato @ Liberty - Cato Institute Blog

The secrecy surrounding government surveillance is a constant source of frustration to privacy activists and scholars: It’s hard to have a serious discussion about policy when it’s like pulling teeth to get the most elementary statistics about the scope of state information gathering, let alone any more detailed information. Even when reporting is statutorily required, government agencies tend to drag their heels making statistics available to Congress — and it can take even longer to make the information more widely accessible. Phone and Internet companies, even when they join the fight against excessive demands for information, are typically just as reluctant to talk publicly about just how much of their customers’ information they’re required to disclose. That’s why I’m so pleased at the news that Google has launched their Government Requests transparency tool.  It shows a global map on which users can see how many governmental demands for user information or content removal have been made to Google’s ever-growing empire of sites — now including Blogger, YouTube, and Gmail — starting with the last six months.

So far, the information up there is both somewhat limited and lacking context.  For instance, it might seem odd that Brazil tops the list of governmental information hounds until you bear in mind that Google’s Orkut social network, while little-used by Americans, is the Brazilian equivalent of Facebook.

There are also huge gaps in the data: The United States comes in second with 3,580 requests from law enforcement at all levels, but that doesn’t include intelligence requests, so National Security Letters (tens of thousands of which are issued every year) and FISA warrants or “metadata” orders (which dwarf ordinary federal wiretaps in number) aren’t part of the tally. And since China considers all such government information requests to be state secrets — whether for criminal or intelligence investigations — no data from the People’s Republic is included.

Neither is there any detail about the requests they have counted — how many are demands for basic subscriber information, how many for communications metadata, and how many for actual e-mail or chat contents. The data on censorship is similarly limited: They’re counting governmental but not civil requests, such as takedown notices under the Digital Millennium Copyright Act.

For all those limits — and the company will be striving to provide some more detail, within the limits of the law — this is a great step toward bringing vital transparency to the shadowy world of government surveillance, and some nourishment to the data-starved wretches who seek to study it. We cannot have a meaningful conversation about whether censorship or invasion of privacy in the name of security have gone too far if we do not know, at a minimum, what the government is doing. So, for a bit of perspective, we know that U.S. courts reported a combined total of 1,793 (criminal, not intel) wiretaps sought by both federal and state authorities. Almost none of these (less than 1 percent) were for electronic interception.

This may sound surprising, unless you keep in mind that federal law establishes a very high standard for the “live” interception of communications over a wire, but makes it substantially easier — under some circumstances rather terrifyingly easy — to get stored communications records. So there’s very little reason for police to jump through all the hoops imposed on wiretap orders when they want to read a target’s e-mails.

If and when Google were to break down that information about requests — to show how many were “full content” as opposed to metadata requests — we would begin to have a far more accurate picture of the true scope of governmental spying. Should other major players like Yahoo and Facebook be inspired to follow Google’s admirable lead here, it would be better still.  Already, though, that one data point from a single company — showing more than twice as many data requests as the total number of phone wiretaps reported for the entire country — suggests that there is vastly more actual surveillance going on than one might infer from official wiretap numbers.

How Much Government Snooping? Google It Up! is a post from Cato @ Liberty - Cato Institute Blog