Online Privacy and the Commerce Clause
I fear that with the PATRIOT Act on the brain, I’ve been remiss in continuing the colloquy on behavioral ads and privacy regulation that I’d been having with Jim Harper—who flattered me by responding in a long and thoughtful essay a couple weeks back. Because there’s so much interesting stuff there, I hope he won’t mind if I restrict myself to the first part of his reply here, in the interest of making this all a bit more digestible to those whose fascination with the topic may not be quite as consuming as ours. I’ll consider briefly the constitutional issue Jim raises, and turn to some of the specifics of the issue—and the relative merits of the common law alternative—in another post.
So like every good dorm room bull session, we begin in the weeds of policy and quickly find ourselves breathing the rarefied air of constitutional theory. Supposing for the moment that we thought it were a good idea on policy grounds, would it be within the power of Congress to set ground rules for online advertisers who gather personal data from Web browsers? Recall that there are two particular rules that I’ve said I’d be tentatively open to, but which Jim rejects: a requirement of notice when information is being collected (say via a small link from the adspace to a privacy policy) and a rule establishing that privacy policies are enforceable, so that individual users can sue for damages if a company knowingly violates its stated policy (thus far, courts have not generally found these to be binding). Does this fall within the power to “regulate commerce … among the several states”? I think so. I’ll start with what I hope will be some uncontroversial arguments and go from there.
Filed under: Law and Civil Liberties; Regulatory Studies; Telecom, Internet & Information Policy
On Notice
I’m delighted that Julian Sanchez has joined us at Cato. He’s as smart as they come. I’m equally pleased that I’ll have an intellectual sparring partner here on some of my issues from time to time. I encouraged Julian to share here some of what we had been discussing about privacy notices via email.
There are lots of dimensions to our conversation, but I’ll summarize it as follows: Can federal statutes protect Web surfers’ privacy? (We’re talking about privacy from other private actors, not privacy from government. Government self-control expressed in federal statutes could obviously improve privacy from government.)
Julian can see a couple of statutes helping: a requirement that third-party trackers provide a link explaining what they do, and a requirement that privacy policies be enforceable.
I think the former is a fine thing if people want it. I’m dubious about its benefits, though, and wouldn’t mandate it. The latter is the outcome I prefer—strongly!—but a federal statute is the wrong way to get there.
As you read Julian’s comment and mine, I think the divide you’ll see is a common one among libertarians. Some of us love efficiency and wealth creation, which is such a delightful product of free markets. And some of us love freedom for its own sake, not just for free markets, efficiency, and wealth creation. We’ll give up a little efficiency and wealth (in the short term) to protect liberty.
I’ll discuss the topic in the order I would as a legislative staffer (which I was), treating first the subject Julian left to last: whether the federal government has a constitutional role.
A Bizarre Privacy Indictment
Page one of today’s Washington Times—above the fold—has a fascinating story indicting the White House for failing to disclose that it will collect and retain material posted by visitors to its pages on social networking sites like Facebook and YouTube. The story is fascinating because so much attention is being paid to it. (It was first reported, as an aside at least, by Major Garrett on Fox News a month ago.)
The question here is not over the niceties of the Presidential Records Act, which may or may not require collection and storage of the data. It’s over people’s expectations when they use the Internet.
Marc Rotenberg, president of the Electronic Privacy Information Center, said the White House signaled that it would insist on open dealings with Internet users and, in fact, should feel obliged to disclose that it is collecting such information.
Of course, the White House is free to disclose or announce anything it wants. It might be nice to disclose this particular data practice. But is it really a breach of privacy—and, through failure to notify, transparency—if there isn’t a distinct disclosure about this particular data collection?
Let’s talk about what people expect when they use the Internet and social networking sites. Though the Internet is a gigantic copying machine, some may not know that data is collected online. They may imagine that, in the absence of notice, the data they post will not be warehoused and redistributed, even though that’s exactly what the Internet does.
There can be special problems when it is the government collecting the information. The White House’s “flag@whitehouse.gov” tip line was concerning because it asked Americans to submit information about others. There is a history of presidents amassing “enemies” lists. But this is not the complaint with White House tracking of data posted on its social networking sites.
People typically post things online because they want publicity for those things—often they want publicity for the fact that they are the ones posting, too. When they write letters, they give publicity to the information in the letter and the fact of having sent it. When they hold up signs, they seek publicity for the information on the signs, and their own role in publicizing it.
How strange that taking note of the things people publicize is taken as a violation of their privacy. And failing to notify them of the fact they will be observed and recorded is a failure of transparency.
America, for most of what you do, you do not get “notice” of the consequences. Instead, in the real world and online, you grown-ups are “on notice” that information you put online can be copied, stored, retransmitted, and reused in countless ways. Aside from uses that harm you, you have little recourse against that after you have made the decision to release information about yourself.
The White House is not in the wrong here. If there’s a lesson, it’s that people are responsible for their own privacy and need to be aware of how information moves in the online environment.
Public Information and Public Choice
One of the high points of last week’s Gov 2.0 Summit was transparency champion Carl Malamud’s speech on the history of public access to government information — ending with a clarion call for government documents, data, and deliberation to be made more freely available online. The argument is a clear slam-dunk on simple grounds of fairness and democratic accountability. If we’re going to be bound by the decisions made by regulatory agencies and courts, surely at a bare minimum we’re all entitled to know what those decisions are and how they were arrived at. But as many of the participants at the conference stressed, it’s not enough for the data to be available — it’s important that it be free, and in a machine readable form. Here’s one example of why, involving the PACER system for court records:
The fees for bulk legal data are a significant barrier to free enterprise, but an insurmountable barrier for the public interest. Scholars, nonprofit groups, journalists, students, and just plain citizens wishing to analyze the functioning of our courts are shut out. Organizations such as the ACLU and EFF and scholars at law schools have long complained that research across all court filings in the federal judiciary is impossible, because an eight cent per page charge applied to tens of millions of pages makes it prohibitive to identify systematic discrimination, privacy violations, or other structural deficiencies in our courts.
If you’re thinking in terms of individual cases — even those involving hundreds or thousands of pages of documents — eight cents per page might not sound like a very serious barrier. If you’re trying to do a meta-analysis that looks for patterns and trends across the body of cases as a whole, not only is the formal fee going to be prohibitive in the aggregate, but even free access won’t be much help unless the documents are in a format that can be easily read and processed by computers, given the much higher cost of human CPU cycles. That goes double if you want to be able to look for relationships across multiple different types of documents and data sets.
Filed under: Government and Politics; Telecom, Internet & Information Policy
Picture Don Draper Stamping on a Human Face, Forever
Last week, a coalition of 10 privacy and consumer groups sent letters to Congress advocating legislation to regulate behavioral tracking and advertising, a phrase that actually describes a broad range of practices used by online marketers to monitor and profile Web users for the purpose of delivering targeted ads. While several friends at the Tech Liberation Front have already weighed in on the proposal in broad terms — in a nutshell: they don’t like it — I think it’s worth taking a look at some of the specific concerns raised and remedies proposed. Some of the former strike me as being more serious than the TLF folks allow, but many of the latter seem conspicuously ill-tailored to their ends.
First, while it’s certainly true that there are privacy advocates who seem incapable of grasping that not all rational people place an equally high premium on anonymity, it strikes me as unduly dismissive to suggest, as Berin Szoka does, that it’s inherently elitist or condescending to question whether most users are making informed choices about their privacy. If you’re a reasonably tech-savvy reader, you probably know something about conventional browser cookies, how they can be used by advertisers to create a trail of your travels across the Internet, and how you can limit this. But how much do you know about Flash cookies? Did you know about the old CSS hack I can use to infer the contents of your browser history even without tracking cookies? And that’s without getting really tricksy. If you knew all those things, congratulations, you’re an enormous geek too — but normal people don’t. And indeed, polls suggest that people generally hold a variety of false beliefs about common online commercial privacy practices. Proof, you might say, that people just don’t care that much about privacy or they’d be attending more scrupulously to Web privacy policies — except this turns out to impose a significant economic cost in itself.
The truth is, if we were dealing with a frictionless Coaseian market of fully-informed users, regulation would not be necessary, but it would not be especially harmful either, because users who currently allow themselves to be tracked would all gladly opt in. In the real world, though, behavioral economics suggests that defaults matter quite a lot: Making informed privacy choices can be costly, and while an opt-out regime will probably yield tracking of some who would prefer not to be under conditions of full information and frictionless choice, an opt-in regime will likely prevent tracking of folks who don’t object to tracking. And preventing that tracking also has real social costs, as Berin and Adam Thierer have taken pains to point out. In particular, it merits emphasis that behavioral advertising is regarded by many as providing a viable business model for online journalism, where contextual advertising tends not to work very well: There aren’t a lot of obvious products to tie in to an important investigative story about municipal corruption. Either way, though, the outcome is shaped by the default rule about the level of monitoring users are presumed to consent to. So which set of defaults ought we to prefer?
Filed under: Regulatory Studies; Telecom, Internet & Information Policy
Privacy Zealot-Elitists v. Real Consumer Advocates
Berin Szoka and (Cato alum) Adam Thierer of the Progress & Freedom Foundation have been doing yeoman’s work to undermine the claim that advocates for regulation represent the interests of consumers.
Argentina Decriminalizes Personal Drug Consumption
Following in Mexico’s footsteps last week, the Supreme Court of Argentina has unanimously ruled today on decriminalizing the possession of drugs for personal consumption.
For those who might be concerned with the idea of an “activist judiciary,” the Court’s decision was based on a case brought by a 19 year-old who was arrested in the street for possession of two grams of marijuana. He was convicted and sentenced to a month and a half in prison, but challenged the constitutionality of the drug law based on Article 19 of the Argentine Constitution:
The private actions of men which in no way offend public order or morality, nor injure a third party, are only reserved to God and are exempted from the authority of judges. No inhabitant of the Nation shall be obliged to perform what the law does not demand nor deprived of what it does not prohibit.
Today, the Supreme Court ruled that personal drug consumption is covered by that privacy clause stipulated in Article 19 of the Constitution since it doesn’t affect third parties. Questions still remain, though, on the extent of the ruling. However, the government of President Cristina Fernández has fully endorsed the Court’s decision and has vowed to promptly submit a bill to Congress that would define the details of the decriminalization policies.
According to some reports, Brazil and Ecuador are considering similar steps. They would be wise to follow suit.
Filed under: International Economics and Development; Law and Civil Liberties
600 Billion Data Points Per Day? It’s Time to Restore the Fourth Amendment
Jeff Jonas has published an important post: “Your Movements Speak for Themselves: Space-Time Travel Data is Analytic Super-Food!”
More than you probably realize, your mobile device is a digital sensor, creating records of your whereabouts and movements:
Mobile devices in America are generating something like 600 billion geo-spatially tagged transactions per day. Every call, text message, email and data transfer handled by your mobile device creates a transaction with your space-time coordinate (to roughly 60 meters accuracy if there are three cell towers in range), whether you have GPS or not. Got a Blackberry? Every few minutes, it sends a heartbeat, creating a transaction whether you are using the phone or not. If the device is GPS-enabled and you’re using a location-based service your location is accurate to somewhere between 10 and 30 meters. Using Wi-Fi? It is accurate below 10 meters.
The process of deploying this data to markedly improve our lives is underway. A friend of Jonas’ says that space-time travel data used to reveal traffic tie-ups shaves two to four hours off his commute each week. When it is put to full use, “the world we live in will fundamentally change. Organizations and citizens alike will operate with substantially more efficiency. There will be less carbon emissions, increased longevity, and fewer deaths.”
This progress is not without cost:
Read the rest of this post »
Filed under: Law and Civil Liberties; Telecom, Internet & Information Policy
All Hail the Demise of a Bad Policy!
Well, not actually. Instead, the Washington Post’s headline says “U.S. Web-Tracking Plan Stirs Privacy Fears.” The story is about the reversal of an ill-conceived policy adopted nine years ago to limit the use of cookies on federal Web sites.
A cookie is a short string of text that a server sends a browser when the browser accesses a Web page. Cookies allow servers to recognize returning users so they can serve up customized, relevant content, including tailored ads. Think of a cookie as an eyeball – who do you want to be able to see that you visited a Web site?
Your browser lets you control what happens with the cookies offered by the sites you visit. You can issue a blanket refusal of all cookies, you can accept all cookies, and you can decide which cookies to accept based on who is offering them. Here’s how:
- Internet Explorer: Tools > Internet Options > “Privacy” tab > “Advanced” button: Select “Override automatic cookie handling” and choose among the options, then hit “OK,” and next “Apply.”
I recommend accepting first-party cookies – offered by the sites you visit – and blocking third-party cookies – offered by the content embedded in those sites, like ad networks. Or ask to be prompted about third-party cookies just to see how many there are on the sites you visit. If you want to block or allow specific sites, select the “Sites” button to do so. If you selected “Prompt” in cookie handling, your choices will populate the “Sites” list.
- Firefox: Tools > Options > “Privacy” tab: In the “cookies” box, choose among the options, then hit “OK.”
I recommend checking “Accept cookies from sites” and leaving unchecked “Accept third party cookies.” Click the “Exceptions” button to give site-by-site instructions.
Because you can control cookies, a government regulation restricting cookies is needless nannying. It may marginally protect you from government tracking – they have plenty of other methods, both legitimate and illegitimate – but it won’t protect you from tracking by others, including entities who may share data with the government.
The answer to the cookie problem is personal responsibility. Did you skip over the instructions above? The nation’s cookie problem is your fault.
If society lacks awareness of cookies, Microsoft (Internet Explorer), the Mozilla Foundation (Firefox), and producers of other browsers (Apple/Safari, Google/Chrome) might consider building cookie education into new browser downloads and updates. Perhaps they should set privacy-protective defaults. That’s all up to the community of Internet users, publishers, and programmers to decide, using their influence in the marketplace.
Artificially restricting cookies on federal Web sites needlessly hamstrings federal Web sites. When the policy was instituted it threatened to set a precedent for broader regulation of cookie use on the Web. Hopefully, the debate about whether to regulate cookies is over, but further ‘Net nannying is a constant offering of the federal government (and other elitists).
By moving away from the stultifying limitation on federal cookies, the federal government acknowledges that American grown-ups can and should look out for their own privacy.
Assessing the Claim that CDT Opposes a National ID
It was good of Ari Schwartz to respond last week to my recent post querying whether the Center for Democracy and Technology outright opposes a national ID or simply “does not support” one.
Ari says CDT does oppose a national ID, and I believe that he honestly believes that. But it’s worth taking a look at whether the group’s actions are consistent with opposition to a national ID. I believe CDT’s actions — most recently its support of the PASS ID Act — support the creation of a national ID.
(The title of his post and some of his commentary suggest I have engaged in rhetorical excess and mischaracterized his views. Please do judge for yourself whether I’m being shrill or unfair, which is not my intention.)
First I want to address an unusual claim of Ari’s — that we already have a national ID system. If that is true, his support for PASS ID is more sensible because it is an opportunity to inject federal privacy protections into the existing system (putting aside whether it is a federal responsibility to manage a state system or systems).
Filed under: Law and Civil Liberties; Telecom, Internet & Information Policy
Would PASS ID Really Save States Money?
The proposed PASS ID Act is a national ID just like REAL ID, and it threatens privacy just as much. Some argue that a national ID under PASS ID should be palatable, though, because it reduces costs to states.
But savings to states under PASS ID are not at all clear. Let’s take a look at the costs of creating a U.S. national ID.
The REAL ID Act, passed in May 2005, required states to begin implementing a national ID system within three years. In regulations it proposed in March 2007, the Department of Homeland Security extended that draconian deadline. States would have five years, starting in May 2008, to move all driver’s license and ID card holders into REAL ID-compliant cards.
The Department of Homeland Security estimated the costs for this project at $17.2 billion dollars (net present value, 7% discount). Costs to individuals came it at nearly $6 billion – mostly in wasted time. Americans would spend more than 250 million hours filling out forms, finding birth certificates and Social Security cards, and waiting in line at the DMV.
The bulk of the costs fell on state governments, though: nearly $11 billion dollars. The top three expenditures were $5.25 billion for customer service at DMVs, $4 billion for card production, and $1.1 billion for data systems and IT. Getting hundreds of millions of people through DMVs and issuing them new cards in such a short time was the bulk of the cost.
To drive down the cost estimate, DHS pushed the implementation schedule way back. In its final rule of January 2008, it allowed states a deadline extension to December 31, 2009 just for the asking, and a second extension to May 2011 for meeting certain milestones. Then states would have until the end of 2017 to replace all cards with the national ID card. That’s just under ten years.
Then the DHS decided to assume that only 75% of people would actually get the national ID. (Never mind that whatever benefits from having a national ID drop to near zero if it is not actually “national.”)
The result was a total cost estimate of about $6.85 billion (net present value, 7% discount). Individual citizens would still spend $5.2 billion worth of their time (in undiscounted dollars) on paperwork and waiting at the DMV. But states would spend just $1.5 billion on data and interconnectivity systems; $970 million on customer service; and $953 million on card production and issuance—a total of about $2.4 billion. (All undiscounted—DHS didn’t publish estimates for the final rule the same way it published their estimates for the proposed rule.)
Maybe these cost estimates were still too high. Maybe they weren’t believable. Or maybe Americans’ love of privacy and hatred of a national ID explains it. But the lower cost estimate did not slow the “REAL ID Rebellion.” Given the costs, the complexity, the privacy consequences, and the dubious benefits, states rejected REAL ID.
Enter PASS ID, which supposedly alleviates the costs to states of REAL ID. But would it?
At a Senate hearing last week, not one, but two representatives of the National Governors Association testified in favor of PASS ID, citing their internal estimate that implementing PASS ID would cost states just $2 billion.
But there is reason to doubt that figure. PASS ID is a lot more like REAL ID – the original REAL ID – in the way that most affects costs: the implementation schedule.
Filed under: Law and Civil Liberties; Telecom, Internet & Information Policy
Review of the Big REAL ID Hearing
The Senate Homeland Security and Governmental Affairs Committee held a hearing yesterday on the REAL ID Act and the REAL ID revival bill, known as PASS ID. I attended and want to share with you some highlights.
Good News!
Little good came from the hearing, as it was primarily focused on how to get the states and people to accept a national ID. But there is some good news.
First, Department of Homeland Security Secretary Janet Napolitano declared REAL ID dead (much as I did in my testimony two-plus years ago). “DOA” is how she referred to it.
She also said that no state will be in compliance with REAL ID by the current December 31, 2009 deadline. This is important because a lot of people think that states doing anything about the security of drivers’ licenses and ID cards are complying with REAL ID.
Another highlight was the commentary of Senator Roland Burris (D-IL). He is a beleaguered outsider to the Senate and evidently wasn’t coached on the talking points around REAL ID and PASS ID. So he flat out asked why we shouldn’t just have “a national ID.”
Senator Susan Collins’ (R-ME) nervous smile was particularly noticeable when Burris asked why the emperor had no clothes. No one was supposed to talk about national IDs at this hearing! But that’s what PASS ID is.
REAL ID and PASS ID are two versions of the same national ID system, and nobody is denying it. That’s good news because the effort to rebrand REAL ID through PASS ID has failed.
Lack of Deep Thinking = Belief in the Living Constitution?
In a twist on the “lack of deep thinking” idea, part of what might be going on in Sotomayor’s head—why she keeps answering questions about judicial philosophy with reference to precedent rather than constitutional first principles is because she’s not an originalist. How can we hope for her to tell us her understanding of the meaning of the constitutional text, after all, if that text’s meaning changes with the times?
For example, Stuart Smalley Al Franken asked Sotomayor point blank, “do you believe the right to privacy includes the right to have an abortion?” The nominee began here response with: “The Court has said….” That is, it is not the Constitution—whatever your view of it may be, whether you think it contains a right to abortion or not—that is the supreme law of the land, but what nine black-robed philosopher-kings say. Of course, if your (non-)theory of constitutional interpretation is to keep “improving” the document—and to keep one step ahead of public opinion, so judges can effect social “progress”—then it’s irrelevant what the Constitution said before the Supreme Court put its gloss on it.
And if you subscribe to this “living Constitution” or “active liberty” theory, then naturally the life experiences of a “wise Latina,” along with lessons from foreign and international law—which, Sotomayor said as recently as her April speech to ACLU, get a judge’s “creative juices flowing”—are all valid parts of your jurisprudential toolkit.
CP Townhall
Some Thinking on “Cyber”
Last week, I had the opportunity to testify before the House Science Committee’s Subcommittee on Technology and Innovation on the topic of “cybersecurity.” I have been reluctant to opine on it because of its complexity, but I did issue a short piece a few months ago arguing against government-run cybersecurity. That piece was cited prominently in the White House’s “Cyberspace Policy Review” and — blamo! — I’m a cybersecurity expert.
Not really — but I have been forming some opinions at a high level of generality that are worth making available. They can be found in my testimony, but I’ll summarize them briefly here.
. . . But What Is “Cyber”?
Cyberwar. Cyberdefense. Cyberattack. Cybercommand.
You run across these four words before you finish the first paragraph of this New York Times story (as reposted on msnbc.com). It’s about government plans to secure our technical infrastructure.
When you reach the end of the story, though, you still don’t know what it’s about. But you do get a sense of coming inroads against Americans’ online privacy.
The problem, which the federal government has assumed to tackle, is the nominal insecurity of networks, computers, and data. And the approach the federal government has assumed is the most self-gratifying: “Cyber” is a “strategic national asset.” It’s up to the defense, intelligence, and homeland security bureaucracies to protect it.
But what is “cyber”?
With the Internet and other technologies, we are creating a new communications and commerce “space.” And just like the real spaces we are so accustomed to, there are security issues. Some of the houses have flimsy locks on the front doors. Some of the stores leave merchandise on the loading docks unattended. Some office managers don’t lock the desk drawers that hold personnel files. Some of the streets can be too easily flooded with water. Some of the power lines can be too easily snapped.
These are problems that should be corrected, but we don’t call on the federal government to lock up our homes, merchandise, and personnel files. We don’t call on the federal government to fix roads and power lines (deficit “stimulus” spending aside). The federal government secures its own assets, but that doesn’t make all assets a federal responsibility or a military problem.
As yet, I haven’t seen an explanation of how an opponent of U.S. power would use “cyberattack” to advance any of its aims. If it’s even possible, which I doubt, taking down our banking system for a few days would not “soften up” the country for a military attack. Knocking out the electrical system in one region of the country for a day wouldn’t let Russia take control of the Bering Strait. Shutting down Americans’ access to Google Calendar wouldn’t advance Islamists’ plans for a worldwide Muslim caliphate.
This is why President Obama’s speech on cybersecurity retreated to a contrived threat he called “weapons of mass disruption.” Fearsome inconvenience!
The story quotes one government official as follows:
“How do you understand sovereignty in the cyberdomain?” General Cartwright asked. “It doesn’t tend to pay a lot of attention to geographic boundaries.”
That’s correct. “Cyber” is not a problem that affects our sovereignty or the integrity of our national boundaries. Thus, it’s not a problem for the defense or intelligence establishments to handle.
The benefits of the online world vastly outstrip the risks – sorry Senator Rockefeller. With those benefits come a variety of problems akin to graffiti, house fires, street closures, petit theft, and organized crime. Those are not best handled by centralized bureaucracies, but by the decentralized systems we use to secure the real world: property rights, contract and tort liability, private enterprise, and innovation.
Filed under: Foreign Policy and National Security; Telecom, Internet & Information Policy
Social Control as a Profit Center
Here’s an idea that should be killed in the crib: scanning automobiles for up-to-date insurance.
Says Gizmodo (via ars technica and the Chicago Sun-Times):
The system is anticipated to raise yearly earnings “well in excess” of $100 million (possibly even double that figure or more), with InsureNet taking a modest 30% for their services. Of course, all of this cash would be contingent on uninsured drivers actually paying their fines.
There will be thousands more reasons like this put forward for mass public surveillance. The answer should almost always be no because of the accumulations of data about law-abiding citizens such programs would collect in government (and government-contractor) databases.
America Threatened as Never Before
The Justice Department is on the job. Perceiving a dire threat against the American republic, they have acted to keep America safe. As my colleague Sallie James noted yesterday, they are stealing confiscating the money of Internet gamblers.
Reports Richard Morrison of our friends at the Competitive Enterprise Institute:
Just when it seemed that those in power had begun to think about Internet poker in a positive light, the Department of Justice throws us back into the digital dark ages by seizing $34 million in funds rightfully owned by around 27,000 online poker players. The government is alleging that the funds are associated with illegal online gambling and money laundering.
In a letter sent to Alliance Bank, the prosecutor said accounts held by payment processor Allied Systems Inc. are subject to seizure and forfeiture “because they constitute property involved in money laundering transactions and illegal gambling offenses.” The letter was signed by Arlo Devlin-Brown, assistant U.S. attorney for the Southern District of New York.
Knowing that the federal government is busy violating our privacy and grabbing our money to save us from ourselves just makes one feel great to be an American
Filed under: Regulatory Studies; Telecom, Internet & Information Policy
Privacy Regulation: Expensive and Ineffective
Lee Gomes writes on Forbes.com with a clear-eyed reminder that privacy regulation has been costly, yet failed to deliver. Lovers of government intervention will, of course, take this as an argument to double-down.
Filed under: Regulatory Studies; Telecom, Internet & Information Policy
E-Verify: The Surveillance Solution
The federal government will keep data about every person submitted to the “E-Verify” background check system for 10 years.
At least that’s my read of the slightly unclear notice describing the “United States Citizenship Immigration Services 009 Compliance Tracking and Monitoring System” in today’s Federal Register. (A second notice exempts this data from many protections of the Privacy Act.)
To make sure that people aren’t abusing E-Verify, the United States Citizenship and Immigration Services Verification Division, Monitoring and Compliance Branch will watch how the system is used. It will look for misuse, such as when a single Social Security Number is submitted to the system many times, which suggests that it is being used fraudulently.
How do you look for this kind of misuse (and others, more clever)? You collect all the data that goes into the system and mine it for patterns consistent with misuse.
The notice purports to limit the range of people whose data will be held in the system, listing “Individuals who are the subject of E-Verify or SAVE verifications and whose employer is subject to compliance activities.” But if the Monitoring Compliance Branch is going to find what it’s looking for, it’s going to look at data about all individuals submitted to E-Verify. “Employer subject to compliance activities” is not a limitation because all employers will be subject to “compliance activities” simply for using the system.
In my paper on electronic employment eligibility verification systems like E-Verify, I wrote how such systems “would add to the data stores throughout the federal government that continually amass information about the lives, livelihoods, activities, and interests of everyone—especially law-abiding citizens.”
It’s in the DNA of E-Verify to facilitate surveillance of every American worker. Today’s Federal Register notice is confirmation of that.
Filed under: Cato Publications; Telecom, Internet & Information Policy; Trade and Immigration
Computers Freedom & Privacy 2009
The Computers Freedom & Privacy conference is consistently one of the most interesting and forward-looking privacy conferences. This year, it’s at George Washington University in Washington, D.C. June 1-4.
I helped organize it this time, though by no means does the event skew libertarian. What it does is bring together people of all ideologies to discuss common concerns about the present and future state of privacy.
I’ll be speaking on a panel called “The Future of Security vs. Privacy” on Tuesday, June 2nd. Here’s the program page. And here’s the registration page if any of this whets your appetite.
Cato on Facebook
Cato on Twitter
Cato on YouTube
Cato Tweets