Archives: 09/2009

Chart of the Day — Federal Ed Spending

The debate over No Child Left Behind re-authorization is upon us.

Except it isn’t.

In his recent speech kicking off the discussion, education secretary Arne Duncan asked not whether the central federal education law should be reauthorized, he merely asked how.

Let’s step back a bit, and examine why we should end federal intervention in (and spending on) our nation’s schools… in one thousand words or less:

Fed Spend Ach Pct Chg (Cato -- Andrew Coulson)

While the flat trend lines for overall achievement at the end of high school mask slight upticks for minority students (black students’ scores, for instance, rose by 3-5 percent of the 500 point NAEP score scale), even those modest gains aren’t attributable to federal spending. Almost that entire gain happened between 1980 and 1988, when federal spending per pupil declined.

And, in the twenty years since, the scores of African American students have drifted downard while federal spending has risen stratospherically.

Senator Bennett, Rubbing His Temples Over, and Over, and Over, and Over Again

Nancy Scola at TechPresident has a pretty hilarious write-up of a Senate hearing Tuesday on the transparency and accessibility of government contracting databases. Guess what? It’s a mess.

And on the TechLiberationFront blog, I expressed my dismay with industry association “TechAmerica” dragging its heels on transparency in service to its government-contractor membership.

President Obama’s Trade War on the Poor

A Wall Street Journal story yesterday reports the rising level of poverty in America caused by the steep and lingering recession. As I point out in a Washington Times column that also ran yesterday, one unintended consequence of President Obama’s trade policies so far has been to make the growing number of poor even poorer.

As I explained in the “Economic Watch” column:

America’s highest remaining trade barriers are aimed at products mostly grown and made by poor people abroad and disproportionately consumed by poor people at home. While industrial goods and luxury products typically enter under low or zero tariffs, the U.S. government imposes duties of 30 percent or more on food and lower-end clothing and shoes - staple goods that loom large in the budgets of poor families.

To win favor with organized labor and other opponents of trade liberalization, Mr. Obama has either defended or actually raised barriers on precisely those products of most interest to poor households. …

The $25 billion in revenue raised each year from import duties represent by far the most regressive tax the federal government imposes. Yet the Obama administration and the Democratic Congress have refused to move forward with trade agreements that would lower trade taxes that fall most heavily on the poor. By supporting the farm bill, but not new trade agreements, the president has embraced the status quo rather than change.

Read the full article.

On Notice

I’m delighted that Julian Sanchez has joined us at Cato. He’s as smart as they come. I’m equally pleased that I’ll have an intellectual sparring partner here on some of my issues from time to time. I encouraged Julian to share here some of what we had been discussing about privacy notices via email.

There are lots of dimensions to our conversation, but I’ll summarize it as follows: Can federal statutes protect Web surfers’ privacy? (We’re talking about privacy from other private actors, not privacy from government. Government self-control expressed in federal statutes could obviously improve privacy from government.)

Julian can see a couple of statutes helping: a requirement that third-party trackers provide a link explaining what they do, and a requirement that privacy policies be enforceable.

I think the former is a fine thing if people want it. I’m dubious about its benefits, though, and wouldn’t mandate it. The latter is the outcome I prefer—strongly!—but a federal statute is the wrong way to get there.

As you read Julian’s comment and mine, I think the divide you’ll see is a common one among libertarians. Some of us love efficiency and wealth creation, which is such a delightful product of free markets. And some of us love freedom for its own sake, not just for free markets, efficiency, and wealth creation. We’ll give up a little efficiency and wealth (in the short term) to protect liberty.

I’ll discuss the topic in the order I would as a legislative staffer (which I was), treating first the subject Julian left to last: whether the federal government has a constitutional role.

Is It Constitutional?

As we all know, the U.S. constitution gave the federal government limited powers, reserving the rest to the states and people. This was for a number of reasons, including contemporary experience with the imperiousness of a remote government.

Technology and communications might eventually change things, but so far nothing has overcome the proclivity of remote powers to misunderstand their subjects and act badly toward them, ignorant of their needs. (I’ll discuss how little the federal government—or anyone—knows about consumers’ privacy interests below.)

The constitution did give the federal government power to “regulate commerce with foreign nations, and among the several states, and with the Indian tribes.” Under the articles of confederation, the states had fallen into trade protectionism, and the purpose of this power was to suppress this form of parochialism.

It’s a straightforward inference from the grant of like authority over international, interstate, and tribal commerce that this was not a general grant to regulate all things we today call “commercial.” It was authority to make regular the buying and selling of things across jurisdictional lines. The Supreme Court allowed the limits on the commerce power to be breached in the New Deal era.

Has the constitutional design of our government been rendered quaint by the emergence of national markets for goods and services? By that international marketplace for goods, services, and ideas that we call the Internet?

No. Because the constitution and the commerce clause were not a commercial charter. They were the design of what we would today call a “political economy.” The framers designed in competition for power among branches of the federal government and between the states and federal government. Government powers contesting against each other would leave the people more free. I won’t recite how federalism works in every detail, but I encourage people to familiarize themselves with its genius.

National markets and the Internet do weaken federalism in some respects. They make it harder for businesses to exit states that make themselves unfriendly through high taxes, poor services, and inefficient regulation. Thus it is harder to hold state officials accountable. But this is no argument for removing their power to a more remote level of government, from which consumers and businesses have no power of exit save leaving the country! Establishing federal commercial rules would cut tendons in the political economy that the constitution created.

And with the whole country under the same rule, there would be almost no way to learn whether a better rule is preferable. A national rule established in ignorance of what the future holds (and they all are) stands a decent chance of being inefficient, unjust, or ill-adapted to new developments in technology, consumer demand, or business models. But there’s no corrective mechanism. Short-term efficiency gained by stabilizing expectations comes at the cost of long-term sclerosis.

There are ways consistent with the constitution to harmonize state laws while leaving states free to innovate in response to change, I hasten to point out.

The “national markets” argument for federal preemption is supported by many efficiency-oriented libertarians. But as markets globalize, the argument will support global regulation equally well. This is something that many of those same libertarians oppose. Perhaps they believe that American politicians can be trusted but not foreign ones—I don’t know, and I don’t see much difference between them. There are many good reasons for preferring local or personal regulation to national or global.

Does Notice Work?

But let’s assume the federal government is going to act in this area, and that we have been assigned to write a statute that promotes the privacy of Web-surfers. Does requiring third-party trackers to provide notice do that? I don’t think so.

First, let’s be more precise about the problem we’re trying to fix. Julian says that there exists a set of consumer expectations that are not being met. “Empirically,” he says, most people don’t expect to be monitored all the time unless they’ve been explicitly warned otherwise. I take Julian’s point to be that this lack of notice is depriving them of information they need to exercise privacy-protective self-help. The result is less privacy than consumers would have with notice and lower consumer welfare.

I haven’t seen the research on which Julian bases his statement about consumer expectations, and I don’t know of any public opinion research that has overcome the deficits Solveig Singleton and I identified in our 2001 paper on privacy polling.

If people have these expectations, they’re counterfactual. I’m willing to be corrected if it’s no longer true, but I believe that most servers record and store the IP addresses from which they have received requests for data, monitoring and archiving records of all visitors in at least an elemental sense.

I don’t think consumers’ expectations are terribly clear. Expectations are still being set, and my recent post about the White House’s cookie policy was a volley in the battle to set them.

My preference is for consumers to be empowered and required to protect themselves from cookie-based tracking that they don’t want. I believe consumers are responsible for their choices in computers, software, Internet connection, and security. No computer is ever “coaxed” into releasing information if it hasn’t been set up to allow it.

Protection against unwanted data release isn’t easy in a changing technology environment, but Internet users have a great deal of help in making their choices, and they will get better at it if their well-being requires it. The alternative is nannying and regulation of the type most libertarians object to.

In his post, Julian appears to agree that people shouldn’t expect privacy in messages posted to public fora but then switches the subject slightly. Drawing an analogy between Web surfing and a changing room at a clothing store, he suggests that much online behavior is like undressing in a cordoned-off area on someone else’s premises. Decency (and, Julian says, law) requires notice when people might be observed in that setting.

I fear that Julian has lumped a lot of very different kinds of interaction together, making the online world legible for the purpose of writing a uniform rule about how it should work. Planners must do away with complexity, of course, but that is why planning fails so badly compared to the self-organizing done in markets and reflected in common law rules.

Again, given the thousands of different contexts of online communication, I don’t think people’s expectations are settled or static. People’s expectations when clicking from site to site sweep across a much wider, newer landscape than when they are buying a toaster, in which expectations truly are relatively settled.

But assuming that people do have the expectations Julian says, will notice that their expectations are not being met make them aware of it? Will it empower them to protect their privacy? Our experience with first-party tracking suggests otherwise.

In the late 1990s, the U.S. commercial Internet adopted a strong custom of posting privacy policies. It’s worth noting that this was adopted without government coercion (though there was the threat of coercion—in our business, we never get controlled experiments). Well-intended though this was, it has not spawned a culture of privacy.

What evidence there is suggests that people don’t read privacy policies. When people choose online service providers, they don’t compare the written policies of different providers. Their sources of information instead include news stories, friends, blogs—a marketplace of information much more robust than these privacy policies.

Consumers do adjust the online products and providers they use, mostly by shunning what they find scary. Firms adjust their privacy practices in light of their own and other firms’ flubs. I think much or all of this would happen regardless of whether there was a privacy notice on every homepage. (Again, we lack controlled experiments.)

The few privacy advocates who read notices—and even many privacy advocates don’t bother—routinely complain about how permissive they are. Many notices say, essentially, “We care about your privacy a lot! And we do whatever we please with the information you give us!”

Consumers do not seem willing to punish them for having such information policies. One possibility is that consumers don’t care about privacy in many circumstances. That’s not crazy. Another is that notices don’t inform. There’s a good chance that consumers take the existence of notice as an indication that they are being accorded privacy, regardless of what’s in the policy. Privacy notices may fool consumers into thinking they’re protected when they’re not.

In the main I can’t say our online culture is necessarily shaping up wrongly, but the presence of notice about first-party tracking has not made consumers much better off in terms of privacy. It may have given information to advocacy groups and watchdogs that they otherwise wouldn’t have gotten so easily, but links on every homepage are just ritual. The privacy conversation happens elsewhere. I don’t think this ritual should be extended and deepened with more notice about more things.

Julian is not alone in thinking it should, of course. There are many who would impose comprehensive notice regimes or refine the ones we’ve got. Many of these people confuse privacy notices with privacy, and privacy laws with privacy. I don’t think mandating privacy notices bears up as an effective consumer protection.

Easier Said Than Done

I also think there are a lot of practical problems and costs to mandating privacy notices.

As so many have before him, Julian asks for an “ordinary-language explanation” of what is going on. But we don’t yet have a reliable and well-understood language for describing all the things that happen with data. Much less do we know what features of data use are salient to consumers. Many blame corporate obfuscation for long, confusing privacy policies, but just try describing what happens to information about you when you walk down the street and the difficulty with writing privacy policies become clear.

Then there’s avoidance. A lot of tracking is fungible, and new innovations in tracking are sure to come, both on the technical side and the business side. If a notice regime were to stir consumer opposition to third-party tracking, the tracking could well shift back to first parties who could then serve up the products of tracking as third parties do now. What will the rule have done, then, but distort and raise costs in information markets without improving privacy?

The answer when notice fails to protect privacy, of course, is to ban tracking altogether, a goal that I think some privacy advocates maintain sub rosa. This would undercut the free-content Internet, which is supported by advertising, and which uses tracking for targeting. Mandating notice is a step toward giving people privacy they may not want while taking away content they do.

Julian would propose an elegant rule, of course, but would it survive the trip through a legislature? We have experience there, too, with California’s privacy policy mandate. Does it look simple to you? As statutes go, it actually is. (California Business and Professions Code Section 22575-22579, you’ve just been damned with faint praise…!)

There are plenty of seams in it, though. Take what it means to “conspicuously post” a privacy notice—a defined term in the legislation. Last year, a brouhaha broke out over the meaning of “conspicuously post” with regard to Google’s privacy policies. It would have been funny if it weren’t so stupid. By the reckoning of many, Google was failing to “conspicuously post” its privacy policy by failing to put a link to it on its homepage.

Google, of course, is a search engine. It helped bring about the end of the portal era, during which we went to sites with great masses of links. Google works hard to maintain a clean, crisp, “anti-portal” homepage, and its privacy policy was and is easily found via search. But it could not withstand the pressure to post a privacy link on its home page. Today, more people probably click on that link by mistake than on purpose.

Is html the last protocol? How do you implement a link to a privacy notice on services of the future that don’t necessarily use the Web? How much money and time should a revolutionary new Internet device or service using a new protocol spend arguing to the Federal Trade Commission that it should be allowed to proceed?

Of course, every new regulation is wafer-thin. I don’t oppose them because each and every one of them lack any merit—only because the entirety of them do more harm than alternatives would. So let’s now turn to my preferred alternative: common law.

Common Law Rules Rule

Julian analogizes his third-party notice rule to the common law contract doctrine of implied warranty, of which I approve because it has shown over generations to be a fair and efficient rule. Things sold as toasters are supposed to toast bread. If you’re selling a toaster that doesn’t do that, and if you don’t make that clear, you violate a term implied by common law into sales contracts. But rules that haven’t been tested and proven over time like this don’t deserve to be laws.

Until recently (in historical terms), all law was common law. People made up the laws that suited their needs and passed them from generation to generation. Julian’s description of common law as “parasitic” on social practice is inapt. Social practice and common law are on a continuum. When a custom is so deeply ingrained and wrapped up with the rights we accord people, we treat that custom as law and penalize or punish deviations through coercive means. (I don’t think there should be a lot of law, of course.)

With our habit for personality cults, we like to think that Hammurabi, Justinian, and Napoleon were “law-givers,” but what they did was write down law that already existed in the practices of the people. (In an age of mass illiteracy, it’s doubtful that writing something down did much to affect people’s behavior.)

When civil law countries started writing summaries of their law, they took one road: expert lawmakers would decide the rules that govern society.  Common law countries went down another path, in which courts formalized the law discovery process but did not seek to supplant it.

Legislatures in both systems today are typically bodies of non-experts—neither legal experts nor subject matter experts—who deign to script how society should work rather than letting society decide for itself. As we see daily in Washington, D.C., the result is not a system that gravitates toward fairness or efficiency, but a series of compromises dividing goodies (money and rules) among the best-represented interests in society, the rest of the population be damned.

No legislature today, and for all his smarts not Julian, has the knowledge needed to write an appropriate rule about what (if anything) people should be told when they go to a Web site or click on a link. With users having the ability to discern what a link does, and having knowledge that the Internet is a big copying machine, I think that the most efficient, fair, and protective rule will probably be caveat clickor. But I am willing to wait and see if that is best.

If consumers want to know something before they click, they are well equipped to let Web sites know their preferences. Let social customs evolve to meet the needs of consumers in light of ongoing multi-layered change in the Internet and its use.

“But doesn’t an ever-changing Internet make the case for some modest regulation? The Internet is so new! We really must have baseline rules or we’ll have costly disorder! We pay the price every day for our failure to regulate because people aren’t going online like they would if they were confident of their privacy!”

These are arguments regulators and social engineers make to sound “market friendly.” The problem is that they rest on the same unsupported assertions that Julian has made about privacy expectations, notice, human wants, and the interactions among these things.

There is plenty of surmise but little good evidence that people are staying offline because of privacy concerns. There is little understanding of how to get people to protect their privacy. Notice is at best an unproven technique, more probably a waste of time.

You can regulate in haste, but you won’t necessarily achieve anything. And it’s not the job of legislators—certainly not Congress—to make the privately owned and operated Internet more user-friendly.

Julian has it backward to suggest that statutes should move in to stabilize expectations when technology is fast-changing. That’s precisely the wrong time to congeal the rules.

When existing law doesn’t serve new conditions, custom followed by common law slowly discover adaptations to satisfy them. It takes some time—and it’s time that should be taken. The alternative, statutory law, has no corrective function to undo regulations that fail to suit later circumstances.

The notice rule Julian proposes is planning of the type we deplore when it comes to industrial production, the layout of towns and cities, transportation, energy, educational curricula, and so on. Why support it when it comes to online rules of engagement?

In my withering, fun attack on Julian’s notice rule, I’ve left out whether privacy notices should be enforceable. They should. As contract terms. I look forward to that rule being adopted at common law. I regret it each time the Federal Trade Commission disrupts the conditions that would establish that rule. And I’m eager to learn how society will solve the problem of damages.

A Preliminary Assessment of PATRIOT Reform Bills

Hearings were held on both sides of the Hill last week to consider a trio of surveillance powers set to expire under PATRIOT Act sunset rules. But the stage is set for a much broader fight over the sweeping expansion of search and surveillance authority seen over the past eight years; the chairmen of both the House and Senate Judiciary Committees have announced their intention to use the occasion to revisit the entire edifice of post-9/11 surveillance law. Two major reform bills have already been introduced: Sen. Russ Feingold’s JUSTICE Act and Sen. Patrick Leahy’s USA PATRIOT Sunset Extension Act. Both would preserve the core of most of the new intelligence tools while strengthening oversight and introducing more robust checks against abuse or overreach. The JUSTICE Act, however, is both significantly broader in scope and frequently establishes more stringent and precisely crafted civil liberties safeguards. Most observers expect the Leahy bill to provide the basis for the legislation ultimately reported out of Judiciary, the central question being how much of JUSTICE will be incorporated into that legislation during markup later this week. While the surveillance authorities and oversight measures covered in each bill are varied and complex, it’s worth examining the differences in some detail.

Immunity

One thing to get out of the way first: Most of the press coverage I’ve seen of Feingold’s bill to date leads with the provision that would repeal the retroactive legal immunity Congress granted to telecommunications firms that participated in the National Security Agency’s program of warrantless wiretaps. During last year’s debate over reforms to the Foreign Intelligence Surveillance Act, most reporters seem to have decided that because the immunity controversy was the sexiest or the easiest aspect of the FISA amendments to explain, it was also the most important. Which is pretty much backwards. Granting retroactive immunity was a bad idea, but the repeal clause in the JUSTICE Act is (a) not terribly likely to pass, and (b) ultimately trivial compared with the need to place reasonable limits on powers that, without strong oversight, could permit large-scale spying on Americans. In a paradoxically somewhat ominous development, a separate telecom immunity bill was introduced Monday with the co-sponsorship of both Feingold and Leahy, along with Chris Dodd and Jeff Merkley. I say “ominously” because it can be read as indicating a consensus among Democratic senators to focus on the headline-friendly immunity issue at the expense of the more important safeguards on future surveillance. More hopefully, breaking it out could be a “we tried” move designed to win plaudits from allies and draw fire from enemies without letting the measure be a poison pill in the broader reform bill, where the stuff that matters ends up. Time will tell, obviously.

Lone Wolves

That aside, let’s start with the three expiring provisions, which I discussed briefly last week.  The so-called “lone wolf” provision allows the special investigative powers of FISA, which normally require a target to be an “agent of a foreign power,” to be used on non-citizens who lack any apparent affiliation to a terrorist group, but nevertheless are thought to be engaged in “international terrorism or activities in preparation therefor.” The Leahy bill would renew it; Feingold’s JUSTICE Act does not. Lone wolf authority has never been invoked, suggesting that, as yet, it has been neither subject to abuse nor particularly urgently needed. But since the statutory definition of a “lone wolf” requires evidence of criminal conduct—engagement in “international terrorism”—any case in which it would apply should also be a case where investigators would be able to obtain an ordinary Title III criminal warrant.

That seems like the more appropriate approach for some of the cases that the Justice Department apparently thinks would be covered, such as a person who “self-radicalizes” by reading terrorist Web sites. If that is the extent of the “international” connection required, the provision uncomfortably blurs the line between domestic national security investigations, for which the Fourth Amendment demands a traditional warrant, and foreign intel investigations where an array of special considerations closely linked to the actual involvement of “foreign powers” justify greater leeway for investigators.

Roving Taps

Both bills would renew FISA’s “roving wiretap” authority, which permits investigators to eavesdrop on targets without specifying a particular phone line or e-mail account in advance, in order to deal with suspects who may rapidly change communications venues in an attempt to thwart surveillance. Under FISA, however, owing to the difficulties inherent in foreign intel surveillance, the target of a warrant can be merely described rather than directly identified.  This led to worries about “John Doe” roving warrants that would contain neither the target’s name nor any particular location. Congress added some extra language in 2006, requiring the target to be “specifically described”—that is, if not a name, a precise enough description to single out a unique individual—in roving warrants, and also required after-the-fact notice of the court when surveillance “roved” to a new facility.

Given the secrecy inherent in FISA proceedings, it’s impossible to know precisely how investigators and the court have interpreted this new language, or whether it truly provides an adequate safeguard. Where the Leahy bill would renew roving as currently written, JUSTICE adds the requirement that roving warrants contain the “identity” of the target, and codifies the principle that roving taps should only be activated during periods when it is reasonable to believe the target is “proximate to” the facility. The latter language, it should be noted, may actually have the practical effect of loosening restrictions on roving taps. Even in roving cases, FISA’s minimization provisions require an evidentiary “nexus” between the target and a facility that “is being used, or about to be used” by the target. The “proximity” standard pulled across from the Title III criminal context may actually be more permissive.

215 “Tangible Thing” Orders

Last of the provisions expiring this year is authority  under section 215 of FISA, to compel the production of “any tangible thing”  from just about anyone, though it’s primarily intended to cover various kinds of business records. Under the original PATRIOT Act, this required only a certification to the secret FISA court that the records or objects sought were “relevant” to an investigation. In 2006, Congress added a requirement that applications for 215 orders include some factual showing of relevance, but many kinds of requests were deemed presumptively relevant.

Both bills tighten this up, with some minor differences. All now limit 215 orders to records pertaining to suspected agents of foreign powers, the activities of those agents, or persons known to be in direct contact with or otherwise linked to those agents. This preempts expanding friend-of-a-friend fishing expeditions where the target’s father’s brother’s nephew’s cousin’s former roommate’s colonoscopy results are potentially “relevant.” Feingold adds a “least intrusive means” requirement when the records pertain to “activities”—since in that case the presumption is that the identities of the specific targets are unknown, and the order seeks to discover them. Feingold’s bill also permits records to pertain to a “subject of an ongoing and authorized national security investigation” other than an agent of a foreign power, which would appear to broaden the scope of accessible records.

Neither bill responds to the concern raised by civil libertarians that “contact” with a suspect is too vaguely defined. Again, since we’re necessarily ignorant about precisely how courts have construed the “relevance” standard, it wouldn’t hurt to make explicit that when the records sought pertain to non-targets in “contact” with a target, there be some showing that establishes a nexus between the nature of the contact and the investigatory purpose to obtain foreign intelligence information.

National Security Letters

That covers the expiring provisions. Fortunately, both bills recognize that it would be fruitless to tighten restrictions on 215 orders without doing something to rein in the vastly more frequently used National Security Letters. An Inspector General audit found that in at least one instance, the FBI improperly used NSLs to obtain information they had previously sought under a 215 order, and which the FISA court had denied on the grounds that the investigation raised First Amendment concerns.

More generally, it’s believed that, especially after Congress imposed some restrictions on the scope of 215 orders, investigators have preferred to instead rely on relatively unfettered NSLs whenever possible. Almost 50,000 were issued in 2006 alone, and the majority were used to obtain information about U.S. persons.  These are slightly more restricted in their application, allowing acquisition of records from telecoms and “financial institutions,” but PATRIOT removed many limitations on the types of records that could be sought from those institutions, and post-PATRIOT reforms vastly expanded the definition of “financial institution” to cover many businesses we wouldn’t intuitively describe that way: pawnshops, casinos, travel agencies, businesses with lots of cash transactions, and probably your nephew’s piggy bank. Crucially, they are issued by investigative agencies—mainly the FBI—without court approval. Inspector General audits have discovered rampant misuse of this tool.

Both bills contain language parallel to their 215 sections requiring a tighter link between the records sought and the subject of the investigation. Significantly, the JUSTICE Act also restores pre-PATRIOT limitations on the kinds of records that can be sought, limiting NSLs to relatively basic information about clients or subscribers and requiring a court order for more sensitive data. The Leahy bill would establish a new four-year sunset for expanded NSL authorities; Feingold’s does not, presumably because it already substantially rolls back PATRIOT’s expansion of those authorities. Greg Nojeim of the Center for Democracy and Technology argues that NSL reform is the most important part of the PATRIOT reauthorization debate.

Gag Orders

NSLs and 215 orders are both routinely accompanied by gag orders, which several courts have found to raise significant First Amendment problems.  Both bills allow recipients of NSLs or 215 orders to challenge both the orders and any accompanying gag, and shift the burden of proof from the recipient to the government to show that the gag—now limited in duration, but renewable—is necessary to avert harm to an investigation or to national security. Previously recipients seeking to challenge a gag were in the unenviable position of proving that there was “no reason” to think disclosure could have any adverse consequence. JUSTICE, however, goes further in detailing the specific kinds of harms that may justify imposition of a gag, and requiring a showing a direct link between the alleged harm and the particular investigation, while the Leahy bill permits more generalized and vague allegations of harm.

Also covered under both bills are pen registers and trap-and-trace devices, typically bundled together under the rubric of “pen/trap” surveillance, which involves acquiring communications metadata—the numbers and times of incoming and outgoing phone calls, e-mail addresses, Web URLs visited, and the like—under a lower standard than would be required for a full-blown search or wiretap. Again echoing the language of their 215 and NSL provisions, both bills put some teeth into the “relevance” requirement by limiting whose metadata can be obtained. JUSTICE, however, also imposes these limits on criminal pen/trap orders for the first time, closing a potential loophole that would remain if only FISA pen/trap orders were covered.

Reporting and Audits

Finally, the Leahy and Feingold bills both include an array of enhanced reporting requirements, mandating somewhat more detailed public disclosure of how often different investigative tools are used. Leahy’s bill also requires the Inspector General of the Department of Justice to conduct a series of annual audits, with reports to Congress, on the use of “tangible things” orders, pen/trap surveillance, and NSLs.

JUSTICE-Only Reforms: FISA Amendments Act

That covers the terrain in which the two bills overlap.  But arguably the most important difference between the Leahy and Feingold bills—and along with more stringent NSL reform, perhaps the most important component of the JUSTICE Act that should be ported into whatever bill is finally reported out of Judiciary—concerns the changes made to the ill-advised FISA Amendments Act passed last year.That law gave the Attorney General broad power to authorize wiretaps aimed at communications between the U.S. and other countries, with only anemic court oversight.

The JUSTICE Act provides stronger barriers to “reverse targeting,” in which an authorization nominally directed at a party abroad is granted for the purpose of eavesdropping on a particular U.S. person’s foreign communications. The new language clarifies that surveillance is impermissibly “reverse targeted” when it is a “significant purpose”—as opposed to “the purpose”—of the surveillance to listen in on the American party. When one side of a communication is in the U.S., the bill triggers additional requirements that either the particular communication be relevant to terrorism (not merely “foreign intelligence,” which is far broader) or that the foreign side of the communication is affiliate with a terrorist group.

Perhaps most important of all, JUSTICE bars “bulk collection”—massive, vacuum cleaner acquisition of international communications—by requiring that at least one party to any communication “acquired” be an actual individual target, though not necessarily a named or known target. While this is plainly intended to prevent the kind of Orwellian computer-filtered fishing expeditions civil libertarians have worried might be authorized, it’s important to note that there’s a potentially huge loophole here, involving ambiguity about the point at which a communication is technically “acquired.” It’s too complicated to cover in detail here, but I’ve written about it in my previous life as a journalist. If, as the government has argued in the past, acquisition only occurs when an intercepted communication is “fixed in a human readable format,” the new language would bar bulk recording in an intelligible form, but not necessarily bar bulk collection for computer filtering. Again, the issues here are fairly complex, and I’m working on a paper that takes them up in greater detail.

Other JUSTICE-Only Reforms

There are a hodgepodge of other changes in the ambitious JUSTICE Act, and I’ll just mention very briefly some of the most important ones. The bill puts some stricter limits on the granting of so-called “Sneak-and-Peek” warrants, which allow for disclosure of a search to its target to be delayed for long periods. As David Rittgers observed yesterday, these were sold as necessary for terror investigations, but as with some other PATRIOT powers, have ended up being invoked overwhelmingly in ordinary criminal cases. It tweaks the language of a PATRIOT provision designed to allow monitoring of computer hackers to prevent abuse. It narrows the definition of the crime of “material support” for terrorism to make clear that it covers knowing support for criminal activities—as opposed to, say, humanitarian aid. And it ensures that PATRIOT’s definition of “domestic terrorism” can’t be applied to (legitimately illegal but non-terrorist) civil disobedience by political groups.

Either bill would do a great deal to halt the erosion of civil liberties safeguards we’ve seen over the past eight years, and in general these are reforms well crafted to provide oversight and checks against abuse without depriving investigators of tools vital to legitimate national security investigations. The most important items here, however, are the more stringent limitations on National Security letters embodied in the JUSTICE Act, and that legislation’s common-sense limits on the frankly astonishing discretion to authorize surveillance granted the executive branch under the FISA Amendments Act. How those provisions fare will tell us how serious Congress is about protecting civil liberties.

Cyberbullying Bill on the March

Federal prosecutors moved to criminalize internet harassment last year by prosecuting Lori Drew. Lori Drew, as you may recall, is a Missouri woman who created a fictional MySpace profile named “Josh” and started an online relationship with Megan Meier, a teenage girl who may have spread gossip about Drew’s daughter at the local high school. After “Josh” broke up with her, Megan Meier killed herself.

While this is despicable conduct, Missouri prosecutors found that Drew had broken no criminal statute and could not be prosecuted.

Enter Thomas O’Brien, U.S. Attorney for the Central District of California. O’Brien filed charges against Drew based on alleged violations of the Computer Fraud and Abuse Act (CFAA). O’Brien alleged that by violating MySpace’s policy requiring factual information in the user profile and affirming the click-to-agree contract, Lori Drew had committed a crime akin to hacking or unauthorized access of computer data. Because of MySpace’s ties to the Central District of California, Lori Drew was haled into court halfway across the country.

Though the jury convicted Drew and reduced the felony charges to misdemeanors, District Judge George Wu threw out the conviction because the statute would allow the prosecution of nearly anyone on the internet. The decision is available here. The government has since filed a notice of appeal. Orin Kerr notes that the appeal may face additional hurdles – the line of cases that the government used to interpret the statute so broadly has been overturned by the Ninth Circuit.

Several members of Congress have since jumped on the Named Victim Act bandwagon, sponsoring the Megan Meier Cyberbullying Prevention Act. The Act goes far beyond the issue of unauthorized access, criminalizing any rude speech delivered via the internet, cell phone, or text message:

‘(a) Whoever transmits in interstate or foreign commerce any communication, with the intent to coerce, intimidate, harass, or cause substantial emotional distress to a person, using electronic means to support severe, repeated, and hostile behavior, shall be fined under this title or imprisoned not more than two years, or both.

‘(b) As used in this section–

‘(1) the term ‘communication’ means the electronic transmission, between or among points specified by the user, of information of the user’s choosing, without change in the form or content of the information as sent and received; and

‘(2) the term ‘electronic means’ means any equipment dependent on electrical power to access an information service, including email, instant messaging, blogs, websites, telephones, and text messages.’.

The scope of this law is breathtaking. Had a rough breakup with your significant other? Engaged in a flame war on a website’s comment section? We’ve got a law against that, you know.

The House Judiciary Committee will be holding a hearing on this law tomorrow. Cato Adjunct Scholar Harvey Silverglate, author of Three Felonies a Day: How the Feds Target the Innocent, will be testifying. Silverglate will also be at a book forum on Thursday at Cato, which can be watched live here.

Tuesday Links

  • Twenty inaccurate claims in Obama’s speech to Congress on health care. “If [members of Congress] yelled out every time President Obama said something untrue about health care, they would quickly find themselves growing hoarse.”
  • Political tensions decreasing between Taiwan and China.
  • How Americans misunderstand war: “America’s biggest mistake in Afghanistan and Iraq was to think its modern military would make winning easy.”
  • Always read the fine print: There is a dangerous provision in the Senate Finance Committee’s health care bill that could deny crucial health treatments for Medicare patients.