Tag: declan mccullagh

A No-Brainer: Bad for Privacy and Liberty

CNET journalist Declan McCullagh has lit up the Internets today with his reporting on a revamped Senate online privacy bill that would give an alphabet soup of federal agencies unprecedented access to email and other online communications.

Leahy’s rewritten bill would allow more than 22 agencies – including the Securities and Exchange Commission and the Federal Communications Commission – to access Americans’ e-mail, Google Docs files, Facebook wall posts, and Twitter direct messages without a search warrant. It also would give the FBI and Homeland Security more authority, in some circumstances, to gain full access to Internet accounts without notifying either the owner or a judge.

This would be an astounding expansion of government authority to snoop. And it comes at a time when the public is getting wind through the Petraeus scandal of just how easy it already is to access our private communications.

Assuming McCullagh’s reading of the draft he obtained is remotely plausible, Senate Judiciary Committee Chairman Patrick Leahy (D-VT) should reconsider his current course–if he wants to maintain the mantle of a privacy leader, at least.

The Washington, D.C., meta-story is almost as interesting. Who is where on the bill? And when? The ACLU’s Christopher Calabrese told McCullagh last night, “We believe a warrant is the appropriate standard for any contents.” FreedomWorks came out of the gate this morning with a petition asking for opposition to Senator Leahy’s revised bill.

The Center for Democracy and Technology did not have a comment when McCullagh asked, though spokesman Brock Meeks suggests via Twitter today that McCullagh didn’t try hard enough to reach him. The reason that’s important? CDT has a history of equivocation and compromise in the face of privacy-invasive legislation and policies. At this point, the group has said via Twitter that they “wouldn’t support the rewrite described in CNET.” That’s good news, and it’s consistent with people’s expectations for CDT both on the outside and within.

There will undoubtedly be more to this story. Emails should not only be statutorily protected, but Fourth Amendment protected, based on the framework for communications privacy I laid out for the Supreme Court in Cato’s Florida v. Jardines brief.

On Breach of Decorum and Government Growth

Last week, the Center for Democracy and Technology changed its position on CISPA, the Cyber Intelligence Sharing and Protection Act, two times in short succession, easing the way for House passage of a bill profoundly threatening to privacy.

Declan McCullagh of C|Net wrote a story about it called “Advocacy Group Flip-Flops Twice Over CISPA Surveillance Bill.” In it, he quoted me saying: “A lot of people in Washington, D.C. think that working with CDT means working for good values like privacy. But CDT’s number one goal is having a seat at the table. And CDT will negotiate away privacy toward that end.”

That comment netted some interesting reactions. Some were gleeful about this “emperor-has-no-clothes” moment for CDT. To others, I was inappropriately “insulting” to the good people at CDT. This makes the whole thing worthy of further exploration. How could I say something mean like that about an organization whose staff spend so much time working in good faith on improving privacy protections? Some folks there absolutely do. This does not overcome the institutional role CDT often plays, which I have not found so creditable. (More on that below. Far below…)

First, though, let me illustrate how CDT helped smooth the way for passage of the bill:

Congress is nothing if not ignorant about cybersecurity. It has no idea what to do about the myriad problems that exist in securing computers, networks, and data. So its leaders have fixed on “information sharing” as a panacea.

Because the nature and scope of the problems are unknown, the laws that stand in the way of relevant information sharing are unknown. The solution? Scythe down as much law as possible. (What’s actually needed, most likely, is a narrow amendment to ECPA. Nothing of the sort is yet in the offing.) But this creates a privacy problem: an “information sharing” bill could facilitate promiscuous sharing of personal information with government agencies, including the NSA.

On the House floor last week, the leading Republican sponsor of CISPA, Mike Rogers (R-MI), spoke endlessly about privacy and civil liberties, the negotiations, and the process he had undertaken to try to resolve problems in the privacy area. At the close of debate on the rule that would govern debate on the bill, he said:

The amendments that are following here are months of negotiation and work with many organizations—privacy groups. We have worked language with the Center for Democracy and Technology, and they just the other day said they applauded our progress on where we’re going with privacy and civil liberties. So we have included a lot of folks.

You see, just days before, CDT had issued a blog post saying that it would “not oppose the process moving forward in the House.” The full text of that sentence is actually quite precious because it shows how little CDT got in exchange for publicly withdrawing opposition to the bill. Along with citing “good progress,” CDT president and CEO Leslie Harris wrote:

Recognizing the importance of the cybersecurity issue, in deference to the good faith efforts made by Chairman Rogers and Ranking Member Ruppersberger, and on the understanding that amendments will be considered by the House to address our concerns, we will not oppose the process moving forward in the House.

Cybersecurity is an important issue—never mind whether the bill would actually help with it. The leadership of the House Intelligence Committee have acted in good faith. And amendments will evidently be forthcoming in the House. So go ahead and pass a bill not ready to become law, in light of “good progress.”

Then CDT got spun.

As McCullagh tells it:

The bill’s authors seized on CDT’s statement to argue that the anti-CISPA coalition was fragmenting, with an aide to House Intelligence Committee Chairman Mike Rogers (R-Mich.) sending reporters e-mail this morning, recalled a few minutes later, proclaiming: “CDT Drops Opposition to CISPA as Bill Moves to House Floor.” And the Information Technology Industry Council, which is unabashedly pro-CISPA, said it “applauds” the “agreement between CISPA sponsors and CDT.”

CDT quickly reversed itself, but the damage was done. Chairman Rogers could make an accurate but misleading floor statement omitting the fact that CDT had again reversed itself. This signaled to members of Congress and their staffs—who don’t pay close attention to subtle shifts in the views of organizations like CDT—that the privacy issues were under control. They could vote for CISPA without getting privacy blow-back. Despite furious efforts by groups like the Electronic Frontier Foundation and the ACLU, the bill passed 248 to 168.

Defenders of CDT will point out—accurately—that it argued laboriously for improvements to the bill. And with the bill’s passage inevitable, that was an essential benefit to the privacy side.

Well, yes and no. To get at that question, let’s talk about how groups represent the public’s interests in Washington, D.C. We’ll design a simplified representation game with the following cast of characters:

  • one powerful legislator, antagonistic to privacy, whose name is “S.R. Veillance”;
  • twenty privacy advocacy groups (Groups A through T); and
  • 20,000 people who rely on these advocacy groups to protect their privacy interests.

At the outset, the 20,000 people divide their privacy “chits”—that is, their donations and their willingness to act politically—equally among the groups. Based on their perceptions of the groups’ actions and relevance, the people re-assign their chits each legislative session.

Mr. Veillance has an anti-privacy bill he would like to get passed, but he knows it will meet resistance if he doesn’t get 2,500 privacy chits to signal that his bill isn’t that bad. If none of the groups give him any privacy chits, his legislation will not pass, so Mr. Veillance goes from group to group bargaining in good faith and signaling that he intends to do all he can to pass his bill. He will reward the groups that work with him by including such groups in future negotiations on future bills. He will penalize the groups that do not by excluding them from future negotiations.

What we have is a game somewhat like the prisoner’s dilemma in game theory. Though it is in the best interest of the society overall for the groups to cooperate and hold the line against a bill, individual groups can advantage themselves by “defecting” from the interests of all. These defectors will be at the table the next time an anti-privacy bill is negotiated.

Three groups—let’s say Group C, Group D, and Group T—defect from the pack. They make deals with Mr. Veillance to improve his bill, and in exchange they give him their privacy chits. He uses their 3,000 chits to signal to his colleagues that they can vote for the bill without fear of privacy-based repercussions.

At the end of the first round, Mr. Veillance has passed his anti-privacy legislation (though weakened, from his perspective). Groups C, D, and T did improve the bill, making it less privacy-invasive than it otherwise would have been, and they have also positioned themselves to be more relevant to future privacy debates because they will have a seat at the table. Hindsight makes the passage of the bill look inevitable, and CDT looks all the wiser for working with Sir Veillance while others futilely opposed the bill.

Thus, having defected, CDT is now able to get more of people’s privacy chits during the next legislative session, so they have more bargaining power and money than other privacy groups. That bargaining power is relevant, though, only if Mr. Veillance moves more bills in the future. To maintain its bargaining power and income, it is in the interest of CDT to see that legislation passes regularly. If anti-privacy legislation never passes, CDT’s unique role as a negotiator will not be valued and its ability to gather chits will diminish over time.

CDT plays a role in “improving” individual pieces of legislation to make them less privacy-invasive and it helps to ensure that improved—yet still privacy-invasive—legislation passes. Over the long run, to keep its seat at the table, CDT bargains away privacy.

This highly simplified representation game repeats itself across many issue-dimensions in every bill, and it involves many more, highly varied actors using widely differing influence “chits.” The power exchanges and signaling among parties end up looking like a kaleidoscope rather than the linear story of an organization subtly putting its own goals ahead of the public interest.

Most people working in Washington, D.C., and almost assuredly everyone at CDT, have no awareness that they live under the collective action problem illustrated by this game. This is why government grows and privacy recedes.

In his article, McCullagh cites CDT founder Jerry Berman’s role in the 1994 passage of CALEA, the Communications Assistance to Law Enforcement Act. I took particular interest in CDT’s 2009 backing of the REAL ID revival bill, PASS ID. In 2006, CDT’s Jim Dempsey helped give privacy cover to the use of RFID in identification documents contrary to the principle that RFID is for products, not people. A comprehensive study of CDT’s institutional behavior to confirm or deny my theory of its behavior would be very complex and time-consuming.

But divide and conquer works well. My experience is that CDT is routinely the first defector from the privacy coalition despite the earnest good intentions of many individual CDTers. And it’s why I say, perhaps in breach of decorum, things like: “A lot of people in Washington, D.C. think that working with CDT means working for good values like privacy. But CDT’s number one goal is having a seat at the table. And CDT will negotiate away privacy toward that end.”

The ‘Privacy Bill of Rights’ Is in the Bill of Rights

Every lover of liberty and the Constitution should be offended by the moniker “Privacy Bill of Rights” appended to regulatory legislation Senators John Kerry (D-MA) and John McCain (R-AZ) introduced yesterday. As C|Net’s Declan McCullagh points out, the legislation exempts the federal government and law enforcement:

[T]he measure applies only to companies and some nonprofit groups, not to the federal, state, and local police agencies that have adopted high-tech surveillance technologies including cell phone tracking, GPS bugs, and requests to Internet companies for users’ personal information–in many cases without obtaining a search warrant from a judge.

The real “Privacy Bill of Rights” is in the Bill of Rights. It’s the Fourth Amendment.

It takes a lot of gall to put the moniker “Privacy Bill of Rights” on legislation that reduces liberty in the information economy while the Fourth Amendment remains tattered and threadbare. Never mind “reasonable expectations”: the people’s right to be secure against unreasonable searches and seizures is worn down to the nub.

Senators Kerry and McCain should look into the privacy consequences of the Internal Revenue Code. How is privacy going to fare under Obamacare? How is the Department of Homeland Security doing with its privacy efforts? What is an “administrative search”?

McCullagh was good enough to quote yours truly on the new effort from Sens. Kerry and McCain: “If they want to lead on the privacy issue, they’ll lead by getting the federal government’s house in order.”

Strip-Search Images Stored

The Transportation Security Administration will be sure to point out that it was not them—it was the U.S. Marshals Service—that kept “tens of thousands of images recorded with a millimeter wave system at the security checkpoint of a single Florida courthouse,” according to Declan McCullagh of C|Net news.

The TSA has taken pains to make sure that their use of strip-search machines does not produce compromising images of the traveling public, but rules are made to be broken. How do you protect privacy in the use of a technology that is fundamentally designed to invade privacy?

The Information Economy Stops Evolving Today

That would be the message if a bill introduced in Congress this week were to pass. H.R. 5777 is the “Building Effective Strategies To Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act” or the “BEST PRACTICES Act.” If acronyms were a basis for judging legislation, it should be widely hailed as a masterwork.

But its substance is concerning, to say the least. The bill’s scope is massive: Just about every person or business that systematically collects information would be subject to a new federal regulatory regime governing information practices. By systematic, I mean: If you get a lot of emails or run a website that collects IP addresses (and they all do), you’re governed by the bill.

There’s one exception to that: The bill specifically exempts the government. What chutzpah our government has to point the finger at us while its sprawling administrative data collection and surveillance infrastructure spirals out of control.

Reviewing the bill, I found it interesting to consider what you get when you take a variety of today’s information “best practices” and put them into law. Basically, you freeze in place how things work today. You radically simplify and channel all kinds of information practices that would otherwise multiply and variegate.

I spoke about this yesterday with CNet News’ Declan McCullagh:

Harper says it reminds him of James C. Scott’s book, “Seeing Like A State.” Governments and big corporations “radically simplify what they oversee to make it governable,” he said. “In things like forestry and agriculture, this has had devastating environmental effects because ecosystems don’t function when you eliminate the thousands of ‘illegible’ relationships and interactions. This is Seeing Like a State for the information economy.”

Give people remedies when they’re harmed by information practices, and then leave well enough alone. There’s no place for a list of “must-do’s” and “can’t-do’s” that choke our nascent information economy—especially not coming from a government that doesn’t practice what it preaches.

Planning a Cybersecurity Auto-Immune Reaction

A Senate plan to give the president authority to seize control of the Internet in the event of emergency is security malpractice of the highest order. As I told C|Net’s Declan McCullagh, this is a plan for an auto-immune reaction. When something goes wrong with the Internet, the government will attack that infrastructure and make society weaker.

The Internet is the medium over which we communicate and self-organize. It’s where emergency response happens—where individuals learn what is happening, communicate it to others, compare notes with friends and loved ones, and determine appropriate responses. (Our appreciation for “first responders” should not be diminished by noting that they are typically second responders, taking over for private citizens who are almost always first on any scene.)

The Internet is also self-repairing. When weaknesses in it are exposed, that fact is communicated via Internet, and the appropriate fixes and patches are distributed via Internet. Seizing control of the Internet—to the extent the government can do that—would degrade society’s natural response to emergency, and it would undercut the Internet’s ability to self-heal.

This idea—of government authority taking over the Internet for our protection—fundamentally misunderstands the nature of the Internet, the nature of our society, and the type of government the Framers prescribed for us.

New at Cato Unbound: Ten Years of Code

Code and Other Laws of Cyberspace, Lawrence Lessig’s seminal work on Internet law, turns ten this year. To mark the occasion, Cato Unbound has invited a distinguished panel of Internet law experts to discuss the book’s enduring significance: What did it get right? What did it get wrong? And where do we go from here?

Joining us will be Adam Thierer, Jonathan Zittrain, and Lawrence Lessig himself. The lead essay, up this morning, is by Declan McCullagh. Readers of Code will recall that McCullagh was called out by name in the book’s final chapter, and his “do-nothing” cyberlibertarian views were criticized at length. Ten years later, is it time to reconsider? Join us and find out.