Tag: pipa

The Senate’s SOPA Counterattack?: Cybersecurity the Undoing of Privacy

The Daily Caller reports that Senator Harry Reid (D-NV) is planning another effort at Internet regulation—right on the heels of the SOPA/PIPA debacle. The article seems calculated to insinuate that a follow-on to SOPA/PIPA might slip into cybersecurity legislation the Senate plans to take up. Whether that’s in the works or not, I’ll detail here the privacy threats in cybersecurity language being circulated on the Hill.

A Senate draft currently making the rounds is called the “Cybersecurity Information Sharing Act of 2012.” It sets up “cybersecurity exchanges” at which government and corporate entities would share threat information and solutions.

Sharing of information does not require federal approval or planning, of course. Information sharing happens all the time according to market processes. But “information sharing” is the solution Congress has seized upon, so federal information sharing programs we will have. Think of all this as a “see something, say something” campaign for corporate computer security people. Or perhaps “e-fusion centers.”

Reading over the draft, I was struck by sweeping language purporting to create “affirmative authority to monitor and defend against cybersecurity threats.” To understand the strangeness of these words, we must start at the beginning:

We live in a free country where all that is not forbidden is allowed. There is no need in such a country for “affirmative” authority to act. So what does this section do as it purports to permit private and governmental entities to monitor their information systems, operate active defenses, and such? It sweeps aside nearly all other laws controlling them.

“Consistent with the Constitution of the United States and notwithstanding any other provision of law,” it says (emphasis added), entities may act to preserve the security of their systems. This means that the only law controlling their actions would be the Constitution.

<sarcasm>It’s nice that the Constitution would apply</sarcasm>, but the obligations in the Privacy Act of 1974 would not. The Electronic Communications Privacy Act would be void. Even the requirements of the E-Government Act of 2002, such as privacy impact assessments, would be swept aside.

The Constitution doesn’t constrain private actors, of course. This language would immunize them from liability under any and all regulation and under state or common law. Private actors would not be subject to suit for breaching contractual promises of confidentiality. They would not be liable for violating the privacy torts. Anything goes so long as one can make a claim to defending “information systems,” a term that refers to anything having to do with computers.

Elsewhere, the bill creates an equally sweeping immunity against law-breaking so long as the law-breaking provides information to a “cybersecurity exchange.” This is a breath-taking exemption from the civil and criminal laws that protect privacy, among other things.

(1) IN GENERAL.—No civil or criminal cause of action shall lie or be maintained in any Federal or State court against any non-Federal governmental or private entity, or any officer, employee, or agent of such an entity, and any such action shall be dismissed promptly, for the disclosure of a cybersecurity threat indicator to—
(A) a cybersecurity exchange under subsection (a)(1); or
(B) a private entity under subsection (b)(1), provided the cybersecurity threat indicator is promptly shared with a cybersecurity exchange.

In addition to this immunity from suit, the bill creates an equally sweeping “good faith” defense:

Where a civil or criminal cause of action is not barred under paragraph (1), a good faith reliance by any person on a legislative authorization, a statutory authorization, or a good faith determination that this Act permitted the conduct complained of, is a complete defense against any civil or criminal action brought under this Act or any other law.

Good faith is a question of fact, and a corporate security official could argue successfully that she acted in good faith if a government official told her to turn over private data. This language allows the corporate sector to abandon its responsibility to follow the law in favor of following government edicts. We’ve seen attacks on the rule of law like this before.

A House Homeland Security subcommittee marked up a counterpart to this bill last week. It does not have similar language that I could find.

In 2009, I testified in the House Science Committee on cybersecurity, skeptical of the government’s ability to tackle cybersecurity but cognizant that the government must secure its own systems. “Cybersecurity exchanges” are a blind stab at addressing the many challenges in securing computers, networks, and data, and I think they are unnecessary at best. According to current plans, cybersecurity exchanges come at a devastating cost to our online privacy.

Congress seems poised once again to violate the rule from the SOPA/PIPA disaster: “First, do no harm to the Internet.”

SOPA/PIPA: Harbinger or Aberration?

He’s not unrestrained, but Larry Downes sees the remarkable downfall of legislation to regulate the Internet’s engineering as a harbinger of things to come. Jerry Brito, meanwhile, tells us “Why We Won’t See Many Protests like the SOPA Blackout.”

They’re both right—over different time-horizons. The information environment and economics of political organization today are still quite stacked against public participation in our unwieldy federal government. But in time this will change. Congress and Washington, D.C.’s advocacy and lobbying groups now have some idea what the future will feel like.

The Internet Is Not .gov’s to Regulate

Imagine that Congress passed a law setting up a procedure that could require ordinary citizens like you to remove telephone numbers from your phone book or from the “contacts” list in your phone. What about a policy that cut off the phone lines to an entire building because some of its tenants used the phone to plot thefts or fraud? Would it be okay with you if the user of the numbers coming out of your phone records or the tenants of the cut-off building had been adjudged “rogue” users of the phone?

Cutting off phone lines is the closest familiar parallel to what Congress is considering in two bills nicknamed “SOPA” and “PIPA”—the “Stop Online Piracy Act” and the “PROTECT IP Act.”

Julian Sanchez has vigorously argued several points about these bills. Here, I’ll try to describe what they try to do to the Internet.

Simplifying, every computer and server has an IP (or “Internet Protocol”) address, which is a set of numbers that uniquely identify its location on the Internet. The IP address for the server hosting Cato’s Spanish language site, elcato.org, for example, is 67.192.234.234.

Now, these numbers are hard to remember, so there is a system that translates IP addresses into something more familiar. That’s the domain name system, or “DNS.” The domain name system takes the memorable name that you type into the address bar of your computer, such as elcato.org, and it looks up the IP address so you can be forwarded along to the IP address of your choice.

One of the major ideas behind SOPA and PIPA is to cut Internet sites that violate copyright out of the domain name system. No longer could typing “elcato.org” get you to the Web site you wanted to visit. Much of the debate has been about the legal process for determining whether to strike out a domain name.

But preventing a domain name lookup doesn’t take the site off the Internet. It just makes it slightly harder to access. You can prove it to yourself right now by copying “67.192.234.234” (without the quotes) and plugging it into your address bar. (The Internet is complicated. Some of you might be directed to other Cato sites.) Then come back here and read on, por favor!

The government would require law-abiding citizens to “black out” phone numbers—or Internet service providers to do the same with domain names—for this little effect on wrongdoing? It doesn’t make sense. The practical burdens on the law-abiding Internet service provider would be large. “Blacking out” an entire building—just like a Web site—would cut off the lawful communications right along with the unlawful ones. It’s through-the-looking-glass information control, with enormous potential to obstruct entirely lawful communications and impinge on First Amendment rights.

Which is why many Web sites today are “blacking out” in protest. In various ways, sites like Craigslist.org, Wikipedia, and many others are signaling to their visitors that Congress is threatening the core functioning of the Internet with bills like SOPA and PIPA. And threatening all of our freedom to communicate.

The Internet is not the government’s to regulate. It is an agreement on a set of protocols—a language that computers use to talk to one another. That language is the envelope in which our communications—our First-Amendment-protected speech—travels in hundreds of different forms.

The Internet community is growing in power. (Let’s not be triumphal—government authorities will use every wile to maintain control.) Hopefully the people who get engaged to fight SOPA and PIPA will recognize the many ways that the government regulates and limits information flows through technical means. The federal government exercises tight control over electromagnetic spectrum, for example, and it claims authority to impose public-utility-style regulation of Internet service provision in the name of “net neutrality.”

Under the better view—the view of freedom behind opposition to SOPA and PIPA—these things are not the government’s to regulate.

Internet Regulation & the Economics of Piracy

Earlier this month, I detailed at some length why claims about the purported economic harms of piracy, offered by supporters of the Stop Online Piracy Act (SOPA) and PROTECT-IP Act (PIPA), ought to be treated with much more skepticism than they generally get from journalists and policymakers.  My own view is that this ought to be rather secondary to the policy discussion: SOPA and PIPA would be ineffective mechanisms for addressing the problem, and a terrible idea for many other reasons, even if the numbers were exactly right. No matter how bad last season’s crops were, witch burnings are a poor policy response.  Fortunately, legislators finally seem to be cottoning on to this: SOPA now appears to be on ice for the time being, and PIPA’s own sponsors are having second thoughts about mucking with the Internet’s Domain Name System.

That said, I remain a bit amazed that it’s become an indisputable premise in Washington that there’s an enormous piracy problem, that it’s having a devastating impact on U.S. content industries, and that some kind of aggressive new legislation is needed tout de suite to stanch the bleeding. Despite the fact that the Government Accountability Office recently concluded that it is “difficult, if not impossible, to quantify the net effect of counterfeiting and piracy on the economy as a whole,” our legislative class has somehow determined that—among all the dire challenges now facing the United States—this is an urgent priority. Obviously, there’s quite a lot of copyrighted material circulating on the Internet without authorization, and other things equal, one would like to see less of it. But does the best available evidence show that this is inflicting such catastrophic economic harm—that it is depressing so much output, and destroying so many jobs—that Congress has no option but to Do Something immediately? Bearing the GAO’s warning in mind, the data we do have doesn’t remotely seem to justify the DEFCON One rhetoric that now appears to be obligatory on the Hill.

The International Intellectual Property Alliance—a kind of meta-trade association for all the content industries, and a zealous prophet of the piracy apocalypse—released a report back in November meant to establish that copyright industries are so economically valuable that they merit more vigorous government protection. But it actually paints a picture of industries that, far from being “killed” by piracy, are already weathering a harsh economic climate better than most, and have far outperformed the overall U.S. economy through the current recession. The “core copyright industries” have, unsurprisingly, shed some jobs over the past few years, but again, compared with the rest of the economy, employment seems to have held relatively stable at a time when you might expect cash-strapped consumers to be turning to piracy to save money.

Since the core function of copyright is to incentivize the production of creative works, it’s also worth looking for signs of declining output associated with filesharing. Empirically, it’s surprisingly hard to find an effect. Rather, a recent survey study by Felix Oberholzer-Gee of the Harvard Business School concluded that “data on the supply of new works are consistent with the argument that file sharing did not discourage authors and publishers” from producing more works, at least in the U.S. market.

So, for instance, Nielsen SoundScan data shows new album releases stood at 35,516 in 2000, peaked at 106,000 in 2008, and (amidst a general recession) fell back to mid-decade levels of about 75,000 for 2010. That’s against a general background of falling sales since 2004—mostly explained by factors unrelated to piracy—which finally seems to have reversed in 2011. The actual picture is probably somewhat better than that, because SoundScan data are markedly incomplete when it comes to the releases by indie artists who’ve benefited most from the rise of digital distribution.

If we look at movies, the numbers compiled by the industry statistics site Box Office Mojo show an average of 558 releases from American studios over the past decade, which rises to 578 if you focus on just the past five years. The average for the previous decade—before illicit movie downloads were even an option on most people’s radar—is 472 releases per year. (As we learn from a recent Congressional Research Service report, it’s weirdly hard to detect a strong overall correlation between output and employment in the motion picture industry, which actually fell slightly from 1998 to 2008, even as profits and CEO pay soared. One reason is the growing trend in recent decades for “Hollywood” features to actually be produced in Canada or Australia.)

That’s all very nice, one might object, but wouldn’t these heartening numbers be even higher if labels and studios could recapture some of the revenue lost to illicit downloads? Well, they surely might—but it’s not nearly as clear as you’d think.

One reason is that they already are recapturing much of that revenue through “complementary” purchases. As Oberholzer-Gee observes, recording industry numbers show large increases in concert revenues corresponding to the drop in recorded music sales. That suggests that, as people discover new artists by sampling downloaded albums online, they’re shifting consumption within the sector to live performances. In other words, people have a roughly constant “music budget,” and what they don’t spend on the albums they’ve downloaded gets spent on seeing that new band they discovered.  For the firms that specifically make their money from the sale of recordings, that may seem like cold comfort, but if we’re concerned with the music industry as a whole, it’s a wash. Something similar might occur with respect to purchases of merchandise based on licensed film properties.

Another factor is that, notwithstanding projections of a “long tail” effect resulting from lower search and distribution costs in the digital era, most entertainment industries continue to operate on a “tournament” or “lottery” model, where a few hits generate jackpot revenues, sufficient to make up for losses on the majority of new products.  Unsurprisingly, the most heavily pirated movies each year tend to be the ones that are also highly successful at the box office and in DVD sales, with similar patterns in album downloads. In other words, bleeding revenue to piracy is going to be a problem to the extent that your product is a hit, in a market where the core uncertainty about this crucial fact (at the time when the decision whether to greenlight production is made) looms a lot larger than the marginal loss from illicit downloads if you are successful.

It’s a tricky but more or less tractable problem to estimate roughly how many full-time jobs you’ll need regionally to support one additional $150 million movie production next year. It’s a totally different question how aggregate sectoral employment in a volatile and evolving industry changes based on investor responses to a $150 million across-the-board drop in the size of the total film jackpot, especially given that arcane financial arrangements are one place Hollywood does show a genius for constantly adapting its business model. If you want to know how many people are getting laid off when McDonald’s revenues drop, it makes a difference whether it’s each of 13,000 franchises earning $100 less per year, or one franchise earning $1.3 million less, even though the total reduction is the same.

Finally, more demand for content being captured by the content industries is not always the same thing as demand for more content, in the sense of “a greater variety of output.” I noted earlier that the past few years have seen a significant spike in the number of movie titles released annually. But as the Los Angeles Times reported in 2008, studio executives soon began complaining about a “glut” of new movies, many of which were targeted at the same demographics, and therefore cannibalizing their own audiences. As one executive suggested, that meant that (at least in a market dominated by a few huge distributors) releasing fewer titles could yield higher profits—and, indeed, the number of titles released in the following two years dropped back to mid-decade levels. The key point here is that shifting some portion of the pirate audience to some form of legal viewing doesn’t necessarily change this basic calculus, because there’s an upper bound to the number of hours most people are going to spend watching (say) racing movies, whether they’re paying for the privilege or not. Rising demand can just as easily, for instance, bid up star salaries for a fixed number of films.

The point here isn’t that piracy by American consumers is somehow completely independent from output or employment rates in the content industries—though, again, that’s not at all the same thing as the overall U.S. employment rate. Obviously, at some level it has to have some effect. But the link is, to use the technical economic term, weirder than in many other sectors of the economy. In many industries, the relationship between consumer spending and job creation is relatively straightforward. If demand for widgets or restaurant meals rises, satisfying that demand requires a roughly linear increase in widget factories and restaurants, in hiring of widget-makers and cooks and waiters, and in purchases of the raw material inputs for those goods. Distribution of copyrighted content—and in particular digital distribution over the Internet—is a bit more complicated, for precisely the same reason piracy is an issue: once the first copy of a work has been created, an unlimited number of additional units (of the digital product) can be produced at effectively zero cost.

Let’s imagine, implausibly, that a measure like SOPA did manage to reduce online piracy by U.S. consumers by some meaningful amount. A small portion of that reduction, the minority of downloads representing legal purchases displaced by file sharing, would translate into sales for the content industries. What form would these take? It seems reasonable to suppose that the majority of people who were previously getting their music and movies from The Pirate Bay are not typically lining up to buy shiny plastic discs at Wal-Mart. Rather, they’re probably disproportionately displacing legal digital downloads from venues like iTunes and Amazon, or subscription services like Netflix and Spotify, which are pretty clearly where the overall market is quickly going anyway. (Apparently, literal thieves don’t even bother stealing physical media anymore.) For movies, there’s probably also some displacement of theatrical ticket sales, though as the theatrical experience is in many ways a distinct good, it’s hard to say how much substitution it’s reasonable to expect.

In the very short term, increased legal purchases of digital content wouldn’t seem likely to generate many additional jobs. If spending in the physical retail sector jumps 20 percent, shops need to hire more clerks, and their suppliers more manufacturing workers, to meet the increased demand. If spending in the iTunes store jumps 20 percent, Apple probably needs to pay a few bucks more for bandwidth and electricity, but basically everyone just gets to smile and pocket the extra profit. The jobs effects estimates we’re seeing tossed around, however, are coming from a 2007 study that would have had to employ, at the most recent, adjustments made several years before that to the benchmark multipliers the Bureau of Economic Analysis developed in 2002. Even leaving aside its many other problems, then, the job impact estimates in that study would have been largely based on legacy assumptions from a brick-and-mortar economy. (The loss estimates relied on would also, necessarily, fail to account for the recent rise of popular, legal streaming services that have likely lured many consumers back from the pirate market. There is, alas, no very good data here, but I’d wager Hulu and Netflix have done exponentially more to reduce piracy losses than enforcement crackdowns ever will.) In any event, you’d expect the most immediate effect of consumer spending shifts from widgets and restaurants to digital downloads would be, if anything, fewer net jobs.  The output and employment effects, rather, would show up in the longer term as lower returns reduce incentives to produce new content—and hire the workers needed to support that production.  For some of the reasons discussed above, though, empirically there’s just not much evidence for a dramatic effect of this kind.

No doubt piracy is costing the content industries something—or they wouldn’t be throwing so much money at Congress in support of this kind of legislation. If we could wave a magic wand and have less piracy, obviously that would be good. But in the real world, where enforcement has direct costs to the taxpayer, regulation has costs on the industries it burdens, and the reduction in piracy they’re likely to produce is very small, it seems important to point out that the credible evidence for the magnitude of the harm is fairly thin. As a rough analogy, since antipiracy crusaders are fond of equating filesharing with shoplifting: suppose the CEO of Wal-Mart came to Congress demanding a $50 million program to deploy FBI agents to frisk suspicious-looking teens in towns near Wal-Marts. A lawmaker might, without for one instant doubting that shoplifting is a bad thing, question whether this is really the optimal use of federal law enforcement resources. The CEO indignantly points out that shoplifting kills one million adorable towheaded orphans each year. The proof is right here in this study by the Wal-Mart Institute for Anti-Shoplifting Studies. The study sources this dramatic claim to a newspaper article, which quotes the CEO of Wal-Mart asserting (on the basis of private data you can’t see) that shoplifting kills hundreds of orphans annually. And as a footnote explains, it seemed prudent to round up to a million. I wish this were just a joke, but as readers of my previous post will recognize, that’s literally about the level of evidence we’re dealing with here.

In short, piracy is certainly one problem in a world filled with problems. But politicians and journalists seem to have been persuaded to take it largely on faith that it’s a uniquely dire and pressing problem that demands dramatic remedies with little time for deliberation.  On the data available so far, though, reports of the death of the industry seem much exaggerated.

A Dogged Insistence on Real Numbers

The Freakonomics blog has an excellent post on the bills in Congress popularly known as SOPA and PIPA. The “Stop Online Piracy Act” and the “Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act” aka the “PROTECT IP Act” would attempt to frustrate online copyright violations by tinkering with the inner workings of the Internet.

Would amending the Internet be justified? The post is called “How Much Do Music and Movie Piracy Really Hurt the U.S. Economy?”:

Supporters of stronger intellectual property enforcement … argue that online piracy is a huge problem, one which costs the U.S. economy between $200 and $250 billion per year, and is responsible for the loss of 750,000 American jobs. These numbers seem truly dire: a $250 billion per year loss would be almost $800 for every man, woman, and child in America. And 750,000 jobs – that’s twice the number of those employed in the entire motion picture industry in 2010. The good news is that the numbers are wrong …

Freakonomics’ authors picked up two good authorities: Cato’s own Julian Sanchez and Cato’s own (adjunct) Tim Lee. It’s nice to see Cato scholars getting high-profile credit for their dogged insistence on real numbers, something Congress routinely fails to exhibit.

Losses from violations of copyright law are hard to calculate.

There are certainly a lot of people who download music and movies without paying. It’s clear that, at least in some cases, piracy substitutes for a legitimate transaction … In other cases, the person pirating the movie or song would never have bought it. This is especially true if the consumer lives in a relatively poor country, like China, and is simply unable to afford to pay for the films and music he downloads. Do we count this latter category of downloads as “lost sales”? Not if we’re honest.

And there’s another problem: even in the instances where Internet piracy results in a lost sale, how does that lost sale affect the job market? While jobs may be lost in the movie or music industry, they might be created in another. Money that a pirate doesn’t spend on movies and songs is almost certain to be spent elsewhere. Let’s say it gets spent on skateboards — the same dollar lost by Sony Pictures may be gained by Alien Workshop, a company that makes skateboards.

The challenges go deeper: The theoretical arguments about intellectual property laws are a congeries. Libertarian advocates of statutory intellectual property protection will cite Ayn Rand, who was a stalwart on defending creations of the mind as property. But a coherent system of rights does not produce conflicting claims, and intellectual property laws seem to exalt the property of some at a cost to the liberty of others. The some, in this case, are the music and movie industries, the others, Internet content companies and users.

This area still needs a good deal of sorting out. For the time being, a firm insistence on real numbers is a good thing. Serious empirical work is sorely needed. Killing off bogus numbers can only go so far.