Tag: privacy

Prediction: DHS Programs Will Create Privacy Concerns in 2011

The holiday travel season this year revealed some of the real defects in the Transportation Security Administration’s new policy of subjecting select travelers to the “option” of going through airport strip-search machines or being subjected to an intrusive pat-down more akin to a groping. Anecdotes continue to come forth, including the recent story of a rape victim who was arrested at an airport in Austin, TX after refusing to let a TSA agent feel her breasts.

Meanwhile, the Department of Homeland Security is working on the “next big thing”: body-scanning everywhere. This “privacy impact assessment” from DHS’s Science and Technology Directorate details a plan to use millimeter wave—a technology in strip-search machines—along with other techniques, to examine people from a distance, not just at the airport but anywhere DHS wants.

With time to observe TSA procedures this holiday season, I’ve noticed that it takes a very long time to get people through strip-search machines. In Milwaukee, the machines were cordoned off and out of use the Monday after Christmas Day because they needed to get people through. Watch for privacy concerns and sheer inefficiency to join up when TSA pushes forward with universal strip/grope requirements.

And the issue looks poised to grow in the new year. Republican ascendancy in the House coincides with their increasing agitation about this government security excess.

I’ll be speaking at an event next Thursday, January 6th, called ”The Stripping of Freedom: A Careful Scan of TSA Security Procedures.” It’s hosted by the Electronic Privacy Information Center (EPIC) at the Carnegie Institute for Science in Washington, DC.

EPIC recently wrote a letter asking Homeland Security Secretary Janet Napolitano to task the DHS Privacy Committee (or “DPIAC,” on which I serve) with studying the impact of the body scanner program on individuals’ constitutional and statutory rights:

The TSA’s deployment of body scanners as the primary screening technique in American airports has raised widespread public concerns about the protection of privacy. It is difficult to imagine that there is a higher priority issue for the DPIAC in 2011 than a comprehensive review of the TSA airport body scanner program.

Will the Secretary ask her expert panel for a thorough documented review? Wait and see.

Whatever happens there, privacy concerns with DHS programs will be big in 2011.

Independent Agencies Test Tea Party Mettle

Is there something special about December? Perhaps it’s the spirit of giving that had the Federal Communications Commission voting yesterday to regulate Internet service. At the beginning of the month—December 1st—the Federal Trade Commission issued a report signaling its willingness to regulate online businesses.

No, it’s not the fact that it’s December. It’s the fact that it’s after November.

November—that’s the month when we had the mid-term election. The FCC and FTC appear to have held off coming out with their regulatory proposals ahead of the elections because the Obama administration couldn’t afford any more evidence that it heavily favors government control of the economy and society.

There was already plenty of evidence out there, of course, but the election is past now, and the administration has taken its lumps. It’s an open question whether there will be a second Obama term, so the heads of the FCC and FTC are swinging into action. They’ll get done what they can now, during the period between elections when the public pays less attention.

And that is a challenge to the Tea Party movement, which would be acting predictably if it lost interest in politics and public policy during the long year or more before the next election cycle gets into full swing. Politicians know—and the heads of independent agencies are no less political than anyone else—that the public loses focus after elections. That’s the time for agencies to quietly move the agenda—during the week before Christmas, for example.

So it’s not the spirit of giving—it’s the spirit of hiding—that has these independent agencies moving forward right now. It’s up to the public, if it cares about liberty and constitutionally limited government, to muster energy and outrage at the latest moves to put the society under the yoke of the ruling class. Both the FCC and the FTC lack the power to do what they want to do, but Congress will only rein them in if Congress senses that these are important issues to their active and aware constituents.

Conservatives, Liberals, and the TSA

Libertarians often debate whether conservatives or liberals are more friendly to liberty. We often fall back on the idea that conservatives tend to support economic liberties but not civil liberties, while liberals support civil liberties but not economic liberties – though this old bromide hardly accounts for the economic policies of President Bush or the war-on-drugs-and-terror-and-Iraq policies of President Obama.

Score one for the conservatives in the surging outrage over the Transportation Security Administration’s new policy of body scanners and intimate pat-downs. You gotta figure you’ve gone too far in the violation of civil liberties when you’ve lost Rick Santorum, George Will, Kathleen Parker, and Charles Krauthammer. (Gene Healy points out that conservatives are reaping what they sowed.)

Meanwhile, where are the liberals outraged at this government intrusiveness? Where is Paul Krugman? Where is Arianna? Where is Frank Rich? Where is the New Republic? Oh sure, civil libertarians like Glenn Greenwald have criticized TSA excesses. But mainstream liberals have rallied around the Department of Homeland Security and its naked pictures: Dana Milbank channels John (“phantoms of lost liberty”) Ashcroft: “Republicans are providing the comfort [to our enemies]. They are objecting loudly to new airport security measures.” Ruth Marcus: “Don’t touch my junk? Grow up, America.” Eugene Robinson: “Be patient with the TSA.” Amitai Etzioni in the New Republic: “In defense of the ‘virtual strip-search.’” And finally, the editors of the New York Times: ”attacks are purely partisan and ideological.”

Could this just be a matter of viewing everything through a partisan lens? Liberals rally around the DHS of President Obama and Secretary Napolitano, while conservatives criticize it? Maybe. And although Slate refers to the opponents of body-scanning as “paranoid zealots,” that term would certainly seem to apply to apply to Mark Ames and Yasha Levine of the Nation, who stomp their feet, get red in the face, and declare every privacy advocate from John Tyner (“don’t touch my junk”) on to be “astroturf” tools of “Washington Lobbyists and Koch-Funded Libertarians.” (Glenn Greenwald took the article apart line by line.)

Most Americans want to be protected from terrorism and also to avoid unnecessary intrusions on liberty, privacy, and commerce. Security issues can be complex. A case can be made for the TSA’s new procedures. But it’s striking to see how many conservatives think the TSA has gone too far, and how dismissive – even contemptuous – liberals are of rising concerns about liberty and privacy.

Secrecy or Privacy? The Power of Language

My friend Kelly Young notes (on Facebook) this Washington Post article on guns used in crimes:

I am awed again by the power of language. The Washingt0n Post today claims that government protection of the identity of lawful purchasers of legal weapons is “secrecy” to be “penetrated” for the sake of the paper’s reporting. It is not “privacy” that is “violated,” as with release of airport scans of travelers, gathering names of minors seeking abortions, and warrantless searches of homes. And how about those secret journalistic sources?

(Language cleaned up slightly, as the original was typed Blackberry-style.) He’s right. The word “privacy” doesn’t appear in the article. Maybe a cynics’ dictionary would read, “Privacy is the ability to keep facts about myself hidden from you. Secrecy is your keeping facts about yourself hidden from me.”

Does Risk Management Counsel in Favor of a Biometric Traveler Identity System?

Writing on Reason’s Hit & Run blog, Robert Poole argues that the Transportation Security Administration should use a risk-based approach to security. As I noted in my recent “’Strip-or-Grope’ vs. Risk Management” post, the Department of Homeland Security often talks about risk but fails to actually do risk management. Poole and I agree—everyone agrees—that DHS should use risk management. They just don’t.

With the pleasure of remembering our excellent 2005 Reason debate, “Transportation Security Aggravation,” I must again differ with Poole’s prescription, however.

Poole says TSA should separate travelers into three basic groups (quoting at length):

  1. Trusted Travelers, who have passed a background check and are issued a biometric ID card that proves (when they arrive at the security checkpoint) that they are the person who was cleared. This group would include cockpit crews, anyone holding a government security clearance, anyone already a member of the Department of Homeland Security’s Global Entry, Sentri, and Nexus, and anyone who applied and was accepted into a new Trusted Traveler program. These people would get to bypass regular security lanes  upon having their biometric card checked at the airport, subject only to random screening of a small fraction.
  2. High-risk travelers, either those about whom no information is known or who are flagged by the various Department of Homeland Security (DHS) intelligence lists as warranting “Selectee” status. They would be the only ones facing body-scanners or pat-downs as mandatory, routine screening.
  3. Ordinary travelers—basically everyone else, who would go through metal detector and put carry-ons through 2-D X-ray machines. They would not have to remove shoes or jackets, and could travel with liquids. A small fraction of this group would be subject to random “Selectee”-type screening.

He believes, and has argued for years, that dividing ”good guys” from “bad guys” will effectively secure. It’s certainly intuitive. Poole’s a good guy. I’m a good guy. You’re a good guy (in a non-gender-specific sense).

Knowing who people are works for us in every day life: Because we can find people who borrow our stuff, for example—and because we know that we can be found—we husband our behavior and generally don’t steal things from each other, we, the decent people with a stake in society.

Poole’s thinking takes our common experience and scales it up to a national program. Capture people’s identities, link enough biography to those identities, and—voila!—we know who the good guys are and who are the (potential) bad.

But precisely what biographical information assures that a person is “good”? (The proposal is for government action: it would be a violation of due process to keep the criteria secret and an equal protection violation to unfairly divide good and bad.) How do we know a person hasn’t gone bad from the time that their goodness was established?

The attacker we face with air security measures is not among the decent cohort whose behavior is channeled by identification. That attacker’s path to mischief is nicely mapped out by Poole’s proposal: Get into the Trusted Traveler group, or find someone who can get in it. (It’s easy to know if you’re a part of it. They give you a card! You can also test the system to see if you’ve been designated “high-risk” or “ordinary.”)

With a Trusted Traveler positioned to do wrong, chances are good that he or she won’t be subjected to screening and can carry whatever dangerous articles onto a plane. The end result? Predictable gnashing of teeth and wailing about a “failure to connect the dots.”

All this is not to say that Poole’s plan should not be adopted. If he can convince an airline of its merits, and the airline can convince its shareholders, insurers, airports, and their customers, they should implement the program to their heart’s content. They should reap the economic gain, too, when they prove that they have found a way to better serve the public’s safety, convenience, privacy, and transportation needs.

It is the TSA that should not implement this program. Along with what are significant security defects, it is the creation of a program that the government might use to control access to other goods, services, and infrastructure throughout society. The TSA would migrate toward conditioning all travel on having a government-issued biometric identity card. Fundamentally, the government should not be making these decisions or operating airline security systems.

A very interesting paper surfaced by recent public attention to this issue predicts that annual highway deaths will increase (from an already significant number) by between 11 and 275 because of people’s avoidance of privacy-invasive airport procedures. But what caught my eye in it were the following numbers:

During the past decade, terrorist attacks, with respect to air travel in the United States, have occurred three times involving six aircraft. Four planes were hijacked on 9/11, the shoe bomber incident occurred in December 2001, and, most recently, the Christmas Day underwear bomber attempted an attack in 2009. In that same span of time, over 99 million planes took off and landed within the United States, carrying over 7 billion passengers.

Especially because 9/11’s ”commandeering” attack on air travel has been essentially foreclosed by hardened cockpit doors and passenger/crew awareness, these numbers suggest the smallness of the chance that somone can elude worldwide investigatory pressure, prepare an explosive and detonator that actually work, smuggle both through conventional security, and successfully use them to take down a plane. It hasn’t happened in nearly 100 million flights.

This is not an argument to “let up” on security or to stop searching for measures that will cost-effectively drive the chance of attacker success even closer to zero.  But more thorough risk management analysis than mine or Bob Poole’s would probably show that accepting the above risk is preferable to either delaying and invading the bodily privacy of travelers or creating a biometric identity and background-check system.

Physician, Heal Thyself

The Wall Street Journal reports that the Commerce Department will soon come forth with a ”stepped-up approach to policing Internet privacy that calls for new laws and the creation of a new position to oversee the effort.”

Meanwhile, with nearly 22 months in office, President Obama has still not named a single candidate to the Privacy and Civil Liberties Oversight Board that Congress established to review the government’s actions in response to terrorism. Had he appointed a board, it would have issued three public reports by now, and we would be awaiting a fourth.

Should Legislatures, Commissions, and Such Figure Out Privacy Problems?

The recent European Commission proposal to create a radical and likely near impossible-to-implement “right to be forgotten” provides an opportunity to do some thinking about how privacy norms should be established.

In 1961, Italian liberal philosopher and lawyer Bruno Leoni published Freedom and the Law, an excellent, if dense, rumination on law and legislation, which, as he emphasized, are quite different things.

Legislation appears today to be a quick, rational, and far-reaching remedy against every kind of evil or inconvenience, as compared with, say, judicial decisions, the settlement of disputes by private arbiters, conventions, customs, and similar kinds of spontaneous adjustments on the part of individuals. A fact that almost always goes unnoticed is that a remedy by way of legislation may be too quick to be efficacious, too unpredictably far-reaching to be wholly beneficial, and too directly connected with the contingent views and interests of a handful of people (the legislators), whoever they may be, to be, in fact, a remedy for all concerned. Even when all this is noticed, the criticism is usually directed against particular statutes rather than against legislation as such, and a new remedy is always looked for in “better” statutes instead of in something altogether different from legislation. (page 7, 1991 Liberty Fund edition)

The new Commission proposal is an example. Apparently the EU’s 1995 Data Protection Directive didn’t do it.

Rather than some central authority, it is in vernacular practice that we should discover the appropriate “common” law, emphasizes Leoni.

“[A] legal system centered on legislation resembles … a centralized economy in which all the relevant decisions are made by a handful of directors, whose knowledge of the whole situation is fatally limited and whose respect, if any, for the people’s wishes is subject to that limitation. No solemn titles, no pompous ceremonies, no enthusiasm on the part of the applauding masses can conceal the crude fact that both the legislators and the directors of a centralized economy are only particular individuals like you and me, ignorant of 99 percent of what is going on around them as far as the real transactions, agreements, attitudes, feelings, and convictions of people are concerned. (page 22-23, emphasis removed)

The proposed “right to be forgotten” is a soaring flight of fancy, produced by detached intellects who lack the knowledge to devise appropriate privacy norms. If it were to move forward as is, it would cripple Europe’s information economy while hamstringing international data flows. More importantly, it would deny European consumers the benefits of a modernizing economy by giving them more privacy than they probably want.

I say “probably” because I don’t know what European consumers want. I only know how to learn what they want—and that is not by observing the dictates of the people who occupy Europe’s many government bureaucracies.