Tag: privacy

How Identification Is Overused and Misunderstood

Justice Anthony Kennedy seems to be carving out his place as the Supreme Court justice who doesn’t “get” identity. Maryland v. King was the case issued today that shows that.

His opener was the 2004 decision in Hiibel v. Sixth Judicial District Court of Nevada, which ratified laws requiring people to disclose their names to police officers on request.

In that case, Deputy Lee Dove of the Humboldt County (NV) Sheriff’s Department had received a report that a man had slugged a woman. He didn’t know the names of the alleged perpetrator or the victim, but Dove found Larry Hiibel standing next to his truck at the side of the road talking to his seventeen-year-old daughter seated inside. Dove didn’t check to see if they were having a dispute, or if anyone had hit anyone. He just started demanding Hiibel’s ID.

“Knowledge of identity may inform an officer that a suspect is wanted for another offense, or has a record of violence or mental disorder,” Justice Kennedy wrote, approving Hiibel’s arrest for refusing to show his papers:

On the other hand, knowing identity may help clear a suspect and allow the police to concentrate their efforts elsewhere. Identity may prove particularly important in [certain cases, such as] where the police are investigating what appears to be a domestic assault. Officers called to investigate domestic disputes need to know whom they are dealing with in order to assess the situation, the threat to their own safety, and possible danger to the potential victim.

Even if he had gotten Larry Hiibel’s ID, that wouldn’t have told Dove any of these things. Dove would have had to stop his battery investigation to investigate Hiibel’s background, which he didn’t do until after he had arrested Hiibel–and after his partner had thrown Hiibel’s distraught daughter to the ground. (There’s your battery.)

In Maryland v. King, Justice Kennedy did it again. He wrote the decision approving DNA identification of arrestees. Like demanding Hiibel’s ID, which had no relation to investigating battery, Maryland’s practice of collecting DNA has no relation to investigating or proving the crime for which King was arrested, and it does nothing to administer his confinement. This Justice Scalia made clear in a scathing dissent.

The Court alludes at several points to the fact that King was an arrestee, and arrestees may be validly searched incident to their arrest. But the Court does not really rest on this principle, and for good reason: The objects of a search incident to arrest must be either (1) weapons or evidence that might easily be destroyed, or (2) evidence relevant to the crime of arrest. Neither is the object of the search at issue here. (citations omitted)

Justice Kennedy appears to think there are certain behaviors around detention and arrest that law enforcement is allowed without regard to the detention or arrest. Here, he has sanctioned the gathering of DNA from arrested people, supposedly presumed innocent until proven guilty, to investigate the possibility of their connection to other, unknown crimes. His logic would allow searching the cell phone of a person arrested for public drunkenness to see if they have participated in an extortion plot.

There is plenty of time to run DNA identification data past cold case files after conviction, and all parties agree that’s what would have happened in King’s case. Given that, the Supreme Court has upheld DNA-based investigation of innocent people for their connections to cold cases because they happen to have been arrested. That’s the strange result of Maryland v. King.

Mobility Is Freedom, Not an Invasion of Privacy

Mobility is freedom, or at least an important part of it. Yet earlier this month challenges to expansions of that freedom came from, surprisingly, the Mises Institute of Canada, Reason magazine, and American Enterprise Institute. The issues are new automobile technologies, specifically self-driving cars and improved road pricing, and the challenges came from people who clearly don’t understand the technologies involved.

Self-driving cars, says Roger Toutant writing for the Mises Institute of Canada, will lead to “a national, state-operated, computer network that will be used to achieve an Orwellian level of vehicular control and information sharing. …The implications are ominous. In the future, private spheres will be invaded and all movements will be tracked.”

“Boot up a Google car,” agrees Greg Beato of Reason magazine, “and it’s not so easy to cut the connection with the online mothership.” If you get into a Google driverless car, “you immediately start sending great quantities of revealing information to a company that’s already hoarding every emoticon you’ve ever IMed.”

It is appropriate to question new technologies, but the answer is that’s not the way these cars work. None of the self-driving cars being developed by Volkswagen, Google, or other companies rely at all on central computers. Instead, all the computing power is built into each car.

Civil Liberties After Boston—My Take

It’s to be expected that privacy will suffer a bear market after a terrorist attack or attempt. I’ve seen worse, of course, but was concerned this week to read a piece by Richard Epstein on the Hoover Institution web site that I think sounds needless anti-privacy notes. Professor Epstein is not only an important public intellectual, but a Cato adjunct scholar of which we’re proud, and a friendly professional colleague (to whose defense I’ll leap when he’s wronged).

The issue is what policies governments might adopt toward the end of terrorism prevention. Professor Epstein finds the statement of Massachusetts state senator Robert Hedlund (R-Weymouth) to be a bridge too far. Hedlund says:

It’s not surprising that you have law enforcement agencies rushing out to use [the Boston bombing and subsequent manhunt] as pretext to secure additional powers but I think we have to maintain perspective and realize that civil liberties and the protections we’re granted under the Constitution and our rights to privacy, to a degree, are nonnegotiable…

You don’t want to let a couple of young punks beat us and allow our civil liberties to be completely eroded. I don’t fall into the trap that, because of the hysteria, we need to kiss our civil liberties away.

Professor Epstein calls that “dead wrong,” saying, “the last thing needed in these difficult circumstances is a squeamishness about aggressive government action.” Given the importance of preventing terrorism, claims of right against increased surveillance and racial or other profiling should be “stoutly resisted,” he says.

I agree with Professor Epstein that flat claims about a “right to privacy” shouldn’t limit surveillance. “Concern” with racial or ethnic profiling is not a sound basis for desisting from the practice. But I don’t take Hedlund’s statement to be a product of squeamishness, and I think it is in the main correct.

Where I think Professor Epstein goes wrong insofar as he wants law enforcement to have its way is in setting aside “technical difficulties” and “means-ends” questions as peripheral. For me, the Fourth Amendment’s bar on unreasonable searches and seizures demands coordination between means and ends in light of the technological situation (both in terms of doing harm and discovering it). It is not a given that government action is reasonable, and no amount of priority given to a threat makes an incoherent response reasonable and constitutional.

Good, Market-Based Privacy Advocacy

Too much privacy advocacy is done by a self-appointed expert class who, believing their own preferences to be universal, beseech legislators and regulators to mold or even remake the information economy. I have nothing against self-appointed experts—I am one, and some of you have been falling for my schtick for a decade. But the hubris of claiming to know how things should come out? That’s too much.

So the Electronic Frontier Foundation’s “Who Has Your Back?” report is real stand-out. Using a clear, six-star grid, they assess how well major Internet companies and ISPs do when it comes to key dimensions of privacy protection.

This puts you, the consumer, in a position to choose with whom you want to do business. As importantly, it puts business decision-makers on notice: If they don’t satisfy actual consumer demand for privacy, they are more likely than before to lose money.

If consumers care about privacy, they will act on what’s in this report—and specifically on the dimensions of privacy protection that matter to them. If they don’t, they won’t, because they prioritize other things, and businesses can do the same. It’s an elegant system—a market-based system—for discovering and delivering what consumers want.

The alternative is a foggy war (politics being war by other means) in which the “consumer advocate” and “industry” use every artifice to persuade various authorities whether or not, and how, to intervene. The actual desire of the consumer is an afterthought in this regulatory battle.

So, Who Has Your Back?

The report is worth checking out. You might learn that a provider you trust is not so trustworthy. You might learn of services that you should try because they are good actors. You might disagree with the methodology, and that’s fine, too. The responses of businesses and consumers to this report will be far more finely tuned to actual consumer demand for privacy than the gaudy privacy show that runs ‘round the clock these days in Washington, D.C., state capitols, and Brussels.

Congratulations and thanks to the Electronic Frontier Foundation for some good, market-based privacy advocacy!

The Path to National Identification

In my 2008 paper, “Electronic Employment Eligibility Verification: Franz Kafka’s Solution to Illegal Immigration,” I wrote about where “internal enforcement” of immigration law leads: “to a national, cradle-to-grave, biometric tracking system.” More recently, I wrote “Internal Enforcement, E-Verify, and the Road to a National ID” in the Cato Journal. The “Gang of Eight” immigration proposal includes a large step on that path to national identification.

National ID provisions in the 2007 immigration bill were arguably its downfall. Scrapping the national ID provisions in the current bill would improve it, allowing our country to adopt more sensible immigration policies without suffering a costly attack on American citizens’ liberties.

Title III of the “Gang of Eight” bill is entitled “Interior Enforcement.” It begins by reiterating the current prohibition on hiring unauthorized aliens. (What seems to many a natural duty of employers was an invention that dates back only as far as 1986, when Congress passed the Immigration Reform and Control Act. Prior to that time, employers were free to hire workers based on the skills and willingness they presented, and not their documents. But since that time, Congress has treated the nation’s employers as deputy immigration agents.)

The bill details the circumstances under which employers may be both civilly and criminally liable under the law and provides for a “good faith defense” and “good faith compliance” that employers may hope to use as shelter. The bill restates (with modifications) the existing requirements for checking workers’ papers, saying that employers must “attest, under penalty of perjury” that they have “verified the identity and employment authorization status” of the people they employ, using prescribed documents or combination of documents. Cards that meet the requirements of the REAL ID Act are specifically cited as proof of identity and authorization to work.

In addition, the bill would create a new “identity authentication mechanism,” requiring employers to use that as well. It would take one of two forms. One is a “photo tool” that enables employers to match photos on covered identity documents to photos “maintained by a U.S. Citizenship and Immigration Services database.” If the photo tool is not available, employers must use a system the bill would instruct the Department of Homeland Security develop. The system would “provide a means of identity authentication in a manner that provides a high level of certainty as to the identity of such individual, using immigration and identifying information that may include review of identity documents or background screening verification techniques using publicly available information.”

The bill next turns to expanding the E-Verify system, requiring its use by various employers on various schedules. The federal government and federal contractors would have to use E-Verify as required already or within 90 days. A year after the DHS publishes implementing regulations, the Secretary of Homeland Security could require anyone touching “critical infrastructure” (defined here) to use E-Verify. She could require immigration law violators to use E-Verify anytime she likes.

CISPA’s Vast Overreach

Last summer at an AEI-sponsored event on cybersecurity, NSA head General Keith Alexander made the case for information sharing legislation aimed at improving cybersecurity. His response to a question from Ellen Nakashima of the Washington Post (starting at 54:25 in the video at the link) was a pretty good articulation of how malware is identified and blocked using algorithmic signatures. In his longish answer, he made the pitch for access to key malware information for the purpose of producing real-time defenses.

What the antivirus world does is it maps that out and creates what’s called a signature. So let’s call that signature A. …. If signature A were to hit or try to get into the power grid, we need to know that signature A was trying to get into the power grid and came from IP address x, going to IP address y.

We don’t need to know what was in that email. We just need to know that it contained signature A, came from there, went to there, at this time.

[I]f we know it at network speed we can respond to it. And those are the authorities and rules and stuff that we’re working our way through.

[T]hat information sharing portion of the legislation is what the Internet service providers and those companies would be authorized to share back and forth with us at network speed. And it only says: signature A, IP address, IP address. So, that is far different than that email that was on it coming.

Now it’s intersting to note, I think—you know, I’m not a lawyer but you could see this—it’s interesting to note that a bad guy sent that attack in there. Now the issue is what about all the good people that are sending their information in there, are you reading all those. And the answer is we don’t need to see any of those. Only the ones that had the malware on it. Everything else — and only the fact that that malware was there — so you didn’t have to see any of the original emails. And only the ones that had the malware on it did you need to know that something was going on.

It might be interesting to get information about who sent malware, but General Alexander said he wanted to know attack signatures, originating IP address, and destination. That’s it.

Now take a look at what CISPA, the Cybersecurity Information Sharing and Protection Act (H.R. 624), allows companies to share with the government provided they can’t be proven to have acted in bad faith:

information directly pertaining to—

(i) a vulnerability of a system or network of a government or private entity or utility;

(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or utility or any information stored on, processed on, or transiting such a system or network;

(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity or utility; or

(iv) efforts to gain unauthorized access to a system or network of a government or private entity or utility, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity or utility.

That’s an incredible variety of subjects. It can include vast swaths of data about Internet users, their communications, and the files they upload. In no sense is it limited to attack signatures and relevant IP addresses.

What is going on here? Why has General Alexander’s claim to need attack signatures and IP addresses resulted in legislation that authorizes wholesale information sharing and that immunizes companies who violate privacy in the process? One could only speculate. What we know is that CISPA is a vast overreach relative to the problem General Alexander articulated. The House is debating CISPA Wednesday and Thursday this week.

What Is the Value of Bitcoin?

With Bitcoin enjoying a spike in price against government currencies, there is lots of talk about it on the Interwebs. If you’re not familiar with it yet, here’s a good Bitcoin primer, which also counsels reading a lot more before you acquire Bitcoin, as Bitcoin may fail. If you like Bitcoin and want to buy some, don’t go all goofy. Do your homework. As if you need to be told, be careful with your money.

Much of the commentary declares a Bitcoin bubble for one reason or another. It might be a bubble, but nobody actually knows. A way of guessing is to compare Bitcoin’s qualities as a currency and payment network to the alternatives. Like any service or good, there are many dimensions to value storage and transfer.

I may not capture them all, and they certainly don’t predict the correct price against the dollar or other currencies. That depends on the ultimate viscosity of Bitcoin. But Bitcoin certainly has value of a different kind: it may discipline fiat currencies and the states that control them.