Tag: privacy

Congress Has No Idea What the NSA Is Doing

Didja think that the legislative branch oversees the executive branch? Think again! Congress has no idea what the National Security Agency (NSA) is doing.

Spencer Ackerman at Wired’s Danger Room blog reports on a letter the inspector general of the intelligence community sent earlier this month to Senators Ron Wyden (D-OR) and Mark Udall (D-CO). They had asked how many people in the United States have had their communications collected or reviewed by the NSA.

The letter repeated the NSA IG’s conclusion that estimating this number was “beyond the capacity of his office and dedicating sufficient additional resources would likely impede the NSA’s mission.” Not only that, figuring out the number of people in the United States that the NSA has snooped on “would itself violate the privacy of U.S. persons.”

A federal agency can write a tart, dry non-response like this because Congress is utterly supine before the security bureaucracy. The tough-talking politicians in both parties have no idea what is happening in the agencies they routinely defend as essential. And Congress still hasn’t approved nominations for the Privacy and Civil Liberties Oversight Board, weak sauce that it is, nearly five years since it was reconstituted with greater independence and subpoena power.

The letter concludes with a hopeful note: “I will continue to work with you and the Committee to identify ways that we can enhance our ability to conduct effective oversight.” That also serves as a confession: We have no idea what the NSA is doing.

David Davis Is Right

British Conservative Party member and former shadow home secretary David Davis says that data retention requirements being debated in the U.K. are “incredibly intrusive” and would only “catch the innocent and incompetent.” He’s right.

The United States was formed after a Revolutionary War against Britain so that we could live under a government more protective of liberty. The Fourth Amendment’s requirement of particularity with respect to warrants prevents our government from issuing blanket requirements that information about all of our communications be retained in case it’s needed for law enforcement.

At least we must hope so. Because some in our Congress seem to have little qualm about reversing the Revolutionary War’s results.

Oh, the Uses of the ‘Cyber’ Prefix: Cyberbellicosity, for Example

Senate Majority Leader Harry Reid’s (D-Nev.) announcement yesterday of upcoming Senate action on cybersecurity legislation coincides nicely with reporting that the recently discovered Flame virus has similarities to Stuxnet. You see, the best example of a cyberattack having kinetic effects—causing physical damage—is Stuxnet. It targeted Siemens industrial software and equipment used in Iran’s nuclear program, causing damage to some centrifuges used in that program.

Stuxnet is widely believed to be a product of the U.S. and Israeli governments. Flame’s kinship with Stuxnet adds to the story: Our government is a top producer of cyberattacks.

The methods used in these viruses will be foreclosed as researchers unpack how they work. Our technical systems adapt to new threats the way humans develop antibodies to disease. But in the near term the techniques in Stuxnet and Flame may well be incorporated into attacks on our computing infrastructure.

The likelihood of attacks having extraordinary consequences is low. This talk of “cyberwar” and “cyberterror” is the ugly poetry of budget-building in Washington, D.C. But watch out for U.S. cyberbellicosity coming home to roost. The threat environment is developing in response to U.S. aggression.

This parallels the United States’ use of nuclear weapons, which made “the bomb” (Dmitri) an essential tool of world power. Rightly or wrongly, the United States’ use of the bomb spurred the nuclear arms race and triggered nuclear proliferation challenges that continue today. (To repeat: Cyberattacks can have nothing like the consequence of nuclear weapons.)

Senator Reid has gone hook, line, and sinker for the “cyber-9/11” idea, of course. Like all politicians, his primary job is not to set appropriate cybersecurity policies but to re-elect himself and members of his party. The tiniest risk of a cyberattack making headlines to use against his party justifies expending taxpayer dollars, privacy, and digital liberties. This is not to prevent cyberattack. It is to prevent political attack.

Politics is well understood by the authors of the letter Senator Reid cited in his statement about bringing cybersecurity legislation to the Senate floor. They are mostly from the party opposite his. Several of them participated at some level in developing our nation’s cyberbellicose world posture. And several now make their living in consulting and contracting firms that respond to the danger they helped create.

They are:

  • Michael Chertoff, Homeland Security secretary under President Bush, is now co-founder and Managing Principal of The Chertoff Group, which “provides business and government leaders with the same kind of high-level, strategic thinking and diligent execution that have kept the American homeland and its people safe since 9/11.”
  • Mike McConnell, former director of the National Security Agency and National Intelligence under President Bush, is now Vice Chairman of Booz Allen Hamilton.
  • Paul Wolfowitz was a deputy defense secretary under President Bush, now a visiting scholar at AEI.
  • General Michael Hayden, former director of the NSA and the CIA under President Bush, is now a principal at the Chertoff Group, and in January 2011 was elected to the Board of Directors of Motorola Solutions, which “provides business- and mission-critical communication products and services to enterprises and governments.”
  • Gen. James Cartwright, former vice chairman of the Joint Chiefs of Staff, is on the board of advisors of TASC, Inc. TASC “provides advanced systems engineering, integration and decision–support services to the Intelligence Community, Departments of Defense and Homeland Security and civilian agencies of the federal government. We deliver honest counsel, forward–thinking engineering and advanced technologies that help our customers protect Americans at home, in the air, on the battlefield and in cyberspace.”
  • Hon. William J. Lynn III, former deputy defense secretary, is now Chairman & CEO of DRS Technologies, a Defense and Security Electronics Division of Italian industrial group Finmeccanica. DRS Technologies is a “leading supplier of integrated products, services and support to military forces, intelligence agencies and prime contractors worldwide.”

Joe Barton, Meet Alessandro Acquisti

We were all very excited about the Facebook IPO last week (I guess), and Washington, D.C. wants to have its part in the action. This Politico article, “Facebook IPO Pits Privacy vs. Profits,” is a good illustration. It is the organs of government saying we are relevant, you know.

I was particularly intrigued by the comment of Rep. Joe Barton (R-TX). He’s playing against type—if we’re still to believe that Republicans stand for limited government—where he’s quoted saying: “I believe in free market principles, but there are some things the market can’t put a price on because they lack a monetary value. Privacy is one of those things.”

Aha! Washington does have a role the market can’t provide.

Except that the observation isn’t valid. There are lots of things in markets that “lack a monetary value.” You don’t think that every dimension of every good and service has a price tag on it, do you? Markets still deliver these things through the decision-making of their participants.

Alessandro Acquisti at Carnegie Mellon University has been studying how consumers value privacy for years. Crucially, he’s been studying how they value privacy when confronted with real and simulated trade-offs. (What consumers and politicians say isn’t very informative.) He sometimes puts a price tag on privacy in his studies.

It’s often a low price. Consumers don’t value privacy as much as many of us would like. But markets do implicitly price privacy. You make a little bit more—not a lot—if you deliver privacy. You stand to lose—sometimes a lot—if you don’t protect privacy.

Stand down, Mr. Barton. Stand down, Washington, D.C. You are not relevant to the Facebook IPO. Free market principles suggest leaving markets free to serve consumers’ actual preferences as determined by market processes. This is the case whether you think of privacy as having a “monetary value” or not.

It’s Illegal to Say ‘None of Your Damn Business’

The government’s troops are rallying behind the Census Bureau’s American Community Survey. “After the House voted this month to defund a major part of the U.S. Census Bureau, the agency is taking the threat very seriously,” reports the Washington Times, “with its supporters in both business and government rallying to preserve the annual questionnaire.”

Wait. Who could be against the Census Bureau? Its constitutional charter is to enumerate citizens every ten years for the purpose of apportioning representation in Congress. This is a necessary and unremarkable administrative function.

Oh, wait—again. Government bloat is a law of gravity, and the Census Bureau does far, far more than count noses. Its American Community Survey has made the Census Bureau the research arm for the welfare/redistribution state and a source of corporate welfare in the form of demographic data about Americans.

So Census goes around asking people dozens of questions that have nothing to do with the agency’s constitutional purpose.

The ACS is controversial enough among the strongly principled that Census has a Web page entitled: “Is the American Community Survey legitimate?” Their answer: “Yes. The American Community Survey is legitimate. It is a survey conducted by the U.S. Census Bureau.” (Did you know there’s a whole class on the “appeal to authority” at Fallacy University?…)

The real authority they cite is Title 13 of the U.S. code, which, in section 221, allows the government to fine people who refuse to answer the Census Bureau’s questions. It’s illegal to say “none of your damn business” when a government official comes around asking about your toilet. I’ve written many times, in long form and short, that the helping hand of government strips away privacy before it goes to work.

So it’s nice to see that Rand Paul (R-KY) in the Senate and Ted Poe (R-TX) in the House have introduced a bill to make the American Community Survey voluntary, unless it’s a question that the Census actually needs for its constitutional purposes. Reading public comments on the House bill is particularly interesting. There is a good number of people who want to be left well enough alone. They shouldn’t be subject to penalties for saying so. It’s a matter of principle and privacy.

I Second That Skepticism

The ACLU’s Chris Calabrese notes that nominations to the Privacy and Civil Liberties Board were forwarded from the Senate Judiciary Committee to the full Senate this morning. Congress created the Board in August 2007, and we have waited, and waited, and waited while the Bush and Obama administrations neglected to appoint anyone to it.

Calabrese is rightly skeptical that the “PCLOB” can make a difference:

[T]he national security establishment is huge, with tens of thousands of employees and a budget of more than $60 billion. The NSA alone has more than 30,000 employees. Contrast that with the PCLOB. It’s currently authorized (if it finally gets filled) to spend a whopping $900,000 and hire ten full-time employees for the 2012 fiscal year. With this level of staffing, it’s hard to imagine that the Board and its investigators can even begin to understand this vast national security infrastructure, never mind properly oversee it.

I have a fair amount of experience with privacy oversight in the U.S. government, having served on the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee. That experience has fairly well validated my thinking in 2001, before there were “privacy officers”:

The appointment of a privacy czar or creation of a privacy office is a poor substitute for directly addressing the voraciousness of many government programs for citizens’ personal information. Political leaders themselves should incorporate privacy into their daily consideration of policy options, rather than farming out that responsibility to officials who may or may not have a say in government policy.

To see how the PCLOB fits into government thinking, we can look at a 2007 speech given by Donald Kerr, principal deputy director of National Intelligence. To him, “privacy” is giving the government access to all the data it wants, subject to oversight.

[P]rivacy, I would offer, is a system of laws, rules, and customs with an infrastructure of Inspectors General, oversight committees, and privacy boards on which our intelligence community commitment is based and measured. And it is that framework that we need to grow and nourish and adjust as our cultures change.

That’s not privacy.

So don’t think for a minute that privacy will be better protected with a PCLOB in place, except perhaps marginally in the few programs that the Board dips into.

The membership of the board is slated to be: Jim Dempsey of the Center for Democracy and Technology, a sincere and knowledgeable privacy player, whose “player” role I find incompatible with producing good privacy outcomes; Elisebeth Collins Cook, a former Department of Justice lawyer whom I had never heard of before her nomination; Rachel Brand, an attorney for the U.S. Chamber of Commerce also unknown to me; Patricia Wald, a former federal judge for the D.C. Circuit whose privacy work is unknown to me; and David Medine, currently a WilmerHale partner who will chair the board. Medine is unquestionably government-friendly. He was a Federal Trade Commission bureaucrat who helped draft the Gramm-Leach-Bliley financial privacy and the Children’s Online Privacy Protection Act (COPPA) regulations.

On Breach of Decorum and Government Growth

Last week, the Center for Democracy and Technology changed its position on CISPA, the Cyber Intelligence Sharing and Protection Act, two times in short succession, easing the way for House passage of a bill profoundly threatening to privacy.

Declan McCullagh of C|Net wrote a story about it called “Advocacy Group Flip-Flops Twice Over CISPA Surveillance Bill.” In it, he quoted me saying: “A lot of people in Washington, D.C. think that working with CDT means working for good values like privacy. But CDT’s number one goal is having a seat at the table. And CDT will negotiate away privacy toward that end.”

That comment netted some interesting reactions. Some were gleeful about this “emperor-has-no-clothes” moment for CDT. To others, I was inappropriately “insulting” to the good people at CDT. This makes the whole thing worthy of further exploration. How could I say something mean like that about an organization whose staff spend so much time working in good faith on improving privacy protections? Some folks there absolutely do. This does not overcome the institutional role CDT often plays, which I have not found so creditable. (More on that below. Far below…)

First, though, let me illustrate how CDT helped smooth the way for passage of the bill:

Congress is nothing if not ignorant about cybersecurity. It has no idea what to do about the myriad problems that exist in securing computers, networks, and data. So its leaders have fixed on “information sharing” as a panacea.

Because the nature and scope of the problems are unknown, the laws that stand in the way of relevant information sharing are unknown. The solution? Scythe down as much law as possible. (What’s actually needed, most likely, is a narrow amendment to ECPA. Nothing of the sort is yet in the offing.) But this creates a privacy problem: an “information sharing” bill could facilitate promiscuous sharing of personal information with government agencies, including the NSA.

On the House floor last week, the leading Republican sponsor of CISPA, Mike Rogers (R-MI), spoke endlessly about privacy and civil liberties, the negotiations, and the process he had undertaken to try to resolve problems in the privacy area. At the close of debate on the rule that would govern debate on the bill, he said:

The amendments that are following here are months of negotiation and work with many organizations—privacy groups. We have worked language with the Center for Democracy and Technology, and they just the other day said they applauded our progress on where we’re going with privacy and civil liberties. So we have included a lot of folks.

You see, just days before, CDT had issued a blog post saying that it would “not oppose the process moving forward in the House.” The full text of that sentence is actually quite precious because it shows how little CDT got in exchange for publicly withdrawing opposition to the bill. Along with citing “good progress,” CDT president and CEO Leslie Harris wrote:

Recognizing the importance of the cybersecurity issue, in deference to the good faith efforts made by Chairman Rogers and Ranking Member Ruppersberger, and on the understanding that amendments will be considered by the House to address our concerns, we will not oppose the process moving forward in the House.

Cybersecurity is an important issue—never mind whether the bill would actually help with it. The leadership of the House Intelligence Committee have acted in good faith. And amendments will evidently be forthcoming in the House. So go ahead and pass a bill not ready to become law, in light of “good progress.”

Then CDT got spun.

As McCullagh tells it:

The bill’s authors seized on CDT’s statement to argue that the anti-CISPA coalition was fragmenting, with an aide to House Intelligence Committee Chairman Mike Rogers (R-Mich.) sending reporters e-mail this morning, recalled a few minutes later, proclaiming: “CDT Drops Opposition to CISPA as Bill Moves to House Floor.” And the Information Technology Industry Council, which is unabashedly pro-CISPA, said it “applauds” the “agreement between CISPA sponsors and CDT.”

CDT quickly reversed itself, but the damage was done. Chairman Rogers could make an accurate but misleading floor statement omitting the fact that CDT had again reversed itself. This signaled to members of Congress and their staffs—who don’t pay close attention to subtle shifts in the views of organizations like CDT—that the privacy issues were under control. They could vote for CISPA without getting privacy blow-back. Despite furious efforts by groups like the Electronic Frontier Foundation and the ACLU, the bill passed 248 to 168.

Defenders of CDT will point out—accurately—that it argued laboriously for improvements to the bill. And with the bill’s passage inevitable, that was an essential benefit to the privacy side.

Well, yes and no. To get at that question, let’s talk about how groups represent the public’s interests in Washington, D.C. We’ll design a simplified representation game with the following cast of characters:

  • one powerful legislator, antagonistic to privacy, whose name is “S.R. Veillance”;
  • twenty privacy advocacy groups (Groups A through T); and
  • 20,000 people who rely on these advocacy groups to protect their privacy interests.

At the outset, the 20,000 people divide their privacy “chits”—that is, their donations and their willingness to act politically—equally among the groups. Based on their perceptions of the groups’ actions and relevance, the people re-assign their chits each legislative session.

Mr. Veillance has an anti-privacy bill he would like to get passed, but he knows it will meet resistance if he doesn’t get 2,500 privacy chits to signal that his bill isn’t that bad. If none of the groups give him any privacy chits, his legislation will not pass, so Mr. Veillance goes from group to group bargaining in good faith and signaling that he intends to do all he can to pass his bill. He will reward the groups that work with him by including such groups in future negotiations on future bills. He will penalize the groups that do not by excluding them from future negotiations.

What we have is a game somewhat like the prisoner’s dilemma in game theory. Though it is in the best interest of the society overall for the groups to cooperate and hold the line against a bill, individual groups can advantage themselves by “defecting” from the interests of all. These defectors will be at the table the next time an anti-privacy bill is negotiated.

Three groups—let’s say Group C, Group D, and Group T—defect from the pack. They make deals with Mr. Veillance to improve his bill, and in exchange they give him their privacy chits. He uses their 3,000 chits to signal to his colleagues that they can vote for the bill without fear of privacy-based repercussions.

At the end of the first round, Mr. Veillance has passed his anti-privacy legislation (though weakened, from his perspective). Groups C, D, and T did improve the bill, making it less privacy-invasive than it otherwise would have been, and they have also positioned themselves to be more relevant to future privacy debates because they will have a seat at the table. Hindsight makes the passage of the bill look inevitable, and CDT looks all the wiser for working with Sir Veillance while others futilely opposed the bill.

Thus, having defected, CDT is now able to get more of people’s privacy chits during the next legislative session, so they have more bargaining power and money than other privacy groups. That bargaining power is relevant, though, only if Mr. Veillance moves more bills in the future. To maintain its bargaining power and income, it is in the interest of CDT to see that legislation passes regularly. If anti-privacy legislation never passes, CDT’s unique role as a negotiator will not be valued and its ability to gather chits will diminish over time.

CDT plays a role in “improving” individual pieces of legislation to make them less privacy-invasive and it helps to ensure that improved—yet still privacy-invasive—legislation passes. Over the long run, to keep its seat at the table, CDT bargains away privacy.

This highly simplified representation game repeats itself across many issue-dimensions in every bill, and it involves many more, highly varied actors using widely differing influence “chits.” The power exchanges and signaling among parties end up looking like a kaleidoscope rather than the linear story of an organization subtly putting its own goals ahead of the public interest.

Most people working in Washington, D.C., and almost assuredly everyone at CDT, have no awareness that they live under the collective action problem illustrated by this game. This is why government grows and privacy recedes.

In his article, McCullagh cites CDT founder Jerry Berman’s role in the 1994 passage of CALEA, the Communications Assistance to Law Enforcement Act. I took particular interest in CDT’s 2009 backing of the REAL ID revival bill, PASS ID. In 2006, CDT’s Jim Dempsey helped give privacy cover to the use of RFID in identification documents contrary to the principle that RFID is for products, not people. A comprehensive study of CDT’s institutional behavior to confirm or deny my theory of its behavior would be very complex and time-consuming.

But divide and conquer works well. My experience is that CDT is routinely the first defector from the privacy coalition despite the earnest good intentions of many individual CDTers. And it’s why I say, perhaps in breach of decorum, things like: “A lot of people in Washington, D.C. think that working with CDT means working for good values like privacy. But CDT’s number one goal is having a seat at the table. And CDT will negotiate away privacy toward that end.”