Tag: privacy

Big Teacher Is Watching

Researching government invasions of privacy all day, I come across my fair share of incredibly creepy stories, but this one may just take the cake.  A lawsuit alleges that the Lower Merion School District in suburban Pennsylvania used laptops issued to each student to spy on the kids at home by remotely and surreptitiously activating the webcam built into the bezel of each one. The horrified parents of one student apparently learned about this capability when their son was called in to the assistant principal’s office and accused of “inappropriate behavior while at home.” The evidence? A still photograph taken by the laptop camera in the student’s home.

I’ll admit, at first I was somewhat skeptical—if only because this kind of spying is in such flagrant violation of so many statutes that I thought surely one of the dozens of people involved in setting it up would have piped up and said: “You know, we could all go to jail for this.” But then one of the commenters over at Boing Boing reminded me that I’d seen something like this before, in a clip from Frontline documentary about the use of technology in one Bronx school.  Scroll ahead to 4:37 and you’ll see a school administrator explain how he can monitor what the kids are up to on their laptops in class. When he sees students using the built-in Photo Booth software to check their hair instead of paying attention, he remotely triggers it to snap a picture, then laughs as the kids realize they’re under observation and scurry back to approved activities.

I’ll admit, when I first saw that documentary—it aired this past summer—that scene didn’t especially jump out at me. The kids were, after all, in class, where we expect them to be under the teacher’s watchful eye most of the time anyway. The now obvious question, of course, is: What prevents someone from activating precisely the same monitoring software when the kids take the laptops home, provided they’re still connected to the Internet?  Still more chilling: What use is being made of these capabilities by administrators who know better than to disclose their extracurricular surveillance to the students?  Are we confident that none of these schools employ anyone who might succumb to the temptation to check in on teenagers getting out of the shower in the morning? How would we ever know?

I dwell on this because it’s a powerful illustration of a more general point that can’t be made often enough about surveillance: Architecture is everything. The monitoring software on these laptops was installed with an arguably legitimate educational purpose, but once the architecture of surveillance is in place, abuse becomes practically inevitable.  Imagine that, instead of being allowed to install a bug in someone’s home after obtaining a warrant, the government placed bugs in all homes—promising to activate them only pursuant to a judicial order.  Even if we assume the promise were always kept and the system were unhackable—both wildly implausible suppositions—the amount of surveillance would surely spike, because the ease of resorting to it would be much greater even if the formal legal prerequisites remained the same. And, of course, the existence of the mics would have a psychological effect of making surveillance seem like a default.

You can see this effect in law enforcement demands for data retention laws, which would require Internet Service Providers to keep at least customer transactional logs for a period of years. In face-to-face interactions, of course, our default assumption is that no record at all exists of the great majority of our conversations. Law enforcement accepts this as a fact of nature. But with digital communication, the default is that just about every activity creates a record of some sort, and so police come to see it as outrageous that a potentially useful piece of evidence might be deleted.

Unfortunately, we tend to discuss surveillance in myopically narrow terms.  Should the government be able to listen in on the phone conversations of known terrorists? To pose the question is to answer it. What kind of technological architecture is required to reliably sweep up all the communications an intelligence agency might want—for perfectly legitimate reasons—and what kind of institutional incentives and inertia does that architecture create? A far more complicated question—and one likely to seem too abstract to bother about for legislators focused on the threat of the week.

The Government Has Your Baby’s DNA

My 2004 Cato Policy Analysis, “Understanding Privacy – and the Real Threats to It,” talks about how government programs intended to do good have unintended privacy costs. “The helping hand of government routinely strips away privacy before it goes to work,” I wrote.

There could be no better illustration of that than the recent CNN report on government collection and warehousing of American babies’ DNA. “Scientists have said the collection of DNA samples is a ‘gold mine’ for doing research,” notes a sidebar to the story.

I have no doubt that it is—and that government-mandated harvesting of this highly valuable personal data from children is an unjust enrichment of the beneficiaries.

Switzerland’s Strong Human Rights Laws Should Be Emulated, not Persecuted

In a rational world, Switzerland would be a role model for other nations. It is quite prosperous thanks largely to a modest burden of government. There is remarkable ethnic and religious diversity, but virtually no tension because power is decentralized (sort of what America’s Founders envisioned for the United States). Yet despite these – and many other – attractive features, Switzerland is being persecuted because of strong human rights laws that protect financial privacy. Money-hungry politicians from other nations resent Switzerland’s attractive policies, and they would rather trample Swiss sovereignty than fix their own oppressive tax laws. An official from the Swiss Bankers Association provides some background in a New York Times column:

In Switzerland, this tradition of treating a client’s financial affairs in confidence became law in 1934 when it was codified in Article 47 of the country’s first-ever federal banking act as a contemporary reaction to the economic crisis, various domestic political considerations and well-publicized cases of espionage involving France and Germany. …Banking secrecy…reflects the very high degree of trust that exists between the Swiss state and its citizens and it has strong democratic foundations. …The Swiss are proud of their system and they reward it with a high level of taxpayer honesty. It works because the Swiss vote their own taxes, they have a high degree of control over the way tax revenues are spent and over all they believe their tax system to be reasonable, comprehensible, transparent and fair. …Doesn’t Switzerland hear the snapping jaws and cracking whips of foreign finance ministers, tax collectors, O.E.C.D. bureaucrats, cash-dispensing government agents and other denizens of the encroaching real world as they circle round Mother Helvetia intent on biting huge chunks out of her banking secrecy, if not swallowing it whole? …In March last year the Swiss announced they would give up the evasion-fraud distinction for foreign bank clients and adopt the O.E.C.D. standards on information exchange in tax matters. …However, requests for assistance must be made with regard to a specific individual, and “fishing expeditions” — any indiscriminate trawling through bank accounts in the hope of finding something interesting — remain ruled out. …Switzerland demonstrates to the world that it is possible for a state to collect taxes with a high degree of taxpayer honesty and without the authorities being corroded with suspicion about the financial activities of their citizens. 
Citizens in a democracy would never allow their police force to have an automatic right of forced entry into their homes just on the off-chance of finding some stolen goods, so why on earth should the state have an automatic right of forced entry into citizens’ banks accounts just on the off-chance of discovering some tax evasion? There must be a limit to the extent to which respect for an individual’s privacy is sacrificed on the altar of international cooperation in tax matters.

Sadly, the United States is part of the effort to create a global tax cartel. An “OPEC for politicians” would be terrible news for taxpayers, though, much as a cartel of gas stations would be bad for drivers. So-called tax havens play a valuable role in curtailing the greed of the political class. Ask yourself a simple question: Would politicians be more likely or less likely to raise tax rates if they knew taxpayers had no escape options?

Data Privacy Day’s Man About Town

Betcha didn’t know that January 28th is Data Privacy Day. That’s the day on which it’s customary to give gifts of cash and money to your favorite privacy advocate. No, not really. Though Hallmark hasn’t gotten a hold of it, it is a day on which some extra attention gets paid to privacy issues.

I’ll be speaking at two events coinciding with Data Privacy Day. On Wednesday, I’ll be speaking at the 2010 Internet Data Privacy Colloquium put on by a group called Dialogue on Diversity. Register here.

And on Thursday I’ll be speaking at an event put on by the Future of Privacy Forum called “Online Privacy: Your Reputation is ON the LINE.” (Get it? “ON the LINE”? Online? We’re talkin’ computers, folks.) You can register for it on the event’s page.

There you have it! Data Privacy Day! The one day this year, among many, that you should lavish your favorite privacy expert with gifts and praise. And gifts.

No Privacy Please, We’re Millennials

TrueSlant’s Kashmir Hill notes—and endorses—Facebook CEO Mark Zuckerberg’s conclusion that the kids today won’t stay off my lawn just don’t care much about privacy.

On the one hand, this shouldn’t be terribly surprising. Quite apart from the recent proliferation of social networking technology, generational researchers have long contrasted the heavily supervised and scheduled upbringings of (middle class) Millennials born in the ’80s and early ’90s with that of their “latch key” Gen X predecessors. And for anyone currently of college age, post-9/11 levels of security theater are viewed not as a novel expansion of official intrusion, but as the baseline, as normal. This can’t be a matter of total indifference to the fogeys among us, because shifting norms will affect both legislators’ willingness to ratchet up surveillance and, at least potentially, judicial assessments of which “expectations of privacy” society is prepared to recognize as “reasonable” for Fourth Amendment purposes.

Still, let me throw out some grounds for questioning this broad generational diagnosis. Privacy is not just a function of the raw quantity of information available about each of us, but of the control we exercise over that information. To be sure, it may seem that we have less of that as well when any scrap of data that appears on the Internet can so easily be copied and circulated. But for the generation that came of age online, those scraps of data are often part of a very conscious public performance of identity. Not necessarily a performance all of them will be eager to own ten years down the line, but a performance all the same.

In his excellent book The Digital Person, legal scholar Dan Solove contrasts two kinds of privacy dystopia: the Orwellian and the Kafkaesque. The focus in the Orwellian vision is on exposure: Big Brother’s spies and cameras are everywhere, and no detail of your personal life too minute to escape notice. But the plight of Kafka’s Josef K. is somewhat different: He finds himself at the mercy of an inscrutable bureaucracy, with no access to the details of his case file, and no way of tracing the provenance of the information it contains or correcting errors. We are more exposed, but we increasingly set the terms of our exposure.

It’s easy to look at all the information that comes up in a simple Google search for someone’s name and conclude that privacy is dead. But I think it’s at least as significant that the crucial first page of results is likely to consist of information that the individuals themselves have chosen to make public: Blogs, Facebook or MySpace profiles, Twitter accounts, Last.fm pages, YouTube channels. A similar inquiry a generation ago surely would have been much more laborious and less fruitful, but it also would have consisted to a far greater extent of what others had to say about the target: gossip first and foremost, but perhaps also press mentions, official records, and so on. It’s not that such information is now less accessible, but for the average person, it’s pushed to the margin by what we’ve chosen to disclose. That’s not an unmixed blessing—some may feel as though this merely traps them in a kind of openness arms race—but neither is it the privacy death-spiral a purely quantitative analysis might suggest.

Three Keys to Surveillance Success: Location, Location, Location

The invaluable Chris Soghoian has posted some illuminating—and sobering—information on the scope of surveillance being carried out with the assistance of telecommunications providers.  The entire panel discussion from this year’s ISS World surveillance conference is well worth listening to in full, but surely the most striking item is a direct quotation from Sprint’s head of electronic surveillance:

[M]y major concern is the volume of requests. We have a lot of things that are automated but that’s just scratching the surface. One of the things, like with our GPS tool. We turned it on the web interface for law enforcement about one year ago last month, and we just passed 8 million requests. So there is no way on earth my team could have handled 8 million requests from law enforcement, just for GPS alone. So the tool has just really caught on fire with law enforcement. They also love that it is extremely inexpensive to operate and easy, so, just the sheer volume of requests they anticipate us automating other features, and I just don’t know how we’ll handle the millions and millions of requests that are going to come in.

To be clear, that doesn’t mean they are giving law enforcement geolocation data on 8 million people. He’s talking about the wonderful automated backend Sprint runs for law enforcement, LSite, which allows investigators to rapidly retrieve information directly, without the burden of having to get a human being to respond to every specific request for data.  Rather, says Sprint, each of those 8 million requests represents a time when an FBI computer or agent pulled up a target’s location data using their portal or API. (I don’t think you can Tweet subpoenas yet.)  For an investigation whose targets are under ongoing realtime surveillance over a period of weeks or months, that could very well add up to hundreds or thousands of requests for a few individuals. So those 8 million data requests, according to a Sprint representative in the comments, actually “only” represent “several thousand” discrete cases.

As Kevin Bankston argues, that’s not entirely comforting. The Justice Department, Soghoian points out, is badly delinquent in reporting on its use of pen/trap orders, which are generally used to track communications routing information like phone numbers and IP addresses, but are likely to be increasingly used for location tracking. And recent changes in the law may have made it easier for intelligence agencies to turn cell phones into tracking devices.  In the criminal context, the legal process for getting geolocation information depends on a variety of things—different districts have come up with different standards, and it matters whether investigators want historical records about a subject or ongoing access to location info in real time. Some courts have ruled that a full-blown warrant is required in some circumstances, in other cases a “hybrid” order consisting of a pen/trap order and a 2703(d) order. But a passage from an Inspector General’s report suggests that the 2005 PATRIOT reauthorization may have made it easier to obtain location data:

After passage of the Reauthorization Act on March 9, 2006, combination orders became unnecessary for subscriber information and [REDACTED PHRASE]. Section 128 of the Reauthorization Act amended the FISA statute to authorize subscriber information to be provided in response to a pen register/trap and trace order. Therefore, combination orders for subscriber information were no longer necessary. In addition, OIPR determined that substantive amendments to the statute undermined the legal basis for which OIPR had received authorization [REDACTED PHRASE] from the FISA Court. Therefore, OIPR decided not to request [REDACTED PHRASE] pursuant to Section 215 until it re-briefed the issue for the FISA Court. As a result, in 2006 combination orders were submitted to the FISA Court only from January 1, 2006, through March 8, 2006.

The new statutory language permits FISA pen/traps to get more information than is allowed under a traditional criminal pen/trap, with a lower standard of review, including “any temporarily assigned network address or associated routing or transmission information.” Bear in mind that it would have made sense to rely on a 215 order only if the information sought was more extensive than what could be obtained using a National Security Letter, which requires no judicial approval. That makes it quite likely that it’s become legally easier to transform a cell phone into a tracking device even as providers are making it point-and-click simple to log into their servers and submit automated location queries. So it’s become much more urgent that the Justice Department start living up to its obligation to start telling us how often they’re using these souped-up pen/traps, and how many people are affected. In congressional debates, pen/trap orders are invariably mischaracterized as minimally intrusive, providing little more than the list of times and phone numbers they produced 30 years ago. If they’re turning into a plug-and-play solution for lojacking the population, Americans ought to know about it.

If you’re interested enough in this stuff to have made it through that discussion, incidentally, come check out our debate at Cato this afternoon, either in the flesh or via webcast. There will be a simultaneous “tweetchat” hosted by the folks at Get FISA Right.

Online Privacy and the Commerce Clause

I fear that with the PATRIOT Act on the brain, I’ve been remiss in continuing the colloquy on behavioral ads and privacy regulation that I’d been having with Jim Harper—who flattered me by responding in a long and thoughtful essay a couple weeks back. Because there’s so much interesting stuff there, I hope he won’t mind if I restrict myself to the first part of his reply here, in the interest of making this all a bit more digestible to those whose fascination with the topic may not be quite as consuming as ours. I’ll consider briefly the constitutional issue Jim raises, and turn to some of the specifics of the issue—and the relative merits of the common law alternative—in another post.

So like every good dorm room bull session, we begin in the weeds of policy and quickly find ourselves breathing the rarefied air of constitutional theory. Supposing for the moment that we thought it were a good idea on policy grounds, would it be within the power of Congress to set ground rules for online advertisers who gather personal data from Web browsers? Recall that there are two particular rules that I’ve said I’d be tentatively open to, but which Jim rejects: a requirement of notice when information is being collected (say via a small link from the adspace to a privacy policy) and a rule establishing that privacy policies are enforceable, so that individual users can sue for damages if a company knowingly violates its stated policy (thus far, courts have not generally found these to be binding). Does this fall within the power to “regulate commerce … among the several states”? I think so. I’ll start with what I hope will be some uncontroversial arguments and go from there.

So first, let’s grant that there’s one type of “original intent” that everyone ought to care about, whatever their more general interpretive stance: what Ronald Dworkin calls the linguistic intent of the Framers. That is, if words like “commerce” and “regulate” had narrower meanings in 1787 than they do today, we must, of course, read them now in that light: “Commerce” means actual interstate traffic in goods and services, rather than economic activity more generally, and “regulation” is centrally about establishing uniform rules and procedures.  With these appropriately narrowed readings in mind, I think it’s still a slam-dunk that online ads are covered.

There are, in fact, at least three different senses in which behavioral ads might be classed as interstate commerce. First, the purchase of the ad space itself is obviously a commercial transaction—frequently though not necessarily between entities in different states—and there’s a reasonable question of whether a host site with posted privacy policy is implicitly committed to applying that policy as a condition on ad space sold to third parties. The ads themselves will typically propose a commercial transaction, and in a more direct way than other ads are, can plausibly be seen as the first step in the transaction itself, as clicking on the ad will often bring you directly to a page where you can complete the purchase it recommends. Finally, the personal and behavioral user data collected is itself a valuable commodity, and many sites function with a pretty explicit informational quid pro quo: You will receive access to our content in exchange for registering and providing us with certain data. Since the Internet is borderless, most sites will be getting most of their traffic from people located in different states or countries, and even narrowly state-focused sites are likely to have substantial border-crossing traffic. So on a pretty straight reading of the constitutional language, I find very little reason to doubt that Congress may set uniform default rules for these interstate transactions, rather than leaving it to a patchwork of state rules.

Now, Jim’s reason for questioning this seems to be that the primary concern of the Framers was to prevent states from creating trade barriers. That may be, but if we skip ahead to Article 1, Section 10, we find that Congress knew perfectly well how to enact general and purely prohibitory bans on such shenanigans using more apt “no state shall” language. Instead, they used precisely the same language for interstate commerce as they did for international commerce, where history suggests that the Framers (many of them steeped in the mercantilist economic theories of the day) had been above all concerned to preserve the ability to erect protectionist trade barriers. So we’re left with a choice between ascribing to the Framers a frankly stunning level of linguistic incompetence or supposing that the Constitution actually does grant the affirmative power that a facial reading suggests.

Needless to say, this does not require us to adopt the post–New Deal reading that places anything with the least potential influence on economic activity under Congressional purview. But we’re pretty close to the core here. Indeed, one of the early cases I know Jim considers a lodestone for the “no trade barriers” reading, Gibbons v. Ogden, involves a congressional grant of a license to operate steamboats. The court found that this superseded the monopoly New York had sought to grant another steamboat operator, which fits Jim’s point to an extent, but it’s crystal clear from that (1824) ruling that the power of Congress here is a broad authority to grant or withhold a privilege to operate interstate vessels, and establish conditions on such vessels, including restrictions on ownership and personnel. It seems to me you’d have to get awfully creative to read the clause in a way that authorizes that kind of authority over an “instrumentality” of commerce (water navigation) but forbids Congress from specifying the kind of notice a merchant must provide when initiating an actual interstate commercial transaction.

A slightly more controversial suggestion: When the specific substantive intent of the Framers is not explicitly embedded in the Constitution’s language—by which I mean, the specific use they thought a wise Congress would make of enumerated powers in light of contemporary economic theories, whether liberal or mercantilist—I am not inclined to give it very great weight. Or more bluntly, when the legal language is abstract, I don’t think we’re bound by an original conception of how or where it applied in specific cases—to the extent such a consideration is even intelligible when we’re talking about Internet advertising. Manifestly, very few people at the time of the passage of the Fourteenth Amendment believed that the abstract guarantee of “equal protection” entailed a substantive right of black children to attend public schools the states restricted to whites. But insofar as what they wrote into law was the abstract guarantee, I don’t think we’re required to care what they believed. Our modern reading should be constrained by the original sense of the words used, and to some extent by the original structural purpose served (translated as necessary). But in specific application—whether privacy rules for online ads are encompassed within “regulation” of “commerce”—then even if you pulled out the Ouija board and got a personal verdict from James Madison, it would just be one more opinion.

Finally, and maybe most controversially: What kind of recommendations should we make in a world where our preferred interpretation of the Constitution lost the fight a long time ago? If the question is what we should recommend to judges, presumably we want to recommend that they start shifting back in the direction of a reading we regard as better justified. But what about when, as Jim imagines, we’re advising legislators? Should we only recommend what we believe to be authorized by what we hold to be the best reading of the Constitution, or will it sometimes make sense to endorse legislation that is plainly allowed by the current regnant interpretation, but that might be outside the scope of the interpretation we regard as superior? I think it will, partly for theoretical, and partly for pragmatic reasons.

At a practical level, both legislators and citizens widely believe Congress to have broader policy discretion than most of the authors here. So very generally speaking, I don’t think it serves limited government to refrain from weighing in on the relative merits of policy options that wouldn’t be on the table at all if our arguments had fared better at the meta-level. (Recall the old joke about the principled pacifist answer to how to respond to World War II: Don’t sign the Treaty of Versailles!) Now, on this particular question it’s not a sure thing that Congress or the FTC will act, and maybe “hands off” is the best advice to give. But there are plenty of areas where there’s no realistic chance that Congress is going to abstain altogether, even if we think that’s what the best interpretation of the Constitution requires. In those cases, I think it’s at least sometimes appropriate to flag the meta objection and then say something about the policy merits. Obviously there are limits—I don’t expect I’ll ever express a view on the “best” way to run a torture chamber—but there are plenty of issues where it seems perverse for the people most concerned with limited government to sit out the day-to-day debates and focus on getting Wickard v. Filburn overturned, glad as I am that there are folks hammering that.

That dovetails with the theoretical reason, which has to do with the broader question of why constitutional principles are binding on us at all. I assume it is not because the Founders, brilliant though they were, enjoyed some divine right of command that the inheritors of their institutions are compelled to obey. Partly it’s that the principles embedded in the Constitution are good ones, but a substantial piece of the answer, I think, is that they provide a stable framework within which we conduct our political and private lives. Judges give weight to stare decisis even when they think the case at the fountainhead of a line of precedent was poorly decided, in part because the legitimacy and authority of law are to a great extent a function of its predictability, of the way it allows us to take actions and make agreements and know pretty much what the legal consequences will be, however much else may remain unpredictable. Constitutional restraints do this one level up, establishing (albeit roughly) a domain of legal variation over the longer term. This is not, for what it’s worth, wacky postmodern Critical Legal Studies stuff; it’s an extrapolation from Hayek. To imagine that you can remake a society’s institutions wholesale—even if your guide is the best interpretation of a founding document, and even if you’re pretty sure that interpretation held sway a couple centuries ago—is the fallacy of constructivist rationalists.

Now, I think the right account of why we should regard the Constitution as binding starts with considerations along these lines, but this has the (perhaps unfortunate) consequence that even if you had a super-awesome unanswerable argument for why the Constitution mandates libertopia, at least when read properly absent the accretions of precedent, you still wouldn’t have an argument that judges, legislators, and government officials must all start acting on this understanding as of tomorrow. What you’d have is a good starting point for a much more gradual process of paring government back down. Not, to be clear, because I think the Constitution “means whatever the Supreme Court says it does”—that would be incoherent, since the court’s practice is unintelligible, and its legitimacy illusory, unless we assume there’s an independent meaning for them to strive toward.  But an “independent” meaning can be located in a community of interpretation and practice that extends beyond the framing generation. By analogy: If I want to use language “correctly” to communicate, I don’t get to just assign whatever meanings I like to words. It’s even possible to make a strong argument that the majority of speakers at a particular historical moment are using a word—like “decimate” or “hopefully” or “brutalize”—improperly. But neither does it mean that the first person to coin the term gets to specify its legitimate uses forever. And, in fact, anyone who insisted on using “decimate” to mean only “reduce by ten percent” would probably find his attempts at communication misfiring badly. To say that meaning is necessarily public and independent—consult Hayek’s cousin Wittgenstein here—does not require a baptismal view of meaning. Or at any rate, whether it does or not depends on the function your interpretive practice serves.

So yeah, that’s all pretty far removed from our original discussion—and I’m hoping far enough below the fold that it doesn’t put me on the wrong end of another dozen arguments with colleagues. I’ll do another post later this week where I actually get to the policy question, and some potent objections that both Jim and Tim Lee have raised.