Tag: privacy

Mobility Is Freedom, Not an Invasion of Privacy

Mobility is freedom, or at least an important part of it. Yet earlier this month challenges to expansions of that freedom came from, surprisingly, the Mises Institute of Canada, Reason magazine, and the American Enterprise Institute. The issues are new automobile technologies, specifically self-driving cars and improved road pricing, and the challenges came from people who clearly don’t understand the technologies involved.

Self-driving cars, says Roger Toutant writing for the Mises Institute of Canada, will lead to “a national, state-operated, computer network that will be used to achieve an Orwellian level of vehicular control and information sharing. …The implications are ominous. In the future, private spheres will be invaded and all movements will be tracked.”

“Boot up a Google car,” agrees Greg Beato of Reason magazine, “and it’s not so easy to cut the connection with the online mothership.” If you get into a Google driverless car, “you immediately start sending great quantities of revealing information to a company that’s already hoarding every emoticon you’ve ever IMed.”

It is appropriate to question new technologies, but the answer is that this is not the way these cars work. None of the self-driving cars being developed by Volkswagen, Google, or other companies relies at all on central computers. Instead, all the computing power is built into each car.

Civil Liberties After Boston—My Take

It’s to be expected that privacy will suffer a bear market after a terrorist attack or attempt. I’ve seen worse, of course, but was concerned this week to read a piece by Richard Epstein on the Hoover Institution web site that I think sounds needless anti-privacy notes. Professor Epstein is not only an important public intellectual, but a Cato adjunct scholar of whom we’re proud, and a friendly professional colleague (to whose defense I’ll leap when he’s wronged).

The issue is what policies governments might adopt toward the end of terrorism prevention. Professor Epstein finds the statement of Massachusetts state senator Robert Hedlund (R-Weymouth) to be a bridge too far. Hedlund says:

It’s not surprising that you have law enforcement agencies rushing out to use [the Boston bombing and subsequent manhunt] as pretext to secure additional powers but I think we have to maintain perspective and realize that civil liberties and the protections we’re granted under the Constitution and our rights to privacy, to a degree, are nonnegotiable…

You don’t want to let a couple of young punks beat us and allow our civil liberties to be completely eroded. I don’t fall into the trap that, because of the hysteria, we need to kiss our civil liberties away.

Professor Epstein calls that “dead wrong,” saying, “the last thing needed in these difficult circumstances is a squeamishness about aggressive government action.” Given the importance of preventing terrorism, claims of right against increased surveillance and racial or other profiling should be “stoutly resisted,” he says.

I agree with Professor Epstein that flat claims about a “right to privacy” shouldn’t limit surveillance. “Concern” with racial or ethnic profiling is not a sound basis for desisting from the practice. But I don’t take Hedlund’s statement to be a product of squeamishness, and I think it is in the main correct.

Where I think Professor Epstein goes wrong, insofar as he wants law enforcement to have its way, is in setting aside “technical difficulties” and “means-ends” questions as peripheral. For me, the Fourth Amendment’s bar on unreasonable searches and seizures demands coordination between means and ends in light of the technological situation (both in terms of doing harm and discovering it). It is not a given that government action is reasonable, and no amount of priority given to a threat makes an incoherent response reasonable and constitutional.

Good, Market-Based Privacy Advocacy

Too much privacy advocacy is done by a self-appointed expert class who, believing their own preferences to be universal, beseech legislators and regulators to mold or even remake the information economy. I have nothing against self-appointed experts—I am one, and some of you have been falling for my schtick for a decade. But the hubris of claiming to know how things should come out? That’s too much.

So the Electronic Frontier Foundation’s “Who Has Your Back?” report is a real stand-out. Using a clear, six-star grid, they assess how well major Internet companies and ISPs do when it comes to key dimensions of privacy protection.

This puts you, the consumer, in a position to choose with whom you want to do business. As importantly, it puts business decision-makers on notice: If they don’t satisfy actual consumer demand for privacy, they are more likely than before to lose money.

If consumers care about privacy, they will act on what’s in this report—and specifically on the dimensions of privacy protection that matter to them. If they don’t, they won’t, because they prioritize other things, and businesses can do the same. It’s an elegant system—a market-based system—for discovering and delivering what consumers want.

The alternative is a foggy war (politics being war by other means) in which the “consumer advocate” and “industry” use every artifice to persuade various authorities whether or not, and how, to intervene. The actual desire of the consumer is an afterthought in this regulatory battle.

So, Who Has Your Back?

The report is worth checking out. You might learn that a provider you trust is not so trustworthy. You might learn of services that you should try because they are good actors. You might disagree with the methodology, and that’s fine, too. The responses of businesses and consumers to this report will be far more finely tuned to actual consumer demand for privacy than the gaudy privacy show that runs ‘round the clock these days in Washington, D.C., state capitols, and Brussels.

Congratulations and thanks to the Electronic Frontier Foundation for some good, market-based privacy advocacy!

The Path to National Identification

In my 2008 paper, “Electronic Employment Eligibility Verification: Franz Kafka’s Solution to Illegal Immigration,” I wrote about where “internal enforcement” of immigration law leads: “to a national, cradle-to-grave, biometric tracking system.” More recently, I wrote “Internal Enforcement, E-Verify, and the Road to a National ID” in the Cato Journal. The “Gang of Eight” immigration proposal includes a large step on that path to national identification.

National ID provisions in the 2007 immigration bill were arguably its downfall. Scrapping the national ID provisions in the current bill would improve it, allowing our country to adopt more sensible immigration policies without suffering a costly attack on American citizens’ liberties.

Title III of the “Gang of Eight” bill is entitled “Interior Enforcement.” It begins by reiterating the current prohibition on hiring unauthorized aliens. (What seems to many a natural duty of employers was an invention that dates back only as far as 1986, when Congress passed the Immigration Reform and Control Act. Prior to that time, employers were free to hire workers based on the skills and willingness they presented, and not their documents. But since that time, Congress has treated the nation’s employers as deputy immigration agents.)

The bill details the circumstances under which employers may be both civilly and criminally liable under the law and provides for a “good faith defense” and “good faith compliance” that employers may hope to use as shelter. The bill restates (with modifications) the existing requirements for checking workers’ papers, saying that employers must “attest, under penalty of perjury” that they have “verified the identity and employment authorization status” of the people they employ, using prescribed documents or combination of documents. Cards that meet the requirements of the REAL ID Act are specifically cited as proof of identity and authorization to work.

In addition, the bill would create a new “identity authentication mechanism,” requiring employers to use that as well. It would take one of two forms. One is a “photo tool” that enables employers to match photos on covered identity documents to photos “maintained by a U.S. Citizenship and Immigration Services database.” If the photo tool is not available, employers must use a system the bill would instruct the Department of Homeland Security to develop. The system would “provide a means of identity authentication in a manner that provides a high level of certainty as to the identity of such individual, using immigration and identifying information that may include review of identity documents or background screening verification techniques using publicly available information.”

The bill next turns to expanding the E-Verify system, requiring its use by various employers on various schedules. The federal government and federal contractors would have to use E-Verify as required already or within 90 days. A year after the DHS publishes implementing regulations, the Secretary of Homeland Security could require anyone touching “critical infrastructure” (defined here) to use E-Verify. She could require immigration law violators to use E-Verify anytime she likes.

CISPA’s Vast Overreach

Last summer at an AEI-sponsored event on cybersecurity, NSA head General Keith Alexander made the case for information sharing legislation aimed at improving cybersecurity. His response to a question from Ellen Nakashima of the Washington Post (starting at 54:25 in the video at the link) was a pretty good articulation of how malware is identified and blocked using algorithmic signatures. In his longish answer, he made the pitch for access to key malware information for the purpose of producing real-time defenses.

What the antivirus world does is it maps that out and creates what’s called a signature. So let’s call that signature A. … If signature A were to hit or try to get into the power grid, we need to know that signature A was trying to get into the power grid and came from IP address x, going to IP address y.

We don’t need to know what was in that email. We just need to know that it contained signature A, came from there, went to there, at this time.

[I]f we know it at network speed we can respond to it. And those are the authorities and rules and stuff that we’re working our way through.

[T]hat information sharing portion of the legislation is what the Internet service providers and those companies would be authorized to share back and forth with us at network speed. And it only says: signature A, IP address, IP address. So, that is far different than that email that was on it coming.

Now it’s interesting to note, I think—you know, I’m not a lawyer but you could see this—it’s interesting to note that a bad guy sent that attack in there. Now the issue is what about all the good people that are sending their information in there, are you reading all those. And the answer is we don’t need to see any of those. Only the ones that had the malware on it. Everything else — and only the fact that that malware was there — so you didn’t have to see any of the original emails. And only the ones that had the malware on it did you need to know that something was going on.

It might be interesting to get information about who sent malware, but General Alexander said he wanted to know attack signatures, originating IP address, and destination. That’s it.

Now take a look at what CISPA, the Cybersecurity Information Sharing and Protection Act (H.R. 624), allows companies to share with the government provided they can’t be proven to have acted in bad faith:

information directly pertaining to—

(i) a vulnerability of a system or network of a government or private entity or utility;

(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or utility or any information stored on, processed on, or transiting such a system or network;

(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity or utility; or

(iv) efforts to gain unauthorized access to a system or network of a government or private entity or utility, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity or utility.

That’s an incredible variety of subjects. It can include vast swaths of data about Internet users, their communications, and the files they upload. In no sense is it limited to attack signatures and relevant IP addresses.

What is going on here? Why has General Alexander’s claim to need attack signatures and IP addresses resulted in legislation that authorizes wholesale information sharing and that immunizes companies who violate privacy in the process? One can only speculate. What we know is that CISPA is a vast overreach relative to the problem General Alexander articulated. The House is debating CISPA Wednesday and Thursday this week.

What Is the Value of Bitcoin?

With Bitcoin enjoying a spike in price against government currencies, there is lots of talk about it on the Interwebs. If you’re not familiar with it yet, here’s a good Bitcoin primer, which also counsels reading a lot more before you acquire Bitcoin, as Bitcoin may fail. If you like Bitcoin and want to buy some, don’t go all goofy. Do your homework. As if you need to be told, be careful with your money.

Much of the commentary declares a Bitcoin bubble for one reason or another. It might be a bubble, but nobody actually knows. A way of guessing is to compare Bitcoin’s qualities as a currency and payment network to the alternatives. Like any service or good, there are many dimensions to value storage and transfer.

I may not capture them all, and they certainly don’t predict the correct price against the dollar or other currencies. That depends on the ultimate viscosity of Bitcoin. But Bitcoin certainly has value of a different kind: it may discipline fiat currencies and the states that control them.

“Everyone Will Have to Decide For Themselves”

Alessandro Acquisti is one of my favorite privacy researchers, and a quote he gave the New York Times about consumer privacy is all Acquisti, right down to the Italian-born locution.

“Should people be worried? I don’t know,” he said with a shrug in his office at Carnegie Mellon. “My role is not telling people what to do. My role is showing why we do certain things and what may be certain consequences. Everyone will have to decide for themselves.”

Alas, Times reporter Somini Sengupta did not report on Acquisti as neutrally as Acquisti reports on privacy.

We don’t always act in our own best interest, his research suggests. We can be easily manipulated by how we are asked for information. Even something as simple as a playfully designed site can nudge us to reveal more of ourselves than a serious-looking one.

It is just as plausible that people mouth a desire for privacy but then act more consistently with their self-interest when they reveal information that provides them fuller interaction, free Internet content, and broader commercial choices.

Read more of Acquisti on his Economics of Privacy page.