Tag: privacy

Called it! Eleven Years Ago

What is this blog for, if not to let Cato scholars call out what smarty-pantses they are?

The Wall Street Journal reports on automobile license plates as the “new tracking frontier.”

For more than two years, the police in San Leandro, Calif., photographed Mike Katz-Lacabe’s Toyota Tercel almost weekly. They have shots of it cruising along Estudillo Avenue near the library, parked at his friend’s house and near a coffee shop he likes. In one case, they snapped a photo of him and his two daughters getting out of a car in his driveway. Mr. Katz-Lacabe isn’t charged with, or suspected of, any crime. Local police are tracking his vehicle automatically, using cameras mounted on a patrol car that record every nearby vehicle—license plate, time and location.

I didn’t have every detail, of course, but 11 years ago I noted the coming problem of license-plate tracking in testimony to a House Transportation subcommittee.

It was a little odd at the time, and still is, to talk about the privacy problem with license plates. But the emerging technology environment makes it essential to analyze and assess more carefully the information and identification demands that the government places on us.

[T]he requirement in all fifty states that cars must exhibit license plates linked to their owners is “anti-privacy” law, as would be a law requiring people to wear name tags in order to walk on public sidewalks. Mandatory license plates prevent citizens from exhibiting the expectation of privacy that Justice Harlan wrote about in Katz. Roughly speaking, they require people to expose their identities to police as a condition of driving on our roadways.

I expanded on “anti-privacy” law in my 2004 Cato Policy Analysis, “Understanding Privacy—and the Real Threats To It.”

We’re still grappling with the problem of privacy “in public.” The Supreme Court’s decision on GPS tracking in the Jones case is the most significant recent iteration of that. (Cato brief and related blog post; pre-decision posts: 1, 2, 3; post-decision posts: 4, 5, 6.) The latest Cato Supreme Court Review (also available digitally) includes an article of mine on the case. My latest thinking on Fourth Amendment privacy can by found in Cato’s brief in Florida v. Jardines.

It is possible to think systematically about privacy. Privacy is not just a morass of feelings about advancing technologies. Once one understands privacy (in its strongest sense) as the exercise of power to control information about oneself, one can see a decade ahead that license plates create privacy problems.

Pretty smart, huh? Yeah.

Incoherent Politicians Lag Public Opinion on TSA

If you needed proof of politicians’ sensitivity to, and encouragement of, persistent terrorism fears, look no further than today’s hearing in the House Homeland Security Subcommittee on Transportation Security. It’s called “Eleven Years After 9/11 Can TSA Evolve To Meet the Next Terrorist Threat?” and it’s being used to feature—get this—a report arguing for a “smarter, leaner” Transportation Security Administration.

Could the signaling be more incoherent? The hearing suggests both that unknown horrors loom and that we should shrink the most visible federal security agency.

Lace up your shoes, America—we’re goin’ swimmin’!

Our federal politicians still can’t bring themselves to acknowledge that terrorism is a far smaller threat than we believed in the aftermath of the September 11, 2001, attacks, and that the threat has waned since then. (The risk of attack will never be zero, but terrorism is far down on the list of dangers Americans face.)

The good news is that the public’s loathing for the TSA is just as persistent as stated terrorism fears. This at least constrains congressional leaders to do make gestures toward controlling the TSA. Perhaps we’ll get a “smarter, leaner” overreaction to fear.

Public opprobrium is a constraint on the growth and intrusiveness of the TSA, so I was delighted to see a new project from the folks at We Won’t Fly. Their new project highlights the fact that the TSA has still failed to begin the process for taking public comments on the policy of using Advanced Imaging Technology (strip-search machines) at U.S. airports, even though the D.C. Circuit Court of Appeals ordered it more than a year ago.

The project is called TSAComment.com, and they’re collecting comments because the TSA won’t.

The purpose of TSAComment.com is to give a voice to everyone the TSA would like to silence. There are many legitimate health, privacy and security-related concerns with the TSA’s adoption of body scanning technology in US airports. The TSA deployed these expensive machines without holding a mandatory public review period. Even now they resist court orders to take public comments.

TSAComment.com has gotten nearly 100 comments since the site went up late yesterday, and they’re going to deliver those comments to TSA administrator John Pistole, Homeland Security secretary Janet Napolitano, and the media.

The D.C. Circuit Court did require TSA to explain why it has not carried out a notice-and-comment rulemaking on the strip-search machine policy, and assumedly it will rule before too long.

Getting the TSA to act within the law is important not only because it is essential to have the rule of law, but because the legal procedures TSA is required to follow will require it to balance the costs and benefits of its security measures articulately and carefully. Which is to say that security policy will be removed somewhat from the political realm and our incoherent politicians and moved more toward the more rational, deliberative worlds of law and risk management.

Hope springs eternal, anyway…

There could be no better tribute to the victims of 9/11 than by continuing to live free in our great country. I won’t shrink from that goal. The people at TSAComment do not shrink from that goal. And hopefully you won’t either.

Yes, Nationalizing Facebook Is a Nonstarter

The other day, I was asked to review a draft slate of pro-innovation proposals that might be put before the next presidential administration (regardless of who heads it). I went down the list, typing again and again, “Education policy is not a federal role.”

The rather amateurish list was packed with ideas for injecting book-learnin’ into our economy. It betrayed little awareness of how our constitutional republic is structured, including the absence of federal authority over education. I guess some books are better than others

It occurred to me as I typed that people coming after me to look over the innovation proposals might think I was an idiot.

“Look right there! There is a federal Education Department. Don’t deny it!” they might say.

When I say education policy is not a federal role, I am saying something normative, about how things should be. As a present-day literal matter, there is rather obviously a federal role in education. And the sooner we restore authority to localities and especially parents, the better.

That how-things-could-be lens, though, is how to look at a self-described “thought experiment” on Slate called “Let’s Nationalize Facebook.”

It would be better to have a national privacy commissioner with real authority, some stringent privacy standards set at the federal level, and programs for making good use of some of the socially valuable data mining that firms like Facebook do. … Facebook would have to rise to First Amendment standards rather than their own terms of service. The company could be regulated the way public utilities often are.

It’s thinking far more magical than my statements about education policy.

Were Facebook nationalized, its privacy problems would not evaporate. They would double. The obscure (and, for some, concerning) uses Facebook makes of data in commerce would be joined by secret uses of data and equivocal denials by military spymasters.

Would Facebook be prevented from “serving authoritarian interests”? Tell that to the activist/whistleblower who has been driven into the arms of Ecuador, of all countries, because he fears extradition to the United States.

Public utility regulation of social media has already been made mincemeat. Nationalizing Facebook is indeed a nonstarter.

“If only we elected the right people,” our friends on the left seem to think, “things would be better. If only our elected officials dedicated their lives to careful balancing of our precious American values, if we got a real regulator in there, if only they didn’t come under outside pressure…” If only, if only, if only.

It is quite conceivable to have some wise and neutral authority make better decisions about how every organ of society might operate. I think this dream is what brings our friends on the left to believe so strongly in increasing government control over society.

The thing is, it is quite impossible for that wise and neutral authority ever to exist.

We can go to the aphorisms—“Power tends to corrupt, and absolute power corrupts absolutely”; we can go to school: the public choice school of economics, specifically; or we can go to the lessons of history to show that there is not a beneficent government in the kitchen, lovingly brewing coffee for you, when you wake from your ‘democratic’ dream.

My dream of having education policy restored to its rightful place with localities and families is more likely—well, I’ll put it this way—less unlikely than a powerful, all-seeing, yet benign central government.

What We Can and Can’t Know About NSA Spying: A Reply to Prof. Cordero

Georgetown Law professor Carrie Cordero—who previously worked at the Department of Justice improving privacy procedures for monitoring under the Foreign Intelligence Surveillance Act—attended our event with Sen. Ron Wyden (D-OR) on the FISA Amendments Act last week.  Perhaps unsurprisingly, she’s rather more comfortable with the surveillance authorized by the law than our speakers were, and posted some critical commentary at the Lawfare blog (which is, incidentally, required reading for national security and intelligence buffs). Marcy Wheeler has already posted her own reply, but I’d like to hit a few points as well. Here’s Cordero:

Since at least the summer of 2011, [Wyden and Sen. Mark Udall] have been pushing the Intelligence Community to provide more public information about how the FAA works, and how it affects the privacy rights of Americans. In particular, they have, in a series of letters, requested that the Executive Branch provide an estimate of the number of Americans incidentally intercepted during the course of FAA surveillance. According to the exchanges of letters, the Executive Branch has repeatedly denied the request, on the basis that: i) it would be an unreasonable burden on the workforce (and, presumably, would take intelligence professionals off their national security mission); and ii) gathering the data the senators are requesting would, in and of itself, violate privacy rights of Americans.

The workforce argument, even if true, is, of course, a loser. The question of whether the data call itself would violate privacy rights is a more interesting one. Multiple oversight personnel independent of the operational and analytical wings of the Intelligence Community – including the Office of Management and Budget, the NSA Inspector General, and just last month, the Inspector General of the Intelligence Community, have all said that the data call requested by the senators is not feasible. The other members of the SSCI appear to accept this claim on its face. Meanwhile, Senator Wyden states he just finds the claim unbelievable. That there must be some way it can be done, he says, if even on a sample basis. Maintaining that position puts him in an interesting place, however: is the privacy advocate actually advocating for violating the privacy rules, to appease a Congressional request? Assuming that he would not actually want to advocate that the rules be waived at the request of a politician, a question then arises as to whether the Intelligence Community has adequately explained exactly how the data call would work and why it would conflict with existing privacy rules and protections, such as minimization procedures.

I’ll grant Cordero this point: as absurd as it sounds to say “we can’t tell you how many Americans we’re spying on, because it would violate their privacy,” this might well be a concern if those of us who follow these issues from the outside are correct in our surmises about what NSA is doing under FAA authority. The only real restriction the law places on the initial interception of communications is that the NSA use “targeting procedures” designed to capture traffic to or from overseas groups and individuals. There’s an enormous amount of circumstantial evidence to suggest that initial acquisition is therefore extremely broad, with a large percentage of international communications traffic being fed into NSA databases for later querying. If that’s the case, then naturally the tiny subset of communications later reviewed by a human analyst—because they match far narrower criteria for suspicion—is going to be highly unrepresentative. To get even a rough statistical sample of what’s in the larger database, then, one would have to “inspect”—possibly using software—a whole lot of the innocent communications that wouldn’t otherwise ever be analyzed. And possibly the rules currently in place don’t make any allowance for querying the database—even to analyze metadata for the purpose of generating aggregate statistics—unless it’s directly related to an intelligence purpose.

A few points about this.  First: assuming, for the moment, that  this is the case, why can’t NSA and DOJ say so clearly and publicly? Because it would somehow imperil national security to characterize the surveillance program even at this highest level of generality, without any mention of particular search parameters or targets? Would it “help the terrorists” if they answered a more recent query from a bipartisan group of senators, asking whether database searches (as opposed to initial “targeting”) had focused on specific American citizens?  Please.

A  more plausible hypothesis is that they recognize that an official, public acknowledgement that the government is routinely copying and warehousing millions of completely innocent communications—even if they’re only looking at the “suspicious” minority— would not go over entirely smoothly with the citizenry. There might even be a demand for some public debate about whether this is the kind of thing we’re willing to countenance. Legal scholars might become curious whether whatever arguments support the constitutionality of this practice hold up as well in the light of the day as they do when they’re made unopposed in closed chambers. Even without an actual estimate, any meaningful discussion of the workings of the program would be likely to undermine the whole pretense that it only “incidentally” involves the communications of innocent Americans, or that the constraints on “targeting”constitute a meaningful safeguard.  The desire to avoid the whole hornet’s nest using the pretext of national security is perhaps understandable, but it shouldn’t be acceptable in a democracy. Yet everyone knows overclassification is endemic—even the government’s own former “classification czar” has blasted the government’s use of inappropriate secrecy as a weapon against critics.

Second, transparency at this level of generality is an essential component of privacy protection. To the extent that the rules governing  access to the database preclude any attempt to audit its aggregate contents—including by automated software tallying of identifiers such as area codes and IP addresses—then they should indeed be changed, not because a senator demanded it, but because they otherwise preclude adequate oversight. An online service that keeps no server logs would be somewhat more protective of its users privacy… if  its database were otherwise perfectly secure against intrusion or misuse. In the real world, where there’s no such thing as perfect security, such a service would be protecting user privacy extremely poorly, because it would lack the ability to detect and prevent breaches. If it is not possible to audit the NSA’s system in this way, then that system needs to be altered until it is possible. If giving Congress a rough sense of the extent of the agency’s surveillance of Americans falls outside the parameters of the intelligence mission (and therefore the permissible uses of the database), it’s time for a new mission statement.

Finally, Cordero closes by noting the SSCI has touted its own oversight as “extensive” and “robust,” which Cordero thinks “debunks” the  suggestion embedded in our event title that the FAA enables “mass spying without accountability.”  (Can I debunk the debunking by lauding the accuracy and thoroughness of my own analysis?)  Unfortunately, the consensus of most independent analysts of the intelligence committees’ performance is a good deal less sanguine—which makes me hesitant to take that self-assessment at face value.

As scholars frequently point out, the overseers are asked to process incredibly complex information with a limited cleared staff to assist them, and often forbidden to take notes at briefings or remove reports from secure facilities. When you read about those extensive reports, recall that in the run-up to the invasion of Iraq only six senators and a handful of representatives ever read past the executive summary of the National Intelligence Estimate on Iraq’s WMD programs to the far more qualified language of the  full 92-page report. You might think the intel committees would need to hold more hearings than their counterparts to compensate for these disadvantages, but UCLA’s Amy Zegart has found that they consistently rank at the bottom of the pack, year after year. Little wonder, then, that years of flagrant and systemic misuse of another controversial surveillance tool—National Security Letters—was not uncovered by the “extensive” and “robust” oversight of the intelligence committees, but by the Justice Department’s inspector general.

In any event, we seem to have at least 13 senators who don’t believe they’ve been provided with enough information to perform their oversight role adequately. Perhaps they’re setting the bar too high, but I find it more likely that their colleagues—who over time naturally grow to like and trust the intelligence officials upon whom they rely for their information—are a bit too easily satisfied. There are no  prizes for expending time, energy, and political capital on ferreting out civil liberties problems in covert intelligence programs, least of all in an election year. It’s far easier to be satisfied with whatever data the intelligence community deigns to dribble out—often with heroic indifference to statutory reporting deadlines—and take it on faith that everything’s running as smoothly as they say. That allows you to write, and even believe, that you’re conducting “robust” oversight without knowing (as Wyden’s letter suggests the committee members do not) roughly how many Americans are being captured in NSA’s database, how many purely-domestic communications have been intercepted,  whether warrantless “backdoor” targeting of Americans is being done via the selection of database queries. But the public need not be so easily satisfied, nor accept that meaningful “accountability” exists when all those extensive reports leave the overseers ignorant of so many basic facts.

Mass Tragedy Boilerplate and Rebuttal

On the road last week, and allergic to getting too heavily involved in the issue de l’heure, I only today saw Holman Jenkins’ Wall Street Journal commentary: “Can Data Mining Stop the Killing?

After the Aurora theater massacre, it might be fair to ask what kinds of things the NSA has programmed its algorithms to look for. Did it, or could it have, picked up on Mr. Holmes’s activities? And if not, what exactly are we getting for the money we spend on data mining?

Other than to collect it in a great mass along with data about all of us, the NSA could not have “picked up on” Mr. Holmes’s activities. As I wrote earlier this year about data mining’s potential for averting school shootings:

“[D]ata mining doesn’t have the capacity to predict rare events like terrorism or school shootings. The precursors of such events are not consistent the way, say, credit card fraud is. Data mining for campus violence would produce many false leads while missing real events. The costs in dollars and privacy would not be rewarded by gains in security and safety.

Jeff Jonas and I wrote about this in our 2006 Cato Policy Analysis, “Effective Counterterrorism and the Limited Role of Predictive Data Mining.”

If the NSA has data about the pathetic loser, Mr. Holmes, and if it were to let us know about it, all that would do is provide lenses for some pundit’s 20/20 hindsight. Data about past events always points to the future that occurred. But there is not enough commonality among rare and sporadic mass shootings to use their characteristics as predictors of future shootings.

Jenkins doesn’t drive hard toward concluding that data mining would have helped, but his inquiry is mass tragedy boilerplate. It’s been rebutted by me and others many times.

The Obama Girls’ Health Care Choices

According to the White House, President Obama recently told a crowd of supporters:

Mr. Romney wants to get rid of funding for Planned Parenthood.  I think that is a bad idea.  I’ve got two daughters. I want them to control their own health care choices.

Umm, yeah. Two things about that.

One, if—as President Obama wills it—the president of the United States gets to determine Planned Parenthood’s funding levels, then his daughters do not control their health care choices.

Two, it hardly seems that Obama’s daughters—these children of The One Percent—have even the most plausible claim that low-income Americans should be forced to pay for their … eventual … services that Planned Parenthood provides.

Fourth Amendment Gone to the Dogs—and to Lasers?!

For all their use by law enforcement across the country, drug-sniffing dogs haven’t gotten a lot of consideration in the Supreme Court. In a pair of cases next fall, though, the Court seems likely to give them some attention. Florida v. Harris is one of the cases it has taken. Harris will examine “[w]hether an alert by a well-trained narcotics detection dog certified to detect illegal contraband is insufficient to establish probable cause for the search of a vehicle.”

This week, we filed an amicus brief in the other drug-sniffing dog case, coming out of the same state. Florida v. Jardines asks whether the Fourth Amendment would be implicated if the government brought a drug-sniffing dog to the front door of your home seeking the scent of illegality.

What the Court has done with drug-sniffing dogs so far is not very good. We homed in on the major precedent, Caballes, to illustrate the weakness of the “reasonable expectation of privacy” test that originated in United States v. Katz (1967).

In Illinois v. Caballes, 543 U.S. 405 (2005), this Court did not apply Katz analysis. It did not examine (or even assume) whether Roy Caballes had exhibited a subjective expectation of privacy, the first step in the Katz test. Thus, the Court could not take the second step, examining its objective reasonableness.

Instead, the Caballes Court skipped forward to a corollary of the Katz test that the Court had drawn in United States v. Jacobsen, 466 U.S. 109 (1984): “Official conduct that does not ‘compromise any legitimate interest in privacy’ is not a search subject to the Fourth Amendment.” Caballes, 543 U.S. at 408 (quoting Jacobsen, 466 U.S. at 123).

This is a logical extension of the Katz test, and one that helps reveal its weakness in maintaining the Fourth Amendment’s protections consistently over time. Now, instead of examining whether searches and seizures are reasonable, courts applying the Jacobsen/Caballes corollary can uphold any activity of government agents sufficiently tailored to discovering only crime.

What kinds of activities might those include? We talked about lasers.

A DHS program that might be directed not only at persons, but also at their houses and effects, is called the “Remote Vapor Inspection System” (or RVIS). RVIS “generates laser beams at various frequencies” to be aimed at a “target vapor.” Beams “reflected and scattered back to the sensor head” reveal “spectral ‘signatures’” that can be compared with the signatures of sought-after gasses and particulates. [citations omitted] Using RVIS, government agents might remotely examine the molecular content of the air in houses and cars, quietly and routinely explore the gasses exiting houses through chimneys and air ducts, and perhaps even silently inspect any person’s exhaled breath. If RVIS technology is programmed to indicate only on substances that indicate wrongdoing, the Jacobsen/Caballes corollary extinguishes the idea that its pervasive, frequent, and secret use would be a search.

If a dog sniff only reveals illegal activity, compromising no privacy interest, it’s not a search. So using lasers to check your breath for illegal substances is not a search either. We hope, obviously, that the Court will do away with this rule, which is so attenuated from both the language and the purpose of the Fourth Amendment.

Instead of determining whether a person has “reasonable expectations of privacy”—we called that doctrine a “jumble of puzzles”—courts should examine whether a “search” has occurred by seeing if police accessed something that was hidden from view.

When a person has used physics and law to conceal something from others, the Fourth Amendment and the Court should back those privacy-protective arrangements, breaching them only when there is probable cause and a warrant (or some exception to the warrant requirement).

To hold otherwise would be to allow the government to invade privacy not just using drug-sniffing dogs but using ever more sophisticated technology.