Tag: secrecy

Still Contemptuous of the Court, TSA Doesn’t Even Try to Justify its Strip-Search Machine Policy

It took the Transportation Security Administration 20 months to comply with a D.C. Circuit Court of Appeals order requiring it to issue a justification for its policy of using strip-search machines for primary screening at airports and to begin taking comments from the public.

In that time, it came up with a 53-page (double-spaced) notice of proposed rulemaking. That’s 2.65 double-spaced pages per month.

This may be the most carefully written rulemaking document in history. We’ll be discussing it next week at an event entitled: “Travel Surveillance, Traveler Intrusion.” Register now!

The TSA’s strip-search machine notice will be published in the Federal Register tomorrow, and the public will have 90 days to comment. The law requires the agency to consider those public comments before it finalizes its policies. If the comments reveal the TSA’s policies to be arbitrary or capricious, the policies can be struck down.

But what is there to comment on? The TSA’s brief document defends a hopelessly vague policy statement instead of the articulation that the court asked for. And as to the policy we all know it’s implementing, TSA hides behind the skirts of government secrecy.

When the court found that the TSA was supposed to take comment from the public, it wanted a clearer articulation of what rules apply at the airport. The court’s ruling itself devoted several paragraphs to the policy and how it affects American travelers.

[T]he TSA decided early in 2010 to use the scanners everywhere for primary screening. By the end of that year the TSA was operating 486 scanners at 78 airports; it plans to add 500 more scanners before the end of this year.

No passenger is ever required to submit to an AIT scan. Signs at the security checkpoint notify passengers they may opt instead for a patdown, which the TSA claims is the only effective alternative method of screening passengers. A passenger who does not want to pass through an AIT scanner may ask that the patdown be performed by an officer of the same sex and in private. Many passengers nonetheless remain unaware of this right, and some who have exercised the right have complained that the resulting patdown was unnecessarily aggressive.

The court wanted a rulemaking on this policy. In the jargon of administrative procedure, the court demanded a “legislative rule,” something that reasonably details the rights of the public and what travelers can expect when they go to the airport.

Instead, the TSA has produced a perfectly vague policy statement that conveys nothing about what law applies at the airport. In the regulations that cover screening and inspection, the TSA simply wants to add:

(d) The screening and inspection described in (a) may include the use of advanced imaging technology. For purposes of this section, advanced imaging technology is defined as screening technology used to detect concealed anomalies without requiring physical contact with the individual being screened.

Not a word about the use of strip-search machines as primary screening. Nothing about travelers’ options. Nothing about signage. Nothing about the procedures for opt-outs. Nothing about what a person can do if they have a complaint. It’s not a regulation. It’s a restatement of “we do what we want.”

That’s contemptuous of the court’s order requiring TSA to inform the public, take comments, and consider those comments in formulating a final rule. TSA is doing everything it can to make sure that the airport is a constitution-free zone, and this time it’s lifting a middle finger to the D.C. Circuit Court of Appeals.

It is possible, even in a relatively short document, to articulate how billions of dollars spent on exposing the bodies of millions of law-abiding Americans makes the country better off. What’s amazing about the document is how little it says. TSA doesn’t even try to justify its strip-search machine policy. Instead, it plays the govenment secrecy trump card.

Here is everything TSA says about how strip-search machines (or “AIT” for “advanced imaging technology”) make air travel safer:

[R]isk reduction analysis shows that the chance of a successful terrorist attack on aviation targets generally decreases as TSA deploys AIT. However, the results of TSA’s risk-reduction analysis are classified.

Balderdash.

Under Executive Order 135256, classification is permitted if “disclosure of the information reasonably could be expected to result in damage to the national security, which includes defense against transnational terrorism.”

“If there is significant doubt about the need to classify information,” the order continues, “it shall not be classified.”

Assessing the costs and benefits of TSA’s policies cannot possibly result in damage to national security. The reason I know this? It’s already been done, publicly, by Mark G. Stewart of the University of Newcastle, Australia, and John Mueller of the Ohio State University. They published their findings in the Journal of Homeland Security and Emergency Management in 2011, and national security is none the worse.

Walking through how well policies and technologies produce security can be done without revealing any intelligence about threats, and it can be done without revealing vulnerabilities in the policy and technology. But the TSA is playing the secrecy trump card, hoping that a gullible and fearful public will simply accept their authority.

I anticipated that the agency might try this tactic when the original order to engage in a public rulemaking came down in mid-2011. In a Cato blog post, I wrote:

Watch in the rulemaking for the TSA to obfuscate, particularly in the area of threat, using claims to secrecy. “We can’t reveal what we know,” goes the argument. “You’ll have to accept our generalizations about the threat being ‘substantial,’ ‘ever-changing,’ and ‘growing.’” It’s an appeal to authority that works with much of the American public, but it is not one to which courts—a co-equal branch of the government—should so easily succumb.

If it sees it as necessary, the TSA should publish its methodology for assessing threats, then create a secret annex to the rulemaking record for court review containing the current state of threat under that methodology, and how the threat environment at the present time compares to threat over a relevant part of the recent past. A document that contains anecdotal evidence of threat is not a threat methodology. Only a way of thinking about threat that can be (and is) methodically applied over time is a methodology.

The TSA published nothing, and it hopes to get past the public and the courts with that.

Its inappropriate and undeniably overbroad use of secrecy will be in our comments to the agency and the legal appeal that will almost certainly follow.

Crucially, agency actions like this are subject to court review. When the TSA finalizes its rules, a court will “decide all relevant questions of law, interpret constitutional and statutory provisions, and determine the meaning or applicability of the terms of an agency action.” Sooner or later, we’ll talk about whether TSA followed the court’s order, the lawfulness of wrapping its decision-making in secrecy, and the arbitrary nature of a policy that has no public justification.

Congress Has No Idea What the NSA Is Doing

Didja think that the legislative branch oversees the executive branch? Think again! Congress has no idea what the National Security Agency (NSA) is doing.

Spencer Ackerman at Wired’s Danger Room blog reports on a letter the inspector general of the intelligence community sent earlier this month to Senators Ron Wyden (D-OR) and Mark Udall (D-CO). They had asked how many people in the United States have had their communications collected or reviewed by the NSA.

The letter repeated the NSA IG’s conclusion that estimating this number was “beyond the capacity of his office and dedicating sufficient additional resources would likely impede the NSA’s mission.” Not only that, figuring out the number of people in the United States that the NSA has snooped on “would itself violate the privacy of U.S. persons.”

A federal agency can write a tart, dry non-response like this because Congress is utterly supine before the security bureaucracy. The tough-talking politicians in both parties have no idea what is happening in the agencies they routinely defend as essential. And Congress still hasn’t approved nominations for the Privacy and Civil Liberties Oversight Board, weak sauce that it is, nearly five years since it was reconstituted with greater independence and subpoena power.

The letter concludes with a hopeful note: “I will continue to work with you and the Committee to identify ways that we can enhance our ability to conduct effective oversight.” That also serves as a confession: We have no idea what the NSA is doing.

Shades of Warning: What It Means to Inform

Ben Friedman helpfully supplies more information to go with my positive reaction to the Department of Homeland Security’s decision to scrap color-coded threat warnings.

Our colloquy leaves somewhat open what should replace color-coding. Because most threat warnings are false alarms, and because exhortations to vigilance will tend toward the vagueness of the color-coding system, Ben hopes “DHS winds up being tighter-lipped.”

His points are good ones, but they don’t dissuade me from my belief that DHS should “begin informing the public fully about threats and risks known to the U.S. government.”

The right answer here centers on who is better at digesting threat information—experts in the national security bureaucracy or the public?

There is a great deal of expertise in the U.S. government focused on turning up threat information and digesting it for policymakers. However, that expertise has limits, often manifested as threat inflation, as Ben notes, and as myopia. Daniel Patrick Moynihan’s Secrecy: The American Experience illustrates the latter well (especially the edition with Richard Gid Powers’ fine introduction).

The public consists of hundreds of millions of subject matter experts in every walk of life. They include owners and operators of all our infrastructure, reporters and commentators in the professional and amateur press, academics, state and local law enforcement personnel, information networks, and social networks of all kinds. We have security-interested folk in the hundreds of millions spread out across the land, all in regular communication with each other. We’re a tremendously powerful information processing machine. I believe this public can do a better job of digesting threat information than “experts,” particularly when it comes to terrorism threats, which can—theoretically, at least—manifest themselves pretty much anywhere.

The public constantly digests risk and threat information from other walks of life. We digest information about ordinary crime, health and disease, finance and investment, driving and walking, etc., etc. There is nothing about terrorism that disables the public from making judgments about threat information and incorporating it into daily life. People can figure out what matters and what does not, and they can apply information in the spheres they know.

When I say “fully inform,” I don’t argue for broadcasting every speck of information the U.S. government collects. There are limited domains in which information sharing will reveal sources and methods, undercutting access to future information. Appropriate caveats are part of ”fully” informing, of course. Natural pressure will cause too speculative threats to be winnowed from public release. But even opening a firehose will get people the water they need to drink.

Tight lips sink ships. The presumption should fall in favor of sharing information with the public. After a period of adjustment lasting from months to a year or more, the American information system would incorporate open threat information into daily life, and the country would be more secure. People made confident by the ability to consume and respond to threat information will feel more secure, which is the other half of what security is all about.

Random Thoughts on WikiLeaks

I’ve fielded some questions today about the WikiLeaks story, and I’m feeling pretty conflicted.

I’m aware of the fact that the leak of classified information could pose a short-term risk to national security, but it is my sense that most of the claims of dire harm are overwrought. There is considerable evidence that much – perhaps most – classified material is improperly classified; governments oftentimes invoke claims of secrecy to shield themselves from embarrassment, not to protect national security. In that sense, some diplomats and government officials might be red in the face today, but I doubt that most Americans are feeling less secure than before the latest revelations from WikiLeaks.

If I thought that the attention on minute and often mundane details that shouldn’t be classified precipitated a closer look at overclassification, WikiLeaks might have a beneficial side effect. As it is, however, it is likely to increase the government’s obsession with secrecy, with policymakers scrambling to close down supposedly dangerous loopholes, some of which were opened up after 9/11 to facilitate information-sharing between agencies. This process of clamping down on interagency collaboration has already begun.

As to the particulars, with respect to diplomatic correspondence, there is a tension between individuals sharing their genuine opinions about another country, or that country’s leaders, and concern that their candid assessments in private conversations be revealed. People do keep secrets from one another, including their friends, spouses and family members. It is basic human nature. And it is basic human nature to clam up the next time you’re talking to a friend who recently blabbed your secrets to a third party. As such, the WikiLeaks episode might have a chilling effect on candor, but I believe that this effect will dissipate over time.

Concern that this will undermine U.S. diplomatic standing, or otherwise lead people to question the U.S. government’s capacity for conducting foreign policy, is misplaced. We don’t (or shouldn’t) question the U.S. Army’s ability to conduct military operations because of the occasional friendly fire incident. Given the volume of documents released in now several Wikileaks’ rounds, some might ask whether this is the equivalent of many thousands of unfortunate incidents, and therefore a sign of a systemic failure. I doubt it. The vast majority of individuals in possession of classified material treat this information with great care. More to the point, I am confident that this will be a minor episode in U.S. diplomatic history when compared to huge blunders such as the war in Iraq and the deepening – and open-ended – war in Afghanistan.

The WikiLeaks case also touches on the law, and of an individual’s responsibility to obey such laws, two of my least favorite subjects. Not all laws are sacrosanct, and I’ve just noted that much classified material shouldn’t be. As such, some might claim that releasing such information is a legitimate form of civil disobedience, because the laws governing release of documents are unjust.

But I don’t think that overclassification and other resorts to secrecy to shield the government from public scrutiny are on par with far more egregious violations of the basic rights and liberties of all citizens. If I could be convinced otherwise, I might change my mind.

For now, because I don’t trust individual leakers to be able to discern which material is legitimately classified, and which is not, I believe that individuals who possess classified material and knowingly release it to people not cleared for such information should be prosecuted to the full extent of the law.

Finally, as a practical matter, I am particularly leery of individuals passing judgment on when to follow the rules, and when to ignore them, in cases involving national security. We rightly condemn military officers who defy civilian authority over the conduct of war. We should be equally critical of people who choose to go their own way in the conduct of information warfare. People with access to classified material have chosen to work in the government. They therefore choose to abide by the government’s rules, and should expect to pay a penalty if they violate them.

TSA’s Strip/Grope: Unconstitutional?

Writing in the Washington Post, George Washington University law professor Jeffrey Rosen carefully concludes, “there’s a strong argument that the TSA’s measures violate the Fourth Amendment, which prohibits unreasonable searches and seizures.” The strip/grope policy doesn’t carefully escalate through levels of intrusion the way a better designed program using more privacy protective technology could.

It’s a good constutional technician’s analysis. But Professor Rosen doesn’t broach one of the most important likely determinants of Fourth Amendment reasonableness: the risk to air travel these searches are meant to reduce.

Writing in Politico last week, I pointed out that there have been 99 million domestic flights in the last decade, transporting seven billion passengers. Not one of these passengers snuck a bomb onto a plane and detonated it. Given that this period coincides with the zenith of Al Qaeda terrorism, this suggests a very low risk.

Proponents of the TSA’s regime point out that threats are very high, according to information they have. But that trump card—secret threat information—is beginning to fail with the public. It would take longer, but would eventually fail with courts, too.

But rather than relying on courts to untie these knots, Congress should subject TSA and the Department of Homeland Security to measures that will ultimately answer the open risk questions: Require any lasting security measures to be justified on the public record with documented risk management and cost-benefit analysis. Subject such analyses to a standard of review such as the Adminstrative Procedure Act’s “arbitrary and capricious” standard. Indeed, Congress might make TSA security measures APA notice-and-comment rules, with appropriate accomodation for (truly) temporary measures required by security exigency.

Claims to secrecy are claims to power. Congress should withdraw the power of secrecy from the TSA and DHS, subjecting these agencies to the rule of law.

Secrecy or Privacy? The Power of Language

My friend Kelly Young notes (on Facebook) this Washington Post article on guns used in crimes:

I am awed again by the power of language. The Washingt0n Post today claims that government protection of the identity of lawful purchasers of legal weapons is “secrecy” to be “penetrated” for the sake of the paper’s reporting. It is not “privacy” that is “violated,” as with release of airport scans of travelers, gathering names of minors seeking abortions, and warrantless searches of homes. And how about those secret journalistic sources?

(Language cleaned up slightly, as the original was typed Blackberry-style.) He’s right. The word “privacy” doesn’t appear in the article. Maybe a cynics’ dictionary would read, “Privacy is the ability to keep facts about myself hidden from you. Secrecy is your keeping facts about yourself hidden from me.”

‘Perfect Citizen’: Congress’ Perfect Failure

Reliable national security reporter Siobhan Gorman at the Wall Street Journal has broken a story about an Internet surveillance program called “Perfect Citizen” to be managed by the National Security Agency.

Reading about it is frustrating, and for me blame quickly settles on Congress. Our legislature is utterly supine before the national security bureaucracy, which exaggerates cybersecurity threats and consistently uses the secrecy trump card to defy oversight.

If there is to be a federal government role in securing the Internet from cyberattacks, there is no good reason why its main components should not be publicly known and openly debated. Small parts, like threat signatures and such—the unique characteristics of new attacks—might be appropriately kept secret, but no favor is done to any potential attackers by revealing that there is a system for detecting their activities.

A cybersecurity effort that is not tested by public oversight will be weaker than ones that are scrutinized by private-sector experts, academics, security vendors, and watchdog groups.

Benign intentions do not control future results, and governmental surveillance of the Internet for “cybersecurity” purposes may warp over time to surveillance for ideological and political purposes.

These abstract criticisms of “Project Citizen” are all that publicly available information allows. Far better would come from me and others more qualified if Congress were to do its job.

Congress owes it to us, the United States’ true citizens, to have public hearings on “Perfect Citizen.” Congress should reject broad assertions of secrecy so that the whole body politic can participate in securing our country from all threats.

Congressional and public oversight—searching oversight that tests assumptions and asks hard questions—would strengthen any government cybersecurity effort we find warranted. It would also ameliorate the threat of such programs to our civil liberties, democratic processes, and privacy.