Tag: Security

Libertarians Shouldn’t Want Perfect Security—Reply to Professor Epstein

I was pleased to see last week that Professor Epstein had penned a response to my criticism of his recent piece on Hoover’s Defining Ideas in which he argued against treating protection of civil liberties and privacy as “nonnegotiable” in the context of counterterrorism. It is not the disagreement that is pleasing, of course, but the opportunity to air it, which can foster discussion of these issues among libertarians while illustrating to the broader world how seriously libertarians take both security and liberty.

What’s most important in Professor Epstein’s rejoinder is what comes at the end. He says that I should “comment constructively on serious proposals” rather than take an a priori position that civil liberties and privacy will often impede expansions of government power proposed in the name of counterterrorism.

I believe that Professor Epstein and I share the same prior commitments–to limited government, free markets, and peace. Having left it implicit before, I’ll state that I, too, believe that protection of life and property is the primary function of the state. But I also believe that excesses in pursuit of security can cost society and our liberties more than they produce in benefits.

Some years of work on counterterrorism, civil liberties, and privacy bring me to my conclusions. I had put in a half-decade of work on privacy before my six years of service on the Department of Homeland Security’s privacy advisory committee began in 2005. While interacting with numerous DHS components and their programs, I helped produce the DHS Privacy Committee’s risk-management-oriented “Framework for Privacy Analysis of Programs, Technologies, and Applications.” From time to time, I’ve also examined programs in the Science and Technology Directorate at DHS through the Homeland Security Institute. My direct knowledge of the issues in counterterrorism pales in comparison to the 30+ experts my Cato colleagues and I convened in private and public conferences in 2009 and 2010, of course, but my analysis benefitted from that experience and from co-editing the Cato book: Terrorizing Ourselves: Why U.S. Counterterrorism Policy is Failing and How to Fix It.

Whether I’m operating from an inappropriate a priori position or not, I don’t accept Professor Epstein’s shift of the burden. I will certainly comment constructively when the opportunity arises, but it is up to the government, its defenders, and here Professor Epstein to show that security programs are within the government’s constitutional powers, that such programs are not otherwise proscribed by the constitution, and that they cost-effectively make our society more secure.

The latter two questions are collapsed somewhat by the Fourth Amendment’s requirement of reasonableness, or “fit” between means and ends when a search or seizure occurs. And to the extent I can discern the program that Professor Epstein prefers, I have commented on it as constructively as I can.

Silicon Valley Doesn’t Care About Privacy, Security

That’s the buzz in the face of the revelation that a mobile social network called Path was copying address book information from users’ iPhones without notifying them. Path’s voluble CEO David Morin dismissed this as a problem until, as Nick Bilton put it on the New York Times Bits blog, he “became uncharacteristically quiet as the Internet disagreed and erupted in outrage.”

After Morin belatedly apologized and promised to destroy the wrongly gotten data, some of Silicon Valley’s heavyweights closed ranks around him. This raises the question whether “the management philosophy of ‘ask for forgiveness, not permission’ is becoming the ‘industry best practice’ ” in Silicon Valley.

Since the first big privacy firestorm (which I put in 1999, with DoubleClick/Abacus), cultural differences have been at the core of these controversies. The people inside the offending companies are utterly focused on the amazing things they plan to do with consumer data. In relation to their astoundingly (ahem) path-breaking plans, they can’t see how anyone could object. They’re wrong, of course, and when they meet sufficient resistance, they and their peers have to adjust to the reality that people don’t see the value they believe they’ll provide nor do people consent to the uses of data they’re making.

This conversation—the push and pull between innovative-excessive companies and a more reticent public made up of engineers, advocates, and ordinary people—is where the privacy policies of the future are being set. When we see legislation proposed in Congress and enforcement action from the FTC, these things are whitecaps on much more substantial waves of societal development.

An interesting contrast is the (ahem) innovative lawsuit that the Electronic Privacy Information Center filed against the Federal Trade Commission last week. EPIC is asking the court to compel the FTC to act against Google, which recently changed and streamlined its privacy policies. EPIC is unlikely to prevail—the court will be loath to deprive the agency of discretion this way—but EPIC is working very hard to make Washington, D.C. the center of society when it comes to privacy and related values.

Washington, D.C. has no capacity to tune the balances between privacy and other values. And Silicon Valley is not a sentient being. (Heck, it’s not even a valley!) If a certain disregard for privacy and data security has developed among innovators over-excited about their plans for the digital world, that’s wrong. If a company misusing data has harmed consumers, it should pay to make those consumers whole. Path is, of course, paying various reputation costs for getting it crosswise to consumer sentiment.

And that’s the right thing. The company should answer to the community (and no other authority). This conversation is the corrective.

John Mueller Joins Cato

I am pleased to announce that John Mueller, a leading scholar in the fields of political science, international relations, and national security, has joined the Cato Institute as a senior fellow.

All of us at Cato are very excited to have John as a colleague. Over the last decade as a professor of political science and as the Woody Hayes Chair of National Security Studies at the Ohio State University’s Mershon Center for International Security Studies, John has taken on the conventional wisdom in the national security arena with a rare combination of accessible, breezy prose and meticulous cost-benefit analysis. In particular, he has focused on how policymakers inflate national security threats at home and abroad.

His newest book, Terror Money and Security, which he presented at a recent Cato forum, examines whether the gains in security over the past decade were worth the funds expended. For the vast majority of U.S. homeland security and counterterrorism policies, John and his co-author, Mark Stewart, resoundingly conclude “no.”

As a member of the Cato Institute, John will contribute to our multitude of programs and publications while furthering his work on the subjects of security, defense, and U.S. foreign policy. Cato is fortunate to have such a brilliant scholar join its staff.

For more Cato Institute work on foreign policy and national security, go here.

Iraq Violence Not an Excuse for US Troops to Stay

A wave of violence spread across Iraq today with 70 dead and some 300 injured. Iraqi security forces are blaming al Qaida affiliates, but no group has officially claimed responsibility. The New York Times puts the events in context:

Coming a little less than two weeks after the Iraqi government said it would negotiate with the United States about keeping some of its 48,000 troops here after the end of the year, the violence raised significant questions about the capabilities of the Iraqi security forces.

This is indeed a tragic loss of life, but this level of violence actually has become less common and usually occurs when the Iraqi government is making important decisions on the future of the country and U.S. troop presence. Each time a bomb is detonated in Iraq, commentators argue that it proves we cannot leave Iraq yet; the job is not done.

If the job isn’t done, it should be. And soon. There will certainly be violence in Iraq for the foreseeable future, but a U.S. troop presence is not going to prevent these horrific incidents and often serves as a pretext for them. The continued violence shouldn’t obscure one unalterable fact: the Iraqis must solve their internal security problems. That, in turn, will likely require them to also solve their political problems, something that they have so far refused to do.

As Ted Galen Carpenter and Doug Bandow have explained, those calling for an extended U.S. presence in Iraq base their arguments on faulty logic that is devoid of serious considerations about strategic U.S. interests in the region. The most committed of the stay longer/forever crowd hopes our presence in Iraq will resemble that of U.S. troops in South Korea or Germany. But this isn’t only a false analogy; it is based on false premises about vital U.S. interests: namely, that the U.S. government, and U.S. taxpayers, should be responsible for the security of other countries.

Those who worry about us leaving too soon/ever shouldn’t fret too much, however. Regardless of what happens in the negotiations over an extension of the U.S. troop presence, the United States will still maintain a staff of 17,000 employees (including contractors) based out of the world’s largest embassy.

Through it all, President Obama has been relatively silent. He has claimed that we are “winding down” the nation’s wars, but the prospect of tens of thousands of Americans remaining in Iraq hardly constitutes an end-game there. And no one knows what sort of long-term presence the president has in mind for Afghanistan.

President Obama won the presidency due in part to his opposition to the Iraq war at a time when most other politicians were either supportive or silent. This stand allowed him to build credibility with the American people, despite his relative lack of foreign policy experience. While other so-called experts were calling for war, he was concerned that the Iraq war was likely to undermine American and regional security, cost hundreds of billions of dollars, and claim many tens of thousands of lives. Tragically, he was correct.

The combat mission may have ended, but Americans are still dying in Iraq. It is time for the President and his administration to keep the promise of ending U.S. military involvement there, and hasten the day when Iraqis are fully responsible for their own affairs.

Cross-posted from the National Interest.

Behavior Detection as Interrogation

With the Department of Homeland Security constantly spinning out new projects and programs (plus re-branded old ones) to investigate you, me, and the kitchen sink, it’s sometimes hard to keep up. But I was intrigued with a report that behavior detection officers are getting another look from the Transportation Security Administration. Behavior detection is the unproven, and so far highly unsuccessful (Rittgers, Harper), program premised on the idea that telltale cues can reliably and cost-effectively indicate intent to do harm at airports.

But there’s a new behavior detection program already underway. Or is it interrogation?

Due to a bottleneck at the magnetometers in one concourse of the San Francisco airport (no strip-search machines!), I recently had the chance to briefly interview a Transportation Security Administration agent about a new security technique he was implementing. As each passenger reached him, he would begin to examine the traveler’s documentation and simultaneously ask the person’s last name. He confirmed to me that the purpose was to detect people who did not immediately, easily, and accurately respond. In thousands of interactions, he would quickly and naturally learn to detect obfuscation on the part of anyone carrying an ID that does not have the last name they usually use.

As a way of helping to confirm identity, it’s a straightforward and sensible technique. Almost everyone knows his or her last name, and quickly and easily repeats it. The average TSA agent with some level of experience will fluently detect people who do not quickly and easily repeat the name on the identity card they carry. The examination is done quickly. This epistemetric check (of a “something-you-know” identifier—see my book, Identity Crisis) occurs during the brief time that the documents are already getting visual examination.

Some people will not repeat their name consistent with custom, of course. The hard of hearing, speakers of foreign languages, people who are very nervous, people who have speech or other communication impediments, and another group of sufferers—recently married women—may exhibit “suspicious” failure to recite their recently changed surnames. Some of these anomalies TSA agents will quickly and easily dismiss as non-suspicious. Others they won’t, and in marginal cases they might use non-suspicious indicia like ethnicity or rudeness to adjudge someone “suspicious.”

The question whether these false positives are a problem depends on the sanction that attaches to suspicion. If a stutterer gets a gauntlet at the airport each time he or she fails to rattle off a name, the cost of the technique grows compared to the value of catching … not the small number of people who travel on false identification—the extremely small number of people who travel on false identification so as to menace air transportation.

We used this and closely related techniques, such as asking a person’s address or the DMV office where a license was issued, at the bar where I worked in college. It did pretty well to ferret out people carrying their older friends’ IDs. Part of the reason it worked well is because our expert doormen could quickly escalate to further inquiry, dismissing their own suspicions or denying entry to the bar very quickly. The cost of getting it wrong was to deny a person entry to the bar and sometimes possession of a license. These are relatively small costs to college students, unlike the many hours in time-costs to a traveler wrongly held up at the airport. According to my interview, suspicion generated this way at the airport requires a call to a supervisor, but I did not learn if secondary search is standard procedure, or if cases are handled some other way.

TSA agents are not doormen at bars, of course, and the subjects they are examining are not college kids out to get their drink on. These are government agents examining citizens, residents, and visitors to the United States as they travel for business and pleasure, often at high cost in dollars and time. The stakes are higher, and when the government uses a security technique like this, a layer of constitutional considerations joins the practical issues and security analysis.

I see three major legal issues with this new technique: Fourth Amendment search and seizure, the Fifth Amendment right against self-incrimination, and Due Process. When questioning joins an ID check at the airport, it’s a deepening of a search that is already constitutionally suspect. The Fifth Amendment issues are interesting because travelers are being asked to confess through their demeanor whether they are lying or telling the truth. It would seem to cross a Fifth Amendment line and the rule against forced self-incrimination. The Due Process issues are serious and fairly straightforward. When a TSA screener makes his or her judgment that a person is not responding consistent with custom and is therefore “suspicious,” these judgement calls allow the screeners to import their prejudices. Record-keeping about suspicion generated using this technique should determine whether administration of this epistemetric check violates constitutional due process in its application.

In its constant effort to ferret out terrorist attacks on air transportation, the TSA is mustering all its imagination. Its programs raise scores of risk management issues, they create constitutional problems, and they are a challenge to our tradition of constitutionally limited government. The threat that a person will use false identification to access a plane, defeating an otherwise working watch-list system, to execute some attack is utterly small. At what cost in dollars and American values do we attack that tiny threat?

The founding problem is the impetuous placement of federal government agents in the role of securing domestic passenger aviation. There are areas where government is integral to securing airports, airlines, and all the rest of the country—foreign intelligence and developing leads about criminal plots, for example—but the day-to-day responsibility for securing infrastructure like airports and airplanes should be the responsibility of its owners.

If the TSA were to go away, air security measures might be similar in many respects, but they would be conducted by organizations who must keep travelers happy and safe for their living. The TSA hasn’t anything like private airports’ and airlines’ incentives to balance security with convenience, privacy, cost-savings, and all other dimensions of a satisfactory travel experience. Asking people their names at airport security checkpoints is an interesting technique, and not an ineffective one, but it should probably be scrapped because it provides so little security at a relatively great cost.

The NYT’s Weak Defense of Homeland Security Grants

Last week, the House passed a homeland security appropriations bill slashing funding for grants to states and localities. The New York Times has now noticed and unleashed an indignant editorial:

House Republicans talk tough on terrorism. So we can find no explanation — other than irresponsibility — for their vote to slash financing for eight antiterrorist programs. Unless the Senate repairs the damage, New York City and other high-risk localities will find it far harder to protect mass transit, ports and other potential targets.

The programs received $2.5 billion last year in separate allocations. The House has cut that back to a single block grant of $752 million, an extraordinary two-thirds reduction. The results for high-risk areas would be so damaging — with port and mass transit security financing likely cut by more than half — that the chairman of the House Homeland Security Committee, Peter King of New York, voted against the bill as “an invitation to an attack.”

Only a few months ago, Times editorials accused King of trying to “hype” and “stoke” fear of homegrown Muslim terrorism. It’s sort of touching to see them get behind his fearmongering when the beneficiaries are local firefighters, police, and other local interests.

But the editorial has trouble worse than hypocrisy. For starters, it’s light on facts. Its accounting seems to omit over $320 million in funds for local firefighters that a floor amendment put in the bill. It also fails to mention that the bill eliminates a formula that ensures that homeland security funds are distributed to every state. Because it means that counterterrorism spending is highest per-capita in rural areas where the threat from terrorism is lowest, homeland security watchers have long attacked that minimum funding provision. So while this bill would indeed cut homeland security funds going to New York, it would also mean that New York gets more of the remaining funds.

More importantly, the Times evidently did not try too hard to find an explanation for the cuts once they settled on irresponsibility, given that Republican appropriators readily offered one: the funds are wasteful. Rather than explain why they think the money is well spent (my definition of responsibility), the editorial conflates spending on security with security itself. It says the cuts will be “damaging,” but it cites only damage to the budgets of recipient agencies, not their purpose.

In fact, the threat of terrorism is so low in the United States and the efficacy of the funds in mitigating it so uncertain that the right amount of homeland security spending in most parts of the United States is none. That is especially true now that we are roughly a decade removed from the September 11 attacks, which spawned a massive increase in homeland security grant-making. That splurge was meant to bolster our ability to defend against what has proved a massively inflated threat of catastrophic terrorism; it was not meant to be a permanent subsidy to state and local governments.

New York City is uniquely threatened, but that does not mean that federal taxpayers should foot the bill. The federal government should collect intelligence on terrorists and hunt them down. Local and state officials should use that information to determine the right amount of local security spending. They have to ask whether normal policing funds, school spending, or slightly lower taxes are worth sacrificing for a new camera or chemical clean-up suit. Federal grants, because they are buried in a massive budget and partially deficit-funded, dilute our ability to perceive those tradeoffs. They also heighten fear of terrorism by encouraging state and local interests to overstate their peril to win the grants, as the editorial demonstrates.

It ends by instructing the Senate to “stand up for security over politics” and restore funding to past levels. But these decisions should be made politically. We give power over security policy to politicians — rather than leaving it exclusively to unelected bureaucrats — because these decisions are important. That is a product of design, not an accident. The notion that security is too important for politics is backwards.

Luckily, the attempt to divorce security policy from electoral politics is a pretense. The Times is engaging in politics by asking for funds. They aim to politically punish those that oppose their preferred policies. If the Senate restores most of the grant funds, as it likely will, it will do so for sound political reasons.

Cross-posted from The National Interest.

Government Control of Language and Other Protocols

It might be tempting to laugh at France’s ban on words like “Facebook” and “Twitter” in the media. France’s Conseil Supérieur de l’Audiovisuel recently ruled that specific references to these sites (in stories not about them) would violate a 1992 law banning “secret” advertising. The council was created in 1989 to ensure fairness in French audiovisual communications, such as in allocation of television time to political candidates, and to protect children from some types of programming.

Sure, laugh at the French. But not for too long. The United States has similarly busy-bodied regulators, who, for example, have primly regulated such advertising themselves. American regulators carefully oversee non-secret advertising, too. Our government nannies equal the French in usurping parents’ decisions about children’s access to media. And the Federal Communications Commission endlessly plays footsie with speech regulation.

In the United States, banning words seems too blatant an affront to our First Amendment, but the United States has a fairly lively “English only” movement. Somehow, regulating an entire communications protocol doesn’t have the same censorious stink.

So it is that our Federal Communications Commission asserts a right to regulate the delivery of Internet service. The protocols on which the Internet runs are communications protocols, remember. Withdraw private control of them and you’ve got a more thoroughgoing and insidious form of speech control: it may look like speech rights remain with the people, but government controls the medium over which the speech travels.

The government has sought to control protocols in the past and will continue to do so in the future. The “crypto wars,” in which government tried to control secure communications protocols, merely presage struggles of the future. Perhaps the next battle will be over BitCoin, an online currency that is resistant to surveillance and confiscation. In BitCoin, communications and value transfer are melded together. To protect us from the scourge of illegal drugs and the recently manufactured crime of “money laundering,” governments will almost certainly seek to bar us from trading with one another and transferring our wealth securely and privately.

So laugh at France. But don’t laugh too hard. Leave the smugness to them.
