Topic: Law and Civil Liberties

Civil Liberties and Business

The Washington Legal Foundation has just published a Special Report: Federal Erosion of Business Civil Liberties (pdf).  Looks like a comprehensive analysis of the ongoing trend at the federal level to criminalize ordinary business activity. 

Check out this admission from the SEC’s Paul Atkins: “What is astonishing is that the attorney-client privilege, one of the foundational rights on which rests Anglo-American legal culture … should now be under siege.  The two federal agencies that have been most vigorous in seeking waiver of the attorney-client privilege have been the Department of Justice and – unfortunately, I must say – the Securities and Exchange Commission.”  Well, admitting the problem is the first step toward addressing the problem.  But notice the way he makes his agency appear uncontrollable.  It’s a fairly common tactic here in the capital.  Senators talk about “runaway spending” as if the federal budget was on some sort of auto-pilot.  And then they name highways and buildings after themselves to memorialize their “public service” and “leadership.”

When the status quo becomes politically unacceptable, Congress ought to abolish corporate welfare and restore the attorney-client privilege and other legal safeguards.

Related Cato work here and here.

ID Checks are About Control, Not Security

If there was ever any doubt that ID checks at airports are about control and not security, the Transportation Security Administration is clearing that up. Starting June 21, it says, “passengers that willfully refuse to provide identification at security checkpoint [sic] will be denied access to the secure area of airports.”

The claim is that this initiative is “the latest in a series designed to facilitate travel for legitimate passengers while enhancing the agency’s risk-based focus - on people, not things.” So let’s take a moment to look at how refusing airport access to the willful enhances security.

… OK! We’re done!

No terrorist or criminal would draw attention to him or herself by obstinately refusing an ID check. This is only done by the small coterie of civil libertarians and security experts who can’t stand the security pantomime that is airport identification checking. The rest of the people traveling without ID have lost theirs - and TSA officials at airports have no way of knowing which is which.

This new rule will do nothing to improve airport security, but watch for the incident when a TSA agent “doesn’t believe” someone who has truly lost his or her driver’s license and tries to strand a traveler in a faraway city.

A Free Market Gem in Guatemala

The L.A. Times has a very fine article today on Francisco Marroquín University, Guatemala’s libertarian institution of higher learning, and its founder, Manuel “Muso” Ayau.

Those of us who have visited UFM can testify as to the passion for liberty that fills the place. It’s certainly a free market gem in the midst of Central America.

Swire on Cybercrime Underenforcement

Peter Swire of the Center for American Progress has a paper out called “No Cop on the Beat: Underenforcement in E-Commerce and Cybercrime.” He identifies how local law enforcement lacks the ability and incentive to address various wrongs done on the Internet because of their complexity and their multi-jurisdictional nature.

Swire has identified a real problem. Just like everyone else, law enforcement struggles to keep up in the changing online environment. And it’s true that local law enforcement lacks incentive to expend efforts going after a distant cybercrime ring for the benefit of one local complainant and thousands of strangers.

(He calls this a “commons problem” and I understand how he means it to illustrate that law enforcement personnel and organizations are economic actors. Crime victims are a sort of public good to those organizations and they can’t enjoy the benefits of caring for most of those who would benefit from their work. I think this fits more neatly in the public choice box: local law enforcement in one jurisdiction doesn’t get any benefit — budgetary, political, or otherwise — from helping strangers, so they’re less inclined to do so.)

Swire’s conclusion is that there should be more federal law enforcement — such as by the Federal Trade Commission and the the Justice Department — or “federated” law enforcement, combining state and federal authorities: “A more federated approach recognizes the usefulness of enforcement task forces that draw on multiple jurisdictions. Federal‐state task forces, for instance, have been used widely for drug prosecutions and, more recently, in fighting terrorism.”

While these are logical conclusions, I would be reluctant to call for greater federal law enforcement. There isn’t authority for it in the Constitution, and the uses of “federated” law enforcement he identifies — in the “War on Drugs” and the “War on Terror“ — have not been shining examples we ought to follow.

I suspect that Swire would class this as an objection he calls “We Don’t Want Enforcement,” of which he identifies two strains. One is the extent to which some of these “harms” are worthy of enforcement. This is a strong objection, not so much to Swire’s thesis, but to a second one that’s implicit. Swire is not just calling for federal or federated law enforcement aimed at protecting the public from violations of their rights (which manifest themselves as legally cognizable “harms”); he’s classing all kinds of mischief as “harms” to dramatically broaden the sweep of the federal law enforcement task.

Consider this strange circumlocution: “The focus here is on online fraud, malicious software, and other harms that are carried out through the Internet.” In the world of natural language “harms” are “caused,” not “carried out.” Malicious software is “distributed” or “propagated,” not “carried out.” Fraud and malicious software often cause harm, but sometimes do not.

Classing malicious software as a “harm” would make it actionable in the abstract, such as through prescriptive software regulation. If this is what he’s talking about, Swire should surface it and talk about it rather than wedging bad behavior with potential harmful results into the term “harm.” (He’s not alone — see this post and the resulting comments discussing whether increased exposure to risk is a “harm.”)

A second strain of the “We Don’t Want Enforcement” objection is a melange of privacy concerns that Swire would address with due process and privacy rules.

A third strain (with some relation to the privacy concern) emerges from the “commons”/public choice dynamic that Swire identified so astutely as part of the cause of the problem. Bureaucracies and their members are economic actors, and a greater federal law enforcement regime would naturally begin to seek greater powers from the moment it came into existence. This is very much at play in the “wars” on drugs and terror, where federal law enforcement agencies seek much more to promote their institutional interests in growth than the safety, freedom, and prosperity of the people. “We Don’t Want Federal Bureaucracies Doing Law Enforcement” is a much stronger objection than Swire recognizes.

My main concern, though, sounds in moral hazard. Should a federal law enforcement apparatus emerge too early, or occupy fields where it is not absolutely essential, people and organizations that should be responsible for their own security will shunt that responsibility off to the government. Supine and seemingly incompetent, they will fall victim to many crimes and harms that they would otherwise have defended themselves against.

I often analogize the development of security in the online environment to security in the offline environment. Imagine if you were building streets, houses, and buildings from scratch, never having seen such things before. It would take some time to recognize the value of doors, windows, and walls in preventing crime. When you’ve got that window in place, you also need to close the latch, etc.

An alternative to all this distributed learning is to post law enforcement on every corner of every street, or in front of every house. But having a cop on every corner is expensive and hard to administer. There’s risk of corruption, and laziness, and so on. The best security is provided by the most interested actors, and I’d be loathe to have federal law enforcement communicate that there is anyone more responsible than software companies, online service providers, payment systems, and individuals for securing the online environment.

There is some role for the federal government in preventing and detecting multi-jurisdictional and international crimes. I wouldn’t rush to embrace it, or to class a broad array of behaviors as “harms” so that the federal law enforcement role mushrooms into an ineffective and costly “War on Cybercrime.”

Fusion Centers in Search of a Problem

Via Secrecy News: “There is, more often than not, insufficient purely ‘terrorist’ activity to support a multi-jurisdictional and multi-governmental level fusion center that exclusively processes terrorist activity.” This is from a Naval Postgraduate School master’s thesis entitled: “An Examination of State and Local Fusion Centers and Data Collection Methods.”

Though they arose to counter the terrorism threat, “fusion centers” will seek out other things to do. Programs like these are born of slogans - “connect the dots” - “information sharing” - rather than sound security thinking. In a TechKnowledge piece last year titled, “Fusion Centers: Leave ‘Em to the States,” I juxtaposed the active fusion center in Massachusetts with the hair-on-fire overreaction of the Boston Police to a guerrilla marketing campaign featuring stylized Lite-Brites.

An E-Verify Triple: That’s a De-De-Debunker

Department of Homeland Security Assistant Secretary for Policy Stewart Baker has weighed in with another post on the DHS “Leadership Journal” blog about the E-Verify system for conducting federal immigration background checks on all people hired in the United States. He takes on three supposed myths about E-Verify.

Myth 1: That E-Verify is burdensome for employers.

Baker says that E-Verify is a bit less burdensome than ordering books for the first time on Amazon.com. It would be fun to actually run that test. But just for starters, here’s the 600-word form you have to read and fill out before you even register as an employer. The word count of the Memorandum of Understanding you have to read and sign is well over 3,000 words - eight pages of legalistic instructions. Jeff Bezos! Call your bankruptcy lawyer!

Buying a book from Amazon.com doesn’t require you to check someone else’s documents, doesn’t put you at risk of violating federal law, and so on, and so on. These just aren’t comparables.

Baker’s most interesting evidence? An anonymous commenter on one of his earlier posts who just gushes about E-Verify. In fact, the first two comments on that post - both anonymous - come within nine minutes of each other. One praises E-Verify’s ease of use. The other comes from the “worker” perspective - just like a PR flack would want to have covered. Here’s the actual quote: “This E-verify system will let you know if you have a mistake that you need to correct before it is just too late for you!” So very like an infomercial …

But let’s cut to the chase: Regulators in agencies across the federal government are constantly coming with burdens on employers. Oh, they claim that each one is wafer thin, yes. But the cumulative results are disgusting.

Myth, the second: That E-Verify is discriminatory.

Critics “conjure up evil employers who disfavor certain ethnic groups when they apply government hiring rules,” says Baker. That’s not quite it. Unfortunately, rational employers would disfavor certain ethnic groups. Here’s how I put it in my paper “Electronic Employment Eligibility Verification: Franz Kafka’s Solution to Illegal Immigration”:

With illegal immigrants today coming predominantly from Spanish-speaking countries south of the U.S. border, identity fraud and corruption attacks on the EEV system would focus largely on Hispanic surnames and given names. Recognizing that Hispanic employees—even native-born citizens—are more often caught up in identity fraud and tentative nonconfirmation hassles, employers would select against Hispanics in their hiring decisions.

But this is against the rules, protests Baker. And it’s true that the program’s rules forbid this behavior. But Baker is thinking quite a bit like the economist in this old joke:

An economist, a physicist, and an engineer are trapped on a desert island and all they have to eat is a can of baked beans. The engineer first tries to open the can by putting at an angle to the sun to try and burn a hole in it. That doesn’t work. So the physicist gets a rock and does some calculations as to how much force he would have to hit the can with to get it open. No luck. Finally, the economist turns to them both and says, “You’re doing it all wrong! What we need to do is assume we have a can opener …”

“If there are rules against it, it won’t happen.” Friends, avoid South Seas adventures with economist Stewart Baker.

Myth 3: That E-Verify does nothing about identity theft.

E-Verify does something about identity theft. You have to have a matching name and Social Security Number pair to get through the system. That makes defrauding employers harder. It will also make identity theft more profitable and more common if E-Verify goes national. Again, from my paper:

Faced with the alternative of living in poverty and failing to remit wealth to their families, illegal immigrants would deepen the modest identity frauds they are involved in today. Their actions would draw American citizens, unfortunately, into a federal bureaucratic identity vortex.

But Baker is talking about in-system fraud, and the idea of accumulating more biometric information into a national identity system. Currently, a “photo screening tool” in E-Verify shows employers the picture that was printed on DHS-issued permanent resident cards and employment authorization documents. This suppresses forgery of cards, while it may lull employers into checking the card against the computer screen - not against the worker. Whatever the case, DHS is seeking access to passport photos from the State Department and driver license photos from state governments across the country so that it can knit together a national biometric database. (Pictures are biometrics - relatively crude ones, of course. When having a picture database fails to secure against illegal immigration, they’ll move to stronger ones.)

Baker is exaggerating to say that the photo screening tool is a significant step in countering identity fraud. It’s only in very limited use, the system itself would promote identity fraud, and countering identity fraud this way requires a national biometric database, with all the privacy ills that entails. This is why we wouldn’t want E-Verify even if it was ready for prime-time.

Three myths debunked? Or three debunkings de-debunked? Secretary Baker’s commentaries are welcome because they illustrate key points of disagreement, allowing you, the American public, a fuller view into the issues at stake.