Topic: Telecom, Internet & Information Policy

Libertarians Shouldn’t Want Perfect Security—Reply to Professor Epstein

I was pleased to see last week that Professor Epstein had penned a response to my criticism of his recent piece on Hoover’s Defining Ideas in which he argued against treating protection of civil liberties and privacy as “nonnegotiable” in the context of counterterrorism. It is not the disagreement that is pleasing, of course, but the opportunity to air it, which can foster discussion of these issues among libertarians while illustrating to the broader world how seriously libertarians take both security and liberty.

What’s most important in Professor Epstein’s rejoinder is what comes at the end. He says that I should “comment constructively on serious proposals” rather than take an a priori position that civil liberties and privacy will often impede expansions of government power proposed in the name of counterterrorism.

I believe that Professor Epstein and I share the same prior commitments–to limited government, free markets, and peace. Having left it implicit before, I’ll state that I, too, believe that protection of life and property is the primary function of the state. But I also believe that excesses in pursuit of security can cost society and our liberties more than they produce in benefits.

Some years of work on counterterrorism, civil liberties, and privacy bring me to my conclusions. I had put in a half-decade of work on privacy before my six years of service on the Department of Homeland Security’s privacy advisory committee began in 2005. While interacting with numerous DHS components and their programs, I helped produce the DHS Privacy Committee’s risk-management-oriented “Framework for Privacy Analysis of Programs, Technologies, and Applications.” From time to time, I’ve also examined programs in the Science and Technology Directorate at DHS through the Homeland Security Institute. My direct knowledge of the issues in counterterrorism pales in comparison to the 30+ experts my Cato colleagues and I convened in private and public conferences in 2009 and 2010, of course, but my analysis benefitted from that experience and from co-editing the Cato book: Terrorizing Ourselves: Why U.S. Counterterrorism Policy is Failing and How to Fix It.

Whether I’m operating from an inappropriate a priori position or not, I don’t accept Professor Epstein’s shift of the burden. I will certainly comment constructively when the opportunity arises, but it is up to the government, its defenders, and here Professor Epstein to show that security programs are within the government’s constitutional powers, that such programs are not otherwise proscribed by the constitution, and that they cost-effectively make our society more secure.

The latter two questions are collapsed somewhat by the Fourth Amendment’s requirement of reasonableness, or “fit” between means and ends when a search or seizure occurs. And to the extent I can discern the program that Professor Epstein prefers, I have commented on it as constructively as I can.

After Boston, Division in the Libertarian Ranks: My Response to Jim Harper

My recent observations on Hoover’s Defining Ideas about the relationship of civil liberties to national security have drawn a stern response from Cato’s own Jim Harper, whose central claim is that I have sounded “needless anti-privacy notes” in my attack on the privacy protective policies that have been championed by Massachusetts Republican State Senator Robert Hedlund, whom I criticized for being too squeamish on aggressive and targeted government action to counter the threats that became all too visible on April 15, 2013. 

Harper’s initial parry is to stress a proposition that no one should care to deny, namely, that the Fourth Amendment imposes a bar against unreasonable searches and seizures, which in turn requires an examination of the purported relationship between the restriction that government seeks to impose and the evil that it seeks to defend against.  But in his choice of example and articulation of principle, Harper is guilty of grievous non sequiturs that add needless confusion to a problem that is already difficult enough to handle.

To examine the relationship between privacy and security, it is always a mistake to start with an example that the author describes as “an illustration ad absurdum,” which is just what Harper does when he bravely denounces a rule that allows for “100% crotch checks at street corners in major cities.”  The simple response is that this kind of action is under current law regarded as per se illegal even in connection with the so-called Terry stopswhich allow a police officer “to stop and frisk” individual on the public street if he or she has “reasonable suspicion” to think that the targeted person has engaged in illegal activity. 

That example has absolutely nothing to do with the design of a workable surveillance system. It also falsely calibrates the relevant choices by dismissing the current cries for increased surveillance as a “closer” question, when the two situations are worlds apart.  The Fourth Amendment treatment of unreasonable searches and seizures rests on a critical distinction between investigation of particular suspects and the stopping of dangers from unknown quarters.  There is a lot more information in the first case, so that a dragnet search makes no sense, which is why particularized evidence is required.  But general surveillance at unknown targets has to spread its net far wider.  It is both less intrusive and more comprehensive, and it can and does work. It was painfully clear from the pattern of events in Boston that the private surveillance cameras that were trained on the Boston Marathon provided indispensable information toward identifying and apprehending the Tsarnaev brothers.  What makes their use unreasonable, when there is not the slightest evidence that the information so acquired was used for improper purposes unrelated to the search?

It may be “worth discussing,” as Harper suggests, whether the use of surveillance will help deter some crimes and stop others.  But, if so, the only useful discussion is one that asks the means-ends question of how, in light of cost and privacy concerns, one can construct the best cost-effective surveillance system available, which can then be coordinated with the activities of police officers and volunteers on the ground, especially at any public event that presents a soft target.

But to dismiss these efforts on the unsupported speculation that “the possibility of apprehension seems not have occurred to the Tsarnaev brothers” can only be described as blinding error, especially in light of their frantic efforts to escape capture so they could strike again.  Nor does it make the slightest sense to tie general surveillance policy to some dubious account of the psychological make-up of two individuals.  It is far wiser to develop policies that improve the ability to track and identify dangerous suspects. Of course it is possible to construct a “surveillance architecture” that so dense as to be useless.  But once again, the sensible case for beefing up Boston’s public surveillance does not require that system designers leap from one indispensable extreme to another.  The real question is how to identify the comprehensive policies that do make sense.

Harper is equally off target about the potential gains from racial or ethnic profiling.  No one accepts the extreme proposition that all terrorists come from the same ethnic stock or practice the same religion. But that observation offers absolutely no reason to ignore valuable information that could help tweak the design of surveillance systems of searches.  The question here is not whether sensible protocols and profiles can narrow the search down to one-fifth the world’s population, most of which does not live in Boston anyhow.  It is the question of whether one can winnow the list of potential suspects from 100 to 20 people, which, if done reliably, gives law enforcement a huge leg up in conducting its investigations.

In sum, Harper would have a stronger case if he had tried to comment constructively on serious proposals that are put forward.  But to take an ill-advised a priori position that does nothing to advance either the protection of human life and human property, both private and public, is inconsistent with any sound libertarian position.  Remember that libertarians like myself, and I hope Harper, regard the protection of both as the primary function of the state. Harper’s careless and imprecise invocation of the Fourth Amendment cannot conceal this fundamental truth.

Good, Market-Based Privacy Advocacy

Too much privacy advocacy is done by a self-appointed expert class who, believing their own preferences to be universal, beseech legislators and regulators to mold or even remake the information economy. I have nothing against self-appointed experts—I am one, and some of you have been falling for my schtick for a decade. But the hubris of claiming to know how things should come out? That’s too much.

So the Electronic Frontier Foundation’s “Who Has Your Back?” report is real stand-out. Using a clear, six-star grid, they assess how well major Internet companies and ISPs do when it comes to key dimensions of privacy protection.

This puts you, the consumer, in a position to choose with whom you want to do business. As importantly, it puts business decision-makers on notice: If they don’t satisfy actual consumer demand for privacy, they are more likely than before to lose money.

If consumers care about privacy, they will act on what’s in this report—and specifically on the dimensions of privacy protection that matter to them. If they don’t, they won’t, because they prioritize other things, and businesses can do the same. It’s an elegant system—a market-based system—for discovering and delivering what consumers want.

The alternative is a foggy war (politics being war by other means) in which the “consumer advocate” and “industry” use every artifice to persuade various authorities whether or not, and how, to intervene. The actual desire of the consumer is an afterthought in this regulatory battle.

So, Who Has Your Back?

The report is worth checking out. You might learn that a provider you trust is not so trustworthy. You might learn of services that you should try because they are good actors. You might disagree with the methodology, and that’s fine, too. The responses of businesses and consumers to this report will be far more finely tuned to actual consumer demand for privacy than the gaudy privacy show that runs ‘round the clock these days in Washington, D.C., state capitols, and Brussels.

Congratulations and thanks to the Electronic Frontier Foundation for some good, market-based privacy advocacy!

The Path to National Identification

In my 2008 paper, “Electronic Employment Eligibility Verification: Franz Kafka’s Solution to Illegal Immigration,” I wrote about where “internal enforcement” of immigration law leads: “to a national, cradle-to-grave, biometric tracking system.” More recently, I wrote “Internal Enforcement, E-Verify, and the Road to a National ID” in the Cato Journal. The “Gang of Eight” immigration proposal includes a large step on that path to national identification.

National ID provisions in the 2007 immigration bill were arguably its downfall. Scrapping the national ID provisions in the current bill would improve it, allowing our country to adopt more sensible immigration policies without suffering a costly attack on American citizens’ liberties.

Title III of the “Gang of Eight” bill is entitled “Interior Enforcement.” It begins by reiterating the current prohibition on hiring unauthorized aliens. (What seems to many a natural duty of employers was an invention that dates back only as far as 1986, when Congress passed the Immigration Reform and Control Act. Prior to that time, employers were free to hire workers based on the skills and willingness they presented, and not their documents. But since that time, Congress has treated the nation’s employers as deputy immigration agents.)

The bill details the circumstances under which employers may be both civilly and criminally liable under the law and provides for a “good faith defense” and “good faith compliance” that employers may hope to use as shelter. The bill restates (with modifications) the existing requirements for checking workers’ papers, saying that employers must “attest, under penalty of perjury” that they have “verified the identity and employment authorization status” of the people they employ, using prescribed documents or combination of documents. Cards that meet the requirements of the REAL ID Act are specifically cited as proof of identity and authorization to work.

In addition, the bill would create a new “identity authentication mechanism,” requiring employers to use that as well. It would take one of two forms. One is a “photo tool” that enables employers to match photos on covered identity documents to photos “maintained by a U.S. Citizenship and Immigration Services database.” If the photo tool is not available, employers must use a system the bill would instruct the Department of Homeland Security develop. The system would “provide a means of identity authentication in a manner that provides a high level of certainty as to the identity of such individual, using immigration and identifying information that may include review of identity documents or background screening verification techniques using publicly available information.”

The bill next turns to expanding the E-Verify system, requiring its use by various employers on various schedules. The federal government and federal contractors would have to use E-Verify as required already or within 90 days. A year after the DHS publishes implementing regulations, the Secretary of Homeland Security could require anyone touching “critical infrastructure” (defined here) to use E-Verify. She could require immigration law violators to use E-Verify anytime she likes.

Why Art Laffer’s Unfortunate Endorsement of a State Sales Tax Cartel Is Misguided

Art Laffer has a guaranteed spot in the liberty hall of fame because he popularized the common-sense notion that you can’t make any assumptions about tax rates and tax revenue without also figuring out what happens to taxable income.

Lot’s of people on the left try to denigrate the “Laffer Curve,” but it’s worth noting that even left-wing economists now admit that you don’t maximize revenue with a 100 percent tax rate.*

Indeed, I think the only people who now cling to that absurd view are the bureaucrats at the Joint Committee on Taxation.

But this post isn’t about the Laffer Curve. It’s about a disappointing column that Art Laffer wrote last week in the Wall Street Journal.

The issue is whether states should have the power to impose taxes on sales that take place outside their borders. Art starts the column with a very good point about the link between growth and living standards.

After enjoying an average growth rate above 3.5% per year between 1960 and 1999, Americans have had to make do with less than one-half that pace since 2000. The consequences are already dramatic and will become even more so over time. Overall we are 20% poorer today than we would be had the pre-2000 growth rate persisted.

CISPA’s Vast Overreach

Last summer at an AEI-sponsored event on cybersecurity, NSA head General Keith Alexander made the case for information sharing legislation aimed at improving cybersecurity. His response to a question from Ellen Nakashima of the Washington Post (starting at 54:25 in the video at the link) was a pretty good articulation of how malware is identified and blocked using algorithmic signatures. In his longish answer, he made the pitch for access to key malware information for the purpose of producing real-time defenses.

What the antivirus world does is it maps that out and creates what’s called a signature. So let’s call that signature A. …. If signature A were to hit or try to get into the power grid, we need to know that signature A was trying to get into the power grid and came from IP address x, going to IP address y.

We don’t need to know what was in that email. We just need to know that it contained signature A, came from there, went to there, at this time.

[I]f we know it at network speed we can respond to it. And those are the authorities and rules and stuff that we’re working our way through.

[T]hat information sharing portion of the legislation is what the Internet service providers and those companies would be authorized to share back and forth with us at network speed. And it only says: signature A, IP address, IP address. So, that is far different than that email that was on it coming.

Now it’s intersting to note, I think—you know, I’m not a lawyer but you could see this—it’s interesting to note that a bad guy sent that attack in there. Now the issue is what about all the good people that are sending their information in there, are you reading all those. And the answer is we don’t need to see any of those. Only the ones that had the malware on it. Everything else — and only the fact that that malware was there — so you didn’t have to see any of the original emails. And only the ones that had the malware on it did you need to know that something was going on.

It might be interesting to get information about who sent malware, but General Alexander said he wanted to know attack signatures, originating IP address, and destination. That’s it.

Now take a look at what CISPA, the Cybersecurity Information Sharing and Protection Act (H.R. 624), allows companies to share with the government provided they can’t be proven to have acted in bad faith:

information directly pertaining to—

(i) a vulnerability of a system or network of a government or private entity or utility;

(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or utility or any information stored on, processed on, or transiting such a system or network;

(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity or utility; or

(iv) efforts to gain unauthorized access to a system or network of a government or private entity or utility, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity or utility.

That’s an incredible variety of subjects. It can include vast swaths of data about Internet users, their communications, and the files they upload. In no sense is it limited to attack signatures and relevant IP addresses.

What is going on here? Why has General Alexander’s claim to need attack signatures and IP addresses resulted in legislation that authorizes wholesale information sharing and that immunizes companies who violate privacy in the process? One could only speculate. What we know is that CISPA is a vast overreach relative to the problem General Alexander articulated. The House is debating CISPA Wednesday and Thursday this week.

Americans Deserve to See Federal Role in National Tests

The drive to impose uniform curriculum standards on the nation’s schools has been one of stealth, and at times, seemingly intentional deception. Most egregious has been the mantra of Common Core proponents that the effort has been “state-led and voluntary,” despite Washington coercing state adoption through the Race to the Top program and No Child Left Behind waivers; standards creators encouraging just such federal “incentives”; and Washington selecting and funding the two groups creating the tests to go with the standards. And now, more than a week after the U.S. Department of Education announced the creation of a “technical review” panel to assess the assessments, it seems increasingly certain that the panel’s work will be done behind closed doors.

At least one report asserts that the meetings will, indeed, be closed to the public. Education Week’s initial reporton the review says that the panel’s “feedback” will eventually be made public in “a yet-to-be-determined form,” but says nothing about the meetings themselves. Cato Center for Educational Freedom efforts to confirm the meeting status with the U.S. Department of Education have come up empty, with calls over two days either resulting in no information or simply going unanswered. At best, then, the meetings will be open to the public but ED has a terrible communications system. At worst the panel’s work will be completely under wraps save for some kind of final – and perhaps heavily filtered – report.

Either scenario is unacceptable. These tests are being funded by taxpayers, and the goal is ultimately to use them to assess the math and reading mastery of the nation’s children. Funders and families deserve to see what this review panel is doing, and shouldn’t have to pull telecommunications teeth to find out if and how they can do that. In addition, Common Core supporters have taken to painting opponents as paranoid, while at the same time denying or downplaying the federal government’s major role in pushing the Common Core. It would not be surprising were they to use the same tactics should Common Core opponents raise questions about the degree to which the Feds are influencing what is on the tests. The panel may well leave test content alone, but given the track record so far it is rational to fear the worst, especially when it seems the review panel is purposely being kept out of real sunlight.

Americans deserve to see all that the Feds are doing with this supposedly non-federal effort.