Topic: Telecom, Internet & Information Policy

Congress Spends Your Tax Dollars on a National ID

It’s appropriations season! – that wonderful time of year when the House and Senate pass competing versions of legislation to fund government agencies, bureaus, and…whatever pork and pet projects they can squeeze in.

Congress has made most of its spending decisions over the past few years through last-minute continuing resolutions or consolidated appropriations bills. That makes it harder to follow the money (which may be part of the reason they’ve been doing it that way), but it’s important to watch the dollars because some of that money is going toward national ID systems and biometrics.

Last week the House passed its FY 2014 Department of Homeland Security appropriations bill. As in years past, the legislation contains funding for three of everyone’s favorite identification programs: REAL ID, E-Verify, and US-VISIT/the Office of Biometric Identity Management (OBIM), a DHS office covering biometrics for travelers at airports, ports, and other points of entry.

For the coming fiscal year, the House appropriated $114 million for E-Verify, $232 million for OBIM, and $1.2 billion for the State Homeland Security Grant Program (SHSGP), from which grants for REAL ID implementation get doled out to states.

These numbers are consistent with past levels of appropriations for these programs, with the exception of REAL ID, which had its own funding stream until it was folded into SHSGP in fiscal 2012.

NSA Spying, NSA Lying, and Where the Fourth Amendment Is Going

If you want a good primer on the NSA spying disclosed so far, check out the item by Cato alum Tim Lee on the Washington Post’s WonkBlog. It’s a blessedly brief but informative run-down covering:

- mass collection of phone records;

- the PRISM program, which gathers data about Americans incidentally to its stated aim of foreign surveillance; and

- the NSA’s fiber optic eavesdropping: “[T]he NSA has a broad program (actually, several of them) to sweep up Internet traffic from fiber optic cables.”

Also, be sure to read the letter Senators Wyden (D-OR) and Udall (D-CO) sent to NSA head General Keith Alexander yesterday. In it, they point out inaccurate and misleading statements the NSA made in a recently distributed fact sheet. At a certain point, inaccuracies become willful.

On the question of whether surveillance of every American’s phone calling is constitutional, Lee notes how the government and its defenders will rely on a 1979 case called Smith v. Maryland. In that case, the government caused a telephone company to install a pen register at its central offices to record the numbers dialed from the home of a suspected robber. Applying doctrine that emerged from Katz v. United States (1967), the Court found that a person doesn’t have a “reasonable expectation of privacy” in phone calling information, so no search occurs when the government collects and examines this information.

It takes willfulness of a different kind to rely on Smith as validation of the NSA’s collection of highly revealing data about all of us. Smith dealt with one suspect, about whom there was already good evidence of criminality, if not a warrant. The NSA program collects call information about 300+ million innocent Americans under a court order. And the Supreme Court is moving away from Katz doctrine, having avoided relying on it in recent major Fourth Amendment cases such as Jardines (2013), Jones (2012), and Kyllo (2001).

Nobody knows where exactly the Court is headed with the Fourth Amendment in the challenging area of communications, but I’ve argued for reaching back to the wisdom of Justice Butler, dissenting in Olmstead (1929):

“Telephones are used generally for transmission of messages concerning official, social, business and personal affairs, including communications that are private and privileged – those between physician and patient, lawyer and client, parent and child, husband and wife. The contracts between telephone companies and users contemplate the private use of the facilities employed in the service. The communications belong to the parties between whom they pass.”

Cato Comments on TSA Body Scanners

In 2007, the president and CEO of the RAND Corporation, James Thomson, wrote up his impressions of the management at the Department of Homeland Security. “DHS leaders … ‘manage by inbox,’ with the dominant mode of DHS behavior being crisis management,” he wrote. “DHS implements most of its programs with little or no evaluation of their performance.”

If you want proof, look no further than the nation’s airports. Across the United States, the Transportation Security Administration harries American travelers daily, giving them a Hobson’s choice between standing, arms raised, before a nude body scanner or undergoing a prison-style pat-down. It doesn’t have to be this way.

Nearly two years ago, the U.S. Court of Appeals for the D.C. Circuit ordered TSA to do a notice-and-comment rulemaking on its nude body scanning policy. Few rules “impose [as] directly and significantly upon so many members of the public” as the use of body scanning machines, the court said. Its ruling required the agency to publish its policy, take comments from the public, and consider them in formalizing its rules.

The last day to comment on the proposed rules is Monday, June 24th. You can submit your comments until then.

In our comment, Cato senior fellow John Mueller, Mark G. Stewart from the University of Newcastle in Australia, and I take the TSA to task in a number of ways. The TSA fails to account for privacy in its proposed policy, even though the lawsuit that required the rulemaking was based on its privacy consequences.

The policy proposal that TSA issued is hopelessly vague. In fact, the court decision requiring the TSA to put its policies on record is more informative about what the rights of travelers and responsibilities of the TSA are.

Instead of placing its risk management work in the docket, TSA claims that its “risk-reduction analysis” is classified. There is almost no basis for treating such work as secret. Indeed, Mueller and Stewart have done a risk assessment of nude body scanners, published it in an article and their book, and spoken about it at public conferences. Their analysis has shown that the nude body scanning policy does not provide cost-effective security. Quite simply, spending money on nude body scanning buys a tiny margin of security at a price that is too dear. If you add non-monetary costs such as privacy and liberty, as well as opportunity costs such as time wasted due to body scanning, the cost-ineffectiveness of body scanners becomes all the more clear.

Travelers wary of TSA mistreatment choose driving over flying for many short or medium-length journeys. Given the far greater danger of driving, this means more injuries and as many as 500 more Americans killed per year on the roads. Outside of war zones, TSA policies visit more death on Americans than Islamist extremist terrorism has worldwide since 9/11.

The National Research Council found in 2010 that the risk models the Department of Homeland Security uses for natural hazards are “near state of the art” and “are based on extensive data, have been validated empirically, and appear well suited to near-term decision needs.” This is not the case with airline security. In fact, the TSA will accept risks of death that are higher than terrorism in order to maintain nude body scanning policies. The original body scanners, which applied x-ray technology, posed a fatal cancer risk per scan of about one in 60 million. Asked about this on the PBS NewsHour, TSA head John Pistole said this risk was “well, well within all the safety standards that have been set.” The chance of an individual airline passenger being killed by terrorism is much lower: one in 90 million.

TSA’s nude body scanning policies probably cause more deaths than they prevent. For this reason, we recommend in our comment that the TSA suspend the current policies, commence a new rulemaking, and implement a rational policy resulting from an examination of all issues on the public record. After comments close, TSA will issue a final regulation on a schedule it determines, after which the regulation can be challenged in court, and very likely it will.

Hacking for Liberty

You’ve probably heard the old parable about the man looking for his car keys under a street lamp because the light is better there.

I’ve regularly worried aloud about the government transparency project following the same path. Most recently, I pointed out that the president’s executive order was about open data, not transparent government.

“Open data” is pretty much any data the government makes available in useful formats – Agriculture Department data about the gender of farm operators, for example. But don’t look there for government transparency. The Ag Department’s check register is still in the dark.

Transparent government is going to result from data that reflects the deliberations, management, and results of all the government’s agencies and organs. It’s fine to release interesting data, and it’s fine for people to build things with it, but the government transparency project doesn’t advance without data about what government entities are thinking and doing, and how well they’re doing it.

That’s why I’m happy to have offered the legislative data we produce to a hack-a-thon happening this week in San Francisco. Lincoln Labs’ Liberty Hackathon offers $5,000 in prizes to the top producers of technologies that advance civic values like individual privacy and economic liberty. “Top ideas and teams will be considered for future investment.” Sounds good.

My hope is that someone will build something that makes it easier to automatically track what’s happening in Congress, like, oh, spending for example. Our data can automatically reveal every bill that proposes spending, the amount, and the purpose. Wouldn’t it be nice to have that information at your fingertips? You might be inspired to contact your senators and member of Congress and tell them what you think. Maybe an app will tell you how your representatives voted on each and every spending bill that becomes law.

“Data excavation” is how Seamus Kraft at the OpenGov Foundation has characterized the work we do in our Deepbills project, and I’ve been very complimented by his recognition of the work. Transparency will not be a gift from government. We’ll have to dig out the data about the government’s deliberations, management, and results. Maybe this weekend some of the projects produced at the Liberty Hackathon will show how excavated government data energize democracy and protect liberty.

A Reply to Epstein & Pilon on NSA’s Metadata Program

Last week, my colleague Roger Pilon and Prof. Richard Epstein co-wrote a Chicago Tribune op-ed defending the National Security Agency’s bulk metadata collection program. I had not, initially, intended to respond directly: Cato scholars often disagree among themselves—as Roger and I long have in this area—and normally it suffices for us each to state our own affirmative arguments and let readers decide for themselves which is most convincing. However, as I now see that some observers—and in particular, a significant number of libertarians—have mistakenly taken this to mean that “Cato” supports the NSA program, which continues to dominate the news, I feel it’s necessary to say something here about why I (and, as I believe, the majority of my colleagues) reject that view.

In an area where so much remains secret, it is impossible to have a sensible debate unless we are at least clear on the public facts. So before I address their broader arguments, it is necessary to correct a few important factual errors in the Tribune piece. Pilon and Epstein write:

“The names linked to the phone numbers are not available to the government before a court grants a warrant on proof of probable cause, just as the Fourth Amendment requires.”

This is incorrect. Nothing in the law would require a warrant to get the name associated with a number, and the public statements of FBI Director Robert Mueller directly contradict this claim.

At the risk of stating the obvious: phone numbers can often be associated with names by a simple Google search, and the NSA and FBI have access to far larger databases that would likely make such an association trivial.

But even if that weren’t the case, 18 USC §2709 allows names, addresses, and other “basic subscriber information” associated with a number to be obtained via a National Security Letter based on a certification of “relevance” to an investigation, with no need for judicial approval. As Director Mueller explained at a recent hearing, this is precisely how such information would be obtained here, assuming it were not already available.

“Indeed, once that warrant is granted to examine content, the content can be used only for national security issues, not even ordinary police work.”

This is also incorrect. Under 50 USC §1801, the minimization procedures governing information acquired from electronic surveillance shall “allow for the retention and dissemination of information that is evidence of a crime which has been, is being, or is about to be committed and that is to be retained or disseminated for law enforcement purposes.” As the FISA House Report makes clear, this does not refer to terrorism or espionage related crimes, which can already be retained and disseminated as “foreign intelligence information,” but rather to information about crimes “totally unrelated to intelligence matters.”

How Much Bulk Records Snooping Bypasses Judges?

The revelation that the National Security Agency has been indiscriminately collecting Americans’ phone records using sweeping bulk orders issued by a secret court has sparked enormous controversy. Yet we know that at least in the first few years after 9/11, something very similar occurred without any judicial process at all, as first reported by USA Today in 2006. Though that story was dwarfed at the time by the controversy over the Bush administration’s warrantless wiretap program, it was actually the call records program that provoked a dramatic showdown between the White House and Justice Department, nearly triggering a mass resignation when the president threatened to reauthorize it over the objections of the acting attorney general that it was unlawful.

The controversy reemerged earlier this month when the Guardian published a leaked court order to Verizon’s business-focused subsidiary to produce “all call detail records,” including all “routing information,” and specifically requesting communications “wholly within the United States, including local telephone calls.” The order made it clear that the program continued, and was not merely large-scale but sought literally all domestic records. Moreover, it raised concerns about the Foreign Intelligence Surveillance Court’s interpretation of §215 more generally. The court had apparently determined that an authority to demand “any tangible thing” from nearly any person or entity could be exercised in a completely non-particularized way: Give us everything, we may eventually decide some of it is “relevant.” But it’s still not wholly clear when and why the FISC got involved in the metadata program—and how much of it may still bypass judicial supervision.

It’s clear from the original USA Today story that the metadata program in its original incarnation “didn’t need a court order—or approval under FISA—to proceed.” It’s also relatively clear that something changed around 2006. Statements from the program’s defenders in Congress indicate that the current version of the program, involving orders reissued at three-month intervals, has been operating for seven years. Moreover, you can read between the (heavily redacted) lines of a March 2008 Inspector General report on the use of §215 in 2006 and see intimations that “unlike in previous years,” the authority was being used in some programmatic way that would not be included in the IG’s discussion or metrics.

Yet the numbers reported annually for §215 orders, as Amie Stepanovich of the Electronic Privacy Information Center reminded me, are hard to square with a major shift to reliance on the authority for metadata at that time. Only a handful of §215 orders were issued in the subsequent years: six in 2007, 13 in 2008, and 21 in 2009. Even if those metrics only count the “primary order” authorizing acquisition from multiple providers, and not the “secondary orders” issued to each provider, that seems low. You’d still need at least four each year for each type of bulk order, and the Wall Street Journal has reported that the program reaches far beyond telephone data to encompass “records from Internet-service providers and purchase information.”

Instead, we see two enormous jumps in orders starting in 2010. That year, there were 96 orders, of which a surprising 43 were modified. That seemed odd to observers because §215 authority is so broad, requiring only “relevance” to an investigation, that the court would rarely have occasion to intervene—unless what was being demanded was so mindbogglingly expansive that it strained even that flaccid standard. We then see another big jump in 2011, to 205 orders (176 modified), which levels off in 2012 at 212 orders (200 modified). What was going on there? If the NSA bulk metadata program moved over to reliance on §215 in 2006, why is there no sign of anything like it in the numbers until four years later?