Topic: Telecom, Internet & Information Policy

I Hate to Say “I Told You So” II (Web Wiretap Edition)

I wrote recently in Wired about the many problems with an FBI proposal to require Internet providers to render their services more wiretap-friendly. Perhaps chief among these is the deleterious effect such a mandate would have on cybersecurity.

This is so, first, because it would tend to push companies away from design choices that make a system more resilient or secure but harder to intercept. If you risk massive fines when you can’t cough up user communications, that’s a powerful incentive to prefer server-side over end-to-end encryption, centralized routing over peer-to-peer, and closed over open standards and source code. Second, as 20 renowned computer scientists and security experts also pointed out in a letter released last Friday [PDF], the surveillance interface companies create to comply with orders can itself become an attractive “attack surface” subject to exploitation. The primary concern there, of course, is that lawful intercept code can be hijacked by a third party to enable their own surveillance—but it can also be a source of information about government investigations for hackers in the service of foreign powers.

Lo and behold, The Washington Post reports today that a successful 2010 hack against Google, believed to have originated in China, also compromised a sensitive database of information on accounts that had been flagged for national security surveillance. That’s a boon to any foreign government looking to discover which agents have had their covers blown and which remain undetected—and something worth throwing considerable hacking resources at. It’s not clear whether the attackers were also able to use any internal law enforcement interface to assist them in targeting the accounts of Chinese dissidents, which is the part of the attack that had been previously reported.

Defenders of the FBI proposal tend to pooh-pooh security concerns raised about requiring such backdoors: Our brilliant American programmers, they assert, will find ways to enable wiretapping without creating new vulnerabilities. But if a company like Google, with its massive financial resources and a stable of some of the smartest coders anywhere, can be victimized in this way, how realistic is it to expect thousands of Internet startups to achieve better security?

I Hate to Say “I Told You So” (Spying on the Press Edition)

On Friday, I wrote a piece for Mother Jones speculating that government spying on press communications may not be “unprecedented,” as Associated Press head Gary Pruitt put it, but simply rarely disclosed. The rules requiring disclosure of such surveillance, after all, only appear to apply to “subpoenas” for “telephone toll records,” not secret tools like National Security Letters. Even outside the shadowy world of intelligence, as federal magistrate judge Stephen Smith has observed, court orders granting government access to electronic communication records routinely remain secret indefinitely. I suggested that there could be quite a few other cases like the AP story that we’ve simply never heard about, even if the Justice Department scrupulously follows its own rules, because they didn’t involve grand jury subpoenas for phone logs.

It is rare for someone who writes about the intelligence community to have a speculation of this sort confirmed almost instantly, but a report in the Washington Post today is already shining a spotlight on another hitherto unreported leak investigation in which the government obtained a warrant to read the e-mail of Fox News reporter James Rosen. The warrant in that case was sealed for over a year, and appears to have remained unnoticed until today—nearly three years after the search of Rosen’s e-mail was authorized. Why should anyone believe this is the only such case that hasn’t yet come to light?

The Rosen case is especially unsettling because the warrant affidavit suggests that Rosen himself could be subject to prosecution under the Espionage Act, on the grounds that his alleged encouragement to a source to provide classified information amounts to “conspiracy.” The attempt to redefine as crime what is ultimately a routine and necessary part of national security reporting really is rather unprecedented: As the Congressional Research Service has observed, “we are aware of no case in which a publisher of information obtained through unauthorized disclosure by a government employee has been prosecuted for publishing it,” and there “may be First Amendment implications that would make such a prosecution difficult.”

A successful prosecution, of course, is not necessarily the point. The case against NSA whistleblower Thomas Drake—who revealed massive waste in the Agency’s deals with intelligence contractors—ultimately collapsed: The information he’d revealed was embarrassing to the government, not dangerous to national security. But Drake’s life had still been shattered, and a clear message sent to any others who might seek to embarrass the government. Reporters are already feeling the chilling effects of the AP leak investigation—and presumably that’s the real aim: Not to jail leakers as an end in itself, but to ensure that government sources are too scared to talk to press without approval.

That might sound like a fine idea if we were really only talking about vital national security secrets whose publication would endanger the United States. But as even top intelligence officials have acknowledged, “overclassification” is rampant in government. Much of the most basic information, without which effective national security reporting would be impossible, is reflexively classified whether or not it poses any realistic security risks, and reporters routinely discuss such information. In practice, that means the government can pick and choose which leakers to go after—and which ones to wink at because they’re serving the administration’s interests.

Three Questions about Government Spying on the Press

It’s heartening to see widespread outrage—both online and from members of Congress—about the news that Justice Department vacuumed up phone records spanning two months from 20 phone lines belonging to the Associated Press or its employees. This may not be a return to the bad old days of J. Edgar Hoover, who kept files of derogatory information about hostile journalists, but surveillance of the press—even in the course of otherwise legitimate investigations—always threatens to impede the vital check on government the Fourth Estate provides. A subpoena covering so many of a major news organization’s phone lines, including shared switchboard and fax numbers used by scores of reporters, for such an extended period, seems especially troubling in the context of this administration’s unprecedented war on whistleblowers. It’s effectively a warning that nobody who speaks to the press without White House approval—whether they’re leaking classified secrets or just saying things the bosses wouldn’t like—can count on anonymity.  I’ll have plenty more to say about this soon, but a few key questions reporters and legislators ought to be asking:

  • DOJ regulations are supposed to require a careful balancing of investigative needs against First Amendment values before reporter records are sought, with advance notice to the press whenever possible. The AP is fairly certain its records were seized as part of a leak investigation aimed at uncovering the source of  a story about a foiled terrorist plot—a story the AP itself sat on until they were convinced publication posed no national security risk. The administration itself was on the verge of announcing the same facts. Given that anonymous sources discussing classified matters with press are a routine and indispensable part of journalism, what made this investigation so urgent that it was necessary to use methods experts agree were far more broad and intrusive than the norm?
  • Read hyper-literally, those same DOJ regulations refer only to “subpoenas” directed at journalists themselves or seeking “telephone toll records.” And the DOJ’s own operational guidelines make quite clear that they do read the rules hyper-literally: They apparently are not held to apply to the myriad tools other than grand jury subpoenas at the government’s disposal, such as National Security Letters or administrative subpoenas. Does DOJ employ a similarly literal reading of “telephone toll records,” such that they’re not required to observe these rules when they obtain other electronic records, such as e-mail transactional data? The DOJ, recall, says they often don’t need warrants to read e-mail or Facebook chats, let alone review transactional metadata concerning such communications. So it seems odd that they would pull out all the stops when it comes to phone records, yet ignore the channels by which modern reporters probably conduct the bulk of their correspondence. Even if it would have been infeasible to access logs of AP’s e-mail transactional data without tipping them off (my understanding is they maintain their own e-mail servers), nearly every journalist has potentially revealing Facebook friend lists, personal Gmail accounts, Twitter direct message headers, and so on—some of which would be more targeted than records from phone lines shared by dozens of journalists. Was other data that DOJ believes to be outside the scope of their reporting obligations—either because it wasn’t obtained by “subpoena” or because it wasn’t “telephone toll records”—obtained in this case? More broadly, how much press data is obtained without notification because it falls outside these categories?
  • Thanks to a 2010 Inspector General report, we know a bit about the FBI’s use of “community of interest” data requests that sweep up call log data not just on a single target, but all the phones their target is in regular contact with—and maybe even the numbers those phones are calling too. After using this technique for years—sometimes literally by accident—FBI sought an Office of Legal Counsel opinion about whether the press notification rules applied when such requests were likely to indirectly pull in press records. In January 2009, OLC concluded they did—but since they ended up not getting the records in that instance, and the agent making the request apparently hadn’t understood quite what he was requesting, the FBI decided it didn’t need to tell anyone at the time. What, then, is the Justice Department’s current policy when it comes to information about press communications obtained indirectly through “community of interest” requests? Is any attempt made to ascertain when such requests have acquired reporters’ phone records, whether or not that was either intended or foreseen when the request was made? Since records in the FBI database are retained indefinitely for potential future data mining, even records the FBI doesn’t currently know belong to reporters could easily end up revealing patterns of press activity as a result of future analysis. Does DOJ think it must inform reporters when this happens, or is it only at the acquisition stage that the notice obligation applies?  Has any broad effort been made to determine how many reporter records are in FBI databases, especially as a result of requests made before 2009? 

Of course, whatever the answers to these questions, the Electronic Frontier Foundation is right to point out that the broader problem is that communications metadata isn’t entitled to much protection under either current Fourth Amendment jurisprudence or federal statute. This means the government can typically access metadata with little or no judicial oversight—and if you’re not a reporter there are no special rules requiring the government to ever notify you that your records have been swept up in some investigation. As technological change makes such metadata increasingly revealing—because nearly everything you do online leaves some digital trace, from which ever more detailed inferences can be drawn using sophisticated analytic tools—the problem is not just for press freedom: it’s a privacy problem for all of us.

President Obama’s New E.O.: Open Data, Not Government Transparency

There’s a powerful irony lurking underneath the executive order and OMB memorandum on open data that the White House released in tandem today: We don’t have data that tells us what agencies will carry out these policies.

It’s nice that the federal government will work more assiduously to make available the data it collects and creates. And what President Obama’s executive order says is true: “making information resources easy to find, accessible, and usable can fuel entrepreneurship, innovation, and scientific discovery that improves Americans’ lives and contributes significantly to job creation.” GPS and weather data are the premier examples.

But government transparency was the crux of the president’s 2008 campaign promises, and it is still the rightful expectation of the public. Government transparency is not produced by making interesting data sets available. It’s produced by publishing data about the government’s deliberations, management, and results.

Today’s releases make few, if any, nods to that priority. They don’t go to the heart of transparency, but threaten to draw attention away from the fact that basic data about our government, including things as fundamental as the organization of the executive branch of government, are not available as open data.

Yes, there is still no machine-readable government organization chart. This was one of the glaring faults we found when we graded the publication practices of Congress and the executive branch last year, and this fault remains. The coders who may sift through data published by various agencies, bureaus, programs, and projects can’t sift through data reflecting what those organizational units of government are.

Compare today’s policy announcements to events coming up on Capitol Hill in the next two weeks.

On Thursday next week (May 16), the House Committee on Oversight and Government Reform will host a “DATA Demonstration Day” to illustrate to Congress and the media how technology may cut waste and improve oversight if federal spending data is structured and transparent. (That would include my hobby-horse, the machine-readable federal government organization chart.) We’ll be there demo-ing how we add data to the bills Congress publishes.

On May 22nd, the House Administration Committee is hosting its 2013 Legislative Data and Transparency Conference. This is an event at which various service providers to the House will announce not just policies, but recent, new, and upcoming improvements in publication of data about the House and its deliberations. (We’ll be there, too.)

The administration’s open data announcements are entirely welcome. Some good may come from these policies, and they certainly do no harm (barring procurement boondoggles–which, alas, is a major caveat). But I hope this won’t distract from the effort to produce government transparency, which I view as quite different from the subject of the new executive order and memorandum. The House of Representatives still seems to be moving forward on government transparency with more alacrity.

Libertarians Shouldn’t Want Perfect Security—Reply to Professor Epstein

I was pleased to see last week that Professor Epstein had penned a response to my criticism of his recent piece on Hoover’s Defining Ideas in which he argued against treating protection of civil liberties and privacy as “nonnegotiable” in the context of counterterrorism. It is not the disagreement that is pleasing, of course, but the opportunity to air it, which can foster discussion of these issues among libertarians while illustrating to the broader world how seriously libertarians take both security and liberty.

What’s most important in Professor Epstein’s rejoinder is what comes at the end. He says that I should “comment constructively on serious proposals” rather than take an a priori position that civil liberties and privacy will often impede expansions of government power proposed in the name of counterterrorism.

I believe that Professor Epstein and I share the same prior commitments–to limited government, free markets, and peace. Having left it implicit before, I’ll state that I, too, believe that protection of life and property is the primary function of the state. But I also believe that excesses in pursuit of security can cost society and our liberties more than they produce in benefits.

Some years of work on counterterrorism, civil liberties, and privacy bring me to my conclusions. I had put in a half-decade of work on privacy before my six years of service on the Department of Homeland Security’s privacy advisory committee began in 2005. While interacting with numerous DHS components and their programs, I helped produce the DHS Privacy Committee’s risk-management-oriented “Framework for Privacy Analysis of Programs, Technologies, and Applications.” From time to time, I’ve also examined programs in the Science and Technology Directorate at DHS through the Homeland Security Institute. My direct knowledge of the issues in counterterrorism pales in comparison to the 30+ experts my Cato colleagues and I convened in private and public conferences in 2009 and 2010, of course, but my analysis benefitted from that experience and from co-editing the Cato book: Terrorizing Ourselves: Why U.S. Counterterrorism Policy is Failing and How to Fix It.

Whether I’m operating from an inappropriate a priori position or not, I don’t accept Professor Epstein’s shift of the burden. I will certainly comment constructively when the opportunity arises, but it is up to the government, its defenders, and here Professor Epstein to show that security programs are within the government’s constitutional powers, that such programs are not otherwise proscribed by the constitution, and that they cost-effectively make our society more secure.

The latter two questions are collapsed somewhat by the Fourth Amendment’s requirement of reasonableness, or “fit” between means and ends when a search or seizure occurs. And to the extent I can discern the program that Professor Epstein prefers, I have commented on it as constructively as I can.

After Boston, Division in the Libertarian Ranks: My Response to Jim Harper

My recent observations on Hoover’s Defining Ideas about the relationship of civil liberties to national security have drawn a stern response from Cato’s own Jim Harper, whose central claim is that I have sounded “needless anti-privacy notes” in my attack on the privacy protective policies that have been championed by Massachusetts Republican State Senator Robert Hedlund, whom I criticized for being too squeamish on aggressive and targeted government action to counter the threats that became all too visible on April 15, 2013. 

Harper’s initial parry is to stress a proposition that no one should care to deny, namely, that the Fourth Amendment imposes a bar against unreasonable searches and seizures, which in turn requires an examination of the purported relationship between the restriction that government seeks to impose and the evil that it seeks to defend against.  But in his choice of example and articulation of principle, Harper is guilty of grievous non sequiturs that add needless confusion to a problem that is already difficult enough to handle.

To examine the relationship between privacy and security, it is always a mistake to start with an example that the author describes as “an illustration ad absurdum,” which is just what Harper does when he bravely denounces a rule that allows for “100% crotch checks at street corners in major cities.” The simple response is that this kind of action is under current law regarded as per se illegal even in connection with the so-called Terry stops, which allow a police officer “to stop and frisk” an individual on the public street if he or she has “reasonable suspicion” to think that the targeted person has engaged in illegal activity.

That example has absolutely nothing to do with the design of a workable surveillance system. It also falsely calibrates the relevant choices by dismissing the current cries for increased surveillance as a “closer” question, when the two situations are worlds apart.  The Fourth Amendment treatment of unreasonable searches and seizures rests on a critical distinction between investigation of particular suspects and the stopping of dangers from unknown quarters.  There is a lot more information in the first case, so that a dragnet search makes no sense, which is why particularized evidence is required.  But general surveillance at unknown targets has to spread its net far wider.  It is both less intrusive and more comprehensive, and it can and does work. It was painfully clear from the pattern of events in Boston that the private surveillance cameras that were trained on the Boston Marathon provided indispensable information toward identifying and apprehending the Tsarnaev brothers.  What makes their use unreasonable, when there is not the slightest evidence that the information so acquired was used for improper purposes unrelated to the search?

It may be “worth discussing,” as Harper suggests, whether the use of surveillance will help deter some crimes and stop others.  But, if so, the only useful discussion is one that asks the means-ends question of how, in light of cost and privacy concerns, one can construct the best cost-effective surveillance system available, which can then be coordinated with the activities of police officers and volunteers on the ground, especially at any public event that presents a soft target.

But to dismiss these efforts on the unsupported speculation that “the possibility of apprehension seems not have occurred to the Tsarnaev brothers” can only be described as blinding error, especially in light of their frantic efforts to escape capture so they could strike again. Nor does it make the slightest sense to tie general surveillance policy to some dubious account of the psychological make-up of two individuals. It is far wiser to develop policies that improve the ability to track and identify dangerous suspects. Of course it is possible to construct a “surveillance architecture” that is so dense as to be useless. But once again, the sensible case for beefing up Boston’s public surveillance does not require that system designers leap from one indispensable extreme to another. The real question is how to identify the comprehensive policies that do make sense.

Harper is equally off target about the potential gains from racial or ethnic profiling.  No one accepts the extreme proposition that all terrorists come from the same ethnic stock or practice the same religion. But that observation offers absolutely no reason to ignore valuable information that could help tweak the design of surveillance systems of searches.  The question here is not whether sensible protocols and profiles can narrow the search down to one-fifth the world’s population, most of which does not live in Boston anyhow.  It is the question of whether one can winnow the list of potential suspects from 100 to 20 people, which, if done reliably, gives law enforcement a huge leg up in conducting its investigations.

In sum, Harper would have a stronger case if he had tried to comment constructively on serious proposals that are put forward.  But to take an ill-advised a priori position that does nothing to advance either the protection of human life and human property, both private and public, is inconsistent with any sound libertarian position.  Remember that libertarians like myself, and I hope Harper, regard the protection of both as the primary function of the state. Harper’s careless and imprecise invocation of the Fourth Amendment cannot conceal this fundamental truth.

Good, Market-Based Privacy Advocacy

Too much privacy advocacy is done by a self-appointed expert class who, believing their own preferences to be universal, beseech legislators and regulators to mold or even remake the information economy. I have nothing against self-appointed experts—I am one, and some of you have been falling for my schtick for a decade. But the hubris of claiming to know how things should come out? That’s too much.

So the Electronic Frontier Foundation’s “Who Has Your Back?” report is a real stand-out. Using a clear, six-star grid, they assess how well major Internet companies and ISPs do when it comes to key dimensions of privacy protection.

This puts you, the consumer, in a position to choose with whom you want to do business. As importantly, it puts business decision-makers on notice: If they don’t satisfy actual consumer demand for privacy, they are more likely than before to lose money.

If consumers care about privacy, they will act on what’s in this report—and specifically on the dimensions of privacy protection that matter to them. If they don’t, they won’t, because they prioritize other things, and businesses can do the same. It’s an elegant system—a market-based system—for discovering and delivering what consumers want.

The alternative is a foggy war (politics being war by other means) in which the “consumer advocate” and “industry” use every artifice to persuade various authorities whether or not, and how, to intervene. The actual desire of the consumer is an afterthought in this regulatory battle.

So, Who Has Your Back?

The report is worth checking out. You might learn that a provider you trust is not so trustworthy. You might learn of services that you should try because they are good actors. You might disagree with the methodology, and that’s fine, too. The responses of businesses and consumers to this report will be far more finely tuned to actual consumer demand for privacy than the gaudy privacy show that runs ‘round the clock these days in Washington, D.C., state capitols, and Brussels.

Congratulations and thanks to the Electronic Frontier Foundation for some good, market-based privacy advocacy!