Topic: Telecom, Internet & Information Policy

NSA Spying on a Gazillion Americans

Today’s widespread outrage over reports that the National Security Agency is conducting widespread, untargeted, domestic surveillance on millions of Americans reminds me of this post from July 2012, in which Sen. Rand Paul reported on a private briefing he’d received. He couldn’t reveal what he’d learned, but he was able to report that the number of Americans subject to surveillance was closer to “a gazillion” than to zero. Now we have a bit more information. As I wrote then:

Sen. Rand Paul (R-KY) gave a great speech on surveillance last week at FreedomFest. Actually, he gave two good speeches, but the one embedded below is his short 6-minute talk at the Saturday night banquet. He talks about our slide toward state intrusion into our phone calls, our emails, our reading habits and so on. You know how big the surveillance state has gotten? The answer is “a gazillion.” Watch the speech—complete with high-falutin’ references to Fahrenheit 451 and the martyr Hugh Latimer!

U.S. Trade Agency Bans iPhones

Well, some of them anyway. The U.S. International Trade Commission has found that Apple infringed one of Samsung’s patents related to 3G technology and issued an injunction against the importation and sale of the iPhone 3GS, iPhone 4, iPad 3G, and iPad 2 3G. These are not the latest models, but neither are they obsolete. (For a very helpful and thorough explanation of the issues in the case, check out Florian Mueller’s FOSS Patents blog.)

The outcome in this case offers an excellent example of why having a redundant patent litigation venue at the ITC with slightly different laws and procedures is bad public policy. If this patent had been litigated in federal district court, where the vast majority of patent litigation takes place, the judge would have refused to issue an injunction as contrary to the public interest—even if Apple egregiously and remorselessly infringed Samsung’s patent.

The patent at issue in the ITC investigation is what’s known as a standard-essential patent. This is a term for technology that’s so ubiquitous as to be necessary for interoperability within the industry (like 3G) and that the patent owner has agreed to license to anyone who makes a reasonable royalty offer (thus promoting it to become the industry standard). It is highly unlikely that a federal district court would issue an injunction against any product based on infringement of such a patent, because doing so would be excessively disruptive and unfair. In fact, the Justice Department and other antitrust agencies have argued that merely seeking an injunction based on one of these patents might violate antitrust law.

None of this matters at the ITC, where injunctive relief is the only remedy available. In 2006, the U.S. Supreme Court held that courts should award only monetary damages in patent cases unless there are special circumstances necessitating an injunction and doing so would not harm the public interest. The purpose and consequence of the Supreme Court’s decision was to prevent patent trolls from using small patents to get large settlements. But monetary damages are unavailable at the ITC, and the agency decided the Supreme Court’s ruling didn’t apply to them.

In the Apple-Samsung case, Apple claimed that Samsung’s request for royalties of 2.4 percent was unreasonably high. If the patent is worth less than 2.4 percent of the product’s value, an injunction against selling the entire phone is excessive. This is especially true when the technology is virtually impossible to design around. Rather than simply deciding who pays what to whom in a dispute that is mostly about licensing fees, a sales ban deprives consumers of choice in the market.

The good news is that efforts are underway in Washington to fix the problem of excessive remedies at the ITC. The White House released a proposal for patent reform this week that included a call “to enhance consistency in the standards applied at the ITC and district courts.” Specifically, they want the ITC to use the same public interest test that courts use before issuing an injunction (Rep. Devin Nunes made a very similar proposal last year). This is a good plan. It would likely have prevented the new iPhone ban and will do a lot to make the ITC less attractive to patent trolls.

Fixing problems at the ITC by making it more like district court litigation, however, shows very clearly how redundant and unnecessary it is to have two venues for patent litigation. Why should we have the ITC hearing patent cases in the first place? There is no satisfactory answer to that question. As I argued in a Policy Analysis last year, the ITC’s power to investigate and exclude imports for patent infringement not only disrupts the proper functioning of the U.S. patent system, it also violates international trade rules. We could save ourselves a lot of trouble down the line by shutting the whole thing down.

Your Congress, Your NSA Spying

The National Security Agency is collecting records of every domestic and cross-border Verizon phone call between now and July 19th. The secret court order requiring Verizon to hand over these records has been leaked to the Guardian.

You may find that outrageous. 1984 has arrived. Big Brother is watching you.

But the author of this story is not George Orwell. It’s Representative Lamar Smith of Texas, Senator Dianne Feinstein of California, and you.

Here’s what I mean: In June of last year, Representative Smith (R) introduced H.R. 5949, the FISA Amendments Act Reauthorization Act of 2012. Its purpose was to extend the FISA Amendments Act of 2008 for five years, continuing the government’s authority to collect data like this under secret court orders. The House Judiciary Committee reported the bill to the full House a few days later. The House Intelligence Committee, having joint jurisdiction over the bill, reported it at the beginning of August. And in mid-September, the House passed the bill by a vote of 301 to 118.

Sent to the Senate, the bill languished until very late in the year. But with the government’s secret wiretapping authority set to expire, the Senate took up the bill on December 27th. Whether by plan or coincidence, the Senate debated secret surveillance of Americans’ communications during the lazy, distracted period between Christmas and the new year.

Senator Dianne Feinstein (D) was the bill’s chief defender on the Senate floor. She parried arguments doggedly advanced by Senator Ron Wyden (D-OR) that the surveillance law lacks sufficient oversight. My colleague Julian Sanchez showed ably at the time that modest amendments proposed by Wyden and others would improve oversight and in no way compromise security. But false urgency created by the Senate’s schedule won the day, and on December 28th of last year, the Senate passed the bill, sending it to the president, who signed it on December 30th.

The news that every Verizon call is going to the NSA not only vindicates Senator Wyden’s argument that oversight in this area is lacking. It reveals the upshot of that failed oversight: The secret FISA court has been issuing general warrants for communications surveillance.

That is contrary to the Fourth Amendment to the Constitution, which requires warrants to issue “particularly describing the place to be searched, and the persons or things to be seized.” When a court requires “all call detail records” to be handed over “on an ongoing daily basis,” this is in no sense particular. Data about millions of our phone calls are now housed at the NSA. Data about calls you make and receive today will be housed at the NSA.

The reason given for secret mass surveillance of all our phone calls, according to an unofficial comment from the Obama administration, is that it is a “critical tool” against terrorism. These arguments should be put to public proof. For too long, government officials have waved off the rule of law and privacy using “terrorism” as their shibboleth. This time, show us exactly how gathering data about every domestic call on one of the largest telecommunications networks roots out the tiny number of stray-dog terrorists in the country. If the argument is based on data mining, it has a lot to overcome, including my 2008 paper with IBM data mining expert Jeff Jonas, “Effective Counterterrorism and the Limited Role of Predictive Data Mining.”

The ultimate author of the American surveillance state is you. If you’re like most Americans, you allowed yourself to remain mostly ignorant of the late-December debate over FISA reauthorization. You may not have finished digesting your Christmas ham until May, when it was revealed that IRS agents had targeted groups applying for tax exempt status for closer scrutiny based on their names or political themes.

The veneer of beneficent government is off. The National Security Agency is collecting records of your phone calls. The votes in Congress that allowed this to happen are linked above in this post. What are you going to do about it?

How Identification Is Overused and Misunderstood

Justice Anthony Kennedy seems to be carving out his place as the Supreme Court justice who doesn’t “get” identity. Maryland v. King was the case issued today that shows that.

His opener was the 2004 decision in Hiibel v. Sixth Judicial District Court of Nevada, which ratified laws requiring people to disclose their names to police officers on request.

In that case, Deputy Lee Dove of the Humboldt County (NV) Sheriff’s Department had received a report that a man had slugged a woman. He didn’t know the names of the alleged perpetrator or the victim, but Dove found Larry Hiibel standing next to his truck at the side of the road talking to his seventeen-year-old daughter seated inside. Dove didn’t check to see if they were having a dispute, or if anyone had hit anyone. He just started demanding Hiibel’s ID.

“Knowledge of identity may inform an officer that a suspect is wanted for another offense, or has a record of violence or mental disorder,” Justice Kennedy wrote, approving Hiibel’s arrest for refusing to show his papers:

On the other hand, knowing identity may help clear a suspect and allow the police to concentrate their efforts elsewhere. Identity may prove particularly important in [certain cases, such as] where the police are investigating what appears to be a domestic assault. Officers called to investigate domestic disputes need to know whom they are dealing with in order to assess the situation, the threat to their own safety, and possible danger to the potential victim.

Even if he had gotten Larry Hiibel’s ID, that wouldn’t have told Dove any of these things. Dove would have had to stop his battery investigation to investigate Hiibel’s background, which he didn’t do until after he had arrested Hiibel–and after his partner had thrown Hiibel’s distraught daughter to the ground. (There’s your battery.)

In Maryland v. King, Justice Kennedy did it again. He wrote the decision approving DNA identification of arrestees. Like demanding Hiibel’s ID, which had no relation to investigating battery, Maryland’s practice of collecting DNA has no relation to investigating or proving the crime for which King was arrested, and it does nothing to administer his confinement. This Justice Scalia made clear in a scathing dissent.

The Court alludes at several points to the fact that King was an arrestee, and arrestees may be validly searched incident to their arrest. But the Court does not really rest on this principle, and for good reason: The objects of a search incident to arrest must be either (1) weapons or evidence that might easily be destroyed, or (2) evidence relevant to the crime of arrest. Neither is the object of the search at issue here. (citations omitted)

Justice Kennedy appears to think there are certain behaviors around detention and arrest that law enforcement is allowed without regard to the detention or arrest. Here, he has sanctioned the gathering of DNA from arrested people, supposedly presumed innocent until proven guilty, to investigate the possibility of their connection to other, unknown crimes. His logic would allow searching the cell phone of a person arrested for public drunkenness to see if they have participated in an extortion plot.

There is plenty of time to run DNA identification data past cold case files after conviction, and all parties agree that’s what would have happened in King’s case. Given that, the Supreme Court has upheld DNA-based investigation of innocent people for their connections to cold cases because they happen to have been arrested. That’s the strange result of Maryland v. King.

We Need an Independent Review of Government Spying on Reporters

Declaring that “journalists should not be at legal risk for doing their jobs,” President Obama announced Thursday that he had directed Attorney General Eric Holder to review the Justice Department’s guidelines for spying on reporters in the course of leak investigations.

That would be more reassuring if Holder himself hadn’t signed off on a search warrant for the e-mail correspondence of Fox News reporter James Rosen. The warrant application dubbed Rosen a “co-conspirator” in a violation of the Espionage Act, on the disturbing theory that asking a source to disclose classified information—as national security reporters necessarily do routinely—is itself a crime, even if publication of the same material is constitutionally protected. In other words, the president is asking the fox to investigate mysterious disappearances in the henhouse.

If reporters were looking to take comfort in the press shield bill the President asked Congress to revive in response to the Justice Department’s seizure of Associated Press phone records, they shouldn’t. Because the bill’s protections include a national security exception—and national security leak investigations are precisely when the government is most likely to spy on journalists—it seems unlikely to have made much difference in either the AP or Rosen cases. Indeed, as the Freedom of the Press Foundation points out, it could even make it easier for the government to obtain press records by overriding the common law safeguards some courts have recognized.

If the president really wants to demonstrate his concern for the potential of government spying to chill vital investigative reporting, he needs to take a very different approach, centered on greater transparency and a truly independent audit of Justice Department policy.

Transparency can begin with letting the public know exactly what the guidelines for investigating the press are—and how the Justice Department interprets them. As the FBI’s operational guidelines make clear, the rules requiring the press to be notified when their phone records are obtained only apply to subpoenas—not other secretive tools, such as National Security Letters, which can be issued without court approval. But the rules governing NSL demands for media records remain secret.

The Justice Department should also release any internal memos interpreting the rules governing press investigations. We know, for example, that there exists an informal 2009 opinion in which Justice Department lawyers analyzed how the rules would apply to sweeping demands—such as so-called “community of interest” requests—that can vacuum up a reporter’s records (among many others) even if the reporter is not specifically named as a target. Only brief excerpts of that opinion have been disclosed, thanks to a 2010 Inspector General report, and there is no way of knowing how many others remain secret.

Finally, we need an independent review—conducted by the Office of the Inspector General, not Attorney General Holder—to determine just how much surveillance of reporters has already occurred. It seems clear that the Justice Department does not think the current rules always require the press to be informed when they’ve been spied on: DOJ lawyers convinced a judge that the government never had to notify Rosen they’d read his e-mails. And because demands for electronic records can be quite broad, it would be all too easy for the government to end up with sensitive information about journalistic investigations even when no reporter was explicitly targeted.

When Congress and the public know what the rules really are, and how they have been applied in practice, we can begin a serious conversation about what reforms are needed to protect press freedom. Asking Eric Holder to investigate Eric Holder, on the other hand, is unlikely to protect much of anything—except, perhaps, Eric Holder.

Cato’s “Deepbills” Project Advances Government Transparency

It’s not the culmination–that will come soon–but a major step in our work to improve government transparency has been achieved. I’ll be announcing and extolling it Wednesday at the House Administration Committee’s Legislative Data and Transparency conference. Here’s a quick survey of what we’ve been doing and the results we see on the near horizon.

After President Obama’s election in 2008, we recognized transparency as a bipartisan and pan-ideological goal at an event entitled: “Just Give Us the Data.” Widespread agreement and cooperation on transparency has held. But by the mid-point of the president’s first term, the deep-running change most people expected was not materializing, and it still has not. So I began working more assiduously on what transparency is and what delivers it.

In “Publication Practices for Transparent Government” (Sept. 2011), I articulated ways the government should deliver information so that it can be absorbed by the public through the intermediary of web sites, apps, information services, and so on. We graded the quality of government data publication in the aptly named November 2012 paper: “Grading the Government’s Data Publication Practices.”

But there’s no sense in sitting around waiting for things to improve. Given the incentives, transparency is something that we will have to force on government. We won’t receive it like a gift.

So with software we acquired and modified for the purpose, we’ve been adding data to the bills in Congress, making it possible to learn automatically more of what they do. The bills published by the Government Printing Office have data about who introduced them and the committees to which they were referred. We are adding data that reflects:

- What agencies and bureaus the bills in Congress affect;

- What laws the bills in Congress affect: by popular name, U.S. Code section, Statutes at Large citation, and more;

- What budget authorities bills include, the amount of this proposed spending, its purpose, and the fiscal year(s).

We are capturing proposed new bureaus and programs, proposed new sections of existing law, and other subtleties in legislation. Our “Deepbills” project is documented at cato.org/resources/data.

This data can tell a more complete story of what is happening in Congress. Given the right Web site, app, or information service, you will be able to tell who proposed to spend your taxpayer dollars and in what amounts. You’ll be able to tell how your member of Congress and senators voted on each one. You might even find out about votes you care about before they happen!

Having introduced ourselves to the community in March, we’re beginning to help disseminate legislative information and data on Wikipedia.

The uses of the data are limited only by the imagination of the people building things with it. The data will make it easier to draw links between campaign contributions and legislative activity, for example. People will be able to automatically monitor ALL the bills that affect laws or agencies they are interested in. The behavior of legislators will be more clear to more people. Knowing what happens in Washington will be less the province of an exclusive club of lobbyists and congressional staff.

In no sense will this work make the government entirely transparent, but by adding data sets to what’s available about government deliberations, management and results, we’re multiplying the stories that the data can tell and beginning to lift the fog that allows Washington, D.C. to work the way it does–or, more accurately, to fail the way it does.

At this point, data curator Molly Bohmer and Cato interns Michelle Newby and Ryan Mosely have marked up 75% of the bills introduced in Congress so far. As we fine-tune our processes, we expect essentially to stay current with Congress, making timely public oversight of government easier.

This is not the culmination of the work. We now require people to build things with the data–the Web sites, apps, and information services that can deliver transparency to your door. I’ll be promoting our work at Wednesday’s conference and in various forums over the coming weeks and months. Watch for government transparency to improve when coders get a hold of the data and build the tools and toys that deliver this information to the public in accessible ways.

I Hate to Say “I Told You So” II (Web Wiretap Edition)

I wrote recently in Wired about the many problems with an FBI proposal to require Internet providers to render their services more wiretap-friendly. Perhaps chief among these is the deleterious effect such a mandate would have on cybersecurity.

This is so, first, because it would tend to push companies away from design choices that make a system more resilient or secure but harder to intercept. If you risk massive fines when you can’t cough up user communications, that’s a powerful incentive to prefer server-side over end-to-end encryption, centralized routing over peer-to-peer, and closed over open standards and source code. Second, as 20 renowned computer scientists and security experts also pointed out in a letter released last Friday [PDF], the surveillance interface companies create to comply with orders can itself become an attractive “attack surface” subject to exploitation. The primary concern there, of course, is that lawful intercept code can be hijacked by a third party to enable their own surveillance—but it can also be a source of information about government investigations for hackers in the service of foreign powers.

Lo and behold, The Washington Post reports today that a successful 2010 hack against Google, believed to have originated in China, also compromised a sensitive database of information on accounts that had been flagged for national security surveillance. That’s a boon to any foreign government looking to discover which agents have had their covers blown and which remain undetected—and something worth throwing considerable hacking resources at. It’s not clear whether the attackers were also able to use any internal law enforcement interface to assist them in targeting the accounts of Chinese dissidents, which is the part of the attack that had been previously reported.

Defenders of the FBI proposal tend to pooh-pooh security concerns raised about requiring such backdoors: Our brilliant American programmers, they assert, will find ways to enable wiretapping without creating new vulnerabilities. But if a company like Google, with its massive financial resources and a stable of some of the smartest coders anywhere, can be victimized in this way, how realistic is it to expect thousands of Internet startups to achieve better security?