Tag: Security

Sticking Around Afghanistan Forever?

I’ll confess one of the arguments that I’ve never understood is the claim that the U.S. “abandoned” Afghanistan after aiding the Mujahadeen in the latter’s battle against the Soviet Union.  Yet Secretary of Defense Robert Gates apparently is the latest proponent of this view.

Reports the Washington Post:

Defense Secretary Robert M. Gates said in an interview broadcast this week that the United States would not repeat the mistake of abandoning Afghanistan, vowing that “both Afghanistan and Pakistan can count on us for the long term.”

Just what does he believe we should have done?  Obviously, the Afghans didn’t want us to try to govern them.  Any attempt to impose a regime on them through Kabul would have met the same resistance that defeated the Soviets.  Backing a favored warlord or two would have just involved America in the ensuing conflict. 

Nor would carpet-bombing Afghanistan with dollar bills starting in 1989 after the Soviets withdrew have led to enlightened, liberal Western governance and social transformation.  Humanitarian aid sounds good, but as we’ve (re)discovered recently, building schools doesn’t get you far if there’s little or no security and kids are afraid to attend.  And a half century of foreign experience has demonstrated that recipients almost always take the money and do what they want – principally maintaining power by rewarding friends and punishing enemies.  The notion of the U.S. doing any better in tribal Afghanistan as its varied peoples shifted from resisting outsiders to fighting each other is a fantasy.

The best thing the U.S. government could do for the long term is get out of the way.  Washington has eliminated al-Qaeda as an effective transnational terrorist force.  The U.S. should leave nation-building to others, namely the Afghans and Pakistanis.  Only Afghanistan and Pakistan can confront the overwhelming challenges facing both nations.

Picture Don Draper Stamping on a Human Face, Forever

Last week, a coalition of 10 privacy and consumer groups sent letters to Congress advocating legislation to regulate behavioral tracking and advertising, a phrase that actually describes a broad range of practices used by online marketers to monitor and profile Web users for the purpose of delivering targeted ads. While several friends at the Tech Liberation Front have already weighed in on the proposal in broad terms – in a nutshell: they don’t like it – I think it’s worth taking a look at some of the specific concerns raised and remedies proposed. Some of the former strike me as being more serious than the TLF folks allow, but many of the latter seem conspicuously ill-tailored to their ends.

First, while it’s certainly true that there are privacy advocates who seem incapable of grasping that not all rational people place an equally high premium on anonymity, it strikes me as unduly dismissive to suggest, as Berin Szoka does, that it’s inherently elitist or condescending to question whether most users are making informed choices about their privacy. If you’re a reasonably tech-savvy reader, you probably know something about conventional browser cookies, how they can be used by advertisers to create a trail of your travels across the Internet, and how you can limit this.  But how much do you know about Flash cookies? Did you know about the old CSS hack I can use to infer the contents of your browser history even without tracking cookies? And that’s without getting really tricksy. If you knew all those things, congratulations, you’re an enormous geek too – but normal people don’t.  And indeed, polls suggest that people generally hold a variety of false beliefs about common online commercial privacy practices.  Proof, you might say, that people just don’t care that much about privacy or they’d be attending more scrupulously to Web privacy policies – except this turns out to impose a significant economic cost in itself.

The truth is, if we were dealing with a frictionless Coaseian market of fully-informed users, regulation would not be necessary, but it would not be especially harmful either, because users who currently allow themselves to be tracked would all gladly opt in. In the real world, though, behavioral economics suggests that defaults matter quite a lot: Making informed privacy choices can be costly, and while an opt-out regime will probably yield tracking of some who would prefer not to be under conditions of full information and frictionless choice, an opt-in regime will likely prevent tracking of folks who don’t object to tracking. And preventing that tracking also has real social costs, as Berin and Adam Thierer have taken pains to point out. In particular, it merits emphasis that behavioral advertising is regarded by many as providing a viable business model for online journalism, where contextual advertising tends not to work very well: There aren’t a lot of obvious products to tie in to an important investigative story about municipal corruption. Either way, though, the outcome is shaped by the default rule about the level of monitoring users are presumed to consent to. So which set of defaults ought we to prefer?

Here’s why I still come down mostly on Adam and Berin’s side, and against many of the regulatory remedies proposed. At the risk of stating the obvious, users start with de facto control of their data. Slightly less obvious: While users will tend to have heterogeneous privacy preferences – that’s why setting defaults either way is tricky – individual users will often have fairly homogeneous preferences across many different sites. Now, it seems to be an implicit premise of the argument for regulation that the friction involved in making lots of individual site-by-site choices about privacy will yield oversharing. But the same logic cuts in both directions: Transactional friction can block efficient departures from a high-privacy default as well. Even a default that optimally reflects the median user’s preferences or reasonable expectations is going to flub it for the outliers. If the variance in preferences is substantial, and if different defaults entail different levels of transactional friction, nailing the default is going to be less important than choosing the rule that keeps friction lowest. Given that most people do most of their Web surfing on a relatively small number of machines, this makes the browser a much more attractive locus of control. In terms of a practical effect on privacy, the coalition members would probably achieve more by persuading Firefox to set their browser to reject third-party cookies out of the box than from any legislation they’re likely to get – and indeed, it would probably have a more devastating effect on the behavioral ad market. Less bluntly, browsers could include a startup option that asks users whether they want to import an exclusion list maintained by their favorite force for good.

On the model proposed by the coalition, individuals have to make affirmative decisions about what data collection to permit for each Web site or ad network at least once every three months, and maybe each time they clear their cookies. If you think almost everyone would, if fully informed, opt out of such collection, this might make sense. But if you take the social benefits of behavioral targeting seriously, this scheme seems likely to block a lot of efficient sharing. Browser-based controls can still be a bit much for the novice user to grapple with, but programmers seem to be getting better and better at making it easier and more automatic for users to set privacy-protective defaults. If the problem with the unregulated market is supposed to be excessive transaction costs, it seems strange to lock in a model that keeps those costs high even as browser developers are finding ways to streamline that process. It’s also worth considering whether such rules wouldn’t have the perverse consequence of encouraging consolidation across behavioral trackers. The higher the bar is set for consent to monitoring, the more that consent effectively becomes a network good, which may encourage concentration of data in a small number of large trackers – not, presumably, the result privacy advocates are looking for. Finally – and for me this may be the dispositive point – it’s worth remembering that while American law is constrained by national borders, the Internet is not. And it seems to me that there’s a very real danger of giving the least savvy users a false sense of security – the government is on the job guarding my privacy! no need to bother learning about cookies! – when they may routinely and unwittingly be interacting with sites beyond the reach of domestic regulations.

There are similar practical difficulties with the proposal that users be granted a right of access to behavioral tracking data about them.  Here’s the dilemma: Any requirement that trackers make such data available to users is a potential security breach, which increases the chances of sensitive data falling into the wrong hands. I may trust a site or ad network to store this information for the purpose of serving me ads and providing me with free services, but I certainly don’t want anyone who sends them an e-mail with my IP address to have access to it. The obvious solution is for them to have procedures for verifying the identity of each tracked user – but this would appear to require that they store still more information about me in order to render tracking data personally identifiable and verifiable. A few ways of managing the difficulty spring to mind, but most defer rather than resolve the problem, and add further points of potential breach.

That doesn’t mean there’s no place for government or policy change here, but it’s not always the one the coalition endorses. Let’s look more closely at some of their specific concerns and see which, if any, are well-suited to policy remedies. Only one really has anything to do with behavioral advertising, and it’s easily the weakest of the bunch. The groups worry that targeted ads – for payday loans, sub-prime mortgages, or snake-oil remedies – could be used to “take advantage of vulnerable consumers.” It’s not clear that this is really a special problem with behavioral ads, however: Similar targeting could surely be accomplished by means of contextual ads, which are delivered via relevant sites, pages, or search terms rather than depending on the personal characteristics or browsing history of the viewer – yet the groups explicitly aver that no new regulation is appropriate for contextual advertising. In any event, since whatever problem exists here is a problem with ads, the appropriate remedy is to focus on deceptive or fraudulent ads, not the particular means of delivery. We already, quite properly, have rules covering dishonest advertising practices.

The same sort of reply works for some of the other concerns, which are all linked in some more specific way to the collection, dissemination, and non-advertising use of information about people and their Web browsing habits. The groups worry, for instance, about “redlining” – the restriction or denial of access to goods, services, loans, or jobs on the basis of traits linked to race, gender, sexual orientation, or some other suspect classification. But as Steve Jobs might say, we’ve got an app for that: It’s already illegal to turn down a loan application on the grounds that the applicant is African American. There’s no special exemption for the case where the applicant’s race was inferred from a Doubleclick profile. But this actually appears to be something of a redlining herring, so to speak: When you get down into the weeds, the actual proposal is to bar any use of data collected for “any credit, employment, insurance, or governmental purpose or for redlining.” This seems excessively broad; it should suffice to say that a targeter “cannot use or disclose information about an individual in a manner that is inconsistent with its published notice.”

Particular methods of tracking may also be covered by current law, and I find it unfortunate that the coalition letter lumps together so many different practices under the catch-all heading of “behavioral tracking.” Most behavioral tracking is either done directly by sites users interact with – as when Amazon uses records of my past purchases to recommend new products I might like – or by third party companies whose ads place browser cookies on user computers. Recently, though, some Internet Service Providers have drawn fire for proposals to use Deep Packet Inspection to provide information about their users’ behavior to advertising partners – proposals thus far scuppered by a combination of user backlash and congressional grumbling. There is at least a colorable argument to be made that this practice would already run afoul of the Electronic Communications Privacy Act, which places strict limits on the circumstances under which telecom providers may intercept or share information about the contents of user communications without explicit permission. ECPA is already seriously overdue for an update, and some clarification on this point would be welcome. If users do wish to consent to such monitoring, that should be their right, but it should not be by means of a blanket authorization in eight-point type on page 27 of a terms-of-service agreement.

Similarly welcome would be some clarification on the status of such behavioral profiles when the government comes calling. It’s an unfortunate legacy of some technologically atavistic Supreme Court rulings that we enjoy very little Fourth Amendment protection against government seizure of private records held by third parties – the dubious rationale being that we lose our “reasonable expectation of privacy” in information we’ve already disclosed to others outside a circle of intimates. While ECPA seeks to restore some protection of that data by statute, we’ve made it increasingly easy in recent years for the government to seek “business records” by administrative subpoena rather than court order. It should not be possible to circumvent ECPA’s protections by acquiring, for instance, records of keyword-sensitive ads served on a user’s Web-based e-mail.

All that said, some of the proposals offered up seem, while perhaps not urgent, less problematic. Requiring some prominent link to a plain-English description of how information is collected and used constitutes a minimal burden on trackers – responsible sites already maintain prominent links to privacy policies anyway – and serves the goal of empowering users to make more informed decisions. I’m also warily sympathetic to the idea of giving privacy policies more enforcement teeth – the wariness stemming from a fear of incentivizing frivolous litigation. Still, the status quo is that sites and ad networks profitably elicit information from users on the basis of stated privacy practices, but often aren’t directly liable to consumers if they flout those promises, unless the consumer can show that the breach of trust resulted in some kind of monetary loss.

Finally, a quick note about one element of the coalition recommendations that neither they nor their opponents seem to have discussed much – the insistence that there be no federal preemption of state privacy law. I assume what’s going on here is that the privacy advocates expect some states to be more protective of privacy than Congress or the FTC would be, and want to encourage that, while libertarians are more concerned with keeping the federal government from getting involved at all. But really, if there’s an issue that was made for federal preemption, this is it.  A country where vendors, advertisers, and consumers on a borderless Internet have to navigate 50 flavors of privacy rules to sell a banner ad or an iTunes track does not sound particularly conducive to privacy, commerce, or informed consumer choice.

Arizona to Feds: No “Enhanced” Drivers License

Last week, the governor of Arizona signed H.B. 2426, which bars the state from implementing the “enhanced” drivers license (EDL) program.

If the federal REAL ID revival bill (PASS ID) becomes law, it will give congressional approval to EDLs, which up to now have been simply a creation of the federal security and state driver licensing bureaucracies.

As governor of Arizona, the current Secretary of Homeland Security signed a memorandum of understanding with the DHS to implement EDLs, and she backs PASS ID even though she signed an anti-REAL ID bill as governor. As I said before, Secretary Napolitano seems to be taking the national ID tar baby in a loving embrace.

Bringing the States Back In

It’s an annoying, hackneyed trope of foreign policy types to say “if you want to understand X, you have to understand Y.”  That said, let me engage in a little bit of it.

What’s going on in Afghanistan, we’re supposed to believe, is about terrorism, failed states, economic development, counterinsurgency, counterterrorism, human rights, and some other stuff.  And to an extent, it is about each of those things.  But to my mind, if you want to get a handle on what’s driving events over there, and on its historical status as a plaything of regional and extraregional powers, you ought to read this article in today’s Wall Street Journal.

The themes that permeate the article are familiar: States as the primary actors in international politics, their uncertainty about other states’ intentions, the fundamental zero-sumness of security competition…somebody should cook up a theory or two on this stuff.

Eventually–although in fairness, God only knows when–we’re going to leave Afghanistan.  When that happens, India and Pakistan are still going to live in the neighborhood.  They’d each prefer to have lots of influence in Afghanistan, and to preclude the other from having too much.  Accordingly, they’re both trying to set up structures and relationships that would, in the ideal scenario, let them control Afghanistan.  In a less-than-ideal scenario, they’d like enough influence to undermine the other’s control of the country.  Until you grasp that nettle, you’re really just fumbling around in the dark.

Find a solution for that in your COIN manual.

“If You’re Not Having Fun Advocating for Freedom, You’re Doing it Wrong!”

The health care debate has catalyzed a wonderful national clash of cultures centering on freedom versus control. Here’s one example that’s both complex and delightful.

Progressive site TalkingPointsMemo ran a story yesterday about a man named “Chris” who carried a rifle outside an event in Phoenix at which President Obama appeared. “We will forcefully resist people imposing their will on us through the strength of the majority with a vote,” Chris said.

To many TPM readers, this kind of thing is self-evidently shocking and wrong: Carrying a weapon is inherently threatening, Second Amendment notwithstanding. And vowing to resist the properly expressed will of the majority—isn’t that an outrageous denial of our democratic values?

Well, … No. Our constitution specifically denies force to democratic outcomes that impinge on freedom of speech and religion, on bearing arms, and on the security of our persons, houses, papers, and effects, to name a few. Our constitution also tightly circumscribed the powers of the federal government. Those restrictions were breached without abiding the supermajority requirements of Article V, alas.

There are many nuances in this clash of cultures, and it’s fascinating to watch the battle for credibility. One ugly issue is preempted rather handily by the fact that Chris is African-American.

Next question, taken up by CNN: Was the interview staged? Hell, yeah! says Chris’ interviewer. And they know each other—big deal.

Finally, they were laughing and having a good time. Isn’t this serious? Yes, it is serious, says Chris’ interviewer, but “If you’re not having fun advocating for freedom, you’re doing it wrong!”

It’s a great line—friendly, in-your-face advocacy that might just succeed in familiarizing more Americans with the idea of living as truly free people.

Today Talking Points Memo is charging that the man who interviewed Chris was a prominent defender of a militia group in the 90s, some members of which were convicted of crimes. I know nothing of the truth or falsity of this charge, and I had never heard of the militia group, the interviewer, or his organization before today.

This struggle over credibility is all part of the battle between freedom and control that is playing itself out right now. It’s an exciting time, and a chance for many more Americans to learn about liberty and the people who live it.


Tell Me How This Ends

Yesterday, President Obama defended his new approach to the war in Afghanistan. According to the president, our strategy is to disrupt, dismantle, and defeat al Qaeda and its extremist allies. In order to accomplish this goal, Obama’s strategy indicates we must create a functioning national state there.


Beltway orthodoxy tells us it’s because extremists will emerge in ungoverned parts of the world and attack the United States. As my colleagues Justin Logan and Chris Preble point out here, there’s reason to doubt whether state failure or poor governance in itself poses a threat.

But responsible leaders would be upfront about the expected costs of our policy: to transform what is a deeply divided, poverty stricken, tribal-based society into a self-sufficient, non-corrupt, stable democracy would require a multi-decade commitment—and even then there’d be no assurance of success.

Why Afghanistan’s form of governance directly implicates America’s security, or why it demands the deployment of tens of thousands of U.S. troops to police it are questions rarely asked let alone addressed.

Fun With DHS Press Releases!

Let’s fisk a DHS press release! It’s the “Statement by DHS Press Secretary Sara Kuban on Markup of the Pass ID Bill by the Senate Homeland Security and Government Affairs Committee.” Here goes:

On the same day that Secretary Napolitano highlighted the Department’s efforts to combat terrorism and keep our country safe during a speech in New York City,

This part is true: Secretary Napolitano was in New York speaking about terrorism.

Congress took a major step forward on the PASS ID secure identification legislation.

There was a markup of PASS ID in the Homeland Security and Governmental Affairs Committee. It’s a step – not sure how major.

PASS ID is critical national security legislation

People who have studied identity-based security know that knowing people’s identities doesn’t secure against serious threats, so this is exaggeration.

that will break a long-standing stalemate with state governments

Thirteen states have barred themselves by law from implementing REAL ID, the national ID law. DHS hopes that changing the name and offering them money will change their minds.

that has prevented the implementation of a critical 9/11 recommendation to establish national standards for driver’s licenses.

The 9/11 Commission devoted three-quarters of a page to identity security – out of 400+ substantive pages. That’s more of a throwaway recommendation or afterthought. False identification wasn’t a modus operandi in the 9/11 attacks, and the 9/11 Commission didn’t explain how identity would defeat future attacks. (Also, using “critical” twice in the same sentence is a stylistic no-no.)

As the 9/11 Commission report noted, fraudulent identification documents are dangerous weapons for terrorists,

No, it said “travel documents are as important as weapons.” It was talking about passports and visas, not drivers’ licenses. Oh – and it was exaggerating.

but progress has stalled towards securing identification documents under the top-down, proscriptive approach of the REAL ID Act

True, rather than following top-down prescription, states have set their own policies to increase driver’s license security. It’s not necessarily needed, but if they want to they can, and they don’t need federal conscription of their DMVs to do it.

– an approach that has led thirteen states to enact legislation prohibiting compliance with the Act.

“… which is why we’re trying to get it passed again with a different name!”

Rather than a continuing stalemate with the states,

Non-compliant states stared Secretary Chertoff down when he threatened to disrupt their residents’ air travel, and they can do the same to Secretary Napolitano.

PASS ID provides crucial security gains now by establishing common security standards for driver’s licenses

Weak security gains, possibly in five years. In computer science – to which identification and credentialing is akin – monoculture is regarded as a source of vulnerability.

and a path forward for ensuring that states can electronically verify source documents, including birth certificates.

We’re on the way to that cradle-to-grave biometric tracking system that will give government so much power over every single citizen and resident.

See? That was fun!