Topic: Telecom, Internet & Information Policy

North Carolina: REAL ID Implementation on Hold

North Carolina is not one of the states that has joined the REAL ID Rebellion. By all accounts, it was plodding along, getting ready to implement the federal government’s national ID mandate.

But now comes news that the changes North Carolina had planned are on hold. “ ‘The Real ID Act is pretty much at a standstill nationwide,’ said Marge Howell, a spokeswoman for the Division of Motor Vehicles,” according to one report:

As a means of complying with the federal Real ID Act, the state DMV had planned on implementing a requirement that people who apply for a new or renewed driver’s license start producing documentation showing the motorist’s proof of identity and legal address beginning Dec. 1. That has now been delayed.

Another change, set to begin on July 1, requires the DMV to mail a motorist’s license to a residential address instead of instantly issuing a license. Howell said that program won’t go into effect statewide at the beginning of July. Instead, the DMV plans to phase that program in.

Even the compliant states are getting the message that REAL ID is a non-starter.

I recently queried whether one of the largest companies producing driver’s licenses would continue to agitate for the national ID law or embrace a diverse, competitive identification and credentialing marketplace.

ID Checks are About Control, Not Security

If there was ever any doubt that ID checks at airports are about control and not security, the Transportation Security Administration is clearing that up. Starting June 21, it says, “passengers that willfully refuse to provide identification at security checkpoint [sic] will be denied access to the secure area of airports.”

The claim is that this initiative is “the latest in a series designed to facilitate travel for legitimate passengers while enhancing the agency’s risk-based focus - on people, not things.” So let’s take a moment to look at how refusing airport access to the willful enhances security.

… OK! We’re done!

No terrorist or criminal would draw attention to him or herself by obstinately refusing an ID check. This is only done by the small coterie of civil libertarians and security experts who can’t stand the security pantomime that is airport identification checking. The rest of the people traveling without ID have lost theirs - and TSA officials at airports have no way of knowing which is which.

This new rule will do nothing to improve airport security, but watch for the incident when a TSA agent “doesn’t believe” someone who has truly lost his or her driver’s license and tries to strand a traveler in a faraway city.

Swire on Cybercrime Underenforcement

Peter Swire of the Center for American Progress has a paper out called “No Cop on the Beat: Underenforcement in E-Commerce and Cybercrime.” He identifies how local law enforcement lacks the ability and incentive to address various wrongs done on the Internet because of their complexity and their multi-jurisdictional nature.

Swire has identified a real problem. Just like everyone else, law enforcement struggles to keep up in the changing online environment. And it’s true that local law enforcement lacks incentive to expend efforts going after a distant cybercrime ring for the benefit of one local complainant and thousands of strangers.

(He calls this a “commons problem” and I understand how he means it to illustrate that law enforcement personnel and organizations are economic actors. Crime victims are a sort of public good to those organizations and they can’t enjoy the benefits of caring for most of those who would benefit from their work. I think this fits more neatly in the public choice box: local law enforcement in one jurisdiction doesn’t get any benefit — budgetary, political, or otherwise — from helping strangers, so they’re less inclined to do so.)

Swire’s conclusion is that there should be more federal law enforcement — such as by the Federal Trade Commission and the the Justice Department — or “federated” law enforcement, combining state and federal authorities: “A more federated approach recognizes the usefulness of enforcement task forces that draw on multiple jurisdictions. Federal‐state task forces, for instance, have been used widely for drug prosecutions and, more recently, in fighting terrorism.”

While these are logical conclusions, I would be reluctant to call for greater federal law enforcement. There isn’t authority for it in the Constitution, and the uses of “federated” law enforcement he identifies — in the “War on Drugs” and the “War on Terror“ — have not been shining examples we ought to follow.

I suspect that Swire would class this as an objection he calls “We Don’t Want Enforcement,” of which he identifies two strains. One is the extent to which some of these “harms” are worthy of enforcement. This is a strong objection, not so much to Swire’s thesis, but to a second one that’s implicit. Swire is not just calling for federal or federated law enforcement aimed at protecting the public from violations of their rights (which manifest themselves as legally cognizable “harms”); he’s classing all kinds of mischief as “harms” to dramatically broaden the sweep of the federal law enforcement task.

Consider this strange circumlocution: “The focus here is on online fraud, malicious software, and other harms that are carried out through the Internet.” In the world of natural language “harms” are “caused,” not “carried out.” Malicious software is “distributed” or “propagated,” not “carried out.” Fraud and malicious software often cause harm, but sometimes do not.

Classing malicious software as a “harm” would make it actionable in the abstract, such as through prescriptive software regulation. If this is what he’s talking about, Swire should surface it and talk about it rather than wedging bad behavior with potential harmful results into the term “harm.” (He’s not alone — see this post and the resulting comments discussing whether increased exposure to risk is a “harm.”)

A second strain of the “We Don’t Want Enforcement” objection is a melange of privacy concerns that Swire would address with due process and privacy rules.

A third strain (with some relation to the privacy concern) emerges from the “commons”/public choice dynamic that Swire identified so astutely as part of the cause of the problem. Bureaucracies and their members are economic actors, and a greater federal law enforcement regime would naturally begin to seek greater powers from the moment it came into existence. This is very much at play in the “wars” on drugs and terror, where federal law enforcement agencies seek much more to promote their institutional interests in growth than the safety, freedom, and prosperity of the people. “We Don’t Want Federal Bureaucracies Doing Law Enforcement” is a much stronger objection than Swire recognizes.

My main concern, though, sounds in moral hazard. Should a federal law enforcement apparatus emerge too early, or occupy fields where it is not absolutely essential, people and organizations that should be responsible for their own security will shunt that responsibility off to the government. Supine and seemingly incompetent, they will fall victim to many crimes and harms that they would otherwise have defended themselves against.

I often analogize the development of security in the online environment to security in the offline environment. Imagine if you were building streets, houses, and buildings from scratch, never having seen such things before. It would take some time to recognize the value of doors, windows, and walls in preventing crime. When you’ve got that window in place, you also need to close the latch, etc.

An alternative to all this distributed learning is to post law enforcement on every corner of every street, or in front of every house. But having a cop on every corner is expensive and hard to administer. There’s risk of corruption, and laziness, and so on. The best security is provided by the most interested actors, and I’d be loathe to have federal law enforcement communicate that there is anyone more responsible than software companies, online service providers, payment systems, and individuals for securing the online environment.

There is some role for the federal government in preventing and detecting multi-jurisdictional and international crimes. I wouldn’t rush to embrace it, or to class a broad array of behaviors as “harms” so that the federal law enforcement role mushrooms into an ineffective and costly “War on Cybercrime.”

Fusion Centers in Search of a Problem

Via Secrecy News: “There is, more often than not, insufficient purely ‘terrorist’ activity to support a multi-jurisdictional and multi-governmental level fusion center that exclusively processes terrorist activity.” This is from a Naval Postgraduate School master’s thesis entitled: “An Examination of State and Local Fusion Centers and Data Collection Methods.”

Though they arose to counter the terrorism threat, “fusion centers” will seek out other things to do. Programs like these are born of slogans - “connect the dots” - “information sharing” - rather than sound security thinking. In a TechKnowledge piece last year titled, “Fusion Centers: Leave ‘Em to the States,” I juxtaposed the active fusion center in Massachusetts with the hair-on-fire overreaction of the Boston Police to a guerrilla marketing campaign featuring stylized Lite-Brites.

Just Say No to Legislation by Treaty

I’ve written before about the growing problem of trade agreements being hijacked for the benefits of domestic special interest groups, especially the copyright lobby. Free trade is about making it easier for goods to flow across borders. In recent years, we’ve seen an increasing abuse of trade negotiators’ authority, as they’ve inserted provisions into trade agreements requiring the parties to enact extremely specific changes to their domestic copyright laws.

Copyright scholar William Patry raises the alarm about another attempt by the United States Trade Representative to skirt the domestic legislative process with a treaty called the Anti-Counterfeiting Trade Agreement. The details are secret, but it appears that the agreement will cover much more than trade and counterfeiting issues. Patry explains why we should be concerned:

USTR is in the driver’s seat in initiating and negotiating agreements that are cast as trade agreements, but which are in fact agreements fundamentally reshaping substantive IP law. No trade official in any country, no matter how well intentioned, should have that authority. In the U.S., the power to make copyright policy vests exclusively in the Congress. We do not want our trade representatives to negotiate on their own agreements that require changes in domestic copyright laws and then present the agreement after signature to the legislature as a fait d’accompli.

Use of the fait d’accompli is not limited to trade representatives, and is seen in other executive branch agencies. The DMCA is an example of an attempted fait d’accompli. Much to the chagrin of its proponents, the DMCA ended up being only passed after considerable hearings and congressional involvement, in large part due to the fact that the Administration, in that instance through the PTO, did not get everything it wanted from other countries in the 1996 WIPO treaties, and hence couldn’t completely rely on the fait d’accompli argument. Had it been able to do so the story would have been different, and that is what the ACTA process is intended to achieve, a result that legislatures will have to accept, unless they are willing to permit the country to be in conflict with an important trade agreement.

I couldn’t agree more. The issue here is not that the particular copyright provisions are bad policy, although I suspect they are. The issue is that the Constitution vests Congress, not the executive branch, with authority to make laws. Congress should jealously guard that authority. At a minimum, it should demand public disclosure of the terms of the treaty well before it’s signed, so that there’s time for Congressional hearings and democratic debate about its provisions. And Congress should send a clear signal that it won’t ratify a treaty that’s negotiated in secret and sprung on the Congress at the last minute. Mike Masnick is absolutely right that this issue should be getting a lot more attention from American media.

Freedom Is Diversity …

… in the communications world.

This recent TechKnowledge article by James Plummer makes the case for more freedom in the use of the radio spectrum. This will bring more voices to the media marketplace, fostering competition and diversity in ideas and culture.

“Low-Power FM: Freedom is Diversity” concludes: “The FCC and Congress are both poised to further open up the FM spectrum. Both should ignore the pleadings of special interests on all sides as they do so. “

Privacy Legislation vs. Google’s Homepage

Google stands accused of violating the California Online Privacy Protection Act of 2003, which requires Web sites and online services to “conspicuously post” their privacy policies.

It’s obvious to some that this requires Google to have a link on its homepage to its privacy policy, but the law says that online service providers can use “any other reasonably accessible means of making the privacy policy available for consumers of the online service.” In the case of Google, one might consider … a search?

But I think this little episode has a deeper lesson. It reveals the thoroughgoing incapacity of lawmakers and advocates to be social engineers. Linking to privacy policies on home pages was an experiment that failed long ago. People don’t read them. People who are interested in reading them can find them so long as they’re placed sensibly somewhere on a Web site.

In their voluntary transactions, if people want privacy, they’re gonna seek it (and, though it’s tough, often get it); if they’re indifferent, they’re not. Mandated privacy notices – especially the placement of them – are a sideshow.