by Andrea O’Sullivan & Adam Thierer

This essay originally appeared on The Bridge on September 25, 2019.

It is quickly becoming one of the iron laws of technology policy that by attempting to address one problem (like privacy, security, safety, or competition), policymakers often open up a different problem on another front. Trying to regulate to protect online safety, for example, might give rise to privacy concerns, or vice versa. Or taking steps to address online privacy through new regulations might create barriers to new entry, thus hurting online competition.

In a sense, this is simply a restatement of the law of unintended consequences. But it seems to be occurring with greater regularity in the technology policy today, and it serves as another good reminder why humility is essential when considering new regulations for fast-moving sectors.

Consider a few examples.

Privacy vs security & competition 

Many US states and the federal government are considering data privacy regulations in the vein of the European Union’s wide-reaching General Data Privacy Regulation (GDPR). But as early experiences with the GDPR and various state efforts can attest, regulations aimed at boosting consumer privacy can often butt against other security and competition concerns.

Consider how the GDPR can be abused to undermine user security—and ultimately (and ironically) privacy itself. At this year’s Black Hat computer security conference, one researcher recently explained how the GDPR’s “right of access” provision—which mandates that companies give users their personal data—can be exploited by malicious actors to steal personally identifiable information. If a hacker is convincing enough, he or she can use “social engineering” to pose as the target and coax companies to divulge the information. Without GDPR’s mandated reporting infrastructure, such an attack would be much harder.

Nor are malicious actors even necessary for the GDPR to undermine security. In 2018, a customer requested their Alexa voice recordings from Amazon. The company sent the data to the wrong person in an apparent case of human error. If mighty Amazon cannot rise to the challenge of error-free GDPR compliance, what hope do smaller outfits have?

Perhaps the biggest story about the GDPR, however, has been its malign effects on competition. After all, the law earned its nickname—the “Google Data Protection Regulation”—for a reason. Titans like Google and Facebook have dominated European ad tech market since the advent of the GDPR because they can shoulder compliance risks in a way that smaller vendors cannot. More ad money has flowed to Google’s coffers as a result.

But the GDPR applies to far more than just ad tech. Ventures as varied as publishing and virtual tabletop dice rollers have been forced to shutter their digital doors rather than risk the wrath of European data authorities.

Similar stories emanate from the US. Illinois’ biometric privacy law, which governs the use of technologies like facial recognition and fingerprint scanning, led to the prohibition of Google’s Arts and Culture app which matched user-submitted photos with a classical work of art. If Google can’t hack it in the Land of Lincoln, how could a potential Google-slayer be expected to do so?

These are just the stories we hear about. A prematurely thwarted venture is unlikely to have a platform to voice their compliance problems. What is clear is that the data privacy laws enacted so far have had predictable negative impacts on security and competition, and that ill-defined “privacy fundamentalism” too often drives ill-fitting policies.

Safety vs. free speech & competition

Content moderation at scale is extremely challenging, especially as it relates to efforts to address “hate speech” and extremist viewpoints. On the one hand, free speech activists argue that onerous private content moderation policies can limit debate and punish certain viewpoints, particularly if a platform is a public default for expression. On the other hand, social justice activists contend that lax private standards can fuel the proliferation of conspiracy theories, radicalization, and violent rhetoric.

Recently, President Trump and some conservative lawmakers have been clamoring for greater regulatory controls of social media platforms in the name of “fairness” and countering supposed anti-conservative bias. Sens. Josh Hawley (R-MO) and Ted Cruz (R-TX), for example, have introduced a bill that would require platforms to submit their content moderation policies to regular regulatory audits. If a platform is deemed to be not “politically neutral,” it will lose its liability protections under Section 230 of the Communications Decency Act.

This is reminiscent of the “fairness doctrine,” a long-standing Federal Communications Commission (FCC) policy that was a thinly-veiled attempt to influence the political content of broadcast programs. Conservatives rightly opposed such government involvement in content decisions in decades past, but with this new effort against technology platforms, many of them are repeating the mistakes of the past.

The history of the actual fairness doctrine serves as a cautionary tale here. Today the fairness doctrine is mostly remembered as an anti-conservative effort because of the attention paid to right-leaning talk radio. Former Kennedy administration official Bill Ruder admitted that their “massive strategy was to use the [fairness doctrine] to challenge and harass right-wing broadcasters, and hope that the challenges would be so costly to them that they would be inhibited and decide it was too costly to continue.”

But as testaments from previous broadcast leaders point out, the fairness doctrine was wielded against both “conservatives” and “liberals” depending on who was in power and what their objectives were. When the Nixon administration took office, they wielded the rule to muzzle broadcasters who criticized the White House. And the FCC also applied the doctrine against The Kingmen’s song “Louie Louie” for its suspiciously unintelligible lyrics.

The tension between policies to promote “safety” and government-protected rights to free speech can be literal, as well. Consider efforts to ban so-called “3-D printed guns.” Defense Distributed and other activists do not 3-D print and sell guns. Rather, they publish the schematics for others to print their own arms online. As with the encryption technologies we will discuss below, such code is probably First Amendment-protected speech, although the applications of the schematics may be considered “dual-use” (meaning with both civilian and military applications.) An outright ban on 3-D printed gun blueprints very clearly antagonizes the right to free speech in the US and could threaten innovation in other open source, peer-to-peer 3D-printed applications.

Safety vs. privacy & security

Efforts to promote “safety” can also too often backfire at the expense of privacy and security.

Perhaps the most dramatic and high-stakes illustration of this principle was the years-long legal drama that pitted law enforcement authorities against computer scientists in the so-called “Crypto Wars.” Although cryptographic technologies that conceal data for privacy or security have been around since the days of ancient Egypt—our own Founding Fathers are known to have communicated using ciphers—in the 20th century, they had mostly been limited to military and academic institutions.

The advent of public-key cryptography made these security techniques more accessible to the public for the first time. This was great news for information security: communications and devices could be made hardened to attacks, and people were given more privacy options. But law enforcement feared that criminals would use cryptography to cover their tracks. Thus, in the name of safety, law enforcement first tried banning cryptography as a dual use technology through munitions export controls. When that failed on First Amendment grounds, policymakers attempted to legislate “backdoors” into encryption protocols that would allow government access.

It is easy to see how outright bans or backdoors for encryption technologies could hurt privacy and security. Obviously, prohibiting the civilian use of a privacy and security technology limits privacy and security. But granting government access into encryption standards would ironically ultimately undermine safety as well. After all, if a government can get into an encryption standard, so might a malicious hacker. Although the “Crypto Wars” seemed settled in the 1990’s, these same debates have been cropping up again as more and more devices have default encryption technologies.

We can also think about mandated reporting requirements intended to promote public safety. Consider the “know your customer” rules imposed on financial institutions. To prevent ills like money laundering and financial fraud, banks and exchanges must keep detailed customer information on file. Yet this ostensibly “pro-safety” rule generates its own security and privacy risks. Banks must manage to responsibly store and protect this valuable customer data, lest their customers’ information get hacked and their identities stolen. This has sadly too often proven too tall an order, and third-party-managed personally identifiable information is exposed to outside parties all the time.

A similar problem arises with efforts to promote child safety online. Consider the debate over MySpace’s age verification efforts in the mid-2000s. Child safety advocates grew concerned over the risks facing children on new social media platforms. Young children lacking awareness of the dangers that could lurk online could unwittingly make friendships with predators posing as other children. So a movement grew to require these new platforms to verify age and identity with a government-provided identification card.

There were obvious technical problems. For starters, children that were young enough to fall under the age verification limit were unlikely to have a government-provided photo identification card. But beyond these simple administrative issues, there was the question of privacy and security. Could Myspace adequately protect the reams of sensitive data from outside breach? Might children actually be put more at danger should those items—which would likely include the children’s address—fall into the wrong hands? And should the government and social media platforms really be in the business of parenting to begin with? Might this actually create a “moral hazard” which leaves parents thinking that online spaces are safer than they actually are?

Tying it all together

In each of these instances, it probably seemed like there was no downside to newly proposed regulations. With time, however, the dynamic effects associated with those policies become evident, and often result in the opposite of what was intended, or the policies led to other problems that supporters did not originally envision.

The nineteenth-century French economic philosopher Frédéric Bastiat famously explained the importance of considering the many unforeseen, second-order effects of economic change and policy. Many pundits and policy analysts pay attention to only the first-order effects—what Bastiat called “the seen”—and ignore the subsequent and often “unseen” effects. Those unseen effects can have profound real-world consequences in the form of less technological innovation, diminished growth, fewer job opportunities, higher prices, diminished choices, and other costs.

Even when defenders of the failed interventions are forced to admit that their well-intentioned plans did not work out as planned, their response is typically of the  we-can-do-better variety. The result is usually just more regulation as one intervention begs another and another. As the Austrian economist Ludwig von Mises taught us 70 years ago in his masterwork, Human Action:

“All varieties of interference with the market phenomena not only fail to achieve the ends aimed at by their authors and supporters, but bring about a state of affairs which—from the point of view of their authors’ and advocates’ valuations—is less desirable than the previous state affairs which they were designed to alter. If one wants to correct their manifest unsuitableness and preposterousness by supplementing the first acts of intervention with more and more of such acts, one must go farther and farther…”

The lesson is clear: paternalistic public policies may sound sensible on the surface, but as Milton Friedman taught us long ago, “One of the great mistakes is to judge policies and programs by their intentions rather than their results. We all know a famous road that is paved with good intentions.”

By Adam Thierer & Jennifer Huddleston Skees

“ He’s making a list and checking it twice. Gonna find out who’s naughty and nice .”

With the Christmas season approaching, apparently it’s not just Santa who is making a list. The Trump Administration has just asked whether a long list of emerging technologies are naughty or nice — as in whether they should be heavily regulated or allowed to be developed and traded freely.

If they land on the naughty list, these technologies could be subjected to complex export control regulations, which would limit research and development efforts in many emerging tech fields and inadvertently undermine U.S. innovation and competitiveness. Worse yet, it isn’t even clear there would be any national security benefit associated with such restrictions.  

From Light-Touch to a Long List

Generally speaking, the Trump Administration has adopted a “light-touch” approach to the regulation of emerging technology and relied on more flexible “soft law” approaches to high-tech policy matters. That’s what makes the move to impose restrictions on the trade and usage of these emerging technologies somewhat counter-intuitive. On November 19, the Department of Commerce’s Bureau of Industry and Security launched a “ Review of Controls for Certain Emerging Technologies .” The notice seeks public comment on “criteria for identifying emerging technologies that are essential to U.S. national security, for example because they have potential conventional weapons, intelligence collection, weapons of mass destruction, or terrorist applications or could provide the United States with a qualitative military or intelligence advantage.”

The Commerce Department has long sought to control the use of such technologies through a combination of methods, including formal export controls. The process for establishing such controls was clumsily cobbled together over time, so Congress passed the Export Control Reform Act of 2018 (ECRA) to formalize these regulations. ECRA requires that the President formulate an interagency process to coordinate these rules with the goal of creating, “a regular and robust process to identify the emerging and other types of critical technologies of concern, as defined in United States foreign direct investment laws, and regulate their release to foreign persons as warranted regardless of the nature of the underlying transaction.” As part of this process, the Commerce Department is to create a list “of foreign persons and end-uses that are determined to be a threat to the national security and foreign policy of the United States . . .  and to whom exports, reexports, and transfers of items are controlled.”

Sweeping Breadth

That is what prompted the Trump Administration’s recent Emerging Technologies notice, which includes is a remarkably sweeping list of technologies that the Commerce Department is considering for the exports controls list. The list has 14 major categories:

(1) Biotechnology

(2) Artificial intelligence

(3) Position, Navigation, and Timing (PNT) technology

(4) Microprocessor technology

(5) Advanced computing technology

(6) Data analytics technology

(7) Quantum information and sensing technology

(8) Logistics technology

(9) Additive manufacturing / 3D printing

(10) Robotics

(11) Brain-computer interfaces

(12) Hypersonics

(13) Advanced materials

(14) Advanced surveillance technologies

The Department’s 14-category list also includes over 40 itemized examples of specific applications. For example, the “artificial intelligence” category alone includes a list of 11 applied types of AI, from AI cloud technologies and chipsets to neural networks to speech and audio processing.

The breadth of this list is remarkable in that it touches almost every emerging technology sector imaginable. It might have been easier for the Commerce Department to simply list those emerging technologies that will not be subject to review for potential export controls. It is an “everything-but-the-kitchen-sink” approach to emerging technology policy oversight and regulation that could clearly have far reaching consequences beyond national security.

There are some obvious dangers with such an open-ended review and it is important to remember these technologies have many beneficial applications as well as any potential risks.

Threatening Beneficial Uses

First, the potential export regulations create the danger of negative spillover effects that could undermine beneficial uses of each technology listed . All of the technologies listed have already been used in many ways that benefit both consumers and businesses. Limitations on their export could limit their availability or prevent improvements due to concerns that such broad interpretations of restrictions could limit the market.

For example, the regulation of AI mentioned above would not only address concerns about how AI might be used in weapons, but could even undermine the export of technology that has become a part of our everyday lives such as Siri in iPhones and Amazon’s Alexa. While the department claims that it seeks to “avoid negatively impacting U.S. leadership in the science, technology, engineering, and manufacturing sectors,” it is unlikely that any but the most narrowly tailored rules could actually avoid having a negative impact on innovation in the named technologies .

The more general purpose a technology the more difficult it will be to control the potential impact on the beneficial uses of the technology as well as the negative impacts. In fact, in some cases such as AI and robotics it can even be difficult to define what the technology is, because it is typically the applications and not the technology more generally that is being discussed and regulated. In many cases, the anti-export regulations would or could at least signal to entrepreneurial innovators that their time is better spent on other technologies or that their work should be taken elsewhere and risks the U.S. falling behind other countries in these important innovative areas.  

Undermining International Competitiveness

Second, the inquiry could undermine U.S. competitiveness by encouraging more offshoring in a world of innovation arbitrage opportunities . With our increasingly connected global economy and specifically the more mobile nature of many emerging technologies, it is becoming easier for innovators who find themselves subjected to onerous regulations in one country to move their research and development efforts to another. This is sometimes referred to as “ innovation arbitrage .”

While the U.S. remains a leader in attracting innovators, this scenario has already played out several times. For example, Amazon moved its drone testing program to the UK rather than test in the US due in large part to FAA regulations regarding drones. Similarly, 23andme also initially took its direct-to-consumer genetic testing abroad after the FDA threatened to shut down their product.

Heavily regulating the export of general applications of these technologies could actually backfire and encourage innovators to take their research to countries like China where they do not face such regulations. R. David Edelman, the director of the Project on Technology, the Economy, and National Security at MIT, has noted that while the inquiry might be “intended to help US companies be more competitive,” the reality is that “it would almost certainly give Chinese companies that don’t face those same restrictions a sizable advantage in the playing field.”

Moreover, if export controls undermine domestic innovation and competitiveness in this fashion and benefit developers in other countries, it means the U.S. will have less of a say over the ethical development of many important technologies. Bloomberg contributor Noah Smith observes that , when it comes to the global race for hegemony in genetic sciences, China is poised to take the lead. “If the U.S. shies away from developing genetic-engineering technology, these riches will flow to China, or to whatever other countries seize the technological edge,” he notes. That would be problematic not just from a competitive perspective, but also from an ethical perspective, because America would have less of a say in guiding the development of these important but controversial technologies. “Dystopian outcomes are also less likely with the U.S. at the helm,” Smith believes.

Limiting or Ending Technologies Consumers Already Enjoy

Third, the inquiry could pose a threat to everyday consumer technologies that are already widely distributed . The most interesting thing about the technologies listed in the notice is that many of them have moved well beyond the “emerging” phrase of development. They are already out in the wild and being used by people every day.

For example, among the AI technologies listed in the notice are “speech and audio processing (e.g., speech recognition and production)” as well as, “natural language processing (e.g., machine translation).” We already enjoy a great many services such as those today, including Siri and Alexa. Meanwhile, there are technologies already on the market that help disabled and autistic children communicate and interact with their peers using AI and robotics.

For example, the KASPAR robot helps children with such disabilities learn social skills to interact with their peers and teach conversational skills. Similarly, technology that translates apparently nonverbal sounds and other methods of communication into speech via apps and other technology with various voices that others can understand could be subject to development ending regulations or be unable to help children in other countries if the proposed export restrictions are phrased too broadly. Not only might new restrictions limit the development of new technologies, it could even limit or eliminate those that we have already embraced and improved the lives of many.

Risk to Research & Open-Source Efforts

Fourth, the expansion of export controls for many of the technologies listed in the inquiry opens the door to widespread policing of open source coding and communications , but offers no explanation of how that would even work. A large number of the technologies on the Commerce Department list have both commercial and non-commercial applications. Innovation scholars use terms like “ free innovation ” and “social entrepreneurialism” to describe innovative efforts that are undertaken by individuals or groups of people to pursue a broader array of social goals or values beyond just profit-seeking.

A prominent example of social entrepreneurs engaging in free innovation involves the use of 3D printers and open source designs to voluntarily create prosthetics for children with limb deficiencies. What happens to collaborative, non-commercial innovations like that if export controls are suddenly imposed on additive manufacturing technologies by the Department of Commerce? If one participant is based outside the US, is that sufficient to subject such collaboration to export controls? What, exactly, would be subjected to controls? The 3D printers? The open source blueprints? The website hosting such information? It is difficult to imagine how such regulation would work in practice but it is easy to imagine the effect it would have if pursued: It would create a massive chilling effect on many beneficial forms of innovation and simultaneously threaten freedom of speech and academic research.

This same problem could play out in many other technology fields listed in the Commerce Department notice, including: robotics, speech recognition, biotechnology, and genetic engineering, among many others often engage in open and cross-border collaboration for open source development. Free innovation and social entrepreneurialism are expanding rapidly in these and other emerging technology arenas. Thus, export control regulation can no longer hinge on going after “deep-pocketed” corporations looking to sell physical systems. To be truly effective, regulations will need to cover bottom-up, “grassroots” innovation. But that move will have profound ramifications for the freedom to freely tinker with or even freely research important technologies and technological processes.

Dubious National Security Benefits

There’s a final danger associated with this effort: it might not help advance America’s national security objectives , and could even hinder them.

To the extent that ECRA and this new Department of Commerce effort lead to heightened scrutiny for the many dozens of technologies identified, it could undermine research and development efforts in many of those fields. It could do so directly (by formally limiting or forbidding domestic R&D efforts) or indirectly (by incentivizing many domestic emerging tech innovators to move their operations offshore, or discouraging foreign developers from setting up shop here). Not only would such actions risk the US losing its lead in innovation, it could actually result in such regulations backfiring from a national security perspective.  

At the end of the day, the problem here is that Congress is failing to clearly identify what is “essential to the national security of the United States.” ECRA just passes the buck on that thorny question to the Commerce Department for a laundry list of emerging technologies. By soliciting public input, the best hope here is that experts in these various emerging technology sectors will step forward and identify the trade-offs associated with inclusion of most of these technologies on the export controls list. Hopefully, the list would then be narrowed the much smaller class of applied technologies that have a very real, immediate, and clearly catastrophic potential for harm to the national security interests of the nation. That would have been the better way to begin this process, but Congress and the Administration have instead adopted the opposite approach here and now we must hope that they are willing to significantly pare back the list of technologies even being considered for inclusion.

Back to the Crypto Wars?

In a sense, this debate was foreshadowed by the debate in the late 1990s over export controls for encryption technologies. As encryption emerged , law enforcement and national security agencies were concerned about its potential use by bad actors to hide or destroy evidence or information by using encrypted devices or services and sought to require backdoors to be able to access encrypted data and to restrict the export of certain types of encryption and certain encrypted devices. Such requirements, as the Information Technology & Innovation Foundation’s Daniel Castro and Alan McQuinn pointed out, would actually reduce the security of everyday Americans to cyber attacks, negatively impact U.S. businesses’ global competitiveness, and reduce the competitiveness and innovation of the technology sector not only in encryption but in related fields as well.

Luckily, many of these concerns were avoided and encryption restrictions have been narrowly tailored. Recent tensions between the FBI and tech companies like Apple illustrate that this debate is far from settled. Now it seems that the Commerce Department’s proposed restrictions could create the same vulnerabilities more broadly for a great number of emerging technologies.

“Soft Law” & Next Steps

In some ways this move to regulate technologies via export restrictions shows the dark side of the growing trend of “soft law.” Soft law, as we discuss in more detail in our forthcoming paper , includes regulatory actions such as guidance documents, working groups, sandboxing, and many other informal regulatory mechanisms. Such mechanisms are often used to regulate emerging technologies in the absence of formal actions or because the traditional policymaking apparatus cannot keep pace with the rapid evolution of technology. In many cases soft law has been used to accelerate technological development that otherwise might have been limited by traditional hard law.

But where soft law thrives in the vacuum left by a lack of formal delegation and regulation, this inaction also poses risks. Agencies like the Commerce Department could extend amorphous powers over emerging technologies without the expertise to fully understand the way such regulations might negatively affect beneficial technological developments, which are typically hard to predict in advance.

A smarter approach to export controls for emerging technologies begins with a rational assessment of:

1. a more robust evaluation of what really constitutes a tangible, immediate, irreversible, and catastrophic harm to the national security interests of the United States;
2. the practicality of proposed controls for any emerging technologies considered for inclusion on the list;
3. the wisdom of placing technologies on the list which already have been developed or marketed overseas (or appear poised to be); and,
4. the potential unintended consequences that any new export controls might have on the innovative potential of American creators and companies, the future of research in important sectors, the free flow of knowledge regarding peaceful applications, and the competitive standing of the United States relative to other countries.
5. whether catastrophic concerns about emerging technologies might be better addressed through multilateral accords or agreements aimed at achieving global consensus regarding inappropriate use and applications (as has been done in chemical weapon treaties and nuclear non-proliferation efforts).

Several specific technologies may still qualify for inclusion on the export controls list after such an evaluation, but it will start with a more limited approach and then expand as necessary. Such an approach assumes that in general purpose technology is not a threat until proven otherwise. By inverting the process in this fashion, the Administration wouldn’t be treating every emerging technology under the sun as guilty until proven innocent; innovations would be allowed to flourish naturally until the potential for harm is well-documented.

Unfortunately, the Commerce Department’s proposed approach does just the opposite and risks minimizing the benefits of these emerging technologies while doing little to advance national security interests in a meaningful way.

This Wednesday, TechFreedom joined Niskanen Center and a coalition of free market groups in urging the White House to endorse the use of strong encryption and disavow efforts to intentionally weaken encryption, whether by installing “back doors,” “front doors,” or any security vulnerabilities into encryption products.

The coalition letter concludes:

We urge your Administration to consider the full ramifications of weakening or limiting encryption. There is no such thing as a backdoor that only the US government can access: any attempt to weaken encryption means making users more vulnerable to malicious hackers, identity thieves, and repressive governments. America must stand for the right to encryption — it is nothing less than the Second Amendment for the Internet.

“ The White House’s silence on encryption is deafening,” said Tom Struble, Policy Counsel at TechFreedom. “The President’s hitherto failure to endorse strong encryption has given ammunition to European regulators seeking to restrict cross-border data flows and require that data on EU citizens be stored in their own countries. Just yesterday, the European Court of Justice struck down a longstanding agreement that made it easier for Europeans to access American Internet services. If the White House continues to dawdle, it will only further embolden ‘digital protectionism’ across the pond.”

The letter’s signatories include: Niskanen Center, TechFreedom, FreedomWorks, R Street Institute, Students For Liberty, Citizen Outreach, Downsize DC, Institute for Policy Innovation, Less Government, Center for Financial Privacy and Human Rights, and American Commitment.

Declan McCullagh, chief political correspondent for CNET and former Washington bureau chief for Wired News, discusses recent leaks of NSA surveillance programs. What do we know so far, and what more might be unveiled in the coming weeks? McCullagh covers legal challenges to the programs, the Patriot Act, the fourth amendment, email encryption, the media and public response, and broader implications for privacy and reform.

Download

Related Links

• Snowden: NSA snoops on U.S. phone calls without warrants, McCullagh
• Snowden: Feds can’t plug leaks by ‘murdering me’, McCullagh
• Feds: Power grid vulnerable to cyber threats, McCullagh

The smartphone is arguably one of the most empowering and revolutionary technologies of the modern era. By putting the processing power of a personal computer and the speed of a broadband connection into a device that fits in a pocket, smartphones have revolutionized how we communicate, travel, learn, game, shop, and more.

Yet smartphones have an oft-overlooked downside: when they end up in the wrong hands, they offer overreaching agents of the state, thieves, hackers, and other wrongdoers an unparalleled avenue for uncovering and abusing the volumes of sensitive personal information we increasingly store on our mobile phones.

Over on Ars Technica, I have a long feature story that examines the constitutional and technical issues surrounding police searches of mobile phones:

Last week, California’s Supreme Court reached a controversial 5-2 decision in People v. Diaz (PDF) , holding that police officers may lawfully search mobile phones found on arrested individuals’ persons without first obtaining a search warrant. The court reasoned that mobile phones, like cigarette packs and wallets, fall under the search incident to arrest exception to the Fourth Amendment to the Constitution.

California’s opinion in Diaz is the latest of several recent court rulings upholding warrantless searches of mobile phones incident to arrest. While this precedent is troubling for civil liberties, it’s not a death knell for mobile phone privacy. If you follow a few basic guidelines, you can protect your mobile device from unreasonable search and seizure, even in the event of arrest. In this article, we will discuss the rationale for allowing police to conduct warrantless searches of arrestees, your right to remain silent during police interrogation, and the state of mobile phone security.

You can read the full essay on Ars Technica here. And while you’re at it, I highly recommend watching this informative YouTube video that explains why it’s not a good idea to talk to police:

I haven’t said a lot about Google picking up wifi signals as it gathered imagery for its helpful Street View service, but the group “Consumer Watchdog” is doing cartwheels and handstands to try and generate interest in it. In my opinion, they’ve gone a little too far, and now—as have so many before—they will learn to fear my blog post.

This release from CW’s “corporateering” section is misleading in several ways. Take this, for example:

Google now admits that its Street View cars snooped on private WiFi networks as they prowled streets in thirty countries photographing people’s homes over the last three years. The company acknowledges it recorded communications it picked up from unencrypted WiFi networks.

To say “Google now admits” suggests that Google covered it up. Wrong. Google came forward with the information as soon as it discovered its mistake.

Is it “private WiFi networks” from which Google picked up data? The concepts and terminology are unclear to many, but the “private” characterization is misleading.

Many of these networks were privately owned, no doubt, but the question is whether they were configured to conceal the data being transmitted on them. They were not. Information was sent out in the clear (i.e. unencrypted) on these networks. And it was sent out by radio.

We should go into that: At most frequencies, including the frequency used by wifi, radio signals can travel long distances. Radio signals pass through or around walls and vehicles and people and shrubs and trees. If you broadcast data by radio at the typical signal-strength for a wifi set-up, there’s a good chance that it’s going to travel outside your house and beyond your property line, say, into the street.

Given the physical behavior of radio waves, what people do to prevent others accessing the information on a wifi network is they encrypt the network. That is, they scramble the data so that it’s just gibberish to anyone who picks it up. (Or at least it takes an enormous amount of computing power to unscramble the signal.) Lots and lots of wifi networks are encrypted these days, which is a good security practice, though it denies your neighbors the favor of using your Internet connection if they need to.

Given the way radio works, and the common security/privacy response—encryption—it’s hard to characterize data sent in the clear as private. The people operating them may have wanted their communications to be private. They may have thought their communications were private. But they were sending out their communications in the clear, by radio—like a little radio station broadcasting to anyone in range.

The physics here are more powerful than your innocent desires, Consumer Watchdog. That’s not private.

I have a hard time blaming Google for picking up these signals, which were sent out—again—by radio, in the clear. And, as Google explained at the outset, they generally “collected only fragments of payload data because: our cars are on the move; someone would need to be using the network as a car passed by; and our in-car WiFi equipment automatically changes channels roughly five times a second.”

If picking up bits of data sent unencrypted out to the street is “snooping” on “private wifi networks,” then glancing at someone’s open fly is “leering” at their “exposed genitalia.”

Let’s use that to segue into some talk about creepy behavior.

The release continues:

Over the last week, to gauge the potential threat posed by Google’s WiSpy activities, the nonpartisan, nonprofit public interest group “sniffed” some Congress members’ networks to see if they were vulnerable to the Internet giant, but scrupulously avoided gathering any communications. The investigation focused on a handful of members of the Energy and Commerce Committee, which has jurisdiction over Internet issues. Of the five residences the consumer group checked, one, [Democratic California representative Jane] Harman’s, had a clearly identifiable and vulnerable network. The other four residences had vulnerable networks in the vicinity that may belong to the members of Congress.

Consumer Watchdog people looked up the home addresses of Members of Congress. They went to the homes of these people. And they “sniffed” to see if there were wifi networks in operation there. If you care about privacy, this behavior is worse than what Google did.

When Google grabbed all this data—which they didn’t want and are trying to get rid of—they tied it to SSID information, MAC addresses, and probably physical locations. (Knowing how the data was configured would tell us what inferences might be drawn from it.) But not a single fact about a single identifiable wifi user has been revealed. No personal information—much less private information—got any meaningful exposure.

In its gross effort to rain attention on Google’s misdeed, Consumer Watchdog has now collected information on identifiable individuals—these members of Congress—and put that information in a press release. That’s more stalkerish and more exposing of personal information than driving past in an automobile picking up with indifference whatever radio signals are accessible from the street.

Now, Consumer Watchdog has not committed a privacy outrage. Politicians volunteer to be objects of this kind of intrusion when they decide that they’re qualified to be the boss of us. But this misleading release—and the personal information collection that went into producing it—are just a little too over the top to go without comment.

by Adam Thierer & Berin Szoka — (Ver. 1.0 — Summer 2009)

We are attempting to articulate the core principles of cyber-libertarianism to provide the public and policymakers with a better understanding of this alternative vision for ordering the affairs of cyberspace. We invite comments and suggestions regarding how we should refine and build-out this outline. We hope this outline serves as the foundation of a book we eventually want to pen defending what we regard as “Real Internet Freedom.” [Note:  Here’s a printer-friendly version, which we also have embedded down below as a Scribd document.]

I. What is Cyber-Libertarianism?

Cyber-libertarianism refers to the belief that individuals—acting in whatever capacity they choose (as citizens, consumers, companies, or collectives)—should be at liberty to pursue their own tastes and interests online.

Generally speaking, the cyber-libertarian’s motto is “Live & Let Live” and “Hands Off the Internet!”  The cyber-libertarian aims to minimize the scope of state coercion in solving social and economic problems and looks instead to voluntary solutions and mutual consent-based arrangements.

Cyber-libertarians believe true “Internet freedom” is freedom from state action; not freedom for the State to reorder our affairs to supposedly make certain people or groups better off or to improve some amorphous “public interest”—an all-to convenient facade behind which unaccountable elites can impose their will on the rest of us.

B.  Application in Social & Economic Contexts

The cyber-libertarian draws no distinction between social and economic freedom when applying this vision:

• Social Freedom: Individuals should be granted liberty of conscience, thought, opinion, speech, and expression in online environments.
• Economic Freedom: Individuals should be granted liberty of contract, innovation, and exchange in online environments.

Cyber-libertarians also argue that social and economic freedoms are inextricably intertwined:  It is not enough to support liberty of action in one sphere; foreclosing freedom in one sphere will eventually affect freedom in the other.

C.  How “Code Failures” Are to Be Addressed

The cyber-libertarian believes that “code failures” (the digital equivalent of so-called “market failures”) are better addressed by voluntary, spontaneous, bottom-up, marketplace responses than by coerced, top-down, governmental solutions.   From a practical perspective, the decisive advantage of the market-driven approach to correcting code failure comes down to the rapidity and nimbleness of those responses.  Stated differently, cyber-libertarians have a strong aversion to the politicization of technology issues and efforts to replace market processes with bureaucratic processes.

Importantly, the cyber-libertarian defines “markets” broadly to include monetary and non-monetary transactions as well as proprietary and non-proprietary modes of production.  To be clear, collaborative, non-proprietary technologies and efforts ( e.g., Wikipedia and open source software) are not at odds with cyber-libertarianism.  But the cyber-libertarian does reject the notion these models are the only acceptable model or that they should be imposed on us by law.  The proper policy position with regards to the “open vs. closed” or “proprietary vs. non-proprietary” debate should be one of techno-agnosticism.  Lawmakers and courts should not be tilting the balance in one direction or the other.

More generally speaking, instead of seeking to define or impose a single utopian vision, the cyber-libertarian seeks to enable what libertarian philosopher Robert Nozick called a “Utopia of Utopias:” a framework within which many different models of organizing commerce and community can flourish alongside, and in competition with, each other.

D.  General Relationship to “Internet Exceptionalism”

Internet exceptionalists are first cousins to cyber-libertarians:  They believe that the Internet has changed culture and history profoundly and is deserving of special care before governments intervene.  [See Section IV for an expanded discussion.]

II. The Intellectual Foundations of Cyber-Libertarianism

A.  Traditional Libertarian Philosophy

• Natural Rights philosophers –John Locke, Ayn Rand, The Founders
• Utilitarian philosophers – John Stuart Mill (On Liberty), Herbert Spencer
• “Austrian School” of Economics – Ludwig von Mises, F.A.  Hayek, Murray Rothbard
• Milton Friedman (Free to Choose)
• Robert Nozick – argument for a minimalist state; “utopia of utopias” notion
• Thomas Sowell – critique of “The Vision of the Anointed”
• Richard Epstein – vision of “Simple Rules for a Complex World

B.  Modern Cyber-Libertarian Theorists

• Ithiel de Sola Pool (Technologies of Freedom)
• Alvin Toffler (The Third Wave , Future Shock)
• George Gilder (Microcosm , Telecosm)
• Peter Huber (Law & Disorder in Cyberspace)
• Tom W.  Bell
• Technology Liberation Front bloggers

C.  Internet Exceptionalists[see Sec.  IV below]

• Nicholas Negroponte (Being Digital)
• John Perry Barlow (“Declaration of the Independence of Cyberspace”)
• David Post
• Eric Goldman
• H.  Brian Holland

III. The Contrast with Cyber-Collectivism

A.  Cyber-Collectivism Defined

Cyber-collectivism is the opposite of cyber-libertarianism.  Cyber-collectivism refers to the general belief that cyber-choices should be guided by the State or an elite class according to some amorphous “general will” or “public interest.”  The distant influence of Plato, Rousseau, and Marx can often been seen in the work of cyber-collectivists.

Cyber-collectivism comes in many flavors, however.  “Left”-leaning cyber-collectivists, for example, are more focused on social concerns than economic ones.  Some “Right”-leaning cyber-collectivists are focused on controlling the impact of the Internet on culture or security.  In other words, cyber-collectivism is not as philosophically coherent as cyber-libertarianism—which, though it comes in many flavors, shares a larger core of common agreement

B.  General Relationship to “Information Commons” Movement

There is a close relationship between the Leftist variant of cyber-collectivism and the “digital commons” or “information commons” movement, which generally refers to the belief that digital resources should be shared or perhaps commonly owned instead of held privately—both because cyber-collectivists think this is more equitable and because they generally think such arrangements will ultimately work better.

Cyber-collectivists are typically not Marxists; few of them call for state ownership of the information means of production.  Rather, cyber-collectivists might better be thought of a “cyber social Democrats” (in a European sense) or “Digital New Dealers” (in the American tradition).  They advocate a generous role for law and regulation in many online matters, but do not typically resort to full-blown nationalization.

C. Exponents of Cyber-Collectivism

Some notable cyber-collectivists or information commons adherents (and their key works):

• Lawrence Lessig (Code , Free Culture)
• Tim Wu (Who Controls the Internet?)
• Yochai Benkler (The Wealth of Networks)
• Jonathan Zittrain (The Future of the Internet & How to Stop It)
• David Bollier (Viral Spiral)
• Harvard Berkman Center*
• New America Foundation*
• Public Knowledge*

(*We are, of course, generalizing a bit here. Not everyone in these institutions is a cyber-collectivist and, again, there are many flavors of cyber-collectivism, just as there are many flavors of cyber-libertarianism. Individuals in some of these organizations diverge significantly in attitudes towards technological change and the proper scope of government influence throughout the high-tech sector.)

IV. Relationship Between Cyber-Libertarianism & Internet Exceptionalism

Some non-libertarians occasionally join ranks with cyber-libertarians out of a belief that the Internet is different and deserving of special consideration and care. This is commonly referred to as “Cyber-Exceptionalism” or “Internet Exceptionalism.” John Perry Barlow’s 1996 “Declaration of the Independence of Cyberspace” was probably the earliest (and most extreme) articulation of “Internet Exceptionalism”:

Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather. We have no elected government, nor are we likely to have one, so I address you with no greater authority than that with which liberty itself always speaks. I declare the global social space we are building to be naturally independent of the tyrannies you seek to impose on us. You have no moral right to rule us nor do you possess any methods of enforcement we have true reason to fear. Governments derive their just powers from the consent of the governed. You have neither solicited nor received ours. We did not invite you. You do not know us, nor do you know our world. Cyberspace does not lie within your borders. Do not think that you can build it, as though it were a public construction project. You cannot. It is an act of nature and it grows itself through our collective actions. You have not engaged in our great and gathering conversation, nor did you create the wealth of our marketplaces. You do not know our culture, our ethics, or the unwritten codes that already provide our society more order than could be obtained by any of your impositions. You claim there are problems among us that you need to solve. You use this claim as an excuse to invade our precincts. Many of these problems don’t exist. Where there are real conflicts, where there are wrongs, we will identify them and address them by our means. We are forming our own Social Contract. This governance will arise according to the conditions of our world, not yours. Our world is different.

Similarly, in 1994, The Progress & Freedom Foundation brought together four leading technology visionaries (Esther Dyson, George Gilder, George Keyworth, and Alvin Toffler) to pen A Magna Carta for the Knowledge Age. In that manifesto, the authors argued:

Cyberspace is the land of knowledge, and the exploration of that land can be a civilization’s truest, highest calling. The opportunity is now before us to empower every person to pursue that calling in his or her own way. The challenge is as daunting as the opportunity is great. The Third Wave has profound implications for the nature and meaning of property, of the marketplace, of community and of individual freedom. As it emerges, it shapes new codes of behavior that move each organism and institution—family, neighborhood, church group, company, government, nation—inexorably beyond standardization and centralization, as well as beyond the materialist’s obsession with energy, money and control. Turning the economics of mass-production inside out, new information technologies are driving the financial costs of diversity—both product and personal—down toward zero, “demassifying” our institutions and our culture. Accelerating demassification creates the potential for vastly increased human freedom. It also spells the death of the central institutional paradigm of modern life, the bureaucratic organization. (Governments, including the American government, are the last great redoubt of bureaucratic power on the face of the planet, and for them the coming change will be profound and probably traumatic.)

As that last paragraph suggests, this “Magna Carta” for cyberspace contained some hints of cyber-libertarian thinking, but the general thrust of the document was more generally of the Internet Exceptionalist school of thought.

Internet Exceptionalists are sometime critiqued for sounding like techno-utopians, but it is a mistake to conflate the two. There are not always synonymous.

V. Cyber-Libertarianism’s Early Legal Foundations & Victories

• Section 230 of the Communications Decency Act of 1996 is probably the best example of cyber-exceptionalism in practice. It grants broad immunity to online intermediaries for third party content except for criminal and IP law—breaking with traditional tort liability standards. Specifically, Sec. 230 rejected the “deputization of the middleman” model of liability.
• Overturning of the Communications Decency Act’s indecency & obscenity provisions in Reno v. ACLU decision
• Various court decisions blocking enforcement of the Child Online Protection Act (COPA) of 1999
• The encryption wars & the defeat of the “Clipper Chip”
• The Internet Tax Freedom Act of 1998

VI. Applications: How Cyber-Libertarians Think about Various Policy Issues

• Free speech & online child safety: Favor parental empowerment and industry self-regulation over censorship. “Household standards” should trump “community standards.”
• Privacy policy & online advertising: Privacy is a subjective condition and efforts to regulate to “protect privacy” could have unintended consequences for freedom of speech and the growth of online content and commerce. User empowerment and industry self-regulation represent the superior way to address privacy concerns.
• Net neutrality / infrastructure regulation: “Open access” regulation is nothing more the infrastructure socialism. Network operators should be free to own, operate, and price their systems and services as they see fit, subject only to enforcement of their terms of service and other voluntary disclosures as contracts with their users. New entry and innovation are better alternative to regulating yesterday’s networks and technologies.
• Internet taxation: No special taxes should be imposed on online services or Internet access. To the extent the Net disrupts traditional tax bases that should be seen as an opportunity to reform those tax systems.
• Online gambling: People should be free to do what they want with their money and Internet gambling is likely impossible to shut down entirely anyway, given the nature of the Internet.
• Antitrust: “Market power” and “code failures” are best dealt with by spontaneous evolution of markets and new entry, not bureaucratic micro-management of old technologies or market structures. Regulation often creates, or tends to foster, most monopolies. As Ithiel de Sola Pool once noted, “The force that preserves most monopoly privilege is law… most would vanish in the absence of enforcement.”
• IP issues: Cyber-libertarians are deeply divided over IP issues (especially copyright) and this reflects a long-standing division within libertarian ranks on these issues more generally. Some believe IP rights are a natural extension of traditional property rights and/or a sensible way to incentivize scientific and artistic creativity. Others believe no one has a right to “property-tize” intangible creations or that copyright is simply industrial protectionism. And there are many views in between.

VII. Prospects for Cyber-Libertarianism

A. The Pessimistic View

• Government’s will quash online freedom and bring the Internet under their thumbs.
• Regulatory efforts are expanding at a breathtaking pace and will not slow anytime soon.

B. The Optimistic View

• “Technologies of Freedom” (tools and methods to avoid online regulation, censorship and control) will ultimately triumph.
• Technology is evolving faster than government’s ability to regulate it.

VIII. Related Reading on Cyber-Libertarianism & Internet Exceptionalism

• John Perry Barlow, Declaration of the Independence of Cyberspace (1996).
• Tom W. Bell, Free Speech, Strict Scrutiny, and Self-Help: How Technology Upgrades Constitutional Jurisprudence , 87 U. Minn. L. Rev. 743 (2003).
• Esther Dyson, George Gilder, George Keyworth, & Alvin Toffler, The Progress & Freedom Foundation, A Magna Carta for the Knowledge Age (1994).
• Eric Goldman, The Third Wave of Internet Exceptionalism, Santa Clara Magazine (Winter 2008).
• H. Brian Holland, In Defense of Online Intermediary Immunity: Facilitating Communities of Modified Exceptionalism, Kansas L. Rev. (2007).
• Peter Huber, Law & Disorder in Cyberspace: Abolish the FCC and Let Common Law Rule the Telecosm (1997).
• Ithiel de Sola Pool, Technologies of Freedom (1983).
• David Post, In Search of Jefferson’s Moose: Notes on the State of Cyberspace (2009).
• Adam Thierer, The Pragmatic Internet Optimist’s Creed, Technology Liberation Front Blog (Nov. 11, 2008).
• Technology Liberation Front Blog, About the Technology Liberation Front (August 2004, revised 2008).

Cyber-Libertarianism: The Case for Real Internet Freedom [Ver 1.0 – Thierer & Szoka] http://d.scribd.com/ScribdViewer.swf?document_id=18490847&access_key=key-14tt6eb4f2cdcil8wnf2&page=1&version=1&viewMode=

By Eric Beach, Adam Marcus & Berin Szoka

In the first entry of the Privacy Solution Series, Berin Szoka and Adam Thierer noted that the goal of the series is “to detail the many ‘technologies of evasion’ (i.e., empowerment or user ‘self-help’ tools) that allow web surfers to better protect their privacy online.” Before outlining a few more such tools, we wanted to step back and provide a brief overview of the need for, goals of, and future scope of this series.

We started this series because, to paraphrase Smokey the Bear, “Only you can protect your privacy online!” While the law can play a vital role in giving full effect to the Fourth Amendment’s restraint on government surveillance, privacy is not something that cannot simply be created or enforced by regulation because, as Cato scholar Jim Harper explains, privacy is “the subjective condition that people experience when they have power to control information about themselves.” Thus, when the appropriate technological tools and methods exist and users “exercise that power consistent with their interests and values, government regulation in the name of privacy is based only on politicians’ and bureaucrats’ guesses about what ‘privacy’ should look like.” As Berin has put it:

Debates about online privacy often seem to assume relatively homogeneous privacy preferences among Internet users. But the reality is that users vary widely, with many people demonstrating that they just don’t care who sees what they do, post or say online. Attitudes vary from application to application, of course, but that’s precisely the point: While many reflexively talk about the ‘importance of privacy’ as if a monolith of users held a single opinion, no clear consensus exists for all users, all applications and all situations.

Moreover, privacy and security are both dynamic: The ongoing evolution of the Internet, shifting expectations about online interaction, and the constant revelations of new security vulnerabilities all make it impossible to simply freeze the Internet in place. Instead, users must be actively engaged in the ongoing process of protecting their privacy and security online according to their own preferences.

Our goal is to educate users about the tools that make this task easier. Together, user education and empowerment form a powerful alternative to regulation. That alternative is “less restrictive” because regulatory mandates come with unintended consequences and can never reflect the preferences of all users.

Many forthcoming Privacy Solution Series entries will describe tools that fit into two broad categories:

• Encryption (protecting communications): The scrambling of content to protect against unauthorized viewing.
• Anonymization (protecting identity): Paradoxically, the Internet offers an unprecedented degree of both anonymity and transparency/track-ability. While most behavior online does leave a plethora of tracks in the form of ISP records, server logs, and cookie IDs, users can achieve a significantly greater degree of privacy online by blocking data collection mechanisms like cookies or routing traffic through a non-monitored server.

For some, one category is more important than the other. For example, some believe that public message boards are more civil when users are prohibited from posting anonymously and posts are signed with the user’s real name instead of a made-up “handle.” But these same people may feel very strongly that the content of emails should be protected ( i.e., encrypted) so that only the intended recipient can view them.

In other situations and/or for other people, the exact opposite may be true. A user might not care that Gmail scans their email to provide targeted advertising as long as Google does not associate that information with their actual identity.

Regulatory solutions inevitably fail to recognize such complexity and even inconsistency of user preferences. By contrast, user empowerment offers diverse solutions for a diverse citizenry.

Additional information about encryption, anonymity & other technologies of evasion

• Bruce Schneier’s Applied Cryptography (available online in part in an older version online), is considered one of the definitive works about encryption for the layman.
• Access Denied: the Practice and Policy of Global Internet Filtering, published in 2008 by Harvard’s Berkman Center, discusses encryption and technologies of evasion, while also describing current filtering and censoring efforts in many countries. You can view much of the book at the OpenNet initiative or preview the book at Google Books. Berkman’s 2007 Circumvention Landscape Report outlines technologies of censorship and technologies of evasion in an applied context.
• The Electronic Frontier Foundation offers an excellent introduction to the basics of encryption as part of its Surveillance Self-Defense Project.
• The Handbook for Bloggers and Cyberdissidents published by Reporters Without Borders, which details techniques for circumventing censorship.

In episode #44 of “Tech Policy Weekly,” Berin Szoka and Adam Thierer engage in a debate with Internet security expert Chris Soghoian, who is a student fellow at the Berkman Center for Internet & Society at Harvard University. He is also a Ph.D. candidate at Indiana University’s School of Informatics.

Chris is an up-and-coming star in the field of cyberlaw and technology policy as he has quickly made a name for himself in debates over privacy policy, data security, and government surveillance.  He straddles the line between academic and activist, and the role he often plays in many tech policy debates is somewhat akin to what Ralph Nader has done in many other fields through the years. Except, in this case, instead of “Unsafe at Any Speed” it’s more like “Unsafe at Any Setting,” since Chris is often raising a stink about what he regards as unjust or unreasonable privacy or security settings that various online websites or service providers use.

On the show, Chris talks about two of his recent crusades to get certain online providers to change their default settings to improve user security or privacy: (1) His effort this week to get major email providers—and Google in particular—to change their default security settings on their email offerings; and (2) his earlier crusade to create permanent opt-out cookies to stop behavioral advertising by advertising networks.

There are several ways to listen to today’s TLF Podcast. You can press play on the player below to listen right now, or download the MP3 file. You can also subscribe to the podcast by clicking on the button for your preferred service. (And do us a favor, Digg this podcast!)

[display_podcast]

Finally, here’s some relevant links that were mentioned during today’s show:

• Chris Soghoian’s webpage + his Harvard Berkman Center page
• Chris’s blog (“Slight Paranoia”)
• Chris’s “TACO” (Targeted Advertising Cookie Opt-Out) plug-in for Firefox (and description of it on his home page)
• Chris’s “Caught in the Cloud” paper (+ a video of him presenting it at Harvard)
• The letter from 38 cybersecurity researchers that Chris sent to Google
• Berin Szoka’s response to Chris’s “Caught in the Cloud” paper
• Berin’s discussion of the issue of preserving user choice through permanent opt-out cookies

I’ve been quite depressed to witness Bruce Schneier’s ongoing conversion from opponent of government intervention in the high-tech economy (at least on encryption) to vociferous proponent (at least in terms of privacy regulation).  Anyway, his latest cheerleading piece for government privacy regulation in The Wall Street Journal includes lots of fear-mongering about private website data collection for, God forbid, purposes of trying to better target advertising and market us products we might actually want.

Schneier uses the term “deceptive” several times in the piece to refer to privacy policies that don’t make it explicitly clear that some of the information you leave on a site, or that is collected preemptively by them, will be used to craft more targeted marketing efforts.  Like many other would-be privacy regulators, Schneier seemingly wants companies to fly blimps over your desk as you surf the Net with big signs that basically say: ‘Hey stupid, your info may be used to market you stuff.’  It’s hard to be against more disclosure, of course — and most sites spell out what they do with data in their privacy policies — but it never seems to be good enough for most privacy advocates, who paint consumers out to be mindless sheep who cannot be trusted to make wise decisions for themselves.  Sorry, but I just don’t buy it.

Specifically, I think there’s a pretty easy solution to the concern Schneier articulates about cloud computing when he says:

Cloud computing services like Google Docs, and social networking sites like RealAge and Facebook, bring with them significant privacy and security risks over and above traditional computing models. Unlike data on my own computer, which I can protect to whatever level I believe prudent, I have no control over any of theses sites, nor any real knowledge of how these companies protect my privacy and security.  I have to trust them.

Huh?  Why do you just “have to trust them”?  How about just not using those services?!  Or, use privacy self-help solutions when possible to manage your privacy preferences.  And for God’s sake Bruce, you wrote the definitive textbook on cryptography!  How about using encryption if you’re so concerned about who might be collecting your data online??

Meanwhile, Schneier doesn’t bother telling us what economic engine is going to power the Internet economy going forward once the privacy regulations he favors get on the books and make targeted advertising and data collection a federal crime.  Should we expect all these free Internet sites and services to just fall like manna from heaven?  Again, while the supposed harms from private data collection are largely conjectural, the harm to the Internet economy from heavy-handed, top-down privacy regulations would be all too real.  As we always say here, there is no free lunch.

I’ve just finished reading Blown to Bits: Your Life, Liberty, and Happiness After the Digital Explosion, by Hal Abelson, Ken Ledeen, and Harry Lewis, and it’s another title worth adding to your tech policy reading list. The authors survey a broad swath of tech policy territory — privacy, search, encryption, free speech, copyright, spectrum policy — and provide the reader with a wonderful history and technology primer on each topic.

I like the approach and tone they use throughout the book. It is certainly something more than “Internet Policy for Dummies.” It’s more like “Internet Policy for the Educated Layman”: a nice mix of background, policy, and advice. I think Ray Lodato’s Slashdot review gets it generally right in noting that, “Each chapter will alternatively interest you and leave you appalled (and perhaps a little frightened). You will be given the insight to protect yourself a little better, and it provides background for intelligent discussions about the legalities that impact our use of technology.”

Abelson, Ledeen, and Lewis aren’t really seeking to be polemical in this book by advancing a single thesis or worldview. To the extent the book’s chapters are guided by any central theme, it comes in the form of the “two basic morals about technology” they outline in Chapter 1:

The first is that information technology is inherently neither good nor bad — it can be used for good or ill, to free us or to shackle us. Second, new technology brings social change, and change comes with both risks and opportunities. All of us, and all of our public agencies and private institutions, have a say in whether technology will be used for good or ill and whether we will fall prey to its risks or prosper from the opportunities it creates. (p. 14)

Mostly, what they aim to show is that digital technology is reshaping society and, whether we like or it not, we better get used to it — and quick!  “The digital explosion is changing the world as much as printing once did — and some of the changes are catching us unaware, blowing to bits our assumptions about the way the world works… The explosion, and the social disruption that it will create, have barely begun.” (p 3)

In that sense, most chapters discuss how technology and technological change can be both a blessing and a curse, but the authors are generally more optimistic than pessimistic about the impact of the Net and digital technology on our society. What follows is a quick summary of some of the major issues covered in Blown to Bits.

Privacy: In the chapter on privacy, the authors conclude that it is increasingly difficult to bottle up our personal information and protect it and ourselves entirely from the outside world. “Despite the very best efforts, and the most sophisticated technologies, we can not control the spread of our private information. And we often want information to be made public to serve our own, or society’s purposes.” (p. 70) They argue that there still may be some ways to deal with the misuse of information and that some new technologies might be able to help protect our privacy at the margins. Generally speaking, however, this is a losing battle, and, more importantly, there is an increasing tension between privacy and freedom of speech:

A continuing border war is likely to be waged, however, along an existing free speech front: the line separating my right to tell the truth about you from your right not to have that information used against you. In the realm of privacy, the digital explosion has left matters deeply unsettled. (p. 70)

These are issues I discussed in more detail in my recent review of Daniel Solove’s important new book, Understanding Privacy. Abelson, Ledeen, and Lewis are right to point out that these tensions are only going to increase in coming years and their chapter outlines many of the new fault lines in the debate over online privacy.

Encryption: Having followed the “crypto wars” closely in the mid-1990s, I also found their chapter on cryptography intriguing. The authors note that encryption has gone mainstream. “Keys are cheap. Secret messages are everywhere on the Internet. We are all cryptographers now.” Despite that, the authors note that “very little email is encrypted today.” With the exception of some human rights groups and some particularly privacy-sensitive users, most of us are perfectly content to send our e-mails unencrypted. They argue that there are three reasons most people are unconcerned about their e-mail privacy:

First, there is still little awareness of how easily our e-mail can be captured as the packets flow through the Internet. […] Second, there is little concern because most ordinary citizens feel they have little to hide, so why would anyone bother looking? […] Finally, encrypted email is not built into the Internet infrastructure in the way encrypted web browsing is. (p. 191-92)

They continue and conclude:

Overall, the public seems unconcerned about privacy of communication today, and that privacy fervor that permeated the crypto wars a decade ago is nowhere to be seen. In a very real sense, the dystopian predictions of both sides of that debate are being realized: On the one hand, encryption technology is readily available around the world, and people can hide the contents of their messages, just as law-enforcement feared… At the same time, the spread of the Internet has been accompanied by an increase in surveillance, just as the opponents of encryption regulation feared. (p. 193)

Actually, I’m not sure there really was a “privacy fervor that permeated the crypto wars a decade ago.” Many of us who argued passionately for crypto-freedom back then knew it was unlikely that the masses were going to rush right out and start encrypting all their mail the minute the policy battle ended. In reality, most of us live pretty mundane lives and just don’t care enough to go through the hassle of encrypting the random chatter of e-mail. But it was the principle of the matter that counted — the government should never be given the keys to unlock all private communications. That is what we were fighting about in the crypto wars — not the necessity of everyone encyrpting every e-mail they sent.

Importantly, however, the authors correctly note how the truly beneficial result of the fight for crypto-freedom was an explosion of online commerce, facilitated by behind-the-scenes crypto protecting our transactions. Amazon, eBay, and many other e-commerce vendors, both big and small, have prospered because of strong crypto. That was the security blanket many of us needed before we were willing to take the plunge and begin doing most of our shopping and financial transactions online. This is a great public policy success story, and Abelson, Ledeen, and Lewis do a wonderful job relaying it to the reader.

Online Free Speech / Age Verification: As a passionate First Amendment advocate, the chapter on free speech issues was also of great interest to me. The authors run through the early history of efforts to censor online speech, including the Communications Decency Act of 1996 (CDA) and the Child Online Protection Act of 1998 (COPA), and bring us right up to speed with congressional efforts such as the Deleting Online Predators Act (DOPA), which would ban social networking sites and services in publicly funded schools and libraries. “DOPA, which has not passed into law, is the latest battle in a long war between conflicting values,” note the authors. “On the one hand, society has an interest in keeping unwanted information away from children. On the other hand, society as a whole has an interest in maximizing open communication.” (p. 231)

Abelson, Ledeen, and Lewis go on to outline the dangers of online censorship and the importance of defending the First Amendment from new legislative and regulatory attacks, but they would have done well to cite the growing diversity of parental control tools and methods that are now on the market. I share their passion for defending free speech values, but it is equally important we work hard to show parents and policymakers how many effective self-help tools and strategies are out there on the market today to help them guide — or even control — their child’s media and Internet experiences. Not everyone is equally excited about what a world of media abundance offers us, or out children. If we hope to continue to fend off attacks on the First Amendment, we have to make sure parents are empowered to mentor their kids and limit access to content they find objectionable so they don’t expect Uncle Sam to play the role of national nanny.

I was glad to see the authors spend some time focusing on online age verification / identity authentication since that is probably the most important free speech debate raging today. [I’ve written quite a bit here about the battle over online age verification for social networking sites and other online sites.] The authors point out Congress already attempted to impose age verification on the Internet when they passed the Child Online Protection Act in 1998. “The big problem,” the authors note, “was that these methods either didn’t work or didn’t even exist.” (p. 248) Indeed, the effort in COPA to require “adult personal identification numbers” or a “digital certificate that verifies age” was in their words, “basically a plea from Congress for the industry to come up with some technical magic for determining age at a distance.” (p. 248)  And things really haven’t advanced much since then, they argue:

In the state-of-the-art, however, computers can’t reliably tell the if party on the other end of the communications link is a human or is another computer. For a computer to tell whether a human is over or under the age of 17, even imperfectly, would be very hard indeed. Mischievous 15-year-olds could get around any simple screening system that could be used in the home. The Internet just isn’t like a magazine store. (p. 249)

I hope policymakers are listening — especially the many stubborn state attorneys general who continue to push age verification as a silver-bullet solution to online child safety concerns.

Spectrum Policy: The authors point out how the death of media scarcity has profound implications for the future of speech regulation and spectrum policy alike. “As a society,” they argue, “we simply have to confront the reality that our mindset about radio and television is wrong. It has been shaped by decades of the scarcity argument.” (p. 292)  Regarding what it means for speech controls, they note:

If almost anyone can now send information that many people can receive, perhaps the government’s interest in restricting transmissions should be less than what it once was, not greater. In the absence of scarcity, perhaps the government should have no more authority over what gets said on radio and TV than it does over what gets printed in newspapers. (p. 261)

I couldn’t agree more, and I’ve written voluminously on the topic of creating a “consistent First Amendment standard for the Information Age.” Abelson, Ledeen, and Lewis seem to agree with what I said there when they argue:

Other regulation of broadcast words and images should end. Its legal foundation survives no longer in the newly engineered world of information. There are too many ways for the information to reach us. We need to take responsibility for what we see, and what our children are allowed to see. And they must be educated to live in a world of information plenty. (p. 293)

The death of the scarcity doctrine should also have a profound impact on the future spectrum policy decisions, they say. Perhaps scarcity-based rationales for regulation made (some) sense in the past, but:

These were facts of the technology of the time. They were true, but they were contingent truths of engineering. They were never universal laws of physics, and are no longer limitations of technology. Because of engineering innovations over the past 20 years, there is no practically significant “natural limitation” on the number of broadcast stations. Arguments from inevitable scarcity can no longer justify U.S. government denials of the use of the airwaves. The vast regulatory infrastructure, built to rationalize use of the spectrum but much more limited radio technology, has adjusted slowly — as it almost inevitably must: Bureaucracies don’t move as quickly as technological innovators. The FCC tries to anticipate resource needs centrally and far in advance. But technology can cause abrupt changes in supply, and market forces can cause abrupt changes in demand. Central planning works no better for the FCC than it did for the Soviet Union. (p. 272)

I completely agree, although challenging questions remain about how to get us out of the current mess. Abelson, Ledeen, and Lewis argue that “commons-based” approaches make the most sense. I am certainly open to the idea of treating certain swaths of spectrum as a commons, but it’s important to recognize that this does not necessarily get the regulators completely out of the picture. In fact, as my TLF colleague Jerry Brito has persuasively argued, there is the real potential that the FCC could become an aggressive device regulator if we switch to this approach. “A ‘commons’ model is not a third way between regulation and property, it is just another kind of regulation,” Brito concludes. That’s why I continue to believe that a property rights-based approach for most spectrum allocation makes the most sense and will get the spectrum deployed for its most highly-valued use. Commons-based approaches should supplement, not supplant, that model.

Abelson, Ledeen, and Lewis also fail to sweat the details about how to handle the issue of incumbent spectrum users in the transition to their preferred commons-based model. That strikes me as a pretty big problem. They repeatedly mention how incumbents often seek to block beneficial spectrum reforms — which is no doubt true on some occasions — but that doesn’t mean incumbent spectrum holders don’t have legitimate rights in their existing allocations that should be honored. I would hope that, even if they wanted to go with a pure commons approach going forward, the authors would at least be willing to grandfather-in existing spectrum users. If the goal is to encourage them to vacate what they currently have, incentivize them with flexible use and resale rights. For example, for the right price, a lot of broadcast spectrum holders might be willing to give up their current allotment. Alternatively, if flexible use was allowed, they might deploy their spectrum for a different purpose. Unfortunately, both of these options are currently prohibited by the FCC’s command-and-control regulatory system.

Overall, however, I enjoyed the spectrum chapter and found the history and technology primer in this chapter to be the best in the book.

Copyright: The authors have a strongly-worded chapter on copyright that generally argues for relaxing copyright protections. Interestingly, however, (unless I am missing something) I notice they don’t offer their book for free download on their site.  I’m always intrigued by copyright critics who refuse to put their own content online. Apparently, it’s another case of ‘copying is good for me, but not for thee.’ Regardless, in their copyright chapter, they argue that:

The war over copyright and the Internet has been escalating for more than 15 years. It is a spiral of more and more technology that makes it ever easier for more and more people to share more and more information. This explosion is countered by a legislative response that brings more and more acts within the scope of copyright enforcement, subject to punishments that grow ever more severe. Regulation tries to keep pace by banning technology, sometimes even before the technology exists… If we cannot slow the arms race, tomorrow’s casualties may come to include the open Internet and dynamic of innovation that fuels the information revolution. (p. 199)

The authors make a fair point about the perils of banning technologies to protect copyright. That’s never the right answer. Regrettably, however, they pay less attention to what I regard as the legitimate concerns of copyright holders about how to protect their creative works and expressive endeavors going forward. And it’s not just about protecting large-scale industries, as they and other copyright critics are often prone to claim. It’s about whether or not we want a workable copyright system going forward. Of course, some critics wouldn’t mind seeing copyright law fade into the sunset altogether. But Abelson, Ledeen, and Lewis don’t really make it clear how far they’d be willing to go. They do have a brief discussion about collective licensing approaches as a possible solution, which may be coming sooner than we think for the Net. Unfortunately, they don’t spend much time developing the details. I remain skeptical about the sensibility of that approach — especially since it will likely end up being compulsory in nature and fraught with fairness problems (i.e. Who pays in? How much? On the other end, who gets paid how much when their content appears online? etc.) Nonetheless, I think that’s where we’ll end up before the copyright wars are over, so it would have been nice to see the authors spend more time on collective licensing issues.

They also spend a lot of time discussing DRM. I was surprised by their comment that, “Developers of DRM and trusted platforms may be creating effective technologies to control the use of information, but no one has yet devised effective methods to circumscribe the limits of that control.” (p. 212) I must say, that does not seem to match up with the reality of the market we see around us today in which DRM systems are rapidly crumbling and being abandoned left and right.

Conclusion

I didn’t agree with everything in Blown to Bits, such as their unfortunate call for Net neutrality regulation. Overall, however, I enjoyed the book and recommend it. The narrative can be a little disjointed at times, almost sounding like a series of e-mail exchanges between friends (which may have been the case since the book had three authors). But the text is very accessible and contains a great deal of useful information to bring you up to speed on the hottest tech policy debates under the sun. If the authors are smart, they’ll throw the book online and update it periodically to keep it fresh. As I have found with my parental controls and Media Metrics reports, that’s the only way to keep up with the frantic pace of change in the tech policy arena — version your books like software and release periodic updates.

This book will definitely appear on my big, end-of-year “Most Important Tech Policy Books of 2008” list, which I should have wrapped up shortly. Also, I think this book makes a nice complement to Palfrey and Gasser’s Born Digital, which I reviewed here last month. And, if you are interested in another title that takes an approach similar to what Abelson, Ledeen, and Lewis have taken here, you might want to check out Bruce Owen’s outstanding 1999 book “The Internet Challenge to Television.” It’s an oldy but a goodie, as I noted here.

Finally, given the title of the book and the countless times in the text that Abelson, Ledeen, and Lewis talk about the “bits revolution,” how “bits are bits,” and how “bits behave strangely,” shockingly, they never seem to get around to crediting Nicholas Negroponte for his pioneering work on this front in Being Digital. Long before anybody else gave a damn about how the movement from a world of atoms to a world bits would change our entire existence, Nicholas Negroponte was preaching that gospel to the unconverted. And considering he was saying all that back in the dark (dial-up) ages of 1995, the man deserves some credit, as I have noted here before.

Stuck with limited ISP choices, broadband users are increasingly angry with the growing number of providers that poke around in their customers’ traffic. From resetting Bittorrent sessions to sniffing packets for URLs, more and more providers are wielding their power as the “man in the middle” to monitor and manipulate traffic in unpopular and possibly illegal ways. While these practices can be beneficial, tech-savvy consumers are understandably agitated. Congress is now considering legislation that would outlaw these ISP practices.

Instead of urging lawmakers to enact sweeping new laws that would often do more harm than good, broadband users should look to the recent emergence of commercial secure tunneling services. These services remind us that the marketplace is perfectly capable of resolving skirmishes without government getting involved.

Numerous companies have begun to offer encrypted tunnels using Virtual Private Networks (VPNs). These networks have long been used for a variety of reasons, and are popular with network security experts because of how well they protect data from outside snooping. By tunneling traffic through secure links, broadband users can break free from the constraints imposed by ISPs on certain types of traffic. Routing peer to peer applications through these tunnels makes them almost entirely indistinguishable from other types of traffic—even to stateful packet inspection tools like Sandvine that are undeterred by header encryption.

Tunneling traffic via encrypted, remote servers is also one of the toughest targets for ISPs. Many corporate users and university students connect to VPNs for necessary reasons, and there’s no easy way for an ISP to distinguish “legitimate” VPN traffic from the other kind. And with new secure tunneling firms popping up all the time, simply blocking the IP-address ranges of known tunnels is no solution. Absent a VPN Whitelist—highly infeasible given the growing number of VPNs in the wild—ISPs will soon realize that, no matter how much they invest in packet inspection tools like Sandvine and Phorm, informed users will always find a way to stay a step ahead.

Despite being the freest nation on earth, the United States has a spotty track record when it comes to Internet privacy and anonymity. Fortunately, VPN services can be based anywhere on the planet. Data retention laws (like the one pending in the current Congress) have little effect on the privacy of users who tunnel their traffic through a nation that doesn’t force ISPs to retain data. Gleaning useful intelligence from a VPN connection between the user and the exit node is impossible — even if your ISP captures every last byte you transmit, as long as your VPN service doesn’t retain data, government snoops or would-be hackers will be left with nothing but indecipherable garbage.

VPN services typically charge a small monthly fee, but not all of them cost money. Some VPN services only offer PPTP encryption. That’s enough to deter casual snooping, but it can be cracked with some determination. Other services offer more sophisticated IPSec or SSL based encryption that relies on the highly secure AES cipher. All of the world’s supercomputers combined cannot crack data that has been properly encrypted via AES and a strong password. Of course, by using a VPN service, you are placing your trust in the tunneling service rather than your ISP—so verifying the service’s commitment to privacy and reliability is paramount.

Tunneling services can also circumvent region-locking techniques used by content portals like those offered by the major television networks. People living outside the United States often cannot access desired content because of exclusivity agreements with content owners. Portals typically block foreign residents by running a reverse DNS lookup on visitors’ IP addresses, which reveals the user’s country of origin. But offshore VPN services conceal their users’ true location, causing users to appear as if they are located in the country in which the VPN server is based.

Like many other goods and services, VPNs can be used for good or evil. Some of the uses discussed here may even violate laws in certain nations or run astray of terms of service agreements. Despite the potential for misuse, the secure tunnel is a promising tool that will likely grow more popular as ISPs increasingly turn to deep packet inspection for both network management and profit-seeking purposes.