Articles by Jim Harper

Jim is the Director of Information Policy Studies at The Cato Institute, the Editor of Web-based privacy think-tank Privacilla.org, and the Webmaster of WashingtonWatch.com. Prior to becoming a policy analyst, Jim served as counsel to committees in both the House and Senate.


This morning on WNYC in New York City, I debated Josh Silver of the pro-Internet-regulation group Free Press. It was a healthy exchange of views, except for a few barbs and innuendos thrown by Silver, who is obviously frustrated by his group’s lack of progress in seeking a “government takeover of the Internet.” (He wanted to debate in simple, ideological terms like that, so I indulge here.)

What was most interesting to me was how unsophisticated Silver is with respect to government and regulation. Take a look at his plea:

What we’re asking for—what we need are regulatory agencies that are not captured by industry and that actually act on behalf of the American public. And that’s what they were created to do. The FCC—1934, with the advent of radio—was created to make sure that the public interest was protected. And what we’ve seen is industry capture of regulatory agencies has made those agencies fail again and again and again.

And the only thing that’s gonna work is if the Obama administration and the FCC stand up and say, “No more business as usual. We are going to protect net neutrality. We’re going to protect competition, and make sure there’s choices for consumers. And we’re going to end the status quo in Washington that has really broken our entire political system.”

The Obama administration and the FCC did stand up and say “no more business as usual,” but that’s what politicians do to seduce voters. Then, once in power, they go about business as usual. Lucy always yanks away the football, Charlie Brown.

Silver is not alone in having these sweet, sad “good government” sentiments. Many of my interlocutors, with whom I often share outcome goals, believe strongly in achieving those goals by remaking governmental and political systems so that they finally “work.” They believe so strongly in this approach that they seem to think it’s just around the corner—if only we prohibit some speech here, some petitioning of the government there. Y’know, “take the money out of politics.”

Hopefully this fantasy will never come true, because it requires reversing fundamental rights such as free speech in all its instantiations—a handover of power from people to the government and elites that run it.

In the absence of that perfected, all-powerful government—thank heavens—we must organize the society’s resources using the best machine we’ve got for discovering consumers’ interests and delivering on them: an unhampered marketplace, now energized and enhanced by the Internet.

(Second in a series.)

The Register quotes security guru Bruce Schneier saying: “Facebook is the worst [privacy] offender – not because it’s evil but because its market is selling user data to its commercial partners.”

Facebook’s business model is to guide advertisements on its site toward users based on their interests as revealed by data about them. It is not to sell data about users. Selling data about users would undercut its advertising business.

It’s easy to misspeak in extemporaneous comments, and The Register is not your most careful media outlet. But we’ve almost got enough data points to show a consistent practice of misrepresentation on Bruce Schneier’s part. Perhaps that should be actionable as an unfair or deceptive practice under section five of the FTC Act.

DIY News and Commentary

October 13, 2010

What a delight it has been to watch the rescue of the Chilean miners on a live feed, without commentary from any plasticized, blathering “news reporter.” Of course, there are editorial judgments being made by the camera crews and on-scene director, but it is refreshing to make my own judgments based on what I see happening and what I see on the faces of the miners, their wives, and standers-by.

As my friend, the curmudgeonly @derekahunter notes, “There’s really nothing worse than listening to a reporter attempting to fill time while waiting for something to happen.”

Meanwhile, I’ve been chasing down some intemperate commentary on Twitter about the recent discovery of explosives in a New York cemetery. One Fred Burton, identified on his Twitter feed as Vice President of Intelligence for STRATFOR and a former counter-terrorism agent, Tweeted at the time that these explosives seemed like “a classic dead drop intended for an operative.”

But now we know the explosives are old, they were dug up and laid aside in May or June of 2009, and someone recently found them and decided to report them. That is not consistent with a dead drop, and Burton was wrong to speculate as he did, starting an Internet rumor that needlessly propagates fear.

As a public service, I’m doing a little bit to cut into Burton’s credibility, which should cause him to think twice next time. The winning Tweet is not mine, though. It’s @badbanana’s: “Military-grade explosives found at NYC cemetery. Hundreds confirmed dead.”

In summary, it’s a do-it-yourself news and commentary night. I’m making my world and re-making yours (just a tiny bit), rather than all of us sitting around being fed what to think.

Well, then, this post (via Adam Shostack) is for you!

“Dissent” goes through the numbers revealed in the first year of data breach reporting under the Health Insurance Portability and Accountability Act regulations. The post gives extremely light treatment to the possibility—indeed, the likelihood—of noncompliance with the regulations due to unawareness of breaches or judgments that reporting is more dangerous than not reporting.

But one also must wonder . . . Why does this matter?

Data breach notification is the grown-up version of the schoolyard taunt: “Your epidermis is showing!” The questions are: What part of the epidermis? And what social or economic consequences does it have?

Of course, these statistics may be interesting and relevant to security professionals, but harm is where the rubber hits the road for consumer protection. (See this interesting colloquy recently on Concurring Opinions.) Some data breaches have some relationship to consumer harm, but gross breach statistics don’t seem to be a window onto harm prevention.

“There’s no question [cable news is] contributing to the splintering of the political system and the means by which people get information about that system,” said Robert Thompson, who runs the Bleier Center for Television and Popular Culture at Syracuse University. “If there’s no standard base line of fact and reporting, where can the conversation go?”

This, from “Cable News Chatter is Changing the Electoral Landscape,” by Howard Kurtz and Karen Tumulty in today’s Washington Post.

Cable news and, of course, the Internet are definitely splintering the media environment. But there’s a big difference between the political system and the means by which people get information about it. Why on earth should there be a standard base line on which all political conversation must rest?

Speaking of earth, people used to think that the earth was at the center of the universe. Other planets moved erratically with relation to ours, and that was difficult to explain. Now we know that it is the sun at the center of our solar system, and the movements of planets, stars, and galaxies have been rationalized.

Many of us occupy different political and ideological planets, some of which have similar orbits, some very different. Slowly, sometimes, we can align our orbits by inquiring and debating about the nature of humankind, what is good, and the social systems that produce the greatest good for the greatest number.

Finding out that we should have these debates is not a threat to the political system. It’s a threat to the geocentric model of the political system, in which the three major networks provided the “standard base line of fact and reporting.”

The media universe is still not splintered enough, in my opinion. But, increasingly, the conversation will more easily go wherever it is supposed to go, unhindered by the false authority of a small number of news executives.

Faux Urgency

October 4, 2010

Tech policy polemicist Scott Cleland has hit home with today’s “FreePress’ Faux Urgency on Net Neutrality.”

FreePress’ problem is that people have wised up to their repeated hysterical calls to “Save the Internet” from a problem that has never materialized as they recklessly warned. FreePress has failed miserably in finding or defining any real-world problem that needs radical intervention to fix.

Cleland is meaner to the folks at Free Press than I would be, but he’s right to note that the problems net neutrality regulation might fix haven’t materialized over a long period of, yes, faux urgency.

The details of Tyler Clementi’s case are slowly revealing themselves. He was the Rutgers University freshman whose sex life was exposed on the Internet when fellow students Dharun Ravi and Molly Wei placed a webcam in his dorm room, transmitting the images that it captured in real time on the Internet. Shortly thereafter, Clementi committed suicide.

Whether Ravi and Wei acted out of anti-gay animus, titillation about Clementi’s sexual orientation, or simply titillation about sex, their actions were utterly outrageous, offensive, and outside of the bounds of decency. Moreover, according to Middlesex County, New Jersey prosecutors, they were illegal. Ravi and Wei have been charged with invasion of privacy.

This is what invasion of privacy looks like. It’s the outrageous, offensive, truly galling revelation of private facts like what happened in this case. Over the last 120 years, common law tort doctrine has evolved to find that people have a right not to suffer such invasions. New Jersey has apparently enshrined that right in a criminal statute.

The story illustrates how quaint are some of the privacy “invasions” we often discuss, such as the tracking of people’s web surfing by advertising networks. That information is not generally revealed in any meaningful way. It is simply being used to serve tailored ads.

This event also illustrates how privacy law is functioning in our society. It’s functioning fairly well. Law, of course, is supposed to reflect deeply held norms. Privacy norms—like the norm against exposing someone’s sexual activity without consent—are widely shared, so that the laws backing up those norms are rarely violated.

It is probably a common error to believe that law is “working” when it is exercised fairly often, fines and penalties being doled out with some routine. Holders of this view see law—more accurately, legislation—as a tool for shaping society, of course. Many of them would like to end the societal debate about online privacy, establishing a “uniform national privacy standard.” But nobody knows what that standard should be. The more often legal actions are brought against online service providers, the stronger is the signal that online privacy norms are unsettled. That privacy debate continues, and it should.

It is not debatable that what Ravi and Wei did to Tyler Clementi was profoundly wrong. That was a privacy invasion.

Taxpayers Against Earmarks is a new effort to rid the federal legislative process of some of its most acute horse-trading: earmarks. Find it at the cleverly named URL, EndingSpending.com.

My project WashingtonWatch.com has worked to generate earmark transparency. Here’s the earmarks main page, and you should expect to see FY 2011 earmarks there soon.

There’s little doubt that many spending earmarks are part of a subtle—or not-so-subtle—quid pro quo in which federal legislators buy votes by directing funds to favored home-state or home-district interests. Taxpayers Against Earmarks has a well-produced web site that invites people to sign up and join the anti-earmark effort.

Earmarked spending is a small part of the overall budget, of course, but earmarking is emblematic of the “favor factory” that Congress has become as the federal budget and federal power have bloated. Federal spending is appropriate in the small number of cases when it provides national public goods that benefit the country as a whole, but refurbishing local museums, funding projects at state universities, and requiring the military to buy from a particular defense contractor do not benefit the general welfare. Taxpayers Against Earmarks is working to begin the process of getting federal spending under control.

Clear’s coverage map shows service in many cities and plans to expand to many more. Competition is rendering moot the call for public utility-style regulation of Internet service in the name of ‘net neutrality. I expect to hear soon about how unsatisfactory competition is under triopoly conditions.

If you blinked, you missed it. Heaven knows, I did. The OECD privacy guidelines celebrated their 30th birthday on Thursday last week. They were introduced as a Recommendation by the Council of the Organization for Economic Cooperation and Development on September 23, 1980, and were meant to harmonize global privacy regulation.

Should we fete the guidelines on their birthday, crediting how they have solved our privacy problems? Not so much. When they came out, people felt insecure about their privacy, and demand for national privacy legislation was rising, risking the creation of tensions among national privacy regimes. Today, people feel insecure about their privacy, and demand for national privacy legislation is rising, risking the creation of tensions among national privacy regimes. Which is to say, not much has been solved.

In 2002—and I’m still at this? Kill me now—I summarized the OECD Guidelines and critiqued them as follows on the “OECD Guidelines” Privacilla page.

The Guidelines, and the concept of “fair information practices” generally, fail to address privacy coherently and completely because they do not recognize a rather fundamental premise: the vast difference in rights, powers, and incentives between governments and the private sector. Governments have heavy incentives to use and sometimes misuse information. They may appropriately be controlled by “fair information practices.”

Private sector entities tend to have a balance of incentives, and they are subject to both legal and market-punishments when they misuse information. Saddling them with additional, top-down regulation in the form of “fair information practices” would raise the cost of goods and services to consumers without materially improving their privacy.

Not much has changed in my thinking, though today I would be more careful to emphasize that many FIPs are good practices. It’s just that they are good in some circumstances and not in others, some FIPs are in tension with other FIPs, and so on.

The OECD Guidelines and the many versions of FIPs are a sort of privacy bible to many people. But nobody actually lives by the book, and we wouldn’t want them to. Happy birthday anyway, OECD guidelines.