Articles by Jim Harper

Jim HarperJim is the Director of Information Policy Studies at The Cato Institute, the Editor of Web-based privacy think-tank Privacilla.org, and the Webmaster of WashingtonWatch.com. Prior to becoming a policy analyst, Jim served as counsel to committees in both the House and Senate.


Boeing subsidiary Narus reports on its Web site that it “protects and manages” a number of worldwide networks, including that of Egypt Telecom. A recent IT World article entitled “Narus Develops a Scary Sleuth for Social Media” reported on a Narus product called Hone last year:

Hone will sift through millions of profiles searching for people with similar attributes — blogger profiles that share the same e-mail address, for example. It can look for statistically likely matches, by studying things like the gender, nationality, age, location, home and work addresses of people. Another component can trace the location of someone using a mobile device such as a laptop or phone.

Media advocate Tim Karr reports that “Narus provides Egypt Telecom with Deep Packet Inspection equipment (DPI), a content-filtering technology that allows network managers to inspect, track and target content from users of the Internet and mobile phones, as it passes through routers on the information superhighway.”

It’s very hard to know how Narus’ technology was used in Egypt before the country pulled the plug on its Internet connectivity, or how it’s being used now. Narus is declining comment.

So what’s to be done?

Narus and its parent, The Boeing Company, have no right to their business with the U.S. government. On our behalf, Congress is entitled to ask about Narus’/Boeing’s assistance to the Mubarak regime in Egypt. If contractors were required to refrain from assisting authoritarian governments’ surveillance as a condition of doing business with the U.S. government, that seems like the most direct way to dissuade them from providing top-notch technology capabilities to regimes on the wrong side of history.

Of course, decades of U.S. entanglement in the Middle East have created the circumstance where an authoritarian government has been an official “friend.” Until a few weeks ago, U.S. unity with the Mubarak regime probably had our government indulging Egypt’s characterization of political opponents as “terrorists and criminals.” It shouldn’t be in retrospect that we learn how costly these entangling alliances really are.

Chris Preble made a similar point ably on the National Interest blog last week:

We should step back and consider that our close relationship with Mubarak over the years created a vicious cycle, one that inclined us to cling tighter and tighter to him as opposition to him grew. And as the relationship deepened, U.S. policy seems to have become nearly paralyzed by the fear that the building anger at Mubarak’s regime would inevitably be directed at us.

We can’t undo our past policies of cozying up to foreign autocrats (the problem extends well beyond Egypt) over the years. And we won’t make things right by simply shifting — or doubling or tripling — U.S. foreign aid to a new leader. We should instead be open to the idea that an arms-length relationship might be the best one of all.

Via TechDirt, “The news media always need a bogeyman,” says Cracked.com in their well-placed attack on techno-panics, “5 Terrifying Online Trends (Invented By the News Media).” It’s a popular topic here, too.

You have to read all the way to the end to get exactly what the New York Times is getting at in its Sunday editorial, “Netizens Gain Some Privacy.”

Congress should require all advertising and tracking companies to offer consumers the choice of whether they want to be followed online to receive tailored ads, and make that option easily chosen on every browser.

That means Congress—or the federal agency it punts to—would tell authors of Internet browsing software how they are allowed to do their jobs. Companies producing browser software that didn’t conform to federal standards would be violating the law.

In addition, any Web site that tailored ads to their users’ interests, or the networks that now generally provide that service, would be subject to federal regulation and enforcement that would of necessity involve investigation of the data they collect and what they do with it.

Along with existing browser capabilities (Tools > Options > Privacy tab > cookie settings), forthcoming amendments to browsers will give users more control over the information they share with the sites they visit. That exercise of control is the ultimate do-not-track. It’s far preferable to the New York Times‘ idea, which has the Web user issuing a request not to be tracked and wondering whether government regulators can produce obedience.

[I got enough push-back to a recent post arguing the existence of market nimbleness in the browser area that I’m unsure of the thesis I expressed there. The better explanation of what’s going on may be that regulatory pressure is moving browser authors and others to meet the peculiar demands of the pro-regulatory community. The reason they have waited to act until now is because they do not perceive consumers’ interests to be met by protections against tailored advertising. The question of what meets consumers’ interests won’t be answered if regulation supplants markets, of course.]

In response to civil unrest, the Egyptian government appears to have ordered service providers to shut down all international connections to the Internet. According to the blog post at the link just above, Egypt’s four main ISPs have cut off their connections to the outside world. Specifically, their “BGP routes were withdrawn.” The Border Gateway Protocol is what most Internet service providers use to establish routing between one another, so that Internet traffic flows among them. I anticipate we might have comments here that dig deeper into specifics.

An attack on BGP is one of few potential sources of global shock cited by an OECD report I noted recently. The report almost certainly imagined a technical attack by rogue actors but, assuming current reporting to be true, the source of this attack is a government exercising coercion over Internet service providers within its jurisdiction.

That is far from an impossibility in the United States. The U.S. government has proposed both directly and indirectly to centralize control over U.S. Internet service providers. C|Net’s Declan McCullagh reports that an “Internet kill switch” proposal championed by by Sens. Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine) will be reintroduced in the new Congress very soon. The idea is to give “kill switch” authority to the government for use in responding to some kind of “cyberemergency.” We see here that a government with use “kill switch” power will use it when the “emergency” is a challenge to its authority.

When done in good faith, flipping an Internet “kill switch” would be stupid and self-destructive, tantamount to an auto-immune reaction that compounds the damage from a cybersecurity incident. The more likely use of “kill switch” authority would be bad faith, as the Egyptian government illustrates, to suppress speech and assembly rights.

In the person of the Federal Communications Commission, the U.S. government has also proposed to bring Internet service providers under a regulatory umbrella that it could turn to censorship or protest suppression in the future. Larry Downes has a five-part analysis of the government’s regulatory plan here on TLF (1, 2, 3, 4, 5). The intention of its proponents is in no way to give the government this kind of authority, but government power is not always used as intended, and there is plenty of scholarship to show that government agencies use their power to achieve goals that are non-statutory and even unconstitutional.

The D.C. area’s surfeit of recent weather caused the cancellation yesterday of a book event I was to participate in, discussing Evgeny Morozov’s The Net Delusion: The Dark Side of Internet Freedom. I don’t know that he makes the case overwhelmingly, but Morozov argues that governments are ably using the Internet to stifle freedom movements. (See Adam’s review, hear Jerry’s podcast.)

Events going on here in the United States right now could position the U.S. government to exercise the kind of authority we might look down our noses at Egypt for practicing. The lesson from the Egypt story—what we know of it so far—is that eternal vigilance is the price of freedom.

(HT: Schneier) Here’s a refreshingly careful report on cybersecurity from the Organization for Economic Cooperation and Development’s “Future Global Shocks” project. Notably: “The authors have concluded that very few single cyber-related events have the capacity to cause a global shock.” There will be no cyber-“The Day After.”

Here are a few cherry-picked top lines:

Catastrophic single cyber-related events could include: successful attack on one of the underlying technical protocols upon which the Internet depends, such as the Border Gateway Protocol which determines routing between Internet Service Providers and a very large-scale solar flare which physically destroys key communications components such as satellites, cellular base stations and switches. For the remainder of likely breaches of cybsersecurity such as malware, distributed denial of service, espionage, and the actions of criminals, recreational hackers and hacktivists, most events will be both relatively localised and short-term in impact.

The vast majority of attacks about which concern has been expressed apply only to Internet-connected computers. As a result, systems which are stand-alone or communicate over proprietary networks or are air-gapped from the Internet are safe from these. However these systems are still vulnerable to management carelessness and insider threats.

Analysis of cybsersecurity issues has been weakened by the lack of agreement on terminology and the use of exaggerated language. An “attack” or an “incident” can include anything from an easily-identified “phishing” attempt to obtain password details, a readily detected virus or a failed log-in to a highly sophisticated multi-stranded stealth onslaught. Rolling all these activities into a single statistic leads to grossly misleading conclusions. There is even greater confusion in the ways in which losses are estimated. Cyberespionage is not a “few keystrokes away from cyberwar”, it is one technical method of spying. A true cyberwar is an event with the characteristics of conventional war but fought exclusively in cyberspace.

The hyping of “cyber” threats—bordering on hucksterism—should stop. Many different actors have a good deal of work to do on securing computers, networks, and data. But there is no crisis, and the likelihood of any cybersecurity failure causing a crisis is extremely small.

Via @csoghoian (who can be wrathful if you don’t attribute), Adobe buries the lede in its blog post about privacy improvements to the Flash player. They’re working with the most popular browser vendors on integrating control of “local shared objects”—more commonly known as “Flash cookies”—into the interface. Users control of Flash cookies will soon be similar to control of ordinary cookies.

It doesn’t end there:

Still, we know the Flash Player Settings Manager could be easier to use, and we’re working on a redesign coming in a future release of Flash Player, which will bring together feedback from our users and external privacy advocates. Focused on usability, this redesign will make it simpler for users to understand and manage their Flash Player settings and privacy preferences. In addition, we’ll enable you to access the Flash Player Settings Manager directly from your computer’s Control Panels or System Preferences on Windows, Mac and Linux, so that they’re even easier to locate and use. We expect users will see these enhancements in the first half of the year and we look forward to getting feedback as we continue to improve the Flash Player Settings Manager.

Mysterious, sinister “Flash cookies” were Exhibit A in the argument for a Do Not Track regulation. There is no way that people can cope with the endless array of tracking technologies advertisers are willing to deploy, the argument went, so the government must step in, define what it means to be “tracked,” and require it to stop—without kneecapping the free Internet. (Good luck with that!)

But Flash cookies are now quickly taking their place as a feature that users can control from the browser (or OS), customizing their experience of the Web to meet their individual privacy preferences. This is not a panacea, of course: People must still be made aware of the importance of controlling Flash cookies, as well as regular cookies. New tracking technologies will emerge, and consumer-friendly information controls meeting those challenges will be required in response.

But if this is what the drawn-out “war” against tracking technologies looks like, color me pro-war!

In a few short months, Adobe has begun work on the controls needed to put Flash cookies under peoples’ control. The Federal Trade Commission—prospective imposer of peace through complex, top-down regulation—took more than a year to produce a report querying whether a Do Not Track regulation might be a good idea. This problem will essentially be solved (and we’ll be on to the next one) before the FTC would have gotten saddled up.

Yes, Adobe may have acted because of the threat of damaging government regulation. That seems always to be what gets these companies moving. Of course it does, when the primary modus operandi of privacy advocacy is to push for government regulation. Were the privacy community to work as assiduously on boycotts as acting through intermediary government regulators, change might come even faster.

We could do without the standing army of regulators. Having a government sector powerful enough to cow the business sector is costly, both in terms of freedom and tax dollars.

With the failure of Do Not Track, the vision of a free and open Internet—populated by aware, empowered individuals—lives on.

I’ve been bemused by a minor controversy about remarks Ryan Calo of Stanford University made to a New York Times reporter for this story on Internet privacy and government access.

“When your job is to protect us by fighting and prosecuting crime, you want every tool available,” said Ryan Calo, director of the consumer privacy project at the Center for Internet & Society at Stanford Law School. “No one thinks D.O.J. and other investigative agencies are sitting there twisting their mustache trying to violate civil liberties. They’re trying to do their job.”

That apparently didn’t sit well in some corners of the privacy community, and Calo felt obligated to explain the comment as though he had implied that DoJ efforts to undercut privacy should not be resisted. He hadn’t.

But evidently some people do think DoJ officials, or some relevant segment of them, are mustache-twisting privacy-haters. There are a few genuine oddballs committed to undercutting privacy, but it’s not worth casting aspersions on the entire security bureaucracy because of these few.

I believe the motivations of the vast majority of DoJ officials are good. They feel a real sense of honor from doing their self-chosen task of protecting the country from various threats. On average, they’ll likely weigh security and safety more heavily than the average privacy advocate or civil libertarian. Because they don’t think about privacy as much, they may not understand as well what privacy is and how to protect it consistent with pursuing justice. These are all good faith reasons why DoJ officials may undervalue and, in their work, undercut privacy. It is not necessary to believe that a dastardly enemy sits on Constitution Avenue mocking the document that street is named after.

The theory of the evil DoJ official says more about the theoretician than the DoJ. Experience in Washington has shown me that incompetence is almost always the better explanation than malice. (That’s not very nice, talking about “incompetence,” but there are some DoJ officials who lack competence in the privacy area.) Some people apparently need a dramatic story line to motivate themselves.

I’m sure it feels good to cast oneself as a white hat facing down a team of secretive, nefarious, government-sponsored black hats. But this mind-set gives away strategic leverage in the fight for privacy. The story is no longer how to protect privacy; it’s who is bad and who is good. Everyone (everyone thoughtful about messaging and persuasion, anyway) recognizes that Wikileaks veered off course by letting Wikileaks itself and Julian Assange become the story. We’re not having the discussion we should have about U.S. government behavior because of Assange’s self-regard.

I agree with my privacy brethren on the substance of the issues, but those who have similar self-regard, who insist on good-vs.-evil framing in order to cast themselves as heroic—they are closing the ears of DoJ officials they might reach and giving away opportunities to actually improve protections for privacy in the country.

So I say in Politico today. Highlights:

During his first two years in office, the president generated a lot of heat in the transparency area — but little sunlight. House Republicans can quickly outshine Obama and the Democratic Senate. It all depends on how they implement the watch phrase of their amendment package: “publicly available in electronic form.”
. . .
The House can reach the gold standard for transparency if its new practices make introducing a bill and publishing the bill online the same thing. Moving a bill out of committee and posting the committee-passed version as online data must also be the same thing. Voting on a bill and publishing all data about the vote online must be standard procedure.
. . .
The transparency community owes it to Congress to say how it wants to get the data.

Of course, I’ve fooled you just a little bit. The whole thing is a highlight! (ahem) Read it.

I laughed out loud when I read the following line in Harlan Yu’s post, “Some Technical Clarifications About Do Not Track“:

“[T]he Do Not Track header compels servers to cooperate, to proactively refrain from any attempts to track the user.”

(Harlan’s a pal, but I’m plain-spoken with friends just like everyone else, so here goes, buddy.)

To a policy person, that’s a jaw-dropping misstatement. An http header is a request. It has no coercive power whatsoever. (You can learn this for yourself: Take 30 minutes and write yourself a plug-in that charges ten cents to every site you visit. Your income will be negative 30 minutes of your time.)

Credit goes to the first commenter on his post who said, “What if they ignore the header? . . . Wouldn’t there also need to be legal penalties in place for violations, in order for this to work? (To encourage advertising companies to put in those lines of code.) Is this in the works?” Continue reading →

It might take Facebook a while to turn identity provision into a revenue opportunity, but if it is a money-maker, it could be a substantial one. Simson Garfinkel has a piece in Technology Review that goes into some of the things Facebook is doing with its “Connect” service.

As security professionals debate whether the Internet needs an “identity layer”—a uniform protocol for authenticating users’ identities—a growing number of websites are voting with their code, adopting “Facebook Connect” as a way for anyone with a Facebook account to log into the site at the click of a button.

It’s a good, relatively short article, worth a read.

As an online identity provider, Facebook could facilitate secure commerce and communication in a way that’s easy and familiar for consumers. That adds value to the Internet ecosystem, and Facebook may be able to extract some of the surplus for itself—perhaps by charging sites and services that are heavy users small amounts per login via Connect. The security challenges of such a system would grow as more sites and services rely on it, of course, and Garfinkel highlights them in an accessible way.

Quibbles are always more interesting, so I’ll note that I cocked my head to one side where Garfinkel asks “whether it’s a good thing for one company to hold such a position of power.” Strange.

Taking “power” in its philosophical sense to mean “a measure of an entity’s ability to control its environment, including the behavior of other entities,” Facebook Connect gives the company very little power. Separate, per-site logins—or a parallel service that might be created by Google, for example—are near at hand and easy to switch to for anyone who doesn’t like Facebook’s offering.

Ironically, Garfinkel refers to these identity services as “Internet driver’s licenses,” inviting a comparison with the power structure in the real-world licensing area. If you want to drive a car legally, there are no alternatives to dealing with the state, so the state can impose onerous conditions on licensing. Drivers’ licenses require one to share a great deal of information, they cost a lot of money (relative to Facebook’s dollar price of “free”), and switching is not an option if the issuer starts to change the bargain and enroll licensees in a national ID system. Garfinkel himself noted how drivers’ licenses enhance state power in a good 1994 Wired article.

In sum, the upsides of an identity marketplace are there, for both consumers and for Facebook. The downsides are relatively small. The “power” exercised by any provider in a marketplace for identity provision is small compared to the alternative of using states as identity providers.