Privacy, Security & Government Surveillance

FTC sacrifices the rule of law for more flexibility; Commissioner Ohlhausen wisely dissents

by Geoffrey Manne on August 2, 2012 · 1 comment

On July 31 the FTC voted to withdraw its 2003 Policy Statement on Monetary Remedies in Competition Cases. Commissioner Ohlhausen issued her first dissent since joining the Commission, and points out the folly and the danger in the Commission’s withdrawal of its Policy Statement.

The Commission supports its action by citing “legal thinking” in favor of heightened monetary penalties and the Policy Statement’s role in dissuading the Commission from following this thinking:

It has been our experience that the Policy Statement has chilled the pursuit of monetary remedies in the years since the statement’s issuance. At a time when Supreme Court jurisprudence has increased burdens on plaintiffs, and legal thinking has begun to encourage greater seeking of disgorgement, the FTC has sought monetary equitable remedies in only two competition cases since we issued the Policy Statement in 2003.

In this case, “legal thinking” apparently amounts to a single 2009 article by Einer Elhague. But it turns out Einer doesn’t represent the entire current of legal thinking on this issue. As it happens, Josh Wright and Judge Ginsburg looked at the evidence in 2010 and found no evidence of increased deterrence (of price fixing) from larger fines:

If the best way to deter price-fixing is to increase fines, then we should expect the number of cartel cases to decrease as fines increase. At this point, however, we do not have any evidence that a still-higher corporate fine would deter price-fixing more effectively. It may simply be that corporate fines are misdirected, so that increasing the severity of sanctions along this margin is at best irrelevant and might counter-productively impose costs upon consumers in the form of higher prices as firms pass on increased monitoring and compliance expenditures. Continue reading →

1 comment

Petitioning WH.gov: TSA’s Strip-Search Machines

by Jim Harper on July 30, 2012 · 1 comment

[Update II: The petition has now expired, about 2,500 signatures shy of the 25,000 needed to require a White House response.]

[Update: The D.C. Circuit Court of Appeals has accepted CEI’s amicus brief and ordered the TSA to answer EPIC’s petition. It is common for courts to simply reject petitions of this kind, so this is important progress in the effort to get TSA to follow the law.]

Will the White House give us a substantive answer or not?

A few weeks ago, we ‘celebrated’ the one-year anniversary of a court order requiring the TSA to do a notice-and-comment rulemaking on its policy of using strip-search machines for primary screening at airports. It’s been a year and the TSA has shown no action.

The Electronic Privacy Information Center, which brought the original case, filed a petition asking the D.C. Circuit Court of Appeals to require action on the TSA’s part. The Competitive Enterprise Institute and many other friends of the court chimed in with an amicus brief highlighting issues in the case. I emceed a Cato Capitol Hill briefing on the topic.

But the real fun has been with a petition on Whitehouse.gov asking the president to make the TSA follow the law. When I put that up there, the issue took off. Stories and links went out on Ars Technica, Wired, and the Washington Times, just to name a few. People sent notices out to their email lists. And there was plenty of Tweeting, blogging, reTweeting, reblogging.

The <a href=""petition”>https://petitions.whitehouse.gov/petition/require-transportation-security-administration-follow-law/tffCTwDd”>petition is nearing 16,000 signatures (of 25,000 needed to require a response from the White House). That would be great to have, though not essential. The PR value has already been gained.

PR value is real value in Washington, D.C., and to illustrate that value, inveterate friend of liberty Will Hayworth whipped up a little code to grab the locations of the people that named their location when they signed the petition, and he put them on a Google map. It’s a nice illustration of the nationwide distaste for the TSA’s policy—and its refusal to implement the policy consistent with the law.

Take a look and see how many people from your state or town have signed on. Do your friends need a reminder? Send them the link to the petition page!

Locations of Signers to “TSA—Follow the Law” Petition

Petitioning isn’t going to upend government, but it is an organizing idea with a constitutional pedigree—the First Amendment. So if you think TSA should follow the law, well, maybe you should <a href=""join”>https://petitions.whitehouse.gov/petition/require-transportation-security-administration-follow-law/tffCTwDd”>join in the fun!

If we get 25,000 signatures by August 9th, the White House will have to respond.

1 comment

Parmy Olson on Anonymous and LulzSec

by Jerry Brito on July 24, 2012

Parmy Olson, London Bureau chief for Forbes, discusses her new book We are Anonymous: Inside the Hacker World of Lulzsec, Anonymous and the Global Cyber Insurgency. The book is an inside look at the people behind Anonymous, explaining the movement’s origins as a group of online pranksters, and how they developed into the best known hacktivist organization in the world. Olson discusses the tension that has existed between those that would rather just engage in pranks and those that want to use Annoymous to protest different groups they see as trying to clamp down on internet freedom, as well as some of the group’s most famous campaigns like the attacks against the Church of Scientology and the campaign against Paypal and Mastercard. Olson also describes the development of LulzSec which became famous for a series of attacks in 2011 on high profile websites including Fox, PBS, Sony, and the CIA.

Download

Revised Cybersecurity Act Makes Meaningful Progress on Privacy

by Ryan Radia on July 20, 2012 · 0 comments

By Ryan Radia and Berin Szoka

A new version of the Cybersecurity Act of 2012 was introduced last night (PDF), and a vote on the Senate floor reportedly may occur as early as next week. Although we’re still digesting the 211-page bill, its revised information sharing title stands out for its meaningful safeguards regarding what cybersecurity information may be shared by providers and its limits on how government may use shared information. Such prudence is of utmost importance in any bill that gives private entities blanket immunity from civil and criminal laws, including the common law, for activities such as cybersecurity information sharing.

By way of background, our organizations—the Competitive Enterprise Institute and TechFreedom— joined several other free market groups in sending a coalition letter to House leadership back in April regarding CISPA (which ultimately passed that chamber). While we support legislation streamlining federal laws to ensure cybersecurity information flows freely among private companies and, where appropriate, to and from the government, we urged important changes to CISPA to limit potential governmental abuses and meaningfully protect individuals’ private information. Unfortunately, most of our suggestions were not reflected in the final version of that bill.

We’re very glad to see that many of our free market principles are now reflected in Title VII of the Cybersecurity Act (the part of the bill that deals with information sharing). The bill’s sponsors adopted many significant, positive changes to Title VII to better protect privacy and individual liberties, including:

Allowing individuals harmed by governmental misuse of shared cyber threat information to sue the federal government for actual or statutory damages of $1000 (whichever is greater);
Proscribing all governmental use and sharing of cyber threat information for purposes unrelated to cybersecurity, except to avert imminent threats of death or serious bodily harm or sexual exploitation of minors;
Barring the federal government from conditioning the award of a federal grant, contract, or purchase on a private entity’s sharing of cybersecurity threat information (except in limited circumstances);
Immunizing only private entities that share cybersecurity threat information upon a reasonable and good faith belief that such sharing is authorized by the Title;
Providing for meaningful oversight of information sharing and use by the Privacy and Civil Liberties Oversight Board.

We also applaud Senators Franken, Durbin, Coons, Wyden, Blumenthal, and Sanders, whose efforts made these important revisions to the Cybersecurity Act possible. It’s not every day that CEI or TechFreedom praise members of Congress—or government in general! We do so here because the changes to Title VII of the Cybersecurity Act will meaningfully reduce the likelihood that the bill, if enacted, will enable government to impermissibly access and abuse citizens’ private information. (For more on changes to the Cybersecurity Act, see this ACLU blog post by Michelle Richardson.)

To be sure, we still have serious concerns about Title VII of the bill — and even greater concerns about other provisions in the bill, especially those regulating cybersecurity of “critical infrastructure”. We’ll offer plenty of criticism about those provisions in coming days, but for now, seeing a few rays of light from Capitol Hill is enough to give us pause.

0 comments

Video: How I Think about Privacy

by Adam Thierer on July 19, 2012 · 0 comments

Last month, it was my great privilege to be invited to deliver some remarks at the University of Maine’s Center for Law and Innovation (CLI) as part of their annual “Privacy in Practice” conference. Rita Heimes and Andrew Clearwater of the CLI put together a terrific program that also featured privacy gurus Harriet Pearson, Chris Wolf, Omer Tene, Kris Klein and Trevor Hughes. [Click on their names to watch their presentations.] In my remarks, I presented a wide-ranging (sometimes rambling) overview of how privacy policy is unfolding here in the U.S. as compared to the European Union, and also offered a full-throated defense of America’s approach to privacy as compared to the model from the other side of the Atlantic that many now want us to adopt here in the U.S. I also identified the many interesting parallels between online child safety policy and privacy policy here in the U.S. and discussed how we can apply a similar toolbox of solutions to problems that arise in both contexts. If you’re interested, I’ve embedded my entire 20-minute speech below, but I encourage you to also check out the other speakers videos that the folks at the CLI have posted on their site here. And keep an eye on the Maine Center for Law and Innovation; it is an up and coming powerhouse in the field of cyberlaw and Internet policy.

0 comments

We Must Take UN’s Internet Grab Seriously

by Steven Titch on June 21, 2012 · 2 comments

Thanks to TLFers Jerry Brito and Eli Dourado, and the anonymous individual who leaked a key planning document for the International Telecommunication Union’s World Conference on International Telecommunications (WCIT) on Jerry and Eli’s inspired WCITLeaks.org site, we now have a clearer view of what a handful of regimes hope to accomplish at WCIT, scheduled for December in Dubai, U.A.E.

Although there is some danger of oversimplification, essentially a number of member states in the ITU, an arm of the United Nations, are pushing for an international treaty that will give their governments a much more powerful role in the architecture of the Internet and economics of the cross-border interconnection. Dispensing with the fancy words, it represents a desperate, last ditch effort by several authoritarian nations to regain control of their national telecommunications infrastructure and operations

A little history may help. Until the 1990s, the U.S. was the only country where telephone companies were owned by private investors. Even then, from AT&T and GTE on down, they were government-sanctioned monopolies. Just about everywhere else, including western democracies such as the U.K, France and Germany, the phone company was a state-owned monopoly. Its president generally reported to the Minster of Telecommunications.

Since most phone companies were large state agencies, the ITU, as a UN organization, could wield a lot of clout in terms of telecom standards, policy and governance–and indeed that was the case for much of the last half of the 20th century. That changed, for nations as much as the ITU, with the advent of privatization and the introduction of wireless technology. In a policy change that directly connects to these very issues here, just about every country in the world embarked on full or partial telecom privatization and, moreover, allowed at least one private company to build wireless telecom infrastructure. As ITU membership was reserved for governments, not enterprises, the ITU’s political influence as a global standards and policy agency has since diminished greatly. Add to that concurrent emergence of the Internet, which changed the fundamental architecture and cost of public communications from a capital-intensive hierarchical mechanism to inexpensive peer-to-peer connections and the stage was set for today’s environment where every smartphone owner is a reporter and videographer. Telecommunications, once part of the commanding heights of government control, was decentralized down to street level.

Continue reading →

2 comments

Why Mandatory Online Age Verification is So Problematic: What Expert Task Forces Have Found

by Adam Thierer on June 18, 2012 · 4 comments

There was an important article about online age verification in The New York Times yesterday entitled, “Verifying Ages Online Is a Daunting Task, Even for Experts.” It’s definitely worth a read since it reiterates the simple truth that online age verification is enormously complicated and hugely contentious (especially legally). It’s also worth reading since this issue might be getting hot again as Facebook considers allowing kids under 13 on its site.

Just five years ago, age verification was a red-hot tech policy issue. The rise of MySpace and social networking in general had sent many state AGs, other lawmakers, and some child safety groups into full-blown moral panic mode. Some wanted to ban social networks in schools and libraries (recall that a 2006 House measure proposing just that actually received 410 votes, although the measure died in the Senate), but mandatory online age verification for social networking sites was also receiving a lot of support. This generated much academic and press inquiry into the sensibility and practicality of mandatory age verification as an online safety strategy. Personally, I was spending almost all my time covering the issue between late 2006 and mid-2007. The title of one of my papers on the topic reflected the frustration many shared about the issue: “Social Networking and Age Verification: Many Hard Questions; No Easy Solutions.”

Simply put, too many people were looking for an easy, silver-bullet solution to complicated problems regarding how kids get online and how to keep them safe once they get there. For a time, age verification became that silver bullet for those who felt that “we must do something” politically to address online safety concerns. Alas, mandatory age verification was no silver bullet. As I summarized in this 2009 white paper, “Five Online Safety Task Forces Agree: Education, Empowerment & Self-Regulation Are the Answer,” all previous research and task force reports looking into this issue have concluded that a diverse toolbox and a “layered approach” must be brought to bear on these problems. There are no simple fixes. Specifically, here’s what each of the major online child safety task forces that have been convened since 2000 had to say about the wisdom of mandatory age verification: Continue reading →

4 comments

Banning Kids from Facebook is Like Banning Kids from Parks & Shopping Malls

by Adam Thierer on June 14, 2012 · 3 comments

In my most recent weekly Forbes column, “Common Sense About Kids, Facebook & The Net,” I consider the wisdom of an online petition that the child safety advocacy group Common Sense Media is pushing, which demands that Facebook give up any thought of letting kids under the age of 13 on the site. “There is absolutely no proof of any meaningful social or educational value of Facebook for children under 13,” their petition insists. “Indeed, there are very legitimate concerns about privacy, as well as its impact on children’s social, emotional, and cognitive development.” Common Sense Media doesn’t offer any evidence to substantiate those claims, but one can sympathize with some of the general worries. Nonetheless, as I argue in my essay:

Common Sense Media’s approach to the issue is short-sighted. Calling for a zero-tolerance, prohibitionist policy toward kids on Facebook (and interactive media more generally) is tantamount to a bury-your-head-in-sand approach to child safety. Again, younger kids are increasingly online, often because their parents allow or even encourage it. To make sure they get online safely and remain safe, we’ll need a different approach than Common Sense Media’s unworkable “just-say-no” model.

Think about it this way: Would it make sense to start a petition demanding that kids be kept out of town squares, public parks, or shopping malls? Most of us would find the suggestion ludicrous. Continue reading →

3 comments

Ryan Radia Debates CISPA

by Jim Harper on June 12, 2012 · 3 comments

I’m impressed with the job Ryan Radia did in this Federalist Society podcast/debate about CISPA, the Cyber Intelligence and Sharing Protection Act.

It’s also notable how his opponent Stewart Baker veers into a strange ad hominem against “privacy groups” in his rejoinder to Ryan. Baker speaks as though arguable overbreadth in privacy statutes written years ago makes it appropriate to scythe down all law that might affect information sharing for cybersecurity purposes. That’s what language like “[n]otwithstanding any other provision of law” would do, and it’s in the current version of the bill three times.

3 comments

Your right to be forgotten and my right to speak

by Jerry Brito on June 7, 2012 · 2 comments

Earlier this week I interviewed Andrew Keen about his new book, Digital Vertigo, and pressed him on his support for a ‘right to be forgotten.’ I noted that such a right would conflict with free speech rights, and he begged to differ.

“My own data, which I have published on the web, I should have a right, if I choose, for that data to go away,” he said. “That doesn’t impact in any way on your right to speak.”

This is a view of the EU’s proposal that I’ve heard from several folks, and I wanted to take a moment to explain why it’s mistaken. If the proposed EU right only covered information held by you that you wanted to unpublish–from Facebook, Tumblr, a self-hosted blog, etc.–then we wouldn’t need a right. Those services give you that ability right now, and if they didn’t, I don’t think folks would patronize them.

No, the right that Vivianne Redding has outlined is not a right to erase information held by oneself, but a right to erase data held about oneself. For example, in researching this post, I searched for an essay by Joris van Hoboken, an info law PhD candidate in Amsterdam, that made a great case against the right to be forgotten. As it turns out, the blog post I was looking for had been removed. His whole site is down, perhaps for technical reasons, but perhaps because he has changed his mind and is now embarrassed by his previous views and wants them erased from the internet. Luckily, I had saved the essay in Evernote and you can see it here.

Now, van Hoboken might have the power under copyright law to make me take down the essay, but he has no right to keep me from writing about the fact that he wrote such a (potentially embarrassing) essay and even summarizing or excerpting it. That is the right that the EU would like to confer on citizens, and my right to speak is the one it wants to curtail.

The proposal does state that a “controller shall carry out the erasure without delay, except to the extent that the retention of the personal data is necessary for exercising the right of freedom of expression[.]” The problem with this exemption is that it creates an opportunity for the government to decide what kind of speech qualifies as legitimate expression, and which one does not. I would like to see those opportunities limited.

In his book, Keen is critical of the twittering masses who disobeyed the British High Court’s superinjunction on speaking about Ryan Gigg’s extramarital affair. Keen might think that such superinjunctions are legitimate and appropriate, and that the state should sometimes determine what content is and is not appropriate for free expression. But that’s different from pretending that a right to privacy does not conflict with a right to free speech.

Paul Bernal puts his finger on it when he writes,

[T]he cultural differences in attitudes to privacy and free speech in the EU and the US. In the EU, and particularly in Germany, privacy is taken very seriously, and the rights that people have over data are considered crucial. In the US, privacy very much takes second place to free speech – anything that can even slightly infringe on free speech is likely to face short shrift. The right to be forgotten has been very actively opposed in the US on those grounds–Jeffrey Rosen in the Stanford Law Review calling it the ‘biggest threat to free speech on the internet in the coming decade’.

Who is right? Neither, really. The right is not what its more active opponents in the US think it is–but neither has it been written tightly enough and carefully enough to provide the kind of practical, realisable right to delete personal data that the EU would like to see.

Yes, our cultural lenses do make us see free speech in different ways. And yes, maybe we in the U.S. are a bit sensitive about our speech rights. But the way the proposal is written now, we have good reason to be. It would not be too difficult to use such a ‘right’ for censorship.