My audio wrap-up of the FISA fight is here.
Privacy, Security & Government Surveillance 
When he’s opining in his areas of expertise, especially copyright law, Larry Lessig is often a brilliant scholar with important things to say. Unfortunately, when he wanders outside of his area of competence, he tends to be a lot less perceptive. Consider, for example this incredibly wrong-headed defense of his FISA vote:
Obama has not shifted in his opposition to immunity for telcos: As he has consistently indicated, he opposes immunity. He voted to strip immunity from the FISA compromise. He has promised to repeal the immunity as president. His vote for the FISA compromise is thus not a vote for immunity. It is a vote that reflects the judgment that securing the amendments to FISA was more important than denying immunity to telcos. Whether you agree with that judgment or not, we should at least recognize (hysteria notwithstanding) what kind of judgment it was. The amendments to FISA were good. Getting a regime that requires the executive to obey the law is important. Whether it is more important than telco immunity is a question upon which sensible people might well differ. And critically, the job of a Senator is to weigh the importance of these different issues and decide, on balance, which outweighs the other. This is not an easy task. I don’t know, for example, how I personally would have made the call. I certainly think immunity for telcos is wrong. I especially think it wrong to forgive campaign contributing telco companies for violating the law while sending soldiers to jail for violating the law. But I also think the FISA bill (excepting the immunity provision) was progress. So whether that progress was more important than the immunity is, I think, a hard question. And I can well understand those (including some friends) who weigh the two together, and come down as Obama did (voting in favor).
The amendments to FISA were not “good.” There’s just no way you can characterize the FISA amendments as an improvement over what was already on the books. They sure as hell aren’t “a regime that requires the executive to obey the law,” except perhaps in the trivial sense that they’re so permissive that the Bush administration may not need to break the law in order to continue its dragnet surveillance activities. The amendments eliminate meaningful judicial oversight for overseas communications—allowing broad “authorizations” that don’t name specific individuals, allowing the judicial review process to drag out for months while surveillance continues, and allowing the government to bypass the courts and send “directives” directly to telcos. This is not a structure that will lead to meaningful scrutiny of eavesdropping by the judicial branch.
Since Lessig doesn’t explain what’s “good” about the amendments, or how they constitute progress, I’m not really sure how to respond. I explained why the amendments are bad in detail here, should he come across this post perhaps he can read that and tell me where I went off the rails. But I do wonder whether it made an impression on him that virtually everyone outside the Democratic leadership regards this as an unadulterated victory for the White House. If this represented “progress” that places new restraints on the executive branch, why did almost every Republican in Congress vote for it? Why have we seen nothing but cheering from National Review, Human Events and other partisans for executive power? Everyone on the right knows they won. Everyone on the left knows they lost. The only people who think this was a tough compromise are senior Democrats in Congress who have an obvious interest in exaggerating their toughness. And Larry Lessig, apparently.
Mike is completely right to point out that Sen. Hatch’s comment that “Congress should not condone oversight through litigation” is absurd. Judicial scrutiny of executive branch activities is precisely what the Founders had in mind when they set up three branches of government, and the courts were doing exactly what they were designed to do.
But I also want to point out another absurd thing about Hatch’s statement: even if we granted that oversight-through-litigation isn’t the way to go, shouldn’t he be putting forward some other oversight mechanism? Like a warrant requirement, for example? Or aggressive Congressional hearings? One can imagine taking this kind of argument seriously if the opponents of the lawsuits were putting forward some other mechanism for holding the government and the phone companies accountable for their actions. But as far as I can tell, the Republicans, along with a depressing number of Democrats, are utterly uninterested in any kind of oversight at all, whether it comes from the legislative or judicial branches. The goal isn’t to replace “oversight through litigation” with oversight through some other, more effective process. The goal is to avoid having to do any oversight at all.
Coming off last week’s July 4 recess, the Senate held a hearing on the privacy implications of online advertising. Online ads, behavioral tracking, targeted ads – whatever you might call it – has been an explosive policy issue, but today’s hearing was mostly just sparklers, with only a few bottle rockets here and there.
The big players were there–Google, Microsoft, Facebook and NebuAd–minus the ISPs, which Dorgan called out as being absent (which is why there will be another online ads hearing just for the ISPs, sure to be full of loud M-80s).
Key concepts mentioned over and over: Self Regulation; the need for Baseline Privacy Law; Pseudo-Anonymous; Opt-in vs. Opt-out; Choice.
Key Principle #1 – Self Regulation
All the witnesses espoused the need for self regulation. I’ve never liked this term, as it sounds like more of a system of conscious personal health management than a public policy strategy. Alas, it’s the lingua franca of pro-market forces in Washington.
Google, not surprisingly, is a supporter of self-regulation when it comes to online advertisements (but see baseline privacy law below). Most surprisingly, Google took very little heat from the Committee. There weren’t any questions about why it took so long to have a privacy link on its website – which Google added only a few days ago. Was the hearing, hmm, hmm, a catalyst toward this sort of “self regulation”?
The FTC is pushing for “self-regulation” principles, which I describe more in a previous post. Continue reading →
From pp. 141-143 of The FBI and American Democracy:
For inexplicable reasons, [John Malone, head of the FBI’s New York Field Office in the 1960s], had not complied with the record destruction requirements of the Do Not File procedure. His failure to do so preserved a massive file (amounting to twenty-seven volumes) that documented the number and targets of break-ins conducted by New York agents, identified the agents participating, and contained the specific records of the targeted individuals or organizations that agents had photographed… Because the Malone file confirmed that, in 1972 and 1973, New York agents had conducted break-ins during an investigation of the Weather Underground activists, a practice that fell within the five-year statute of limitations, Justice Department officials accordingly instituted a criminal inquiry that led to the indictment of John Kearney, the FBI supervisor who headed the New York break-in squad (identifiable from the Malone records). FBI agents nationwide bitterly criticized Kearney’s indictment, protesting that he had been following worders. Further investigation led to the May 1977 discovery of thirteen break-in authorization memoranda at FBI headquarters. Consequently, in April 1978, Justice Department officials dropped the Kearney incitment and indicted, instead, former Acting FBI Director L. Patrick Gray III, former FBI Associate Director W. Mark Felt [AKA “Deep Throat”], and former FBI Assistant Director Edward Miller for having authorized illegal practices. Gray subsequently succeeded in having his trial severed from that of Felt and Miller, arguing that he had been misled and had no knowledge of the Weather Underground break-ins. Conceding the weakness of their case against Gray, Justice Department officials dropped the crimnal charges against him in December 1980. Felt and Miller were convicted. But President Ronald Reagan pardoned them on March 26, 1981, on the grounds that “they acted not with criminal intent, but in the belief that they had grants of authority reaching to the highest levels of government.”
Is it too much to hope that history repeats itself when President Obama takes office? Minus the pardon, preferably.
More fun stuff from page 100 of the Theoharis boo:
FBI officials were interested in the sexual indiscretions of elected memebrs of Congress. FBI agents were specifically encouraged to report and record any such discoveries and to do so discreetly. During an interview with the so-called Pike Committee in 1975, a former FBI agent described this practice. Puzzled over why such information was being collected, the agent claimed to have consulted his boss, FBI Assistant Director Cartha DeLoach. He then recounted DeLoach’s response: “The other night we picked up a situation where the Senator was seen drunk, in a hit-and-run accident, and some good-looking broad was with him. He [DeLoach] said, ‘We got the information, reported it in a memorandum’ and DeLoach—and this is an exact quote—he said ‘by noon of the next day the good Senator was aware that we had the information and we never had any trouble with him on appropriations since.'”
Now, I have no evidence that today’s NSA or FBI is doing anything like this. But of course, someone in the 1960s wouldn’t have realized what the FBI was doing then, either. We certainly shouldn’t be passing legislation making this sort of thing easier to pull off and harder to uncover.
I’m boning up on the history of the FBI, reading Athan Theoharis’s The FBI and American Democracy. So far, I’ve gotten from the FBI’s inception (100 years ago this month) to midcentury. The most remarkable thing about it is how familiar it all seems. As Theoharis tells the story, the FBI has, from its inception, pushed for ever broader authority to spy on Americans. During the first half of the 20th century, it pushed relentlessly for broader statutory authority. When Congress would not give it the authority it wanted, it sought authorization from senior executive branch officials for authorization to break the law. If authorization wasn’t fortcoming, the bureau would often do what it wanted anyway and not tell its nominal superiors of its activities.
A few illustrative anecdotes:
Too funny. Anti-Google gadfly Scott Cleland has coined a hilarious new name for the company to highlight his privacy concerns with the search giant and its business practices. My chief concern now is . . . Which executive do we suspect of being a cross-dresser?
Cleland has a point. Foremost, I think, the judge that ordered Google to disclose a great mass of YouTube viewer information is being cavalier with the legitimate privacy concerns in a data-dump that big. I don’t share Berin’s confidence that a protective order will control access to, and uses of, this information. Data is so, so volatile.
But the judge is in a position to rule like this because Google collects and keeps so much information.
I have complimented Google on good practices in the past, but the modesty of the steps it has taken to protect user privacy is showing. At the time, their niggardly protective efforts forced them to try importing shades of gray into a circumstance that is black or white: They said their logs were “much more anonymous” than before, rather than flatly anonymous.
Well, they’re ‘not very anonymous’ if they have IP addresses and usernames in them, are they. But Google also boxed itself into a corner by arguing elsewhere that IP addresses aren’t really personally identifiable information.
“We . . . are strong supporters of the idea that data protection laws should apply to any data that could identify you. The reality is though that in most cases, an IP address without additional information cannot.” (‘Sure, we love the heavy regulatory regime you’ve got going because we love privacy, but let’s not include IP addresses, mkay?’)
The modesty of its protective steps, and the company’s go-along get-along approach to regulators in Europe (+ would-be Europeans here in the States), are coming home to roost. Instead of taking great strides to protect privacy and telling regulators to just back off, Google has taken small steps and tripped over its shoelaces.
‘J. Edgar Google’ has created the circumstances in which a judge can require them to hand over lots of personally identifiable user data. It’s a situation in which few people believe they will be protected.
The Technology Liberation Front is the tech policy blog dedicated to keeping politicians' hands off the 'net and everything else related to technology.