Chris Soghoian – Technology Liberation Front
https://techliberation.com
Keeping politicians' hands off the Net & everything else related to technology

If NCMEC’s Going to Regulate the Internet for Child Porn, It Should At Least Be Subject to FOIA
https://techliberation.com/2009/08/09/if-ncmec%e2%80%99s-going-to-regulate-the-internet-for-child-porn-it-should-at-least-be-subject-to-foia/
Sun, 09 Aug 2009 20:51:10 +0000

Last year, my PFF colleague Adam Thierer asked whether “State AGs + NCMEC = The Net’s New Regulators?” Adam noted that NCMEC, the National Center for Missing and Exploited Children, a private non-profit organization, was playing a law enforcement role in regulating child pornography—but without any clear mechanisms for ensuring its accountability and effectiveness. Adam’s point wasn’t just that transparency is a good thing, but that when it comes to a cause as important as protecting children from exploitation, it’s vital to ensure that we’re actually doing a good job at it!

Yesterday, Emmanuel Lazaridis commented on that post:

Given the increasing regulatory and investigative powers of the NCMEC, it is no longer clear whether or not the [Freedom of Information Act] applies to NCMEC records. We are about to find out. I am right now bringing a case against the NCMEC in federal court for access to records under the FOIA and, failing that, for discovery under 28 U.S.C. § 1782(a).

Mr. Lazaridis’s complaint in the D.C. District Court claims that Lazaridis (a Greek national) has been unfairly deemed a fugitive from U.S. justice for having taken his daughter to Greece over the objections of the girl’s American mother, Lazaridis’s ex-wife. NCMEC got involved by placing the girl on their MissingKids.com registry of abducted children. Lazaridis wants the court to recognize his custody, deem him not to be a fugitive, and to order NCMEC to turn over all their records on the girl.

This is, of course, just one side of the story (and such cases are usually so complicated as to be indecipherable to outsiders). But even if Lazaridis’s case were wholly without merit, his basic argument would be a sound one: Why shouldn’t NCMEC, in exercising any of its essentially governmental functions, be subject to the same accountability requirements through FOIA as the FBI would be?

When the issue is the Lazaridis family’s trans-Atlantic custody battle, it may seem easy to ignore this question. But when NCMEC is essentially making policy regarding filtering Internet content, blacklisting websites, turning over user logs to law enforcement, or “cleaning up” Craigslist, the question of NCMEC’s accountability under FOIA cannot be avoided as a critical decision about the future of Internet governance.

On the heels of Adam’s piece last year, controversialist Chris Soghoian suggested one answer:

Given its status as a sacred cow, we cannot expect any politician to pay heed to calls to overhaul NCMEC or subject it to oversight. However, what we can do, is call for the nationalization of the National Center for Missing and Exploited Children.

Think of it this way: We have a drug czar, a war czar, a copyright czar, and will likely have a cybersecurity czar and car czar under the next administration. Why not throw a child porn czar into the mix? Nationalize NCMEC, make all of its workers federal employees, with good health care and job security, and perhaps even expand its budget–after all, it does good work, right? NCMEC’s job is simply too important to be entrusted to a nonprofit group–such a task can only be performed by a fully trained and funded law enforcement agency (one, which conveniently enough, is subject to the Freedom of Information Act, congressional oversight, and constitutional requirements for due process.)

Despite my differences with Chris, he’s often right and may be here, too. He’s certainly right that Congress is unlikely to address the problem of NCMEC’s accountability given the sensitivity of the issue of child protection.

But, fortunately, we live in a republic, not a pure democracy: Our third branch of government, the courts, exists to enforce the rule of law; being somewhat insulated from political pressure, the courts provide a final check on the authority even of the almighty NCMEC. So while Chris’s nationalization proposal might well be the ideal solution, it hasn’t happened yet—nine months later to the day, and it’s probably not high on the Obama administration’s list of czarist reforms.

But simply by ordering NCMEC to comply with FOIA, the Lazaridis court could, with the stroke of a pen, bring accountability to NCMEC’s law enforcement functions. The legal question is simple: Does NCMEC qualify as an “agency,” which FOIA defines as an “authority of the Government of the United States?”

If so, NCMEC must not only respond to requests for certain of its “records,” but it must also follow a rule-making process akin to that required of federal agencies when they make policy decisions, offering the public appropriate notice and the opportunity to comment on proposed regulations—instead of, say, threatening Internet companies behind closed doors (sometimes the same companies that later make generous donations to NCMEC) or cutting deals with state attorneys general.

It turns out that this is not a new issue. Federal courts have had to decide whether a number of quasi-governmental entities qualify as “agencies” over the years, especially given the trend towards privatization over the last three decades. Some organizations, like the Smithsonian Institution, have decided to comply with FOIA even though courts have held that they’re not required to do so. NCMEC could have allayed all these concerns years ago by doing the same thing, but absent a change in management at the organization, it seems only a court order will force the organization to open its “black box” of decision-making to public inquiry.

In a number of other circumstances, courts have required nominally private organizations to comply with the federal FOIA or its state equivalents. A thorough (if dated) treatment of this issue can be found in the 1999 law review article, Privatization and the Freedom of Information Act: An Analysis of Public Access to Private Entities Under Federal Law by Craig Feiser, Florida’s deputy solicitor general and an adjunct at FSU Law. Feiser explains:

When Congress amended FOIA in 1974, it added section 552(f)(1) and broadened the definition of “agency” to include entities not explicitly mentioned under the APA, but which “perform governmental functions and control information of interest to the public.”

In deciding whether a private organization qualifies as an agency subject to FOIA, courts have considered two factors.

One factor asks whether the entity has substantial independent authority in performing a function of the government, making it the functional equivalent of the government. The other factor asks whether the government substantially controls the entity’s day-to-day operations or organizational framework. In using either factor, the court is essentially asking to what degree the entity is performing a government function. In one case, the government is pulling nearly all of the strings; in the other case, the entity is making decisions independently for the government.

Financially, NCMEC is largely a creature of government: 70% of NCMEC’s $42 million budget in 2007 came from the government. But as Feiser notes, funding does not always mean control. Government control over NCMEC’s internal decisions is unclear. Indeed, the very lack of government control over an organization essentially regulating the Internet and imposing criminal sanctions that could follow convicted “sex offenders” for life would by itself be an enormous problem.

But given what NCMEC actually does, it obviously qualifies as an “agency” subject to FOIA under the “functional equivalence factor,” which as Feiser explains,

basically represents the opposite situation from the control factor. Here, the entity is functioning independently, but making decisions for the government, as opposed to having its decisions made by the government. In effect, it is the functional equivalent of the federal government, and, therefore, it should be an “agency” under the FOIA.

I’ll be watching the Lazaridis case closely, hoping that the court sees NCMEC for what it is: a private organization tasked with implementing not just any government function, but the enforcement of laws against the most vulnerable victims in society. Absent such a recognition, NCMEC will continue to grow into an unaccountable regulator for the Internet.

Today, the only public oversight of NCMEC required by law is the requirement that NCMEC (like any non-profit with federal tax-exempt 501(c)(3) non-profit status) file a Form 990 each year disclosing basic information about its finances. That report does not list NCMEC’s donors, because donors have a First Amendment right to remain anonymous, but a more transparent organization would, like my own think tank, at least identify its major donors. The 2006 and 2007 Form 990s do reveal a few interesting things, though, about what NCMEC does with its budget (70% of which comes from the taxpayer):

  • NCMEC’s CEO, Ernie Allen, was paid $359,191 plus $411,636 in benefits in 2006 (PDF p. 46) and $409,821 plus $426,540 in benefits in 2007 (PDF p. 19), for a total of $1.6 million in two years (roughly $800,000/year);
  • Not counting Allen, NCMEC spent $778,564 on its top five highest-paid employees in 2006 ($155,713/employee), and $875,657 in 2007 ($175,131/employee) (PDF p. 10 in both);
  • 31% of NCMEC’s 2006 revenues and 35% of its 2007 revenues went to salaries (PDF pp. 1 & 2 in both); and
  • NCMEC had 104 employees paid over $50,000 in 2006 (PDF p. 10) and 116 in 2007 (PDF p. 10).

I’d be reluctant to suggest that anyone at NCMEC was more interested in money than in protecting children, but if given the choice, we’d all prefer to do well while doing good. So if Allen were smart, he’d realize that a court order subjecting NCMEC to FOIA might be the best of all possible worlds: Requiring real accountability would neutralize calls for nationalizing NCMEC, allowing the organization to continue operating as a non-profit that can pay quite a bit better than the Federal civil service. Even the Senior Executive Service, for agency heads, maxes out at a measly $177,000/year.

Of course, if NCMEC’s records and decisions to regulate the Internet were subject to FOIA, the organization might not be able to… “convince” the Internet companies it essentially regulates to write large checks to NCMEC. But even this tax-hating libertarian would be hard-pressed to argue against funding the enforcement of laws against child pornography, abduction and exploitation with taxpayer dollars.

As the grandson of an FBI agent, whose framed credentials hang in a place of pride in my office (stamped “RETIRED” after his 25 years of loyal service), I can’t help but wonder how many more agents the FBI could employ to combat child porn with an extra $1.6 million/year in funding (the salary of Allen and NCMEC’s top-five highest paid employees). It seems that FBI agents today make roughly $48,000-87,000/year. Let’s call it an average of $67,500 and throw in 20% for overhead. That works out to $81,000/year—or:

  • 20 new agents for what NCMEC is paying its top six employees; or
  • 368 new agents for the $29.82 million NCMEC received in government support in 2007.

I’m sure the solution is far more complicated than simply hiring more FBI agents, and that NCMEC does much good work in the service of a noble cause. But until NCMEC is either nationalized as a direct arm of law enforcement or made significantly more accountable as a private organization, we won’t really have any way of knowing whether the money being spent on NCMEC is being spent in the most effective manner possible to deal with the problems of child pornography, abduction and exploitation. We also won’t know whether draconian alternatives to direct enforcement (e.g., hiring more FBI agents) like network-level filtering mandates are truly necessary, despite their unintended consequences for the free speech and privacy rights of law-abiding Internet users.

TPW 44: Unsafe at Any Setting (A Conversation with Chris Soghoian)
https://techliberation.com/2009/06/19/tpw-44-unsafe-at-any-setting-a-conversation-with-chris-soghoian/
Fri, 19 Jun 2009 22:08:22 +0000

In episode #44 of “Tech Policy Weekly,” Berin Szoka and Adam Thierer engage in a debate with Internet security expert Chris Soghoian, who is a student fellow at the Berkman Center for Internet & Society at Harvard University. He is also a Ph.D. candidate at Indiana University’s School of Informatics.

Chris is an up-and-coming star in the field of cyberlaw and technology policy as he has quickly made a name for himself in debates over privacy policy, data security, and government surveillance.  He straddles the line between academic and activist, and the role he often plays in many tech policy debates is somewhat akin to what Ralph Nader has done in many other fields through the years. Except, in this case, instead of “Unsafe at Any Speed” it’s more like “Unsafe at Any Setting,” since Chris is often raising a stink about what he regards as unjust or unreasonable privacy or security settings that various online websites or service providers use.

On the show, Chris talks about two of his recent crusades to get certain online providers to change their default settings to improve user security or privacy: (1) His effort this week to get major email providers—and Google in particular—to change their default security settings on their email offerings; and (2) his earlier crusade to create permanent opt-out cookies to stop behavioral advertising by advertising networks.

There are several ways to listen to today’s TLF Podcast. You can press play on the player below to listen right now, or download the MP3 file. You can also subscribe to the podcast by clicking on the button for your preferred service. (And do us a favor, Digg this podcast!)


Finally, here’s some relevant links that were mentioned during today’s show:

The Costs of SSL Encryption for Webmail & Other Cloud Services
https://techliberation.com/2009/06/16/the-costs-of-ssl-encryption-for-webmail-other-cloud-services/
Tue, 16 Jun 2009 21:02:34 +0000

Internet policy Shame Artist extraordinaire Chris Soghoian has struck again! Chris recently shamed the online advertising industry into improving their privacy practices with his Targeted Advertising Cookie Opt-Out (TACO) plug-in for Firefox. Now Chris has set his sights on the security practices of cloud service providers.

A letter released this morning, signed by 37 leading online security experts (and organized by Chris), calls on Google to offer persistent SSL (HTTPS) encryption by default for all Google services, or at the very least, to make more visible the option currently given to users to opt-in to use SSL for all communications. Google, in its response, indicated that it was already “looking into whether it would make sense to turn on HTTPS as the default for all Gmail users.”

While Google’s response identifies some clear problems with implementing persistent SSL for all users (esp. connection speed), few would deny that it makes sense for webmail providers to encrypt all traffic using SSL, rather than sending email data “in the clear,” which risks interception by hackers. We at PFF hold no brief for Google; in fact, we have found ourselves disagreeing with them on many other occasions on a range of issues (most notably net neutrality mandates). Nonetheless, on this front, Google has long been a leader, having offered SSL since Gmail launched and having begun providing the persistent HTTPS option last summer while most of their competitors still use SSL only for the initial authentication that occurs when a user first signs in. While the letter focuses on Google and webmail in particular, this issue has far broader implications for all online cloud service providers.
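The practical difference between SSL at sign-in only and persistent SSL is whether the session cookie ever crosses the network unencrypted. The Python check below is an added example, not code from the original post, from the letter or from Google; the host mail.example, the cookie name SID and the three recorded flows are constructed, and cookie scoping is simplified to a single host.

```python
"""Audit a recorded webmail session for cookies that cross the network in cleartext.

Added illustration: the host mail.example, the cookie name SID and all three
flows are constructed. Cookie scoping is simplified to one host and Path=/.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def cleartext_exposures(flow):
    """Replay `flow`, a list of (url, [Set-Cookie header values]) pairs.

    Returns a list of (url, cookie_name) for each request that would carry a
    cookie over plain HTTP, readable by anyone able to observe the traffic.
    """
    jar = {}  # cookie name -> True when the cookie carries the Secure attribute
    exposures = []
    for url, set_cookie_headers in flow:
        scheme = urlsplit(url).scheme
        # Request: browsers withhold Secure cookies from http:// URLs and
        # attach every other cookie regardless of scheme.
        if scheme == "http":
            exposures.extend(
                (url, name) for name, secure in jar.items() if not secure
            )
        # Response: record what the server sets for later requests.
        for header in set_cookie_headers:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                jar[name] = bool(morsel["secure"])
    return exposures


# Constructed flow 1: SSL protects the sign-in only, then the site uses HTTP.
LOGIN_ONLY_SSL = [
    ("https://mail.example/login", ["SID=constructed-token; Path=/; HttpOnly"]),
    ("http://mail.example/inbox", []),
    ("http://mail.example/message?id=1", []),
]

# Constructed flow 2: persistent SSL and a cookie marked Secure. The last
# request models a user typing the bare hostname, which starts on HTTP.
PERSISTENT_SSL = [
    ("https://mail.example/login", ["SID=constructed-token; Path=/; Secure; HttpOnly"]),
    ("https://mail.example/inbox", []),
    ("http://mail.example/", []),
]

# Constructed flow 3: every page is served over HTTPS, but the cookie lacks
# the Secure attribute, so the same stray HTTP request carries it.
HTTPS_WITHOUT_SECURE_FLAG = [
    ("https://mail.example/login", ["SID=constructed-token; Path=/; HttpOnly"]),
    ("https://mail.example/inbox", []),
    ("http://mail.example/", []),
]


if __name__ == "__main__":
    for label, flow in [
        ("login-only SSL", LOGIN_ONLY_SSL),
        ("persistent SSL + Secure cookie", PERSISTENT_SSL),
        ("HTTPS pages, cookie not Secure", HTTPS_WITHOUT_SECURE_FLAG),
    ]:
        print(label, "->", cleartext_exposures(flow) or "no cleartext cookies")
```

The third flow shows that serving pages over HTTPS is not sufficient on its own: without the Secure attribute, a single plain-HTTP request still sends the session cookie unencrypted.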

No Free Lunch: The Costs of Encryption

Gmail, Yahoo! Mail, Hotmail, etc. are, of course, “free” (i.e., ad-supported). Google in particular has led the way in increasing the functionality offered in Gmail, not just constantly increasing the total storage space provided to every user (now over 7GB), but regularly adding innovative new features—at no charge to users.

Offering persistent SSL is resource-intensive, because encryption requires computing power on the server side. Google currently spends billions on the servers that run all Google’s services, including Gmail ($2.4 billion back in 2007, when the company was much smaller). Google’s pricing for their App Engine offers some insight into cost, putting a cost of $0.10/CPU computing cycle. But without knowing what their actual cost is or how many CPU computing cycles the average Gmail user might consume per year using persistent SSL, it’s difficult to translate this price into an actual estimate of the cost of providing persistent SSL. Thus, while there are no hard numbers on how much Gmail costs Google to provide or how much more it would cost to provide persistent SSL for every user by default, both costs are clearly substantial. Chris himself provides a shot-in-the-dark guess that SSL-encrypted communications might require as much as six times the server resources as unencrypted communications. I’d love to know where Chris came up with that guess, whether the upper-bound might be even higher, and how he thinks smaller operators would pay for that cost.

Indeed, Chris’s letter does not discuss the cost of providing SSL at all, mentioning the word “cost” just once, and in a completely different sense: “Other Google applications demonstrate that security need not come at the cost of performance.” This is perfectly consistent with Chris’s general response to the costs of regulation: “Your broken business model is not my problem” (which sounds more charming in Chris’s elegant British English).

But just as Chris is correct that “Defaults matter,” it is even more true that “Costs matter.” Google appears to take the question of how much it costs to provide SSL off the table: “in this case, the additional cost of offering HTTPS isn’t holding us back.” But this is by no means a dismissal of the importance of costs. Rather, Google is simply saying that it has already decided that the advantages of providing persistent SSL are worth the costs. Every advantage to users in terms of greater security is, of course, also an advantage to Google as it competes for customers. While Gmail may have the highest profile among webmail companies, it still lags far behind Yahoo! Mail and Microsoft’s Hotmail in market share: As of February, Yahoo!’s market share was 56%, Microsoft’s 19% and Google’s 11%. Offering increased security, as Google already does with the full-SSL opt-in, is simply a way for Google to gain a competitive advantage over its rivals. One can only imagine the barrier to entry such an expensive default, if mandated or simply expected, will create for new, smaller competitors to Google, Microsoft, Yahoo! and other web titans across a wide range of cloud services.

Google’s apparent agreement with Chris and his band of cybersecurity experts conceals a more fundamental difference of perspectives. While I consider Chris a good friend, what separates us, and what separates him from Google, is the question of trade-offs. Chris exemplifies what the economist and philosopher Thomas Sowell called the “Vision of the Anointed.” As the best and brightest in society (“the talented few”), the Anointed are often right, as Chris certainly is here on some level: Persistent SSL is a great thing and most Gmail users would probably be better off with it once Gmail irons out all the kinks in implementing it. (Indeed, I had already opted in to using persistent SSL before reading Chris’s letter.)

No, the problem with the Anointed is not that they are necessarily wrong, but that they focus on “Solutions” to problems, while those with the “Tragic Vision” focus on the “Trade-offs” inherent in the constraints of reality. For the Anointed, seeking to impose their preferences on others, Sowell notes:

it is simply a question of choosing the best solution, while to those with the tragic vision the more fundamental question is: Who is to choose? And by what process, and by what consequences for being wrong? … it is so easy to be wrong, and to persist in being wrong, when the costs of being wrong are paid by others. (pp. 135-36).

Google’s response focuses on one important trade-off: that made by users deciding between added security and a slower Gmail connection. Individual preferences on this choice might vary, even among fully-informed users: For example, some Gmail power users may prefer speed over security, knowing that the risks addressed by SSL are lessened because they do not take their desktop PCs to unsecure Wi-Fi hotspots at, say, the local coffee shop.

But there is a more fundamental trade-off at stake: While Google already offers persistent SSL for free to all users and says that they intend to make this the default setting in the near future, using SSL for everyone will be expensive and that cost will ultimately be borne by consumers as well as by Google (and other webmail operators that follow suit). The cost of providing SSL might mean, for example, that Google will provide less storage space or other innovative Gmail features than it would otherwise have done, because while the politicians in Washington can simply print more money to put a “chicken in every pot” (and a mortgage in every subprime borrower’s hands), Google’s resources are necessarily limited. In short, even in the world of “Free!” content and services, there is no free lunch! In a world of scarce resources (a/k/a reality, even the reality of the digital economy), we must make trade-offs.

Again, Chris may well be correct that the security benefits of SSL are worth this particular trade-off, but it’s important to distinguish between two different kinds of decisions. Again, Sowell makes the point brilliantly:

trade-offs must be incremental rather than categorical, if limited resources are to produce optimal results in any social system as a whole. Despite the importance of incremental trade-offs, the language of politics is filled with categorical rhetoric about “setting priorities,” “providing basic necessities,” or “assuring safety” in foods, medicines, or nuclear power. But incremental decisions differ as much from categorical decisions as trade-offs differ from solutions. If faced with a categorical choice between food and music, every sane person would choose food, since one can live without music but not without food. But if faced with an incremental choice, the decision could easily be just the opposite. If food were categorically more important than music, then we would never reach a point where we were prepared to sacrifice resources that could be used to produce food, in order to produce music. Given this premise, Beethoven, Brahms, and Bach should all have been put to work growing potatoes, instead of writing music, if food were categorically more important.

Online “security” (like online “privacy”) is, like food or physical safety, undeniably a good thing. But we must still make trade-offs between security and the other things with which it necessarily competes. Google currently runs vast server farms, but still has only a certain number of CPU cycles to use for a variety of competing purposes. Spending that scarce resource (and the money that ultimately pays for it) on persistent SSL necessarily means being able to offer less of other things across the wide range of services Google offers. It is in recognition of such unintended consequences that Sowell concludes that:

many a sound and beneficial principle becomes a dangerous absurdity when it becomes a fetish. That is why any categorical principle must be assessed not only in terms of its soundness as a principle, but also in terms of what happens when that principle is applied categorically.

So, what would happen if this insistence on persistent SSL were “applied categorically?”

Impact on the Competitive Landscape

While Google may be able to “eat” the cost of persistent SSL for all its Gmail users, mandating the use of persistent SSL may create a significant barrier to entry that could keep smaller providers out of the market. Even shaming a leading webmail provider like Google into voluntarily increasing their security offering may accomplish the same result by raising consumer expectations. Indeed, this is what competition is all about!

For a large webmail provider like Yahoo! (already struggling to find its way in a rapidly evolving competitive landscape for web content, services and advertising despite its 56% webmail market share), the cost of providing persistent SSL for their enormous installed base of users will necessarily reduce their resources available to compete with Google in webmail and on other fronts. For Microsoft, every dollar spent on upgrading Hotmail security could have been spent on improving Bing, Microsoft’s new search engine, which seems capable of posing a significant challenge to Google in the search market.

In general, increasing the cost of providing a service will necessarily tend to make that service less competitive. If there are fewer companies competing to offer webmail (and other related products like calendar services), there will be less pressure on each of them to compete in non-price terms such as… security and privacy protection. Thus, in the real world, fetishizing security can actually lead to less security.

The Cost/Benefit Approach to Security Improvements

Indeed, while the full use of SSL is an obvious way to improve the security of webmail, it is not obvious that it is the most cost-efficient way to do so. If the precise costs of using persistent SSL for all users are substantial but unclear, it is impossible to evaluate whether user security might be improved more by prioritizing scarce resources to deal with other threats.

The threat posed by unauthorized account access via cookie stealing and packet sniffing appears to be far smaller than other less obvious security threats, such as permitting the use of weak passwords, duplicating passwords across accounts, reliance on poor secret questions, the accessing of accounts at unsecured public terminals, and the failure of users to log out. Likewise, threats to end-user security and privacy such as cross-site scripting attacks or cross-site request forgery account for a far greater portion of internet-related security incidents. There may be no technological “silver bullet” for these problems, but they may represent the “low hanging fruit” for improving security at a much lower cost.

Again, the question is not just whether the Anointed are right, but who is to decide among various options such as persistent SSL, user education and changes in user interface design.

HTTPS Über Alles: Where is This Going?

Google indicated that they’re exploring turning on persistent SSL (HTTPS) for all Gmail users, but says nothing about other Google services. Chris’s letter, however, asks Google to adopt HTTPS for Google Docs and Calendar, and goes on to mention Facebook and MySpace as companies that leave their users “vulnerable to data theft and account hijacking” because they do not use HTTPS.

So just how far should the adoption of HTTPS go? Chris’s draft “Caught in the Cloud” paper repeatedly argues that all cloud services should adopt persistent SSL. Yet even he recognizes that e-mail may be uniquely sensitive:

While most users’ word processing documents or photo collections may not be that valuable to a fraudster, an email account can have considerable value – due to the fact that inboxes routinely contain passwords and account information for other websites. For example, many Web sites will resend a password to a user’s email address in the event that the user forgets her password. Thus, a poorly secured email account can be leveraged to gain access to a victim’s bank account, brokerage account or online health records. (p. 15)

Here, Chris seems to recognize the need to make real trade-offs. But his coalition letter draws no such distinction, and even if it did, the more important point is that the Anointed think they know better how to draw these distinctions than anyone else, especially the companies who actually offer cloud services.

So what about Facebook messaging, Twitter tweets, and other social networking communication tools? How should “we” decide which of these services really merits persistent SSL? More important, who is this “we,” anyway?
Who’s actually going to make these decisions? Rather than trusting in the “systemic process” of competition among cloud computing companies, for whom security can be an element of non-price competition, the Anointed presume to make these decisions for everyone else.

Paying for SSL

In a world of trade-offs, it’s important to look not just at the opportunity cost of providing features like persistent SSL, but also at the additional sources of revenue that could cover the costs of cloud computing features like SSL. If we can “grow the pie,” the trade-offs made to support persistent SSL will not be so painful. Two potential revenue streams seem obvious.

First, Google and other cloud service providers could simply charge for persistent SSL. For instance, Google currently charges $50/year/user for customized, ad-free Google Apps email accounts.

Second, if the advertising that supports webmail and other cloud services were more profitable, Google could afford more “guns and butter”: persistent SSL for everyone and continued expansion of storage space and roll-out of new Gmail features. This is precisely why Google, Yahoo! and other online advertising companies want to offer “Interest-Based Advertising” that is tailored to a user’s interests based on data about their web surfing. Unfortunately, the Anointed have so fetishized “User Privacy” that they are blind to these trade-offs, and fail to recognize that limiting targeted advertising in the name of “Privacy” may compromise “Security,” just as mandating “Security” protections may actually reduce competitive pressures to increase “Privacy” protections.

Thus, as Sowell emphasizes, we must understand that trade-offs cannot be made in isolation because “What can be afforded seriatim vastly exceeds what can be afforded simultaneously.” That is, we must make “trade-offs within an overall system constrained by inherent limitations of resources, knowledge, etc.” It is precisely because that task is so challenging that we must proceed cautiously and resist the insistence of the Anointed that there is an “urgent need for action to avert impending catastrophe.”

Other Options: User Empowerment & Education

Chris’s letter calls for persistent SSL by default in the belief that users do not know enough to protect themselves. In the alternative, the letter suggests four steps Google could take to help users make more fully informed choices. These suggestions seem generally reasonable, and it might well make sense to adopt them, but there are other means to address the ignorance of the “Benighted” than by presuming to decide which trade-offs Google should make in how it designs the user interface of Gmail for all users.

First, Google could present more information and a cleaner choice about persistent SSL during the initial account set-up process. In other words, when a user creates a new Google account, they would be told the pros and cons of persistent SSL and could then make a more informed decision about whether to use persistent SSL or SSL only for authentication. Since Gmail currently has only an 11% share of the webmail market, the vast majority of potential users would have to make these decisions at the point of initial sign-up, while the user interface for existing users would not be further complicated. This example illustrates just one way in which Google might be able to make better decisions about the trade-offs at issue than the Anointed, however well-deserved their credentials in the field of web security.

Second, Google could add more discussion of SSL to its existing online educational resources about user privacy and security. Google could expand its Privacy Center on YouTube to include detailed discussions about the potential risks of not using persistent SSL and easy-to-follow video tutorials about the pros and cons of HTTPS.

The Politics of Shame

A final word about tactics: I call Chris a “Shame Artist” in the best sense of the term. Shaming corporations is a key part of the reputational marketplace, something my colleague Adam Thierer has emphasized in his work [PDF p. 30] on online parental controls and child protection. People like Chris play a critical role in helping to raise public awareness of genuine problems, and to encourage companies to improve their practices. This dynamic has never worked as well, or as quickly, as it does in the online marketplace. But there are two important caveats to the beneficial role played by shame artists.

First, there is a fine line between (i) shining the spotlight of public attention on a problem and bringing reputational pressure to bear on the company responsible, and (ii) threatening such a company with regulation if you don’t get what you want. Here, as is often the case, Chris is playing dangerously close to that line. Chris’s “Lost in the Cloud” paper calls first for companies to change their practices voluntarily, then for mandating disclosure of SSL choices and risks, and then for mandates:

the government [could] regulate providers of cloud computing services, as it has already done in the banking and health industries. Banks are simply not permitted to let customers to make encryption a “choice,” just as car manufacturers are no longer permitted to make seat belts optional. We would prefer that regulators first forced cloud computing providers to display clear educational warnings before regulators go down the path of mandating specific technologies. However, if educational warnings failed to provoke a sufficient market response, stronger regulation might be appropriate.

At the very least, Chris is hanging the regulatory “Sword of Damocles” over the necks of cloud computing providers: The sword hasn’t fallen yet, but it threatens to drop at any moment if industry doesn’t cooperate.

Second, pressuring providers of free (ad-supported) services to offer more features risks increasing the deeply-rooted assumption that users of these services are somehow entitled to them, including whatever specific functionality the Anointed think ought to be included in the service. In fairness to Chris and his coalition, their letter does not specify how persistent SSL should be provided and he seems to be content with the idea that Google might charge for the service, a recognition of a trade-off that separates him from the more extreme among the Anointed. But once Congress, AGs and other government officials start rushing in to do Chris’s bidding, subtly or not-so-subtly coercing cloud service providers, I hope he isn’t surprised when they come back knocking on those same doors asking for more favors in the name of “Internet security.” With one hand they giveth (what Chris wants); with the other they might eventually take away (something Chris and his comrades find important).

But anytime a company is pressured to give away even more of what it’s already giving away for free, the expectation of getting a “Free Lunch” grows. (“Free dessert, too? Don’t mind if I do!”) Worse, if companies appear to cave in to this pressure without acknowledging the trade-offs involved, they both add to that expectation and encourage future attacks by shame artists, since they are signaling a willingness to cave-in. This is essentially the same moral hazard problem as created by negotiating with terrorists. I certainly don’t mean to compare either Chris’s goals or his methods to those of violent extremists or to trivialize his arguments. But the dynamic created by weak responses to shaming in this context is nonetheless analogous: Every time a company says “Why not? Cost is no issue!,” they make it that much more difficult for themselves and others to say, in the future, that cost sometimes will require more obvious trade-offs like charging users for the feature demanded by the Anointed. At some point, such “upsells” may become so politically untenable that the practical choices are (i) not offering the feature at all and (ii) offering it to everyone for free (the costs of which will be borne somewhere else). I fear we may already have reached that point.

Chris Soghoian’s Cool Opt-Out Plugin https://techliberation.com/2009/03/19/chris-sogohians-cool-opt-out-plugin/ https://techliberation.com/2009/03/19/chris-sogohians-cool-opt-out-plugin/#comments Thu, 19 Mar 2009 18:40:28 +0000 http://techliberation.com/?p=17529

What a victory for privacy and personal responsibility is Chris Soghoian’s Targeted Advertising Cookie Opt-Out (or “TACO” – documented and downloadable here). It signals to the 27 ad networks with well-configured opt-out cookies that you don’t want them to track you.

It’s a technical solution that empowers (and places responsibility with) the user to exercise dominion over his or her personal information. No need for law and regulation. No need to go pleading to politicians and bureaucrats for help.

It’s also a little more efficient than my method of controlling tracking, which is to take a glance at cookies as Web sites ask to set them on my computer.

(The answer is usually “no,” but it’s very interesting to see who all wants to get a glance at me when I visit any site. It’s a lot more than just ad networks, btw. I have no idea why people think ad-network tracking is bad and tracking by others is a matter of indifference.)

Now, Chris and I always find something to disagree about, so for good measure I’ll note that I disagree with his goal of switching targeted advertising from opt-out to opt-in.

Cookies are the wrong mechanism for universal opt-out, he correctly notes, and an opt-out HTTP header, were one adopted, would be switched on by default, so the big players won’t go there. “The only way we will get an easy to use, built-into the browser solution,” he concludes, “will be if government regulators get involved. FTC staffers — are you listening?”

Actually, an easy to use, built-into-the-browser solution is right there. In Firefox, it’s Tools > Options > Privacy > uncheck “Accept cookies from sites” or “Accept third-party cookies” (or further define what you want done with cookies). In Internet Explorer, it’s Tools > Internet Options > Privacy > Advanced > select “Override automatic cookie handling” and define what you want done.

A lot of folks think it’s jaw-droppingly difficult to look at cookies as they’re offered. It’s not. It’s easy to give cookies a quick skim as they come in. (Sometimes exercising responsibility for yourself is difficult. Walk it off.)

Now, should everyone do as I do? No. Should everyone do as Chris wants (and be untracked unless they request it)? Also, no.

The default on the street and on the Internet is for information to be available to others. If you don’t like it, you cover up your nakedness with clothes, or you figure out how to block cookies offered by sites you don’t want a relationship with. Kudos to Chris for giving people a cloak to wear, even though he advocates that regulators should tut-tut Web site operators for using their eyes to see.

Seeking Transparency in the Economic Stimulus https://techliberation.com/2009/01/27/seeking-transparency-in-the-economic-stimulus/ https://techliberation.com/2009/01/27/seeking-transparency-in-the-economic-stimulus/#comments Tue, 27 Jan 2009 15:35:11 +0000 http://techliberation.com/?p=15969

Chris Soghoian has the story.

The Whitehouse.gov-YouTube Cookie Kerfuffle https://techliberation.com/2009/01/23/the-whitehousegov-youtube-cookie-kerfuffle/ https://techliberation.com/2009/01/23/the-whitehousegov-youtube-cookie-kerfuffle/#comments Fri, 23 Jan 2009 16:24:49 +0000 http://techliberation.com/?p=15812

Chris Soghoian called out a problem and now takes credit for a fix to the way the Whitehouse.gov Web site delivered third-party cookies – specifically YouTube cookies.

The use of YouTube videos on the President’s site is a Web 2.0-ish improvement, which is welcome, but embedding videos meant that YouTube was placing cookies on the computers of visitors to Whitehouse.gov and – as a natural result – collecting records of people’s visits to that site.

Things got weird when the Whitehouse.gov privacy policy exempted YouTube cookies from the general ban on persistent cookies on federal Web sites.

For videos that are visible on WhiteHouse.gov, a ‘persistent cookie’ is set by third party providers when you click to play a video. . . . This persistent cookie is used by YouTube to help maintain the integrity of video statistics. A waiver has been issued by the White House Counsel’s office to allow for the use of this persistent cookie.

A government entity should not show preference for a particular service provider in a policy like this, and the White House should have either exempted third-party cookies generally, or not at all.

The federal government’s June, 1999 policy on cookies (formerly found here, but apparently moved) reflects June, 1999 thinking about cookies – as sinister and dastardly. It was a little silly back then, and is more so today.

And that’s the one small difference I have with the way Chris characterizes the problem. He says, “the decision to embed YouTube videos . . . also enabled the Google owned video sharing site to sneakily collect data on the millions of people who visit whitehouse.gov.”

Cookies aren’t sneaky. First- and third-party cookies are placed by more sites than not, and they exist in droves. They are used for tracking, recordkeeping, and customer service functions of various kinds. To someone who knows how the Internet and browsers work, they’re anything but sneaky. They’re integral.

I agree that Whitehouse.gov policy and practice were out of step with one another, and exempting YouTube from the policy was not a good fix. But Web sites using cookies to gather information online is about as sneaky as humans using eyeballs to gather information on the street. As with controlling what you reveal when you walk down the street, the onus should be on Internet users to be aware of cookies, their purpose and function, and how to control them.

I, for one, ask my browser to prompt me about first- and third-party cookies, refusing most of them. (It’s quite easy once you’re in the habit.) User education and personal responsibility are the solutions to the cookie “problem.” That’s not easy – it’ll take one generation – but the result will be much better than chasing Web site after Web site trying to insulate a supine user community from their own profligacy with information.
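The distinction this post turns on, a persistent cookie set by a third party while a page loads, can be checked mechanically from the Set-Cookie headers. The following is an added example, not code from the post or from Whitehouse.gov: the sample headers and cookie names are constructed, and treating the last two host labels as the "site" is a simplifying assumption.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def site(host):
    # Assumption: the last two labels approximate the registrable domain;
    # a real audit would consult the Public Suffix List.
    return ".".join(host.lower().strip(".").split(".")[-2:])

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lower-cased attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return first.partition("=")[0].strip(), attrs

def is_persistent(attrs, now):
    """True if the cookie outlives the browser session (RFC 6265 rules)."""
    try:  # a valid Max-Age takes precedence over Expires
        return int(attrs["max-age"]) > 0
    except (KeyError, ValueError):
        pass
    try:
        return parsedate_to_datetime(attrs["expires"]) > now
    except (KeyError, TypeError, ValueError):
        return False  # no usable expiry: session cookie

def audit(page_host, responses, now):
    """Return (party, site, name) for every persistent cookie set during a page load."""
    findings = []
    for response_host, header in responses:
        name, attrs = parse_set_cookie(header)
        owner = site(attrs.get("domain") or response_host)
        if is_persistent(attrs, now):
            party = "first-party" if owner == site(page_host) else "third-party"
            findings.append((party, owner, name))
    return findings

# Constructed sample: (responding host, Set-Cookie value); cookie names are invented.
SAMPLE = [
    ("www.whitehouse.gov", "sid=abc123; Path=/; HttpOnly"),
    ("www.youtube.com", "EXAMPLE_STATS=xyz; Domain=.youtube.com; Path=/; "
                        "Expires=Thu, 01 Jan 2015 00:00:00 GMT"),
    ("www.youtube.com", "EXAMPLE_TMP=q; Domain=.youtube.com; Path=/"),
    ("www.youtube.com", "EXAMPLE_OLD=; Max-Age=0; Expires=Thu, 01 Jan 2015 00:00:00 GMT"),
]
NOW = datetime(2009, 1, 23, tzinfo=timezone.utc)  # observation time, fixed for repeatability

if __name__ == "__main__":
    for finding in audit("www.whitehouse.gov", SAMPLE, NOW):
        print(finding)
```

Only the cookie with a future expiry from the embedded host is reported; the session cookies and the Max-Age=0 deletion are not.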
