Interoperability is a topic that has long been of interest to me. How networks, platforms, and devices work with each other–or sometimes fail to–is an important engineering, business, and policy issue. Back in 2012, I spilled out over 5,000 words on the topic when reviewing John Palfrey and Urs Gasser’s excellent book, Interop: The Promise and Perils of Highly Interconnected Systems.

I’ve always struggled with the interoperability issues, however, and often avoided them became of the sheer complexity of it all. Some interesting recent essays by sci-fi author and digital activist Cory Doctorow remind me that I need to get back on top of the issue. His latest essay is a call-to-arms in favor of what he calls “adversarial interoperability.” “[T]hat’s when you create a new product or service that plugs into the existing ones without the permission of the companies that make them,” he says. “Think of third-party printer ink, alternative app stores, or independent repair shops that use compatible parts from rival manufacturers to fix your car or your phone or your tractor.”

Doctorow is a vociferous defender of expanded digital access rights of many flavors and his latest essays on interoperability expand upon his previous advocacy for open access and a general freedom to tinker. He does much of this work with the Electronic Frontier Foundation (EFF), which shares his commitment to expanded digital access and interoperability rights in various contexts.

I’m in league with Doctorow and EFF on some of these things, but also find myself thinking they go much too far in other ways. At root, their work and advocacy raise a profound question: should there be any general right to exclude on digital platforms? Although he doesn’t always come right out and say it, Doctorow’s work often seems like an outright rejection of any sort of property rights in networks or platforms. Generally speaking, he does not want the law to recognize any right for tech platforms to exclude using digital fences of any sort.

Where to Draw the Lines?

As someone who has authored a book about the importance of permissionless innovation, I need to be able to answer questions about where these lines between open versus closed systems are drawn. Definitions and framing matter, however. I use “permissionless innovation” as a descriptor for one possible policy disposition when considering where legal and regulatory defaults should be set. Another conception of permissionless innovation is more of an engineering ideal; a general freedom to connect, tinker, modify, etc. (I speak more about these conceptions in my latest book, Evasive Entrepreneurs.) Of course, someone advocating permissionless innovation as a policy default will sometimes be confronted with the question of what the law should say when someone behaves in an “evasive” fashion in the latter conception of permissionless innovation.

Doctorow would generally answer that question by saying that law should not be rigged to favor exclusion through laws like the DMCA (and specifically the law’s anti- circumvention provisions), Computer Fraud and Abuse Act, patent law, and various other rules and laws. “[T]he current crop of Big Tech companies has secured laws, regulations, and court decisions that have dramatically restricted adversarial interoperability.”

Generally speaking, I agree. I’m not a fan of technocratic laws or regulations that seek to micro-manage interoperability and which stack the deck in favor of exclusionary conduct with steep penalties for evasion. But does that mean adversarial interoperability should be permitted in all cases? Should there exist any sort of common law presumption one way or the other when a user or competitor seeks access to an existing private platform or device?

Specifics matter here and I don’t have time to get into all the case studies that Doctorow goes through. Some are no-brainers, like the infamous Lexmark case involving refillable printer ink cartridges. Other cases are far more complicated, at least for me. Does Epic, creator of Fortnite, have a right of adversarial interoperability that it can exercise against Apple and their AppStore? As Dirk Auer suggests in a new essay, this episode looks more like a straightforward pricing dispute. Epic is making it out to be much more than that, suggesting Apple is guilty of unfair and exclusionary practices that require a legal remedy.

Why not take that logic further and just say Apple’s App Store us tantamount to a natural monopoly or digital essential facility that Epic and everyone else is entitled to on whatever terms they want? For that matter, why not apply the same logic to Epic’s Fortnite platform or even its Unreal Engine? Does every other gaming developer have a right to piggyback on the juggernaut that Epic has built?

This gets to the core question about Doctorow’s concept of adversarial interoperability: Exactly what should common law and the courts say platform owners make access rights a simple pricing matter and say: “You pay or you are out.” Like Doctorow and EFF, I don’t want Apple to benefit from any special favors from laws like DMCA. Where we differ is that I would still leave the door open for Apple to exercise various other common law contractual rights or property rights in court.

I suspect Doctorow would deny any such claims by Apple or anyone else. If so, I would like to see him spell out in more precise terms exactly what Apple’s property rights and contractual rights are in this instance. Or, again, should we just treat the App Store as a digital commons with unfettered open access rights for developers? If so, would Apple be required to still manage the resource once it is a quasi-commons?

I think that would end miserably, but would like to hear Doctorow’s preferred approach before saying more. I suspect a lot rides on the distinction between “open” verses “proprietary” standards, but compared to Doctorow and EFF, I am willing to embrace a world of both open and proprietary systems, and many hybrids in between. I don’t want the law favoring one type over the other, but that means I need to endorse a generalized property right for digital operators such that they can still exclude others (even in the absence of artificial regulatory rights like DMCA creates). Again, I suspect Doctorow would reject that standard, preferring a generalized right of access, even if that means the platforms become de facto commons.

More Radical Steps

Elsewhere, Doctorow has said is that some of these questions would be better addressed through more aggressive antitrust regulation. Mere data portability or mandatory interoperability isn’t enough for him. “Data portability is important,” Doctorow says, “but it is no substitute for the ability to have ongoing access to a service that you’re in the process of migrating away from.”

In his latest online book on “How to Destroy Surveillance Capitalism,” Doctorow suggests that it is time to “make Big Tech small again” through an “anti-monopoly ecology movement.” That “means bans on mergers between large companies, on big companies acquiring nascent competitors, and on platform companies competing directly with the companies that rely on the platforms.” And he desires a host of other remedies.

So, here we have the convergence of interoperability policy and antitrust policy, with a layer of property confiscation layered on top apparently. “Now it’s up to us to seize the means of computation, putting that electronic nervous system under democratic, accountable control,” he insists in his latest manifesto.

What’s funny about this is that Doctorow begins most of his essays by pointing out all the ways that politics is the problem when it comes to access issues, only to end by suggesting that a lot more political meddling is the required solution. He repeatedly laments how large tech players have so often been able to convince lawmakers and regulators to pass special laws or regulations that work to their favor. Yet, in his We-Can-Build-A-Better-Bureaucrat model of things, all those old problems will apparently disappear when we get the right people in power and get rid of those nefarious capitalist schemers.

Thus, what really animates Doctorow’s advocacy for adversarial interoperability is a deep suspicion of free market capitalism and property rights in particular. In this worldview, interoperability really just becomes a Trojan Horse meant to help bring down the entire capitalist order. Am I exaggerating? “As to why things are so screwed up? Capitalism.” Those are his exact words from the conclusion of his latest book.

Adversarial Innovation & Evolutionary Interop

Still, Doctorow raises many legitimate issues about interconnection and digital access rights. But we need a better approach to work though these questions than the one he suggests.

In my lengthy review of the Palfrey and Gasser Interop book, I tried to sketch out an alternative framework for thinking seriously about these issues. I referred to my preferred approach as “experimental interoperability” or “evolutionary interoperability.” I described this as the theory that ongoing marketplace experimentation with technical standards, modes of information production and dissemination, and interoperable information systems, is almost always preferable to the artificial foreclosure of this dynamic process through state action. The former allows for better learning and coping mechanisms to develop while also incentivizing the spontaneous, natural evolution of the market and market responses.

Adversarial interoperability is important, but not nearly as important as adversarial innovation and facilities-based competition. Stated differently, access rights to existing systems is an important value, but the incentives we have in place to encourage entirely new systems is what really matters most. At some point, a generalized right of access to existing systems discourages the sort of platform-building that could help give rise to the sort of creative destruction we have seen at work repeatedly in the past and that we still need today. Taken too far, adversarial interoperability threatens to undermine this goal. Why seek to build a better alternative platform if you can just endlessly free ride off someone else’s by force of law?

Thus, I prefer to work at the margins and think through how to balance these competing claims of access / interoperability rights versus contractual / property rights. My take will be too utilitarian for not only Doctorow but also for some libertarians, who want clear answers to all these questions based upon their preferred natural law-oriented constructions of rights. The problem with that approach is that it leads to all-or-nothing extremes (complete digital property rights, or virtually none) and that approach is fundamentally unworkable and destructive. We need to work harder about how to balance these rights and values in pro-competitive, pro-innovation fashion.

There is No Such Thing as Optimal Interoperability

In sum, there is no such thing as “optimal interoperablity.” Sometimes proprietary or “closed” systems will offer the public features and options that they will find preferable to “open” ones.  “There are many reasons why consumers might prefer ‘closed’ systems – even when they have to pay a premium for them,” argues Dirk Auer in a separate essay. It could be greater convenience, security, or other things. Palfrey and Gasser correctly noted in their book that, “the state is rarely in a position to call a winner among competing technologies” (p. 174). Moreover, they concluded:

“Lawmakers need to keep in view the limits of their own effectiveness when it comes to accomplishing optimal levels of interoperability. Case studies of government intervention, especially where complex information technologies are involved, show that states tend to be ill suited to determine on their own what specific technology will be the best option for the future (p. 175)

A thousand amens to that! The law should not artificially foreclose experimentation with many different types of platforms, standards, devices and the interoperability that exists among them.

By Adam Thierer & Jennifer Huddleston Skees

“ He’s making a list and checking it twice. Gonna find out who’s naughty and nice .”

With the Christmas season approaching, apparently it’s not just Santa who is making a list. The Trump Administration has just asked whether a long list of emerging technologies are naughty or nice — as in whether they should be heavily regulated or allowed to be developed and traded freely.

If they land on the naughty list, these technologies could be subjected to complex export control regulations, which would limit research and development efforts in many emerging tech fields and inadvertently undermine U.S. innovation and competitiveness. Worse yet, it isn’t even clear there would be any national security benefit associated with such restrictions.  

From Light-Touch to a Long List

Generally speaking, the Trump Administration has adopted a “light-touch” approach to the regulation of emerging technology and relied on more flexible “soft law” approaches to high-tech policy matters. That’s what makes the move to impose restrictions on the trade and usage of these emerging technologies somewhat counter-intuitive. On November 19, the Department of Commerce’s Bureau of Industry and Security launched a “ Review of Controls for Certain Emerging Technologies .” The notice seeks public comment on “criteria for identifying emerging technologies that are essential to U.S. national security, for example because they have potential conventional weapons, intelligence collection, weapons of mass destruction, or terrorist applications or could provide the United States with a qualitative military or intelligence advantage.”

The Commerce Department has long sought to control the use of such technologies through a combination of methods, including formal export controls. The process for establishing such controls was clumsily cobbled together over time, so Congress passed the Export Control Reform Act of 2018 (ECRA) to formalize these regulations. ECRA requires that the President formulate an interagency process to coordinate these rules with the goal of creating, “a regular and robust process to identify the emerging and other types of critical technologies of concern, as defined in United States foreign direct investment laws, and regulate their release to foreign persons as warranted regardless of the nature of the underlying transaction.” As part of this process, the Commerce Department is to create a list “of foreign persons and end-uses that are determined to be a threat to the national security and foreign policy of the United States . . .  and to whom exports, reexports, and transfers of items are controlled.”

Sweeping Breadth

That is what prompted the Trump Administration’s recent Emerging Technologies notice, which includes is a remarkably sweeping list of technologies that the Commerce Department is considering for the exports controls list. The list has 14 major categories:

(1) Biotechnology

(2) Artificial intelligence

(3) Position, Navigation, and Timing (PNT) technology

(4) Microprocessor technology

(5) Advanced computing technology

(6) Data analytics technology

(7) Quantum information and sensing technology

(8) Logistics technology

(9) Additive manufacturing / 3D printing

(10) Robotics

(11) Brain-computer interfaces

(12) Hypersonics

(13) Advanced materials

(14) Advanced surveillance technologies

The Department’s 14-category list also includes over 40 itemized examples of specific applications. For example, the “artificial intelligence” category alone includes a list of 11 applied types of AI, from AI cloud technologies and chipsets to neural networks to speech and audio processing.

The breadth of this list is remarkable in that it touches almost every emerging technology sector imaginable. It might have been easier for the Commerce Department to simply list those emerging technologies that will not be subject to review for potential export controls. It is an “everything-but-the-kitchen-sink” approach to emerging technology policy oversight and regulation that could clearly have far reaching consequences beyond national security.

There are some obvious dangers with such an open-ended review and it is important to remember these technologies have many beneficial applications as well as any potential risks.

Threatening Beneficial Uses

First, the potential export regulations create the danger of negative spillover effects that could undermine beneficial uses of each technology listed . All of the technologies listed have already been used in many ways that benefit both consumers and businesses. Limitations on their export could limit their availability or prevent improvements due to concerns that such broad interpretations of restrictions could limit the market.

For example, the regulation of AI mentioned above would not only address concerns about how AI might be used in weapons, but could even undermine the export of technology that has become a part of our everyday lives such as Siri in iPhones and Amazon’s Alexa. While the department claims that it seeks to “avoid negatively impacting U.S. leadership in the science, technology, engineering, and manufacturing sectors,” it is unlikely that any but the most narrowly tailored rules could actually avoid having a negative impact on innovation in the named technologies .

The more general purpose a technology the more difficult it will be to control the potential impact on the beneficial uses of the technology as well as the negative impacts. In fact, in some cases such as AI and robotics it can even be difficult to define what the technology is, because it is typically the applications and not the technology more generally that is being discussed and regulated. In many cases, the anti-export regulations would or could at least signal to entrepreneurial innovators that their time is better spent on other technologies or that their work should be taken elsewhere and risks the U.S. falling behind other countries in these important innovative areas.  

Undermining International Competitiveness

Second, the inquiry could undermine U.S. competitiveness by encouraging more offshoring in a world of innovation arbitrage opportunities . With our increasingly connected global economy and specifically the more mobile nature of many emerging technologies, it is becoming easier for innovators who find themselves subjected to onerous regulations in one country to move their research and development efforts to another. This is sometimes referred to as “ innovation arbitrage .”

While the U.S. remains a leader in attracting innovators, this scenario has already played out several times. For example, Amazon moved its drone testing program to the UK rather than test in the US due in large part to FAA regulations regarding drones. Similarly, 23andme also initially took its direct-to-consumer genetic testing abroad after the FDA threatened to shut down their product.

Heavily regulating the export of general applications of these technologies could actually backfire and encourage innovators to take their research to countries like China where they do not face such regulations. R. David Edelman, the director of the Project on Technology, the Economy, and National Security at MIT, has noted that while the inquiry might be “intended to help US companies be more competitive,” the reality is that “it would almost certainly give Chinese companies that don’t face those same restrictions a sizable advantage in the playing field.”

Moreover, if export controls undermine domestic innovation and competitiveness in this fashion and benefit developers in other countries, it means the U.S. will have less of a say over the ethical development of many important technologies. Bloomberg contributor Noah Smith observes that , when it comes to the global race for hegemony in genetic sciences, China is poised to take the lead. “If the U.S. shies away from developing genetic-engineering technology, these riches will flow to China, or to whatever other countries seize the technological edge,” he notes. That would be problematic not just from a competitive perspective, but also from an ethical perspective, because America would have less of a say in guiding the development of these important but controversial technologies. “Dystopian outcomes are also less likely with the U.S. at the helm,” Smith believes.

Limiting or Ending Technologies Consumers Already Enjoy

Third, the inquiry could pose a threat to everyday consumer technologies that are already widely distributed . The most interesting thing about the technologies listed in the notice is that many of them have moved well beyond the “emerging” phrase of development. They are already out in the wild and being used by people every day.

For example, among the AI technologies listed in the notice are “speech and audio processing (e.g., speech recognition and production)” as well as, “natural language processing (e.g., machine translation).” We already enjoy a great many services such as those today, including Siri and Alexa. Meanwhile, there are technologies already on the market that help disabled and autistic children communicate and interact with their peers using AI and robotics.

For example, the KASPAR robot helps children with such disabilities learn social skills to interact with their peers and teach conversational skills. Similarly, technology that translates apparently nonverbal sounds and other methods of communication into speech via apps and other technology with various voices that others can understand could be subject to development ending regulations or be unable to help children in other countries if the proposed export restrictions are phrased too broadly. Not only might new restrictions limit the development of new technologies, it could even limit or eliminate those that we have already embraced and improved the lives of many.

Risk to Research & Open-Source Efforts

Fourth, the expansion of export controls for many of the technologies listed in the inquiry opens the door to widespread policing of open source coding and communications , but offers no explanation of how that would even work. A large number of the technologies on the Commerce Department list have both commercial and non-commercial applications. Innovation scholars use terms like “ free innovation ” and “social entrepreneurialism” to describe innovative efforts that are undertaken by individuals or groups of people to pursue a broader array of social goals or values beyond just profit-seeking.

A prominent example of social entrepreneurs engaging in free innovation involves the use of 3D printers and open source designs to voluntarily create prosthetics for children with limb deficiencies. What happens to collaborative, non-commercial innovations like that if export controls are suddenly imposed on additive manufacturing technologies by the Department of Commerce? If one participant is based outside the US, is that sufficient to subject such collaboration to export controls? What, exactly, would be subjected to controls? The 3D printers? The open source blueprints? The website hosting such information? It is difficult to imagine how such regulation would work in practice but it is easy to imagine the effect it would have if pursued: It would create a massive chilling effect on many beneficial forms of innovation and simultaneously threaten freedom of speech and academic research.

This same problem could play out in many other technology fields listed in the Commerce Department notice, including: robotics, speech recognition, biotechnology, and genetic engineering, among many others often engage in open and cross-border collaboration for open source development. Free innovation and social entrepreneurialism are expanding rapidly in these and other emerging technology arenas. Thus, export control regulation can no longer hinge on going after “deep-pocketed” corporations looking to sell physical systems. To be truly effective, regulations will need to cover bottom-up, “grassroots” innovation. But that move will have profound ramifications for the freedom to freely tinker with or even freely research important technologies and technological processes.

Dubious National Security Benefits

There’s a final danger associated with this effort: it might not help advance America’s national security objectives , and could even hinder them.

To the extent that ECRA and this new Department of Commerce effort lead to heightened scrutiny for the many dozens of technologies identified, it could undermine research and development efforts in many of those fields. It could do so directly (by formally limiting or forbidding domestic R&D efforts) or indirectly (by incentivizing many domestic emerging tech innovators to move their operations offshore, or discouraging foreign developers from setting up shop here). Not only would such actions risk the US losing its lead in innovation, it could actually result in such regulations backfiring from a national security perspective.  

At the end of the day, the problem here is that Congress is failing to clearly identify what is “essential to the national security of the United States.” ECRA just passes the buck on that thorny question to the Commerce Department for a laundry list of emerging technologies. By soliciting public input, the best hope here is that experts in these various emerging technology sectors will step forward and identify the trade-offs associated with inclusion of most of these technologies on the export controls list. Hopefully, the list would then be narrowed the much smaller class of applied technologies that have a very real, immediate, and clearly catastrophic potential for harm to the national security interests of the nation. That would have been the better way to begin this process, but Congress and the Administration have instead adopted the opposite approach here and now we must hope that they are willing to significantly pare back the list of technologies even being considered for inclusion.

Back to the Crypto Wars?

In a sense, this debate was foreshadowed by the debate in the late 1990s over export controls for encryption technologies. As encryption emerged , law enforcement and national security agencies were concerned about its potential use by bad actors to hide or destroy evidence or information by using encrypted devices or services and sought to require backdoors to be able to access encrypted data and to restrict the export of certain types of encryption and certain encrypted devices. Such requirements, as the Information Technology & Innovation Foundation’s Daniel Castro and Alan McQuinn pointed out, would actually reduce the security of everyday Americans to cyber attacks, negatively impact U.S. businesses’ global competitiveness, and reduce the competitiveness and innovation of the technology sector not only in encryption but in related fields as well.

Luckily, many of these concerns were avoided and encryption restrictions have been narrowly tailored. Recent tensions between the FBI and tech companies like Apple illustrate that this debate is far from settled. Now it seems that the Commerce Department’s proposed restrictions could create the same vulnerabilities more broadly for a great number of emerging technologies.

“Soft Law” & Next Steps

In some ways this move to regulate technologies via export restrictions shows the dark side of the growing trend of “soft law.” Soft law, as we discuss in more detail in our forthcoming paper , includes regulatory actions such as guidance documents, working groups, sandboxing, and many other informal regulatory mechanisms. Such mechanisms are often used to regulate emerging technologies in the absence of formal actions or because the traditional policymaking apparatus cannot keep pace with the rapid evolution of technology. In many cases soft law has been used to accelerate technological development that otherwise might have been limited by traditional hard law.

But where soft law thrives in the vacuum left by a lack of formal delegation and regulation, this inaction also poses risks. Agencies like the Commerce Department could extend amorphous powers over emerging technologies without the expertise to fully understand the way such regulations might negatively affect beneficial technological developments, which are typically hard to predict in advance.

A smarter approach to export controls for emerging technologies begins with a rational assessment of:

1. a more robust evaluation of what really constitutes a tangible, immediate, irreversible, and catastrophic harm to the national security interests of the United States;
2. the practicality of proposed controls for any emerging technologies considered for inclusion on the list;
3. the wisdom of placing technologies on the list which already have been developed or marketed overseas (or appear poised to be); and,
4. the potential unintended consequences that any new export controls might have on the innovative potential of American creators and companies, the future of research in important sectors, the free flow of knowledge regarding peaceful applications, and the competitive standing of the United States relative to other countries.
5. whether catastrophic concerns about emerging technologies might be better addressed through multilateral accords or agreements aimed at achieving global consensus regarding inappropriate use and applications (as has been done in chemical weapon treaties and nuclear non-proliferation efforts).

Several specific technologies may still qualify for inclusion on the export controls list after such an evaluation, but it will start with a more limited approach and then expand as necessary. Such an approach assumes that in general purpose technology is not a threat until proven otherwise. By inverting the process in this fashion, the Administration wouldn’t be treating every emerging technology under the sun as guilty until proven innocent; innovations would be allowed to flourish naturally until the potential for harm is well-documented.

Unfortunately, the Commerce Department’s proposed approach does just the opposite and risks minimizing the benefits of these emerging technologies while doing little to advance national security interests in a meaningful way.

This morning, a group of organizations led by the Center for Responsibility and Ethics in Washington (CREW), R Street, and the Sunlight Foundation released a public letter to House Speaker John Boehner and Minority Leader Nancy Pelosi calling for enhanced congressional oversight of U.S. national security surveillance policies.

The letter—signed by over fifty organizations, ranging from the Electronic Frontier Foundation, the Competitive Enterprise Institute, and the Brennan Center for Justice at the New York University School of Law, and a handful of individuals, including Pentagon Papers whistleblower Daniel Ellsberg—expresses deep concerns about the expansive scope and limited accountability of intelligence activities and agencies, famously exposed by whistleblower Edward Snowden in 2013. The letter states:

Congress is responsible for authorizing, overseeing, and funding these programs. In recent years, however, the House of Representatives has not always effectively performed its duties. The time for modernization is now. When the House convenes for the 114th Congress in January and adopts rules, the House should update them to enhance opportunities for oversight by House Permanent Select Committee on Intelligence (“HPSCI”) members, members of other committees of jurisdiction, and all other representatives. The House should also consider establishing a select committee to review intelligence activities since 9/11. We urge the following reforms be included in the rules package.

The proposed modernization reforms include:

1) modernizing HPSCI membership to more accurately reflect House interests by allowing chairs and ranking members of other committees with intelligence jurisdiction to select a designee on HPSCI;

2) allowing each HPSCI Member to designate a staff member of his or her choosing to represent their interests on the committee, as is the practice in the Senate;

3) making all unclassified intelligence reports quickly available to the public;

4) improving HPSCI the speed and transparency of responsiveness to member requests for information; and

5) improving general HPSCI transparency by better informing members of relevant activities like upcoming closed hearings, legislative markups, and committee activities

The groups also urge reforms to empower all members of Congress to be informed of and involved with executive intelligence agencies’ activities. They are:

1) making all communications from the executive branch available to all Members unless the sender explicitly indicates otherwise;

2) reaffirming Members’ abilities to access, review, and publicly discuss materials already available to the public that are classified by the executive branch, as is the case with the Snowden leaks. Members should feel comfortable to discuss this kind of information without fear of reprimand;

3) providing Members with at least one staff member with access to classified information through a Top Secret/Special Compartmented Information (TS/SCI) clearance;

4) allowing Members to speak with whistleblowers without fear of reprisal; and

5) improving training for Members and staff on how to handle classified information and conduct effective congressional oversight of classified matters.

Over at the CREW blog, Daniel Schuman provides some more context of the problems these groups seek to address:

Members of Congress rely on staff to do a lot of work, but most staff working on intelligence issues are not permitted to hold the necessary security clearances to do their jobs. Sometimes, the Intelligence Committee in the House intercepts mail from the executive branch addressed to all members of Congress. That same committee sits on unclassified reports, refusing to make them available to the public. Briefings provided by the intelligence community are announced for inconvenient times, do not provide enough detailed information, and members of Congress often are not allowed to take notes on what was said. The executive branch has 666,000 employees with top secret/SCI clearance and 541,000 contractors with top secret/SCI clearance, and yet often times members of Congress are not permitted to talk with one another about their briefings. Members of Congress are not allowed to publicly speak about—and staff may not read—classified information that has been published in the newspaper or on the internet. This makes no sense for the deliberative body that was designed as a check on executive power.

While these proposed reforms aim to improve congressional oversight through common-sense changes or clarifications in House procedure and committee structure, these still only address failures of intelligence oversight that we have gleaned from our current knowledge of the byzantine maze of surveillance agency activities so far. The picture painted by the little knowledge that have right now is not pretty. An associated white paper presenting the reforms in more detail notes:

The last decade-and-a-half has witnessed major intelligence community failures. From the inability to connect the dots on 9/11 to false claims about weapons of mass destruction in Iraq, from the unlawful commission of torture to the inability to predict the Arab spring, from lying to Congress about the NSA to CIA surveillance of Senate staff, the intelligence community has a credibility gap. Moreover, with recent revelations about secret government activities, to the apparent surprise of many members of Congress, it is increasingly clear that Congress has not engaged in effective oversight of the intelligence community .

To get a fuller picture of the extent of the problem, the letter proposes that the House adopt a special committee to conduct a distinct, broad-based review of the activities of the intelligence community after 9/11. Similar committees have been assembled in the past to address previous shortcomings:

The last time so many revelations of government misdeeds came to light in news reports, Congress reacted by forming two special committees to investigate intelligence community activities. The reports by the Church and Pike Committees led to wholesale reforms of the intelligence community , including improving congressional oversight mechanisms. The magnitude of current revelations and intelligence community failures leads to this conclusion: the House (and Senate) must establish a distinct, broad-based review of the activities of the intelligence community since 9/11. The House should establish a committee modeled after the Church or Pike Committees, provide it adequate staffing and financial support, and give it a broad mandate to review intelligence community activities, engage in public reporting wherever possible, and issue recommendations for reform.

The Church and Pike Committees of the 1970’s were products of a decade of explosive revelations of government surveillance run amok. The white paper cites a 1974 New York Times exclusive report by Seymour Hersh that revealed the CIA had been operationalized to inspect the mail, telephone communications, and residences of tens of thousands of uncharged private citizens since the 1950’s. Earlier that year, allegations that the U.S. Army had been performing illegal surveillance of American citizens were verified and repudiated by Senator Sam Ervin’s Military Surveillance Investigations. In 1975, a bombshell NSA investigation published by the Times reported that the then largely-unknown intelligence unit “eavesdrops on virtually all cable, Telex, and other nontelephone communications leaving and entering the United States” and “uses computers to sort out and obtain intelligence from the contents” in the now-infamous Project Shamrock. The revealed executive abuses of the Nixon administration provided the cherry on top of a growing distrust and anger with surreptitious U.S. surveillance practices.

Today is another era of outrageous whitstleblower reports and rapidly dwindling trust in U.S. surveillance bodies. A mere 24 percent of Americans reported that they trust the government to “do the right thing” most of the time in 2013 Rasmussen poll. (A miniscule 4 percent of your fellow Pollyanna patriots trust Uncle Sam all of the time.) Meanwhile, technological advances have allowed U.S. intelligence agencies a greater degree of potential (and, as Snowden revealed, actual) surveillance than every before. This gap in trust and power simply cannot continue indefinitely.

While not without their problems, the Church and Pike committees are noteworthy milestones in reclaiming congressional accountability over executive intelligence agencies run amok. Creating a new committee to comprehensively assess current surveillance agency activities, warts and all, and recommend accountability measures to address the unknown excesses that likely lurk in the shadows is one step in the right direction toward taming back the tentacles of unlawful government surveillance.

But if there’s one thing we’ve learned from the fruits of the 1970’s committees—namely, the Foreign Foreign Intelligence Surveillance Act (FISA) of 1978—it’s that what once served as a hindrance to government abuses may one day become a party to it. For example, the Foreign Intelligence Surveillance Court (FISC) established by FISA that was intended to provide critical oversight of federal spying programs is today limited by the inadequate tools available to verify whether or not surveillance programs are lawful.

Imposing accountability on agencies whose missions are devoted to secrecy is a tough nut to crack. Our history struggling with this challenge suggests that these proposed reforms are good preliminary actions. But watching the watchers will continue to be an omnipresent duty.

Ladar Levison, founder of encrypted email service Lavabit, discusses recent government action that led him to shut down his firm. When it was suspected that NSA whistleblower Edward Snowden used Lavabit’s email service, the FBI issued a National Security Letter ordering Levison to hand over SSL keys, jeopardizing the privacy of Lavabit’s 410,000 users. Levison discusses his inspiration for founding Lavabit and why he chose to suspend the service; how Lavabit was different from email services like Gmail; developments in his case and how the Fourth Amendment has come into play; and his involvement with the recently-formed Dark Mail Technical Alliance.

Download

Related Links

• Lavabit, Levison
• Dark Mail, Zimmerman, Callas, Janke, Levison
• Lawyers raise civil liberty concerns in Lavabit case, Salon
• Lawyers for Lavabit founder: judges may dismiss civil liberties concerns, The Guardian

Here’s the video from a recent panel I sat on at the 4th annual Privacy Identity Innovation conference (pii2013) in downtown Seattle on September 17, 2013. The panel was entitled, “Emerging Technologies and the Fine Line between Cool and Creepy,” a topic I have written much about here in recent blog posts as well as in law review articles.  The panel was expertly moderated by the awesome Natalie Fonseca, co-founder and executive producer of the pii2013 event as well as the always excellent Tech Policy Summit. Other panelists included Terence Craig, Co-founder and CEO, PatternBuilders and Co-author, Privacy and Big Data, Jamela Debelak, Technology and Liberty Director, ACLU of Washington, and my friend Larry Downes, Consultant and Author of The Laws of Disruption, among other excellent books. We discussed how to balance out the competing tensions surround new information technologies and stressed the various ways we could alleviate the primary concerns about many of them.

(The video, which is embedded down below, lasts just under 40 minutes. The audio is a little uneven because I was too stupid to keep the microphone close to my mouth. Sorry about that!)

In June, The Guardian ran a groundbreaking story that divulged a top secret court order forcing Verizon to hand over to the National Security Agency (NSA) all of its subscribers’ telephony metadata—including the phone numbers of both parties to any call involving a person in the United States and the time and duration of each call—on a daily basis. Although media outlets have published several articles in recent years disclosing various aspects the NSA’s domestic surveillance, the leaked court order obtained by The Guardian revealed hard evidence that NSA snooping goes far beyond suspected terrorists and foreign intelligence agents—instead, the agency routinely and indiscriminately targets private information about all Americans who use a major U.S. phone company.

It was only a matter of time before the NSA’s surveillance program—which is purportedly authorized by Section 215 of the USA PATRIOT Act (50 U.S.C. § 1861)—faced a challenge in federal court. The Electronic Privacy Information Center fired the first salvo on July 8, when the group filed a petition urging the U.S. Supreme Court to issue a writ of mandamus nullifying the court orders authorizing the NSA to coerce customer data from phone companies. But as Tim Lee of The Washington Post pointed out in a recent essay, the nation’s highest Court has never before reviewed a decision of the Foreign Intelligence Surveillance Act (FISA) court, which is responsible for issuing the top secret court order authorizing the NSA’s surveillance program.

Today, another crucial lawsuit challenging the NSA’s domestic surveillance program was brought by a diverse coalition of nineteen public interest groups, religious organizations, and other associations. The coalition, represented by the Electronic Frontier Foundation, includes TechFreedom, Human Rights Watch, Greenpeace, the Bill of Rights Defense Committee, among many other groups. The lawsuit, brought in the U.S. district court in northern California, argues that the NSA’s program—aptly described as the “Assocational Tracking Program” in the complaint—violates the First, Fourth, and Fifth Amendments to the Constitution, along with the Foreign Intelligence Surveillance Act.

In a statement today, TechFreedom President Berin Szoka described the lawsuit as follows:

We’re standing up for the constitutional rights of all Americans: The First Amendment protects our right to communicate and associate privately. The Fourth Amendment protects us against unreasonable searches and seizures by barring the kind of general warrant that compelled U.S. telephone carriers to turn over potentially sensitive information about Americans’ telephone call records. The secretive processes of the Foreign Intelligence Surveillance Court violate the most fundamental guarantees of the Fifth Amendment to due process, as well as basic principles of the rule of law.

Amen. Our founding fathers wrote the 4th Amendment to prevent precisely this kind of secretive sifting through citizens’ private records. As the recent scandal involving the IRS targeting tea party groups illustrates, America’s founders knew all too well that government would always be tempted to use perfectly innocuous information about Americans’ beliefs and behaviors to harass them and treat them unfairly. This is why our Constitution and federal laws restrict the government’s power to collect private information about its citizens. These rules exist not so criminals can conceal their behavior, but to protect you and me. And when the government violates those rules, it is acting criminally.

Think you’re off the the hook because you communicate primarily using the Internet, rather than via phone? Think again. We know that far more extensive collection of Americans’ data has occurred under the same authority—50 U.S.C. § 1861—upon which the Associational Tracking Program is based.

According to a leaked 2009 NSA Inspector General report, NSA in 2001 began collecting “bulk Internet metadata” from at least three unknown large Internet companies. A 2007 DOJ memo regarding “supplemental procedures” for NSA data collection authorized the agency to collect Internet metadata—including the “email address[es]” of each sender and recipient of an email, along with their “IP address”—for “persons in the United States.” The memo further states that “NSA has in its database a large amount of communications metadata associated with persons in the United States.” However, a spokesman for James Clapper, the Director of National Intelligence has claimed this Internet metadata collection program was “discontinued in 2011 for operational and resource reasons.” Who knows if this is accurate, or another “clearly erroneous” statement that will be corrected in future months or years in a statement resembling the letter James Clapper sent to the Senate Intelligence Committee a few weeks ago.

Yet if the NSA’s Associational Tracking Program is lawful, the Internet metadata program is probably legal as well. If courts fail to halt the NSA’s program as it currently exists, and clarify what Section 215 of the USA PATRIOT Act really means, nothing is stopping the government from resuming its acquisition of Internet metadata—that is, if it hasn’t already done so.

These suspicionless mass surveillance programs don’t just endanger our constitutional rights. They also threaten free enterprise in the information economy. Increasingly, we transact, communicate, innovate, and create in the digital realm, where information itself is a form of wealth. But if Americans reasonably perceive their digital communications—including metadata—are subject to warrantless governmental interception, some who might use cloud services will choose not to do so. Not only would this distort the future of Internet commerce, it might cause cloud computing servers and businesses to move or be formed abroad—which, ironically, could deny U.S. law enforcement access to this cloud data.

If the information age is to realize its full potential, providers of electronic communications services must be free to make credible assurances to their users about when private information will be shared, and with whom. Users need to know that the data they relinquish is confined to agreed-upon business, transactional, and record-keeping purposes—not automatically stored in a government datacenter.

The New York Times reports:

The Russians, who with only minimal success, had for years sought to make these companies provide law enforcement access to data within Russia, reacted angrily. Mr. Gattarov formed an ad hoc committee in response to Mr. Snowden’s leaks.

Ostensibly with the goal of safeguarding Russian citizens’ private lives and letters from spying, the committee revived a long-simmering Russian initiative to transfer control of Internet technical standards and domain name assignments from two nongovernmental groups that control them today to an arm of the United Nations, the International Telecommunications [sic] Union.

It’s not immediately clear to me how moving Internet standards and DNS from IETF and ICANN to the ITU is supposed to stop the NSA from spying on Russians, so the smart read is that this is retaliation pure and simple.

Brazil’s foreign minister, Antonio Patriota, for example, a week ago endorsed the Russian proposal to transfer some control over Internet technical standards to the United Nations telecommunications agency.

While these are not major changes in policy positions, the NSA’s surveillance programs seem to be galvanizing those who want the ITU to take an active role in Internet governance. It’s time for the USA to practice what it preaches on Internet freedom.

Declan McCullagh, chief political correspondent for CNET and former Washington bureau chief for Wired News, discusses recent leaks of NSA surveillance programs. What do we know so far, and what more might be unveiled in the coming weeks? McCullagh covers legal challenges to the programs, the Patriot Act, the fourth amendment, email encryption, the media and public response, and broader implications for privacy and reform.

Download

Related Links

• Snowden: NSA snoops on U.S. phone calls without warrants, McCullagh
• Snowden: Feds can’t plug leaks by ‘murdering me’, McCullagh
• Feds: Power grid vulnerable to cyber threats, McCullagh

Over at The Umlaut, I try to articulate why even people who have “nothing to hide” should be concerned about NSA surveillance:

I have no doubt that Prism is a helpful tool in combatting terrorism and enforcing the law, as the Obama administration claims. But ubiquitous surveillance doesn’t just help enforce the law; it changes the kinds of laws that can be enforced. It has Constitutional implications, not just because it violates the Fourth Amendment, which it does, but because it repeals a practical barrier to ever greater tyranny.

Read the whole thing, and pass it on.

With Bitcoin enjoying a spike in price against government currencies, there is lots of talk about it on the Interwebs, including Jerry’s typically thoughtful post from earlier today. If you’re not familiar with it yet, here’s a good Bitcoin primer, which also counsels reading a lot more before you acquire Bitcoin, as Bitcoin may fail. If you like Bitcoin and want to buy some, don’t go all goofy. Do your homework. As if you need to be told, be careful with your money.

Much of the commentary in the popular press declares a Bitcoin bubble for one reason or another. It might be a bubble, but nobody actually knows. A way of guessing is to compare Bitcoin’s qualities as a currency and payment network to the alternatives. Like any service or good, there are many dimensions to value storage and transfer.

I may not capture them all, and they certainly don’t predict the correct price against the dollar or other currencies. That depends on the ultimate viscosity of Bitcoin. But Bitcoin certainly has value of a different kind: it may discipline fiat currencies and the states that control them.

Intrinsic Value: If you’re just starting to think about money, this is where you’ll find Bitcoin an obvious failure. These evanescent strings of code have no intrinsic value whatsoever! Anyone relying on them as a store of value is a volunteer victim. Smart people stick with U.S. dollars and other major currencies, thin sheets of cloth or plastic with special printing on them…

No major currency has intrinsic value. Indeed, there isn’t much of anything that has intrinsic value. The value of a thing depends on other people’s demand for it. This is as true of Bitcoin as it is of dollars, sandwiches, and sand. So the intrinsic value question, which seems to cut in favor of traditional currencies, is actually a wash.

Transferability: Bitcoin is good with transferability–far better than any physical currency and quite a bit better than most payment systems. Not only is it fast, with transactions “settling” fairly quickly, but it is borderless. The genius of PayPal (after it gave up on being a replacement monetary system itself) was quick transfer to most places that rich people want to send money. Bitcoin allows quick transfer anywhere the Internet goes.

Acceptance: Bitcoin bombs badly in the area of acceptance. Try buying a sandwich with Bitcoin today and you’ll go hungry because few people and businesses accept it. This is a real problem, but it’s nothing intrinsic to Bitcoin. When Hank Aaron broke Babe Ruth’s home run record, people didn’t understand that credit cards were like money. (Watch the video at the link two or three times if you need to. It’s not only a great moment in sports.) Acceptance of different form-factors for value and payments can change.

Cost: How many billions of dollars per year do we pay for storage and transfer of money? Bitcoin is free.

Inflation-Resistance: Assuming the algorithms work as advertised, the quantity of Bitcoin will rise to a pre-established level of about 21 million over the next couple of decades and will never increase after that. This compares favorably to fiat currencies, the quantity of which are amended by their managers, sometimes quite dramatically, to undercut their value. If you want to hold money, holding Bitcoin is a better deal than holding dollars. Which brings us to…

Deflation-Resistance: Without central planners around to carefully debase its value, Bitcoin might go deflationary, with people refusing to spend it while it rises against all other stores of value and goods. Arguably, that’s what’s happening in the current Bitcoin price-spike. People are buying it in anticipation of its future increase in value.

Deflation can theoretically cause an economy to seize up, with everyone refusing to buy in anticipation of their money gaining in value over the short term. There is room for discussion about whether hyper-deflation can actually occur, how long a hyper-deflation can persist, and whether the avoidance of deflation is worth the risk of having centrally managed currency. I have a hard time being concerned that excessive savings could occur. However, whatever the case with those related issues, Bitcoin is probably deflation-prone compared to dollars and other managed currencies.

Surveillance-Resistance: Where you put your money is a reflection of your values. Payment systems and governments today are definitely gawking through that window into our souls.

Bitcoin, on the other hand, allows payments to be made with very little chance of their being tracked. I say “little chance” because there is some chance of tracking payments on the network. Sophisticated efforts to mask payments will be met by sophisticated efforts to track them. Relatively speaking, though, payments through traditional payment systems like checks, credit cards, and online transfer are super-easy to track. Cash is pretty darn hard to track. So Bitcoin stacks up well against our formal payment systems, but equally or perhaps poorly to cash.

Seizure-Resistance: The digital, distributed nature of Bitcoin makes it resistant to official seizure. Are you in a country that exercises capital controls? (What a euphemism, “capital controls.” It’s seizure.) Put your money into Bitcoin and you can email it to yourself. Carve your Bitcoin code into the inner lip of your frisbee before heading out on that Black Sea vacation. Chances are they won’t catch it at the border.

Traditional currencies either exist in physical form or they’re held and transferred by institutions that are more obediant to the state than they are loyal to their customers. (If Cyprus has anything to do with the current price-spike of Bitcoin, it’s as a lesson to others. Cypriots apparently did not move into Bitcoin in significant numbers.)

Because Bitcoin transactions are relatively hard to track, many can be conducted–how to put this?– independent of one’s tax obligations. In relation to the weight of the tax burden, Bitcoin may grow underground economies. Indeed, it flourishes where transactions (in drugs, for example) are outright illegal. Bitcoin probably moves the Laffer curve to the left.

Security: The tough one for Bitcoin is security. Most people don’t know how to store computer code reliably and how to prevent others from accessing it. Individuals have lost Bitcoin because of hard-drive crashes. (This will cause small losses in the total quantity of Bitcoin over time.) Bitcoin exchanges have collapsed because hackers broke in. And there’s a genuine risk that viruses might camp on your computer, waiting for you to open your (otherwise encrypted) wallet file. They’ll send your Bitcoin to heaven-knows-where the moment you do.

When a Bitcoin transaction has happened, it is final. Like a cash expenditure or loss, there is no reversability and nobody to complain to if you don’t have access to the person on the other side of the transaction. The downside of a currency that costs nothing to transfer is the lack of a 1-800 number to call.

So Bitcoin lags traditional currencies along the security dimension. But this is not intrinsic to Bitcoin. Security will get better as people learn and technology advances. (How ’bout a mega-firewall that requires approval of all outbound Internet traffic while the wallet is open?)

There may be Bitcoin-based payment services, banks, and lenders that provide reversibility, security, that pay interest, and all the other goodies associated with dollars today. To the extent they can stay clear of the regulatory morass, they may be less expensive, more innovative, and, in the early going, more risky.

So what’s the right price for Bitcoin? Only a fool can say. (No offense, all of you declaring a Bitcoin bubble.) I think it depends on the ultimate “viscosity” of Bitcoin.

Let’s say Bitcoin’s exclusive use becomes a momentary medium of exchange: Every buyer converts currency to Bitcoin for transfer, and every seller immediately converts it to her local currency. There’s not much need to hold Bitcoin, so there’s not that much demand for Bitcoin. Its equilibrium price ends up pretty low.

On the other hand, say everybody in the world keeps a little Bitcoin on hand for quick, costless transactions once there’s a handy, reliable, and secure Bitcoin payment system downloadable to our phones. If lots of people hold Bitcoin just because, that highly viscous environment suggests a high price for Bitcoin relative to other currencies and things.

Whatever the case, people are now buying Bitcoin because they think others are going to buy it in the future. Whether they’re “speculators” trying to buy in ahead of other speculators, or if they’re buying Bitcoin as a hedge against the varied weaknesses of fiat currencies and state-controlled payment systems, it doesn’t matter.

What does matter, I think, is having this outlet. The availability of Bitcoin is a small, but growing and important security against fiat currencies and state-controlled payments. It is a competitor to state money.

Bitcoin’s existence makes central bankers slightly less free to inflate the money they control, states will have slightly less success with seizing money, and surveillance of traditional payment systems will be decreasingly useful for law enforcement, taxation, and control.

I don’t think Bitcoin delivers us to libertarian “Shangri-la” or anarcho-capitalism, but it’s a technology that fetters government some. It’s a protection for people, their hard-earned wealth, and their privacy. That’s the value of Bitcoin, in my mind, no matter its current price.

As I noted in an addendum to my previous post, less than an hour after I posted an essay about how the District of Columbia’s subsidy deal with LivingSocial was potentially set to unravel, I received a call from two representatives of the D.C. Mayor’s office asking me to clarify a few aspects of the deal. The tone and substance of the call was courteous and profession from the start and I told them I would be happy to post a quick update to my essay letting readers know of the points that they wanted stressed.

After I did so, however, I kept thinking how strange it was that I received such a quick response from the Mayor’s office about my little post. After all, I can’t imagine that the Technology Liberation Front is on the top of their morning reading list! I just figured that someone in the Mayor’s office probably had a Google Alert set up that caught it.  But then, as luck would have it, I was reading through the Wall Street Journal at lunch and came across a story entitled, “In D.C., Social-Media Surveillance Pays Off” by Sarah Portlock. She reports that:

The local government in the nation’s capital is paying hundreds of thousands of dollars to a startup to gather comments on Twitter, Facebook and other online message boards as well as the government’s own website. The data help form a letter grade for the bureaucracies that handle drivers licenses, building permits and the like. These social-media analytics services are already common for businesses such as restaurants and hotel chains that want to go beyond the comment cards most customers ignore. The D.C. experiment suggests governments are beginning to mirror the private sector in seeking real-time unvarnished feedback.

The D.C. government apparently has a 2-year $670,000 contract with newBrandAnalytics, Inc. to gather social media feedback and insights about the District.  So, I figure that’s how the folks in the D.C. Mayor’s office stumbled upon my little rant. I had posted a link to my essay on both Twitter and Google+ and they probably got an immediate report back about it.

In any event, that got me wondering about how people are going to respond to this sort of “surveillance” of social media sites and activities by governments.

I can imagine that some people will feel it’s “creepy” and suggest it violates some privacy norms. But the sort of “surveillance” happening here isn’t the typical “law-and-order” stuff. What we’re talking here about is really just the same sort of customer service efforts that many private sector companies undertake regularly. Like those private companies, the District is interested in getting feedback about how it’s doing its job. The Journal article quotes Nicholas Majett, head of the District’s Department of Consumer and Regulatory Affairs, saying: “Knowing that every day you’re going to get a report about how you’re doing, that actually puts you on your toes and makes sure you’re doing the best possible job.”

In that sense, I applaud the District’s effort to gather impressions and insights from social media sites and use them to improve their public service record. (Of course, I’m of the mind that the District government is doing far more than it needs to and that many of its licensing and regulatory processes, for example, should be completely abolished or privatized. I’m also not sure that the system is worth $670,000 of taxpayer money.)

About the only way I could imagine any of this raising privacy concerns is if the District was gathering these social media insights, matching them up with other databases they have access to, and then using that information to somehow intimidate citizens or deny them some sort of service. It’s always easy to conjure up privacy boogeyman stories like that, but until there is any evidence that social media insights are being used in some nefarious way, I’m not too worried about what the District is doing here.

Going forward, however, it will certainly be interesting to see what happens when government “customer service” efforts such as these grow more sophisticated and come into conflict with certain privacy expectations. While I’m not of the mind that you really have much of a reasonable expectation of privacy on Facebook, Google+ or Twitter, I can imagine that many people are going to be freaked out if they start getting regular emails, tweets, texts, or even phone calls from government officials responding to complaints that were written just moments prior on their favorite social media sites.

Of course, these efforts are also worth monitoring to see if they actually do anything to help improve government service / responsiveness. If these efforts can make my DMV experience even moderately more tolerable, I would probably consider them a success!

This seems like a logical follow-up to Berin Szoka’s previous post about technology, social activism, and government power. ReasonTV has produced this important short clip on “Cops Vs. Cameras: The Killing of Kelly Thomas & The Power of New Media.” It documents how the combined power of citizen journalism, social media, and surveillance video can ensure that our police authorities are held accountable for their actions. In this particular case, it can hopefully win some justice for Kelly Thomas, the homeless Fullerton, California man who was brutally beaten to death by police officers on the night of July 5, 2011.

There is live video from the horrific beating here, but I caution you it is not for the faint of heart. Watching the last moments of man’s life slip away from repeated blows to the head while he begs for his life and calls out for his father is, well, stomach-turning. But imagine if this video and the other citizen videos that were taking that night had not existed. As the ReasonTV clip notes, the Fullerton police department basically ignored requests for more information about the case until Kelly’s father (who was former police officer himself) took cell photos of his son’s beaten face in the hospital and released them to the public. Then the citizen videos of the beating were posted on YouTube and went viral. And then, finally, mainstream media started paying attention. And now the surveillance video from a nearby street camera has been released after citizens and activists demanded it.

While we spend a lot of time today worrying about the privacy implications of new technologies, especially surveillance technologies, episodes like these make it clear that there are also powerful benefits from these new surveillance tools. David Brin first pointed this out in his provocative 1997 book, The Transparent Society, in which he noted:

While new surveillance and data technologies pose vexing challenges, we may be wise to pause and recall what worked for us so far. Reciprocal accountability — a widely shared power to shine light, even on the mighty — is the unsung marvel of our age, empowering even eccentrics and minorities to enforce their own freedom. Shall we scrap civilization’s best tool – light — in favor of a fad of secrecy?

Of course, that doesn’t mean we shouldn’t take steps to limit the surveillance powers of our government over the citizenry. We absolutely must. But we must draw a distinction between the tools and their uses and make sure we do not go overboard with what Brin called the “fad of secrecy” such that new privacy rules limit the use and spread of these technologies.

For far too long governments have avoided accountability for their actions because of a lack of transparency. Nowhere has this been more dismaying that in matters of policing. While our law enforcement officers deserve respect for the hard jobs they have to keep the public safe, they also must account for their actions when they go too far precisely because we grant them coercive powers held by no other group in society. Luckily, new technologies can help us keep their power in check and hold them accountable. While some authorities are fighting back and trying to limit citizen efforts to record them and hold them accountable, the genie is already well out of the bottle. These surveillance tools are not going away and law enforcement authorities will now be forced to live under the gaze of an empowered citizenry. Hopefully that increases transparency and accountability in all policing activities going forward. Read Brin’s short 2011 essay “Sousveillance: A New Era for Police Accountability” for greater elaboration.

This morning, the Senate Judiciary Committee’s Subcommittee on Privacy, Technology, and the Law had a hearing entitled: “Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy.” It was a remarkably scattered affair, and I blogged three key—and very distinct—elements of it on the Cato@Liberty blog:

• The Department of Justice used this “mobile privacy” hearing to call for increased surveillance of Internet and mobile phone users.
• To escape a prosecutorial dead-end, Senator Blumenthal (D-CT) strongly suggested that he would outlaw the collection of radio signals. Where this government power would lead is quite profound.
• Ignoring mobile privacy, Senator Schumer (D-NY) touted his hobby-horse, mobile app censorship.

Valid concerns with what mobile operating system providers Google and Apple have done with location information were somewhat lost in this disjointed and confused hearing.

San Francisco’s Entertainment Commission will soon be considering a jaw-dropping attack on privacy and free assembly. Here are some of the rules the Commission may adopt for any gathering of people expected to reach 100 or more:

3. All occupants of the premises shall be ID Scanned (including patrons, promoters, and performers, etc.). ID scanning data shall be maintained on a data storage system for no less than 15 days and shall be made available to local law enforcement upon request.
4. High visibility cameras shall be located at each entrance and exit point of the premises. Said cameras shall maintain a recorded data base for no less than fifteen (15 days) and made available to local law enforcement upon request.

Would you recognize a police state if you lived in one? How about a police city? The First Amendment right to peaceably assemble takes a big step back when your identity data and appearance are captured for law enforcement to use at whim simply because you showed up. (ht: PrivacyActivism.org)

Boeing subsidiary Narus reports on its Web site that it “protects and manages” a number of worldwide networks, including that of Egypt Telecom. A recent IT World article entitled “Narus Develops a Scary Sleuth for Social Media” reported on a Narus product called Hone last year:

Hone will sift through millions of profiles searching for people with similar attributes — blogger profiles that share the same e-mail address, for example. It can look for statistically likely matches, by studying things like the gender, nationality, age, location, home and work addresses of people. Another component can trace the location of someone using a mobile device such as a laptop or phone.

Media advocate Tim Karr reports that “Narus provides Egypt Telecom with Deep Packet Inspection equipment (DPI), a content-filtering technology that allows network managers to inspect, track and target content from users of the Internet and mobile phones, as it passes through routers on the information superhighway.”

It’s very hard to know how Narus’ technology was used in Egypt before the country pulled the plug on its Internet connectivity, or how it’s being used now. Narus is declining comment.

So what’s to be done?

Narus and its parent, The Boeing Company, have no right to their business with the U.S. government. On our behalf, Congress is entitled to ask about Narus’/Boeing’s assistance to the Mubarak regime in Egypt. If contractors were required to refrain from assisting authoritarian governments’ surveillance as a condition of doing business with the U.S. government, that seems like the most direct way to dissuade them from providing top-notch technology capabilities to regimes on the wrong side of history.

Of course, decades of U.S. entanglement in the Middle East have created the circumstance where an authoritarian government has been an official “friend.” Until a few weeks ago, U.S. unity with the Mubarak regime probably had our government indulging Egypt’s characterization of political opponents as “terrorists and criminals.” It shouldn’t be in retrospect that we learn how costly these entangling alliances really are.

Chris Preble made a similar point ably on the National Interest blog last week:

We should step back and consider that our close relationship with Mubarak over the years created a vicious cycle, one that inclined us to cling tighter and tighter to him as opposition to him grew. And as the relationship deepened, U.S. policy seems to have become nearly paralyzed by the fear that the building anger at Mubarak’s regime would inevitably be directed at us. We can’t undo our past policies of cozying up to foreign autocrats (the problem extends well beyond Egypt) over the years. And we won’t make things right by simply shifting — or doubling or tripling — U.S. foreign aid to a new leader. We should instead be open to the idea that an arms-length relationship might be the best one of all.

Today, China renewed Google’s license to do business in the country, reports The Washington Post. The announcement means that Google will maintain its presence in the country for the foreseeable future. Google will likely meet criticism, but this is good news nonetheless for Chinese Internet users.

The rapidly unfolding Google-China saga has made headline after headline since January, when Google announced that it had suffered an intrusion originating in China. In March, after months of internal debate and heavy public criticism, Google shut down its China-based search engine Google.cn, redirecting all queries to its Hong Kong-based Google.com.hk site. Late last month, Google reactivated some of its China-based services and has continued to operate in China, albeit on a limited basis.

Operating in China has long been a headache for Google, due to the Chinese government’s notorious disregard for Internet freedom, embodied by its infamous “Great Firewall of China.” China surveils all Internet traffic that traverses its borders and attempts to block its citizens from accessing information sources which the government considers unfavorable. China also gleans data from its network to identify and retaliate against political dissidents.

Human rights advocates have long derided Google and other U.S. tech companies, such as Microsoft and Yahoo, for doing business in China. China requires all search engines operating in the country to censor a broad range of information, like photos of the 1989 Tiananmen Square massacre. Critics contend that complying with the Chinese government’s oppressive demands is unethical and that facilitating censorship and suppression is morally unacceptable on its face.

Such criticisms, however principled, miss the forest for the trees. If Google were to cease its Chinese operations entirely, the result would be one less U.S. Internet firm accessible to Chinese citizens. While Google is the worldwide search leader, in the Chinese search market Google lags behind Baidu, a search company based in China. Baidu’s market share increased after Google shut down its China-based search site. If Google were to pull out of China entirely, chances are Baidu would pick up many more users.

Why is this troubling? Because Baidu has a long history of complying with the Chinese government’s demands, and has never publicly repudiated the regime’s oppressive practices.

American firms that operate in China do so begrudgingly, often repudiating the state’s human rights violations and, at times, even pushing back when they believe the government has gone too far. Google in particular has struggled over the ethical dilemma posed by China. Before 2005, Google had not formally entered the Chinese market at all, partially on human rights grounds. And after its servers were hacked from within China in late 2009, Google was reportedly on the verge of pulling out of China entirely.

The complicity of U.S. tech firms in China’s oppressive practices has also spurred attacks from politicians looking to score political points. At a recent hearing, Rep. Chris Smith (R-N.J.) accused Microsoft of “enabling tyranny” in China. And Senator Dick Durbin (D-Ill.) is pushing for federal legislation to regulate the practices of U.S. companies that do business in non-democratic nations.

Such saber-rattling will only make problems worse. Undermining the autonomy of private U.S. corporations to make their own business decisions only discourages constructive business engagement with China. Worse, American politicians’ lambasting of China actually emboldens the Chinese regime, which plays upon nationalist sentiments to garner public support.

American businesses, on the other hand, are in a far better position to criticize Chinese censorship. Google and Microsoft are household names in China. And it is far more difficult for the Chinese government to demonize American technology firms than the U.S. government.

Yes, China has a horrendous human rights record, but it isn’t the only nation in the world whose government routinely tramples human rights. In the flawed world we live in, to expect businesses to operate only in nations that truly respect their citizens’ human rights is wishful thinking. Neither Google nor any other American company enjoys facilitating Chinese oppression. But given the available alternatives, is pulling out really a superior option? Is relegating Chinese citizens to patronizing solely Chinese firms actually conducive to improving human rights?

In the long run, disengaging China will not encourage its government to grant greater political freedoms to its people. Commerce between the U.S. and China facilitates wealth creation and opens up new economic opportunities in both countries. In China, that new wealth, along with corresponding new opportunities, help expand the country’s middle class, bringing subsistence farmers into cities and, thus, closer to the global economy.

For China to become a politically and economically freer nation, a sizable middle class is a crucial factor. While Google, Microsoft, and Yahoo may not seem to be making China any freer now, they can only help in the long run.

No, I’m not here to tell you more about the “supersized” FTC. Berin has done yeoman’s work to highlight that issue, among other things with the PFF event you can review here. On TechDirt, Mike Masnick wrote this morning about how the feds are itching to regulate the Internet.

This is about the direct government invasions of privacy likely to occur if S. 3217 passes. On the Cato@Liberty blog I write about the detailed financial market research that new regulatory agencies would do—research aimed at you.

Example:

Section 1071(b) requires any deposit-taking financial institution to geo-code customer addresses and maintain records of deposits for at least three years. Think of the government having its own Google map of where you and your neighbors do your banking. The Bureau [of Consumer Financial Protection] may “use the data for any other purpose as permitted by law,” such as handing it off to other bureaus, like the Federal Bureau of Investigation.

“Washington, D.C. has determined that Washington, D.C. should manage the financial services industry. Your personal and private financial affairs will be managed there too.”

What would I say about my own writing but read the whole thing?

Here’s a great conversation at Slate.com about Shane Harris’ new book The Watchers.

We’ll be having the author here at Cato on March 10th for a similar discussion of his book and the growth of the surveillance state.

Register here.

Fellow TLFer Julian Sanchez has written (twice) at Cato@Liberty on the big school-using-laptops-to-spy-on-kids case.

Indulging my contrarian habit, I’m taking a little bit of a different view, though not necessarily an inconsistent one. While it seems error to me that the school district issued laptops with a potentially invasive security system, failing to fully inform parents, I think a lot more facts have to come out before we reach legal conclusions.

I started to feel some contrary comin’ on when I read the lengthy commentary of a parent at the school, posted on a privacy colleague’s Facebook wall. Among other things, she said:

The minor in question is a truly bad kid. [cites supporting facts] He had broken two laptop computers and had been issued a loaner computer with the explicit instructions not to take it off school property. It disappeared from the school and when questioned he told the school it had been stolen from him. There is quite a bit of theft and laptops had been a target. The kids seemed to know about the security system in place, I didn’t know about it which I think was wrong — the school has apologized for this. The school activated the security system realized the computer was in use and the webcam took a still shot. The minor in question was sitting in front of the webcam, the rumor is with drugs. The photo was sent to the police which apparently was standard procedure for stolen property and not related to anything else.

Maybe the “drugs” were Mike & Ike’s candies. The plaintiff’s lawyer says so. (Consider the veracity of a kid explaining things to his parents and their counsel, though, and of a trial lawyer seeking to lead a class action.)

Sugar pills or not, if the laptop is AWOL from school—presumptively stolen—I don’t see that it would be unreasonable to use the security system to discover its location, and the camera to capture images of who is using it. If there are statutes that would prevent that, I think a court would find a way to avoid applying them, be it on the theory that the putative thief assumed the risk of being surveilled, unclean hands, or some other basis.

The reporting and commentary has been a little overwrought. Better facts will determine what law should apply. Parents at the school have started a Facebook group to discuss this and share the rest of the story given that the school district has, well, lawyered up.

I tipped a reporter at an outlet I respect about this parent’s version of events. The reporter was alternately dismissive of sources that weren’t “official” and highly defensive when I suggested that her writing and reporting appeared to be preserving controversy rather than getting to the bottom of things. So much for relying on media—even new media—for getting information out.

Maybe spun-up outrage will cause better policies in this area than would otherwise result. Maybe we’ll learn that the security system was used for routine, inappropriate spying on kids. But as a legal case, there’s a lot more to be learned before we should draw conclusions.

If you have a mobile phone, that’s the upshot of an argument being put forward by the government in a case being argued before the Third Circuit Court of Appeals tomorrow. The case is called In the Matter of the Application of the United States of America For An Order Directing A Provider of Electronic Communication Service To Disclose Records to the Government.

Declan McCullagh reports:

In that case, the Obama administration has argued that Americans enjoy no “reasonable expectation of privacy” in their—or at least their cell phones’—whereabouts. U.S. Department of Justice lawyers say that “a customer’s Fourth Amendment rights are not violated when the phone company reveals to the government its own records” that show where a mobile device placed and received calls.

The government can maintain this position because of the retrograde “third party doctrine.” That doctrine arose from a pair of cases in the early 1970s in which the Supreme Court found no Fourth Amendment problems when the government required service providers to maintain records about their customers, and later required those service providers to hand the records over to the government.

I wrote about these cases, and the courts’ misunderstanding of privacy since 1967’s Katz decision, in an American University Law Review article titled “Reforming Fourth Amendment Privacy Doctrine“:

These holdings were never right, but they grow more wrong with each step forward in modern, connected living. Incredibly deep reservoirs of information are constantly collected by third-party service providers today. Cellular telephone networks pinpoint customers’ locations throughout the day through the movement of their phones. Internet service providers maintain copies of huge swaths of the information that crosses their networks, tied to customer identifiers. Search engines maintain logs of searches that can be correlated to specific computers and usually the individuals that use them. Payment systems record each instance of commerce, and the time and place it occurred. The totality of these records are very, very revealing of people’s lives. They are a window onto each individual’s spiritual nature, feelings, and intellect. They reflect each American’s beliefs, thoughts, emotions, and sensations. They ought to be protected, as they are the modern iteration of our “papers and effects.”

This is a case to watch, as it will help determine whether or not your digital life is an open book to government investigators.

Be sure to read Julian’s write-up of the USA-PATRIOT Act reform bills.

Posted in London.

Just before the New Year, Mike Masnick reported:

It’s been well over five years since we first heard about a plan in Oregon to attach GPS devices to cars and tax drivers based on how much they drove and the idea hasn’t become any better in the intervening years… but apparently it’s still being pushed. Oregon’s governor is trying to move forward with the plan.  One of the reasons behind the bill has nothing to do with a more efficient way to tax drivers, but because the state is gaining less revenue from its gas tax since there are more fuel-efficient cars on the roads these days. Of course, rather than reward drivers for driving more fuel efficient cars, this sort of tax punishes them, and actually encourages the use of less fuel efficient vehicles. And, of course, that doesn’t even begin to get into the potential (and likely) privacy problems brought about by any system whereby the government has full access to a GPS system on your car.

This is a great example of the problems that often arise when trying to bring into the digital age areas of the economy monopolized or dominated by government.  There’s a clear (if imperfect) analogy here to Obama’s ambitious goal of digitizing health records:  both are great ideas that raise special privacy concerns because of the heavy involvement of government.  These privacy concerns are certainly not unwarranted:  I wouldn’t want the government to have access to my car’s location or my medical history at any given moment or a complete record of where I’ve driven or what doctors I’ve seen.  But just as relying on paper health records is clearly stupid (and dangerous), it would make a hell of a lot more sense for drivers to pay for road use depending on “where, when and how far they drove”—as in a small pilot project in the UK.

Today, state and Federal taxes on every gallon of gasoline are intended to serve two conflicting purposes—but do a poor job with both.  First, the taxes fund the cost of building and maintaining roads.  But the tax provides only a very rough proxy for how much driving Americans are doing, and says nothing about which roads are actually being used or when.  So government road planners have to guess at which roads need to be upgraded or where new roads are required.  Worse, the current system does nothing to encourage rational decisions on the part of drivers, who currently have no direct economic incentive (other than saving time) not to drive during rush hour or to use less-congested roads.

Second, the current tax system is what economists would call “Pigouvian“: it is intended to correct the negative externalities (air pollution) caused by driving.  But, again, taxing total gallons of gas consumed is a poor proxy for emissions.  As Cato’s Jerry Taylor points out (start podcast at 1:33), cars are already sufficiently computerized that if we really wanted to punish pollution through the tax system, we could directly tax emissions themselves by having each car keep track of unhealthy emissions and then uploading that data, say, at the car’s annual inspection.

So in a rational world, we’d abolish gasoline taxes entirely and institute user fees to fund the cost of roads & highways that reflect actual use.   If government insists on it, we could also tax emissions directly.  (We could make the whole transition revenue-neutral, lest this reform result in higher taxes/fees.)  Merely by reducing congestion, better economic incentives could significantly reduce air pollution.

If roads weren’t run by government monopolies, this kind of change would have happened a long time ago.  Although many people associate toll booths with road privatization, no private business would ever choose a technology as cumbersome (and costly) as toll booths if they had the option of using a system as seamless and invisible to the user as GPS-tracking or even existing transponder-based systems ( e.g.,  E-Z Pass, FasTrak).  Maybe there’s a more efficient or privacy-friendly option out there, or at least on the horizon.  I don’t know, but I suspect competing road operators would figure it out.

Some drivers might still be uncomfortable with the idea of a private company having access to their driving data, but that private company would have a strong incentive to compete for privacy-sensitive drivers by offering strong data protection policies (such as data anonymization and retention limits), which would of course be enforced under the FTC’s existing “unfair & deceptive trade practices.”

But because government has virtually monopolized the road system, we’re stuck with a terrible choice:

• Continue to use a “pricing” (tax) system from the 1950s when modern satellite and computer technology offers us clearly superior alternatives that could reduce congestion and pollution and perhaps even save lives; OR
• Risk putting the data created by those modern technologies directly into the government’s hands.

It’s a hard choice.  I don’t know what the right answer is—other than privatizing the roads, enforcing corporate privacy policies strictly under existing law, and increasing Fourth Amendment protections against government access to user data kept by companies.  Since road privatization is unlikely to happen in an era when we are (re)nationalizing core industries through bailouts, I suspect that we’ll end up having to choose either technology (with all its benefits)  or privacy, when we should be able to have both.

President Obama has talked about “investing” $50 billion in tax money over the next five years to subsidize the digitization of health records.  While one might hope that these records wouldn’t be directly accessible to government in the same way that driving records would be under the Oregon or UK projects, it’s by no means clear that this won’t be the case, given the Federal government’s dominant role in the health care sector.  If the Golden Rule (“He Who Has the Gold, Makes the Rules”) holds, increased government spending on health care across the board—whether in the name of e-Health or universal health—will surely lead to greater government control of the health care system.  That will probably mean greater access to e-health records.  If politicians can access FBI files of their opponents, they’ll probably abuse access to health care records, too.  No safeguards are ever perfect, of course, and invasions of privacy would happen if the data were kept by private companies, but at least those companies would be accountable in court, in the court of public opinion and in the marketplace if they allowed such violations by their employees or corporate partners, or simply failed to protect such a “honey pot” of data.

I’d like to see the most modern technology used across the board—whether it’s for roads or health care.  I just don’t want the real Big Brother—government—to have access to that information, a problem that is only going to increase as government’s role in our lives grows.

The Progress & Freedom Foundation has just launched the new Center for Internet Freedom.  CIF offers an alternative to the proliferation of advocacy groups calling for government intervention online by offering timely analyses and critiques of proposals that diminish the vital role of free markets, free speech and property rights.  We aim to drive the Internet policy debate in new directions by emphasizing a layered approach of technological innovation, user education, user self-help, industry self-regulation, and the enforcement of existing laws consistent with the First Amendment.  Such an approach is a less restrictive—and generally more effective—alternative to increased regulation.  

Here are some of the issues I’ll be working on as CIF’s Director in conjunction with my esteemed colleagues Adam Thierer, Adam Marcus, and adjunct fellows: 

• Defending online advertising as the lifeblood of online content & services, especially in the “Long Tail”;
• Emphasizing market solutions to problems of privacy protection, especially regarding the use of cookies and packet inspection data;
• Protecting online speech and expression both in the U.S. and abroad;
• Defending Section 230 immunity for Internet intermediaries;
• Opposing online taxation and legal barriers to e-commerce and digital payments, especially at the state and local levels; and
• Ensuring that Internet governance remains transparent and accountable without hampering the evolution of the Internet.

According to ABC News:

Despite pledges by President George W. Bush and American intelligence officials to the contrary, hundreds of US citizens overseas have been eavesdropped on as they called friends and family back home, according to two former military intercept operators who worked at the giant National Security Agency (NSA) center in Fort Gordon, Georgia.

It’s a simple formula: Lack of oversight produces abuses. Members of Congress may scurry around and declare outrage, but the responsibility is their own as much as anyone else’s.

By Berin Szoka & Adam Thierer Progress Snapshot 4.19 (PDF)

Since the fall of 2008, a debate has raged in Washington over “targeted online advertising,” an ominous-sounding shorthand for the customization of Internet ads to match the interests of users.  Not only are these ads more relevant and therefore less annoying to Internet users than untargeted ads, they are more cost-effective to advertisers and more profitable to websites that sell ad space.  While such “smarter” online advertising scares some—prompting comparisons to a corporate “Big Brother” spying on Internet users—it is also expected to fuel the rapid growth of Internet advertising revenues from $21.7 billion in 2007 to $50.3 billion in 2011-an annual growth rate of more than 24%. Since this growing revenue stream ultimately funds the free content and services that Internet users increasingly take for granted, policymakers should think very carefully about what’s really best for consumers before rushing to regulate an industry that has thrived for over a decade under a layered approach that combines technological “self-help” by privacy-wary consumers, consumer education, industry self-regulation, existing state privacy tort laws, and Federal Trade Commission (FTC) enforcement of corporate privacy policies.

In an upcoming PFF Special Report, we will address the many technical, economic, and legal aspects of this complicated policy issue-especially the possibility that regulation may unintentionally thwart market responses to the growing phenomenon of users blocking online ads.

We will also issue a three-part challenge to those who call for regulation of online advertising practices:

1. Identify the harm or market failure that requires government intervention.
2. Prove that there is no less restrictive alternative to regulation.
3. Explain how the benefits of regulation outweigh its costs.

The Online Advertising Market

While there are other forms of targeted advertising based on who you are (“demographic”) or where you are (“locational”), the most important varieties are based on what you’re searching for, seeing or doing online at any particular moment (“contextual”) and the pattern of what you’re searching for, seeing or doing over time (“behavioral”). The bulk of Internet advertising falls into one or both of these last two categories, with behavioral advertising growing rapidly.

Search engines deliver contextual ads on search results pages based on the search keywords entered by a user, while third-party advertising networks (some of which also run search engines) deliver contextual ads on behalf of website operators who sell ad space to the network, with the ads displayed on each page chosen according to keywords on that page. Contextual advertising is far “smarter” than displaying the same “dumb” untargeted banner ads to every user, because the contextual ad uses keywords to “guess” what the user is interested in based on the context of each page. But the purely contextual ad network doesn’t “remember” what the user has looked at in the past, so its insights into what the user would find relevant are very limited, especially for some websites. Online behavioral advertising (OBA) solves this problem and increases the value of advertising space on all websites by targeting ads based on a “profile” of the user created by tracking websites the user has visited—as well as limiting the number of times a user is shown a particular ad.

The Perceived Harm Driving Calls for Regulation

For a decade, the basic technology behind OBA has changed little: When a user visits the typical webpage, they download not only the webpage contents but also a small piece of code that allows the website to distinguish that user’s browser from other browsers (a “cookie”)—without personally identifying the user. Some cookies are required to make sites work properly (“site cookies”) while others (“tracking cookies”) are used by the third party ad network in which that site participates to recognize that browser across multiple sites participating in the ad network, and thus create a “profile” of what the user might be interested in. Even though such profiles themselves are anonymous, many privacy advocates have pointed to four reasons why online profiling is becoming “too invasive:” (i) It is sometimes possible to infer the actual identity of the user; (ii) though all browsers allow users to opt-out of tracking by “cleaning out” their tracking cookies, a website may be able to restore deleted tracking cookies through the use of cookie alternatives such as “Flash cookies”; (iii) certain vulnerabilities in current browser design make it theoretically possible to “sniff” a user’s browsing history, cache or bookmarks; and (iv) the use of “packet inspection” by Internet Service Providers (ISPs) (instead of the use of cookies) to track online browsing amounts to illegal wiretapping.

The other concerns expressed by the advocates of regulation vary significantly. Some fear that browsing profiles could be captured by hackers, somehow associated with personally identifying information, and used for identity theft. These advocates demand limits on data retention as well as data security mandates. Others demand that users have access to their own profiles—a goal inherently in tension with data security. Most share a vague queasiness about “being tracked” and about advertising in general, while downplaying the effectiveness of self-regulation or user self-help.

Perhaps most legitimately, others fear that the real “Big Brother”—the government—will gain access to a “honeypot” of surveillance data that might be associated with individual users. A variety of other solutions have been proposed to what is, for the most part, a poorly defined problem, including a government-run “Do Not Track” registry to make it easier for users to block tracking cookies; mandating opt-in for some or all forms of profiling; and banning completely the collection of tracking data about sensitive subjects, cross-referencing of data sets, and use of packet inspection data for OBA.

The Less Restrictive Means: A Layered Approach

But how should policymakers decide which, if any, of these interventions are really necessary–or would even be effective? Ironically, those who demand immediate OBA regulation to protect user privacy are often the first to insist on less burdensome approaches whenever a policy “problem” involves purely non-commercial speech. For example, emphasizing personal and parental responsibility is often favored as the more sensible approach to dealing with free speech and child protection concerns. But, as Chapman University Law Professor Tom Bell has asked, why not apply the same standard across the board? Why not expect those especially privacy-sensitive users who object to OBA to do something about it? To the extent effective self-help privacy tools exist, they provide a means of solving policy problems that is not only “less restrictive” than government regulation but generally more effective and customizable as well. Why settle for one-size-fits-all solutions of incomplete effectiveness when users can quite easily and effectively manage their own privacy? Indeed, those who advocate personal responsibility and industry self-regulatory approaches to free speech and child protection issues should be advancing the same position with regards to privacy.

Fortunately, a wide variety of self-help tools and “technologies of evasion” are readily available to all users and can easily thwart traditional cookie-based tracking, as well as more sophisticated tracking technologies such as packet inspection. While cookie management tools that allow users to delete their cookies have been standard in browsers for some time, the latest generation of browsers incorporates far more advanced control over what kind of cookies browsers will accept from websites in the first place. Furthermore,  the extensible nature of modern browsers allows any freelance software developer who sees a way to improve a browser to do so by writing an add-on that “plugs in” to the browser using standard programming interfaces designed by each browser developer.  Many such add-ons are wildly popular, but even those users who never install a single one benefit from the acceleration of browser evolution made possible by add-ons.  We will be documenting examples of these tools in our upcoming Special Report and in an ongoing  series of blog essays.

The Benefits of Smarter Advertising

The “free” Internet economy is based on a simple value exchange: Users get access to an ever-expanding collection of content and services at no cost from websites that are able to generate revenue from “eyeballs” on their pages by selling space on their sites to advertisers, usually through ad networks. The smarter that advertising, the more free content and services it can support. This is the same value exchange that has supported free, over-the-air television and radio content for decades. The only difference is technological: Because websites can connect directly with the user, they need not rely on crude profiling tools such as Nielsen ratings.

There are larger economic benefits of smarter online advertising. First, it makes the overall economy more open and competitive by allowing small market entrants to reach consumers with messages about their products. Second, those who attack the use of packet inspection by ISPs for OBA fail to see that it is precisely the kind of “game-changer” that could disrupt Google’s currently dominant market position. Third, the involvement of ISPs in OBA could help defer broadband costs: Even if OBA revenue does not completely subsidize monthly service costs, smarter advertising could at least keep prices in check and potentially lower them significantly going forward.

But smarter advertising isn’t just about selling products or services. It is ultimately about making all kinds of speech more cost-effective. The ability to “target” listeners more narrowly also increases the ability of political and other not-for-profit speakers to communicate their messages. In short, smarter advertising means more voices, more choices, and more speech. The line between “advertising” and “content” is already blurring rapidly, as the technologies used to customize advertising are also used to customize webpages and ad networks themselves are used to deliver content.

The Larger Implications of Potential Regulation

As if reducing the advertising revenue generated by each web ad didn’t do enough to reduce the total amount of funding for free web content and services, government regulation of targeted online advertising could reduce advertising revenues even further by aggravating the problem of adblocking in two ways. First, the less relevant ads are, the more annoying users will find them, and the more likely users are to try to block them. Increased relevance is perhaps the most important remedy for adblocking and the best way to maintain the implicit value exchange that currently supports free Internet content and services

Second, regulation could short-circuit the eternal battle of technological one-upmanship between online advertisers and those users who rely on the technologies of evasion to “opt-out” of seeing ads or being tracked. Such privacy-conscious users are “free-riding” off of those users who don’t opt-out, since (at present) they generally don’t lose access to the free content and services supported by the targeted advertisements that other users do see. The user who blocks tracking, but not ads, is still free-riding off those users who don’t opt-out of tracking. On a large enough scale, such self-help has the potential to disrupt the value exchange of the Internet, just as automatic commercial-skipping has already disrupted the value exchange of television. As with all “Spy v. Spy” battles, this long-term trend is inevitable: As more sophisticated technologies of evasion are incorporated seamlessly into browsers and can be used without significantly degrading the browsing experience, their use will become increasingly mainstream. But ultimately, just as with television commercial-skipping, market forces can and will, if permitted, respond through technological means and the development of new business models. Today’s implicit quid pro quo may become, of necessity, explicit: Websites and ad networks will have to find increasingly creative ways to grant access to certain content and services for users who do not block ads or the tracking that makes ad space more valuable. Policymakers should take care not to ban such technologies or cripple such business models (e.g., through requiring opt-in), which may rely on more sophisticated forms of targeting such as the use of packet inspection data.

As users face an increasingly clear choice between (i) getting content and services for free supported by behavioral advertising and (ii) paying to receive those same services and content without tracking or even without ads altogether, policymakers will finally see whether users are really as bothered by profiling as the advocates of OBA regulation insist. Given the ongoing and widespread replacement of fee- or subscription-supported web business models with ad-supported models, it seems likely that the vast majority of consumers will continue to choose ad-supported models, including profiling.

Conclusion

The questions raised above—about the harm that supposedly requires intervention, the availability of less restrictive means, and the cost/benefit analysis of regulation—are vital considerations for the future of the Internet. Indeed, if smarter online advertising will not fund the Internet’s future, what will? As both the desire for “free” services and content and the need for bandwidth expand, OBA has the potential to offer important new revenue sources that can help support the entire ecosystem of online content creation and service innovation, while also providing a new source of funding for Internet infrastructure and making ads less annoying and more informative. That would certainly seem preferable to increased user fees or other “pay-per-view” pricing models for Internet content and services.

But looming legislative and regulatory action could stop all of that by replacing the current regime—in which the FTC merely enforces industry self-regulatory policies—with one in which the government preemptively dictates how data may be collected and used. The more enlightened approach is a “layered” approach to privacy protection that combines industry self-regulation, enforcement of industry-established privacy policies, consumer education, and user “self-help” solutions. These and other issues will be addressed in greater detail in our upcoming PFF Special Report.