Skating on Stilts

Privacy groups put much of their effort into attacking new technologies for a reason.  They’re afraid that, once we see a technology in action, we won't be scared by its hypothetical risks, while its benefits will be easier to assess. Once that happens, imposing new privacy laws gets a lot harder.

To see just how fast that cycle can run, let's take a trip down privacy's memory lane.

In 2004, when Britney Spears was topping the charts with “Toxic,” Google introduced a free, ad-supported email system called Gmail. Thirty-one privacy groups immediately demanded that the service be suspended. California State Senator Liz Figueroa introduced a bill to hobble the service by requiring that both sender and recipient consent to scanning of messages for ads.  And EPIC offered the following advice, still posted in a lonely corner of its website:

 Don't send e-mails to @gmail.com addresses

Remember, since Gmail is scanning and extracting incoming e-mails as well, even if you aren't a Gmail user, your privacy may still be violated by Gmail. To avoid such scanning, keep an eye on the domain of e-mail addresses to which you are you are sending and replying.

If you get an e-mail from a Gmail account and you wish not to reply consider explaining something like this:

Dear Friend,

I have received your e-mail, but due to privacy concerns, I don't want to send my response to your Gmail account. Please give me another e-mail address where I can reach you. If you don't have another e-mail address, consider the following free e-mail accounts with generous storage which do not pose the same privacy risks:

• Rediffmail(1GB + no content extraction)
• Walla(1GB + no content extraction)
• Spymac(1GB + no content extraction)
• Aventure-mail(2GB + no content extraction)

For more information on the privacy risks posed by Gmail, see http://www.epic.org/privacy/gmail/faq.html.

Sincerely,

Concerned Citizen

On the whole, I’d say that, for all her travails, Britney is holding up a lot better than EPIC's advice.

Gmail now has 425 million subscribers, making it the largest webmail service in the world. The links touted by EPIC, in contrast, mostly resolve to domain-recycling shops. Sen. Figueroa’s legislation died, and she has left the Senate for the California unemployment appeals board.

The point is not that privacy groups have a hair-trigger for “creepiness” claims, though they do. The point is that EPIC’s musty language felt entirely plausible just eight years ago. If the privacy groups had succeeded and Sen. Figueroa’s legislation had passed, we’d still be waiting for the regulations to be finished and the first appellate decisions to be handed down. Webmail providers would still be struggling with fears of legal liability, and 425 million consumers would have fewer choices.

All to protect us from a privacy scare that’s already as dated as disco.   

PHOTO: iStock Photo

And do you have to be a Republican to use it?

PHOTOS: From Salon

Adam Mueller, a police-the-police campaigner, has been convicted and sentenced to three months in jail for recording and posting telephone conversations with a Manchester, NH, police captain, a Manchester high school principal and a school secretary. Mueller was seeking comment on a video recording made by a high school student and allegedly showing a Manchester officer using excessive force to deal with a high school student. The conviction has led to sympathetic coverage in both the left and right blogospheres.

But one point hasn’t gotten much coverage.  It turns out that Mueller was convicted of violating a privacy law. He had recorded a conversation “without the consent of all parties to the communication,” a violation of NH 570-A:2. New Hampshire is one of about a dozen “all party consent” states.  The federal government and most states are “one party consent” jurisdictions, where recording is legal if one participant agrees to it.  Two-party consent laws were expressly protected when a federal wiretapping law was adopted, on the theory that states should be free to provide additional protection to conversational privacy. Recently, though, these laws have mainly protected the police, who’ve used the laws to arrest bystanders for making cell phone videos of police conduct. 

Judging from the outrage such arrests have sparked, it’s safe to say that protecting police from public scrutiny is an unintended consequence of this privacy law. (As I’ve pointed out recently, that is not the only unintended consequence of all-party consent laws.  They’re also bad for computer security. In most states, I can hire someone to screen incoming messages for malware, and as long as I consent to the monitoring there’s no legal problem.  In all-party consent states, though, there’s a real risk that I need the consent of the malware sender before someone can screen his incoming message.)

That laws sometimes have unintended consequences is not news. But as a privacy-watcher, I’ve been struck by the sheer number and variety of unintended consequences spawned by privacy laws.  I coined the phrase “privacy victim” to describe the many people who’ve been harmed by the unintended consequences of privacy laws. Adam Mueller is a privacy victim. There are millions more.

I don’t think this is an accident. Privacy laws are largely efforts to regulate technology.  Some new technology comes along, and we don’t like some of the changes it is likely to bring.  The privacy campaigners tell us that we can keep the good parts of the technology and ban the bad .  So we adopt a new privacy law based on some principle that sounds good to us at the time.  All-party consent laws, for example, responded to cheap taping equipment by adopting the principle that both parties should agree before their conversation is recorded.  It sounded good at the time; after all, wouldn’t any other rule encourage treachery? Then, gradually, cheap recording technology spread, and it became easier and easier to violate the law.  After a while, the principle that sounded so good a decade or two earlier began to seem a little artificial. Our internal privacy expectations had changed, but the law hadn’t.

Inevitably, violations of the law proliferated, to the point where the violations didn’t feel like wrongdoing.  Adam Mueller, remember, posted evidence that he had committed a felony under New Hampshire law on the Internet. When law-breaking is widespread and unapologetic, the authorities can pick and choose whom they prosecute.  Is it any surprise that they choose to prosecute people who inconvenience the authorities? Or that the laws end up being used to bolster the status quo? Again, ask Adam Mueller.

No, none of this is a surprise.   Rather, it is the perfectly predictable consequence of most privacy laws.  Regulating technology is a tricky business.  Laws adopted when a technology is born don’t usually fit very well when the technology matures. But having laws on the books that don’t fit our actual sense of right and wrong practically invites abuse by those in power. That’s what happened to Adam Mueller and a host of other would-be citizen-journalists who’ve been busted for recording the police. A generation ago it happened to Linda Tripp, whose taping of calls with Monica Lewinsky about her affair with President Clinton spurred 49 Democratic Maryland legislators to demand that she be prosecuted for violating that state’s all-party consent law. And it will happen over and over again, usually in service to the establishment, the more privacy laws we adopt to regulate future selves we don’t really understand.

Adam Mueller is not the first privacy victim. And he won’t be the last.

Greg McNeal's article for Forbes argues that the UAV industry is now squarely in the privacy lobby's sights.  That means that the industry must be demonized and creepified relentlessly until new legal constraints are imposed on public and private use of the technology. 

All the signs are there.  The left-leaning privacy groups have already recruited Drudge and parts of the right to provide what amounts to political stoop labor for their regulatory agenda. (What do we call this tendency on the right -- "Libertarians for More Regulation"?)

The industry, meanwhile, seems to have brought salesmen to a gun fight:

As the legal and policy landscape is changing, so too must the R&D approach of unmanned systems manufacturers who are great at selling the capabilities of their systems, but are not adept at dealing with their products as policy catalysts.  They speak about the benefits their systems can provide, great ISR capabilities, portability, ease of use, etc.  They make a compelling case, but the problem is they are arguing the merits of their systems.  Their opponents in the privacy lobby aren’t interested in the merits, they are interested in stopping the development of these systems out of a fear of some potential government violation of privacy – however that term privacy is to be defined at any given moment.  The problem for the industry is that the privacy lobby is much better at this game than industry is, mostly because the industry isn’t giving the privacy lobby’s concerns enough attention. This is a fatal miscalculation, the privacy lobby is extremely adept at demonizing programs and advancements in technology — the unmanned systems industry (not just AUVSI) needs to prepare for the fight.

Read the whole thing.

 PHOTO: robertmandel at iStockPhoto

Eugene Volokh of the Volokh Conspiracy recently posted about whether it can ever be libelous to say, accurately, that someone has been arrested after the arrest has been expunged.  The New Jersey Supreme Court rightly described the idea as Orwellian and rejected it.

In Europe, though, something like this rule is being advanced in the name of privacy.  Unlike the wacky libel theory highlighted by Eugene, the equally wacky European “right to be forgotten” stands a good chance of being adopted in some form.  In fact, it stands a good chance of being applied widely inside the United States as a result of Europe’s unending campaign to export its data protection standards.

The European Commission explains its proposed directive as follows:

Any person should have the right to have personal data concerning them rectified and
a 'right to be forgotten' where the retention of such data is not in compliance with this
Regulation. In particular, data subjects should have the right that their personal data
are erased and no longer processed, where the data are no longer necessary in relation
to the purposes for which the data are collected or otherwise processed, where data
subjects have withdrawn their consent for processing or where they object to the
processing of personal data concerning them or where the processing of their personal
data otherwise does not comply with this Regulation.

In Eurospeak, a “data subject” is anyone about whom facts have been collected or processed.  The data protection rules apply to anyone who does the collecting or processing, whether a big mail order company, a community newsletter, or a lonely blogger. While there’s a regulatory carveout allowing retention of data “for exercising the right of freedom of expression,” the presumption of the rule is that any data about a person must be erased if the person objects to its retention.  Indeed, if the data has been passed on to third parties for processing, they must also be told “to erase any links to, or copies or replications of that personal data.”

If you’re thinking that such a foolish law could never be adopted here, think again. Europe has long engaged in a kind of data boycott of the United States, refusing to allow American companies to process any personal data from Europe on grounds that US privacy law is not “adequate” to protect Europeans.  Under this economic pressure, more and more companies have agreed in effect to apply European data protection law to their activities inside the United States.In fact, the Federal Trade Commission is now busily enforcing European data protection law in the US.

So there’s a decent chance that the “right to be forgotten” will be enforced here, and that it will end up regulating what information Americans are allowed to give to other Americans.

And what about the First Amendment, you say?  Sorry, that’s just a local ordinance in Europe’s view – though in time perhaps you’ll be able to file a “Form 327a -- Request to Retain Data for Purposes of Exercising the Right of Freedom of Expression” and receive a prompt reply from a European agency granting or denying your request.

I’ve long suspected that President Obama would respond to the failure of cybersecurity legislation with an executive order.  Many of the legislative proposals that failed in the Senate can be implemented by the President acting alone.  An executive order would also advance a story line that has the President robustly protecting national security while a do-nothing Congress dithers. After a little thought, in fact, I now think that an executive order could actually do more for cybersecurity than any legislation that this Congress could plausibly have adopted.

At a minimum, the Administration is keeping its options open on an executive order.  Here’s what Presidential spokesman Jay Carney said when The Hill asked point-blank whether a cybersecurity order was in the works:

“In the wake of Congressional inaction and Republican stall tactics, unfortunately, we will continue to be hamstrung by outdated and inadequate statutory authorities that the legislation would have fixed….Moving forward, the President is determined to do absolutely everything we can to better protect our nation against today’s cyber threats and we will do that."

What can the President do by executive order?  The Senate bill’s measures fell into three categories, and most of them can be implemented in some form without legislation. 

First, lots of them were filler, authorizing new research programs, reforms of the Federal Information Systems Management Act, and so on.  None of these were likely to change the world, in part because they can mostly be implemented under existing law. Like the proposed bills, an executive order would simply dramatize changes that are already under way.

Second, the Senate (but not the House) proposed private sector security standards. Broadly speaking, the Senate majority wanted to legislate a central role for DHS, which would take the lead in identifying industries where cybersecurity is essential. The Senate bill then called on those industries to adopt security standards, which would be backed by some kind of government enforcement or incentives.  Some of the biggest fights in the Senate were over DHS’s role, over how much new enforcement power the government would have, and over whether to jam cybersecurity standards into existing federal regulations for industries like power, pipelines, transportation, and communications.

Ironically, by the time Senate supporters of the bill were done trying unsuccessfully to woo the Chamber of Commerce, their bill did only a little that could not be done by executive order.  DHS has lots of legislative authority over cybersecurity already.  It could almost certainly identify critical infrastructure and encourage voluntary standards without more legislation. It may not be able to enforce the standards with fines and orders, but those tools were mostly stripped from the bill in a futile attempt to win business acquiescence. As for incentives, the SAFETY Act, with a little effort (it’s designed for terrorism not cyberattacks), could be repurposed to provide liability protection for companies that meet cybersecurity standards. And, again with controversy, DHS could be assigned the role of driving coordinated security standards into the regulatory processes of all federal agencies.  Even the independent agencies, such as the FCC, have acknowledged that they must follow the executive branch on national security matters, so such a result is at least plausible, and lawsuits challenging such a measure would simply keep the issue in the news longer, reemphasizing the administration’s preferred narrative.  In short, on this score, the Obama administration probably gets more out of the cybersecurity act’s failure than it would have gotten out of success. (That might explain its otherwise inexplicable CISPA veto message, which helped doom bipartisan cybersecurity efforts on the Hill.)

The third topic, information sharing, is more problematic.  The key legislative changes, proposed by everyone, would have undone a couple of overbroad privacy laws from the 60s and the 80s. One such law allowed states to require that all parties consent to private interception of their communications. In today’s world, that’s foolish; it means giving malware authors a veto over measures to screen their attacks. The other aging privacy provision prevented certain companies from sharing with the government attack signatures that they already share among themselves; that’s because the signatures pretty much have to contain the personal data (gasp!) of the attackers. Thanks to past privacy lobbying, federal law says that personal data may be shared by electronic service providers only in response to a subpoena, thus reducing what needs to be a speed-of-light transmission to a speed-of-lawyers snail’s pace. Privacy campaigners managed to make the repeal of these outmoded provisions controversial.  So by the time the Senate was done trying without success to woo privacy groups with amendments (yes, you do see a pattern here), its bill was arguably worse than the status quo.

It is hard to fix bad laws with an executive order, but in this case I’m not sure it can't be done.  States with two-party laws are a minority already (about a dozen states, depending on how you count), and their laws are under pressure in the courts (thanks to police officers claiming that it's a felony for members of the public to record them without their consent). What's more, despite claims about their chilling effect on signature filtering, two-party-consent laws don’t seem to have stopped the emergence of robust spam filtering by private companies.  A clear presidential statement that allowing such laws to bar signature filtering threatens national security would almost certainly resolve any lingering doubts, especially if it’s backed by an order that the Justice Department intervene as necessary in private state suits that challenge signature filtering.

All that's left then is the federal ban on unsubpoenaed information sharing, and even it might yield to a little creativity.  Not everyone is subject to the ban.  So can the parties who are covered by the restriction (ISPs, webmail providers) simply share their data with parties who aren’t covered (security firms)?  And can the security firms in turn sell their data to government?  Maybe so.  Again, a clear presidential statement that such a measure is essential for national security would make the courts think twice before declaring that Tinker-to-Evers-to-Chance is simply an evasion of the ban on Tinker sharing with Chance.

In short, an aggressive executive order could do as much or more than the bills that were emerging from the lobbyist-ridden cybersecurity negotiations on the Hill.  An order would be controversial, but the controversy itself may be welcomed by the administration.  I have no doubt that right now it would relish a fight over national security with the Chamber of Commerce. (Whether it would welcome a tussle with privacy groups is less clear, so the information sharing problem may be left to fester. ) 

With substance and politics in alignment, it’s easy to see why rumors are flying about a pending order.

UPDATE:  Corrected Evans to Evers

The cybersecurity bill is dead for this Congress, with cloture failing by a vote of 52-46. The Senate's failure to reach any kind of compromise is particularly striking, given that roughly two-thirds of the basic ideas in the bill had been endorsed by all of the following: the Obama administration, Senator McCain and the great majority of Senate Republicans, Majority Leader Reid, Senators Lieberman and Collins, as well as a bipartisan majority of the House.

So, who deserves the credit for killing the bill? Or the blame, if we suffer a significant attack on our civilian infrastructure before Congress returns to the issue?

On the lobbying side, I'd nominate two candidates. 

The US Chamber of Commerce is the Democrats' favorite whipping boy. But in this case the Democrats are right.  The Chamber wanted this bill dead, and it rejected substantial efforts to accommodate its concerns on the part of Senators Lieberman, Collins, and Kyl -- none of whom are exactly enemies of business. It simply pocketed the concessions and kept campaigning against the bill, threatening to make the issue a "key vote" and give supporters an antibusiness score on the Chamber's scorecard.

A less obvious but equally important role was played by the privacy groups, whose contribution I've already described at length. The information sharing provisions in CISPA, the House bill, had support from all parts of Congress and from the Administration, but the privacy groups managed to make the provisions controversial nonetheless, trashing not just the Republican-supported CISPA but even the Obama Administration's version of information sharing. That foreclosed any hope of reaching a compromise that would enact information sharing plus several uncontroversial provisions while stripping out the private sector standards (the Administration also rejected this half-a-loaf strategy).

Between them, business and privacy lobbyists provided the friction that made progress on the bill difficult.  Senators on both sides of the aisle were hearing from natural allies who opposed the bill.  

But Senators are capable of pushing back on constituents, especially when national security is at issue.  Why didn't that happen here?

To some extent, it did. In retrospect, kudos go to the House, which showed a surprisingly bipartisan commitment to finding a solution. When the regulatory provisions ran into the Chamber's buzz saw, the intelligence committee and House leadership produced a half-loaf information sharing bill and mustered substantial Democratic support for it.

So who killed the bill?  Again, I've got two candidates.

Sen. McCain played the largest role in rallying opposition to Collins-Lieberman and then was unable or unwilling to deliver a compromise when the chips were down. I've worked with him.  I respect him.  He's an honest patriot.  But he miscalculated badly here.

So did the President. Expressing disappointment, he declared that "the politics of obstructionism, driven by special interest groups seeking to avoid accountability, prevented Congress from passing legislation to better protect our nation from potentially catastrophic cyberattacks.” Today he called on the Senate to "heed not the special interests but the needs of the American people," and pledged to "continue working with colleagues on both sides of the aisle to solve our differences and find a path forward.” But In fact the President probably contributed as much as Senate Republicans to collapse of the bill.  When the House was considering cybersecurity legislation, the White House it issued a veto threat against CISPA on fairly flimsy grounds -- mainly its half-a-loaf nature and some remarkably trivial differences over privacy protection (e.g., CISPA relied on Inspectors General to perform privacy reviews; the White House preferred to use the Privacy and Civil Liberties Oversight Board, despite having left that board without members for nearly all of the President's first term). 

That point-scoring White House message signaled to Democrats that the cybersecurity bill was not immune from partisan gamesmanship and helped to sour the atmosphere in the Senate. The closer the election came, the harder it was for anyone to overcome their mistrust of the other side's intentions. 

That, in short, is why it's hard to pass legislation in an election year.

UPDATE: Original version incorrectly attributed to the White House a statement made by (Senator) Whitehouse.

Photo credit:  iStock