Skating on Stilts

I reviewed Juan Zarate's Treasury's War for the Wall Street Journal.  If you have a subscription, here's the paywalled link. For cheapskates, here's the gist:

Treasury has attacked money laundering by big banks, imposing fines up to $2 billion on institutions around the world. As a result, banks have toughened their compliance regimes. Under the slogan “know your customer,” they now feel obliged to run checks on their customers’ reputations and to shun even faintly suspicious transactions.

In such a climate, it’s easy to become a customer no one wants to know. And the easiest way of all is to be officially labeled a “primary money laundering concern.” A bank that has been tarred with that brush quickly becomes a pariah to every bank with a compliance program. Because a pariah can’t perform normal financial transactions under such conditions, its solvency is immediately drawn into question. And, boom, within 24 hours, even a bank with no direct ties to the United States is effectively out of business, brought down by a Treasury-induced run. Treasury’s designation turns out to be a remarkably effective weapon—the Predator drone of financial sanctions—killing instantly, without warning, far from home.

In one of his better stories, Mr. Zarate shows how Treasury’s new weapon struck even North Korea, a veteran sanctions-buster that had sheltered comfortably in China’s lee for decades.

China’s diplomats stood by their client as usual, but not its banks. Rather than risk its access to world financial markets, even the state-owned Bank of China in Macau froze North Korean accounts. Later, after many ceremonial toasts at a session of the international talks on nuclear proliferation, one inebriated North Korean negotiator leaned in to his American counterparts and admitted: “You Americans have finally have found a way to hurt us.”

Mr. Zarate brings verve and the joy of combat to this and other tales. I served with him in government; and “Treasury’s War” certainly speaks with his hard-nosed, in-it-to-win-it voice. He is indeed a warrior-bureaucrat (and, truth be told, one after my own heart). In Mr. Zarate’s hands, what could have been a dry series of think-tank papers becomes a lively narrative filled with heroes, villains, and fools. ...

Mr. Zarate’s enthusiasm for his new weapon is heartfelt. Since leaving government, though, I’ve had a chance to see Treasury’s war from the other side. And like a Predator strike, it looks a little different on the ground. If you own a bank, Treasury’s designation can wipe out your investment overnight. Yet because the decision is fatal, challenges are rare. Treasury never sees its errors or the collateral damage it has caused. And what begins as an awesome and sobering responsibility soon becomes a routine part of the bureaucracy’s toolbox, prone to overuse and free from oversight.

Read the whole thing.

I'll be testifying tomorrow before the House Intelligence Committee.  This post is an excerpt from that testimony. The full version is here:  Download Baker - HPSCI testimony - Oct. 29 2013.

I fear that the campaign by Glenn Greenwald and others who control the Snowden documents has forced the executive branch into a defensive crouch.  Other nations are taking advantage of the moment to demand concessions that the White House is already halfway to granting.  If so, we will regret them as a country long after the embarrassment of fielding angry phone calls from national leaders has faded into a short passage in President Obama's memoirs.

European and other nations see the prospect for enormous gains at the expense of the U.S., in part because President Obama seems genuinely embarrassed and unwilling to defend the National Security Agency.  Instead, he is offering assurances to select world leaders that they are not targets, and his homeland security adviser is declaring that “the president has directed us to review our surveillance capabilities, including with respect to our foreign partners. We want to ensure we are collecting information because we need it and not just because we can [and that] we are balancing our security needs with the privacy concerns all people share.”

Administration sources have begun criticizing the NSA for putting the President in this bind, and they are hinting at the possibility of negotiating reciprocal deals with other countries that will bar espionage directed at each other while sharing intelligence.

In short, we face the prospect that foreign nations will capitalize on President Obama's defensive crouch to extract diplomatic and intelligence concessions that would have been unthinkable a year ago. At the same time, I note, these nations have asked China, which is subjecting them to the most notorious and noisy computer hacking campaign on the planet, for, well, for nothing at all.

The reason for that reticence is simple.  They know that China will give them nothing.

And that, it seems to me, is where Congress comes in.  Sometimes an American negotiator's best friend is an unreasonable Congress.  As far as European negotiators are concerned, the United States Congress is almost in China's league. 

If Congress sets limits on what the executive branch can concede to its foreign counterparts, those limits will be observed.  And if Congress specifies consequences for threatening U.S. industry, threatening U.S. industry will be much less attractive.

That's why I suggest that any legislation addressing the domestic intelligence program also address the international campaign to weaken U.S. intelligence capabilities. What would that legislation say?  Let me suggest a few possibilities, any one of which would provide U.S. negotiators with useful limits and leverage:

• A “cooling off”  provision requiring that any intelligence reciprocity agreement with any nation be submitted to Congress for review prior to taking effect.
• A “start with common ground” provision prohibiting reciprocal intelligence talks with any nation unless the DNI determines that the nation does not use its intelligence services to steal commercial information from private American companies for the benefit of its own companies.
• A “true reciprocity” provision requiring an independent report to this committee from the CIA, NSA, and other agencies prior to any proposed intelligence reciprocity arrangement taking effect; no such arrangement could take effect without a determination by Congress that the arrangement provided benefits to the U.S. intelligence community that matched the benefits to the counterpart nation.
• A “trust but verify” provision requiring that the DNI certify that any reciprocal “no spying” promise in an international agreement be verifiable and enforceable.
• A “no hostage-taking” provision that bars negotiations – and counterterrorism intelligence-sharing – with any European Union member if the European Union terminates its existing terrorism information sharing arrangements with the United States or takes action to punish U.S. companies in an effort to regulate U.S. intelligence or law enforcement agencies.  Exceptions for intelligence sharing would require a determination by the DNI that the sharing is in the national interest of the United States and that the country in question took action to oppose the termination.
• A “stay in your lane” provision barring any negotiation with the European Union that touches on intelligence.  The European Union has no authority over European intelligence, and its role in past counterterrorism negotiations has been uniformly hostile to American interests.
• A “sauce for the goose” provision requiring declassified reports from the intelligence community on (1) the scope and intrusiveness of other nations' surveillance of American officials, businessmen, and private citizens and (2) how much data about individual Americans is being retained by companies in Europe and elsewhere, how often it is accessed by European governments, and whether that access meets our constitutional and legal standards.

I contributed a short piece today to the New York Times on the latest Snowden-generated flap over allegations that NSA targeted Angela Merkel's mobile phone.  Excerpts:

To play the role it has played in the world for the last 70 years, the United States must be able to gather intelligence anywhere in the world with little or no notice. We never know where the next crisis will erupt, where the next unhappy surprise is coming from. It’s the intelligence community’s job to respond to today’s crises, but its agencies live in a world where intelligence operations take years to yield success. That makes it a little hard – and very dangerous -- to create “intelligence-free zones." ...

Even the countries we usually see as friends sometimes take actions that quite deliberately harm the United States and its interests. Ten years ago, when the U.S. went to war with Iraq, France and Germany were not our allies. They were not even neutral. They actively worked with Russia and China to thwart the U.S. military’s mission. Could they act against U.S. interests again in the future – in trade or climate change negotiations, in Syria, Libya or Iran? ...

That’s just life and international politics. As German Chancellor Angela Merkel too knows quite well. She visited China right after public disclosures that the Chinese had penetrated her computer network, yet she managed to be “all smiles” while praising relations between the two countries as “open and constructive.” ...

The United States can’t stop gathering intelligence without running the risk of terrible surprises. So it won’t.

NIST has revised the draft cybersecurity framework that it released in August.  What it published today is a  "preliminary cybersecurity framework." After comments, a final framework will be released in February.

I've been very critical of the draft released in August.  NIST clearly worked to address the criticisms.

The result is a mixed bag, but the document is still a net loss for security.

What's improved? First, in an effort to introduce flexibility into the document,  NIST deleted  all the “should” language from the privacy standards.

Second, it added a paragraph that asserts the “flexibility” that organizations have to implement the privacy provisions:

Appendix B contains a methodology to protect privacy and civil liberties for a cybersecurity program as required under the Executive Order. Organizations may already have processes for addressing privacy risks such as a process for conducting privacy impact assessments. The privacy methodology is designed to complement such processes by highlighting privacy considerations and risks that organizations should be aware of when using cybersecurity measures or controls. As organizations review and select relevant categories from the Framework Core, they should review the corresponding category section in the privacy methodology. These considerations provide organizations with flexibility in determining how to manage privacy risk.

Third, NIST responded to my concern that the “governance” section of the appendix would smuggle  into the rules governing private companies all of the fair information practice principles, or FIPPs, that govern federal agencies.  NIST narrowed the scope of the governance section by tying it to the actual PII being used for cybersecurity.  See the bold language below..

 Old version: Organizations should identify policies and procedures that address privacy or PII management practices.  Organizations should assess whether or under which circumstances such policies and procedures : [followed by a list of FIPPs, many with dubious relationship to cybersecurity]

New version: Identify policies and procedures that address privacy or PII management practices for the PII identified under the Assets category. In connection with the organization’s cybersecurity procedures, assess whether or under which circumstances such policies and procedures: [followed by the same list]

That's a substantial improvement.

What's wrong with the new version? Well, the first change, dropping the "should"s, is well-intended but largely cosmetic.  In fact, it arguably makes the rules harsher, not more flexible. That’s because, instead of telling companies what they “should” do to protect privacy, the appendix now just commands them to do those things. You can see that in the example above.  Also in this one:

 Old version: “When performing forensics, organizations should only retain PII that is relevant to the investigation.”

New version: “When performing forensics, only retain PII or communications content that is necessary to the investigation.”

(As an aside, note the other change in the new version, which is pretty clearly the result of privacy groups’ comments.  It tells companies to protect communications content, not just PII. But that change is only needed if the companies are sharing content that can’t be traced to a person.  So it seems to mean that companies who share information about spam should minimize the amount of spam they quote when trying to tell other companies which messages to block. That's dumb.  More broadly, why shuld such a  mandate be added to a standard that insists that it’s about PII?)

That brings me to my biggest concern.  Despite NIST’s claim that it has left companies lots of flexibility, you can’t really find flexibility in the language of the privacy appendix.  So I continue to fear that the net result of the package will be to impose a "privacy tax" on cybersecurity, adding to the cost of security measures by tying those measures to expensive privacy obligations whose value is unproven.  For example:

 Old: “When voluntarily sharing information about cybersecurity incidents, organizations should ensure that only PII that is relevant to the incidents is disclosed.”

New: “When voluntarily sharing information about cybersecurity incidents, limit disclosure of PII or communications content to that which is necessary to describe or mitigate the incident”

The new language is slightly less demanding, but it still calls on companies that share information about malware and intrusions to make determinations about which information is “necessary” to describe or mitigate the incident. If the company guesses wrong about a couple of bits of information, and someone later decides that those bits weren’t strictly necessary to mitigate the incident, then the standard has been violated and liability is much more likely.  At a minimum,  lawyers have to review every category of data that is being shared and write rules for when it is necessary and when it isn’t.  It takes heroic ignorance to believe that a requirement like that won’t reduce the sharing that’s already occurring, even among private enterprises.

Finally, NIST took a further step that has heightened my concern that this appendix is going to impose the FIPPs on the entire US private sector.  That’s because the only “reference” standard offered by NIST to explain and implement the appendix is a document that is plainly written for government agencies trying to implement federal privacy standards.  In the absence of any other reference, the pressure will be great to follow the government rules.

So, to return to the example above, suppose you’re a company that wants to implement privacy-compliant information sharing. You consult the “reference” standard, and here’s what you’re told:  

MINIMIZATION OF PERSONALLY IDENTIFIABLE INFORMATION

Control: The organization:

a. Identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection;

b. Limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and

c. Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings [Assignment: organization-defined frequency, at least annually] to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose.

Supplemental Guidance: Organizations take appropriate steps to ensure that the collection of PII is consistent with a purpose authorized by law or regulation. The minimum set of PII elements required to support a specific organization business process may be a subset of the PII the organization is authorized to collect. Program officials consult with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) and legal counsel to identify the minimum PII elements required by the information system or activity to accomplish the legally authorized purpose.

Organizations can further reduce their privacy and security risks by also reducing their inventory of PII, where appropriate. OMB Memorandum 07-16 requires organizations to conduct both an initial review and subsequent reviews of their holdings of all PII and ensure, to the maximum extent practicable, that such holdings are accurate, relevant, timely, and complete. Organizations are also directed by OMB to reduce their holdings to the minimum necessary for the proper performance of a documented organizational business purpose. OMB Memorandum 07-16 requires organizations to develop and publicize, either through a notice in the Federal Register oron their websites, a schedule for periodic reviews of their holdings to supplement the initial review. Organizations coordinate with their federal records officers to ensure that reductions in organizational holdings of PII are consistent with NARA retention schedules. By performing periodic evaluations, organizations reduce risk, ensure that they are collecting onlythe data specified in the notice, and ensure that the data collected is still relevant and necessary for the purpose(s) specified in the notice. Related controls: AP-1, AP-2, AR-4, IP-1, SE-1, SI-12, TR- 1. 

Control Enhancements:

(1) MINIMIZATION OF PERSONALLY IDENTIFIABLE INFORMATION | LOCATE / REMOVE / REDACT / ANONYMIZE PII

The organization, where feasible and within the limits of technology, locates and removes/redacts specified PII and/or uses anonymization and de-identification techniques to permit use of the retained information while reducing its sensitivity and reducing the risk resulting from disclosure.

Supplemental Guidance: NIST Special Publication 800-122 provides guidance on anonymization.

  None of this is good for quick and easy cybersecurity information sharing.  It seems to suggest that each sharing company has to evaluate its cybersecurity data and minimize, perhaps even anonymize, the data it keeps and to get rid of anything it isn’t sure it needs. The data will have to be scrubbed for accuracy and completeness.  To make that decision, the guidance creates a committee that includes not just the lawyers but top officials and a privacy officer, further clogging and bureaucratizing what should be an instantaneous exchange of threat data. This raises the cost of information sharing, which is what you do only if you want less of something.

There's a lot of talk in the press these days about how hard it is for the federal government to do IT right and how the blame for the failures of the healthcare.gov website should fall on the federal procurement system, not the federal managers.  

As someone who advocated enthusiastically for federal use of relatively advanced IT while in government, I agree that the procurement process makes it hard to produce IT that works on budget and on time. There have been plenty of expensive IT failures in recent administrations.

That said, it isn't impossible, even with stiff political opposition, to manage big public-facing federal IT projects successfully.  I can think of three fairly complex IT projects that my old department delivered despite substantial public/Congressional opposition in the second half of George W. Bush's administration.  

They weren't quite as hard as the healthcare problem, but they were pretty hard and the time pressure was often just as great.  Putting together the list from memory, which may be faulty on some details, they are:

• ESTA:  The Electronic System for Travel Authorization, unknown to Americans, must be negotiated by 20 million visa-waiver visitors to the US, who must seek and obtain approval for their travel.  Backend systems must send the details of each traveler's filing to multiple agencies. The electronic approval then must be available to hundreds or thousands of US ports of entry 24 hours a day.  The system was put in place by Customs and Border Protection in about two years, with a firm deadline of January 2009 and despite the sniping of the European Union, which saw it as an "electronic visa." Estimated cost to build and maintain:  $50 million a year.
• E-Verify:  Half a million employers log on to E-Verify, many of them every day, to enter new-employee data and get confirmation from DHS that the employee is work-authorized.  Total transactions are about 20 million a year. The back-end coordinates with several other agency databases,  usually within a few minutes.  Business interests and immigration advocacy groups hated the system and did their best to portray it as a failure.  Any work-authorized American who was denied authorization, even temporarily, was treated as a scandal requiring abandonment of the system. Cost to build and maintain:  maybe $100 million a year.  To be fair, the system was put together much more slowly, over a decade or more, though some of the biggest jumps in traffic occurred in a few years after 2006.
• US-VISIT:  Every foreign visitor to the United States is now fingerprinted at the border and the prints must be instantly compared against records in several other agencies. The program handles 45 million transactions a year and was put in place in a few years under Secretary Ridge, at a time when DHS was also trying to organize itself.  Civil liberties and foreign hostility to the whole idea of fingerprinting visitors was intense, and hopes that the system would fail were widespread in those circles.  It didn't.  Annual cost:  up to $300 million.

These programs aren't directly comparable to the healthcare challenge, but they're in the ballpark; as I remember they were delivered without serious schedule or cost overruns, and they worked when delivered.  So it can be done with careful management, and to be frank, if your administration's entire legacy depends on delivering a working healthcare IT system, managing the IT process should be a pretty high priority.

For that reason, I am surprised at the management problems that the Obamacare website has suffered from.  They can't be blamed entirely on the IT procurement process.

I'm a much bigger fan of Girl Talk, whom I've blogged about before, than of current copyright law.  So it's hard to resist a chance to talk about both.  Girl Talk (actually a fellow named Greg Gillis) produces delightful mashups of hip-hop and classic rock that shed new light on both. Since Girl Talk relies on a claim of fair use for his sampling and doesn't seek the original label's authorization, he has trouble selling his albums through the usual channels.  (His stuff is available here.)

Now Michael Schuster, another Girl Talk lawyer-fan, has produced a law-review-style study of All Day, Girl Talk's latest album, arguing that the songs it samples actually had higher sales in the year after the sampling than in the year before.  For those of us who think copyright law is too protective of plaintiffs, the article is comforting.  It suggests that current law may actually be hurting the authors it purports to help by discouraging musicians from introducing their fans to our pop-cultural heritage. And that's how it's being covered by a largely sympathetic press and blogosphere.

Actually, though, I think the article is a little too comforting.  I am always skeptical of scholarly research that reinforces academic prejudices, since scholars tend adjust their standards of proof to fit their prejudices.  And Schuster's article, it seems to me, does exactly that.

Schuster achieves his results by playing with the sample, dropping nine songs from a sample of about 200 because they completely wreck his argument.  His reason for dropping the songs is that they were hits in the 30 months prior to the release of Girl Talk's album, so their sales were bound to decline and it isn't appropriate to charge Girl Talk with the natural rhythm of pop music sales.   

If he didn't drop those songs, though, Schuster's data would show a 50% drop in sales for songs that Girl Talk samples -- exactly the opposite of the effect he claims. Schuster says he's just correcting for noise in the data.  Maybe so, but once you start making big after-the-fact adjustments to a sample of 200, you can prove pretty much anything.

At best, then, Schuster has developed an interesting hypothesis that ought to be tested by a new experiment untainted by data cherry-picking.

So how about it, Greg Gillis?  We need a new Girl Talk album, and soon.  

For science's sake.  

PS How's that for an evergreen blog title? If the FTC enforced honesty in blogging, at least half the content of the blogosphere would appear under this heading.

I've been critical of the claim that European privacy law offers more protection against government surveillance than American law.  Apparently not critical enough.  An Ars Technica reporter with a pro-privacy inclination decided to seriously investigate using a German email system to get the benefits of European privacy law.  

His tale of disillusionment revealed three privacy deficits in European law that even I hadn't noticed when I trashed the myth of European privacy superiority. First, unlike their US counterparts, German email providers are unable to issue transparency reports of the sort that US companies have been publishing:

“German law forbids providers to talk about inquiries for user data or handing over user data,” Löhr added. “We are currently investigating a possible way with our lawyer to issue a transparency report about questions from police like Google, Microsoft, and [many] other US providers do, but we can not promise we will be able to do so. We try hard.” Indeed, the German Telecommunications Act of 2004 (PDF) states very clearly, “The person with obligations shall maintain silence vis-à-vis his customers and third parties about the provision of information.” In other words, German communications services would be under a gag order by default.

Of course, given their other disadvantages on the government-privacy front, maybe European providers aren't exactly eager to issue transparency reports.  For example, in the US, authorities have to get a specific "gag" order to prevent subscribers from getting notice that their mail has been seized; while gag orders are common in the US, they often expire after a time and can usually be challenged.  It appears that Europe simply doesn't make disclosure an option.  Silence, not disclosure, is the law's default.

 [A]n American provider could notify its customer that he or she is the target of a judicial investigation. Google has a user notification policy, for instance, that stands unless the court forbids it from disclosing that information. ... German court orders, by contrast, appear to be sealed automatically.

And finally, it appears that European mail providers cannot challenge government discovery orders before turning over the data.  In Germany and the Netherlands, the only jurisdictions the writer examined, providers turn over the data first, and then argue about whether they should have to do so:

Löhr also added that Posteo could challenge a secret court order after the fact, unlike in the case of the United States, where such challenges can be made before such a handover. "If we think the order was not right, we can complain afterwards—and we would do so," Löhr told Ars.

The same is true elsewhere in Europe:

“There is an option to challenge that request [in the Netherlands], but only after it has [been] given the data,” Ot van Daalen, the director of Bits of Freedom, a Dutch digital rights group, told Ars. “A successful challenge leads to an order of the court to destroy the data. In the case of possible privileged communication, in practice the data is sealed in an envelope pending challenge and only opened after the data is deemed to be unprivileged by the court.”

NOTE:  I'm experimenting with comments, hoping to get a higher ratio of wheat to chaff.  Today's experiment:  If you have comments that I am likely to find supportive, clarifying -- or entertainingly abusive -- please send them to vc.comments[at]gmail.com.

I’d like to offer readers a short quiz on judicial independence. 

Imagine a field where liability is common but damages vary widely -- patent law, perhaps, or disability claims.  In this field, there is a specialized court that has attracted Congressional and press criticism because it rules for the plaintiff 99% of the time. Stung by relentless criticism based on this statistic, the chief judge of the court finally writes a public letter to Congress, saying, in essence,

“You don’t understand how this court works.  The court conducts detailed pretrial settlement negotiations and in at least 25% of its cases, the judge tells the plaintiff that he is likely to lose unless he reduces his claim to an amount the court considers more reasonable, and the plaintiff almost always does.  The court on occasion tells the plaintiff that his chances are so poor that the case should be dropped, and it usually is.  In order to correct the misimpression created by the 99% success rate figure, from now on this court will keep track of every case in which we force the plaintiff to reduce or abandon his claim and will publish those statistics regularly.”

Based on those facts, I offer two multiple-choice questions:

1.  The court’s letter is (choose one):

a.  A breach of the tradition that courts do not enter the political arena to justify their decisions.

b.  A prudent and factual response to public misunderstandings about the court’s decisions and role.

2.  Which statement about the court's collection of statistics is most accurate?

a.  It improperly encourages the court's judges to "improve" their track record by negotiating for reductions and withdrawals of plaintiffs' claims even when those reductions and withdrawals are not required by law.

b.  It is a valuable public service countering an inaccurate public impression; no reasonable person could believe that the publication of such statistics would ever influence the court’s execution of its judicial responsibilities.

If you were even tempted to choose “a” as the answer to either question, you should be troubled by these two letters, written by Chief Judge Walton of the FISA court.  They say,  in essence that the government’s 99% success rate before the FISA court fails to take into account the frequent and intense negotiations between the court and the government, negotiations that result in modification or withdrawal of roughly a quarter of all FISA applications. The most recent letter promises that in the future the court will keep track of all the modifications or withdrawals of FISA orders that the court negotiates and will report the court's track record to Congress and the public.

In my view, nothing better illustrates the error behind the popular bien-pensant meme that the FISA court is just a rubber stamp. The reverse is true, and for obvious reasons.  Saying no makes the court a civil liberties hero; saying yes makes it a civil liberties goat.  Which do you think the judges want to be? You don't have to dig deep into these letters to guess the answer.

The current political and press climate inevitably strains the FISA judges’ impartiality and encourages the court to demand concessions from the government that have no basis in law.  A similar climate before 9/11 might explain Chief Judge Lamberth’s legally unjustified and fateful imposition of "the wall" in the months before the attacks, echoes of which may be found in Judge Walton’s over-the-top attack on the government in the section 215 telephone metadata case.

But even those who don’t share that view must surely wonder what role the FISA court and its staff are playing when they negotiate changes in a quarter of the warrants brought before them. Why are permanent staffers, apparently accountable only to a shifting array of judges, holding meetings up to three times a week and maintaining daily phone contact with the government to pursue questions that originate in at least some instances with the staff and not the judges? Why does the FISA court receive draft (essentially negotiation) copies of planned government pleadings before they have been reviewed and approved by executive officials?

To anyone who has served in government, these are familiar tactics.  Any good executive branch bureaucrat seeking to expand his turf insists that his staff have early access to other agencies’ plans and reserves the right to negotiate those plans before they’re final. By the same token, any good executive branch bureaucrat works hard to influence how the press and Congress views his agency. All this elbowing and delegating and schmoozing and corresponding, though, has a distinctly unjudicial air. 

In fact, the more the FISA court seeks to justify itself to Congress and the press, the less like a court it sounds. 

 

From Foreign Policy:

Recently, Heritage refused to publish two papers about the National Security Agency's surveillance programs written by a prominent conservative attorney. Why? Because he concluded that the programs were legal and constitutional, according to sources familiar with the matter. It was a surprising move for a think tank that has supported extension of the Patriot Act -- which authorizes some of NSA's activities -- and has long been associated with right-of-center positions on national security and foreign policy.

But the paper's conclusions did not sit well with DeMint, the sources said, who worried about offending or alienating more libertarian lawmakers such Sen. Rand Paul, a DeMint ally and leadingcritic of NSA's collection of Americans' phone records, as well as Tea Partiers, who according to a recent poll think that government counterterrorism policies have gone "too far" in restricting civil liberties. It's those groups that brought DeMint his greatest influence as a lawmaker and made him a national political heavyweight.

 

It turns out that at least one Washington mugger is a little too well informed about current affairs:

An attempted mugging on Capitol Hill was thwarted Monday night by a quick-thinking victim — one who apparently keeps an eye on national security news.

The victim, who weighs a petite 95 pounds, explained to the assailant she was an intern with the National Security Agency. ...

The victim elaborated further, warning the would-be mugger that the phone she held in her hand — complete with a pink-and-blue Lilly Pulitzer case — would be tracked by the NSA if she were to turn it over.

"I told him that the NSA could track the phone within minutes, and it could cause possible problems for him," the victim recounted.

 

The New York Times recently ran a story arguing that, after the Snowden revelations, Europe would have to build its own cloud computing industry to protect European privacy.  I was moved to send the Times a letter in response. The Times edits such letters pretty heavily, so I'm sharing it here:

You left some critical facts out of your lengthy October 7 article on European government efforts to encourage European “cloud” computing services.  While the article dwells on a perceived U.S. intelligence threat to European users’ privacy, it fails to ask a question of greater importance to Times readers: What will happen to personal data, American and European, that is stored in a European cloud? Nothing good, it turns out. European law requires that Internet service providers and telephone carriers store personal metadata for up to two years so that it will be available to European law enforcement and security agencies – a privatized and more comprehensive version of the NSA’s domestic telephone metadata collection. (NSA gave up its domestic Internet metadata collection a few years ago; Europe did not.) Not only does the “data retention” requirement in European law cover more personal information, it comes with far fewer safeguards. In Europe, unlike the United States, the authorities need only ask for stored data; companies can and do “volunteer” their data without any court order or other legal process. See Statement of Stewart A. Baker before the Committee on the Judiciary, United States Senate, July 31, 2013. And it shows in the surveillance statistics. Residents of Italy and the Netherlands are more than 100 times more likely to be the subjects of government surveillance than Americans, according to a study by the Max Planck Institute. See Hans-Jörg Albrecht, et al., Legal Reality and Efficiency of the Surveillance of Telecommunications, Max Planck Institute 104 (2003). The same will be true for Americans whose data is stored in a European cloud I have testified before Congress on the one-sided nature of Europe’s focus on privacy threats to the cloud. I’m disappointed to see the same one-sided focus on the news pages of The New York Times. Is all snooping on Americans a bad thing, or have you decided that it’s OK when foreign governments do it?

In my first post about NIST’s draft cybersecurity framework I explained its basic problem as a spur to better security:  It doesn’t actually require companies to do much to improve their network security. 

My second post argued that the framework’s privacy appendix, under the guise of protecting cybersecurity, actually creates a tough new privacy requirement for industry by smuggling the Fair Information Practice Principles into the law.  In doing so, it clearly goes beyond the scope of the cybersecurity executive order, which is focused on protecting critical infrastructure.  When was the last time lost PII caused “catastrophic regional or national effects on public health or safety, economic security, or national security?”

 Today I take my critique one step further, arguing that the framework as it stands may in fact diminish the nation’s cybersecurity.  

 The reason is simply stated.  If you want more of something, you don’t raise its cost.  But by grafting strong privacy mandates to its weak cybersecurity standards,  the privacy appendix raises the cost of putting cybersecurity measures in place. It’s like a ship design that requires the builder to pay for the installation of barnacles before launch.

 That disincentive will be easy to heed.  Taken as a whole, the message of the framework is, “You don’t have to implement any particular cybersecurity measures, but if you do, you’d better implement a bunch of privacy measures along with them.”  This tempts network professionals to do less security, thus saving them as well the hassles that the framework’s privacy appendix calls for.

 There are a lot of examples.  Let’s start with network audits and monitoring.  These are absolutely essential cybersecurity tools in today's environment.  They give a detailed picture of everything – and everyone – operating on the network. But for that reason, the NIST privacy appendix treats them as suspect -- measures to be strictly limited.  They are to be used only if their effectiveness is regularly demonstrated and  they are regularly scrubbed to bring their privacy impact to a minimum: "When performing monitoring that involves individuals or PII, organizations should regularly evaluate the effectiveness of their practices and tailor the scope to produce the least intrusive method of monitoring." If I’m right about the legal effect of these standards, the failure to observe this rule will lead to negligence or regulatory liability.  But a lawyer asked to avoid that liability will be appalled at the requirement to produce the “least intrusive method of monitoring.”  Lawyers understand that, with hindsight, plaintiffs and regulators can often point to some method of monitoring that would have been less intrusive and that might have worked just as well. Avoiding liability under such a rule is more a  matter of luck than planning.

 Audits get the same suspect treatment under the appendix.  Companies that record personal data as part of a network audit are told to consider "how such PII could be minimized while still implementing the cybersecurity activity effectively."  Again, it will always be possible after the fact to discover a way to reduce a little more the personal data used in an audit.” Lawyers can flyspeck the audit plan forever without eliminating the risk. 

 The privacy appendix also prescribes yet more privacy assessments for cybersecurity detection and filtering.  Companies “should regularly review the scope of detection and filtering methods to prevent the collection or retention of PII that is not relevant to the cybersecurity event.”  Instead of poring over logs, looking for intruders, cybersecurity professionals are to pore over them for personal data that “is not relevant.” In another liability magnet, companies are instructed to adopt policies “to ensure that any PII that is collected, used, disclosed, or retained is accurate and complete.” That language will give employees who violate network rules new ways to challenge disciplinary actions. 

 Even in the middle of responding to a breach, the NIST appendix expects security staff to prioritize privacy: “When considering methods of incident containment, organizations should assess the impact on individuals’ privacy and civil liberties,” and “when PII is used for recovery, an organization may need to consider how to minimize the use of PII to protect an individual’s privacy or civil liberties.”

Perhaps worst of all, the privacy appendix imposes a heavy new legal and practical burden on cybersecurity information-sharing.  It calls on companies to scrub any forensic data they may collect before they share it with others: “When voluntarily sharing information about cybersecurity incidents, organizations should ensure that only PII that is relevant to the incidents is disclosed”; and “When performing forensics, organizations should only retain PII that is relevant to the investigation.” Today, companies quickly share information with each other about new threats, including “personal” data like the IP addresses or the email accounts that are spreading malware.  They face no real risk of liability for such sharing, at least as long as they keep the government out of the sharing arrangement.  Once the NIST privacy appendix takes effect, though, even such private cybersecurity sharing will slow to a crawl as lawyers try to anticipate whether every piece of data has been screened for PII and for relevance. 

 In short, under the NIST framework, pretty much every serious cybersecurity measure in use today will come with new limits and possibly new liability. This is especially troubling because the framework does not prescribe any particular security measures, which means that companies that want to escape the new liabilities can simply decide not to implement the security measures.  Rather than deal with the barnacles, they can just scuttle the ship. 

Let’s hope that NIST scuttles the privacy appendix instead.

Following up on my earlier NIST post, it's fair to ask why  I think the NIST Cybersecurity Framework will be a regulatory disaster. After all, as I acknowledged in that post, NIST's standards for cybersecurity are looking far less prescriptive than business feared. There's not a “shall” or “should” to be found in NIST's August draft.

At least not until you get to the privacy appendix. Then, suddenly, "should" blossoms in practically every sentence. The appendix says that it's just telling companies  what methodology they should use to protect privacy while carrying out cybersecurity measures. In truth, it is setting out a detailed and comprehensive set of prescriptions for companies handling personally identifiable information (PII). 

Right off the bat, the NIST privacy "methodology"  shows remarkable ambition, telling companies that they “should identify all PII of employees, customers, or other individuals that they collect or retain, or that may be accessible to them.” Why critical infrastructure cybersecurity should require a comprehensive census of PII -- but not of other sensitive corporate information -- is not explained.  

The cybersecurity executive order asked NIST to produce a methodology to "identify and mitigate" the cybersecurity's framework's impact on privacy, but in fact, many of the privacy provisions in NIST's appendix have only a nodding acquaintance with cybersecurity.  For example, the NIST privacy appendix tells companies that they should “limit [their] use and disclosure of PII to the minimum amount necessary to provide access to applications, services, and facilities” and that they “should securely dispose of or de-identify PII that is no longer needed.” That may or may not be a good practice, but it's connection to protecting the cybersecurity of critical infrastructure is tenuous.  Later, the document goes even further, calling for companies to designate a privacy officer, particularly remarkable given that it doesn't call for designation of a cybersecurity officer.

The NIST appendix's disconnection from cybersecurity is most clear when it says that companies should identify their privacy policies and assess whether those policies do the following:

"i) provide notice to and enable consent by affected individuals regarding collection, use, dissemination, and maintenance of PII, as well as mechanisms for appropriate access, correction, and redress regarding use of PII;

"ii) articulate the purpose or purposes for which the PII is intended to be used;

"iii) provide that collection of PII be directly relevant and necessary to accomplish the specified purpose(s) and that PII is only retained for as long as is necessary to fulfill the specified purpose(s);

"iv) provide that use of PII be solely for the specified purpose(s) and that sharing of PII should be for a purpose compatible with the purpose for which the PII was collected; and

"v) to the extent practicable, ensure that PII is accurate, relevant, timely, and complete."

Not one of these quasi-requirements has anything to do with the objectives of the executive order.  But they have everything to do with smuggling comprehensive privacy regulation into a cybersecurity initiative. In fact, the provisions are more specific and demanding than the twenty-year privacy consent decrees imposed on technology companies like Google that have been caught up in FTC enforcement actions. 

The provisions are drawn from the so-called Fair Information Practice Principles that the US government adopted for itself in the 1970s -- and that Europe's data protection laws incorporated around the same time. The United States has never applied them across the board to its private sector, in part because they turned into such a free-floating instrument of selective enforcement in Europe. Taken literally, the principles are either fatally ambiguous or impossible to fully comply with, leaving privacy bureaucrats with authority to impose harsh penalties on anyone they choose.

Not surprisingly, that sounds like a great idea to the United States' foremost practitioner of selective enforcement, the Federal Trade Commission. For more than a decade, the FTC has begged Congress to enact something like the Fair Information Practice Principles as a way of giving the Commission some legislative support for its claim to be  the nation's chief privacy enforcer. To no avail.  So for the Commission, the NIST proposal is a bonanza of new authority, or at least topcover.  Indeed, it is a godsend for every regulatory agency that wants to add privacy to its list of regulatory requirements. 

That's because of how the cybersecurity executive order treats NIST's work product. Once NIST has finished the framework, next January, the administration plans to use a wide range of incentives to get industry to adopt the framework. But the document's effect will be felt as soon as a preliminary draft is issued in October.  The executive order instructs every regulatory agency in the federal government to to review the preliminary NIST framework and report to the President on whether the agency has authority to impose NIST's framework on the industries it regulates. If an agency lacks authority, it will almost certainly be invited to go ask for it. This means that the privacy appendix, which made its first appearance in public in the dead of August, will have a potentially irreversible effect as early as October 10, when NIST is due to issue the preliminary framework.  

In short, if the NIST framework keeps this appendix, the FTC and every other regulator in town will have plenty of topcover to impose the Fair Information Practice Principles on the private sector.  The excuse for doing so will be the need for better cybersecurity, but adoption of the NIST framework as written will likely be a net loss for cybersecurity.  That's the subject of a third and final post that I'll offer shortly.

NOTE: I tried to reach NIST officials to get their response.  But the shutdown means that many are not available. I did get a clear sense that the preliminary framework will not be released on October 10.  It will likely be delayed for as long as the shutdown lasts, plus some time for interagency clearance.  So the bad news from the shutdown is that we can't get to NIST's website, and the good news is that every day of shutdown is a day of delay for this unfortunate standard.  All things consdered, I think I can live without the website.

Business and conservatives have been worried all year about the cybersecurity standards framework that NIST (the National Institute of Standards and Technology) is drafting. An executive order issued early this year, after cybersecurity legislation stalled on the Hill, told NIST to assemble a set of standards to address cyber risks. Once they're adopted, the order says, other agencies will encourage private companies, especially those running critical infrastructure, to use the standards. Regulatory agencies are expected to establish requirements based on the standards. And it is widely expected that the standards will drive negligence liability in the wake of a breach, since the courts are always glad to find government-endorsed definitions of “reasonable” security measures.

 Now that NIST has released a discussion draft of its preliminary framework, business's worries are looking a bit overblown. And they're distracting from a much more serious threat buried in the NIST draft – the stealth imposition of a European-style privacy regime on the U.S. private sector.

 Why? Let's look at the draft. (I would ordinarily link to the NIST webpage, which posted the framework weeks ago, but the administration's passive-aggressive shutdown strategy means that NIST took its website off line – very likely at greater cost than leaving it up. Luckily, Lawfare again proves itself the indispensable Blog of Record by preserving a copy of the framework here.)

 The cybersecurity standards that everyone has been worried about turn out to be more taxonomic than prescriptive. You won't find a “shall” or a “should” anywhere in the appendix that sets out the framework. Instead, the framework is procedural to its core. The cybersecurity mission is divided into five steps: identify your network assets, put protections in place, detect breaches of your protective measures, respond to the breaches you detect, and finally recover and learn from the breaches. The five steps are in fact a loop, rather like painting the Golden Gate bridge: Paint until you reach the end, then start again from the beginning, incorporating any lessons you learned along the way.

 That doesn't guarantee a good paint job – lazy painters can still skip spots, work too slowly, or use cheap, unsuitable paint -- but it does describe how a conscientious painter might do his job. The framework, in short, depends on the motivation and good judgment of the painter.

 To be fair, the framework tries to give a bit of content to the Five Steps by defining each of them more precisely and by adding two additional layers of detail below each step. Thus, Detection is broken into three categories – screening for anomalies and events, continuously monitoring processes, and setting up detection processes to make sure breaches aren't ignored. And each of these subcategories is itself divided into four to eight subcategories. Thus, Continuous Monitoring includes subcategories like “perform network monitoring” in response to the detection of a breach. All in all, there are nearly a hundred subcategories in the draft framework.

The framework then drills down one more layer, identifying actual industry standards that correspond to each of the subcategories. At this point, you might think that the framework has identified several hundred tasks relevant to cybersecurity. In fact, though, the framework crossreferences the same five or six standards in every one of the nearly 100 subcategories it identifies. 

So the NIST framework is certainly open to criticism. It offers less choice to industry than first appears. The framework may point to a hundred roads, but they all lead to the same five places. And when you get to one of those places, there's no certainty that you're safe. The framework tells industry only what boxes should be checked, not how carefully the job should be done. In a way it's a shiftless painter's best friend. And, perhaps, a good painter's worst enemy, since just skipping a box could lead to tort liability.

 Still, the framework largely avoids substantive mandates, and its structure rebuts any suggestion that the subcategories are really requirements by providing several different standards that offer several different ways of interpreting each subcategory. I'm not personally convinced that this is a good thing, given the shiftless painter problem, but business groups that feared substantive mandates may be mollified.

If so, they'll be missing the real danger in this document. Because, while business has been concentrating its fire on the risk of cybersecurity regulation, it looks as though enthusiasts for sweeping privacy regulation of industry have stolen a march on everyone. I'll cover that risk in a second post.