Skating on Stilts

My new book, Skating on Stilts, is mostly a meditation on how the technologies we love eventually find new ways to kill us, and how to stop them from doing that. I talk about three technologies -- jet flight, computers, and biotech. Anticipating the release of the book next week, Huffington Post is hosting an excerpt from the biotech chapter on its site this week.

A Venn diagram of blogger ideology would show only the tiniest sliver of common readership between this blog and HuffPo -- probably Hollywood conservatives. So clicking on the link is a testament to your broadminded liberality, and it will confuse the heck out of the link diagram engines.

Actually, there's a serious point buried there. Worries about the future are inevitably colored by ideology. Libertarians are more likely worry about the ways new technology will empower the state. Huffington Post readers probably worry more about the ways new technology will permit business misconduct. People like me worry about the ways new technology will empower terrorists.

But biotech is so protean and powerful that it's likely to empower all three kinds of misuse. So unease about biotech brings everyone together. It's the Richard Nixon of future technologies!

EJazzNews sends out an email with a free sampler of jazz every week. Full tracks, zip file of mp3s, no DRM. Good stuff, too, by my unadventurous lights. This week's, EJN 13, featured several torchy female jazz singers and a scatting male singer that were talented and new to me. Better than Pandora, which has gotten a bit predictable. Other samplers featured other styles; not every week will be a hit with all audiences. So delete the tracks you don't like, guilt free.

BP has had another agonizing failure as it tries to stop the massive oil deep under the Gulf of Mexico.

The President, meanwhile, is taking heat for the disaster and his apparent paralysis in the face of crisis. The consequences of the spill are devastating, and compensation is well beyond the resources of BP, even if the whole company is seized.  The crisis deserves to be the  proper focus for every resource the President can bring to bear.  

The problem is that, while he's got resources, none of them really know enough about BP's business to do anything useful. So all the President can really offer BP is cheerleading, coffee, and veiled threats of indictment. 

 If that sounds like schadenfreude, that's not my intent.  Rather, the BP crisis is giving me a sense of what cyberwar will be like.  If it happens, and I think that's likely, it will be pretty ugly.  As I say in Skating on Stilts,

 "It’s not just that you could lose your life savings. Your country could lose its next war. And not just the way we’re used to losing – where we get tired of being unpopular in some third-world country and go home. I mean losing losing: Attacked at home and forced to give up cherished principles or loyal allies to save ourselves."

Hostile nations are probably already seeding our privately owned infrastructure with logic bombs and malware designed to shut down critical services -- power, telecom, Internet, banks, water and sewage. Each private company has a private, and unique, network design.  Each private company has a private, and unique, set of defenses and recovery plans. 

So when an attack occurs, if it's successful, some of those defenses will fail.  Some citizens will spend days, weeks, maybe months, without power or phones or water or access to their bank.  We'll be at war, under attack, hurting.  

We'll look to the Commander in Chief. And he'll look pretty much the way President Obama does today.

Helpless. 

He won't be able to send troops to protect, say, Verizon's network.  His troops mostly don't have the skills, and if they do have the skills, they don't know the network.  Even if a company has screwed up badly, failing to adopt basic backup and malware protections, he'll have to defer to the idiots who got us into the mess until they find a way to get us out. 

Of course, by the time they do, the war may be more or less over. 

So, if we expect a replay of the BP experience in the event of cyberwar, can we learn something from the current experience?  Maybe.  

Here are a few ideas that occur to me.  First, it's often the case that private companies can quite confidently get us into trouble that they then can't fix; when that's true, we ought to be very dubious about their confident assertions that regulation is excessive or unneeded. 

Second, the government needs to be much more involved in understanding the problems that companies may face in the event of a surprising crisis -- as well as the solutions.  Maybe that means insisting on seeing their crisis response plans -- and evaluating and testing them.  Or having a corps of private, public, or half-of-each (think Marine Corps Reserve) experts who actually can supplement company resources capably in a crisis. 

Finally, perhaps we should be developing well-protected, cyberstupid government networks that can be used for critical private functions in a crisis. As the BP tragedy plays out, I hope we'll learn more.  

Americans will forgive the President for being surprised and helpless this time, I think.  But not the next time. 

Or we could say what the hell, trust the industry reps, and keep going pretty much the way we're going now. 

 Then, all we'll need when the war comes is a warehouse full of pom-poms and coffee beans. 

The lawyers, at least, we don't need to stockpile.

Before the fuss over Arizona's immigration law, there was a different fuss over a different Arizona immigration law. 

Now the first fuss is coming back to haunt the Obama Administration, the professionals in the office of the Solicitor General, and maybe even Elena Kagan. 

That first fuss was over the Legal Arizona Workers Act,  a 2006 Arizona statute that (1) imposed state penalties on employers who hire illegal workers and (2) required businesses in Arizona to use E-Verify.  (E-Verify is a federal database that checks the names and Social Security numbers of new hires to make sure they match and thus makes it harder for illegal immigrants to get hired using made-up names and numbers.) 

The 2006 Arizona immigration law was challenged as soon as it was enacted, but it was upheld in both the district and appellate courts.  The more recent Arizona immigration law, known as SB 1070, has provoked litigation and a halting boycott of Arizona. 

Now the controversy over SB 1070 may affect the fate of the first law, which is in the last stages of litigation.  Last year, the groups challenging the first law as preempted filed a certiorari petition.  The Supreme Court asked for the views of the federal government at the beginning of the term -- on November 2, 2009.  The Solicitor General has finally filed its brief, and it asks the Court to grant certiorari and strike down the Arizona law. 

 Here are my thoughts on the SG's filing:

• The brief is particularly awkward for Secretary Napolitano.  She is the SG's principal client on this case, since she administers the immigration laws.  And as governor of Arizona, Secretary Napolitano signed the Legal Arizona Workers Act, saying "“Immigration is a federal responsibility, but I signed [the bill] because it is now abundantly clear that Congress finds itself incapable of coping with the comprehensive immigration reforms our country needs. I signed it, too, out of the realization that the flow of illegal immigration into our state is due to the constant demand of some employers for cheap, undocumented labor.”  It's true that Governor Napolitano also asked for changes to the law to make the civil rights provisions stronger, but it's hard not to read the brief as repudiating her decision to sign the act.

• The brief takes positions that from a political and policy point of view are hard to square with, well, sanity.  In leaving little room for states to address a problem the feds haven't solved, the brief gets to the left of the Ninth Circuit, which upheld this law.  Worse, the SG's leading argument for why Arizona's law must fall is that Arizona is being too hard on business owners who hire illegals.  No, really.  That's exactly what it says:  The law must fall because "[t]he remedies authorized under the Arizona statute for hiring an unauthorized alien— suspension of an employer’s licenses for a first violation and permanent revocation for a second— are far more severe than those authorized under federal law."  The SG argues that employers' punishment should be limited to $2,000 per worker for a first violation -- and only after a knowing violation has been proven.  Now, enforcement actions are vanishingly rare because of the "knowing" standard, and an illegal worker's depressed wages will save the employer $2,000 in a few months or less, so profit-maximizing employers can and will simply scoff at federal immigration enforcement.  That's worth remembering when an administration official says that the immigration system is broken.  It's broken because the administration has filed a brief designed to make sure it stays broken.

• Also striking is how far the SG has stretched the usual rules for certiorari in pursuit of that goal.  There is no conflict in the circuits, as the SG admits in a footnote.  And its talk about how the state's penalties and procedures will distort immigration enforcement is all a little, well, hypothetical.  This for the reason that the lawsuit is a facial challenge, not a challenge to the law as applied.  Indeed, there's been surprisingly little state enforcement in Arizona, which might say something about the risk that state enforcement will distort the federal scheme.  The Supreme Court doesn't like to take cases without, you know, facts and things, and it doesn't like to take cases without giving the courts below a good long chance to chew the issues over.  Skipping those steps is usually a recipe for screwing up.  Yet here, the SG is urging that all those rules be tossed overboard.  Why?  Because, well, because it's important. This is about immigrants, and racism, and Arizona, for Pete's sake!  There's no time for niceties like a factual record or a conflict among the circuits.

• Equally fascinating is the brief's over-clever and tone-deaf treatment of E-Verify, the electronic database that is the best thing to happen to workplace enforcement in the last fifteen years.  It's fast, and it stops one kind of fraud -- fake names and Social Security numbers -- cold, with very little impact on legal workers.  But it only really took off when states began requiring businesses to use it.  Now, something like one out of three or one out of four new hires is run through this electronic screen -- up from one in twenty before Arizona started the ball rolling.  The federal government has invested more than $100 million to make the system easy and to ease any impact on lawful workers.  Congress has reauthorized the program and funded the improvements under Republican and Democratic Congresses.  It's a signature initiative of blue-dog Democrats like Heath Shuler.  The Obama administration, and Secretary Napolitano, have given vocal support to E-Verify.  So you'd think it would be hard for the Solicitor General to oppose it.  Think again.  The SG trashes Arizona's E-Verify mandate as inconsistent with federal law: "The better reading of the law is that States and localities may not impose such requirements."

• This is the least persuasive part of the brief, which is really saying something.  When I was a law clerk and reading SG briefs every day, I quickly got in the habit of reading the footnotes first.  That's where the SG buries the most embarrassing weaknesses in its case.  So it's remarkable that this 22-page filing includes a single footnote that covers one full page and slops over in both directions onto two more.  And it's a doozy.  In the footnote, the SG admits that the federal government filed a brief inconsistent with its current position just nine months ago (that's right, under this President).

• Another glaring weakness is the fact that, thanks to a sunset provision, Congress actually extended the life of E-Verify a couple of times in 2009 (that's right, under this President).  It's true that the extension came in appropriations rather than authorizing measures.   But when it extended E-Verify, Congress was well aware of the Arizona law and the many similar laws that it inspired (indeed, those laws and the workload they created was one reason why extra funds had to be appropriated).  But Congress didn't overturn the state laws.  This seems like a big problem for the SG, which claims that Arizona's law is inconsistent with Congress's intent.  It's an even bigger problem than usual because the court decisions the SG is trying to overturn were on the books before Congress extended the program, something the courts usually see as implicitly endorsing the case law as it stands.

• How does the SG deal with this big hole in its analysis?  I am flabbergasted and disappointed to say that the SG seems to do something even a law student learns not to do by his second moot court.  It ignores the problem. Its statement of facts acknowledges the 2009 reauthorization of E-Verify in a sentence.  But thereafter there's not a hint that the reauthorization might have an impact on the SG's argument.  I have to say that I expected better of that office.  I've never known them to hide a relevant contrary authority (that's what its footnotes are for).  But I don't think any good lawyer could miss the problem that the reauthorization poses.  And I don't think the SG did miss it; the SG's language seems just a little too clever.  Here's what the SG says:

But the statutory language contains no

indication that Congress intended to permit States to

undermine its own decision not to impose a blanket

mandate on all employers by allowing States to impose

just such a mandate.

But the statutory language contains no indication that Congress intended to permit States to undermine its own decision not to impose a blanket mandate on all employers by allowing States to impose just such a mandate.

Now, I suppose someone could justify that language by saying "Hey! I was talking about the statutory language, and that's what the brief says -- the statutory language contains no indication that Arizona's law is approved.  It doesn't say anything about indications derived from Congress's later enactments.  So it's technically accurate; there isn't anything in the statutory language that blesses Arizona's law."  But anyone who offers that defense doesn't deserve the trust of the Supreme Court or the respect of the Supreme Court bar.  I know that sounds harsh, and I like and respect a lot of people in the SG's office, so I'll leave it in the conditional until I hear the SG's justification for what looks at first blush like very slippery advocacy.

• Worse, it’s slippery advocacy to no point.  Because the SG ends up saying that there’s no need for the Court to grant certiorari to decide whether the E-Verify mandate is pre-empted.  (If it hadn’t been thirty years since Saturday Night Live was funny, I’d cite Emily Litella in this space; but never mind.)  Why does the SG think the Court should deny cert on that question?  Because “E-Verify is continuing to evolve, discussions are ongoing within the federal government about appropriate ways modify the system, and the sunset provision ensures that Congress will revisit the program and decide by September 30, 2012, whether to maintain it in its current form or modify the program. Thus, any decision on the E-Verify question could soon be overtaken by events, and there is no compelling need for the Court to intervene in this interim period.”  If that’s where the SG finally comes out, why did it take that long, slippery detour to trash this part of Arizona’s law?  My guess is that a substantial part of the administration, probably centered in Justice and in Hispanic-outreach/policy positions, wanted to kill E-Verify too.  And I’d further guess that they were beaten back by a combination of Solicitor General resistance (the SG already looks uncomfortably political in seeking review of the uncertworthy first question; excluding the second question is a way to salvage the office’s credibility), political realism (attacking all immigration enforcement measures is not exactly centrist), and DHS pushback (the Secretary has supported E-Verify consistently, to her credit).  But I suspect the E-Verify haters extracted a concession, and this language is it.  With this language, after all, the federal government’s top lawyers are declaring their view that the Arizona E-Verify requirement is illegal.  That expressed view will deter other states from adopting similar requirements, may spur the courts to reconsider their stance on state law, and will put E-Verify in play for Congressional immigration reform bargaining.  It’s a sop to the immigration left, and not a small one.

• Just two or three final thoughts.  First, why did this crippled wisp of a filing take seven months to get to the Court?  Not the research load; the brief cites fewer than a dozen cases.  My guess is that the main reason was a long fight over the politics of what the brief should say.  That’s a principal cause of crappy SG filings, and this brief certainly fills that bill.  Second, why was this brief released late on the Friday before a long weekend?  That’s usually where administrations bury stuff they hope no one will notice.  (Me, I’m all for it.  The Saturday of a long weekend is the only time I can really find to do substantive blogwork.  If enough bloggers turn out to have day jobs, the age-old rule about how to bury bad news may require a codicil.)  Hiding this brief would be smart politics, but I don’t presume that the SG scheduled its filing for political reasons.  It’s also possible that there were Supreme Court practice reasons for the schedule.  The Court’s last conference is July 1.  Maybe there’s a requirement that the SG’s brief be filed more than thirty days before the conference where it will be considered.  I’ve frankly forgotten, and I’m hoping someone closer to current practice will provide the answer, although I still think that the brief could have been filed next Tuesday even under a thirty-day-notice requirement.  If it could be filed Tuesday, that’s when most appellate lawyers would file it; if they have a chance to improve a brief over the weekend they will take the time to do so.  (Unless of course they’re being watched closely by jealous political masters, who can’t usually be forced to proof editorial changes on Sunday.)

• And last:  What does all this say about Elena Kagan, woman of mystery and Solicitor General until two weeks ago?  Nothing good, I fear.  The brief is at best a hacked-together, please-no-one compromise.  At worst it borders on the unprofessional.  I don’t think Elena Kagan owns every sentence in the brief; she stopped acting as Solicitor General on May 17, and this brief was presumably filed on May 28, when it was released.  But on May 17 the case had already been in her office for six and a half months.  It’s hard to believe that the brief had not been largely drafted before she left – perhaps even drafted and redrafted several times by contending offices.  It’s also hard to believe, given the stakes, that she was not part of the effort to craft a solution to the fraught legal and political issues the case created.  No doubt we’ll learn something about that in the weeks to come.  There’s likely to be a long paper record of any internal debate, and there may even be people who are willing to talk out of school about the case.  Whether it becomes an issue in her hearings is anyone’s guess.  If it does, though, she’s likely to look completely out of touch with the country if she attacks the one part of immigration enforcement that actually seems to have become more effective under both Bush and Obama.  In any event, the brief will probably fuel a narrative popularized by David Brooks — that she’s a Gen X careerist whose main goal in life has been to avoid stepping on culture-wars landmines strewn by the boomers.  Either way, I doubt this is more than a speed bump for her.  But if it becomes even a minor issue for her, it could become a major problem for Neal Katyal, who actually signed the brief and who does own it, warts and all.

Judith Miller has a striking article on the history of Japanese WWII biological warfare in City Journal.  She interviews a few remaining likely victims of the truly massive biological warfare attacks sponsored by Unit 731 of the Japanese army and describes the "science" that made the weapons possible:

Maruta, or “logs,” as the Japanese scientists dubbed their victims, would be registered, given numbers, and later dragged from their cells through underground tunnels into the testing labs at the compound’s center. Here, Sheldon Harris reported, they would have to eat food laced with one of 31 germs—anthrax-filled chocolate, plague-treated cookies, typhus-infected beer—or be injected directly with deadly pathogens to determine the minimal dose required to sicken or kill them. The “logs” usually lasted only a few weeks. Some were “sacrificed” after unit officials deemed them no longer fit for scientific study. ... I recalled interviewing an elderly Japanese soldier several years earlier who told me that he had performed vivisections, without anesthetic, on naked prisoners. Describing in almost a whisper his revulsion the first time he picked up his scalpel when ordered to do so, he said that he eventually grew accustomed to the “procedure.” But his anguish suggested otherwise.

Equally striking has been the reluctance of Japanese institutions to discuss the evils of biological warfare.

Franzblau has tried for years to introduce a resolution at World Medical Association meetings calling upon doctors to ask Japan to “officially repudiate Unit 731” and to explain “why physicians employed in Unit 731 have never been prosecuted for murder and crimes against humanity.” Each year, his resolution has gone nowhere. “There has never even been a debate,” he complains. The Japanese Medical Association has also remained silent, perhaps because one former president of the JMA was a Unit 731 staff member, as were former officials in many prestigious Japanese organizations.

Japanese politicians and even Japanese courts have called the use of nuclear weapons on Hiroshima and Nagasaki a war crime, and the issue has provoked an intense debate in the United States.  If Miller's article is correct, though, the death toll caused by Unit 731 in China may be double the number killed by atomic weapons in Japan. As I explain in Skating on Stilts, it's likely that terrorists will use biological weapons to cause mass casualties long before they acquire nukes.  So we can't really afford silence and amnesia about just how loathsome biological weapons can be.

Skating on Stilts will be coming a little sooner and a (very) little cheaper than Amazon originally projected.  The online bookstore has moved its expected release date from July 15 to June 15.  And it's lowered the price from $13.57 to $13.46.

European negotiators have struck three deals on travel reservation data with the United States, and each negotiation has turned out worse for Europe than the last.  So now the European Commission has proposed a fourth negotiation.  Its opening position for the fourth set of talks is even less realistic than its proposals for the first three. 

My personal favorite is the insistence that the US amend the Privacy Act to cover foreigners.  There is little or no  evidence that Americans can sue European police agencies for their handling of, say, the information they harvest whenever we check into a European hotel.  Yet somehow the right to sue over data protection becomes a matter of fierce European moral urgency when it can be used to bash the United States.

According to the BBC and US researchers, we'd get more out of computer chips if we let them make more mistakes, then cleaned up the mistakes with "stochastic" software:

"Silicon chips that are allowed to make mistakes could help ensure computers continue to get more powerful, say US researchers.

As components shrink, chip makers struggle to get more performance out of them while meeting power needs.

Research suggests relaxing the rules governing how they work and when they work correctly could mean they use less power but get a performance boost."

I feel the same way about blogging.

My law firm opened an office in Beijing a couple of weeks ago, and I went to the ceremonies, met with clients, and, most entertainingly, I spent half an hour being interviewed about cybersecurity on China's English-language TV program, Dialogue. It was a bit weird. The pert interviewer managed to deftly combine the style of a Katie Couric with the content of a Chinese government official. Whenever I seemed to be veering into dangerous territory, the otherwise polite woman was quick to cut me off. And she was relentless in pressing the Chinese line. Rough paraphrase of some fencing from around minute 20:

Host: "There has been a lot of fingerpointing about the source of attacks. Can you defend this fingerpointing now that you're out of government?"

Baker: "Well, it's unfortunate but inevitable given the massive scope of the attacks in the last decade. We are used to fingerpointing at the US, but it is striking that China is being accused so widely in places like India and Brazil. There will be an impact on the Chinese economy from these concerns."

Host: "But it's hard to present concrete evidence. Isn't this all subjective perception? Maybe the perceptions aren't right. What kind of evidence should governments provide as a matter of fairness when they make such provocative claims?"

Baker: Well, it's very hard to get perfect evidence by tracking attackers from one machine to the next. But sometimes you can look at the kinds of information that is being stolen, and ask what governments want that information; that provides a clue about who is stealing the data."

Host: "But couldn't the hackers just pretend to steal certain kinds of information to make it look like someone else had done it?"

Like I said, she was good, and relentlessly on message.

Playing in the dirt can make you smarter.  The effect seems to be temporary, though, so you may have to join your toddler on the floor.

Several people have told me that their preorders were cancelled by Amazon.  That's not because of delays in delivering the book, which is likely to come out at the end of June.  Instead, it appears that Amazon put up two pages for Skating on Stilts and took preorders from both of them.  I'd like to think that this was the result of a frenzy of interest in the book; a single page just didn't seem like enough.

Unfortunately, to cure the problem, Amazon seems to have simply deleted one page and cancelled all orders made from that page.  Works for them, but not for those who ordered early. 

If that happened to you, don't worry.  You can simply pre-order from the right page .  And, as compensation for the hassle, you'll save 11 cents over the price you would otherwise have paid.

UPDATE:  I corrected this snakebitten link. Thanks, Frank.

Stewart Baker will be guest-blogging this week at Instapundit.com, part of an army of bloggers needed to replace the indefatigable Glenn Reynolds. 

Trying to imitate the success of the US privacy lobby in smearing traveler security checks as "investigations" of "innocent travelers", The Daily Mail proclaims its outrage and lobbies the new UK government to kill an effective traveler screening program.

http://www.amazon.com/Skating-Stilts-Tomorrows-Terrorism-PUBLICATION/dp/0817911545/ref=sr_1_1?ie=UTF8&s=books&qid=1274309289&sr=1-1

UPDATE:  Fixed bad link

Matt Drudge wants us to blame "Big Sis" because "SECURITY LET SUSPECT ON PLANE."  

And the AP has a similar take, leading with, " The no-fly list failed to keep the Times Square suspect off the plane."  

Is there a fail here?  And if so, whose fault is it?

To catch everyone up, judging from AP reports, my initial guess was probably right:  The government put Shahzad on its terror watchlists, including the no-fly list, and DHS recognized his name when Emirates airline gave its passenger manifest to DHS.  This of course was just before takeoff, so the plane had already pulled back the jetway when Customs and Border Protection stopped the flight:  "By the time [DHS/CBP] officials spotted Shahzad's name on the passenger list and recognized him as the bombing suspect they were looking for," AP says, " he was in his seat and the plane was preparing to leave the gate." 

I thought that was impressively fast work -- roughly 8 hours from identification through designation, population to the computer system, and identification before takeoff.  But not so fast that it can't be secondguessed, apparently.  

The implicit criticism in Drudge and AP is that the no-fly list didn't work, that Shahzad should not have been able to buy a ticket at all. Well, if the system had worked perfectly, that's true.  Shahzad would have been stopped at the gate.  

So why didn't it work perfectly?  It appears that Emirates was running the no-fly list -- that is, the airline itself was checking passenger names against the no-fly list that it got from TSA.  But Emirates apparently didn't update its version of the no-fly list between the time TSA added Shahzad and the time of its JFK flight.  

Maybe it's not a complete surprise that an airline take eight hours or more to update its list.  But if that was a failure, it seems as though the blame should fall on Emirates, not TSA. 

Now, you might ask (unless you're Ron Paul) why we would choose to rely on under-incentivized and under-financed private companies to run a major national security program?  This looks like a job that government can and does do better than the private sector.  

After all, CBP, which is a government agency, managed to update its list in that 8 hours, and then to catch Shahzad with what was probably as little as half an hour of review time.  Why were we relying on dozens of airlines and computer systems to run the no-fly list instead of a single government computer system? 

Ah, here it gets interesting.  TSA has been trying to take over administration of the no-fly list since 2003.  It's in the process of doing that, finally, this year.  Why the delay? Simple: Privacy campaigners, left and right.  Privacy groups claimed that TSA could not be trusted with data about who was checking in and what their reservations said.  

They in turn persuaded Sen. Ron Wyden (D-OR) to put a provision in the DHS appropriations bill that stalled the transfer of responsibility for the no-fly list from airlines to TSA for years.  (I tell the story in Skating on Stilts.) 

In fact, it looks as though the transfer still hasn't happened in the case of Emirates.  So if you want to blame someone for the design of the no-fly system, you might want to point the finger at the privacy lobby and their supporters in Congress and media.  

Which, by the way, certainly seem to have included one Matt Drudge (See, for example, this heart-pounding headline from March 18, 2004:  "TSA To Require Airlines To Divulge Passenger Records ..." Or this from November 29, 2007:  "TSA wants to require birthdate, gender to purchase airline tickets; background checks... ") 

So, Matt Drudge, if you're looking for someone to blame the "No-Fly Fail" on, well, you just might want to glance in the mirror.

Although it's early still, this bombing doesn't look especially well-organized, and I expect that we'll catch the perp soon.  That said, I can't help wondering why New York City, the best-funded and most terror-focused police department in the country, doesn't have video of the would-be terrorist getting out of the car.  

New York has been spending tens of millions, perhaps hundreds of millions, of dollars on street cameras.  The lower Manhattan camera project was expected to cost $90 million and to  network 3,000 cameras.  That's $30,000 per camera.  The project is being expanded to midtown at a similar cost. Despite all this funding, though, we don't have pictures of the wannabe bomber.  That's probably because NYC hasn't finished installing the midtown system.  

But there's another problem; 3,000 cameras aren't really enough to take pictures all across lower Manhattan, if what you want is a record of everything that happens for later investigation.  Inevitably, there are lots of blind spots in the system, at the same time that it costs an arm and a leg for each camera, which creates an incentive to leave blind spots in low-risk areas. 

I think New York has made a mistake in doing this.  It is trying to use cameras for real-time detection of terrorists.  That massively raises the cost.  The cameras have to be networked back to a central office, they probably have to have real-time pan and zoom capability.   And even then, it's hard to see how cameras would help prevent attacks in a scenario like Times Square.  The SUV wouldn't look any more suspicious to police watching on video than to observers on the scene. 

Long-time readers of the blog, both of them, know what's coming next.  I'm going to point out that the best use of cameras is likely to be after the fact -- to identify the perp once the crime has been committed or attempted.  If so, we don't need to waste time on networks or pan and zoom capability.  

All we need is a bunch of cheap standalone cameras that provide blanket coverage and keep taking pictures, overwriting their memory every week or two.  That would cost maybe $200 per camera.  For the cost of a single pan and zoom camera, you could put a couple of dozen standalone cameras on every block.  And privacy would be better protected because retrieving the video would be expensive and overt, making it unlikely that the police would do so unless a crime had been committed. 

As loyal readers know, one of my projects at DHS was to move this idea forward, so we challenged industry to design a cheap, standalone camera for use on mass transit vehicles that could withstand even a massive terrorist blast without losing data.  

And, as a reward for reading this plug again, here's the ever-popular video of an exploding bus.  Most of the cameras and data did indeed survive even this ball-bearing-enhanced explosion.

I thought that providing government health care and welfare payments to al Qaeda's favorite Canadians, the Khadr family, was just misplaced Canadian generosity:  "Family members have spoken scornfully of Canadian society, as they receive medical care and welfare payments that keep them in a pleasant apartment in Toronto," the Washington Post once noted. 

Turns out, Canada was just in the forefront of international human rights. 

But they'll never stay ahead of European Court of Justice, which has now declared that the live-in wives of UN-designated terrorists are entitled to receive family assistance payments.  The UN asset freeze is irrelevant, you see, because welfare payments made to the terrorists' wives aren't supposed to be misused.  According to the Counterterrorism Blog,

"The court indicated that the essential purpose and object of the asset freeze was to combat international terrorism, and to cut off terrorists from financial resources that would be used for terrorist activities. Yet, it should be presumed, the court reasoned, that the social payments involved here would be used only for household expenses. If and when such payments were turned over to the designated spouse for terrorist purposes, the court reasoned, the UK authorities could then hold the spouse accountable other UK laws and penalties."

Well, that settles that.  No self-respecting terrorist would cheat a Western government, and terror investigators have nothing better to do than audit the household accounts of families like the Khadrs.

 Considering that they sit in Northern Europe, it's remarkable what a sunny world the judges of the ECJ inhabit.

Omar Khadr turned to terror early in life.  He was only fifteen years old in the months after 9/11, but he spent them laying mines for al Qaeda in Afghanistan -- and allegedly throwing the grenade that killed Sgt. Christopher Speer, a Special Forces medic. Khadr was pulled from the rubble, patched up, and sent to Gitmo. 

Now the question is whether Khadr will escape trial because he was a juvenile at the time of his crimes.

The Washington Post thinks he will:

"This is not what you would choose to open with," said a senior administration official, speaking of a planned July trial for Khadr, who is accused of throwing a grenade that killed a U.S. Special Forces medic. "Khadr has become a cause, and this is not a case that will demonstrate the strength and validity of military commissions."

To avoid trying Khadr, the Justice Department has apparently offered the accused killer a plea bargain in which he would serve only five years in prison. 

Other media reports confirm that the administration has cold feet on this case.  Canada's National Post recently quoted an authority "in a position to know" as saying that the Obama administration has been pressing the Canadian government to request that Khadr be returned to Canada.

Why?  Because some US officials "don't have the stomach to try a child for war crimes" the National Post reports, and a Canadian repatriation request would put a diplomatic cover on an outcome they badly want to engineer for other reasons:

The National Post has no firsthand information on who is driving this stance, but it fingers Samantha Power, Michael Posner and Harold Koh as the officials most likely to fit its source's description.

You'd think from the administration's gunshy approach that there must be a big legal problem with trying someone for crimes committed at fifteen.  If so, I can't find it.  Practically every state in the union allows juveniles to be tried as adults at the discretion of juvenile court judges, which often use a standard that combines the best interests of the child and of society.  Many states create a presumption that the juvenile will be treated as an adult in the case of serious crimes; the presumption kicks in at 15 or less in most of these states.

Even the international law argument that juveniles can't be tried for war crimes is remarkably thin. 

• See, for example, this  report by a Canadian international human rights subcommitte of the Canadian Parliament; the authors would dearly love to find an international treaty prohibiting such a prosecution but they can't.  Instead, after a lot of citations to provisions about giving special treatment to child soldiers, most human rights groups fall back on the highly technical argument that US military tribunals "have no juvenile justice provisions" -- that is, no formal authority to treat juveniles differently.  Of course that doesn't prevent prosecutors and the tribunal from considering the defendant's age in both the trial and the sentencing, which clearly is already happening in Khadr's case.  
• Other human rights groups complain that the US isn't adhering to a protocol to the child soldiers convention, which says that governments should provide "all appropriate assistance" for child soldiers' "physical and psychological recovery and their social reintegration."  Of course, nothing in that provision prevents such soldiers from being tried for their crimes, though one might think that the social reintegration clause would bar the return of Omar Khadr to the bosom of his terror-supporting, America-hating family of welfare queens in Toronto.

So what's the problem with the case?  It is widely believed to have a stronger evidentiary basis than any other likely military prosecution.  Despite this, the administration is apparently so spooked by emanations and penumbras of international law that it is ready to send the killer of an American soldier back to his loathsome family after a few years -- and perhaps immediately, if he gets credit for eight years already served. 

At that point, Omar Khadr will be in his twenties and living just a three-hour drive from the world's longest undefended border. 

Gee, what could go wrong with that?

I finally had a chance to read Arizona's new law on illegal immigration. It's rather different from the press portrayal. Maybe I'll blog about that, but I want to start with the astonishingly vituperative attack by Cardinal Roger Mahony on what he calls "Arizona's Dreadful Anti-Immigrant Law." Here's what he said on his blog:

I can't imagine Arizonans now reverting to German Nazi and Russian Communist techniques whereby people are required to turn one another in to the authorities on any suspicion of documentation. Are children supposed to call 911 because one parent does not have proper papers? Are family members and neighbors now supposed to spy on one another, create total distrust across neighborhoods and communities, and report people because of suspicions based upon appearance?

Of course we all know the rule that the first debater to compare the other side to the Nazis is losing the debate. And this is a law that even President Obama, who obviously dislikes it, can't say for sure goes beyond the state's constitutional authority.  Plus, there's nothing in the bill about children turning in parents or neighbors spying on neighbors. 

Why is the Cardinal's criticism so over the top? 

Maybe he's just really exercised about the issue. But even so, he can't think that his flaming rhetoric is persuasive. Now, after reading the law, I suspect the Cardinal's interest is a little closer to home.

A part of the law that hasn't been emphasized by the media deals with the fact that Arizona has become the kidnapping capital of the country as coyotes transport and hold captive large numbers of illegal migrants. The law makes it illegal to "transport .. . conceal, harbor or shield an alien from detection in any place in this state, including any building or any means of transportation, if the person knows or recklessly disregards the fact that the alien has come to, has entered or remains in the United States in violation of law." Similarly, the law makes it illegal to "encourage or induce" people to come to Arizona illegally. 

That's a pretty reasonable response to the crisis, you might think, which probably explains why it isn't featured in media reports. But imagine that you're the head of the Catholic church in Arizona. Sooner or later, a lot of your parishioners are going to tell their local priest that they're here illegally. The church has been pretty clear about what it will do about that. Nothing. To take one recent example, a bishop in Oklahoma responded to that state's effort to enforce immigration law with defiance:

"I wish to make it absolutely clear that no one will be denied access to our Catholic charitable, pastoral and/or educational programs because they are illegal immigrants. This is to be true for all our parishes, institutions, schools and the various operations of Catholic Charities."

The problem with this stance is that it comes awfully close to declaring in advance that the church intends to "harbor or shield from detection" illegal immigrants. So Cardinal Mahony has to ask himself whether his priests are courting liability under the new law if they continue to give shelter and transport to parishioners whom they know or suspect are illegal immigrants. That's a big deal. 

Suddenly Cardinal Mahony's outburst about the evils of spying and turning in parents makes a little more sense.  The law is going to put his church in a newly awkward position. Complying with Arizona's tough new legal obligations will be hard to square with the bold moral stance taken by the church in a more forgiving era. The prospect of paying a much higher price for what had been a pretty comfortable form of civil disobedience is bound to engender a lot of emotion. And that, I suspect, is the source of the Cardinal's otherwise inexplicable outburst.

The malware arms race continues apace. First, the bad guys hid malware on innocent websites, hoping to infect casual web users. Next, Google and Yahoo rode to the rescue, using their spiders to find infected websites and warn web users away from the malware. 

Now the bad guys have made their countermove. They're deploying software on infected sites that watches for the search giants' spiders. When they spot a spider, they serve up bland, malware-free content. The rest of us get the nasty stuff. 

 You can see what will come next: The search giants will try to make their spiders look like ordinary web surfers -- varying their IP addresses, configurations, and other identifiers to avoid detection by the new, more sophisticated malware. 

 That's good, but I've got a question. Why can't we take this strategy one step further? Why can't Google and Yahoo release software that lets the rest of us look more like search engine spiders? It seems to me that that would have two good results. First, if my browser looks like an antimalware spider, infected sites won't serve me malware. Second, Google and Yahoo will find it a lot easier to make their spiders look like the rest of us if the rest of us look like their spiders. 

 In fact, take it even further. I'd happily run a bit of code from the search engines that actually watched for malware and reported it to Google and Yahoo when I encountered infected sites. The bad guys will have a lot more trouble distinguishing between antimalware spiders and ordinary users once the ordinary users actually become spiders.

(Crossposted to Volokh.)

Today, anyway.  Scott Shane's piece on TSA policy  marks the first appearance of Skating on Stilts in any mainstream media outlet: 

“It’s an experiment, and we’ll have to see how it works,” said Mr. Baker, a Washington lawyer whose book on counterterrorism, “Skating on Stilts,” is scheduled for publication in June.

With his usual nudge-and-wink, Matt Drudge invites us to be dismayed that "BIG SIS" -- his moniker for Janet Napolitano -- is "Monitoring Web Sites for Terror and Disaster Info." Drudge links to a story saying that DHS will be monitoring social media like Twitter, as well as websites like Drudge, to keep abreast of events during the Winter Olympics. The source of the story is a twelve-page "Privacy Impact Assessment" issued by DHS.

This isn’t the first Privacy Impact Assessment (PIA) on DHS's use of social media. A few weeks earlier, DHS wrote a similar assessment of using social media during Haitian rescue operations.

I am indeed dismayed, but not for Drudge's reasons. True, it's disappointing that neither the Volokh Conspiracy nor www.skatingonstilts.com is deemed worthy of government monitoring. But what’s really dismaying is that DHS and its Privacy Office felt obliged to labor over two separate and painfully obvious privacy assessments just to do things that you and I would do by simply firing up our browsers.

The Olympics PIA says in the first paragraph that DHS “is only monitoring publicly available online forums, blogs, public websites, and message boards.” Which should pretty much end the discussion.

The government ought to be able to read the papers or watch TV or look at blogs just like anyone else. Or so you’d think. But no, the PIA drones on and on, offering thirty variations of “Hey, this stuff is public” as it assesses the “privacy impact” of, uh, surfing the web.

And so we get painfully obvious applications of irrelevant privacy principle like this:

“7.1 What are the procedures that allow individuals to gain access to their information?

Social media are public websites. All users have access to their information through their user accounts. Individuals should consult the privacy policies of the services they subscribe to for more information.”

Did we really need the federal government to tell us that?

The biggest problem with this policy, though, isn't the "well, duh" response it inspires. DHS apparently went into a defensive crouch about the whole program. The PIA is full of unnecessary and risky effort to appease privacy zealots.

First, the PIAs expire quickly (the Olympics PIA expires after thirty days, Haiti after ninety), which suggests that DHS is planning on issuing a new PIA every time it wants to look at social media for a new event or disaster. The problem with that policy isn’t just that the waste of time and electrons. The policy is also likely to slow the use of social media in the first hours of an event, when they’d be most useful. For example, the PIA for Haiti social media monitoring was issued on January 21 – nine days after the earthquake struck. Tweets from the rubble were probably getting a little stale by then (though we can hope that DHS did the monitoring first and the PIA later).

Worse, DHS says it won’t collect or share any personally identifiable data (PII), even if the information is included in the tweets. It reassures us that “any PII related to the posting will be redacted.” Does that mean that a tweet saying, “Henri Rideau is buried alive under the rubble at his home, 124 Rue Cayenne” will only be distributed after someone takes the time to bowdlerize it to read, “--- is buried alive under the rubble at ---”?

I’m sure Henri will thank DHS for protecting his personally identifiable information.

If someone else digs him out.

The PIA also assures us that DHS won’t read posts on sites that require a user name and login. This is also a wildly overbroad "protection" for privacy. It applies even if the site is entirely open to the public, apparently, since Facebook is not listed. In fact, the last time I looked, the Washington Post required a login, too, and it too is left off the list. But maybe DHS can wait for the dead tree edition before it gets any disaster news broken by the Post.

Is there really a difference between public posts and Facebook updates that are shared with everyone on Facebook? If your mobile phone is set to send messages as Facebook updates rather than tweets, the government will never know you’re in trouble, thanks to this incoherent effort to appease the privacists.

DHS deserves some credit for actually understanding the value of social media in a crisis, but its self-inflicted limitations will either prevent imaginative use of social media or will guarantee violations when these unnecessary limits are set aside as a sensible response to some breaking crisis.

And that will predictably lead to new Drudge headlines: “Developing ... BIG SIS violated privacy rules hundreds of times in ‘emergency’ monitoring of Americans ...”

In the long run, I guess, dumb privacy policy is its own punishment.

The title says it all.  Hoover Press has accepted "Skating on Stilts" for publication this spring, assuming I get it out of my computer and to the proofreaders by the end of the month. 

Of course, I could tinker with it for months, but Judge Lamberth gave me a candid and helpful interview on the sources of the wall on Friday, and I've incorporated it this weekend.  So this is a great time to quit tinkering and ship the damn thing.  Which I am doing.

I've added a new chapter on TSA and the privacy machine.  It tracks my article on the Christmas Day attack for National Review, which never put the piece on line.  So I'll post the chapter in installments over the next couple of weeks.  

One last thing:  I need a subtitle, since "Skating on Stilts" is memorable but not informative.  Working subtitle is the rather bland "Terror, Technology, and Privacy."  That sort of misses the memoir element of the book, and frankly I'm not sure I'd read a book with that subtitle. 

So, other candidates are still in the mix.  How about "My Three Years at DHS, Trying to Keep Terrorists, Technology, and the Privacy Lobby from Killing You"?  Other suggestions welcome.

Secretary Napolitano is doing a lightning tour of Europe, trying to build on the sense of urgency about air screening since the Christmas attack.  Her tour has already produced one of the few DHS blog entries with a human touch, as DAS Koumans conveys a sense of the glamour and leisure that come with DHS international travel:

So, we took off at 6 PM from Washington, D.C., got two or three hours of sleep on the flight as the Secretary spent most of her time preparing for the next day’s meetings, and landed at 6:45 AM local time in Spain. ... We had only had 10 minutes before we began our first event. Here's hoping no one noticed we went to our first two bilateral meetings in the clothes we slept in!

The Secretary seems to have focused European attention by asking for wider deployment of whole body imaging machines, which has made Europeans realize that there may be more serious privacy issues than letting government officials see travel reservation data -- information that is already shown to airline workers on two continents:

 "A good PNR system may be, at least, as efficient" as the scanners, said the Secretay's EU counterpart.  So the EU, US, and European interior ministers agreed on a work program that would consider "what and how operational cooperation sharing [of PNR] could be further improved and compatible approaches could be developed among partners committed to aviation security, the rule of law, and international humans rights."

Of course putting this in a US-EU context is fraught with opportunities for delay and mischief.  The EU still has no serious responsibility for actually stopping terrorists.  At best, it grades the work of the member state agencies that actually look for terrorists.  At worst, it finds reasons to get in their way. (Hints of that can be seen at the end of the statement above, which translates as, "Oh my goodness.  We can't say anything nice about aviation security -- especially in a statement adopted with the United States -- unless we give more than equal time to the rule of law and international human rights!")  

 So, whether the EU can overcome its genes and actually improve security cooperation remains to be seen.  If the European Parliament follows past practice, you wouldn't give high odds:

"It will be very difficult for the European Council to get a majority in parliament for this proposal," Manfred Weber, deputy head of the Christian Democratic faction of the European Parliament, was quoted as saying.
 
Justice spokesman for the Green party faction, Jan Philipp Albrecht, accused EU domestic commissioner Jacques Barrot and the European Council of creating facts for their own purposes. Albrecht said that the Lisbon Treaty, which came into force at the beginning of December, empowered the European Parliament to full participation in decision-making on internal affairs, with the power to block legislation.

Actually, though, I'm betting the other way.  I think MEPs like Weber and Albrecht are going to eat their words. 

The Lisbon Treaty means the Parliament can't sit on the sidelines carping any more.  They actually have the power to kill new security measures.  But that means they'll have to take responsibility for killing them.  

Carping while the security measures took effect without Parliament's approval was good politics.  But actually killing security measures in Parliament will turn out to be very bad politics.  After all, a lot of Europeans would have died on flight 253 if the bomber had succeeded.  Do Weber and Albrecht expect to be bragging after the next attack that they blocked measures that might have stopped it?

No, my guess is that in the end this could turn out to be a useful exercise in sobering up the European Parliament. 

I'm in New Delhi, talking to the Indian government about terrorism, technology, encryption, and regulation.  Just the ride in from the airport was enough to remind me I wasn't in the U.S. any more.  Don't expect much blogging -- or responding to pointed comments -- this week.