Category: Government Secrecy

Goldilocks and Cybersecurity

It may seem strange in a week where Megaupload’s owners were arrested and SOPA / PROTECT IP went under, but cybersecurity is the most important Internet issue out there. Examples? Chinese corporate espionage. Cyberweapons like Stuxnet. Anonymous DDOSing everyone from the Department of Justice to the RIAA. The Net is full of holes, and there are a lot of folks expert in slipping through them.

I argue in a forthcoming paper, Conundrum, that cybersecurity can only be understood as an information problem. Conundrum posits that, if we’re worried about ensuring access to critical information on-line, we should make the Net less efficient – building in redundancy. But for cybersecurity, information is like the porridge in Goldilocks: you can’t have too much or too little. For example, there was recent panic that a water pump burnout in Illinois was the work of cyberterrorists. It turned out that it was actually the work of a contractor for the utility who happened to be vacationing in Russia. (This is what you get for actually answering your pager.)

The “too little” problem can be described via two examples. First, prior to the attacks of September 11, 2001, the government had information about some of the hijackers, but was impeded by lack of information-sharing and by IT systems that made such sharing difficult. Second, denial of service attacks prevent Internet users from reaching sites they seek – a tactic perfected by Anonymous. The problem is the same: needed information is unavailable. I think the solution, as described in Conundrum, is:

increasing the inefficiency with which information is stored. The positive aspects of both access to and alteration of data emphasize the need to ensure that authorized users can reach, and modify, information. This is more likely to occur when users can reach data at multiple locations, both because it increases attackers’ difficulty in blocking their attempts, and because it provides fallback options if a given copy is not available. In short, data should reside in many places.

But there is also the “too much” problem. This is exemplified by the water pump fiasco: after 9/11, the federal government, including the Department of Homeland Security, began a massive information-sharing effort, such as through Fusion Centers. The difficulty is that the Fusion Centers, and other DHS projects, are simply firehosing information onto companies who constitute “critical infrastructure.” Much of this information is repetitive or simply wrong – as with the water pump report. Bad information can be worse than none at all: it distracts critical infrastructure operators, breeds mistrust, and consumes scarce security resources. The pendulum has swung too far the other way: from undersharing to oversharing. Finding the “just right” solution is impossible; this is a dynamic environment with constantly changing threats. But the government hasn’t yet made the effort to synthesize and analyze information before sounding the alarm. It must, or we will pay the price of either false alarms, or missed ones.

(A side note: I don’t put much stock in which federal agency takes the lead on cybersecurity – there are proposals for the Department of Defense, or the Department of Energy, among others – but why has the Obama administration delegated responsibility to DHS? Having the TSA set Internet policy hardly seems sensible. Beware of Web-based snow globes!)

Cross-posted at Info/Law.

Ackerman and Benkler on the Occupied First Amendment

Slate writer Raymond Vasvari recently observed that, “for every uplifting paragraph” of precedent vindicating rights to protest, there are a “thousand cases bending an abstract right to the prosaic realities of protest.” We may never learn the extent to which Occupy Wall Street protesters were classified “enemies within,” and subject to coordinated intergovernmental suppression. But we can observe, with professors Ackerman and Benkler, that the “irony of free speech” is reaching a breaking point:

Whatever else it accomplishes, Occupy Wall Street is revealing distortions in our current understanding of the First Amendment. In recent decisions, the Supreme Court has protected Wall Street’s constitutional right to pour millions into political campaigns. But as presently construed, the First Amendment isn’t an obstacle when it comes to silencing the Occupiers. . . .

Instead of hiding behind obsolete court decisions, big city mayors must recognize that they are on the constitutional front-line. Michael Bloomberg is failing this test when he keeps Occupiers out of New York’s public parks and tolerates the arrests of dozens of protesters, providing an example for similar actions in Boston, Denver, and San Diego. In contrast, Antonio Villaraigosa is showing that leadership on behalf of the First Amendment is well within the realm of the politically possible. Los Angeles has not only avoided arrests, but seems to be expanding available public space as the protest swells. Similarly, the U.S. Parks police are on the right track in giving the demonstrators a four month extension on Freedom Plaza.

How to explain Mayor Bloomberg’s deviance from constitutional ideals? Maybe he’s one of the worried wealthy, realizing that he can only afford another 170 of his trademark $100 million dollar political campaigns with his fortune of $17 billion. Ensconced in an alternate reality of privilege, Bloomberg retails stories of struggling and put-upon banks. It is his very plutocratic disconnection from the daily life of his subjects that makes an extraordinary protest like OWS necessary.

The Month Ahead: Spies, Lies, Russia, and Terrorist Watchlists

It’s great to be back at Concurring Opinions (and thanks to Danielle for the generous (re)introduction last week).  This month, I plan to blog on a few ongoing projects and some upcoming news events.  Here are two topics soon to come, with two more after the break.

(1)  Spies.  Immigration authorities seize a suspected spy in Manhattan on the grounds that he entered the country unlawfully.  Rather than process him through the immigration system, or transfer him to the criminal justice system, he is secretly flown more than a thousand miles away, interrogated without a lawyer, and kept virtually incommunicado for almost seven weeks in a government facility on the Texas-Mexican border.  When he doesn’t break, he is transferred back to New York to be tried in federal court for a capital offense.  The evidence from his warrantless arrest and secret detention helps to convict him. 

When did this happen?

No surprise that the story resonates with our national security debates today.  But it all happened during the Eisenhower Administration.  Rudolf Abel was the top Soviet spy in North America before he was convicted of atomic espionage.  Thanks to his lawyer, his life was spared (and he was later exchanged for U-2 pilot Francis Gary Powers).  I think that there are lessons to be learned from this history today, but mine seems to be the minority view.

(2)  Lies.  Okay, not lies exactly, but pretext.  (You try rhyming pretext with anything.  You’ll wind up perplexed, if not vexed, with the text that comes next.)  Pretextual use of the law is all around us.  The most common example is the law governing arrests.  In Whren v. United States, the Supreme Court unanimously agreed that the police were free to do “under the guise of enforcing the traffic code what they would like to do for different reasons,” namely, stop and search Whren’s car for drugs.  Abel’s case (referenced in Whren) presented another classic instance of pretext: his detention for an immigration violation was used for the unintended purpose of counterespionage, neatly skirting in the process constitutional protections against warrantless searches and seizures, not to mention official disappearances.  When Abel’s able lawyer argued pretext, however, the Supreme Court sustained the conviction.

Sometimes the law abhors pretext.  For example, in Kelo v. City of New London, the Supreme Court categorically rejected the idea that the state may take property under the pretext of a public purpose.  How should citizens regard the pretextual use of the law by state officials?  Does such use tend to weaken the rule of law in ways that should matter to us as individuals or as a society?  When tempted to use a law for an unintended purpose, how should the “good” official distinguish an innovative pretextual use from a destructive one?  The Supreme Court dodged these questions just last term in Ashcroft v. Al-Kidd and I’d like to think hard about why.

Audit Trails: The Corporate Surveillance We Need

What do the following problems have in common?

1) food poisoning
2) systemic risk in the financial system
3) data breaches
4) violations of civil liberties
5) tax evasion
6) insider trading

In each case, we could do a lot more to stop the problem if we better tracked the actions that lead to it. An “audit trail” can enable that tracking. Decades ago, such tracking would have been inordinately costly. Nowadays, it is increasingly embedded into any quality logistical system. The technologies of RFID chips, cheap imaging and data storage, and rapid search are ubiquitous. Corporations use them to track customers and products. Now public authorities need to use them to track corporations.

Consider, for instance, this recent story on food safety:

The War Against Disclosure

Three remarkable recent lobbying campaigns go beyond the normal bounds of partisan sniping over “markets vs. regulation.” They threaten our capacity to understand how society is ordered: whom it serves, for what purposes, and at what costs. Consider these attacks on basic disclosure norms in politics and business:

1) Campaign Finance Disclosures: Regardless of ideology, almost everyone used to agree that campaign funding sources and amounts should be disclosed. 92% of Americans had that position in 2010. Justice Scalia has eloquently insisted that such disclosure laws violate no one’s rights. But thought leaders in the Republican party are now vigorously resisting disclosure, as Norm Ornstein observes:

The 2010 mid-term elections showed clearly how legal loopholes involving non-profit groups called 501(c)4s, and the failure to adopt clear regulations surrounding campaigns, can result in hundreds of millions of dollars of spending to influence campaigns that masked the identity of huge donors. In response to these realities, the Federal Communications Commission is considering requiring robust disclosure by TV stations of the major donors of political ads; the Securities and Exchange Commission is considering requiring public corporations to disclose to stockholders their spending on politics, and the White House has drafted an executive order to require companies applying for federal contracts to disclose their spending on political campaigns. . . .

Last month, Mitch McConnell [said] he views disclosure as “a cynical effort to muzzle critics of this administration and its allies in Congress.” . . . The Wall Street Journal’s full-throated support for transparency has disappeared as well; it blasted the FCC recently for considering requiring TV stations to put donors of campaign spots on the Internet . . .

John Yoo has also joined the debate, arguing that presidential power stops just short of the prerogative to require federal contractors to disclose their political donations.

2) Conflict Mineral and Extractive Industry Disclosures: One of the surprising victories for decency in the Dodd-Frank Act last year was a provision requiring certain disclosures from mining and resource extraction companies, and companies using “conflict minerals” from in or around the Congo. If you’re a consumer with preferences for certain industrial processes (say, those that don’t create incentives for rape, murder, and starvation), you want to be able to see which companies are fueling conflict and corruption and which are not. But intense corporate pressure is now delaying the rulemaking process needed to implement the disclosure provisions. According to Gerry Fay, “it is estimated that going ‘conflict free’ would cost companies just one penny per product.” But apparently that is too high a price to end corporate complicity in one of Africa’s bloodiest wars.

Black Box Government: The Whole Picture

The media often assesses governmental transparency issue by issue. The Obama Administration gets an annual rating for its performance on FOIA compliance. It receives press for its invocation of the state secrets privilege. And so on. But it may be worth taking stock of the total picture. From the state secrets privilege to the proposed SHIELD Act and FOIA, the Obama Administration seems in pursuit of black box government much like its predecessor. On reflection, the Administration’s call for a more transparent government in January 2009 seems a mismatch with its actions. In this way, theory and practice don’t coincide.

The Administration has not backed away from its predecessor’s aggressive use of the state secrets privilege.  According to Steven Aftergood, “there is a great deal of continuity between the Bush and Obama administrations . . . . there is no case where the Obama administration has rescinded a claim of state secrets privilege that was advanced by the Bush [administration].”  The U.S. government has recently invoked the state secrets privilege in instances that appear designed to hide government screw ups rather than to protect national security.  For instance, the government hopes to block evidence in a case against a contractor who duped the government into spending millions on allegedly fake counterterrorism technology.  It has invoked the privilege to block a personal injury lawsuit by a CIA employee who alleged that environmental contamination in his home made his family sick. In a case inherited from the Bush administration, Obama’s Justice Department has continued to argue that classified records of eavesdropping on an Islamic charity were state secrets.  Two wiretapped lawyers were awarded $20,400 each, a ruling that last week the Obama administration indicated it would appeal.  ACLU Executive Director Anthony Romero laments that although the President promised to reform abuses of the state secrets privilege as a candidate, he has reneged on that promise as the President.

The Obama Administration has devoted significant energy to punishing whistle blowers. As Politico reporter Josh Gerstein explains, the Administration is “pursuing an unexpectedly aggressive legal offensive against federal workers who leak secret information to expose wrongdoing, highlight national security threats or pursue a personal agenda.” Since President Barack Obama took office, prosecutors have filed criminal charges in five cases involving unauthorized distribution of classified national security information to the media and are now considering prosecuting WikiLeaks founder Julian Assange. The U.S. government, by contrast, only brought three such cases in the preceding 40 years. Moreover, in response to the Wikileaks disclosures, the Administration has gotten behind the proposed SHIELD Act, which would amend Section 798 of the Espionage Act of 1917. The amendment would expand the kinds of information covered by the Espionage Act and enable the U.S. government to prosecute private citizens who have not worked for the government or signed a security agreement.

In a recent post, I underscored that FOIA compliance continues to disappoint. The National Security Archive recently issued its report “Glass Half Full: 2011 Knight Open Government Survey Finds Freedom of Information Change But Many Agencies Lag in Following Obama’s Openness Order.” Although the group found some progress (49 agencies took concrete action in light of the March 2010 White House memorandum instructing agencies to update all FOIA material and assess whether their FOIA resources were adequate), its results were decidedly mixed. Only 24 agencies actually updated their FOIA training materials, only 13 agencies followed its mandate, and 41 of the agencies remained inert. Of those 41 agencies, 17 could not provide concrete records showing that they had followed the memo’s instructions; two agencies withheld documents by incorrectly citing FOIA exemptions; 17 agencies were still working on the request after more than 100 business days (in violation of FOIA); and four agencies never acknowledged the team’s requests despite numerous calls and faxes. Ancient requests, as old as 18 years, “still languish in the system.” As the team reports, “twelve agencies have outstanding FOIA requests older than six years.” Eric Newton, an advisor to the Knight Foundation, remarked that “at this rate, the President’s first term in office may be over by the time federal agencies do what he asked them to do on his first day in office.” At a hearing before the House Committee on Oversight and Government Reform, FOIA expert Daniel Metcalfe expressed his disappointment with the “surprising slowness and incompleteness of the Obama Administration’s new FOIA policy implementation.” Metcalfe lamented the administration’s “do as I say, not as I do mentality,” as evinced by the performance of its lead agency, the Department of Justice, whose FOIA backlog is worse than it was a year ago.

Viewed together with my co-blogger Frank Pasquale’s insights on fusion centers (see our forthcoming article) and his important forthcoming book on The Black Box Society, the Obama Administration, issue for issue, seems to support black box government, not a transparent one.

Nothing to Hide: The False Tradeoff Between Privacy and Security

I’m pleased to announce the publication of my new book, NOTHING TO HIDE: THE FALSE TRADEOFF BETWEEN PRIVACY AND SECURITY (Yale University Press, May 2011).  Here’s the book jacket description:

“If you’ve got nothing to hide,” many people say, “you shouldn’t worry about government surveillance.” Others argue that we must sacrifice privacy for security. But as Daniel J. Solove argues in this important book, these arguments and many others are flawed. They are based on mistaken views about what it means to protect privacy and the costs and benefits of doing so. The debate between privacy and security has been framed incorrectly as a zero-sum game in which we are forced to choose between one value and the other. Why can’t we have both?

In this concise and accessible book, Solove exposes the fallacies of many pro-security arguments that have skewed law and policy to favor security at the expense of privacy. Protecting privacy isn’t fatal to security measures; it merely involves adequate oversight and regulation. Solove traces the history of the privacy-security debate from the Revolution to the present day. He explains how the law protects privacy and examines concerns with new technologies. He then points out the failings of our current system and offers specific remedies. Nothing to Hide makes a powerful and compelling case for reaching a better balance between privacy and security and reveals why doing so is essential to protect our freedom and democracy.

This book grows out of an essay I wrote a few years ago about the Nothing-to-Hide Argument.   The essay’s popularity surprised me and made me realize that there is a hunger out there for discussions about the arguments made in the debate between privacy and security.

The primary focus of NOTHING TO HIDE is on critiquing common pro-security arguments. I’ve given them nifty names such as the “Luddite Argument,” the “War-Powers Argument,” the “All-or-Nothing Argument,” the “Suspicionless-Searches Argument,” the “Deference Argument,” and the “Pendulum Argument,” among others. I also discuss concrete issues of law and technology, such as the Fourth Amendment Third Party Doctrine, the First Amendment, electronic surveillance statutes, the USA-Patriot Act, the NSA surveillance program, and government data mining.

YLJ Online Symposium: A Republic of Statutes

The Yale Law Journal Online has just published the final piece of a symposium devoted to William N. Eskridge, Jr. and John Ferejohn’s remarkable new book, A Republic of Statutes: The New American Constitution. The book chronicles the development of constitutional principles derived not directly from the text of the Constitution itself but from the implementation of entrenched “superstatutes” by administrative and executive officials. The symposium essays examine both the broad contours of the theory advanced by Eskridge and Ferejohn as well as its application to particular fields of law, such as immigration, national security, and health care. Visit YLJ Online to read the full collection:

The Aftermath of Wikileaks

The U.K.’s freedom of information commissioner, Christopher Graham, recently told The Guardian that the WikiLeaks disclosures irreversibly altered the relationship between the state and public.  As Graham sees it, the WikiLeaks incident makes clear that governments need to be more open and proactive, “publishing more stuff, because quite a lot of this is only exciting because we didn’t know it. . . WikiLeaks is part of the phenomenon of the online, empowered citizen . . . these are facts that aren’t going away.  Government and authorities need to wise up to that.”  If U.K. officials take Graham seriously (and I have no idea if they will), the public may see more of government.  Whether that more in fact provides insights to empower citizens or simply gives the appearance of transparency is up for grabs.

In the U.S., few officials have called for more transparency after the release of the embassy cables. Instead, government officials have successfully pressured internet intermediaries to drop their support of WikiLeaks. According to Wired, Senator Joe Lieberman, for instance, was instrumental in persuading Amazon.com to kick WikiLeaks off its web hosting service. Senator Lieberman has suggested that Amazon, as well as Visa and PayPal, came to their own decisions about WikiLeaks. Lieberman noted:

“While corporate entities make decisions based on their obligations to their shareholders, sometimes full consideration of those obligations requires them to act as responsible citizens.  We offer our admiration and support to those companies exhibiting courage and patriotism as they face down intimidation from hackers sympathetic to WikiLeaks’ philosophy of irresponsible information dumps for the sake of damaging global relationships.”

Unlike the purely voluntary decisions that Internet intermediaries make with regard to cyber hate, see here, Amazon’s response raises serious concerns about what Seth Kreimer has called “censorship by proxy.” Kreimer’s work (as well as Derek Bambauer’s terrific Cybersieves) explores the American government’s pressure on intermediaries to “monitor or interdict otherwise unreachable Internet communications” to aid the “War on Terror.”

Legislators have also sought to ensure opacity of certain governmental information with new regulations. Proposed legislation (spearheaded by Senator Lieberman) would make it a federal crime for anyone to publish the name of a U.S. intelligence source. The Securing Human Intelligence and Enforcing Lawful Dissemination (SHIELD) Act would amend a section of the Espionage Act that forbids the publication of classified information on U.S. cryptographic secrets or overseas communications intelligence. The SHIELD Act would extend that prohibition to information on human intelligence, criminalizing the publication of information “concerning the identity of a classified source or information of an element of the intelligence community of the United States” or “concerning the human intelligence activities of the United States or any foreign government” if such publication is prejudicial to U.S. interests.

Another issue on the horizon may be the immunity afforded providers or users of interactive computer services who publish content created by others under section 230 of the Communications Decency Act. An aside: section 230 is not inconsistent with the proposed SHIELD Act as it excludes federal criminal claims from its protections. (This would not mean that website operators like Julian Assange would be strictly liable for others’ criminal acts on their services; the question would be whether a website operator’s actions violated the SHIELD Act). Now for my main point: Senator Lieberman has expressed an interest in broadening the exemptions to section 230’s immunity to require the removal of certain content, such as videos featuring Islamic extremists. Given his interest and the current concerns about security risks related to online disclosures, Senator Lieberman may find this an auspicious time to revisit section 230’s broad immunity.

Can Suspicious Activity Reports Trigger Health Data Gathering?

In an article entitled “Monitoring America,” Dana Priest and William Arkin describe an extraordinary pattern of governmental surveillance. To be sure, in the wake of the attacks of 9/11, there are important reasons to increase the government’s ability to understand threats to order. However, the persistence, replicability, and searchability of the databases now being compiled for intelligence purposes raise very difficult questions about the use and abuse of profiles, particularly in cases where health data informs the classification of individuals as threats.