Adam Thierer's Blog, page 131

I'm reading David Brin's 1998 classic The Transparent Society and I'd like to share a passage that I found especially interesting in light of the recent Do-Not-Track bill introduced by Sen. Rockefeller.

On this blog, Adam Thierer has often written about the implicit quid pro quo between tracking and free online services. It seems to me that many folks find this an abstract concept. Here is Brinn writing in the late 90s about the possibility of an explicit quid pro quo:

An Economy of Micropayments? I cannot predict whether such an experiment would succeed, though using a "carrot"—or what chaos theorists call an "attractor state"—offers better prospects than the [IP owner's] coalition's present strategy of saber rattling and making hollow legal threats. In fact, the same approach might be used to deal with other aspects of "information ownership," even down to the change of address you file with the post office. Perhaps someday advertisers and mail-order corporations will pay fair market value for each small use, either directly to each person listed or through royalty pools that assess users each time they access data on a given person. Or we might apply the concept of "trading-out": getting free time at some favorite per-use site in exchange for letting the owners act as agents for our database records. It could be beneficial to have database companies competing with each other, bidding for the right to handle our credit dossiers, perhaps by offering us a little cash, or else by letting us trade our data for a little fun. Proponents of such a "micropayment economy" contend that the process will eventually become so automatic and computerized that it effectively fades into the background. People would hardly notice the dribble of royalties slipping into their accounts when others use "their" facts—any more than they would note the outflowing stream of cents they pay while skimming on the Web.

That is essentially what happened, except without all the transactions costs. It seems to me that all Do Not Track will do is introduce the transactions costs that we have so far avoided to the benefit of innovation. Who will this change benefit? The few people who are not willing to make the trade and who today have options to opt out. This leaves the majority of us who are willing to make the bargain in a very un-Coasean world.

On the podcast this week, Julian Sanchez, a research fellow at the Cato Institue who focuses on issues related to technology, privacy, and civil liberties, discusses electronic communications. Sanchez talks about changes in surveillance of electronic communications since 9/11, highlighting the large number of cases in which the FBI has gathered phone, internet, and banking information without judicial oversight. He then discusses the legal framework around electronic communications, which he says was built for a very different set of assumptions than we have today. Sanchez also gives a few recommendations for how to disentangle the convoluted legal standards related to electronic communications.

Related Links


"Record Number of Americans Targeted by National Security Letters," by Sanchez
"The Strange Case Against ECPA Reform," by Sanchez
"Apple, The iPhone And A Locational Privacy Techno-Panic," by Adam Thierer

To keep the conversation around this episode in one place, we'd like to ask you to comment at the web page for this episode on Surprisingly Free. Also, why not subscribe to the podcast on iTunes?

A UK government report issued this week warns that climate change, in addition to threatening many different parts of everyday life, also threatens the Information and Communications Technology (ICT) industry. The report, available online, warns that regulatory measures have to be taken to lessen the threat of rising temperatures and stormy weather, which would have adverse effects on the radio waves that constitute communications technology.

Specifically, the report's authors assume that rising temperatures and rainy storms will interfere with radio waves. This assumes that that the aforementioned rising temperatures and rainy storms are indeed a foregone conclusion. For the sake of argument, let's assume they are correct.

The study mentions that rising temperatures will cause cell towers to lose efficiency, but nothing in the document backs this up. Making such a claim requires scientific data but nothing was offered. A skeptical person reading this report may think, anecdotally, that cell towers are sited in all sorts of conditions all over the globe, taking into account varying temperatures in which they operate. Cell towers sited in Alaska are probably able to handle the extreme cold, otherwise the cell provider would not waste money placing it there. Likewise, a cell tower sited in Arizona would need to take into account the 100 degree+ temperature. And at last count, wireless service is available in both Alaska and Arizona.

The basis for their concern is that the UK report authors are assuming a 2-10 Celsius increase in mean temperature by 2080 (throughout England). This exceeds the IPCC prediction by quite a large margin and reality is likely to be far less. In the United States the worst case scenario is expected to be about 7 degrees Fahrenheit over the next several decades. But again, many climatologists assume it will be about half that.

The point of my critique is not to criticize their climate science, but rather the public policy approach that policymakers and the private market must undertake in order to address these concerns.

Interestingly, the report calls for a "climate resilient world," but then doesn't describe what a climate resilient world looks like, or the regulations that would be required to bring this utopia about (most of the recommendations require further study and prioritization). But the report does assert that "countries will need to increase their investment in their infrastructure to adjust to a more challenging climate." So, the devil is in the details — UK economic regulators would be tasked with planning (aka regulating) on behalf of the ICT industries.

And while I applaud the introduction of "resiliency" into the conversation, I disagree with their interpretation of resiliency. One problem is that the authors concede that "the impact of climate change on telecommunications is not well understood," but the report goes on to make some pretty fantastical potential pitfalls of what might happen if steps are not taken to mitigate these risks. Regulators shouldn't be tasked with regulating using the worst case scenario as a basis for establishing rules. This is why cost/benefit analyses are necessary.

The UK report, and its subsequent recommendations, are in actuality engaging in a strategy of "anticipation" rather than "resiliency." They are anticipating that catastrophic harm to the ICT industry will come about (rather than "may") due to climate change. This despite the fact that we have been dealing with electromagnetic communication for one hundred years, and so far the only true threats to the continuation and expansion of this technology is physical infrastructure development (as in taller buildings that block line-of-site or cause signal attenuation) or solar activity in the form of solar flares.

A true adaption of a "resiliency" would take into account the fantastic evolutionary improvements in WiFi and other telecommunications over the last decade alone and even account for the high probability that WiFi as we know it will not be around by the time the worst-of-the-worst climate change repercussions hit. Same goes with traditional voice wireless telecommunications. Just check your local newspaper or tech blog for advertisements of 4G networks (3G networks are only 4-5 years old!). Before you know it, we will see improved iterations of today's network emerge, this will be followed by revolutionary and possibly disruptive advances in communications in the next few decades. And by 2080? Chances are that we won't even need cell towers; maybe not even fiber optics. (see Adam's rundown on resiliency for more information)

Innovation moves rapidly, much more rapidly than government regulators. We need to take this into account when considering rulemaking and long-term climate change.

Wireless Fidelity (WiFi for short) has been around for awhile and in very different forms but most consumers are only familiar with a few systems since they came onto the consumer market in the early 2000s. This chart shows the evolution of consumer WiFi (though there are over a dozen other standards that most people don't know about).

System

Range

Speed

Notes



802.11b
150-300 feet
11Mb/s
1999


802.11g
150-300 feet
54Mb/s
2003


802.11n
300-600 feet
600mb/s
Multiple I/O


WiMax
31 miles
40Mb/s – 1Gb/s
mobile voice/broadband

The evolution of both wired and wireless technology continue unabated. And as the FCC moves toward opening up more wireless spectrum, companies and researchers will learn how to capitalize on these new airwaves, bringing more mobile broadband to citizens. If warmer temperatures or increased storms pose any threat to the global communications industry, you can bet that it won't catch the governments and businesses, which have already poured billions of dollars into this investment, by surprise.

The report touches on other parts of the UK infrastructure that no doubt need to be addressed before 2080, such as roads, bridges, dams, airports, etc. This type of physical infrastructure may indeed be more susceptible to floods, hurricanes, tornadoes, etc. (again, assuming that a much worse climate period is heading our way and also that no maintenance or upgrading to this infrastructure is accounted for, again, not very realistic).

But policymakers still need to take into account the probability of massive floods and temperature increases with the cost of regulating against these risks. It's tempting for government regulators to come to the rescue via economic regulation, but the cost and unintended consequences may very well outweigh any potential benefits. No one can see with crystal clarity just where human technological advancement will take us in the next seven decades, but acknowledging the fact that it exists would be a good start.

"There's No Data Sheriff on the Wild Web," is an article by Nick Bilton in the New York Times this weekend, pointing out that no federal law punishes the massive breaches of personal information like the recent Epsilon and Sony cases.

"There needs to be new legislation and new laws need to be adopted" to protect the public, said Senator Richard Blumenthal, Democrat of Connecticut, who has been pressing Sony to answer questions about its data breach and what the company did to avoid it. "Companies need to be held accountable and need to pay significantly when private and confidential information is imperiled."

But how? Privacy experts say that Congress should pass legislation regulating companies if they collect certain types of information. If such laws existed today, they say, Sony could be held responsible for failing to properly protect the data by employing up-to-date security on its systems.

Or at the very least, companies would be forced to update their security systems. In underground online forums last week, hackers said Sony's servers were severely outdated and infiltrating them was relatively easy.

While there may be no law requiring site operators to keep their networks updated and secure, it's not as if they currently have no incentive to do so, and it's not as if they are completely unaccountable. Witness the (at least) two lawsuits already filed against Sony. One in Canada for $1 billion and one in the U.S. looking for class action status. Not to mention that the PlayStation network is still down and losing money, as well as Sony's reputation loss. Are you now more or less likely to buy a PlayStation as your next console?

To the extent we do need legislation, it's not to tell firms to keep their Apache servers up to date. There are plenty of terrible things that happen to a firm if it doesn't take the security of its customers' data seriously. Sony is living proof of that. Adding a criminal fine to the pile likely won't improve private incentives. What prescriptive legislation might to do, however, is put federal bureaucrats in charge of security standards, which is not a good thing in my book.

The missing incentive here might be the incentive to disclose that a breach has occurred. Rep. Mary Bono Mack has suggested that she might introduce legislation to require such disclosures. Such legislation may well be responding to a real and harmful information asymmetry. If a firm could preserve such an asymmetry, then the usual incentives wouldn't work.

Rather than trying to legislatively predict and preempt security breaches, when it comes to the security of personal information it might be better to seek a policy of transparency and resiliency. As I explain in my latest TIME Techland piece, we may now be in a world were it's next to impossible to ensure that at lease some of our private personal information that is digitized and connected to the net won't be compromised. To attempt to put that genie back in the bottle might be not only futile, but counterproductive. Instead, we may be better served by being informed when our data is compromised, seeking civil redress, and learning to cope with the new reality. As I write in the piece:

On net, the fact that we now live in a hyper-connected world where information can't be controlled is a good thing. The cultural, social, economic and political benefits of such a transparent system will likely outweigh the price we pay in privacy and security. And that's especially the case if learn to live with that reality.

Human beings are incredibly resilient, and faced with a new environment, we adapt. When major changes take place—-from natural disasters to the Industrial Revolution—-we learn to live in the new context, but only if we acknowledge the new reality. We need to get used to this new world in which information can't be controlled.

Maybe a new social norm will develop that accepts that everyone will have embarrassing facts about them online, and that it's OK because we're human. Maybe if we assumed that data breaches are inevitable, we wouldn't give up on securing networks, but we might do more to cope. For example, the technology exists to make all credit card numbers single-use to a particular vendor, so they're of little value to hackers.

Welcome to the new world. Information wants to be free. The Net interprets information control as damage and routes around it. Get used to it.

Late last week, the Project on Government Oversight's Danielle Brian took a little umbrage at a by former U.S. Deputy Chief Technology Officer Beth Noveck, who had been implementing the Obama Administration's Open Government Initiative until she recently returned to New York Law School.

Brian's piece suggests a slight schism in the transparency community, between what I believe are the "insider" and "outsider" camps. Brian leaves to the end a crucial point: "[C]an't the two camps in the open government world peacefully co-exist? There's just too much work to be done for us to get bogged down in denigrating each others' agendas." They most certainly can.

Noveck was a bit dismissive of the open government movement as perceived by much of the transparency community. "Many people, even in the White House," she wrote, "still assume that open government means transparency about government." Actually, Noveck continued, open government is "open innovation or the idea that working in a transparent, participatory, and collaborative fashion helps improve performance, inform decisionmaking, encourage entrepreneurship, and solve problems more effectively. By working together as team [sic] with government in productive fashion, the public can then help to foster accountability."

Visualize the difference between these two approaches: open government as a tool for public oversight and open government as a tool for public participation. When open government is about public oversight, the wording connotes the public looking down from above on the work its servants are doing. When open government is about collaboration, the public is at best an equal partner, allowed to participate in the work of governing. Noveck's unfortunate language choice treats accountability as a kind of dessert to which the public will be entitled when it has donated sufficient energies to making the government work better.

The administration's December 2009 open government memorandum predicted this divide. In calling for each agency to publish three "high-value data sets," it said:

High-value information is information that can be used to increase agency accountability and responsiveness; improve public knowledge of the agency and its operations; further the core mission of the agency; create economic opportunity; or respond to need and demand as identified through public consultation.

As I noted at the time, it's a very broad definition.

Without more restraint than that, public choice economics predicts that the agencies will choose the data feeds with the greatest likelihood of increasing their discretionary budgets or the least likelihood of shrinking them. That's data that "further[s] the core mission of the agency" and not data that "increase[s] agency accountability and responsiveness." It's the Ag Department's calorie counts, not the Ag Department's check register.

Noveck wants us to put the calorie counts to use. Brian wants to see the check register.

There is no fundamental tension between these two agendas. Both are doable at the same time. The difference between them is that one is the openness agenda of the insider: using transparency, participation, and collaboration to improve on the functioning of government as it now exists.

The openness agenda of the outsider seeks information about the management, deliberation, and results of the government and its agencies. It is a reform (or "good government") agenda that may will realign the balance of power between the government and the public. That may sound scary—it's certainly complicates some things for insiders—but the "outsider" agenda is shared by groups across the ideological and political spectra. Its content sums to better public oversight and better functioning democracy, things insiders are not positioned to oppose.

I think these things will also reduce the public's demand for government, or at least reduce the cost of delivering what it currently demands. But others who share the same commitment to transparency see it as likely to validate federal programs, root out corruption, and so on (a point I made in opening Cato's December 2008 policy forum, "Just Give Us the Data!") There are no losers in this bet. Better functioning programs and reduced corruption are better for fans of limited government than poorly functioning programs and corruption.

Forward on all fronts! The existence of two camps is interesting, but not confounding to the open government movement.

Reps. Edward Markey (D-Mass.) and Joe Barton (R-Texas) have released a discussion draft of their forthcoming "Do Not Track Kids Act of 2011."  I've only had a chance to give it a quick read, but the bill, which is intended to help safeguard kids' privacy online, has two major regulatory provisions of interest:

(1) New regulations aimed at limiting data collection about children and teens, including (a) expansion of the Children's Online Privacy Protection Act (COPPA) of 1998, which would build upon COPPA's "verifiable parental consent" model; and (b) a new "Digital Marketing Bill of Rights for Teens;" and (c) limits on collection of geolocation information about both children and teens.

(2) An Internet "Eraser Button" for Kids to help kids wipe out embarrassing facts they have place online but later come to regret.  Specifically, the bill would require online operators "to the extent technologically feasible, to implement mechanisms that permit users of the website, service, or application of the operator to erase or otherwise eliminate content that is publicly available through the website, service, or application and contains or displays personal information of children or minors." This is loosely modeled on a similar idea currently being considered in the European Union, a so-called "right to be forgotten" online.

Both of these proposals were originally floated by the child safety group Common Sense Media (CSM) in a report released last December.  It's understandable why some policymakers and child safety advocates like CSM would favor such steps. They fear that there is simply too much information about kids online today or that kids are voluntarily placing far too much personal information online that could come back to haunt them in the future. These are valid concerns, but there are both practical and principled reasons to be worried about the regulatory approach embodied in the Markey-Barton "Do Not Track Kids Act":

It is very hard to imagine how most elements of this new "Do Not Track Kids" regulatory regime would work without requiring mandatory online age verification of all websurfers, which would raise serious constitutional issues. Previous efforts to age-verify websurfers (namely, The Child Online Protection Act or COPA) have been found to violate the First Amendment and also to raise different privacy concerns. By contrast, the Children's Online Privacy Protection Act (COPPA) partially avoided this problem by limiting its coverage to kids 12 and under and did not mandate strict age verification. The Markey-Barton bill seems to imagine that the COPPA regime can simply be expanded without serious constitutional scrutiny (or economic cost, for that matter). The sponsors are wrong. Their bill puts COPPA on a collision course with COPA because it would necessitate expanded age verification in order to be effective.
An Internet "Eraser Button" is similarly challenged by practical realities and principled concerns. It's unclear how to even enforce such a notion. Moreover, if it could be enforced, it would raise profound free speech issues since it is tantamount to digital censorship and specifically threatens press freedoms. And the economic costs of such a mandate — especially on smaller operators — could be quite significant. See my recent Forbes essay for a discussion of those problems.
Although some of the concerns that motivate the "Do Not Track Kids Act" are understandable, there are two very different models for how we might address these problems: 'Legislate & Regulate' vs. 'Educate & Empower.' The latter is the superior framework for dealing with these concerns in light of the practical and principled problems associated with the former.

I will expand upon these concerns in a follow-up post, but for now I would direct your attention to the 36-page white paper that Berin Szoka and I released two years ago on this topic:"COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech." It explains why this issue is so complicated and raises so many constitutional red flags.

Additional Reading:

on COPA:

Son of COPA?: H.R. 4059, "The Online Age Verification and Child Safety Act" – by Adam Thierer
Closing the Book on COPA? – by Adam Thierer
COPA Struck Down (Part 1): Again! – by Adam Thierer
COPA Struck Down (Part 2): The Effectiveness of Filtering & Age Verification – by Adam Thierer
COPA Struck Down (Part 3): Implications for Age Verification & Social Networking – by Adam Thierer

on Eraser Button:

Erasing Our Past On The Internet - by Adam Thierer [Forbes essay]
Europe Reimagines Orwell's Memory Hole – by Larry Downes
"Privacy" as Censorship: Fleischer Dismantles the EU's "Right to Forget" – by Berin Szoka
The Conflict Between a "Right to Be Forgotten" & Speech / Press Freedoms – by Adam Thierer

For Forbes.com this morning, I take a close look at last month's controversial FCC order requiring facilities-based wireless carriers to negotiate data roaming agreements with other carriers.

There are business, technical, and legal reasons why the order stands on unsteady ground, which the article looks at in detail.

The order, by encouraging artificial competition in nationwide mobile broadband, could also undermine arguments against AT&T's merger with T-Mobile USA.

How so?  If every regional, local, or rural carrier can offer their customers access to the nationwide coverage of Verizon, AT&T, or Sprint, on terms overseen for "commercial reasonableness" by the FCC, what's the risk of combining AT&T and T-Mobile's infrastructure.  Indeed, doing so would create stronger nationwide 3G and 4G networks for other carriers to use.  It's actually pro-competitive, and a pragmatic solution to spectrum exhaustion.

The bigger question is why the FCC seems so determined to get into the business of regulating the Internet economy, when Congress has so clearly and consistently told them to stay out of it.

(The results of that wise foresight speak for themselves:  compare the health of digital life to the health of, say, wireline telephone and over-the-air TV broadcasters, which the FCC has long-regulated to within an inch of their lives, or less.)

With its historic client base rapidly disappearing, the FCC, like any good business, is looking for new markets and new clients.  But like Harold Hill, the flim-flam artist featured in Meredith Wilson's classic "The Music Man," it doesn't know the territory.

Shut out of market for digital regulation by Congress (underscored repeatedly by the courts), the agency has no expertise in dealing with the business or technical dynamics of the Internet.  To paraphrase Wilson, the market is looking for mandolin picks, but the FCC keeps selling big trombones.

The result is trouble, my friends.  Right here.

I spaced out and completely forget to post a link here to my latest Forbes column which came out over the weekend.  It's a look at back at last week's hullabaloo over "Apple, The iPhone, and a Locational Privacy Techno-Panic." In it, I argue:

Some of the concerns raised about the retention of locational data are valid. But panic, prohibition and a "privacy precautionary principle" that would preemptively block technological innovation until government regulators give their blessings are not valid answers to these concerns. The struggle to conceptualize and protect privacy rights should be an evolutionary and experimental process, not one micro-managed at every turn by regulation.

I conclude the piece by noting that:

Public pressure and market norms also encourage companies to correct bone-headed mistakes like the locational info retained by Apple.  But we shouldn't expect less data collection or less "tracking" any time soon.  Information powers the digital economy, and we must learn to assimilate new technology into our lives.

Read the rest here. And if you missed essay Larry Downes posted here on the same subject last week, make sure to check it out.

With news today that the Department of Justice is extending its probe of the AT&T – T-Mobile merger, and that the FCC has received thousands of comments on the issue, the FCC's hopefully soon to be release Wireless Competition Report is taking on even greater importance.

Last year's report was the first in 15 years not to find the market "effectively competitive." As a result, expectations are high for the new annual report. How it determines the state of competition in the wireless market could affect regulatory policy and how the Commission looks at mergers.

The Mercatus Center at George Mason University's Technology Policy Program for a discussion of these issues, including:

What does a proper analysis of wireless competition look like?
What should we expect from the FCC's report this year?
How should the FCC address competition in the future?

Our panel will feature Thomas W. Hazlett, Professor of Law & Economics, George Mason University School of Law; Joshua D. Wright, Assistant Professor of Law, George Mason University School of Law; Robert M. Frieden, Professor of Telecommunications & Law, Penn State University; and Harold Feld, Legal Director, Public Knowledge

When: Wednesday, May 18, 2011, 4 – 5:30 p.m. (with a reception to follow)

Where: George Mason University's Arlington Campus, just ten minutes from downtown Washington. (Founders Hall, Room 111, 3351 N. Fairfax Drive, Arlington, VA)

To RSVP for yourself and your guests, please contact Megan Gandee at 703-993-4967 or mmahan@gmu.edu no later than May 16, 2011. If you can't make it to the Mercatus Center, you can watch this discussion live online at mercatus.org.

A federal judge in Illinois has refused to allow a plaintiff to match IP addresses to individual names in a piracy case, indicating that use of IP addresses without any other evidence is too unreliable in identifying actual perpetrators, and as such, violates the rights of those caught in what he termed a "fishing expedition."

In his decision, Judge Harold Baker pointed to one of several recent cases where paramilitary-type police raids on the residences of persons suspected of downloading child pornography that turned up nothing. What had happened was that real culprit had used that household's unsecured wireless Internet connection.

The circumstances of the case here were somewhat different, but the same principle applied. The attorney of VPR Internationale, an owner of a adult web site, sought the court's permission to match names to ISP addresses suspected of illegal file sharing of the site's content. Judge Baker concluded that an IP address, by itself, did not constitute reasonable grounds to subpeona records for use in targeting suspects, noting in particular how easy it is for unsecure wireless networks to by hijacked.

According to Ars Technica's Nate Anderson, Baker already had rejected the request on two occasions. When the plaintiff sought leave to take the matter to an appeals court; Baker last week rebuffed him once more, saying it was totally improper to do expedited discovery against anonymous individuals with no representation of their own before the court.

"Could expedited discovery be used to wrest quick settlement, even from people who have done nothing wrong?" asked Baker. "The embarrassment of public exposure might be too great, the legal system too daunting and expensive, for some to ask whether [plaintiff porn company] VPR has competent evidence to prove its case."

Baker then went on to cite a recent mistaken child porn raid, where an IP address was turned into a name—but the named person hadn't committed the crime. "The list of IP addresses attached to VPR's complaint suggests, in at least some instances, a similar disconnect between IP subscriber and copyright infringer… The infringer might be the subscriber, someone in the subscriber's household, a visitor with her laptop, a neighbor, or someone parked on the street at any given moment."

This sets a good precedent and I hope that it will soon be used to deny a warrant for another predawn SWAT raid on an unsuspecting homeowner whose only mistake was failing to lock down a router. Given the potential these "wrong door" raids have for violence and death, we need the sort of discretion Judge Baker showed here when it comes to policing Internet crime.