Skating on Stilts -- the award-winning book

Now available in traditional form factor from Amazon and other booksellers.

It's also available in a Kindle edition.

And for you cheapskates, the free Creative Commons download is here.

EU competition bureau creating yet another intellectual property regime?

I was struck by the EU competition bureau's recent threat to punish Google because of "the way Google copies content from competing vertical search services and uses it in its own offerings." (Vertical search services are specialized search engines like Yelp and Kayak that help people find local restaurants or cheap flights and rental cars.)

In his public statement, the EU's vice president for competition policy, Joaquin Almunia, seemed to say that Google is abusing a dominant position in search by "copying original material from the websites of its competitors such as user reviews and using that material on its own sites without their prior authorisation." This is bad, says Almunia, because:

"In this way they are appropriating the benefits of the investments of competitors. We are worried that this could reduce competitors' incentives to invest in the creation of original content for the benefit of internet users. This practice may impact for instance travel sites or sites providing restaurant guides."

This is odd language for a competition case, but quite familiar in an intellectual property context. The United States and the Europeans have a demanding copyright regime precisely to prevent companies from "appropriating the benefits" of other people's content; and this regime has been expanded many times in living memory to better protect the investments of copyright owners.

Indeed, going the U.S. one better, the EU has adopted an additional set of intellectual property protections for compilers of databases; these protections cover uncopyrightable compilations, like phone books.

Again, the point of both laws is to create "incentives to invest in the creation of original content" -- and to balance those incentives against society's interest in the free exchange of information. If Google had violated either regime, presumably it would be in court or under investigation for doing so. (Marvin Ammori has a recent post explaining why they aren't.)

Instead,the European Union's competition bureau seems to be saying that the balance struck in those highly IP-friendly regimes wasn't, well, IP-friendly enough. Vertical search providers apparently need a kind of super-copyright.

Indeed, reading the EU's press release, it appears that vertical search providers need a super-copyright not only in their own work but in their users' comments as well.

That may or may not be good competition law, but it sure looks like overkill when viewed through an intellectual property lens.

CAVEAT LECTOR: My law firm and I have done work for Google, though not in connection with competition or EU issues.

Big Data and Network Security

As far as I can tell, one of the few network security tools getting better at the speed of Moore’s Law is network monitoring and audit.  Modern networks throw off vast amounts of data as users go about their daily business.  It is often possible to find the telltale signs of network intrusion by watching for activity that is anomalous or that fits the signature of network attacks elsewhere.  But finding those faint signals in a sea of noise isn’t easy.  No one wants to sit and read logs.  The good news is that tools to analyze Big Data are improving and getting cheap at a great rate, and companies like Zions Bank have begun using open source programs like Hadoop to analyze their networks. 

Around 2005, [Zions Bank Chief Security Officer] Wood said, his team made the move to a massively parallel processing system that was designed for log management but that his team bent and hammered into a data warehouse for analytics. “We adopted a business intelligence mindset,” he said, “but slanted toward security.” He brought in some data-analysis specialists, and they started mining data and searching for patterns, a process made easier by the new higher-powered and more scalable system. But it, too, reached its limits as unstructured data from myriad new sources began streaming in.

In 2010, Zions started its transition to Hadoop and has been running its big data workloads exclusively on that platform since late 2011. Wood said he’s loading about 130 data sources into Hadoop, including server logs, web logs and customer transactions. Now, he explained, his team is able to analyze massive amounts of data — and fast — to detect everything from malware and spear phishing attempts to account takeovers. The latter is similar to credit card theft, only instead of discovering anomalous spending, Zions is able to detect anomalous transfers from customers’ bank accounts.

And Wood doesn’t worry about outgrowing his Hadoop cluster, which means his team can keep innovating on new ways to detect criminal behavior. If you’re monitoring network traffic, for example, Wood said, you “have to get down to 0s and 1s in packets to look for the needle in the haystack.” That means storing and analyzing everything in its raw form.

This approach to security is gaining traction, but once again, it looks as though the financial sector, rather than government, is pioneering a network security technology.  In fact, this is going to be a tough act for government to follow.  Just read that last sentence again.  “That means storing and analyzing everything in its raw form.”

Just as they stalled government network intrusion prevention technology for a decade, privacy advocates are likely to trash any government security system that depends on storing and analyzing everything, even everything on the government’s own networks.  Which means that security will likely remain Mission Impossible for most government information security officers.

3D Printing is cool -- but not yet sexy

The promise of perfectly personalized products from 3D printers is on the horizon, but this 3D-printed bikini -- supposedly the "world's first ready-to-wear, completely 3D-printed article of clothing" -- looks surprisingly uncomfortable and badly fitted to me.  

And believe me, I looked closely. I take seriously my responsibilities as a technology commentator.  And in that role, I think it's safe to say that the future is already here but coverage is skimpy.

I'm guessing that Woody Allen had already registered dot-insecure

Two and a half years after former Director of National Intelligence Mike McConnell called for a “dot-secure” network, a Silicon Valley startup with $9.6 million in funding has announced plans to launch one. From the description, this isn’t intended to be a wholly secure network, since that’s a promise no one can fulfill.  Instead, it’s intended to link companies that take security seriously. At a minimum, the shared standards and security consciousness should allow much better forensics and audits of network behavior, even when the behavior crosses organizational and technical firewalls.  In fact, I assume the $9.6 million will be spent mainly on rule-writing and rule-enforcement. 

If ever there were a startup that lawyers and accountants could have dreamed up, this is it.  I hope that doesn’t guarantee its failure.

Better late than never

The one man convicted of the Lockerbie bombing has died, three years after being released by the Scottish Nationalist government for what was advertised as his last few weeks of life. 

Evidently determined never to apologize, SNP leader Alex Salmond defended that release today, saying that “regardless of people's views they can have complete confidence that it was taken on the basis of the due process of Scots Law.”  

As a practical matter, Scots now have full responsibility for “due process of Scots law,” having achieved home rule by a process known as devolution.  A remarkably apt name that, when you think about it.

UPDATE: I edited the last paragraph to avoid the erroneous implication that compassionate release was governed by British law before devolution.

The Law of Cyberwar: Round 2, and 3, and 4

Here's something for those who liked my earlier article for Foreign Policy about the foolishness of letting lawyers determine our cyberwar strategy, though it's probably even more of a treat for those who hated my article and wished they had equal time. The ABA Journal has posted an extensive, no-holds-barred debate over the views expressed in that article.  Gen. Charles Dunlap, a former deputy judge advocate general of the U.S. Air Force, contradicts my article with passion, after which I offer a rebuttal, and he a surrebuttal. 

Here's a sample of Gen. Dunlap's full-throated assault on my position:

Military commanders have seen the no-legal-limits movie before and they do not like it. In the aftermath of 9/11, civilian lawyers moved in exactly that direction. Former Attorney General Alberto Gonzales, for example, rejected parts of the Geneva Conventions as “quaint.” He then aligned himself with other civilian government lawyers who seemed to believe that the president’s war-making power knew virtually no limits. The most egregious example of this mindset was their endorsement of interrogation techniques now widely labeled as torture.

The results of the no-legal-limits approach were disastrous. The ill-conceived civilian-sourced interrogation, detention and military tribunal policies, implemented over the persistent objections of America’s military lawyers, caused an international uproar that profoundly injured critical relations with indispensable allies. Even more damaging, they put the armed forces on the road to Abu Ghraib, a catastrophic explosion of criminality that produced what military leaders like then-U.S. Commander in Iraq Lt. Gen. Ricardo Sanchez labeled as a “clear defeat.”

Infused with illegalities, Abu Ghraib became the greatest reversal America has suffered since 9/11. In fact, in purely military terms, it continues to hobble counterterrorism efforts. Gen. David Petraeus observed that “Abu Ghraib and other situations like that are nonbiodegradable. They don't go away.” Petraeus told the New York Times, “The enemy continues to beat you with them like a stick.” In short, military commanders want to adhere to the law because they have hard experience with the consequences of failing to do so.

...

In truth, as important as the moral perspective may be, the practical advantages of adherence to the rule of law have a power all their own—as history plainly shows.

Nazi Germany’s and Imperial Japan’s gruesome violations of the law of war, for example, hardly proved advantageous to them. More recently, Saddam Hussein, who embraced war without “limits,” was pulled from a subterranean spider hole—dirty, defeated and soon to be dead. Moammar Gadhafi’s illicit threats to wage war upon his own civilian population in the spring of 2011 brought the military power of the international community down upon him to the point where he ended his days groveling in a sewer pipe.

Military leaders know that adherence to the law is a pragmatic essential to prevailing in 21st century conflicts. It might be attractive to some to capitalize on the unpopularity of lawyers, to demonize them and even the law itself, but military commanders understand that war today has changed. They know that law has permeated war much as it has every other human activity, and they realize the perils of ignoring its power and influence. Whether anyone likes it or not, war has become, as Gen. James Jones, then the commander of NATO forces, observed in 2003, “very legalist and very complex.”

 And here's a taste of my rebuttal:

Gen. Dunlap’s second theme is plainly heartfelt but equally mistaken. To him, taking lawyers out of cyberwar strategy will lead to “lawless war,” and he pulls out all the stops to condemn it, invoking Abu Ghraib, Adolf Hitler, Imperial Japan and, um, Alberto Gonzales.

If you’re wondering how the former attorney general got on that list, I suspect it’s because Gen. Dunlap is still fighting the last war. The last turf war, to be precise. The years after 9/11 saw bitter conflict between military judge advocates general and civilian leaders like Gonzales. They fought over military tribunals, Guantanamo and interrogation.

The military lawyers mostly won. But the cost of that victory was high. It did surprising damage to civilian control of the military (it’s hard, for example, to read Gen. Dunlap’s essay without getting the impression that “civilian lawyer” is some new kind of epithet). And it led military and national security lawyers to draw the wrong lessons from the post-9/11 wars. In the future, they concluded, no war should be planned or fought without a lawyer at every commander’s elbow.

Really? Let’s assume, despite substantial contrary evidence, that when we fight in places like Libya or Iraq or Afghanistan we can deprive our adversaries of propaganda victories so long as our military does nothing without a lawyer’s approval. Even if that’s true, why would we expect the same approach to work for a war in cyberspace?

At its worst, cyberwar could reduce large parts of the United States to the condition of post-Katrina New Orleans, maybe for weeks or months. Responding to propaganda attacks isn’t likely to be high on our to-do list.

The exchange is part of a new book, soon to be published by the ABA, entitled "Patriots Debate." It is a sequel to the earlier volume, Patriot Debates, in which most provisions of the Patriot Act requiring renewal were debated in the same long-form, mostly civil format. The sequel deals with a broader range of legal issues arising from the last ten years of fighting terrorists.

Why we need to fix CISPA, not kill it

Security guru Dan Kaminsky and I joined earlier this year to fight SOPA because it was bad for cybersecurity. Today, for the same reason, we joined in a Politico op-ed to rebut attacks on CISPA, the Cyber Intelligence Sharing and Protection Act:

    We may have thrown some of the first stones, but SOPA was ultimately buried by an avalanche of criticism. Tumblr, Reddit and Wikipedia, among others, even protested by taking their sites down for a day. The effect was not subtle. SOPA is dead.

    They say victory has a hundred fathers. It also has a hundred would-be sons — and “son of SOPA” campaigns have proliferated. In Europe, for example, SOPA’s defeat inspired a surprisingly successful effort to block the Anti-Counterfeiting Trade Agreement.

    Here in the United States, though, the debate has taken an odd turn. After stopping a bill that would have undermined cybersecurity, some Internet activists are now targeting bills that could actually make the Internet safer. They’re charging that bills like the Cyber Intelligence Sharing and Protection Act represent stealth attempts to resurrect SOPA under the guise of promoting cybersecurity....

    There are ways to address this concern, but we must remember the bigger privacy and civil liberties threat: the Internet’s insecurity....

    Without security, no network offers privacy. A hacked database offers no protection.

    Part of the solution is to get better at sharing information. That means sharing attack signatures at light speed so as soon as a new attack vector is identified by one company, it can be blocked by others. Government needs to be part of that system — it has a lot to defend and it’s pretty good at identifying signatures.

    But under current law, once the government shows up to receive information, private-sector participation slows from the speed of light to the speed of lawyers. Current law lets companies share information with the government without a court order only to protect their own networks against malware, but not to protect others....

    In short, we need to fix CISPA, not fight it. We can all agree that if Facebook reports that a link has been used to propagate malware, the government should expend its resources to warn users and foil the attack, not issue notices of potential copyright violations about the link.

Remarkably, the House Intelligence Committee has proposed additional amendments that would accomplish precisely this goal.

TSA automating its ID and boarding pass checks

Ever so slowly, TSA is closing loopholes in the security system that it jury-rigged on top of the old, airline-run system inherited in 2001.  The biggest loophole in recent years was the way risky travelers were identified. In essence, the airline was told to print a special code on a risky traveler’s boarding pass.  Then, the traveler would carry his pass to the checkpoint, where he’d get special scrutiny. 

That was hardly the best system. It depended on risky travelers themselves hand-carrying security messages from airline to checkpoint.  And it was easy to forge boarding passes that didn’t carry the mark of Cain.

Under a new system now being piloted, TSA will still depend on travelers carrying messages, but at least the messages will be hard to forge. Airlines will use private encryption keys to authenticate and protect the information stored on each boarding pass. Once the information is decrypted at the checkpoint, it will be compared to the information on the traveler’s ID. If the two match, TSA can apply its identity-based security measures with some confidence.

In addition to securing the information on boarding passes, the new TSA system will automate ID-checking.  ID readers will scan for security features and compare the written and the encoded information on IDs to make sure they match each other and the data on the boarding pass. This obviously raises the bar for forgery of both boarding passes and IDs.  It likely also spells the end of black-light flashlights and jeweler's loupes in the security line. The new system will roll out first at Dulles airport near Washington.

In an effort to address the privacy objections that dog every new measure it proposes, TSA has announced that, after its machines have carefully checked those IDs and correlated them to boarding pass and flight information, TSA will destroy all the data. That strikes me as a choice that's open to debate.  Enforced amnesia means that all travelers will always look alike to TSA.  I suppose that sounds good if you fear government discrimination, but not if you want a security system that applies different security measures to travelers based on differences in their conduct.  

Mustang Photos

Mustang, the ancient kingdom between Tibet and Nepal, is where Gordon and I took our last trek.  Now it's the subject of a very nice photo spread by Boston.com.

Yet another reason to keep the lawyers out of cyberwar

According to Richard Clarke,  government lawyers play such a large role in designing American covert cyber operations that by the time the lawyers are done messing with them, they're anything but covert:

One reason to believe the Stuxnet attack was made in the USA, Clarke says, “was that it very much had the feel to it of having been written by or governed by a team of Washington lawyers.”

“What makes you say that?” I asked.

“Well, first of all, I’ve sat through a lot of meetings with Washington [government/Pentagon/CIA/NSA-type] lawyers going over covert action proposals. And I know what lawyers do.

“The lawyers want to make sure that they very much limit the effects of the action. So that there’s no collateral damage.” He is referring to legal concerns about the Law of Armed Conflict, an international code designed to minimize civilian casualties that U.S. government lawyers seek to follow in most cases.

Clarke illustrates by walking me through the way Stuxnet took down the Iranian centrifuges.

“What does this incredible Stuxnet thing do? As soon as it gets into the network and wakes up, it verifies it’s in the right network by saying, ‘Am I in a network that’s running a SCADA [Supervisory Control and Data Acquisition] software control system?’ ‘Yes.’ Second question: ‘Is it running Siemens [the German manufacturer of the Iranian plant controls]?’ ‘Yes.’ Third question: ‘Is it running Siemens 7 [a genre of software control package]?’ ‘Yes.’ Fourth question: ‘Is this software contacting an electrical motor made by one of two companies?’” He pauses.

“Well, if the answer to that was ‘yes,’ there was only one place it could be. Natanz.”

“There are reports that it’s gotten loose, though,” I said, reports of Stuxnet worms showing up all over the cyberworld. To which Clarke has a fascinating answer:

“It got loose because there was a mistake,” he says. “It’s clear to me that lawyers went over it and gave it what’s called, in the IT business, a TTL.”

“What’s that?”

“If you saw Blade Runner [in which artificial intelligence androids were given a limited life span—a “time to die”], it’s a ‘Time to Live.’” Do the job, commit suicide and disappear. No more damage, collateral or otherwise.

“So there was a TTL built into Stuxnet,” he says [to avoid violating international law against collateral damage, say to the Iranian electrical grid]. And somehow it didn’t work.”

The last time I wrote about the restrictions that US government lawyers are piling on cyberweapons, I asked, "Lawyers don't win wars. But can they lose one?" Clarke's observation, however, suggests another problem.  

If other nations decide that they can attribute attacks to the United States because our legal culture leaves such distinct fingerprints on our covert weapons, maybe the better question is whether American government lawyers will be responsible for causing the next war.

(Hat tip to Jack Goldsmith, who flagged the Clarke article in Lawfare. Photo credit: Freefoto)

REAL ID–Back from the dead?

I testified a few days ago at a House Judiciary subcommittee hearing on REAL ID implementation.  I expected to have harsh things to say about the way REAL ID has been handled by the National Governors Association and the Obama administration. And there was certainly plenty to criticize.  But what surprised me after a few years away from the issue is how much progress has been made, almost reluctantly, by all parties.  Much more secure identification is now within reach, though politics may delay the final steps much too long.  Here’s some of what I told the subcommittee:

 

Unfortunately, not everyone agrees with the need for better drivers’ license security. Opposition to REAL ID unites the nations' governors and the ACLU. As a candidate, President Obama campaigned against REAL ID. And as a governor, Secretary Napolitano did the same. So it was no surprise that the Obama administration supported repeal of REAL ID and adoption of a softer approach, called PASS ID. Expecting PASS ID to be adopted, the administration soft-pedaled the states’ obligations under REAL ID.

But PASS ID did not pass, and REAL ID is still the law. Unfortunately, however, it's not being treated like a real law. In 2009, the Secretary of Homeland Security permanently stayed the deadline for states to come into material compliance, on the grounds that the Department was pursuing PASS ID. By March 2011, with the deadline for full compliance with REAL ID just two months away, that reasoning wouldn't work anymore; everyone recognized that PASS ID was dead. But the Secretary nonetheless postponed the deadline for full compliance to January 2013 without taking comments. The remarkable justification for the delay was that the administration had encouraged the states to hope that the law would change, so they didn’t take steps to comply with the law as it stands:

…

I only wish I could get an extension on my tax return by saying I was hoping the law would change before the returns were due but that I'm now ready to “refocus on achieving compliance” with the requirements of the tax code.

In fact, apart from hoping that the states will refocus, the Department does not seem to be doing much to encourage them to meet the new deadline. As far as I can see, it hasn’t audited state compliance; it hasn’t processed the submissions of states that want to certify their compliance with REAL ID; and it hasn’t pressed the states that are lagging far behind to step up their efforts.

…

[D]espite all the public outcry and political posturing, most motor vehicle departments are making good progress toward the goals set out in the REAL ID act. Janice Kephart of the Center for Immigration Studies has done invaluable work in surveying the states’ progress toward achieving compliance with the standards set by REAL ID. Her most recent study estimates that nine states are on track to achieve full compliance with all REAL ID requirements by January 2013, and that another 27 will have achieved material compliance with the act by then. That means that the great majority of states can meet the deadline, at least for material compliance, if they simply keep on doing what they have been doing.

In saying that I do not mean to overlook the distinction between material compliance and full compliance. The principal difference is that states can achieve material compliance without having in place an electronic verification system for birth certificates. To achieve full compliance, they must check birth certificates with the issuing jurisdiction.

Now, as you might guess from my early remarks, I think that checking birth certificates is crucial to achieving a more secure license system. Birth certificates are much easier to forge and much harder to check than licenses, so it’s no wonder that everyone from aspiring terrorists to cop-killing car thieves views a forged birth certificate as the key to building a fake identity.

And so, having an electronic system for checking birth certificates is crucial. It too should be in place as soon as possible.

…

Once again, there is good news on this front in the Kephart report, which says that by February of this year, 37 states had already entered their birth records into a system that allows other agencies to conduct verification online. This system, called Electronic Verification of Vital Events (or EVVE), is administered by the National Association for Public Health Statistics and Information Systems (or NAPHSIS). The network is still growing; NAPHSIS tells me that they’ve added another state since February; EVVE now covers 38 states. And the system isn’t just theoretically available. It’s actually being used on a daily basis by several US government agencies, such as the State Department’s passport fraud investigators, the Office of Personnel Management, and the Social Security Administration.

The really good news, then, is that there are no technical barriers to nearly immediate implementation of electronic birth certificate checks. Any state that can achieve material compliance by 2013 can also achieve the most important element of full compliance by that date; it just has to hook up its DMV to EVVE. In short, nearly 40 jurisdictions are on track to do what the 9/11 Commission recently urged them to do: implement drivers’ license security without delay.

The rest of the testimony is here. The hearing itself was remarkable in several respects.  There was much less heat than I expected.  Chairman Sensenbrenner, author of REAL ID, seemed pleased with the progress to date and disinclined to beat up the Administration.  The Administration’s witness (my successor at DHS Policy, David Heyman) said there were no plans to extend the January 2013 deadline for full compliance. The governors’ witness was less hostile to REAL ID than in the past.  The privacy groups were not much in evidence, and their arguments about the dangers of a giant database were undercut by the fact that four of the five data-sharing networks needed to implement REAL ID are already in operation, with George Orwell nowhere in sight. The lesson for government officials is that, despite enormous friction and resistance, things that ought to get done in Washington do get done, eventually.  We aren’t quite done with REAL ID implementation, but if this were World War II, we’d be somewhere between D-Day and the Battle of the Bulge.

Testifying about Cybersecurity legislation

The Senate's big cybersecurity bill has finally surfaced officially, and the hearing will be tomorrow at 2:30 DC time in front of the Homeland Security and Government Affairs Committee.  After Sen. Rockefeller and Sec. Napolitano, I'll be part of a panel that includes Gov. Tom Ridge, Scott Charney of Microsoft, and Jim Lewis of the Center for Strategic and International Studies. 

Here's my prepared testimony.

Mr. Chairman, Ranking Member Collins, members of the committee, it is an honor to testify before you on such a vitally important topic. I have been concerned with cybersecurity for two decades, both in my private practice and in my public service career, as general counsel to the National Security Agency and, later, to the Robb-Silberman commission that assessed U.S. intelligence capabilities on weapons of mass destruction, and, more recently, as assistant secretary for policy at the Department of Homeland Security. In those two decades, security holes in computer networks have evolved from occasionally interesting intelligence opportunities into a full-fledged counterintelligence crisis. Today, network insecurity is not just an intelligence concern.  It could easily cause the United States to lose its next serious military confrontation.

 

Moore’s Outlaws: The Exponential Growth of the Cybersecurity Threat

 

Our vulnerabilities, and their consequences, are growing at an exponential rate.  We’ve all heard of Moore’s Law.  What we face today, though, are Moore’s outlaws: criminals and spies whose ability to penetrate networks and to cause damage is increasing exponentially thanks to the growing complexity, vulnerability, and ubiquity of insecure networks. If we don’t do something, and soon, we will suffer network failures that dramatically change our lives and futures, both as individuals and as a nation.

 

It doesn’t take a high security clearance or great technical expertise to understand this threat.  It follows from two or three simple facts. 

 

Fact One. Breaking into computer networks to steal secrets has never been easier, despite all the security measures we encounter on those networks.

 

Why do I say that?  Simple. In recent months, we have learned that some of the most security-conscious institutions on the planet have been compromised. HBGary, RSA, Verisign, and DigiNotar are all in the network security business; they understand how to protect secrets on line -- if anyone does.  But RSA was electronically attacked and its most important business secrets, the keys to its security business, were stolen.  HBGary lost control of its CEO’s email correspondence to a group of online vigilantes, and its CEO lost his job as a result. DigiNotar, a Dutch entity that issues online credentials, was compromised by a hacker working with Iranian security forces.  Six weeks after the breach became public, DigiNotar was out of business.  I think it’s fair to say that these security-conscious companies would have done whatever they could to prevent these disclosures, but they failed.  They were unable to secure their networks.

 

Actually, the same is true for governments.  The Defense Department used to say that attacks on its systems had never penetrated the classified networks.  Now it has disclosed that this is no longer true.  Defense contractors have also been compromised, and with them, the designs for our most recent weapons systems.

 

That is the first fact:  No network, no matter how important its secrets and no matter how security conscious its owner, can be seen as secure in today’s world. Attackers have an excellent chance of breaking in and stealing secrets. And here is the second:

 

Fact Two.  Once the attackers are in, they don’t have to stop at stealing secrets.  They can cause severe physical damage just by manipulating the digital systems they have compromised. 

 

When I was at DHS, we demonstrated that hackers could cause a large generator to self-destruct, just by sending the generator commands over the network. More recently, the Stuxnet malware is believed to have crippled Iran’s uranium enrichment efforts for months, simply by infecting the computerized industrial control system responsible for Iran’s centrifuges. That was good news for people who think that Iran’s nuclear program is dangerous. But Stuxnet was also a proof of concept, showing that network flaws can be used to cause massive damage to any machinery that relies on computerized industrial controls.

 

And what machinery runs on such controls? Pretty much everything necessary to sustain our society: refineries, pipelines, electric power, water, and sewage systems. Worse, the industrial control systems that run these necessities are not really designed with cybersecurity in mind. In fact, there is reason to believe that Windows networks running on the Internet are much more secure than industrial control systems.  At a minimum, we can say with confidence that industrial control systems are no better protected than the systems that failed at RSA, Verisign, HBGary, and DigiNotar.

 

Cyberweapons pose a real threat to the United States. Those two facts lead to a third, common-sense conclusion: Any nation that feels the need to prepare for a military confrontation with the United States has already begun developing cyberweapons. Cyberweapons are especially potent against the United States.  That’s because they are deniable; figuring out who has launched a cyberattack will be very difficult, making our other military assets less useful in deterring attacks.  Cyberweapons are also asymmetric; they cause more harm in developed nations than in less advanced societies.  And perhaps most importantly, such weapons can overturn the American war experience of the last sixty years – that conflicts will be fought far away, at a time and place of our choosing. Any nation expecting a conflict with the American military would be enthusiastic about developing a weapon that can cause massive civilian suffering on our home front before a single shot has been fired on the battle lines.

 

Now that such a weapon is within their reach, the impact could be unprecedented. We have no experience with losing large parts of our power, refinery, water and sewage systems all at once. The closest we’ve come was New Orleans after Katrina. And there, everyone knew beforehand that the disaster was coming.  Preparations had been made, and most people left the city well in advance. They went to places where the infrastructure still worked, while organized military and civilian relief efforts rapidly moved in to help those who remained. Even so, the breakdown in order and the human suffering was extreme.

 

Thanks to growing cyber insecurity, all Americans now live in a digital New Orleans, with Katrina just offshore. And not one Katrina, but many.  Computer exploits that we once thought were the work of large nations such as Russia or China now seem to be within the capability of countries like Iran and North Korea.  If I am right that computer insecurity continues to grow worse each year, then the sophistication needed to launch a cyberattack will continue to decline, and soon such attacks will be within the capability of criminal gangs and online vigilantes like Anonymous.

 

Disaster is not inevitable.  We can head this threat off if we treat it seriously. We may have years before suffering an attack of this kind.  We do not have decades.  We must begin now to protect our critical infrastructure from attack. And so far, we have done little.  

 

The Cybersecurity Act and Its Critics

 

The committee and the bipartisan group that has worked with the Majority Leader deserve great credit for producing a historic comprehensive legislative package to deal with this grave threat. The bill does three big things.  First, it seeks to improve the cybersecurity of the infrastructure industries on which our lives and social order depend.  Second, it sets aside the legal restrictions and doubts that have made it hard to share security information between government and industry.  And third, it reforms the federal information security standards process.

 

Of these, the most important is the title dealing with critical infrastructure, and I will focus my testimony on it. This part of the bill will no doubt encounter resistance. The business community is quick to condemn anything that smacks of new government regulation.  Information technology companies have achieved enormous success in recent decades and have gone largely unregulated.  They want to stay that way. 

 

They argue that information technology is too fast-moving and technically complex for government to regulate. And that’s not completely wrong. It is a fool’s errand to address network vulnerabilities by adopting command-and-control regulations specifying particular security measures. A new regulation takes two to three years to wend its way through notice and comment and other mandated procedures. In three years, malware will go through several generations, and attacks will evolve many times. Specifying particular security measures by regulation will not work.

 

But neither will laissez-faire reliance on the private sector. We do not expect General Motors to field its own antimissile defenses in the event of a nuclear attack. And we cannot expect private power or oil companies to stand alone against calculated attacks from the militaries of half a dozen nations. I believe that the bill, with a few modifications, charts a way to improve private sector security without resorting to command and control regulation. 

 

Another source of resistance comes from advocates who claim that this bill is somehow similar to the Stop Online Piracy Act, or SOPA.  If the bill reaches the floor, they threaten, it will meet the same fate as SOPA.

 

Well, to paraphrase Sen. Bentsen in the 1988 vice-presidential debate, I knew SOPA, I opposed SOPA, and Mr. Chairman, this bill is no SOPA.

 

I took a very early stand against SOPA, and I’m proud to have played a role in forcing its reconsideration. SOPA was a bad idea because it would have given a little help to one industry while making everyone who uses the Internet much less secure.  That criticism of SOPA struck a chord with Americans because we all use the Internet with a nagging fear that our security is at risk. That security concern was at the heart of the early opposition to SOPA. This bill, in a real sense, is the opposite of SOPA.  It addresses the entirely justified security concerns of ordinary users.

 

There is another reason not to heed the advocates who oppose this title.  They’re the guys who got us into this fix. 

 

Three Presidents in a row have warned against cybersecurity risks, and three have tried to do something about it. All have been stymied by business and privacy advocates acting in alliance. A dozen years ago, President Clinton’s administration proposed that the Defense Department build tools to check Internet traffic sent to DOD sites, not just for spam but for malware that might be sent by foreign governments. In response, business and privacy groups rose up, claiming that this would somehow violate the rights of people communicating with the government.  The proposal was killed in Congress.  Today, after what may be the most massive loss of weapons technology and other secrets in history, we are only beginning to build an Einstein system that does for civilian systems what President Clinton was not allowed to do.

 

We’ve had a lost decade in cybersecurity.  The government bears some responsibility for that lost decade, but those who counsel inaction bear more. We followed their advice, and the threat is far worse now than it was ten years ago. If we follow their advice again, we will face a crisis much sooner.

 

Unpacking the Critical Infrastructure Protection Proposal

 

In fact, if I may turn to the contents of the bill, I fear that it has already been weakened unduly by those who want us to do nothing.

 

That is not to criticize the overall thrust of the bill. The title on critical infrastructure is in general a well-considered and coherent approach. It starts with a government assessment of the industries where the risk is greatest. See section 102. Based on the assessment, individual systems or assets deemed to be most at risk are, on an industry sector-by-sector basis, designated as “covered critical infrastructure.” Section 103. Next, performance requirements to mitigate those risks are adopted for each industry. Section 104. Finally, adherence is enforced by requiring the owner of covered infrastructure to certify compliance (or to obtain a third-party assessor’s certification of compliance) with the performance requirements. Section 105.

 

This broad structure is meant to solve the problem of how to regulate a fast moving and complex technology. It does so by leaving as much discretion as possible in the hands of the private sector. It gives the private sector preferential input into the process of assessing and identifying covered critical infrastructure.  Performance requirements are supposed to be established, if at all possible, based on private sector proposals or existing industry standards. What’s more, the title doesn’t call for government simply to tell industry what security technologies to adopt. The point of the process is to identify the risks, warn industry of those risks, and challenge industry to develop standards and adopt measures that industry finds best adapted to the risks.

 

Done well, an approach of this kind is both more demanding and more flexible than traditional regulation.  The government sets the bar, and it is up to industry to find the best way to get over it.  That makes the approach more flexible than ordinary regulation.  But if hackers find new ways to compromise critical networks, then industry measures that once were good enough must now be strengthened, automatically and without a new regulation.  That makes the system more demanding than ordinary regulation.  It’s a good solution.

 

In several details, however, the bill fails to follow through on its overall approach.

 

How many deaths does it take before security matters? First, because the bill imposes no obligations whatsoever on systems or assets that are not designated as “covered critical infrastructure,” the process of designation is a big deal.  If an asset is not designated as “covered critical infrastructure,” then the owner has no obligation under the bill to guard against attack by hackers, criminals, or nation states, leaving those who depend on the asset unprotected.  So, the standards for prioritizing industries and designating systems or assets are crucial. 

 

Yet the standards currently included in the bill for designating “covered critical infrastructure” are bound to leave huge swaths of important systems unprotected.   The bill states that the Secretary of Homeland Security may “only designate a system or asset as covered critical infrastructure if damage or unauthorized access to that system or asset could reasonably result in . . . (i) the interruption of life-sustaining services, including energy, water, transportation, emergency services, or food, sufficient to cause (I) a mass casualty event that includes an extraordinary number of fatalities; or (II) mass evacuations with a prolonged absence; (ii) catastrophic economic damage to the United States . . . or (iii) severe degradation of national security of national security capabilities, including intelligence and defense functions.  ” 

 

Let’s unpack that first test.  It says that a system or asset cannot be regulated under this bill unless a cyberattack on it would so interrupt life-sustaining services that it would cause “a mass casualty event that includes an extraordinary number of fatalities.” Really?  So an individual infrastructure owner, such as a rural electricity provider, has no responsibility under this title if it can show that an undefended cyberattack would only cause an ordinary number of fatalities? 

 

How many dead Americans is that, exactly?  Under the bill as written, any business that wants to avoid being regulated can take the government to court and argue that it is exempt from obligation under the law because only a few its customers will actually die if its security fails.  That’s wrong. The courts are going to have to give effect to every adjective in this bill, from “extraordinary” numbers of fatalities, to “catastrophic” economic damage and “severe” degradation of national security.  Do we really want to see companies escape any security obligations by arguing that their failures will of course degrade national security or cause economic damage, but not severe degradation or catastrophic damage? This would be a better bill if those adjectives were reconsidered.

 

The information technology exclusions. My second concern is that the bill gives the IT industry too much of a free pass.  The bill expressly prohibits the inclusion of any “commercial information technology product, including hardware and software” within the category of “covered critical infrastructure.” 

 

This is odd.  Commercial information technology products are certainly part of the problem.  Why shouldn’t they be part of the solution? 

 

Of course IT companies have legitimate concerns about how regulation would affect their ability to innovate, especially on a global basis.  Perhaps it doesn’t make sense to treat individual platforms, such as Windows, as covered infrastructure sectors. But at the same time, we cannot ask the owners of covered networks to improve security without help from their IT providers.

 

The bill as drafted probably does allow the government to set standards for IT companies indirectly. (Thus, the government could endorse a performance standard like this one:  “Operating systems utilized by covered critical infrastructure must enable authentication of each machine on the network by means of a trusted processing module or equivalent hardware-based technique.”) Assuming this is consistent with the statute, the exclusion of commercial IT products from covered infrastructure may be tolerable.

 

But such an indirect approach is put at risk by a second set of limits written into the bill.  These exclusions would prevent the government, when establishing performance requirements, from requiring the use or regulating the design of commercial information technology products and related services.  This language is much too broad. It would cast doubt on any performance standard that applies by its terms to commercial hardware or software used by critical industries, including the example that I gave above.

 

It seems to me that, if IT products are not to be treated as a covered infrastructure,  the companies that make them should be encouraged to provide very specific forms of security support to those of their customers who are covered.  Put another way, the IT industry can reasonably ask for one of these exclusions, but not both.

 

 

Immunity for operators who have no statutory obligations. By the same token, the bill imposes obligations on the owners of critical infrastructure but not on the operators of critical infrastructure. This seems to exclude anyone who acts as an outsourced provider to the actual owner. So if a telecommunications company outsources its hardware operation to a foreign switch manufacturer or a pipeline company hires an IT company to run its networks, the obligations of the bill do not apply to the switch manufacturer or the IT company. This is less troubling, I suppose, than the blanket exclusion of all commercial IT products, since obligations imposed on the owner may be passed on to the operator.  But if the operator isn’t subject to regulation, why should we reward the operator as well as the owner with an immunity from punitive damages?

 

Cutting through the regulatory drag in an emergency. Finally, my biggest concern about the bill has to do with the risk of regulatory atherosclerosis. The process set forth in the bill is very friendly to industry, deferring at every turn to industry-led standards and solutions.  In general, this is a good idea.  But the end result is a process that will take many years to implement, especially in sectors that decide to resist rather than comply with the intent of Congress.

 

Here’s my quick assessment of the likely elapsed time from enactment to actual implementation of security measures by a reluctant industry.

 

·       Risk assessments. The top-level risk assessment must be done in 90 days, but there is no deadline for doing sectoral risk assessments. Those could take at least a year and probably two to finish, and they must be completed before the remaining steps can be taken.

·       Designation.  The government must explain its criteria for designation, and it appears that it must individually identify the companies to be designated.  What’s more, every decision it makes can be challenged in court, which will make the government cautious and slow in making designations.  This step too will take at least a year or two in many sectors. And that’s not the end.  The bill chooses the slowest possible judicial review process, sending appeals first to district court and then up on appeal.  Any industry that appeals its status could buy two or three more years before the next step can be taken.

·       Set performance requirements. The bill’s preferred method for setting performance requirements is to rely on stakeholder proposals or existing industry standards.  But if, after all of these proposals are submitted and reviewed, they are insufficient to address the security threat at issue, then and only then can the Secretary of Homeland Security, still in consultation with industry, develop satisfactory requirements.  That process too could easily take another two years.

·       Enforce the requirements. Once all of that is done, and an enforcement regulation has been written, each covered company must certify that it has adopted measures that it considers sufficient to meet the applicable performance requirement.  (Alternatively, the company can choose to wait for the government to go through the long process of creating, training and testing up an entire new class of third-party assessors.) If the government suspects that the company’s certification is false, it can conduct its own assessment, but it’s not completely clear that it can impose any new requirements; it may be that the company can wait to be sued for a false certification and then avoid any penalty by adopting a new set of security measures and claiming that it has remediated any failure in a timely way.  That could be very lengthy and messy, but let’s figure a year for the certification and another year to sue a recalcitrant company.

 

Based on those calculations, a company that simply exercises rights conferred by the title could delay any cybersecurity measures for eight to ten years after enactment.  That’s another lost decade.

 

I don’t mean to suggest that the risk of delay should be solved by getting rid of these lengthy processes.  They are necessary to get the benefit of the private sector’s creativity and flexibility in dealing with security problems. They should be retained in most circumstances. 

But clearly there are some problems that we cannot wait a decade to solve. In an emergency, the government must have authority to skip or compress any of the procedures described above.  If a security threat to a particular company or sector plainly threatens the lives of Americans, the department should be free to demand prompt action by the company. The company may remain free to choose the solution, but the government must be able to insist that the solution work and that it be implemented as promptly as necessary to save lives. That, after all, is the purpose of this bill. Without authority to waive time-consuming procedures in an emergency, the bill will fail in that purpose. I know such authorities are hard to draft, so I’ve attached one possible version to my testimony.

 

Conclusion: Our Best Hope to Avoid a Predictable Disaster

 

In closing, let me return to my main theme.  We face a crisis.  Cybersecurity is bad and getting worse. Civilian lives, and our ability to win the next war, depend on solving our security problems.  We have to do that without losing the great benefits that a largely unregulated global IT industry had brought to us. But we cannot let advocates for the status quo condemn us to another lost decade of growing insecurity. This bill, even with its flaws, is our best hope to head off a perfectly predictable disaster.

 

We are all living in a digital New Orleans.  No one really wants to spend money reinforcing the levees. But the alternative is worse.

 

And it is bearing down on us at speed.

 

 

 

Possible Amendment to Deal with Imminent Threats

 

Stewart Baker

 

SEC XXX. RESPONDING TO IMMINENT THREATS

 

(a) Notwithstanding the other sections of this Title, in the event that the imminence or existence of a cybersecurity emergency as defined in section (b) makes it impracticable to complete one or more of the steps below in accordance the procedures established under this title the Secretary shall have the authority to promptly —

(1) identify cyber risks that have created the cybersecurity emergency within one or more affected sectors;

(2) designate the covered critical infrastructure and any systems or assets that must respond to these risks;

(3) develop risk-based cybersecurity performance requirements that address the identified cyber risks;

(4) require, within a period of time determined by the Secretary, that each owner of covered critical infrastructure, whether identified under this section or section 103 of this title, implement security measures sufficient to satisfy the risk-based security performance requirements established under this section and promptly —

(A) certify in writing to the Secretary that the owner has developed and effectively implemented security measures sufficient to satisfy the risk-based security performance requirements established under this section; or

(B) submit a third-party assessment in accordance with Section 104(d);

(5) enforce any requirement of this section; and

(6) expedite the implementation of any other provision of this title.

 

            (b) The Secretary shall declare that a cybersecurity emergency exists only when a cybersecurity risk to a particular critical infrastructure sector --

(1) cannot be prevented in timely fashion by adhering to the procedures set forth in sections 102 through 107 of this title; and

(2) poses a present or imminent threat of

(A)the interruption of life-sustaining services, including energy, water, transportation, emergency services, or food, sufficient to cause—

(i) a mass casualty event that includes an extraordinary number of fatalities; or

(ii) mass evacuations with a prolonged absence;

(B) catastrophic economic damage to the United States including—

(i) failure or substantial disruption of a United States financial market;

(ii) incapacitation or sustained disruption of a transportation system; or

(iii)other systemic, long-term damage to the United States economy; or

(C) severe degradation of national security or national security capabilities, including intelligence and defense functions.

 

(c) Judicial review in accordance with section 103 shall be available as provided in that section, but no stay shall be granted of any order, determination, directive or other action under this section unless the party requesting the stay posts a bond fully sufficient to cure any harm that may be caused by failure to implement the stayed order, determination, directive, or other action.

 

 



Is GOP a SOPA "Nope" Hope?

Here’s a revised version of an op-ed I published on the potential importance of the SOPA fight.  The original appeared in Hollywood Reporter.

What went wrong for SOPA, the entertainment industry’s proposal for stopping international piracy? And what does it mean for Hollywood’s future clout in Washington?

I had a ringside seat for the battle over SOPA, though not as a supporter.  I thought it would make Internet users more vulnerable to cybercrime. That was a problem that could have been fixed.  Instead, after a brief halt and some modest changes, the entertainment industry decided to press for a showdown.

And a showdown, of course, is what it got.

Why did it turn out so badly? The entertainment industry’s first mistake, then and now, is believing that its adversary is a group of other companies -- Google, Internet service providers, and others -- who are somehow hoping to profit from the Internet travails of the entertainment industry.

In fact, the industry is fighting what amounts to a new popular culture.

Unlike the old pop culture, this one is largely independent of the music, movie, and broadcast industries. In fact, people who spend hours on line instead of watching TV or going to movies will probably encounter the entertainment industry only when Youtube videos of their kids dancing to Prince or spoofing Star Wars are pulled down by Hollywood's bots, or when the RIAA threatens to sue them for their college savings, or when digital rights software makes it hard to move their stuff to a new tablet or phone.

To the entertainment industry these episodes may seem like collateral damage in the fight to stop piracy.  To the new pop culture, though, collateral damage and misuse of enforcement tools is everywhere, and it threatens everyone.  The content industry has made itself into the villain. Increasingly it looks like an occupying power; obeyed at gunpoint, despised for its hamhanded excesses, and resisted from every dark corner.  Unfortunately for the entertainment industry, as its customers migrate to the Internet, it loses not just their money but their hearts and minds as well.

The industry's miscalculation about the source of the resistance to SOPA may have led to an even bigger mistake.  As long as the campaign for better IP enforcement was an inside-the-beltway, company-versus-company struggle, it could be fought within the Congressional judiciary committees, where both Republican and Democratic politicians were wooed and won as individuals. As a result, strengthening intellectual property enforcement has been a bipartisan issue for the last 25 years.  But when the fight went from the committees to the floor, and Wikipedia went dark, every member of Congress was expected to take a stand. 

The two parties reacted very differently. Despite widespread opposition to SOPA from bloggers on the left, Democrats in Congress (and the Administration) were reluctant to oppose the bill outright. The MPAA was not shy about reminding them that Hollywood had been a reliable source of funding for Democratic candidates, and that it would not tolerate defections. 

But that very public message also reached another audience: Tea Party conservatives. Most of them had never given a second's thought to intellectual property enforcement before coming to town. But many had drawn support from conservative bloggers.  They began to ask why they should vote against their Internet supporters to rescue an industry that was happily advertising how much it hated them. Pretty soon, far more Republicans than Democrats had bailed on SOPA, and the Republican presidential candidates had all come out for what they called "Internet freedom." 

That's what really ought to worry the entertainment industry. For Republicans, opposition to new intellectual property enforcement is starting to look like a political winner. It pleases conservative bloggers, appeals to young swing voters, stokes the culture wars, and drives a wedge between two Democratic constituencies, Hollywood and Silicon Valley. 

We’ve seen this movie before.  Immigration reform and the DREAM Act, free trade agreements, and the USA PATRIOT Act all commanded impressive bipartisan support. For a while. Now, not so much. Bills on these topics still come to the floor, and they sometimes even pass, but only after endless partisan point-scoring and amendments driven by talk radio and mass email. The same could soon be true of intellectual property enforcement.

With SOPA, the entertainment industry pushed a generation of Republicans into choosing sides between Hollywood and the Internet.

They may never look back.

While I’m on the subject, talk about culture clash: I’ve written two SOPA op-eds, for Politico and Hollywood Reporter, and both have been put without notice behind paywalls. That’s never happened to me before, and it seems a little odd. Sure, it must sound good to the publishers, at least for a while.  But they aren’t paying op-ed contributors in gobs of cash, or in massive circulation.  They’re giving circulation to the contributors’ ideas.  Or not, in the case of the paywalled publications.

Contributors who actually care about communicating to the public have to wonder why they should offer content to an outlet with such a policy.  That only makes sense to contributors who have a strong reason to communicate just to the elite audience that pays to get these highly specialized publications -- lobbyists or studio execs in the case of Politico and Hollywood Reporter. It makes sense, in other words, only to contributors who see their op-eds as an alternative form of targeted advertising.

Nothing wrong with that, either, except that it means the subscribers who pay for the publications have to read even the op-eds with their hands on their wallets, wondering, “Now why did he want me, and only me, to read that?” Ironically, then, in the long run the paywalled op-eds are less valuable than op-eds that appear for free.

UPDATE: The Hollywood Reporter assures me that the paywall is temporary -- likely to last only a day or two while they're promoting the new issue.  So, uh, never mind.  When the public link is available, I'll add it.

UPDATE 2: Done.

Stilts Scoops Drudge, The Atlantic, and Reuters by … Two Years

Matt Drudge and The Atlantic are hyperventilating, and Mark Hosenball of Reuters is bragging, about what The Atlantic calls an “exclusive” report that DHS “routinely monitors dozens of popular websites, including Facebook, Twitter, Hulu, WikiLeaks and news and gossip sites including the Huffington Post and Drudge Report.” 

There are just two problems with this exclusive news report. It isn’t news and it isn’t exclusive. 

Readers of this blog could have learned exactly the same thing in one of my posts from, uh, February of 2010. 

Here’s what I said two years ago:

With his usual nudge-and-wink, Matt Drudge invites us to be dismayed that “BIG SIS” — his moniker for Janet Napolitano — is “Monitoring Web Sites for Terror and Disaster Info.” Drudge links to a story saying that DHS will be monitoring social media like Twitter, as well as websites like Drudge, to keep abreast of events during the Winter Olympics. The source of the story is a twelve-page “Privacy Impact Assessment” issued by DHS.

This isn’t the first Privacy Impact Assessment (PIA) on DHS’s use of social media. A few weeks earlier, DHS wrote a similar assessment of using social media during Haitian rescue operations.

I am indeed dismayed, but not for Drudge’s reasons.  True, it’s disappointing that neither the Volokh Conspiracy nor www.skatingonstilts.com is deemed worthy of government monitoring.  But what’s really dismaying is that DHS and its Privacy Office felt obliged to labor over two separate and painfully obvious privacy assessments just to do things that you and I would do by simply firing up our browsers.

That’s it.  The story is that people at DHS are, gasp, browsing the Internet. As I said then, there’s no scandal, other than the electrons wasted by DHS agonizing over the privacy implications of browsing Internet sources to find out what’s happening in the world.  And if it was a nonstory in February of 2010, what does that make it in January of 2012?

Actually, it's a lesson -- that both the mainstream media and the blogosphere are doggedly overreporting anything that could be deemed a privacy violation by government, especially DHS.  If you only followed these things casually, you’d be sure that DHS was constantly violating Americans’ rights, and reports like this would be a key bit of evidence.  But when you give the “story” a little scrutiny, all you find is an agency that needs to know what’s happening in an emergency and that is looking at public social media sites for information, just like the rest of us.  There’s no privacy issue there at all, despite the heavy breathing and the headlines.

Kind of makes you wonder how many more phony privacy violations you’ve been conned into believing, huh?

UPDATE: Mark Hosenball of Reuters says that he never called his report an exclusive, since he knew about the 2010 assessment; the "exclusive" label was applied by The Atlantic, not Hosenball.  I changed the first line to avoid tagging him with the statement.

Testifying against SOPA

I will be testifying next Wednesday against SOPA, reprising my concerns about its impact on implementation of new web security protocols. I've blogged those concerns here and here. The hearings are being held by Darrell Issa (R-CA), chair of the House Oversight and Government Reform Committee, who is troubled by the Judiciary Committee's determination to take SOPA to the floor without hearing from witnesses on this issue. More details here.

Air France 447 and the Future of Socially Engineered Cyberwar

I recently read Popular Mechanics’ riveting article reconstructing the last minutes Air France 447, which in 2009 disappeared without explanation over the Atlantic between Rio and Paris. Using the cockpit transcript, the article reveals that the pilots essentially flew a fully functioning passenger jet into the sea. Why?  It appears that a temporary loss of flight speed data and then the disconnection of autopilot systems panicked a copilot into lifting the nose of the plane.  He then more or less kept the stick pulled all the way back as the plane lost forward speed and plunged into the ocean, paying no attention to dozens of blared stall warnings. Here’s a bit of the transcript and Popular Mechanics’ commentary:

02:10:55 (Robert) Putain!
Damn it!
Another of the pitot tubes begins to function once more. The cockpit's avionics are now all functioning normally. The flight crew has all the information that they need to fly safely, and all the systems are fully functional. The problems that occur from this point forward are entirely due to human error.
02:11:03 (Bonin) Je suis en TOGA, hein?
I'm in TOGA, huh?
Bonin's statement here offers a crucial window onto his reasoning. TOGA is an acronym for Take Off, Go Around. When a plane is taking off or aborting a landing—"going around"—it must gain both speed and altitude as efficiently as possible. At this critical phase of flight, pilots are trained to increase engine speed to the TOGA level and raise the nose to a certain pitch angle.
Clearly, here Bonin is trying to achieve the same effect: He wants to increase speed and to climb away from danger. But he is not at sea level; he is in the far thinner air of 37,500 feet. The engines generate less thrust here, and the wings generate less lift. Raising the nose to a certain angle of pitch does not result in the same angle of climb, but far less. Indeed, it can—and will—result in a descent.
While Bonin's behavior is irrational, it is not inexplicable. Intense psychological stress tends to shut down the part of the brain responsible for innovative, creative thought. Instead, we tend to revert to the familiar and the well-rehearsed. Though pilots are required to practice hand-flying their aircraft during all phases of flight as part of recurrent training, in their daily routine they do most of their hand-flying at low altitude—while taking off, landing, and maneuvering. It's not surprising, then, that amid the frightening disorientation of the thunderstorm, Bonin reverted to flying the plane as if it had been close to the ground, even though this response was totally ill-suited to the situation. 

The article offers a final observation on what things were like in that cockpit, minutes from the crash:

Over the decades, airliners have been built with increasingly automated flight-control functions. These have the potential to remove a great deal of uncertainty and danger from aviation. But they also remove important information from the attention of the flight crew. While the airplane's avionics track crucial parameters such as location, speed, and heading, the human beings can pay attention to something else. But when trouble suddenly springs up and the computer decides that it can no longer cope—on a dark night, perhaps, in turbulence, far from land—the humans might find themselves with a very incomplete notion of what's going on. They'll wonder: What instruments are reliable, and which can't be trusted? What's the most pressing threat? What's going on? Unfortunately, the vast majority of pilots will have little experience in finding the answers.

That all sounds right.  But like everything else these days, it made me think about cyberwar.  Some of the most effective tactics used by our adversaries have a social engineering component.  That is, they know how humans react to certain situations and take advantage of that reaction to gain control of our computers.  They know we’re likely to open messages and click on links sent by superiors in our organization. They know we will accept friend requests from people who are already connected to a lot of our friends.  Stuxnet took advantage of social engineering of a sort by making sure that the systems reported normal activity to the humans in the control center while sending abnormal requests to the machines.  The humans believed what their controls told them.

What does this have to do with the crash of AF447?  The reaction of the AF447 pilots was tragically human.  Once we lose faith in computer systems, especially in an emergency, all of us are likely to ask, “What instruments are reliable, and which can't be trusted? What's the most pressing threat? What's going on?” And if we have only minutes to make a decision, we’re likely to lock on a fragment of our training and keep trying it. The evidence that we’re failing disastrously just makes us pull harder on the stick.

So:  Why can’t that reaction be engineered? Put another way, could a hacker have caused the AF447 crash, not by directly overriding the pilots but by manipulating their very human reactions? I should stress that I don’t believe a hacker did that.  Quite the reverse. I’m asking whether future cyberattacks will try to manipulate the human beings behind the computers. 

On reflection, the answer is obvious.  All of war is an effort to manipulate the opponent into a different, defeated frame of mind. But the logical conclusions are pretty troubling. Even as we begin to deploy automated defenses against remote sabotage, attackers will turn to social engineering to defeat them. Once again, this gives the offense far more options than the defense. 

Thus, imagine that we decide to improve our cyberdefenses by redesigning critical military or civilian systems so that computers alone cannot cause catastrophic missteps. That’s good, but it simply challenges the attacker to find a way to influence not just the computers but also the humans – to panic the humans into a catastrophic misstep. Even if the attacker can’t fly our planes into the sea, maybe he can get our pilots to do it for him. Even if he can't cross the air gap to bring down our nuclear plants, he might be able to fake an emergency in the operations center that leads to the same outcome.

As AF447 shows, the key to such an attack is to create doubts about what is true in a situation where decisions must be made in minutes.  Then, as AF447 shows, humans revert to muscle memory and to training, which in some cases can lead rather predictably to disaster.

We’re already seeing rudimentary social engineering in cyberattacks.  We need to get ready for something a lot more sophisticated.

SOPA-rope-a-dopa

Critics of the Stop Online Piracy Act (H.R. 3261) have had an impact.  A manager’s amendment has been offered by Lamar Smith, R-TX, the Judiciary Committee chairman.  I was critical of the first version.  Here’s my take on the new version.

This version contains several provisions aimed at the security concerns raised about the first version.  The new bill insists that it is imposing no technology mandate and that it should not be construed to impair the security of the domain name system or the network of an ISP that receives an order. And it whittles away at the original requirement that ISPs must “block and redirect” visitors to pirate sites. Now, the ISPs are only obliged to block those efforts, not to redirect the subscribers to an alternative site that warns against piracy. ISPs also get a safe harbor that allows them some assurance that they don’t have to redesign their networks to carry out the blocking.

Unfortunately, the new version would still do great damage to Internet security, mainly by putting obstacles in the way of DNSSEC, a protocol designed to limit certain kinds of Internet crime. Today, it’s not uncommon for crooks to take over Internet connections in hotels, coffee shops and airports -- and then to direct users to fake websites.  Users sent to a fake banking site are prompted to enter account and password data, which is used to loot the account. DNSSEC prevents such attacks by giving each website a signed credential that must be shown to the browser by the domain name system server before the connection can be completed.

That’s a great idea, but crooks will predictably try to override it.  Their best bet is to claim that the website doesn’t have a signed credential – a claim that will be plausible at least during the transition to DNSSEC.  What should a browser do if a website says it doesn’t have a signed credential yet?  The site might be telling the truth, or it might be a fake site backed by a DNS server that’s been tampered with.  To find out, the browser needs to ask a second DNS server, and if that server doesn’t give an answer, a third and a fourth server until it gets an answer. That’s the only way to keep criminals from blocking the real DNS credentials and offering their own.

Unfortunately, the things a browser does to bypass a criminal site will also defeat SOPA’s scheme for blocking pirate sites.  SOPA envisions the AG telling ISPs to block the address of www.piracy.com.  So the browsers get no information about www.piracy.com from the ISP’s DNS server. Faced with silence from that server, the browser will go into fraud-prevention mode, casting about to find another DNS server that can give it the address.  Eventually, it will find a server in, say, Canada.  Free from the Attorney' General’s jurisdiction, the server will provide a signed address for piracy.com, and the browser will take its user to the authenticated site.

That’s what the browser should do if it’s dealing with a hijacked DNS server.  But browser code can’t tell the Attorney General from a hijacker, so it will end up treating them both the same. And from the AG’s point of view, the browser’s efforts to find an authoritative DNS server will look like a deliberate effort to evade his blocking order.

The latest version of SOPA will feed that view.  It allows the AG to sue “any entity that knowingly and willfully provides …a product … designed by such entity or by another in concert with such entity for the circumvention or bypassing of” the AG’s blocking orders.

It’s hard to escape the conclusion that this provision is aimed squarely at the browser companies. Browsers implementing DNSSEC will have to circumvent and bypass criminal blocking, and in the process, they will also circumvent and bypass SOPA orders. The new bill allows the AG to sue the browsers if he decides he cares more about enforcing his blocking orders than about the security risks faced by Internet users. Indeed, the opaque language about “another in concert with such entity” makes perfect sense in the context of browser extensions.  It allows the AG to sue not just browsers but also add-ons with this feature.

OK, that’s the law.  Now imagine you are Microsoft, or Google, or Apple, or Mozilla.  The DNSSEC guys come to you and ask you to implement DNSSEC.  It won’t increase your revenue, they admit, but it will make the Internet much safer for your users.  You want to be a good internet citizen, so you think maybe you should devote some precious code-writing resources to the cause.  But first you ask your lawyers whether they foresee any problems. 

“Well, yes,” they’d have to say. “If you add code to the browser that implements DNSSEC, you’ll have to add code that circumvents criminal hijackings of the DNS system.  And that code can be declared illegal by the Attorney General pretty much whenever he likes.  You can litigate about it, of course, but if you lose, the AG can shut down all shipments of your browser until it’s been revised to the satisfaction of his staff and their advisers in Hollywood.”

Faced with that advice, would you implement DNSSEC?

Neither would I. 

In fact, I wouldn’t even allow the DNSSEC guys to write an extension that implemented their protocol. And so, by poising a sword of Damocles over the browser companies, SOPA will kill DNSSEC. 

Let’s hope that the opposition to SOPA hasn’t punched itself out against the first version of the bill, because this version is badly in need of a knockout punch.

More content than the Wall Street Journal -- and no paywall!

The Wall Street Journal recently published a round-robin dialogue on privacy featuring Jeff Jarvis, danah boyd, Chris Soghoian, and me. Our vibrant discussion was quite heavily compressed for publication, so two of the other participants have now published their contributions in full.  Jeff Jarvis's is here, and danah boyd's is here. Publishing the full version on the web seems like good practice generally, so I'm following suit, with a few edits to avoid cross-referencing material that hasn't been put on the web.  The Wall Street Journal's questions are in bold italics.

How much should people care about privacy?

 That’s like asking how much they should care about the weather. Some, for sure. If we don’t, we’re liable to end up deeply uncomfortable from time to time.

 But let’s not kid ourselves. Privacy is like the weather in another way, too. For all the complaining, no one is going to do much about it.

 They can’t. The price of storing and analyzing data is dropping exponentially; and keeping that data hidden is a hopeless task.

 So, in the end, we will adjust.  Privacy is the most adaptable of rights. 

 Sometimes our sense of what is private shrinks. The man who invented the right to privacy, Louis Brandeis, was appalled that ordinary newsmen could snap his picture and print it in the paper without so much as a by-your-leave.  And most of us can sympathize, if we remember the shock of seeing ourselves in a photo, looking quite different than we imagined.  But no one today thinks that photography is a privacy violation. We’ve adjusted to the new technology. 

 And sometimes our sense of privacy grows. Most of us would be deeply uncomfortable at the idea of having strangers sleeping in our homes, listening to our family conversations, and gossiping about us over the back fence. But Brandeis never gave the privacy risk posed by his servants a second thought.

 It's tempting, in that first uncomfortable moment when new technology starts to shrink our old sense of privacy, to ask for new laws to protect us from change.

 They won’t. Sooner or later, the laws on the books will yield to Moore’s law. But in the meantime, bad laws can do a lot of damage.

 Maybe it made sense to tell the FBI in Hoover’s day that its agents couldn’t compile clippings files on Americans who weren't suspected of acting improperly. But by the time of 9/11, when any coed could assemble clips files on her blind dates -- in seconds, for free, with the help of Google -- did it really make sense for FBI agents to be the only people in the country barred from printing out name searches?

 So, sure, we should care about privacy. But we should also care about dumb privacy laws whose cost we won’t appreciate until it’s too late.

 What is the harm that can be inflicted by bad privacy laws? Will it prevent us from catching terrorists or drug cartels?

 Bad privacy laws abound, but the harm they do is too often downplayed in the media. 

 Take the story of September 11 itself. As the attacks loomed, the secret court that approves national security wiretaps had plunged the FBI into turmoil -- but over privacy, not terrorism. Perhaps reacting to charges that it was merely a rubber stamp, the secret court had begun aggressively protecting Americans’ privacy -- by imposing harsh, career-killing sanctions on an FBI agent who failed to observe the Wall between law enforcement and intelligence.

 As described in Skating on Stilts, the court’s harsh punishment was still reverberating when the FBI learned that two al Qaeda operatives had entered the US. Members of its massive Cole bombing task force begged for a chance to track them down.  But no one was willing to risk the secret court’s wrath by using a criminal task force to pursue intelligence leads.

 And so we missed our last, best chance to stop the 9/11 attacks -- thanks to the secret court’s misplaced enthusiasm for a dubious privacy doctrine. That’s what turned me from a moderate privacy supporter into a profound skeptic. 

 Worse, because the secret court has never been held to account for its fecklessness, it is reportedly still following the same path -- imposing new and secret privacy restrictions on our intelligence agencies. And leaving us all at risk of becoming the next privacy victims.

 You've said that privacy advocates have helped turn our computers into surveillance machines; what privacy laws are you referring to? And how should it have been prevented? 

 There are indeed privacy laws that make computer defense much more difficult.  European laws protecting employee privacy make it harder to secure corporate networks, and U.S. privacy rules make it hard for the government to identify and warn Americans whose computers have been taken over by botnets. But the real problem is the way privacy groups have prevented the government from making policy changes in response to the growing danger of network attacks. 

 Take intrusion detection. Many corporate networks use technology that monitors networks to detect intrusions and alert administrators to threats. As long ago as the 1990s, the Clinton Administration proposed creating a Federal Intrusion Detection network, or FIDNet, that would do the same thing for civilian government networks.  It didn't happen. FIDNet was condemned by privacy groups as "a monitoring system that threatens privacy and other civil liberties.” Along with their allies in the press, privacy advocates made FIDNet so controversial that Congress killed it. When George W. Bush revisited the idea, it made even less progress.  Only now, after a third President has raised the alarm about network attacks, are we beginning to roll out coordinated intrusion detection for the civilian arms of government.  Of course we're a decade late; foreign governments have had ten years to steal all the information the privacy advocates now say they’re worried about – delays caused in large part by the privacy advocates themselves. 

If secret court orders protecting privacy led to 9/11, as you contend - isn't the answer to not have secret courts? Not that privacy is terrible?

 Secrecy may well be cloaking dubious rulings by the secret court, just as it cloaked the court's enforcement of the Wall. But we can't expose those rulings without also exposing the highly classified intelligence operations the court is overseeing.  To solve this kind of dilemma, the Congress's intelligence committees sometimes conduct classified investigations and release an unclassified summary of their findings.  Maybe the value of such an investigation is one thing that privacy advocates and I (and the Wall Street Journal) can all agree on.

 But the problem at its heart is not secrecy.  It's the court's willingness to create novel privacy and civil liberties protections.  That may sound like a good thing, but it cost us dearly in August 2001. We should consider that cost before we impose new privacy rules.

Adele Tops The Supremes

Why is there so much bad privacy law, and so many privacy victims? Here's my theory.  Privacy advocates exploit that first uncomfortable moment when we realize that technology is changing our world, offering a Luddite illusion that law can prevent uncomfortable change.  The result is laws and court rulings on privacy that quickly become quaint.

It’s not hard to find support for that view if you compare United States v. Jones, the GPS 4th Amendment case, with an article in today’s Washington Post about the rapid spread of license plate readers:

When stored over time, the collected data can be used instantaneously or can help with complex analysis, such as whether a car appears to have been followed by another car or if cars are traveling in a convoy. Police also have begun using them as a tool to prevent crime. By positioning them in nightclub parking lots, for example, police can collect information about who is there. If members of rival gangs appear at a club, police can send patrol cars there to squelch any flare-ups before they turn violent. After a crime, police can gather a list of potential witnesses in seconds. … Arlington police cars equipped with the readers regularly drive through the parking garage at the Pentagon City mall looking for stolen cars, checking hundreds of them in a matter of minutes as they cruise up and down the aisles.

At the same time that license plate readers are spreading across the landscape, companies like Google and Apple are investing heavily in location-based services for smartphones.  As a result, we’re rapidly losing any expectation that our location is private.  These fast-moving technologies make the technique at issue in Jones – whether law enforcement can physically attach a GPS tracking device to a suspect’s car – seem almost antediluvian.

Recall the moment that many journalists treated as the critical coup de grace for the government in Jones. Pressing the SG’s office about GPS tracking of Supreme Court Justices, Chief Justice Roberts asked, “So your answer is yes, you could tomorrow decide that you put a GPS device on every one of our cars, follow us for a month; no problem under the Constitution?” Many reporters and lawyers thought that this question was a killer for the government, likely hoping that the Court will ride to privacy’s rescue and  impose constitutional constraints on such tracking.

That may be so, but what the Court says about location privacy in Jones is not likely to stand the test of time. It’s as caught in the present moment as Adele’s “Someone Like You” – and a little less likely to endure. If the case had come up ten years ago, the Court, unthreatened by the location revolution, would likely have accepted the SG’s answer -- that the FBI could physically follow the Justices’ movements in public without causing a constitutional concern, and a GPS device shouldn’t be viewed differently. And if the case came up ten years from now, the SG would answer, “Chief Justice Roberts, we don’t need to attach a GPS device to your car.  We can already track its movements with no warrant in a license plate database that is always getting bigger and more effective.  And we already have subpoena access to the third party location-based service providers that you all authorized when you activated your smart phones. Hell, soon, those services are going to merge.  People will mount dirt-cheap cloud-connected license-plate reading cameras on their cars as protection against a hit-and-run or road-rage attack -- or to help the police find a kidnapper. No one is going to expect privacy in their car’s location then.”

In 2021, I predict, thirty-somethings will snuggle nostalgically to “Someone Like You,” and reminisce about the days when their parents didn’t know where they were – while smugly congratulating themselves that their kids will never be able to do the same to them.

And if the Court imposes constitutional restrictions on GPS tracking in Jones? What will be the ruling’s fate in 2021?  It seems to me that the debate is going to end in one of two ways.  Either constitutional restrictions on GPS devices will become a forgotten corner of the law, as law enforcement moves to newer location tracking techniques, or the Court will begin a campaign it cannot win – trying to regulate a host of location technologies in a vain effort to preserve twentieth century notions of privacy.

That's where dumb privacy law comes from.

 

Photo credits:  Thanks to Francis Storr in Flickr and to Amazon.co.uk

Finding Fault with the Stop Online Piracy Act

Once again, Congress is being asked to make bad rules that will hurt network security, but this time the blame doesn't fall on the privacy lobby.  This time the booby prize goes to the intellectual property lobby.

Below is an op-ed I wrote for Politico this week on the security consequences of the copyright enforcement bills now on the Hill -- PROTECT IP and the Stop Online Piracy Act.  As it happens, the House Judiciary Committee held a hearing on the proposal on Wednesday, when the op-ed appeared, and some of the questioning turned on my op-ed.  Indeed, I gather that it contributed to an unexpectedly ragged performance from Hollywood's normally smooth witnesses.

Unfortunately, the Politico article was posted behind a paywall.  That's pretty ironic for an op-ed questioning the value of over-enforcing the copyright laws. So I'm posting it here, too:

Everyone knows that internet security is bad and getting worse.  Recognizing the problem, Congress is hard at work on cybersecurity, with a number of bills on the table.  Ironically, at the very same time, Congress is getting ready to pass a copyright enforcement bill that could kill our best hope for actually securing the internet.

How did that happen?  Let’s start with the internet, where fake websites cost users millions of dollars in fraud losses every year.  Unless we find a better system for locking down website identities, this and other forms of online crime will continue to skyrocket.

It turns out that internet engineers have already designed a system to solve this problem -- a set of technical rules that go by the unlovely name of DNSSEC. Under these rules, an Internet website will be given identification credentials by the same company that registers its Internet name.  Thus, when Citibank claims the domain name citibank.com, the registry who issues the name will at the same time lock that name to a particular Internet address. From then on, anyone who types “citibank.com” into his browser will be sent to one and only one Internet address.  Under the new system, the browser simply will not take the user to a site that isn’t verified by Citibank’s unique credentials.

That’s protection that the people who bank online need today. 

Why don’t they have it?  Two reasons.  The first is friction.  Moving to the new rules won’t be free.  It will require a lot of work by browser companies, internet service providers, domain registries, and others – many of whom may never get any direct benefit from the change.  Naturally, these companies are a little slow to spend money that just makes the internet overall safer; that’s the tragedy of the commons.  But as the need for security becomes obvious to all, we’re slowly overcoming that friction, thanks in part to the leadership of my old agency, the Department of Homeland Security, in getting government to adopt the new procedures.

The second problem is new. It is Hollywood’s desperate desire to keep foreign websites from delivering pirated movies and music to American computers.  To do that, the movie industry wants a law that will require internet service providers block their customers from going to those sites.  Instead, the users are supposed to be sent to a site that warns them against copyright infringement.

 Hollywood has sold that idea to Congress, and bills are now moving through both houses to impose this “block and redirect” obligation on internet service providers.  And they’re moving fast. The Senate bill is out of committee, while the House judiciary committee is holding hearings on a similar bill this week.

 This is far faster than Congress’s cybersecurity effort, and it runs directly counter to that effort. Because “block and redirect” is exactly what crooks are doing today to bank customers.  If the bills become law, the security system won’t be able to tell the difference between sites that have been blocked by law and those that have been sabotaged by hackers. Indeed, it isn’t hard to imagine crooks redirecting users to sites that say, “You were redirected here because the site you asked for has violated copyright,” while at the same time planting malware on the user’s computer. 

 What’s more, the bill will likely break the fragile consensus that my former agency, the Department of Homeland Security, has spent years helping to build around the switch to DNSSEC.  If the bill passes, practically everyone who needs to make changes to implement DNSSEC will instead be on the phone to their lawyers, asking whether they will be sued for adopting a security technology that makes the mandated “block and redirect” system even more difficult. 

If “block and redirect” could stop Hollywood’s bleeding, perhaps a case could be made for undermining everyone’s security in order to protect the studios’ intellectual property. But it won’t stop the bleeding.  Even today, if someone is blocked and redirected away from his favorite pirate website, he can find many simple ways to defeat the block. He can paste his favorite pirate website’s number (rather than its name) into the address box on his browser.  Or he can simply tell his computer to look up the site’s address on a Canadian server instead of an American one.

Passing this bill will make Hollywood feel better, and richer. 

For about a minute. 

It will leave the rest of us hurting and poorer for years.

 

Privacy Victims by the Million: Law Turns Parents and Children into Liars … and Criminals?

A recent report by Danah Boyd and others reveals that turning parents and children into liars is a principal effect of the Children’s Online Privacy Protection Act, or COPPA.  According to Consumer Reports, 7.5 million kids under 13 have joined Facebook. Since Facebook prohibits kids of that age from the service, that’s 7.5 million children who lied in the signup process.  And most of them got help in telling the lie from their parents.  According to Boyd’s study, the vast majority of parents were aware that their children joined Facebook before reaching 13; in fact, more than two-thirds of these parents helped their under-age kids join. 

That’s a lot of lying.

COPPA more or less forces Facebook into excluding thirteen-year-olds.  The law and the FTC regs implementing it set stringent limits on the kinds of information that web services can collect from kids under 13 in the absence of “verifiable parental consent.” Obtaining verifiable consent requires mail, fax, phone calls, or credit card numbers; email is allowed only if accompanied by a cryptographically secure digital signature. It is quite deliberately a hassle.  And once the consent is received, the service is charged with knowledge that the customer is a child, which triggers special legal protections and limits, not to mention FTC and state attorney general oversight. 

All in all, unless you’re running a site focused exclusively on preteens, you’d be crazy to let them join.  Facebook isn’t crazy.  It excludes children.  But staying off Facebook isn’t really an option for kids with a social life, or grandparents for that matter. So the real effect of the law and Facebook’s policy is to force children and their parents to lie about the child’s age.

Teaching kids to lie isn’t exactly a government policy to be proud of.  But federal law has another unintended legal consequence in store for those parents and kids.  As Orin Kerr and I have pointed out, Facebook users who violate the site’s terms of service also violate the Computer Fraud and Abuse Act, at least according to the Justice Department. Which would make every one of those parents and children guilty of a federal misdemeanor.

By my count, that’s well over ten million misdemeanors, not to mention ten million privacy victims.

Now, you might ask, “Who the hell is the government to take away the decision whether my kids can join Facebook?”  Actually, most parents feel exactly this way.  When the study asked them who should have the final say about whether or not their child should be able to use online services, 93% chose the parents, 3% opted for the company providing the service, 2% chose the government, and  2% would leave the decision to the child.

So how did we end up with an online regime that is this intrusive, stupid, and unpopular? 

It wasn’t easy.  It took a lot of lobbying, and the story may help explain why we have so many stupid privacy rules.

First, in the 1990s, when parents and children were just beginning to go online, no one knew what that would be like.  There was a lot of free-floating anxiety.   By the late 1990s, the Federal Trade Commission and groups like the Consumer Federation of America were maneuvering to focus that anxiety on fear that evil websites would extract information from trusting youngsters without parental knowledge.  My guess is that the Commission and the consumer groups wanted an overarching online privacy law, and they thought that a law focusing on children’s privacy would be a good first step. 

The FTC released a study in 1998 that painted the online industry in dark colors:

The results with respect to the collection of information from children are … troubling. Eighty-nine percent of children's sites surveyed collect personal information from children. While 54% of children's sites provide some form of disclosure of their information practices, few sites take any steps to provide for meaningful parental involvement in the process. Only 23% of sites even tell children to seek parental permission before providing personal information, fewer still (7%) say they will notify parents of their information practices, and less than 10% provide for parental control over the collection and/or use of information from children. The Commission's examination of industry guidelines and actual online practices reveals that effective industry self-regulation with respect to the online collection, use, and dissemination of personal information has not yet taken hold.

Later, in testifying before Congress, the FTC highlighted a few extreme examples:

One child-directed site collected personal information, such as a child's full name, postal address, e-mail address, gender, and age. The site also asked a child extensive personal questions about financial information, such as whether a child previously had received gifts in the form of stocks, cash, savings bonds, mutual funds, or certificates of deposit; who had given a child these gifts; and whether a child had put monetary gifts into mutual funds, stocks or bonds. The site also asked for family financial information including whether a child's parents owned mutual funds. Apparently in exchange for providing this information, a child was entered into a contest. Elsewhere on the Web site, contest winners' full names, age, city, state, and zip code were posted.

Another child-directed site collected personal information to register a child for a chat room. The information included a child's full name, e-mail address, city, state, gender, age, and hobbies. The Web site had a lotto contest that asked for a child's full name and e-mail address. Lotto contest winners' full names were posted on the site. For children who wished to find an electronic pen pal, the site offered a bulletin board service that posted messages, including children's e-mail addresses. While the Web site said it asked children to post messages if they were looking for a pen pal, in fact anyone of any age could visit this bulletin board and use the Web site information directly to contact a child.

Those examples would have a lot less power today, partly because the gathering of online data doesn't seem as alien or scary as it did in 1998.  We've given our email addresses to a lot of sites without being stalked by predators.  We also know that there are practical limits on web services data collection and usage. Sites that ask kids for too much information are unlikely to prosper because, as Boyd’s study shows, parents play a pretty big role in their preteens’ decision to join a service. 

But in 1998 the FTC's stories were seen as disturbing portents of a dystopian future. And how could we head off this future?  Not to worry; the FTC also had a solution.  Casting itself as a vigilant defender of parental rights, the Commission told Congress that the solution was – what else? – an expansion of Commission authority over online privacy practices: "As a result of our activities over the past three years, the Commission has developed significant expertise regarding children's privacy. … The Commission strongly supports the approach adopted in this legislation."

The bill was enacted later that year.

Where were the privacy groups while this was going on?  On the case, sort of.  The Center for Democracy and Technology testified in favor of the overall bill, but it wanted changes to give parents even less knowledge about their kids’ online activities; it asked (with some success) for modification of provisions that would have given parents access to any information their child provided to a website and alerted them when the child gave his email address to a website. 

If you were a parent in 1998, you probably felt pretty good when you heard about COPPA’s passage.  You’d been told that it was going to protect your kids’ privacy by empowering you. But in fact, it mainly empowered a government agency to decide what your kids can do online.  And the privacy groups you thought were on your side?  They were more interested in protecting your kids from, well, you.

This isn’t just history.  The story of COPPA is by and large the story of most privacy legislation: a new technology emerges, followed by a “privacy panic” over how it might be misused (often engineered by interested agencies and privacy groups), followed by hasty legislation with large-scale unintended consequences -- and, soon, a new class of privacy victims.

If I were a libertarian, I’d be particularly troubled by the FTC’s role in this drama. In the name of privacy and parental control, we let the FTC create a legal regime that expanded government’s authority over the Internet and took away parents’ ability to control their childrens’ online memberships, at least without lying.

And this weird mix of the authoritarian and the libertarian is not a bug unique to COPPA; it is a deliberate feature embraced by most of the privacy lobby whenever they talk about setting privacy rules for the private sector.  Considering how many supporters of privacy legislation tend to be dubious about government authority, it’s remarkable how often privacy legislation empowers some bureaucrat to regulate some part of the economy more aggressively. 

Photo credit: http://www.flickr.com/photos/joebehr/5130944038/sizes/o/in/photostream/

Well, that’s all right then

The British Commonwealth has endorsed an end to the traditional preference for sons over daughters in royal succession.  Said British Prime Minister David Cameron, "The idea that a younger son should become monarch instead of an elder daughter simply because he's a man … this way of thinking is at odds with the modern countries that we've all become.”

So, instead of letting its ruler be determined by an accident of biology, the UK will now choose its ruler based on … a different accident of biology.

Counterterrorism: Why President Obama Loves Travel Data as Much as He Loves Drones

Anyone who’s read Skating on Stilts knows I am a big believer in using travel data for counterterrorism purposes.  What’s more interesting is that the Obama administration has been just as enthusiastic.  Some of the reasons for its enthusiasm showed up in testimony to the House Homeland Security Committee last week, when the Department of Homeland Security released stories about its use of travel data that I had not seen before. 

Remember Faisal Shahzad, the Times Square bomber who was pulled off a plane at JFK as it was preparing to leave the country?  It turns out that travel data was his nemesis, helping DHS and the FBI track him at every turn:

  Early in this investigation, the Federal Bureau of Investigation (FBI) learned of Shahzad‘s cell phone number from a report shared by DHS.  The FBI ran the phone number in their ACS system and was able to connect it to the DHS report. Through good interagency cooperation, the FBI asked DHS if it had encountered any individual who reported this phone number during border crossings.  DHS searched its PNR database for the phone number, identified Shahzad, and learned other information he had provided to DHS.  DHS then provided the additional data to the FBI.  Later, Shahzad attempted to flee the United States, but DHS‘s analysis of departing passenger data identified him before departure and DHS removed him from the aircraft.

Najibullah Zazi was the guy who rented a truck and drove cross country to set off explosives in the New York City subway. It turns out we used travel data to identify the scope of the conspiracy and to interrogate him. According Indian news sources, Tom Bush, testifying for Customs and Border Protection, revealed that:

"Using PNR data, DHS and CBP worked closely with the FBI to crosswalk the names of his co-travelers against open counter-terrorism cases inside the United States and determined his co-travelers were being trained during the same trips to Pakistan in the same training camps. Zazi was arrested on September 19th, 2009, and the information from his PNR records were used in his questioning and his indictment. Zazi pled guilty in February 2010."

Particularly impressive was the use of travel data to identify David Headley, the American who did reconnaissance work for the Mumbai attacks

"Law enforcement intelligence information implicated a specific person in the plotting of a 2008 Mumbai attack, as well as the possible attacks against a Danish newspaper office. … Starting with a very common first name, David, a partial travel itinerary and a very vague travel timeframe, CBP was able to review its PNR data in connection with other DHS databases…. Within 24 hours, CBP was able to provide the FBI with the person's full name, address, passport number, travel history and other information useful to law enforcement pursuing him. You may know that person as David Headley, who pled guilty in March 2010."

In short, travel data has been crucial in keeping Americans alive during the ten years since 9/11.  And during the same decade, the European Union has been doing everything it can to cripple our use of travel data.  It’s forced four rounds of negotiation on privacy standards for travel data and then has blown up every deal it’s reached, always threatening to cut off the flow of data if the US doesn’t keep talking.

With that record, you’d be forgiven if you wondered whether Europe’s elite thinks it’s a good thing to keep Americans alive. 

Or maybe, with that record, you’d be forgiven if you stopped wondering.

Misadventures in Mustang

 Reposted below is the complete journal of Gordon and Stewart's trek through Mustang, Nepal, in chronological order.

The Royal Audience

It’s time for our audience with the raja.

There’s just one problem.

“What else can I wear?” I ask my son, Gordon.

I mean it literally. The raja and his remnant kingdom are tucked high in the Himalayas between Tibet and Nepal at an altitude of 12,000 feet and more. And with the shadows growing long, I am cold.

So, protocol can go hang. What I want to know is whether there are any more clothes I can put on before we meet the Raja of Lo. I'm wearing a watch cap, a rain jacket, cargo pants, and long underwear.  Not enough.  After walking four days to get to Lo Manthang, the kingdom's ancient capital, we’ve already got on all the clean clothes we brought with us. And most of the dirty ones.

I feel a little guilty. I spent nearly four years representing the United States in meetings with foreign officials -- meetings where it was a major faux pas to wear the wrong lapel pin. The kingdom of Lo has can trace its roots to 1380; it has had a king about three times as long as the United States has had a president. And I am going to sit down with its king wearing dusty hiking shoes and a watch cap.

I am pretty sure our protocol officer wouldn’t have approved.

Our guide entered the room. “Quickly please!” he said. “The raja will see you now.” I rise to my feet and head down to the street, stopping only to tuck a small bottle of local whiskey into my pocket.

Saturday, May 14

The bus from Kathmandu to Pokhara bumps and squeals down the steep, winding grade. The high-pitched squeal of brakes is an annoyance, except when the road pitches down and we can see, too easily, over the road’s edge. Then, the wail of the brakes has a kind of comfort in it.

We are leaving behind the press and clamor of Kathmandu. Out on narrow terraces eked from steep hillsides, we see farmers harvesting corn, cutting down everything and carrying out bundles of corn stalks on their backs.

Hours later we arrive in Pokhara – a bustling little south Asian town at Annapurna’s feet. The next day, we are up early for the short flight around Annapurna to Jomsom.

 

Sunday, May 15

We arrive at 5:30 for a 6 am flight. At 6, nothing has happened. We're on Nepal time now. When it finally takes off a couple of hours later, the flight rises over some steep hills, turns right at the giant peak, then cruises up a steep valley, with mountains rising above us on both sides.

The plane doesn’t exactly descend to land in Jomsom. We just keep flying at more or less the same altitude until the airfield rises to meet us.

Jomsom was until recently the jumping off point for most treks into the ancient kingdom of Lo. The kingdom and the territory around it are now known as Mustang, and Mustang has long been restricted territory. Foreigners were barred until the 1990s, and even now a permit (and a hefty fee) is required to trek in Mustang. Jomsom is the administrative and governmental capital of the region.

Nepal’s officials check our permits for the Mustang restricted area. They also tell us to change our plans. Our entire trek was planned around a festival in Lo Manthang – a religious ceremony featuring indigenous music, dancing, masks and costumes. But it turns out to be a moveable feast, and the event has been moved back a couple of weeks. We can't postpone our trek at this point. We'll have to miss the festival. It’s like this morning’s flight, I think. If you’re on a timetable, you’re bound to be disappointed in Nepal. Rolling with the flow is the only path to contentment. And, on trips like this, nominal goals like the festival are in the end a kind of maguffin – the term Alfred Hitchcock used for the otherwise meaningless object that drives the plot.

Besides, we've got another maguffin. Three of them, actually. We’re carrying books and toys for three of Mustang’s schools. This is almost a tradition for us; when we hiked the Inca Trail to Machu Picchu in Peru, we brought a bunch of our kids' outgrown toys and helped a local group distribute them at a mountain schoolhouse. This time, I've gotten advice about local schools from the Alex Lowe Charitable Foundation. Our kids are grown, and their kids are too young to have castoff toys, so I've solicited contributions from friends and colleagues, who have loaded us up with 25 pounds of books and toys. We need to find the schools and drop off three loads as we work our way up the valley to Lo Manthang. Our first dropoff is in Kagbeni, at the end of today's hike.

Mustang is in the rainshadow of the Himalayas, with annual rainfall roughly equivalent to the Great Plains of North America. The mountain slopes are steep and arid but they do not drop into a V-shaped valley. Instead they stop abruptly at a wide flat expanse of gravel with a thin braided river – the Kali Gandaki – wandering among the rocks. The original valley floor must have filled with centuries of glacial runoff. Perhaps someday this will be a pastoral scene, with a river ambling back and forth through grassy meadows. But for now the valley holds nothing but softball-sized rocks from edge to edge. In this whole expanse, there is one tree and no grass. The valley must be filled with raging snowmelt each spring, stripping away any plants that have gained a foothold since the last flood.

Working up the valley, we cross the braided river a couple of times on wooden bridges cobbled together from random debris. Then our path rises to a new road clinging to the right side of the valley, just above the river bed. We start out at a brisk pace, but even with porters to carry much of the load, I’m soon sweating and lagging, losing ground whenever I stop to take a photo. It’s a short day, with little altitude gain, but we’re already at 2800 meters and not in hiking shape. I'm glad when, after an hour and a half of hiking, we come to a small village with a teahouse. We order sweet milky tea and rest.

Refreshed, another half an hour of walking brings us to Kagbeni. The lodge has a great glassed-in dining room overlooking the largest green patch for ten miles around – 4 acres of oats and barley that dip and wave in the constant wind like the sea. It’s mesmerizing.

Liesl Clark of the Foundation has told me to look up Kunga Tashi, who leads the School Board and runs the “Dancing Yak” Restaurant. Kunga turns out to be a strikingly young man with a passion for the school. He tells me that it has recently expanded and now takes boarders as young as four and as old as sixteen. Especially in the higher grades, almost all the kids who want an education must become boarders. There are only about six or seven schools beyond tenth grade, and they have to serve a nearly roadless region the size of West Virginia.

Thanks to foreign and Nepalese government assistance, the school charges nothing for tuition, room or board. The Foundation's contribution is an extremely well stocked library to which we'll be adding toys and some books and maps. The smallest kids are on break, and they come in to road-test the toys. The most immediate hit is a set of two blocks with half of a vehicle pictured on each face. If kids successfully pair the front and back end of the vehicle – a fire engine, say, or a motorcycle – they are rewarded with a sound that matches the vehicle.

I know just enough Nepali to communicate this concept to a gaggle of four-year olds. “G 
ood?” “No good?” I ask, pairing the fire engine with the motorcycle. “No good,” they shout. When I finally get it right, with their help, they are startled with delight at the fire engine's loud siren. Then each kid gets a chance to match a different vehicle and discover the sounds of success.

I am determined to get some play value from this toy because I had my doubts about bringing wooden toys, which are almost as heavy as they are politically correct. In the end, though, the weight was worth it. And the kids’ enthusiasm for the other toys – tinker toys, jigsaw puzzles, and a set of Dr. Seuss flash cards – made it feel like Christmas.

We get a tour of the school and plenty of tea. They have no computers for the kids. A Danish group had sent one a couple of years ago, but the mouse doesn’t work. At the suggestion of Liesl Clark, we've also collected laptops from friends and colleagues. These we've left with the Open Learning Exchange in Kathmandu, where they'll be refitted with Linux and some Nepali and English learning programs. Liesl asked that we not take the laptops themselves to the schools because the students and faculty will need training before the computers are actually used. Considering their weight, we're happy to oblige. In any event, the school doesn't now have table space or a free room to put computers in.

It’s building more, though. The young men at work on the new building clearly understand twenty-first century global fashion. They wear low-slung, gravity-defying pants and a variety of branded shirts. As an apparent concession to Kagbeni's constant wind, they have covered their faces, often with kerchiefs that make them look like train robbers or wannabe-anarchist WTO protesters. But their work methods are closer to the ninth century. To move a large pile of rocks fifteen feet, they form two lines and toss stones rhythmically from one worker to the next, bucket brigade style.

Leaving the school, we have time to explore Kagbeni. Women are daubing a mani wall in traditional colors made from local minerals. Mani walls hold a long string of prayer wheels. Passersby can walk to the left of the wall and turn the entire string of prayer wheels without breaking stride.

Signs of religious devotion are everywhere in Kagbeni. It is an ancient monastery town -- though it looks more like a fortress. And perhaps it was. Fortresses are established to protect valuable assets, and the most precious resource in this dry and vertical land is probably the 4 acres of flat and irrigated barley just outside our hostel. The Buddhist monastery here dates to the 1400’s and was once maintained by hundreds of monks who farmed land up and down the valley but could retreat to defend the fortified town in a time of war. Now, though, the monastery's population has dwindled to 40 – half of them students – plus a couple of remarkably large and mean guard dogs, who bark fiercely down from a rooftop that isn’t quite far enough above our heads.

The main worship room of the monastery shows telltale signs of the monastery's declining fortunes; much like an over-stretched British peer’s stately home, it mixes impressive art and history with cracked windows and tawdry modernizing touches, like the twisty fluorescent bulb that hangs down in front of a centuries-old statue of Buddha.

 

Monday, May 16

Today we’ll finally leave the vast gravelly bed of the Kali Gandaki river, climbing to 3,000 meters. We begin by dropping to the Kali Gandaki and crossing a few of its braided channels on makeshift wooden footbridges. The trail then takes us up onto hills and cliffs overlooking the river.

We set a blistering pace, bolstered by maximum strength ibuprofen. Sandstone rises on all sides, often as great cliffs. In a few places, manmade caves have been hacked from the sandstone, probably in the days when raiders marched regularly through the valley. The caves may once have been reached by steps and handholds carved from the rock, but these have long ago eroded away.

After a few hours, we stop for lunch at Chhusang, the last truly Nepali village along our route. From here we’ll climb away from the Kali Gandaki and into regions more influenced by Tibet's culture than Nepal’s.

Like all the villages, Chhusang's gardens have high walls to keep out wandering livestock. We walk next to a shallow stream that has been diverted to slab along the hillside and then drop to the walled gardens. There it irrigates a several-acres oasis -- startling green against a landscape that otherwise resembles the drier parts of Wyoming.

Crossing the Kali Gandaki for the last time on a metal foot bridge, we immediately begin climbing a slippery sand and gravel trail that wriggles chaotically up a steep slope – and marks the real boundary between Nepal and the ancient Tibetan kingdom of Lo.

The altitude makes itself felt now; we strain to breathe deeply enough to keep moving. After an unrelenting 15 minutes, we’ve raised our altitude two or three hundred meters and are entering Chelle, the first Tibetan village of the region.

Chelle too has the region's distinctive walled oases, dominated by stands of apple trees that look nothing like the apple trees of North America. The architecture of the town is distinctive too, and so is the atmosphere. There are far more animals; indeed, they share the town, and even the homes, with the human residents.

Cows, mules, and goats get the bottom floor of most homes, while people get the top floors. The homes feature an interior atrium, making it easy for the residents to keep an eye on their livestock. A roof closes off the atrium, often topped with glass or plastic to let in light. Otherwise, the roofs are flat, habitable spaces that add what amounts in this dry country to a third f loor. Thigh-high stacks of firewood act like balcony walls at the edge of the rooftops.

I ask whether residents burn the wood in the winter. No, I'm told. The wood is too valuable to burn.  If they need a fire, most residents burn twigs and cow dung.  These firewood parapets aren't about utility; they're about prestige.  Firewood is so rare and expensive that having a cord or two on top of your house is a status symbol -- and thus too precious to burn.

It’s noticeably colder here, and I wonder aloud how having an open atrium works in the long Himalayan winter. Turns out, many of the villagers drive their horses and marketable livestock south along the river, sell the livestock, pen the horses, and head to balmy Pokhara to get temporary jobs.

Lo in winter is a harsh land, with waist-deep snows. But it's just a 6-day walk to a balmy climate. Who wouldn't go if they could? It reminds me of all the wheat farmers in Manitoba who lock their barns and fly to Arizona for the winter.

With every square yard of farmland precious enough to tend by hand, and every animal a part of the family home, overpopulation is always a risk. There just isn't enough land to keep subdividing it foreach new generation. In response, I’m told, the Lo people have devised some remarkable cultural innovations.

In the old days, and perhaps even today, brothers might share not just a farm, but a wife. That way, the fields can be handed down from one set of brothers to a single set of descendants. Marrying two men to one woman didn’t produce an excess of old maids, locals say, because girls were often scarce. I don’t have the heart to ask why.

In any event, the gender mismatch might not last long. If a wife didn't produce an heir, her husbands were allowed to take a second wife; the alternative, not having another generation to inherit the fields, was unthinkable.

Finally, the last resort for sons and daughters who didn't inherit or find a mate with prospects was one that the second sons of European nobles would have recognized – organized religion. Unmarried men and women were sent to monasteries where they worked and held the land in common.

 

Tuesday, May 17

We start today by continuing the grim uphill that brought us into Chelle, but the trail soon levels off to something more reasonable. We pass a piece of heavy machinery working on the road. Lord only knows how they got it up the slope that so disheartened us, but it’s a reminder that this region won’t be accessible only to walkers much longer.

The Chinese have already built a good dirt road from the Tibetan border to well south of Lo Manthang, so that only the country we’re hiking today separates the Nepali and the Chinese roads.

The isolation tells. We are now deep in the last traditional Tibetan territory left in the world. Rams' skulls hang over doorways. At meals we are offered Tibetan bread (lightly fried, pita-like, and tasty) and Tibetan beer imported from the other side of the border. We pass people crushing rocks by hand to make the mineral dyes that color the mani walls and the gompas, or monasteries.

Stretching our day to 8 hours, we take several long slabbing trails in and out of side valleys, gaining altitude steadily until we hit 3700 meters. The trail is wide – probably to accommodate herds of goats and horses – but the dropoff is steep. Sidetrails lead to heart-stopping suspended footbridges.

We are suffering a little from altitude – on the uphill slopes, breathing itself feels like a chore. We’re stronger on this third day, but that doesn’t make the uphill sections easy.

Arriving at last in Ghiling, an hour past our original destination, we admire the monastery and hear that the monks are celebrating Buddha’s birthday. We head up.

In the main room of the temple, six or seven monks sit in two facing rows perhaps eight feet apart. A long thin table stands before each row of monks. Some of the monks are young boys of perhaps twelve;
others are mature men. One of the younger monks is reading a bit hesitantly from a piece of paper that has been folded so often it is coming apart in his hands. When he finishes, all the monks begin chanting. A worshipper makes the rounds, bowing to each monk and putting a few bills on a light scarf resting in front of the monk. The monk folds the scarf over the money and resumes chanting, throwing what look like small seeds in the air and ringing a bell at frequent intervals. The chanting reaches a climax with a sudden burst of drumming and horn playing – loud and dissonant to my ears. Then the chanting resumes.

A monk gives me a flashlight so I can see the pictures on each wall. They seem a weird mix of Buddhist and Hindu representations, very bright and well-executed. And well-preserved, if the inscription – 1797 – can be relied upon.

Tonight’s lodging is the most basic yet and the weather is colder, but we have beds and warm blankets. The toilet, however, does not bear further description.

 

 

Wednesday, May 18

We can hear the monks chanting as we get up, followed by children's voices. Apparently, the whole village begins its day at the gompa.

We begin ours with a soul-destroying haul out of the valley, past the villagers watering their horses and tending to their herd. It’s only a 300 meter climb, but the altitude requires a self-conscious deep breathing rhythm if I don’t want to stop every 20 steps. I may finally have to admit that Gordon can now out-hike me. He is keeping up with our guide while I consistently lag back a few yards or more.

When we get to the top we’re just over 4000 meters. We descend rapidly to Ghemi, where we have an early lunch. The scenery is beginning to change, opening out into big dry hills, a bit more watered than New Mexico or Utah but with the same broad vistas of a rolling country mixed with eroded sandstone in vivid yellow and orange.

As always in a country of irrigated oases, the last mile or two to the next village is downhill. We’ve got some toys and books for the school in this town, called Tsarang. We don’t know much more about it than the name of the headmaster, and at first our guide reports that it’s closed. But the tearoom proprietor recognizes the name and remembers Liesl Clark and her two kids. She calls the headmaster, Mr. Bista, and he shows us to the school.

Many of the teachers are nuns, or anis, and the students can become monks or nuns if they have a calling, says the headmaster. The Ani School, as it’s called is far more basic than the school in Kagbeni. The kitchen is a simple stove and a few pots. Classrooms have nothing but blackboards and benches for sitting and for writing. The school does have an impressive solar electrical system but no way to store power, so anything requiring electricity needs to be done while the sun shines. The school also has one pretty new desktop computer (though a laptop would have been better given the power setup); the headmaster confessed that he knew nothing of the computer or what software it runs.

In contrast to the extremely basic facilities elsewhere, the library is spectacular – a big room with floor to ceiling bookshelves filled with Tibetan, Napal, and English works. Many US elementary schools have no better.

We hand over our maps and books, and I set to work on an enormous inflatable globe donated by a partner who asked only for photos of me blowing the damn thing up at altitude. An odd mix of generosity and cruelty, I thought, but he’ll get his photo.

The kids descend on the toys, paying special attention to a toy I had my doubts about – a felt house with felt furnishings that can be stuck to the house – felt chairs, felt tables, plus toilets, cats, dogs, bathtubs, clothes for the Mother and Father, and on and on, a cornucopia of felt goods that look grotesquely excessive in this simple school.

Many of the items are clearly not familiar household items in Tsarang. (I doubt most of these kids have used a sit-down toilet in their lives.) But the teacher uses the toy as a horizon-broadening device, describing each item as she helps the kids place it in the felt home. Mostly this works. But her explanation for the bubble-bath foam that goes with the bathtub is greeted with a mix of merriment and disbelief.

 

Thursday, May 19

Hard beds make for a bad night. On the whole, the room beds have been fine – narrow cots with a very firm foam mattress. More disturbing is the lack of sheets and pillowcases. The pillows (also very firm, bordering on unyielding) have permanent looking cases covered with embroidered designs – too fancy to change every day or even every week. Ditto for the blankets. As I lay awake last night listening to an indefatigable barking dog, just the barest hint in the air left me convinced that some traveler has thrown up on my blanket -- and that washing it in cold water wasn’t quite good enough.

Today’s hike is a sprint to Lo Manthang. We mostly follow the new Chinese road, which climbs steadily without the steepness of a footpath.

We walk for a time with a European aid official. The official was pleasant and clearly loved Nepal. But the official reminded me again that our aid programs have a kind of moral vanity at their heart, as rich nations pay poor ones to do things we wish we were doing. This official bemoaned the Chinese road, not just as hegemony (“The Chinese are imposing their goods on Mustang”), but for the change it will surely bring (‘they insist on making the same mistakes as us”).

I, too, will be sad when the road breaks through the last few kilometers to Chelle, and goods and people begin moving swiftly throughout Mustang. When that happens, hiking from in Mustang will become a choice, a form of recreation, and not simply the only way to see the country. Plus, the traffic will make the trip nasty and dangerous for walkers.

But I know that is simply an aesthetic preference, and one that it would shameful to impose on people who measure their net worth in cords of firewood. What kind of aid program, I wondered, do you get from countries whose officials believe that roads are a “mistake” for less developed countries? Apparently a lot of very well engineered footbridges, to hear what this official was proudest of. Maybe suspension footbridges are a good idea, but there is a whiff of patronization in such a gift: “We'll help you walk, but don't ask us to help you drive!”

Four hours of concentrated hiking brings us at last to Lo Manthang. This walled city was once the seat of an independent kingdom. The king and the kingdom were Tibetan in culture, but they also had close ties to Nepal. The Loba, or Lo people, spent several centuries exploiting the low pass that leads to Tibet, trading salt from India for crops and animals from the Tibetan plateau. The ruling dynasty has been a dependency of Nepal for a century or more. The current raja of Lo retained some autonomy until the 1990s, when he accepted the rank of Colonel in Nepal’s army in exchange for more complete integration into Nepal’s government. Then, in 2008, when Nepal's royal family abdicated and Maoists joined Nepal’s government, the last vestiges of the Kingdom of Lo were also abolished. The raja, born in 1933, still lives in Lo Manthang and mediates local disputes, but he has no formal authority.

The raja met with the first few visitors allowed into Manthang in the 1990s, and their accounts of the meetings are quite charming. We discover that the raja still grants audiences to trekkers. It is necessary to buy an admission ticket for the palace, a great hulk in the center of town, and to bring a traditional scarf or prayer flag.

And one more thing, says our guide. It would be good to bring him a present.

Hmm. This is complicated. I am not carrying a lot of extra gear suitable for a gift.

“Would he like a toy?” I ask.

Not likely, I'm told. But a bottle of whiskey would not be amiss. Perhaps that’s when doubts about this audience began to creep in.

But still. I’ve never been received by royalty before. This could be exciting. I dust off the talent for pleasant chats with foreign officials that I once had to draw on every week while in government. Will he speak English, I wonder, or will we have to wait for translation? What is the proper protocol for introducing Gordon, for entering the audience room? What about photographs? I have no protocol officer to advise me; I'm going to have to improvise. And then
there’s my clothes. It’s too cold to wear anything less, but I’m pretty sure that dusty boots and a watch cap aren’t the usual attire for royal audiences in other parts of the world.

Meanwhile, we have time to explore the city. The walls are impressive – twenty feet high, with watchtowers that are even higher. And they would have to be, becau
se apart from a steepish hillside below one wall, Lo Manthang has no natural defenses to work with – no cliffs, riverbanks and the like. There’s a river at the foot of the hillside – or at least a creek, because without irrigation there would be no agriculture and no city in this vast dry land. A tiny tributary runs right into the city, but there’s little room for agriculture within the walls.
Instead, Lo Manthang is a warren of high homes in the traditional layout – animals on the ground floor, living quarters above, and a flat roof for working in the sun.

Temples are everywhere, along with monks, who support a large monastery here. Outside the palace, there's a square where people congregate to watch the tourists, to spin prayer wheels, and to chat. This is where the residents will hold the Tiji festival in a couple of weeks.

A light rain is falling, but it cannot drive the villagers away. As in many other parts of Mustang, the heart of social life here is the public faucet, where women gather to wash pots, clothes and themselves. Everyone is friendly, and only a few are importunately selling souvenirs. Walking the alleys of Lo Manthang, I understand the spell that Nepal casts on Westerners. Almost all of the residents are dignified and friendly. There’s isn't the whiff of predation that often taints encounters with the locals in poor countries. Even the salesmen take no for an answer. And, after two toy distribution sessions, what impresses me most about the c
hildren is their discipline and cooperation. Not one child has grabbed a toy to play with alone. They take great care to handle the new toys cautiously and to share them with others.

Our guide enters the room. “Quickly please!” he says. “The raja will see you now.”

We assemble in front of the palace and a young woman gestures us up the stairs. It's the biggest building in Lo Manthang, but it doesn’t look much like a palace. What it does look like is a major reconstruction project that was halted halfway through, with piles of dirt and abandoned planks lying about in lightless gloom. The stairs are bare planks, rising like a ladder laid against a house. You really need a handrail. There is one, but it's simply a rounded strip of wood nailed to the stairs themselves. Surprisingly, that works fine, because the stairs rise so steeply that two or three steps bring the handrail to waist level. We climb two levels in the gloom. It's a five-story palace, and it occur

s to me that perhaps the bottom two floors have been reserved for livestock, following a traditional Tibetan layout.

Sure enough, after climbing through the dark, we at last come to a living area, where an open atrium lets in light from the roof. We head up a third set of stairs. I’ve just seen a few people walk down these steps; they bent an inch or more when stepped on, so I try to stay close to the handrail.

Assembling at the top of the stairs, we are at last given a quick protocol lesson. Hold your scarf draped over both hands, and extend them to the king when you are presented. He will put it over your head, we’re instructed.

We enter the audience room. It has a dusty charm – good rugs, plenty of wooden furniture, and many pictures and other decorations on the wall. I approach the king. He is an old man seated on a comfortable bench.

Best of all, he’s wearing a watch cap and dusty boots.

We line up, scarves are placed over our heads, and we sit for a cup of tea. I put my bottle of whiskey on a table beside the king. He beams at me.

We sit, silent. The king occasionally looks over at us, but he obviously feels no need to make small talk. OK, I think, time to call on my rusty diplomatic chit-chat.

I open with praise for Mustang. It is translated. He gives me another smile. I introduce Gordon. Another smile, but less wattage. It’s becoming clear that small talk from visitors is not especially welcome. Instead, we’re told that when we’re finished our tea, we can kneel beside the king for a photo. We chug our tea and kneel for photos. The audience is over.

We make our way down the rickety stairs. The handrails are more necessary but less visible on the way down. We must go slowly, feeling for each step. When we get to the construction zone, my suspicions about livestock are confirmed. From the shadows, a mastiff begins barking. He’s savage, and determined to get at the intruders. Holes in the palace wall provide just enough light to see him in profile, straining against a chain and kicking up dust as he lunges at us. Taking the steep steps slowly and carefully becomes less of a priority. Half walking, half sliding, we burst through the palace door and tumble into the street.

 

Friday, May 20

Today and tomorrow, instead of moving on, we will make Lo Manthang our base for day trips. Today we rent a horse to get to Choser, a small village about an hour or two from town and the site of the third and last school where we’re dropping off books and toys.

It's an Asian mountain horse – a pony, really. I could walk alongside him with my arm slung companionably over his back. Horses in Mustang are guided largely by the grunts and whistles and shushes of their herdsmen. They're mainly used as pack animals, and using verbal cues lets a single herdsman guide the whole pack train from behind on the mountain trails.

Leaving the walled city, we move through dust as fine as talc. It rises in great clouds as we walk. The villages all have a rhythm. In the morning as we’re leaving, herdsmen are dr

iving their livestock out of the village and up to the hills where there is a bit of grass. Bells on cows and horses ring as they pass. Herds of goats also move toward the hills, the kids jumping on every wall they pass through the villages, dancing with enthusiasm.

One reason this region was closed to foreigners until the 1990s was its role as a center of armed resistance when China invaded Tibet. Not all Tibetans met the invaders with spirituality and passive resistance. The Khampas were a Tibetan tribe that fought back. Famous and feared as warriors, they wore their hair long and fought China for decades after the 1950 invasion, raiding from refuges across the border in Nepal. Mustang was one of their principal staging areas because it had such a low pass into Tibet. I discover that the CIA supported the Khampa warriors, even flying some to Colorado for advanced training. CIA support for the insurgents gradually diminished, ending for good in the early 1970s. Not much later, the Nepalese government, likely under heavy pressure from China, forced the Khampas to disarm.

After that experience, it is no surprise that the Chinese have built a road across their border and into the heart of Mustang. They want to be sure that they can respond in force if guerrilla war ever returns to the region. Meanwhile the road makes it easy for Chinese officials to visit Lo Manthang. As we hike along the road, a convoy of late-model SUVs suddenly rounds the turn and heads toward us at high speed. We scramble out of the way as the cars, two white and two black, splash through a stream and past us.

The Nepalese tell me not to get too close to the Mustang-Tibet border. “Local people can cross there. They’re known,” says one, “but if we Nepalese go there, maybe they’ll arrest us, torture us. We don’t know.”

The third school is a public boarding school for the district. It serves 120 students. Students spend 8 months of the year in Choser, but in winter the whole school transfers to Pokhara; it’s just too cold to stay in Mustang.

The Chinese government, evidently on a charm offensive here, has paid for the construction of a science lab that’s still being completed. It contains a large multipurpose room with twenty Compaq laptops running Windows 7. The school also boasts a large array of solar power panels to power the place. The library, though, is the least impressive we’ve seen.

We end the afternoon with a visit to caves built into local cliffs. Window holes poked through the rock wall expand into interlocking rooms that extend deep into the cliff. The rooms rise five stories high, one level linked to the next by crude ladders or carved foot-holds. Moving from one room to another sometimes means jumping over holes that lead to the level below. The ceilings are stained shiny black with soot from 2500 years of fires.

This is where local villagers used to hide out when raiding parties from Tibet or Nepal rode through the valley. The only problem was that if the raiders settled down for a siege, they could cut off the defenders' water. Once, the story goes, besieged cavedwellers had almost run out of water; desperate, some of them poured mustard oil over their heads and leaned out of the windows, dripping wet, to mock the invaders. Convinced that the villagers had plenty of water and that the siege had failed, the raiders moved on.

Today, the villagers are building an irrigation terrace at the foot of the caves. Everything must be done by hand. Men and women use picks to pull earth from the uphill side of the terrace. They shovel the loose earth onto stiff, flattened animal hides; other women drag the hides across the terrace and dump it on the downhill slope, extending the terrace by perhaps an inch or two. I think that they’ve probably been using the same techniques for the last 2500 years.

 

Saturday, May 21

 

After breakfast, we head up the valley, me riding, Gordon walking. We’re making for a gompa on a hill a few miles to the north. When we arrive, the gompa is locked. It looks down at heels, and finding the custodian takes so long that we nearly leave. When he does come panting up the trail from the village, though, the custodian proves to be a young, chatty fellow who is full of information. Not himself a monk, he nonetheless provides a detailed tour of the gompa's ceremonial hall. It has extensive murals, a wall of religious texts in special containers, and a host of musical instruments. In winter, he says, every village family but one heads for lower and warmer ground, along with most of the monks. He stayed this winter, enduring waist-high snows and bitter cold, shoveling snow off the gompa roof so no water could seep in to wreck the murals. It occurs to me that someone must have done this every winter for centuries to preserve the murals he's just shown me.

If you have to stay the winter, he says, it's better not to be a monk. The villagers who stay can eat their animals to keep up their strength. The monks are vegetarians, and vegetables aren’t easy to find in Mustang in winter. But the monks who stay through the winter have to live on potatoes they've buried in the dirt during the summer. True, they have a greenhouse to speed the arrival of summer vegetables, but it's late May now, and there are no new crops; the monks are still digging up last year's potatoes.

He takes us outside and points at the border with China – a series of low hills no different from those we’ve crossed many times already. No wonder the traders -- and the Khampas – were fond of Mustang. And no wonder the Chinese are working so hard to extend their influence here. The custodian tells us that the Chinese distributed food to all the villagers this winter. Despite the largess, he remains skeptical of their motives. Nepal has no troops on the border, he notes, while China has many. Nepalese crossing into China need to get permission for every trip, he adds, but Chinese officials cross the border at will, with no permission that he’s aware of. He confirms that the caravan we saw yesterday was Chinese.

In a nearby village a home is under construction. All of the houses we encounter seem to be built in the same general way. Even the modern materials incorporated into the houses follow a traditional pattern.

By far the most common building materials are sundried mud bricks, perhaps one foot long and six inches square. They can’t be kiln-dried because firewood is too scarce. So vacant fields are regularly filled with rows of bricks curing in the sun. They look like post-modern war memorials.

What wood is available is used mainly to frame doors and windows and to construct the higher floors. In the first floor, it looks as though stones surmounted by mud bricks make up the walls, although mud seems like a dubious load bearer.

For higher floors, poles are set in the ground to support large rafter-type horizontal poles. Across these main rafters are laid a series of lesser poles at two-foot intervals. These are then spanned by one-or-two-inch wooden strips. Atop the strips is hay impregnated with mud. At the end of the day, the houses are sticks and mud, and I realize that, without careful upkeep, all of this -- walls, buildings, whole gompas -- will melt back into the landscape. In fact, many of the hilltops carry ruins that are halfway through the transition from buildings to eroded mounds of dirt.

 

 

 

Monday May 23

Four hours of hard hiking with few stops takes us to Shyangmochen. We are back on the same trail we took on the way in, and we’re staying in the tearoom where we had lunch on our way to Gheling.

It seems a lot softer and more civilized on the way out than it did when we stopped for lunch so many days ago It has a hot water shower that actually gets above tepid (though the air temperature makes it a challenge not to lose all the warmth of the shower and then some while drying and dressing.) The lunch table is set up directly beneath a traditional Mustang skylight. There are electric lights and even a couple of power outlets. The beds and pillows have sheets and pillow cases. Really, it’s practically the Ritz.

Perhaps energized by the slightly lower altitude and the half day of hiking, I decide it’s time to wash a bunch of clothes. The village’s washing is done at the community tap, fed in an endless stream that flows out of the irrigation system. And back into it, for that matter, since any water that flows from the tap is recaptured for the crops downhill.

I share the tap with several women who are obviously better at this than I. They bring big metal bowls that they fill with soap, clothes, and water, working up an impressive lather while I’m rubbing a bit of hand soap into my clothes, one sock at a time. It doesn’t take long for me to learn what seems to be a universal female phrase for, “If you’re done messing about in a typically useless male way, would you reconnect the hose so we can get about our business?” I also learn not to stand about downwind of the tap when they’re vigorously rinsing.

The best part of doing the wash is the drying. The afternoon wind is again hitting 50 mph and the sun is out. I hang the wet clothes on a metal wire clothesline. It’s very satisfying when hiking to have reasonable confidence that in the morning your clothes will be not just cleanish but that you won’t be putting them on wet, which tends to take the joy out of clean clothes.

 

Tuesday, May 24

Today we are retracing our original path, making the long descent to Chelle, the last of the “Tibetan” villages along the trail.

We pass the same road construction machinery that blocked our path on the way up. The road builders have made visible progress since we passed this way last week. I have new appreciation for the difficulties the road builders will face. Finding a way for cars and trucks to navigate those grueling staircases won’t be easy. But with enough blasting powder, the road will get through, even if flash floods and rockfalls occasionally cut the road during wet seasons. And that will make an enormous difference in Mustang’s culture. We were privileged to see it before the trucks start grinding through the villages, bringing cheap beer, wifi hotspots, and HIV.

Back in Chelle, the teahouse that we had to ourselves last week is now packed. More than a dozen French trekkers are using the adjacent campground and enlivening the common rooms. Germans, New Zealanders, and others have taken over the remaining rooms. They are all bound for the Tiji festival in Lo Manthang.

All day on this leg we’ve met party after party hustling toward Lo Manthang for the same reason. I’m sorry we missed the festival, but in the end I suspect it’s a bit like our audience with the king – a maguffin, more exciting in prospect than in reality. And it turns out that by missing the festival we earned a bonus -- walking to Lo Manthang alone, scarcely seeing one foreigner a day, even after we stopped for the night. These trekkers will never be alone. They’ll be passing and repassing each other every day, queuing with each other outside the latrines, and straining Lo Manthang to the bursting point when they arrive.

To our eyes, the mass of festival trekkers on this leg looks like a freak – completely out of proportion to normal travel levels before or after the Tiji crowd. The Tiji bulge resembles a pig making its way through a python, or a baby boom making its way through a nation’s demography. But the Tiji trekkers, like the boomers, won’t see it that way. The crowds and the queues will be their normal, never changing as they move up the valley. They won’t realize how rare it was to meet other hikers on the trail just a few days on either side of the trek they took.

We’ve been looking for a chance to play carom, a game that we’ve seen porters playing all along the trail. Carom resembles pool, if pool were played with poker chips on a table about 3 feet square, with a raised lip and a hole in each corner. In the middle of the table are eleven poker chips. Each player has an outsized chip that he flicks at the other chips. The object is to be the first to drop your 5 chips and then the “queen” into the corner holes. A crack pool player, Gordon has deduced the rules.

Now we’ve found a carom joint that is willing to let us try our hand. When the raucous Nepali game ends, a few observers linger to watch the Westerners make a hash of their game. Accurately flicking a chip at a target turns out to be remarkably difficult. By luck, I get one chip almost on the lip of a hole across the table from me. Then I waste ten turns just trying to hit the damn thing, and when I do, it moves further from the hole. Gordon is better, but only at the theory. He understands the angles and possibilities better than I do, but his execution is just as bad. We battle to a tie, with each having a single chip, plus the crucial red queen, on the board. By then, all observers have drifted away in disgust, unable to extract even comic relief from our efforts. At that point it was safe for me to let Gordon win. That’s my story, anyway, and nothing will shake it; there were no witnesses.

 

Wednesday, May 25

We are leaving the last of Tibet behind today, descending from Chelle to the floor of the Kali Gandaki. To extract the maximum up-country time from our territory permit, we’ve left ourselves a single day to get to Kagbeni from Chelle – a hike that took two days on the way in.

It is a demanding day, in part because our guide wants to get as much hiking in before noon, when the winds will surely be raging up the river valley. So we plough on with only a couple of occasional five-minute stops at the top of steep climbs. The good news is that I can feel the altitude change. My legs get as tired as ever, but the sense that every step requires a special breathing rhythm is gone. Even on the steepest uphills, running out of breath is rare. Other symptoms, such as a hacking cough, also recede as we drop below 3000 meters for the first time in a week.

The Kali Gandaki remains as remarkable as ever. The valley floor is so flat and barren that it looks almost like a reservoir of stones -- as though a dam had been constructed downstream and the gravel and rocks had somehow floated to the top. This is more or less what environmentalists tell us will eventually happen to Lake Powell and other big hydropower lakes; they’ll fill with debris. I’m sure that they’re right to tell us how terrible that will be, but if the floor of the Kali Gandaki is any guide, it will also produce some dramatic landscapes.

Toward the end of the day, we drop to the floor of the Kali Gandaki. It is not as flat as it looks from a distance. Rocks slip under our feet with each step, and old channels, now dry, make the footing unpredictable. Worse, the bridge we used to cross the river has washed away. We have a choice – wade or climb back to the road running high along the valley wall,

By now, I’m damned if we’ll climb these cliffs one more time. The water is swift but not deep, perhaps a bit above our knees. With poles, that’s usually safe, though pushing things if the current is very strong.

The standard Western stream crossing technique is to take your socks off, put your shoes back on, cross the river, pour out the water, put on the socks, and walk in damp but not squelching-wet footgear for a few hours. Wearing shoes helps a bit with the shocking cold of mountain streams and a lot with the treacherous footing of the streambed. Braced against the stream with a strongly planted upstream pole and an insurance pole downstream, this technique has gotten us across some tough streams, including a memorable encounter with the Upper Yellowstone in thigh-high flood.

But the Nepali guides have a different idea. They want to cross barefoot. So we too tie our shoelaces together, drape them around our necks and start across barefoot. I can feel the rocks underfoot – a mixed blessing, but good for stability. What I haven’t counted on is the way being barefoot changes the enthusiasm with which you drive your upstream pole into the river, knowing that the current will inevitably drag the point back downstream a foot or more before it hits the gravel. At least you hope it hits gravel.

When we get to Kagbeni, feet unpunctured, the Tiji festival boom is over. No one in the inn is going to Lo Manthang. Kagbeni is also on the month-long Annapurna Circuit trail, and the inn is full of guests doing some portion of tha trek. There’s a large group of mature Japanese women and men, plus a gaggle of 20-something backpackers – Germans and Russians, mainly – who’ve hooked up by chance during their last few days of the Annapurna circuit. They spend much of the evening arguing about whether to walk or take the bus next day to Jomsom, and how far to go beyond Jomsom. They finally agree to walk to Jomsom, starting at 6 a.m. One Russian boisterously puts forward first one proposal then another. He seems oblivious to the group dynamic. Sooner or later, someone needs to tell him to stop throwing out disruptive new options and to get with the program. If this is what the Russian Duma is like, I think, it’s easy to see why so many Russians voted for Putin.

This gaggle of Europeans seems as isolated from Nepal as any packaged-tour group staying at the local Hilton. A tour group may remember Kathmandu as the place with the terrible breakfast buffet, while the Europeans remember it as the place where they met a bombshell German babe, but either way, the trip is more about them than about Nepal. Maybe that’s true for all of us.

What I find interesting is that this group isn’t full of gap-year college kids. These trekkers have finished school. Many have dropped out of professional-track jobs. Some expect to pick up a new job in a few months, others lost jobs in the 2008-09 recession and are waiting for better times. But Nepal isn’t that cheap. Just to eat, sleep and indulge in the occasional beer or a bus, those backpackers must be spending $10 a day, plus airfare in the thousands of dollars. I’m not sure how many college students in the West can get their parents to underwrite the cost of a month on the Annapurna Circuit, so the trek is left to a slightly more affluent crowd. I suppose it’s no surprise that even backpacking has gone upscale as global economies converge.

Next morning, the Euro gaggle ends up leaving a little before we do, around 7. They move, like a convoy, at the speed of the slowest ship. We pass them in the first hour and soon are able to drop our packs at the Jomsom airport hotel and keep going. We’ve decided to take a day trip down the valley to a town called Marpha, also on the Annapurna circuit.

Marpha is a big change from the country we’ve been trekking through. On the way, we pass the first bit of greenery we’ve seen all trip that isn’t walled up like Ft. Knox. It’s a simple, close cropped patch of lawn that no doubt serves a pasture for the occasional horse, but unlike Mustang, the landowners aren’t consumed by fear that someone else’s goat might sneak an illicit bite. Indeed, even the walls around gardens here are lower, more symbolic and casual than in Mustang; water is clearly more abundant here.

Marpha itself is a lovely town full of white-washed stone homes with dark red frames around doors and windows. Marpha is proud of its apples, and it should be. We have an apple pie for lunch – a cinnamon flavored core of chopped apple surrounded by a flaky, deep-fried crust. I buy some yak cheese to go with it, despite anxiety about eating uncooked food. But we’ve spent the trip worrying about how to sterilize anything that passes our lips, and so far we’ve been fine. Maybe the economic convergence that makes backpacking more expensive is also slowly reducing the risk of bad water even in countries as poor as Nepal.

We head back along the road. It is a taste of what Mustang trekkers will soon experience. We can go twenty minutes with no traffic, but we can never ignore the risk that a truck or bus will come barreling around a turn. They take up so much of the road that you always have to have to be ready to jump for the side of the road if a horn sounds behind you. Even the motorcycles expect you to move if you’re in the same rut they’ve chosen. The Annapurna circuit is quickly replacing trail with dirt road, and I mentally cross it off our list of likely future hikes.

We end our hike at the airport hotel. It’s not fancy, but it does let us take our first hot shower in ten days. What a heavenly way to end our trek.

The Science is Settled: You're Just Too Bone Stupid to Live

The Institute of Medicine, part of the National Academy of Sciences, has studied the problem of how to distribute antibiotics in the event of an anthrax attack.  It’s a big problem, because, as the study confirms, the antibiotics have to be in people’s hands (mouths, really) within 48 hours of an attack.  And it may take the government almost that long to realize we’ve been attacked.  So, the scientists had a choice between recommending (1) a Big Government solution, in which the government stockpiles the antibiotics, flies them to the affected area when needed, and relies on the near-bankrupt Postal Service to get them to the right people in time, or (2) letting people have (or buy) Medkit packets of antibiotics to store at home for an emergency.

The study was funded by HHS, so you won’t be surprised to discover that the Institute recommended (1) a Big Government solution.  The main reason it gives is that you and the rest of the public are just too bone stupid to be trusted with antibiotics.  But to spare your feelings, the Institute puts it this way:  letting you have antibiotics raises “the potential for inappropriate use in routine settings (e.g., using the antibiotics to treat a cold) and the potential for widespread inappropriate use in response to a distant anthrax attack, a false alarm caused by a nonanthrax white-powder event, or some other public health emergency for which antibiotics are not indicated.” 

But, really, “too bone stupid” is pretty much what they meant.  

This is the National Academy of Sciences, of course, so they’ve got scientific evidence of our stupidity.  Like, for example, the Center for Disease Control gave more than four thousand people in St. Louis special antibiotic medkits to hold for an emergency.  Months later, they went back and collected them.  They counted the people who had engaged in “inappropriate use in routine settings.” And they found, uh, four.  Not four percent, four people.  That’s one-tenth of one percent, last time I looked. 

Apparently we weren’t as dumb as the National Academy of Sciences would like to think, so they declared that this science wasn’t settled, in fact it wasn’t even worth thinking about.  Why?  Because participants were promised a $25 gift certificate if they completed the study. According to the National Academy’s report, this promise of a gift card so tantalized the unwashed masses that they pretended to be less stupid than the scientists know we really are. So the study didn’t count.

Once all that nasty unpredictable science was out of the way, the National Academy of Sciences was free to say what it wanted to say all along:  No antibiotics for you.

But the gob-smacking foolishness of relying on government distribution of antibiotics in an emergency was simply too obvious for even the Institute of Medicine and the National Academy of Sciences to completely ignore.  So they encouraged the distribution of some medkits to some people. 

Who, you ask? 

Do you really have to?  The study tentatively recommends that the life-saving kits be issued to “some first responders, health care  providers, and other workers that support critical infrastructure, as well as their families.” Apparently medical workers aren’t too stupid to live, according to the Institute of, uh, Medicine.  And neither are government workers – those postal workers, the cops that will have to accompany them, and anybody else in government who’s smart enough to call himself a first responder (want to bet that includes the Governor?). 

And their families too, of course.  We’ll need to repopulate, after all.

Have I been unfair to the authors?  It’s possible.  I went through the report fast, and with mounting blood pressure.  So I welcome corrections. Or jokes about government health care, as you choose.

The more important question is:  What can you do to protect yourself from this astonishing bit of policy malpractice? 

Here, at least, I can praise the report, because it acknowledges, a bit grudgingly, an option I highly recommend:  Ask your doctor for a prescription for antibiotics and stash them in a cool, dark,dry place (not your warm, light, wet bathroom).  If your doctor balks, you can quote this passage from the report:

Personal stockpiling might also be used for certain
individuals who lack access to antibiotics via other timely
dispensing mechanisms (for example, because of their
medical condition and/or social situation) and who de-
cide—in conjunction with their physicians—that this is
an appropriate personal strategy. This is allowed under
current prescribing practice and would usually be done
independently of a jurisdiction’s public health strategy
for dispensing medical countermeasures.

Of course you’re supposed to persuade your doctor that you’d “lack access to antibiotics via other timely dispensing mechanisms.” I suggest reading him the part about how the Postal Service will carry out the distribution. If that doesn’t convince him, maybe you need a smarter doctor.

Photo credit: http://www.flickr.com/photos/hukuzatuna/2536746395/