A French court has upheld a government agency's order requiring that Google post a notice on its famously clean home page. The notice draws attention to the agency's ruling that Google violated French privacy law when it collected personal information under a consolidated privacy statement rather than using several different statements for its different business lines.
Translated loosely from the French, then, the ruling is:
"You have learned facts that the government did not want you to learn without first saying words that the government wanted you to say. To make sure you never do that again, the government will now require you to say other words that the government has written for you."
And all in the name of human rights.
You've got to hand it to the Turks. Just when it seemed that the European Union would never see how abusive privacy laws can be, the Turkish Parliament adopted a privacy bill that caused even the EU to choke. According to the Wall Street Journal, the law is a prime candidate for a Privy -- a genuinely Dubious Achievement in Privacy Law:
The law, which must be approved by President Abdullah Gül to take effect, would allow the agency charged with monitoring telecommunications to block access to Internet sites within four hours of receiving complaints about privacy violations. ...
"The approach that the Internet is being banned, is being censored is wrong," Transport, Maritime Affairs and Communications Minister Lutfi Elvan said Thursday. The measure will prevent infringement of personal rights by bypassing lengthy court procedures that failed to protect privacy in a timely manner, he said.
Shortly after the bill passed, the European Union, which Turkey seeks to join, criticized it for introducing restrictions on freedom of expression. Turkey has an estimated 40 million Internet users.
"The Turkish public deserves more information and more transparency, not more restrictions," said Peter Stano, spokesman for the European Commissioner for Enlargement Stefan Füle. "The law needs to be revised in line with European standards."
Meeting "European standards" for privacy law? That'll be tough. I'm guessing the Turkish Parliament could choose between renaming the law as "The Reding Right to Be Forgotten, Faster, Act" or simply amending it so it applies only to American corporations.
The press is still after James Clapper, Director of National Intelligence, for his statements in response to a question from Sen. Wyden (D-OR) in March of last year. Wyden asked whether NSA was collecting data on millions of Americans. “Not wittingly,” Clapper responded.
CNN's Jake Tapper asked President Obama on Friday whether he had concerns about Clapper's answer. Tapper got the Presidential equivalent of a shrug:
"I think that Jim Clapper himself would acknowledge, and has acknowledged, that he should have been more careful about how he responded," Obama said. "His concern was that he had a classified program that he couldn't talk about, and he was in an open hearing in which he was asked, he was prompted to disclose a program, and so he felt he was caught between a rock and a hard place."
The press keeps wondering why Clapper's response hasn't wrecked his career. Maybe a parable will help explain his survival.
Imagine that the Senate is preparing to confirm the nomination of a well-known woman to an important administration job. The committee chairman loathes the nominee and her policies. But his investigators have turned up nothing against her – until they discover that she had an affair with a foreign national fifteen years ago, about a year before the birth of her only son.
The chairman calls the official into his office and confronts her with the evidence.
“It's true,” she says. “It was a terrible mistake. I ended it almost immediately. Then I discovered I was pregnant. The biological father doesn't know. Neither do my husband or my son.”
“This affair was as reckless as your policy judgments,” thunders the chairman. “The committee and the American people deserve to know your true character.”
“Please,” she pleads. “I will tell every member of the committee about it, and if they want to vote against my confirmation, so be it. But I beg you not to disclose this publicly. My son and husband will find out, and it will wreck their lives.”
“Oh, I won't disclose it,” says the chairman. “You will. Because one of my first questions at the hearing will be 'You and your husband have had one biological child together, is that correct?'”
He smiles. “You can answer that question honestly and disclose the affair, or you can commit perjury. Your choice.”
At the hearing, the chairman asks the question.
“Yes,” the official answers, “My husband was there when I gave birth to my son, and he's been there for us every day since.”
So here's my question: Who is the hero of this story and who the villain?
If you can't bring yourself to condemn the official or to praise the chairman, well, now you understand the executive branch's view of the exchange between Clapper and Wyden.
I interviewed David Medine this week in the course of Steptoe's latest podcast on technology, security, privacy, and government. The interview yielded a good overview of the Board's report, and not an uncritical one. I questioned the Board's decision to write a legal brief on the 215 program, as well as the Board's remarkable claim that it had found the unambiguous "plain meaning" of section 215 -- despite the fact that 15 judges disagreed. David is a fine lawyer, and he gave as good as he got.
The exchange is interesting, and I think it digs deeper into the report than most news stories have.
Almost immediately after the Republican National Committee adopted an error-filled resolution attacking the NSA and its telephone metadata program, current and former GOP officials took a strong stand against the RNC resolution:
[T]he RNC resolution threatens to do great damage to the security of the nation. It would be foolhardy to end the program without ensuring that we remain safe from attack. This database provides a uniquely valuable capability for discovering new phone numbers associated with international terrorist organizations, including numbers that may be used by terrorist cells within the United States. Former Deputy Director of the CIA Michael Morell has testified that having this capability might have prevented 9/11 and could help to prevent the next 9/11.
This is not a Democratic or a Republican program. Protecting Americans from terrorism should not be a partisan issue. The program was first launched under President George W. Bush. It was approved by Congressional leaders of both parties. And for good reason. It helps to keep Americans safe.
It may be appropriate to modify the program in certain respects, if that can be done without a significant loss in effectiveness, but abolishing it without any idea how to close the intelligence gap that 9/11 exposed is not a recipe for partisan advantage. It is a recipe for partisan oblivion.
Count us out.
Signatories included a current intelligence committee member, Rep. Mike Pompeo, and a host of former Bush administration officials: Attorney General Mukasey, Homeland Security Secretary Chertoff, CIA Director Hayden, Homeland Security Adviser Wainstein, DOD Under Secretary Edelman, OLC head Bradbury, and me.
Former Homeland Security committee chair Peter King expressed similar views even more colorfully.
In other contexts, I've called it Obama Derangement Syndrome, where suspicion of the President begins to distort GOP views of even the least politicized national security elements of government.
That really is a dead end.
In my experience, privacy law produces a remarkable number of foolish outcomes. The reason, I suspect, is that our notions of "privacy" evolve too quickly to be reduced to law. It's like writing a law codifying good manners. Over time, as our definition of good manners or privacy changes, the old code starts producing irrational results -- or it is enforced only selectively, to punish those who offend the powerful. That observation led to annual awards for Dubious Achievement in Privacy Law -- the Privies for short. The nominees from last year can be found here.
It's a new year, but privacy law is already living down to my expectations, throwing off stupid or venal results at a rapid clip. It's time to open nominations for the 2015 Privies. Here is the first:
Worst Use of Privacy Law to Serve Power and Privilege: University of North Carolina at Chapel Hill
There's nobody more powerful at UNC than the big athletic programs. So when Mary Willingham, a UNC researcher, disclosed that 60% of the Tar Heel student-athletes she studied were reading at a level between the fourth grade and the eighth grade, she was asking for trouble.
She got it. An angry UNC-Chapel Hill chancellor put four counter-researchers to work attacking Willingham's research and then denounced it as "a travesty."
But this is academia, where it's not enough to debate your opponents. They have to be crushed.
And what better weapon to use against inconvenient speech than federal privacy law? Before she knew it, Willingham's approval to conduct her research was suspended. Why? Because she was using individual students' names to correlate their test scores with their grades. The UNC Institutional Review Board, which regulates human subject research to protect student privacy, declared that it hadn't approved her collection of student names, so the research had to be shut down, now. It didn't matter that "Willingham ... thought she was following IRB rules because as the primary investigator she never released names to anyone" at least until a hostile UNC administrator demanded them. Just keeping the names in a file drawer was a violation, according to IRB administrators at UNC.
Of course the administrators also denied that Willingham had been singled out for punishment or that the controversy over UNC's academic standards had triggered their action. She was free, they insisted, to apply for approval to continue embarrassing the Tar Heels.
Fat chance. Willingham's only hope of fighting this abuse of power is to find some equally powerful ally.
Maybe she should seek approval for her research from Duke's Institutional Review Board.
I've been doing a regular weekly podcast with Michael Vatis and Jason Weinstein, two of my partners who share an interest in security, privacy, and technology, as well as a background in government.
More recently, we've started inviting newsmakers to join us for a half-hour interview.
Earlier this week, I interviewed Chris Inglis, the recently retired Deputy Director of the National Security Agency. It's a wide-ranging interview that touched on everything from NSA's morale to the changes in its culture that this crisis will demand. Chris Inglis flagged the Snowden disclosures he finds most disturbing and unjustifiable even on Snowden's terms but refused to accuse Snowden of working with Russia, saying he hadn't seen evidence of that. It's a useful contribution to the debate by an insider who is now free to be a bit more candid than before, within the limits imposed by classified information rules.
Next week, I'll be interviewing David Medine, chairman of the Privacy and Civil Liberties Oversight Board, about the Board's report, which I've already panned here. It should be a civil but vigorous exchange of views! If you want to subscribe to the podcasts, the RSS feed is here.
I've now had a chance to look at the report of the Privacy and Civil Liberties Oversight Board on section 215 and the telephone metadata program. What a disappointment.
The PCLOB declares by a bare majority that the program is unlawful and should be shut down. The report's 45-page (!) statutory analysis reads like an opinion written by a court that is bound and determined to reach a favored outcome.
Elsewhere the PCLOB expresses enthusiasm for adversarial briefing and argument: "Our judicial system thrives on the adversarial presentation of views." The PCLOB majority, though, would apparently prefer to thrive without the hassle of, you know, briefs and arguments and stuff, especially if they might get in the way of its preferred legal determination.
Rachel Brand in dissent gives the entire 45-page exegesis the back of her hand, and with justification:
This legal question will be resolved by the courts, not by this Board, which does not have the benefit of traditional adversarial legal briefing and is not particularly well-suited to conducting de novo review of long-standing statutory interpretations.
The other dissenter, Elisabeth Cook, similarly devotes only a sentence to the statutory issue and the Board's effort to play judge. I don't think it's because the dissenters lacked for ammunition to rebut the majority's labored and tendentious statutory argument. I suspect that they thought the whole thing was pointless and largely self-rebutting.
I feel the same way, but I can't help pointing out a few of the flaws in this part of the report. First, the Board argues that all the phone records in the country can't be deemed "relevant" to an FBI investigation of terrorism. That has some plausibility, since the vast majority of phone records aren't going to be relevant to any investigation.
The problem for the Board is that the law has never required that discovery orders exclude all irrelevant data. In fact, courts have routinely approved civil, criminal, and administrative orders that sweep up lots and lots of utterly irrelevant information about perfectly innocent parties. The best you can say about the law in this area is that it allows the government to subpoena information in buckets, even if only a few spoonfuls of clearly relevant information can be found in each bucket.
The courts have struggled with exactly how many spoonfuls of relevant data in how big a bucket of irrelevant data can still be obtained in discovery. As the majority admits:
To be sure, the case law regarding civil discovery, grand jury subpoenas, and administrative subpoenas shows that relevance is interpreted broadly, and that incidental production of unrelated materials is accepted as essential to enable fulsome investigative efforts. Standards of relevance thus permit parties and the government to engage in a degree of fishing, so long as it is not arbitrary or in bad faith. But the case law makes equally clear that the definition of relevance is not boundless.
And here's the problem with the majority analysis: It tries to talk about the program as though the government were actually searching every piece of metadata in the database. But we all know by now that the order requiring production of the data was matched by an order greatly restricting searches to a few hundred a year, searches that are relevant to terror investigations under the most demanding standard imaginable.
Viewed as a whole, the 215 metadata program is like a discovery order telling a party to put a mass of records into a court-supervised escrow, where the mass will be searched for a few bits of relevant data that are then supplied to the other party. The Board majority is willfully blind to the direct connection between the production order and the minimization requirements that accompany it.
There's an old joke that to think like a lawyer you have to be able to treat two intimately connected facts as though they were completely unrelated. If so, the Board's majority opinion is the most lawyerly thing I've read in years.
One more point. Section 215 was renewed twice by Congress after the FIS court approved the current interpretation of "relevant." Since Congressional action re-enacting a statute is usually viewed as approving the administrative and judicial interpretations adopted before reenactment, this is kind of a bad fact for the Board majority.
They respond with a flurry of argument (never an indication of confidence). Extending section 215's sunset date isn't the same as re-enacting it, they say. And the rule on reenactments doesn't apply if the language of the statute is clear; since the Board majority is sure that its one-eye-closed reading of section 215 is plainly right, it can ignore the reenactment rule (a particularly ballsy statement given that the three Board members' interpretation has so far lost 15-1 in front of actual judges).
Finally, the Board majority says the reenactment doctrine doesn't apply because, while the FIS court's interpretation of 215 was known to the intelligence and judiciary committees of both houses and to many other members as well, it was still classified and so not known to all members or the public.
This argument is also willfully blind, this time to the ruling Supreme Court precedent, Lorillard v. Pons, 434 U.S. 575 (1978). That case held that jury trials were available in private enforcement actions under the Age Discrimination in Employment Act (ADEA), even though the act said nothing about jury trials. Why? Because the ADEA said that it would "be enforced in accordance with the 'powers, remedies, and procedures' of the Fair Labor Standards Act (FLSA)." Now, the FLSA doesn't say anything about jury trials either, but the courts interpreting that Act had all decided that it did allow them in private suits. So the Supreme Court presumed that Congress understood that when it adopted the "procedures" of the FLSA it was adopting the jury trial interpretation of courts applying the FLSA: "[W]here, as here, Congress adopts a new law incorporating sections of a prior law, Congress normally can be presumed to have had knowledge of the interpretation given to the incorporated law, at least insofar as it affects the new statute."
So here's my question: How many members of Congress had any idea that they were incorporating those FLSA decisions into the ADEA, let alone what the decisions said? One? Five? If more than a handful of committee chairmen and floor managers were even vaguely aware of the cases the Supreme Court presumed they fully grasped, I'll eat my hat.
The members of Congress who understood the interpretation of section 215 when they voted on its extension probably outnumber by ten or twenty to one the Congressmen who understood that the ADEA required a jury trial when that law was adopted.
The Board majority claims that "it is not a legitimate method of statutory construction to presume that these legislators, when reenacting the statute, intended to adopt a prior interpretation that they had no fair means of evaluating." The problem with that statement is that it could have been made with equal justice about the ADEA and the Supreme Court's statutory construction in Pons. (Pons also puts a hole below the waterline of the claim that the presumption only applies to "real" reenactments, since the Pons Court applied the presumption to interpretations of the FLSA, a statute that wasn't being reenacted at all.)
So the Board majority in the end stumbles into overturning the entire re-enactment doctrine in its zeal to kill an important national security program. Life is hard when you try to make law without briefs and arguments and stuff.
Since the report's recommendation to abandon the 215 program has already been rejected by President Obama, much of the Board's report thus boils down to an unpersuasive amicus brief aimed at undermining the argument the President's lawyers will be making in the Second and DC circuits.
I would have expected a more serious and useful work product from the Board, especially in its first outing.
According to Charlie Savage at the NYT, the Privacy and Civil Liberties Oversight Board will issue today a report declaring that the NSA's telephone metadata program is illegal and should be ended. That is the conclusion of the three Democrats on the board; the two Republicans dissented. If you were wondering why it took the Obama administration three years to fill the board, you now have the answer. How does the board get around the fact that the statute was reauthorized by Congress twice after the metadata program began? The story hints at the PCLOB's view:
Defenders of the program have argued that Congress acquiesced to that secret interpretation of the law by twice extending its expiration without changes. But the report rejects that idea as “both unsupported by legal precedent and unacceptable as a matter of democratic accountability.”
I find it hard to believe that this position withstands analysis but I'll wait to see the full report.
Randy Barnett argues that NSA's metadata program is bad because the government will use the information to target people for their political views and to embrace mission creep.
His solution is to leave the metadata in the hands of the phone company. But really, what good would that do?
Suppose that, as Randy fears, Congress wakes up one day and decides to use phone metadata to suppress dissent and gun ownership across America. The fact that the data is stored in four or five phone companies' databases rather than NSA's will forestall the Dark Night of Fascism for, oh, about 90 minutes. For the sake of that speedbump, we should give up our ability to identify cross-border terror plots?
Randy's solution to that problem is to overrule a line of Supreme Court cases (Smith v. Maryland) holding that no one has a reasonable expectation of privacy in information they've disclosed to a third party. With Smith v. Maryland set aside, the government would need a search warrant to see the metadata.
Overruling existing Supreme Court precedent is a law professor's prerogative, but the rest of us don't have to go along. And in fact the Smith v. Maryland doctrine makes sense, especially compared to Randy's solution. We all learned no later than the third grade that secrets shared with another are not really secrets. They can be revealed at times and in ways we never expected. It hurts, but it's a fact of life.
Randy's solution is a fiction; he wants the courts to deny the facts of life and pretend that we still control information we willingly gave away. And considering how many slippery slopes Randy has to invoke to make metadata collection scary, he hasn't given much thought to the slipperiness of the doctrine he wants to create. Data gets cheaper to collect and to share all the time. Exactly which kinds of data would he leave under our fictional control after we have given it up, and for how long?
After the fictionalizing and overruling is done, though, all Randy achieves is to require a warrant before the government can see phone metadata. That rule would break the NSA program, for sure, and it would recreate the gap that existed on September 10.
So what benefit offsets that high cost? After all, courts too are government agencies staffed by human beings; the ex parte process of obtaining warrants is hardly a guarantee against the Dark Night of Fascism. It's just a bigger speedbump – and probably a less effective protection than we now have.
The metadata program, unlike a warrant, is reviewed by members of both parties, both houses of Congress, and the judiciary. It includes audits and oversight that search warrants never get.
It seems to me that Randy's approach is the equivalent of knocking down a house because the roof may leak some day and erecting in its place a lean-to made of sticks.
Ars Technica has published an article highlighting a recently declassified FIS court opinion. The opinion says in a footnote that "NSA expects that it will continue to provide on average approximately three telephone identifiers per day to the FBI." Earlier opinions say NSA is providing two identifiers a day. The opinions stop putting a number on NSA's referrals in 2009. This story is accurate up to a point, but it then veers off into weirdness and paranoia:
Some experts speculated that this system of the NSA tipping off the FBI may be an unusual arrangement—analogous to the NSA’s giving information to the Drug Enforcement Agency to prosecute criminal cases. “I am not sure it tells us anything new but rather adds more confirmation to a widely suspected and occasionally confirmed technique of law enforcement following intelligence leads and then reverse-engineering a paper trail to use in court,” Fred Cate, a law professor at Indiana University, told Ars. ...
However, others pointed out that in the absence of further information as to how exactly the NSA’s information is sent to the FBI, and under what circumstances, it’s impossible to know precisely what’s going on. “Furthermore, given how broadly it's possible to define the word ‘tip,’ we have no information on how useful those thousand tips were,” Brian Pascal, a research fellow at the University of California Hastings College of the Law, told Ars. “Both intelligence and law enforcement organizations receive many, many tips, and a large part of their job is separating the signal from the noise.
“As far as parallel construction goes, the only thing I can say for certain is that if one records a sufficiently large number of dots, then it's possible to connect them to draw any number of pictures. This is not always the result of nefarious intentions—it can happen unintentionally too. Think about all the people who were improperly placed on watchlists due to conclusions reached by some opaque algorithm.”
Huh? We don't need any of this speculation to understand why the FBI is getting tips from NSA. We just need a refresher on how the 215 program works: NSA gets a suspicious number in the US and does a link analysis to see what other numbers might be tied to that number and are themselves suspicious. If it finds a suspicious set of numbers, NSA gives them to the FBI to check out.
This means, of course, that NSA doesn't actually know even the names that are associated with the metadata it is analyzing, a fact that a fair-minded observer might be expected to know, since it's part of NSA's explanation for why the metadata program isn't "spying" on all Americans.
In fact, Ars Technica doesn't seem to realize that the FBI tips it's getting exercised about have been part of the public explanation of the 215 program for months. Despite all the hyperventilating about how NSA's search of three hops' worth of calls could lead to scrutiny of millions of subscribers, it turns out that, at its peak, the program was leading to scrutiny of maybe a thousand actual subscribers a year. I say "at its peak" because we also know that the number of tips to the Bureau has declined since 2007. By 2012, the number was down to 500 tips a year.
So, really, the headline should be "NSA cut surveillance by 50% before Snowden leaks."
But I won't hold my breath waiting for that entry to appear on Drudge.
The Committee on Foreign Investment in the United States, or CFIUS, reviews foreign investments for national security risks. It is now beyond doubt that Chinese investment is getting much closer scrutiny from CFIUS. A total of ten transactions failed to survive review in 2012, according to a just-released Treasury report. That may not sound like a lot, but in 2011, only two deals failed to make it through the process. At the time, two was a lot of deals to kill in a year, since CFIUS has sometimes gone a decade or more without deep-sixing any. When in government, I had a reputation as a CFIUS security hawk, but I doubt I ever recommended killing more than two deals in a year.
This crowd is tough.
Matt Blaze, a well-known public cryptographer and NSA critic (but I repeat myself), offered what seemed like a modest concession in the relentless campaign against NSA intelligence gathering:
The NSA's tools are very sharp indeed, even in the presence of communications networks that are well hardened against eavesdropping. How can this be good news? It isn't if you're a target, to be sure. But it means that there is no good reason to give in to demands that we weaken cryptography, put backdoors in communications networks, or otherwise make the infrastructure we depend on be more "wiretap friendly". The NSA will still be able to do its job, and the sun need not set on targeted intelligence gathering.
Don't get me wrong, as a security specialist, the NSA's Tailored Access Operations (TAO) scare the daylights out of me. I would never want these capabilities used against me or any other innocent person. But these tools, as frightening and abusable as they are, represent far less of a threat to our privacy and security than almost anything else we've learned recently about what the NSA has been doing.
TAO is retail rather than wholesale.
A day later he revealed just how modest this olive branch was, making clear that he wants to take away the NSA's best hacking tools. He told the Washington Post today that NSA should be required to surrender any undiscovered vulnerability it finds:
Among the weapons in the NSA’s arsenal are “zero day” exploits, tools that take advantage of previously unknown vulnerabilities in software and hardware to break into a computer system. The panel recommended that U.S. policy aim to block zero-day attacks by having the NSA and other government agencies alert companies to vulnerabilities in their hardware and software. That recommendation has drawn praise from security experts such as Matt Blaze, a University of Pennsylvania computer scientist, who said it would allow software developers and vendors to patch their systems and protect consumers from attacks by others who may try to exploit the same vulnerabilities.
Matt tries to square that circle by saying that NSA can keep exploiting the vulnerability at the same time that it reports. So at least we'll have good intelligence on really stupid targets who don't update their software. That's some compromise.
The zero-day problem is a thorny one, to be sure. There are times when it's in the country's interest to patch rather than exploit a hole, but a policy requiring that holes always be patched will not stop hacking by anyone other than NSA.
Sen. Bernie Sanders (I-VT) has written a letter to NSA's director, asking whether the agency has spied on members of Congress. It sounds like he's uncovered a scandal, until you read the fine print. It turns out that Sen. Sanders is simply asking whether NSA collects Americans' telephone metadata, and every sentient American already knows that answer: NSA's program collects metadata for all US calls. So Sen. Sanders's letter isn't an inquiry, it's a stunt.
The Guardian is an enthusiastic participant in the stunt, with Spencer Ackerman writing that NSA "did not deny collecting communications from legislators of the US Congress." Well, duh. Unfortunately, it looks as though Ted Cruz, who so far has avoided the worst fever swamps of NSA paranoia, also fell for the stunt, tweeting "@SenSanders asks ? millions of Americans would like answered: Are any law-abiding citizens safe from NSA spying?"
At the risk of being repetitive, Sen. Cruz, we've all known the answer for months. NSA's 215 program collects all domestic call metadata, and it protects all that data by requiring that any search of the data be based on a reasonable suspicion of terrorism. All means all. All Americans' metadata is collected. All Americans' privacy is protected by the minimization requirements. Sen. Sanders's stunt adds precisely nothing to what we know about the program, or to the debate.
But as long as the press covers the stunt as though it were a story, I think we can predict the next batch of letters that Sen. Sanders will send to NSA:
The New Yorker has a remarkably thought-provoking article on what some call the "neurobiology" of plants. That's a deliberately edgy way of pointing out just how much communicating and sensing and adapting plants do, all without anything resembling a brain. Some samples:
Plants have evolved between fifteen and twenty distinct senses, including analogues of our five: smell and taste (they sense and respond to chemicals in the air or on their bodies); sight (they react differently to various wavelengths of light as well as to shadow); touch (a vine or a root “knows” when it encounters a solid object); and, it has been discovered, sound. In a recent experiment, Heidi Appel, a chemical ecologist at the University of Missouri, found that, when she played a recording of a caterpillar chomping a leaf for a plant that hadn’t been touched, the sound primed the plant’s genetic machinery to produce defense chemicals. Another experiment, done in Mancuso’s lab and not yet published, found that plant roots would seek out a buried pipe through which water was flowing even if the exterior of the pipe was dry, which suggested that plants somehow “hear” the sound of flowing water....
Mimosa pudica, also called the “sensitive plant,” is that rare plant species with a behavior so speedy and visible that animals can observe it; the ... mimosa also collapses its leaves when the plant is dropped or jostled. Gagliano potted fifty-six mimosa plants and rigged a system to drop them from a height of fifteen centimetres every five seconds. Each “training session” involved sixty drops. She reported that some of the mimosas started to reopen their leaves after just four, five, or six drops, as if they had concluded that the stimulus could be safely ignored. “By the end, they were completely open,” Gagliano said to the audience. “They couldn’t care less anymore.”
Was it just fatigue? Apparently not: when the plants were shaken, they again closed up. “ ‘Oh, this is something new,’ ” Gagliano said, imagining these events from the plants’ point of view. “You see, you want to be attuned to something new coming in. Then we went back to the drops, and they didn’t respond.” Gagliano reported that she retested her plants after a week and found that they continued to disregard the drop stimulus, indicating that they “remembered” what they had learned. Even after twenty-eight days, the lesson had not been forgotten. She reminded her colleagues that, in similar experiments with bees, the insects forgot what they had learned after just forty-eight hours. ...
Time-lapse photography is perhaps the best tool we have to bridge the chasm between the time scale at which plants live and our own. This example was of a young bean plant, shot in the lab over two days, one frame every ten minutes. A metal pole on a dolly stands a couple of feet away. The bean plant is “looking” for something to climb. Each spring, I witness the same process in my garden, in real time. I always assumed that the bean plants simply grow this way or that, until they eventually bump into something suitable to climb. But Mancuso’s video seems to show that this bean plant “knows” exactly where the metal pole is long before it makes contact with it. Mancuso speculates that the plant could be employing a form of echolocation. There is some evidence that plants make low clicking sounds as their cells elongate; it’s possible that they can sense the reflection of those sound waves bouncing off the metal pole.
Equally sophisticated are plants' chemical communication systems:
Since the early nineteen-eighties, it has been known that when a plant’s leaves are infected or chewed by insects they emit volatile chemicals that signal other leaves to mount a defense. Sometimes this warning signal contains information about the identity of the insect, gleaned from the taste of its saliva. Depending on the plant and the attacker, the defense might involve altering the leaf’s flavor or texture, or producing toxins or other compounds that render the plant’s flesh less digestible to herbivores. ... Several species, including corn and lima beans, emit a chemical distress call when attacked by caterpillars. Parasitic wasps some distance away lock in on that scent, follow it to the afflicted plant, and proceed to slowly destroy the caterpillars.
I can't help tying these capabilities to the Next Big Thing in computing: the Internet of Things, more properly thought of as mass deployment of sensors. In many ways, that's a capability in search of an application. It's easy to wire your house so the network knows what room you're in, but really, why bother? In contrast, sensors that can eavesdrop on plant communications could have lots of applications. Farmers can wait to apply pesticides until their crop tells them which pests are attacking which plants. Hunters can ask the forest where deer congregate to do their browsing. Maybe the grass in minefields is already broadcasting the location of the explosives its roots are avoiding.
Lots of these capabilities could be built into smart phones, perhaps with sensor attachments. Even more sophisticated work could be done with special purpose devices mounted on drones or just on the Google Street View car. It's nice to have pictures of houses along the road, but imagine Google Plant View: a map of everything the plants know about a neighborhood: soil types and pH content, homes with toxic molds, the progress of invasive insects, herbivores, and plants.
Of course we'd have to be able to translate plant volatiles into English. Or maybe Italian, since the "poet-philosopher" of the field is an Italian researcher by the name of Stefano Mancuso; and he has already begun to assemble a dictionary:
His somewhat grandly named International Laboratory of Plant Neurobiology, a few miles outside Florence, occupies a modest suite of labs and offices in a low-slung modern building. ... Giving a tour of the labs, he showed me ... a chamber in which a ptr-tof machine—an advanced kind of mass spectrometer—continuously read all the volatiles emitted by a succession of plants, from poplars and tobacco plants to peppers and olive trees. “We are making a dictionary of each species’ entire chemical vocabulary,” he explained. He estimates that a plant has three thousand chemicals in its vocabulary, while, he said with a smile, “the average student has only seven hundred words.”
The dubious achievement awards, also known as the Privies, were dominated by officials of the Obama Administration.
The awards are a light-hearted way of expressing skepticism about the effort to write evolving notions of privacy into law. Because concepts of what is private change rapidly while laws remain on the books for decades, unintended consequences are common. Outmoded privacy laws are often misused to protect the powerful or are invoked hypocritically to achieve other ends, and judicial applications of privacy statutes often make no sense to ordinary people, whose concepts of privacy have evolved faster than the law.
The winners of the 2014 Privies exemplify all of these flaws.
Health and Human Services Secretary Kathleen Sebelius was voted Privacy Hypocrite of the Year for imposing harsh penalties on private companies whose systems for handling personal health data had security weaknesses -- the same kind of weaknesses that HHS ignored when it rolled out the deeply flawed healthcare.gov site.
Agriculture Secretary Thomas Vilsack, meanwhile, won the prize for Worst Use of Privacy Law to Protect Power and Privilege. Vilsack's Agriculture Department invoked privacy law to prevent the New York Times from checking the names and addresses of people who made questionable claims for federal funds in the “Pigford” scandal. Since media attention to fraud in the program would have cast doubt on the department's stewardship of taxpayer funds, most voters thought the government was actually applying a common government understanding of privacy: "Privacy Law Protects You From Anything That Might Embarrass Me."
Finally, in the one category where no executive branch candidates were nominated, the award for Dumbest Privacy Case of the Year went to U.S. District Court Judge Lucy Koh for her opinion opening the door to claims that all 425 million users of Gmail are victims of wiretapping by Google (and quite possibly are themselves aiding and abetting wiretapping when they send mail to others). The decision also hints that spam filters are themselves a form of wiretapping in the absence of detailed consent procedures. One decision, three remarkably dumb results.
The Privies are based on the votes of privacy professionals, who know the dirty secrets of privacy law better than most, but the general public was also invited to vote for a People's Choice award in the same categories. Kathleen Sebelius and Tom Vilsack dominated the voting among both privacy professionals and the general public. Judge Koh was the clear favorite of privacy professionals, but she was edged out in popular voting by the Boston Police Department, which invoked wiretapping law to threaten a citizen who recorded and posted on the Internet his conversation with a press spokesman of the Boston Police Department.
The full slate of nominations can be found here. The final results of balloting are listed below.
Privacy Hypocrite of the Year
Kathleen Sebelius, US Secretary of Health and Human Services
Viviane Reding, European Commissioner for Justice, Fundamental Rights, and Citizenship
Francois Hollande, President of France
James Sensenbrenner, U.S. House of Representatives
Angela Merkel, Chancellor of Germany

Worst Use of Privacy Law to Protect Power and Privilege
Tom Vilsack, Secretary of Agriculture
China's Privacy Law
Max Mosley, former president of the Fédération Internationale de l'Automobile
Spain’s Data Protection Agency (Agencia Española de Protección de Datos)

Dumbest Privacy Case of the Year
Gmail Wiretapping Claims (Hon. Lucy Koh)
FTC v. LabMD (Federal Trade Commission)
Joffe v. Google (Hon. Jay Bybee, Ninth Circuit)
Boston Police Department Wiretap Prosecution (Commissioner William Evans)

Note: columns may not sum to 100 due to rounding.
I'm shocked to discover that the august Ninth Circuit has been tampering with the balloting for the Privies, perhaps hoping to save its own Judge Bybee from winning the award for "Dumbest Privacy Case" of 2014. The nomination was for a decision that exposed Google to liability for gathering wi-fi signals while driving by on the street.
As we noted in the nomination, "the law exempts the capturing of radio broadcasts and publicly accessible communications; there's not much doubt that wi-fi uses radio waves and can be accessed by the public if it's not secured. But Judge Bybee of the Ninth Circuit wasn't deterred by either of the barriers to holding Google liable. He decided that radio communications are only those things we hear on the AM-FM dial. As for being publicly accessible, he writes, why that's ridiculous: if you listened to wi-fi signals on an AM radio, 'they would sound indistinguishable from random noise.'"
Now Judge Bybee seems ready to admit that he didn't really think that whole "how would the signals sound on an AM radio?" thing through. Responding to the imminent threat of a Privy Award (and Google's rehearing petition), the panel has modified the opinion to make it less ridiculous. It has granted rehearing and dropped the entire discussion about what is and is not publicly accessible, leaving the definition of "publicly accessible" to be argued before the district court in the first instance.
There are still some tight races, whether in voting by the public or by privacy professionals. But there are differences between the two groups. The most interesting difference concerns the crucial vote for "Privacy Hypocrite of the Year." Among the public, the top two contenders are Rep. James Sensenbrenner, for deliberately skipping classified briefings and then complaining that he wasn't told about NSA's classified program, and Sec. Kathleen Sebelius, for launching healthcare.gov without any of the security features her Department has penalized private health companies for failing to implement.
But among privacy professionals, the race for top honors is between Secretary Sebelius and a little-known Brussels bureaucrat, European Commissioner (and Vice President) Viviane Reding, who is notorious for trying to regulate US intelligence activities while admitting that she has no authority to regulate European intelligence agencies.
The votes of privacy professionals are weighted more heavily precisely to give obscure but outrageous abusers of privacy law a fair shot at winning, so privacy professionals with strong views on whether Commissioner Reding deserves the prize need to weigh in now.
You have only 24 hours to make your vote count.
Quick reactions to a couple of books I had a chance to read over the Christmas break.
I can highly recommend Company Man by John Rizzo. Rizzo was one of the first lawyers at the CIA, and he recounts a thirty-year career there with grace and a remarkable absence of rancor, even though he was denied the ultimate promotion -- to General Counsel -- after a highly politicized confirmation hearing. (His offense was asking the Justice Department whether certain harsh interrogation techniques were legal, and not selling out the CIA officers who relied on Justice's advice by disavowing it when he got to the hearing.)
Rizzo had a ringside seat at all the most dramatic political events involving the CIA from the 1970s to the Obama Administration. He brings self-deprecating wit and a lot of human insight to his portrayal of these events and the CIA directors he helped guide through them. It's available on January 5, 2014. (Disclosure: I got an early copy because John and I have been friends and colleagues for a long time. But in the interest of full disclosure, I have no incentive to overpraise his book, since I'm afraid it's actually better than mine.)
In contrast, The Frackers by Gregory Zuckerman was a disappointment. The book is getting praise from the right blogosphere because it tells the story of fracking straight, with only occasional flaming faucets and with considerable attention to the remarkable contribution that the frackers have made to the nation's energy independence. I tend to agree that that's the right take on the industry, but as a read, the book is benefiting from conservative affirmative action. It's long, dense, and full of characters whose stories are admirable but pretty much indistinguishable. Wait, which founder nearly went bankrupt and which one was fired after hitting a slump? Which one bet big on shale in Texas? North Dakota? Pennsylvania? Who ended up making his wife a very rich divorcee and whose son developed a drug problem? And why do I care? The book would have been better with fewer stories and a bit more differentiation among them.
Voting for the 2014 Dubious Achievements in Privacy Law is almost done, and the race is heating up. Who used privacy law most egregiously to serve power and privilege? There are plenty of candidates, but the leaders this year are two: On the one hand, the Chinese government, which adopted a privacy law and promptly brought criminal privacy charges against a Western investigator examining corporate misdeeds. And on the other, the Obama administration's Agriculture Department, which cited privacy grounds in refusing to name any of the beneficiaries of the notoriously fraud-ridden "Pigford" settlement.
But if your favorite was a man who could afford both a naked five-hour, five-hooker sadomasochistic orgy and a litigation campaign to clear his name by proving that it was not a naked five-hour, five-hooker sadomasochistic orgy with a Nazi theme, well, Max Mosley isn't quite out of the running yet. With a surge of support, his privacy law campaign to force the Internet to forget pictures of his naked five-hour etcetera still could qualify as the worst use of privacy law to protect the privileged.
If you're sure you know which of the candidates is abusing privacy law most egregiously to serve the powerful, and you haven't already voted, now is the time to review the candidates and then to cast your ballot.
Usually it takes a couple of stories. First foreign officials condemn reports that NSA has gathered intelligence on their government. Then, later, they have to admit that, well, yes, they do sometimes spy on the United States.
But Israel has taken chutzpah to new heights -- simultaneously demanding that the United States stop spying on Israel and that it release the guy caught spying on the United States for Israel:
Senior Israeli officials on Sunday demanded an end to U.S. spying on Israel, following revelations that the National Security Agency intercepted emails from the offices of the country’s top former leaders.
It was the first time that Israeli officials have expressed anger since details of U.S. spying on Israel began to trickle out in documents leaked by former NSA contractor Edward Snowden. The scandal also spurred renewed calls for the release of Jonathan Pollard, a former American intelligence analyst who has been imprisoned in the U.S. for nearly three decades for spying on behalf of Israel.
“This thing is not legitimate,” Israeli Intelligence Minister Yuval Steinitz told Israel Radio. He called for both countries to enter an agreement regarding espionage.
“It’s quite embarrassing between countries who are allies,” Tourism Minister Uzi Landau said. “It’s this moment more than any other moment that Jonathan Pollard (should) be released.”
Unfortunately, while voting for the 2014 Privacy Hypocrite of the Year is still open, it is too late for Israel to overcome the lead of nominees like Kathleen Sebelius, Jim Sensenbrenner, and Francois Hollande.
As voting continues for the 2014 Privy Awards, here's a peek at another closely watched matchup. Which judge will win the coveted Privy for having written the dumbest privacy decision of the year? Just to make it interesting, the two judicial candidates are both from San Francisco, but Jay Bybee is a Republican appointee to the court of appeals while Lucy Koh is a Democratic appointee to the district court.
So, who is going to prevail in the race to the bottom for least persuasive privacy opinion of the year? Judging from the public vote so far, Judge Koh has a modest lead. But she could easily be spared the ignominy of losing to Judge Bybee. All she needs is the support of .0000001% of the 425 million Gmail subscribers she ruled were unfairly tricked into allowing an illegal wiretap of their Gmail accounts.
If you have a view but haven't voted, balloting is still open. Start here for a list of the candidates. Go here to cast your vote. And remember, the votes of privacy professionals will be weighted most heavily, so check to see if you qualify before you vote.
Voting continues in the Privy Award for Privacy Hypocrite of the Year, which features a partisan matchup. One nominee is Republican James ("You Hid Information From Me By Disclosing It at Briefings I Refused to Attend") Sensenbrenner. Another is Kathleen ("Harsh Privacy Penalties for Thee, But Not For Me") Sebelius.
Voting isn't over, and the contest still could go either way (or one of the European candidates might prevail), but I know there's interest in this matchup, so I'm leaking partial hints to inspire further participation.
The short answer is that, despite a strong campaign by Ben Wittes of Lawfare, Kathleen Sebelius currently leads Jim Sensenbrenner in the public voting. There is lots of time left (voting won't close until early January), and the privacy professional vote will count most. But if your candidate is Jim Sensenbrenner and you haven't voted, it's time to get on the stick. And if you like Secretary Sebelius for the honor, better do the same; her lead is not safe.
The Associated Press recently ran a long story about Robert Levinson, a former FBI agent who disappeared while in Iran. Levinson later showed up in Internet photos suggesting he was a hostage. The AP story made clear that the former agent had a long relationship with the CIA and was likely working on a CIA project when he went to Iran.
That means the AP story was a potential death sentence for Levinson. How did AP decide whether to release such dangerous information? Well, here's what its executive editor said (emphasis added):
In the absence of any solid information about Levinson’s whereabouts, it has been impossible to judge whether publication would put him at risk. It is almost certain that his captors already know about the CIA connection but without knowing exactly who the captors are, it is difficult to know whether publication of Levinson’s CIA mission would make a difference to them. That does not mean there is no risk. But with no more leads to follow, we have concluded that the importance of the story justifies publication.
Short version: Unless someone proves this story will kill Levinson, it's too good to sit on.
I'm often tough on the New York Times, but its handling of the same problem contrasts sharply with AP's. Here's what it said [paywall] when the AP story seemed to have scooped the Gray Lady:
The New York Times has known about the former agent’s C.I.A. ties since late 2007, when a lawyer for the family gave a reporter access to Mr. Levinson’s files and emails. The Times withheld that information to avoid jeopardizing his safety or the efforts to free him.
I can't help noting that the New York Times could also have been influenced by a relatively recent law that protects the identities of covert agents. The Intelligence Identities Protection Act of 1982 makes it a felony to disclose those identities:
Whoever, in the course of a pattern of activities intended to identify and expose covert agents and with reason to believe that such activities would impair or impede the foreign intelligence activities of the United States, discloses any information that identifies an individual as a covert agent to any individual not authorized to receive classified information, knowing that the information disclosed so identifies such individual and that the United States is taking affirmative measures to conceal such individual’s classified intelligence relationship to the United States, shall be fined under title 18 or imprisoned not more than three years, or both.
Associated Press must be leaning hard on the defense that it has shown no "pattern" of identifying "agents" in the plural.
The 2014 Privies --
Dumbest Privacy Case of the Year
a. Boston Police Department (Commissioner William Evans)
Record Your Talk with Boston Police, Face Felony Wiretap Charges
When Taylor Harding called the Boston Police Department's press spokesman about his case, he recorded the call and posted it to YouTube. At which point the Boston police charged him with felony wiretapping. Pretty stupid, but don't blame the cops. Blame privacy law.
Under Massachusetts law, it's a righteous bust, thanks to the privacy advocates who persuaded the Massachusetts legislature that both participants in a call had to agree before the call could be recorded. Spurred by a technological panic, the legislature couldn't have been clearer about its intent: "The uncontrolled development and unrestricted use of modern electronic surveillance devices pose grave dangers to the privacy of all citizens of the Commonwealth. Therefore, the secret use of such devices by private individuals must be prohibited.”
Chalk up another unintended consequence for privacy advocates trying to stop the march of technology. As the tools for recording conversations and even video spread to everyone, the two-party consent law doesn't make sense and is mostly enforced only on behalf of the rich and powerful. So this case was almost nominated in the category "Worst Use of Privacy Law to Protect Power and Privilege." But in the end, the Boston Police Department was ridiculed into dropping the case. Turns out that the police don't quite have as much power and privilege as the technorati. Which is really only comforting if you think the technorati lynch mob will never come for you.
b. Joffe v. Google (Hon. Jay Bybee, Ninth Circuit)
"Radio Waves Aren't Radio. Publicly Accessible Broadcasts Aren't Publicly Accessible. And #$kjhi&#^- ..."
When Google's Street View car collected wi-fi signals from the homes and businesses it passed, it only gathered information that anyone could have gathered without leaving the street. The users who hadn't secured their wi-fi signals decided to shoot the messenger, suing Google for illegally wiretapping them. Kind of a long shot legal claim, since the law exempts the capturing of radio broadcasts and publicly accessible communications; there's not much doubt that wi-fi uses radio waves and can be accessed by the public if it's not secured. But Judge Bybee of the Ninth Circuit wasn't deterred by either of the barriers to holding Google liable. He decided that radio communications are only those things we hear on the AM-FM dial. As for being publicly accessible, he writes, why that's ridiculous: if you listened to wi-fi signals on an AM radio, "they would sound indistinguishable from random noise."
Come to think of it, so does this opinion.
c. FTC v. LabMD (Federal Trade Commission)
Stupid Mistake + Media Coverage = Unfair Practice
When LabMD set up security for its network, it didn't expect a rogue employee to poke holes in its security by running Limewire, a program notorious for sharing pirated music -- as well as any business or personal records that happen to be on the same network. And it certainly didn't expect a complaint from the Federal Trade Commission when Limewire shared a spreadsheet with customer data.
There's no doubt that LabMD made a mistake, and a bad one. But the Federal Trade Commission isn't empowered to correct every mistake made by American businesses. It only has authority to charge companies that have committed "unfair practices." What LabMD did may have been dumb; it may have been sloppy; but you've got to strain pretty hard to call it an unfair practice. The FTC has been trying for years to become America's privacy and security enforcer. For just as long, Congress has refused to give it that role.
You have to admire an agency with the cojones to argue that it can make up its own legal authority as well as the offenses that it chooses to punish. Maybe if you look closely at the seal, you can see the agency's true motto: "Whatever It Takes: Finding Ways To Punish Companies Criticized by the New York Times Since 1914."
d. The Gmail Wiretapping Claims (Hon. Lucy Koh, N.D. Cal.)
Judge Uncovers Wiretap Plot with 425 Million Co-Conspirators
Is there anyone left who doesn't know that Google provides free email and pays for it by serving ads tied to the content of your correspondence? In fact, it's the most popular free email service on the planet, endorsed by 425 million subscribers who voted with their feet for Gmail.
Apparently the Gmail business model was news to Lucy Koh, a federal judge in San Francisco, who decided that all 425 million Gmail subscribers were dopes who couldn't possibly have consented to Google's automated scanning of email content, even though its terms of service said the company reserved the right to "pre-screen, review, flag, [or] modify ... any or all Content from any Service." That language didn't count, Judge Koh said, because it didn't tell consumers that Google was reviewing the mail to provide ads as well as to find objectionable content.
Maybe Google could have written a clearer (though longer and therefore less readable) document. But the effect of Judge Koh's tortured reading was to make Google potentially liable under the wiretap laws for tapping the communications of all 425 million users, plus everyone they wrote to. At $10,000 per violation, that's a pretty heavy price for free email. Not to mention that, if you were one of the 424,999,999 subscribers who actually understood the business model, it looks as though Judge Koh just exposed you to liability for aiding and abetting the wiretapping of everyone you slyly tricked into exchanging mail with you. In fact, the result was so strained that it couldn’t even persuade a magistrate in the same court, who read her opinion and ruled the other way despite being outranked by Judge Koh. Oh, and those spam filters you couldn't live without? In a footnote, Judge Koh suggests they're wiretapping too unless they have a consent clause that even a federal judge can understand.
Before this decision, Judge Koh was most famous for telling an attorney for Apple that he must be "smoking crack." Judge Koh, in contrast, seems intent on smoking the rubble of the Internet economy.
Review: All Three Awards -- and All the Nominees -- Are Listed Here.