Wednesday, January 11, 2006

Privacy: Variations on the Theme of Liberty

I have noted elsewhere that the mainstream media seem to have missed an opportunity to declare a "privacy crisis." Nevertheless, there is in the air (so to speak) a quasi-hysterical view that privacy is the be-all and end-all of existence -- above and beyond life, liberty, and the pursuit of happiness. It is past time for a balanced view of privacy. Thus this post.

I begin by addressing privacy as a right. I then turn to private-sector issues, namely, identity theft and the use of personal information by businesses. In the next substantive portion of this post I address privacy vis-a-vis government, disposing quickly of the national ID card to focus on warrantless "eavesdropping" and data-mining. I then offer a brief summary and conclusion.


Privacy in the Law

Privacy is one among many values that liberty should serve. An individual's desire for privacy is as legitimate as a desire for, say, a Lamborghini, a full head of hair, and perpetual youth. Seriously, privacy is a legitimate pursuit, yet (like a Lamborghini) it cannot an absolute right. For -- as I have argued elsewhere -- if privacy were an absolute right, it would be possible to get away with murder in one's home simply by committing murder there. In fact, if there are any absolute rights, privacy certainly isn't one of them. Privacy really is a bargain that individuals strike with the rest of the world. We cannot act in the world without ceding some privacy, so the question is how to decide when the bargain we are being asked to strike is a good one or a bad one, given the benefits and risks of ceding some privacy.

You may now ask: "What about the Constitution, the Bill of Rights, and all of that?" Read the Constitution and Bill of Rights and you will find that there is nothing about privacy in them. The Fourth and Fifth Amendments come closest to being "privacy" amendments, but they're really about due process of law. The vaunted Ninth Amendment doesn't protect an unemurated privacy right. Rather, as I explained here, in drafting the Ninth Amendment Madison had in mind no particular unenumerated rights:
It is clear from its text and from Madison's statement [upon presenting the Bill of Rights to the House of Representatives] that the [Ninth] Amendment states but a rule of construction, making clear that a Bill of Rights might not by implication be taken to increase the powers of the national government in areas not enumerated, and that it does not contain within itself any guarantee of a right or a proscription of an infringement.
Thomas McAffee, writing about the Ninth Amendment in The Heritage Guide to the Constitution (pp. 366-71), comes to the same conclusion:
. . . Madison . . . affirmed that the reason for the Ninth Amendment was not to expand the power of the Court to find new rights, but rather to restrict the ability of the Court to expand the legislative powers of Congress. Madison continued to maintain that that was the central meaning of the Ninth Amendment throughout his life, and his interpretation was seconded by most commentators of the time.
There is neverthess a notion that the Fourteenth Amendment guarantees privacy as a matter of substantive due process. As I have explained, however, substantive due process protects constitutionally guaranteed rights (e.g., liberty of contract). It does not protect imaginary rights, such as the non-existent general right to privacy.

The notion of a general right to privacy is a fairly recent invention of the Supreme Court. It was conjured to serve the Court's legislative agenda in Griswold v. Connecticut (overturning a Connecticut law that banned the sale of contraceptives) and Roe v. Wade (overturning a Texas anti-abortion law). But, as I wrote here,
the Roe v. Wade majority acknowledged that abortion is not even an unenumerated right. It then manufactured from specified procedural rights enumerated in the Bill of Rights -- rights which are totally unrelated to abortion -- and from strained precedents involving "penumbras" and "emanations," a general right to privacy in order to find a "privacy" right to abortion. . . .

It is therefore unsurprising that the majority in Roe v. Wade could not decide whether the general privacy right is located in the Ninth Amendment or the Fourteenth Amendment. Neither amendment, of course, is the locus of a general privacy right because none is conferred by the Constitution, nor could the Constitution ever confer such a right, for it would interfere with such truly compelling state interests as the pursuit of justice. The majority simply chose to ignore that unspeakable consequence by conjuring a general right to privacy for the limited purpose of ratifying abortion.

The spuriousness of the majority's conclusion is evident in its flinching from the logical end of its reasoning: abortion anywhere at anytime. Instead, the majority delivered this:
The privacy right involved, therefore, cannot be said to be absolute. . . . We, therefore, conclude that the right of personal privacy includes the abortion decision, but that this right is not unqualified and must be considered against important state interests in regulation.
And so, the Court brought us right back to where we were in the beginning -- without a general or absolute right to privacy.

There are, of course, federal and State laws that define specific areas of privacy. At the federal level, for example, there is the Medical Information Privacy and Security Act (MIPSA). As described by Wikipedia, MIPSA
contains important provisions requiring accesses to generate an audit trail, and for patients to be able to partition their data so that for example genetic information is not revealed when they go for a flu jab. Individuals have a right to access, copy, edit and augment their information.
Wikipedia summarizes State law thusly:

Most states in the U.S. grant a right to privacy and recognise four torts:

  1. Intrusion upon seclusion or solitude, or into private affairs;
  2. Public disclosure of embarrassing private facts;
  3. Publicity which places a person in a false light in the public eye; and
  4. Appropriation of name or likeness.
All such federal and State laws are carve-outs -- delineations of specific areas of privacy. They are not general guarantees of privacy. Do we need even more carve-outs to deal with the "privacy crisis"? Let us begin by defining the real privacy problem.

Privacy in the Real World

You may, in spite of what I have just said, think that you have a "right" to privacy. But try that line with prospective creditors, who have a "right" to know enough about you to decide whether to extend credit to you; try that line with banks, which have a "right" to know enough about you so that they can safeguard your savings from impostors; and try that line with the police, who have a "right" (constitutionally) to obtain a warrant to search your home if you are suspected of a crime.

If you want absolute privacy you should not have a job (working for someone else), a credit card, a checking account, a brokerage account, a 401(k), a house, land, a car, a legalized marriage, children who were born in a hospital or educated formally, a formal education of your own, a telephone, an Internet connection, or almost any of the other trappings of what we call civilization. The real issue is the extent to which you are willing to forgo some aspects of privacy in order to work for someone else (other than the Mob), possess a credit card, etc.

Given that privacy is neither an absolute right nor something that many of us choose to purchase by forgoing the trappings of civilization, let's consider what we really seek when we claim to seek privacy. Suppose that, unknown to you, someone gathers information about you that you had not intended to disclose. You have suffered no harm unless the gathering of such information
  • enables a person, business, or government to manipulate your behavior by presenting information or options in ways calculated to lead you to certain decisions (e.g., see my posts about "libertarian paternalism" here, here, here, and here)
  • causes unsubstantiated harm to your reputation
  • results in blackmail or the theft of your property
  • results in the imposition of a civil or criminal penalty for an act or acts that you did not commit.
Beyond that, there is no reason to give special preference to privacy over other considerations; for example, a lender's need for information about your credit-worthiness, government's legitimate interest in protecting citizens from terrorism.


Dealing With "Identity Theft"

Let's be clear about what is being stolen in "identity theft." An identity thief's real crime isn't stealing a person's identity, it's using information about that person to steal from that person and/or to steal from others. With that understood, the solution to "identity theft" is straightforward: Fraud is fraud and theft is theft, and they ought to be prosecuted as such.

Moreover, businesses that abet "identity theft" through lax verification and security procedures should be held accountable for their misfeasance.

On to the tougher issue of how to cope with banks, lenders, vendors, and the like.

A Market Solution for Other Private-Sector Issues

Should there be restrictions on the scope of personal information that private data aggregators are allowed to gather? If so, how should those restrictions should be enforced? One option is individual choice, in which each person picks the set of privacy bargains that suits his or her taste for privacy, on the one hand, and ease of transacting business, on the other hand. The other option is for government to establish one-size-fits-all rules -- even beyond those it already has laid down -- such as a ban on the use of universal identification numbers (e.g., Social Security numbers) by banks, credit agencies, insurers, and the like.

The problem with one-size-fits-all rules -- especially one as sweeping as a ban on the use of universal ID numbers -- is that they make it harder and more expensive for consumers to transact business. A consumer's credit rating, which now follows him wherever he goes, thanks (or no thanks) mainly to his Social Security number, is (for almost all consumers) a boon, not a bane. Without the SSN or some other universal identifier, we would revert the days of local and regional credit-rating agencies. The higher cost of verifying a purchasers' credit would, of course, reduce the volume of transactions and lead to higher prices. Small businesses would be especially hard-hit.

So, beyond the obvious penalties for "identity theft" and for misfeasance on the part of businesses that hold personal information, the answer to the private-sector privacy quandary lies . . . in the private sector. The answer, specifically, is the use of what I will call "privacy brokers." These would be companies that are qualified to explain to an individual his privacy options, and authorized to exercise the individual's preferences on his behalf. Such firms would be fully knowledgeable of applicable laws and the ins-and-outs of the privacy policies of companies with which an individual might do business. (Bear with me as I explain why I'm not inventing a new and costly middleman.)

How would privacy brokers be paid? If they were paid by businesses, consumers rightly wouldn't trust them. But how likely is it that consumers will shell out what looks like additional money for a service that, to most consumers, might seem unnecessary? After, in spite of all the personal information that's afloat in the databases of businesses, credit-card issuers, and credit-rating agencies, relatively few consumers have been defrauded or otherwise compromised.

The answer, of course, is that consumers already are paying for the services of credit-rating agencies through the prices charged by businesses and the interest charged by credit-card issuers. It would be relatively easy for credit-rating agencies to transform themselves into privacy brokers. Privacy brokers would collect all of the information now required by creditors, but they would collect it as consumers' agents, after duly informing consumers of their options and the risks and benefits of those options. Each consumer would agree to compensate his privacy broker by assigning a share of his credit purchases to the broker. Conveniently enough, the consumer's creditors would no longer be paying the former credit-rating agency (now a privacy broker) a share of the consumer's credit purchases for the same information. Thus the consumer would not see any increase in prices or interest charges.

Privacy brokers would compete on the basis of price, service, and reputation. If a privacy broker were to allow its data to be compromised, it would quickly lose customers to existing competitors and new entrants to the privacy-brokerage business. Moreover, privacy brokers -- each with tens of millions of clients -- would have considerable leverage over businesses' privacy policies. As a selling point, privacy brokers could use that leverage on the behalf of their clients. Privacy brokers could, for example, negotiate reductions in the amount of personal information that is kept on consumers, ensure that consumers never have to opt-out when it comes to third-party use of personal information, and (most importantly) extract enforceable guarantees about the security of personal information. Those kinds of pro-consumer activities would be fostered by competition among privacy brokers.

My bottom line here is that there is an effective, efficient market answer to concerns about securing privacy vis-a-vis the private sector. But the private sector must act before Congress imposes an inefficient, one-size-fits-all, "solution" on us. There is still time to act, according to a story in Wired News (November 10), which says that "Congress is unlikely to pass any data-security bills by the end of the year, according to Hill watchers."


Is a National ID Card a Good Idea?

A national ID card would be a good idea if its use would decrease the likelihood of terrorism, but it wouldn't-- as I will explain.

I have no objection to carrying an ID card. I already carry several, the possession of which by another person would give that person access to just about anything he might want to know about me: my date of birth, SSN, health history, driving record, criminal record (zilch, sorry), and so on.

A well-designed ID card might even prevent some kinds of "identity theft" if the identifying information embedded in the card could be read only by secure machines and would not be accessible to opportunistic thieves (e.g., unskilled restaurant and department-store employees).

But well-heeled terrorist organizations would find ways to create seemingly legitimate ID cards for their members. And there's the rub. Possession of a single piece of ID, one that is presumed to be authoritative, would make it easier for terrorists to gain access to vulnerable sites (e.g., passenger aircraft) and to elude investigation by deflecting suspicion.

Uncle Sam already knows (or can know) everything about me. A national ID card wouldn't make a difference in that respect. But it would make it easier for terrorists to terrorize. The card is therefore a bad idea.

Privacy or Liberty?

It is sometimes necessary for government to intrude on privacy for the sake of liberty. If, for example, the punishment of crime fosters the security of life, limb, and property by deterring yet more crime, then liberty is served by certain types of governmental intrusion on privacy (e.g., searches of private property, questioning of suspects and witnesses, and compulsion of testimony in criminal cases).

Similarly, the defense of the United States (which includes the defense of Americans and American interests abroad), may justify governmental intrusions on privacy. But there must be restraints on governmental intrusion to ensure that no instance of intrusion is broader than required for the accomplishment of a legitimate governmental function. From a libertarian perspective, that rules out any governmental intrusion of privacy which isn't aimed at promoting justice or defending citizens and their property.

Thus, for example, government is improperly intrusive when it issues a census questionnaire that asks for more information than is necesary to enumerate the population. By contrast, government is properly vigilant when it engages in clandestine surveillance that is warranted by a known threat to the life and limb of Americans (e.g., the continuing threat from al Qaeda).

Those who reflexively oppose certain provisions of the Patriot Act (e.g., the issuance of national security letters for library reading lists) and those who bemoan NSA intercepts of international communications want privacy to take precedence over other manifestations of liberty. As I wrote here, "There can be no absolute liberties where life is at stake. Without life, liberty is meaningless." The Framers of the Constitution recognized that principle:
. . . When the Fourth Amendment was written, the sole remedy for an illegal search or seizure was a lawsuit for money damages. Government officials used warrants as a defense against such lawsuits. Today a warrant seems the police officer's foe -- one more hoop to jump through -- but at the time of the Founding it was the constable's friend, a legal defense against any subsequent claim. Thus it was perfectly reasonable to specify limits on warrants (probable cause, particular description of the places to be search and the things to be seized) but never to require their use. (From the "Warrant Clause," by Prof. William J. Stuntz of Harvard Law in The Heritage Guide to the Constitution, pp. 326-9.)
Thus, by the original meaning of the Constitution, all warrantless searches may be permissible. But judges and legislators have so changed the meaning of the Constitution that these views have instead become prevalent: government cannot conduct searches without a warrant; warrantless searches are "invasions of privacy" (as if privacy were either constitutionally guaranteed or some sort of "natural right'). Moreover, there is -- especially among "civil libertarians," anti-American Americans, and right-wing loonies -- a preference for an undifferentiated right to "privacy" over "the common defence, "to provide for which the Constitution was adopted. Antidotes to such views may be found here:
President had legal authority to OK taps (Chicago Tribune)
Our domestic intelligence crisis (Richard A. Posner)
Many posts by Tom Smith of The Right Coast (start here and scroll up)
Eavesdropping Ins and Outs (Mark R. Levin, writing at National Review Online)
The FISA Act And The Definition Of 'US Persons' (Ed Morrissey of Captain's Quarters)
A Colloquy with the Times (John Hinderaker of Power Line)
September 10 America (editorial at National Review Online)
A Patriot Acts (Ben Stein, writing at The American Spectator)
More on the NSA Wiretaps (Dale Franks of QandO)
The President's War Power Includes Surveillance (John Eastman, writing at The Remedy)
Warrantless Intelligence Gathering, Redux (UPDATED) (Jeff Goldstein, writing at Protein Wisdom)
FISA Court Obstructionism Since 9/11 (Ed Morrissey of Captain's Quarters)
FISA vs. the Constitution (Robert F. Turner, writing at OpinionJournal)
Wisdom in Wiretaps (an editorial from OpinionJournal)
Under Clinton, NY Times Called Surveillance a Necessity (William Tate, writing at The American Thinker)
Experts' Letter on NSA Program (by Tom Smith of The Right Coast)
(U.S. Department of Justice)
Terrorists on Tap (Victoria Toensing, writing at OpinionJournal)
Letter from Chairman, Senate Intelligence Committee, to Chairman and Ranking Member of Senate Judiciary Committee
Letter from H. Bryan Cunningham to Chairman and Ranking Member of Senate Judiciary Committee
Has The New York Times Violated the Espionage Act? (article in Commentary by Gabriel Schoenfeld)
Point of No Return (Thomas Sowell, writing at RealClearPolitics)
Letter from John C. Eastman to Chairman of House Judiciary Committee
FISA Chief Judge Speaks Out, Bamford Misinforms (a post at The Strata-Sphere)
DoJ Responds to Congressional FISA Questions (another post at The Strata-Sphere)
As for the president's authority in foreign affairs -- which encompasses the defense of the nation -- I quote Sai Prakash, who writes about the Constitution's Executive Vesting Clause (Article II, Section 1, Clause 1) in The Heritage Guide to the Constitution (pp. 179-82):
The [Executive Vesting Clause] . . . accords the President those foreign-affairs authorities not otherwise granted to Congress or shared with the Senate. . . .

The Articles of Confederation lacked an independent chief executive. Instead, the Continental Congress exercised the executive power, appointing and dominating the secretaries of the executive departments. Unfortunately, law execution under the direction of a distracted, plural executive was neighter vigorous nor swift. Congress likewise proved a poor steward of foreign affairs, with American diplomats complaining that Congress could not act with the requisite speed or secrecy. . . .

Resolving to avoid the problems plaguing state and national executives, the Constitution's makers created an energetic, responsible, and unified executive. . . . The Anti-Federalists well understood the Framers' design and criticized the unitary executive [but they lost the argument: ED] . . . .

. . . [T]he delegates [to the Constitutional Convention] spoke of the President's principal foreign-affairs role, oftentimes referring to the Senate's role in treaty-making as a limited exception to the grant of foreign-affairs authority to the President. . . .

. . . [T]raditional rules of statutory interpretation require us to take seriously the differences in phrasing across the three vesting clauses. Artilce I, Section 1 ("All legislative Powers herein granted shall be vested in a Congress of the United States. . . .") makes clear that it vests no authorities separate from those enumerated in the rest of Article I. In contrast, Article III, Section 1 ("The judicial Power of the United States, shall be vested in one supreme Court, and in such inferior Courts as the Congress may . . . establish.") clearly vests the federal courts with judicial authority. The Executive Vesting Clause reads like its Article III counterpart, in sharp contrast to the Article I introductory clause. . . .

In a case touching upon foreign affairs, the judiciary has recently reaffired that the executive power grants foreign-affairs authority to the President. See American Insurance Ass'n v. Garamendi (2003). This marks a departure from prior case law, which had grounded the executive's foreign-affairs powers not in any constitutional text, but in necessity and sovereignty. See United States v. Curtiss-Wright Export Corp. (1936).
John Yoo and James C. Ho, writing in the same volume about the president's role as commander in chief (pp. 195-8), have this to say:
. . .[S]ome originalist scholars have concluded that Congress's war power is limited to its control over funding and its power to impeach executive officers. They contend that the President is constitutionally empowered to engage in hostilities with whatever resources Congress has made available to the executive. . . .

In summary, the argument for executive initiative rests on the background understanding that the vesting of "executive Power" and the "Commander in Chief" designation together constitute a substantive grant of authority to the President to conduct military operations.
It is clear that it is fully within the president's constitutional authority to order electronic surveillance of communications between persons in the U.S. and persons overseas. It is especially clear that such surveillance is legitimate because of its war-related purpose.

The Framers intended the executive to be a passive enforcer of laws passed by Congress that bear on domestic affairs (and those laws were to be strictly limited in scope by Article I, Section 8, of the Constitution). At the same time, the Framers intended the executive to defend Americans actively against enemies foreign and domestic. No one has put it more clearly than Justice Felix Frankfurter:
. . . [W]e have had recent occasion to quote approvingly the statement of former Chief Justice Hughes that the war power of the Government is 'the power to wage war successfully.' . . . Therefore, the validity of action under the war power must be judged wholly in the context of war. That action is not to be stigmatized as lawless because like action in times of peace would be lawless. To talk about a military order that expresses an allowable judgment of war needs by those entrusted with the duty of conducting war as 'an unconstitutional order' is to suffuse a part of the Constitution with an atmosphere of unconstitutionality. The respective spheres of action of military authorities and of judges are of course very different. But within their sphere, military authorities are no more outside the bounds of obedience to the Constitution than are judges within theirs. . . . To recognize that military orders are 'reasonably expedient military precautions' in time of war and yet to deny them constitutional legitimacy makes of the Constitution an instrument for dialetic subtleties not reasonably to be attributed to the hard-headed Framers, of whom a majority had had actual participation in war. If a military order such as that under review does not transcend the means appropriate for conducting war, such action . . . is as constitutional as would be any authorized action by the Interstate Commerce Commission within the limits of the constitutional power to regulate commerce.
To get down to cases -- the case of NSA surveillance, in particular -- Tom Smith of The Right Coast has this to say:
. . . [I]t strikes me as just wrong, and very counter-intuitive, to think of the Fourth Amendment as limiting the President's Article II wartime powers at all. If this were the case, it would mean something like the President's powers to wage war against those US citizens who had decided to fight for the enemy, had to be conducted within something like the proscriptions of constitutional criminal procedure. Surely, that can't be right. This is not to say the President's Article II powers are unlimited. That is what, I take it, the Youngstown Steel case is about. But if FISA really does subject Article II wartime powers to the procedural rigamarole in FISA, then it would be unconstitutional. . . . So where that leaves us, it seems to me, is fairly clear. The President did not violate FISA, as that statute has been interpreted by the highest court other than the Supreme Court that has has the power to interpret it, and indeed specializes in interpreting it, so presumably is due some deference for that, and thus, for the President's action to be illegal, it would have to have exceeded his Article II powers. . . . While it is logically possible that the NSA program exceeded the Article II powers, it strikes me as a very implausible claim. We are not talking here about nationalizing the steel industry, or interring all Muslims or something of that sort. We are talking about data-mining calls and emails which have an elevated probability of being connected to terrorism, because they are within a network anchored by phone numbers or email addresses found in al Qaeda phones or computers, or because of charateristics of the calls or emails. If anyone thinks . . . that doing that is outside the President's Article II powers, they have a ludicrously narrow conception of those powers, a conception simply inconsistent with the President's discharge of his duty to prevent future catastrophic terrorist attacks on the people of the United States. That alone suggests it is an incorrect conception of those powers, a fact even the Supreme Court is likely to notice.
What we see in the dispute about such things as the Patriot Act and NSA surveillance is a failure to distinguish between the free exercise of liberty, on the one hand, and the necessary exercise of governmental power to preserve liberty, on the other hand. That failure is unwitting -- but nonetheless dangerous -- when it emanates from persons who simply have no understanding of the Constitution or who wish to live in a dream-world in which government simply cannot encroach upon their privacy for any reason. That failure is entirely witting -- and essentially subversive -- when it emanates from persons who simply wish to twist the meaning of the Constitution so that it serves their anti-libertarian agenda: statism at home and surrender abroad.

What About Government Data-Mining?

There is, nevertheless, a real threat that surveillance could lead to the creation of massive databases that could be misused by government officials. Tom Smith observes that
technology on the data mining front is moving very fast. In fact, the term data mining is too narrow and somewhat dated. For just a taste of one cutting edge approach, check this out. This company takes a semantic network approach to unstructured databases. There are other approaches as well.

What I am getting at is, if the government puts together a huge database -- and . . . it is within their capabilities, well within -- then with tech from the private sector, not to mention what NSA geniuses come up with, then what they can figure out about individuals, firms, and so on, really does not have any clear limit. It is not at all far fetched to say if the government wanted to, it could know more about people than they know about themselves, a lot more.

There are many questions here. The first is whether the storage of this information violates constitutional protections. I think sentience may make some difference here. If every email you have sent in the last five years is stored in some place the government has access to, but they do not actually access it, then I'm not sure your privacy has been affected at all.

But here is something that worries me, though maybe it shouldn't. Search algorithms are already astonishingly powerful. They are advancing rapidly. It may be possible soon to pull out from such things as patterns of emails, phone calls, puchases and the like, people likely to be involved in drug trafficing, money laundering, whatever. If an impartial algorithm can troll through a database and produce a list of people who really are, to some high degree of probability, connected with herion trafficking say, should that be enough to support a warrant to start the really intrusive, traditional sort of surveillance?

I have already made clear that I think the President should be able to do exactly this if it is necessary to fight a war. But law enforcement agencies doing it does strike me as pretty creepy. It could be an extremely powerful law enforcement tool, though.
It is one thing to create databases that enable law-enforcement officials to detect and avert attacks on Americans and Americans' interests, at home and abroad. It is quite another thing to create and use such databases for the purpose, say, of anticipating or imagining criminal conspiracies.

How, then, is it possible to protect Americans from acts of war, terrorism, insurrection, or rebellion without subjecting them to the very real danger of overreaching on the part of government officials -- who will be tempted to misuse the information to which they have access? We learned -- on September 11, 2001 -- that it is folly to put a firewall between domestic and foreign intelligence. The firewall must be placed elsewhere; here is how I would construct it and where I would place it:
  • No government agency (including contractors) may collect or store personal information other than that which is gathered pursuant to a specific, constitutionally authorized exercise of authority (e.g., issuing driving licenses, maintaining tax and property records, investigating crimes that have been reported, maintaining records of arrests and convictions, algorithmically surveilling communications for the purpose of detecting possible terrorist activity).
  • The federal government (and only particular units of the federal government, as authorized by law) may collate such information in a database or databases that may be used only for the purposes of detecting conspiracies to commit acts of war, terrorism, insurrection, or rebellion against the United States, a State, or the citizens of the United States or their property.
  • Information gleaned from such a database may be used, without judicial approval, to avert an imminent attack or to respond to an attack.
  • Otherwise, the information gleaned from such a database may be used, with judicial approval, to initiate surveillance of persons or property within the jurisdiction of the United States -- and then only for the purpose of preventing acts of war, terrorism, insurrection, or rebellion.
  • Actions against persons or property outside the jurisdiction of the United States must be taken in accordance with the 1973 War Powers Resolution and/or applicable treaties.
  • Information gleaned from such a database may never be used for any purpose other than the prevention of or response to acts of war, terrorism, insurrection, or rebellion against the United States, a State, or the citizens of the United States or their property.
Details would be supplied by statute. Compliance would be monitored by a commission; the president, Congress (by concurrent resolution), and the chief justice of the United States each would appoint one-third of the commission's members.


Privacy is not, never has been, and never should be an absolute right. To make it such would be incompatible with the defense of life, liberty, and property.

With respect to privacy in the private sector, we should remember that a one-size-fits-all regulation has the predictable effect of fitting almost no one and generally forcing buyers and sellers to make inferior choices. Government should protect Americans from force and fraud. Beyond that, it is up to Americans to decide for themselves how much privacy they wish to enjoy in their voluntary transactions. They could do so quite effectively, and at no additional cost, with the help of "privacy brokers" -- firms that would do for consumers what they now do for businesses.

Turning to privacy vis-a-vis government, we should remember that government legitimately seeks to protect the lives and property of Americans, so that they can pursue happiness as they see it. Privacy absolutists -- those who place privacy above security -- endanger us all. They would render us defenseless against very real and potent threats to liberty and the pursuit of happiness. The idea of a national ID card fails because it would create a vulnerability, not because it would threaten privacy in the land of the ubiquitous Social Security number. On the other hand, there is a legitimate place for the surveillance of telecommunications and for data-mining, as long as the use of both is confined to the protection of life, liberty, and property against our enemies. A way of ensuring that surveillance and data-mining are not misused is to establish an oversight commission comprising members of all three branches of the federal government.

The legitimate function of the state is to protect its citizens from predators and parasites, it is not to protect predators and parasites. The critics of aggressive defense like to proclaim their dedication to civil liberties, but their statist agenda in domestic matters betrays their selective dedication to liberty.

There is a balance to be struck between privacy and liberty, but it should not -- and need not -- be struck in favor of our enemies. The Constitution is, first and foremost, a mutual defense pact, not a suicide pact.

Related collections of posts:
The Constitution: Original Meaning, Subversion, and Remedies
Economics: Principles and Issues
War, Self-Defense, and Civil Liberties

Tuesday, January 10, 2006

The "Privacy Crisis"

This is an appendix to "Privacy: Variations on the Theme of Liberty."

In the first half of 2005, when "identity theft" and the possibility of a national ID card were hot stories, I was sure that the mainstream media would declare a "privacy crisis." But the MSM has the attention span of a fly, and so its gaze wandered to other issues, not the least of them being the indictment of VP Cheney's chief of staff for allegedly having committed a crime by lying about something he might or might not have said about a crime that probably wasn't committed. The MSM returned to the privacy issue in a big way with the disclosure in December that President Bush had authorized warrantless intercepts by the National Security Agency of communications between persons in the U.S. and overseas.

Here, then, is a summary of what the media -- if they had the attention span of a two-year old -- would call a "privacy crisis."

My exposure to the "privacy crisis" began on February 5, 2005, when I watched "this amusing advert" (courtesy: Alex Tabarrok at Marginal Revolution).

In late February and early March I learned of the massive thefts of personal information from databases at ChoicePoint and LexixNexis. Those thefts led predictably to calls for more stringent regulation of private data aggregators, which in mid-March encountered resistance on the part of ChoicePoint and LexisNexis to a ban on the sale of Social Security numbers.

Also in mid-March, Glen Whitman of Agoraphilia weighed in with "Accomplices to Identity Theft," which points to an MSN Money article that pins some of the blame for identity theft on lenders:
Now that intruders have raided a second big consumer database, we're bound to hear lots more calls for increased federal oversight of the companies that buy and sell our personal information.

What will get far less attention, unfortunately, is the fact that these incursions wouldn't be so incredibly damaging to consumers' finances if lenders didn't make that information worth stealing in the first place.

Think about it: The only reason an identity thief cares about knowing your Social Security Number or other private data is that it can be used to open accounts in your name and commit fraud. Lax verification procedures at credit card companies and other financial institutions make that possible -- even easy.

“Companies are so eager to grant credit,” said Linda Foley, executive director of the Identity Theft Resource Center, “that they will grant it to almost anyone for any reason.”
(Whitman reasonably asked whether "lenders [should] be made liable for damages to identity theft victims, or punished in some other way when they facilitate identity theft, in order to give them an incentive to adopt more scrupulous lending practices?")

On March 27, Wired News worried me with a report that "Amazon Knows Who You Are"; thus: has one potentially big advantage over its rival online retailers: It knows things about you that you may not know yourself.

Though plenty of companies have detailed systems for tracking customer habits, both critics and boosters say Amazon is the trailblazer, having collected information longer and used it more proactively. It even received a patent recently on technology aimed at tracking information about the people for whom its customers buy gifts.

Amazon sees such data gathering as the best way to keep customers happy and loyal, a relationship-building technique that analysts consider potentially crucial to besting other online competitors.

"In general, we collect as much information as possible such that we can provide you with the best feedback," said Werner Vogels, Amazon's chief technology officer.

But some privacy advocates believe Amazon is getting dangerously close to becoming Big Brother with your credit card number.

I was next faced with William Safire's dire warning about the end of privacy in his April 10 review of Robert O'Harrow Jr.'s No Place to Hide and Patrick Radden Keefe's Chatter: Dispatches from the Secret World of Global Eavesdropping:
O'Harrow notes that many consumers find it convenient to be in a marketing dossier that knows their personal preferences, habits, income, professional and sexual activity, entertainment and travel interests and foibles. These intimately profiled people are untroubled by the device placed in the car they rent that records their speed and location, the keystroke logger that reads the characters they type, the plastic hotel key that transmits the frequency and time of entries and exits or the hidden camera that takes their picture at a Super Bowl or tourist attraction. They fill out cards revealing personal data to get a warranty, unaware that the warranties are already provided by law. ''Even as people fret about corporate intrusiveness,'' O'Harrow writes about a searching survey of subscribers taken by Conde Nast Publications, ''they often willingly, even eagerly, part with intimate details about their lives.''

Such acquiescence ends -- for a while -- when snoopers get caught spilling their data to thieves or exposing the extent of their operations. The industry took some heat when a young New Hampshire woman was murdered by a stalker who bought her Social Security number and address from an online information service. But its lobbyists managed to extract the teeth from Senator Judd Gregg's proposed legislation, and the intercorporate trading of supposedly confidential Social Security numbers has mushroomed.
Safire moved on to "snooping" by the government and its links to private data-mining:
When an article in The New York Times by John Markoff, followed by another in The Washington Post by O'Harrow, revealed the Pentagon's intensely invasive Total Information Awareness program headed by Vice Admiral John Poindexter of Iran-Contra infamy, a conservative scandalmonger took umbrage. (''Safire's column was like a blowtorch on dry tinder,'' O'Harrow writes in the book's only colorful simile.) The Poindexter program's slogan, ''Knowledge Is Power,'' struck many as Orwellian. Senators Ron Wyden and Russell D. Feingold were able to limit funding for the government-sponsored data mining, and Poindexter soon resigned. A Pentagon group later found that ''T.I.A. was a flawed effort to achieve worthwhile ends'' and called for ''clear rules and policy guidance, adopted through an open and credible political process.'' But O'Harrow reports in ''No Place to Hide'' that a former Poindexter colleague at T.I.A. ''said government interest in the program's research actually broadened after it was apparently killed by Congress.''

There are many issues swirling around in the maelstrom of utterances about privacy....

Of all the companies in the security-industrial complex, none is more dominant or acquisitive than ChoicePoint of Alpharetta, Ga. This data giant collects, stores, analyzes and sells literally billions of demographic, marketing and criminal records to police departments and government agencies that might otherwise be criticized (or de-funded) for building a national identity base to make American citizens prove they are who they say they are. With its employee-screening, shoplifter-blacklisting and credit-reporting arms, ChoicePoint is also, in the author's words, ''a National Nanny that for a fee could watch or assess the background of virtually anybody.''...

A second book -- not as eye-opening as O'Harrow's original reporting but a short course in what little we know of international government surveillance -- is ''Chatter: Dispatches from the Secret World of Global Eavesdropping,'' by Patrick Radden Keefe. This third-year student at Yale Law School dares to make his first book an examination of what he calls the liberty-security matrix....

Keefe's useful research primer on today's surveillance society, and especially O'Harrow's breakthrough reporting on the noxious nexus of government and commercial snooping, open the way for the creation of privacy beats for journalism's coming generation of search engineers. A small furor is growing about the abuse of security that leads to identity theft. We'll see how long the furor lasts before the commercial-public security combine again slams privacy against the wall of secrecy....
I next wrung my hands about the national ID card that seems to be in the making (via Wired News):

02:00 AM May. 12, 2005 PT

Legislation supporting a standardized national driver's license may have won unanimous approval in the Senate on Tuesday, but the bill's apparently smooth passage left some jagged edges in its wake....

Supporters of the bill say it would prevent terrorists and undocumented immigrants from obtaining legitimate documents that would help them move freely through the country. Last year, the 9/11 Commission called for tightening control over government-issued IDs because 18 of the 19 hijackers in the Sept. 11, 2001, terror attacks used U.S. IDs to pass through airport security.

But opponents of the bill say it would create a national ID card and a de facto national database -- a concept that Congress rejected when it was first proposed several years ago.

The act would force states to produce standardized, tamper-resistant driver's licenses that would include machine-readable, encoded data. States wouldn't be required to comply. But those that don't comply would create hardship for residents, who wouldn't be able to use their licenses as official identification to travel on airplanes, collect federal benefits or gain access to federal buildings.

On July 15 Wired News reported on a bill now before Congress that "strives to protect privacy":

A bipartisan group of senators introduced comprehensive identity-theft legislation Thursday that throws some of the burden for preventing the increasingly common crime onto businesses and other organizations that collect personal information. The new legislation also would give consumers more control over their personal data.

The Identity Theft Protection Act, introduced in the Senate commerce committee by a bipartisan coalition, addresses problems with recent high-profile data breaches by requiring entities that collect sensitive information, such as Social Security numbers, to secure the data physically and technologically and to notify consumers nationwide when data is compromised.

The bill also allows consumers to freeze their credit reports to help prevent unauthorized parties from accessing private data or opening new credit accounts in an individual's name without their permission.

On July 17 Wired News reported about the threat of "Google-opoly":

Google is at once a powerful search engine and a growing e-mail provider. It runs a blogging service, makes software to speed web traffic and has ambitions to become a digital library. And it is developing a payments service.

Although many internet users eagerly await each new technology from Google, its rapid expansion is also prompting concerns that the company may know too much: what you read, where you surf and travel, whom you write.

"This is a lot of personal information in a single basket," said Chris Hoofnagle, senior counsel with the Electronic Privacy Information Center. "Google is becoming one of the largest privacy risks on the internet."

An InformationWeek Weblog entry dated November 4 had this to say about "spychips":

"Spychips" is a scary new book out by consumer-privacy advocates Katherine Albrecht and Liz McIntyre, and it should be must-reading for anyone who doesn't "get" the concerns over RFID chips. Even if half of what the book says in the planning or thinking stages is true, that's more than enough to make anyone nervous about the potential -- or even planned, if the authors are to be believed -- misuse of this technology.

Albrecht is by no means without bias here -- she also is the founder and director of Consumers Against Supermarket Privacy Invasion and Numbering (CASPIN), which, among other things, has organized events such as the recent consumer protest against RFID use at a Dallas Wal-Mart. She definitely has an ax to grind.

So it would be easy to dismiss the concerns highlighted in the book, and the evidence backing them were it not for where Albrecht and McIntyre dug up some of this stuff. They wielded the Freedom Of Information Act, hunted through corporate Web sites, crawled through company reports, and excavated some very interesting proposals filed at the patent office.
They even checked up on the government. Much of this is stuff you could track yourself, except for perhaps a page with what Albrecht claimed was misleading information on RFID, which allegedly was removed from a medical-products company's Web site after the publication of "Spychips."

McIntyre is quoted in a CASPIN release saying that "...companies like IBM, Procter & Gamble, Bank of America, BellSouth, and Philips will also have some explaining to do when people read about their patent pending ways to use RFID to track people through the things they wear, carry, and throw away. Consumers will realize these companies have an RFID agenda that should concern us all." Like what? Well, like embedding the chips in shoes so that the wearer can be tracked in RFID reader-equipped buildings. There is even a reference to a company that wants to implant RFID chips inside of people. How nice.

Indeed, as RFID reporter Laurie Sullivan notes in a recent story, the start of what has privacy advocates and some consumers worried is already happening: "Check the next Hewlett-Packard printer you buy at Wal-Mart or that Ann Taylor blouse you picked up. Chances are a radio-frequency ID tag came home with your purchase."

I don't think anyone cares about the really neat uses of RFID -- to track Alzheimer patients or newborns, manage inventory, or track the shipment of goods. Sun, for example, is trialing an RFID-fueled asset-tracking service that supposedly lets the company verify any item's location and physical characteristics within an hour, without linking to a network. And Ford just announced an RFID just-in-time delivery system, which will enable better coordination of 40 to 50 shipments a day of truck parts. Lots of people would like their appliances and cars to alert them before a major failure.

But none of this changes the fact that RFID can be used badly, invasively, and secretly, something "Spychips" makes plenty clear. Even potentially useful applications, such as installing biometric or RFID chips in passports and licenses, have as many cons as there are pros. It's worth stopping to take a breath and think this stuff out. Which is what some people are doing.

Sullivan has reported on a bill pending in the California Senate that is seeking to put a three-year moratorium on using RFID chips in various government-issued documents -- driver's licenses, library cards, etc. And in a somewhat related action, Microsoft is pushing for a national, federal standard on protecting consumer data. Obviously, one of the concerns about RFID tracking is who will have access to any data that is collected.

To get an idea of where Albrecht is coming from, and to judge her views on RFID for yourself, listen to Sullivan's two-part podcast with the privacy advocate and author. You can access part one here.
Not to let the Patriot Act go unmentioned, there's this (from Wired News of November 6):
Lawmakers expressed concern Sunday [November 6] that the FBI was aggressively pushing the powers of the anti-terrorist USA Patriot Act to access private phone and financial records of ordinary people.

"We should be looking at that very closely," said Sen. Joseph Biden (D-Delaware), who is a member of the Senate Judiciary Committee. "It appears to me that this is, if not abused, being close to abused."

Sen. Chuck Hagel (R-Nebraska), a member of the Senate Intelligence Committee, agreed, saying the government's expanded power highlights the risks of balancing national security against individual rights.

"It does point up how dangerous this can be," said Hagel, who appeared with Biden on ABC's This Week.

Under the Patriot Act, the FBI issues more than 30,000 national security letters allowing the investigations each year, a hundredfold increase over historic norms, The Washington Post reported Sunday, quoting unnamed government sources.

The security letters, which were first used in the 1970s, allow access to people's phone and e-mail records, as well as financial data and the internet sites they surf. The 2001 Patriot Act removed the requirement that the records sought be those of someone under suspicion.

As a result, FBI agents can review the digital records of a citizen as long as the bureau can certify that the person's records are "relevant" to a terrorist investigation. . . .

Issued by the FBI without review by a judge, the letters are used to obtain electronic records from "electronic communications service providers." Such providers include internet service companies but also universities, public interest organizations and almost all libraries, because most provide access to the internet.

Last September in an ACLU lawsuit, a federal judge in New York struck down this provision as unconstitutional on grounds that it restrains free speech and bars or deters judicial challenges to government searches. That ruling has been suspended pending an appeal to the New York-based 2nd U.S. Circuit Court of Appeals.

In a hearing last week the court suggested it might require the government to permit libraries, major corporations and other groups to challenge FBI demands for records.

The Patriot Act provision involving national security letters was enacted permanently in 2001, so it was not part of Congress' debate last summer over extending some Patriot Act provisions.

As the Dec. 31 deadline has approached for Congress to renew provisions of the act, the House and Senate have voted to make noncompliance with a national security letter a criminal offense.

Finally, on December 16, The New York Times disclosed the NSA intercepts, about which an editorialist at Wired News erroneously wrote this:
This week, The New York Times revealed that the Bush administration ignored the Foreign Intelligence Surveillance Act, or FISA, and intercepted telephone calls and e-mails from American citizens without a warrant. FISA requires that investigators provide a judge with evidence that there's reason to believe the person they plan to place under surveillance is an agent of a foreign power. . . .

There is no legal justification for these warrantless interceptions, which included calls to and from American citizens.
John Schmidt, a former associate attorney general in the Clinton administration, set the record straight:
President Bush's post- Sept. 11, 2001, authorization to the National Security Agency to carry out electronic surveillance into private phone calls and e-mails is consistent with court decisions and with the positions of the Justice Department under prior presidents.

The president authorized the NSA program in response to the 9/11 terrorist attacks on America. An identifiable group, Al Qaeda, was responsible and believed to be planning future attacks in the United States. Electronic surveillance of communications to or from those who might plausibly be members of or in contact with Al Qaeda was probably the only means of obtaining information about what its members were planning next. No one except the president and the few officials with access to the NSA program can know how valuable such surveillance has been in protecting the nation.

In the Supreme Court's 1972 Keith decision holding that the president does not have inherent authority to order wiretapping without warrants to combat domestic threats, the court said explicitly that it was not questioning the president's authority to take such action in response to threats from abroad.

Four federal courts of appeal subsequently faced the issue squarely and held that the president has inherent authority to authorize wiretapping for foreign intelligence purposes without judicial warrant. . . .

The passage of the Foreign Intelligence Surveillance Act in 1978 did not alter the constitutional situation. That law created the Foreign Intelligence Surveillance Court that can authorize surveillance directed at an "agent of a foreign power," which includes a foreign terrorist group. Thus, Congress put its weight behind the constitutionality of such surveillance in compliance with the law's procedures.

But as the 2002 Court of Review noted, if the president has inherent authority to conduct warrantless searches, "FISA could not encroach on the president's constitutional power."

Every president since FISA's passage has asserted that he retained inherent power to go beyond the act's terms. Under President Clinton, deputy Atty. Gen. Jamie Gorelick testified that "the Department of Justice believes, and the case law supports, that the president has inherent authority to conduct warrantless physical searches for foreign intelligence purposes." . . .

Should we be afraid of this inherent presidential power? Of course. If surveillance is used only for the purpose of preventing another Sept. 11 type of attack or a similar threat, the harm of interfering with the privacy of people in this country is minimal and the benefit is immense. The danger is that surveillance will not be used solely for that narrow and extraordinary purpose.

But we cannot eliminate the need for extraordinary action in the kind of unforeseen circumstances presented by Sept.11. I do not believe the Constitution allows Congress to take away from the president the inherent authority to act in response to a foreign attack. That inherent power is reason to be careful about who we elect as president, but it is authority we have needed in the past and, in the light of history, could well need again.
(For more on the NSA issue, go here and follow the links at the end of the post.)