You are here

OpenMarket: Privacy and Cybersecurity

  • House Intel Committee Chair Ignores Report Calling NSA Surveillance Illegal

    June 2, 2014 11:51 AM

    At a recent event titled “A Statesman Forum on Cybersecurity Policy and Diplomacy” at George Washington University, House Intelligence Committee Chairman Mike Rogers (R-Mich.) stated:


    Every investigation, every group that review it found no illegal activity, no abuses, and that it was lawful. It’s hard to say that there was some horrible rogue agency when all the groups that investigated it came to the same conclusion.


    Rep. Rogers is wrong. His statement, which referred to the National Security Agency’s data collection programs under Section 215 of the USA PATRIOT Act (50 U.S.C. § 1861), ignores the report published by the Privacy and Civil Liberties Oversight Board (PCLOB) in January 2014 concluding that the NSA’s data collection programs under Section 215 are illegal. The findings of PCLOB—an independent federal agency established in 2004 to ensure that government surveillance does not overstep its lawful bounds—are worth revisiting after the USA FREEDOM Act, a bill intended to reform NSA surveillance activities, lost more than half of its sponsors last week following a new version of the bill out of the House Rules Committee.


    Section 215 is the provision of the USA PATRIOT Act, a 2001 law which amended the Foreign Intelligence Surveillance Act (FISA), that prescribes the conditions under which intelligence agencies, like the NSA, may gain access to information such as phone call data. This law has been the key legal justification for the NSA’s controversial metadata collection programs, which many people accuse the agency of using to collect domestic data. In June 2013, Edward Snowden, a former private contractor for the NSA, revealed documents to Glenn Greenwald and other reporters who used them to expose these programs.


  • The Premises of Net Neutrality

    May 19, 2014 4:12 PM

    In the electric power industry, if you run an extension cord across the street to serve another, you go to jail. The local utility has a protected monopoly. We’ve put most of that "public utility" vision behind us in communications. Wired and wireless and satellite options abound for Internet service; we'll likely see blimps and communications drones, and who knows what else.


    Yet special interests still want the Federal Communications Commission (FCC) to regulate the content flows and grid infrastructure, the prices and services of the Internet via something called net neutrality. They actually are quite open about wanting government regulated monopoly power.


    The Internet as a utility, like the power company. They want speed limits.


    We're nearly a decade into a series of disruptive efforts to inflict "net neutrality" on the Internet; Neutrality is the idea that we won't have access to content where and when and as fast as we want it without government and special interests controlling the wires.


    Neutrality proponents want to inflict a "Mother-May-I" method of operation on the Internet; they want planning boards and regulatory affirmation of content carriage arrangements and of infrastructure deals.


    It's not a bright new idea, and not even one rooted in a plausible belief in natural monopoly, or one informed by angelic visions of "common carriage. Regulation like net neutrality devolves into cronyism. It was also rooted in cronyism.


    Early telecommunications and power networks were highly competitive, with duplicative infrastructure. The powerful didn't like the competition. The cronies got a franchise and guaranteed profit, everybody else got shut out, and the effects still linger.


  • USDOT Calls for Connected Vehicle Mandate; Security and Privacy Concerns Remain

    February 3, 2014 2:03 PM

    The U.S. Department of Transportation (DOT) announced today it would chart a regulatory path that would require all new automobiles to be equipped with vehicle-to-vehicle (V2V) communications systems sometime in the next several years. This follows a National Transportation Safety Board recommendation that connected vehicle technology be mandated on all new vehicles.


    V2V and vehicle-to-infrastructure (V2I) safety systems could provide large safety benefits in the future. Unfortunately, DOT has jumped the gun, requiring systems while large challenges remain, particularly issues related to data privacy and security.


    A November 2013 report from the Government Accountability Office (GAO) provides a good description of what DOT is attempting to do:

  • Target, Retailers Use Dodd-Frank to Skimp on Data Security

    January 22, 2014 12:29 PM

    Chutzpah, thy name is the National Retail Federation!


    In the wake of the recent credit and debit card breach at Target that may have compromised the data of up to 110 million consumers, the leading retail trade association argued in federal court on Friday that it should pay even less for fraud prevention and cleanup after fraud losses.


    Joined by the National Association of Convenience Stores and the National Restaurant Association, the NRF claimed to the court that it is actually against the law for banks and credit unions to charge retailers for fraud losses in debit card processing fees. "The inclusion of fraud losses in the allowable costs recoverable ... cannot be justified," the groups maintained in a legal brief (page 20).


    The interchange fees that banks and credit unions charge merchants for debit card transactions -- what retailers pejoratively call "swipe fees" -- have been subject to price controls since the passage of the Dodd-Frank financial overhaul in 2010. Dodd-Frank's Durbin Amendment, which came about as a result of heavy lobbying by Target, Wal-Mart and other big retailers, states that the debit interchange fees charged to retailers must be “reasonable and proportional to the cost incurred by the issuer [bank or credit union issuing the card] with respect to the transaction.”


    CEI opposed the Durbin Amendment from the start, because we believe price controls are a violation of individual property rights and turn out to be impractical. But many who voted for the Durbin Amendment believed that the price-setting process would be similar to rate regulation of electricity and phone service, in that the fee set would allow for infrastructure and service costs plus what is judged as a "reasonable rate of return."


    What happened, though, was that ever since the Fed began implementing the provision, the retail lobby has argued that the provision not only bars banks and credit unions from profiting on the fees charged to retailers, only a very limited portion of costs could actually be recovered in the fee.


  • Target Breach -- Are Dodd-Frank "Swipe Fee" Price Controls to Blame?

    December 24, 2013 10:41 AM

    Target wants  you to know it is oh-so-sorry for any inconvenience its data SNAFU (as OpenMarket is a family blog, please look up the acronym) has caused, and as a token of its concern, it offered customers a whooping 10 percent discount this weekend!


    In the meantime, who is cleaning up the mess from Target's breach that has affected as many as 40 million credit and debit card accounts? The nation's banks and credit unions -- big and small. In East Tennessee, for instance, Citizens National Bank canceled and reissued 1,000 credit and debit cards potentially affected, but took the step of calling each customer beforehand.


    This is just the latest incident in which banks and credit unions that issue credit and debit cards have had to step up to the plate after a retailer's customer data is compromised. As noted by Wisconsin Credit Union League CEO Brett A. Thompson, upon a data breach at Michaels craft stores in 2001, the financial institutions “had to determine which states were involved, monitor potentially compromised accounts, manually reduce limits for both ATM and PIN transactions, monitor ATM transactions in the affected states, notify debit card holders of potential fraud on their accounts, issue new debit cards to those whose accounts were compromised and refund money to fraud victims.”


    Yet how do retailers repay banks and credit unions and their own customers? By complaining about how much the have to pay in credit and debit card "swipe fees" and lobbying for price controls, such as the Durbin Amendment of the 2010 Dodd-Frank financial "reform," which limited what retailers can be charged for debit cards to 21 cents per swipe (a level a judge has now ruled is not draconian enough in a pending court case!).


  • Memo to Road Socialists: There Is Nothing Unlibertarian about Road Pricing

    November 5, 2013 11:10 PM

    Virginia just elected Democrat Terry McAuliffe as governor, as had been predicted by every poll conducted during the past few months -- although at much smaller margins than had been projected. During the twilight hours of the campaign, some of Republican Ken Cuccinelli's supporters began attacking Libertarian Robert Sarvis for various alleged ideological sins. One in particular involved Sarvis's expressed support for adopting a user-based funding model for Virginia's roads, specifically his mention of a mileage-based user fee as a possible replacement to fuel and non-user tax revenue.


    The claim is that this is necessarily a government surveillance scheme and that such a proposal is inherently unlibertarian. This is false and is based upon ignorance of how such systems actually operate. Furthermore, labeling a mileage-based user fee system as unlibertarian runs contrary to the opinions of virtually every libertarian transportation scholar. What follows is my attempt to articulate why libertarians ought to support mileage-based user fees over fuel taxes and general tax revenue funding for transportation.


    Virginia's New Transportation Law


    To put this in context, outgoing Republican Virginia Governor Bob McDonnell enacted this past spring a tax-and-spend transportation law that raised taxes, failed to do serious program reform, and increased the share of non-user funding for Virginia's roads. CEI harshly criticized the plan for these reasons. In the lead up to the vote, Cuccinelli supported a watered-down proposal that didn't rely on the general sales and use tax increases backed by McDonnell. However, the Cuccinelli-supported plan, just like the McDonnell plan, relied on increased sales tax funding of transportation, and assumed Congress would legalize state Internet sales taxes so Virginia could use the "Amazon tax" to fund transportation projects.


    In October, the Cuccinelli campaign released a seemingly reasonable transportation plan that stressed the devolution of funding and management responsibility from the state to local authorities (the Sarvis campaign also repeatedly stressed decentralization of transportation funding and management). While decentralization, ideally to the facility level, is a goal shared by many fans of free markets and limited government, the Cuccinelli plan failed to articulate how locally controlled roads should be funded -- specifically, the revenue collection mechanisms. Out of the three candidates, only Sarvis offered user-based road pricing alternatives such as tolling and a mileage-based user fee (MBUF).


  • Stop Watching Us: End Suspicionless NSA Mass Surveillance

    October 23, 2013 4:28 PM

    By now, pretty much everybody has heard that the U.S. National Security Agency is indiscriminately collecting private information about all Americans who use a major U.S. phone company -- including the phone numbers of both parties to any call involving a person in the United States. And the NSA is collecting buddy lists, monitoring email traffic, and gathering an untold-but-vast amount of other data from millions of people around the world. Stunning new revelations about this surveillance keep emerging; just this afternoon, German Chancellor Angela Merkel called President Barack Obama to complain about reports that the United States may have tapped her mobile phone. (The White House refused to comment on past snooping, stating only that the U.S. government doesn't currently listen to Merkel's calls, and won't do so in the future.)

  • Gmail’s Targeted Advertising Accused of Being Wiretapping: Part 2

    October 16, 2013 1:18 PM

    As I stated in my previous article, a federal court is currently hearing a lawsuit challenging Google’s “targeted advertising” practices. The plaintiffs claim the company violated the Wiretap Act, but Google insists that its conduct falls under exceptions within the Act.


    One such exception that likely applies to Google is the “ordinary course of business” clause:


    2(a)(i) It shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks.


    Google uses targeted advertising in order to fund and therefore maintain its free email services. The plaintiffs argue that this goes against the industry standard for “ordinary business” practices:


    263. The ordinary course of business within the industry for webmail electronic communication services for the ability to send and receive electronic communications does not include the interception and use of content of an electronic communication as Google performs on the subject electronic communications.

  • Gmail’s Targeted Advertising Accused of Being Wiretapping: Part 1

    October 9, 2013 12:47 PM

    It has long been widely known that Google uses software that scans its users’ Gmail messages to generate targeted advertising. Recently, though, a lawsuit has been allowed to proceed in federal court in which the plaintiffs accuse Google of violating the Wiretap Act by scanning user emails.


    This controversy is nothing new for Google, which has faced numerous privacy challenges since launching Gmail in 2004.


    In the ongoing case, the plaintiffs base their complaint on the argument that Google’s email scanning violates the Wiretap Act, a federal law that prohibits the interception of wired and electronic communications in many circumstances. But Google argues that the law’s exceptions give the company a right to scan emails. First, Google points to the Wiretap Act’s consent clause:


    2(d) It shall not be unlawful under this chapter for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.


    As long as Gmail account holders have agreed to Google’s terms of service, and those terms specify that Google has the right to intercept users’ messages, then Google has their consent to intercept. Google does specify such interception practices in subparagraph 8.3 of its 2007 terms of service, which remained in force until March 2012:


    8.3 Google reserves the right (but shall have no obligation) to pre-screen, review, flag, filter, modify, refuse or remove any or all Content from any Service…


  • Mississippi Should Tell CFPB to "Stop Spying on Me"

    September 17, 2013 1:27 PM

    The federal Consumer Financial Protection Bureau is coming to Mississippi Wednesday and Thursday with a public forum on "access to information." A vital question for Mississippians to ask leaders of the bureaucracy at the venue, being held from 11 AM to 1 PM tomorrow at Mississippi Valley State University in Itta Bena, is why the CFPB wants so much access to their personal information.


    Here is the CFPB's meeting agenda for Mississippi. This Facebook page tells about the privacy violations and other problems with this uniquely unaccountable governmental entity.


    The CFPB, created by the Dodd-Frank financial overhaul to defend consumers in the credit card and mortgage markets, is building a database of sensitive individual financial information that rivals that of the National Security Agency. According to Bloomberg News, the CFPB already has "anonymous information about at least 10 million consumers."


    On top of this, at a U.S. House hearing in July, CFPB acting deputy director Steven Antonakes revealed that bureau hopes to monitor 900 million credit-card accounts. This represents nearly 80 percent of the U.S. credit-card market. Sen. Mike Crapo (R-Idaho), a consistent advocate of privacy who called for limits on the surveillance provisions of the PATRIOT Act during the Bush administration, declared, “The bureau was founded with a mission to watch out for American consumers, not to watch them.”


    CFPB director Richard Cordray, who will be at the forum as well as CFPB meetings in Itta Bena and Jackson that are closed to the public, has defended the database by saying that the CFPB blocks out "personally identifiable information" such as Social Security numbers, and that these mounds of data are needed for the CFPB to "understand" the markets it is regulating.


Pages

Subscribe to OpenMarket: Privacy and  Cybersecurity