Congress is considering H.R. 5050, the Social Networking Online Protection Act, which would prohibit employers from requiring or requesting that employees provide a user name, password, or other means for accessing a personal account on a social networking website.
Cato at Liberty
Technology and Privacy
Hulu, Pricing Strategies, and the Costs of Piracy
I’ve written on a couple previous occasions about how our approach to copyright policy is badly distorted by wildly inflated estimates of what online piracy “costs” the U.S. economy. The true figure, as most serious analysts admit, is likely unknowable, but the content industries have discovered that no figure is too ludicrous to be parroted with a straight face by well‐meaning politicians. The higher the fabricated number, the easier it becomes to claim that even the most expensive and draconian antipiracy measures, however questionably effective, can pass a cost‐benefit test. Some recent news involving the video streaming site Hulu reminds me of yet another reason to be wary of those figures.
According to press reports, free access to Hulu content may soon be limited to users who already subscribe to a traditional cable package. The incumbent cable companies hope this will entice viewers to buy or maintain more profitable cable subscriptions rather than “cutting the cord” and shifting entirely to online viewing. Some may, of course, but others will predictably turn to piracy: Tech reporter Ryan Singel of Wired joked on Twitter that the Pirate Bay was probably purchasing new servers in response to the announcement. Regardless of whether Hulu ultimately opts for this approach, there’s a more serious general point to be teased out there, however.
On Breach of Decorum and Government Growth
Last week, the Center for Democracy and Technology changed its position on CISPA, the Cyber Intelligence Sharing and Protection Act, two times in short succession, easing the way for House passage of a bill profoundly threatening to privacy.
Declan McCullagh of C|Net wrote a story about it called “Advocacy Group Flip‐Flops Twice Over CISPA Surveillance Bill.” In it, he quoted me saying: “A lot of people in Washington, D.C. think that working with CDT means working for good values like privacy. But CDT’s number one goal is having a seat at the table. And CDT will negotiate away privacy toward that end.”
That comment netted some interesting reactions. Some were gleeful about this “emperor‐has‐no‐clothes” moment for CDT. To others, I was inappropriately “insulting” to the good people at CDT. This makes the whole thing worthy of further exploration. How could I say something mean like that about an organization whose staff spend so much time working in good faith on improving privacy protections? Some folks there absolutely do. This does not overcome the institutional role CDT often plays, which I have not found so creditable. (More on that below. Far below…)
First, though, let me illustrate how CDT helped smooth the way for passage of the bill:
CISPA and the Right Way to Do Cybersecurity Information Sharing
The White House has issued a threat to veto the Cyber Intelligence Information Sharing Protection Act (CISPA) in its current form, despite recent amendments aimed at assuaging the concerns of privacy and civil liberties advocates:
H.R. 3523 fails to provide authorities to ensure that the Nation’s core critical infrastructure is protected while repealing important provisions of electronic surveillance law without instituting corresponding privacy, confidentiality, and civil liberties safeguards. For example, the bill would allow broad sharing of information with governmental entities without establishing requirements for both industry and the Government to minimize and protect personally identifiable information. Moreover, such sharing should be accomplished in a way that permits appropriate sharing within the Government without undue restrictions imposed by private sector companies that share information.
The bill also lacks sufficient limitations on the sharing of personally identifiable information between private entities and does not contain adequate oversight or accountability measures necessary to ensure that the data is used only for appropriate purposes. Citizens have a right to know that corporations will be held legally accountable for failing to safeguard personal information adequately. The Government, rather than establishing a new antitrust exemption under this bill, should ensure that information is not shared for anti‐competitive purposes.
We Don’t Want the Cybersmoking Cybergun to Be a Cybermushroom Cybercloud
The House Committee on Homeland Security held a hearing today bearing the unsubtle title: “America is Under Cyber Attack: Why Urgent Action is Needed.” With the conclusion fixed in advance of the testimony—which, as promised, uniformly prophesied imminent cybercataclysm—you’d think the real question would be why a hearing was needed. The answer, of course, is to frighten off any second thoughts about cybersecurity legislation due for consideration this Friday, to which opposition has been mounting among some techies and civil libertarians.
Jim Harper has already done plenty of excellent work puncturing the more apocalyptic hype around cybersecurity—a favorite at this hearing was “Cyber Pearl Harbor”—which I need not rehash here. Even bracketing the question of how realistic some of the threat scenarios are, however, what struck me was that “cyber attack” is really something of a category error, at least as used at this hearing, where “attack” carries the grim overtones of a national security threat, and “America” as a whole is the target. In reality, you have a range of security problems facing a diverse array of public and private entities. Some are analogous to conventional state or terror‐group sponsored attacks or espionage. Most are the digital equivalents of what we’d normally label “crime”: theft, vandalism, corporate espionage, and so on.
At the extreme end, you have largely hypothetical attacks on the SCADA control systems that operate critical infrastructure like power plants or transportation networks. These have the potential to inflict the kind of damage we’d associate with a physical attack, but we’ve only got one known real‐world instance of this, and experts agree that it was almost certainly born in the USA. Such attacks are rare because they’re very difficult to carry off, involve identifying and exploiting vulnerabilities in uncommon task‐specific software systems, and would most likely require insider complicity—which means they’re probably best conceived as one aspect of the more general problem of hardening critical infrastructure targets. Ditto for attempts to compromise systems with sensitive government data—a hard problem for government IT departments, but not one Congress has an obvious role in beyond appropriating the necessary funds.
Then you have the vast majority of actual successful “cyber attacks,” which target ordinary private systems, and range from sophisticated spear‐phishing efforts aimed at exfiltrating valuable corporate commercial data to simple DDOS attacks launched by “script kiddies.” Some of these are serious and costly—but the costs are primarily borne by the targeted entities, which will more likely have the incentive, responsibility, and local knowledge required to respond appropriately.
These aren’t entirely unrelated problems: A malware‐infected private computer may be conscripted into a botnet or serve as a staging ground for an attack on a more critical target. But it hardly seems conducive to sober policy making to lump them together under the general heading of “cybersecurity.” First, because resources aren’t going to be prioritized well if officials in the grip of apocalyptic mass‐casualty scenarios start throwing money at programs that are primarily about making it harder for Anonymous to crash websites. Second, because the nature and scope of (for instance) the information sharing that might facilitate security improvements, and the privacy interests implicated by such sharing, may be quite different for these different types of cases, and be better dealt with under separate rubrics to the extent government has a role to play at all.
Plain Language Regulation?
Now where have we seen this before? S. 2337 would require that federal regulations use plain writing that is clear, concise, well‐organized, and appropriate for the subject matter and intended audience.
Well, according to the “Plain Writing Association,” efforts to produce plain writing in government go back as far as the 1977 issuance of a report on federal paperwork. President Carter commanded simple and clear regulations in 1978.
Twenty years later, President Clinton issued a memorandum calling for “Plain Language in Government Writing.”
There’s even a “PlainLanguage.gov” Web site already. Because the last Congress passed Public Law 111–274, the Plain Language Act of 2009.
Maybe passing another law will do it. Maybe the search for locution that provides a level of clarity sufficient for public consumption comes from alternate changes in public policy than to amend the expression of their societal impact. (ahem)
Cybersecurity Bills? No, Thanks
Prominent academics, experienced engineers, and professionals published an open letter to Congress yesterday, stating their opposition to CISPA and other overly broad cybersecurity bills. Highlight:
We take security very seriously, but we fervently believe that strong computer and network security does not require Internet users to sacrifice their privacy and civil liberties. The bills currently under consideration, including Rep. Rogers’ Cyber Intelligence Sharing and Protection Act of 2011 (H.R. 3523) and Sen. McCain’s SECURE IT Act (S. 2151), are drafted to allow entities who participate in relaying or receiving Internet traffic to freely monitor and redistribute those network communications. The bills nullify current legal protections against wiretapping and similar civil liberties violations for that kind of broad data sharing. By encouraging the transfer of users’ private communications to US Federal agencies, and lacking good public accountability or transparency, these “cybersecurity” bills unnecessarily trade our civil liberties for the promise of improved network security.
Cato’s recent Capitol Hill briefing on cybersecurity covered many similar points, and additional ones, too. CISPA and three other bills are scheduled for consideration on the House floor this week.