Privacy

USDOT Calls for Connected Vehicle Mandate; Security and Privacy Concerns Remain

The U.S. Department of Transportation (DOT) announced today it would chart a regulatory path that would require all new automobiles to be equipped with vehicle-to-vehicle (V2V) communications systems sometime in the next several years. This follows a National Transportation Safety Board recommendation that connected vehicle technology be mandated on all new vehicles.

V2V and vehicle-to-infrastructure (V2I) safety systems could provide large safety benefits in the future. Unfortunately, DOT has jumped the gun, requiring systems while large challenges remain, particularly issues related to data privacy and security.

A November 2013 report from the Government Accountability Office (GAO) provides a good description of what DOT is attempting to do:

DOT and the automobile industry have been conducting research on new types of technologies to prevent crashes—called vehicle-to-vehicle (V2V) technologies—in recent years. These technologies facilitate the sharing of data, such as vehicle speed and location, among vehicles to warn drivers of potential collisions. Based on the data shared, V2V technologies are capable of warning drivers of imminent collisions, including some that sensor-based crash avoidance technologies would be unable to detect. DOT’s efforts related to these technologies are being led by NHTSA and the Intelligent Transportation Systems (ITS) Joint Program Office within DOT’s Research and Innovative Technology Administration (RITA). According to NHTSA, if V2V technologies are widely deployed, they have the potential to address 76 percent of multi-vehicle crashes involving at least one light vehicle by providing warnings to drivers.

Sounds good, right? But there are big challenges to V2V deployment, of which GAO identifies five:

1) finalizing the technical framework and management framework of a V2V communication security system, which will be unique in its size and structure; 2) ensuring that the possible sharing with other wireless users of the radio-frequency spectrum used by V2V communications will not adversely affect V2V technology’s performance; 3) ensuring that drivers respond appropriately to warnings of potential collisions; 4) addressing the uncertainty related to potential liability issues posed by V2V technologies; and 5) addressing any concerns the public may have, including those related to privacy.

Requiring that cars “talk to each other” before critical issues related to security (how are hackers prevented from manipulating V2V warnings and how are the security systems financed and operated?) and privacy (who owns the V2V data collected and who may obtain it, and under what conditions may they obtain it?) are resolved strikes me as premature. The automakers and senior lawmakers, such as Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., are similarly concerned.

The private sector, in partnership with government researchers, has been methodically developing V2V and V2I technologies. We should allow them to continue this process without the imposition of regulatory mandates, however good the intentions. Once the technologies have been sufficiently improved, we should allow the market to determine V2V deployment. Not only will this maintain consumer and producer choice, but it will reduce the very real safety risks associated with prematurely deploying potentially flawed technologies.

Even if you believe a V2V government mandate is an appropriate public policy position, you should recognize that this call from DOT is premature. Lawmakers should call on the DOT to continue its partnership with the private sector in the development of nonbinding V2V standards, rather than moving forward with strict regulatory requirements.

Target, Retailers Use Dodd-Frank to Skimp on Data Security

Chutzpah, thy name is the National Retail Federation!

In the wake of the recent credit and debit card breach at Target that may have compromised the data of up to 110 million consumers, the leading retail trade association argued in federal court on Friday that it should pay even less for fraud prevention and cleanup after fraud losses.

Joined by the National Association of Convenience Stores and the National Restaurant Association, the NRF claimed to the court that it is actually against the law for banks and credit unions to charge retailers for fraud losses in debit card processing fees. “The inclusion of fraud losses in the allowable costs recoverable … cannot be justified,” the groups maintained in a legal brief (page 20).

The interchange fees that banks and credit unions charge merchants for debit card transactions — what retailers pejoratively call “swipe fees” — have been subject to price controls since the passage of the Dodd-Frank financial overhaul in 2010. Dodd-Frank’s Durbin Amendment, which came about as a result of heavy lobbying by Target, Wal-Mart and other big retailers, states that the debit interchange fees charged to retailers must be “reasonable and proportional to the cost incurred by the issuer [bank or credit union issuing the card] with respect to the transaction.”

CEI opposed the Durbin Amendment from the start, because we believe price controls are a violation of individual property rights and turn out to be impractical. But many who voted for the Durbin Amendment believed that the price-setting process would be similar to rate regulation of electricity and phone service, in that the fee set would allow for infrastructure and service costs plus what is judged as a “reasonable rate of return.”

What happened, though, was that ever since the Fed began implementing the provision, the retail lobby has argued not only that the provision bars banks and credit unions from profiting on the fees charged to retailers, but also that only a very limited portion of costs could actually be recovered in the fee.


Target Breach — Are Dodd-Frank “Swipe Fee” Price Controls to Blame?

Target wants you to know it is oh-so-sorry for any inconvenience its data SNAFU (as OpenMarket is a family blog, please look up the acronym) has caused, and as a token of its concern, it offered customers a whopping 10 percent discount this weekend!

In the meantime, who is cleaning up the mess from Target’s breach that has affected as many as 40 million credit and debit card accounts? The nation’s banks and credit unions — big and small. In East Tennessee, for instance, Citizens National Bank canceled and reissued 1,000 credit and debit cards potentially affected, but took the step of calling each customer beforehand.

This is just the latest incident in which banks and credit unions that issue credit and debit cards have had to step up to the plate after a retailer’s customer data is compromised. As noted by Wisconsin Credit Union League CEO Brett A. Thompson, upon a data breach at Michaels craft stores in 2001, the financial institutions “had to determine which states were involved, monitor potentially compromised accounts, manually reduce limits for both ATM and PIN transactions, monitor ATM transactions in the affected states, notify debit card holders of potential fraud on their accounts, issue new debit cards to those whose accounts were compromised and refund money to fraud victims.”

Yet how do retailers repay banks and credit unions and their own customers? By complaining about how much they have to pay in credit and debit card “swipe fees” and lobbying for price controls, such as the Durbin Amendment of the 2010 Dodd-Frank financial “reform,” which limited what retailers can be charged for debit cards to 21 cents per swipe (a level a judge has now ruled is not draconian enough in a pending court case!).


Memo to Road Socialists: There Is Nothing Unlibertarian about Road Pricing

Virginia just elected Democrat Terry McAuliffe as governor, as had been predicted by every poll conducted during the past few months — although at much smaller margins than had been projected. During the twilight hours of the campaign, some of Republican Ken Cuccinelli’s supporters began attacking Libertarian Robert Sarvis for various alleged ideological sins. One in particular involved Sarvis’s expressed support for adopting a user-based funding model for Virginia’s roads, specifically his mention of a mileage-based user fee as a possible replacement to fuel and non-user tax revenue.

The claim is that this is necessarily a government surveillance scheme and that such a proposal is inherently unlibertarian. This is false and is based upon ignorance of how such systems actually operate. Furthermore, labeling a mileage-based user fee system as unlibertarian runs contrary to the opinions of virtually every libertarian transportation scholar. What follows is my attempt to articulate why libertarians ought to support mileage-based user fees over fuel taxes and general tax revenue funding for transportation.

Virginia’s New Transportation Law

To put this in context, outgoing Republican Virginia Governor Bob McDonnell enacted this past spring a tax-and-spend transportation law that raised taxes, failed to do serious program reform, and increased the share of non-user funding for Virginia’s roads. CEI harshly criticized the plan for these reasons. In the lead up to the vote, Cuccinelli supported a watered-down proposal that didn’t rely on the general sales and use tax increases backed by McDonnell. However, the Cuccinelli-supported plan, just like the McDonnell plan, relied on increased sales tax funding of transportation, and assumed Congress would legalize state Internet sales taxes so Virginia could use the “Amazon tax” to fund transportation projects.

In October, the Cuccinelli campaign released a seemingly reasonable transportation plan that stressed the devolution of funding and management responsibility from the state to local authorities (the Sarvis campaign also repeatedly stressed decentralization of transportation funding and management). While decentralization, ideally to the facility level, is a goal shared by many fans of free markets and limited government, the Cuccinelli plan failed to articulate how locally controlled roads should be funded — specifically, the revenue collection mechanisms. Out of the three candidates, only Sarvis offered user-based road pricing alternatives such as tolling and a mileage-based user fee (MBUF).


Stop Watching Us: End Suspicionless NSA Mass Surveillance

By now, pretty much everybody has heard that the U.S. National Security Agency is indiscriminately collecting private information about all Americans who use a major U.S. phone company — including the phone numbers of both parties to any call involving a person in the United States. And the NSA is collecting buddy lists, monitoring email traffic, and gathering an untold-but-vast amount of other data from millions of people around the world. Stunning new revelations about this surveillance keep emerging; just this afternoon, German Chancellor Angela Merkel called President Barack Obama to complain about reports that the United States may have tapped her mobile phone. (The White House refused to comment on past snooping, stating only that the U.S. government doesn’t currently listen to Merkel’s calls, and won’t do so in the future.)

A broad coalition called StopWatching.us has brought together over 100 public advocacy organizations and companies from across the ideological spectrum to educate lawmakers and the public about these mass surveillance programs. The Competitive Enterprise Institute, the sponsor of this blog, is a member of the coalition. And over 500,000 people have signed the StopWatching.us petition. On Saturday, October 26, StopWatching.us is hosting a rally in Washington, D.C., in front of Union Station, to protest the mass surveillance programs. Go here for more details.

Meanwhile, check out this new Electronic Frontier Foundation-produced video, which features Maggie Gyllenhaal, Oliver Stone, John Cusack, Wil Wheaton, Rep. John Conyers Jr., and Phil Donahue speaking out against mass surveillance by the NSA:

As I stated in my previous article, a federal court is currently hearing a lawsuit challenging Google’s “targeted advertising” practices. The plaintiffs claim the company violated the Wiretap Act, but Google insists that its conduct falls under exceptions within the Act.

One such exception that likely applies to Google is the “ordinary course of business” clause:

2(a)(i) It shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks.

Google uses targeted advertising in order to fund and therefore maintain its free email services. The plaintiffs argue that this goes against the industry standard for “ordinary business” practices:

263. The ordinary course of business within the industry for webmail electronic communication services for the ability to send and receive electronic communications does not include the interception and use of content of an electronic communication as Google performs on the subject electronic communications.

But Google makes a solid argument, in its motion to dismiss, that ordinary business practices need only apply to the specific business in question:

But the “ordinary course of business” exemption does not turn on whether an alleged practice is necessary for an ECS provider to deliver an electronic communication. Nor does the exemption turn on whether an ECS provider’s practices conform to Plaintiffs’ subjective notion of the prevailing “industry standard.” Indeed, it would be nonsensical to assume that Congress intended to deprive an ECS provider of the “ordinary course of business” exemption simply because it chooses to run its business differently (or better) than its competitors.

In the case of Google, targeted advertising provides revenue which is used to maintain the free email service at high quality. Without this source of revenue, Google might well have to restructure a core aspect of its current business model.

Nevertheless, since Google explains that “written messages” will be scanned and that they will also be used for advertising purposes, the company is fully within its rights to use Gmail messages for advertising purposes.

Google should continue to stand up for its current methods; otherwise, courts will be enabled to discriminate against new business models at will.

It has long been widely known that Google uses software that scans its users’ Gmail messages to generate targeted advertising. Recently, though, a lawsuit has been allowed to proceed in federal court in which the plaintiffs accuse Google of violating the Wiretap Act by scanning user emails.

This controversy is nothing new for Google, which has faced numerous privacy challenges since launching Gmail in 2004.

In the ongoing case, the plaintiffs base their complaint on the argument that Google’s email scanning violates the Wiretap Act, a federal law that prohibits the interception of wired and electronic communications in many circumstances. But Google argues that the law’s exceptions give the company a right to scan emails. First, Google points to the Wiretap Act’s consent clause:

2(d) It shall not be unlawful under this chapter for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.

As long as Gmail account holders have agreed to Google’s terms of service, and those terms specify that Google has the right to intercept users’ messages, then Google has their consent to intercept. Google does specify such interception practices in subparagraph 8.3 of its 2007 terms of service, which remained in force until March 2012:

8.3 Google reserves the right (but shall have no obligation) to pre-screen, review, flag, filter, modify, refuse or remove any or all Content from any Service…


Mississippi Should Tell CFPB to “Stop Spying on Me”

The federal Consumer Financial Protection Bureau is coming to Mississippi Wednesday and Thursday with a public forum on “access to information.” A vital question for Mississippians to ask leaders of the bureaucracy at the venue, being held from 11 AM to 1 PM tomorrow at Mississippi Valley State University in Itta Bena, is why the CFPB wants so much access to their personal information.

Here is the CFPB’s meeting agenda for Mississippi. This Facebook page tells about the privacy violations and other problems with this uniquely unaccountable governmental entity.

The CFPB, created by the Dodd-Frank financial overhaul to defend consumers in the credit card and mortgage markets, is building a database of sensitive individual financial information that rivals that of the National Security Agency. According to Bloomberg News, the CFPB already has “anonymous information about at least 10 million consumers.”

On top of this, at a U.S. House hearing in July, CFPB acting deputy director Steven Antonakes revealed that the bureau hopes to monitor 900 million credit-card accounts. This represents nearly 80 percent of the U.S. credit-card market. Sen. Mike Crapo (R-Idaho), a consistent advocate of privacy who called for limits on the surveillance provisions of the PATRIOT Act during the Bush administration, declared, “The bureau was founded with a mission to watch out for American consumers, not to watch them.”

CFPB director Richard Cordray, who will be at the forum as well as CFPB meetings in Itta Bena and Jackson that are closed to the public, has defended the database by saying that the CFPB blocks out “personally identifiable information” such as Social Security numbers, and that these mounds of data are needed for the CFPB to “understand” the markets it is regulating.


Have a listen here.

In the wake of the NSA’s spying scandal, several groups are filing a lawsuit challenging the NSA’s actions as unconstitutional. Associate Director of Technology Studies Ryan Radia shares many of the suit’s criticisms of the NSA, and adds a few of his own.

DHS Secretary Napolitano Resigns, TSA Body Scanner Scandal Remains Unresolved

Homeland Security Secretary Janet Napolitano is resigning to become president of the University of California system. Republican politicians such as Sen. John McCain (R-Ariz.) and Rep. Mike McCaul (R-Tex.) quickly praised Napolitano when news of her resignation broke, with McCain saying she “served our nation with honor” and McCaul touting her as “someone who does not underestimate the threats against us.”

Fortunately, not all Republican members of Congress are as enthusiastic when it comes to America’s bloated and malignant security state. “Secretary Napolitano’s departure comes not a minute too soon,” said Rep. John Mica (R-Fla.). “Now is a good time for Congress to consider dismantling the monstrous Department of Homeland Security and replacing it with a smaller security focused entity that is realistically capable of connecting the dots of threats posed to our national security.” Hear, hear, Rep. Mica.

News of Napolitano’s resignation deserves one response from civil libertarians and those in favor of risk-based security policy: Don’t let the door hit you on the way out. Among other unsavory deeds, for her entire tenure, she allowed the Transportation Security Administration to illegally deploy whole-body imaging scanners in airports. Until a court ordered the TSA in July 2011 to conduct the legally mandated regulatory proceeding, officials at the Department of Homeland Security maintained that such basic lawful administrative procedures were unnecessary and the public had no right to officially comment on the use of the machines. It then took over a year and a half for the TSA to open the regulatory proceeding in March 2013, something it should have done in 2009 before deploying the scanners in the first place.

In the proceeding, CEI and former American Airlines Chairman and CEO Robert L. Crandall submitted formal comments highlighting the TSA’s continued flouting of federal law and the agency’s incredibly shoddy cost-benefit analysis and risk assessment (which remains classified for some reason). These comments can be found here with a podcast explaining the issues at stake available here. The TSA is still illegally deploying body scanners and it will likely take another court order to ultimately put a halt to, or at least reduce, the agency’s pathological lawlessness.

While we cheer what is hopefully the end of Napolitano’s political career, it is quite possible the Obama administration’s replacement could be even worse. On that slightly pessimistic note, happy Friday, everyone!