Category Archives: Criminal

The PATRIOT Act: Last Refuge of Scoundrels

“Patriotism,” as Samuel Johnson famously said, “is the last refuge of a scoundrel.”  In that sense, perhaps the USA PATRIOT Act is appropriately named after all.

In the immediate aftermath of 9/11, most people (though not everyone) agreed that the government should be given additional investigative powers to reduce the risk of more terrorist attacks.  The fact that perfectly good intelligence was already available and ignored before 9/11 was considered water under the bridge.  The attacks signaled a new era in national defense.

Electronic communications bore the brunt of government complaints that the enemy had outpaced the government in an information arms race, and not surprisingly some of the most contentious features of the PATRIOT Act involved provisions to expand government powers of surveillance, information collection, and secrecy:

  • The use of wiretaps and other electronic collection methods was largely stripped of judicial oversight, especially with regard to foreign surveillance.
  • The range of information that could be collected without probable cause (including phone, financial and other records) was expanded.
  • The rampant misuse of National Security Letters ensured that the targets of information demands (including banks and communications and Internet providers) would be gagged from revealing just how extensively the government was using its new powers.

As I say in Law Three of The Laws of Disruption (“Social Contracts in Digital Life”), however, the PATRIOT Act’s expansion of surveillance powers didn’t just spring out of the national trauma of 9/11.  In fact, it was just a new act in a long-playing drama between investigators and civil rights activists.

Since at least the invention of the telephone, state and federal law enforcement agencies have complained about the unintended consequences of information technology’s accelerating pace of disruption.  Lawmakers and courts have struggled to strike a balance between the free flow of information, as both an economic and personal imperative, and the ability of government to protect its citizens from criminal activities.

The PATRIOT Act gave investigators their golden opportunity to leapfrog the competition.  Nearly every wish on the FBI’s Christmas List was granted, including powers that had been wisely refused for decades.  Both the First and Fourth Amendments have been severely battered, as some courts and even the FBI have acknowledged.  But no one wants to give up their presents.

In 2005, when some of the more dubious provisions came up for renewal, the Bush Administration lobbied hard for and won an unmodified PATRIOT Act.  As the Cato Institute’s Julian Sanchez points out, the Obama Administration and key members of Congress including leading Democrats are now the ones singing the PATRIOT Act’s praises.  Hopes of real reform in this latest renewal process are fading fast.

To me the most dangerous aspect of anti-terror laws passed in the last decade has been the secrecy with which governments can now operate.  Meaningful judicial review of search and seizure has been cut out, gag orders have been abused, and Congress regularly tells us that if only we knew what they knew from secret briefings we’d understand why all of this other secrecy is so important.

Governments working in secret are working against the Law of Disruption.  Information wants to get out, and sooner or later it does.  That’s when we see the wisdom of the Founding Fathers in building in checks-and-balances to reduce the risk of overreaching and ultimately tyranny.

Crippling those limits, as we have done over the last decade, may or may not have made us much safer.  It has certainly made us less free.

Whether the costs outweigh the benefits is hard to say when both sets of data are being suppressed.

The Persistent Myths of Identity Theft

Law Six of The Laws of Disruption deals with the myths and realities of Internet crime.  It’s a subject that’s bothered me for a long time.  Back in the Stone Age (1995), John Perry Barlow and I wrote a Position Paper for Computer Sciences Corporation titled, “Five Privacy and Security Imperatives for Electronic Trade.”  (It’s so old I can’t even provide a link!)

This was before there was any electronic trade, or what came to be known (when it arrived) as e-commerce.  This was in the era where people were saying things like, “No one will ever give their credit card number out over the Internet.”  (Never start a sentence with “no one will ever,” especially when it relates to technology.)

The problem was that most of the people saying “no one will ever” worked for banks and credit card companies.  Many of them were clients of our research program.  They were overwhelmed by the idea of e-commerce.  Technically, they didn’t know how they would integrate their private networks with the public Internet.  From a business standpoint, they didn’t know how they could make it cost-effective to process what were expected to be smaller-dollar transactions in high volume from a new kind of merchant population.  Not to be unkind, but much of the fear surrounding e-commerce was generated to hold back the flood while these companies looked for ways to build dams.

Eventually these problems were resolved, but the fear-mongering has had a lasting effect.  In 2001, according to the Pew Internet & American Life Project, 87% of Americans said they were concerned about credit card theft online; by 2008 it was down only marginally.  Yet by 2009 over 50% of all American adults had paid online with a credit card anyway.

In the interim, of course, an entire industry has emerged with a strong incentive to keep the fear numbers high.  Companies that make money selling anti-virus software, credit reports, identity theft insurance and alternative payment methods (e.g., PayPal) stoke the fears of users that only a fool would ever type his or her credit card number into a web browser.

Identity theft is real, but for those who have been victims of it, generally the loss of money is the least of its damage (banks and credit card companies are legally obliged to return money fraudulently obtained from a customer’s account).  Restoring credit history and credit scores is where the real crimes take place, and the perpetrators are often the consumer’s own financial services providers.

The recent indictment of three men in the theft of 130 million credit card numbers is a good example of the continued obfuscation employed by the industry and their counterparts at the Federal Trade Commission, confusion often left unchallenged by journalists.  The thieves, an American named Albert Gonzalez and his offshore co-conspirators, broke into corporate networks of payment processors as well as major retailers including 7-11 and TJ Maxx.  When Gonzalez pleaded guilty, the Associated Press described him as “masterminding one of the largest cases of identity theft in U.S. history.”  Reuters called it “one of the largest identity-theft crimes on record.”

Stealing credit card numbers from corporate computers is a serious crime, but it is not “identity theft.”

The problem is that “identity theft” has come to mean many different things, including what we may now think of as the quaint form where consumers give their credit card number online to a scam artist, often in response to a fake email message purporting to be from their bank or other payment processors.  The scammer uses or sells the number to open new accounts, make fraudulent withdrawals or charges, and otherwise pass himself off as if he was the victim.  (See my 2005 article, “If Feds Fail, What Can Stop Identity Theft?”)

But that’s small potatoes compared to the kind of crime Gonzalez and his colleagues commit, where millions of credit card numbers are stolen and then sold.  Most of these, however, don’t actually result in identity theft—the credit card numbers are used to get cash and merchandise and are quickly disabled by software that recognizes dubious transactions.  Again the financial losses here are borne by the banks and credit card processors, not the consumers or the merchants.  That’s why the software is good and getting better.  It’s their money at stake.

No one’s “identity” is being stolen, but the use of the term to describe every financial fraud involving a computer amps up the terror level of consumers who largely have nothing to fear.  The vast majority of “real” identity theft has nothing to do with computers at all, but rather begins with a stolen or lost wallet, stolen or simply discarded mail, or inside jobs pulled by clerks and others with legitimate access to the data.

The real problems are on the back-end, where credit card systems are left insufficiently secured, or where laptops with sensitive data are left in the back seats of cars where they are stolen not for the data but for the hardware.  We keep hearing horror stories of government employees, university officials, and private sector employees who can’t even be bothered to put password protection on their logins, let alone encrypt their data.  And the continued use of social security numbers by private enterprises both as a customer ID and an authentication field is probably the most dangerous practice of all.

Oddly enough, these were exactly the problems Barlow and I pointed out in 1995.  The solutions were obvious then, and they’re still obvious now.  But as long as consumers are being misdirected to think it’s their behavior that needs to be controlled, the financial services industry can avoid solving their largely self-made problems.

Meanwhile, electronic commerce doesn’t grow as quickly as it could.

If anyone wants a hardcopy of my 1995 position paper, I’m happy to send it along!

Lori Drew verdict finally overturned

I wrote extensively in Chapter 8 of The Laws of Disruption about the madness of prosecuting Lori Drew, a Missouri woman, for her participation in a cruel MySpace hoax that contributed to the suicide of a 13-year-old girl named Megan Meier. Drew’s behavior aside, the decision by federal prosecutors to charge her under the Computer Fraud and Abuse Act was a cynical effort to appease an angry mob of bloggers and news media who wanted to see blood spilled. The judge, who for dubious reasons of his own allowed the case to go to the jury, signalled a few months ago that he was going to grant a defense motion to overturn the verdict, which he has now done.

As the old legal adage goes, hard cases make bad law. Had the jury’s verdict stood, federal prosecutors would have found themselves with the awesome power to treat any violation of the Terms of Service of any private website as a federal crime, limited only by the wise application of prosecutorial discretion, which the Drew case itself amply demonstrated to be a virtue best honored in the breach.

(Not to get into the details of messy facts, but most of the nasty behavior was perpetrated not by Drew but by an 18-year-old part-time employee of her home-based business, who received immunity for cooperating with the prosecution. Drew hadn’t even been the one who clicked on the “I Agree” for the MySpace Terms of Service, as if anyone believes that doing so signals understanding let alone ability to comply. The jury foreperson, after the case, made clear that their chief objection to Drew was her failure to adequately parent her own 13-year-old daughter, the other mastermind behind the hoax. If only that were a crime…)

Drew’s ultimate acquittal was never in serious doubt. But in the meantime, recognizing the lack of any real law she or her teenage co-conspirators had broken, the Missouri legislature weighed in with an idiotic anti-“cyberbullying” statute known of course as “Megan’s Law,” which is now being tested, as reported last week by CNET’s Lance Whitney. The law criminalizes the use of the phone or Internet by someone 21 years old or over to cause emotional distress to someone 17 or under. Garden-variety bullying by one’s peers and, one presumes, emotional distress inflicted by parents are still perfectly legal. In the test case, a 40-year-old woman is being charged for posting a fake personal ad on behalf of a teenage girl. The defendant faces up to four years in prison.

It doesn’t take a genius or a crystal ball to see that Megan’s Law will soon be declared unconstitutional on First Amendment grounds. Which the Missouri legislature undoubtedly knew. But passing stupid laws that appease angry mobs is easy, especially when hypocritical legislators can all rely on “activist” judges to overturn them.