I’m pleased to post nominations in the hotly contested first category of Dubious Achievements in Privacy Law. Take your time to make a choice. Voting will not open until all nominations have been published — likely December 15.
Corrections and suggestions for additional nominees may be sent to email@example.com. But for those who think a particular nomination is unfair, the best remedy is to vote for a nominee who deserves the award and encourage others to do the same.
The 2014 Privies —
“Privacy Hypocrite of the Year”
a. Viviane Reding, European Commissioner for Justice, Fundamental Rights, and Citizenship
Why Regulate Ourselves When We Can Regulate the United States?
Commissioner Reding has led the charge to impose European restrictions on the way the National Security Agency gathers intelligence. When asked by the Guardian why the European Commission didn’t start by imposing restrictions on the way European Union members like Great Britain gather intelligence, she said
[T]here was little she or Brussels could do …, since secret services in the EU were the strict remit of national governments. The commission has demanded but failed to obtain detailed information from the British government on how UK surveillance practices are affecting other EU citizens…. “I have direct competence in law enforcement but not in secret services. That remains with the member states. In general, secret services are national,” said the commissioner.
Unless those secret services are American, apparently.
b. Francois Hollande, President of France
Spying on Allies is “Totally Unacceptable” Except When We Do It
President Hollande called President Obama to describe U.S. spying on its allies as “totally unacceptable,” language that was repeated by the Foreign Ministry when it castigated the U.S. ambassador over a story in Le Monde claiming that NSA had scooped up 70 million communications in France in a single month.
Whoops. Two days later, former French foreign minister Kouchner admitted, “Let’s be honest, we eavesdrop too. Everyone is listening to everyone else. But we don’t have the same means as the United States, which makes us jealous.”
No, make that a double helping of Whoops. Because a week later, the Wall Street Journal revealed that it was the French government, not the NSA, that had collected the data: “Millions of phone records at the center of a firestorm in Europe over spying by the National Security Agency were secretly supplied to the U.S. by European intelligence services—not collected by the NSA, upending a furor that cast a pall over trans-Atlantic relations.
c. James Sensenbrenner, U.S. House of Representatives
You Hid Information From Me By Disclosing It at Briefings I Refused to Attend
Rep. Sensenbrenner (R-WI) was chairman of the House Judiciary Committee when section 215 of the USA PATRIOT Act was first enacted, but in 2013 he repudiated the telephone metadata that had been built on section 215.
Rep. Sensenbrenner complained that the program had been hidden from Congress: “the NSA has cloaked its operations behind such a thick cloud of secrecy that, even if our trust was restored, Congress and the American people would lack the ability to verify it.” Then it turned out that Justice Department witnesses appearing before the Judiciary Committee had made express references to the program in open testimony and to separate classified briefings offered to the members. At which point, Rep. Sensenbrenner declared that he refused to attend most secret briefings because he didn’t want to bear the burden of protecting classified information.
d. Angela Merkel, Chancellor of Germany
We Need Trust — and Can We Get Our List of 300 Targeted Americans Back, Too?
Chancellor Merkel reacted with outrage to a story that NSA had monitored her personal mobile phone, calling President Obama and demanding an explanation. “We need trust,…” she said. “Spying among friends cannot be.” Some in Merkel’s allied party explained the reaction by comparing U.S. eavesdropping to the methods of the East German Communist regime. But similar tactics by actual Communists received a very different reaction. When Chancellor Merkel visited China right after public disclosures that the Chinese had penetrated her computer network, she managed to be “all smiles” for the Chinese while praising relations between the two countries as “open and constructive.” There were no demands then for trust or an end to China’s hacking campaign.
And it turns out that spying on allies is a good deal more acceptable when Berlin is doing the spying. According to Der Spiegel, in 2008,
[T]he BND, Germany’s foreign intelligence service, inadvertently sent American officials a list of 300 phone numbers belonging to US citizens and residents — raising suspicions that the numbers had been tapped. A former deputy secretary of homeland security under President George W. Bush also described French and German intelligence agencies as “good” at spying on American officials. And US National Intelligence Director James Clapper on Tuesday testified before Congress that European allies are guilty of the same kind of spying that the US does.
e. Secretary Kathleen Sebelius
Harsh Privacy Penalties for Thee, But Not For Me
Secretary Sebelius’s Department of Health and Human Services imposed harsh penalties on companies handling health data during 2012. Even when there was no evidence that any data had been compromised, her department extracted millions of dollars in fines from companies that failed to perform adequate planning and testing for the security of their networks. Wellpoint, which among other things “did not perform an adequate technical evaluation in response to a software upgrade,” paid $1.7 million in fines. Idaho State, which “did not conduct an analysis of the risk to the confidentiality of [health data] as part of its security management process,” paid $400,000.
But those were the rules for others, not for HHS itself. Charged with implementing a website, healthcare.gov, that will carry sensitive health data for millions of Americans, HHS ignored the rules it imposed on the private sector. According to David Kennedy of TrustedSec, “even basic security was not built into the healthcare.gov website. TrustedSec is confident based on the exposures identified that the website has critical risks associated with it and security concerns should be remediated immediately.” Morgan Wright of Crowd Sourced Investigations pointed to failings that Wellpoint and Idaho State will have no difficulty recognizing: “The first major issue is the lack of, and inability to conduct, an end‐to-end security test on the production system. The number of contractors and absence of an apparent overall security lead indicates no one was in possession of a comprehensive, top-down view of the full security posture.”
CategoryTwo — “We All Got to Serve Somebody”
Worst Use of Privacy Law to Protect Power and Privilege
UPDATE: Corrected spelling of Francois Hollande’s name. Thanks Yefim Somin.