The Volokh Conspiracy

I find even good flight search sites, like Hipmunk, Yapta, and Kayak, a little frustrating.  Now Google Flight Search is getting ready to do what Google does best – transform Internet tools for free. Google’s new travel search service is the first fruit from its acquisition last year of ITA Software, a travel search firm.

Lots of travel sites trembled when Google bought ITA.  And well they should.

This thing is cool.

You kind of have to explore it yourself, but the visualization tools are excellent and will save you money.  Example: A weekend trip Burlington from Washington would cost $845 right now.  Last time I took that trip, I had to fly to Albany and drive to get a decent fare.  Now, thanks to Google Flight’s visualization of future weekend fares, I’ve discovered that United will sell me a $219 weekend ticket from Dulles to Burlington if I just make reservations about a month in advance.  (To see this example, go to the search page for that trip and click on the little calendar icon on the top right side of the page.)

That’s the kind of thing you could learn from the other sites only by laboriously typing dates over and over again, then waiting to see what turned up. With Google Flight, the low fare just jumps out at you.  There’s lots more geeky fun to be had with other tools, too.

The Obama Administration’s legislative proposals on cybersecurity are a distinctly mixed bag.  But probably the worst ideas are those put forward by the Justice Department, which last week testified about the need to update the Computer Fraud and Abuse Act.

Again.

In fact, for the eleventh time since it was adopted in the 1980s.  We’ve seen this movie. Every time Congress gets exercised about cybersecurity, the Justice Department claims that the CFAA needs to be updated.  But “updated” almost always turns out to be a euphemism for “made more prosecutor-friendly.”

Justice’s latest proposals fit squarely into this mold.  Justice wants to create a new crime, hacking a critical infrastructure computer, with a mandatory minimum sentence of three years.  It wants to impose the same penalties on conspiracies and attempts as on successfully completed crimes.  It would get rid of first-time offender provisions in sentencing, increase sentences in general, allow civil forfeiture of hackers’ real estate, and make violation of the CFAA a RICO predicate, which would allow heightened penalties and private civil suits against violators.

Well, you might ask, why not get tough with hackers?  Surely we shouldn’t be playing pattycake with Anonymous and Lulzsec, let alone the foreign hackers endangering our national security.  That’s true, but the problem we have with those hackers is not the weakness of our criminal penalties but the fact that, most of the time, we can’t find them.  Until we do a better job of breaking the anonymity that protects them, increasing penalties for criminals we don’t catch will not make much difference.

Take a look at the website where Justice maintains a representative list of its most significant prosecutions.  What’s striking is how few prosecutions it has to brag about – less than 50 – and how few of those (maybe half) represent cases in which we actually caught the kind of remote hackers we’re most threatened by. I’m willing to bet that there is no other federal criminal law that has been amended so often in prosecutors’ favor with so few successful prosecutions to show for it.

The latest amendments are more of the same:  Shooting in the dark with a bigger gun. As protections against cyberattack, these amendments are useless.  They are added to the administration’s package mainly to give it the appearance of heft.

They are the legislative equivalent of Hamburger Helper.

Actually, they’re worse than that.  The RICO provision is far more dangerous than it first appears. To explain, I’ll need to repeat some of what Orin Kerr has been saying for years, so if you’re already familiar with that, you can skip the next ten paragraphs.

***

As I’ve said, the remarkable growth in cyberattacks over the last quarter century has enabled Justice to turn the CFAA into what may be the most prosecutor-friendly criminal statute on the books.  What does “prosecutor-friendly” mean in practice?  That any competent prosecutor can find a way to indict and convict anyone who does anything Really Bad with a computer.

With the CFAA, that’s mission accomplished:  The law imposes harsh criminal penalties on anyone who accesses a protected computer “without” or “in excess of” authorization.  The definition of a “protected computer” has been expanded until it covers any computer used in interstate or foreign communication, which in the Internet age is, well, every computer. As a practical matter, then, you can be indicted any time you do something on a computer that isn’t authorized. That term isn’t defined, but you can bet that if you do something Really Bad with a computer, it will turn out to be unauthorized.

Take Lori Drew, an overprotective, nasty mother who created a fake teenage-boy identity on MySpace in an effort to humiliate her daughter’s teenaged frenemy.  The scheme worked so well that the teen killed herself.  There’s no doubt that Lori Drew’s behavior was Really Bad, and it involved computers, so federal prosecutors decided it must violate the CFAA. And, mirabile dictu, it did.  By using a fake identity, Drew had violated MySpace’s terms of service, which meant that she had accessed a MySpace computer “in excess of” authorization. Drew was convicted, although in the end, with Orin Kerr’s help, the guilty verdict was overturned.

This kind of prosecutorial overreach is an inherent risk of the CFAA, given its reliance on the slippery concept of authorization.  As some civil liberties groups recently pointed out, the CFAA at its heart makes it a federal crime to violate a private contract, even a contract of adhesion like a social network’s terms of use:

If, for example, an employee photocopies an employer’s document to give to a friend without that employer’s permission, there is no federal crime (though there may be, for example, a contractual violation).  However, if an employee emails that document, there may be a CFAA violation.  If a person assumes a fictitious identity at a party, there is no federal crime.  Yet if they assume that same identity on a social network that prohibits pseudonyms, there may again be a CFAA violation.

I don’t want to be too hard on the drafters of the CFAA;  they faced a tough drafting problem.  Hackers cause terrible harm, but the things they do aren’t all that different from the things legitimate users do.  Legitimate users open files, modify code, install programs, and send data to remote sites.  So do hackers.  We know the difference between the two, but it’s not easy to express that difference without falling back on the notion that the good guys are authorized to do those things and the bad guys aren’t.

I think this means that any statute that criminalizes hacking is likely to be either too broad or not broad enough.  Congress chose broad language to make sure that hackers couldn’t get off on a technicality, but in the process it gave Justice enormous prosecutorial discretion. Justice Department official James Baker gave a persuasive defense of the “authorization” test in last week’s testimony.  But the Department’s misuse of its broad discretion in the Lori Drew case suggests a need for greater accountability and discipline within the Department.  Requiring that the head of the Criminal Division sign off on all such cases — and take the blame if they turn out badly — may be a more workable solution than taking away the prosecutors’ discretion by changing the law.

Remarkably, though, that isn’t even the worst problem created by the CFAA.  The law also creates a private cause of action, handing a big legal weapon to everyone from the RIAA to the Church of Scientology.  And private parties aren’t exactly showing a lot of restraint.  According to the Center for Democracy and Technology, at least one company has brought a CFAA counterclaim in a pregnancy discrimination case, seeking damages under the Act because its employee acted in excess of authorization on the corporate network.  What did she do?  She violated a corporate proscription on “excessive Internet use.”  Equally abusive is a case that Orin Kerr has pointed out – Sony’s threat to sue PS3 hackers because they used their own computers in violation of Sony’s licensing restrictions.

Maybe back in the 1980s, Congress thought that creating a civil action would unleash the plaintiff’s bar on real hackers.  If so, Congress was deluded.

Civil CFAA lawsuits have proliferated but by and large they aren’t being filed against people who hack into systems.  Instead, they’re being brought by corporations against employees thought to have downloaded too much information from the corporate network before quitting.  They’re being brought by websites to keep competitors from using “scraper” software to collect their pricing data. Maybe those are bad things.  If so, they’re probably already torts under state law, and it’s hard to see why the cases should be in federal court.  And if they aren’t torts under state law, well, it’s even harder to see why they should be in federal court.  It’s the law of unintended consequences run amok.

***

OK, that’s the Gospel According to Orin Kerr. Now back to the latest proposal from Justice.

Justice wants to make the CFAA one of the federal crimes that qualify as “racketeering activity” under the Racketeer Influenced and Corrupt Organizations Act, or RICO.  This would add RICO prosecutions to the long list of get-tough measures that Justice rarely uses against actual hackers because, well, because it can’t catch most actual hackers.

But that doesn’t mean the amendment would have no effect.  Because, like the CFAA, RICO creates a private cause of action against RICO violators.  Actually it’s not just a private cause of action.  It’s a bonanza. Plaintiffs can recover treble damages plus attorney’s fees by bringing suit against “racketeers.” And what do you know, just like CFAA civil suits, it turns out that most RICO civil suits have been brought against ordinary businessmen, “rather than against the archetypal, intimidating mobster,” according to the Supreme Court.

The Supreme Court and Congress have struggled for decades to curb abuses of civil RICO.  Now, almost casually, the Justice Department proposes to open another can of RICO liability for unintended defendants.

How would that happen?  First, treble damages under civil RICO can be claimed by any person “injured in his business or property by reason of” a RICO violation.  18 U.S.C. § 1964(c).    A violation of RICO occurs, inter alia, when a “person employed by or associated with any enterprise engaged in” interstate or foreign commerce participates, “directly or indirectly, in the conduct of such enterprise’s affairs through a pattern of racketeering activity.”  (Sorry for the dense language; it may help to parse the language by thinking of a mobster who acquires partial ownership of a legitimate “enterprise” through threats of violence. He would be squarely covered by the provision, as long as he committed a  pattern of racketeering activity –- that is, more than one predicate crime.  But the words will sweep in far more conduct than classic mobster tactics, especially if Justice gets its way and violating the CFAA becomes a predicate offense.)

Pulling these elements together, let’s look at what the Justice Department’s proposal would mean for some of the unnecessary federal litigation now being brought under the CFAA.  We can start with the employer lawsuits against departing employees.  Employers who want to turn their CFAA claims into much more potent RICO claims would have to show that the departing employee committed two CFAA violations, which should be easy, since every unauthorized download is a new offense.  And, they’d have to show that they were injured in their business by reason of the racketeering; this they can do by showing the same damages that supported the CFAA case.  In short, on a quick look, the Justice Department seems to have created a massive incentive for companies to sue departing employees, and perhaps the companies they join, as racketeers.  Anyone who has a plausible CFAA case today will have a plausible RICO case once Justice gets its amendment.

Okay, another one: How about CDT’s favorite case – the pregnant worker accused of a CFAA violation because of excessive Internet use?  Well, she probably violated the rule on Internet use more than once, which makes for a pattern of racketeering, and she’s employed by an enterprise, in whose affairs she participated by misusing its computers.  The enterprise has been injured, too, by virtue of not getting her full attention at work.  What do you know? She sounds like a racketeer too!  It would be malpractice not to hit her with a counterclaim for treble damages and attorneys’ fees.

(At this point, you may be wondering why the Obama administration, of all administrations, wants to give employers even heavier litigation weapons to use against their employees. Beats me.  Maybe it has something to do with trial lawyers.  Maybe it’s just prosecutorial myopia.  James Baker’s testimony doesn’t even acknowledge the issue.)

OK, let’s try a harder problem.  You’re a copyright holder — Jon Stewart, say — and you’d like faster takedowns and more respect from YouTube.  Posting copyrighted material on YouTube is a violation of law and can lead to termination of your YouTube account.  The Lori Drew case tells us that the people who post clips in violation of that policy are using YouTube’s computers “in excess of authorization.” That’s a CFAA violation.  Do it twice and it becomes a pattern of racketeering, at least if Justice gets its way.  Now, the people doing the posting aren’t employees of YouTube, but they are “associated with” the YouTube enterprise, and they are participating indirectly in the conduct of YouTube’s affairs by virtue of their shocking CFAA violations.  What’s more, the Daily Show can claim injury in its business because it has lost viewers and ad revenue.  Presto!  Another racketeer takes the fall.  Maybe they’ll name YouTube’s parent, Google, as a co-conspirator just to keep it on its toes.

Oh, and what about you, dear reader?  Have you ever violated the terms of service on a website?  Hell, have you ever read them?  C’mon, I’ve seen the comments on my privacy and TSA posts. Are you sure yours didn’t violate the site’s proscription on “abusive or denigrating comments”?  Cause if you did it twice, that’s a predicate, and VC is an interstate enterprise that you are associated with and in whose affairs you are participating by virtue of your appalling violations of the terms of use and thus of the CFAA.  Best of all, VC has what strikes me as a pretty upscale readership.  Treble damages and attorney’s fees would go a long way toward finally monetizing my blogging habit.

(Had you going there, huh?  Actually, as far as I know, VC doesn’t have any terms of use for commenters, so fire away. You’re safe.)

I’m not a RICO lawyer, thank God, so maybe I’m oversimplifying what it takes to make out a civil RICO suit.  But, what the hell, the lawyers representing departing or pregnant employees aren’t RICO lawyers either.  If the claim against them is plausible on its face, they will face overwhelming pressure to settle, quite possibly by abandoning good claims, especially if their next employer is dragged in as a co-conspirator.  Ditto for the YouTube uploaders.

And in exchange for all this uncertainty and injustice, what benefit can we expect in fighting actual criminals?  About as much as we’ve gotten from the CFAA’s private right of action, which is nothing, and from RICO’s private right of action, which is less than nothing.

This is Hamburger Helper with a dose of cyanide.

UPDATE: Clarified with a reference to Google’s ownership of YouTube

Photo credits:

http://www.flickr.com/photos/arkangl/with/4709166389/

http://www.flickr.com/photos/like_the_grand_canyon/3853938360/lightbox/

Iran is to cyberwar what 1930s Spain was to airwar – contested ground where everyone tries out new technology and tactics.  After being on the receiving end of Stuxnet, which sabotaged the Natanz enrichment plant and showed that cyberweapons could replace cruise missiles, it looks as though the Iranian government has gone on the offensive.

The Dutch government’s electronic certification authority, DigiNotar, was compromised by a hacker in July of this year.  DigiNotar handled the hack badly, trying to fix the problem without disclosing it. As a result, DigiNotar’s credentials are being revoked by all of the major browsers.  This means that most web users will not be able to verify the bona fides of any site that DigiNotar has vouched for.  That includes a lot of Dutch government sites, and there are some reports that the Dutch government is leaning on Microsoft to keep the credentials operative for another week.  It also means that DigiNotar will be either out of business or buried in lawsuits that could also reach its parent, VASCO Data Security International.

The hacker who pulled off the compromise has posted messages claiming that the hack was revenge for Dutch peacekeepers’ surrender of thousands of Muslim men to Serb militias during the Balkan wars; the men were executed. The hacker says nothing about Iranian government sponsorship.

So why do I think the Iranian government was involved?

To understand that requires a bit of background about the role of certificate authorities on the Internet.  One of Netscape’s cleverest technological innovations was its solution to the problem of Internet eavesdropping.  It used public key encryption to encrypt the channel between a website and each user.  The user could look up a site’s public key and use that key to encrypt all of the user’s communications with the site.  (I’m oversimplifying here, but that’s the idea.)

The only problem was that the system was open to a “man in the middle” attack, where Mallory turns what’s meant to be a secure link between Alice and Bob into two secure links with himself as a secret hub and Alice and Bob as unsuspecting spokes.

Put another way, if an Iranian user asks Google for its public key, and he uses it to encrypt his communications, how does he know that he’s really using Google’s key?  If the Iranian government wants to read his Gmail, it could intercept his request and send him its own key.  He’d set up a secure channel with the government, which would then simply pass his login credentials on to Google.  For the rest of the session the government would sit in the middle, reading and passing on all the packets from both sides of the transaction.  Not good.

To prevent that, Netscape decided to bake a set of public keys into its browser.  The companies with the baked-in keys were certification authorities.  They could issue certificates vouching for the credentials of every site that wanted to offer secure, encrypted communications.

It was a great system, lightweight and very secure.  But only if the certification authorities kept their credential-signing process completely secure.  If they didn’t, then users would not know who was at the other end of the line, the website they wanted or a man in the middle.

Occasionally, of course, some fraudster would use fake documents to persuade a certification authority to sign credentials for a site the fraudster didn’t own.  That sort of thing could be fixed pretty easily.  Browser providers had already recognized that there had to be a way to revoke website certificates obtained by fraud, so browsers now do an online check each time they use a certificate; in essence, they ask an online server whether the certificate they are about to use has been revoked. So a single fraudulently obtained credential can be rendered harmless as soon as the fraud is discovered.

What happened to DigiNotar was not so easily fixed.  It appears that the hacker gained control of the credential-signing process for some weeks during July of this year, and he signed credentials for hundreds of online sites, including Google, Microsoft, and the CIA.

Now, that’s deeply embarrassing, and it probably would have been enough on its own to spell the end of DigiNotar.  But what came next was even worse.

Starting in August, according to investigators, online revocation checks for DigiNotar certificates jumped. Suddenly lots of people wanted to know whether the DigiNotar certificate for Google had been revoked.  This meant that hundreds of thousands of users were sure that DigiNotar was the authority that had signed Google’s credentials.  (In fact, Google signs its own credentials.) And 99% of the users asking about DigiNotar’s certificate for Google came from Iran. (Even the 1% of requests that didn’t come from Iran seem to have come from proxies and TOR routers in other countries, meaning they too could have been Iranian users.)

Clearly a lot of Iranian users had been fooled into thinking that DigiNotar had issued Google’s credentials.  I can only think of one way that could happen – if the Iranian government and ISPs were systematically intercepting packets bound for Google and saying, in effect, “I’m Google. Here are my credentials, signed by DigiNotar.  Let’s go secure and foil any eavesdroppers.” The user’s browser would say, “Wait a minute while I check to make sure DigiNotar hasn’t revoked your DigiNotar credentials, Google… Ok, you check out, let’s talk.”  As soon as the user started sending his login name and password to the fake Google, the middleman would use those credentials to log in to Google, which would set up a secure communications channel with the middleman.  The entire session would be encrypted unbreakably at every point in the chain save the one that mattered:  the government listening post in the middle. The Iranian government would be sitting pretty — Mallory between Alice and Bob.

Some observations, mostly additional reasons for thinking that this was an Iranian government operation, and what that means:

• The notes posted by the DigiNotar hacker make him sound like a flake and a braggart, hardly the kind of postings you’d expect from the Iranian secret police. Maybe this is misdirection, or maybe he pulled off the exploit and then handed over his loot to the Iranian government, voluntarily or involuntarily. But the implementation of the man-in-the-middle attack was so quick and so smooth that it looks to me as though the hacker was working with the government from the start.
• The same hacker who compromised Diginotar claims to have carried out attacks on Comodo and Globalsign, two other certification authorities. Both companies agree that they were hacked, although Globalsign is not admitting that its credentials were compromised. Again, compromising certification authorities is a great idea if you’re in the business of man-in-the-middle attacks; otherwise it’s got mostly nihilistic look-at-me-trashing-your-infrastructure appeal, which might make you wonder why this hacker has specialized in such attacks if he doesn’t work for the government.
• If this were an Iranian government op, the websites for which fake credentials were issued should be an Iranian government wish list — all the places where it most wants to be in the middle between the site and Iranian users. If so, the point of the fake CIA certificate wasn’t help hackers break into the CIA’s network. The point was to impersonate the CIA on line – to lure dissidents into setting up an apparently secure communications channels with a foreign intelligence service.  Iranian government paranoia about the CIA’s influence is so profound it’s almost flattering, and the Iranian government probably is kidding itself that the election protests were the result of foreign meddling, not the government’s unpopularity.
• In fact, the domains whose credentials were falsified do seem to be a kind of museum of Iranian government paranoia. Along with Google, Microsoft, and the CIA, the hacker made fake credentials for Mossad, MI6, Facebook, Skype, WordPress, Twitter, azadegi.com (an Iranian dissident site in Persian), Walla.co.il (a site in Hebrew), torproject.org, and Yahoo, along with others.  The full list is here.  In some ways, it’s an honor roll.
• It’s also a tell — more evidence that the attack on DigiNotar was government sponsored.  After all, if the DigiNotar hacker was really acting on his own, without government guidance, how did he manage to create so many certificates that would have so much value for an Iranian government man-in-the-middle attack?
• If this is cyberwar, it’s an Iranian government war against its own people.  And a very dangerous one. The flood of revocation checks coming from Iran continued all through August, meaning that anyone in that country who logged on to Gmail or Hotmail or the other honor-roll sites has probably lost control of everything – not just emails they sent in August but their passwords, their stored emails, their stored files, anything that could be accessed by passwords they used in August.
• As a result, DigiNotar’s security breakdown could foretell a new human rights disaster, with hundreds of thousands of victims. And, since we know the IP addresses that checked DigiNotar’s certificates, we could probably identify each victim individually.
• Which raises this question: We know from the online revocation checks that three hundred thousand Iranian users were fooled into using fake  DigiNotar certificates for Google. The same information should be available for Microsoft, Facebook, and every other fake certificate that was issued by the hacker.  Those numbers are the big story, and I don’t understand why reporters have dropped the ball on it, unless they don’t appreciate its significance.
• Mozilla has done a particularly good job of dealing with this issue, communicating more details earlier than most browser companies. Most recently, it called on the certification authorities it bakes into its browser to audit their security — and to put automatic blocks on some of the names, such as Google or Facebook, that are most likely to inspire man-in-the-middle attacks and least likely to change certificate authorities on short notice.  In contrast, Apple handled the whole affair pretty badly, taking days longer than the other big browsers to announce that it was revoking DigiNotar’s credentials.
• Iranian dissidents probably could protect themselves from these attacks by installing a browser extension called CertPatrol, which warns you if a site you’ve visited before has suddenly changed its certificate authority.  CertPatrol likely would have told all those Gmail users that, instead of going to a “Google” site that Google vouched for, they were instead going to a “Google” site that DigiNotar vouched for. They could also protect their Google account by turning on Google’s two-step verification process, which won’t let you log on from strange IP addresses until you’ve typed in a separate code sent directly to your phone.

As always when I venture too far into technical territory, I am quite aware that there are fine points I may be missing.  I welcome corrections and comments.

Earlier this year, Bloomberg reporters sneaked onto a conference call that Swatch held with invited securities analysts.  The reporters taped Swatch executives’ two-hour exchange with the analysts, even though the call-in preliminaries included warnings that the call would be recorded for Swatch and that no other recordings should be made. When Bloomberg started selling its own transcript of the call, Swatch sued.

You might think that Swatch had some sort of privacy claim – that Bloomberg violated the wiretap or computer hacking laws.  In fact, though, Swatch registered its recording of the call with the US Copyright Office and sued Bloomberg for infringement.

Bloomberg’s actions are controversial, for sure.  But how can copyright extend this far?  We live in a world where more or less everything can be recorded. If Swatch has a copyright claim here, what about former Senator George Allen? Having learned from his macaca moment six years ago, can he announce that he’s recording all his campaign events, so no one else can?  What about a police officer who objects to bystanders using their phones to film him in action?  Can he point to his cruiser-cam and accuse the bystanders of infringing copyright?

That seems to be the view of Manhattan federal judge Alvin Hellerstein, 78, who approved Swatch’s copyright claim with little display of concern about its implications.  Denying the motion to dismiss, Judge Hellerstein blandly found that Swatch had met the requirements for claiming copyright: (1) the call was “fixed” on tape and (2) Swatch executives had exercised creativity during the call.  (Point 2 might give Swatch investors pause, of course, but that’s a different question.)

Bloomberg will be free to assert a “fair use” defense at trial, but that’s cold comfort, especially if, as I suspect, Swatch’s registration of copyright allows it to seek massively punitive statutory damages.

You might think that Judge Hellerstein was forced into this unappetizing precedent by a broadly written copyright law.  But he wasn’t.  In fact, the statute as written seems to require that Swatch give Bloomberg and everyone else 48 hours’ notice before Swatch could turn the call into a copyrighted performance.  But the court adopts Nimmer’s view and refuses that reading of the statute because limiting copyright damages claims “would serve no purpose.”

And I suppose that’s true, as long as you can’t imagine the law serving any purpose other than enforcing copyright.

UPDATE:  Corrected typo; with thanks to “great unknown.”

At Ben Wittes’s request, I’ve put up a post on Lawfare reflecting on the things I got wrong in the days after 9/11. I can’t pretend it’s much of an apology.  Here’s the gist:

First, I misread the willingness of the press and the Pulitzer committee to stop celebrating disclosures of classified information. A few years later, two New York Times reporters Eric Lichtblau and James Risen, were actually awarded a Pulitzer for blowing the secrecy of the Bush administration anti-terror wiretap program.  given the doubts about its legality, that’s understandable.  But the same two reporters, along with the Times itself, shortly thereafter disgraced themselves by disclosing a secret Treasury Department program that tracked terrorist finances — a disclosure they made despite a complete lack of either scandal or illegality.

The second thing I got wrong was thinking that the press still mattered in the same old way.  I thought that the only way to influence the national conversation about terrorism was to persuade the editors of the Times to expand their Circle of Respectable Opinion to include a greater concern for security. Instead, the months after 9/11 created massive demand for independent bloggers who were willing to highlight stories and analyses that the press was filtering out. And so began a hemorrhage of readers, a loss of indispensability, that would fatally undercut the hold that mainstream media had on the national attention.

In an odd way, the two errors are connected.  Because the mainstream media didn’t take its loss of influence well.  In fact, it acted like a country parson who begins to deliver fire and brimstone sermons as his flock starts to dwindle. Remember the New York Times’s endless campaign in 2002 against the Augusta Country Club for, um, something or other? Its attack on Bush’s antiterror programs was part of that same doubled-down bet. But the mix of self-righteousness and flop sweat that infected the Times gradually forced anyone with views to the right of Manhattan’s Upper West Side to look elsewhere for news judgment.

This just in: The right kind of bacteria in your gut can literally change your mind – reducing anxiety in stressful situations.  Now we know why they call it intestinal fortitude. Because it is.

I have an op-ed in the NY Post, commenting on the role that bureaucratic turf fights may play in the Associated Press story looking for scandal in NYPD’s counterterrorism tactics. 

Here’s a sample:

When you’re done [with the story], you find that NYPD is uniquely determined to find terrorists before they strike.  To do that, NYPD is willing to go far outside its borders — to London, to Jerusalem, even to New Jersey.

It partners with counterterror analysts at the CIA.  It looks for leads in places where terrorists have been found before – in immigrant communities and in mosques, for example – and it doesn’t give terrorists a haven where they know the cops can’t  go.  It takes advantage of its diversity by asking its officers to hang out in communities where they blend in.  It recruits street sources wherever it can find them. It maps the neighborhoods it’s most concerned about.

Shocked yet?

Me neither. 

So what gives? How come we’re getting this story, at this length, at this time?

One possibility is turf…. 

It appears that Chinese TV inadvertently disclosed custom-built software in the act of attacking Falun Gong websites.  In a story that originally broke on Falun Gong media outlets but has since been corroborated by others,  background footage from a government-run channel’s documentary “showed a piece of custom-built Chinese software actually launching a cyberattack against a U.S. target.” According to Security News Daily,

The clip shows a Chinese-language dialogue box with two drop-down menus, which, according to The Epoch Times, give users the option of selecting which IP addresses or specific websites to attack, followed by a button labeled, “Attack.”

The text above atop the software tool translates to “Select Attack Destinations,” and is credited to the Information Engineering University of China’s People’s Liberation Army.

In the video, which can be seen in its entirety here, the perpetrators apparently use or spoof an IP address belonging to the University of Alabama at Birmingham to attack Minghui.org, the main website of the Falun Gong, a Chinese spiritual practice banned in its homeland.

(The University later offered this statement: “It is impossible to tell how old the archival footage used in the military technology program is. UAB decommissioned the website in question in 2001. It appears from the Chinese video that the purpose was not to launch an attack from that website, but to block access to it. We are not aware of any attack, current or historical, involving that IP address.” )

What gives?  Are the Chinese dumb enough or insouciant enough to disclose on national TV a cyberattack program so well established that it has its own purpose-built software?  Ordinarily, we’d be left with no answers beyond this rather unsatisfying news story.  But the involvement of an American IP address almost certainly gives US prosecutors authority to investigate the incident as a possible violation of the Computer Fraud and Abuse Act.  And right now, the website of the US Attorney in the Northern District of Alabama is highlighting such achievements as “Federal Judge Sentences Hueytown Tax Preparer To 2 ½ Years In Prison.”

I’m guessing that, compared to policing Hueytown tax preparers, going after Chinese cyberattacks might look pretty good to federal investigators in Birmingham. So perhaps someday we’ll get more definitive answers about that 6-second clip.

My book, Skating on Stilts, has been named a 2010 Book of the Year, winning a bronze in the Political Science category from ForeWord Review, whose awards are made each year by a panel of librarians and booksellers choosing among the offerings of independent publishers.

I’m back from my trek through Mustang, Nepal.  Since I blegged here for toys, books, and laptops to take to rural schools along my route, I thought readers might want to learn what actually happened on the trek.  I’ve begun posting installments from my travel journal on Skating on Stilts.  Since the Volokh Conspiracy isn’t exactly a travel blog, I don’t plan to post them all here.  But for those who are interested, here’s a link, and a taste, from the first installment.  More to come soon.

The Royal Audience

It’s time for our audience with the raja.

There’s just one problem.

“What else can I wear?” I ask my son, Gordon.

I mean it literally. The raja and his remnant kingdom are tucked high in the Himalayas between Tibet and Nepal at an altitude of 12,000 feet and more. And with the shadows growing long, I am cold.

So, protocol can go hang. What I want to know is whether there are any more clothes I can put on before we meet the Raja of Lo. I’m wearing a watch cap, a rain jacket, cargo pants, and long underwear.  Not enough.  After walking four days to get to Lo Manthang, the kingdom’s ancient capital, we’ve already got on all the clean clothes we brought with us. And most of the dirty ones.

I feel a little guilty. I spent nearly four years representing the United States in meetings with foreign officials — meetings where it was a major faux pas to wear the wrong lapel pin. The kingdom of Lo has can trace its roots to 1380; it has had a king about three times as long as the United States has had a president. And I am going to sit down with its king wearing dusty hiking shoes and a watch cap.

I am pretty sure our protocol officer wouldn’t have approved.

Our guide entered the room. “Quickly please!” he said. “The raja will see you now.” I rise to my feet and head down to the street, stopping only to tuck a small bottle of local whiskey into my pocket.

Deputy Secretary Lynn has given a speech unveiling the unclassified parts of the Pentagon’s cyberwar strategy.  All of the “pillars” and practically all the unclassified content of the cyberwar strategy are defensive.  Here’s the theme: 

“Our strategy’s overriding emphasis is on denying the benefit of an attack.  Rather than rely on the threat of retaliation alone to deter attacks in cyberspace, we aim to change our adversaries’ incentives in a more fundamental way.  If an attack will not have its intended effect, those who wish us harm will have less reason to target us through cyberspace in the first place.”

 This is not completely comforting.  It’s like hearing that our nuclear war strategy is to build more fallout shelters. 

The network defenses we have today, and even the ones we hope to have tomorrow, will not deter adversaries or deny them the benefits of an attack.  The DIB Cyber Pilot, for example, is an classified version of technology the private sector has been using for nearly ten years. It’s a good thing, but it hasn’t exactly stopped hackers cold.

Defensive research is also a good idea, although neither of the ideas flagged in the speech — self-healing networks and methods for processing encrypted data — are likely to change the enormous advantage currently held by attackers in cyberspace.

So this is at best a partial strategy.  The Pentagon deserves credit for taking on the issue and doing the planning.  But the plan as described fails to engage on the hard issues, such as offense and attribution and, well, winning. 

I hope that the actual classified version doesn’t suffer from the same diplomatic and political correctness.

It took twenty years before the Somali refugee program began producing “home-grown” terrorists in any numbers, and they were home-grown in a real sense; many were disaffected second-generation immigrants rediscovering their Somali roots and ancient Somali loyalties.

The Iraq refugee program seems to have eliminated the twenty-year lag, admitting at least two fully-formed militant Islamic terrorists in April and July of 2009, according to the indispensable Lawfare blog.  Upon admission as terrorists refugees, and while they were probably still receiving welfare and other assistance from the US government, the two resumed their careers in support of terrorism aimed at American troops.  Luckily, the FBI was in control of their terrorist planning, and the two have now been arrested and indicted.

So far, so good.  But the arrests raise real questions about the Iraq refugee program.  The United States has admitted over 50,000 refugees from Iraq since the war there began.  Conditions are chaotic, and it is hard to insist on documentation.  In any event, fake documents aren’t hard to purchase in Iraq.  So it is hard to vet these refugees.

DHS did plan on using one innovative method to keep terrorists out of the program.  It proposed to compare refugee-applicants’ fingerprints to the US Defense Department’s database of latent fingerprints found on IEDs in Iraq.  That seemed like a no-brainer.  Yet at least one of the terrorist-refugees recently arrested by the FBI did leave his latent prints on an IED, according to the arresting agent’s affidavit. And he was still admitted by DHS.

All that raises serious questions.  In my view, it suggests that the Iraq refugee program is misconceived – that we are taking too great a risk in bringing large numbers of Iraqi refugees to the United States whom we cannot vet properly.  But even for supporters of the current program, it raises questions about how the program should be run.

The most important is:  What went wrong in the vetting of these two refugee applicants?  Were there clues in the terrorist-refugees’ background that we failed to pick up on?  Did they use forged documents to win refugee status?  Were they aided by Iraqi terror groups to enter the United States?  And why did the DHS fingerprint program fail?  The FBI was able to match one refugee’s latent fingerprints to DOD’s records from a 2005 IED bombing, but it did that in 2011, as part of a criminal investigation.  Why didn’t DHS find the same latent fingerprints in 2009, before it admitted the terrorist-refugee?  Did DOD withhold the prints from DHS on “privacy” and other legal grounds?  Or did the matching process simply fail for technical reasons?  Has the Iraq refugee program been suspended or revised in light of the ability of terrorists to scam it?

These are vital questions, because we continue to admit large numbers of Iraqis as refugees (the Conference of Catholic Bishops says this year’s target is another 18,000 Iraqi admissions to the US — a number that it thinks is too low but one that would increase the total number of Iraqi refugees in this country by 40%).  And, as the LA Times notes, “FBI Director Robert S. Mueller III told a House hearing in February that he had information that Al Qaeda in Iraq may have used the [US refugee program's] weaknesses to send operatives to the U.S.”  What are we doing to fix those weaknesses?  And if we can’t fix them, why are we continuing to make a priority of Iraqi refugee admissions?

UPDATE:  Fixed typo.

For years, the European Parliament has done everything it could to catch the US Congress’s eye.  Long relegated to second-class status in Europe, the European Parliament craved the respect it hoped would come from a dialogue with its “counterpart” in Washington.

Well, congratulations, guys.  You’ve succeeded.

What did the trick was the Parliament’s role in reopening the transatlantic fight over airline reservation data. After years of negotiation and at least three separate agreements on the topic, the EU and US agreed in 2007 to a long peace, one that would last until 2014.  But the European Parliament seized on a dubious technicality to reject the peace. (The technicality: only 24 of the 27 EU members had finished their lengthy treaty approval process when the Parliament’s authority to approve new treaties took effect.)

The Parliament declared that it would only approve the deal if the EU got to regulate US law enforcement practices, saying that American “use of PNR data for law enforcement and security purposes must be in line with European data protection standards, in particular regarding purpose limitation, proportionality, legal redress, limitation of the amount of data to be collected and of the length of storage periods.”

That got Congress’s attention, because airline data has been the key to many successful operations to apprehend or thwart terrorists hoping to attack Americans at home. Even the Washington Post condemned the European Parliament’s irresponsible grandstanding.

But say what you will, those European Parliamentarians certainly know how to bring us together.  In a moment of bipartisanship, the ranking Democrats and Republicans from both House and Senate Homeland Security committees have introduced joint resolutions instructing DHS not to yield an inch in talks with Europe. (Here’s the press release.)

My favorite line in the resolution is the one where Congress ”urges the Department of Homeland Security to not enter into any agreement that would impose European oversight structures on the United States.”

Actually, I thought we did that in 1776. But if it was worth doing once, it’s probably worth repeating.

Here’s a surprise. The Obama administration has unveiled a program that, if widely implemented, could dramatically improve immigration enforcement – sending millions of illegal immigrants home and reducing greatly the incentives for illegal entry – all without arresting and deporting any more people than we do today.  It could mean immigration enforcement that is effective, tough, and compassionate.

And no one has noticed.

This has been the Holy Grail of immigration enforcers for a generation. So far, they’ve pinned their hopes on E-Verify, a voluntary electronic ID check used to enforce the immigration employment laws.

E-Verify works, up to a point. When employers adopt E-Verify, the usual illegal worker scam of making up a Social Security Number doesn’t work. E-Verify checks to see whether the new hire’s name and SSN actually belong together. If they don’t match, the new hire has to correct his Social Security records if he wants to keep working.

So far, so good.  Not everyone wants E-Verify to succeed, though. Business hates it, and has fought hard to keep it from becoming mandatory.  With federal encouragement, several states have made the program mandatory for local businesses, but the Solicitor General’s office recently reversed that federal policy and asked the Supreme Court to overturn state E-Verify laws.  If Congress doesn’t act, the SG’s coup is likely to succeed, for reasons I’ve given before.

The real limit on E-Verify’s success, however, is identity theft, as critics ranging from the General Accountability Office to the Florida Chamber of Commerce are quick to point out. E-Verify can be fooled if an illegal worker assumes the name and social security number of a real person. E-Verify has struggled with that problem for years.  It’s had some success, mainly by adding ID photos to the its database, but it is still dogged by the threat of identity theft.

That’s why I was so surprised when the Obama administration solved the problem, more or less overnight.

Continue reading ‘Don’t Tell Anyone, But the Administration Just Solved the Immigration Enforcement Problem’ »

James Baker of the Justice Department recently testified to the Senate Judiciary Committee about ECPA reform, and in the process he touched on the provision of ECPA that prohibits ISPs from sharing subscriber data with the government in the absence of a court order.  Mr. Baker hinted that this provision should perhaps be expanded to prohibit ISPs from sharing subscriber data with any third party in the absence of a court order:

A sixth potentially appropriate topic for legislation is the disclosure by service providers of customer information for commercial purposes.  Under § 2702(c)(6) of ECPA, there are currently no explicit restrictions on a provider disclosing non-content information pertaining to a customer or subscriber “to any person other than a government entity.”  This approach may be insufficiently protective of customer privacy.  Congress could consider whether this rule strikes the appropriate balance between providers and customers.

http://www.wired.com/images_blogs/threatlevel/2011/04/bakerepca.pdf

This strikes me as a dangerous step from the point of view of cybersecurity.  Let me give one example.  In a distributed denial of service attack, infected consumer machines are instructed to send packets to a victim site, which is then overwhelmed by malicious traffic.  An ISP can often tell which of their customers’ machines have been infected just by looking at the nature of the signals the machines are sending.  If the ISP passes that information on to the victim site, the victim site or its service provider can shunt aside or drop signals from the infected computers as part of the target’s defenses.

Mr. Baker’s casual proposal to extend the ECPA bar on disclosure would seem to make such such defensive moves illegal in the absence of a court order.  It seems to me that this would dramatically slow responses to denial of service attacks.

Am I missing something, or is the Justice Department just clueless?  Orin Kerr, the batsignal is flashing!

A position on ACTA that DHS staked out while I was there has made the news, thanks to a recent FOIA release.

ACTA is the latest in a string of international intellectual property enforcement treaties driven by the United States Trade Representative’s office and industries that depend on IP as part of their business model.

In the Bush Administration, DHS didn’t much like ACTA, at least as it was then drafted.  It seemed like a sweetheart deal for a few intellectual property owners, who’d get free government enforcement of their private rights, potentially to the detriment of security and traditional customs enforcement.  Worse, the sweetheart deal would be written into international treaty, putting it beyond Congress’s reach if the risks we foresaw actually came to pass.  That’s what my memo to USTR said.

I still think we were right, and apparently so do outlets like Techcrunch Techdirt.  In fact, it’s kind of entertaining to watch the visible pain it causes Techcrunchdirt to admit that they, er, agree with DHS.  Or, in the words of one commenter: “Ok I am confused, what side am I supposed to root for. I thought I hated both sides.”

UPDATE: Corrected site name; thanks to commenter EMB.

The press guidance provided by China’s censors is so voluminous and detailed that leaked copies of the guidance are now available on a regular basis.  China Digital Times publishes a weekly list of what China’s censors tell their journalists not to report or hype. It’s a remarkable glimpse into the dark soul of Chinese bureaucracy, a guide to what really scares China’s rulers.  But there’s irony there as well.  I mean, why read Chinese papers when we can get all the juiciest bits from the censors themselves?

And juicy they are.  The censors’ guidance is a kind of Drudge Report for China.  Take the story about the music student who was out driving his Cruze one night and hit a mother bicycling home from her job?  Fearing that she’d gotten his license plate and would make him pay for her broken leg, he stabbed her to death in the street.  Now he too is facing the death penalty.  It’s an irresistible tale of wealth, entitlement and tragedy in modern China.

How did I find the story? Thanks to China’s State Council Information Office, which instructed Chinese websites to cover it only by reprinting copy from the Xinhua News Agency.  “Do not conduct follow-up reports,” the censors warned, “and do not repost stories related to this case.”

But my favorite in recent weeks is the guidance issued by the Central Propaganda Bureau about Liu Zhijun, 58, the recently disgraced transportation minister who ran up nearly $300 billion in debt creating China’s bullet train bubb…er…network.  The propaganda bureau has issued this frustratingly brief guidance:  “All media are not to report or hype the news that Liu Zhijun had 18 mistresses.”

Really?  How can you not hype that news?  He’s the same age as George Tenet, for God’s sake.  I want to know what he was eating.

Heck, you could fill an entire week speculating just on the logistics of the thing. Is it any wonder the guy needed to travel between cities at 200 mph?

UPDATE: Fixed broken link

Next month, my son Gordon and I are continuing a long tradition of dubious hikes (see, e.g., our heat stroke hike out of Antalya, Turkey).  We’ll be trekking up into the Mustang region of Nepal.  Closed to outsiders for many years, Mustang borders Tibet and partakes heavily of Tibetan culture. 

I’m writing about it here because, in some of our past hikes to remote areas, we’ve turned treks into schleps, carrying toys and other supplies to village schools. The best part was getting our kids to donate their much-loved but outgrown toys to the cause.  We still treasure a few photos of our mundane suburban toys in the hands of Peruvian schoolchildren (like our pillow-fencing set, right).

Unfortunately, our kids are now at that awkward age where the only toys they still have are reserved for their children, who are too young to have outgrown much.

So I’m throwing the opportunity open to readers of the blog, or at least their children.  If you’ve got kids over, say, ten, and they want to donate some of their educational toys, I’ll schlep them to Nepal and deliver them to one of three schools/libraries in Mustang that were started in memory of Alec Lowe by some of Lowe’s fellow mountaineers. And, assuming my camera keeps working, I’ll bring back a picture of Nepali kids making use of each toy.

The school/libraries are part of some very intimate and admirable work the Alec Lowe Charitable Foundation has done in Mustang.  One of their libraries is pictured, left. Liesl Clark, a moving force in the library campaign, tells me that educational toys and books in English would be quite welcome.  The libraries serve kids from preschool to secondary school, so there’s no age cutoff.

And what if you’re too old to have outgrown toys lying around?  That’s just a question of redefining toys.  Liesl says her latest project is to acquire laptops from the US, reformat the drives to Linux, and add educational software in Nepali and English:

A new program we’re working on is getting laptops into the libraries that are preloaded with Nepali-English learning software by our partner, Open Learning Exchange Nepal. If you are interested in donating any old laptops for the cause, please let me know and I can have a colleague pick the laptop(s) up from you in Kathmandu so they can be loaded with the software for the libraries. We did a pilot project with my old laptop and it was wildly successful. We hope to have at least one laptop in each library within a year.

(Here’s a nice short film that gives a feel for Mustang, and for the laptop project.)  So if you’ve got a laptop or netbook that’s been gathering dust since you switched to an iPad, this is your chance to put it to good use.

The three Mustang libraries are in Kagbeni, Tsarang, and Chhoser, near the old capital of Lo-Manthang.  For further background about the locations your kids’ toys would benefit, check out the online PBS photo-tour of the region.

Since we’re leaving in just a couple of weeks, and since there’s a limit to how much we can carry, I suggest that you email me at stewart.baker+schlep@gmail.com as soon as you decide you’re interested in making a donation. Let me know what you’d like to donate and where you are.  If demand is overwhelming, or time is short, we may have to limit contributions by weight or by location (I can pick up donations in the Washington DC area).   And, if you’re willing to donate cash as well, I’ll get information about how you can air-freight any laptops I can’t carry to Katmandu for pickup by the Open Learning Exchange.

That seems to be the theme of this article from the ever-predictable Der Spiegel, which recites a bunch of alleged failures by the German government in implementing the SWIFT data agreement, then raises the prospect of suspending the agreement, thereby cutting off US access to some financial data and making the world safer for funders of terrorism.

I testified yesterday at a government oversight hearing on TSA.  It was a through-the-looking-glass experience for anyone whose memory extends back to, well, 2007.  That’s because the Republican members mostly lined up to bash whole body imagers and talk about privacy while the Democrats mostly spoke about the importance of air passenger security.  Government Oversight chairman Issa and subcommittee chairman Chaffetz were particularly vocal in scorning TSA’s current approach. This is reminiscent of the “big switch” on privacy in the late Clinton years, when Republicans began attacking the Clinton administration on civil liberties grounds.

When your party doesn’t control the Executive, the playbook says you should attack the administration on almost any basis.  So the switch isn’t a complete surprise.  But attacks like this have consequences, and the most obvious consequence of a successful campaign against TSA will be more reliance on metal detectors, which have no hope of catching any of the bombs al Qaeda has used since 9/11.

Still, there are things TSA could do to improve security and passenger dignity, and they got some attention yesterday.  TSA should spend more time looking for terrorists, and less looking for weapons.  But to do that, TSA needs to know something about the passengers it’s screening, and in the last spasm of two-minute hate for TSA, back in 2003, Congress restricted the agency’s access to passenger data.

Luckily, it looks as though the stars are lining up to rethink that restriction.  We could see a TSA “known traveler” program in which passengers can volunteer more information in exchange for streamlined screening, something I supported at the hearing:

Imagine you are among the majority who don’t see what the fuss over travel data is about.  You authorize TSA to access data about you – travel data,say, and perhaps criminal or other records.  When you show up for your flight, your boarding pass has already been coded to show that you’re entitled to use the trusted traveler lane.  Good thing, too, because that line is much shorter.  The TSA official checks your ID and boarding pass as usual, but he waves you into a fast lane, where the most aggravating and time-consuming security procedures have been eliminated – the liquids and laptop inspections, perhaps the shoe inspection too.  No wonder the trusted traveler line is shorter; it is moving twice as fast.  Every once in a while, though, scanning the boarding pass sets off a beep, and the officer waves you into a standard line for the usual drill.  This is a random event, programmed into the system in advance based on all the data that TSA has.  The line is still a lot faster, because only a few of the trusted travelers end up in the standard inspection, but that random event makes it difficult for terrorists to game the trusted traveler program. The upshot would be faster inspections, less hassle, and more security.  More privacy too, for those who think that giving up a little information is a fair trade for fewer scans and patdowns.

Secretary Ridge helped lead a private group that recommended a similar solution yesterday.  And TSA head Pistole is also thinking along similar lines. Here’s what he said in an ABA talk recently:

We want to focus our limited resources on higher-risk passengers, while speeding and enhancing the passenger experience at the airport.

I believe what we’re working on will provide better security by more effectively deploying our resources, while also improving passengers’ travel experiences by potentially streamlining the screening experience for many people.

There are lots of risks in such a program, so the details matter, but if the flap over scanners and patdowns produces a smarter approach to travel data, maybe we’ll end up safer and less prodded at the airport.

I finally had time to listen to the oral argument in this year’s Supreme Court challenge to an Arizona immigration law.  I’ve noted before – here and here – my view that the Solicitor General was badly wrong on policy and professional grounds when he used that case to attack the e-Verify program.

The e-Verify program, which electronically checks to make sure a job applicant’s newly hired employee’s name matches his social security number, is one of the few interior immigration enforcement measures that works, does so humanely, and has significant bipartisan support.  The current Secretary of DHS, Janet Napolitano, endorsed the computer system when she was governor of Arizona and again as Secretary.  But she couldn’t keep the Justice Department from throwing e-Verify under the bus; in a telling triumph of lawyer over client, DOJ set aside its past litigating positions and declared that Arizona had no authority to mandate the use of e-Verify by Arizona businesses.

I expected a tight vote on the Court.  I still do, but it looks as though e-Verify will do worse than the rest of Arizona’s law, which may squeak through.  That will be played as a symbolic victory for the right, because it allows states some role in enforcing immigration law.  But it likely will be more symbolic than practical, because the part of Arizona’s law that may survive simply says that businesses can lose their state business licenses if they knowingly hire illegal workers.

That sounds tough, but as a practical matter, proving that a business knowingly hired illegal workers is very hard to do, even for ICE; state officials will have a much harder time making such cases, and business litigators will cut them to ribbons in the courts, claiming that they misapplied complex federal immigration law.  Will such a remote threat deter illegal hiring?  Maybe a little, but businesses that knowingly hire illegal workers are already at risk of federal criminal prosecution.  It is a vanishingly small risk in this administration, but the risk of losing a license won’t be much bigger in Arizona if the law is upheld.

Requiring all businesses in Arizona to use E-Verify, in contrast, does have an important practical impact.  Tens of thousands of Arizona employers now check to make sure that job applicants have names that match their social security numbers.  Since fake names and fake social security numbers are the simplest way to beat the current immigration employment system, taking that option off the table makes it harder to get work illegally.  And Arizona has taken that option off the table more thoroughly than most states with a mandate that has  boosted e-Verify usage substantially. Losing the state mandate will really set enforcement back.

So why do I think the Court will split the baby, giving conservatives a symbolic victory but not a practical one?  Because the oral argument featured a classic Kennedy-in-the-middle exchange.  Justice Scalia, Justice Alito, and the Chief Justice all expressed some sympathy for the anti-preemption forces.  Justice Breyer, Justice Ginsburg, and Justice Sotomayor all seem to support preemption (though Justice Sotomayor did so only on very particular grounds).  Justice Kennedy seemed to telegraph his views throughout the argument, and they were split.  He was waveringly sympathetic to the state licensing requirement, but he had no sympathy at all for the state’s e-Verify mandate.  Here’s what he said to the state’s lawyer:

JUSTICE KENNEDY:  But you are taking the mechanism that Congress said will be a pilot program that is optional, and you are making it mandatory.  It seems to me that’s almost a classic example of a State doing something that is inconsistent with the Federal requirement.

OK, in theory, Justices’ questions don’t tell you how they’re going to vote.  But that question doesn’t leave much doubt about where Justice Kennedy will come out, at least on e-Verify. To complete the vote count: Justice Thomas didn’t ask any questions, but I think it’s safe to assume he’s closer to the conservatives on this issue than to the liberals. And Justice Kagan is recused.

So it only takes four votes for e-Verify to survive, because the court below upheld the state law. And there seem to be four votes for Arizona without Justice Kennedy.  In theory, Justice Kennedy could have voted against Arizona across the board, leading to affirmance by an evenly divided court.  But if that were going to happen, it should have been announced right after the vote.  I’m guessing that Justice Kennedy did what his questions foreshadowed — cast the fifth vote in favor of Arizon’s licensing provision while splitting the Court 4-4 on e-Verify.

If I’m right, e-Verify has no future in the courts.  Justice Kagan won’t be recused the next time around, and I am confident she’ll vote to kill any state e-Verify mandate.  Indeed, the lower courts are likely to read the tea leaves and knock the mandate over the head without requiring a second round in Washington.

The good news is that a 4-4 decision should make clear to Congress that only further legislation will preserve the states’ authority to mandate e-Verify use.  And one can hope that Secretary Napolitano will have more influence over the administration’s legislative strategy than she had over the Solicitor General.

UPDATES:  Fixed links to earlier posts; also corrected description of program.

Last year, computer security researchers succeeded in hacking automotive systems.  Once they had done so, they could kill the engine, lock the doors, and turn off the brakes while the car was moving down the highway.  The attacks worked best, not surprisingly, when the researchers had been able to plug into the car’s onboard computers.  This year, the same team went looking for more creative ways to get access to cars’ onboard systems.  The most innovative of their successes came from altering the code on a music CD.  The additional signals modified the stereo system’s firmware, giving the researchers access to the car’s computer network.

It will be a while before your CDs turn on you, but the researchers seem confident that their malware can be surreptitiously added to mp3 files distributed on peer-to-peer networks.  They envision a whole new style of auto theft, in which thieves “could instruct cars to unlock their doors and report their GPS coordinates and Vehicle Identification Numbers to a central server.”

Which brings us to the RIAA.  Considering the clout they’ve already demonstrated on Capitol Hill, it may just be a matter of time before the industry persuades Senator Leahy to introduce the “Steal Our Music, We Steal Your Car” Act of 2011, authorizing copyright owners to introduce car-hacking code into Limewire and Bittorrent networks and then take possession of the music thieves’ vehicles.  No doubt, they can produce studies showing that the act would create thousands of exciting auto repo jobs, and a tie-in with CarMax would help share the lobbying burden.

OK, I’m kidding.  But I am looking forward to a bitter CFIUS debate if the Chinese try to buy XM/Sirius.

A welcome sign of sanity from France:

A French court has dismissed a criminal-libel charge brought against a journal editor over a negative book review and ordered the plaintiff to pay punitive damages. The editor, Joseph H.H. Weiler, a professor at New York University’s School of Law, said he had been awarded €8,000 (about $11,000) as a result of the action brought against him by Karin N. Calvo-Goller, a senior lecturer at the Academic Center of Law & Business, in Israel.

I posted on the lawsuit earlier.  $11,000 won’t cover a lot of legal fees, but the judgment is a rebuke to Ms. Calvo-Goller and will likely discourage libel tourism in France.

Speaking as the author of a book (have I mentioned that here?), I understand how personally authors take bad reviews.  And I find the idea of suing the reviewers for their many obvious errors mildly entertaining.  But I am gobsmacked by the imagination — not to mention the chutzpah — it takes for an author who doesn’t like a review to demand that it be taken off line, to refuse a proffered right of reply, and then to sue — not the reviewer but the publisher of the review. And for criminal libel no less.  But that’s what Karin Calvo-Goller is said to have done, in a stunning post by the victim of her ire. It begins:

My entire professional life has been in the law, but nothing had prepared me for this. I have been a tenured faculty member  at the finest institutions, most recently Harvard and NYU.  I have held visiting appointments from Florence to Singapore, from Melbourne to Jerusalem. I have acted as legal counsel to governments on four continents, handled cases before the highest jurisdictions and arbitrated the most complex disputes among economic ‘super powers.’

Last week, for the first  time I found myself  in the dock, as a criminal defendant.

And it just gets better.  Or worse.  As the defendant points out, Calvo-Goller won’t get big damages from bringing a criminal action against him, but the French state in its majesty can fine him to vindicate her honor; and the richer he is, the more her honor will cost him.  Here’s the longer version, which quotes the professor demonstrating her command of first amendment law as follows:

I am aware of the extent of freedom of expression under the First Amendment to the
Constitution of the United States (freedom which, as you know, is less extensive in
EU countries). However, the extent of that freedom ends where its exercise damages
the reputation of an individual.

I’m tempted to remark on the wisdom in general of taking human rights lessons from professors steeped in European and United Nations law, but I’m more interesting in a shorter question:  What can Karin Calvo-Goller possibly be thinking?  Already, a search of her name on Google yields in third place an entry linking “Calvo-Goller” to the phrase “an idiot and a fascist jerk”, thusly:

Given that Calvo-Goller’s actions threaten to injure her reputation by making her look like an idiot and a fascistic jerk, I am hereby charging her with criminal libel against herself.

Really.  Someone probably should let Karin Calvo-Goller know how the Internet works and about, you know, Google and stuff.  Because if she’s worried about her reputation, suppressing book reviews in the European Journal of International Law is just the beginning of the job she’s cut out for herself.

PS  In 2010, Congress adopted the SPEECH Act, which refuses enforcement of libel tourism awards, so perhaps the United States can look forward to a new wave of “libel refugees.”

UPDATE:  Original post only discussed the failed 2008 attempt to enact libel tourism protections, not the successful 2010 enactment.

The Ft. Hood shooting has finally been the subject of a careful after-action analysis — a study that DOD should have done but didn’t.  The analysis was done instead in a bipartisan report by Senators Lieberman and Collins, who lead the Homeland Security committee.  Their report reveals few new facts but offers disturbing insights into DOD’s cultural dysfunctions.

On November 5, 2009, witnesses say, Maj. Nidal Hasan leaped on a desk at a Ft. Hood readiness center, shouted “Allahu Akbar” and began executing the unarmed soldiers all around him.  Thirteen people were dead and thirty-two wounded before an armed police officer managed to shoot Hasan five times.  Now confined to a wheelchair, Hasan is expected to go on trial shortly.

Anyone who paid attention to news coverage after the rampage knows that the Army had plenty of warning about Hasan’s Islamist views.  Classmates say that he questioned whether he could fight against other Muslims and made presentations justifying the murder of non-Muslims, suggesting that Muslim-Americans in the armed forces might kill other servicemembers, defending Osama bin Laden, and justifying suicide bombers.  The servicemembers in the audience were so appalled that the instructor finally stopped one of Hasan’s presentations.  Off the record, it seems, everyone thought Hasan was dangerous, a nutjob, or an Islamist, and perhaps all three.

On the record, though, no one would criticize him.  You don’t rise in the armed forces if you can’t read your superiors.  And the rising officers who met Hasan knew what their superiors wanted without having to be told.  Islam was a religion of peace, and Muslims in the Army were a welcome sign of diversity. Treating Hasan as a dangerous Islamist would put those messages at risk.

And that might be bad for their careers.  So instead they spun Hasan’s rants into gold.  His 2007-2008 evaluation praises Hasan for having “focused his efforts on illuminating the  role of  culture and  Islamic faith  within the Global War on Terrorism.”  It adds that his “work in this area has extraordinary potential to inform national  policy and military strategy. … His unique interests have captured the interest and attention of  peers and mentors alike.”

The next year was the same, full of praise for Hasan’s “keen interest in  Islamic culture and  faith  and his shown capacity to contribute to our psychological understanding of  Islamic  nationalism and how it  may relate to events of  national security and Army interest.”

So far, no surprises.  It was clear within a few days of the shootings that political correctness had played a role in Hasan’s promotion and retention.  What the Lieberman-Collins report tells us, though, is how big a role political correctness played even after the government discovered through intercepts that Hasan was corresponding with the Yemeni-American Islamist, Anwar al-Awlaki.  (Awlaki’s name is redacted from the report but has been widely reported in the press.)

The intercepted correspondence went to the FBI’s San Diego office. According to the Lieberman-Collins report, Hasan’s initial correspondence wasn’t conclusive proof that he was a risk, but it begged for investigation.  His messages, it says, “meandered in  a ‘stream of consciousness,’ hinted at the answer Hasan  wanted to hear, and  had content that contravened officership standards.”  According to the report, “The communications on their face  raised questions of  whether Hasan was a potential counterinteligence or  counterterrorism threat.”  That’s how the FBI office in San Diego saw it too. Because Hasan was stationed at Walter Reed medical center, San Diego asked the FBI’s Washington field office to follow up.

The Washington field office booted the assignment.  It waited until the 90-day deadline for responding to inquiries was nearly up.  Then a detailee spent four hours looking at Hasan’s records.  The detailee found no mention of Hasan in terrorism databases but he did find the evaluation reports in which Hasan’s public displays of radicalization were cleverly repackaged as praiseworthy research into the “role of culture and Islamic faith within the Global War on Terrorism.”

So, put yourself in the place of the agent assigned to this problem.  You’ve got an Army major sending weird but not quite damning emails to al-Awlaki.  The Army seems to know he’s working in the area of Islam and terrorism, and he isn’t in the suspected terrorist database.  You could go talk to him, or send an official request for information to the Army.  If you do, though, there’s a chance you’ll be accused of trying to wreck Hasan’s career on flimsy evidence — on the basis of his protected religious and political speech, no less.  In addition to constitutional violations, you could be slammed for racism, or Islamophobia, or cultural insensitivity. After all, this is happening in May of 2009, and the Justice Department is under new management, management that is sending very different signals about its priorities in dealing with terrorism and Islam.

Meanwhile, the evaluation reports are staring you in the face.  They offer an easy way out of the dilemma.  “Research, yeah, that’s the ticket,” I imagine the agent saying to himself, “Hasan could be doing research.”  So he blows off San Diego’s concern without interviewing Hasan or doing anything else that might cause waves.   San Diego complains. Washington fires back. And neither office does enough followup to discover the rest of Hasan’s correspondence with Awlaki.  (There’s a long and interesting inside-baseball story about that, and the FBI’s relationship with other agencies, in the report that I may discuss in another post.)

Next thing the FBI in San Diego knows, there are thirteen dead and 32 wounded at Ft. Hood.  As the reports hit the wire, one San Diego agent points and says to another, “”You know who that is?  That’ s  our boy!”

It was indeed. You’d think a loss like that would cure DOD of political correctness.

You’d be wrong.

DOD quickly stood up an independent review of the Ft. Hood shooting by former Secretary of Veterans Affairs Togo West and retired admiral Vern Clark.  A staff of full-time contractors and military personnel served West and Clark, who were asked to look hard at internal threats to the military. The result of all this effort is a model of politically correct mush — a classic of contractor-speak, in fact.

Fifty members of the military community were gunned down, their ears still ringing with “Allahu Akbar!” shouted by a man wearing their own uniform. And the official DOD report on the attack never mentions Islam once.  In contrast, it touches on the threat posed by “low self-esteem” four times.

The closest the report comes to blaming Islamic extremism for the attack is a single sentence identifying the sources of domestic terrorism.  In case you’re wondering, they include “animal rights, environmentalism, nationalism, white supremacy, religious causes, and right-wing politics.”

So there you are.  I can’t help wondering if Secretary West and Adm. Clark expect the Pentagon to take on the threats in that order. That way, DOD would first stem the threat of excessive nationalism in the military; then it could turn to the threat posed by “religious causes.”  And maybe, just to avoid discrimination, it could do the religions alphabetically — getting to Islamic extremism after it mops up Episcopalian extremism and just before tackling Jehovah’s Witness extremism.

Okay, that’s a little unfair to Secretary West and Adm. Clark.  But only a little.  In its delicate sidestepping of Hasan’s obvious motivation, and its irresponsible sidestepping of the shocking PCness epitomized by Hasan’s evaluations, the West/Clark report is part of DOD’s problem.  It stands in stark contrast to the aggressive DOD action in 1996, when two Army soldiers carried out a racially motivated murder of an African-American couple.  Then, the Army had no trouble adopting a policy on extremist activities that forthrightly named white supremacist activities as a basis for disciplining soldiers.

When it comes to jihad, though, the mealy-mouthed West/Clark report tells us everything we need to know about DOD’s thinking. As the Lieberman-Collins report makes clear, the Army had all the tools it needed to deal with Hasan’s radicalization; it had used them recently and to good effect against racist and white supremacist groups in the Army.  As the Lieberman/Collins report makes clear, however, Islamic supremacy is an ideology that DOD refuses to acknowledge:

Neither of  Secretary Gates’ two memoranda directing implementation of particular West/Clark recommendations mentions violent Islamist extremism explicitly.  Both memoranda continue to down play the unique threat of violent Islamist extremism by portraying it as a subset of a more general threat – either workplace violence or undefined “extremism” more generally.  We remain concerned that DoD will  not appropriately revise policies to address violent Islamist extremism among servicemembers and that DoD personnel will not be specifically trained concerning violent Islamist extremism.

That sounds like a safe bet to me.  But it’s a bet likely to be measured in deaths not dollars.

If there’s anything I’ve learned in government, it’s that intellectual climate matters.  The 9/11 attacks were aided greatly by an intellectual climate in which privacy and civil liberties had far more practical value than preventing terrorist attacks. And a climate in which Islamic radicalization is described only in euphemisms didn’t just protect Hasan from scrutiny.  It help the next recruit as well.

That’s why efforts to shut the Overton window on inquiries into domestic radicalization are not just wooly-minded.  They’re dangerous.  This time, political correctness runs the risk of getting Americans killed – by discouraging counterterrorism officials from doing their jobs properly.

Senators Lieberman and Collins deserve credit for their courage in holding the window open.