The Supreme Court declined to hear an appeal of the Sixth Circuit’s ruling that the plaintiffs in the NSA suit here in Michigan lacked standing. The hard part, of course, is it’s extremely difficult to prove standing here – that’s the whole point of a covert surveillance regime.

So, AT&T is safe legally (especially if President Bush gets his way, and the telcos are immunized from liability), but they deserve this type of ridicule for complying so eagerly with the government’s rather broad surveillance requests. (Diverting all traffic so the NSA can monitor seems, well, overbroad.) Keep your eye on the negotiations in the House.

Intelligence officials who have examined these systems say they’re convinced that the qualities that many computer users find so attractive about virtual worlds — including anonymity, global access and the expanded ability to make financial transfers outside normal channels — have turned them into seedbeds for transnational threats.
[snip]
The government’s growing concern seems likely to make virtual worlds the next battlefield in the struggle over the proper limits on the government’s quest to improve security through data collection and analysis and the surveillance of commercial computer systems.

O’Harrow quotes from a U.S. intelligence study that says something like: “All the kids today are dancing and ‘jiving’ to this new rock-and-roll music on their jukeboxes, leading to increased lascivious behavior and moral decay.”

Now, I understand the possible dangers inherent in a global digital network that facilitates anonymity and allows users to make financial transactions. But that system is called the internet. It isn’t clear to me why those portions of the internet taken up by Second Life are necessarily more threatening than somewhat more familiar problems such as encrypted e-mail or money-transfer systems like PayPal. These innovations can be used for crime. My guess is that the novelty of flying avatars and virtual buildings drives the government’s fear, rather than a significant increase in actual risk from Second Life over and above the internet as a whole.

Even conceding that Second Life could be an especially attractive haven for Bad Guys, the potential for an over-reaction is very high. After all, regular old telephones help criminals and terrorists to communicate too, but that does not necessarily justify routinely monitoring them on a massive scale. (As Jim Dempsey of CDT aptly notes, “When the government is finished, every new technology becomes a more powerful surveillance tool than the technology before it.”)

I certainly hope we won’t see a rush to install monitoring or data-mining in these environments, either as a legal requirement or — perhaps more likely — though the eager cooperation of their proprietors. In a somewhat ominous sign, O’Harrow reports that Linden Lab is already hurrying to reassure the spooks that there is plenty of monitoring already in place:

Officials from Linden Lab have initiated meetings with people in the intelligence community about virtual worlds. They try to stress that systems to monitor avatar activity and identify risky behavior are built into the technology, according to Ken Dreifach, Linden’s deputy general counsel.

Is Linden Lab headed down the well-trodden path, already taken by many airlines, phone companies, and search engines, of voluntarily handing over their customers’ information to the government’s data-mining machine? Let’s hope not.

This is a nice example of an information law problem in an environment with very low information costs (at least end user costs). Google Earth and Live Local provide all sorts of neat information, but they’re like vacuums: they pick up desirable stuff and the (metaphorical) cat’s tail with equal ease. The standard moves here are to inveigh against a US company risking our national security during a war on terror (um, is al-Qaeda building nuclear subs?) or to bemoan the inability to protect information in the age of the Internet and distributed computing.

But, as law and economics folks will tell you, sometimes we should expand our focus and to see what other, possibly cheaper fixes are available. If I don’t want someone photographing my cat, I can close my shades, or we can regulate the sale of telephoto lenses. Which is less expensive / intrusive? Is it better to compel Google and Microsoft to filter their content, or to ask drydocks to cover a sub’s private parts with a tarp?

I’m being somewhat facetious, but the problem is a recurring one: information becomes available via the Net and is embarrassing / naughty / potentially dangerous, and there are calls for regulation or for limits. But sometimes self-help is the best help of all…

I’ve wanted for a while to post something about proposals to improve the database used to conduct background checks for gun purchases under the Brady Law. Last month’s tragic shootings at Virginia Tech demonstrated that this background check does not do a good job of screening out mentally ill gun purchasers. As we now know, in December 2005 a Virginia court found Seung Hui Cho, the perpetrator of that crime, an imminent danger to himself as a result of mental illness. Cho was ordered to receive involuntary outpatient treatment, but never did. Putting aside what this says about the inadequacies of our mental health system, why was Cho allowed to buy a gun?

The short answer is that he wasn’t allowed. Since 1968, federal law has barred persons who are “adjudicated mentally defective” (the age of the statute shows from the antiquated language) — along with others including convicted felons — from purchasing firearms. Since 1994, the Brady Law has required background checks of firearms purchasers to ensure that they qualify for gun ownership under these 1968 provisions.

But as all info/law types know, a database is only as good as the data you feed it. And the data going in to the National Instant Check System, or NICS, is not always the best. Since most of the relevant legal determinations (such as felony convictions or involuntary mental health commitments) are made by states, the states hold the data. And the federal government has no real power to require that the states make data about these decisions available, as the Supreme Court held in Printz v. United States, a major federalism decision stemming from the Brady Law. Absent any requirement with teeth, states have not added all the relevant records to NICS for a variety of reasons — cost, opposition to gun control, adherence to state privacy laws, lack of initiative or disorganization. (There are many more complexities here. For one, in some states gun dealers contact local authorities for background checks, meaning that records available from other states may not even be consulted. But you get the idea.)

The media has reported the discovery of this “loophole” with incredulity. And I understand the sentiment. But for those of us who have followed this issue for a long time, this is not news. Indeed, Fox Butterfield, the veteran gun issues reporter for the New York Times, wrote lengthy exposes of these problems, including the lack of mental health records in NICS, all the way back in the year 2000. The problem is that, despite the fantasy of high technology on shows like 24 or CSI: Paducah, there is no Bat-Computer. Law enforcement access to data is not as sophisticated as the general public believes.

Predictably, there are now proposals to improve the system. Virginia’s governor plans to provide more information about the state’s mental health decisions to NICS; other states are following suit. At the federal level, Congresswoman Carolyn McCarthy, a long-time gun control advocate, is promoting her bill to give states more funds to improve the quality of data, and withdrawing funds to penalize those that do not, as reported here. These seem like good ideas, generally speaking.

But there is a big catch: data privacy. Understandably, mental health advocates are concerned about assembling a big national database of everyone diagnosed with such problems. And they should be. In other contexts, big government databases rightfully make us nervous. The federal government’s sorry history in maintaining an accurate and useful no-fly list shows that, even when the intended purpose of the database is worthy, the details of implementation can change a good database into a bad one. Likewise, critics associated with both the left and the right have questioned the employee-verification requirements embodied in the immigration bill now before Congress because they threaten to create another privacy-infringing and error-riddled database. Inaccuracies and misuses harm individuals and undermine the purpose for which the database is designed.

The Brady Law proposals now on the table focus on getting more records into NICS, but they seem pretty light on the how — the features of law and system design necessary to protect privacy. One fundamental precept embodied in NICS is that it functions as a “red light/green light” system, telling firearm dealers whether or not they may “PROCEED” to sell the gun, period, without any further details. It would be good to move that same principle upstream from the output to gun dealers and into the collection and warehousing of the data. Both law and code should create a database that is usable to check names for firearm sales, but not as a source for other purposes. And there also must be the capacity to audit, correct, and update. There is no omniscient Bat-Computer, but anyway we’re better off with smaller, nimbler, privacy-protective databases that provide limited disclosures for limited and important purposes.

These are complex issues. I certainly hope they don’t get overlooked in the understandable rush to prevent the next Virginia Tech shooting.
[Full disclosure: I worked as an aide on Capitol Hill in support of the Brady Law, and later on for its House sponsor.]

I found the op-ed very powerful because it moves beyond the typical dichotomous arguments between “fighting terrorism” and “protecting civil liberties” to examine the collateral impact of such pervasive secrecy on innocent bystanders such as the pseudonynomous author. The op-ed tells us that “John Doe” runs a small internet business and received a national security letter demanding information about a client. Rather than comply with what seemed like a fishy request, he courageously went to the ACLU. The secrecy rules mean he still can’t tell us why he was suspicious, although he does say that the FBI later dropped the request. But during the whole fight, he was forced to live a double life:

Under the threat of criminal prosecution, I must hide all aspects of my involvement in the case — including the mere fact that I received an NSL — from my colleagues, my family and my friends. When I meet with my attorneys I cannot tell my girlfriend where I am going or where I have been. I hide any papers related to the case in a place where she will not look. When clients and friends ask me whether I am the one challenging the constitutionality of the NSL statute, I have no choice but to look them in the eye and lie.

Even now, with the request for information withdrawn, he is forbidden to speak. That is a huge burden to place on someone. Forcing third parties into the role of involuntary government spies might be justified in highly exceptional circumstances, but the inspector general’s report demonstrates that their use has been anything but exceptional. As the better books by John le Carre demonstrate, there is a great personal toll to living a double life.

Of course, there are other systemic reasons why such secrecy is corrosive. My colleague Heidi Kitrosser has written about this issue in related circumstances, and John Doe points out that he could have warned Congress and the public about the likelihood of FBI abuses years ago if not for the gag order. If these practices had been reined in sooner, maybe our society would have created many fewer involuntary liars.