Final Thoughts…

As my final blog post of the year, I’d like to briefly summarize a couple of the overall themes that I took away from the course.

Technology and Public Policy are deeply intertwined. Not only does the framework set by policy determine how and what technology is developed and used, but also technology drives the constant reinvention of policy.

Advances in technology force policymakers to revisit old decisions in the context of setting new rules. As Cable TV became technically feasible, regulators were forced to reevaluate why they regulated broadcasts in the first place. As Grokster came on the scene as a new file-sharing mechanism, the courts were forced to reexamine the grounds for the Betamax ruling. Each time a new disruptive technology appears on the scene, a chance to re-fight old battles arises.

But in another sense, as technology constantly changes the landscape upon which these policy decisions are made, the core principles that policymakers adhere to remain remarkably consistent. Perhaps it is because they are so vague. Economic growth, equitable distribution, and personal freedom are all fundamental ideas that our policy with respect to technology seeks to promote. The troubles come when these principles are in conflict with one another, and we are forced to make compromises between them.

It works the other way as well – policy decisions that were made in the past have a fundamental impact on the shape of future technology development. Consider all the policy decisions that had to be in place for Google to blossom. It is too broad to even name all the categories these decisions fell into: phone network regulation/deregulation, property rights for content owners, privacy regulations; the list goes on and on. The legal and regulatory environment has a tremendous impact on the future of technology, and maintaining (or improving!) the quality of these rules will be crucial to maintaining a high rate of growth in the future.

But in another sense, technical development is to a degree inevitable as well. The powers of market forces are strong, sometimes stronger than even the best laws or regulations. As humans continue to build on successive generations of technology, the power of policymakers to influence outcomes must not be overestimated. Certain situations will arise (such as pirated music) where no matter how well designed the legal structure, the underlying technical and market forces will largely determine outcomes.

I have enjoyed thinking about the issues presented at the intersection of Technology and Public Policy this semester. I hope to be able to put these ideas into practice someday during my time in industry, and maybe if I’m lucky in public office sometime far down the road.

Police and your computer

I have often wondered about the privacy one has to the files on a computer.  I have several roommates, and I often came into my room to find one of my roommates or one of their friends using my computer.  I was extremely irritated by this, as I feel a need to protect the files on my computer.  My computer is now always password protected.

However, what would happen if the police came knocking on my door without a warrant, and I wasn’t there?  In regular police searches, warrants are necessary, but the Supreme Court has stated that third parties, such as spouses and roommates, do have the authority for allowing the search of shared spaces.  It is clear in living spaces that almost all is accessible to both parties living there, with the exception of a locked cabinet.  Situations that are disputable are private bedrooms within shared spaces.  Even trickier legally is searching a computer.

In cases where police ask to do an impromptu search, not many questions are usually asked to determine if the search of a computer is permissible.  There are many questions which should be asked.  For instance, is the computer shared, accessible to both parties, or only belonging to one or the other?  Where the computer is located is crucial for this question.  For if the computer is located in a bedroom not typically considered part of a shared living space, the other resident might not be considered as having access.  If the computer is shared, are locked files legally considered locked?  How does password protection play into the law?

In a case where a girlfriend gave permission for the police to search her boyfriend’s computer, since she shared access to most files, the search was deemed permissible.  However, password protected files only accessible to the boyfriend were not allowed to be searched without a warrant.  Another case recently decided on was an elderly father (Dr. Andrus) giving permission for the police to search his son’s computer.  The son, Ray Andrus, was an adult living in a separate, unlocked bedroom in the house, and was suspected in a child pornography ring.  While the bedroom was not a shared living space, the father had unlimited access to the room.  Police came to the house to request permission to search the bedroom.  The father consented to the search, including to the search of the son’s computer.  Police did not ask to determine if the father had shared access or how password protected the system was.  The system did have a password for login.

Should the police be required to determine the level of access to a computer before searching?  The 2-1 ruling on this decision was that the search was legal.  The majority opinion stated that “Dr. Andrus had apparent authority to consent to a search of the computer in Ray Andrus’ bedroom.”  The court also stated that it was not police’s responsibility to determine the ownership of the computer unless it was ambiguous, and if the defendant had proved the commonplace of password protection on personal computers, the search might have been ruled illegal.

I believe that the search should be considered illegal.  Password protection is incredibly easy, and the shift of family computers to individual computers is known to nearly everyone living in the developed world.  Police officers using common sense should know to ask if the third party knows of the password to the system if one exists.  The following represents the minority opinion, with which I fully agree.  

“Accordingly, in my view, given the case law indicating the importance of computer password protection, the common knowledge about the prevalence of password usage, and the design of EnCase or similar password bypass mechanisms, the Fourth Amendment and the reasonable inquiry rule, mandate that in consent-based, warrantless computer searches, law enforcement personnel inquire or otherwise check for the presence of password protection and, if a password is present, inquire about the consenter’s knowledge of that password and joint access to the computer.”

Privacy in Public and Private Contexts in America

In Week 3 of the semester we examined privacy considerations with respect to data mining operations executed by private corporations. In the current week (12), we discussed network surveillance by the government. My impression is that Americans are generally much more worried about the government spying on them than they are concerned about privately-owned data brokers violating their privacy. This discrepancy might well be a manifestation of the general trend of Americans distrusting government (see nomadicpuma’s “On Probable Cause…” post below), but in this case, I think that the American people are angry at the wrong people.

To begin with, the confusing thing about privacy is that everyone claims to want it but very few people actually take steps to preserve their privacy in their everyday lives. My favorite example: many consumers have a keyring full of plastic discount cards (CVS card, Acme card, etc) which they can swipe to get a small discount on certain purchases. In exchange for this (negligible) profit loss, these retailers gain the ability to correlate purchases with customer identities. This can be very useful when evaluating purchasing trends to help drive pricing strategy, for example, but it also opens the door to abuse by the retailer or (more likely) a malicious insider. For example, it would be pretty easy for someone with access to CVS’ customer database to figure out which families have babies at home by examining who had bought diapers and baby powder in the last few months. This knowledge could easily be used for nefarious purposes. The incredible penetration rate of these discount cards (practically everyone I know has a CVS card) shows that Americans are either (a) quite willing to sacrifice privacy for a savings of a dollar or two or (b) too naïve to realize what these systems are really doing.

Large data-mining corporations amass much more data than individual retailers and are thus capable of even greater abuse. As we discussed earlier, these companies attempt to build a complete file describing an individual by collecting contact information, job information, salary information, residence information, and so on. Then, the data-mining outfit will sell this information to practically anyone willing to pay for it – common clients are companies doing background checks on potential employees. As far as I can tell, the public seems highly unconcerned about these corporations, even though the information they amass can have a huge impact on an individual’s life (it might well be the deciding factor in whether or not an individual gets a job, for example). Furthermore, there are documented cases of data leakages and reporting of erroneous information by these private outfits (as discussed in the Solove and Hoofnagle paper in Week 3). Yet there is very little public outrage about these data brokers; I’m not sure if this is a result of ignorance or if Americans are aware of these private outfits and remain unconcerned.

I believe that our government is undeserving of most of the distrust it receives from the public. Our government is generally pretty good with civil liberties: our citizens virtually never disappear from the streets, there are very few cases of illegal warrantless investigations, and our democratic process is fair and transparent. So far, not a single case of abuse of the NSA wiretapping system has been reported (that is, the controversy surrounding the system stems from the fact that its basic design may violate some rights, not that the system has actually been used to single out specific Americans for political reasons).

My theory is that the different levels of trust in these public and private efforts are primarily a result of the public’s generally low level of education about privacy. People tend to insist upon privacy protection, only to basically throw it away by making poor decisions in everyday life. Our government should initiate social education programs to try to encourage citizens to make better decisions about privacy on a daily basis. For example, these programs might help teach people to ask themselves “Why do they need this particular piece of information about me?” when filling out some kind of form. This awareness could go a long way to preventing privacy leakages and might potentially even lessen the efficacy of data brokers. Our government will never gain the trust of all of its citizens, but the initiation of such programs might potentially gain some amount of trust, and they would certainly benefit society.

Surveillance Policies

As with any surveillance activity, tracking and checking packets for suspicious data has a trade off. While on one hand, there is an increased level of security, on the other hand, there is less privacy and any of your traffic is possibly subject to investigation.

It seems like many modes of communication these days are subject to the same argument. In order to be able to carry out security and law enforcement procedures, it requires a sacrifice of privacy on the part of the individuals. While in some instances, the need for privacy can and should be waived, in others, it seems ridiculous to subject everyone to searches for a minuscule reward.

In the example we looked at in class, we said that it seemed to make sense if the list of suspects was down to three and the surveillance would be used to further gain evidence on those people. However, the argument could be easily extended. As Jon mentioned, why would we stop only at three people? Where would we draw the line?

For traditional wiretapping and surveillance methods, there already exists a set of rules and protocols for officials to follow in order to first obtain the warrant and then carry out the surveillance. Even for those methods, the line between what is acceptable and helps security and what would be an invasion of privacy without justification is somewhat blurry.

For surveillance methods involving VoIP or email, other issues are brought into the picture. Many of the issues are similar to those brought up in class when we were talking about the government possibly using data mining to get information from the vast internet traffic. While there are advantages to be gained by doing so, the main disadvantage is invasion of privacy. Certainly people want to be secure and for law enforcement to have the ability to provide that security. However, knowing how much of their communication would be monitored, it would be less of a clear cut case. Also, since internet traffic is distributed, in order to perform any type of surveillance, some amount of reading (either by a person or a computer) of innocent bystanders’ communication is necessary. In general, people seem to be more comfortable with their Internet traffic being intercepted, analyzed and filtered by a computer before it reaches another person. While it does provide some measure of privacy since no person actually sees most of the traffic, the fact that it is seen by some process and stored somewhere means that a person could easily be involved in earlier stages of the information collection.

Even with strict government measures in place about who sees the information and at what stage, it can be misused. However, in the absence of another method to monitor distributed internet traffic, using computers at the initial stages seems like an appropriate solution. As with most policy solutions, there is a trade off. In this case, the trade off is between privacy and security. Personally, I would go for a solution which leans towards security and gives up some privacy to attain it but as a general measure, a mean is needed. Carrying over the measures needed to obtain a warrant for traditional surveillance methods to more current technologies and using computers as opposed to humans for first-level filtration both seem to achieve this mean.

The memex is here. Time for the memory hole.

In the dystopia imagined by George Orwell in 1984, memory holes are ubiquitous feeders into a massive system of information destruction by the government. The narrator describes how

When one knew that any document was due for destruction, or even when one saw a scrap of waste paper lying about, it was an automatic action to lift the flap of the nearest memory hole and drop it in, whereupon it would be whirled away on a current of warm air to the enormous furnaces which were hidden somewhere in the recesses of the building.

This system is used to eliminate any information — news reports, photographs, personal notes — that could call into question the legitimacy or efficacy of the government. The narrator emphasizes the ease and speed of the memory holes, and the irrevocable nature of the information loss.

In the real, post-1984 world, a government official who tries to delete information is unlikely to succeed. Professor Felten noted that when storage was expensive, the default practice was to delete information, but the low cost of storage now means that all information is retained, and that significant effort must be exerted to expunge it.

Microsoft researcher Gordon Bell is exploiting the low cost of storage for his MyLifeBits project. Inspired by a prescient 1945 article in which Vannevar Bush envisioned a “Memex,”

a device in which an individual stores all his books, records, and communications, and which is mechanized so that it may be consulted with exceeding speed and flexibility. It is an enlarged intimate supplement to his memory.

Bell seeks to record his whole existence with the aid of a small digital camera on his neck, a microphone on his elbow, and a scanner to digitize documents from his earlier, analog life.

The downside, as a Fast Company writer observed, is that perfect memory could overwhelm a user and cause him to alter his behavior to be “less flamboyant, less funny, less willing to say risky but potentially useful things.” But it’s not just Bell whose life is being recorded,

soon you’ll be part of it too — whether you want to be or not. The way Bell sees it, computers and the Internet are now rapidly becoming capable of storing everything you do and see. Hard-drive space has exploded in size, and every day … We blog about our thoughts, upload personal pictures to Flickr, save every email on our infinitely expanding Gmail accounts, shoot video on our cell phones, record phone calls straight to our hard drives when we use Skype.

We’re living in an era of scandalous Facebook photos that disqualify job applicants, and of well-intentioned political campaigns derailed by YouTube clips of candidate flubs. Far from a tool of oppression, an effective memory hole device would be liberating, returning society to a time when foolish mistakes could be excused and youthful indiscretions overlooked.

The Problem of Private Snooping

In order to identify potential terrorist threats and other criminal activities, it has been suggested that the government should be able to design technologies that are capable of sifting through internet traffic to identify potentially criminal actions, such as the identity of users who visit Al-Qaeda affiliated websites or e-mails that contain suspicious language. As it is unclear of the extent to which such broad monitoring technologies can be used given fourth amendment prohibitions and wiretapping regulations, it has been suggested that ISPs voluntarily alert the government to suspicious activity or otherwise make their logs available to investigators before such information is requested. 

These types of actions represent a breach of trust between the ISPs and their users and are an illegitimate way for the government to pursue criminals. First of all, “voluntary” action that is potentially related to national security can quickly become de facto mandatory if the major ISPs choose to engage in such practices. Second, ordinary users should be able to expect a reasonable level of privacy in their internet use. Data on their surfing habits should not be made available for public, government, or any third party’s use. Any legal limits imposed on the information that ISPs can pass on to others would serve to make the data transfer less mandatory and more represent a government-sponsored dragnet.

The key here is to distinguish between the times when technologies can be used to gather data on suspicious individuals and when more broad tools can be used to examine data on a large number of individuals. In the first case, the ability of the government to snoop should be directly proportional to the suspicion a person deserves. Fair levels of observation can be maintained by requiring investigators to obtain a warrant for the type of search or monitoring they seek. For certain suspects, virtually any form of monitoring is acceptable. In the second situation, however, the government must not compromise general privacy through secretive means or without oversight. Technologies such as public security cameras that provide a clear tradeoff in terms of privacy versus security may be appropriate to use in certain locations, assuming the public favors their use. Covering an area with hidden cameras or examining internet behavior secretively, without public consultation or permission is inappropriate.  

In a democratic society, the people have the right to make decisions regarding which tradeoffs between security and privacy they find acceptable and which represent too much of a violation of their rights. Even if it is a private company, not government investigators, that is identifying the suspicious behavior, this does not supersede the right of the public at large to establish privacy and security regimes that reflect their attitudes towards appropriate levels of privacy. It should be noted that this example does not apply solely to ISPs but to any private company that holds information about individual behavior that a third party, such as the government, seeks to examine.

The use of IT in preventing lives- tale of unborn girl fetuses

Resisting the temptation of joining the discussion on VoIP and related issues, I wish to narrate my own personal experience of how a simple use of technology could actually save thousands of lives!

Parents in Asia (and most of the countries having Confucian Philosophy) have a strong ‘son preference’. Various social evils such as the dowry system, the inferior status of the girl, etc. have been put forth as reasons for discrimination against the girl child. And it’s in this regard that the facility of ultrasound scans has been misused to detect and disclose the sex of the fetus (which could be ascertained reasonably accurately from the sixteenth week of pregnancy), leading to sex selective abortions if it turns out to be a girl. Sex ratio at Birth thus is rising rapidly, creating serious gender imbalances. There is an Act in India to prevent the misuse but the act remains on paper. Most of the implementors raise their hands saying that it’s extremely difficult to capture what goes on inside the scan room. There have been few sting operations by the electronic media but it has actually achieved little in terms of curbing the malaise except for raising occasional hue & cry.

While working as a District Collector in one of the prominent Districts in South India, I went through the Act and realised that a) ultrasound scans could be undertaken only under certain conditions specified under the Act and b) Forms such as “F” are to be filled in and maintained for every scan done on a pregnant woman and these forms are to be reported statutorily by these scan centers to the District authorities every month. It was not being done anywhere. I accordingly started implementing the act from October 2004.

I devised a very simple reporting proforma and the software containing this proforma was supplied to every scan center, making it mandatory for them to furnish the information every month through internet. We went all out initiating legal actions against those who didn’t furnish or those who furnished incomplete/incorrect information. As a result, we seized more than one third of the total scan machines and initiated prosecution against a large number of centers. The action had the desired impact and the sex ratio improved substantially. We could, as a result of our intervention, ensure that 3500 girls (who would otherwise be aborted) were born in 2005-06.

The intervention by the District administration has been highly successful and caught national attention. We could, as a result of this simple follow up, also trace the illegal supplies of ultrasound machines by multinational giants such as GE. This also had a salutary impact as it raised awareness on this issue and got covered in WSJ recently.

The drive in Hyderabad is continuing since then. The Ministry of Health, Government of India is following the same information package throughout the country so that collection of data gets institutionalized and appropriate action could be initiated in time. In fact, my intervention in Hyderabad was mentioned in the Parliament (check for the English version available in the later half) by the Minister of Health, Government of India. To quote the Minister:

“Of course, there are a few examples in different parts of the country where they have been doing well. Like in Hyderabad, there is a Collector called Arvind Kumar. By his initiation, he has now set a trend where just following the same law, without any modification under the PNDT, in the last year-and-a-half, there has been an increase in the birth of girls or females in the Hyderabad city. This is just one example where there is some positiveness in this on-going problem, all over the country.

The Hyderabad success story is because of computerisation and effective implementation of that. So, we have a success story. We need to do that and we are trying to do it and it will be done in the due course of time.”