This is Stewart Baker's Typepad Profile.
Stewart Baker
Former government official now practicing law
Recent Activity
I've spent much of this year doing a weekly podcast on security, privacy, government and law with a couple of my partners, Michael Vatis and Jason Weinstein. (The RSS feed is here.) I thought readers of this blog might like a taste of the podcast, which has attracted a substantial audience in Washington. This week, in episode 38, our guest is Shaun Waterman, editor of POLITICO Pro Cybersecurity. Shaun is an award-winning journalist who has worked for the BBC and United Press International; and an expert on counterterrorism and cybersecurity. We begin as usual with the week’s NSA news. NSA has released its second privacy transparency report. We’ve invited Becky Richards, NSA’s privacy and civil liberties watchdog, on the program to talk about it, so I’m using this post to lobby her to become a guest soon: Come on in, Becky, it’s a new day at the NSA! Laura Poitras’s new film about Snowden gets a quick review. We question the hyped claim that there’s a “second leaker” at NSA; most of the leaked information described in the film was already pretty widely known. Two more post-Snowden pieces of litigation are also in the news. We dig into the Justice... Continue reading
Posted 7 days ago at Skating on Stilts
Jonathan, It's true that the IT department should still have access to the contents of emails that go through the corporate email server, in the absence of end-to-end encryption. But an employee doesn't have to use the corporate email server to do business. He can send text messages, or he can use 3d party messaging or emailing apps. The company probably can't get access to the contents of those messages without access to the phone. If an employee wants to use texts on an iPhone to do business with customers, then, Apple or the employee needs to provide access to those texts. That's just one example. I suspect there are more, because letting an encrypted email hook to the network in any way makes it more likely that the phone will be used in ways the company doesn't like. Stewart
The New York Times asked me to comment on Apple's encryption policy on its Room for Debate page, where op-eds are half the normal size. Here's the link and here's what I said: Apple is a lot like a teenager getting Edward Snowden's name tattooed up her arm. The excitement will die, but the regrets will last. For all of us. Most Americans believe in privacy from government searches, but not for criminals. The Constitution protects a citizen's “houses, papers and effects” only until a judge finds probable cause that the citizen has committed a crime. This year, the Supreme Court ruled that the police need a warrant to search cellphones seized at the time of arrest. But with Apple's new encryption, probable cause and a warrant will be of little help to the police who seize a suspect’s iPhone and want to search it. That decision should not be left to Apple alone. And it won't be. Companies do not want to give their employees the power to roam corporate networks in secrecy. And even if they did, their regulators wouldn't let them. If Apple wants to sell iPhones for business use, it will have to give companies a... Continue reading
Posted Sep 30, 2014 at Skating on Stilts
If you think Edward Snowden and Glenn Greenwald have stopped attacking NSA, you haven't been following them closely enough. While American media have largely lost interest in Snowden and Greenwald, the pair continue to campaign outside the United States against the intelligence agency. Their most ambitious effort was in New Zealand, a member of the “Five Eyes” intelligence alliance with the U.S. and U.K. The center-right New Zealand government has been embroiled in accusations of illegal surveillance of Kim Dotcom, who grew wealthy running a file-sharing site and is now fighting extradition to the United States for copyright violations. As part of that fight, Dotcom dove into New Zealand's national elections, hoping to unseat the two-term government and, in his words, "to close one of the Five Eyes." Snowden and Greenwald dove in with him, joining eagerly in campaign events sponsored by Dotcom. Greenwald used his new Omidyar-funded news site to release a lengthy article in the last week of the campaign; it accused New Zealand of working with NSA to conduct mass surveillance. When the prime minister denied the accusation, Snowden called him a liar. The combination of carefully timed Snowden leaks and Dotcom's millions looked potent. Dotcom even... Continue reading
Posted Sep 20, 2014 at Skating on Stilts
I've done a bit more online experimentation with Google's “famous or not” algorithm, first described here. Unfortunately, one of the risks of experimentation is that it may raise more questions than it answers. That's what happened to me. So I'll simply report the results. In short, the use of quotations in name searches seems to have an effect on when displays the warning tag that it uses for non-famous people. Here are the results so far for several different searches on my name (quotation marks are part of the search). Remember that Google inserts the tag, warning that some entries may have been deleted due to EU data protection law, when it concludes that someone is not famous:
stewart baker = no tag (i.e., Google-famous)
stewart a. baker = no tag (i.e., Google-famous)
“stewart a. baker” = no tag (i.e., Google-famous)
“stewart baker” = tag (i.e., not Google-famous)
stewart baker steptoe = no tag (i.e., Google-famous)
stewart baker nsa = no tag (i.e., Google-famous)
“stewart baker” nsa = tag (i.e., not Google-famous)
Just to see how Google treats a genuinely famous person, I tried Robyn Rihanna Fenty (aka Rihanna):
robyn fenty = no tag (i.e., Google-famous)
robyn rihanna fenty... Continue reading
Posted Sep 9, 2014 at Skating on Stilts
Three months ago, I tried hacking Google's implementation of Europe's “right to be forgotten.” For those of you who haven't followed recent developments in censorship, the right to be forgotten is a European requirement that “irrelevant or outdated” information be excluded from searches about individuals. The doctrine extends even to true information that remains on the internet. And it is enforced by the search engines themselves, operating under a threat of heavy liability. That makes the rules particularly hard to determine, since they're buried in private companies' decisionmaking processes. So to find out how this censorship regime works in practice, I sent several takedown requests to Google's British search engine, (Europe has not yet demanded compliance from US search engines, like, but there are persistent signs that it wants to.) I've now received three answers from Google, all denying my requests. Here's what I learned. The first question was whether Google would rule on my requests at all. I didn't hide that I was an American. Google's “right to be forgotten” request form requires that you provide ID, and I used my US driver's license. Would Google honor a takedown request made by a person who wasn't a... Continue reading
Posted Sep 8, 2014 at Skating on Stilts
I am not a big fan of the EU's "right to be forgotten," but it has one silver lining. I was noodling around with Google's ever-more-baroque implementation of the principle this weekend, and I discovered that it offers a quick and cheap way to discover just how famous Google thinks you are. To understand how Google got in the "famous or not" business requires a dive into the search engine's stutter-step implementation of the EU requirement. In China, of course, when Google is required to suppress a link, it includes a warning on the results page, saying in essence that the results have been censored. Google originally planned to do the same in response to European censorship. But the European data protection censors didn't like that kind of transparency. They thought that the notice, even if it didn't actually say what had been suppressed, would stigmatize Europeans who invoked the right to be forgotten. (That, and it might remind searchers that their access to data was being restricted by European law.) Google caved, mostly. But it left in place a vestige of its original policy. Now, it includes the following warning on its European results pages whenever any name is... Continue reading
Posted Aug 31, 2014 at Skating on Stilts
The evidence is mounting that Edward Snowden and his journalist allies have helped al Qaeda improve their security against NSA surveillance. In May, Recorded Future, a predictive analytics web intelligence firm, published a persuasive timeline showing that Snowden's revelations about NSA's capabilities were followed quickly by a burst of new, robust encryption tools from al-Qaeda and its affiliates: This is hardly a surprise for those who live in the real world. But it was an affront to Snowden's defenders, who've long insisted that journalists handled the NSA leaks so responsibly that no one can identify any damage that they have caused. In damage control mode, Snowden's defenders first responded to the Recorded Future analysis by pooh-poohing the terrorists' push for new encryption tools. Bruce Schneier declared that the change might actually hurt al Qaeda: “I think this will help US intelligence efforts. Cryptography is hard, and the odds that a home-brew encryption product is better than a well-studied open-source tool is slight.” Schneier is usually smarter than this. In fact, the product al Qaeda had been recommending until the leaks, Mujahidin Secrets, probably did qualify as “home-brew encryption.” Indeed, Bruce Schneier dissed Mujahidin Secrets in 2008 on precisely that ground,... Continue reading
Posted Aug 3, 2014 at Skating on Stilts
I've long been an advocate for fewer restraints on how the private sector responds to hacking attacks. If the government can't stop and can't punish such attacks, in my view the least it could do is not threaten the victims with felony prosecution for taking reasonable measures in self-defense. I debated the topic with co-blogger Orin Kerr here. I'm pleased to note that my side of the debate continues to attract support, at least from those not steeped in the "leave this to the professionals" orthodoxy of the US Justice Department. The members of the 9/11 Commission, who surely define bipartisan respectability on questions of national security, have issued a tenth anniversary update to the Commission's influential report. The update repeats some of the Commission's earlier recommendations that have not been implemented. But it also points to new threats, most notably the risk of attacks on the nation's computer networks. No surprise there, but I was heartened to see the commissioners' tentative endorsement of private sector "direct action" as a response to attacks on private networks: Congress should also consider granting private companies legal authority to take direct action in response to attacks on their networks. This "should consider" formulation... Continue reading
Posted Jul 27, 2014 at Skating on Stilts
HIPAA is an arguably well-intentioned privacy law that seems to yield nothing but "unintended" consequences. I put "unintended" in quotes because the consequences are often remarkably convenient, at least for those with power. I'm not sure you can call something that convenient "unintended." The problem has gotten so bad that even National Public Radio and the Pro Publica organization -- hotbeds of bien pensant liberalism -- have started to notice. This story, for example, could be mined for a host of Privy nominations for Dubious Achievements in Privacy Law: In the name of patient privacy, a security guard at a hospital in Springfield, Mo., threatened a mother with jail for trying to take a photograph of her own son. In the name of patient privacy, a Daytona Beach, Fla., nursing home said it couldn't cooperate with police investigating allegations of a possible rape against one of its residents. In the name of patient privacy, the U.S. Department of Veterans Affairs allegedly threatened or retaliated against employees who were trying to blow the whistle on agency wrongdoing. When the federal Health Insurance Portability and Accountability Act passed in 1996, its laudable provisions included preventing patients' medical information from being shared without... Continue reading
Posted Jul 26, 2014 at Skating on Stilts
When you're in the business of pointing out how often privacy law ends up protecting power and privilege, you never run out of material. Everyone remembers Lois Lerner, the IRS official who pleaded the fifth amendment and refused to testify about her role in the agency's scrutiny of Tea Party nonprofits. And everyone remembers her mysterious computer crash making years of emails unavailable in 2011. Could the messages be recovered with advanced forensics? We'll never know, because the IRS so systematically nuked Lerner's drives that no one could ever recover anything from them. Why? According to The Hill, "the agency said in court filings Friday that the hard drive was destroyed in 2011 to protect confidential taxpayer information." I'm sure the taxpayers will find a way to show their gratitude. Continue reading
Posted Jul 19, 2014 at Skating on Stilts
It's time once again to point out that privacy laws, with their vague standards and selective enforcement, are more likely to serve privilege than to protect privacy. The latest to learn that lesson are patients mistreated by the Veterans Administration and the whistleblowers who sought to help them. According to the Washington Post: Citing patient privacy, managers have threatened VA employees or retaliated against those who complain about agency misconduct, according to a key congressman and the union that represents most of the department’s employees. “VA routinely uses HIPAA as an excuse to punish into submission employees who dare to speak out,” said Rep. Jeff Miller (R-Fla.), chairman of the House Committee on Veterans’ Affairs. He is leading a probe into the coverup of long wait times for VA patients. David Borer, the American Federation of Government Employees’ top lawyer, listed a number of cases involving a VA claim of patient privacy used to stifle whistleblowers in a June letter to the department. The Office of Special Counsel (OSC), which investigates whistleblower retaliation cases, is “very concerned about the misuse of HIPAA,” said Eric Bachman, an OSC deputy special counsel. “The potential chilling effect of even a small number of... Continue reading
Posted Jul 18, 2014 at Skating on Stilts
China seems to have found a reliable legal tool for suppressing dissent. A prominent Chinese human rights lawyer, Pu Zhiqiang, has been arrested after a meeting in a private home to commemorate the 25th anniversary of the killings at Tiananmen Square. The charge? “Illegal access to the personal information of citizens,” a crime punishable by three years in prison. Clearly, China is on its way to earning a second Privy nomination for “Worst Use of Privacy Law to Protect Power and Privilege.” But where are EFF and EPIC and CDT and the ACLU? This is not the first time China has brought privacy charges against politically disfavored defendants. Why haven't these advocates of more privacy law vocally condemned China's use of privacy law to foster oppression? The same question might be asked of the Article 29 Working Party in the European Union, along with a second one: How is China’s law different from the data protection laws that Europe has been urging the world to adopt? Continue reading
Posted Jun 16, 2014 at Skating on Stilts
Vodafone put out a highly informative report on the intercept practices of the countries where it does business. The greatest news interest was spurred by its statement that some countries tap directly into the provider's infrastructure and take what they want without notice to the provider: In a “small number” of countries, Vodafone said in the report, the company “will not receive any form of demand for communications data access as the relevant agencies and authorities already have permanent access to customer communications via their own direct link.” Vodafone refused to name the countries. But I can't help thinking that the report provides some pretty clear clues about two of them. I suspect we'll soon discover that they are France and Belgium. The reason is buried in the footnotes to the report. The report gives reasons when it does not disclose the number of lawful intercept warrants the company received in a particular country. Sometimes reporting on wiretaps is prohibited by law. But in eight cases, the report doesn't cite legal restrictions on disclosure. Instead, it says that it has no intercept numbers because there is “no technical implementation” of lawful intercept capabilities in those countries. In one country, Kenya,... Continue reading
Posted Jun 7, 2014 at Skating on Stilts
Just how dumb is the “right to be forgotten”? Google will make it easy to find out. That's because Google has automated the process for making takedown requests under the European Court of Justice's “right to be forgotten” ruling. If you've got a piece of personal data that you'd like forgotten, all you have to do is fill out Google's handy online form. Anyone can make a request (though you'll need to take a digital photo of a piece of ID as proof of identity). You then need to find a link (using a European version of Google) and explain why the personal data at the link is inaccurate, outdated, or inappropriate. The opportunity for abuse is obvious. I feel bad for Google, which is stuck trying to administer this preposterous ruling. But that shouldn't prevent us from showing quite concretely how preposterous it is. I propose a contest. Let's all ask for takedowns. The person who makes the most outrageous (and successful) takedown request will win a “worst abuse of privacy law” prize, otherwise known as a Privy. To get you started, here are the four requests I've already filed. 1. Ban this book! URL: Reason this link... Continue reading
Posted Jun 7, 2014 at Skating on Stilts
I'll be testifying tomorrow afternoon before the Senate Select Committee on Intelligence, talking about the bill that bans NSA's bulk collection of metadata. It passed the House after small amendments that privacy groups are now complaining loudly about. I don't like the bill for quite different reasons. My prepared testimony is here: Download Stewart Baker Testimony June 5 2014 to Senate Intelligence Committee. After explaining why bulk collection should not be banned, here's what I say about the privacy groups' objections: Everyone recognizes that if bulk collection requests are foreclosed, then the government must make individualized requests for data. And to do that, it has to give the companies specific search terms to use. Before amendment, the House bill said that the government could only ask the companies to use three kinds of search terms. They could only ask the companies to look for a suspicious “person, entity, or account.” This was foolish. Clues come in many forms. What if the agency doesn’t know the suspect’s name but does know his internet address, or the unique identifier of his tablet? Those are proper and specific search terms, and they are likely to be of value to terrorism investigators. So the bill... Continue reading
Posted Jun 4, 2014 at Skating on Stilts
The ACLU and EPIC have campaigned long and hard against surveillance cameras in public spaces, and they've had considerable success -- despite a paucity of actual serious privacy abuses. So it's worth remembering that all this privacy theater imposes real costs on crime victims. This story, headlined "After Boy and Girl Are Stabbed, Anger Over a Lack of Cameras" is only surprising because it appears in the New York Times: The 7-year-old girl is hospitalized in critical condition, the only witness to a crime that so far defies explanation: A man stabbed two young children in the elevator of a public-housing project and escaped into the late-spring evening. Her best friend, a 6-year-old boy, is dead. Though residents of the Brooklyn housing project saw a man fleeing through the development after the attack, he remained at large on Monday, the search made more difficult because the building has no surveillance cameras. Living in housing projects in East New York means living with the daily threat of violence, and Boulevard Houses is no exception. But until Sunday night, parents felt safe taking their children downstairs to play.... The lack of cameras raised questions on Monday as elected officials accused the New... Continue reading
Posted Jun 3, 2014 at Skating on Stilts
The NBC interview with Edward Snowden was instructive in several ways. He continues to present himself as a reasonable man who tried to stop illegal programs but was left with no option but to go public. But the more closely you listen, especially when he says things that can be checked against the record, the more dubious his claim begins to seem. In fact, the NBC interview, and the exchange with NSA that followed, reveal a lot about Snowden’s style of truth-telling, which turns out to be hard to distinguish from, well, lying. When questioned about his claim to have raised concerns inside the NSA before breaking his promises of confidentiality, Snowden said, “I actually did go through channels, and that is documented. The NSA has records, they have copies of emails right now to their Office of General Counsel, to their oversight and compliance folks, from me raising concerns about the NSA’s interpretations of its legal authorities.” This time, remarkably, NSA was not caught flat-footed. Showing an impressive grasp of the news cycle, the agency quickly released the only email that Snowden sent to the NSA GC. It was clearly the message Snowden described, but it was nothing like... Continue reading
Posted Jun 2, 2014 at Skating on Stilts
When the Justice Department indicted six People's Liberation Army hackers, it directly accused the PLA of stealing "privileged attorney-client communications related to Solar World's ongoing trade litigation with China." This is not a surprise to knowledgeable observers. Chinese attacks on large U.S. law firms have been widely acknowledged, and last summer the American Bar Association condemned "unauthorized, illegal intrusions into the computer systems and networks utilized by lawyers and law firms." But the ABA flinched from actually mentioning China or the PLA in the resolution, and as far as I can see, ABA President Jim Silkenat has still said nothing about Chinese hacking of US law firms. Contrast that silence with Silkenat's rush to demand answers from the NSA about more attenuated allegations. On February 15 of this year, the New York Times published a Snowden-inspired article claiming that Australia had intercepted an American law firm's advice to Indonesia on a piece of trade litigation. The article was full of anti-NSA spin but it made no claim that NSA itself was spying on privileged communications. Nonetheless, five days after that story appeared, Silkenat sent a two-page letter to the head of NSA. "Whether or not those press reports are accurate,"... Continue reading
Posted May 22, 2014 at Skating on Stilts
That's the possibility raised by Edward Jay Epstein in a (paywalled) Wall Street Journal op-ed. Epstein offers some new evidence for his theory. In particular he says that NSA investigators now know that Snowden's tactics included breaking into two dozen compartments using forged or stolen passwords. Once there, Snowden loosed an automated "spider" with instructions to scrape the compartments for particular information. In most cases, US officials have said, the data Snowden took was overwhelmingly of military and intelligence value to our adversaries and had little or nothing to do with privacy or whistleblowing. It's entirely possible that Snowden is a spy. But it's also possible that he stole the military data to make sure he could find a safe foreign haven after his disclosures. That would fit the pattern of his disclosures over the past year. Dozens of recent Snowden leaks have revealed nothing about "mass surveillance" -- but they have consistently advanced Russian geopolitical interests. In support of the "documents for asylum" theory, remember that, during his unsuccessful campaign to stay in Hong Kong, Snowden was quick to display stolen documents detailing the Chinese computers NSA had hacked. Here's the South China Morning Post from June 13, 2013:... Continue reading
Posted May 11, 2014 at Skating on Stilts
Earlier, I promised a post that would make the positive case for the third-party doctrine and Smith v. Maryland. The case against it seems pretty obvious. Privacy advocates are glad to tell us that the pace of technological change requires that we expand fourth amendment protections. “We're putting our entire lives on line,” they say. “The government's ability to collect and analyze data is growing. Only by expanding the fourth amendment can we even the balance that protects our privacy.” Or more colloquially, “Some new technologies are just plain creepy, especially in the hands of the government, and we want the fourth amendment to save us from them.” The problem with that argument is that definitions of “creepy” change pretty fast. Brandeis wrote his seminal article on privacy because he thought the Kodak camera was creepy, and he wanted the law to prevent the hoi polloi from taking his picture. In the 1970s, the FBI's ability to maintain clippings files on prominent Americans was a creepy source of power for J. Edgar Hoover. And the Attorney General actually imposed a fourth-amendment-style “predicate” requirement on future FBI clippings files about individuals. Today, though, Google has democratized the clippings file, and it's too... Continue reading
Posted May 4, 2014 at Skating on Stilts
The third-party doctrine of Smith v. Maryland, 442 U.S. 735 (1979), is getting a bad rap from libertarians of the left and the right. Smith holds that the police don't need a search warrant to get information about me from a third party. If I keep a diary in my desk drawer, the police must get a search warrant based on probable cause if they want to read it. If I leave the diary with my mother for safekeeping, though, the third party doctrine says that the police only need to serve her with a subpoena to get it. The same is true if I store the diary in the cloud with Google Drive or Dropbox. If it were on my computer, the police would need a warrant to read it; in the cloud, they don't. The theory of Smith is that I have a reduced privacy expectation in things I've shared with others. Life teaches us the same lesson. By the third grade we've all discovered the dangers of telling our deepest secrets to a friend. The Founders knew it too. As Ben Franklin famously said in Poor Richard's Almanack, “Three can keep a secret, if two of them... Continue reading
Posted May 4, 2014 at Skating on Stilts
Apart from the word "property," what is it about modern intellectual property law that should appeal to conservatives? The free-floating liability to plaintiffs' lawyers? The income transfers to people who mostly hate middle America? The capture of lawmakers and regulators by a rent-seeking minority? The enshrining of those lobbyists' victories in international law -- enforced in Geneva and immune to democratic change in this country? The law's dramatic turn from the original understanding of the Framers of the Constitution? Despite these features, only a handful of conservatives seem ready to rethink intellectual property law. One young conservative in that camp is Derek Khanna, whose just-released R Street Policy Paper makes the conservative case for copyright reform. Here's a sample: As with other enumerated powers of the federal government, Congress has expanded copyright far beyond what was originally intended. Just as Congress frequently neglects to abide the Origination Clause and the Commerce Clause, it likewise has ignored the Copyright Clause’s requirement that these monopoly instruments be granted only for “limited times.” Contributing greatly to this distortion has been the influence of a persistent army of special interest lobbyists, usually representing media companies, rather than the interests of creators and the... Continue reading
Posted May 1, 2014 at Skating on Stilts
I don't know how the Supreme Court will decide ABC v. Aereo, argued last week. But however the case is decided, I suspect there's a real risk that the Court will screw up the law. Why? Three reasons. 1. The case requires interpretation of a complicated statutory regime that the Court rarely construes. Aereo is exploiting a seam in copyright law that implicates fair use, performance rights, and how these rules apply to cloud computing. Intervening occasionally in complex statutory schemes is a high-risk endeavor for the Court. They are very smart lawyers but if they don’t get a run of cases in the same area, they often lack a feel for how all the pieces fit together. 2. That is surely true in Aereo, where the court is genuinely at sea. Oral argument revealed a widespread disposition to view Aereo's business model as too clever by half -- using thousands of tiny "personal" antennas to collect and transmit broadcast television without paying the fees that apply to cable companies who do the same. The justices seem to be struggling to find a way to slap Aereo down without damaging the legal framework that today protects cloud companies like Dropbox... Continue reading
Posted Apr 28, 2014 at Skating on Stilts
The latest NSA data dump is a set of declassified pleadings on the 215 metadata program. The program has been upheld by all the Foreign Intelligence Surveillance Court (FISC) judges and by district court judge William Pauley in New York. It was, however, ruled unlawful once -- by DC district judge Richard Leon. Judge Leon's opinion was colorful, but it hasn't proved especially persuasive. The declassified documents may tell us why. They disclose the latest court fight over the program. A telecom company that received a 215 order (identified by Ellen Nakashima of the Washington Post as Verizon) asked the FISC to reconsider the program in light of Judge Leon's ruling. Judge Rosemary Collyer of the FISC did so, and made short work of it, laying out and rejecting each of Judge Leon's reasons for treating the program as a fourth amendment violation. No surprise, really. But what has to hurt is Judge Collyer's dead-pan takedown of Judge Leon's hyperventilating prose. And in a parenthetical, no less. Summarizing Judge Leon's reasons for not following Smith v. Maryland, Judge Collyer writes: The NSA program, on the other hand, "involves the creation and maintenance of a historical database containing five years' worth of... Continue reading
Posted Apr 27, 2014 at Skating on Stilts