Slashdot Mirror

gannebraemorr writes "The U.S. Department of Justice and the FBI believe they don't need a search warrant to review Americans' e-mails, Facebook chats, Twitter direct messages, and other private files, internal documents reveal. Government documents obtained by the American Civil Liberties Union and provided to CNET show a split over electronic privacy rights within the Obama administration, with Justice Department prosecutors and investigators privately insisting they're not legally required to obtain search warrants for e-mail."

chicksdaddy writes "The American Civil Liberties Union filed a complaint with the U.S. Federal Trade Commission on Wednesday calling on the federal government to take action to stem an epidemic of unpatched and insecure Android mobile devices – declaring the sea of unpatched and vulnerable phones and tablets 'defective and unreasonably dangerous.' The civil liberties group's complaint for injunctive relief with the FTC (PDF), notes that 'major wireless carriers have sold millions of Android smartphones to consumers' but that 'the vast majority of these devices rarely receive software security updates.' The ACLU says carriers leave their customers vulnerable to malware and spear phishing attacks that can be used to record or transmit information on the device to' third parties. 'A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google, but have not been distributed to consumers' smartphones by the wireless carriers and their handset manufacturer partners,' the ACLU said. Android devices now account for close to 70 percent of new mobile devices sold. The porous security of many of those devices has become a topic of concern. The latest data from Google highlights the challenge facing the company, with just over 25% of Android users running versions 4.1 or 4.2 – the latest versions of the OS, dubbed 'Jelly Bean,' more than six months after its release. In contrast, 40% of Android users are still running the 'Gingerbread' release – versions 2.3.3 through 2.3.7, a two year-old version of the operating system that has known security vulnerabilities."

chicksdaddy writes "The American Civil Liberties Union filed a complaint with the U.S. Federal Trade Commission on Wednesday calling on the federal government to take action to stem an epidemic of unpatched and insecure Android mobile devices – declaring the sea of unpatched and vulnerable phones and tablets 'defective and unreasonably dangerous.' The civil liberties group's complaint for injunctive relief with the FTC (PDF), notes that 'major wireless carriers have sold millions of Android smartphones to consumers' but that 'the vast majority of these devices rarely receive software security updates.' The ACLU says carriers leave their customers vulnerable to malware and spear phishing attacks that can be used to record or transmit information on the device to' third parties. 'A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google, but have not been distributed to consumers' smartphones by the wireless carriers and their handset manufacturer partners,' the ACLU said. Android devices now account for close to 70 percent of new mobile devices sold. The porous security of many of those devices has become a topic of concern. The latest data from Google highlights the challenge facing the company, with just over 25% of Android users running versions 4.1 or 4.2 – the latest versions of the OS, dubbed 'Jelly Bean,' more than six months after its release. In contrast, 40% of Android users are still running the 'Gingerbread' release – versions 2.3.3 through 2.3.7, a two year-old version of the operating system that has known security vulnerabilities."

kodiaktau writes "The ACLU has issued a FOIA request to determine whether the IRS gets warrants before reading taxpayers' email. The request is based on the antiquated Electronic Communication Protection Act — federal agencies can and do request and read email that is over 180 days old. The IRS response can be found at the ACLU's website. The IRS asserts that it can and will continue to make warrantless requests to ISPs to track down tax evasion. Quoting: 'The documents the ACLU obtained make clear that, before Warshak, it was the policy of the IRS to read people’s email without getting a warrant. Not only that, but the IRS believed that the Fourth Amendment did not apply to email at all. A 2009 "Search Warrant Handbook" from the IRS Criminal Tax Division’s Office of Chief Counsel baldly asserts that "the Fourth Amendment does not protect communications held in electronic storage, such as email messages stored on a server, because internet users do not have a reasonable expectation of privacy in such communications." Again in 2010, a presentation by the IRS Office of Chief Counsel asserts that the "4th Amendment Does Not Protect Emails Stored on Server" and there is "No Privacy Expectation" in those emails.'"

kodiaktau writes "The ACLU has issued a FOIA request to determine whether the IRS gets warrants before reading taxpayers' email. The request is based on the antiquated Electronic Communication Protection Act — federal agencies can and do request and read email that is over 180 days old. The IRS response can be found at the ACLU's website. The IRS asserts that it can and will continue to make warrantless requests to ISPs to track down tax evasion. Quoting: 'The documents the ACLU obtained make clear that, before Warshak, it was the policy of the IRS to read people’s email without getting a warrant. Not only that, but the IRS believed that the Fourth Amendment did not apply to email at all. A 2009 "Search Warrant Handbook" from the IRS Criminal Tax Division’s Office of Chief Counsel baldly asserts that "the Fourth Amendment does not protect communications held in electronic storage, such as email messages stored on a server, because internet users do not have a reasonable expectation of privacy in such communications." Again in 2010, a presentation by the IRS Office of Chief Counsel asserts that the "4th Amendment Does Not Protect Emails Stored on Server" and there is "No Privacy Expectation" in those emails.'"

Via the EFF comes news that, during a case involving the use of a Stingray device, the DOJ revealed that it was standard practice to use the devices without explicitly requesting permission in warrants. "When Rigmaiden filed a motion to suppress the Stingray evidence as a warrantless search in violation of the Fourth Amendment, the government responded that this order was a search warrant that authorized the government to use the Stingray. Together with the ACLU of Northern California and the ACLU, we filed an amicus brief in support of Rigmaiden, noting that this 'order' wasn't a search warrant because it was directed towards Verizon, made no mention of an IMSI catcher or Stingray and didn't authorize the government — rather than Verizon — to do anything. Plus to the extent it captured loads of information from other people not suspected of criminal activity it was a 'general warrant,' the precise evil the Fourth Amendment was designed to prevent. ... The emails make clear that U.S. Attorneys in the Northern California were using Stingrays but not informing magistrates of what exactly they were doing. And once the judges got wind of what was actually going on, they were none too pleased:"

An anonymous reader writes "Last night before the State of the Union speech, President Obama signed an executive order for improving cybersecurity of critical infrastructure (PDF). The highlights of the order are: 'information sharing programs' for the government to provide threat reports to industry; an overarching cybersecurity framework developed by NIST to figure out best practices for securing critical infrastructure; and reviews of existing regulations to make sure they're effective. The ACLU supports the Order, as does the EFF. '"A lot of what this shows is that the president can do a lot without cybersecurity legislation," said Mark Jaycox, policy analyst and legislative assistant for the Electronic Frontier Foundation, who points out that the executive order satisfies the need for information sharing without the privacy problems that existed under legislative proposals where loopholes would have allowed companies to dump large amounts of data on the government in an effort to obtain legal immunities. Without those immunities, companies will by nature be more circumspect about what they provide the government, thus limiting what they hand over, Jaycox said.'"

Nerdolicious writes "Ars Technica reports that the ACLU has received a response from the FBI after a formal legal complaint was filed to release documents related to warrantless GPS tracking data. But, as you can see from the two memos the ACLU posted to its website, they have unsurprisingly been redacted to uselessness, consisting almost entirely of large black blocks covering full pages."

Nerdolicious writes "Ars Technica reports that the ACLU has received a response from the FBI after a formal legal complaint was filed to release documents related to warrantless GPS tracking data. But, as you can see from the two memos the ACLU posted to its website, they have unsurprisingly been redacted to uselessness, consisting almost entirely of large black blocks covering full pages."

New submitter electron sponge writes "On Friday morning, the Senate renewed the FISA Amendments Act (PDF), which allows for warrantless electronic eavesdropping, for an additional five years. The act, which was originally passed by Congress in 2008, allows law enforcement agencies to access private communications as long as one participant in the communications could reasonably be believed to be outside the United States. This law has been the subject of a federal lawsuit, and was argued before the Supreme Court recently. 'The legislation does not require the government to identify the target or facility to be monitored. It can begin surveillance a week before making the request, and the surveillance can continue during the appeals process if, in a rare case, the secret FISA court rejects the surveillance application. The court’s rulings are not public.'" The EFF points out that the Senate was finally forced to debate the bill, but the proposed amendments that would have improved it were rejected.

An anonymous reader sends this excerpt from The Hill: "The past week's violence in Gaza has rekindled calls for Twitter to shutter the accounts of U.S.-labeled terror groups such as Hamas. Seven House Republicans asked the FBI in September to demand that Twitter take down the accounts of U.S.-designated terrorist groups, such as Hamas, Hezbollah and Somalia's al Shabaab. The letter to FBI Director Robert Mueller was spearheaded by Rep. Ted Poe (R-Texas), who said Wednesday that the recent events vindicated the request. 'Allowing foreign terrorist organizations like Hamas to operate on Twitter is enabling the enemy,' [Poe said] 'Failure to block access arms them with the ability to freely spread their violent propaganda and mobilize in their War on Israel.'"

hypnosec writes "According to data obtained by the American Civil Liberties Union (ACLU), surveillance of emails and other forms of Internet communications without warrants has increased substantially over the last two years. Documents, obtained by the ACLU, reveal that there has been a 361% increase in 'pen register' and 'trap-and-trace' orders between 2009 and 2011. The ACLU has appealed to Congress to bring in more judicial oversight in these warrantless orders."

New submitter wermske writes "Ars Technica and ZDNet report the Location Privacy Act of 2012 (SB-1434) was passed by the California legislature on Wednesday. The California Location Privacy Act, co-sponsored by the ACLU of California and the Electronic Frontier Foundation, updates California privacy law to reflect the modern mobile world by providing needed protection against warrantless government access to a person's location information. Recent reports indicate that cell phone tracking is routine and few agencies obtain warrants for such surveillance. The need for this protection resurfaced last week when warrantless GPS tracking appeared again in the national news — a federal appeals court ruled that law enforcement is allowed to track the GPS signal coming from a suspect's prepaid phone without a warrant. The scope of the Location Privacy Act would include gathering GPS or other location-tracking data from cell phones, tablets, computers, automobiles, etc. The next stop is the governor's desk; however, there is concern that Governor Jerry Brown may not sign this act into law. In 2011, Gov. Brown vetoed an attempt at enforcing stricter privacy rules."

coastal984 writes with news that the American Civil Liberties Union is launching a nation-wide effort to find out how police departments are using and retaining information gathered from license plate scanners. They've sent FOIA requests to departments in 38 states, as well as the Departments of Justice, Homeland Security, and Transportation. "It’s not an exaggeration to say that in ten years there will be [automatic license plate readers] just about everywhere, making detailed records of every driver’s every movement, and storing it for who knows how long. In some cases, we know that the worst-case scenario—vast databases with records of movements of massive numbers of people—is already happening. To avoid this fate we need to convince the nation and our lawmakers to take action on this serious threat to our liberty. And to make a convincing case, we need to know a lot more about the problem as it stands. Last year, most people didn’t know why we should call our mobiles 'trackers' instead of phones; there was very little public information on how police departments were using our phones to track our location. The ACLU stepped in and spearheaded a massive public records project, bringing together affiliates from every part of the country, obtaining documents that showed how police nationwide were getting access to our intimate information without judicial oversight."

coastal984 writes with news that the American Civil Liberties Union is launching a nation-wide effort to find out how police departments are using and retaining information gathered from license plate scanners. They've sent FOIA requests to departments in 38 states, as well as the Departments of Justice, Homeland Security, and Transportation. "It’s not an exaggeration to say that in ten years there will be [automatic license plate readers] just about everywhere, making detailed records of every driver’s every movement, and storing it for who knows how long. In some cases, we know that the worst-case scenario—vast databases with records of movements of massive numbers of people—is already happening. To avoid this fate we need to convince the nation and our lawmakers to take action on this serious threat to our liberty. And to make a convincing case, we need to know a lot more about the problem as it stands. Last year, most people didn’t know why we should call our mobiles 'trackers' instead of phones; there was very little public information on how police departments were using our phones to track our location. The ACLU stepped in and spearheaded a massive public records project, bringing together affiliates from every part of the country, obtaining documents that showed how police nationwide were getting access to our intimate information without judicial oversight."

An anonymous reader writes with news that might make privacy advocates a bit uneasy. From the article: "Everyone driving on Interstate 15 in southwest Utah may soon have their license plate scanned by the U.S. Drug Enforcement Administration. The DEA and two sheriffs are asking permission to install stationary license plate scanners on the freeway in Beaver and Washington counties. The primary purpose would be to catch or build cases against drug traffickers, but at a Utah Legislature committee meeting Wednesday, the sheriffs and a DEA representative described how the scanners also could be used to catch kidnappers and violent criminals. That, however, wasn't the concern of skeptical legislators on the Law Enforcement and Criminal Justice Interim Committee. They were worried about the DEA storing the data for two years and who would be able to access it."

CWmike writes "CNET's Declan McCullagh reported last week on the FBI's argument that the massive shift of communications from the telephone system to the Internet 'has made it far more difficult for the agency to wiretap Americans suspected of illegal activities.' The law has already been expanded once, in 2004, to include broadband networks, but still excludes Web companies. The FBI says its surveillance efforts are in danger of 'going dark' if it is not allowed to monitor the way people communicate now. Not surprisingly, a range of opponents, from privacy advocates to legal experts, disagree — strongly. On key tech hitch with the plan, per ACLU attorney Mark Rumold and others: There is a difference between wiretapping phones and demanding a backdoor to Internet services. 'A backdoor doesn't just make it accessible to the FBI — it makes it vulnerable to others,' Rumold says."

Gunkerty Jeb writes "Senator Al Franken (D-MN) is demanding answers to questions about the U.S. Department of Justice practice of gathering data from wireless providers in order to monitor individuals' movements using mobile phone location data. In a letter (PDF) to Attorney General Eric Holder, Franken said, 'I was further concerned to learn that in many cases, these agencies appear to be obtaining precise records of individuals' past and current movements from carriers without first obtaining a warrant for this information. I think that these actions may violate the spirit if not the letter of the Jones decision.'"

Sparrowvsrevolution writes "In defense of user privacy, Twitter filed a motion (PDF) yesterday in a New York state court asking a judge to block a subpoena that would force the company to turn over the data of one of its users, Malcolm Harris. Harris was arrested in an Occupy Wall Street protest on the Brooklyn Bridge in October for 'disorderly conduct.' The company's lawyers claim that the subpoena violates the fourth amendment and Twitter's terms of service, which says that users' tweets belong to them and thus can't be handed over to law enforcement without their consent."

alphadogg writes with a distressing bit of analysis of the training materials acquired by the ACLU last week. From the article: "Many law enforcement agencies across the U.S. track mobile phones as part of investigations, but only a minority ask for court-ordered warrants, according to a report released Monday by the American Civil Liberties Union. More than 90 law enforcement agencies said they track mobile phones during investigations, but only six reported receiving court-approved warrants after demonstrating that there's probable cause of a crime, according to an ACLU report based on public information requests filed by the group last year." The ACLU has a handy page allowing you to see if your local PD engages in such practices.

alphadogg writes with a distressing bit of analysis of the training materials acquired by the ACLU last week. From the article: "Many law enforcement agencies across the U.S. track mobile phones as part of investigations, but only a minority ask for court-ordered warrants, according to a report released Monday by the American Civil Liberties Union. More than 90 law enforcement agencies said they track mobile phones during investigations, but only six reported receiving court-approved warrants after demonstrating that there's probable cause of a crime, according to an ACLU report based on public information requests filed by the group last year." The ACLU has a handy page allowing you to see if your local PD engages in such practices.

alphadogg writes with a distressing bit of analysis of the training materials acquired by the ACLU last week. From the article: "Many law enforcement agencies across the U.S. track mobile phones as part of investigations, but only a minority ask for court-ordered warrants, according to a report released Monday by the American Civil Liberties Union. More than 90 law enforcement agencies said they track mobile phones during investigations, but only six reported receiving court-approved warrants after demonstrating that there's probable cause of a crime, according to an ACLU report based on public information requests filed by the group last year." The ACLU has a handy page allowing you to see if your local PD engages in such practices.

bs0d3 writes "U.S. Intelligence has hired social scientists to mine the vast resources of the Internet — Web searches and Twitter messages, Facebook and blog posts, the digital location trails generated by billions of cellphones. They intend to use this info to track sociological laws of human behavior — enabling them to predict political crises, revolutions and other forms of social and economic instability. Privacy advocates are deeply skeptical of the project, saying it reminds them of Total Information Awareness, a 9/11 Pentagon program that proposed hunting for potential attackers by identifying patterns in vast collections of public and private data: telephone calling records, e-mail, travel data, visa and passport information, and credit card transactions. In a recent budget proposal, the defense agency argues that its analysis can expose terrorist cells and other groups by tracking their meetings, rehearsals and sharing of material and money transfers."

adeelarshad82 writes "How long does your cell phone carrier retain information about your calls, text messages, and data use? According to data gathered by the Department of Justice, it can be as little as a few days or up to seven years, depending on your provider. The data was made public after the American Civil Liberties Union filed a Freedom of Information Act request related to an investigation into cell phone location tracking by police."

adeelarshad82 writes "How long does your cell phone carrier retain information about your calls, text messages, and data use? According to data gathered by the Department of Justice, it can be as little as a few days or up to seven years, depending on your provider. The data was made public after the American Civil Liberties Union filed a Freedom of Information Act request related to an investigation into cell phone location tracking by police."

According to the San Francisco Appeal, the cellphone service shut-down that the BART system imposed Thursday (by disabling transponders which allow cellphone communications in the underground portion of the system), besides drawing rebukes from various civil liberties groups, has generated plans for a protest Monday organized by Anonymous.

tgtanman writes "The Washington Post reports that the TSA will begin installing new software on millimeter wave body scanners at 41 airports that will replace the controversial body images with generic images of the body. While the change is currently limited to millimeter wave scanners, similar upgrades for backscatter scanners is being developed, according to the TSA. The ACLU has applauded the changes but continues to note other concerns with the scanners."

jhernik writes "Lawyers on Friday asked a judge to overturn a ruling from earlier this month, forcing Twitter to hand over account details to the Department of Justice, in a case related to the federal government's ongoing investigation of WikiLeaks. The appeal (PDF) seeks to overturn a ruling that would give the government access to Twitter account details for three users who had contact with WikiLeaks. The government also wants Twitter to provide information on WikiLeaks founder Julian Assange and on Bradley Manning, a US Army private charged with providing data to WikiLeaks."

Hugh Pickens writes writes "Alex Madrigal reports in the Atlantic that the ACLU has taken up the case of Maryland corrections officer Robert Collins, who was required to provide his Facebook login and password to the Maryland Division of Corrections during a recertification interview so the interviewer could log on to his account and read not only his postings, but those of his family and friends too. 'We live in a time when national security is the highest priority, but it must be delicately balanced with personal privacy,' says Collins. 'My fellow officers and I should not have to allow the government to view our personal Facebook posts and those of our friends, just to keep our jobs.' The ACLU of Maryland has sent a letter to Public Safety Secretary Gary Maynard (PDF) concerning the Division of Correction's blanket requirement that applicants for employment with the division, as well as current employees undergoing recertification, provide the government with their social media account usernames and personal passwords for use in employee background checks. After three weeks the ACLU has received no response."

eldavojohn writes "The ACLU has recently identified Network Neutrality a key free speech issue and said in a lengthy PDF report: 'Freedom of expression isn't worth much if the forums where people actually make use of it are not themselves free. And the Internet is without doubt the primary place where Americans exercise their right to free expression. It's a newspaper, an entertainment medium, a reference work, a therapist's office, a soapbox, a debating stand. It is the closest thing ever invented to a true "free market" of ideas.' The report then goes on to argue that ISPs have incentive and capability of interfering with internet traffic. And not only that but the argument that it is only 'theoretical' are bogus given they list ten high profile cases of it actually happening. If the ACLU can successfully argue that Net Neutrality is a First Amendment Issue then it might not matter what businesses (who fall on either side of the issue) want the government to do."

eldavojohn writes "The ACLU has recently identified Network Neutrality a key free speech issue and said in a lengthy PDF report: 'Freedom of expression isn't worth much if the forums where people actually make use of it are not themselves free. And the Internet is without doubt the primary place where Americans exercise their right to free expression. It's a newspaper, an entertainment medium, a reference work, a therapist's office, a soapbox, a debating stand. It is the closest thing ever invented to a true "free market" of ideas.' The report then goes on to argue that ISPs have incentive and capability of interfering with internet traffic. And not only that but the argument that it is only 'theoretical' are bogus given they list ten high profile cases of it actually happening. If the ACLU can successfully argue that Net Neutrality is a First Amendment Issue then it might not matter what businesses (who fall on either side of the issue) want the government to do."

shriphani writes "A US judge has ruled that Myriad Genetics' breast cancer gene patent is invalid. Hopefully this will go a long way in ensuring that patents on genes do not stand in the way of research. From the article: 'Patents on genes associated with hereditary breast and ovarian cancer are invalid, ruled a New York federal court today. The precedent-setting ruling marks the first time a court has found patents on genes unlawful and calls into question the validity of patents now held on approximately 2,000 human genes.'"

MacAndrew writes "The ACLU has sued the United States Government to enforce a Freedom of Information Act (FOIA) request for 'the release of records relating to the use of unmanned aerial vehicles — commonly known as 'drones' — for the purpose of targeting and killing individuals since September 11, 2001.' (Complaint.) The information sought includes the legal basis for use of the drones, how the program is managed, and the number of civilian deaths in areas of operation such as Iraq, Afghanistan, Pakistan, and Yemen. The ACLU further claims that 'Recent reports, including public statements from the director of national intelligence, indicate that US citizens have been placed on the list of targets who can be hunted and killed with drones.' Aside from one's view of the wisdom, effectiveness, and morality of these military operations, the inclusion of US citizens suggests that summary remote-control executions are becoming routine. Especially given the difficulty in locating and targeting individuals from aircraft, risks of human and machine error are obvious, and these likely increase as the robots become increasingly autonomous (please no Skynet jokes). This must give pause to anyone who's ever spent time coding or debugging or even driving certain willful late model automobiles, and the US government evidently doesn't want to discuss it."

Hugh Pickens writes "The Washington Post reports that Erroll Southers, President Obama's nominee to head the Transportation Security Administration, gave Congress misleading information about incidents in which he inappropriately accessed a federal database, possibly in violation of privacy laws. Southers accepted full responsibility for a 'grave error in judgment' when he accessed confidential criminal records twenty years ago about his then-estranged wife's new boyfriend. Southers's admission that he was involved in a questionable use of law enforcement background data has been a source of concern among civil libertarians, who believe the TSA performs a delicate balancing act in tapping into passenger information to find terrorists while also protecting citizens' privacy." "In his letter to key senators on November 20, Southers said he simply forgot the circumstances of the searches, which occurred in 1987 and 1988 after he grew worried about his wife and their son, who had begun living with the boyfriend. 'During a period of great personal turmoil, I made a serious error in judgment by using my official position with the FBI to resolve a personal problem,' Southers wrote. Civil liberties specialists say that the misuse of databases has been common among law enforcement authorities for many years, despite an array of local, state and federal prohibitions intended to protect personal information. Studies have found that police at every level examine records of celebrities, women they have met and political rivals. 'I am distressed by the inconsistencies between my recollection and the contemporaneous documents, but I assure you that the mistake was inadvertent, and that I have at all times taken full responsibility for what I know to have been a grave error in judgment,' Southers added."

ewhac writes "Back in June, the American Civil Liberties Union published an article describing Facebook's complete lack of meaningful security on your and your friends' information. The article went virtually unnoticed. Now, a developer has written a Facebook 'Quiz' based on the original article that graphically illustrates all the information a Facebook app can get its grubby little hands on by recursively sweeping through your friends list, pulling all their info and posts, and showing it to you. What's more, apps can get at your information even if you never run the app yourself. Facebook apps run with the access privileges of the user running it, so anything your friend can see, the app they're running can see, too. It is unclear whether the developer of the Facebook app did so 'officially' for the ACLU."

ewhac writes "Back in June, the American Civil Liberties Union published an article describing Facebook's complete lack of meaningful security on your and your friends' information. The article went virtually unnoticed. Now, a developer has written a Facebook 'Quiz' based on the original article that graphically illustrates all the information a Facebook app can get its grubby little hands on by recursively sweeping through your friends list, pulling all their info and posts, and showing it to you. What's more, apps can get at your information even if you never run the app yourself. Facebook apps run with the access privileges of the user running it, so anything your friend can see, the app they're running can see, too. It is unclear whether the developer of the Facebook app did so 'officially' for the ACLU."

bkuhn writes "The ACLU and the Public Patent Foundation have filed a lawsuit charging that patents on two human genes associated with breast and ovarian cancer are unconstitutional and invalid. The lawsuit (PDF) was filed on behalf of four scientific organizations representing more than 150,000 geneticists, pathologists, and laboratory professionals, as well as individual researchers, breast cancer and women's health groups, and individual women. Individuals with certain mutations along these two genes, known as BRCA1 and BRCA2, are at a significantly higher risk for developing hereditary breast and ovarian cancers."

Frequent Slashdot contributor Bennett Haselton writes with his idea for mass adoption of anti-virus software: "If the US government did more to encourage people to keep their computers secure — by buying TV ads to publicize free private-sector anti-virus programs, or subsidizing the purchase of anti-virus software — we'd all be better off, on average. That's not just idealistic nanny-statism, but something you can argue mathematically, to the point where even some libertarians would agree." Read on for the rest of Bennett's thoughts.

This requires a discussion of "positive externalities," which may seem pedantic to you if you remember the concept from econ class, in which case you can skim the next five paragraphs. When you buy anti-virus software, some of the benefits accrue to you — less risk of your data being lost to a virus, or of annoying spyware infecting your computer with pop-up ads — but some of the benefits also accrue to other people. Prior to anti-virus software being installed on your computer, your machine might have been infected and taken over by criminals who used it to send spam. Or it might have helped to propagate the virus to other people. (Note: I am using "virus" to incorporate related things like "worms" and not worrying about the distinction.) Or you might have thought there was a problem with your computer, not realizing the problem was caused by a virus, and wasted time calling the tech support line for your computer manufacturer or for some other product on your computer. (If the company charges for tech support, then you're paying the cost of your call rather than passing those costs on to others, but if the call is free, then the costs have to be passed on to the company and hence indirectly to their other customers.) When you install anti-virus software, the chances of all these things happening are reduced, and those are the benefits that accrue to others — positive externalities, in economics jargon.

The key assumption is that you can put a price on all of the positive externalities generated by a given person installing the anti-virus software. It's different for every person, but it always adds up to some value, something that is not microscopic, but also not fantastically larger than the purchase price of the anti-virus program. It's on the order of adding 1/100,000th of a penny's worth of value to the lives of 100 million other people, for a total positive externality of $10.

To see that this is a reasonable assumption, suppose that if I had a choice between living in a world where all 100 million other Internet users in the US had no anti-virus software installed (using round numbers to make things simpler), and living in a world where all of the other users in the US had anti-virus software installed, I would pay $10 more per year to live in the latter, counting only the benefits to me and not factoring in any altruistic desire to help protect fellow citizens. (I personally would pay a lot more than $10 because I use the Internet so much, but the average might be closer to $10. Also, what I'd really like is for more people in certain other countries to install anti-virus software — China comes to mind — but I'm leaving them out of this discussion because it would be harder for the US government to encourage that.) When everyone else in the US is using anti-virus software, the benefits are returned to me in various ways, such as it being easier for me to send and receive e-mail because there aren't so many botnet-infected machines sending spam. (This is independent of my decision as to whether to buy anti-virus software for myself or not.)

Now, once I've decided I'd pay $10 more to have all my fellow Americans install anti-virus software, I could draw a graph (while my friends are out snowboarding with their girlfriends) with "how many other US users have hypothetically installed anti-virus software" on the x-axis, and "how much would I pay to live in that world" on the y-axis. At the point on the graph where no other people have anti-virus software, I'm willing to pay $0 to live in that world. (Well, of course I'd pay a lot more than $0 to be alive in any world, but I'm comparing other worlds to that one, so I'm just using $0 as my baseline.) At the point on the x-axis where all 100 million other users have installed anti-virus software, I'm willing to pay $10 to live in that world instead. What does the graph look like in between those points? Well, I can assume it's upward-sloping — the more other people install anti-virus software, the better it is for me. I could also adopt the simplifying assumption that it's a straight line — so I would pay $3 to live in a world where 30 million other people have anti-virus software installed, $6 to live in a world where 60 million other people have it installed, etc. It's not really a straight line, because when the first 50 million Americans install anti-virus software, that still leaves 50 million others to get infected and do damage, but when the next 50 million install it, that has eliminated all the unguarded computers in the US, and made it a lot harder for viruses to spread, at least within our borders. In other words, the line representing the quality of life to me as a function of how many other people installed anti-virus software, would rise more slowly in the range 0-50 million than it would rise in the range 50-100 million. But as long as the curve doesn't make any sudden jumps — for example, I know that the 30-millionth person installing anti-virus software isn't suddenly going to make my quality of life go up by $1 — I know the curve generally has to rise smoothly. So for a really rough approximation I'll treat it as a straight line.

If the graph is a straight line with the value $0 when nobody else installs anti-virus software, and $10 when everybody else installs anti-virus software, then each additional user installing anti-virus software creates an additional benefit to me of 1/100,000th of a penny (so 1/100,000th of a penny, times 100 million, comes out to $10).

You may think it's ridiculous or meaningless to say that someone else installing anti-virus software can benefit me to the tune of 1/100,000th of a penny. I myself can't wrap my head around it. But I can use the necessary properties of the graph — that it starts at $0, ends at $10, must curve upward, and doesn't make any sudden jumps — to reason that it should be approximately true.

And then, if each other US Internet user derives an average of 1/100,000th of a penny's worth of benefit when you install anti-virus software, then the total benefit that you confer on other people by installing the software, comes out to 1/100,000th of a penny times 100 million, or $10. And that's not even counting all the spillover benefits to users in other countries each time an American installs anti-virus software, something that we could consider a kind of off-the-books foreign aid. (Even if we would really like for it to be reciprocated by all users in countries like China installing anti-virus software as well.)

This is actually not hard to reconcile with people's attitudes toward installing anti-virus software. It's recommended as something you should do not only for your own protection, but also as something you should do to be a "good Netizen" so as not to impose inconveniences on other people. If your installing anti-virus software only conferred about 1 penny's worth of total benefit on the rest of the world, nobody would bother exhorting you to do it as a kind of civic duty. On the other hand, if your installing anti-virus software conferred thousands of dollars' worth of good on the world (or, equivalently, not installing anti-virus software exposed the rest of the world to thousands of dollars' worth of risk or damage), then people would not only be exhorted to install it, it would probably be required by law, like functioning car brakes. The kind of pressure that we see today to install anti-virus software — gentle prodding but not outright compulsion — feels commensurate with a value between $1 and $100 of the benefits that a person confers on the rest of the world by installing it.

But this logic also means is that we are missing an opportunity to make everybody better off on average, by actually subsidizing the purchase of anti-virus software for some people who otherwise would not have bought it. Suppose each user confers $10 worth of positive externalities on other American Internet users when they install anti-virus software. Now first consider the case of an a program like Norton Anti-Virus which costs $40.

For anybody who personally values their own anti-virus protection at $40 or more, great — they'll buy the software, they get the value they want from it, and everybody else gets the positive externalities of that person's virus protection, for free. But consider the people who value the anti-virus software at somewhere between $35 and $40. With no government rebate, they won't buy the software.

But now suppose the government offers a $5 rebate (funded by a tax on all 100 million Internet users) to anyone who buys anti-virus software. Everybody who would have bought the software before, will obviously still buy it now that the government rebate has effectively lowered the price to $35, and now, all the people who value the software between $35 and $40 will buy it as well. For each person who purchases the software at the new price of $35, the following is true:

• The person who bought the anti-virus software is better off — they valued the software at at least $35, and they got it for $35. (Otherwise, they wouldn't have bought it.)
• The taxpayers who subsidized the purchase are better off. Each rebate cost the taxpayer one-hundred-millionth of $5. But when that user installed the anti-virus software, they conferred $10 worth of total benefit on all other Internet users in the US, so that benefits each Internet-using taxpayer one-hundred-millionth of $10. So they're ahead.

If this seems fanciful, we're still in the domain of standard economics textbook stuff. When positive externalities are involved, the free market by itself will usually not reach the optimal outcome; by adding in some government subsidies, you can achieve an outcome that leaves everyone better off than they were before (even after subtracting the cost of the taxes to fund the subsidies). Call them "subsidies even a libertarian could love." Steven Landsburg's books The Armchair Economist and More Sex Is Safer Sex, and Tim Harford's books The Undercover Economist and The Logic Of Life, explain the logic of externalities probably better than I can, and give other interesting examples. When I say "subsidies even a libertarian could love," consider that Landsburg once wrote that George W. Bush's tax plan was unfairly burdensome to the rich, because "it seems patently unfair to ask anyone to pay over 30 times as much as his neighbors." That's pretty, uh, libertarian. But even Landsburg has argued, in More Sex Is Safer Sex, that LoJack anti-car-theft devices should be heavily subsidized by the government, because they create positive externalities — when more people buy LoJacks, thieves are deterred from stealing everyone's cars, because there's no way to tell whether a particular car has a LoJack installed or not. To the extent that anti-virus software creates positive externalities, it should be subsidized as well.

A modified version of this logic applies even to free anti-virus programs like AVG Anti-Virus. AVG is only "free" if you don't count the costs of finding out about it in the first place, then downloading it, installing it, and leaving it running. All of these add up to costs that, for whatever reason, have led to many people choosing to run nothing at all, rather than to run AVG even though it's free. If the government ran a campaign announcing the rebates for purchasers of anti-virus software, they could also use the campaign to recommend certain free programs -- thus effectively offsetting the "costs" by providing a "subsidy" for those programs in the form of free advertising.

When I ran this past some people for comment, two respondents, Steven Landsburg and Esther Dyson, independently recommended versions of a popular alternative idea, which was to penalize people directly for spreading computer virus infections. Landsburg commented:

I certainly think there are huge externalities here, and they derive from the fact that idiots who don't know what they're doing insist on administering their own mail clients. I don't have a mail client on my machine precisely because I am one of those idiots and I don't want to be responsible for a virus grabbing my address book and running with it.

So I have long thought that mail clients should be taxed and/or (if it were technologically feasible) that individual users should be fined heavily if viruses spread from their machines (or send spam from their machines).

Esther Dyson suggested something similar:

One method to consider is — rather than subsidy — requiring the ISPs to post a bond for their customers and assume responsibility for their actions. They can ask their customers in turn either to buy an antivirus package, to sell one that the ISP will offer for free, or to post a bond guaranteeing that they know what they're doing and will do no harm. The ISP is then liable for the misbehavior of its customers and may forfeit the bond if some specified level of disruption is caused by its customers.

In theory, this works better than my idea because it precisely targets the undesirable behavior: We don't really want to penalize people for not running anti-virus software, we want to penalize people for not running anti-virus software and imposing costs on others as a result. It's not possible for 100 million people to charge one person 1/100,000th of a penny each for the inconvenience and risk that person creates by not installing anti-virus software, but it might be possible for one recipient of the virus to seek to punish the person who gave it to them.

However, I think this scheme would have more practical problems:

1. You can only penalize the virus spreader if you know exactly who was responsible for passing it on to you. This works for old-school viruses that spread as e-mail attachments, but not for worms like Code Red that probe the network looking for other machines to infect — if you're infected as a result of a remote IP address probing your machine, it's unlikely that you would ever find out exactly when or how it happened, much less the owner of the IP address that infected you.
2. If you found out that a friend spread a computer virus to your machine, you'd probably be under a lot of pressure from your friend not to turn them in.
3. For people who did get taken to court for spreading viruses, there would be overhead costs associated with processing the case, over and above the actual fine that may be levied against the individual. (If the penalty happens outside the court system — for example by ISPs keeping the bond posted to them by a customer — at least some of those customers will probably feel wronged and sue the ISP, generating court costs either way.)
4. If someone accidentally spread a virus to a large number of other machines, that could make their total liability far greater than what they could actually pay.

The idea of fining or otherwise punishing people for accidentally spreading viruses is something I've thought about too, but usually in a moment of venting. As Steven Landsburg dryly says, "Your solution (subsidized antivirus software) might be more effective, but mine would be more satisfying (to me)." I think the option of punishing people for propagating viruses is something that should be explored in more detail, but I can't offhand think of any solutions that would avoid the problems listed above. The fact is that anybody with an Internet connection has the potential to do enormous damage if their machine gets infected, and in most cases it would be too hard to track the harm back too them, and too harsh to make them pay the real cost of the damage.

On the other hand, the option of a government publicity campaign to get people to install anti-virus software — at least the free ones, which should be a no-brainer — is something that seems like it should start bringing benefits right away. Government advertisements for free programs would require the least amount of paperwork to set up, because all the government would have to do would be to produce the TV ads and buy the airtime. (Other proposals, such as subsidies for non-free anti-virus software, or paying people outright to install anti-virus software, would require more overhead to implement. That doesn't mean they shouldn't be tried, but go for the low-hanging fruit first.) Now, what the ads should look like would be a question for advertising experts, but I would really hammer home the point: "Go to this government website and we have a list of recommended FREE anti-virus programs. These are not 'free trials' for something you have to pay for later. They are FREE. If you're not using anything at all, at least go get one of these." Along a list of the non-free programs for people who want even more protection, and links to third-party reviews of those.

More generally, I think that government-funded action to encourage better computer security is something that has not been given enough consideration. I think this is partly due to hostility to anything that smacks of government intervention (because of, among other things, numerous times the US government has attempted to censor the Internet), and partly because of an assumption that the free market will provide the best solution by itself. But if the government is actually on the right side of an issue — the side of promoting better computer security — then there's no reason to be petty and foul up their campaign just because we're still resentful that they once tried to make the Internet into a no-cussing zone. Hey, if the government thugs start to care more about computer viruses than about Internet porn, then they're learning! Give them a pat on the head and help them get the word out! And meanwhile, economic theory predicts that because of the externalities problem, the free market by itself won't lead to the optimal number of people using anti-virus software or keeping their computers secure. That's precisely the situation where a government-funded push toward more computer security can bring everyone more benefits than it costs. If you wear a Ron Paul t-shirt, but you found out about free anti-virus software software from a state-sponsored TV ad, nobody has to know.

trackpick points out a recent ACLU initiative to publicize a recent expansion of authority claimed by the Border Patrol to stop and search individuals up to 100 miles from any US border. They have created a map of what they call the US Constitution-Free Zone. "Using data provided by the US Census Bureau, the ACLU has determined that nearly 2/3 of the entire US population (197.4 million people) live within 100 miles of the US land and coastal borders. The government is assuming extraordinary powers to stop and search individuals within this zone. This is not just about the border: This 'Constitution-Free Zone' includes most of the nation's largest metropolitan areas.'"

trackpick points out a recent ACLU initiative to publicize a recent expansion of authority claimed by the Border Patrol to stop and search individuals up to 100 miles from any US border. They have created a map of what they call the US Constitution-Free Zone. "Using data provided by the US Census Bureau, the ACLU has determined that nearly 2/3 of the entire US population (197.4 million people) live within 100 miles of the US land and coastal borders. The government is assuming extraordinary powers to stop and search individuals within this zone. This is not just about the border: This 'Constitution-Free Zone' includes most of the nation's largest metropolitan areas.'"

Wired's Threat Level blog reports that the American Civil Liberties Union has filed a lawsuit contesting the constitutionality of the Foreign Intelligence Surveillance Act. Recently passed by both the House and Senate, FISA was signed into law on Thursday by President Bush. The ACLU has fought aspects of FISA in the past. The new complaint (PDF) alleges the following: "The law challenged here supplies none of the safeguards that the Constitution demands. It permits the government to monitor the communications of U.S. Citizens and residents without identifying the people to be surveilled; without specifying the facilities, places, premises, or property to be monitored; without observing meaningful limitations on the retention, analysis, and dissemination of acquired information; without obtaining individualized warrants based on criminal or foreign intelligence probable cause; and, indeed, without even making prior administrative determinations that the targets of surveillance are foreign agents or connected in any way, however tenuously, to terrorism."

tpaudio writes "The ACLU and the EFF are suing the Department of Justice over how the government might be using GPS and location data from cell phones. With over 200 million Americans carrying cell phones, this could be pretty important for setting guidelines. We have already seen other frightening powers related to cell phones, such as 'cell mic tapping.'" The ACLU press release is also available, and it contains links to the complaint and the Freedom of Information Act request. We've previously discussed instances of cell phone tracking in the US and elsewhere.

The ACLU has reportedly uncovered another pass at telecom immunity and is urging concerned citizens to speak out against what they call a "dangerous backroom deal." "But now, word comes that House leadership may be working hand-in-hand with Senator Jay Rockefeller, the Democratic Chairman of the Senate Intelligence Committee, who has spearheaded efforts to give immunity to law-breaking phone companies that provided mountains of customer data to the government without warrants. As discussions continue, it's critical that House leadership avoid buckling to pressure from the White House or Senator Rockefeller at all costs. House leadership — and every representative — need to draw a line in the sand, by rejecting any compromise that would undo the achievement we fought so hard for in February."

mrogers writes "The EFF has uncovered a troubling footnote in a newly declassified Bush Administration memo, which asserts that 'our Office recently [in 2001] concluded that the Fourth Amendment had no application to domestic military operations.' This could mean that the Administration believes the NSA's warrantless wiretapping and data mining programs are not governed by the Constitution, which would cast Administration claims that the programs did not violate the Fourth Amendment in a whole new light — after all, you can't violate a law that doesn't apply. The claimed immunity would also cover other DoD agencies, such as CIFA, which carry out offline surveillance of political groups within the United States."

Wired has an article on the national fusion centers in the US, which were created to aid intelligence-sharing in the fight against terrorism but are increasingly being used to look at other sorts of crimes. The keynote of these centers is "all hazards, all threats" — the LA police chief is quoted: "Information that might seem innocuous may have some connection to terrorism." The ACLU has up an interactive US map to help you become acquainted with your local fusion center.

quizzicus writes "The Washington Post writes today about a sensitive White House document detailing how to screen for, silence, and remove protesters who show up at the President's public appearances. Obtained by an ACLU subpoena in the Rank v. Jenkins case, the Presidential Advance Manual (PDF) is dated October 2002. It lays out strategies such as searching audience members at the door for hidden protest material, strategically placing 'rally squads' throughout the crowd to intercept and shout down hecklers, and forcefully removing dissenters who cannot be squelched. The manual advises, however, that staff should 'decide if the solution would cause more negative publicity than if the demonstrators were simply left alone.'"

quizzicus writes "The Washington Post writes today about a sensitive White House document detailing how to screen for, silence, and remove protesters who show up at the President's public appearances. Obtained by an ACLU subpoena in the Rank v. Jenkins case, the Presidential Advance Manual (PDF) is dated October 2002. It lays out strategies such as searching audience members at the door for hidden protest material, strategically placing 'rally squads' throughout the crowd to intercept and shout down hecklers, and forcefully removing dissenters who cannot be squelched. The manual advises, however, that staff should 'decide if the solution would cause more negative publicity than if the demonstrators were simply left alone.'"

jamie caught a breaking news story this evening: the secret FISA Court has ordered the Bush administration to respond by August 31 to an ACLU request for orders and legal papers discussing the scope of the government's authority to engage in the secret wiretapping of Americans. The ACLU's press release calls it an "unprecedented order."

Bennett Haselton has writes "In recent arguments over the constitutionality of the Child Online Protection Act, both sides have argued over the efficiency of Internet blocking software. While COPA would prohibit commercial U.S. websites from publishing freely available material that is "harmful to minors", the ACLU has argued that blocking software is a far more effective alternative, since among other things it can block porn sites located overseas, non-commercial websites, and p2p programs, all of which are beyond the reach of COPA. On the other hand, we had the surreal experience of watching the Department of Justice lawyer arguing in favor of a censorship law by saying that the blocking software alternative was unfair to children -- because it blocked too much legitimate material." The rest of Bennett's essay follows.

"For example," said DOJ attorney Eric Beane during opening arguments, "one filter even blocked a website promoting a marathon to raise funds for breast cancer research. Part of the CIA's World Fact Book was blocked. And a page with an ACLU calendar. [Blocking software blocks] a significant portion of other materials on the World Wide Web, materials that in many cases are necessary for a child to complete his homework." (Opening arguments transcript, p. 37.) As someone who has been publishing critiques of blocking software for years, I read those words and felt like cheering, despite the fact that I'm sitting in the other side's fan section for this match. (Beane is right, but he's missing the point, which is that whatever problems exist with blocking software, are minor compared to the problems with COPA -- because blocking software raises no constitutional issues when it's used by a private party in their own house, whereas COPA affects everyone in the U.S.)

The irony, of course, is that three years ago, in the trial over the similarly-named Children's Internet Protection Act (CIPA) which required blocking software in all schools and libraries that receive federal funds, it was the ACLU pointing out the flaws in blocking software and the Department of Justice claiming that blocking software was accurate and effective.

At first it would seem that both sides are now guilty of flip-flopping. But reviewing what was said then and what was said now, my conclusion is that the ACLU did nothing more than shift their focus to a different set of facts, while the government did contradict themselves. And the source of this seeming flip-flop actually comes down to something pretty simple: two different ways of stating one set of numbers.

Now before going further I can't resist saying that I think the whole debate over "harmful to minors" material is pretty silly, because I don't think the pro-censorship side has ever put forth a reason why they think that pictures of naked people, or even people having sex with each other, are harmful to people under 18. I disagree with some people on matters like abortion and the death penalty, but I at least think they have some facts on their side; but I don't know of any facts supporting people who think that pornography is dangerous. Why is a woman's nipple harmful but a man's nipple isn't? How are the majority of high school students who have already had sex anyway, supposed to be harmed by pictures of other people having sex? And apart from the logical paradoxes, the pervasiveness of the Internet has now given us empirical data too: virtually all minors have now have access to anything they want to get on the Internet (either at home, or by sneaking to a friend's house), and where's the evidence that adolescents' brains have been hormonally turned to mush any more than they always have been?

But for the remainder of the discussion, suppose you're addressing people who believe that nudity and sexual material really are harmful to people under 18. (In any case, the judges probably believe it, and even if they don't, they're bound by legal precedents that assume as much.) The question is how accurately blocking software achieves this goal.

Blocking software has two types of error rates: underblocking (failure to block porn sites) and overblocking (blocking of non-pornographic sites). Underblocking errors are usually expressed one way: the percentage of porn sites in a given sample that are not blocked. But overblocking errors can be stated in two ways: the percentage of non-porn sites that are blocked, or the percentage of blocked sites that are not pornographic. (There are borderline cases like nude art sites, but it turns out they're not common enough to affect the margin of error much; the vast majority of sites are either clearly porn or clearly not.)

The key is that if you want the overblocking rate to sound low, you talk about the percentage of non-porn sites that are blocked. If you want it to sound high, you talk about the percentage of blocked sites that are non-porn.

For example, in the 2003 Supreme Court arguments over CIPA, Department of Justice attorney Theodore Olson downplayed the error rates of blocking software by saying:

"But even if it's tens of thousands of the -- of the 2 billion pages of material that is on the Internet, we're talking about one two-hundredths of 1 percent, even if it's 100,000, of materials would be blocked."

Here he's referring to the percentage of non-porn sites that are filtered. Attorney Paul Smith, arguing against the law, countered:

"And so we have -- on these lists is a proportion, a huge proportion, perhaps 25, perhaps 50 percent of the sites that are blocked that are not illegal even for children."

and:

"And the evidence is that there's about 11 million websites on the Internet, in --in the accessible part of the Internet and that 100,000 of those are the sexually explicit ones and that the --there are at least tens of thousands more that are on the list. So it's --the Government also says in their brief that about one percent of the Internet is over- blocked, which would be about 100,000 sites. So it is a substantial percentage. It is also a substantial amount. And most importantly, it's a very large percentage of what they're blocking is not what they intend to block."

-- that is, talking about the percentage of blocked sites that were non-pornographic. Both sides cited the same figure (100,000 non-pornographic sites blocked, apparently referring to an average across all blocking programs) -- but that same number could be seen as an "error rate" of either one hundredth of one percent, or 50%, depending on which formula you use.

Then in this year's COPA trial, the ACLU called CMU professor Lorrie Faith Cranor who testified that in tests that she reviewed,

"[blocking software programs] correctly blocked an average of approximately 92 percent of objectionable content. And they incorrectly blocked an average of 4 percent of content not matching the test criteria."

(Oct. 24th transcript, p. 57.) Back to talking about the percentage of non-porn sites that are blocked -- which, again, when you put it that way, sounds low. On the other hand, although I couldn't find exact numbers cited by the DOJ's lawyers on the number of sites that were incorrectly blocked, in the portions of his opening argument quoted above, Eric Beane focused on the sad fact of the sites that were blocked -- not the fact that they comprised only a tiny fraction of sites on the Web. The two sides simply swapped formulas.

As for Peacefire's own studies over the years of blocking software error rates, one of the legitimate criticisms that could be made about our efforts was that we focused almost exclusively on the second number, the percentage of blocked sites that were non-porn. If you were interested in how blocking software actually affects the surfing experience of minors who are forced to use it, perhaps you would focus more on the first number, the percentage of non-porn sites that are blocked. Perhaps, you might say, that as an organization addressing the blocking software issue specifically from a minors' rights point of view, we really should have focused on that number quite a bit! But I did get a bit preoccupied with playing "gotcha" with the blocking companies, focusing on the percentage of blocked sites that were obvious mistakes, because it was frankly too much fun publicizing the absurdly high error rates of their programs, which belied the claims made by most blocking companies that all sites on their blacklist were examined by a human at their company before being added. (Although it seems to have done some good -- as far as I know, no blocking company is making that claim about their product today.)

The error rates were indeed absurdly high; we took a sample of the first 1,000 .com domains in an alphabetical list, ran them through several programs, and found that of the sites blocked, between 20% and 80% (!) were errors. (The median error rate was about 50%, which corresponds to the figure given by Paul Smith in the CIPA trial oral arguments quoted above.) This surprised even critics of blocking software, and skeptics complained that we must have made mistakes or simply fudged the numbers. (The whole point of using the first 1,000 .com domains was that if we had used a random sample and gotten error rates like that, we could have been accused of "stacking the deck" and using a fake random sample that was loaded with known errors and not truly random.) Years later, it came out that the companies whose products we'd tested, had been following a policy that if they found an objectionable site on a given IP address, all sites on that IP would be blocked, on the theory that hosting companies often group porn sites together on the same machine. Trouble was, while this may have often been true for bona fide porn sites, it was not true for most sites that featured just an incidental shot of someone's bare breasts or a large amount of profanity -- but this would also be enough to get all sites blocked at a given IP. So the 80% error rate was about what you'd expect after all.

You might think that a product with an 80% error rate could never survive in the marketplace, but consider who was buying the software. On the one hand, you had schools and companies buying the programs -- but they didn't care whether it worked so much as they cared about being able to show, for liability reasons, that they did something. On the other hand, you had parents who really did care about keeping porn off their computer -- but how many parents really did any thorough testing of the product, other than making sure it blocks the obvious sites like Playboy.com? A serious test could take days. Their kids are the only ones who would end up doing any thorough "testing" of the product, and if they found a way around it, it's not likely that they would tell their parents. With no market pressure to fix problems, an 80% error rate wasn't really surprising.

But even the most vocal critics of blocking software only pointed out that blocking software sometimes blocked sites about plumbing, or soccer, or aluminum siding; we never claimed that most of those sites would be blocked. Even with our high numbers of wrongly blocked sites, if they had been expressed as a percentage of non-porn sites that are blocked, they would have still sounded like a "low error rate".

The moral is, always keep track of what the "error rate" refers to in these debates. By moving around a few variables in a formula, the Department of Justice was able to go from saying in 2003 that blocking software was minimally intrusive, to making a speech in 2006 that made blocking software sound so tragically limiting that you could practically hear the violins playing. (I know, people who live in glass houses... *ahem*)

And what about the ACLU? If the Department of Justice is guilty of flip-flopping, from saying in 2003 that blocking software is a reasonable and narrowly tailored solution, to saying in 2006 that it's clumsy, ineffective, and overbroad, is the ACLU guilty of flip-flopping in the opposite direction?

Actually, the ACLU's position has always been consistent: blocking software has First Amendment problems when used in a school or library, due to overblocking and underblocking errors, but if used in the home it is still a lot more effective than a law like COPA, which would score pathetically on the same scale. As ACLU attorney Chris Hansen stated in opening arguments:

"COPA does not reach the 50% of all speech that is overseas... Filters are the most effective. Almost all of the filters that [expert witness] Mr. Mewett tested were at least 95% effective. Think about the 5% ineffectiveness compared to where we start with COPA being 50% ineffective..."

(Opening arguments, p. 22. Note: Chris Hansen has confirmed that the official transcript is wrong; it has him saying "35%" instead of "95%", which wouldn't make any sense.) As for overbreadth, COPA would criminalize speech by adults, intended for adults, something that no blocking program could ever do -- and as for minimizing collateral damage to innocent sites, does anyone think that even if COPA is upheld, parents will throw out their blocking software?

Even though the ACLU focused on different statistics in the two trials, in both cases they were focusing on the numbers that were relevant to the issue. When talking about constitutional problems with blocking software in schools and libraries, the percentage of blocked sites that are incorrectly blocked, is important, because it's their First Amendment rights that are at issue. The DOJ lawyer talking about all the sites that weren't blocked, was missing the point. If your site is being blocked, it hardly matters to you that for every blocked site there are hundreds that are not. "Hey, your site is not accessible, but don't worry, your competitors' sites are!"

On the other hand, when talking about the use of blocking software in the home, the publisher's First Amendment rights are not at issue; the issues that most parents would care about, are how effective it is, and whether most clean sites are still accessible. Well of course most of them are. Blocking software is not that bad.

Confused? The option to just stop making a big deal out of porn on the Internet is looking better all the time, isn't it?

Bennett Haselton has writes "In recent arguments over the constitutionality of the Child Online Protection Act, both sides have argued over the efficiency of Internet blocking software. While COPA would prohibit commercial U.S. websites from publishing freely available material that is "harmful to minors", the ACLU has argued that blocking software is a far more effective alternative, since among other things it can block porn sites located overseas, non-commercial websites, and p2p programs, all of which are beyond the reach of COPA. On the other hand, we had the surreal experience of watching the Department of Justice lawyer arguing in favor of a censorship law by saying that the blocking software alternative was unfair to children -- because it blocked too much legitimate material." The rest of Bennett's essay follows.

"For example," said DOJ attorney Eric Beane during opening arguments, "one filter even blocked a website promoting a marathon to raise funds for breast cancer research. Part of the CIA's World Fact Book was blocked. And a page with an ACLU calendar. [Blocking software blocks] a significant portion of other materials on the World Wide Web, materials that in many cases are necessary for a child to complete his homework." (Opening arguments transcript, p. 37.) As someone who has been publishing critiques of blocking software for years, I read those words and felt like cheering, despite the fact that I'm sitting in the other side's fan section for this match. (Beane is right, but he's missing the point, which is that whatever problems exist with blocking software, are minor compared to the problems with COPA -- because blocking software raises no constitutional issues when it's used by a private party in their own house, whereas COPA affects everyone in the U.S.)

The irony, of course, is that three years ago, in the trial over the similarly-named Children's Internet Protection Act (CIPA) which required blocking software in all schools and libraries that receive federal funds, it was the ACLU pointing out the flaws in blocking software and the Department of Justice claiming that blocking software was accurate and effective.

At first it would seem that both sides are now guilty of flip-flopping. But reviewing what was said then and what was said now, my conclusion is that the ACLU did nothing more than shift their focus to a different set of facts, while the government did contradict themselves. And the source of this seeming flip-flop actually comes down to something pretty simple: two different ways of stating one set of numbers.

Now before going further I can't resist saying that I think the whole debate over "harmful to minors" material is pretty silly, because I don't think the pro-censorship side has ever put forth a reason why they think that pictures of naked people, or even people having sex with each other, are harmful to people under 18. I disagree with some people on matters like abortion and the death penalty, but I at least think they have some facts on their side; but I don't know of any facts supporting people who think that pornography is dangerous. Why is a woman's nipple harmful but a man's nipple isn't? How are the majority of high school students who have already had sex anyway, supposed to be harmed by pictures of other people having sex? And apart from the logical paradoxes, the pervasiveness of the Internet has now given us empirical data too: virtually all minors have now have access to anything they want to get on the Internet (either at home, or by sneaking to a friend's house), and where's the evidence that adolescents' brains have been hormonally turned to mush any more than they always have been?

But for the remainder of the discussion, suppose you're addressing people who believe that nudity and sexual material really are harmful to people under 18. (In any case, the judges probably believe it, and even if they don't, they're bound by legal precedents that assume as much.) The question is how accurately blocking software achieves this goal.

Blocking software has two types of error rates: underblocking (failure to block porn sites) and overblocking (blocking of non-pornographic sites). Underblocking errors are usually expressed one way: the percentage of porn sites in a given sample that are not blocked. But overblocking errors can be stated in two ways: the percentage of non-porn sites that are blocked, or the percentage of blocked sites that are not pornographic. (There are borderline cases like nude art sites, but it turns out they're not common enough to affect the margin of error much; the vast majority of sites are either clearly porn or clearly not.)

The key is that if you want the overblocking rate to sound low, you talk about the percentage of non-porn sites that are blocked. If you want it to sound high, you talk about the percentage of blocked sites that are non-porn.

For example, in the 2003 Supreme Court arguments over CIPA, Department of Justice attorney Theodore Olson downplayed the error rates of blocking software by saying:

"But even if it's tens of thousands of the -- of the 2 billion pages of material that is on the Internet, we're talking about one two-hundredths of 1 percent, even if it's 100,000, of materials would be blocked."

Here he's referring to the percentage of non-porn sites that are filtered. Attorney Paul Smith, arguing against the law, countered:

"And so we have -- on these lists is a proportion, a huge proportion, perhaps 25, perhaps 50 percent of the sites that are blocked that are not illegal even for children."

and:

"And the evidence is that there's about 11 million websites on the Internet, in --in the accessible part of the Internet and that 100,000 of those are the sexually explicit ones and that the --there are at least tens of thousands more that are on the list. So it's --the Government also says in their brief that about one percent of the Internet is over- blocked, which would be about 100,000 sites. So it is a substantial percentage. It is also a substantial amount. And most importantly, it's a very large percentage of what they're blocking is not what they intend to block."

-- that is, talking about the percentage of blocked sites that were non-pornographic. Both sides cited the same figure (100,000 non-pornographic sites blocked, apparently referring to an average across all blocking programs) -- but that same number could be seen as an "error rate" of either one hundredth of one percent, or 50%, depending on which formula you use.

Then in this year's COPA trial, the ACLU called CMU professor Lorrie Faith Cranor who testified that in tests that she reviewed,

"[blocking software programs] correctly blocked an average of approximately 92 percent of objectionable content. And they incorrectly blocked an average of 4 percent of content not matching the test criteria."

(Oct. 24th transcript, p. 57.) Back to talking about the percentage of non-porn sites that are blocked -- which, again, when you put it that way, sounds low. On the other hand, although I couldn't find exact numbers cited by the DOJ's lawyers on the number of sites that were incorrectly blocked, in the portions of his opening argument quoted above, Eric Beane focused on the sad fact of the sites that were blocked -- not the fact that they comprised only a tiny fraction of sites on the Web. The two sides simply swapped formulas.

As for Peacefire's own studies over the years of blocking software error rates, one of the legitimate criticisms that could be made about our efforts was that we focused almost exclusively on the second number, the percentage of blocked sites that were non-porn. If you were interested in how blocking software actually affects the surfing experience of minors who are forced to use it, perhaps you would focus more on the first number, the percentage of non-porn sites that are blocked. Perhaps, you might say, that as an organization addressing the blocking software issue specifically from a minors' rights point of view, we really should have focused on that number quite a bit! But I did get a bit preoccupied with playing "gotcha" with the blocking companies, focusing on the percentage of blocked sites that were obvious mistakes, because it was frankly too much fun publicizing the absurdly high error rates of their programs, which belied the claims made by most blocking companies that all sites on their blacklist were examined by a human at their company before being added. (Although it seems to have done some good -- as far as I know, no blocking company is making that claim about their product today.)

The error rates were indeed absurdly high; we took a sample of the first 1,000 .com domains in an alphabetical list, ran them through several programs, and found that of the sites blocked, between 20% and 80% (!) were errors. (The median error rate was about 50%, which corresponds to the figure given by Paul Smith in the CIPA trial oral arguments quoted above.) This surprised even critics of blocking software, and skeptics complained that we must have made mistakes or simply fudged the numbers. (The whole point of using the first 1,000 .com domains was that if we had used a random sample and gotten error rates like that, we could have been accused of "stacking the deck" and using a fake random sample that was loaded with known errors and not truly random.) Years later, it came out that the companies whose products we'd tested, had been following a policy that if they found an objectionable site on a given IP address, all sites on that IP would be blocked, on the theory that hosting companies often group porn sites together on the same machine. Trouble was, while this may have often been true for bona fide porn sites, it was not true for most sites that featured just an incidental shot of someone's bare breasts or a large amount of profanity -- but this would also be enough to get all sites blocked at a given IP. So the 80% error rate was about what you'd expect after all.

You might think that a product with an 80% error rate could never survive in the marketplace, but consider who was buying the software. On the one hand, you had schools and companies buying the programs -- but they didn't care whether it worked so much as they cared about being able to show, for liability reasons, that they did something. On the other hand, you had parents who really did care about keeping porn off their computer -- but how many parents really did any thorough testing of the product, other than making sure it blocks the obvious sites like Playboy.com? A serious test could take days. Their kids are the only ones who would end up doing any thorough "testing" of the product, and if they found a way around it, it's not likely that they would tell their parents. With no market pressure to fix problems, an 80% error rate wasn't really surprising.

But even the most vocal critics of blocking software only pointed out that blocking software sometimes blocked sites about plumbing, or soccer, or aluminum siding; we never claimed that most of those sites would be blocked. Even with our high numbers of wrongly blocked sites, if they had been expressed as a percentage of non-porn sites that are blocked, they would have still sounded like a "low error rate".

The moral is, always keep track of what the "error rate" refers to in these debates. By moving around a few variables in a formula, the Department of Justice was able to go from saying in 2003 that blocking software was minimally intrusive, to making a speech in 2006 that made blocking software sound so tragically limiting that you could practically hear the violins playing. (I know, people who live in glass houses... *ahem*)

And what about the ACLU? If the Department of Justice is guilty of flip-flopping, from saying in 2003 that blocking software is a reasonable and narrowly tailored solution, to saying in 2006 that it's clumsy, ineffective, and overbroad, is the ACLU guilty of flip-flopping in the opposite direction?

Actually, the ACLU's position has always been consistent: blocking software has First Amendment problems when used in a school or library, due to overblocking and underblocking errors, but if used in the home it is still a lot more effective than a law like COPA, which would score pathetically on the same scale. As ACLU attorney Chris Hansen stated in opening arguments:

"COPA does not reach the 50% of all speech that is overseas... Filters are the most effective. Almost all of the filters that [expert witness] Mr. Mewett tested were at least 95% effective. Think about the 5% ineffectiveness compared to where we start with COPA being 50% ineffective..."

(Opening arguments, p. 22. Note: Chris Hansen has confirmed that the official transcript is wrong; it has him saying "35%" instead of "95%", which wouldn't make any sense.) As for overbreadth, COPA would criminalize speech by adults, intended for adults, something that no blocking program could ever do -- and as for minimizing collateral damage to innocent sites, does anyone think that even if COPA is upheld, parents will throw out their blocking software?

Even though the ACLU focused on different statistics in the two trials, in both cases they were focusing on the numbers that were relevant to the issue. When talking about constitutional problems with blocking software in schools and libraries, the percentage of blocked sites that are incorrectly blocked, is important, because it's their First Amendment rights that are at issue. The DOJ lawyer talking about all the sites that weren't blocked, was missing the point. If your site is being blocked, it hardly matters to you that for every blocked site there are hundreds that are not. "Hey, your site is not accessible, but don't worry, your competitors' sites are!"

On the other hand, when talking about the use of blocking software in the home, the publisher's First Amendment rights are not at issue; the issues that most parents would care about, are how effective it is, and whether most clean sites are still accessible. Well of course most of them are. Blocking software is not that bad.

Confused? The option to just stop making a big deal out of porn on the Internet is looking better all the time, isn't it?