Turns Out Privacy Groups are Outraged About the OPM Hack—At Me
My response to the estimable Julian Sanchez on privacy groups and the OPM hack. Why expecting privacy groups to have something to say on the subject is not just "stupid posturing."
Published by The Lawfare Institute
in Cooperation With
The other day, I wrote a little piece about the silence among our self-appointed privacy guardians at the monstrous breach of privacy perpetrated by the Chinese in the OPM hack. The piece made the (I think) modest observation that privacy groups—who have denounced NSA collection obsessively though it takes place under the rule of law and with strict restrictions—have had remarkably little to say about the mass collection of the most sensitive sorts of data, and I spectulated about the reason for that silence:
the privacy community is virtually silent. Look on the websites of the major privacy groups and you'll see almost nothing about this program. Don't look for breathless coverage of it on the The Intercept either.
The reason? This giant surveillance program isn't being run by the United States government. It's being run against the U.S. government—by the Chinese government. And for some reason, even the grossest of privacy violations—in this case the pilfering of millions of background investigations and personnel records—just doesn't seem so bad when someone other than the United States is doing it.
I didn't expect this piece to make me many friends, but I have been amused and a bit surprised by the harsh reactions from a number of privacy groups on Twitter. In particular, Harley Geiger of CDT and Chris Soghoian of the ACLU seemed to take particular umbrage---both issuing lengthy streams of tweets denouncing the piece. Neither made points that seem to me to warrant response.
In the flurry of invective, however, there was one point that seemed to me substantial and worth addressing. That was made by the Cato Institute's Julian Sanchez, somewhat crudely, on Twitter, as well as by a correspondent by email:
@benjaminwittes @HarleyGeiger Why would privacy advocates need to weigh in? It's a crime. Of course it's awful. There's no argument!
— Julian Sanchez (@normative) June 16, 2015
@benjaminwittes @HarleyGeiger Condemning a hack nobody in the U.S. policy world defends would just be stupid posturing.
— Julian Sanchez (@normative) June 16, 2015
@benjaminwittes @csoghoian This is from the same genus as "why don't you protest [shitty despotic regime that doesn't care about protests]?"
— Julian Sanchez (@normative) June 18, 2015
@benjaminwittes @csoghoian "Outrage" without a policy lever is just jerking off. Everyone agrees it's awful. What's the point of outrage?
— Julian Sanchez (@normative) June 18, 2015
Is Sanchez right here? Should we understand the silence of privacy groups on this score as just reflecting the fact that there's no controversy, that everyone agrees the conduct is terrible? Sanchez goes on to point out that most advocacy work is directed at one's own government. So maybe the privacy groups are making a tactical judgment that it's better to focus on their own government and its policies than that a foreign authoritarian sovereign over which one has no influence. In this account, the issue is not so much a double standard as a hard-headed assessment of where one's energy is best spent.
There are several reasons why I think this is not an adequate account of the behavior of the privacy groups in this instance, nd to the extent it does explain their behavior, why I think they are grossly misjudging the merits of the matter.
For one thing, human rights groups comment all the time on the behavior of governments over which they have no influence. Glance at the front page of Human Rights Watch's home page and you won't see the implausibility of the group's influencing Russian or Angolan policy inhibiting HRW from talking about what governments are doing. Yes, it's true that democracies subject to human rights suasion tend to get more of it as a result of their responsiveness. But this does not explain the near-total silence on the part of the privacy groups about Chinese behavior on this score. Tilting at authoritarian windmills is part of what human rights advocacy is.
Second and more importantly, privacy issues associated with giant international hacks are unlike other human rights issues in at least one fundamental sense. When China abuses due process or stifles free speech or tortures people, or harvests their organs, its victims are its own people. A U.S. advocacy group can reasonably take the position that, though terrible, this is not really that group's problem but a problem between the Chinese government and its people and civil society.
Conversely, if you're a privacy group devoted to protecting the privacy of Americans, the OPM hack should be unthinkable to ignore. It is, after all, a far bigger threat to the interests you are pledged to protect than is any activity by your own government. You may have an argument for leaving Chinese domestic collection to Chinese civil libertarians to restrain, but to the extent you don't speak up against the bulk collection of the health records of kids of U.S. federal employees, you are tolerating an absurd double standard in which anyone can ride roughshod over Americans' privacy except the United States government.
Recall, moreover, that the whole theory of international outrage at NSA's behavior was that global collection implicates some kind of international social contract, not just the relationship between individuals and their own governments. Remember all that talk about the international right to privacy, that idea—now embraced by the U.S. government—that U.S. collection must take into account the privacy interests of foreigners overseas? U.S. privacy groups have had no trouble invoking the ICCPR to restrain U.S. surveillance practices. Surely, surely, surely they are not more concerned about using the ICCPR to "hold the US to account for its [surveillance] abuses"—as CDT recently put it—than they are in that dcoument's restraining Chinese abuses against U.S. nationals.
To put it simply, whether you're a privacy group focused narrowly on the privacy interests of Americans or a citizen of the world who believes that espionage must be conducted in general with a solicitude for the privacy of all, the sort of collection reflected in this hack ought to be far more upsetting than NSA collection under Section 702 or Executive Order 12333.
There's really only one group of people who should be not outraged by the behavior of the Chinese here: those who, like me and General Michael Michael Hayden, take the bloodless view that this is espionage and that the shame is on us for letting it happen, not on the Chinese for doing it. I articulated this view in my original piece and I stand by it:
For the record, I have no problem with the Chinese going after this kind of data. Espionage is a rough business and the Chinese owe as little to the privacy rights of our citizens as our intelligence services do to the employees of the Chinese government. It's our government's job to protect this material, knowing it could be used to compromise, threaten, or injure its people—not the job of the People's Liberation Army to forebear collection of material that may have real utility.
But you don't get to take this view only with respect to adversary intelligence services, while insisting that your own respect some trancendentally important, and ever growing and morphing, right of international privacy. If you take this view of the OPM hack, you need to also be okay with a lot of NSA activity that has negative collateral consequences for people's privacy.