After a white-supremacist hacker got access to digital records of old applications for admission to Columbia College and passed them on to the New York Times, the Times reported that in 2009 Zohran Mamdani checked boxes identifying his national origin and ancestry as African-American (he is a US citizen — an American — and was born in Uganda — the country in Africa where his paternal ancestors had lived for generations) and Asian (his mother was born in India, where her ancestors had lived for generations).

Questions have since been raised by Liam Scott in the Columbia Journalism Review and others as to the use in a news story of data obtained illegally by an unnamed third party with an unmentioned political bias, and by Dan Froomkin at Presswatchers.org and others as to whether these truthful factual 2009 statements by Mr. Mamdani are newsworthy. The Times has responded to some of these questions in a follow-up article.

But we have other questions that we haven’t seen asked elsewhere. These are questions not for Mr. Mamdani or the Times but for Columbia University:

1. Why does Columbia still have this information about an unsucessful 2009 applicant for admission in its records?
2. Even if there was some reason to retain these records, why were they accessible online, with or without whatever passwords or access restrictions were circumvented by a hacker to obtain them?
3. Now that this incident has made the potential for misuse of records like this apparent, what are Columbia and other institutions and entities with similarly dangerous data doing to expunge it?

At a time when naturalized US citizens, including but not limited to Mr. Mamdani, are being threatened with denaturalization followed by detention and/or expulsion to overseas death camps,  and when pogroms are being carried out by masked armed gangs snatching people off the streets on the basis of perceptions of national origin, these are questions for anyone in charge of a database with a field for citizenship, race, or national origin.

Mr. Mamdani had good reason to apply to Columbia, even if his application may have been a long shot, since as the child of a tenured Columbia professor he would have been entitled to free tuition if admitted. But whatever purpose Columbia may have had in 2009 for asking applicants for admission to its colleges to cateogrize their national origin by continent, that purpose was completed when Mr. Mandani’s application was rejected.

The lesson of this teachable moment is that personally identified information, even information about attributes and activities that were lawful at the time and that were collected for innocent purposes, has the inherent potential for weaponization against innocent individuals — sometimes by unforseen actors in unforseen ways — as long as it is retained. It’s happened before in the US, as when census data on national origin was used to round up Japanese-Americans and send them to concentration camps, and could happen again as long as data like this is collected and retained.

Columbia may claim that it retained this data in case it might have needed it to defend agaisnt potential litigation by unsuccessful applicants. But the statute of limitations for any such litigation related to 2009 admission decisions would have passed years ago.

Columbia may claim that, having collected this data, it retained it for research purposes. But there’s been no indication that it made any attempt to even semi-anonymize this data. And would possible future research use justify retention of information that could endanger past applicants for admission?

Under Canadian or European data privacy law, retaining this data when it was no longer needed for the purposes for which it was collected would be illegal.

This data was collected for the purpose of making admissions decisions in 2009. If there was some adequate justification for retaining this data for possible future use when it was unquestionably no longer useful for that original purpose — which we doubt there was — it could have  been stored on an air-gapped device or media, such as a backup tape or disk locked in an archival vault.

But even that would pose the danger of government-compelled disclosure.

Imagine that you were the director of a business or institution in Germany in 1933. Imgaine that — at a time when it when German Jews still had all the rights of German citizens — you had compiled information about your employees’, students’, customers’, or suppliers’ “nationality” or “race” as indicated on their ID cards, including which Germans were identified as Jewish.

When the government began to redefine German Jews as not German citizens, deny them rights, and exclude them from more and more categories of employment, wouldn’t it have been your moral duty to expunge those records identifying Jews? Then you could truthfully say, if the government demanded to know which of your employees were (under Nazi laws) illegally employed non-citizens, that you had no records of who was a Jew.

The best way to avoid misuse of personal data is not to collect it. If it has been collected, and especially if it is no longer needed for the purpose for which it was collected, the best way to mitigate the risk to the individuals to whom it pertains is to expunge it.

Columbia has no excuse. Nor do other institutions in the same position. No law required Columbia to collect this information about Mr. Mamdani and an untold number of others. No law requires Columbia to retain it. Now Columbia knows, as it should have known all along, how this information can be weaponized.

Columbia and its peers in both the public and private sector should expunge these records — now, before even more damage is done to Mr. Mamdanai and millions of other naturalized US citizens and other immigrants.

In its worst decision ever on demands for ID, the Supreme Court today upheld a Texas law that requires all visitors to some websites to provide the site operator with evidence of their identity and age.

In an opinion by Justice Thomas, six Justices found that requiring ID for age verification as a condition of viewing certain websites only “incidentally” burdens the rights of adults.

The majority reasons backward from the presumed legitimacy of ID requirements in other contexts, such as buying tobacco, that (A) weren’t at issue in this case, and (B) more importantly, don’t involve the exercise of First Amendment or any other rights:

Requiring proof of age is an ordinary and appropriate means of enforcing an age-based limit on obscenity to minors. Age verification is common when laws draw age-based lines, e.g., obtaining alcohol, a firearm, or a driver’s license…. Applying the more demanding standard of strict scrutiny would call into question all age-verification requirements, even longstanding in-person requirements.

As the dissent by Justice Kagan (on behalf of herself and Justices Sotomayor and Jackson) points out, this amounts to deciding on the desired outcome, and then adapting the criteria (in this case, the level of scrutiny applied to the law) to produce that result.

In rebuttal to the dissent on this point, the majority opinion wrongly claims that in-person demands for ID are “uncontroversial” and have never been challenged in court:

Finally, the dissent claims that we engage in “backwards,” results-oriented reasoning because we are unwilling to adopt a position that would call into question the constitutionality of longstanding in-person age-verification requirements. Not so. We appeal to these requirements because they embody a constitutional judgment—made by generations of legislators and by the American people as a whole—that commands our respect. A decision “contrary to long and unchallenged practice… should be approached with great caution,” “no less than an explicit overruling” of a precedent. Payne v. Tennessee, 501 U. S. 808, 835 (1991) (Scalia, J., concurring). It would be perverse if we showed less regard for in-person age-verification requirements simply because their legitimacy is so uncontroversial that the need for a judicial decision upholding them has never arisen.

But that’s not all that’s wrong with this law and this decision upholding it.

The decision and the dissent concern themselves primarily with what level of scrutiny should apply to age-verification laws. They don’t mention the distinction between “age” and “identity”, or the impact of the law on people who don’t have ID — a crucial issue raised in a friend-of-the-court brief by the Electronic Frontier Foundation and others.

For those without government-issued ID or a sufficiently detailed profile with a commercial data broker, “age-verification” amounts to a categorical bar to access to certain Web content.

As we’ve noted previously, “Regardless of whether it would be possible to set up a system by which individuals could provide evidence of age without individually identifying themselves, that’s not how any of the schemes currently being legislated or implemented will work in practice. In order to verify their age, each Internet user will be required to provide a unique digital personal identifier…. Age verification for adult content is a stalking horse for comprehensive content-based and personalized government control of Internet access.”

The Texas law applies to any “commercial entity that knowingly and intentionally publishes or distributes material on an Internet website”, which appears to include both the publisher and the hosting provider.

There’s no way for the publisher or provider of hosting services for a website to know which visitors to the site are located in Texas. To satisfy the Texas law, web publishers and hosting providers worldwide will either have to require ID from all visitors regardless of their location, or try to identify which visitors to the site are located in Texas, and block them or selectively require them to provide ID.

Because the law applies to both publishers and “distributors” (web hosting providers), hosting providers will be not only allowed but required to pass on identifying and location-tracking information about all visitors to site publishers, with no restrictions on how publishers or hosting providers can use, disclose, or or sell this data. The law could, but doesn’t, restrict use of this data to age verification, or restrict its disclosure or sale. Nor does the law restrict the ability of these companies to share this data with governments or to keep secret from individuals how or with whom data about them has been shared.

Some companies will welcome this as a pretext for commercial surveillance they already carry out and would love an excuse to universalize. If anyone objects to publishers’ or hosting providers’ commercial exploitation of visitor identity and location information, they now have the perfect excuses: “Everybody does it” and “The government made us do it.”

Recent events have focused attention on the asymmetry of police demands for ID:

Government agents demand that ordinary citizens provide evidence of our identity, even when we are exercising rights — such as traveling by common carrier — that don’t depend on our identity. But those same government agents typically refuse to provide the same sort of evidence of their identity, even when they are asserting claims to authority that depend on their identity and status as law enforcement officers.

Masked, armed gangs dressed in the mismatched assortment of military-surplus clothing that characterizes “militias” in failed states are snatching people off the streets of US cities and towns and taking them away in unmarked vehicles, some with no license plates.

Meanwhile, elected politicians and their family members were recently assassinated in their homes by a masked individual in a police-like costume who arrived in a police-like vehicle with flashing blue lights.

The law doesn’t require us to obey the orders, or refrain from defending ourselves or others against, anyone who claims to be an officer of the law. But as the law stands, whether we submit or resist, we do so at our own peril.

Any kidnapper or home invader could, and some do, stencil “POLICE” on their body armor and  shout “Police!” before breaking down doors or dragging people away. Rent-a-cops often dress and carry gear designed to make them appear as much like police as possible. Convincing movie-prop badges are available online or in costume and fetish shops.

In these circumstances, verifying the identity and claim to authority of people who might or might not be police can be a matter of life or death. If they aren’t police, and we go along, we could lose our chance at self-defense or escape. But if they are police, they might shoot us if we try to resist, escape, or help others to do so. If we survive the initial encounter, we might be charged with assaulting an officer — a charge that often leads to beatings or worse by police and jailers, even before a defendant makes it to trial.

18 US Code § 111 makes it a Federal felony to “forcibly assault, resist, oppose, impede, intimidate, or interfere with” any Federal law enforcement officer. But what if you can’t tell if an apparent kidnapper or home invader is a Federal law enforcement officer? And what evidence of their identity and status is sufficient to establish their authority and your duty not to resist or impede them?

Read More →