Monday, July 30, 2007

Youth and identity theft

California Assemblymember Mary Hayashi recently held an identity theft workshop in Pleasanton following a credit card scam at two grocery stores in her district.

[Joanne McNabb, chief of the California Office of Privacy Protection] touched on the different things thieves use identities for, some of which included using existing bank account funds, opening new bank accounts, obtaining medical services, employment and even trading the information for narcotics. She said the most common age group affected by ID theft is young adults aged 18-24. Last year 8.4 million adults, including 1 million Californians, had their identities stolen at an average cost of $531 per victim.

Some of the prevention techniques include: never giving out personal information unless you initiate contact, shredding all bills, bank statements, catalog covers, pre-approved credit card offers and checking your credit report regularly. Everyone is entitled to one free credit report from each of the three credit bureaus each year.

It's striking how young the majority of identity theft victims are. Expert Todd Davis explains this phenomenon:

Young people have a lot of earning potential, so they can be issued more credit because they have more time to pay it back...They are not as aware of their credit and credit reports and the thieves know that. And they are using social networking sites, where they aren't as cautious about sharing personal information.

As the NY Times explains, you're never too young to have your identity stolen.

Eavesdropping vs. data mining

via the Washington Post:

A fierce dispute within the Bush administration in early 2004 over a National Security Agency warrantless surveillance program was related to concerns about the NSA's searches of huge computer databases, the New York Times reported today.

Wired blogger Ryan Singel breaks it down:

All the clues and prior reporting point to a widespread data mining program that seems to have involved:

  • real-time computer analysis of the content of phone and internet traffic massive data-mining of the domestic and overseas phone records of nearly every American
  • NSA operators listening in, without warrants, to purely domestic phone calls, using the data-mining and computer sifting to figure out which calls seem suspicious
  • a continual stream of mostly useless leads being fed to FBI counter-terrorism agents

How does this factor into allegations that Attorney General Alberto Gonzales committed the impeachable offense of perjury in his testimony on the surveillance program?

A former administration official says that while the 2004 dispute over the NSA program focused on data-mining, not eavesdropping, the distinction is not sufficient to justify Gonzales’ statements to the Senate Judiciary Committee.

Rep. Jay Inslee (D-WA) will introduce a resolution calling on the Judiciary Committee to begin impeachment proceedings tomorrow.

Friday, July 27, 2007

What identity theft?

From InfoWorld:

The GAO reports that identity theft really isn’t a problem. The problem, apparently, is that the process of notifying consumers whenever their personal financial information has been compromised is confusing us simple-minded folks.

Yes, I’ve got that right. It’s not a comedic headline from The Onion.

...Although the report grants that notifying affected consumers has some value, it often seems more concerned about shielding the vendor than protecting the consumer:

"At the same time, breach notification requirements have associated costs, such as expenses to develop incident response plans and identify and notify affected individuals. Further, an expansive requirement could result in notification of breaches that present little or no risk, perhaps leading consumers to disregard notices altogether."

As one commenter notes:

The problem is less with identity theft itself but with the fact that the steps a victim has to go through to correct the problem are flawed. You are guilty until proven innocent with the credit agencies. Even with law enforcement, if your identity is stolen and used for illegal purposes you can be tossed in jail.

One victim testified to that effect during Assemblymember Dave Jones' July 17th hearing on the Top Ten Consumer Complaints. The man described the harrowing experience of being jailed for a theft committed by someone who had used his stolen license as identification. Despite his innocence, he was forced to spend thousands to clear his name.

Identity theft has ranked at number one on the Federal Trade Commission's list of filed complaints for seven years straight.

Telecommunications Privacy Report Card

The Consumer Federation of California Education Foundation (CFCEF) just released an in-depth study of the privacy practices of major telecommunications corporations operating in California.

Of the 18 companies evaluated, 28% received failing grades, 6% received a “D”, and the rest were evenly split between “A’s”, “B’s”, and “C’s” at 22% each.

Our survey shows that many phone companies take the low road, providing only the privacy protection required by law. Phone companies should never share consumer phone calling records without the explicit permission of the customer. However, those companies receiving grades of “A” or above demonstrate that that respecting consumer privacy is not at odds with running a profitable business.

We hope that this report makes valuable information available to California consumers, and advances public policy in support of increasing consumer control over the dissemination of private information.

Monday, July 23, 2007

News and Opinion Wrap-up

Lawyers Say They Have Evidence of Warrantless Surveillance

Earlier this month, the 6th Circuit Court of Appeals in Ohio dismissed a challenge to the so-called Terrorist Surveillance Program because the plaintiffs, a group of lawyers, professors and journalists, could not show they had actually been put under government surveillance.

...But, in one case in Oregon, lawyers say they have actual proof that the government listened in on their clients' phone calls without a warrant, providing a chance to have the courts decide whether the surveillance program is unconstitutional.

Microchips implanted in humans: High-tech helpers, or Big Brother surveillance tools?

...the news that Americans had, for the first time, been injected with electronic identifiers to perform their jobs fired up a debate over the proliferation of ever-more-precise tracking technologies and their ability to erode privacy in the digital age.

Chipping, [critics say], might start with Alzheimer's patients or Army Rangers, but would eventually be suggested for convicts, then parolees, then sex offenders, then illegal aliens — until one day, a majority of Americans, falling into one category or another, would find themselves electronically tagged.

Consumer lists are not so innocent if you can't opt-out

While most consumers probably understand that mailing and similar lists exist, many may be surprised by the type of information available. Want a list of Jewish donors broken down by age and the presence of children? Check the Web. One broker offers lists of the members of more than 40 ethnic groups. Or maybe you would like one of the dozens of lists of users of particular medications. Lists can be broken down by income, geography, marital status, age, and gender.

The sale of such lists raises several issues. One issue is simply privacy. To be sure, some list creators offer consumers an opportunity to opt out of the sale of information about them. But federal law imposes no obligation to offer an opt-out, and even compilers who offer an opt-out may not explain that the failure to opt out may land consumers on a list organized by ethnicity or other private information. Of course, list sellers have little incentive to tell consumers things that may cause them to opt out because lengthier lists are more valuable.

...Rather than enacting comprehensive privacy regulation, the US has proceeded ad hoc, passing legislation in response to particular privacy invasions. For example, Congress answered last year's Hewlett-Packard pretexting scandal by enacting a pretexting statute. As a result, privacy laws are a jumble of irreconcilable rules.

Say Goodbye to that Quaint Notion, Privacy
...part of the issue with sites such as Facebook is the blurring of our public and private personas. There have been reports of prospective employers browsing Facebook sites as part of a background check, and recently Oxford University revealed it had searched the site to collect photographs of students breaking campus rules and issue fines.

...This year, it was revealed a search in Facebook could yield specific, private details about people. A search for women who were politically conservative, Muslim and gay, for instance, would reveal the names and pictures of most such users. The feature was changed by Facebook once the problem became public.

...Facebook's privacy history should leave users concerned. In a interim report by Privacy International this year entitled A Race to the Bottom: Privacy Ranking of Internet Service Companies, the organisation nominated Facebook as a "substantial threat" and gave it its second lowest rating, saying the site did not maintain "strong security mechanisms".

Friday, July 20, 2007

Debunking the "nothing to hide" argument for surveillance

With iPhone frenzy in full effect and the spotlight once again on AT&T, the device's exclusive service provider, it bears remembering the circumstances under which the company last faced serious scrutiny--then for its cooperation with unconstitutional government surveillance.

In the wake of revelations that the National Security Agency was conducting warrantless domestic spying on American citizens, proponents of the program echoed a ubiquitous refrain in its defense. It's a soundbyte-ready response we've heard all too often--"why should I worry, I've got nothing to hide."

Despite this nonchalant dismissal of government surveillance, opponents contend that there should be a great deal of concern. They're disturbed by the disregard for encroachments on civil liberties in the name of an often superficial sense of security. It's an undemocratic tendency that's anathema to the Founders' vision.

Daniel Solove, associate professor of law at George Washington University Law School, has argued alongside privacy advocates against abuses of executive power in the name of national security. In his latest essay featured in the San Diego Law Review, Solove deconstructs the simplistic "nothing to hide" argument in favor of surveillance, exposing its premise as based on false assumptions and a narrow meaning of privacy.

According to Solove, those who employ the "nothing to hide" defense devalue privacy by denying that any problem exists. They believe government surveillance does not constitute a threat to privacy "unless the government uncovers unlawful activity, in which case a person has no legitimate justification to claim that it remain private." Solove explains that this flawed notion, along with gaps in legal protections, are rooted in a narrow conceptualization of what constitutes privacy violations--"a web of related problems that are not connected by a common element, but nevertheless bear some resemblances to each other." He seeks to remedy these issues by laying out a taxonomy containing the plurality of concerns that fall under the rubric of "privacy."

One of the "nothing to hide" argument's fundamental flaws "is with its underlying assumption that privacy is about hiding bad things." Solove points out that this limited understanding neglects the problems associated with data collection, particularly the lack of oversight and accountability on secondary use of personal information and aggregation of data to glean more sensitive information. Data is also used to profile people and project future actions, and "having nothing to hide will not always dispel predictions of future activity," nor will it prevent assumptions based on prejudice or stereotypes. Though one may think he or she has no need to fear surveillance, there are unforeseen circumstances in which even the least sensitive forms of information could be used against people.

Moreover, surveillance creates a chilling effect on free speech, harming not just the individual, but society as a whole by "[reducing] the range of viewpoints being expressed and the degree of freedom with which to engage in political activity." Though the chilling effect itself is difficult to measure, investigations by the ACLU and others have revealed how surveillance powers have been manipulated to target dissenters.

Privacy threats may not play well in a public discourse strangled by sensationalism. Similar to the way global warming has been portrayed in the past, the detrimental cost of ignoring challenges is cast as not as visceral or immediate as some seemingly more tangible matters, and there are countless interests who have a stake in preventing the public from reaching a critical mass of political will. But Solove convincingly makes the point that despite difficulties in pinning down the essence of privacy, protecting personal information from government and corporate invasion still has great social value, even if people put down their guard, mistakenly believing they have "no reason to hide."

Monday, July 16, 2007

RFID and the free market

via RFID Update, the "RFID Industry Daily":

PRI, a California-based think tank with an openly free-market bent, this week released a primer on RFID, privacy, and government efforts at legislation of the technology. Entitled Playing Tag: An RFID Primer, the 11-page report is a worthwhile and concise wrap-up of the issues surrounding privacy and RFID...Not that the report is entirely neutral; consistent with PRI's political leanings, Playing Tag argues firmly against regulation of the technology. "Lawmakers should weigh the pros and cons of this technology, before imposing a regulatory regime that would inhibit the positive benefits of RFID," quoted report author K. Lloyd Billingsley.

RFID Update echoes the common industry refrain that opponents of RFID are fueled by hostility to big business and government, and reflexively driven by an irrational fear and misunderstanding of new technology. However currently pending RFID regulations do not call for instituting an outright ban on the use of RFID, as frantic industry backers contend. The proposals instead require public notification and consent, and recommend a temporary moratorium to allow for further study of the impact of these devices on individuals' rights to privacy and security--values not represented nor protected by market forces. New laws take the necessary precautions and preventive measures to ensure the safety of personally identifiable information.

PRI attempts to refute some of the very real objections to the use of RFID:

Opponents of RFID worry that the police and other government agencies could install RFID scanners in public places and track people through their purchases. Items resold or given as gifts could identify an individual’s social network. RFID tags could be matched with a credit or ATM card for additional data collection. Libraries could use RFID for patron profiling in the post-9/11 world.

Journalist Declan McCullagh raises the possibility of “nightmare legal scenarios that don’t involve the cops.” One party in a divorce case, for example, could seek a subpoena for RFID logs to prove that the spouse was in a certain location at a certain time. McCullagh is not an alarmist, and he values the advantages RFID provides to retailers and consumers. Even these advantages, though, provoke objections.

Shoppers may be unaware that they have purchased products bearing the tags, which could be scanned without their knowledge, permitting retailers to contrive
sales pitches based on the contents of a shopping cart or the items customers are wearing. Store managers could use RFID to monitor the movements of shoppers
within the store and change store layout and product placement accordingly.

The prospect of currency with RFID tags could mean that even those who avoid paying by credit card would not be immune from profiling. Those scanning the tags need not be limited to government snoops, police profilers, or eager retailers. The world of high technology has handed thieves new opportunities. They could scan houses, shopping bags, wallets, and purses—even the trash—to determine the value of an owner’s belongings or the amount of money he is carrying.

According to PRI, these very valid objections are all premised on misinformed assumptions of what even "smart" technology is capable of doing. However given the rapid innovation of the information age, it would be even more naive to think that industry isn't developing technological advancements that could make heightened tracking capabilities more readily available for commercial, surveillance, and illegal purposes. Thus it's the duty of elected officials to defend the public interest and guarantee the safety of this technology before it becomes ubiquitous.

Wednesday, July 11, 2007

NY slated to implement its own "Ring of Steel"

The Lower Manhattan Security Initiative, as the plan is called, will resemble London’s so-called Ring of Steel, an extensive web of cameras and roadblocks designed to detect, track and deter terrorists. British officials said images captured by the cameras helped track suspects after the London subway bombings in 2005 and the car bomb plots last month.

However studies have shown that CCTV cameras do not deter crime, and are not as effective as officers. What's more, profiling is all too common with the use of cameras. According to a study cited in EPIC testimony against proposed video surveillance plans by the DC Metropolitan Police Department,

The gaze of the cameras do not fall equally on all users of the street but on those who are stereotypical predefined as potentially deviant, or through appearance and demeanor are singled out by operators as unrespectable. In this way youth, particularly those already socially and economically marginal, may be subject to even greater levels of authoritative intervention and official stigmatization, and rather than contributing to social justice through the reduction of victimization, CCTV will merely become a tool of injustice through the amplification of differential and discriminatory policing.

Paul J. Browne, chief spokesmen for the NY police, argued that cameras would be recording in “areas where there’s no expectation of privacy,” assuring that “it would be used to intercept a threat coming our way, but not to collect data indiscriminately on individuals.” But Christopher Dunn, a lawyer with the New York Civil Liberties Union expressed concerns with how images might be used once archived, and whether access to them would be effectively limited.

“This program marks a whole new level of police monitoring of New Yorkers and is being done without any public input, outside oversight, or privacy protections for the hundreds of thousands of people who will end up in N.Y.P.D. computers"

Privacy concerns raised over FBI programs

from Democracy Now!

Privacy experts are raising alarm bells about a new FBI program that would pay private companies to hold millions of phone and Internet records the FBI is barred from keeping itself. Companies would be responsible for at least two years of network calling records. The program would allow the FBI to skirt laws banning the collection of data not directly connected to a criminal investigation or intelligence matter. The proposed companies involved are Verizon, MCI and AT&T.

This news comes as we learn that Attorney General Alberto Gonzales knew at the time he was testifying in favor of renewing the Patriot Act that the FBI had abused its powers under the Act to obtain personal information in violation of alleged suspects' civil liberties.

Marcia Hofmann, a lawyer for the nonpartisan Electronic Frontier Foundation, said, "I think these documents raise some very serious questions about how much the attorney general knew about the FBI's misuse of surveillance powers and when he knew it." A lawsuit by Hofmann's group seeking internal FBI documents about NSLs prompted the release of the reports.

Caroline Fredrickson, a lobbyist for the American Civil Liberties Union, said the new documents raise questions about whether Gonzales misled Congress at a moment when lawmakers were poised to renew the Patriot Act and keenly sought assurances that there were no abuses. "It was extremely important," she said of Gonzales's 2005 testimony. "The attorney general said there are no problems with the Patriot Act, and there was no counterevidence at the time."

The FBI is also in the process of developing a computer system to profile terrorists.

Privacy expert David Sobel, senior counsel for the nonprofit advocacy group Electronic Frontier Foundation, said the government's system depends on potentially unreliable data. "If we can't assess the accuracy of the information being fed into the system, it's very hard to assess the effectiveness of the system."

Monday, July 9, 2007

Judges OK warrantless monitoring of web use

According to a San Francisco Appeals Court ruling Friday, internet users should have "no expectation of privacy":

Federal agents do not need a search warrant to monitor a suspect's computer use and determine the e-mail addresses and Web pages the suspect is contacting, a federal appeals court ruled Friday...

The ruling "further erodes our privacy...The great political marketplace of ideas is the Internet, and the government has unbridled access to it," said defense lawyer Micheal Crowley.

This goes contrary to last month's U.S. 6th Circuit Court of Appeals ruling that e-mail messages hosted online should have the same constitutional privacy protections as telephone calls.

From an LAT Editorial:

The 6th Circuit decision is faithful to a long tradition of adapting 4th Amendment protections to new technology. The framers of that amendment may not have foreseen Alexander Graham Bell's invention of the telephone, but that didn't prevent the Supreme Court from ruling in 1967 that warrantless wiretapping violated the Constitution...

Nevertheless, this decision breaks new ground, which may be temporarily plowed over if the government succeeds in dissolving the injunction on appeal.

via ITBlogWatch, law professor Susan Crawford says:

Email messages, unlike transactions disclosed to a bank, are the kinds of things that we expect are and will remain private ... the mere involvement of an intermediary doesn't destroy this expectation of privacy ... [It's] a question that is central to law enforcement, and we can expect that this decision will be challenged in a hundred ways. We depend so much on intermediaries, and the Sixth Circuit decision stands firmly on ground the government won't like.

Unfortunately, not all Sixth Circuit decisions have been so privacy friendly. The Cincinnati based appeals court handed down an extremely disappointing ruling Friday in dismissing the ACLU's case challenging the NSA's warrantless wiretapping program--arguably not because the program was deemed legal, but rather because "plaintiffs could not state with certainty that they had been wiretapped by the National Security Agency."

ACLU Legal Director Steven R. Shapiro slammed the ruling:
As a result of today's decision, the Bush administration has been left free to violate the Foreign Intelligence Surveillance Act, which Congress adopted almost 30 years ago to prevent the executive branch from engaging in precisely this kind of unchecked surveillance. It is important to emphasize that the court today did not uphold the legality of the government's warrantless surveillance activity. Indeed, the only judge to discuss the merits clearly and unequivocally declared that the warrantless surveillance was unlawful.

Friday, July 6, 2007

Limiting Access to Social Security Numbers

Assemblymember Dave Jones' bill, AB 1168 will be considered by the Senate Committee on Judiciary next Tuesday, July 10. The bill would establish a task force to review college and universities' collection, use, storage, and retention of students' social security numbers, and submit a report of its findings and recommendations to the Office of Privacy Protection and to the Assembly and Senate Committees on Judiciary within two years. It would also require local government agencies, the Franchise Tax Board, and the Secretary of State's office to truncate SSNs to four digits before releasing them to the public record.

Assemblymember Jones explains:

Anyone scanning through records at the county recorder’s office has an appallingly high likelihood of stumbling over someone else’s name and social security number. For a criminal intent on ID theft, it’s like an open door to Fort Knox – it’s free gold.

iPhone SSN requirement

Apple and AT&T are demanding customers reveal SSNs to activate their iPhones. That should be the lead of every technology and business article written this week.

It is bad enough that the government might collect data for one (lawful) purpose and then use it for another (nefarious) purpose, but what happens when all data is keyed by a single key, such as a Social Security number (SSN), which itself was never designed for the purpose of personal identification? And what happens when that number is leaked (100 million instances and counting) or stolen (15 million instances and counting)? The opportunities for abuse, both within and outside the system become virtually limitless. (And legislation passed in 2005 has only served to accelerate both the breadth and depth of these opportunities.)


Which is why the iPhone activation mechanism is so troubling, because it compels people in the heat of the moment to do something they should never do if given a moment's thought. Now, I'm sure that it's possible to get a phone activated without giving up one's SSN. I did it with my carrier several years ago by walking the issue up to a VP's desk and posting a $1,000 bond for two years. So it can be done. But should it be so hard? And how are we going to teach our children the importance of protecting personal information when the laws of the state and mainstream corporate behavior make it virtually impossible to do so?

Holding retailers responsible for data breaches

Assemblymember Dave Jones' AB 779 faces approval by the Senate Appropriations Committee later this summer, then a vote by the full Senate before reaching the Governor's desk.

As consumer data breaches and identity theft grow in scope and quantity, consumers need to know exactly who is failing to adequately protect their personal information. For example, TJ Maxx stores parent company allowed 45.6 million credit card numbers to be stolen electronically. AB 779 would enhance consumer protection by properly identifying the entity responsible for the data breach, require better data protection by retailers and allow for reimbursement of relevant costs to credit unions and community banks stemming from the data breach.

California boasts the strongest data privacy laws in the country. The California Security Breach Information Act enacted in 2003 paved the way for AB 779's proposed regulations on retailers by mandating the same notification requirements for financial institutions doing business with state residents. The bill provided the foundation for similar financial security laws in more than half of states across the country. Minnesota lawmakers have passed a bill similar to AB 779--the Minnesota Plastic Card Security Act. Federal legislation is still pending.

Consumer Action spokesman Joe Ridout says
Putting the responsibility on retailers is appropriate when there's been a data reach because retailers simply shrug off the burden and pass the mess they've made off to consumers.

Monday, July 2, 2007

Moratorium on RFIDs in driver's licenses

Sen. Simitian's SB 28 prohibits the DMV from issuing drivers' licenses or ID cards that use radio waves capable of transmitting personal information. The bill is being considered in the Assembly Transportation Committee today.

Simitian calls the legislation a " 'look before you leap approach' that would give officials time to ensure that any technology adopted by the DMV would not violate privacy rights."

Towards a surveillance society

Yesterday Sen. Joseph Liberman (I-CT) used the botched attacks in London as an excuse to promote the expansion of domestic spying at home.

“I hope these terrorist attacks in London wake us up here in America to stop the petty partisan fighting going on about…electronic surveillance,” in apparent reference to the Senate Judiciary Committee’s subpoenas for documents related to Bush’s NSA warrantless wiretapping program.


Lieberman went further in his calls for greater domestic spying. “The Brits have got something smart going. … They have have cameras all over London. … I think it’s just common sense to do that here much more widely.”

In Britain, there is one closed circuit TV camera for every 14 people. Dr. David Murakami-Wood co-wrote a 2006 report on surveillance presented to the government information commissioner. Murakami-Wood described the erosion of privacy to BBC News:

"We really do have a society which is premised both on state secrecy and the state not giving up its supposed right to keep information under control while, at the same time, wanting to know as much as it can about us."

The report coincided with one by the human rights group Privacy International. They rated Britain as the worst-performing Western democracy in their 2006 survey of the ability of countries to protect civilians' privacy, describing it as an "endemic surveillance socity."

And yet despite the prevalence of privacy invasions rationalized by security needs, government spying played no role in foiling these attempted attacks. This fact should undermine grounds for surveillance, not justify curtailing civil liberties even further.