Wednesday, August 29, 2007

The myriad government surveillance databases

Keeping track of the number of spy programs administered by federal law enforcement and the executive branch can get confusing. But with the curtailment of TALON database on antiwar activists and the suspension of the ADVISE system (which sifted through private personally identifiable information without regard to federal privacy regulation), is the Pentagon shifting its priorities? Don't count on it:

The ACLU contends that the Pentagon's stated reason for the program's closure is irrelevant. "People are cautiously optimistic [that] the tide is turning," says Jameel Jaffer, director of the ACLU's National Security Project. "But you have to see that TALON program in the context of the many other surveillance programs that have been introduced over the last five years. We're in a bizarre situation where, for the first time, the government is demanding more and more information about individuals and at the same time making it more difficult for them to get the information that they need in order to evaluate the government and whether it's acting within the law."

Privacy is like a hammer--"You can use it to fix something, or you can use it to give somebody a big bang on the head."

What does the average American think of surveillance? Chronicle Arts and Culture Critic Steven Winn pondered this question last week.

Electronic surveillance destroys our privacy, but few seem to mind:

And how do members of the public react to all this unsought attention? In most cases, they either take it for granted or feel reassured. To a considerable extent, whether through willing acquiescence or willful innocence, people seem surprisingly ready to accept what would have been seen, not so long ago, as alarming invasions of privacy. Indeed, in an age that empowers anyone with a cell phone camera and an Internet connection, we're all free to participate in this surge of information gathering and revelation. All of us can be spied on and engage in some high-visibility spying of our own.

The New York Times News Blog poses the same question to its readers.

But what of corporate surveillance?

A number of privacy experts believe that the real concerns lie less in the public sphere than they do in the largely unregulated environs of commerce.

"It's a simple fact that private companies can collect information about people in ways the government can't," Robert O'Harrow Jr. wrote in his 2005 book "No Place to Hide." "At the same time, they can't be held accountable for their behavior or their mistakes the way government agencies can."

How do people reclaim their privacy?

What's strikingly distinct about privacy in the digital age is not only the thoroughness with which it can be penetrated, but the ease of sharing that information widely. In an odd but somehow perversely logical reaction, self-revelatory tools like YouTube and MySpace have flourished. It's as if people were seizing control of their own privacy and serving it up to the public before anyone can seize it away from them. Gandy labels the trend "counter-exhibitionism, since there's no privacy left."

Friday, August 24, 2007

"Surveillance is the new democracy"

Author Naomi Klein explains how the videoing of protesters at the Security and Prosperity Partnership (SPP) summit has dire implications for democracy hamstrung by "the security state as infotainment":

If videotaping activists meets the legal requirement that dissenting citizens have the right to be seen and heard, what else might fit the bill? How about all the other security cameras that patrolled the summit--the ones filming demonstrators as they got on and off buses and peacefully walked down the street? What about the cellphone calls that were intercepted, the meetings that were infiltrated, the e-mails that were read? According to the new rules set out in Montebello, all of these actions may soon be recast not as infringements on civil liberties but the opposite: proof of our leaders' commitment to direct, unmediated consultation.

In the run-up to the SPP summit, a spate of surveillance scandals helped paint a fuller picture. First, Congress not only failed to curtail the National Security Agency's warrantless wiretapping but opened the door to snooping into bank records, phone call patterns and even physical searches--all without any onus to prove the subject is a threat. Next, the Boston Globe reported on plans to link thousands of CCTV cameras on streets, subways, apartment buildings and businesses into networks capable of tracking suspects in real time. And on August 15, confirmation came that the National Geospatial-Intelligence Agency--the arm of the US military that runs spy planes and satellites over enemy territory--would be fully integrated into the infrastructure of domestic intelligence gathering and local policing, becoming what the agency calls the "eyes" to the NSA's "ears."

The Orwellian parallels--hackneyed as they are--persist.

Wednesday, August 22, 2007

CFC's RFID Fact Sheet

Now that the budget has been passed, Sen. Joe Simitian's SB 28, 29, and 362 are scheduled for their Assembly Third Reading on Monday, August 27th. 28 and 29 address issues surrounding the use of RFID in government-issued documents, and 362 bans forced subcutaneous human implanting of RFID. Sen. Ellen Corbett's SB 388 (also scheduled for a third reading Monday) would require companies to inform customers of tags embedded in credit cards, or other products.

Read the CFC's fact sheet on RFID.

Consumers should always be skeptical of “the sky is falling” claims from industry or government - particularly when their profits and power stand to expand. The solutions authored by Senator’s Simitian and Corbett are reasonable and restrained approaches that balance the beneficial uses of the technology with the need for common sense privacy protections.

DOD pulls plug on Talon database

A step towards curbing surveillance by the executive branch:

The Threat and Local Observation Notice (Talon) database had become a lightning rod for criticism of military intelligence agencies’ monitoring of antiwar protestors. The decision to shut it down resonated with parallel litigation and debate about the legality of federal monitoring of international telecommunications.

...“It was high time for this [Talon] program to be shut down,” said Anthony Romero, executive director of the ACLU, in a press statement. “There should have been no place in a free, democratic society for the military to be accumulating secret data on peaceful demonstrators exercising their First Amendment rights.”

Tuesday, August 21, 2007

"State secrets"

via CNet news:

President Bush and Attorney General Alberto Gonzales have expanded [the "state secrets" privilege] to throw out a lawsuit (PDF) saying that AT&T illegally opened its network to the National Security Agency. Their arguments rest on the principle that even if the president is breaking the law, he can get away with it as long as he invokes national security. Courts would be demoted to a clerical role of noting that the "state secrets" privilege has been invoked and dismissing the case post-haste.

Monday, August 20, 2007

San Diego Union-Tribune piece on RFID

Security chips in cards carry risks, critics say:

“RFID has a million good uses. Tracking cattle, tracking soup is fine,” Simitian said. “When you want to track California citizens, that's where it goes wrong.”

...Simitian calls his goals for tighter security “common sense.”

“Why do we have locks on our doors? Because we have something of value inside,” he said.

An interesting perspective on RFID

Consumers Against Supermarket Privacy Invasion and Numbering Executive Director Katherine Albrecht discusses RFID.

Albrecht is a consumer advocate and author of The Spychips Threat: Why Christians Should Resist RFID and Electronic Surveillance. She takes an unconventional approach in speaking out against RFID: she says it's her duty to sound the alarm for fellow millenarian Christians who see similarities between subcutaneous implanting of spychips and "the mark" described in the Bible's Book of Revelation. For Albrecht, the proliferation of RFID symbolizes not only the slippery slope into totalitarianism, but the impending Apocalypse:

Albrecht sees little joy in what she predicts for RFID, however. "I hope I am wrong," she said, before leaving for an interview with ABC. "I'll take no pleasure in being proven right in a few years."

Senator Joe Simitian's bill to ban forced subcutaneous implanting of RFID in humans is scheduled for a Senate third reading today, and is expected to be signed by the governor.

Thursday, August 16, 2007

Pretexting victims sue HP

From the LA Times:

A group of reporters and their family members whose private telephone records were secretly obtained as part of Hewlett-Packard Co.'s boardroom surveillance scheme sued the technology giant and two former executives Wednesday.

This lawsuit is the latest development in the HP boardroom scandal that erupted last year, sparking public debate and launching a Congressional investigation on the fraudulent gathering of private phone records and personal infromation know as pretexting.

Wednesday, August 15, 2007

Creative data security technique

via The Consumerist: How To De-RFID Your Credit Card

Facebook users easy targets for identity theft

via MacWorld:

Facebook users were all too willing to disclose the names of spouses and partners, with some even sending complete resumes. One facebook user divulging his other’s maiden name—the old standard used by many financial and other Web sites to get access to account information.

Most people wouldn’t give this kind of information out to people on the street but their guard sometimes seems to drop in the context of a friend request on the Facebook site, O’Brien says.

Here again, consumer education is a vital preventative measure. But so is corporate responsibility and stiffer penalties for identity thieves

Placing the burden on consumers

More and more it seems the onus is being placed on consumers to protect themselves from fraud, with less emphasis on requiring financial institutions and businesses to act as the first line of defense:

Consumer savvy can help prevent identity theft

Online security: best defense is your head

Our digital lifestyles are giving Internet pickpockets new opportunities for online shakedowns.

So consumers and regulators are increasingly demanding more protection from Internet companies. Last week, the advocacy group Center for Democracy and Technology issued a report that said Internet companies are responding by offering more online security and policies, such as erasing search histories.

Security experts, however, say some of the most important protections aren't found online but in the heads of Internet users. All too often online consumers drop their guard, exposing themselves to fraud, spyware and other malicious attacks.

While vigilance is key, it's not a cureall for the often sophisticated strategies of identity theives. That's where legal safeguards come into play.

Tuesday, August 14, 2007

Good privacy practices foster competitive advantage?

A Carnegie Mellon University study entitled “The Effect of Online Privacy Information on Purchasing Behavior” gave some interesting insights on how privacy protections impact consumer decision making in shopping online. Robert Gellman of DMNews provides his analysis:

Participants who received privacy information were more likely to buy from sites offering medium or high levels of privacy. Those who did not see privacy information generally made purchases from the lowest-priced vendor. The suggestion is that people will pay a premium for privacy when privacy information is more accessible. Perhaps surprisingly, the effect was pretty much the same for the non-privacy sensitive purchase as for the privacy sensitive purchase.

In the real world, merchants with good and prominently displayed privacy policies compete against others who either do not have good privacy policies or do not promote their policies. Ordinarily, consumers have little control over the privacy practices of those collecting information, but consumers do control who they do business with. The study does not offer direct conclusions about how consumers react in an environment that includes good, bad and no privacy information.

As much as I would like to say that it is good for business to have and display a pro-consumer privacy policy, I don’t think that conclusion necessarily follows directly from the study, although the study supports the notion. Still, the prospect of higher prices for products sold in a pro-privacy online environment should be intriguing enough to attract the attention of any company selling on the Internet. Better consumer privacy protection and higher prices could be a stunning combination. Maybe it’s time to stop fighting privacy and raise your prices.

Safeguarding consumers' private personal information is, however, fairly low cost--perhaps paying a premium wouldn't even be necessary. Protecting privacy is good for consumers and good for business. If only it were practiced voluntarily.

Monday, August 13, 2007

Consumer columnist's brush with identity theft

The CFC's 2004 Journalist of the Year, David Lazarus, discusses his personal experience being a victim of identity theft in his inaugural column at the LA Times:

Like most victims of ID theft, I couldn't get anyone in law enforcement interested in my case. Only about 1% of cases reportedly result in convictions. So I went after Davis myself.

Long story short, I compiled an extensive file of Davis' doings and whereabouts and then shared the info with a sympathetic investigator working for the U.S. Postal Service. This resulted in Davis' arrest and eventual conviction in 2003 for Social Security fraud.

Because he was in the country illegally, Davis was subsequently deported to his native Jamaica, where, in my more resentful moments, I imagine him kicking it on the beach and smirking about not having to serve a single day in prison for leaving my credit record in tatters.

And that, I hoped, was the end of it. But no. Last week, I was informed that my efforts to buy a home here in Los Angeles were on the verge of collapsing because the claims against Davis filed by the casinos are still on file somewhere. The mortgage company thus saw me as a bad bet.

...After days of frantic negotiations, all the legwork I did on my ID theft finally convinced the top execs of the mortgage company that maybe I'm not quite the credit risk that Davis' casino trespasses would indicate. The loan was approved.

But how is it that, years after Davis was convicted for stealing my identity, he's still screwing up my life? Foley, of the Identity Theft Resource Center, said this wasn't unusual."You think you get everything solved," she said, "and then it's like a ghost that reappears."

"A chip on my shoulder"

An editorial from the SF Chronicle:

This isn't about "demonizing" a technology. It's about using it judiciously. The microchip in your arm -- unlike the toll transmitter on your windshield or the credit card in your wallet -- can't be put away in a vault or tossed out easily. It's there, radiating your identity and perhaps much more, for 10-15 years unless you have it removed at great pain and expense -- assuming your government or employer allows you to do so.

Thursday, August 9, 2007

A progressive examination of the link between immigration and identity theft

While some question whether new social security number verification requirements for employers will deter immigration and halt related cases of identity theft, it's interesting to look at an alternative legal perspective:

Undocumented people will have less motivation to use others' social security numbers if government, financial institutions, and other entities will accept tax identification numbers to identify people (so long as tax identification numbers are freely and unconditionally made available to all by the Internal Revenue Service) for paying taxes, opening bank accounts, obtaining credit, obtaining drivers' licenses, and earning payroll funds, rather than using social security numbers for identity. Unfortunately, every year, social security numbers have been used more often as de facto national identification cards.

Consequently, people sometimes come to us having been criminally charged with using false social security numbers and with related problems. Unfortunately, a conviction for using a false social security number or for purloining others' identity can lead to
negative consequences with the immigration authorities.

Changing the way social security numbers are used would seem to be a positive move not only because it raises the possibility of incorporating undocumented workers into the economic system through a degree of legal recognition, but for reducing instances of identity theft and guarding the confidentiality of social security numbers and privacy in general.

What's driving search engine privacy changes?

via Wired:

The top five U.S. search engines have all recently modified their data retention policies to be more user friendly, due to lawsuits over disclosures, pressure from government regulators and a desire to be perceived by net searchers as less evil than the others, the Center for Democracy and Technology's Deputy Director Ari Schwartz told THREAT LEVEL today regarding the group's release of a report on the changes.

According to the report:

No amount of self-regulation in the search privacy space can replace the need for a comprehensive federal privacy law to protect consumers from bad actors. With consumers sharing more data than ever before online, the time has come to harmonize our nation's privacy laws into a simple, flexible framework.

Wired notes that "CDT distinguishes itself from most privacy groups by working closely with tech companies and with legislators," drawing criticism from fellow advocates at the Center for Digital Democracy. Executive Director Jeffrey Chester called for full disclosure on corporate ties and said the report gave competition undue credit for privacy improvements, failing to sufficiently emphasize the impact of advocates' policy-related pressure. This critique aside, CDD and CDT essentially agree that consumer privacy is not an issue to be determined by market forces alone:

...It is necessary to recognize just how much slack the online advertising and marketing industry has been given with our personal information. The main point is that consumers are at risk; updated federal consumer protection policies are essential to an environment that increasingly uses personal data as its commodity.

Tuesday, August 7, 2007

Real ID implementation stalled

A lack of federal funding for Real ID leaves states in the lurch:

Recent developments suggest that deployment of the controversial Real ID national identification program still faces significant obstacles related to its $11 billion cost and its privacy and security risks.

...Congress included no mandatory protections for privacy in the Real ID Act, said Leslie Harris, executive director of the Center for Democracy and Technology, a nonprofit advocacy group. As currently conceived, the system does not respect basic privacy principles because it collects too much data, is susceptible to mission creep and has too much centralized information, she said.

“The Real ID Act fails every single privacy principle,” Harris said. “I support hardening driver’s licenses, but we have to do it right. Privacy cannot be an add-on after the fact.”

Despite the fact that legislatures in 17 states have taken action opposing the act, Governor Schwarzenegger has sounded indifferent, reluctant to recognize it as an issue for state government. CA is often on the frontline of privacy battles, serving as the bellwether for the rest of the country. Are state officials sitting this one out?

"We're certainly not the rabble-rousers out there trying to lead a rebellion," said Denise Blair, the assistant deputy director of the California Department of Motor Vehicles, referring to Maine's efforts.

Blair, who favors the Real ID Act, did say, however, that it will cause some administrative headaches for California when more than 3 million more people a year are visiting local motor vehicle offices.

Meanwhile, Washington could soon be the first state to release a hybrid ID that combines Real ID and Homeland Security border crossing card requirements. Adding to the controversy surrounding Real ID's privacy loopholes, this card would be the "first driver's license in the country with an embedded RFID chip readable at 20 feet."
Privacy risks might be heightened in Washington because the card design includes an RFID tag to conform with other border-crossing cards such as DHS’ anticipated People Access Security Service card. The PASS card will use a Generation 2 RFID tag that can be read at 20 feet. The PASS card and the hybrid
ID card in Washington are among the first human-identification programs in the world to use such long-distance RFID technology.

The technology is controversial because it was created for warehouse tracking of goods for sale. This type of RFID tag contains no encryption and can be scanned easily by readers at long distances, thus raising privacy and human-tracking concerns.

Google maps expand to Southern CA

"Redrawing the realm of privacy" :

"It is a visual reminder of how our private spaces are really shrinking," said Pam Dixon, executive director of the World Privacy Forum, a San Diego advocacy group. "We've never had the expectation of privacy in public places, but it's the technology that causes us to reexamine this. Computers have very long memories."


"They should build in privacy protection mechanisms as a matter of course," said Beth Givens, director of the Privacy Rights Clearinghouse in San Diego. "I don't see them proactively addressing the privacy implications of their various products, and they need to."

If Google doesn't have the tools now, advocates say, it could in short order, because software companies are working on far more complex technology for recognizing specific faces.

"The Street View issue is part of a broad trend where more and more information is taken from the public," [Kevin Bankston of the Electronic Frontier Foundation] said. "We expect some degree of anonymity in our lives. How does one maintain a free society when all of your activity is scrutinized?"

Some privacy advocates also suggested that Google post notices saying which streets or neighborhoods it planned to target on a given day so that people averse to being photographed could steer clear.

Some interesting insights from readers of the tech savvy blog BoingBoing:

Marcus says,

Google is socialising the cost of privacy protection by choosing an opt-out approach rather than opt-in or an expensive internal review of the collected data. On the other hand, it is privatizing the public data and any profit derived from that. It is thus no less evil than other corporations, and considerably more evil than the NSA or CIA, who at least in principle can be held accountable as public institutions.

Ripley says,

All the discussion on what our privacy rights are in law is interesting, but people should recognize that what's going on here is beyond law, and reveals gaping holes in law.

Folks seem to grasp that pretty readily when it's copyright law, but it's just as true for privacy.

In the same way that law doesn't adequately capture what's important about the AACS code, law doesn't really help us understand what's problematic about google allowing us to watch each other remotely.

Law here has been partly shaped by what was physically possible - we didn't need to have laws about being watched and recorded remotely by people we can't see who may be doing it for fun or profit…or for the government.

…So falling back on what our "rights" are under law is just not going to get us very far.

Also, it's important to ask ask "what if the CIA were doing it" especially because there is nothing stopping them from using the service now, and of course they will. So might health insurance agencies, your boss, stalkers you know, stalkers you don't know, parents of people you are dating, etc etc etc. Alongside all the people/groups who might be unsympathetic to you and take images of you out of context for their own purposes, we should also be concerned about the lack of belief that we have any rights not specifically defined by law.

Monday, August 6, 2007

Defending privacy on multiple fronts

An LA Times op-ed asks whether "Internet shaming turn Average Joes into Big Brother":

When we talk of privacy in the Internet age, we mostly speak of financial information and the mounds of data that search engines keep on our e-behavior. But more and more, digital media and the relative anonymity of the Web enable netizens to expose, call out and shame others in cyberspace.

...It's not so much a centralized authority we fear but our fellow citizens, who now have the capacity to grab little pieces of our lives, pass judgment on them and project them across the globe.

Internet shaming may be one thing, but with a weekend ruling effectively legalizing and expanding the Bush administration's wiretapping program, there are still ample legitimate reasons to be concerned about privacy violations committed by centralized authority:

For the past several months, the White House has been aggressively pressuring Congress to expand the administration's spying powers and update the Foreign Intelligence Surveillance Act (FISA). On Friday, President Bush bemoaned that Congress had not "drafted a bill I can sign." "We've worked hard and in good faith with the Democrats to find a solution, but we are not going to put our national security at risk," said Bush. The House surrendered and voted 227 to 183 on Saturday to endorse the administration-backed legislation, which expands the powers of Attorney General Alberto Gonzales. Bush hailed the bill, which he signed into law yesterday, because it would give the Director of National Intelligence Mike McConnell "the most immediate tools he needs to defeat the intentions of our enemies." But in reality, the White House had rejected a narrower compromise bill endorsed by both McConnell and the congressional leadership. As the New York Times noted, this episode was another attempt by the President to "stampede Congress into a completely unnecessary expansion of his power to spy on Americans."