Monday, March 31, 2008

State Leads Way on RFID Privacy

Washington has now become the national leader in addressing some of the privacy concerns related to the explosion of RFID technology.

In fact, we (CFC) are actively supporting nearly identical legislation as was just signed by Washington's Governor in California - sponsored by Senator Joe Simitian (SB 31) - that would make the malicious scanning of someones identification remotely without their knowledge and consent a felony. Washington actually went a step further by also making it a felony to possess information gained from an RFID-enhanced driver's license...further protecting unsuspecting consumers from having their personal information "skimmed" or their identities stolen.

The Seattle Times Reports:

HB 2729 says personal information on identity cards may be released to law-enforcement agencies only for customs and border-protection purposes. Personally identifying information may be released to law-enforcement agencies for other purposes "only if accompanied by a court order," the law states.

Another bill signed into law, HB 1031, outlaws "skimming," making it a felony for a person to "intentionally scan another person's identification device without that person's prior knowledge and consent for the purpose of fraud, identity theft or any other illegal purpose."


"This is a technology that the consumer is clearly unaware of unless it's pointed out to them," he said. The bill was opposed by the retail and cellphone industries, Morris said. "The RFID chip will be a huge revenue stream for them as they start to move the phone into the place of the credit card."


New Hampshire is poised to go further than Washington. This month, the New Hampshire House voted to ban RFID chip implants in humans and require a notification label on any product that contains RFID chips. The New Hampshire bill bars the state from using RFID chips in driver's licenses, license plates or traffic toll transponders.

Of course, California could become surpass both New Hampshire and Washington as the nation's leader in protecting personal privacy if just a few of the host of RFID related bills making their way through the legislature are signed into law. These include: SB 28, SB 29, SB 30, SB 31, and SB 388.

Click here to read the article in its entirety.

Friday, March 28, 2008

As More Of Our Health Records Move Online, Privacy Concerns Grow

At CFC we've been part of an effort to figure out the best way to protect the privacy of patients in the approaching reality of online and electronic health records. Without getting mired in a discussion of just how much money this will really save, or how long its really going to take to implement, let's delve into the privacy implications of such a move and possible ways to ameliorate them.

We're now seeing a major move by industry giants such as Microsoft and Google coming out with products for this information storing and sharing purpose. So the question that will confront those concerned about privacy will be how to ensure they institute the proper safeguards for patients.

I usually never go to Fox news for anything, but, this article seems to at least do a decent job of broaching the topic, and does quote and source one of the most respected voices in the privacy protection community, Pam Dixon of the World Privacy Forum.

Kristen Gerencher of MarketWatch reports:

Last October, software giant Microsoft unveiled a consumer-focused online platform for personal health records called HealthVault. Internet search behemoth Google is set to follow soon with a launch of its version called Google Health. About 200 companies now offer personal health records, or PHRs, experts say.

Earlier this month, health insurer Aetna announced it's adding to its secure member Web site a sophisticated search tool that brings up multiple resources such as relevant discount programs and a list of local doctors based on search terms that members enter. The company says the changes will complement Aetna's new PHR for members as well.

These developments may be good news for consumers looking to collect, store and selectively share their health-care information in a digital format, coordinate records with their doctors or enter medical questions into an intuitive online search query.

But the elephant in the room is privacy. Consumers who enter sensitive medical information into a PHR want assurance that their data won't be exposed in a way that embarrasses them or, worse, hurts their ability to secure a job or health insurance. Despite many companies' promises and some state laws that set additional privacy standards, there are more questions than answers when it comes to protecting consumers' PHRs, legal experts say.


The potential problem: Many of the companies offering PHRs aren't covered by a federal law called the Health Insurance Portability and Accountability Act of 1996, known as HIPAA, which covers information traded between health-care providers, health insurers and clearinghouses involved in processing payments, said Kevin Lyles, a partner in the health-care practice of law firm Jones Day in Columbus, Ohio.

Outside of those entities HIPAA doesn't apply, he said. "What you're relying on as an individual is the company's promise to you that they won't do anything with your information."


To be sure, Google and Microsoft plan to allow users to control the levels of access they want various parties to have and will offer the ability to revoke that access at any time.
Still, Pritts said consumers need to read and understand two important documents: the privacy policy and the terms of use.

"You can really be surprised by what's in the terms of use if you don't read them," she said. "Hardly anybody reads these. They're dense. They're written in language that's not consumer-friendly and we're used to just hitting 'I accept' and not thinking there's anything hidden in there."


The onus is on the consumer to check and recheck because companies can reserve the right to change their policies at any time, Lyles said. "Typically if they change it it's not going to be retroactive, but if they change it are you going to know? How many companies send privacy policies every year and do you read it for changes? I doubt it."


Aetna expects to nearly double enrollment in its PHRs to 6 million members this year. So far only members have access, but eventually doctors will have access too, Bahl said. The company maintains searches on SmartSource use profile data such as ZIP code, gender, age, benefit plan and health conditions to make results more meaningful, but that they don't include personal identification.

Pam Dixon, executive director of the World Privacy Forum, a public-interest research group in San Diego, said she's concerned about how well members' identities will be protected. "If this were all being done completely anonymously, I think some of the questions would go away but this is not anonymous searching," she said. "I think the greatest potential harm comes from new diseases and things they don't have about you."

This no doubt will be a continuing debate as these systems expand and progress. From my perspective, it always makes so much more sense to take into account all the issues, particularly privacy, BEFORE we jump in head first. Certainly, we can have both an efficient health records system, and healthy protections of individual patient privacy.

Click here to read the article in its entirety.

Thursday, March 27, 2008

Lamar seeing chance to nix Real ID Act

Republican Senator Lamar Alexander is getting ready to lead an effort to repeal REAL ID! I would argure this is yet another example of why we can safely say this law is unraveling before our very eyes. Taking REAL ID on at the federal level is especially heartening, because if successful, all the states would be saved from having to go through this fight individually.

The Hill reports:

Alexander’s target is the 2005 Real ID Act, which mandated that states adopt uniform federal standards for driver’s licenses. Despite the Tennessee Republican’s concerns, he was outnumbered by party colleagues who wanted to stop terrorists from exploiting loose identification laws. This time around, Alexander has leverage. As chairman of the Senate Republican Conference, he is the third-ranking Republican in the chamber. He also has a strong ally in Senate Majority Whip Dick Durbin (D-Ill.), who, like most Democrats, disagrees with the law.


When Congress returns next week, Alexander plans to file an amendment to the fiscal 2009 homeland security appropriations bill that would halt the program until the government finds a way to reimburse states for its cost.


Alexander, however, said he is still fuming over how the law was “stuck into the conference bill that all of us wanted to support, to fund the troops.”

“I objected as strongly as I could,” Alexander said. “But there never was a hearing [in] the Senate of any kind.”

Harper, of the Cato Institute, said such a dubious beginning to the bill may mean an early end. “If you pass a bill without hearings, you’re going to miss stuff,” he said. “And the authors of Real ID missed a lot.”

Click here to read the article in its entirety.

Tuesday, March 25, 2008

California Backs Off Real ID - Montana Wins Round 1

Some good news to report on the REAL ID front! The cracks in the DHS 's National ID plan are starting to widen. First, the California DMV requested an extension while specifically not making any promises as to whether it would actually implement the Act. DHS buckled, and gave the extension anyway.

What makes this important is DHS had originally said it would only grant extensions from the Real ID rules taking effect on May 11 to states that apply by March 31 and promise to implement Real ID by 2010.

But perhaps more importantly, DHS also granted Montana a waiver it explicitly did not ask for. In fact, Montana has specifically stated it will NOT COMPLY with the Act at all. Something tells me we may be seeing the beginning of the end of this abysmal piece of legislation.

From Wired Magazine:

That meant Tuesday's letter looked like enough to join California to the small rebellion against the Real ID rules. For Californians that would mean enduring the same fate facing citizens of South Carolina, Maine, Montana and New Hampshire.

They would have needed to dig out their passport, if they had one, every time they boarded a plane, or go through an extra level of TSA screening at airport metal detectors. Los Angeles and San Francisco airports could have had security lines stretching to the Sierras.

Californians would also have been barred from buying certain medicine, entering federal court buildings or getting help at the Social Security Administration, unless they have a passport. But after Threat Level provided Homeland Security spokesman Laura Keehner with the letter, Keehner said California's commitment to thinking about commitment is good enough.


At issue are long-delayed rules that require states to collect, verify and store birth and marriage certificates for nearly all citizens who have state-issued licenses or identification cards.


DHS says that it is committed to rejecting the rebel states' driver's licenses as acceptable proof of identification come May 11. That means almost every driver's license holder will have to get certified documents and go into the DMV to get a new license -- and many will likely have to go in more than once.

Now to Montana, and Gov. Brian Schweitzer victory in his initial stand off with DHS. Every state considering opposing this Act should look to Montana now:

The federal government won't penalize Montana for refusing to comply with the REAL ID Act, state officials said Friday - and Montanans can use their driver's licenses for identification when they board commercial airplanes.“We just stood our ground,” Gov. Brian Schweitzer said. “We didn't blink, we didn't buckle, and they said OK. We gave up about nothing.”


The state therefore has an extension until Dec. 31, 2009, when the next phase of REAL ID takes effect, Baker said.Schweitzer said he had been negotiating directly with Chertoff, saying Montana driver's licenses have the security provisions that REAL ID is expected to require in the future, but doesn't require now.

“It was becoming the theater of the absurd,” the governor said. “It didn't make sense for them to penalize Montana. They've accepted where we're at and we will continue to use (our licenses) at airports.”

RFID-Hack Hits 1 Billion Digital Access Cards Worldwide

I'm back from my mini-vacation (hence no posts here since Thursday)...just in time to post this article in PC World detailing just how vulnerable RFID technology can be to would be hackers (at least this specific model anyway) and identity thieves.

PC World Reports:

NXP developed the Mifare Classic RFID (radio frequency identification) chip, which is used in 2 million Dutch building access passes, said ter Horst. One billion passes with the technology have been distributed worldwide, making the security risk a global problem. A spokesperson for the ministry told Webwereld, an IDG affiliate, that it had not yet notified other countries.

The warning comes in a week when two research teams independently demonstrated hacks of the chip's security algorithm.


Criminals can use the hack to clone cards that use the Mifare Classic chip, allowing them to create copies of building access keys or commit identity theft. The chip is used in payment systems worldwide, such as the Oyster Card in the U.K. and the CharlieCard that is used in Boston. Both offer payment systems that allow for wireless transactions.

Our position on this technology is pretty simple: as a society, before we jump head first into the full fledged implementation of any technology that raises these kinds of questions we should take a step back and do the kind of thorough review of the pros and cons first. Then, based on what we find, put in place common sense regulations and safeguards...using the Constitution and our right to privacy as the most important factors in formulating public policy...rather than factors like so called "consumer convenience" and corporate profit.

Click here to read the article in its entirety.

Thursday, March 20, 2008

Next lines of cell phones have privacy implications

Adding to the list of consumer goods that will soon contain RFID tags is the almight cell phone. Thankfully we have David Lazarus of the Los angeles Times (but article is in the Fresno Bee) takes us through the privacy implications of cell phones that will allow each and every one of us to be tracked, anywhwere and everywhere:

But the same chip-based technology that California won't allow to be forcibly placed under people's skin soon will be ubiquitous in cell phones, which the telecommunications industry believes will be used increasingly as electronic wallets to make purchases.


Here's how it'll work: You go to a store, select a pair of khakis and wave your phone in front of a reader at the cash register. The purchase price instantly is deducted from your checking account like a debit card or applied to a credit card account. A record of the purchase also is entered into the store's database. That's very convenient, and undeniably will be a boon to shoppers, merchants and cell phone companies.

What the technology also means, though, is that all cell phone owners, which is nearly everyone, will be technologically "tagged." In theory, anyone -- or any company or government agency -- with a desire to do so would be able to identify you from as far as 300 feet away and track you as you go about your business.

Your cell phone constantly would be broadcasting your location, along with, possibly, your name, address and other potentially sensitive information.


At the moment, the most common form of RFID tagging in this country is what is known as a "passive" emitter. That means the tag has no independent power source and must be activated by an external scanner, usually within a range of 25 feet.

Increasingly, passive tags are being replaced with tiny battery-operated "active" tags that continuously transmit signals as far as 300 feet. Those signals can be picked up by anyone with an RFID scanner.


In 2006, for example, IBM received patent approval for a system that, according to the patent application, could be "used to monitor the person through the store or other areas."

That "or other areas" is what spooks privacy advocates. At the moment, there are few limits on how this technology can be used.

"The notion that we're building a surveillance society is very real," said Sophia Cope, a staff attorney at the Center for Democracy and Technology, which focuses on civil liberties in the digital age.

Click here to read the article in its entirety, and hear some of the ideas being pushed to regulate the technology.

Wednesday, March 19, 2008

Privacy advocate, ACLU hit new Virginia privacy law as misguided

As many know, California passed a law (which was signed) called AB 1168 (Jones) last year that requires state and local government agencies, as well as all colleges and universities in California, to honor consumer expectations of personal privacy by safeguarding Social Security numbers.

In Virginia they're apparently not so lucky. In fact, its worse than that, as the state has decided to target privacy advocates rather than the laws that leave the door open for identity theft.

This one is really hard to believe people, so let's go to Computerworld for the story:

A Virginia-based privacy advocate who has been fighting to stop county and state governments from posting public records containing Social Security numbers on their Web sites is now preparing to do battle against an amendment to a Virginia law that bars individuals from disseminating any of those numbers, even if they obtain them legally from public records.

Far from viewing the bill that amended Virginia's Personal Information Protection Act as a cause for celebration, privacy advocate Betty "BJ" Ostergren claims that it violates her free-speech rights and will do nothing to stop county governments in the state from posting documents without first redacting Social Security numbers and other sensitive data. In fact, Ostergren said the measure seems to have been designed to curtail her campaign to publicize and end that practice.


According to Ostergren and other privacy advocates, county government Web sites in Virginia and elsewhere around the U.S. have become veritable treasure troves of sensitive data for identity thieves and fraudsters. Ostergren, who lives in Virginia's Hanover County, said the bill signed by Kaine will do little to prevent just about anyone worldwide from accessing the public records on county Web sites for a nominal fee. All the amended law does is prohibit people from spreading the information after it is made available to them, she contended.

Ostergren runs a Web site called The Virginia Watchdog, which she uses to highlight the privacy problems that she claims can result from the posting of unredacted tax lien records and other documents on government Web sites. In recent years, she has chronicled dozens of cases in which local governments have inadvertently exposed Social Security numbers and other personal data through their Web sites.

As part of her strategy to highlight the seriousness of the issue, Ostergren has routinely posted on her Web site the Social Security numbers of public figures that she accessed via government sites. The list includes former Florida Gov. Jeb Bush, former Secretary of State Colin Powell, former U.S. House Majority Leader Tom Delay, former Missouri senator Jean Carnahan and several of Virginia's county clerks. Ostergren claims that she posted the numbers to demonstrate the ease with which such information could be obtained and to pressure county officials into taking action.


Ostergren said that in challenging the amendment, her ultimate goal remains convincing the Virginia legislature to stop county clerks from openly posting sensitive personal data. Currently, she claimed, 84 of the 121 county governments in Virginia post unredacted public documents — such as land records, state and federal tax liens, divorce decrees and name change records — on their Web sites.


In a prepared statement issued last week before the governor signed the bill, Kent Willis, executive director of the ACLU's Virginia chapter, said the organization is a "staunch supporter" of laws that would prevent the government from posting Social Security numbers on publicly accessible sites. "But the government can't put the numbers online and then turn around and prevent the public from using those numbers," Willis said. "This is a grossly misplaced bill that attempts to mask the fact that Virginia's lawmakers have failed to prevent Social Security numbers from being placed online in the first place."

I don't know what's the most disturbing aspect of this story:

  • that social security numbers are so easy to find by would be identity thieves;
  • that this proposed law is so utterly useless in dealing with the stated problem;
  • that the Virginia legislature and Governor appear to be targeting Ms. Ostergren because of her efforts to draw attention to these privacy concerns;
  • or that this bill might have something to do with the fact she's posting Social Security numbers of powerful people like Jeb Bush and Colin Powell...versus say, doing something to stop identity thieves from stealing from everyday people?!
Click here to read the article in its entirety.

Tuesday, March 18, 2008

Wiretapping's true danger

This op-ed in the Los Angeles Times by Julian Sanchez on the ongoing debate over the issue of government warrantless wiretapping provides a critical component to the larger debate our nation is currently engaged in (well, some of us).

The point he makes has actually not received the attention it should have to date: that being that the "privacy of the average Joe...obscures the deeper threat that warrantless wiretaps pose to a democratic society. Without meaningful oversight, presidents and intelligence agencies can -- and repeatedly have -- abused their surveillance authority to spy on political enemies and dissenters."

This concern, that for instance, the Bush administration could in fact be using there expanded power to eavesdrop on Americans (and consequently future administrations), with the help of the phone companies, to tap the phones of progressive and anti-war political groups, peace protesters, democratic opponents on the hill, or maybe even bloggers and plain old activists that pose some sort of perceived "threat" to the government.

In fact, FISA was created BECAUSE of these very abuses by President Richard Nixon. So, as I contemplate a future - assuming this administration is successful - in which the government is allowed to wiretap Americans without warrants, and the corporations that help them are immune to prosecution, my number one concern would probably be the way these powers could serve to stifle dissent and preserve power.

This scenario, and these expansive powers, could come in the form of blackmail, character assassination, the gaining of strategic advantage by knowing what your "opponents" are going to do next, or even by the very fact that once a free society allows for the very idea that the government is listening, by definition, this would serve to stifle and suppress those that want to speak out more, but have become afraid.

On that note, let me turn it over to Julian Sanchez's great piece in the LA Times:

The original FISA law was passed in 1978 after a thorough congressional investigation headed by Sen. Frank Church (D-Idaho) revealed that for decades, intelligence analysts -- and the presidents they served -- had spied on the letters and phone conversations of union chiefs, civil rights leaders, journalists, antiwar activists, lobbyists, members of Congress, Supreme Court justices -- even Eleanor Roosevelt and the Rev. Martin Luther King Jr. The Church Committee reports painstakingly documented how the information obtained was often "collected and disseminated in order to serve the purely political interests of an intelligence agency or the administration, and to influence social policy and political action."


It's probably true that ordinary citizens uninvolved in political activism have little reason to fear being spied on, just as most Americans seldom need to invoke their 1st Amendment right to freedom of speech. But we understand that the 1st Amendment serves a dual role: It protects the private right to speak your mind, but it serves an even more important structural function, ensuring open debate about matters of public importance. You might not care about that first function if you don't plan to say anything controversial. But anyone who lives in a democracy, who is subject to its laws and affected by its policies, ought to care about the second.


Harvard University legal scholar William Stuntz has argued that the framers of the Constitution viewed the 4th Amendment as a mechanism for protecting political dissent...In that light, the security-versus-privacy framing of the contemporary FISA debate seems oddly incomplete. Your personal phone calls and e-mails may be of limited interest to the spymasters of Langley and Ft. Meade. But if you think an executive branch unchecked by courts won't turn its "national security" surveillance powers to political ends -- well, it would be a first.

Click here to read the article in its entirety.

Friday, March 14, 2008

REAL ID Updates: Idaho, Maine, Montana

A couple days ago the good news was that California is beginning to make its move against the REAL ID Act too, hopefully joining the 17 states that have passed legislation through at least one state body opposing the law.

More good news, Idaho's House has just unanimously shot down the law. The New West Boise reports:

The Idaho House passed unanimously yesterday a bill directing the Idaho Department of Transportation not to implement the federal REAL ID Act – a decision that, if passed by the Senate and signed by Governor Butch Otter, could theoretically prevent Idahoans from using their driver’s licenses for boarding planes and opening some kinds of bank accounts.


Assuming the federal government follows through on its threat to forbid citizens from non-REAL ID-complying states from boarding planes using driver’s licenses, Idaho citizens will still be able to use other types of government documents, such as passports.

Also on the REAL ID front, Maine is standing firm in its commitment to oppose the law too...and their battle with the feds appears to have gotten rather heated. reports:

Essentially Real ID sets common standards for all drivers’ licenses and state identity cards nationwide and creates the electronic infrastructure that gives states and the federal government access to each other’s databases of personal information. Early last year an outraged and skeptical Maine legislature almost unanimously passed a bill opposing the new rules and forbidding the state’s participation. Since then at least sixteen other states have passed bills or resolutions similarly opposing.


According to its opponents, Real ID is a massive invasion of personal privacy that offers no assurances of safety or security but will impose a multi-billion-dollar unfunded mandate on the states. Once in place, opponents add, Real ID presents the very real opportunity for “mission creep,” with its use expanding to include prescription drug purchases, banking, employment, and even access to a voting booth.


Opposition to the new regulations has brought together an unusual assortment of players, from the MCLU to George Smith of the Sportsman’s Alliance of Maine to legislative leaders of both parties. In truth, it’s difficult to find anyone in Maine who supports the measure outside the few dozen members of Mainers for a Sensible Immigration Policy, who hope that Real ID is the solution to the illegal immigration problem.


Originally Real ID was promoted as an anti-terrorist measure, but that argument faltered when opponents pointed out that all of the 9/11 hijackers carried valid identification papers that would have passed the Real ID test. Then supporters argued that it would prevent identity theft — until the DHS’ Transportation Security Administration created a Web site that left the personal information of air travelers open to the public.

Now Real ID is being pushed as an anti-illegal immigration program, which makes some people wonder what that has to do with air travel. And since it’s a federal program being implemented by state motor vehicle departments, does that also turn drivers’ license examiners into immigration agents? Matt Dunlap says that’s not in the job description of any of his employees.

And finally, I want to give a little update on how Montana and its Governor Brian Schweitzer's fight with the Homeland Security Department is going. Gov. Schweitzer has been the most outspoken opponent to the law, and has led the effort to get more states to join him.

Montana's local CBS affiliate reports on the growing feud:

Montana Governor Brian Schweitzer says he is standing firm against a federal mandate to enact the federal Real ID Act. This after both of Montana's Senators called on the Department of Homeland Security to scrap a May 11th deadline.

At the security screening at Logan International Airport in Billings, you take off your belt, take off your shoes, empty your pockets and go through the gates. Now imagine having to go through that security screening a second time.


Montana Governor Brian Schweitzer says, "It doesn't make our system more secure- it doesn't create more of a bond between Homeland Security and the States...Homeland Security and the federal government do not have a Real ID. They don't have an ID of any kind, and they freely admit it will be at least seven years before they have an ID."


The Governor has till the end of this month to file for an extension. If not Homeland Security says a Montana drivers' license will not be recognized by the Federal Government. That means any Montanan who goes to the airport with only a Montana drivers license would have to go through security screening a second time.

"In May, Montana citizens will get on any plane in America by just simply showing them their drivers license. And I'll bet the ranch on that," says Schweitzer.

Stay tuned, this battle appears to be increasing in intensity, scope, and importance with each passing day...

Wednesday, March 12, 2008

NSA shifts to e-mail, Web, data-mining dragnet

As Mukasey/Rove/Bush/Wall Street celebrate the wiretapping success that snagged consumer rights hero and anti-Wall Street champion - Governor Spitzer - some ACTUAL disturbing revelations are coming out regarding the NSA.

In 2003, Congress voted to terminate funding for Total Information Awareness (TIA) - not to be confused with the numerous government agencies listed in Orwell's 1984. The TIA was a controversial data mining program set up by the Pentagon that "collected electronic data about people in the U.S. to search for suspicious patterns." The program continued in various forms by being spread across different intelligence agencies.

The Wall Street Journal reported the other day that the National Security Agency (NSA), "once confined to foreign surveillance, has been building essentially the same system." An inquiry by the paper reveals that the agency's "efforts have evolved to reach more broadly into data about people's communications, travel and finances in the U.S. than the domestic surveillance programs brought to light since the 2001 terrorist attacks." Two current officials also told the Wall Street Journal that "the NSA's current combination of programs now largely mirrors the former TIA project. But the NSA offers less privacy protection." "A number of NSA employees" expressed concerns "that the agency may be overstepping its authority by veering into domestic surveillance."

And if you've made the connection between this program, and the fight over FISA and telecom immunity, you are correct...they're very related. In fact, I wonder if this breaking news has played, or will play, an important role in the telecom immunity debate, as this MUST deeply concern the Democrats in the House, and perhaps is a key motivator in their recent "toughening" stance?

If this all doesn't get your attention, check out this comprehensive article on this "Big Brother gone berzerk" program by C-NET:

As more communications traffic travels through fiber links, and as e-mail and text messaging supplant phone calls, the spy agency that once intercepted telegrams is adapting yet again. Recent evidence suggests that the NSA has been focusing on widespread monitoring of e-mail messages and text messages, recording of Web browsing, and other forms of electronic data-mining, all done without court supervision. Taken together, those activities raise unique privacy and oversight concerns greater than those posed by large-scale monitoring of voice communications.

Documents released last week by a security consultant (PDF) indicate that an unnamed major wireless provider has opened its network to the U.S. government, allowing customers' e-mail, text messaging, and Web use to be monitored.


The Republicans' blanket of retroactive immunity would likely cover e-mail providers, search engines, Internet service providers, and instant-messaging services too...the NSA can, "without a judicial warrant," obtain the Subject line and other header information from e-mail messages, plus information about Web sites visited and queries to search engines. Phone records, credit card usage information, and airline passenger data are also reportedly vacuumed up by the NSA.


The Electronic Frontier Foundation's Kurt Opsahl posted a stinging critique of the data-dragnet's legality. Here are some excerpts from what Opsahl wrote, referring to the Journal article:

The infobox incorrectly asserts that the subject lines of email are not "content," and can be obtained without a warrant...But this is contradicted by the Department of Justice's own 2002 Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations manual, which states that "the subject headers of e-mails are also contents."


The infobox asserts that the NSA can get cellphone location data without a warrant. "The information [obtained by the NSA] can give such transactional information as a cellphone's location..." The issue of obtaining cell phone location information has been contentious for some time, but the vast weight of judicial interpretation is that a probable cause warrant is required.

Perhaps the silver lining in all this - being that these kind of assaults on civil liberties are not totally unexpected anymore - is it will put the Bush Administration on the defensive, and will help give the Democrats the cover, and spines, they need to fight the "Protect America Act" ("American" meaning the telecos and the administration) and reject immunity for these corporate lawbreakers.

Click here to read the article in its entirety.

Tuesday, March 11, 2008

Democrats Seek Alternative on Phone Immunity

Just when you think the Democrats in the House are going to cave in, they show signs of some fight on the issue of giving retroactive immunity to lawbreaking telecom companies that played a key role in the Administrations illegal wiretapping program.

Apparently they are pushing for an alternative that doesn't include Reuters reports in the New York Times:

Democratic lawmakers drew White House fire on Tuesday when they offered an alternative to U.S. President George W. Bush's demand that phone companies that participated in his warrantless domestic spying program receive immunity from lawsuits. Under the Democratic proposal, phone companies would present their defense in a closed-door U.S. district court, with the judge given access to confidential documents about the electronic surveillance begun after the September 11 attacks.


Even if the full House passes the Democratic measure, it appears certain Republicans will block it in the Senate, extending with no apparent end in sight an election-year dispute over national security. Senate Majority Leader Harry Reid, a Nevada Democrat, called the House bill "a tremendous step forward."

I found this interesting, as once again the major corporate media got the facts of the wiretapping program wrong, or they're simply lying about it to not appear too "anti-administration". Why any news outlet would be afraid to report the truth about these criminals is beyond me, but notice this passage:

Shortly after the September 11 attacks, Bush authorized warrantless surveillance. Critics charged he broke the law. Bush said he had the war-time power to do it, but he later put the program under FISA jurisdiction. Terms remain secret.

Sorry to break it to the Times, but the program was started WELL BEFORE 9/11, not only making it clear the administration has been lying about why they really started the program, and, why, if its so critical to our safety, didn't it help STOP 9/11?

I guess the media just doesn't want to deal with questions and contradictions of this seriousness.

Click here to read the article in its entirety.

Anti-Real ID Rebellion Spreads to California

This is good news - as I can tell you first hand - that a significant coalition has formed here in California, with the Consumer Federation of California being one of them, to stop REAL ID implementation in our state.

Further, in light of growing grassroots opposition to the Act, California Assemblyman Nava has introduced a bill to address the numerous problems with the law, particularly those related to privacy, cost, and security.

Wired Magazines Blog detailed these recent developments:

Assemblyman Pedro Nava (D-35) introduced a non-binding resolution to that effect Monday afternoon in response to concerns about privacy, security and the high price of the federal mandate -- which the government's most recent estimate pegs at $4 billion nationally. The feds are only ponying up a token amount of money, but say states can dip into their federal homeland security grants to help pay down the bill.


The resolution, which needs to go through a set of committees in both of California's legislative bodies before coming to a floor vote, would tentatively join California to a group of 17 states that have expressed opposition to the unfunded mandate. Three states have outright rejected Real ID, setting up a showdown on May 11, when the federal government says it will not allow residents of Montana, Maine, South Carolina and New Hampshire to use their state I.D. cards for federal purposes.


California's resolution doesn't go nearly that far, since the state has already gotten the extension, but still might boost the anti-Real ID movement given the state's size, clout and dire finances. If passed, the California resolution (.pdf), known as AJR 51, does not need the signature of California's Republican governor Arnold Schwarzenegger to go into effect.

Click here to read the article in its entirety.

Monday, March 10, 2008

Two new California Bills threaten our privacy

The Consumer Federation of California is actively opposing two recently introduced bills in the California legislature that threaten individual privacy in very distinct and different ways.

SB 1096 (Calderon), raises significant privacy and health care concerns for patients. The bill would allow the sharing of a patient’s confidential medical information regarding prescription drugs among a pharmacy, third party corporations and pharmaceutical companies.

SB 1096 would create an exception to California’s Medical Information Act, and allow sharing of confidential patient drug prescription information without a patient’s consent. The bill’s main backer, Adheris Inc., is a subsidiary of inVentiv Health Inc., a drug marketing company. Under SB 1096, drug stores would provide confidential patient prescription information to third party businesses. The third party would prepare mailings to patients that would have the appearance of coming from the pharmacy. These third party marketing corporations would, in turn provide patient information to, and receive payment from, pharmaceutical drug manufacturers to send the mailings, ostensibly to remind patients to take their medications or to renew their prescriptions.

To read the rest of our opposition letter, click here.

AB 1899 (Cook), as the Electronic Frontier Foundation (EFF) details, "would allow local law enforcement entities to create and manage at their discretion biometric or other automated identification systems, including DNA and facial recognition technologies. Current law provides for state and national fingerprint and DNA databases with procedures and protections."

As we at CFC have not created an opposition letter yet, I will post some of the passages of EFF's, as they raise some very, very serious concerns about this bill's implications, and the expanding role of "big government/brother" in our lives.

Government databases of individuals generally raise critical privacy and civil liberties concerns. Biometric databases are even more dangerous. Even for familiar and long-used biometrics like fingerprints, grievous errors harming innocent individuals are made.[1] And giving local law enforcement agencies unfettered discretion to create biometric databases of people who are not convicted or charged with any wrongdoing is extremely troubling. Yet AB 1899 lacks any privacy and security precautions.

Article I, section 1 of the California Constitution explicitly grants California citizens the right to privacy, providing that: "All people are by nature free and independent and have inalienable rights. Among these are... pursuing and obtaining...privacy." This right was specifically intended to "prevent government and business interests from stockpiling unnecessary information about us and from misusing information gathered for one purpose in order to serve another purpose or to embarrass us."
[2] The California Supreme Court has said that “if sensitive information is gathered and feasible safeguards are slipshod or nonexistent, or if defendant's legitimate objectives can be readily accomplished by alternative means having little or no impact on privacy interests, the prospect of actionable invasion of privacy is enhanced."[3]

The Department of Justice currently has comprehensive systems and procedures in place for gathering fingerprints and DNA from people and for identification of criminal suspects using fingerprints or DNA obtained from crime scenes (see Penal Code § 11112.1 et seq. and Penal Code §§ 295 et seq.)

Allowing every local law enforcement entity to create its own rules and procedures will lead to disparate privacy standards not to mention different qualities of information gathered. For example, facial recognition software is easily tripped up by changes in hairstyle or facial hair, by aging, weight gain or loss, and by simple disguises. There are high rates of both "false positives" (wrongly matching people with photos of others) and "false negatives" (not catching people in the database).

As identity theft becomes more prevalent, California must take steps to protect the privacy and security rights of its residents. Yet AB 1899 is utterly silent on these critical issues. Accordingly, we must oppose AB 1899. Please feel free to contact me if you have questions about our position.

Both bills are in the earliest of stages, with SB 1096 getting its first hearing on March 12th, and AB 1899 is scheduled for its first hearing on March 11th. We will be carefully monitoring their progress, and taking note of which of our representatives side with the pharmaceutical industry and the police, and which side with the California Constitution and the people.

Friday, March 7, 2008

More FBI Privacy Violations Confirmed

Apparently we've got more to worry about than just illegal wiretapping, government surveillance, data breaches, and REAL ID. Now - due to hearings being held by Democrats on the hill - we know the FBI has been improperly accessing Americans' telephone records, credit reports and Internet traffic for fourth straight years! As one would expect - these privacy abuses - according to the FBI are a result of investigations aimed at tracking terrorists and spies.

Not to worry though, the FBI claims its not their fault, but rather, its the fault of banks, telecommunication companies and other private businesses giving them more personal client data than was requested.

Doesn't that make you feel safer to know? Its not the governments fault, its the corporations that store all of our private information! And remember, they're violating our rights for our own benefit! Thank you FBI, knowing that you're invading my privacy does put my mind at ease, what's the constitution anyway?

Yes, I'm being sarcastic. Here's some of the New York Times story covering these rather unbelievable revelations:

An audit by the inspector general last year found the FBI demanded personal records without official authorization or otherwise collected more data than allowed in dozens of cases between 2003 and 2005. Additionally, last year's audit found that the FBI had underreported to Congress how many national security letters were requested by more than 4,600. The new audit, which examines use of national security letters issued in 2006, ''will identify issues similar to those in the report issued last March,'' Mueller told senators.


The number of national security letters issued by the FBI skyrocketed in the years after the Patriot Act became law in 2001, according to last year's report. Fine's annual review is required by Congress, over the objections of the Bush administration. In 2005, for example, Fine's office found more than 1,000 violations within 19,000 FBI requests to obtain 47,000 records. Each letter issued may contain several requests.


Speaking before the FBI chief, Senate Judiciary Chairman Patrick Leahy, D-Vt., urged Mueller to be more vigilant in correcting what he called ''widespread illegal and improper use of national security letters.''

''Everybody wants to stop terrorists. But we also, though, as Americans, we believe in our privacy rights and we want those protected,'' Leahy said. ''There has to be a better chain of command for this. You cannot just have an FBI agent who decides he'd like to obtain Americans' records, bank records or anything else and do it just because they want to.''


''The credibility factor shows there needs to be outside oversight,'' said former FBI agent Michael German, now a national security adviser for the American Civil Liberties Union. He also cast doubt on the FBI's reforms. ''There were guidelines before, and there were laws before, and the FBI violated those laws,'' German said. ''And the idea that new guidelines would make a difference, I think cuts against rationality.''

Click here to read the article in its entirety.

Thursday, March 6, 2008

Halting Illegal Spying on Americans

This is about as good an argument as you'll find as to why telecom immunity should NOT be granted to companies that participated in the governments illegal spying program, that our Constitution and rule of law should remain sacrosanct, and just how ludicrous the arguments by the administration have become.

It's a good thing this article makes such a great case too, as it was written by Bruce I. Afran and Carl J. Mayer, the two public interest attorneys that filed the first lawsuit against Verizon for illegally turning over customer records to the government.

The article is published on the website They write:

Always willing to go to the mat to defend helpless phone giants, President Bush neglected to mention that the original lawsuits were brought by public interest lawyers like us and the ACLU, not class-action lawyers. This is only one of a series of untruths told by the Bush Administration about the largest domestic spying program in American history. Not least, as reported in this paper in January, the Bush administration took steps to monitor the calls of American citizens before 9/11, not after, as the administration has repeatedly asserted.

The President’s suggestion that it would be “patently unfair” to hold the phone companies liable represents a new low in this administration’s disregard of the law. Congress has long made it a crime for phone carriers to share a subscriber’s phone records with the government without a warrant or subpoena. Both the Electronic Communications Privacy Act and the Stored Communications Act provide for a minimum of $1,000 in damages for each violation of a phone subscriber’s privacy rights.


So far, Democratic leaders in the House have refused to join their Senate colleagues in pushing through the Protect America Act that would have expanded the administration’s domestic spying program and given unprecedented immunity to telephone companies. Had Democrats succumbed to White House pressure, dozens of lawsuits would have been dismissed and, along with them, any legal remedy for the one of the most widespread violations of civil liberties by any U.S. administration.

This is one of the most important civil liberties issues of this generation and House Democrats must stand firm. The President sounds increasingly like the fictional, deluded Dr. Strangelove, only instead of bemoaning a “Doomsday Gap” he incoherently warns of an “Intelligence Gap.” If ever there was an opening for Democrats to blockade an isolated and unpopular administration to protect a popular principle, this is it.

Unfortunately, its still very unclear what the House Democrats are going to do. Some have hinted they want to cut a deal, a bad one at that, while others seems to legitimately want to reject giving these companies immunity at all cost, and no matter how hard the fight. This is what the public must demand.

Tell your representative to stand firm and protect our privacy, the constitution, and the rule of law. Take Action here.

Wednesday, March 5, 2008

FTC settles breach complaint with student lender

I suppose in this instance, the good news is the U.S. Federal Trade Commission (FTC) has settled a complaint against student lender Goal Financial for failing to safeguard personal data - including Social Security numbers - of thousands of its customers. This marks the 17th such case the FTC has brought against companies that violate data security practices.

The bad news is not only was Goal Financial guilty of a major breach of their customers right to privacy, they blatantly LIED and misrepresented their own privacy protection standards in the contracts signed by students whose information was compromised.

Infoworld reports:

Goal Financial allowed two employees to access the personal information of about 7,000 customers and take the information to a competing firm between 2005 and 2006, and the company allowed an employee to sell a hard drive containing the unencrypted personal information of 34,000 customers sometime in 2006, the FTC said. The company failed to protect personal information such as birth dates, Social Security numbers, and income and employment information...


As part of the settlement, Goal Financial must implement a comprehensive information security program and be audited by an independent security professional every other year for 10 years.


The FTC accused the company of violating the agency's Safeguards Rule by failing to adequately assess the risks to consumers’ personal information, adequately restrict access to this information to authorized employees, implement a comprehensive information security program, provide adequate employee training, and, in some instances, contractually require third-party service providers to protect the information.

Goal Financial also violated the FTC's Privacy Rule by providing customers with a privacy policy that contained false or misleading statements and violated the FTC Act by falsely representing to consumers that it implemented reasonable and appropriate measures to protect personal information, the FTC said.

Tuesday, March 4, 2008

Feds Cite Hassles if ID Law Not Followed

As more and more states stand up to the administration's REAL ID Act the question on everyone's mind is "what will happen to those that don't comply"?

For all the background you could possibly need on this "national ID" scam, go to Here's a key passage regarding the Act's relation to individual privacy:

"Real ID would become a key infrastructure for, and dramatically accelerate, the surveillance society that is already being constructed in the United States. Once put in place, it would be used more and more for the routine tracking, monitoring, and regulation of individuals’ movements and activities, it would be exploited by the private sector, and it would expose individuals to greater risk of identity theft and other security risks. Its centralized database would inevitably, over time, become the repository for more and more data on individuals, and would be drawn on for an ever-wider set of purposes."

The New York Times covers the issue...and the rapidly approaching showdown between states and the federal government:

States have less than a month to send a letter to the Homeland Security Department seeking an extension to comply with the Real ID law passed following the 2001 terror attacks. Some states have resisted, saying it is costly, impractical and an invasion of privacy.


To bring the states in line, Chertoff warned that any state that does not seek an extension by the end of March will find that, come May, their residents will not be able to use their licenses to board domestic flights.


In recent years, 17 states passed legislation or resolutions opposing Real ID, but now only a handful appear willing to challenge the government publicly.


If the states do not seek an extention by March 31, their residents will be subjected to secondary screening by security workers before boarding any domestic flight beginning May 11. ''We're not going to buckle under here,'' said Montana Gov. Brian Schweitzer. ''My guess is the people of Montana would be proud to walk through that line.''

Click here to read the article in its entirety.

Monday, March 3, 2008

Use of radio ID tags faces limits

I know its not "American" to say we could learn a lot from Europe when it comes to the issue of privacy protection (England aside)...but alas, it is true. The EU has been ahead of us when it comes to corporate mergers like Google and Doubleclick, and they seem to be a step ahead of us on establishing common sense privacy safeguards for the widespread, and increasing use of RFID technology.

This article in the International Herald Tribune details the ways in which the EU, and European businesses are addressing the various privacy concerns associated with RFID:

...the rapid development of RFID technology is also being regarded cautiously by the authorities in the European Union, who are moving quickly to establish privacy guidelines because the chips - and the information being collected - are not always visible.

Their goal is to raise awareness among consumers that the data-gathering chips are becoming embedded in their lives - in items like credit cards, public transportation passes, work access badges, borrowed library books and supermarket loyalty cards. There are also policy concerns regarding whether retailers could link a customer's credit card data to an RFID tag in a product, allowing clients to be identified when they return to a store.

In late February, the European Commission issued privacy protection proposals to establish a code of conduct for companies using RFID technology, fueling a debate among privacy advocates who seek more openness and trade groups of manufacturers and retailers who want practical guidelines that will allow the developing technology to flourish.


Privacy advocates have hailed what is known as the opt-in principle as a pioneering step by European regulators to establish clear privacy protections in connection with the technology. In February, lawmakers in the U.S. state of Washington also sought to carve out a privacy bill of rights, passing legislation in the state's House of Representatives to make it a felony for businesses to keep personal information gathered from RFID chips without consent from customers.

"For us, consumers have to be protected," said Emilie Berrau, a legal officer for the BEUC, the European Consumers Organization in Brussels. "They haven't asked for the technology, so why should they have the burden of protecting themselves?"


Retailers have tended to use the chips for logistical purposes like tracking deliveries, but companies are starting to get more inventive. A British uniform supplier, Trutex, said it was developing clothing with chips to track schoolchildren, in part because of surveys that showed parents were favorable to the idea.


But even without that prodding, companies are looking for ways to demonstrate their respect for privacy standards. European authorities started financing a €1.2 million, or $1.8 million, pilot project in the summer to create a trans-European "privacy seal of approval" that could be marked on products that meet independent evaluations of privacy standards and could be applied to products using RFID chips. Called the EuroPriSe Project, the program has already accepted 20 companies seeking the seal, according to the project manager, Kirsten Bock.


Bock said it was clear there was a demand for the logos - something akin to popular seals certifying organic products or fair-trade items. The new EuroPriSe program, she said, has had to turn away more than 80 companies during its test phase. And even Schleswig-Holstein, with its regional privacy seal, managed to attract a giant from across the Atlantic seeking a seal for its software, Bock said. At a ceremony last year in Berlin, Schleswig-Holstein officials awarded the privacy seal to Microsoft for its Update 6.0 and Windows Services 2.0.

Click here to read the article in its entirety. I'll be doing a little snooping around to see whether similar ideas as those laid out in this article could be adopted here in the US, and I'll check in with privacy rights champion Senator Joe Simitian's (author of numerous RFID regulation bills) office to see what they think as well.