Wednesday, April 30, 2008

Senators, states beat up on Real ID plans + ACLU Testimony

Well, it was another Senate's Homeland Security and Governmental Affairs Committee Hearing, and that means another REAL ID bashing contest. You'd think we must be getting closer to scrapping this "National ID Card" idea - sprung from the dark recesses of George Orwell's brain - when nearly every Senator seems to oppose it, as does the majority of the states, and the majority of the people, no?

CNet News does its usual good job covering the hearings:

Senators Daniel Akaka (D-Hawaii) and George Voinovich (R-Ohio), who presided over a Tuesday subcommittee hearing revisiting the topic, said they remain particularly troubled by Real ID's multibillion-dollar price tag for state governments. Akaka and others also voiced worries about the mandate's privacy and civil liberties implications.

...

Akaka, for his part, said he will continue to push for passage of the Identification Security Enhancement Act, which he introduced last Feburary. That bill would yank Real ID and replace it with a "negotiated" rulemaking process that was proposed before Real ID was glued onto an emergency Iraq war spending bill that passed unanimously in 2005. Republicans John Sununu and Lamar Alexander and Democrats Patrick Leahy, Jon Tester, and Max Baucus also support the bill, as do influential state officials and civil liberties groups, but it's unclear whether it has the momentum to go anywhere this year.

...

Perhaps the most blistering critique of Real ID on Tuesday came from Tester, who called the program "the worst kind of Washington, D.C., boondoggle." He suggested it was curious that his home state had been granted a deadline extension, even though its attorney general had told Homeland Security that state law did not authorize Montana to implement Real ID, and the state legislature won't even meet again until next January.

...

Tester inquired about why the administration isn't requiring the information encoded on the Real ID cards' bar codes to be encrypted. Baker said Homeland Security decided on that approach because police were concerned about an inability to read the information off cards rapidly during traffic stops.

But there's probably no better or able critic of REAL ID than the ACLU...who also got their turn to testify before the Senate. Caroline Fredrickson, director of the ACLU Washington Legislative Office testified today about the privacy and security concerns with creating a federal identity document every American will need in order to fly on commercial airlines, enter government buildings, or open a bank account.

Fredrickson stated:

"Congress is currently on the path of creating a national ID system that fails to make America more secure while sacrificing individual privacy. Congress still has the opportunity to reconsider this route and put our nation on a better path that adds security and protects the privacy of all Americans. Chairman Akaka’s bill, the Identification Security Enhancement Act of 2007, accomplishes both of these goals. It is now up to Congress to either allow our nation to continue towards an ineffective ID system that leads to a national ID, or repeal the Real ID Act of 2005 and institute ID security that protects our nation and our privacy."

"The Real ID Act of 2005 was hastily passed by Congress, without the proper assessment about cost and implementation. With Real ID, tens of thousands of people will have access to our information in a massive government database. The national database could well become a one-stop shop for identity thieves."

So if I were keeping score, and I am, I'd say REAL ID has badly lost another round. Unless that is, the Homeland Security Department still carries any weight and credibility with you. Or whether their continuous claims that these cards will "protect us from terrorists" make any sense to anyone anymore. I suspect most would answer both of the above questions with a resounding "no".

Monday, April 28, 2008

Should You Trust Your Health Records to Google and Microsoft?

I want to continue covering what is only going to become a more important issue in the months and years to come: the emerging electronic medical records "industry" and the privacy concerns associated with it.

As I have detailed in the past two weeks, there has been a rash of electronic medical record privacy violations as well as a new study published in the The New England Journal of Medicine warning that "the entry of big companies like Microsoft and Google into the field of personal health records could drastically alter the practice of clinical research and raise new challenges to the privacy of patient records."

As I also stated, "you can be sure this issue is only going to become more important in the months and years to come as our medical records will continue their transition into the digital age. That of course means electronic records being shared by increasing numbers of people and in an increasing number of ways and for an increasing number of reasons (many perhaps illegal). In fact, you won't see a health plan these days that doesn't already factor in the claimed costs savings that such electronic records will bring to consumers. Now, that debate is for another time - but a debate that needs to be had right now, is how far will we go to protect our most private information?"

The fact is, currently we have no laws guaranteeing the privacy of digitized health information. And until that time comes, there are serious privacy risks in allowing ones records to be electronically stored by companies like Microsoft and Google.

Erik Larkin of PC World writes an editorial in the Washington Post:

Imagine being able to check your medical history as easily as you can your e-mail. Or being able to provide records to a new doctor at a moment's notice. Google, Microsoft, and others are developing promising systems for storing digital health care records--for free.

But there's a catch (of course). Both the upcomingGoogle Health, currently in private testing, andMicrosoft's public beta of HealthVaultdeal with our most personal information. The two projects will eventually enable doctors and hospitals to add records for hospitalization, doctor visits, and prescriptions (after you give your okay), and will permit you to upload data from devices that you might use at home, such as blood glucose monitors. They could be especially useful for allowing a new doctor to quickly confirm that, for instance, a prescription won't cause problems with other medications you're taking.

The drawback? TheHealth Insurance Portability and Accountability Act (HIPAA), a federal law that governs the confidentiality of health records, doesn't extend to non-health-care companies.

...

But absent any HIPAA or other overarching regulation, McGraw notes, you simply have to trust that the companies will do the right thing. Google and Microsoft are, for the most part, being careful with regard to privacy here, but where my health care records are concerned, I want laws that specifically define what can and can't be done with the information. And I want the company responsible to be punished if someone screws up and releases my data.

...

Another issue: Google and Microsoft use a simple Gmail or Windows Live user name and password to access the records. That's great for convenience, but terrible for security and privacy. Internet criminals commonly try to guess or steal Web mail accounts. It's bad enough when a snoop rifles through your Web mail. Imagine one getting access to all your health records at the same time. Faced with these potential gotchas, I'd wait for the systems and the laws to mature before jumping in.

Click here to read the article in its entirety.

Wednesday, April 23, 2008

Privacy Bills to Watch in California

Now that the California Legislative session is in full swing, I'd like to report on the multitude of privacy bills (including one that we are sponsoring) making there way through the legislature. As usual, California is setting the standard for tough privacy protections, the question is whether the Governor will sign those that make it to his desk:

AB 1779 (Jones) Personal Information: Security Breaches

This bill would require substitute notice of security breach notifications to be submitted to the Office of Privacy Protection. California lacks any centralized reporting process for security breaches. It is therefore difficult for state policy makers to assess or improve upon our state security breach laws. The state may be missing important criminal activity patterns or consumer practices, the analysis of which could help establish better protections for Californians. AB 1779 addresses this need by making the Office of Privacy Protection a repository for security breach notifications.

Status: AB 1779 was read for the first time on the Senate floor on April 22, and was sent on to Committee on RLS. for assignment.

AB 3011 (Huffman) Telephone Records: Subscriber Information

AB 3011 (a CFC sponsored bill) would clarify existing law which prohibits the disclosure of a person's residential landline calling records to apply to cell phone consumers as well. Existing law, Public Utilities Code §2891, prohibits the disclosure of a residential phone subscriber's calling information without the person's consent. However, this law only applies to residential subscribers. It does not currently cover cell phone consumers. Section 2891 was added to the Public Utilities Code in 1986, before the proliferation of cell phones. AB 3011 simply amends Public Utilities Code §2891 to delete the word "residential." In so doing, AB 3011 would clearly establish that the calling records and privacy of cell phone customers have the same protections as residential landline customers.

Status: AB 3011 will be in the Utilities and Commerce Commerce Committee on April 28.

Other Bills to keep an eye on include:

SB 1096 (Calderon) Medical Information - We oppose this bill because it would allow the sharing of confidential patient drug prescription information without the patient's consent.

Status: SB 1096 will be in the Senate Judiciary Committee on April 29.

AB 2059 (Nunez) Mailed Solicitations: Disclosures - a bill that deals with "lead cards" and is supported by the CFC.

Status: AB 2059 will be heard on the Assembly Floor on April 24.

AB 2606 (Emmerson) Bad Check Diversion Program - CFC opposes this bill because the proposed program encourages unscrupulous collection practices, increases harassment of innocent consumers and dilutes oversight and accountability.

Status: AB 2606 will be heard on the Assembly Floor on April 24.

Friday, April 18, 2008

Privacy Advocates: Consumer Education Isn't Enough

You've probably heard those typical industry and government code words used to distract and subvert attempts to protect personal privacy like "consumer education" and "increased disclosure". It shouldn't be any surprise then that two leading privacy protection groups have found that these kinds of industry "solutions" fall well short of protecting the personal and private information of consumers.

In the case of this study by the Electronic Privacy Information Center (EPIC), the Center for Digital Democracy (CDD), and others, the focus was on the effectiveness of the "efforts" of e-commerce sites and online advertisers to educate U.S. consumers about privacy and targeted advertising.

PC World Reports:

The efforts of e-commerce sites and online advertisers to educate U.S. consumers about privacy and targeted advertising aren't enough because many consumers won't take the time to understand the issues...

Leaders of the Electronic Privacy Information Center (EPIC) and the Center for Digital Democracy (CDD) called for Congress to pass online privacy regulations during a forum hosted by the Annenberg School for Communication at the University of Pennsylvania and the University of Southern California. And Susan Grant, director of consumer protection at the Consumer Federation of America, suggested the U.S. government should set up a "do-not-track" list, prohibiting advertisers from tracking online activities, modeled after the do-not-call list governing telemarketers.

Many U.S. consumers don't understand online advertising practices because the ways in which online companies use personal data is constantly changing, said Marc Rotenberg, EPIC's executive director. He pointed to a 2005 University of Pennsylvania survey in which only 25 percent of respondents knew that a Web site having a privacy policy doesn't guarantee that the site refrains from sharing customers' information with companies.

...

U.S. government rules are needed to give online advertisers a code of conduct, said Jeffrey Chester, CDD's executive director. He called interactive online advertising "a virtually invisible, stealth system."

Click here to read the rest of the article.

Thursday, April 17, 2008

Warning on Storage of Health Records

As I mentioned a few days back when the LA Times revealed the rash of electronic medical record privacy violations..."you can be sure this issue is only going to become more important in the months and years to come as our medical records will continue their transition into the digital age. That of course means electronic records being shared by increasing numbers of people and in an increasing number of ways and for an increasing number of reasons (many perhaps illegal).

In fact, you won't see a health plan these days that doesn't already factor in the claimed costs savings that such electronic records will bring to consumers. Now, that debate is for another time - but a debate that needs to be had right now, is how far will we go to protect our most private information?"

Well, we now have more reason to worry, as two leading researchers published an article in The New England Journal of Medicine warning that "the entry of big companies like Microsoft and Google into the field of personal health records could drastically alter the practice of clinical research and raise new challenges to the privacy of patient records."

The New York Times Reports:

The authors, Dr. Kenneth D. Mandl and Dr. Isaac S. Kohane, are longtime proponents of the benefits of electronic patient records to improve care and help individuals make smarter health decisions.

But their concern, stated in the article published Wednesday and in an interview, is that the medical profession and policy makers have not begun to grapple with the implications of companies like Microsoft and Google becoming the hosts for vast stores of patient information. The arrival of these new corporate entrants, the authors write, promises to bring “a seismic change” in the control and stewardship of patient information.

...

But Microsoft and Google, the authors note, are not bound by the privacy restrictions of the Health Insurance Portability and Accountability Act, or Hipaa, the main law that regulates personal data handling and patient privacy. Hipaa, enacted in 1996, did not anticipate Web-based health records systems like the ones Microsoft and Google now offer.

The authors say that consumer control of personal data under the new, unregulated Web systems could open the door to all kinds of marketing and false advertising from parties eager for valuable patient information.

...

But the authors see a need for safeguards, suggesting a mixture of federal regulation — perhaps extending Hipaa to online patient record hosts — contract relationships, certification standards and consumer education programs.

Click here to read the article in its entirety.

Wednesday, April 16, 2008

RFID keeps tabs on Vegas bartenders -- and soon could track you too

RFID technology is rapidly becoming a ubiquitous monitoring tool - and will certainly be utilized in the day to day operations of businesses and government's throughout the world in the near future. This Computer World article - detailing various uses of RFID being contemplated in Las Vegas - serves as an excellent "prep course" in just some of the many ways this technology is being used now, and will be used in the future. As you will notice, the usual spectrum of those uses is covered, spanning from the privacy benign to the "dangerous infringement".

From a public policy perspective, our argument continues to be one of "the devil will be in the details". As in, the extent to which RFID technology poses a privacy threat to the public, directly depends on the protections and precautions we will institute as they are more widely and regularly utilized.

Computer World Reports:

Tucked away in the pouring spouts of the bottles behind bars at MGM Mirage resorts and casinos are RFID tags that measure the flow of liquor, producing data that links to point-of-sale systems. The chipping is part of the loss-control system at MGM Mirage (it has RFID in some casino chips as well), which has 55,000 employees and serves tens of thousands of guests daily. But it is a relatively minor example of how technology is being used, according to Tom Peck, MGM Mirage's senior vice president and CIO. The company has some big plans to deploy a range of technologies that will change how services are delivered.

...

Peck, who appeared at a Gartner Inc. ITexpo forum with Aldo Manzini, MGM Mirage's executive vice president and chief administrative officer, envisions a seamless network — from algorithms that can predict customer wants to systems that will respond to newly arrived hotel guests by automatically turning on lights, adjusting blinds and setting the television to the customer's preferred language. All of it will happen through fiber networks and ZigBee, a short-range wireless network technology in rooms.

...

Another new technology will be room keys that not only open doors, but also keep track of customer preferences and gaming play. But Peck says that this type of technology, which includes RFID and a computer chip, will also likely be "opt-in," since some customers may not want to be tracked.

The business goal, said Manzini, is to be able to use technology to create an experience as close to a personalized concierge service as possible for a very large number of customers, "and the only way we can accomplish that is through technology."

As I have mentioned many times here before, California is leading the way on this issue. A host of bills being proposed by Senator Joe Simitian (as well as Ellen Corbett and others) would go far in protecting privacy and strengthening consumer choice.

In particular, these bills would simply apply existing, widely-accepted State privacy principles and baseline privacy practices and standards to RFID. For more information on these bills, check out our Bill List, esp. SB 28, 29, 30, 31, and 388.

Click here to read the rest of the ComputerWorld article.

Monday, April 14, 2008

Alaska Rejects REAL ID - Nasua Telegraph Editorial Also Opposes Act

It should be no surprise to anyone anymore that the drum beat of opposition among the states to the Bush Administration's National ID Card...I mean, REAL ID Act, is growing louder.

Two tidbits of information to report today. First, Alaska's legislature has voted to stop implementation of the Act entirely.

The Alaska Legislature approved legislation rejecting implementation of the federal Real ID Act. Lawmakers believe the federal law infringes on the fundamental right to privacy of Alaskans and would effectively bring about a national ID card system. The legislation ­SB202- opts Alaska out of REAL ID by forbidding the funding of anything that would further REAL ID compliance. SB202 is sponsored by Sen. Bill Wielechowski, D-Anchorage.

...

The federal Real ID law was passed by Congress in May 2005 as part of a must pass" federal appropriations bill. The law requires driver's licenses and state ID cards to carry what is known as "common machine readable technology," and that means the government can swipe your card every time you use it. The information can be accessed by all other states and will be maintained by a private corporation. The information could even be used by Canada and Mexico due to treaties the United States has with those nations.

...

The Real ID Act ­if enacted-- could take on "Big Brother" proportions. The federal legislation gives the Secretary of Homeland Security the power to require biometric information to the card. That means your fingerprints, a retinal scan - even your DNA can be added to the card.

Many gun owners are also concerned it will be used to create a national gun registry. By opting-out of REAL ID, Alaskans no longer need worry about this.Alaska is not the only state rising up against the Real ID Act. Eighteen other states have passed legislation similar to SB 202 and another eighteen are considering them.

Click here to read the entire statement by the Alaska Senate Bipartisan Working Group.

Also adding to the drumbeat of opposition is New Hampshire - a place one would expect to see a rebellion when it comes to issues related to privacy. In this case, one of the state's major newspapers - the Nashua Telegraph - forcefully editorializes in support of the state's opposition to the act.

The Editorial "N.H. right to reject Real ID program" reads:

Many Real ID opponents are concerned with civil liberties and the potential infringement of privacy rights posed by a national ID system. They argue that the new standards would create greater repositories of data about private citizens at the state license issuing offices, and that this data could be the target of everything from hackers interested in identity theft to federal snooping.

...

The problem with this position, however, is that refusal to participate in the Real ID program may bring a whole different set of inconveniences to New Hampshire residents. If the federal government begins to enforce Real ID requirements at airports and federal buildings, for example, New Hampshire residents with a non-compliant driver's license may find themselves singled out for extra scrutiny.

...

...at some point the federal government will need to find a more permanent resolution for this impasse with states vehemently opposed to the Real ID program. The solution seems to be a reinvention of the program in a way that addresses states' concerns. New Hampshire should be proud that it is one of the states pressuring the federal government to come up with a better solution to this tricky situation.

Click here to read the article in its entirety.

Friday, April 11, 2008

Republicans Dropping Push for Retroactive Immunity + Ron Paul Editorial

First, to the good news. It appears that the Democrats, or in this case, the people and the constitution, may actually win the long, drawn out battle over whether to give retroactive immunity to the telecom companies that helped the government spy on Americans without a warrant.

The word is, House Minority Leader John Boehner (R-OH) is expected to announce today that conservatives will drop their push to pass an update to the Foreign Intelligence Surveillance Act in order to shift their focus to the economy. This strategy was detailed in the inaugural edition of the "Freedom File" e-mail -- "a monthly memo to GOP activists -- from Boehner's political action committee, Freedom Project."

Of course, the most powerful and persuasive voices against the Protect America Act, and the warrantless wiretapping program, were not all Democrats. Ron Paul, Republican Presidential candidate, takes a back seat to no one when it comes to the issue of privacy.

Here's what Congressman Ron Paul said on the House floor regarding what he calls "The Emerging Surveillance State":

Last month, the House amended the 1978 Foreign Intelligence Surveillance Act (FISA) to expand the government’s ability to monitor our private communications. This measure, if it becomes law, will result in more warrantless government surveillance of innocent American citizens.

...

The new FISA bill allows the federal government to compel many more types of companies and individuals to grant the government access to our communications without a warrant. The provisions in the legislation designed to protect Americans from warrantless surveillance are full of loopholes and ambiguities. There is no blanket prohibition against listening in on all American citizens without a warrant.

We have been told that this power to listen in on communications is legal and only targets terrorists. But if what these companies are being compelled to do is legal, why is it necessary to grant them immunity? If what they did in the past was legal and proper, why is it necessary to grant them retroactive immunity?

...

We should remember that former New York governor Eliot Spitzer was brought down by a provision of the PATRIOT Act that required enhanced bank monitoring of certain types of financial transactions. Yet we were told that the PATRIOT Act was needed to catch terrorists, not philanderers. The extraordinary power the government has granted itself to look into our private lives can be used for many purposes unrelated to fighting terrorism. We can even see how expanded federal government surveillance power might be used to do away with political rivals.

The Fourth Amendment to our Constitution requires the government to have a warrant when it wishes to look into the private affairs of individuals. If we are to remain a free society we must defend our rights against any governmental attempt to undermine or bypass the Constitution.


With mounting opposition to REAL ID by states across the country, combined with the recent backtracking by the administration and the Republican Congress on warrantless wiretapping and retroactive immunity, I am feeling just a tinge of optimism! The fight is clearly not over, but privacy appears to be making a bit of a comeback.

Click here for Paul's entire floor speech.

Thursday, April 10, 2008

Effectiveness of medical privacy law is questioned

You can be sure this issue is only going to become bigger and more important in the months and years to come as our medical records will continue their transition into the digital age. That of course means electronic records being shared by increasing numbers of people and in an increasing number of ways and for an increasing number of reasons (many perhaps illegal).

In fact, you won't see a health plan these days that doesn't already factor in the claimed costs savings that such electronic records will bring to consumers. Now, that debate is for another time - but a debate that needs to be had right now, is how far will we go to protect our most private information?

The LA Times reports on some new data suggesting that the current safeguards in place are inadequate:

When Congress passed a federal medical privacy law more than a decade ago, it was hailed as a new level of protection for patients nationwide. But even though the government has received about 34,000 complaints of privacy violations since it officially began enforcing the law five years ago, only a handful of defendants have been criminally prosecuted. The half a dozen or so cases mainly involved clerical workers who pilfered patient information, using it to open credit card accounts or selling it to crooks who tried to bilk Medicare and the Internal Revenue Service.

...

Critics say the government's approach -- which focuses on getting providers to correct violations -- may be too lenient, particularly at a time when medical records are increasingly being shifted from file folders to computers. In addition, a Justice Department legal opinion has stated that the law applies primarily to organizations -- hospitals, health insurance plans and doctors' offices -- and only secondarily to individuals such as the low-level clerks most often implicated in information theft.

...

Some privacy advocates say the law should be changed to give patients and their families explicit authority to specify who can -- and cannot -- see their medical records, although others in the industry argue that such stipulations would be very difficult to enforce.

...

California has its own medical privacy law. Under the 1981 Confidentiality of Medical Information Act, any "person or entity" that "obtains, discloses or uses" patient information without authorization faces civil fines of $2,500 to $250,000. But no one seems to know how often or even whether such fines have been levied.

This will be an issue I will follow regularly on this blog, because as I said in the intro, its only going to get bigger. And from our perspective, privacy comes first, and we would rather fault on the safe, than the sorry side when it comes to information as personal as your medical records.

Click here to read the article in its entirety.

Tuesday, April 8, 2008

FBI Data Transfers Via Telecoms Questioned

As if we didn't have enough reasons to be paranoid! Now I find this. Rather than try and explain how these "connections" between the FBI and telecom companies are used, or could be used, to find out who is calling whom, I think I'll let the Washington Post take that challenge on. Bottom line is, as so often the case these days, the potential for widespread violations of personal privacy boggle the mind.

Ellen Nakashima reports:

The circuits -- little-known electronic connections between telecom firms and FBI monitoring personnel around the country -- are used to tell the government who is calling whom, along with the time and duration of a conversation and even the locations of those involved.

Recently, three Democrats on the House Energy and Commerce Committee, including Chairman John D. Dingell (Mich.), sent a letter to colleagues citing privacy concerns over one of the Quantico circuits and demanding more information about it. Anxieties about whether such electronic links are too intrusive form a backdrop to the continuing congressional debate over modifications to the Foreign Intelligence Surveillance Act, which governs federal surveillance.

Since a 1994 law required telecoms to build electronic interception capabilities into their systems, the FBI has created a network of links between the nation's largest telephone and Internet firms and about 40 FBI offices and Quantico, according to interviews and documents describing the agency's Digital Collection System. The documents were obtained under the Freedom of Information Act by the Electronic Frontier Foundation, a nonprofit advocacy group in San Francisco that specializes in digital-rights issues.

...

"When you're building something like this deeply into the telecommunications infrastructure, when it becomes so technically easy to do, the only thing that stands between legitimate use and abuse is the complete honesty of the persons and agencies using it and the ability to have independent oversight over the system's use," said Lauren Weinstein, a communications systems engineer and co-founder of People for Internet Responsibility, a group that studies Web issues. "It's who watches the listeners."

...

"What they want is an automatic feed, continuously. So you're checking the weather on your mobile device or making a call," and the device would transmit location data automatically. "It's full tracking capability. It's a scary proposition."

In an affidavit circulated on
Capitol Hill, security consultant Babak Pasdar alleged that a telecom carrier he had worked for maintained a high-speed DS-3 digital line that co-workers referred to as "the Quantico Circuit." He said it allowed a third party "unfettered" access to the carrier's wireless network, including billing records and customer data transmitted wirelessly.

He was hired to upgrade network security for
Verizon in 2003; sources other than Pasdar said the carrier in his affidavit is Verizon. Dingell and his colleagues said House members should be given access to information to help them evaluate Pasdar's allegations.

Yet another issue I'll be monitoring here for you. Click here to read the article in its entirety.

Friday, April 4, 2008

Centers Tap Into Personal Databases

If we didn't have enough reasons to lie awake at night worrying about the future of privacy in this country and this administration's wholesale assault on the Constitution! Now we learn - thanks to the Washington Post's efforts - that there are "intelligence centers" (why do these operations always have to sound so Orwellian!?) being run by states across the country that have access to the personal information of millions of Americans, including unlisted cellphone numbers, insurance claims, driver's license photographs and credit reports.

But not to worry they tell us, its all for our own protection! Why does none of this make me feel any safer? This sounds like yet another constitution crushing idea that had been in the works for years before 9/11...which just happened to be the kind of "event" that gave the cover needed to implement such a scheme. The possible abuses are incalculable...

The Washington Post Reports:

Dozens of the organizations known as fusion centers were created after the Sept. 11, 2001, terrorist attacks to identify potential threats and improve the way information is shared. The centers use law enforcement analysts and sophisticated computer systems to compile, or fuse, disparate tips and clues and pass along the refined information to other agencies. They are expected to play important roles in national information-sharing networks that link local, state and federal authorities and enable them to automatically sift their storehouses of records for patterns and clues.

Though officials have publicly discussed the fusion centers' importance to national security, they have generally declined to elaborate on the centers' activities. But a document that lists resources used by the fusion centers shows how a dozen of the organizations in the northeastern United States rely far more on access to commercial and government databases than had previously been disclosed.

Those details have come to light at a time of debate about domestic intelligence efforts, including eavesdropping and data-aggregation programs at the National Security Agency, and whether the government has enough protections in place to prevent abuses.

...

Government watchdogs, along with some police and intelligence officials, said they worry that the fusion centers do not have enough oversight and are not open enough with the public, in part because they operate under various state rules.

"Fusion centers have grown, really, off the radar screen of public accountability," said Jim Dempsey, vice president for public policy at the Center for Democracy and Technology, a nonpartisan watchdog group in the District. "Congress and the state legislatures need to get a handle over what is going on at all these fusion centers."

...

The centers have been criticized for being secretive, but authorities said that this is largely for security reasons. Activists want to know more about their activities, the kinds of information they collect and how the information is being used.

The Electronic Privacy Information Center filed a lawsuit in Virginia last month seeking the release of records about communication among state fusion center officials and the departments of Homeland Security and Justice. Marc Rotenberg, the privacy center's executive director, said his group was responding to a proposed state law that would sharply limit access to records about the fusion centers' activity.

I'll be watching this story as it develops...hopefully I'm just being paranoid and there's nothing to worry about...but I'm not holding my breath.

Click here to read the article in its entirety.

Thursday, April 3, 2008

Maine Gets Real ID Extension + Senators Grill Chertoff

Tomorrow I'm going to get to the story breaking today about state run "fusion centers" that have access to personal information on millions of Americans, including unlisted cellphone numbers, insurance claims, driver's license photographs and credit reports.

But before I get to that post-9/11 big brother invention I wanted to finish the Real ID "extension debate" story, as Maine, the last state in the union to get one, finally can breath a sigh of relief, as the Department of Homeland Security gave in yesterday. The other half of today's post is the "hopeful assault" on Michael Chertoff by a number of members of the Senate Judiciary Committee. This kind of talk by Senators can only be a good sign...

Wired Magazine reports on Maine's extension:

Citizens of all 50 states are now free to board airplanes using their driver's licenses -- at least unitl 2010, after the final renegade anti-Real ID state -- Maine -- won a time extension Wednesday from deadlines attached to new federal identification rules.

That means that Homeland Security chief Michael Chertoff can now say more secure identification is on the way, while independence-minded states can honestly say they stuck a thumb in the eye of the federal bureaucracy.

On Wednesday, Maine's governor agreed to seek legislation to tighten licensing restrictions, including restricting licenses to residents and those who can prove their legal status in the United States. He did not, however, have to promise the changes would happen.

...

The ACLU claimed victory, saying that DHS capitulated to state's that reject the de facto national ID.

"The Department of Homeland Security, so desperate for a victory around Real ID, has agreed to give Maine an extension based on nothing more than Governor Baldacci’s assurance that he will introduce legislation to bring Maine into compliance," said Barry Steinhardt, director of the ACLU Technology and Liberty Program. "All 50 states, including those that have said they cannot commit to implement the law, have now received extensions, signaling DHS’s continued determination never actually to enforce Real ID. It has nearly perfected the practice of kicking the can down the road."

The Washington Post reports on Chertoff's visit to the Juciary Committee:

Members of the Senate Judiciary Committee criticized the Department of Homeland Security yesterday for pressuring reluctant states to adopt new federally approved driver's licenses, with one accusing Secretary Michael Chertoff of "bullying" the states into compliance under a threat of blocking citizens' travel.

"We ought to engage in a fairer, more productive negotiated rule-making with the states," the committee's chairman, Sen. Patrick J. Leahy (D-Vt.), told Chertoff. "Maybe people want to have a national ID card in their state. In my state, they don't..."Bullying the states is not the answer, nor is threatening their citizens' rights to travel. From Maine to Montana, states have said no."

...

Chertoff told the committee that some federal grants may be available to offset costs and that DHS is trying to be flexible, granting extensions until June 2009. He also listened as several senators complained about a waiting list for naturalizations that stretches beyond a year and will probably mean hundreds of thousands of citizens-to-be will not be able to vote in the November elections.

The first stage of the Real ID abomination is over...I'd say its States 1, Feds 0.

Wednesday, April 2, 2008

Everything You Wanted to Know About the Wiretap Debate

Now that we're in a kind of holding pattern on the issue of Telecom Immunity and illegal warrantless wiretapping, I think this is an especially useful article in Wired Magazine to check out.

First, the good news is - according to articles in the Wall Street Journal and Raw Story - the President seems to be softening his opposition to the House version of the FISA bill, and maybe seeking to negotiate with the Democrats. But, when it comes to this administration, and its relationship to the Constitution and privacy, I am always skeptical until I have absolute verification they haven't broken some kind of law or deeply held value of mine. And even then there could always be a "signing statement" hiding in the fine print.

So, until we get some real news on just what is being negotiated between the parties, and how willing the Democrats are to stand up and fight immunity for the telecom companies, this Q &A on the larger issue at stake is a perfect primer.

Wired Magazine goes step by step through the issue:

So under the proposed new powers, any international e-mail or international phone call I make can be legally intercepted by the government?

Yes. But if the government decides your call has some intelligence value and writes it up in an intelligence report, they are supposed to black out your name or give you a pseudonym. But if your name is necessary to understand the intelligence information, or an official calls up the NSA and asks for your name, they'll identify you. Newsweek reported that this happened to 10,000 people in the United States from January 2004 to May 2005.

They can also use the information from your international communications to decide they need to target all of your calls and use that initial wiretap to get a more invasive one.

I saw ads saying that the Democrats want to make U.S. spies get warrants before listening in on terrorists in Pakistan phoning their comrades in Iraq, thus crippling our intelligence. Why do Democrats hate the United States?

The ads are false. The secret spying court has no authority over what the NSA does overseas. If the NSA finagled a way to wiretap entire cellphone networks in Iraq, Pakistan or Afghanistan, they are free to do so without getting a warrant.

So you may safely ignore attack ads from supposedly nonpartisan groups or columns like this one.

...

If Bush won't sign spying legislation without telecom amnesty and the House won't do that, what then?

The 2007 temporary expansion of spying powers known as the Protect America Act seriously degrades starting in August. Without a bill signed into law before then, the nation's spies will not have much in the way of blanket wiretaps inside the United States.

So if the House and Senate send Bush a bill that expands spying powers, but does not include amnesty, Bush will be forced to choose between powers that he says are necessary to prevent an attack on the country, or amnesty for the phone companies that helped him.

Bush could try to start the programs up again based on his theory of the "unitary executive," but it's unlikely any telecom would help out this time without a court order.

So the NSA would fall back on the long-standing FISA court to get warrants when they want to wiretap inside the United States, or figure out how to wiretap foreigners outside the county, like they used to.

Click here to read the article in its entirety.

Tuesday, April 1, 2008

South Carolina gets Real ID extension, without actually asking for one

Montana now has some company! Two (now 2) states now have told the Department of Homeland Security (DHS) that they are not going to implement the REAL ID Act, yet still were able to get an extension from the government to continue to use their driver's licenses to board planes without being patted down, at least until 2010.

If nothing else, this demonstrates DHS is a little hesitant to start an all out war with the growing number of states that oppose this National ID scam. It just happens that Montana and South Carolina are the only two to refuse to even ask for an extension to meet the Act's requirements yet still have an extension approved. Maine on the other hand is still awaiting its fate, as it also is opposing the Act, and refusing to ask for an extension - thereby risking government penalty.

Computer World Reports:

Looking to defuse another potential test of the federal government's determination to push ahead with its controversial Real ID program, the U.S. Department of Homeland Security today gave South Carolina an extension for complying with the program's requirements — even though the state didn't explicitly request such an extension.

Under
compliance rules issued by the DHS in January, today was the last day for states to seek an extension on meeting a set of Real ID requirements that are supposed to be implemented by May 11. South Carolina and Maine were the only states without extensions at the start of the day, according to the DHS Web site. That put their residents at risk of not being able to use their driver's licenses as identification when checking in for air travel or entering federal buildings after May 11.

...

In a lengthy and blistering section of his letter (download PDF), Sanford cited six specific concerns that he has about the Real ID mandate. They include the program's cost, the expansion of federal powers it entails, and the data privacy and security issues that he said would stem from the creation of a national network of driver's license databases.

...

The Real ID plans have provoked a firestorm of protest from critics, including a data privacy committee within the DHS itself. Much of the concern stems from fears that the program would create a de facto national ID system that would be hard to manage and even harder to secure. There are also fears that the Real ID cards eventually could be used for a wide set of purposes, including surveillance of individuals by the federal government.

...

Sanford also criticized the expectation that states would pick up the cost of implementing Real ID themselves, saying that South Carolina would have to spend nearly $116 million to adopt the provisions of the program.

And he noted that central repositories of personal data "have never proven to be great bulwarks in the world of security." Sanford pointed to various IT security mishaps within federal agencies over the past few years, including the massive data breach at the U.S. Department of Veterans Affairs two years ago.

In California, Assemblyman Pedro Nava (D-35) has introduced a non-binding resolution in response to concerns about privacy, security and the high price of the REAL ID ACT - which the government's most recent estimate pegs at $4 billion nationally. If all goes well, California will join the growing chorus of opposition to the Act...

Click here to read the article in its entirety.