Tuesday, September 30, 2008

Governor Vetoes SB 29 - Historic RFID Regulation Bill

As I've written on this blog many a time, the rapid evolution of ever intrusive technology makes it essential that we draw the line now. As most also know, there are (or rather, were) two privacy protection bills introduced by Senator Joe Simitian (SB 29 and SB 31) awaiting Governor Schwarzenegger's signature or veto. They both addressed privacy concerns and problems with "skimming" - the unauthorized surreptitious reading of RFIDs by persons with malicious intent.

Sadly, Senate Bill 29 was vetoed yesterday. The bill would have required public schools to obtain a parent's voluntary consent before a student is required to carry an RFID-enabled identification card. It also would have required a school to explain to parents the risks RFIDs pose to personal privacy.

This isn't some hypothetical issue. A California school district embedded RFIDs in student IDs without the parents' knowledge, and only stopped after an outcry about the potential for hacking by a child abductor.

It goes without saying that CFC is deeply disappointed the Governor chose to side with RFID industry greed over protecting personal privacy, ensuring child safety, and establishing the right of parents to decide whether it’s acceptable for schools to “chip” their children.

Now all eyes turn to SB 31, which would make it unlawful to skim information from an RFID without the consent of the ID holder. The prohibition does not apply to law enforcement applications such as in prisons, or in valid health emergency situations.

We are literally expecting a decision any hour now, assuming it hasn't already happened in the last hour without my getting word.

If you haven't already, I suppose there still might be time to send a message to the Governor.

Friday, September 26, 2008

Group tells FTC more RFID security guidance is needed

Since the RFID issue has been front and center lately here in California (at least in the eyes of the privacy protection community) - with two landmark bills on the Governor's desk - I thought I should post something about the Electronic Privacy Information Center's (EPIC) suggested RFID security measures to the FTC. The idea, of course, is to address the risks to consumer safety posed by the unregulated use of RFID tags that reveal personal data.

First, let me get to the short article in SC Magazine on EPIC's recommendations (pdf), first made in 2004 and reiterated to the FTC at its Transatlantic RFID Workshop on Consumer Privacy and Data Security.

Angela Moscaritolo reports:

Among the guidelines EPIC proposed, RFID operators should make RFID tags and readers visible to customers and should alert customers through a tone, light or other signal when information is being drawn. Tags should be easy to remove and should be anonymous and not collect personal information of customers, if possible.

“We think the FTC has a role to play in safeguarding consumer privacy,” Marc Rotenberg, executive director of EPIC, told SCMagazineUS.com.

EPIC also proposed that RFID operators be prohibited from tracking the movement of RFID subjects without written consent, or using them to snoop on an individual or coercing individuals to keep tags turned on after purchase.

It goes without saying that I'm in complete agreement with EPIC on this issue. On that note, here's EPIC's general introduction to its specific list of recommendations, taken from their website:

The guidelines are proposed to guide the use of RFID technology in order to protect both private enterprise interests and consumer privacy interests. This means that these guidelines do not address protection of consumer privacy from any governmental action. Rather, they seek to protect consumer privacy from private enterprises. Further, these guidelines focus on use in the retail and manufacturing industry where retailers and manufacturers are beginning to implement item-level RFID tagging to facilitate supply chain efficiency, inventory control, and similar applications.

These guidelines primarily address commercial, private applications which may use RFID tags to draw conclusions about consumers without their knowledge or consent, or that might generate data which could be used for entirely different purposes at a later date.

These guidelines are divided into three parts. Part A addresses the duties of private enterprises that use RFID technology. It imposes minimum requirements on RFID users, recognizing the advantages that RFID technology can provide while at the same time addressing privacy concerns. Part B addresses practices in which the RFID Users should never engage, including tracking, snooping, and coercing consumers to accept live RFID tags or associate their personal data with an RFID application. Finally, Part C states the rights of consumers who are exposed to RFID technology and incorporates some of the Users' duties stated in Part A.

Click here to read the rest of their specific recommendations.

Thursday, September 25, 2008

Homeland Security Detects Terrorist Threats by Reading Your Mind

This is my weekly "holy crap" we're living in an Orwellian nightmare post. Well, maybe we're not there yet, but when you put together just what we know from the past 8 years (i.e. Real ID, Wiretapping, Surveillance, Patriot Act, etc.), what recently took place at the Republican Convention in St. Paul Minnesota, and then stories like these regarding new technologies that can read minds, let's just say being paranoid doesn't mean you're wrong.

Yes, it's our good friends at the Department of Homeland Security and the testing they've been doing of the next generation of security screening — a body scanner that can read your mind. Of course it's ONLY to catch those nasty terrorists at airports...yeah, sure it is...

So let's get to the article from none other than Fox News (yes, I realize the irony of the story being from the government's propaganda arm):

Most preventive screening looks for explosives or metals that pose a threat. But a new system called MALINTENT turns the old school approach on its head. This Orwellian-sounding machine detects the person — not the device — set to wreak havoc and terror.

MALINTENT, the brainchild of the cutting-edge Human Factors division in Homeland Security's directorate for Science and Technology, searches your body for non-verbal cues that predict whether you mean harm to your fellow passengers.

It has a series of sensors and imagers that read your body temperature, heart rate and respiration for unconscious tells invisible to the naked eye — signals terrorists and criminals may display in advance of an attack.


So here's how it works. When the sensors identify that something is off, they transmit warning data to analysts, who decide whether to flag passengers for further questioning. The next step involves micro-facial scanning, which involves measuring minute muscle movements in the face for clues to mood and intention.

Homeland Security has developed a system to recognize, define and measure seven primary emotions and emotional cues that are reflected in contractions of facial muscles. MALINTENT identifies these emotions and relays the information back to a security screener almost in real-time.

This whole security array — the scanners and screeners who make up the mobile lab — is called "Future Attribute Screening Technology" — or FAST — because it is designed to get passengers through security in two to four minutes, and often faster.

If you're rushed or stressed, you may send out signals of anxiety, but FAST isn't fooled. It's already good enough to tell the difference between a harried traveler and a terrorist. Even if you sweat heavily by nature, FAST won't mistake you for a baddie.


But the testing — and the device itself — are not without their problems. This invasive scanner, which catalogues your vital signs for non-medical reasons, seems like an uninvited doctor's exam and raises many privacy issues.

Now, I don't know about you, but I found it unsurprising that not one privacy advocate was quoted in this article. I mean, it is Fox News mind you. I don't know if there's a better example of Big Brother, Orwellian wordplay in action than the last paragraph of the article, where it says:

Burns noted his team's goal is to "restore a sense of freedom." Once MALINTENT is rolled out in airports, it could give us a future where we can once again wander onto planes with super-sized cosmetics and all the bottles of water we can carry — and most importantly without that sense of foreboding that has haunted Americans since Sept. 11.

Is it just me, or do you too find the concepts of "freedom" and "government mind reading technology" antithetical?

Tuesday, September 23, 2008

Tell Governor Schwarzenegger: Protect Our Privacy and Regulate RFIDs

If you are not on our action alert list I highly suggest you sign up. We regularly target critically important bills in the California Legislature that the politicians need to hear from us about. We know this: the corporate lobbyists will be working the halls of the capitol and contributing sizable amounts of loot to wavering legislators.

You can sign up for our alerts (we just did one on two RFID bills sitting on the Governor's desk). All you have to do is go to our home page and type in your email and zip code.

Here's yesterday's alert which you can still take action on:

Tiny computer chips called Radio Frequency Identification (RFID) tags that transmit information about us can be embedded in driver's licenses, student IDs and other government-issued cards without our knowledge. These chips allow government agencies to track our whereabouts, are susceptible to a hacker with an RFID scanner, and expose us to the threat of privacy violations, identity theft, property theft, and stalking and tracking. Even protected RFID systems have been hacked, some in a matter of minutes.

The rapid evolution of ever intrusive technology makes it essential that we draw the line now. Two privacy protection bills introduced by Senator Joe Simitian (SB 29 and SB 31) are awaiting Governor Schwarzenegger's signature or veto. They address privacy concerns and problems with "skimming" - the unauthorized surreptitious reading of RFIDs by persons with malicious intent.

Tell the Governor to protect our privacy!

Senate Bill 29 requires public schools to obtain a parent's voluntary consent before a student is required to carry an RFID-enabled identification card. It requires a school to explain to parents the risks RFIDs pose to personal privacy.

Senate Bill 31 makes it unlawful to skim information from an RFID without the consent of the ID holder. The prohibition does not apply to law enforcement applications such as in prisons, or in valid health emergency situations.

Tell the Governor to protect the California Constitution and our personal privacy by supporting SB 29 and 31!

Here's the actual letter that goes to the Governor:

I am writing to urge you to curb and control the use of radio frequency identification (RFID) technology by signing SB 29 and SB 31.

RFID-enabled human identification systems pose clear privacy and information security risks that threaten individual privacy and public safety. These systems can be easily compromised, which exposes device holders to identity theft, surveillance, stalking and tracking, and other serious harm. When the system has been breached, the device holder won’t know it and therefore won’t know to take steps to protect him or herself.

These threats to our privacy and safety are real. Consider:

A California school district embedded RFIDs in student IDs without the parents' knowledge, and only stopped after an outcry about the potential for hacking by a child abductor.

A Dutch prototype for an RFID embedded in a passport was hacked in two hours by a local TV station. Hackers could access fingerprint, photograph, and other data on the RFID tag, perfect for creating a cloned passport.

Successful hacks of the Exxon Mobil key fob, the VeriChip human RFID implant, the California State Capitol building access system, and the new RFID passports show how easy it is to skim and clone poorly protected RFID devices and compromise RFID-dependent security systems.

Senate Bill 29 requires public schools to obtain a parent’s voluntary consent before a student is required to carry an RFID-enabled identification card. It requires a school to explain to parents the risks RFIDs pose to personal privacy.

Senate Bill 31 makes it unlawful to skim information from an RFID without the consent of the ID holder. The prohibition does not apply to law enforcement applications such as in prisons, or in valid health emergency situations.

Organizations across the political spectrum ranging from the ACLU to the Liberty Coalition support these bills. High tech RFID manufacturers have derailed similar legislation by Senator Simitian in the past, and they continue to fight any effort to allow California residents to control the use of RFIDs in government-issued documents.

I urge you to establish an important precedent for privacy protection and against Big Brother snooping by signing SB 29 and SB 31.

The Governor needs to hear from every last one of us as the lobbying against SB 29 in particular is intense. Thanks!

Friday, September 19, 2008

Regulating technology that threatens our privacy + Bad RFID News from New York

As most of the readers of this blog know, there are two critically important RFID bills on Governor Schwarzenegger's desk awaiting his veto or signature.

Before I get to those bills and the broader discussion of RFID technology and the need for common sense regulation, there's some bad news to report from New York. This week, the state became the first to comply with a federal program to embed RFIDs in drivers’ licenses.

Thankfully, California has held off – for now. But with federal highway funds threatened, it may be only a matter of time before we’re all beaming our personal information, signatures and photographs every time we’re behind the wheel.

First, a little background. For decades, retailers have used tiny chips called Radio Frequency Identification devices. These RFIDs transmit information about their products to remote reading devices. Using an RFID to trigger an alarm if someone tries to shoplift clothing is pretty benign, but what if this technology were used to track the daily movements of law abiding citizens?

Seems far-fetched? Think again:

A California school district embedded RFIDs in student IDs without the parents' knowledge, claiming it would ensure that students were accounted for, but the district failed to consider the potential for hacking by a child abductor.

FasTrak transponders make it quicker to cross Bay Area bridges, but the Metropolitan Transportation Commission has released information in messy divorce cases that was used to document when wayward spouses were traveling to places they claimed they weren’t.

The US and other countries embed RFIDs in passports. In the Netherlands, it took a local TV station only two hours to figure out how to hack a prototype RFID in a Dutch passport. Hackers could access fingerprint, photograph, and other data on the RFID tag, perfect for creating a cloned passport.

Hacking is one problem, but the threat to our privacy doesn’t stop there. RFIDs can play a useful role in protecting entry and exit from secure locations such as police stations or prisons, but do we really want government snooping into our whereabouts when it’s none of their business?

The rapid evolution of ever intrusive technology makes it essential that we draw the line now.

Two pieces of legislation by Senator Joe Simitian are awaiting Governor Schwarzenegger’s signature or veto. They address privacy concerns and problems with “skimming” – the unauthorized surreptitious reading of RFIDs by persons with malicious intent.

Senate Bill 29 requires public schools to obtain a parent’s voluntary consent before a student is required to carry an RFID-enabled identification card. It requires a school to explain to parents the risks RFIDs pose to personal privacy.

This bill originated when a school district in Northern California gave students RFID enabled ID cards without first notifying parents. When parents found out, an uproar forced the district to end the program.

Parents, not schools, should decide whether children must carry a tracking device. Mechanical devices might be useful for tracking cattle. When it comes to our children they are no substitute for teacher and school staff responsibility.

Senate Bill 31 makes it unlawful to skim information from an RFID without the consent of the ID holder. The prohibition does not apply to law enforcement applications such as in prisons, or in valid health emergency situations.

Organizations across the political spectrum ranging from the ACLU to the Liberty Coalition support these bills. High tech RFID manufacturers have derailed similar legislation by Senator Simitian in the past, and they continue to fight any effort to allow California residents to control the use of RFIDs in government-issued documents.

Governor Schwarzenegger should set an important precedent for privacy protection and against Big Brother snooping by signing SB 29 and SB 31.

We (CFC) are in the process of creating an action alert that can be filled out on our website and sent to the Governor urging him to sign these bills. We expect it to be up and ready for you to take action on this coming Monday. Stay tuned!

Wednesday, September 17, 2008

ACLU Asks Court To Strike Down Spying Law

I've been slamming the new FISA "compromise" since the moment it was announced. Sadly, to really change the law back to something reflective of our Constitution's principles, it will take a lot more than bloggers yelling, and unfortunately getting enough votes to overturn it doesn't look all that likely either (perhaps with an Obama Presidency this will change).

So let's hope the ACLU's efforts to strike this abomination down altogether are successful! One would hope that this story was worthy of newspaper headlines and TV news anchor lead-ins...but alas, we live in the world of corporate media fluff that will cover just about anything other than big business (like the telecoms in this case) or the Bush administration when it relates to "complicated" issues like the Constitution.

I'd especially urge you to focus on the section of the article detailing the FOREIGN victims of human rights abuses who are especially endangered by the new FISA provisions. In other words, there is SO MUCH more than meets the eye when it comes to what we as a nation are sacrificing by allowing our government to monitor our calls and emails. Though the media has missed so much of the real story regarding the true ramifications of such an increase in government power at our expense, these truths are coming out...and I will post them here, you can be sure.

So, until we get that kind of coverage for issues THIS IMPORTANT, a big thanks to TMCnet.com for their coverage of the case.

The article by Raju Shanbhag is pretty short, so I'm going to post it here in full:

Claiming that the FISA Amendments Act puts innocent Americans' telephone calls and e-mails at risk, a brief filed in federal court by the American Civil Liberties Union is requesting the court to strike down this law. A part of the ACLU's lawsuit to stop the government from conducting surveillance under the law, this is the first legal brief challenging the constitutionality of the new wiretapping law.

According to ACLU, as the FISA Amendments Act utterly fails to protect U.S. residents' privacy and free speech rights, it is the most sweeping surveillance bill ever enacted by Congress and should be struck down. According to the FISA Amendments Act (FAA), the Bush administration will have virtually unchecked power to intercept the international – and in some cases domestic – emails and telephone calls of law-abiding Americans. According to the new law, the government can conduct intrusive surveillance without ever telling a court who it intends to spy on, what phone lines and email addresses it intends to monitor, and where its surveillance targets are located. The government doesn’t even have to disclose why it's conducting the surveillance or whether it suspects any party to the communication of wrongdoing.

The ACLU filed the lawsuit on behalf of victims of human rights abuses located outside the United States and a broad coalition of attorneys and human rights, labor, legal, and media organizations whose work requires them to engage in sensitive and sometimes privileged telephone and email communications with colleagues, clients, journalistic sources, witnesses, experts, foreign government officials.

As the government claims that the surveillance is aimed at collecting foreign intelligence information and targeted at people outside the United States, it will have the power to acquire all of the international communications of U.S. citizens and residents. It can also get hold of all telephone and e-mail communications to and from countries of particular foreign policy interest. It can also access all of the communications of European attorneys who work with American attorneys on behalf of prisoners held at Guantánamo.

“The FISA Amendments Act allows the mass acquisition of Americans' international e-mails and telephone calls,” said Jameel Jaffer, Director of the ACLU National Security Project. “The administration has argued that the law is necessary to address the threat of terrorism, but the truth is that the law sweeps much more broadly and implicates all kinds of communications that have nothing to do with terrorism or criminal activity of any kind. The Fourth Amendment was meant to prohibit exactly the kinds of dragnet surveillance that the new law permits.”

Monday, September 15, 2008

What Illegal 'Things' Was the Government Doing in 2001-2004?

Isn't that the million dollar question EVERYONE that cares about the rule of law and the Constitution in this country wants to have answered?

Let's remember, this was the time when the Bush Administration was running - and wanted to continue running - a surveillance program so egregiously illegal and unconstitutional that even ultra-conservatives like John Ashcroft and James Comey (and a huge number of Justice Department officials...as many as 30, some say) were threatening to quit if it wasn't ceased and desisted.

The good news is we've just gotten a little closer to understanding what in fact was being done by the criminal syndicate running this White House to the American people during that time. A new book by Barton Gellman on the Cheney Vice Presidency is providing more details on the all out war that was underway between the Administration and Justice Department (and FBI) during a period of time that became so acrimonious that the threatened "mass resignation" could have legitimately torpedoed the re-election of the President.

The obvious question then becomes just what kind of sick and twisted program was the administration advocating that a near mutiny by the FBI and Justice Department was just barely avoided as a result of their vehement opposition? We know this much already: the "compromise" program that appeased Ashcroft, Comey, Mueller and company was blatantly illegal in its own right, ended up sparking a national debate, and most certainly is a crime worthy of impeachment (thanks to retroactive immunity for the telecoms we may never know the full truth). It should also be mentioned that no criminal conspiracy of this magnitude could have succeeded without - at the least - complicity and cowardice by leading Democrats.

In fact, we know that Pelosi, Hoyer, Harman, and Rockefeller WERE AWARE and were briefed multiple times on the "compromise" plan. While some apparently quietly voiced their disapproval, none had the integrity or courage to do ANYTHING to stop it, and likewise, anything to expose it once it was discovered by the press and public.

Everyone probably remembers the late night Cheney/Gonzales road trip to visit Ashcroft - a practical invalid at that time - to persuade him in his weakened state to give the go ahead for the program. Deputy Attorney General James Comey made it to Ashcroft's bedside in time apparently and no coercion took place.

With that general intro, let's get to a great article by Salon.com's Glenn Greenwald on the new book by Barton Gellman:

But whatever it was that the Bush administration was doing in spying on Americans for years prior to March, 2004 was so extreme, so patently illegal, so unconscionable that even these right-wing DOJ Bush appointees, who approved of the ultimate warrantless eavesdropping program, were ready to resign en masse if those spying activities continued.


Think about that: in order to persuade the DOJ officials not to resign, "the surveillance program stopped doing some things, and it did other things differently." What "things" did the NSA stop doing in March, 2004 -- and what "things" did it start doing differently -- in order to convince Ashcroft, Mueller and Comey to remain in their jobs? This is one of the greatest political scandals of the Bush era -- not merely the commission of these illegal acts but the fact that they remain concealed from the public-- and it's also one of the most illustrative episodes of how our Government now works, of the extreme secrecy and illegality that characterizes it at its core, and of the complicity of both parties in all of this.


Of course, we almost certainly would have learned the answers to these questions -- or, at the very least, obtained a judicial ruling that the Government broke the law -- had the telecom lawsuits been allowed to proceed. But thanks to the Congressional leadership of both parties, with the support of both major presidential candidates (though over the opposition of the Democratic Vice Presidential nominee), those lawsuits were killed, stopped in their tracks, when the telecom industry was retroactively immunized for their lawbreaking.

At this point, it is extremely easy to understand why not only the White House and Congressional Republicans, but also the Democratic leadership, was so eager to ensure that this law-breaking remain concealed from the public and that there are never any consequences for it. It's because, as is true for so much of the Bush radicalism and lawbreaking over the years, top Democrats were fully aware of what was taking place and either explicitly endorsed the lawbreaking or, with full complicity, allowed it to continue.


This specific meeting described by Gellman, and the briefings generally, included Nancy Pelosi, Jane Harman, Steney Hoyer, and Jay Rockefeller -- all of whom voted to put an end to the telecom lawsuits (and thereby ensure that these crimes remain concealed), and the latter two of whom were, far and away, the key forces behind the new law that killed the lawsuits looking into these spying activities (and then joined Bush and Cheney at a festive, bipartisan White House signing ceremony to celebrate their joint victory).

If we had an even minimally transparent and open government, or an even theoretically extant opposition party, it would be unthinkable that these crimes would remain concealed, uninvestigated and unpunished. Instead, we have deeply corrupt and complicit leadership in both parties that act in unison to protect the culpable actors (i.e., themselves), while neither reporters nor citizens seem particularly interested in learning about the illegal "things" our Government did for years in spying on us and our communications. Did they listen in on our exclusively domestic calls, read our emails, do physical searches by breaking into our homes all without warrants, engage in other types of equally intrusive and illegal surveillance?


As former DOJ official Marty Lederman wrote last year in the wake of the Comey revelations -- after detailing how extraordinary were these threats to resign from these right-wing DOJ officials -- in a post entitled: "Can You Even Imagine How Bad it Must Have Been?":

If that's the narrow version of the NSA program, just how broad and indiscriminate was the surveillance under the program that Ashcroft, et al. would not approve? . . . This is the real heart of the Comey story -- What happened between September 2001 and October 2003, before Comey and Goldsmith came aboard? Just how radical were the Administration's legal judgments? How extreme were the programs they implemented? How egregious was the lawbreaking?

I would argue that perhaps the greatest tragedy of all this isn't just the crimes - both the known and unknown - but it's the public apathy and the complete disinterest by the corporate media in a story that has such far reaching consequences. Just what we do know could easily qualify for an Oliver Stone political thriller, in which a President is committing felonies against the American public with the aid of a Justice Department that has long since turned the word "Justice" in its title into a cruel joke that no one in this country takes seriously anymore.

And these are just the crimes we know about...even Director Stone might have a hard time envisioning just what kind of crimes against the people and the Constitution were really underway during those fateful few years between 2001 and 2004.

Thursday, September 11, 2008

Federal Real ID: A Solution Looking for a Problem

It's been quiet on the REAL ID front lately so I thought I'd post a good refresher course on this ad hoc National ID program. I think it could arguably be said there has been no more effective and outspoken opponent in the country to REAL ID than Montana Governor Brian Schweitzer.

On that note then, enjoy the interview of the Governor by Sherry Clark, editor of a weekly newspaper entitled The Liberty Voice:

"The federal government said, we need a system where people can't get on planes and fly them into buildings so they said, the solution would be this Real ID. Well, when it was pointed out to them that 15 of 17 of the hijackers would have qualified for this Real ID, then they said, there's another reason we need this and that's because of all these illegal immigrants.

Now when it was pointed out to them that people who were legal and illegal immigrants would qualify for this Real ID, they said the other reason we need to have this--not those first two reasons--is because there is so much identity theft right now. This is going to make sure that people won't be able to steal your identity.

This has been a solution looking for a problem. But what it's doing is it's giving the federal government the opportunity and the right to track when you get on an airplane, where you are going, when you got there and when you got home; and I haven't found a 10-year period when the federal government hasn't violated individual civil liberties.

This is information that should not be held by the federal government--because you can't trust them. They've demonstrated that for the past 100 years and I suspect the next 100 years would be the same.


So all the governors across the country folded like cheap suits, except a couple of us and sent their letters in. But I said, "Hold on a minute there cowboy! Why are you asking for an extension, if you don't agree we don't even want this thing? You ought to stand up and we'll stare them down!" So me, and the governors of North Carolina, Maine, and New Hampshire did not send in our letters.


Look, since Congress fell off the deep end and passed the PATRIOT ACT and then this Real ID Act, there are some people who have come to their senses. Members of Congress who voted for this kooky idea, are supposed to represent folks back home. Now it's clear they spend most of their time in DC, drink the water and eat the thick steaks provided by lobbyists, but ultimately they have to go home and run for re-election.

He really does break the issue down into its simplest and most important form: states should just tell the government "no" and it will back down, and the public will stand by their Governor. Makes perfect sense...and we'll see in the coming months and years how effective Mr. Schweitzer is in persuading more Governors to do the same.

Click here to read more.

Tuesday, September 9, 2008

Dealing With I.S.P. Snooping - "The Rise and Fall of Invasive ISP Surveillance"

One of the hot privacy topics of the day - which directly ties to the debate over Net Neutrality - is the danger ISP filtering poses to regular old consumers like you and me, because of the staggering amount of personal and private information ISPs routinely have access to.

What seems to be generating a lot of buzz right now on this topic is a new paper by Paul Ohm - a former Justice Department official who now is a professor of law at the University of Colorado - entitled “The Rise and Fall of Invasive ISP Surveillance”.

I call it buzz because I found some pretty comprehensive write-ups on the paper in both the New York Times and Arstechnica.com.

I'll primarily focus on the New York Times piece, but before I get to that, let me allow Professor Ohm to lay out the crux of his case:

"In modern connected life almost no other entity poses a greater threat to privacy than the ISP. ISPs pose a much greater threat to privacy than other online entities and they even pose a greater threat than offline institutions as well, including doctors, psychiatrists, and lawyers."


Because ISPs pose such a high risk of terrible harm to so many people, and because of the unmistakable signs that things are getting worse, they must be regulated.

Yes, he's saying the threat is greater even than Google.

So what's the big deal you ask? And why has this suddenly become a bigger threat than before? For that answer, let me first quote a clip from Arstechnica before I get to the Times piece:

Internet-savvy users are fully aware of this, of course, but most haven't had major concerns about all that sensitive data they're pushing through the tubes. ISPs have generally been solid on privacy, as Ohm concedes, and they've lacked the technical means to really invade that privacy, anyway. So why all this talk of a privacy apocalypse that will see blood raining from the skies and screams of the damned outside making it tough to keep concentrating on that World of Warcraft session?

The two bulldozers, in Ohm's view, that are remaking the ISP landscape are "deep packet inspection gear" and "tremendous commercial pressures." ISPs at last have the technical capacity to monitor huge amounts of user web traffic in realtime, and advertisers like NebuAd and Phorm are (or were) simultaneously offering large cash payments for access to Internet traffic.

Apart from these two major commercial forces, government mandates also lurk in the background. CALEA rules have forced ISPs to install this sort of gear in order to provide full wiretap access to a user's Internet data stream when required by law.

And content owners have been leaning on governments around the world, which in turn are leaning on ISPs to do something about the illicit P2P problem. Filtering has been one solution beloved of copyright owners, and ISPs like AT&T have even publicly committed to doing so. And then, of course, there's Comcast.

The New York Times elaborates:

Even though Congress has growled loudly enough to get Internet service providers to back off their plans to sell information about their customers’ Web surfing to advertising companies, one prominent legal expert argues that the law governing the issue should still be made tougher.


Mr. Ohm argues that the regulatory issues are still relevant because the Internet providers still have a strong incentive to seek money from advertisers to supplement their monthly fees.

The Electronic Communication Privacy Act, a 1986 law originally meant to keep telephone companies from listening to the calls of their customers, probably applies to some of these Internet monitoring schemes, Mr. Ohm writes. If a court determined that the browsing history of an Internet user represents the “contents of communication,” it could be construed as wiretapping, he wrote. Wiretapping, under the law, is a felony and also is a cause for civil action.


(Ohm) said he was surprised that Internet providers had proceeded as far as they have with plans for these advertising systems...Nonetheless, Mr. Ohm argues that the law is overly complex and ambiguous, and should be clarified. His article proposes simplifying the overall structure:

The new unified law should regulate all monitoring — without distinguishing between whether the monitoring is of content or not — provided it is monitoring of data “of or pertaining to a user, customer, or subscriber.”

He wants to make clear that Internet providers would be allowed to monitor customers to protect themselves, such as to track down a hacker. But that exception would need to be related to a specific incident. Routine and automated monitoring of customers, beyond the minimum needed to operate a network, would be banned.

Finally Mr. Ohm wants to make it much harder for customers to waive their protections by consenting to some boilerplate agreement. Internet users would need to authorize the monitoring of their surfing each time they use the Internet, under the standard he proposes.

Mr. Ohm said he is much more concerned with Internet service providers than with other Web companies, such as Google. Web sites, he said, have the ability to describe what they are doing with customer data on every page, although they may object to doing so. Consumers don’t really interact explicitly with their Internet providers once they set up a connection. Moreover, Internet providers have an unusually broad view of what customers read, buy, watch and listen to.

“Google doesn’t know what I do when I’m on MSN,” he said. “But your I.S.P. does. There is no hiding from your I.S.P.”

I think it goes without saying this is an incredibly important paper to the future of Internet privacy and how we proceed with protecting all users from invasive and intrusive monitoring.

Ohm's paper also seems to dovetail quite nicely with the concept of "network neutrality": if, as he asserts, existing privacy and wiretap laws can prevent providers from scrutinizing user communications closely, then providers could not discriminate between different types of traffic either...which is the gravest of concerns within the Net Neutrality movement.

If the goals of net neutrality can be won through the use of existing "highways" as Ohm believes, rather than building new ones, we might have just gotten a lot closer to the grail: a free, private (relatively) and open Internet for all.

Monday, September 8, 2008

Tyranny on Display at the Republican Convention

The choice of Sarah Palin wasn't the big story of last week's GOP convention. Nor was it John McCain's speech accepting the Republican Party's nomination for President. The real story - one that went nearly unreported in the corporate media - was the rise of a kind of police state that used the full breadth of the Patriot Act's provisions to stifle dissent - not to capture "terrorists".

If you haven't heard the stories of armed police raids on protesters' homes (BEFORE THE PROTEST), the pepper spraying of innocent bystanders, the intimidation and abuse of journalists, and the mass arrests of American citizens - without charges or the right to habeas corpus - simply for exercising their constitutional right of free speech, then let me help fill you in on some ominous signs that came out of St. Paul.

Before I get to the outstanding article by former New York Times reporter Chris Hedges, let me first let Glenn Greenwald of Salon.com paint a picture of what was really happening in Minnesota:

Protesters here in Minneapolis have been targeted by a series of highly intimidating, sweeping police raids across the city, involving teams of 25-30 officers in riot gear, with semi-automatic weapons drawn, entering homes of those suspected of planning protests, handcuffing and forcing them to lay on the floor, while law enforcement officers searched the homes, seizing computers, journals, and political pamphlets. Last night, members of the St. Paul police department and the Ramsey County sheriff's department handcuffed, photographed and detained dozens of people meeting at a public venue to plan a demonstration, charging them with no crime other than "fire code violations," and early this morning, the Sheriff's department sent teams of officers into at least four Minneapolis area homes where suspected protesters were staying.

Jane Hamsher and I were at two of those homes this morning -- one which had just been raided and one which was in the process of being raided. Each of the raided houses is known by neighbors as a "hippie house," where 5-10 college-aged individuals live in a communal setting, and everyone we spoke with said that there had never been any problems of any kind in those houses, that they were filled with "peaceful kids" who are politically active but entirely unthreatening and friendly. Posted below is the video of the scene, including various interviews, which convey a very clear sense of what is actually going on here.

So now that you have a little of the backdrop for Hedges' article, let's remember how the Patriot Act fits into all this. Those who opposed the Act certainly did so in part because it was clear that it was much more about silencing domestic opposition than about capturing "real terrorists". Last week in St. Paul confirmed this fear, as the Act, and all its Constitution-stomping provisions, were on display: from the monitoring of citizens' phone conversations, e-mails, meetings and political opinions to the shutting down of anti-war groups and the locking up of innocents as terrorists without the right to habeas corpus.

There should no longer be any doubt as to the destructive power of the Patriot Act and the threat it poses to each and every American's civil liberties.

Chris Hedges Reports:

St. Paul is a window into our future. It is a future where, as one protester told me by phone, "people have been pepper-gassed, thrown on the ground by police who had drawn their weapons, had their documents seized and their tattoos photographed before being taken away to jail." It is a future where illegal house raids are carried out. It is a future where vans containing heavily armed paramilitary units circle and film protesters. It is a future where, as the protester said, "people have been pulled from cars because their license plates were on a database and handcuffed, thrown in the back of a squad car and then watched as their vehicles were ransacked and their personal possessions from computers to literature seized." It is a future where constitutional rights mean nothing and where lawful dissent is branded a form of terrorism.


St. Paul was not ultimately about selecting a presidential candidate. It was about the power of the corporate state to carry out pre-emptive searches, seizures and arrests. It was about squads of police in high-tech riot gear, many with drawn semiautomatic weapons, bursting into houses. It was about seized computers, journals and political literature. It was about shutting down independent journalism, even at gunpoint. It was about charging protesters with "conspiracy to commit riot," a rarely used statute that criminalizes legal dissent. It was about 500 people held in open-air detention centers. It was about the rising Orwellian state that has hollowed out the insides of America, cast away all that was good and vital, and donned its skin to shackle us all.

Click here to read more.

Friday, September 5, 2008

Part of state's financial privacy law upheld!!

This is great news!!! At CFC we were very active in establishing the financial privacy law - the broadest of its kind in the nation - that has been tied up in court for more than three years. As usual, particularly in the Bush era, the federal government and big business continue to be persistent in trying to lower the privacy protection bar (just as they have with environmental regulations). In this case, the banks have been arguing that the California statute conflicted with a federal law that set nationwide standards for regulating consumer credit reports.

The good news today is that the court has reinstated a key component of the original financial privacy law - allowing consumers to prevent banks from sharing information with affiliated companies about a customer's savings account or buying habits. What's especially important about this provision is that because regulatory controls over an increasingly consolidated industry have been so drastically loosened, some banks have literally thousands of affiliates in a wide range of fields.

Thus, it wasn't enough to require opt-in for sharing with unaffiliated companies...we needed to be able to opt in for sharing with affiliated companies as well. And the court has ruled that in BOTH cases we deserve to be in control of who sees OUR information!

Before I get to the San Francisco Chronicle story, here's our official statement:

California Consumers Win Major Financial Privacy Victory!

by Richard Holober, Consumer Federation of California

“California consumers just won a huge privacy victory. The federal court ruled that California’s Financial Privacy Law gives consumers the right to stop banks and other financial institutions from sharing our personal information with affiliates,” Richard Holober, Executive Director of the Consumer Federation of California stated.

Big banks fought this legislation from 2000 until 2003. After consumer and privacy advocates collected 600,000 signatures to place a privacy initiative on the ballot, banks acquiesced to avoid a disaster at the polls. Senate Bill 1 of 2003 (Speier) became law and California established the nation’s strongest financial privacy protections.

Financial institutions then ran to court to overturn the law. In 2005 the Court of Appeals for the 9th Circuit ruled that federal law pre-empted portions of SB 1 and remanded the matter to the Federal District Court to determine the extent of the preemption. Yesterday the 9th Circuit ruled that the District Court erred in ruling that federal law preempted California from all regulation of personal information sharing within a family of affiliated financial institutions, finding instead that California consumers have the right to restrict the sharing of information that is not related to credit reports.

“This ruling is significant because some large financial institutions have hundreds or even thousands of affiliates. Californians can now tell their banks not to hand out private information regarding what they earn, buy or borrow to hundreds of strangers who have no right to that information,” Holober stated.

The Consumer Federation of California was a founder of Californians for Privacy Now, which sponsored the 2003 ballot initiative drive that pushed the legislature and governor to adopt California’s Financial Information Privacy Act (SB 1).

The San Francisco Chronicle reports:

But in a 2-1 ruling Thursday, the Ninth U.S. Circuit Court of Appeals in San Francisco said portions of the California law had nothing to do with consumer credit and could be salvaged. Those provisions require banks to give customers a chance to object before sharing with affiliates any information that does not involve a customer's fitness for credit, insurance or employment.

For example, Deputy Attorney General Catherine Ysrael, the state's lawyer in the case, said customers provide personal and financial information to banks that maintain their accounts, and their credit card statements might reveal buying patterns that a bank could turn over to affiliated retailers. The law allows customers to block the sharing of such information.


One part of the 2004 law that was not challenged, and has remained in effect, requires banks to seek customers' permission before selling or providing private financial information to unaffiliated companies that are under separate ownership.

But the core of the law was its requirement that financial institutions allow customers to block information sharing with affiliated companies.

Click here to read the rest of the article.

And click here to read the pdf of the court's ruling.

Wednesday, September 3, 2008

Fighting identity theft in California

Just to briefly follow up on yesterday's post regarding the Jones bill that addresses the growing epidemic of identity theft, here's an editorial in the Los Angeles Times urging the Governor to sign the bill:

For the second year straight, lawmakers here have attempted to put California back on track with a measure to prevent companies from storing credit or debit card data after a transaction is completed. That way, even if a system is hacked, there will be no personal customer information for identity thieves to steal.


Assembly Bill 1656, by Dave Jones (D-Sacramento), takes some of the sting out of last year's bill by deleting the mandate that merchants whose records were hacked pay for replacing the consumer's plastic card. But it keeps intact the prohibition against a business storing sensitive authentication and verification data, such as a customer's password or PIN. Payment-related data could not be transmitted over a public network, such as the Internet, unless it is encrypted; businesses would not be permitted to allow employees access to it if their job doesn't require it; and information would have to be deleted after it is no longer needed, under protocols to be adopted by the businesses.

It's unfortunate that the real teeth in many of these bills get stripped out by the time they reach the Governor's desk. Nonetheless, this would represent some solid progress, and I just don't see how the Governor vetoes it.

Click here to read the rest of the article.

Tuesday, September 2, 2008

Calif. bill forces retailers to protect data

It's actually been a pretty productive couple of weeks in the Legislature on issues related to privacy. Two RFID regulation bills are now sitting on the Governor's desk, and now Dave Jones' bill to force retailers to protect your data - such as the information on your credit card, for instance - has also made it to Schwarzenegger's desk to await a signature or a veto.

CFC has actively supported this bill all year, so we are especially happy to see it get out of the legislature.

The San Jose Mercury News reports:

Assemblyman Dave Jones, D-Sacramento, said many businesses fail to take even the most basic measures to protect that information, creating an opening for identity thieves. His bill would prohibit, under most circumstances, any company that takes credit card or debit card information from retaining account numbers, verification codes or personal identification numbers.


...it would require retailers only to pay the cost of notifying customers when their personal data had been compromised. Businesses would have to tell customers when and how the breach occurred, and say who was to blame.

I'd be shocked if the Governor didn't sign this bill, particularly in light of the fact that it passed the Assembly by a vote of 62-1...which kind of drives home the fact that identity theft is becoming a really serious problem in this country.
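The retention rules described in the Mercury News excerpt above and in the Los Angeles Times editorial in the September 3 post (no stored account numbers, verification codes or PINs after the transaction; access limited to employees whose job requires it; deletion once the data is no longer needed) are easier to judge when you see what a merchant's record looks like with them applied. The following is an added example written for this post, not code from the bill, the newspapers or any merchant system. The HMAC tokenization key, the 90-day retention window, the "support" and "finance" role names and the sample card number are all assumptions made for the demonstration; encryption of the data in transit (the bill's "public network" rule) is assumed to be handled by TLS and is not shown.

```python
"""Constructed example: keeping only what a merchant needs after a card
authorisation, so a breach of the retained records exposes no account
numbers, verification codes or PINs. Not code from the page or the bill."""
import base64
import hashlib
import hmac
import json
import re
import secrets
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Field names this example treats as sensitive authentication data that must
# never reach persistent storage once the transaction is authorised.
SENSITIVE_AUTH_FIELDS = ("pan", "cvv", "pin", "track_data", "password")
DIGIT_RUN = re.compile(r"\d{13,19}")          # candidate card-number runs


@dataclass
class AuthorizationRequest:
    """What the terminal sends to the processor; lives in memory only."""
    pan: str              # full card number
    cvv: str
    pin: Optional[str]
    expiry: str           # "MM/YY"
    amount_cents: int


@dataclass
class StoredTransaction:
    """The only record the merchant persists."""
    txn_id: str
    pan_last4: str
    pan_token: str        # keyed hash, enough for refunds and reconciliation
    amount_cents: int
    authorized_at: str    # ISO 8601
    purge_after: str      # ISO 8601; the record is deleted after this


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check; used to validate input and to spot PANs in blobs."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def tokenize_pan(pan: str, key: bytes) -> str:
    """HMAC-SHA256 of the PAN under a merchant-held key (assumed to live in an
    HSM or secrets store, never beside the records). Without the key the
    token cannot be reversed or brute-forced offline from a stolen table."""
    digest = hmac.new(key, pan.encode("ascii"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def retain_after_authorization(req: AuthorizationRequest, key: bytes,
                               now: datetime, retention_days: int = 90) -> StoredTransaction:
    """Build the persistent record: masked number, token, amount, dates.
    The CVV, PIN and full PAN are simply never copied out of the request."""
    if not luhn_ok(req.pan):
        raise ValueError("PAN fails Luhn check; refusing to process")
    return StoredTransaction(
        txn_id="txn_" + secrets.token_urlsafe(12),
        pan_last4=req.pan[-4:],
        pan_token=tokenize_pan(req.pan, key),
        amount_cents=req.amount_cents,
        authorized_at=now.isoformat(timespec="seconds"),
        purge_after=(now + timedelta(days=retention_days)).isoformat(timespec="seconds"),
    )


def contains_sensitive_data(record: Dict[str, object]) -> bool:
    """Pre-write guard: refuse to persist anything carrying a populated
    sensitive field or a Luhn-valid 13-19 digit run anywhere in its JSON
    (catches PANs that leak through free-text notes or logging fields)."""
    if any(record.get(name) for name in SENSITIVE_AUTH_FIELDS):
        return True
    blob = json.dumps(record, default=str)
    return any(luhn_ok(run) for run in DIGIT_RUN.findall(blob))


def view_for_role(rec: StoredTransaction, role: str) -> Dict[str, object]:
    """Least-privilege projection: support staff see the masked number only;
    finance (assumed role name) also gets the token needed for refunds."""
    view = {"txn_id": rec.txn_id, "pan_last4": rec.pan_last4,
            "amount_cents": rec.amount_cents, "authorized_at": rec.authorized_at}
    if role == "finance":
        view["pan_token"] = rec.pan_token
    return view


def purge_expired(records: List[StoredTransaction], now: datetime) -> List[StoredTransaction]:
    """Retention enforcement: drop records whose purge_after has passed."""
    return [r for r in records if datetime.fromisoformat(r.purge_after) > now]


def demo() -> Dict[str, object]:
    """Run the whole flow on constructed input and return the checks."""
    key = secrets.token_bytes(32)     # demo key; keep real keys out of the DB
    req = AuthorizationRequest(pan="4111111111111111", cvv="123", pin=None,
                               expiry="12/09", amount_cents=4599)   # constructed
    now = datetime(2008, 9, 3, 12, 0, 0)
    stored = retain_after_authorization(req, key, now)
    return {
        "request_leaks": contains_sensitive_data(asdict(req)),
        "stored_leaks": contains_sensitive_data(asdict(stored)),
        "support_view": view_for_role(stored, "support"),
        "finance_view": view_for_role(stored, "finance"),
        "token_stable": tokenize_pan(req.pan, key) == stored.pan_token,
        "kept_at_day_30": len(purge_expired([stored], now + timedelta(days=30))),
        "kept_at_day_91": len(purge_expired([stored], now + timedelta(days=91))),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of `contains_sensitive_data` is that the rule "don't store the PIN or card number" fails in practice through side channels (a notes column, a debug log, a serialized request object), so the guard scans the serialized record rather than trusting field names alone; the keyed token is what lets reconciliation and refunds keep working without the number itself ever being written down.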

Click here to read more.