Wednesday, December 31, 2008

Janet Napolitano's Record on Privacy Not So Good

As we continue to wrestle with that all-important intersection between civil liberties and technology - one that is becoming more and more difficult to navigate - the importance of understanding how government officials view that issue, and privacy itself, only grows.

Accordingly, there are few public offices of greater importance as related to privacy, technology, and civil liberties than the head of the Homeland Security Department. Thomas Frank - an author I admire greatly - takes this issue on in a recent article in the USA Today I found to be particularly enlightening.

Gov. Janet Napolitano is of course President-elect Barack Obama's pick to run the Homeland Security Department, and she has been an enthusiastic advocate for advanced security technology as a law enforcement tool, raising concerns among civil liberties groups that warn about privacy invasion while drawing praise from law enforcement organizations.

Frank writes:

As Arizona's Democratic governor since 2003, Napolitano has:
• Pushed state police to use cameras that scan license plates of moving cars to find vehicles that are stolen or linked to a criminal suspect.
• Promoted "face-identification" technology that could help surveillance cameras find wanted people by comparing someone's face with a photo database of suspects.
• Signed a 2007 bill making Arizona one of 12 states that collect and store DNA samples of people accused but not convicted of certain crimes, including murder, burglary, sexual assault and prostitution.
• Proposed an optional state ID for legal citizens only that features a radio-frequency chip to allow authorities to read the card. State lawmakers blocked the effort this year.


"She sees technology as the panacea of all our law enforcement problems and immigration issues," said Alessandra Soler Meetze, head of Arizona's American Civil Liberties Union chapter. "It's like she's embracing these technologies without taking the time to appreciate the privacy implications."

...

If confirmed as Homeland Security secretary, Napolitano will have opportunities to deploy technology, including sensors along U.S. borders and airport body scanners that look for weapons on passengers by taking images underneath clothing.

It appears that, at the least, privacy advocates will have their work cut out for them in the coming years on a host of issues ranging from "face identification" technologies to collection of DNA samples to airport body scanners to technology-driven border patrol.

Click here to read the article in its entirety.

Monday, December 29, 2008

Top 10 Security Breaches of 2008

I'll try not to end the year frightening anybody, but 2008 was another reminder that the rapid rise in the number of identity thefts and data security breaches is showing no signs of slowing.

This top 10 list put together by bankinfosecurity.com is enough to worry anyone...but they do provide "valuable lessons learned" for each disaster.

Linda McGlasson reports:

The August arrest of 11 alleged hackers accused of stealing more than 40 million credit and debit cards brings law enforcement closer to closing what is still the largest hack ever. The U.S. Department of Justice brought charges against 11 alleged hackers from around the globe. Some of the hacking gang were nabbed and brought to the U.S. to face trial alongside three U.S.-based defendants. Two of the defendants, Christopher Scott and Damon Patrick Toey, have already pled guilty in the case. Others including the ringleader, Alberto Gonzalez, await trial.

Lesson Learned: The wide-range of the perpetrators brings to light something that those in the cyber intelligence realm have known for some time: Criminal hackers are part of a very mature and multi-billion dollar industry that reaches around the world. No organization is immune to the threat.

...

An unencrypted backup tape with 4.5 million customers of the Bank of New York Mellon went missing on Feb. 27, after it was sent to a storage facility. The missing tape contains social security numbers and bank account information on 4.5 million customers - including several hundred thousand depositors and investors of People's United Bank of Connecticut, which had given Bank of New York Mellon the information so it could offer those consumers an investment opportunity.

Lesson Learned: For Bank of New York Mellon, know that when data is released to a third-party that their security is as good or better than yours. Encryption isn't just something that is good for the data held at an institution; it's also something to consider for data that leaves the institution.

Those were the first two on the list...click here to read about the other eight.

Monday, December 22, 2008

How bad of a mess is Obama inheriting with Real ID?

I just want to briefly follow up on my December 12th post that delved into the question of where Obama/Napolitano might stand with regard to REAL ID. In that post, I made the point that we really don't know a whole lot about how the new administration will approach the program. I stated:

Here's what we do know: Janet Napolitano opposed REAL ID as Governor of Arizona, but did so on the grounds that it was too expensive and burdensome for the states to implement. I have yet to read any strong statement from the Director of Homeland Security to be on the issue of privacy and the concept of a National ID card...Making matters worse, or at least less clear, is President Elect Obama's near silence on the issue, with a couple quips here and there about "it being too expensive and burdensome for states", (I'm paraphrasing). Again, this isn't exactly the kind of condemnation and outright opposition we would hope for.

I found a useful addendum to that post in an article written by the same author in Computerworld today. Let's just say the program is an unadulterated mess...

Jaikumar Vijayan writes:

As President-elect Barack Obama prepares to take office, it's unclear how his administration will proceed on the technology-heavy Real ID program. But what is all too clear is that the three-year-old effort to impose identification-card standards on state governments remains mired in controversy.

...

There's no mandate that states issue Real ID cards. But eventually, all citizens will need IDs that comply with the requirements in order to board planes, enter federal buildings and receive federal benefits.

The outpouring of protests has prompted the DHS to ease up on its implementation deadlines. For instance, under the final rules set by the agency last January, existing driver's licenses will continue to be accepted as federal identification until December 2014. And people who are age 50 or above at that time won't have to show Real ID cards for another three years.

...

At this point, the only reasonable way forward is for the DHS to work more cooperatively with states on Real ID implementations instead of continuing to "dangle sabers over their heads," said Chris Dixon, an analyst at Input, a government IT consulting firm in Reston, Va.

I think it goes without saying that an Obama/Napolitano team will bring with it a lot more common sense and basic respect and understanding of the Constitution...but big questions still remain...like are we still headed towards a National ID?

Click here to read the article in its entirety.

Top Congressional Democrats Complicit in Spying Too?

As month after month went by with little or no action from Democrats in Congress on the issue of wiretapping - ending with the passage of a FISA bill that EXPANDED executive power and gave the telecoms retroactive immunity - a question that surely must be posed is why? Why has the Democratic leadership been so asleep at the wheel on this issue?

One prominent reason - many believe - is due to the complicity in the program by leading Congressional Democrats. This argument has been made especially effectively by Salon.com's Glenn Greenwald, and has now been confirmed by none other than Dick Cheney in one of his recent "historical revisionism world tour" interviews. With Cheney one can never tell if he's lying or telling the truth, but I lean towards accepting, at least to a degree, his assertions on this issue. As Greenwald notes, at the least the Democratic leaders Cheney names should respond to his claims...and if they don't, the guilt and complicity become all the more apparent.

Greenwald writes:

Dick Cheney's interview yesterday with Fox's Chris Wallace was filled with significant claims, but certainly among the most significant was his detailed narration of how the administration, and Cheney personally, told numerous Democratic Congressional leaders -- repeatedly and in detail -- about the NSA warrantless eavesdropping program. And, according to Cheney, every one of those Democrats -- every last one -- not only urged its continuation, but insisted that it be kept secret:

...

Either way, Cheney's general claim is as clear as it is incriminating. According to him, key Congressional Democrats were told about the illegal NSA spying program in detail, and they not only actively approved of it, but far beyond that, they insisted that no Congressional authorization should even be sought, based on what was always the patently inane claim that to discuss the fact that the administration was eavesdropping on our conversations without warrants (rather than with warrants, as the law required) would be to reveal our secrets -- "our playbook" -- to Al Qaeda.

It is certainly true that Dick Cheney is not exactly the most scrupulously honest public servant around. In fact, he's almost certainly the opposite. Still, what he said yesterday was merely an expanded and more detailed version of what has previously been publicly reported and, to some degree, confirmed about the knowledge and support of Democratic leaders for the NSA program.

...

Unsurprisingly, Pelosi, Harman and Rockefeller all voted last July to legalize warrantless eavesdropping and to immunize telecoms from liability, thereby ensuring an end to the ongoing investigations into these programs. And though he ultimately cast a meaningless vote against final passage, it was Reid's decisions as Majority Leader which played an instrumental role in ensuring passage of that bill.

One would think that these Democratic leaders would, on their own, want to respond to Cheney's claims about them and deny the truth of those claims. After all, Cheney's statement is nothing less than an accusation that they not only enthusiastically approved, but actively insisted upon the continuation and ongoing secrecy, of a blatantly illegal domestic spying program (one that several of them would, once it was made public, pretend to protest).

Click here to read the article in its entirety.

Thursday, December 18, 2008

CNET Reports: Privacy groups ask Obama for stronger FTC

Now here's a little good news. A who's who in privacy advocacy, including the Privacy Rights Clearinghouse, the Consumer Federation of America, the American Civil Liberties Union, the Center for Digital Democracy, the World Privacy Forum, the Electronic Privacy Information Center, the Privacy Times, the Privacy Journal, the Consumers Union, the Electronic Frontier Foundation, and U.S. PIRG, the federation of state Public Interest Research Groups, met with Obama's transition team earlier in the week to discuss strengthening the Federal Trade Commission...particularly as it relates to consumer privacy.

I can't think of a more respected coalition of organizations to make this important case to the incoming administration...now we'll see whether they're listening.

Stephanie Condon of CNET News reports:

While participating organizations addressed a range of problems and potential solutions, the underlying message was clear: the FTC has for too long allowed industries to self-regulate their online privacy practices--to the detriment of consumers.

...

"We wanted to impress upon the transition team that there are many online privacy issues that need to be the highest priority of the incoming Obama FTC," said Jeff Chester, the executive director of the Center for Digital Democracy. "The last eight years has been a disaster for consumer protection and privacy, and the agency has not really had the interest to work on behalf of consumers to investigate the online ad industry and its harmful and problematic practices."

Along with the need for better regulation of targeted online marketing, the groups discussed the need for more oversight in the data broker industry and privacy policies for medical information, among other things. A range of solutions were offered, from more benchmarks for self-regulated industries to new legislation.

...

...multiple groups at the meeting with the Obama transition team said that behavioral tracking and targeting is still a problem that the FTC needs to address. Susan Grant, director of consumer protection at the Consumer Federation, called the practice "deceptive on its face."

"The FTC approach to this issue is emblematic of its timid and inadequate approach to consumer privacy in general over the past several years," she said. "Information is collected by entities with whom people have no relation, without consumers having any idea of what would be done with that information."

The Consumer Federation is calling for the FTC to establish a "Do Not Track" registry, Grant said. The FTC already oversees the Do Not Call Registry, which lets consumers opt out of receiving telemarketing calls. The registry has been very successful, Hoofnagle said, with telemarketers reporting larger profits and more effective results.

...

The Privacy Rights Clearinghouse, a nonprofit consumer rights group, has received numerous complaints from consumers about companies that sell their personal information, including companies that supposedly violate their own privacy policies, according to the Clearinghouse's director Beth Givens. "This is an unregulated industry that needs to be investigated by the FTC," Givens said. "It's long overdue."

Data brokering may have contributed to the mortgage meltdown of the past year, Hoofnagle said, since Internet users would typically face a deluge of offers from mortgage brokers after making a single inquiry online about how to get a mortgage.

I think you all get the idea...all I can say is I sure would have enjoyed being a fly on the wall at this meeting!

Click here to read the article in its entirety.

Tuesday, December 16, 2008

Has Big Brother Won? Obama's Wiretapping Challenge

I thought this New York Times op-ed on the difficulty that the Bush administration's extensive and illegal wiretapping and surveillance program poses for Obama to be a useful precursor in understanding what's ahead for the next President on this most critical of issues.

Throughout the past years one of the arguments I made incessantly here was that once a President is given new and far reaching powers, it's very hard for future Presidents to give those powers up. I would say that's a very human characteristic in fact...but when it comes to our civil liberties and right to privacy, it's a human characteristic that should be avoided.

One of the key legacies of the Bush era will be more than the abuse of power by the Executive, but it will be the way in which "the law" no longer seems to even apply to it...and certainly not in any way close to equal to the rest of us. A point Glenn Greenwald of Salon.com recently made I thought was especially salient in this regard.

He pointed out that to eavesdrop on a fellow American citizen is a felony offense punishable by five years in prison or a $10,000 fine if done without warrants. "We have laws in place that say that it is a felony punishable by decades in prison to subject detainees in our custody to treatment that violates the Geneva Conventions or that is inhumane or coercive. We know that the president and his top aides have violated these laws. The facts are indisputable that they’ve done so. And yet as a country, as a political class, we’re deciding basically in unison that the president and our highest political officials are free to break the most serious laws that we have, that our citizens have enacted, with complete impunity, without consequences, without being held accountable under the law."

So with that grave and ominous backdrop to the opportunity and challenges awaiting a President Obama, let's get to Patrick Radden Keefe's analysis in today's NYT:

After a contentious hearing this month on the most controversial aspect of the new law — a blanket grant of immunity to the telecom giants like AT&T that secretly permitted the N.S.A. to siphon off their customers’ communications — a federal judge in San Francisco must decide whether Congress has the authority to bestow absolution on private companies that appear to have violated the law. One paradox is that Bush administration lawyers have claimed from the outset that the surveillance program was entirely legal, yet they remain desperate to prevent any court from testing that claim. Instead, they are in the odd position of advocating immunity for something that they insist is not a crime.

Another paradox, which Barack Obama surely appreciates, is that the real issue underlying the immunity debate is not whether the telecoms should pay damages; it is whether lawsuits against the companies can be used to answer a question that Congress and the press have not: Just how bad was the N.S.A. program, after all?

Mr. Obama says he does not want his first term to become bogged down in any sort of “partisan witch hunt.” Indeed, the sheer extent of executive lawlessness in Washington over the past eight years has left so many wrongs to right that, in the interests of triage, the new president may choose to let bygones be bygones where wiretapping is concerned. But that would be a mistake.

...

The Obama administration cannot enact the kind of thorough course correction on domestic surveillance that is needed without understanding how far off course the intelligence community got in the first place. Mr. Obama, who initially vowed to filibuster the immunity provision but, under pressure in the race against John McCain, backed down and reluctantly supported it, has committed “to have my attorney general conduct a comprehensive review” of N.S.A. surveillance.

That is a promising first step, but it is not enough. Nor is the prospect of reports due next summer from the inspectors general of the N.S.A. and the Justice Department. The good news for Mr. Obama, politically, is that the executive branch should not lead the charge in investigating the wiretapping. Congress should.

...

Without some baseline understanding of what went wrong — and how wrong — in recent years, and without the establishment of some bright line rules of the road, it would be naïve to think that there won’t be future abuses. For aggressive intelligence agencies, legal ambiguity is an invitation to excess. Wiretapping can sometimes seem forbiddingly complex, and many Americans just aren’t concerned that the government might monitor their calls. But what is at stake here is not mere personal privacy, but the bedrock American principles of separation of powers and the rule of law.

You can be sure I will be following and covering how this issue unfolds in the coming months and years. Click here to read more.

Friday, December 12, 2008

Where does Obama stand on REAL ID?

I can safely and confidently say that I personally can't answer that question yet, not even close. Here's what we do know: Janet Napolitano opposed REAL ID as Governor of Arizona, but did so on the grounds that it was too expensive and burdensome for the states to implement. I have yet to read any strong statement from the Director of Homeland Security to be on the issue of privacy and the concept of a National ID card. This doesn't exactly make me exude confidence when taking part in discussions regarding the future of the REAL ID Act.

Making matters worse, or at least less clear, is President Elect Obama's near silence on the issue, with a couple quips here and there about "it being too expensive and burdensome for states", (I'm paraphrasing). Again, this isn't exactly the kind of condemnation and outright opposition we would hope for.

Just for a quick refresher course, the Real ID Act was approved by Congress - underhandedly as a rider I might add - and then signed into law by President Bush in 2005 as part of the government's effort to combat terrorism. At the time, few lawmakers even knew what they were voting for, or necessarily supported the concept to begin with.

Since that time the law has evoked widespread criticism from privacy advocates and civil rights groups, which say it would create a de facto national identity card system that would be hard to manage and even harder to secure. To learn everything you ever wanted to about this Big Brother power play check out http://realnightmare.org/.

Over the past couple years states across the country have been putting up a concerted and fairly successful fight against the Federal Government - many refusing to implement the program. Even a DHS advisory committee voiced reservations about the Real ID effort last year because of privacy, security and logistical concerns.

So then, what should we expect from an Obama/Napolitano team on this issue?

To get some help answering this question let's go to Jaikumar Vijayan of Computerworld:

Thus far, Obama himself has made almost no public comments about the Real ID initiative, which calls for driver's licenses and other state-issued IDs to include digital photos and be machine-readable so the information on them can be captured by scanning devices. And on the one occasion in which Obama had an opportunity to vote on an issue related to the Real ID Act in the Senate, he didn't cast a ballot.

Meanwhile, Arizona Gov. Janet Napolitano, Obama's choice to be secretary of the U.S. Department of Homeland Security (DHS) — the agency responsible for implementing the Real ID rules — previously signed a bill barring her state from participating in the program. Given that fact, it's uncertain how effective she would be in pushing for adoption of Real ID in her expected new role or if she would even be inclined to do so in the first place.

...

Other provisions in the Real ID law require participating states to store digital images of IDs for seven to 10 years and for their driver's license databases to be linked to essentially create a single large system with shared access. There's no mandate that states issue Real ID cards. But under the law, all citizens will eventually need ID cards that comply with the Real ID requirements in order to board planes, enter federal buildings and receive benefits from the federal government.

...

...after initially setting a deadline of last March for states to request an extension on meeting an initial set of Real ID requirements that were supposed to be implemented by May, the DHS backed off of threats to begin enforcing the law's rules, even going so far as to issue extensions to states that didn't actually ask for one.

Those moves weren't just an attempt by the DHS to appease state officials who are opposed to Real ID, Harper said, adding that the agency decided to slow down and pass the baton to the next administration. DHS officials "realized there's just no way they're going to win this" by taking a confrontational approach, he said.

...

Estimates that the final tab for the Real ID program could exceed $17 billion also make it a challenge to push forward, according to Harper. Even so, he doesn't expect Obama to seek an outright repeal of the law because that would likely generate criticism that the new president was being soft on terrorism and immigration-control issues.

...

According to Dixon, the one public comment that Obama has made about Real ID came during a primary campaign debate, when he voiced his opposition to the way the law was being implemented and the burdens it imposed on states. A perusal of Obama's Senate voting record on the Project Vote Smart Web site shows that as a senator from Illinois, Obama didn't vote on a proposal relating to Real ID funding.

So all in all, I'm relatively confident that this program as initially envisioned is dead. Too many states don't want anything to do with it, and I don't sense Obama or Napolitano are real enthusiastic about it either. But, there are "middle grounds" that are sure to be discussed and debated, and I can only hope that the President Elect puts the Constitution above any fears he may have of looking "soft on terrorism" by killing REAL ID altogether.

My guess is some kind of hybrid program will evolve, based on some of the things states are already doing, and then coming to some agreement on what "bar" is acceptable for all states to meet the program's required standards. If this is the case, we probably should expect this issue to be far from over, because there are many groups and states out there that believe, on principle, REAL ID is an abomination...and they will not give in easily.

Click here to read more.

Wednesday, December 10, 2008

Surveillance Society: New High-Tech Cameras Are Watching You

Often when I have conversations with people about the ever expanding reach of video surveillance cameras the reaction is usually one of disinterest. Certainly, polls are also not on my side, as large majorities of Americans seem generally fine with having every movement of their existence on tape, and watched by someone (for your protection of course). Of course, we know that cameras DON'T in fact reduce crime and we also know that governments and law enforcement DO abuse our civil liberties when given such authority to monitor us. Those are two BIG strikes in my mind.

I'm still not convinced however, that this general support for such technological surveillance is a done deal, and the argument in favor of FEWER cameras in FEWER locations is a lost one. I believe this to be true for a couple reasons. One, most Americans have no concept of just how often they are being watched or worse, for what purposes. Two, few Americans have any idea the level of abuses such "watchers" are capable of...and if the Bush Administration has taught us anything it's that we can't trust government when they are given more power than they know what to do with. My guess is we are just scratching the surface, on issues ranging from wiretapping to surveillance to monitoring, and when that surface is broken, public opinion might just change on this topic.

Well, here's some new data from an article in Popular Mechanics that just might get a few people questioning just how many cameras we need in this country, just how important is it really for us to always be watched, and just exactly what purpose does such an all seeing BIG Brother really serve?

This is a long article so I'll try to post a significant amount of what I consider to be some of the most important passages.

Popular Mechanics Reports:

Most Americans would probably welcome such technology at what clearly is a marquee terrorist target. An ABC News/Washington Post poll in July 2007 found that 71 percent of Americans favor increased video surveillance. What people may not realize, however, is that advanced monitoring systems such as the one at the Statue of Liberty are proliferating around the country. High-profile national security efforts make the news—wiretapping phone conversations, Internet monitoring—but state-of-the-art surveillance is increasingly being used in more every-day settings. By local police and businesses. In banks, schools and stores. There are an estimated 30 million surveillance cameras now deployed in the United States shooting 4 billion hours of footage a week. Americans are being watched, all of us, almost everywhere.

We have arrived at a unique moment in the history of surveillance. The price of both megapixels and gigabytes has plummeted, making it possible to collect a previously unimaginable quantity and quality of data. Advances in processing power and software, meanwhile, are beginning to allow computers to surmount the greatest limitation of traditional surveillance—the ability of eyeballs to effectively observe the activity on dozens of video screens simultaneously. Computers can't do all the work by themselves, but they can expand the capabilities of humans exponentially.

...

Pathmark archives every transaction of every customer, and the grocery chain is hardly alone. Amazon knows what you read; Netflix, your taste in movies. Search engines such as Google and Yahoo retain your queries for months, and can identify searches by IP address—sometimes by individual computer. Many corporations log your every transaction with a stated goal of reducing fraud and improving marketing efforts. Until fairly recently it was impractical to retain all this data. But now the low cost of digital storage—you can get a terabyte hard drive for less than $350—makes nearly limitless archiving possible.

So what's the problem? "The concern is that information collected for one purpose is used for something entirely different down the road," says Ari Schwartz, deputy director of the Center for Democracy and Technology, a Washington, D.C., think tank. This may sound like a privacy wonk's paranoia. But examples abound. Take E-ZPass. Drivers signed up for the system to speed up toll collection. But 11 states now supply E-ZPass records—when and where a toll was paid, and by whom—in response to court orders in criminal cases. Seven of those states provide information in civil cases such as divorce, proving, for instance, that a husband who claimed he was at a meeting in Pennsylvania was actually heading to his lover's house in New Jersey. (New York divorce lawyer Jacalyn Barnett has called E-ZPass the "easy way to show you took the offramp to adultery.")

On a case-by-case basis, the collection of surveillance footage and customer data is usually justifiable and benign. But the totality of information being amassed combined with the relatively fluid flow of that data can be troubling. Corporations often share what they know about customers with government agencies and vice versa. AT&T, for example, is being sued by the Electronic Frontier Foundation, a San Francisco-based civil liberties group, for allowing the National Security Agency almost unlimited access to monitor customers' e-mails, phone calls and Internet browsing activity.

...

In July, New York City officials unveiled the Lower Manhattan Security Initiative, modeled after London's "Ring of Steel," which will include license-plate readers, automated roadblocks and 3000 new surveillance cameras—adding to the 250 already in place. Chicago, meanwhile, which has 560 anti-crime cameras deployed on city streets, revealed plans in September to add a sophisticated IBM video analytic system that would automatically detect abandoned bags, suspicious behaviors (such as a vehicle repeatedly circling the Sears Tower) and vehicles sought by the police. Expanded surveillance is perhaps to be expected for these high-profile cities, but they're hardly alone. Richmond, Calif.; Spokane, Wash.; and Greenville, N.C., are among the cities that have recently announced plans to add electronic spying eyes. According to iSuppli, a market research firm, the global surveillance-camera business is expected to grow from $4.9 billion in 2006 to $9 billion in 2011.

...

So-called "facial profiling" has been surveillance's next big thing for nearly a decade, and it is only now showing tentative signs of feasibility. It's easy to see why people are seduced by the promise of this technology. Twelve bank companies employ 3VR systems at numerous locations, which build a facial template for every single person that enters any branch. If somebody cashes a check that is later determined to be stolen, the person's face can be flagged in the system, and the next time the con artist comes in, the system is supposed to alert the tellers.

...

There's a man in Salt Lake City who knows what I did last summer. Specifically, he knows what I did on Aug. 24, 2007. He knows that I checked my EarthLink e-mail at 1:25 pm, and then blew a half an hour on ESPN's Web site. He also knows that my wife, Anne, wanted new shoes, from Hush Puppies or DSW, and that she synced her electronic planner—"she has quite a busy schedule," the man noted—and downloaded some podcasts. We both printed out passes for free weeklong trials at 24 Hour Fitness, but instead of working out, apparently spent the evening watching a pay-per-view movie. It was Bridge to Terabithia or Zodiac, he thinks.

The man's name is Joe Wilkinson, and he works for Raytheon Oakley Systems. The company specializes in "insider risk management," which means dealing with the problem of employees who, whether through innocent accident or nefarious plot, do things they really shouldn't be doing at work. Oakley's software, developed for the U.S. government and now used by ten Fortune 100 companies, monitors computer use remotely and invisibly. Wilkinson had agreed to run a surveillance trial with me as the subject, and after accessing my computer via the Web, he installed an "agent" that regularly reported my activities back to him.

...

Surveillance of this sort is common. A 2005 survey by the American Management Association and the ePolicy Institute found that 36 percent of companies monitor workers on a keystroke-by-keystroke basis; 55 percent review e-mail messages, and 76 percent monitor Web sites visited. "Total Behavioral Visibility" is Raytheon Oakley's motto. The vice president of marketing, Tom Bennett, knows that some people fear workplace monitoring. But the technology has many positive aspects. "We are not Big Brother," he insists.

...

The debate over surveillance pits the tangible benefits of saving lives and dollars against the abstract ones of preserving privacy and freedom. To many people, the promise of increased security is worth the exchange. History shows that new technologies, once developed, are seldom abandoned, and the computer vision systems being adopted today are transforming America from a society that spies upon a small number of suspicious individuals to one that monitors everybody. The question arises: Do people exercise their perfectly legal freedoms as freely when they know they're being watched? As the ACLU's Stanley argues, "You need space in your life to live beyond the gaze of society."

In the end, perhaps that's the biggest problem I have with an all-seeing, all-watching, two-headed corporate and government monster: how does such surveillance affect how people think and behave in a free society? Does it, in fact, stifle dissent? Will it slowly but surely create a population more controlled, more docile, and less questioning of the status quo? I believe the answer to each of these questions is yes. Worse, I think this is precisely the wrong direction our species needs to go in order to evolve.

Read the article in its entirety here.

Friday, December 5, 2008

Eric Holder and Privacy: A Preliminary Analysis

I think everyone that cares about privacy and the Constitution will be popping some champagne the minute the Bush era finally ends! As for our past two Attorneys General, the same kind of relief will be felt knowing that Alberto Gonzales is languishing somewhere in a prison cell (if justice is ever served) and Michael Mukasey is back to work as a judge where he can do far less damage to the civil liberties of American citizens.

The question that is unanswered is what kind of Attorney General will Eric Holder be on the issue of privacy? I've done some preliminary research on this question and have come to an initial conclusion: he's a mixed bag. I want to take you briefly through writings by three privacy experts and you can judge for yourself whether his record is "mixed", or worse than my analysis or better. One note, I'm still awaiting the ACLU's analysis of Holder...I'll post and discuss it here when it's released.

I've personally found that when making such judgements of others' records and political inclinations it really depends on what kind of curve one is grading on. In other words, does "good" mean in comparison to Alberto Gonzales? Or would "good" mean someone that is truly committed to protecting civil liberties and personal privacy? In the case of Eric Holder, I sense he is mixed, as yes, he's obviously MUCH better than the Bush/Gonzales cabal ever was, but nonetheless, he leaves a lot to offer as well.

Let's begin with one of my absolute "go to" sources on such matters: Glenn Greenwald of Salon.com.

Greenwald writes:

The bulk of what I've read about and from Holder suggests, with a couple of ultimately marginal exceptions, that this appointment would be a very positive step. Digby yesterday quoted at length from an impassioned speech Holder gave in June of this year in which he condemned Guantanamo as an "international embarrassment"; charged that "for the last 6 years the position of leader of the Free World has been largely vacant"; complained that "we authorized torture and we let fear take precedence over the rule of law"; and called for an absolute end both to rendition and warrantless eavesdropping. He proclaimed that "the next president must move immediately to reclaim America's standing in the world as a nation that cherishes and protects individual freedom and basic human rights."

...

All of this is preliminary. It's possible -- even likely -- that more facts will emerge that further shape the assessment of the choice of Holder, one way or the other. He should be asked about his views of holding Bush officials accountable for lawbreaking. He was undoubtedly involved with policies at the Clinton DOJ that many civil libertarians will oppose. Some of those early post-9/11 comments are definitely disturbing. And one can never really know what someone will do with power until they wield it. But on balance -- particularly in light of what he was saying regarding the most extreme Constitutional and executive power abuses of the last eight years and, more importantly, how he was saying it -- this choice, as a preliminary matter, seems like a step in the right direction.

Now let's move to an analysis that is more specifically concerned with Holder's views on Internet privacy. Greenwald notes that Holder's advocacy, in the wake of the 1999 Columbine shooting, of what he called "reasonable regulations in how people interact on the Internet" is vague and almost 10 years old, but nonetheless should be explored. So let's do that now...

Declan McCullagh of CNET writes:

Eric Holder, President-elect Barack Obama's pick for attorney general, drew applause from liberal Democrats earlier this year when he denounced the Bush administration's warrantless wiretapping program. A review of Holder's public statements, speeches, and testimony when he was a top Justice Department official in the Clinton administration, however, reveals a more nuanced record on privacy. His remarks indicate support for laws mandating Internet traceability, limits on domestic use of encryption, and more restrictions on free speech online. He also called for new powers for federal prosecutors, some of which became law under President Bush as part of the USA Patriot Act.

...

In 1999, Holder said that "certain data must be retained by ISPs for reasonable periods of time so that it can be accessible to law enforcement." A few years later, Gonzales said that Internet service providers must retain certain data for a "reasonable amount of time," and asked Congress to make it mandatory.

...

Marc Rotenberg, executive director of the Electronic Privacy Information Center, believes that Holder's past statements on encryption and surveillance "are fair topics to pursue at the nomination hearing."

But Rotenberg said any statements should be read narrowly and in context--suggesting that Holder may have been referring to data preservation after receiving a court order instead of preemptive data retention--and generally applauded his nomination. "Eric Holder is an outstanding public servant and would be a great attorney general, particularly after the last several years," Rotenberg said. "He is extremely well qualified, highly regarded, and has a deep commitment to the rule of law."

...

Another point of congruence between Holder and his successors can be found in his support for greater law enforcement surveillance powers during the Clinton administration. In early 2000, he asked Congress for a set of new laws, including granting police the ability to obtain nationwide court orders for telephone surveillance. Another targeted cyberstalking. "We recognize the importance the public attaches to individual privacy, and any legislation must be carefully balanced to avoid unnecessary infringement on the privacy rights we hold dear in this country," Holder said.

Now let's conclude with another more critical view of Holder's record by Mike Thompson on the site Beta Culture 11, particularly the issue of data retention and expanding the government's ability to track what we do online (something I'M NOT a fan of):

...Eric Holder is a supporter of the creation of a data retention policy at ISPs to make it easier for the government to track what people do online...Some privacy activists have tried to give him the benefit of the doubt that he was only referring to retaining records that have been requested by the government, but there was no context for that in his speech. Lacking that sort of nuance, we must simply take him at his word that he wants ISPs to get into the game of retaining records of their customers' activities for long periods of time. Whether that is through the government leaning on ISPs until they "voluntarily" adopt such policies or through naked force is immaterial.

A lot of people assume that the Internet is a "public place" and that you have no reasonable guarantee of privacy. To some extent that is true, but the real policy issue here is why should the government take actions which are absolutely guaranteed to diminish what privacy we do have. That's precisely what a data retention policy/mandate would do, as it would leave copious amounts of information about everything from instant messages, to emails, to web site visits exposed on an ISP's network. Such information is ripe for abuse, be it from law enforcement, criminals looking to score a big heist on personal information or curious employees.

Long-term data retention has been the norm in Europe for a while now, and according to one survey, it's already changing the behavior of some non-criminal segments of the German population. That is one of the natural side effects of living in a society where everyone knows that a significant amount of information about all of their electronic communications is stored and possibly monitored by third parties. It goes without saying that raising future generations of America under such a regime is going to have the result of making them generally accept such systematic surveillance as the norm of modern life. Such a thing does not bode well for the long term defense of liberty.

Click here to read the rest of this article.

Frankly, it's Holder's views on data retention that concern me most. I, as the above offer, believe that the consequences of a total loss of privacy (and the general acceptance of that loss) are just as much about changing the ways we view civil liberties and interact with one another as they are about being "watched" or "listened in on" by some Big Brother-like entity. The real threat is how does just knowing that this is possible affect our minds, our spirits, and our words and actions?

My personal hope is, in terms of the incoming Holder and Obama team, they will be focused on far bigger issues, that are far more related to actually upholding the law and protecting the people than data retention or encryption issues. If that is the case, it is very likely nothing will happen on these fronts, and we won't lose what little privacy we have left. To be sure, the concept of privacy as a Constitutionally protected right is a dying notion. We know this because there was little principled opposition when these issues (data retention and encryption) were being debated by both parties under the Bush Administration, and it's even less likely that a Democratic Congress will challenge Holder if he wants to raise the issue.

As the above author noted, "Despite superficial outrage over the privacy and constitution violations of the Bush Administration, the Democrats have largely shown themselves to have little inherent opposition to the sort of surveillance that this issue presents to the public."

More to come...

Tuesday, December 2, 2008

Courtroom Showdown - Bush Demands Amnesty for Spying Telecoms

When it comes to the issue of privacy and the US Constitution it just doesn't get much bigger than this.

As I write this, lawyers for the Bush administration are attempting "to convince a federal judge to let stand a law granting retroactive legal immunity to the nation's telecommunications firms, which are accused of transmitting Americans' private communications to the National Security Agency without warrants."

The court battle centers on "nearly four dozen lawsuits filed by civil liberties groups and class action attorneys against AT&T, Verizon, MCI, Sprint and other carriers who allegedly cooperated with the Bush administration's domestic surveillance program in the years following the Sept. 11 terror attacks," Threat Level explains. Among the groups filing suit is the Electronic Frontier Foundation, which argues that the FISA Amendments Act -- granting retroactive immunity at the discretion of the Attorney General by allowing for "the dismissal of the lawsuits over the telecoms' participation in the warrantless surveillance program" -- is unconstitutional.

One bright spot is that Judge Vaughn Walker announced yesterday that he planned to discuss a series of 11 questions during today's hearing, including whether or not there exists "any precedent" for the powers granted to the Attorney General by the FISA Amendments Act. FireDogLake's Marcy Wheeler says that Walker's questions "suggest that Walker is not going to simply roll over and abdicate his Article III function."

Wired Magazine has more:

In July, as part of a wider domestic spying bill, Congress voted to kill the lawsuits and grant retroactive amnesty to any phone companies that helped with the surveillance; President-elect Barack Obama was among those who voted for the law in the Senate.

...

Carl Tobias, a professor at the University of Richmond School of Law, says the immunity legislation, if upheld, "makes it possible to extend immunity to other areas of the law." He agreed, for example, that it would not be far-fetched to imagine Congress immunizing ExxonMobil for the 1989 Valdez oil spill "for national security reasons." A jury awarded about $5 billion in punitive damages in that case, an amount the courts reduced to $500 million.

...

The EFF's case, which has been consolidated with the others in the U.S. District Court of San Francisco, includes so-called whistle-blower documents from a former AT&T technician. The EFF claims the documents describe a secret room in an AT&T building in San Francisco that is wired to share raw internet traffic with the NSA.

The government sought to dismiss the original EFF case, and others that followed, on the grounds that they threatened to expose state secrets. Judge Walker has ruled against the government, saying the case could proceed. The government appealed. But before the appeal was decided, Congress on July 9 gave the president the power to grant immunity to the carriers.

The EFF is now challenging the immunity legislation on the grounds that it seeks to circumvent the Constitution's separation of powers clause, as well as Americans' Fourth Amendment rights against unreasonable searches and seizures.

You can be sure I'll be following this case and reporting back on it here until it's resolved. Click here to read more.

Monday, December 1, 2008

ACLU Files Suit Against AT&T and Verizon

I found this tidbit of good news on the ACLU's website. On November 26th the group filed two lawsuits in state court requesting injunctions against AT&T and Verizon to prevent them from illegally providing the National Security Agency (NSA) with the personal phone records of millions of California customers.

As the ACLU notes in its press release, "The phone records were provided without the consent of their customers and without a warrant, court order or any other legal process. The lawsuits were filed on behalf of more than 100,000 ACLU members statewide and individual plaintiffs including a former Congressman, former linguist for the Army Security Agency, a Constitutional law professor, journalists, psychiatrists, attorneys, and a minister."

More from the release:

According to USA TODAY, shortly after September 11, 2001, AT&T and Verizon unlawfully provided to the NSA the personal calling patterns of millions of California customers, including phone numbers called, and the time, date and direction of the calls without their customers’ knowledge, consent, or proper legal process.

...

Among those whose rights were violated are the following individual plaintiffs who all have compelling reasons for why their phone calls must remain private:

Robert Scheer is a nationally syndicated columnist and journalist at the San Francisco Chronicle, who writes frequently about the war in Iraq and national security issues. He regularly uses his residential phone to make calls to confidential sources. AT&T is his residential telephone provider.

...

...the telephone providers have systematically trampled on the constitutional and statutory rights of millions of innocent Californians:

  • California Constitutional Right to Privacy Violation. AT&T and Verizon have violated the inalienable right to privacy guaranteed in Article I, Section 1 of the California Constitution. This provision was passed overwhelmingly by California voters in 1972 to protect the privacy rights of all and with the precise purpose of prohibiting data sharing of this type.
  • Consumer Protection Violation. AT&T and Verizon have violated California law that prohibits a telephone company from making available a residential subscriber’s personal calling information to another person or company without first obtaining the subscriber’s written consent.

So we know that AT&T and Verizon have repeatedly violated the right to privacy - guaranteed by our State Constitution - of millions of their customers. We also know that this unprecedented illegal and unconstitutional activity coincides with the NSA's recently assembled database of our calls that happens to be the largest the world has ever seen. Together, this represents exactly what the ACLU is arguing: "the systematic strip-mining of the private calls of millions of innocent Americans."

It goes without saying the court should order AT&T and Verizon to stop turning over Californians’ phone records to the government immediately. What is less certain is what kinds of actions a President Obama might take in restoring the right to privacy and protecting US citizens from the ever growing watchful eye of Big Brother.