Tuesday, April 14, 2009

Obama Administration Update + Cybersecurity Act of 2009 Raises Privacy Concerns

Before I get to some of the privacy concerns that the Electronic Frontier Foundation (EFF) has articulated in regards to the Rockefeller/Snowe Cybersecurity Act I want to give a quick update on the Obama Administration's increasing support of a host of Bush Administration Constitutional (actual anti-Constitutional) positions.

In terms of privacy, the most notable and disturbing development is - according to a story reported by RawStory today - President Obama's endorsement of a Justice Department move to dismiss a case in which the National Security Agency is being sued over its warrantless wiretapping program.

In fact, White House Press Secretary Robert Gibbs stated unequivocally the other day that the President stands firmly behind the dismissal of the lawsuit by the Electronic Frontier Foundation.

Rawstory reports:

The Electronic Frontier foundation is suing the NSA for damages over a program in which the government tracked the phone calls and emails of thousands of Americans following the Sept. 11, 2001 attacks. In their filing Friday, the Justice Department argued that the case should be dismissed because information surrounding the program was a “state secret” and therefore couldn’t be litigated or discussed.

It also proposed that the government was protected by “sovereign immunity” under federal wiretapping statutes and the Patriot Act, arguing that the United States could only face lawsuits if they willfully elected to disclose intelligence obtained by wiretapping. In other words, the motion posited that government agencies couldn’t be sued for spying because they never intentionally told anyone they were engaged in warrantless wiretaps, even if such a program violated the law.

During his presidential campaign, then-Sen. Barack Obama criticized the Bush Administration for its use of “state secrets” as a legal argument to prevent lawsuits from moving forward. His campaign website listed state secrets under the headline “Problems.”


The Obama Justice Department made this claim in February, in response to a suit brought by victims of extraordinary rendition. But the Department’s “sovereign immunity” argument is unexpected. A close review of the Department's brief suggests that the Justice Department took a quote out of context in an effort to bolster their case.

The Department asserts that the United States can’t be sued because it’s specifically excluded under the 1986 Electronic Communications Privacy Act. “In the Wiretap Act and ECPA, Congress expressly preserved sovereign immunity against claims for damages and equitable relief, permitting such claims against only a 'person or entity, other than the United States,'” the Department wrote.

In that section of the law, however, the phrase “other than the United States” is there only because those sections specify the penalties to be used in cases in which the law is violated by someone other than the United States. In contrast, another section of the law specifies penalties for violations of the law by the United States. (More on the law can be read at section 2520 (in chapter 119) and section 2707.)

It's hard to put into words how personally disappointed and saddened I am regarding the Administration's sudden reversal on these Constitutional principles.

We will know a lot more come this Thursday, as it represents the most significant test to date of the Obama Administration's positions on issues of accountability, torture, civil liberties, and transparency. As Constitutional scholar Glenn Greenwald notes:

"...as that day (Thursday) is the latest deadline for the Obama DOJ either to release the three key OLC torture-authorizing memos, release them in heavily redacted form, or refuse to release them at all. It has been widely reported that a "war" has broken out within the Obama administration over their release, with key Bush-era intelligence officials -- such as Obama's top counter-terrorism aide John Brennan and ex-CIA Director Michael Hayden -- demanding the ongoing concealment of the memos.

Those torture memos are reputed to be among the most vivid torture documents of the Bush era, and thus will almost certainly fuel the flames of investigations and prosecution -- both here and internationally. That is what has prompted the "war" over their disclosure. It's hardly a surprise that if you empower the very people most connected to the Bush CIA, there will be substantial forces blocking any attempt to bring accountability under the rule of law for the crimes that were committed.”

Sadly, the signals coming from the Administration have not been good of late. Greenwald also notes:

“In the last week alone, the Obama DOJ (a) attempted to shield Bush's illegal spying programs from judicial review by (yet again) invoking the very "state secrets" argument that Democrats spent years condemning and by inventing a brand new "sovereign immunity" claim that not even the Bush administration espoused, and (b) argued that individuals abducted outside of Afghanistan by the U.S. and then "rendered" to and imprisoned in Bagram have no rights of any kind -- not even to have a hearing to contest the accusations against them -- even if they are not Afghans and were captured far away from any "battlefield." These were merely the latest -- and among the most disturbing -- in a string of episodes in which the Obama administration has explicitly claimed to possess the very presidential powers that Bush critics spent years condemning as radical, lawless and authoritarian.”

I will be watching - and report back here - which of the following three general options Obama chooses to pursue: Full disclosure and release of the Bush memos, a heavily redacted version, or no version at all? Anything less that something at least close to full disclosure will be deeply disappointing to say the least.

Now to EFF's analysis of the Cybersecurity Act of 2009:

The bill as it exists now risks giving the federal government unprecedented power over the Internet without necessarily improving security in the ways that matter most. It should be opposed or radically amended.

Essentially, the Act would federalize critical infrastructure security. Since many of our critical infrastructure systems (banks, telecommunications, energy) are in the hands of the private sector, the bill would create a major shift of power away from users and companies to the federal government. This is a potentially dangerous approach that favors the dramatic over the sober response.


...the bill would give the Commerce Department absolute, non-emergency access to “all relevant data” without any privacy safeguards like standards or judicial review. The broad scope of this provision could eviscerate statutory protections for private information, such as the Electronic Communications Privacy Act, the Privacy Protection Act, or financial privacy regulations. Even worse, it isn’t clear whether this provision would require systems to be designed to enable access, essentially a back door for the Secretary of Commerce that would also establish a primrose path for any bad guy to merrily skip down as well. If the drafters meant to create a clearinghouse for system vulnerability information along the lines of a US/CERT mailing list, that could be useful, but that’s not what the bill’s current language does.


Whether the bill is amended or rejected, the question remains what kind of actions would help cybersecurity, and what role the federal government has to play. As security expert Bruce Schneier has pointed out, the true causes of government cyber-insecurity are rather mundane:

GAO reports indicate that government problems include insufficient access controls, a lack of encryption where necessary, poor network management, failure to install patches, inadequate audit procedures, and incomplete or ineffective information security programs.

I'll be following this bill as it progresses...and will be back with more information in the coming days and weeks (i.e. what are its chances of passage, does Obama support it, etc.).

No comments: