Friday, May 29, 2009

NSA Wiretapping Case Nears Conclusion

The continuing and increasingly disappointing Obama Administration on issues of executive power and privacy, may finally get its just deserve today. That's right, Friday, May 29th is the court ordered deadline for the Administration to convince a federal judge not to levy sanctions against the government for “failing to obey the court’s orders” in a key NSA wiretapping lawsuit.

As most of you probably know, the Administration has been ardently defending the Bush administration's warrantless wiretapping program. In this case, the Administration is fighting a lawsuit filed by AT&T customers who claim federal agents illegally intercepted their phone calls and gained access to their records.

As you also may remember, it was "candidate Obama" (apparently this was just a look alike) that very specifically and articulately promised to hearken in a new era of government transparency and accountability, end the Bush DOJ's radical theories of executive power, and reform the PATRIOT Act. Instead, we have seen Obama's own DOJ now argue that under the PATRIOT Act the government shall be entirely unaccountable for surveilling Americans in violation of its own laws.

Worse, over the past few months information continues to trickle out (similar to the issue of torture and the Administration's protection of those crimes) that demonstrates these spying abuses were "significant and systemic" and involve improper interception of "significant amounts" of the emails and telephone calls of Americans, including purely domestic communications; and that, under Bush (prior to the new FISA law), the NSA even eavesdropped - without a warrant - on Congresswoman Jane Harman.

But it gets even worse. We have also come to find out that the government's wiretapping program actually expanded in scope AFTER Congress enacted a new, and supposedly improved, FISA law last July - actually claiming it would better regulate the government's wiretapping powers. Opponents of this bill warned that exactly the kinds of abuses that we now know followed the bills signing would occur.

Sen. Russ Feingold condemned the bill on the ground that it "fails to protect the privacy of law-abiding Americans at home" because "the government can still sweep up and keep the international communications of innocent Americans in the U.S. with no connection to suspected terrorists, with very few safeguards to protect against abuse of this power."

You can check out four recent posts about these revelations - and Obama's crushing silence on the matter - here, here, here, and here.

Obviously I would really like to know more about those specific cases in which probable cause was not established and the tracking was done without warrants. We have seen too many examples of the Bush Administration using surveillance technologies not to protect Americans or "fight terrorism", but rather to stifle dissent, monitor political "enemies" (i.e. peace protesters, environmentalists, Democrats, etc.) and even eavesdrop on journalists.

While these hopes may be pie in the sky dreams when considering the Obama Administration's strict adherence to the Bush line on this issue, at least we are nearing a decision by the that could sanction the Department of Justice for refusing to share documents about the secret program with the plaintiff’s counsel under the agreement that they would still remain secret - even from their clients or the public.

What I do know is that "candidate Obama" would have readily agreed that such a just, straight forward, and fair request from this Judge should be followed without question by the government. Instead, we are forced to wait for the court to step in...

Wired Magazine reports:

U.S. District Judge Vaughn Walker is threatening (.pdf) to summarily decide the 3-year-old lawsuit in favor of the plaintiffs, and award unspecified monetary damages to two American lawyers who claim their telephone calls were illegally intercepted by the NSA under the Bush administration. The lawyer represented a now-defunct Saudi charity that the Treasury Department claimed was linked to terrorism.

If it survived appeal, such a ruling would be a blow to the government, but it would fall far short of deciding the important question the case asks: Can a sitting president, without congressional authority, create a spying program to eavesdrop on Americans’ electronic communications without warrants, as George W. Bush did in the aftermath of the 2001 terror attacks?


The Justice Department, under the Bush and Obama administrations, has repeatedly maintained that the lawsuit should be dismissed because it threatens to expose state secrets....A similar process has been applied to lawyers representing Guantanamo Bay prisoners. This month the Obama administration refused to comply with Walker’s order.


Walker is the same judge overseeing a class-action lawsuit targeting the nation’s telecommunication companies of being complicit in Bush’s once-secret spy program. Congress, with the vote of then-Sen. Barack Obama, legalized the spy program last summer.

That legislation allows electronic eavesdropping of Americans without obtaining a warrant if the subjects of the wiretap are communicating overseas with somebody believed connected to terrorism...The legislation authorizing the spy powers also immunized the telcos from being sued for their part in Bush’s eavesdropping program. Walker is entertaining a constitutional challenge to the immunity legislation.

The good news, and this is just based on what I have read to date, Judge Walker might just be what the doctor ordered...because someone, somehow, has to to check an Executive Branch that seems to have lost control of its senses...or just needs to go back and read the Constitution.

Click here to read more.

Thursday, May 28, 2009

Privacy Advocates Release Guidelines for E-Records Data Breaches

One of the most important challenges for privacy advocates these days is making sure that our nation's transition to electronic medical records includes ironclad data safeguards along with it.

"The ship has sailed" when it comes to whether we are moving forward with the transition to a completely digitized medical records system. The fact is it will save money and improve health care (though how significant these improvements and savings will be is still in question), but what remains contentious - and rightly so - is the intrinsic threat a massive electronic database containing our most personal medical records poses to individual privacy and security.

Just one challenge that must be addressed once such a system is in place is how to deal with a data breach. The New York Times recently pointed out this concern: "with paper records the opportunities for breaches are limited to over-the-shoulder glimpses or the occasional lost or stolen files. But when records are kept and transferred electronically, the potential for abuse can become as vast as the Internet."

As such, The Center for American Progress, the Markle Foundation's Connecting for Health Initiative, the Center for Democracy and Technology, and other signatories have provided a series of guidelines for The Department of Health and Human Services in the event of a medical data breach.

Peter P. Swire, a Senior Fellow at American Progress, summed the challenge up thusly:

The health IT initiative depends on the degree to which patients and consumers trust that health information will be protected from inappropriate use and disclosure. Large, unnecessary data breaches could undermine confidence in health care privacy and security. The new data breach guidelines, therefore, are a crucial way to reduce the number of breaches and build privacy and security effectively into the new health IT infrastructure.

Key report guidelines include:

Support the strong encryption and data destruction standards included in the current guidelines.

Recommend adding to the list of accepted technologies and methodologies a one-way hash function, a technical approach that is particularly useful for comparing population-level data sets without unnecessarily exposing patient data.

Urge HHS not to add the “limited data set” to the list of the technologies and methodologies because that approach does not employ the technical levels of protection achieved through encryption and one-way hashing.

Ask HHS to emphasize that the technologies and methodologies are in addition to the existing requirement to use the minimum amount of data necessary to accomplish a particular purpose.

Recommend that HHS carefully examine unintended and possibly negative consequences of creating an exclusion based on biometric approaches to safeguarding devices that contain personal health information.

Recommend careful study of the existing “de-identification” standard under the Health Insurance Portability and Accountability Act medical privacy rule, and consider whether data currently defined as “de-identified” should remain outside of HIPAA, including with respect to breach notification.

Urge HHS to expressly commit to annually reviewing the data breach guidance and set forth a process for doing so.

Recommend HHS use threat profiles as part of this annual review to evaluate the potential of policies, technologies, and methodologies to protect and secure personal health information.

Click here to download the report.

Read more on implementing health IT from CAP:

A Historic Opportunity: Wedding Health Information Technology to Care Delivery Innovation and Provider Payment Reform

Tuesday, May 26, 2009

"Showdown" Over Obama's Embracing of "State Secrets" Looming

As I have written before, one of the great disappointments in the Obama Administration to date has been its embracing of a number of core Bush era arguments related to Executive Power - in particular its adoption of the Bush Administration's interpretation of the "State's Secrets Privilege".

Now, to be fair (or at least open minded and hopeful), Obama has recently said that his Administration was "nearing completion of a thorough review" of the way in which Bush and company invoked the state-secrets privilege - asserting that his lawyers would apply a stricter legal test for the kinds of material that can be protected and that the attorney general must personally sign off on any future cases involving the privilege.

Until his actions meet his words, let's remember that the Obama Administration has been utilizing the Bush interpretation of the State Secrets privilege in its opposition to a lawsuit filed by AT&T customers who claim federal agents illegally intercepted their phone calls and gained access to their records.

This expanded interpretation allows the government to conveniently keep from the public critical information related to possibly criminal and unconstitutional abuses of power...while simultaneously stripping "defendants" (i.e. someone we've been torturing without a trial for 5 years) of the right to use such information in their defense against prosecution.

What is so disturbing about the Obama Administration's adoption of the Bush position is that it completely distorts the original purpose of the State Secrets privilege: the government's right to keep secret specific pieces of evidence or documents that directly relate to the case at hand and that demonstrably pose a threat to national security if released.

Now, the Obama Administration and its predecessor, have been using the privilege as a way to compel dismissal of entire lawsuits in advance based on the claim that any judicial adjudication of even the most illegal secret government programs would harm national security.

No better example of this re-interpretation is the way it has been used to defend Bush and company's warrantless wiretapping program. Thus, rather than embracing transparency and defending privacy, Obama's DOJ has been arguing that under the PATRIOT Act the government shall be entirely unaccountable for surveilling Americans.

To recap: according to the Bush and Obama Administrations, since citizens cannot show their messages were intercepted, they have no right to sue, because all such information is secret. And, disclosure of whether AT&T took part in the program would tip off our enemies, so we can't have that either. How convenient for the Government and their ongoing efforts to cover up gross Constitutional abuses! Government officials are not above the law. If we can continue to fill our jails with non-violent drug users and addicts certainly its not too much to ask that those responsible for breaking the law and subverting the Constitution must also be accountable to the people.

As Glenn Greenwald of noted a few months back:

"That has been the argument of Democrats for quite some time -- as well as civil libertarians such as Russ Feingold and the ACLU, both of whom endorsed that bill: that what was abusive and dangerous about Bush's use of the State Secrets privilege was the preemptive, generalized use of this privilege to force dismissal of entire lawsuits in advance, even where the supposed secret to be concealed was the allegedly criminal activity itself.

And that is exactly the usage that the Obama administration is now defending....What this is clearly about is shielding the U.S. Government and Bush officials from any accountability. Worse, by keeping Bush's secrecy architecture in place, it ensures that any future President -- Obama or any other -- can continue to operate behind an impenetrable wall of secrecy, with no transparency or accountability even for blatantly criminal acts.

With all that said, this was welcomed news. The Washington Post reports:

President Obama vowed last week to rein in the use of a legal privilege that allows the administration to discard lawsuits that involve "state secrets," promising that a new policy is in the works that will quell criticism by civil libertarians. But hours after Obama's speech laid out a "delicate balance" on national security, his Justice Department was criticized by a federal judge in California overseeing a case that has delved deeper than any other into one of the government's most highly classified data-gathering programs.


A bill moving through the Senate, written by Judiciary Committee Chairman Patrick J. Leahy (D-Vt.), would empower federal judges to review sensitive evidence and test government assertions. Neither the White House nor the Justice Department has taken a position on the legislation.

In the Haramain case, officials at the National Security Agency have determined that attorneys for the charity, who mistakenly received documents reflecting that they may have been the subject of government eavesdropping, do not have a "need to know" about the electronic surveillance program.

That has set Justice Department lawyers who are defending the NSA on a collision course with Walker. Both sides in the case must appear before the judge in San Francisco on June 3 to explain their positions and discuss ways to proceed.

Needless to say, Senator Leahy's bill seems to be a critical restraint on an Executive Branch that continues to expand its power, as well as its apparent assertion that often its abuses and those that carried them out, are somehow "above the law".

Friday, May 22, 2009

FCC Wants Right to Search Your Home Without a Warrant

As someone with an extensive educational (and occupational) background in the field of communications, the headline "FCC says it can search any home without a warrant" was a real head turner this morning (and not in a good way).

Can't we all agree that the 4th Amendment has taken enough of a beating over the past 8 years??? Can we not also agree that warrantless government searches of our homes is a grotesque subversion of the Constitution (I would also argue our privacy)?

Apparently, if you're asking the Federal Communications Commission (FCC) either of these questions the answer they will give you is "no". It appears we - as in anyone in this country with a wireless router, cordless phone, remote car-door opener, or even baby monitor or cellphone in the home -were unaware that the FCC claims the right to enter our home "without a warrant at any time of the day or night in order to inspect it."

Gee, and here I thought it was expensive and time consuming to get professional tech support to come to my home! Little did I know I had an entire government agency just waiting and willing to break into my place without notification and check out my tech do what though I'm not completely clear.

This "right" to enter our homes at any time without a warrant, as reported by Wired, is an ""upshot of the rules the agency has followed for years to monitor licensed television and radio stations, and to crack down on pirate radio broadcasters. And the commission maintains the same policy applies to any licensed or unlicensed radio-frequency device."

Who would have known that "pirate radio broadcasters" were such a grave threat that the 4th Amendment must be sacrificed to stop them? So if you're smart, and afraid, you better not be even SUSPECTED of abusing radio frequency energy...or else you may just get an un-announced visit from the FCC.

Let me get right to some of what my privacy advocate friends have to say on this seemingly recent interpretation of the 1934 Communications Act. Electronic Frontier Foundation lawyer Lee Tien said:

It is a major stretch beyond case law to assert that authority with respect to a private home, which is at the heart of the Fourth Amendment’s protection against unreasonable search and seizure. When it is a private home and when you are talking about an over-powered Wi-Fi antenna — the idea they could just go in is honestly quite bizarre.”

As Raw Story reported today, Rogue Radio Research - a company that promotes unlicensed broadcasters - says on its website that agents of the FCC don’t have the right to search homes, stating:

“If FCC agents knock on my door and say they want to talk with me, do I have to answer their questions? No. You have a right to say that you want a lawyer present when and if you speak with them, and that if they will give you their names, you will be back in touch with them. Unless you have been licensed to broadcast, the FCC has no right to ‘inspect’ your home.

If they say they have a right to enter my house without a warrant to see if I have broadcasting equipment, do I have to let them in? No. Under Section 303(n) of Title 47 U.S.C., the FCC has a right to inspect any transmitting devices that must be licensed under the Act. Nonetheless, they must have permission to enter your home, or some other basis for entering beyond their mere supervisorial powers. With proper notice, they do have a right to inspect your communications devices. If they have given you notice of a pending investigation, contact a lawyer immediately.”

Let me get to two more articles detailing this rather disturbing turn of events.

First, writes:

That 1934 Act, however, did not envision a telecommunications environment where it is common for ordinary homeowners to use a variety of RF-generating devices – wireless routers, cell phones, wireless phones, even garage-door openers and baby monitors.

While the FCC continues to maintain it has the right to regulate in-home transmissions associated with RF-radiating devices, experts in Constitutional law express grave doubts that warrantless FCC searches – for example a rogue device causing interference with a local wi-fi operator – would be legal under the Constitution.

"The Supreme Court has said that the government can't make warrantless entries into homes for administrative inspections," Orin Kerr, a George Washington University expert on Constitutional law, tells Wired. In 1967, the Supreme Court ruled for instance that housing inspectors could not forcibly enter residences without a warrant, for example.

The current debate over the 75-year-old communications law stems from an FCC run-in with a Boulder, Colo., radio station that operates without a license: Boulder Free Radio. The FCC has tried repeatedly to shut down the so-called "pirate station."

Wired Magazine adds a few more crucial pieces to this puzzle:

The notice spooked those running “Boulder Free Radio,” who thought it was just tough talk intended to scare them into shutting down, according to one of the station’s leaders, who spoke to on condition of anonymity. “This is an intimidation thing,” he said. “Most people aren’t that dedicated to the cause. I’m not going to let them into my house.”

But refusing the FCC admittance can carry a harsh financial penalty. In a 2007 case, a Corpus Christi, Texas, man got a visit from the FCC’s direction-finders after rebroadcasting an AM radio station through a CB radio in his home. An FCC agent tracked the signal to his house and asked to see the equipment; Donald Winton refused to let him in, but did turn off the radio. Winton was later fined $7,000 for refusing entry to the officer. The fine was reduced to $225 after he proved he had little income.


Administrative search powers are not rare, at least as directed against businesses — fire-safety, food and workplace-safety regulators generally don’t need warrants to enter a business. And despite the broad power, the FCC agents aren’t cops, says Fiske. “The only right they have is to inspect the equipment,” Fiske says. “If they want to seize, they have to work with the U.S. Attorney’s office.”

But if inspectors should notice evidence of unrelated criminal behavior — say, a marijuana plant or stolen property — a Supreme Court decision suggests the search can be used against the resident. In the 1987 case New York v. Burger, two police officers performed a warrantless, administrative search of one Joseph Burger’s automobile junkyard. When he couldn’t produce the proper paperwork, the officers searched the grounds and found stolen vehicles, which they used to prosecute him. The Supreme Court held the search to be legal.

Look, I'm not a paranoid person, and I don't think the FCC is going to come knocking on my door anytime soon. The issue here again is whether a government agency of any kind should be given the power to subvert core Constitutional principles? To me, aside from the variety of abuses such warrantless searches could invite, more importantly is the way such searches, and the "right" the FCC is claiming to carry them out, sets yet another bad precedent - and further erodes the stature and significance of the 4th Amendment (and the protection it provides the public).

I'll be keeping a look out for a Court challenge to the FCC's claim...and report back here.

Wednesday, May 20, 2009

"Whole Body Imaging" - Get Ready to be Creeped Out

"Creepy" is about as apt a description as I can think of for the "Whole Body Imaging" technology - a device that photographs American air travelers as if stripped naked -currently being utilized at some of our nation's airports (and a lot more likely to come).

Here's a question: Did you know that if you're planning to fly soon you may also be digitally strip searched by airport employees? Up until now, the machines were mostly confined to being a voluntary alternative to being patted-down by an agent. However, several airports nationwide have already begun to mandate that all passengers pass through the high-tech machines.

Here's another question: Did you know that the Electronic Privacy Information Center (EPIC) has been trying to convince the Transportation Security Administration (TSA) for years that this gross violation of privacy isn't acceptable in a free society?
Unfortunately, the TSA has recently announced its plans to increase this technology's usage - rather than reduce - by requiring all air passengers be "screened" (i.e. "virtually" strip searched without notice) without exception.

This gives me a little pause, considering that the USA Today reported a TSA official as saying, "You can actually see the sweat on someone's back". But, as is so often the case with these kinds of technologies, the concerns go far deeper than what the technology itself does with the data it collects, but rather, what happens to that data once collected.

Before I get to CNN's article on this topic, let me direct you to the Privacy Coalition's campaign - led by EPIC - to suspend the use of "Whole Body Imaging" altogether. The campaign responds to a policy reversal by the TSA which would make the digital strip search mandatory, instead of voluntary as originally announced.

EPIC and others have, and will continue to argue that there are inadequate safeguards to prevent the misuse of these body images, and are urging Homeland Security Secretary Janet Napolitano to suspend the program and allow for public comment.

CNN reports:

"People need to know what's happening, with no sugar-coating and no spinning," said Coney, who is also coordinator of the Privacy Coalition, a conglomerate of 42 member organizations. She expects other groups to sign on in the push for the technology's suspension until privacy safeguards are in place. Right now, without regulations on what the Transportation Security Administration does with this technology, she said, "We don't have the policy to hold them to what they say. They're writing their own rule book at this point."


The system uses a pair of security officers. The one working the machine never sees the image, which appears on a computer screen behind closed doors elsewhere; and the remotely located officer who sees the image never sees the passenger.

As further protection, a passenger's face is blurred and the image as a whole "resembles a fuzzy negative," said TSA's Lee. The officers monitoring images aren't allowed to bring cameras, cell phones or any recording device into the room, and the computers have been programmed so they have "zero storage capability" and images are "automatically deleted," she added.

But this is of little comfort to Coney, the privacy advocate with EPIC, a public interest research group in Washington. She said she's seen whole-body images captured by similar technology dating back to 2004 that were much clearer than what's represented by the airport machines. "What they're showing you now is a dumbed-down version of what this technology is capable of doing," she said. "Having blurry images shouldn't blur the issue."


Coney said she and other privacy advocates want more oversight, full disclosure for air travelers, and legal language to protect passengers and keep TSA from changing policy down the road. For example, she wants to know what's to stop TSA from using clearer images or different technology later. The computers can't store images now, but what if that changes?


The option of walking through a whole-body scanner or taking a pat-down shouldn't be the final answer, said Chris Calabrese, a lawyer with the American Civil Liberties Union. "A choice between being groped and being stripped, I don't think we should pretend those are the only choices," he said. "People shouldn't be humiliated by their government" in the name of security, nor should they trust that the images will always be kept private. "Screeners at LAX [Los Angeles International Airport]," he speculated, "could make a fortune off naked virtual images of celebrities."

Bruce Schneier, an internationally recognized security technologist, said whole-body imaging technology "works pretty well," privacy rights aside. But he thinks the financial investment was a mistake. In a post-9/11 world, he said, he knows his position isn't "politically tenable," but he believes money would be better spent on intelligence-gathering and investigations.

Once again this argument seems to be wedged right between the clash of our society's insatiable desire to embrace just about any new technological innovation with the ongoing fight to protect the individuals right to privacy.

This issue also seems to fall into another common narrative for those of us that work in the privacy protection arena: Assuming we can't stop the usage of certain new technologies doesn't the public at least have the right to the strictest of oversight, a vigorous, open, and transparent public debate, and ironclad regulations in place?

I would echo the argument made by EPIC director Marc Rotenberg when he said: "One of the big issues is that most people don't understand that these devices are essentially digital cameras. We don't object to the scanning. The problem is that it is too easy for the TSA to record and store images."

The jury is still out on this issue...making it all the more important to check out the Privacy Coalition campaign website.

Click here to read the rest of the CNN article.

Monday, May 18, 2009

Internet Privacy Legislation Coming Soon...

One undeniable truth about the issue of protecting Internet privacy is that public policy continues to lag woefully behind technological innovation on the web, and we are in short supply of smart regulation.

Now, its not that comprehensive privacy legislation has not been tried in the past, because it has, and its failed. There are a lot of reasons for these failures, some of the more obvious nature, like the vast influence and wealth of those interests that oppose such regulations, like the telecommunications industry, be it cable, the telcos, or the Google's of the world.

Another reason that such legislation has been consistently stymied in Congress is the sheer number of Committees it must navigate through just to win a floor vote. Unfortunately for privacy advocates, the reality is that when attempting to regulate the Internet, a host of disparate Committees qualify as "related" enough to require passage through them, from Financial Services to Judiciary, among others.

With that said, the good news is that another major attempt to address this growing disparity between regulatory law and technological innovation is just around the corner. And from first look, it appears it might be a reasonable attempt to finally address what has become one of the holy grail's of the privacy movement: establishing "OPT-IN" as the standard and precedent, rather than this case, this includes how it pertains to behavioral marketing and data collection.

Saul Hansell of the New York Times reports:

But high on his list is a topic that is very much under his discretion: passing a bill to regulate the privacy of Internet users. “Internet users should be able to know what information is collected about them and have the opportunity to opt out,” he said.


But in what could be a big change from current practice, Mr. Boucher wants sites to get explicit permission from users — an “opt in” — if they are going to share information with other companies.


I spoke to Mr. Boucher on the day that Google announced its new plan to track data about customers for advertising. And I asked him about such behavioral targeting, which presents an ad based on what you did on other sites. “That would clearly need an opt in,” he said.

If that’s how a final law is written, it would significantly disrupt a fair number of advertising businesses. And lobbyists for Internet companies and trade groups told me they are preparing to “educate” Mr. Boucher on the benefits of targeted ads.


Of course, there is a very long way to go between a congressman saying he will introduce a bill and the President signing it into law. And other key House and Senate leaders who would be involved in any privacy legislation have yet to articulate clear points of view on the subject. Nor has the Obama administration said anything publicly whether it wants any new privacy laws. But there are certainly signs that the topic is of interest.

The stimulus bill attached tough new privacy controls to the electronic medical records provisions. And Jon Leibowitz, whom the president appointed to head the Federal Trade Commission, is a long-time privacy advocate.

I'm pleased about these developments for a couple of reasons. One, a dialogue and debate of this issue alone is an important step. Two, even if a bill doesn’t make it all the way to the president’s desk, it will no doubt push Internet companies to start taking privacy and the protection of its users data a bit more seriously in hopes of convincing Congress that no such legislation is needed. And three, unlike the past 8 years, we now have a President that I would bet the farm (I have no farm tough) would sign such legislation (in addition to a large Democratic majority that is both more receptive to privacy concerns and most definitely more knowledgeable and versed in Internet related issues than the "flat earthers" of the GOP).

Click here to read more.

Wednesday, May 13, 2009

Op-Ed: Who’s Watching The Watch Lists?

After living through 8 nightmarish years under the Bush regime its hard not to take seriously such government programs as our ever expanding Watch List. And let's be realistic here, we are NOT talking about a list full of hardened terrorists...if the Bush junta taught us anything, it was that ANYONE they considered to be a threat to their very narrow interests could be targeted -and even find themselves in a foreign torture chamber.

Some may not be aware that this Bush created "Terrorist Watch List" (still in existence of course) has eclipsed the 1 million "member" mark, and unlike with say, wealth accumulation, I don't really view this as a positive "achievement." The good news (and the bad), is that the FBI’s own Inspector General has just concluded a comprehensive study of the List - and the findings are troubling.

With that, I came across an op-ed by former Republican Congressman - and recent Libertarian candidate for President - Bob Barr. The piece is entitled "Who's Watching the Watch Lists?", and I think its well worth a read.

Barr writes:

...maintaining a list with more than 1,100,000 entries with only some 68,000 of those entries constituting “known or suspected terrorist identities” — which is what the current watch list is comprised of — is ridiculous. The first list was far too under-inclusive; the current list is far too over-inclusive.

A major part of the problem with the current Watch List, as identified by the Inspector General, is that controls designed to limit and evaluate what names and information go into the system, are simply not followed. For example, the audit found that:

Inaccuracies were rampant
Entries were incomplete
Watch list records are not consistently updated or purged
FBI field offices at times bypassed FBI headquarters in order to circumvent the quality-control mechanisms designed to maintain an accurate Watch List
Many Watch List entries contained information “unrelated to terrorism”

In fact, the audit revealed a process so disorganized that “the actual number of individuals the FBI nominated to the terrorist watchlist since its inception is unknown.”

It would be bad enough if all the inaccurate, irrelevant, outdated, and unnecessary information contained in the Terrorist Watch List related only to foreign persons. The problem is compounded greatly, however, because many of the more than one million entries contain names of and information about American citizens.

Now that we have a little more information to help us formulate a more educated opinion on the veracity of this "list", perhaps we can determine whether this program really serves our interests and those of our nation's security.

I would say it appears we have a two pronged problem. One, innocent people are being needlessly added to this list, and their privacy and own personal security threatened. And two, if the list is so disorganized, mismanaged, and error prone, it can also be concluded that a lot of ACTUAL TERRORISTS (if there even are that many) are probably rather easily evading it.

Of particular concern to those of us who make a habit of, let's just say, questioning authority, its less than re-assuring to ponder the prospects of being improperly placed on such a Watch List by a government that views us as a "threat". Suddenly facing the denial of air travel or a job because we couldn't pass a background check is nothing to scoff at.

Granted, such fears seem a lot less realistic under an Obama Administration than under Bush/Cheney, but that isn't the point. The point is that any such program - under any government - should be run efficiently, accurately, and with the individuals right to privacy playing an integral roll in how such a list is managed and utilized.

Let's hope the Obama Administration takes action to fix these flaws and the threat such programs pose to the privacy of American citizens.

Click here to read the rest of the article.

Tuesday, May 12, 2009

Op-Ed: Data Mining and the Death of Privacy

I probably should have mentioned here that I would be gone for 8 days on a rigorous privacy fact finding mission in Hawaii. Okay, it wasn't rigorous, and it had nothing to do with privacy, but I did snorkel and invade the privacy of numerous dolphins :)

At any rate, I am back from a much needed vacation, and ready to tackle the kinds of feel good stories we love to discuss here, from crimes against the Constitution, invasions of personal privacy by monolithic forces, to our rapidly (de) evolving Orwellian Society :)

Today's op-ed is a little over a week old, but it expands on some of the data mining issues that Bruce Scheier touched on in the last article I posted here. The piece was written by John C. Dvorak of PC Magazine, and entitled "Data Mining and the Death of Privacy".

As I said in my last post's introduction to Bruce Scheier's piece: Whether the issue is security breaches and identity theft, financial privacy and the banking lobby, e-health records, or cloud computing technologies, certainly one question that each can force the consumer to ponder is "Where is my data?"!

One last point, our friends over at the Privacy Rights Clearinghouse - a nonprofit organization that specializes in consumer information and advocacy - has some important recommendations for how to keep your data as safe as possible in today's information intensive world.

Most important, is for consumers to avoid putting all of their free-services eggs into one basket. For example, don't use all of Google's free services, such as gmail, google search, and google docs. Instead, use a free email service of one provider, and choose search from another provider, etc.

Now, with no further ado, here are a few choice clips and the link to today's article:

As you read this column, someone somewhere is probably lurking in your life, plowing through everything you do online to try to learn more about you. And while there are plenty of reasons why a person might want to do this, here's the most likely one: He or she is finding a way to rob you blind by selling you lots of stuff you probably don't need. Why do you acquiesce? Because this person knows your hot buttons well.

Deep information about individuals has always been the holy grail of marketers. If I know everything about your tastes, likes and dislikes, attitudes, and even casual thoughts, I'll bet I can find something you want to buy, and persuade you to buy it from me. Google is now the most dangerous company in the world, not only because it constantly acquires this deep information, but because it keeps striving to do it better and better.


Google has your search information; all the searches you've ever done are documented. It has all the e-mails you've written, and all your tweets are next. Not to mention your blog posts, spreadsheets, and who knows what else. No wonder the company's motto is "Don't be evil." Because the potential is certainly there.

Now I believe that Google does not want to be evil with all this data. It wants to sell advertising. Let's face it, who needs the aggravation of finding a way to exploit every little step you take? What difference does it make to Google whether you are pro-life or a vegan or a member of the alliance to save the red-crested hornbeam? There is some sales angle, yes, but nothing sinister, right?

Well, not on the part of Google. But what about others who may eventually get access to this treasure trove of data? What about a political party that wants to monitor the "enemy"? You have noticed that since the days of Dick Nixon the word "enemy" is used openly to describe the people who do not support the party in power, right? This is a term I do not take lightly. It's loaded and betrays the mind-set of the person using the term. It's not good.

As we see the continuing consolidation of, and even the possible monopolization of information technologies, the concern and fear that forces beyond our control have access to EVERYTHING we've nearly ever done will only will the likelihood that this "power" will be our expense.

Click here to read the rest of the article.

Friday, May 1, 2009

Bruce Scheier Asks (and answers as best one can): "Do You Know Where Your Data Is?"

Whether the issue is security breaches and identity theft, financial privacy and the banking lobby, e-health records, or cloud computing technologies, certainly one question that each can force the consumer to ponder is "Where is my data?"!

This year I've delved a bit into cloud-based documents (i.e. Gmail, Google Docs, Google Calendar, Picasa, and Google Desktop) and how they can be shared with unauthorized users (which lead to the Electronic Privacy Information Center urging the Federal Trade Commission to investigate Google's cloud security promises).

I've also focused quite a bit of attention on the continued efforts by the banking industry to overturn the nation's strongest consumer privacy protections - which gave Californians the right to stop banks and other financial institutions from sharing their personal information, including with “affiliates”.

I've also tackled issues like the sharing (and selling) of personal prescription records by third party marketers and drug companies, legislation that deals with identity theft, and a host of other "where is my data?" related topics.

With all this said, check out this outstanding op-ed in the Wall Street Journal entitled "Do You Know Where Your Data Is?" by privacy expert Bruce Schneier, chief security technology officer of BT and author of "Applied Cryptography" and "Beyond Fear" - among others (and he sits on the board of the Electronic Privacy Information Center).

Schneier expertly connects the dots for us:

Do you know what your data did last night? Almost none of more than 27 million people who took the RealAge quiz realized that their personal health data was sold to drug companies, who in turned used that information for targeted e-mail marketing campaigns.

There's a basic consumer protection principle at work here, and it's the concept of "unfair and deceptive" trade practices. Basically, a company shouldn't be able to say one thing and do another: sell used goods as new, lie on ingredients lists, advertise prices that aren't generally available, claim features that don't exist, and so on.

RealAge's privacy policy doesn't mention anything about selling data to drug companies, but buried in its 2,400 words, it does say that "we will share your personal data with third parties to fulfill the services that you have asked us to provide to you." They maintain that when you join the website, you consent to receiving pharmaceutical company spam. But since that isn't spelled out, it's not really informed consent. That's deceptive.

Cloud computing is another technology where users entrust their data to service providers., Gmail, and Google Docs are examples; your data isn't on your computer -- it's out in the "cloud" somewhere -- and you access it from your web browser. Cloud computing has significant benefits for customers and huge profit potential for providers. It's one of the fastest growing IT market segments -- 69% of Americans now use some sort of cloud computing services -- but the business is rife with shady, if not outright deceptive, advertising.


Facebook isn't much better. Its plainly written (and not legally binding) Statement of Principles contains an admirable set of goals, but its denser and more legalistic Statement of Rights and Responsibilities undermines a lot of it. One research group who studies these documents called it democracy theater: Facebook wants the appearance of involving users in governance, without the messiness of actually having to do so. Deceptive.

These issues are not identical. RealAge is hiding what it does with your data. Google is trying to both assure you that your data is safe and duck any responsibility when it's not. Facebook wants to market a democracy but run a dictatorship. But they all involve trying to deceive the customer.


For markets to work, consumers need to be able to make informed buying decisions. They need to understand both the costs and benefits of the products and services they buy. Allowing sellers to manipulate the market by outright lying, or even by hiding vital information, about their products breaks capitalism -- and that's why the government has to step in to ensure markets work smoothly.

Click here to read the rest of the article.