Thursday, July 30, 2009

Legislation to Limit "Deep Packet Inspection" Debated

A few weeks ago I wrote two fairly extensive posts on "deep packet inspection" (DPI) technology, Iran and China's usage of it to monitor its citizens and stifle dissent, American and European company's development and sale of this freedom crushing technology to those nations, the threat that it poses to consumer privacy (and the Internet itself) in OUR country, and how it all ties back to our own little Constitutional crisis known as warrantless wiretapping (read my post from a few weeks back on the latest revelations on that subject).

I suppose the good news is, and the reason I've chosen to do a third post on the subject, is Congress apparently has been paying attention to recent developments. Who knows exactly what it was that triggered this concern, but the technology has been getting a fair amount of not so good press coverage lately, including Amy Goodman's op-ed that was published on the topic a few weeks back, as well as her interview of Josh Silver, executive director of Free Press - an expert on the subject.

Before I get to the article about the legislation currently being debated in a Congressional subcommittee that would limit this technologies usage, let me detail briefly what it is again:

DPI technology is capable of tracking Internet communications in real time, monitoring the content, and deciding which messages or applications will get through the fastest. Further, the Iranians appear to be using DPI "to not only block communication but to monitor it to gather information about individuals, as well as alter it for disinformation purposes." And, the Chinese government is believed to be using it to implement its "Great Firewall," "widely considered the most advanced and extensive censoring in the world" -- an "arrangement that depends on the cooperation of all the service providers."

Now to the article in Top Tech News:

With more and more consumers always being warned about their identity being stolen, the federal government is looking at more ways to protect the actual identity of consumers. Earlier this year, the U. S. House Energy and Commerce Subcommittee held a hearing looking into what's known in the tech world as "deep packet inspection." If passed by Congress, the legislation would severely limit how Internet service providers monitor their customers.


"It also enables better compliance by Internet service providers with warrants authorizing electronic message intercepts by law enforcement. But its privacy intrusion potential is nothing short of frightening. The thought that a network operator could track a user's every move on the Internet, record the details of every search and read every e-mail or attached document is alarming," Rep. Boucher said.

Boucher thinks the legislation could be crafted to give law enforcement the ability to use deep packet inspection, but limit the uses when it comes to so-called "behavioral advertising." Behavior advertising has long been favored by some companies as a way to more effectively spend their advertising dollars. Instead of wasting money in places where ads will not be read by consumers, companies can tweak and target their ad messages more effectively, thus getting more for their advertising dollar.


"Will 'Big Brother' be watching? Will Internet companies gather and sell the information from all of us as an aggregated whole? Will they take our individual information and sell it marketers or worse?" he asked.

"Deep packet inspection will have a broad impact on the Internet," said Ben Scott, policy director of Free Press, the Center for Democracy and Technology and the Electronic Privacy Center in front of the House Subcommittee. "Without this technology, everything you do is sent through the network anonymously. E-mail, sports scores, and family photos -- the network doesn't know or care what you're doing. But with deep packet inspection, it's a whole new ballgame. This technology can track every click. Once a network owner can see what you are doing, they have the power to manipulate your online experience. They can sell your personal information to advertisers. They can block content. They can slow things down or speed things up," said Scott.

Click here to read the article in its entirety.

I'll be keeping an especially close eye on how this legislation progresses. Anytime a technology comes along with these kinds of privacy downsides, its critical to step in early with tough consumer protections. Its always harder to do so after the fact. There is no word yet as to when this legislation could come up for a vote, but lawmakers are hoping to have the legislation through Congress by the end of the summer.

Wednesday, July 29, 2009

Privacy Groups Launch Google Book Search Campaign

Last week the ACLU, Electronic Frontier Foundation, and the Samuelson Clinic launched their Google Book Search privacy campaign. This is one of the projects that ACLU-NC is working on as a part of their dotRights campaign.

Due to time constraints, the bulk of this text is straight from an email I received from the ACLU'S Nicole Ozer, the point person on this project.

On July 28th, the ACLU of Northern California, the Electronic Frontier Foundation, and the Samuelson Clinic at UC Berkeley sent a letter to Google CEO Eric Schmidt, demanding that the company take real steps to protect reader privacy before expanding its Google Book Search service.

The ACLU of Northern California and EFF also sent an action alert to their members, asking them to send letters to Google expressing concern. Click here for the ACLU's alert and go to EFF'S site for theirs.

The letter received extensive press coverage and members of the public have already started responding in very high numbers to the action alert.

* Check out the ACLU's resource page about Google books . EFF's site has one too.
* A blog post is also online at the ACLU of Northern California and at deeplinks at
*Check out the dotrights Facebook page .

Included below is the text and link to the action alert in case you would like to take action or help spread the word.

Don't Let Google Close the Book on Reader Privacy

What you choose to read says a lot about who you are, what you value, and what you believe. That's why libraries and the ACLU have long defended the privacy of readers. I'm writing now to ask your help in protecting reader privacy rights in the digital era. In the near future, Google is planning to dramatically expand its book service, Google Book Search.

The good news is that millions of books will be available for browsing and reading online. The bad news is that Google is leaving reader privacy behind. Without strong privacy protections, all of your browsing and reading history may be collected, tracked, and turned over to the government or third parties without your knowledge or consent.

Please take a minute to email Google CEO Eric Schmidt and demand that Google Book Search protect your freedom to read privately. You should be able to read about anything from politics to health without worrying that someone is looking over your shoulder. Demand that Google pledge to protect your privacy and not stockpile and share information about your reading habits.

The time is now to stop Google Book Search from becoming a one-stop shop for government fishing expeditions into the reading habits of Americans.

Please Take Action!

One last reminder, click here if you want to learn more about Google Book Search and the ACLU's efforts to protect user privacy.

Monday, July 27, 2009

Update: Legislation to Protect Consumer Privacy Appears to be Weakening

One undeniable truth regarding protecting consumer privacy on the Internet is that our public policy continues to lag woefully behind technological innovation. The good news is that Congress is attempting, once again, to address our nation's short supply of smart Internet regulation policies and consumer protections for web users.

In the past, all attempts to pass comprehensive privacy legislation have been killed by the sheer wealth, power, and influence of those corporate interests that oppose being regulated or having their profits reduced, like cable co's, the telcos, and the Google's of the world.

Another reason that such legislation has been consistently stymied in Congress is the relatively high number of Committees Internet related legislation must navigate through just to reach a floor vote, from Financial Services to Judiciary, among others.

With that said, the good news is that another major attempt to address this growing disparity between regulatory law and technological innovation is just around the corner. I remember a that a few months ago, the general consensus regarding this legislation's framework was that it was a solid bill that might even take on what has become one of the holy grail's of the privacy movement: establishing "OPT-IN" as the standard and precedent, rather than this case, this includes how it pertains to behavioral marketing and data collection.

Of course, there is a very long way to go between a congressman saying he will introduce a bill and the President signing it into law. And other key House and Senate leaders who would be involved in any privacy legislation have yet to articulate clear points of view on the subject.

Unfortunately for the legislation, as the PC World article I'm going to post notes, a controversial new study undercuts - in some peoples minds - the need for this legislation. From first glance, one way it does this is through the typical industry canard that argues since privacy advocates can't prove direct harm to consumers from data mining and collection, its not really a problem. I'll get to that straw man another time.

This is disappointing, because what I was looking for is a reaffirmation of the opt-in concept, as well as building momentum behind the legislation. It appears, in addition to this new study, legislators are already backing down on some of the most important privacy provisions that were being floated a few months back.

Here's a few clips from an article in PC World by Grant Gross of IDG News Service:

Legislation that would create privacy regulations for online advertising could cause consumers to get fewer free services and isn't necessary because privacy advocates have shown no harm from data collection, the co-author of a study on online advertising said.


While targeted advertising serves a useful purpose, consumers deserve to know who's collecting their data online and how it's being used, said Representative Cliff Stearns, a Florida Republican. Stearns predicted that Congress would release a draft of privacy legislation later this year. However, Stearns also called for lawmakers to move cautiously. Although some have called for legislation that would require online businesses to get opt-in approval from consumers before collecting any information, Stearns said such a rule would go too far.


Leslie Harris, president and CEO of the Center for Democracy and Technology, and Alan Davidson, director of U.S. public policy for Google, disagreed with the TPI paper's premise that there are trade-offs between privacy protection and data-based Internet services. Transparency about data collection is necessary, Harris said, so that consumers will have confidence in online services. Legislation is needed, she added, because in many cases consumers don't know how much information is being collected about them and how easy it is to identify an individual using a couple of pieces of data.

Online companies can protect user privacy and still deliver useful services, Davidson added. Privacy advocate Jeffrey Chester, executive director of the Center for Digital Democracy, called the TPI paper flawed. TPI's assertion that new privacy rules could cause major harm to online services is "an absurd, reductionistic, and intellectually-dishonest claim," Chester wrote on his blog.

"Consumer privacy laws are required to ensure that our financial, health and other personal transactions online are conducted in a responsible manner," Chester added. Anyone -- or group -- who believes that we can't have both privacy and a robust online marketplace is out of touch."

Click here to read the rest of the article.

On the bright side, just having this kind of rigorous debate on this topic is a good sign, and a step forward. Two, even if a bill doesn’t make it all the way to the president’s desk, unless its really been gutted, could push Internet companies to start taking privacy and the protection of its users data a bit more seriously in hopes of convincing Congress that such legislation isn't needed. And three, unlike the past 8 years, we now have a President that is exponentially more likely to sign such legislation. And four, Democrats have even larger majorities in both houses, and happen to also be far more receptive to privacy concerns and most definitely more knowledgeable and versed in the techie and wonky world of Internet policy than the GOP.

But in the end, what I suspect to come around the pike, if anything, will be a nearly unrecognizable bill that has been so watered down from months of big business lobbying and damaging amendments it will be barely worth supporting. But, that's my more pessimistic side. I'll follow its progress here of course...

Friday, July 24, 2009

Los Angeles Timed Editorial: Real ID -- a real pain

I know this editorial is about a week old, but for anyone that hasn't read it, I highly recommend you check it out...a hopeful sign to be sure!

It wasn't too long ago that the REAL ID program appeared to be dying a slow death from the steady drip of states voicing their opposition. Unfortunately, an improved yet totally unacceptable version of the act has been gaining steam in the Senate, no doubt buoyed by support from the President and Homeland Security Chief Janet Napolitano.

Little media attention has been given to this new proposal, or the threat it STILL poses to an individual's right to privacy, but perhaps that is beginning to change. Some background:

PASS ID would - just like Real ID - endanger victims of domestic violence by failing to adequately shield their addresses, raise fees associated with identification cards, expose consumers to identity theft and fail to improve our nation's security. In fact, PASS ID proposes to move forward on the one key component of REAL ID that privacy advocates were most opposed to: the creation of a national identification card.

Thankfully, the increasingly nimble and broad coalition of privacy organizations have joined forces to oppose the bill - rightly advocating for the repeal, not the reform of Real ID. Here's a few clips from the recent LA Times editorial, "Real ID -- a real pain":

The law mandates a tamper-proof card that would become the only acceptable form of identification for federal purposes, such as boarding a commercial airliner or entering a federal building. It was clumsily drafted in a way that imposes multibillion-dollar expenses on state governments, enhances opportunities for identity theft, turns state motor vehicle departments into arms of U.S. Immigration and Customs Enforcement and will almost certainly lead to harassment of immigrants, legal or otherwise. Though legislation has recently been introduced in Congress that would repair many of Real ID's faults, it doesn't go far enough. The best way to fix Real ID is to repeal it.


The states are in open revolt against Real ID because of its financial burdens, with 13 passing legislation refusing to participate in the program and at least as many more officially opposing it or considering legislation barring compliance (so far, California has been silent). This has prompted the Department of Homeland Security to repeatedly push back its deadlines.

Currently, states don't have to issue the new licenses until 2017, but they must certify that they are meeting benchmarks toward compliance by Dec. 31. If any state fails to do so, and most will, its residents won't be able to use driver's licenses as ID for boarding a domestic flight, instead being forced to produce a passport or other federally acceptable photo ID.This could cripple the nation's airports -- though it's highly unlikely that the Obama administration would allow that to happen. Unless Real ID is amended or repealed, Homeland Security Secretary Janet Napolitano is likely to push back the deadline once again.

Napolitano is backing a different solution, known as the Pass ID Act:S.1261:. Introduced last month by Sens. Daniel K. Akaka (D-Hawaii) and George V. Voinovich (R-Ohio), the bill was drafted at the behest of the National Governors Assn. and addresses most of the state-level concerns. DMVs would no longer have to verify birth certificates or home addresses, and they wouldn't have to create databases searchable by other states, which would greatly reduce the costs. What's more, the federal government would issue grants to cover most of the other expenses.

Pass ID is an improvement, but it still imposes risks and burdens that outweigh its national security benefits. It mandates storage of identity documents by state officials and immigration checks at the DMV. It complicates efforts by some states to issue driver's licenses to illegal immigrants, because such licenses would require special markings to signal that the bearer is here illegally. We don't oppose sensible measures to enforce our immigration laws, but anything that discourages undocumented immigrants from getting driver's licenses -- as Pass ID would -- endangers all drivers on the road and raises insurance costs for everyone.

Click here to read the rest of the editorial.

I also found an editorial in Indiana's "News Sentinel" published yesterday that makes a similar case as the Times. Its unusual for the mainstream media to publicly oppose laws that are being sold to us as critical to winning the phony "war on terror". The media, for whatever reason, appears to be a potential ally in the fight to defeat PASS ID and the concept of a national identification program. The Sentinel sums it up nicely:

So if we put everything into that one document – make it the be-all and end-all of identification for most Americans – what might we have? An invasion of ordinary citizens' privacy and phony documentation in the hands of identity thieves and potential terrorists that we believe too readily is authentic. This is something to talk about before a national ID becomes reality, don't you think?

For more, click here to read a recent post of mine in which I go into greater detail regarding the key similarities and differences between REAL ID with PASS ID.

Also, in case you were wondering, the privacy coalition opposing the new law includes: ACLU, Campaign for Liberty, Citizens Against Government Waste, Consumer Action, Cyber Privacy Project,, Inc., Electronic Frontier Foundation, Equal Justice Alliance, Leadership Conference on Civil Rights, Liberty Coalition, National Immigration Law Center, National Network to End Domestic Violence, Privacyactivism, Privacy International, Privacy Journal, Privacy Rights Clearinghouse, Rutherford Institute and U.S. Bill of Rights Foundation.

I'll be covering the legislation's progress right here...

Wednesday, July 22, 2009

The NSA's New "Expansion" Project and Data Mining Warehouse

I don't like focusing too much on any single issue here, as there are so many important privacy related stories to discuss. Nonetheless, revelations about the NSA's ongoing warrantless wiretapping program just keep popping up, and I believe it to be an issue that is fundamental to the future of our democracy - and the role "privacy" will play in it.

I mean, if we can't agree that our government does not have the right to listen in on our communications, what can we agree on? And, what do we stand for?

To understand how bad things REMAIN when it comes to this program, one must go back to the original FISA "reform" bill that Democrats caved in on back in July of 2008. Hailed in some quarters as a compromise, the new surveillance law was really nothing of the kind.

The bill was, in short, worse than granting absolute immunity to the telecoms: it was an effort to weaken the legitimacy of the federal courts by having a judge rubber-stamp the dismissal of cases against the telecoms without looking at the substance of what, in fact, was done.

Also under that original bill (which I will get to the part about how these concerns have now been proven correct), the government is now allowed to create new surveillance programs, each lasting a year, that focus on "persons reasonably believed to be located outside the United States." Provided that spying agencies do not "intentionally target" someone "known" to be in the United States, or intend to target "a particular, known person reasonably believed to be in the United States" (and with some other minor caveats), large-scale acquisition of data is permitted.

This was (and is) a radical break from the FISA regime created in 1978, and risks severe harm to Americans' privacy interests. The most important break with FISA is the absence of any individualized warrant requirement: it is now whole collection programs that are authorized and reviewed. And the abandonment of discrete, individualized legislative authorization and judicial review was only the first of the bill's troubling features.

The new provisions also allowed the government to create sweeping new programs that are formally targeted at overseas persons, but that predictably sweep in large numbers of people. The provision's loose language about targets - who do not in fact have to be overseas, only reasonably believed to be overseas - has given the government substantial latitude in crafting the parameters of its searches.

So that's a general summation of the problems I had with the original legislation (that is now law) last year. Glenn Greenwald of also chimed in at the time:

The ACLU specifically identifies the ways in which this bill destroys meaningful limits on the President's power to spy on our international calls and emails. Sen. Russ Feingold condemned the bill on the ground that it "fails to protect the privacy of law-abiding Americans at home" because "the government can still sweep up and keep the international communications of innocent Americans in the U.S. with no connection to suspected terrorists, with very few safeguards to protect against abuse of this power."

Rep. Rush Holt -- who was actually denied time to speak by bill-supporter Silvestre Reyes only to be given time by bill-opponent John Conyers -- condemned the bill because it vests the power to decide who are the "bad guys" in the very people who do the spying. Abolishing eavesdropping safeguards was the central purpose of the FISA bill. It was why Dick Cheney and Michael McConnell were demanding its passage. Yale Law Professor Jack Balkin at the time wrote:

Most Americans don't realize that the FISA compromise comes in two parts. The first part greatly alters FISA by expanding the executive's ability to wiretap and engage in much broader searches of communications than were permissible under the law before. It essentially gives congressional blessing to some but not all of what the executive was doing under President Bush. President Obama will like having Congress authorize these new powers. He'll like it just fine. People aren't paying as much attention to this part of the bill. But they should, because it will define the law of surveillance going forward. It is where your civil liberties will be defined for the next decade.

Now to the evidence regarding what in fact is happening today, and how this new law is being utilized by the Obama Administration. On Monday I posted the San Francisco Chronicle's editorial describing its concerns, and today, I can't help but post James Bamford's article in today, entitled "The NSA is Still Listening to You".

Bamford has authored three books on the NSA alone, including his latest, "The Shadow Factory: The Ultra-Secret NSA From 9/11 to the Eavesdropping on America."

Bamford writes:

This summer, on a remote stretch of desert in central Utah, the National Security Agency will begin work on a massive, 1 million-square-foot data warehouse. Costing more than $1.5 billion, the highly secret facility is designed to house upward of trillions of intercepted phone calls, e-mail messages, Internet searches and other communications intercepted by the agency as part of its expansive eavesdropping operations. The NSA is also completing work on another data warehouse, this one in San Antonio, Texas, which will be nearly the size of the Alamodome.

The need for such extraordinary data storage capacity stems in part from the Bush administration's decision to open the NSA's surveillance floodgates following the 9/11 attacks. According to a recently released Inspectors General report, some of the NSA's operations -- such as spying on American citizens without warrants -- were so questionable, if not illegal, that they nearly caused the resignations of the most senior officials of both the FBI and the Justice Department.

Last July, many of those surveillance techniques were codified into law as part of the Foreign Intelligence Surveillance Amendments Act (FAA). In fact, according to the Inspectors General report, "this legislation gave the government even broader authority to intercept international communications" than the warrantless surveillance operations had. Yet despite this increased power, congressional oversight committees have recently discovered that the agency has been over-collecting on the domestic communications of Americans, thus even exceeding the excessive reach granted them by the FAA.


Also troublesome is the fact that the FAA emasculates the Foreign Intelligence Surveillance Court, the one independent check and balance between the agency and the American public. Originally established as a response to the discovery by Congress in the mid-1970s that the NSA had been illegally eavesdropping domestically for decades, the FISA court required the government to show that there was probable cause to believe that its surveillance target was an agent of a foreign government or terrorist group in order to obtain a necessary warrant. But the new law does away with this requirement, and now the NSA does not even have to identify the targets of its surveillance at all as long as it is targeting people outside the U.S., leaving the agency free, for example, to target human rights activists or media organizations overseas, even if they are communicating with family or editors back in the U.S. As former NSA "voice interceptor" Adrienne Kinne told me in my book, "The Shadow Factory: The Ultra-Secret NSA From 9/11 to the Eavesdropping on America," the agency targeted both groups during the Bush administration, including eavesdropping on intimate bedroom conversations.


Among the most striking discoveries to come out of the Inspectors General report was that, despite the enormous expansion of the NSA's capabilities, including turning its giant ear inward for the first time in three decades, no one could point to any significant counterterrorism success. Instead, it warned that while the agency had little difficulty collecting vast amounts of data, the trouble was analyzing it all. It was a problem akin to Jorge Luis Borges' "Library of Babel," a place where the collection of information is both infinite and at the same time monstrous, where the entire world's knowledge is stored, but not a single word understood. In this "labyrinth of letters," Borges wrote, "there are leagues of senseless cacophonies, verbal jumbles and incoherences." In addition to the civil liberties and constitutional defects in the new surveillance law, another compelling argument against it is that it only increases the amount of "senseless cacophonies" in America's Library of Babel.

Click here to read the article in its entirety.

Once again, I must give special thanks to the ACLU. Today they are appearing in federal court charging that the new FAA statute is unconstitutional. As Bamford also notes, "While the FAA prohibits the agency from intentionally "targeting" people within the U.S., it places virtually no restrictions on the targeting of people outside the U.S. even if those targets are communicating with U.S. citizens and residents. The law essentially allows the agency virtually unfettered access to the international communications of innocent Americans in clear violation of the Fourth Amendment."

Monday, July 20, 2009

San Francisco Chronicle Editorial: Wiretapping STILL Wrong!

If nothing else, we had two major California newspapers editorialize in favor of privacy and civil liberties today, one against the REAL ID Act and another in favor of accountability for the government's warrantless wiretapping program.

For now, I want to focus on the San Francisco Chronicles editorial on wiretapping, and hopefully can get to the Los Angeles Times piece on REAL ID by Wednesday.

As we all should know by now, until exposed by the New York Times, the Bush Administration had an ongoing, four year program that illegally spied on Americans' communications without warrants. Since that time there have been numerous additional revelations regarding this program...with one after the next only adding to the degree to which it subverted our Constitution and most certainly broke the law.

Amazingly, these revelations CONTINUE to leak out, yet we have had no formal investigations or prosecutions to show for it - only a continuation and expansion of the Executive Branch's power to commit similar acts.

Recent Revelations and Reports

Today's editorial in the Chronicle should not come as that big of a surprise in light of recent wiretapping revelations. The first, came about two weeks ago with a new government report that disclosed that President Bush authorized secret surveillance activities that went beyond the previously disclosed NSA program – raising the prospect of additional unlawful conduct.

This new information has led to concerns in Congress about the agency’s ability to collect and read domestic e-mail messages of Americans on a widespread basis. Supporting that conclusion is the account of a former N.S.A. analyst who, in a series of interviews, described being trained in 2005 for a program in which the agency routinely examined large volumes of Americans’ e-mail messages without court warrants. Two intelligence officials confirmed that the program was still in operation.

Then we got another report, one that has only added to the building uproar (can it just explode already??) against this program and in favor of investigations and prosecutions. This new report, mandated by Congress last year and produced by the inspectors general of five federal agencies, found that other intelligence tools used in assessing security threats posed by terrorists provided more timely and detailed information. In fact, NOT ONE instance could be cited that demonstrated the wiretapping program prevented any attack of any kind, ever. Nor did it lead to the capture of any terrorists.

In light of these facts, one would think that the Obama Administration would come down somewhere at least close to the position that candidate Obama espoused on the campaign trail. Sadly, the opposite has been true. In fact, all we have to show as a nation since this program was exposed is additional protections (and retroactive immunity) to telecom companies for sharing our private information with the government, and more legal cover for the Executive Branch to carry out similar efforts in the future.

Giving telecom companies immunity - another one of Obama's flip flops - serves the dual purpose of protecting the politicians from having the telecom companies share what they know about THEIR crimes!

As a United States Senator, Obama was clear and correct in his assertion that the warrantless wiretapping program was illegal. And, the new Attorney General Eric Holder expressed the same view, both as a private citizen and at his confirmation hearing. As we now all know, both Obama and Holder have completely reversed themselves, by not only refusing to prosecute or investigate the program and/or those that carried it out, but have even expanded their defense of the program in some important key respects.

Another Route: The Courts

The next question - and avenue for privacy advocates to explore - has been in the courts. A few months back, Chief U.S. District Judge Vaughn Walker threw out more than three dozen lawsuits claiming that the nation’s major telecommunications companies had illegally assisted in the wiretapping without warrants program approved by President Bush after the 2001 terrorist attacks.

But, while he said the objections of the privacy groups were not strong enough to override the wishes of Congress, Judge Walker did show some sympathy for the plaintiffs’ claims. He had refused the government’s efforts to invoke the “state secrets” privilege and had moved toward compelling the Justice Department to turn over documents.

The Electronic Frontier Foundation and the ACLU are appealing the case - and perhaps this is where the San Francisco Chronicle Editorial comes into play: Judge Walker kept intact related claims against the government over the wiretapping program, as well as a suit by an Oregon charity that says it has evidence it was a target of wiretapping without warrants.

The Chronicle writes:

When it comes to wiretapping, Obama's position is mind-boggling. In this instance, Department of Justice lawyers are battling to bottle up a surveillance program that has San Francisco roots. One of the prime perches for spying on Americans making overseas calls was a so-called "secret room" in an AT&T office on Folsom Street. With no oversight from the courts or Congress, the telecom giant, along with others, siphoned phone calls and information to federal intelligence agencies after Sept. 11, 2001.

In the current case, several dozen phone customers are before a federal judge here asking that the government turn over data on eavesdropping. A prior suit against the phone companies for going along with the illegal surveillance was dismissed after Congress re-wrote domestic spying rules last year and indemnified the firms. Obama, then a senator, voted for changes in a surprising shift from his campaign-trail rhetoric that heavily criticized the abuses of civil liberties in the war on terrorism.

The Obama team is making the same arguments made by the Bush administration in denying it needs to explain anything. Allowing an open-court case will lay bare state secrets, your honor, and the country will lose a "crown jewel" piece of intelligence gathering, according to one Justice Department attorney. The spying may have been improper, but, sorry, we can't really talk about it.


The decision in his lap isn't an easy one. He can side with Obama lawyers and dismiss the case in the name of national security, a path that courts often take when confronted with a flag-waving invocation of homeland defense. Or he can open up a dark chapter in the nation's history to the plain light of legal examination. Such a decision would definitely roil the waters while the truth surfaces. But since the president won't do it, it's time the courts stepped in.

Click here to read the editorial in full.

What's more, the Obama Administration has really gone two steps further than Bush did in arguing AGAINST shining some sunlight on the government's illegal program by claiming that the US PATRIOT Act renders the U.S. immune from suit under the two remaining key federal surveillance laws: the Wiretap Act and the Stored Communications Act. In other words, the government cannot be held accountable for illegal surveillance under any federal statutes.

Various journalistic accounts have suggested that Bush’s spying program crossed the line from zeroing in on specific surveillance targets to “data-mining” a broad spectrum of electronic communications. It goes without saying this is unconstitutional, but more than that, it demonstrates that the program itself is less about fighting terrorism, and much more about stifling dissent, increasing Executive Branch power, and monitoring "enemies", be they political (anti-war rallies, political opponents, etc.), be they journalists, and sure, be they terrorists too.

As with nearly every Bush Administration crime, the “usual and criminal suspects” are refusing to be interviewed: former CIA Director George Tenet, former Attorney General John Ashcroft, former White House Chief of Staff Andrew Card; former top Cheney aide David Addington; and John Yoo, who served as a deputy assistant attorney general.

And there we are. Still fighting in the courts - this time against the Obama Administration and its patently ludicrous defenses - for some semblance of justice. I'll finish by quoting myself...and hope this finds its way to the desk of Judge Walker :)

To recap: according to the Bush and Obama Administrations, since citizens cannot show their messages were intercepted, they have no right to sue, because all such information is secret. And, disclosure of whether AT&T took part in the program would tip off our enemies, so we can't have that either. How convenient for the Government and their ongoing efforts to cover up gross Constitutional abuses! Government officials are not above the law. If we can continue to fill our jails with non-violent drug users and addicts certainly its not too much to ask that those responsible for breaking the law and subverting the Constitution must be accountable to the people too.

Friday, July 17, 2009

Pay as You Drive Proposals Threaten Privacy

The general concept behind "pay as you drive" programs - providing financial incentives for motorists who reduce their driving - is worthy. But to date, the consumer privacy concerns outweigh the benefits of such plans - at least as currently written.

As the Electronic Frontier Foundation (EFF) noted on Wednesday, one such proposal is being considered here in California, writing:

The California Department of Insurance (DOI) is considering regulations that would enable insurance prices to depend on the precise number of miles a car is driven in a given billing period. But in implementing these "Pay As You Drive" regulations, the DOI appears poised to empower insurance companies to require customers' cars to be outfitted with "black-box" devices that could transmit back to the insurance companies all sorts of data about car motion (acceleration, braking, and so forth) as well as driver behavior (steering and seat-belt wearing).

It was just last year that we (Consumer Federation of California) opposed a bill in the California legislature (AB 2800) that would have done something very similar: amend the mandatory insurance rating factors approved by the voters in 1988 as part of Proposition 103. Proposition 103’s proponent, Consumer Watchdog (formerly the Foundation for Taxpayer and Consumer Rights) worked for many years to win Department of Insurance regulations to implement the intent of the Proposition 103, which among other rating factors, was designed to reward drivers with reduced insurance premiums for driving less.

DOI rules to implement these provisions were adopted in 2006 and are only now taking effect. Proposition 103 requires insurance companies to base the auto insurance rates charged in California primarily on a motorist’s 1) driving safety record, 2) annual miles driven and 3) years of driving experience. Proposition 103 grants the Insurance Commissioner the authority to establish insurance rates through a ratemaking process, provided the rates are designed to further the intent of Proposition 103. The legislature has no authority to set rates under Proposition 103.

In 2006, then-Insurance Commissioner John Garamendi enacted new regulations to enforce the annual mileage factor and require insurance companies to restructure their auto insurance rates to fully comply with the voters’ mandate. At the same time, Commissioner Garamendi promulgated new rules to make it easier for insurers to verify the actual miles driven by their policyholders.

The problems we had with that bill (AB 2800), and the current efforts underway, are numerous. Most notably, it would have created an unfair system of insurance discrimination in which similarly situated policy holders would pay different prices. An insured driver who participates in an insurance company’s optional “green” plan would pay a lower insurance rate than a similarly situated policy holder who drove an identical number of miles but who did not participate in the same insurance company’s “green” plan.

If every other factor about the policy holders is the same, the fact that one is not a participant in a program would unfairly result in a higher premium under that original legislation. Under the current rules, insurers can offer real incentives for realistic mileage reductions. As long as the insurer continues to prioritize the impact of a driver’s safety record, nothing would stop an insurer from offering their insurance product as a legitimately Green Auto Insurance policy.

In order to facilitate insurers’ ability to confidently assess the risk associated with a customer’s mileage, DOI regulations grant insurers the authority to require customers to provide an odometer reading when the mileage verification rules were revised. Insurance companies were also given the authority to request, but not mandate, that customers comply with certain mileage verification requirements including the technological GPS devices contemplated in AB 2800.

As we argued at the time, the proper venue for modifying automobile insurance rates under Proposition 103 is through the rate-setting process of the Department of Insurance, not through legislation.

We won that argument, and now, the good news - if one can call it that - is the DOI has retreated from its prior position (and the threat posed by AB 2800) that these devices should track your location. As EFF points out, "it's still true that every car already has a reliable, tamper-resistant device that verifies actual mileage: an odometer."

But significant privacy concerns remain regarding collection of data on consumers’ driving habits, destinations and other information that is not germane to the objective of verifying the total miles driven.

Jennifer Granick of EFF explains:

...there appear to be no restrictions on what the insurance companies would do with that data — of course, when you drive on the public street, you lose some privacy. But 10 years ago, someone interested in your whereabouts would have had to decide in advance to follow you and then physically follow you. Black boxes can collect information pervasively, silently, and cheaply for any later use by the insurance company, private parties or the government. There is real danger that this information would not only be used to ascertain the political or associational affiliations of drivers, but also to charge more if you drive and park in neighborhoods with high vehicle theft and crime rates, to impose higher premiums for people who drive at night or to link your health insurance rates with location data that reveals your lunchtime trips to McDonald's.

In comments filed with the DOI this week, EFF has argued that it is unacceptable for insurance companies to coercively require customers to accept such devices in their cars, and that the proposed regulations be amended to permit drivers to participate in any verifed actual mileage program via other means (like your car's odometer). EFF also argued that location privacy requires, at a minimum, that the proposed regulations restrict collection of information to the minimum amount necessary, require that the driver be able to independently verify information collected and require that the insurer have an explicit policy about the use and storage of the collected data.

With that said, there is something you can do to protect driver privacy in California: Tell Insurance Commissioner Steve Poizner [contact info] that you agree with EFF's criticisms. Ask him why he wants to allow insurance companies to track drivers? Or how about this: Shouldn't you be tracking insurance companies instead? Thanks to EFF for their work and suggested actions....

Wednesday, July 15, 2009

Privacy Groups Join Forces to Oppose PASS ID

First the good news: the American Civil Liberties Union has joined 17 other civil liberties groups to oppose the Pass ID Act, a bill that intends but fails to fix the flawed Real ID Act of 2005 - which was designed to turn the state driver’s license into a national identity card.

The coalition letter was sent in preparation for a hearing scheduled for TODAY on the Pass ID Act and includes principles that should guide Congress in repealing, not fixing, the Real ID Act of 2005 so that effective driver’s license policy can be developed. While Pass ID eliminates many of the more costly Real ID requirements for the states, it leaves intact the same fundamental structure created by Real ID.

Click here for a recent fairly detailed post of mine comparing REAL ID with PASS ID.

As I have posted on here, I'm afraid to say that even as PASS ID represents a break from, and an improvement of REAL ID, it simply isn't an acceptable alternative to those that cherish privacy and are concerned with the ever expanding power of government in areas related to "national security". The fact is, PASS ID continues the one key component of REAL ID that privacy advocates were most opposed to: the creation of a national identification card.

And that is where my "bad news" comes into play. Not only is PASS ID unacceptable, but its also supported by President Obama and Homeland Security Secretary Janet Napolitano.

For the sake of today though, let's focus on this new 18 group and counting coalition opposing PASS ID, which includes, in addition to the ACLU: Campaign for Liberty, Citizens Against Government Waste, Consumer Action, Cyber Privacy Project,, Inc., Electronic Frontier Foundation, Equal Justice Alliance, Leadership Conference on Civil Rights, Liberty Coalition, National Immigration Law Center, National Network to End Domestic Violence, Privacyactivism, Privacy International, Privacy Journal, Privacy Rights Clearinghouse, Rutherford Institute and U.S. Bill of Rights Foundation.

Unfortunately, very little media attention is being given to this issue yet, or likewise, this coalitions efforts. So, let me communicate their primary concerns before I get to the rather dinky article by the Associated Press regarding this emerging privacy fight (which barely mentions them or their concerns).

These privacy advocates believe that in the most significant measures the Pass ID Act is the same as the Real ID Act. Beyond creating a National ID, both the bill and the law invade American’s privacy, endanger victims of domestic violence by failing to adequately shield their addresses, raise fees associated with identification cards, expose consumers to identity theft and fail to boost security.

Like the privacy groups, many states oppose the de facto national ID as a waste of state tax dollars that will put privacy at risk without any security benefits. Since the Real ID Act passed, 14 states have passed statutes barring participation and 24 states in total have rejected the 2005 law.

With that, here's a few clips from the Associated Press on Senate developments:

Leading senators from both parties expressed a willingness Wednesday to revamp the nation's stalled plan to secure driver's licenses in an effort to thwart terrorists. But some senators raised concerns about elements of a new plan supported by the Obama administration.


The National Governors Association estimates the current law would cost states $4 billion while the new plan could cut the costs to between $1.3 billion and $2 billion. Sen. Daniel Akaka, D-Hawaii, introduced the Pass ID legislation last month. Akaka and other members of the Homeland Security committee would like to get a version of the bill passed before the end of the year.


The Pass ID, by contrast, would not put the home addresses of victims of domestic violence or people in the witness protection program on licenses. Pass ID also would not require that birth certificates be confirmed with the agency that issued them...Unlike the Real ID plan, the Pass ID plan would not require that people have the new driver's licenses to board airplanes. Sen. Susan Collins, R-Maine, expressed concerned this could undermine the purpose of having a secure driver's license.


Under the current law, states have to certify by Dec. 31 they are complying with the Real ID standard to validate immigration status in order to issue a driver's license. Residents of states that don't follow the new standard will not be allowed to board airplanes with their driver's licenses after the end of this year. Napolitano said the Bush administration program is unrealistic because it's too expensive, and the technology necessary to meet the security standards is not available.


Civil liberties groups say the Pass ID would violate privacy rights in the same way the Real ID does. Twenty-four advocacy groups for privacy and other causes — including the American Civil Liberties Union, Citizens Against Government Waste and the National Network to End Domestic Violence — sent Congress a letter opposing both identification programs.

So it appears - while the worst is over (REAL ID) - the "national identification card battle" has been reignited. Stay tuned...

Monday, July 13, 2009

New Warrantless Wiretapping Revelations...and other High Crimes

A new government report has disclosed that President Bush authorized secret surveillance activities that went beyond the previously disclosed NSA program – raising the prospect of additional unlawful conduct. This new internal report reveals that Bush also played a direct role in instructing Alberto Gonzales and Andrew Card to go to former Attorney General John Ashcroft's hospital bed and urge him to personally approve warrantless wiretapping on Americans.

Perhaps most importantly, from a legal standpoint, is that Bush justified his warrantless wiretapping program by relying on Justice Department attorney John Yoo's theories of unlimited presidential wartime powers, and started the spying operation even before Yoo issued a formal opinion.

As Jason Leopold makes clear in his article in ConstiumNews:

Essentially, President Bush took it upon himself to ignore the clear requirement of the 1978 Foreign Intelligence Surveillance Act that all domestic intelligence-related electronic spying must have a warrant from a secret federal court, not just presidential approval. Illegal wiretapping is a felony under federal law.

Additionally, it also notes that...wait for it...the wiretapping program had NO identifiable counterterrorism successes!! And that it "generally played a limited role in the F.B.I.’s overall counterterrorism efforts". The Central Intelligence Agency and other intelligence branches also viewed the program, which allowed eavesdropping without warrants on the international communications of Americans, as a useful tool but could not link it directly to counterterrorism successes, presumably arrests or thwarted plots.


The July 10 report by the inspectors general of the CIA, National Security Agency, Justice Department and Defense Department also didn’t identify any specific terrorist attack that was thwarted by what was known as the President’s Surveillance Program (PSP), although Bush has claimed publicly that his warrantless wiretapping “helped detect and prevent terrorist attacks on our own country.”


Though the undisclosed elements of the PSP remain highly classified, the report gave some hints to its scope by noting that the program originated from a post-9/11 White House request to NSA Director Michael Hayden to consider “what he might do with more authority.”


In other words, the PSP stretched the limits of what the NSA could accomplish with its extraordinary capabilities to collect and analyze electronic communications around the world. Various journalistic accounts have suggested that Bush’s spying program crossed the line from zeroing in on specific surveillance targets to “data-mining” a broad spectrum of electronic communications.


Regarding the PSP, Bush’s White House guided the CIA in hyping the threat of more terrorist attacks, the inspectors general found. At the end of the first CIA-prepared threat assessment after 9/11, the chief of staff for CIA Director George Tenet added a paragraph saying the groups discussed in the memo “possessed the capability and intention to undertake further terrorist attacks within the United States,” the report said.

Tenet’s “Chief of Staff recalled that the [alarming] paragraph was provided to him initially by a senior White House official,” the report said. “The paragraph included the [CIA director’s] recommendation to the President that he authorize the NSA to conduct surveillance under the PSP.”

Having the CIA present as grim a terrorism threat as possible – producing what became known inside the government as the “scary memos” because they were made as scary as possible – was institutionalized as the PSP continued through periodic reauthorizations by Bush, the report said.


Yoo wrote that his ideas would likely be seen as violating the Fourth Amendment. But he said the terrorist attacks on 9/11 and the prospect that future attacks would require the military to be deployed inside the U.S. meant President Bush would "be justified in taking measures which in less troubled conditions could be seen as infringements of individual liberties."Yoo also wrote in the memo that domestic surveillance activities, such as monitoring telephone calls without a court's permission, might be proper notwithstanding the Fourth Amendment’s ban on the government conducting unreasonable searches and seizures, without court warrants.

Again, Jason Leopold's piece fits the larger framework that those of us who oppose this program outright have been constructing for years now: its obviously unconstitutional, but more than that, its really not about fighting terrorism, but much more about stifling dissent, increasing Executive Branch power, and monitoring its "enemies", be they political (anti-war rallies, political opponents, etc.), be they journalists, and sure, be they terrorists too.

From the latest article by James Risen and Eric Lichblau in the New York Times:

While the Bush administration had defended its program of wiretapping without warrants as a vital tool that saved lives, a new government review released Friday said the program’s effectiveness in fighting terrorism was unclear.

The report, mandated by Congress last year and produced by the inspectors general of five federal agencies, found that other intelligence tools used in assessing security threats posed by terrorists provided more timely and detailed information.

Most intelligence officials interviewed “had difficulty citing specific instances” when the National Security Agency’s wiretapping program contributed to successes against terrorists, the report said.

Watch Olbermann's interview the New York Times James Risen on Countdown regarding whether Bush altered CIA threat assessment to justify warrantless surveillance...

And, be sure to also watch Professor Jonathan Turley discuss the various legal implications of all this...and whether the Obama Administration is prepared to anything about it.

Jonathan has more at his blog, in a post entitled "Reports Shows Additional Undisclosed Surveillance Programs — And Likely Unlawful Conduct by Bush Administration". He writes:

A new government report has disclosed that President Bush authorized secret surveillance activities that went beyond the previously disclosed NSA program – raising the prospect of additional unlawful conduct by the Bush Administration. At the same time, a House member has revealed that CIA Director Leon Panetta has shutdown a program that was never revealed to Congress in direct violation of federal law. I will be discussing these stories tonight on MSNBC Countdown.

In a notable change, the report now describes the entire program as the “President’s Surveillance Program,” going beyond the domestic surveillance program. It also highlights the individual who is most accountable for criminal violations as well as the failure of the Obama Administration to allow investigations into unlawful surveillance or torture. As the evidence of such unlawful conduct mounts, the blocking of a criminal investigation by Attorney General Holder grows more serious as an abdication of his oath to uphold our laws.

Notably, the “usual suspects” refused to be interviewed: former CIA Director George Tenet, former Attorney General John Ashcroft, former White House Chief of Staff Andrew Card; former top Cheney aide David Addington; and John Yoo, who served as a deputy assistant attorney general. Given the potential incrimination prospects, they have at least acted in deference to the criminal code even as Holder appears to ignore it.

For those that want a quick rehash of the wiretapping issue, it all began with The New York Times article in December, 2005, that exposed an ongoing, four year program of the Bush administration that illegally spied on Americans' communications without warrants.

Since that time there have been numerous additional revelations regarding this mind numbing, illegal spying program orchestrated by a rogue government run by a mishmash of corporatists, neo-conservatives, and religious fundamentalists (among others)...all with one undeniable shared value: disdain for the Constitution.

It was only a month ago that a New York Times article by James Risen and Eric Lichtblau added to this increasingly tragic narrative almost exactly how one would have predicted: "recent intercepts of the private telephone calls and e-mail messages of Americans are broader than previously acknowledged".

Obama Administration Takes Bush Approach

Sadly, the Bush Administration's illegal warrantless wiretapping program is still alive and well, with the additional protection provided by giving retroactive immunity to the telecom companies for sharing our private information with the government, which serves the dual purpose of protecting the politicians from having the telecom companies share what they know about THEIR crimes!

But worse than that is how the same tactics utilized by Bush and Co. (of course, we don't know what they might have used it for compared to Obama) have been adopted by former critic, and current President, Barack Obama.

As a United States Senator, Obama was clear and correct in his assertion that the warrantless wiretapping program was illegal. And, the new Attorney General Eric Holder expressed the same view, both as a private citizen and at his confirmation hearing. As we now all know, both Obama and Holder have completely reversed themselves, by not only refusing to prosecute or investigate the program and/or those that carried it out, but have even expanded it in some important key respects.

Let me finish with Tim Jones, EFF's Activism and Technology Manager, who pointed out another important evolution of the Obama Administrations position on the power of the Executive Branch:

The Obama Administration goes two steps further than Bush did, and claims that the US PATRIOT Act also renders the U.S. immune from suit under the two remaining key federal surveillance laws: the Wiretap Act and the Stored Communications Act.

Essentially, the Obama Adminstration has claimed that the government cannot be held accountable for illegal surveillance under any federal statutes. The Obama administration's pro-secrecy -- and implicitly pro-warrantless-wiretapping -- stance has disappointed people who remember his campaign-trail criticisms of the last president's "wiretaps without warrants." After eight years of a growing security state, Obama was widely hoped to be the champion of badly eroded civil liberties.

The question now then is this: will this report and these latest revelations of Bush crimes change how the Obama administration views this program and/or whether to prosecute past lawbreakers? Would you be surprised if I said I'm not holding my breath?

Thursday, July 9, 2009

Privacy Concerns Abound Over Google's New ‘Net-based Operating System'

Here we go again. Google's continued "belligerence" when it comes to the issue of privacy begins to become a problem as the size and scope of this company, and the corner it has on market after market, keeps exponentially expanding. Now, I've posted a lot about Google's less than stellar record on privacy in the past, from their lobbying efforts in Congress, to cloud computing, and to its increasing usage and expansion of behavioral marketing techniques.

But please, this is getting to be an almost bi-weekly endeavor now. So let me give the proper backdrop by quoting yours truly:

It's inarguable that Google is rapidly becoming the official technology sponsor of the nation and globe. For the sake of argument, let's just accept this as truth, and assume this company's reach and breadth will only grow. With that in mind, it becomes paramount - and beholden on all those that relish privacy - to keep a close eye on this global leader's attention to this constitutional protection as it relates to their technological innovations.

While it might be an exaggeration to say that Google has been hostile to privacy advocates and their concerns, they've been resistant to say the least. Google has become a concern for advocates for a myriad of reasons, stemming from their lobbying activities to the actual privacy implications of some of their product lines.

So that's the initial framing I like to begin with when discussing Google. As I have established, the company has come under continual fire for its privacy policies for quite sometime. But, the ante has recently been raised with the company's efforts to persuade Congress that its so-called behavioral advertising - which targets users based on their browsing - doesn't pose a threat to privacy. For good reason: Congress is currently considering forcing Google to adopt an opt-in model where users must actively allow Google to collect or share browsing history and user data.

Google’s announcement Wednesday that it will release a new operating system that moves currently computer-based functions to its proprietary Internet “cloud” has brought a new round of questions and concerns to the forefront.

But here's where it starts to get really interesting. Consumer Watchdog, a nonpartisan, nonprofit advocacy group, "has obtained a “confidential” and “proprietary” Google presentation for lawmakers that touts Google’s commitment to “transparency,” but skirts tough questions about its secretive user data tracking, storage and sharing policies."

The group, as I have also posted about in the past, was given a grant to independently monitor Google's activities in Washington as well as in depth analyses of their products' privacy implications. For the past eight or so months, Consumer Watchdog has constructively attempted to engage Google on its privacy problems - and the initial signs have not been comforting.

Let me quote a few more choice clips from Consumer Watchdog's press release before I get to an excellent article on this breaking news from PC World:

Google increasingly spies on what consumers do online, including what web sites they visit; creates dossiers on users’ online behavior without their prior permission; then harvests this private information to sell hundreds of millions of dollars in advertising.

Consumer Watchdog posted the presentation along with an annotated version, prepared by an industry insider, that calls out Google’s deceptions. The group urged lawmakers and the Justice Department to view both versions and consider strict limits on how Google collects and uses its customers’ online behavior.

Click here to view the document

“The Justice Department should be worried when Google tries to obfuscate its data tracking capacity and reach rather than disclose all of it,” said Judy Dugan, research director of Consumer Watchdog. “Congress should demand that Google stop tracking Americans’ online behavior without their prior permission. Whatever Google does will quickly become the industry standard.”

The annotated version of the presentation notes that Google’s strangely labeled path to opting out of this invasive advertising is hidden beneath “layers of privacy policies,” that it takes seven clicks to install a permanent opt-out, and that watching all 38 of Google’s videos explaining its dense privacy policies takes 3.8 hours, nearly as long as Gone With the Wind.


Google’s new operating system could also comb users’ stored documents for information on what the company calls “interest categories.” The depth of this potential data collection is not mentioned in the Google spin document...(that) was provided by an anonymous industry insider familiar with Google’s lobbying who has provided other Google spin documents.


“Google should stop dodging, ducking and weaving when it comes to squaring its do-no-evil pledge with its cyber-spying and ‘confidential’ memos, said Dugan. “The company could eliminate all privacy doubts with a simple page-one button allowing users to affirmatively allow the company to track their personal online habits. Google’s refusal to do so appears to confirm that evading user privacy is essential to its business model.”

Kudos to Consumer Watchdog for their continued outstanding work exposing Google, both in terms of their political tactics and their product shortcomings (when it comes to privacy that is).

Now let's dig a little deeper into Google's new "net based, open-source operating system", and why it is raising questions among privacy advocates about the amount of personal data it will enable the company to collect.

Grant Gross in PC World writes:

Google already collects private data through products like its search engine and its Gmail e-mail service, as well as its AdSense advertising service. The Chrome operating system, to be rolled out on netbook computers next year, gives the company another avenue to collect and monetize personal information, privacy advocates said Wednesday.

"Competition in the OS market should always be welcome, but Google is the special case," said Marc Rotenberg, president of the Electronic Privacy Information Center, a privacy advocacy group. "It has become dominant across many essential Internet services -- search, mail, video, online apps and advertising."

Google has a growing profile of Web users and has been reluctant to support some privacy safeguards, Rotenberg added. For example, Google has been cool to proposals to require that online vendors get opt-in permission before collecting customers' personal data. Rotenberg called on antitrust officials in the U.S. and Europe to "view Google's entry into the OS market with enormous skepticism."

Jeffrey Chester, executive director of the Center for Digital Democracy, another privacy advocate, agreed. "I think the new OS has to be placed under the data collection x-ray by U.S. and E.U. privacy regulators and advocates," he said. "Any expansion into the marketplace by either Google or Microsoft should generate intense scrutiny, especially for the privacy implications."

Click here to read the rest of the article.

It goes without saying I'm in agreement with some of my privacy advocate friends quoted in the above article and press release. So rather than pontificate and repeat their points, let me leave you with five key questions Consumer Watchdog wants Congress to ask Google. Good stuff!

1. Why isn’t Google’s behavioral advertising opt-in rather than opt-out?
2. Why not prominently include a link allowing users to permanently opt-out of Google tracking?
3. 2008: Google says it has no plans to use behavioral advertising… [that] it doesn’t work. What changed?
4. Is Google’s behavioral advertising really about delivering more interesting ads or is it about expanding its data collection and targeting activities?
5. And just for fun… [Consumer Watchdog’s review: “Delicious, don’t-miss, nosy roommate spoof!”]

Wednesday, July 8, 2009

Privacy Concerns And the Cybersecurity Act

We all know that cyber attacks are a real threat in today's information age. We also know that if nothing else, the Obama Administration seems to be extremely technically literate. Those two facts are now coming together in the form of an official Cybersecurity strategy. Little yet is known about the details of the Administration's plan, but some initial signs point to a variety of possible concerns for privacy advocates.

The first hint came a week or so back when it was revealed that the Obama administration would proceed with a Bush-era plan to use National Security Agency assistance in screening government computer traffic on private-sector networks, with AT&T as the likely test site.

It should be noted that President Obama said in May that government efforts to protect computer systems from attack would not involve "monitoring private-sector networks or Internet traffic," and Department of Homeland Security officials say the new program will scrutinize only data going to or from government systems. Each time a private citizen visited a "dot-gov" Web site or sent an e-mail to a civilian government employee, that action would be screened for potential harm to the network.

This intrusion detection system is known as Einstein, a software program that monitors all government networks. That new system would be designed to not only detect intrusions, but also preemptively block them, preventing the sorts of cyberspying incidents that have plagued the government and military for more than a decade.

Of course this leads to some important questions: Can private data be shielded from unauthorized scrutiny? How much of a role should the NSA play in light of its involvement in warrantless wiretapping during Bush's presidency?

The Washington Post detailed some of the internal debates within the Obama Administration about these very questions:

Under a classified pilot program approved during the Bush administration, NSA data and hardware would be used to protect the networks of some civilian government agencies. Part of an initiative known as Einstein 3, the plan called for telecommunications companies to route the Internet traffic of civilian agencies through a monitoring box that would search for and block computer codes designed to penetrate or otherwise compromise networks.

AT&T, the world's largest telecommunications firm, was the Bush administration's choice to participate in the test, which has been delayed for months as the Obama administration determines what elements to preserve, former government officials said. The pilot program was to have begun in February.


The internal controversy reflects the central tension in the debate over how best to defend the nation's mostly private system of computer networks. The techniques that work best, experts say, require the automated scrutiny of e-mail and other electronic communications content -- something that commercial providers already do.

Proponents of involving the government said such efforts should harness the NSA's resources, especially its database of computer codes, or signatures, that have been linked to cyberattacks or known adversaries. The NSA has compiled the cache by, for example, electronically observing hackers trying to gain access to U.S. military systems, the officials said.


Ari Schwartz, a vice president of the Center for Democracy and Technology, was among a group of privacy advocates given a classified briefing in March on the Einstein program. The advocates wanted to ensure that officials had a plan to protect privacy and civil liberties, including shielding such personally identifying data as Internet protocol addresses. "We came away saying they have a lot of work in front of them to get this done right," Schwartz said. "We're looking forward to their next steps."


Bush administration lawyers determined last year that DHS had the legal authority to conduct the Einstein program, and could do so in compliance with existing wiretap and privacy laws, as long as appropriate policies were in place. Last fall, plans for the pilot were proceeding, former officials said. But in the Bush administration's final weeks, AT&T lawyers raised concerns about legal liability, they said. Then-Attorney General Michael B. Mukasey was willing to give AT&T written assurance that it would bear no liability for participating in the program, but both AT&T and the Justice Department agreed that the new administration should issue the certification, they said.

So, that was last week. Today I found another article on this critically important debate in Forbes magazine. Unfortunately, it appears that the more we learn about the direction of the Administration's Cybersecurity plan, the more it feels like the good ole' Bush years (and by that I mean privacy invasive, and civil liberties intrusive).

Andy Greenberg of Forbes reports:

Since Obama's landmark speech on cybersecurity in May, his administration hasn't revealed much about its long-percolating plans to shore up the government's defenses against hackers and cyberspies. But privacy advocates monitoring the initiative are already raising concerns about what they know and what they don't: the details that have trickled out--including the involvement of the National Security Agency--and the veil of classified information that still covers much of the multibillion-dollar project.

"It feels like the Bush administration all over again," says Pam Dixon, executive director of the World Privacy Forum. "Not enough people know the details about these programs to have a good public discussion. We all want good security of government systems, but you have to balance the cloak and dagger elements with civil liberties."


"The same folks are being potentially entrusted with cybersecurity who have already shown that they have no regard for the law," says Lee Tien, an attorney with the Electronic Frontier Foundation, a nonprofit group that sued AT&T for its involvement in those wiretapping programs. "It's troubling that the Obama administration would consider this sort of thing."

At issue is whether government monitoring of networks could lead to intrusion in the digital lives of private citizens, whether through monitoring their visits to government Web sites or by blurring the line between government and private networks, privacy advocates argue. Much of the critical infrastructure that President Obama has spoken of protecting, including the power grid and telecommunications, is owned by the private sector.


But the NSA has rankled others with its growing influence over government cybersecurity. In March, the DHS' top cybersecurity official Rod Beckstrom stepped down in frustration, noting in his resignation letter that the "NSA currently dominates most national cybersecurity efforts" and that "the threats to our democratic processes are significant if all top level network security and monitoring is handled by any one organization."

While the concerns over privacy and the NSA are valid, they could hamper the progress of the Obama administration's cyber plan, says James Lewis, director of the Center for Strategic and International Studies, which authored an influential paper aimed at shaping the president's thinking on cyber issues. "We have technologies that would greatly improve cybersecurity, but their use wouldn't be consistent with our laws on surveillance and privacy," Lewis says, pointing to statutes such as the Electronic Communications Privacy Act of 1986, which disallows wiretaps without a warrant.

Perhaps Obama's privacy promises can be taken at face value, but the trouble remains the lack of transparency around the initiative. This of course is a reoccurring clash: privacy versus national that isn't going away anytime soon. I will withhold judgement until more is known, but it goes without saying I'm not a big fan of the NSA or AT&T, and right now, these are the two pillars of this new monitoring program.

Click here to read the rest of the article.