Wednesday, October 27, 2010

EPIC Grades Obama on Privacy and Civil Liberties

Now, I've written in excruciating detail on this blog about what a total and complete disappointment President Obama has been on issues related to privacy and civil liberties. I never expected his actions as President to fully match his words as a candidate (and constitutional scholar!) - this is rarely EVER the case, particularly when it comes to issues related to national security - but the two seem to be diametrically opposed on nearly every issue.

Sadly, what has become an ironclad, and increasingly dangerous "rule of thumb" in this country, is that once a power is taken by the government (i.e. Patriot Act), or a civil liberty/constitutional protection erased, its gone...NO President, anymore anyway, once elected offers to "give" up power achieved by the President (s) before him. And boy oh boy has this remained true between the privacy eviscerating Administration of George W. Bush and that of President Barack Obama.

Before I get to some of what I believe are his greatest failings, let's get to the Electronic Privacy Information Center (EPIC) Privacy Report Card for President Obama released last week.

EPIC gave the Administration a grade of C in Consumer Privacy, B in Medical Privacy, D in Civil Liberties, and B in Cybersecurity. This year's grades are a drop from the grades given in EPIC's 2009 Privacy Report Card and reflect important privacy developments during the past year.

For me personally, the list of disappointments is getting, literally, too long for me to address these days. So forgive me for reaching back into my archives and getting some help...from myself.

We all know by now the Administration's whole-hearted embrace of Whole-Body-Imaging in airports. As we also now know, both Obama and Holder have completely reversed themselves on the issue of wiretapping, by not only refusing to prosecute or investigate the program and/or those that carried it out, but have even expanded their defense of the program in some important key respects. Telecom immunity? You bet. Justice for those spied on? Hell no.

We also now KNOW, that it was President Obama himself that worked behind the scenes to ensure that absolutely no meaningful reforms to the Patriot Act were adopted...essentially a complete reversal of his positions as a Senator and Presidential candidate. Strange, he doesn't lift a finger for things like the public option or the Consumer Protection Agency, but man, he's one tough customer when it comes to protecting the Patriot Act.

Its as if we're watching a debate between the eloquent, pro-civil liberties "Candidate Obama" and the just as eloquent, anti-constitutional authoritarian, President Obama.

Senator Obama branded the Patriot Act "shoddy and dangerous" and pledged to end it in 2003. In 2005, he pledged to filibuster a Bush-sponsored bill that included several of these exact components recently extended, calling them "just plain wrong" in a Senate speech. He argued:

"Government has decided to go on a fishing expedition through every personal record or private document -- through library books they've read and phone calls they've made...We don't have to settle for a Patriot Act that sacrifices our liberties or our safety -- we can have one that secures both."

But now let's hear from President Obama, who wrote in a letter that he was advocating IN FAVOR of the most abusive provisions in the Act to stand...the same ones he claimed were "shoddy and dangerous" as a Senator.

For instance, business and citizens groups can still have their records examined by the government with minimal checks on how the information can be used and more particularly used against. Individuals often based on flimsiest of evidence can still be targeted for monitoring and surveillance if suspected of being a potential terrorist.

Organizations and individuals can still be slapped with so-called roving wiretaps (taps that can be placed on an individual or group anywhere, anytime) again based on weak evidence or unfounded suspicion....

Now President Obama justifies keeping nearly all of Bush's terror war provisions in place with the standard rationale that the government must have all the weapons needed to deal with the threat of terrorism. If you think I'm confusing Bush and Cheney with Obama, sadly, you're wrong.

Then there was the Administration's radical interpretation and use of the "state secrets" privilege to block courts from hearing a host of information, from torture allegations to wiretapping claims. In other words, for the sole purpose of protecting those that committed crimes that the President vehemently criticized as a Senator and promised to address as a candidate.

We now know that the Administration is going along - in most respects - with the Bush policies of indefinite detention and military tribunals.

And as most are probably aware (I've posted on it recently), Obama is backing a bill that would require all Internet companies to be able to tap into any online communications that they enable.

Trust me, that's just a quick list I've put together...there are many more examples I could give. But for today's purposes, let's see some of what EPIC cites (surely much the same), and a few articles, namely from Computerworld, Networkworld, and Daily Tech.

But, in case you think I'm being too hard on the man, watch the Daily Show's fantastic run down of the Obama "constitutional scholar" candidate vs. Obama "constitution eviscerating" President:

The Daily Show With Jon StewartMon - Thurs 11p / 10c
Respect My Authoritah
Daily Show Full EpisodesPolitical HumorRally to Restore Sanity

Computerworld reports:

On the civil liberties front, for instance, there were high expectations that changes would be made to many programs, including the Patriot Act, the Fusion Centers that were created for sharing intelligence information between local and federal agencies, no-fly lists and the Real-ID national identification program. All of those were programs inherited from the Bush administration, and a year ago it was too early to assess what impact the new administration would have on them, he said.

The fact that little has changed a year later is surprising given the early expectations, Rotenberg said. The Obama administration's failure so far to set up an advisory board for monitoring key issues such as the airport full-body scanner program is troubling, he noted. So too is its relative inaction around controversial programs such as the Patriot Act and the Fusion Center initiative, he said.

Rotenberg also criticized what he claimed has been the Federal Trade Commission's less than aggressive approach in dealing with serious consumer privacy issues stemming from the use of technologies such as Facebook and Google's Buzz and Street View.

Read more here.

Daily Tech also honed in on the numerous outright reversals by the President:

More controversial, however, is the domestic spying efforts closely tied to the terrorism. Namely the National Security Agency (NSA), under the Patriot Act of 2001, was given the right warrantless wiretaps of calls between U.S. and foreign citizens. That alone was controversial enough, but an expose in The New York Times showed that domestic calls between two U.S. citizens were also being intercepted, in what the NSA dubbed an "accident".

A special Obama administration task force consisting of U.S. Department of Justice, Department of Commerce, NSA, Federal Bureau of Investigations, local law enforcement, and more is looking to reinforce warrantless wiretap. The move is perhaps unsurprising, considering that the council shares many of the same experts that mastermind President George W. Bush's original Patriot Act.


Under the proposed changes, telecoms would be mandated to not only prepare for such instances, but also for warrantless wiretapping as spelled out under the Patriot Act. Those telecoms who complied fully would be rewarded with undisclosed incentives, while those who resist or were slow to comply would face fines or other penalties.


Previously detailed nuances of the plan call for the government also to gain new warrantless surveillance powers over other communications resources such as email (e.g. Gmail), text messages (including encrypted services, like RIM's), social networks (e.g. Facebook), and internet forums.

Read more here.

Now to perhaps the most comprehensive article on the subject, NetworkWorld reports:

It's grade card time and President Obama earned a big fat D as is doomed civil liberties, as in does have unchecked authority to kill you, and as in dangerous and overreaching state secrets arguments. It's sad how our right to privacy seems to be decreasing while the government's right to keep secrets seems to be growing. EPIC (Electronic Privacy Information Center) released the 2010 Privacy Report Card (PDF) for the Obama Administration, giving Obama a "D" grade in Civil Liberties. Why? For the same reasons that the ACLU argues that the president does not have the unchecked authority to kill you, and EFF warns that the government is singing the same old state secrecy tune about wiretapping.


The ACLU is fighting against targeted killing and death without due process. Due to state secrets privilege, if you even found out that you were targeted by the CIA to be killed, you couldn't even fight it in court because to mention state secrets jeopardizes national security. You see, the government keeps secret "kill lists," but the Obama administration says that it's a state secret who they plan to assassinate. Former Director of National Intelligence agreed that the government has a license to kill Americans that are secretly labeled terrorists. Since the Obama administration has asserted its authority to carry out "targeted killings" of U.S. citizens outside armed conflict zones, the ACLU is arguing that President Obama does not have unchecked authority to kill you.


The state-secrets doctrine seems as out of control as does what is happening to privacy, civil liberties and human rights during the War on Terror. Just look at how many people in peace groups or activists that have wrongfully been put on watchlists or been labeled as a terrorist. Spying on free speech is at Cold War levels! How soon before speaking out for civil liberties, privacy, freedom is also considered low level terrorism? At the rate things are going, could people who are activists, who are considered "low level terrorist" start to be targeted? In 2009, research showed that 10 or more civilians die for every terrorist killed by drone missiles. If the "CIA's Predator drones targeting software was pirated" and faulty, so that it might "possibly miss its target by as much as 40 feet," could the government then say oops, the software steered it wrong and take out even more alleged enemies of the United States? Would that too be considered a "state secret?"


EFF wrote that the state secrets privilege amounts to an immunity for government law-breaking. The "government has made the same dangerous and overreaching state secrets arguments in the domestic warrantless wiretapping cases." The court had dismissed the legality of the NSA's warrantless dragnet surveillance program "because so many Americans have had their communications and communications records illegally obtained by the government, no single person has legal 'standing' to challenge the ongoing program of government surveillance. In other words: if everyone is being spied on, no one can sue." EFF argued (PDF),"that ruling risks creating a perverse incentive for the government to violate the privacy rights of as many citizens as possible in order to avoid judicial review of its actions." The government says "the same thing it has been arguing for the past five years in every other warrantless wiretapping case: that any attempt by the courts to judge the legality of the alleged surveillance would violate the state secrets privilege and harm national security."

And now the government wants to wiretap the web.

Click here to read more.

To repeat one of my past "conclusions" on this blog: Look, fear as an argument, no matter how ludicrous or exaggerated, trumps privacy these days, as least when it comes to coverage in the corporate media, or positions taken by the entire Republican Party and probably a majority of the Democrats - and now clearly this President.

I find it particularly dismaying that the tables have been so turned that the onus (and derision) has been placed on those that simply believe the government, or corporate America for that matter, should not have access to everything we do, particularly when we have committed no crime. Now we must prove that whatever the latest power the government seeks to enshrine as law won't stop an attack (and if we can't prove this negative, we are endangering Americans!) or how it could specifically harm us...rather than the onus being on those seeking to circumvent our privacy and rights in the name of "national security."

If we can all go back in time for a minute, and remember those dark days of the Bush Administration (i.e. all of them), we should also remember the consistent, vehement, and vocal opposition from the left of Bush assaults on privacy and the constitution, from eavesdropping, to indefinite detention, to state secrets, to the Patriot Act abuses, and so, and so forth.

This vehement opposition was of course warranted, and important. But now that Obama is President, and CONTINUING THESE POLICIES, the same outcry that once existed has become a whimper. No, I'm not talking about groups like the ACLU or EFF, but certainly Democrats in Congress, left wing talk radio, and even newspaper editorial boards.

And why is this silence so damaging? Because a so called "liberal" President, a constitutional scholar no less, has now codified what just a few years ago were rightly considered radical attacks on the Constitution and Rule of Law. Now those very same policies have not only been embraced by the new President, but has been accepted by the Democrats in Congress!! In other words, the ball has just moved WAY towards the neoconservative worldview, and their interpretation of an all powerful Executive Branch.

The idea that because Obama is more intelligent, measured, and schooled in constitutional law than Bush (all of which is true), that this somehow means we should entrust him with near unchecked powers, be it wiretapping, assassination of American citizens, or indefinite detention, is patently absurd. Even if it were true that he would use these powers wisely (which is impossible), what's to say the next President will too?

Glenn Greenwald articulated my point (one I've been making here for quite some time) perfectly in a post of his today, stating: Here again, we see one of the principal and longest-lasting effects of the Obama presidency: to put a pretty, eloquent, progressive face on what (until quite recently) was ostensibly considered by a large segment of the citizenry to be tyrannical right-wing extremism (e.g., indefinite detention, military commissions, "state secrets" used to block judicial review, an endless and always-expanding "War on Terror," immunity for war criminals, rampant corporatism -- and now unchecked presidential assassinations of American citizens), and thus to transform what were once bitter, partisan controversies into harmonious, bipartisan consensus...

Let's all try to ensure that this is NOT one of Obama's lasting legacies.

Thursday, October 21, 2010

Pilot Protests "Digital Strip Search" Machines and How to Opt-Out Yourself

Just about everybody who reads this blog even on an occasional basis knows I have covered the issue of airport body scanners (also known as "whole body imaging") extensively here. Before I get to two very interesting articles today, one on an airline pilot being punished for refusing to go through one himself and the other about a journalist's first hand experience choosing "option b", let me go over a few of the basics.

Most important to understand is that these machines essentially allow airport security to see through your clothing, producing images of digitally naked passengers. Now, I don't want to rehash all that I have written on this subject before because there's a lot I want to get to today, so to find out most everything you need to know about these machines and their privacy implications (among other issues with them), check out my article "The Politics of Fear and Whole Body Imaging" (from January 2010), or check out some of my past posts on the subject, here, here, and here.

To date, my focus has primarily been on
(see my former posts for answers to these questions):
A. whether being viewed essentially naked just to board a plane is in itself a violation of privacy,
B. whether these scanners actually make us "safer",
C. whether the irrational fears of a terrorist attack warrant the increasing encroachments on our civil liberties and quality of life,
D. whether these images are actually protected and won't be somehow shared or saved, E. what forces and corporate interests have the most to gain from pushing this ever expanding surveillance state, and,
F. what does all this mean for the airline passenger - particularly if he/she chooses NOT TO be subjected to these machines (i.e. aggressive pat down)?

As I mentioned above, my past posts answer these questions in detail, and let's just say in each case its much worse than you probably could imagine. I'll summarize some of this at the end of today's blog, but let's get to these two stories that I think add to this ongoing "debate".

First, the Memphis newspaper the Commercial Appeal covered a recent incident with no less than an airline pilot. Wayne Risher reports:

ExpressJet Airlines first officer Michael Roberts drew a line in the sand last Friday morning at Memphis International Airport security Checkpoint C. He left the airport without boarding a flight to his duty base in Houston, refusing a full-body scan and its alternative, a manual pat-down, by Transportation Security Administration

On Tuesday, Roberts, 35, was waiting to find out whether his protest would cost him his job. I'm not trying to throw down the gauntlet with the federal government per se," he said. "I just want to be able to go to work and not be harassed or molested without cause."

"I just kind of had to ask myself 'Where do I stand?' I'm just not comfortable being physically manhandled by a federal security agent every time I go to work." TSA spokesman Jon Allen, citing privacy considerations, wouldn't confirm that Roberts was the person who was turned away by airport police after refusing to comply with TSA security procedures. Roberts was wearing his pilot's uniform and identification at the time.


Roberts said he's not minimizing the importance of tight security to protect air travelers, but he said he doesn't believe TSA has the answer. "I have those (security) concerns as well, but I don't believe this approach is a necessary or effective way to mitigate the threat."

He called TSA a "make-work" jobs program combined with a feel-good effort "to give us a false sense of security to let us believe the folks in Washington are keeping us safe."

Click here to read more.

Before I comment on that, let's get to the article by Mike Adams from the magazine Natural News entitled "How to opt-out of the TSA's naked body scanners at the airport"(another issue some have with these machines is the potential health risks, which are unproven, but nonetheless worth notice). This is of particular interest to me because numerous women commented on a past blog post of mine on how people are treated if they choose to opt-out. Their stories are NOT REASSURING.

Adams, known as the Health Ranger writes:

I encountered my first airport naked body scanner while flying out of California today, and of course I decided to "opt out" of the scan. You do this by telling the blue-shirted TSA agents that you simply wish to opt out of the body scanner. Here's what happened after that:

A TSA agent told me to step to the side and stay put. He then proceeded to shout out loudly enough for all the other travelers and TSA agents to hear, "OPT OUT! OPT OUT!" This is no doubt designed to attract attention (or perhaps humiliation) to those who choose to opt out of the naked
body scanner. I saw no purpose for this verbal alert because the same TSA agent who was yelling this ultimately was the one who patted me down anyway.


Speaking of the naked body scanners, as I was having my crotch swept by the back of the hand of this TSA agent, I was observing other air travelers subjecting themselves to the naked body scanners. They were told to walk into the body scanner staging area and then hold their arms in the air in a pose as if they were under arrest. They were told to freeze in this position for several seconds (perhaps 10 seconds) during which they were being blasted with ionizing radiation that we all know contributes to cancer.

The TSA, of course, will tell you that these machines can't possibly contribute to cancer. But they said the same thing about mammograms, and we now know that mammograms are so harmful to women's health that they actually harm ten women for everyone one woman they help ( So I'm not exactly taking the U.S. government at its word that naked body scanner radiation is "harmless."

As these air travelers were being scanned, their naked body images were appearing on a screen somewhere, of course. Some TSA agent was examining the naked body shape and contours of all these people, and even though we were told by the TSA that the image viewing machines cannot store images, we have since learned that the machines actually do have the capability to store those images ( In addition, rogue TSA employees could simply use their cell phones to take snapshots of what they see on the screen. There are no doubt rules against such behavior, but it's bound to happen sooner or later.

Meanwhile, my own security
screening was proceeding fully clothed. I don't want to broadcast my naked butt cheeks on the TSA's graphic monitors, thank you very much!


The most fascinating part about this entire process was not the verbal broadcast of my opt out status, nor having my crotch swept by the latex-covered back hand of some anonymous TSA agent, but rather the curious fact that I was the only one opting out. Although I must have watched at least a hundred people go through this particular security checkpoint, there wasn't a single other person who opted out of the naked body scan.

They all just lined up like cattle to have their bodies scanned with ionizing radiation. To me, that's just fascinating. That when people are given a choice to opt out of being irradiated, they will choose to just go along with the naked body scan rather than risk standing out by requesting to opt out.

You see, I'm not convinced that the TSA's naked body scanners enhance
air travel security at all. Previous security tests conducted by the FAA show quite clearly that the greatest threat to airplane safety isn't from the passengers but from ground crews, where bombs and other materials can be quite easily smuggled onto planes.

But even though naked body scanners may not enhance air
travel security, they do accomplish something far more intriguing: The successful completion of an experiment in human behavior. If you were to pose the question "Will people line up like cattle to be electronically undressed in front of government security officers?" The answer is now unequivocally YES!

Most people, it turns out, will simply do whatever they're told by government authorities, even if it means giving up their privacy or their freedoms. Almost anything can be sold to the public under the guise of "fighting terrorism" these days, including subjecting your body to what is essentially a low-radiation CT scan at the airport!

I don't know about you, but I don't think I should be required to subject myself to ionizing radiation as a condition of air travel security. Of course, the more technically minded readers among you might counter by saying that high-altitude travel is, all by itself, an
event that subjects you to low levels of ionizing radiation (which is true). But that's all the more reason to not add the body's radiation burden any more than necessary. Americans already get far too much radiation from CT scans and other medical imaging tests (not to mention mammograms). Do we really need to dose peoples' bodies with yet more radiation every time they board an airplane?

Click here to read more.

Let's start with the obvious: there are a myriad of reasons to oppose the widespread use of these scanners, from privacy to cost to practicality to slowing down our run away "fear industrial complex".

As I have argued over and over, including in my speech about the costs of war, we would do well to rethink the words "safe" and "secure". In this instance, what about the concept of "safe" from government intrusiveness and corporate profiteering off fear peddling? Considering the ACTUAL threat posed by terrorists, and the ACTUAL need for these machines, I would argue such intrusion makes us less safe, not more.

Remember, the likelihood that I'll get hit by lightning in one year is 500,000 to 1 while the odds I'll be killed by a terrorist on a plane if I flew constantly over 10 years is 10 million to 1. Does this laughably minuscule risk warrant yet another civil liberties encroachment? Does this irrational fear of being blown up in a plane really warrant supporting wars on countries that did nothing to us, or in this case, wasting HUGE amounts of money on ineffectual security systems?

Again, quoting past blogs I've written, "The bottom line is a rather stark one: Is the loss of freedom, privacy, and quality of life a worthwhile trade-off for unproven protections from a terrorist threat that has a 1 in 10 million chance of killing someone over a ten year time period?

Does this "fear" warrant increasing the already long list of airline passenger indignities?

Could all this hype be just another way to sell more security technologies, soften us up for future wars, increased spending on the military, and the evisceration of our civil liberties? I think, at least to an extent, the answer is yes.

For these reasons and more, privacy advocates continue to argue for increased oversight, full disclosure for air travelers, and legal language to protect passengers and keep the TSA from changing policy down the road. Again, what's to stop the TSA from using clearer images or different technology later?

Are we really to believe the government won't allow these devices to record any data when the easy "go to" excuse for doing so will be the need to gather and store evidence? What about the ability of some hacker in an airport lounge capturing the data using his wi-fi capable PC - and then filing it to a Flickr album, and then telling of its whereabouts on Twitter?

Now, as to the points made by the journalist from Natural News, and add that to the numerous women who commented on a post I did back in July about their experiences, I think a pattern is becoming that appears to be a very concerted effort by airport security to force people to go through the body it through making the alternative body search even more intrusive and uncomfortable, shaming and embarrassing those that refuse, or simply trying to say that they have to, when they don't.

Look, if our two choices are being digitally strip searched, or aggressively felt up, then perhaps a growing consumer backlash against the machines may take shape. At the end of the day, if the flying public revolts against these scanners it will be monumentally more difficult to justify their exorbitant costs.

In Europe they've added another reason to oppose these scanners: it violates child pornography laws. If there is some kind of global public revolt underway, if we are to take the article in Natural News as an indicator, it isn't happening in America - yet.

For me personally, its about more than all the individual points I've made from not making us safer to invading our privacy. This issue matters, as does so many other privacy related debates, because it highlights the way we are allowing "false fears" to drive too much of our public policy decisions and to adversely and artificially influence and affect our lives, opinions, and emotions. Fear is not a principle or pillar to build a healthy society around, particularly when those very fears are being magnified and sold to us by those that have ulterior motives to exaggerate threats.

The trend-line since 9/11 has been all too clear...and we're headed, rapidly, in the wrong direction. Whole Body Imaging is just one piece of a much larger puzzle that indicates privacy as both a right, and an idea is under assault. Lines in the sand must be drawn. Digital strip searches is one of the places we should draw one.

Monday, October 18, 2010

Facebook, Privacy, and the Department of Homeland Security

For a virtual book's worth of posts I've done in the past on Facebook's rather strained and adversarial relationship with privacy just put in "facebook" in the search box in the upper left corner and click search. Due to time constraints (been keeping me from posting here as much as I'd like), rather than rehash all of Facebook's "attack on privacy greatest hits", I want to get straight to what privacy expert Bruce Schneier had to say on the issue last week and then get to some recent revelations coming from documents obtained by the Electronic Frontier Foundation indicating the Department of Homeland Security is big on social network surveillance.

First, Bruce Schneier on how social-networking sites deliberately encourage people to disclose personal details about themselves so the sites will have content to sell to advertisers.

Zdnet reports: "These CEOs are deliberately killing privacy — it's their market — and Facebook is the worst offender," Schneier told reporters at RSA Conference Europe in London. "In the end, Facebook will do its best by its customers, who aren't you [but advertisers]."


Schneier added that people "shouldn't be surprised" that a service paid for by third parties is acting in the interests of those third parties.

Earlier in the day, the security expert said in a conference keynote speech that many social-networking sites only give limited options for privacy. For example, Facebook does not make it easy to delete posts, and those posts are shared with a wide variety of people, Schneier noted.

He told the press conference that organisations are collecting increasing amounts of data on people, to the detriment of privacy. While technical solutions implemented by ISPs would go some way to improving internet privacy, governments should ultimately shoulder the responsibility, he said. "I would like to see governments pass broad data-protection laws," Schneier added.

Now, coupled with Schneier's remarks, I found this bit of related, and concerning news.

Documents obtained by the Electronic Frontier Foundation reveal two forms of tracking: First, surveillance of social networks to investigate applicants for citizenship, and second, the Homeland Security Department's use of a "social networking monitoring center" to collect and analyze public communication during the period of President Obama's inauguration.

A May 2008 memo (obtained by the EFF through a Freedom of Information Act request) by officials at U.S. Citizenship and Immigration Services, a unit of DHS, encourages security employees to "friend" citizenship petitioners on social networking sites as a means of ferreting out fraud.

"Many of these people accept cyber-friends that they don't even know," the document says. "This provides an excellent vantage point for FDNS (Office of Fraud Detection and National Security) to observe the daily life of beneficiaries and petitioners who are suspected of fraudulent activities."

Here's more from EFF:

Of the two disclosures, the citizenship verification initiative is perhaps the most disconcerting, both for its assumptions about people who use social networking sites and for its potentially deceptive and unethical approach to collecting information. Specifically, the disclosure contains a May 2008 memo by the U.S. Citizenship and Immigration Services (USCIS) entitled Social Networking Sites and Their Importance to FDNS [Office of Fraud Detection and National Security] [PDF] which states:

Narcissistic tendencies in many people fuels a need to have a large group of “friends” link to their pages and many of these people accept cyber-friends that they don’t even know. This provides an excellent vantage point for FDNS to observe the daily life of beneficiaries and petitioners who are suspected of fraudulent activities.

This social networking gives FDNS an opportunity to reveal fraud by browsing these sites to see if petitioners and beneficiaries are in a valid relationship or are attempting to deceive [United States Citizen and Immigration Services] about their relationship. Once a user posts online, they create a public record and timeline of their activities. In essence, using MySpace and other like sites is akin to doing an unannounced cyber “site-visit” on a [sic] petitioners and beneficiaries.

(Emphasis added). In other words, USCIS is specifically instructing its agents to attempt to “friend” citizenship petitioners and their beneficiaries on social networks in the hope that these users will (perhaps inadvertently) allow agents to monitor their activities for evidence of suspected fraud, including evidence that their relationships might not live up to the USCIS’ standard of a legitimate marriage.

More analysis from EFF: "Of course, there are good reasons for government agencies and law enforcement officials to use all the tools at their disposal, including social networks, to ferret out fraud and other illegal conduct. And while one might just chalk this up to another case of “caveat friendster," it does raise some questions about the agency’s conduct.

First, the memo makes no mention of what level of suspicion, if any, an agent must find before conducting such surveillance, leaving every applicant as a potential target. Nor does the memo address whether or not DHS agents must reveal their government affiliation or even their real name during the friend request, leaving open the possibility that agents could actively deceive online users to infiltrate their social networks and monitor the activities of not only that user, but also the user’s friends, family, and other associates. Finally, the memo makes several assumptions about social networking users that are not necessarily grounded in truth and reveal the author’s lack of understanding of the ways people use social networking sites.

...the memo engages in armchair psychology by assuming a large friend network indicates “narcissistic tendencies.” Second, and perhaps more disturbing, the memo assumes a user’s online profile always accurately reflects her offline life. While Facebook and MySpace would like their users’ profiles to always be current and accurate, users may have valid reasons for keeping some of their offline life out of their online profiles (for example, many users still feel their relationship status is private). Unfortunately, this memo suggests there’s nothing to prevent an exaggerated, harmless or even out-of-date off-hand comment in a status update from quickly becoming the subject of a full citizenship investigation."

Thursday, October 7, 2010

Californa Privacy Bills Signed, Vetoed By Governor

As per usual, I want to briefly go through the fates of the handful of important California privacy bills that made it all the way to Governor Schwarzenegger's desk.

Privacy Bills Signed by Governor

SB 1268 (Simitian) - Protects Privacy of Electronic Toll Users: Representing a major privacy victory was the Governor’s signing of SB 1268. The bill puts in place a number of protections for personally identifiable information of electronic toll collection subscribers, including, but not limited to: travel pattern data, address, telephone number, bank account information, and credit card information.

The bill would restrict transportation agencies from handing over subscriber information unless a law enforcement agency provides a search warrant, or, in cases in which the delay required in seeking a search warrant would result in an imminent danger to the health or safety of a member of the public, a written statement by the law enforcement agency explaining the nature of the situation. In addition, it would provide that in each instance where a subscriber’s personally identifiable information is handed over to a law enforcement agency, the subscriber him or herself must be notified within a reasonable timeframe.

SB 909 (Wright) - Investigative Consumer Reporting Agencies: This bill will require a person who instigates an investigative consumer report for employment purposes to provide a consumer with a Disclosure and Request for Consent for the information to be sent outside of the United States.

SB 1087 (Alquist) - Identity Theft: This bill gives additional rights to victims of identity theft - an increasingly common crime in California - by authorizing restitution for three years of credit report monitoring and for the costs to repair a credit rating. The legislation also expands the definition of what is considered to be identity theft and increases fines and potential incarceration time for those found guilty.

The bill also allows a person who believes that he or she is the victim of identity theft the right to initiate an investigation of the matter by contacting the law enforcement agency with jurisdiction over the person's residence or place of business. The victim may then obtain information from various financial entities concerning the suspected identity theft incident and may further investigate the matter. The victim may also petition a court for an expedited determination of his or her factual innocence concerning misuse of his or her identifying information.

Privacy Bills Vetoed By Governor

SB 1166 (Simitian) - Protecting Personal Information: The Governor’s veto of SB 1166 marks the biggest “privacy disappointment” of the session. Its a particularly stinging loss because, while the Governor vetoed a nearly identical bill last year, he said to bring it back again with just a minor modification - which was made. Apparently, the Governor changed his mind, and consumers will continue to pay the price, here's why:

A recent study by the Privacy Rights Clearinghouse indicated upwards of 500 million data breaches since 2005, including personal medical records, credit card numbers and Social Security numbers. According to a 2009 Javelin Research&Strategy, individuals are four times more likely to be the victim of identity theft in the year after receiving a data breach notification letter.

It goes without saying then, that these findings epitomized the need for the Governor to sign SB 1166 (Simitian). California’s current security breach notification law does not require public agencies, businesses, or persons subject to that law to provide any standard set of information about the breach to consumers. As a result, security breach notification letters often lack important information - such as the time of the breach or type of information that was breached - or are confusing to consumers.

SB 1166 would have rectified this problem by amending California's security breach notification law stating that any public agency, person or business required to issue a security breach notification to more than 500 residents must submit the notification electronically to the Attorney General. This measure also would have required that the notification be written in plain language and include contact information regarding the breach, the types of information breached, and the date, estimated date, or date range of the breach.

Yet the Governor's veto message claims "This bill is unnecessary, however, because there is no evidence that there is a problem with the information provided to consumers. Moreover, there is no additional consumer benefit gained by requiring the Attorney General to become a repository of breach notices when this measure does not require the Attorney General to do anything with the notices.”

Just ask consumers whether its more helpful to receive a letter that provides more than just a notice that your information has been breached, but also what you can do about it, when it happened (so you can check that date against your credit card statements, etc.), and other useful, SPECIFIC information.

The bottom line is that this law IS NEEDED. The past few years have demonstrated that there are some holes that still need to be plugged. According to a survey of data breach victims, 28% of those receiving a notification did not understand “the potential consequences of the breach after reading the letter.”

SB 482 (Mendoza) – Protecting Financial Privacy: This is another big disappointment, particularly considering how many people's credit scores have suffered due to the Great Recession. This bill would have prohibited a prospective employer from using consumer credit reports in the hiring process.

An employer should not have any right to obtain confidential information that is not germane to a prospective employee's job. Credit reports do not have predictive value in determining a worker's ability to perform job duties, but a bad credit report might unfairly influence a hiring employer's attitude toward a job applicant. AB 943 would provide exceptions in cases when the job duties include access to cash or other financial assets, when the job is in law enforcement, and in other narrow areas.

So that's a quick rundown of the privacy bills that we (Consumer Federation of California) had been tracking all year that actually made it to his desk. While the signing of the electronic toll bill was a victory, its difficult to understand the Governor's reasoning for vetoing the credit report and the security breach bills...but then, we are talking about Governor logic, and rational, consistent public policy positions don't really apply.