Wednesday, March 30, 2011

Privacy, the Internet and New Legislation

I've talked a lot about the explosion in data collection, data analysis and use of behavioral marketing on this blog.  For good reason, when there's billions of dollars at stake, and your private information is the currency, there's plenty of reasons to place a big "consumer beware" sign anywhere you are doing something ostensibly "private".

We know for a fact, and they have been sued for it, companies like Google, Yahoo, Microsoft and other Internet companies  track and profile users and then auction off ads targeted at individual consumers in the fractions of a second before a Web page loads. That in itself, may not be all that threatening to most. But it raises some interesting questions: What kind of control should we have over our own data? And, what kind of tools should be available for us to protect it? What about ownership of our data? Should we be compensated for the billions of dollars being made by corporations from their tracking of us? And of course, what of the government's access to this new world of data storage?

We may finally get some answers, and some privacy protections, as there are three separate bills in Congress addressing in one form or another, Internet privacy. The argument from privacy advocates has largely been that this massive and stealth data collection apparatus threatens user privacy and regulators should compel (not hope that) companies to obtain express consent from consumers before serving up "behavioral" ads based on their online history.

For instance, Internet companies would be asked to acknowledge that the data they collect about a person's online movements through software "cookies" embedded in a Web browser allows advertisers to know details about them, even if those cookies don't have a person's name attached. More generally, particularly on the issue of privacy on the Internet, the fact that we have next to no privacy standards as related to these technological innovations and trends is disturbing, and more than enough of a reason for some of the bills being offered here. So now the question becomes whether they're sufficient. Word is still out on that question.

Before I get to a bit more about the Kerry/McCain legislation, and the The Electronic Privacy Information Center (EPIC) recent comments regarding Internet privacy, let me provide a more detailed description of "behavioral marketing" from Center for Digital Democracy:

Perhaps the most powerful - but largely invisible - force shaping our digital media reality is the role of interactive advertising and marketing. Much of our online experience, from websites to search engines to social networks, is being shaped to better serve advertisers. Increasingly, individuals are being electronically "shadowed" online, our actions and behaviors observed, collected, and analyzed so that we can be "micro-targeted." Now a $24 billion a year industry [2008 estimates] in the U.S., with expected dramatic growth to $80 billion or more by 2011, the goal of interactive marketing is to use the awesome power of new media to deeply engage you in what is being sold: whether it's a car, a vacation, a politician or a belief. An explosion of digital technologies, such as behavioral targeting and retargeting, "immersive" rich media, and virtual reality, are being utilized to drive the market goals of the largest brand advertisers and many others.

A major infrastructure has emerged to expand and promote the interests of this sector, including online advertising networks, digital marketing specialists, and trade lobbying groups.
The role which online marketing and advertising plays in shaping our new media world, including at the global level, will help determine what kind of society we will create.
  • Will online advertising evolve so that everyone's privacy is truly protected?
  • Will there be only a few gatekeepers determining what editorial content should be supported in order to better serve the interests of advertising, or will we see a vibrant commercial and non-commercial marketplace for news, information, and other content necessary for a civil society?
  • Who will hold the online advertising industry accountable to the public, making its decisions transparent and part of the policy debate?
  • Will the more harmful aspects of interactive marketing - such as threats to public health - be effectively addressed? 
Clearly, as with just about every market, "self regulation" is woefully inadequate...particularly when so much money is at stake. EPIC recently made this point in comments to the FTC urging urging tougher privacy protections, as summarized by NetworkWorld:

The Electronic Privacy Information Center (EPIC) has practically accused the FTC of being derelict in its duties to protect Internet user’s privacy. This attitude is revealed among the public comments filed in response to the FTC’s proposed Policy Framework on privacy.

EPIC has been an advocate of privacy protection for consumers since it was formed in 1994, when the Web was just a baby. EPIC argues in its comment that businesses should be required to adopt clearer privacy policies regarding information they collect on consumers because policies vary widely, are obtuse (sometimes purposely) and frequently change. The group complains that the FTC “mistakenly endorses self-regulation and ‘notice and choice’” of a company’s practices. Furthermore, EPIC says the FTC can already investigate deceptive business practices that invade privacy under Section 5 of the statute under which it operates, but that it doesn't. The FTC "fails to explain why it has not used its current Section 5 authority to better safeguard the interests of consumers," EPIC states.


To be sure, Internet businesses have good intentions and can point to instances where they have built “privacy by design” into their digital goods and services. Microsoft, for instance, told the FTC it already deletes the IPFirefox 4 has one, too). But Microsoft has made its share of privacy mistakes, such as assisting law enforcement and intelligence agencies in obtaining private user data, failing to encrypt the cloud-stored data of its Live@edu users and reportedly using ads as a cover for data mining.

Microsoft is not the only Internet business with a privacy protection problem, though. EPIC petitioned the FTC in 2009 to investigate Google over security breaches in its cloud computing service. And Facebook, despite numerous complaints about its envelope-pushing data mining practices at the expense of privacy, urged the FTC to provide privacy protection without imposing “restrictions [that] could limit Facebook's ability to innovate.” You’ll have to do better than that Zuck.

Now, to some of the provisions of the Kerry/McCain legislation, as reported in Media Post News:

A draft of privacy legislation floated by Sen. John Kerry (D-Mass.) would give the Federal Trade Commission authority to craft privacy regulations and to operate a Web site where consumers can opt out of online behavioral targeting. The potential measure would generally require companies to notify consumers about the collection of their data, and also allow them to opt out of having data used by third parties, like ad networks.


In addition to the obligation to notify consumers about data collection and allow opt-outs, the bill would require companies to give consumers access to data about them. Further, most companies that collect data would be required to attempt to minimize the amount of information collected and retained.

The bill would apply to a broad swath of data about consumers,
including not only names and phone numbers but also email addresses, if they include names, customer numbers held in cookies and unique device identifiers.

In its current form, the bill requires companies to obtain users' explicit opt-in consent before collecting "sensitive" data, defined expansively as personal information that "if lost, compromised, or disclosed without authorization could result in harm to an individual."

The bill, which currently names Sen. John McCain (R-Ariz.) as co-sponsor, apparently remains a work-in-progress. But some provisions in the current version are virtually certain to be opposed by privacy advocates. For instance, the measure would preempt many state laws. Additionally, consumers wouldn't be allowed to file private lawsuits to enforce the bill.

As Jeff Chester, head of the Center for Digital Democracy, recently said in an article in the UK's Independent, "This is a commercial Orwellian environment. What is at stake is that we are granting influence over our lives to largely invisible and unaccountable digital giants, who have developed a far-reaching system of data collection across platforms and across networks. Alarmingly, information gathered from cookies is more than enough to deduce a person's medical history, sexuality or political views."

But as Chester also admitted in the piece, privacy advocates remain divided on how new regulation should be structured. This is made all the more difficult by the sheer complexity and ubiquitousness of these technologies. The Independent article continues:

If the Internet is to remain an interactive, personal experience, then some amount of data tracking is vital. The questions are: how much, and what for, and who by, and with what kind of opt-in or opt-out mechanisms for consumers? 

The problem is that, behind the contents of any single web page lies an increasingly complex ecosystem of companies using an array of different systems to tailor that web page to suit the reader. At its most basic, a website itself will tailor content. Amazon generates book recommendations for its customers by knowing what they have purchased in the past, for example. Google can predict your search query, and serve the answer faster, because it knows what you have searched for in the past. 

Increasingly, websites are tying up together to make their content more “social”. Facebook users may find information about what their friends are sharing pop up on partner sites such as listings site Yelp. And most controversially, the ads that appear on web pages are often now based on data collected about the user. This so-called “behavioural advertising” may serve up ads for golf clubs to a reader who has a history of visiting golf websites, whether or not the website they are currently looking at is a golf website. 

A study by the Network Advertising Initiative last year found that behavioural advertising was three times more effective, in terms of click-through-rates, and three times as lucrative, in terms of purchases made by the consumer from the advertiser, than traditional online ads that were not personally targeted in this way. And that was a year ago. The effort being made by the advertising industry to hone advertising even more closely to what it thinks the consumer wants to see becomes more sophisticated all the time. 

A new generation of online brokers have sprung up whose key skill is the analysis of large amounts of data. These brokers collect or buy data that can be specifically linked to an IP address or cookies (the little parcels of data left on an individual’s computer as a message to web publishers, which store information such as log-in names or other personal data) and use what they learn to place the most appropriate ads instantaneously on a web page. 


Even assuming consumers can spot the link on their online ads, and know that following it will allow them to opt out, there remain numerous problems over what happens next. The burgeoning number of data collectors and networks involved means that consumers currently have to opt out numerous times if they want to sweep away all behavioural ads.


Last week, European Parliament justice commissioner Viviane Reding said new regulations in the EU would include a right to be forgotten, applied to data collected not just by advertisers but by social networks and other websites, presenting an even bigger technical challenge to the industry. 

In the US, proposals are more modest. One House of Representatives plan would allow behavioural advertising only when consumers have opted in; the bill of rights proposed by Senator John Kerry would reverse that, but would mandate a clear and easy opt-out procedure. What none of the proposals spell out, though, is how, technically, it can be done.

Clearly, I particularly like the sound of what the EU is doing. A rule of thumb for privacy advocates is the "opt-in" choice is ALWAYS preferable to "opt-out". Let's face it, the fact that there's even an opt-out option is often confusing of buried, and likely a few clicks away just to find it. But for me, its more than just the "convenience" argument. It goes deeper than that...its about having control over my information, end of story. If someone wants to borrow something of mine, like my car, I don't have to find a way to opt-out of doing so after they've taken it on a spin, they have to come to me first. The same should be true of what I do in my private time, on the net, or in my home (think smart meter).

In addition, and I've written about this A LOT on this blog, is what really concerns me, is just what are the side effects of living in a society without privacy? Not just on the Internet, or about our personal web surfing habits, but from the watchful eye of government, be it the knowledge that we could be wiretapped, that the smart grid monitors our daily in home habits and that information is sold and stored, that our emails can be intercepted, that our naked bodies must be viewed at airports, that our book purchases can be accessed (particularly if Google gets its way and everything goes electronic), that street corner cameras are watching our every move, that RFID tags allow for the tracking of clothes, cars, and phones...and the list goes on.

In other words, more concerning than any single threat posed by any single technology – including on the Internet – is this larger pattern indicating that privacy as both a right and an idea is under siege. As young people grow up with so much of their information so public and accessible to all, including government, I fear their sense, appreciation and understanding of privacy will continue to fade away. The consequences of such a loss would be profound.

I don't think its by accident that we are told by the same interests that profit off our information that privacy is dead, and people don't care about it anymore. Well, that's easy to say when you are the ones developing the complicated and difficult to find privacy settings consumers have to deal with. 

I'll continue to cover the details, and the progress, of the legislation making its way through congress attempting to address some of these concerns.

Thursday, March 24, 2011

California Privacy Legislation 2011: Books, Credit Reports, and Data Breaches

Some of the official privacy protection legislation is now being debated in the halls of California's state capitol I'd like to make readers aware of. I do this not just because I'll be working on (i.e. Consumer Federation of California) ensuring these bills will become law, but also because California often establishes landmark privacy protections that become templates for which other states mimic. In other words, the importance of these bills cannot be overstated - particularly the new effort to protect the privacy of digital book readers.

SB 602 (Yee) - Reader Privacy Act of 2011

Let's begin with some background regarding why this is such an important issue, straight from letters of support being sent in from privacy advocates: As Californians increasingly turn to electronic books and online book services, it is essential to safeguard the reader’s browsing, buying, and viewing information as such details reveal private information about political and religious beliefs, health concerns, and personal lives.

Digital books are now outselling paperbacks on, readers are turning to online services like Google Books, and analysts expect that over 18-million e-readers will be sold in 2012. As companies collect more detailed reader information -- including books browsed, how long a page is viewed, and even the notes written in the margins -- reading records are becoming a larger target for government surveillance.

In other words, without strong privacy protections, all of our browsing and reading history could be collected, analyzed, and turned over to the government or third parties without our knowledge or consent. In light of what has transpired in this country since the Patriot Act, none of this should sound like undue paranoia - its based on a now long history of corporate and governmental abuses of citizen privacy.

We're not talking about just another library mind you - librarians utilize a different standards for dealing with user information than does the online world. Many libraries routinely delete borrower information, and organizations such as the American Library Association have fought hard to preserve the privacy of their patrons in the face of laws such as the U.S. Patriot Act.

The concerns of privacy advocates are not hypothetical. Our country has a long history of government efforts to compel libraries and booksellers to turn over customer records and information. Why would anyone believe, particularly after the warrantless wiretapping scandal, that the government won't ask a company like Google to turn over the treasure trove of private personal information it has on millions of Americans?

For these reasons and more, it is essential that products like Google Book Search incorporate strong privacy protections, and SB 602 is one big way to ensure this process. Without such protections, we're talking about a virtual one-stop shop for government and third party "fishing expeditions into the personal details of our lives."

Again, these concerns are not hypothetical. In 2006, the U.S. attorney subpoenaed Amazon for the used book purchase records of over 24,000 customers in the course of a grand jury probe investigating a single individual.

The good news was a federal judge agreed that Amazon should not have to turn over this information about its customers, saying that if word spread over the Internet that the federal government was probing book purchase information , “the chilling effect on e-commerce would frost keyboards across America." 

If there ever was a time to make sure that companies like Google don't put an end to reader privacy as we know it would be now. At present, all Google has done is make a lot of informal statements about privacy, while failing to provide an actual privacy policy with specific promises to consumers.

The ACLU does a good job framing the issue in their Google Book search campaign: What you choose to read says a lot about who you are, what you value, and what you believe. That’s why you should be able to learn about anything from politics to health without worrying that someone is looking over your shoulder. The good news is that millions of books will be available for browsing and reading online. The bad news is that Google is leaving reader privacy behind. Under its current design, Google Book Search can monitor the books you browse, the pages you read, and even the notes you take in the "margins." Without strong privacy protections, all of your browsing and reading history could be collected, analyzed, and turned over to the government or third parties without your knowledge or consent.

This fight has been ongoing in fact, just recently another privacy stalwart, the Electronic Frontier Foundation (EFF), joined the ACLU and the privacy authors and publishers they represent, which include the American Library Association, the Association of Research Libraries and the Association of College and Research Libraries, CDT, EPIC, SFLC, Professor James Grimmelman, urging Google to include privacy protection.

Now let's get back to SB 602, and how it helps address some of the concerns I've highlighted. One, it would ensure that government and third parties cannot access private reading records without proper justification. The bill permits disclosure of personal information related to reading records when an individual consents to the disclosure and where there are exigent circumstances. 

In addition, personal information must be shared when a government entity or private party obtains a warrant or court order upon a showing of a compelling interest, and the warrant or order is the least intrusive means to obtain the information desired.   

Notice and opportunity to contest the order must be given

The Reader Privacy Act would establish clear rules for businesses and standards for government and third party access to reader records. Under SB 602, consumers will be able to feel comfortable using new digital book services and technology without worrying that their personal information will be unprotected. California should promote the use of new technology by ensuring that upgraded technology does not mean downgraded privacy.  

For updates on how this legislation is progressing in the California Legislature, you can check out the page I've created on the Consumer Federation of California website. 

Two Privacy Bills Vetoed By Governor Schwarzenegger are Back!

Some more good news to report is the two bills that were MOST disappointingly vetoed last year by Governor Schwarzenegger are back, with much better chances of signage by a more privacy conscious Jerry Brown. For long time readers of this blog, this bill info may sound familiar, but let's review regardless. 

SB 24 (Simitian) - Protecting Personal Information - was vetoed in the form of SB 1166 last year. This was a particularly stinging loss because, while the Governor vetoed a nearly identical bill the year before (that's right...third times a charm!), he said to bring it back again with just a minor modification - which was made. Apparently, the Governor changed his mind.

Here's why this bill is important: A recent study by the Privacy Rights Clearinghouse indicated upwards of 500 million data breaches since 2005, including personal medical records, credit card numbers and Social Security numbers. According to a 2009 Javelin Research&Strategy, individuals are four times more likely to be the victim of identity theft in the year after receiving a data breach notification letter.

It goes without saying then, that these findings epitomizes the need for SB 24 (Simitian). California’s current security breach notification law does not require public agencies, businesses, or persons subject to that law to provide any standard set of information about the breach to consumers. As a result, security breach notification letters often lack important information - such as the time of the breach or type of information that was breached - or are confusing to consumers.

The bill will rectify this problem by amending California's security breach notification law stating that any public agency, person or business required to issue a security breach notification to more than 500 residents must submit the notification electronically to the Attorney General. This measure also would have required that the notification be written in plain language and include contact information regarding the breach, the types of information breached, and the date, estimated date, or date range of the breach.

Last year, the Governor's veto message claimed, "This bill is unnecessary, however, because there is no evidence that there is a problem with the information provided to consumers. Moreover, there is no additional consumer benefit gained by requiring the Attorney General to become a repository of breach notices when this measure does not require the Attorney General to do anything with the notices.”

Strange that the Governor saw fit to speak FOR consumers. Here's an idea, ask yourself whether its more helpful to receive a letter that provides more than just a notice that your information has been breached, but also what you can do about it, when it happened (so you can check that date against your credit card statements, etc.), and other useful, SPECIFIC information.

The bottom line is that this law IS NEEDED. The past few years have demonstrated that there are some holes that still need to be plugged. According to a survey of data breach victims, 28% of those receiving a notification did not understand “the potential consequences of the breach after reading the letter.”

For updates on how this legislation is progressing in the California Legislature, you can check out the page I've created on the Consumer Federation of California website.

The second bill that is back from the dead is AB 22 (Mendoza) – Protecting Financial Privacy. Governor Schwarzenegger's veto of this bill was another big disappointment (though largely expected to the Governor's allegiance to big business interests), particularly considering how many people's credit scores have suffered due to the Great Recession. This bill would have prohibited a prospective employer from using consumer credit reports in the hiring process.

An employer should not have any right to obtain confidential information that is not germane to a prospective employee's job. Credit reports do not have predictive value in determining a worker's ability to perform job duties, but a bad credit report might unfairly influence a hiring employer's attitude toward a job applicant. AB 22 would provide exceptions in cases when the job duties include access to cash or other financial assets, when the job is in law enforcement, and in other narrow areas.

The fact is, credit reports are often inaccurate, and could unfairly bias an employer. Correcting mistaken information in a credit report is a tedious, time consuming process, and in the meantime, the job applicant is harmed due to errors by credit reporting entities.  

For updates on how this legislation is progressing in the California Legislature, you can check out the page I've created on the Consumer Federation of California website. 

So that's a quick rundown of the privacy bills that are top on our (Consumer Federation of California) list this year (probably a few more to come). I'll keep anyone interested informed as to their progress throughout this legislative year.

Tuesday, March 22, 2011

Lawsuit Challenging Warrantless Wiretapping Revived by Appeals Court!

I'm not sure what to say because I've become so used to only reporting bad news....but a semblance of justice was achieved yesterday! I speak of the lawsuit challenging the abominable American law that allows  eavesdropping on overseas communications of American citizens. Yes, that case is still alive. On Monday, a federal appeals court said the new rules regarding surveillance had put lawyers, journalists and human rights groups in a “lose-lose situation.”

In other words, the ACLU WON their lawsuit against the US government for unlawful spying on Americans. As David Dayen noted, "The lawsuit specifically challenges the constitutionality of the FISA Amendments Act of 2008, which de facto legalized ongoing warrantless spying on Americans who communicate with parties overseas if a link to terrorism on either end can be established. The Appeals Court basically restored the standing to sue to the plaintiffs. The decision by the 2nd U.S. Circuit Court of Appeals means the ACLU, and other rights groups involved in the suit, might get their day in court."

By now, I think most everyone has a working knowledge of the warrantless wiretapping program under the Bush Administration. Similarly, I think we all probably remember the promises made from candidate Obama about his THEN opposition to giving telecommunication companies immunity for their participation in Bush and company's crimes.

As we now all know, President Obama (and Attorney General Holder for that matter) has completely reversed himself, by not only refusing to prosecute or investigate the program and/or those that carried it out, but even expanding their defense of the program in some important key respects. But, before I get to some of that history, and how it relates to this decision, Wired Magazine has more:

A lower court had ruled the ACLU, Amnesty International, Global Fund for Women, Global Rights, Human Rights Watch, International Criminal Defence Attorneys Association, The Nation magazine, PEN American Center, Service Employees International Union and other plaintiffs did not have standing to bring the case, because they could not demonstrate that they were subject to the eavesdropping.

The groups appealed, arguing that they often work with overseas dissidents who might be targets of the National Security Agency program. Instead of speaking with those people on the phone or through e-mails, the groups asserted that they have had to make expensive overseas trips in a bid to maintain attorney-client confidentiality.

The plaintiffs, some of them journalists, also claim the 2008 legislation chills their speech, and violates their Fourth Amendment privacy rights. Without ruling on the merits of the case, the appeals court on Monday agreed with the plaintiffs that they have ample reason to fear the surveillance program, and thus have legal standing to pursue their claim.

This is VERY important because at least in this case, the judge didn't buy the government's argument that citizens needed to somehow (impossible to do in fact) PROVE they had specifically been wiretapped and that they specifically suffered damage in order to have the right to sue (i.e. "standing"). Of course, how does one do that if when disclosure of who was targeted and why would be a threat to national security, right? You get the idea...its a kind of circular logic that ensures two things: the government gets away with their crimes and the people suffer the consequences.

This leads of course to the other key argument we know is sure to be coming from the government: the state secrets privilege. Now that this judge has at least ruled that those in the lawsuit have a right to sue, even without providing direct evidence of being wiretapped, the question now will become whether plaintiff's can get passed the what has become a radical State Secrets interpretation advocated by both the Bush and Obama Administration's.

Simply put, the State Secrets privilege was once meant for, well, ACTUAL state secrets. No longer. Today, ANYTIME ANYTHING might come out in court that makes the government uncomfortable, like the rights of tortured prisoners that have never had access to a trial, bang, out comes the argument that such knowledge, if made public, would threaten our national security. How convenient, no?

If the Administration continues to be so successful in broadening the scope of this "privilege", the Executive Branch will become even more powerful and unaccountable than it already is - serving to validate and reinforce Vice President Cheney's "unitary executive" theory that gained such traction during the Bush years. 

It was just last year that A federal judge (Vaughn Walker) ruled that "the National Security Agency's program of surveillance without warrants was illegal, rejecting the Obama administration's effort to keep shrouded in secrecy one of the most disputed counter terrorism policies of former President George W. Bush." 

Judge Vaughn Walker ruled that the government had violated a 1978 federal statute requiring court approval for domestic surveillance. In other words, Judge Walker blew the State Secrets argument out of the water. What stopped that case in its tracks you ask? Retroactive immunity for the telecoms complicit in these crimes of course. As you can see, the government has covered all its bases with a kind of rubric's cube of legal hurdles. The good news is we at least cleared one of them yesterday.

Glenn Greenwald has more on the significance of the ruling:

This may sound like a legalistic development but its significance extends far beyond that. Unlike the bastardized Bush/Obama "state secrets" weapon for avoiding judicial review, "standing" is actually a legitimate and important constitutional restriction on a court's jurisdiction.

But what the Bush DOJ and then the Obama DOJ have done is manipulate that important "standing" limitation beyond all recognition into a weapon of full-scale presidential immunity.   If one were to accept their tactic, a President need only break the law in total secrecy and prevent anyone from finding out what exactly he did and to whom he did it.  With that secrecy in place, the DOJ can then tout that secrecy as a means of preventing any judicial challenges to the President's conduct -- which is another way of saying that the President has placed his conduct outside of the rule of law (because we did it in secret, everyone is unable to sue over it).  Obviously, if one can break laws but then block courts from adjudicating allegations of lawbreaking, then one is -- by definition -- free to break the law.  That has been the case thus far with the Bush administration thanks to the warped doctrines it pioneered and the Obama DOJ then swallowed whole.  

This danger is particularly acute in the post-9/11 world where so much of what the Executive branch does of any significance -- I'd say most of what it does -- takes place behind a wall of secrecy.  To allow Presidents to escape all legal challenges on "standing" grounds merely because they managed to conceal the identity of the victims of their lawbreaking would be, in essence, to have laws that apply to Presidents only in theory but not in reality.

The ACLU's Deputy Legal Director, Jameel Jaffer responded to the decision: “The government’s surveillance practices should not be immune from judicial review, and this decision ensures that they won’t be. The law we’ve challenged permits the government to conduct dragnet surveillance of Americans’ international communications, and it has none of the safeguards that the Constitution requires. Now that the appeals court has recognized that our clients have the right to challenge the law, we look forward to pressing that challenge in the trial court.”

Some history is in order here. Let's not forget that a government report disclosed that President Bush authorized secret surveillance activities that went WAY beyond the previously disclosed NSA program – raising the prospect of additional unlawful conduct. Supporting that conclusion was the account of a former N.S.A. analyst who, in a series of interviews, described being trained in 2005 for a program in which the agency routinely examined large volumes of Americans’ e-mail messages without court warrants. Two intelligence officials confirmed that the program was still in operation.

This report, mandated by Congress in 2009 and produced by the inspectors general of five federal agencies, also found that other intelligence tools used in assessing security threats posed by terrorists provided more timely and detailed information.

In fact, NOT ONE instance could be cited that demonstrated the wiretapping program prevented any attack of any kind, ever. Nor did it lead to the capture of any terrorists. In light of these facts, one would think that the Obama Administration would come down somewhere at least close to the position that candidate Obama espoused on the campaign trail. Sadly, the opposite has been true.

In fact, all we have to show as a nation since this program was exposed is additional protections (and retroactive immunity) to telecom companies for sharing our private information with the government, and more legal cover for the Executive Branch to carry out similar efforts in the future. To date, giving telecom companies immunity has served the dual purpose of protecting the politicians from having the telecom companies share what they know about THEIR crimes! Add to that the hurdles of "standing" and "states secrets", and the enormous challenge to achieve justice becomes apparent.

As for the President, I will go back to something I wrote about his privacy flip flops in the past

"It’s as if we're watching a debate between the eloquent, pro-civil liberties "Candidate Obama" and the just as eloquent, anti-constitutional authoritarian, President Obama.

Senator Obama branded the Patriot Act "shoddy and dangerous" and pledged to end it in 2003. In 2005, he pledged to filibuster a Bush-sponsored bill that included several of these exact components recently extended, calling them "just plain wrong" in a Senate speech. He argued:

"Government has decided to go on a fishing expedition
through every personal record or private document -- through library books they've read and phone calls they've made...We don't have to settle for a Patriot Act that sacrifices our liberties or our safety -- we can have one that secures both."

It goes without saying, Obama reneged on those pledges.

With that, let me conclude with Glenn Greenwald's thoughts on what to take away from yesterday's ruling:

Today's ruling puts at least some brakes -- for now -- on that license of lawlessnessIt rejected the Bush/Obama claim that citizens must prove they have been targeted by an illegal presidential program before they have the right to ask a court to declare it illegal.  Instead, a plaintiff's reasonable fear that their rights are being violated due to enactment of an allegedly unconstitutional law  -- combined with actual harm suffered as a result of that fear -- suffices to allow them to challenge the legality of those actions.  It is, of course, possible that the Supreme Court can review and reverse this ruling, but the Second Circuit is a well-regarded court -- situated on the level immediately below the Supreme Court -- and this well-reasoned decision will have significant sway.  At the very least, this is an important ruling in eroding what is easily one of the worst political problems plaguing America in the post-9/11 world: the ease with which Presidents and their underlings can insulate their secret actions from the rule of law.  

Thursday, March 17, 2011

Digital Privacy, Data Mining, and the Future

Granted, that's a cryptic title...but sometimes privacy in the digital age is a cryptic subject. What are the real threats? How do we quantify them? Or is it all just paranoia - and we should give ourselves up to the Matrix that is Facebook, Google, and all the rest?

None of these questions are easy to answer. But, I do have some thoughts, and I do want to share with you two really comprehensive recent articles, one from MSNBC, and the other in TIME magazine, tackling the larger subject of digital privacy and data mining.

I want to largely provide key pieces of those articles, rather than get overly wordy myself. But, let me open with a few thoughts (yes, I realize I have said these things before), and then we'll get to the articles.

First, just what is "behavioral marketing" - because that's what this is really all about. I've found the description by the Center for Digital Democracy particularly useful:

Perhaps the most powerful - but largely invisible - force shaping our digital media reality is the role of interactive advertising and marketing. Much of our online experience, from websites to search engines to social networks, is being shaped to better serve advertisers. Increasingly, individuals are being electronically "shadowed" online, our actions and behaviors observed, collected, and analyzed so that we can be "micro-targeted." Now a $24 billion a year industry [2008 estimates] in the U.S., with expected dramatic growth to $80 billion or more by 2011, the goal of interactive marketing is to use the awesome power of new media to deeply engage you in what is being sold: whether it's a car, a vacation, a politician or a belief. An explosion of digital technologies, such as behavioral targeting and retargeting, "immersive" rich media, and virtual reality, are being utilized to drive the market goals of the largest brand advertisers and many others.

A major infrastructure has emerged
to expand and promote the interests of this sector, including online advertising networks, digital marketing specialists, and trade lobbying groups.
  • The role which online marketing and advertising plays in shaping our new media world, including at the global level, will help determine what kind of society we will create.
  • Will online advertising evolve so that everyone's privacy is truly protected?
  • Will there be only a few gatekeepers determining what editorial content should be supported in order to better serve the interests of advertising, or will we see a vibrant commercial and non-commercial marketplace for news, information, and other content necessary for a civil society?
  • Who will hold the online advertising industry accountable to the public, making its decisions transparent and part of the policy debate?
  • Will the more harmful aspects of interactive marketing - such as threats to public health - be effectively addressed?
To give you an idea how important this whole issue is, just last year privacy advocates - including Center for Digital Democracy, U.S. PIRG, and the World Privacy Forum - filed a complaint with federal regulators against tracking and profiling practices used by Google, Yahoo, Microsoft and other Internet companies to auction off ads targeted at individual consumers in the fractions of a second before a Web page loads.

The charge was that a "massive and stealth data collection apparatus threatens user privacy," and asks regulators to compel companies to obtain express consent from consumers before serving up "behavioral" ads based on their online history.

For instance, internet companies would be asked to acknowledge that the data they collect about a person's online movements through software "cookies" embedded in a Web browser allows advertisers to know details about them, even if those cookies don't have a person's name attached.

Privacy advocates have long argued that when enabled to protect their privacy and control their data people will do so. BUT, not if it’s made difficult, confusing, or time consuming. And this is why new rules, laws are so desperately needed for cyberspace...we need "systems" that will allow users to control their information in an easy, logical, and practical way.

More generally, particularly on the issue of privacy on the internet, as I have written here before, the fact that we have next to no privacy standards as related to these technological innovations and trends is disturbing, and more than enough of a reason for some of the bills being offered here.

This leads to a number of important questions, like: What kind of control should we have over our own data? And, what kind of tools should be available for us to protect it? What about ownership of our data? Should we be compensated for the billions of dollars being made by corporations from their tracking of us? And of course, what of the government's access to this new world of data storage?

The argument by some, such as Mark Zuckerberg, is that all information should be public, and as time goes on we'll only be sharing more of it. In addition, we all will benefit from this communal sharing of private information in ways yet to even be discovered. Already, from this sharing, we forge more online friendships and connections, old friends are reconnected, distant parents see pictures of their kids' day-to-day activities, jobs might be more easily found due to our profiles being more public, internet services improve as companies like Facebook and Google learn about peoples' Web browsing histories, sites are able to tailor content to the user, and so on, and so forth.

What concerns me, and some of these concerns are mentioned in both articles I'm going to feature today, is what are the side effects of living in a society without privacy?

I don't think its by accident that we are told by the same interests that profit off our information that privacy is dead, and people don't care about it anymore. Well, that's easy to say when you are the ones developing the complicated and difficult to find privacy settings consumers have to deal with. 

On that note, let's get to some of the key sections of the article by Bob Sullivan of MSNBC entitled "Why should I care about digital privacy?":

Welcome to the world of privacy experts like Larry Ponemon and Alessandro Acquisti. Their chosen field of work is an area where research can be pretty depressing. Consumer behavior shows, repeatedly, that people just don't care about privacy, no matter how much lip service they might give to the topic. Ponemon's research shows that most U.S. adults — 60 percent —claim they care about privacy but will barely lift a finger in an effort to preserve it. They don't alter Facebook privacy settings, they don't complain when supermarkets demand their phone numbers and they certainly don't insist on encrypted e-mail. LosHuertos' experiment underscores this point well. Even people who have experienced a "privacy mugging" often don't change their behavior.


The usual way to do grab attention to the topic is to trot out privacy nightmares, such as the secret dossiers that hundreds of companies keep on you (they do), the man who was accused of arson because his grocery store records showed he purchased fire starters (he was), or the idea that a potential employer may one day pass on you because your musical tastes suggest you will be late to work three time per week (they could). But privacy nightmares are beginning to feel a bit like the boy who cried wolf. Cyber experts have warned about both a Digital Pearl Harbor and an information Three Mile Island for more than a decade now; doesn't the absence of that kind of disaster show that perhaps privacy is no big deal?


For many, he thinks, there is a sense of learned helplessness — the feeling that their privacy is lost anyway, so why go through the hassle of faking a supermarket loyalty card application? For others, the decision tree is so complex that it's no surprise they usually take the easier option.

"There are so many mental steps we have to go through," he said. "Do I even know there is a potential privacy risk? If I do, do I know I there are alternative strategies, such as adjusting privacy settings? Do I know, or at least feel, that these will be effective, or are they a waste of time? And then, if they are effective, are they too costly in terms of time or effect? After all that, I may very well decide not to take those steps."

For starters, people almost always engage in "hyperbolic discounting" when faced with a privacy choice — they overvalue present benefits and undervalue future costs. You probably do that every day when you convince yourself that an extra cookie or scoop of ice cream is worth the bargain with your waistline. In the realm of privacy, judging such bargains can be impossible. What's the future cost of sharing your phone number with a grocery store? It could be nothing. It could be annoying phone calls or junk mail. It could be intense profiling by a marketer. It could ultimately be an increase to your health premium, as a medical insurance company one day decides you buy too much ice cream every month.

Despite recent rhetoric to the contrary, long ago America decided that there are realms where it's not OK to let consumers make decisions that guaranteed to cause self-harm. We don't let people eat in restaurants that fail health inspections; we don't let people buy buildings that aren't earthquake proof near fault lines; we don't let them buy cars without seat belts — even if all these options were cheaper, or somehow more enjoyable. Why? It's impossible for consumers to really understand the consequences of such actions at the time of the choice. We wouldn't expect every San Francisco home buyer to become an expert seismologist, or every eater to become a biologist. Even if you care nothing for personal safety, it would be a terribly inefficient way to run an economy.

Acquisti thinks it's time that society erected some strict safety rules around privacy issues, and end the charade of 27-page end user license agreements that no one — not even Acquisti — reads. The right answer for the majority of Americans who care about privacy but don't know what to do about it is for leaders to make some tough choices.

There are some efforts under way in that direction. There are no fewer than seven pieces of privacy-related legislation that have either been introduced in the U.S. House of Representatives, or soon will be. The most significant involves creation of the Do Not Track legislation, which would authorize the Federal Trade Commission to create a regime that forced companies to allow users to opt out of various data collection efforts. It would also give consumers a "right of access" to personal information stored by any company — a right Europeans have enjoyed for years. While the law is meant to evoke the very popular Do Not Call list, critics worry that few consumers would take the time required to opt out.

The Financial Information Privacy Act of 2011 would prevent banks from sharing customer information with third parties unless consumers opt-in, a significant step further along in privacy protection. Banks would then have to sell people on the idea of information sharing. (A detailed look at these proposals.)

Timid as they are, virtually all these bills have run up against ferocious industry lobbying. Facebook, among many other firms, has told the FTC it's worried that the Do Not Track initiative would stifle innovation.


Ponemon doesn't see Facebook as a panopticon — yet. But it doesn't have to go that far to put a serious dent in the American dream, he worries. People no longer expect to keep secrets, Ponemon said, which means that every stupid thing you do in high school will follow you around for the rest of your life. He is scared about the implications of that.

"The end of privacy is the end of second chances," Ponemon said. "Some people may think I'm just being a cranky old guy ... but the thing about what made this country great is our ancestors came with nothing. They didn't have a reputation, positive or negative. They could, like my dad, go to Arizona and become a dentist, something he couldn't do in his home country. The ability to reinvent ourselves has made great fortunes. The ability to do that today is significantly diminished because of all the information that is attached to us. Could we have another Thomas Edison now, who dropped out of elementary school in his first year (at age 7)? Maybe not."

Acquisti isn't just worried about the American way of life; he's worried about humanity itself.

"What I fear is the normalization of privacy invasions in a world where we become so adjusted to being public in everything that it is normal," he said. "I fear that world will be a world where we will be less human. Part of being human is having a private sphere and things you only share with special people, or with no one. I fear for the future of that world."

Acquisti, despite his exhaustive research on the subject, said he has no desire to persuade others to change their privacy-related behaviors. People make rational choices every day to share themselves with others, and to great benefit — they form relationships, find work and in extreme cases use social networking tools to fight for freedom, he said. People who want to share everything with everyone have the freedom to do so.

But it's freedom he's most interested in preserving — the freedom of some people to keep their lives private in a world while the costs of doing so are increasingly rising.

"It will become increasingly costly not to be on a social network, just as not having a mobile phone now is," he said. "It will dramatically cut people off from professional and personal life opportunities. The more people who join the social networks, the more costly it becomes for others to be loyal to their views."

In economics, it's called an "externality" — the costs of your choices go up because of factors that have nothing to do with you. On the Internet, it's called the network effect. In reality, it means that someone who has no interest in being on Facebook is now the last to know about last-minute parties, new romances, even weddings and funerals. (We've all heard at least once: "Didn't you see my Facebook post?")

As the network effect deepens, and the majority speeds down its road toward a completely open second life in the virtual world, society must work to preserve the right of the minority's desire to stay private in the first life — not unlike efforts we make today to preserve rights of other minority groups, such as the handicapped, Acquisti said.

"Freedom means making sure people have the option to stay off the grid; the more people surrender, the deeper the network effect, the more the punishment for being disconnected," Acquisti says.

Click here for more...and be sure to read the parts about things you can do to protect your privacy!

Now let's get to the Time magazine piece by Joel Stein entitled Data Mining: How Companies Now Know Everything About You, which goes into more detail about HOW your data is mined and by whom:

The Creep Factor
There is now an enormous multibillion-dollar industry based on the collection and sale of this personal and behavioral data, an industry that Senator John Kerry, chair of the Subcommittee on Communications, Technology and the Internet, is hoping to rein in. Kerry is about to introduce a bill that would require companies to make sure all the stuff they know about you is secured from hackers and to let you inspect everything they have on you, correct any mistakes and opt out of being tracked. He is doing this because, he argues, "There's no code of conduct. There's no standard. There's nothing that safeguards privacy and establishes rules of the road." 

At Senate hearings on privacy beginning March 16, the Federal Trade Commission (FTC) will be weighing in on how to protect consumers. It has already issued a report that calls upon the major browsers to come up with a do-not-track mechanism that allows people to choose not to have their information collected by companies they aren't directly doing business with. Under any such plan, it would likely still be O.K. for Amazon to remember your past orders and make purchase suggestions or for American Express to figure your card was stolen because a recent purchase doesn't fit your precise buying patterns. But it wouldn't be cool if they gave another company that information without your permission. (See "Will FTC's 'Do Not Track' Go Even Further than Expected?")

Taking your information without asking and then profiting from it isn't new: it's the idea behind the phone book, junk mail and telemarketing. Worrying about it is just as old: in 1890, Louis Brandeis argued that printing a photograph without the subject's permission inflicts "mental pain and distress, far greater than could be inflicted by mere bodily harm." Once again, new technology is making us weigh what we're sacrificing in privacy against what we're gaining in instant access to information. Some facts about you were always public — the price of your home, some divorce papers, your criminal records, your political donations — but they were held in different buildings, accessible only by those who filled out annoying forms; now they can be clicked on. Other information was not possible to compile pre-Internet because it would have required sending a person to follow each of us around the mall, listen to our conversations and watch what we read in the newspaper. Now all of those activities happen online — and can be tracked instantaneously. 

Part of the problem people have with data mining is that it seems so creepy. Right after I e-mailed a friend in Texas that I might be coming to town, a suggestion for a restaurant in Houston popped up as a one-line all-text ad above my Gmail inbox. But it's not a barbecue-pit master stalking me, which would indeed be creepy; it's an algorithm designed to give me more useful, specific ads. And while that doesn't sound like all that good a deal in exchange for my private data, if it means that I get to learn when the next Paul Thomas Anderson movie is coming out, when Wilco is playing near my house and when Tom Colicchio is opening a restaurant close by, maybe that's not such a bad return. 

I deeply believe that, but it's still too easy to find our gardens. Your political donations, home value and address have always been public, but you used to have to actually go to all these different places — courthouses, libraries, property-tax assessors' offices — and request documents. "You were private by default and public by effort. Nowadays, you're public by default and private by effort," says Lee Tien, a senior staff attorney for the Electronic Frontier Foundation, an advocacy group for digital rights. "There are all sorts of inferences that can be made about you from the websites you visit, what you buy, who you talk to. What if your employer had access to information about you that shows you have a particular kind of health condition or a woman is pregnant or thinking about it?" Tien worries that political dissidents in other countries, battered women and other groups that need anonymity are vulnerable to data mining. At the very least, he argues, we're responsible to protect special groups, just as Google Street View allows users to request that a particular location, like an abused-women's shelter, not be photographed. (See the top 10 Twitter moments of 2010.)

Other democratic countries have taken much stronger stands than the U.S. has on regulating data mining. Google Street View has been banned by the Czech Republic. Germany — after protests and much debate — decided at the end of last year to allow it but to let people request that their houses not be shown, which nearly 250,000 people had done as of last November. E.U. Justice Commissioner Viviane Reding is about to present a proposal to allow people to correct and erase information about themselves on the Web. "Everyone should have the right to be forgotten," she says. "Due to their painful history in the 20th century, Europeans are naturally more sensitive to the collection and use of their data by public authorities." 

After 9/11, not many Americans protested when concerns about security seemed to trump privacy. Now that privacy issues are being pushed in Congress, companies are making last-ditch efforts to become more transparent. New tools released in February for Firefox and Google Chrome browsers let users block data collecting, though Firefox and Chrome depend on the data miners to respect the users' request, which won't stop unscrupulous companies. In addition to the new browser options, an increasing number of ads have a little i (an Advertising Option Icon), which you can click on to find out exactly which companies are tracking you and what they do. The technology behind the icon is managed by Evidon, the company that provides the Ghostery download. Evidon has gotten more than 500 data-collecting companies to provide their info.

They're not even moving that much faster with the generation that grew up with the Internet. While young people expect more of their data to be mined and used, that doesn't mean they don't care about privacy. "In my research, I found that teenagers live with this underlying anxiety of not knowing the rules of who can look at their information on the Internet. They think schools look at it, they think the government looks at it, they think colleges can look at it, they think employers can look at it, they think Facebook can see everything," says Sherry Turkle, a professor at MIT who is the director of the Initiative on Technology and Self and the author of Alone Together: Why We Expect More from Technology and Less From Each Other. "It's the opposite of the mental state I grew up in. My grandmother took me down to the mailbox in Brooklyn every morning, and she would say, 'It's a federal offense for anyone to look at your mail. That's what makes this country great.' In the old country they'd open your mail, and that's how they knew about you." (Comment on this story.)
Data mining, Turkle argues, is a panopticon: the circular prison invented by 18th century philosopher Jeremy Bentham where you can't tell if you're being observed, so you assume that you always are. "The practical concern is loss of control and loss of identity," says Marc Rotenberg, executive director of the Electronic Privacy Information Center. "It's a little abstract, but that's part of what's taking place."

The Facebook and Google Troves
Our identities, however, were never completely within our control: our friends keep letters we've forgotten writing, our enemies tell stories about us we remember differently, our yearbook photos are in way too many people's houses. Opting out of all those interactions is opting out of society. Which is why Facebook is such a confusing privacy hub point. Many data-mining companies made this argument to me: How can I complain about having my Houston trip data-mined when I'm posting photos of myself with a giant mullet and a gold chain on Facebook and writing columns about how I want a second kid and my wife doesn't? Because, unlike when my data is secretly mined, I get to control what I share. Even narcissists want privacy. "It's the difference between sharing and tracking," says Bret Taylor, Facebook's chief technology officer. 

Since targeted ads are so much more effective than nontargeted ones, websites can charge much more for them. This is why — compared with the old banners and pop-ups — online ads have become smaller and less invasive, and why websites have been able to provide better content and still be free. Besides, the fact that I'm going to Houston is bundled with the information that 999 other people are Houston-bound and is auctioned by a computer; no actual person looks at my name or my Houston-boundness. Advertisers are interested only in tiny chunks of information about my behavior, not my whole profile, which is one of the reasons M. Ryan Calo, a Stanford Law School professor who is director of the school's Consumer Privacy Project, argues that data mining does no actual damage. (See "How Facebook Is Redefining Privacy.")

"We have this feeling of being dogged that's uncomfortable," Calo says, "but the risk of privacy harm isn't necessarily harmful. Let's get serious and talk about what harm really is." The real problem with data mining, Calo and others believe, arises when the data is wrong. "It's one thing to see bad ads because of bad information about you. It's another thing if you're not getting a credit card or a job because of bad information," says Justin Brookman, the former chief of the Internet bureau of the New York attorney general's office, who is now the director of the Center for Democracy and Technology, a nonprofit group in Washington. (Comment on this story.)


In 1989 I augmented some technology at a major financial services company that would track offers made to prospects to become customers, and I remained involved in this industry for 16 more years. I can tell you that most activity of this kind is innocuous and for the most part designed to send targeted advertising offers that will make people happy. However, there definitely are darksides.  Identity theft. Social Security numbers are not supposed to be released except for bonafide activities such as evaluating credit risk.  I have to think it's a violation of law if a financial services company has released your credit card number to a marketing company.  Track down the source of your social security number residing at a marketing company and I believe you will find a violator.  In addition, marketing companies have no real business seeking your social security number so that should be outlawed.

Politics. Companies like Acxiom supply consolidated personal data to political campaigns so that politicians can craft targeted messages to various demographic groups.  Since there are no 'truth in politics' laws, messages that are crafted lies are another misuse of this data.

Consoildated personal data is also used by the FBI.  This can be bad or good depending the FBI's intentions.

I think you get the gist...check out the whole piece here.

While much of this kind of data mining is innocuous, and won't do any specific damage, I would still argue its important to give people more control, or better, force companies to get our permission (i.e. opt-in) before our information is bought and sold. I'd also point out, that by definition, the larger the amount of information about us is stored, the easier it will be to get stolen or accessed by those we don't want to. And finally, because this has been a mammoth post as it is, I worry, again, about the very meaning of privacy, and what the ramifications are of it dissolving completely.

As Bruce Schneier noted, “…lack of privacy shifts power from people to businesses or governments that control their information. If you give an individual privacy, he gets more power…laws protecting digital data that is routinely gathered about people are needed. The only lever that works is the legal lever...Privacy is a basic human need…The real choice then is liberty versus control.”

Wednesday, March 16, 2011

Cenk Uygur on Profits Over Airport Security...

I haven't been posting here as much as I'd like lately due to time constraints, so in the meantime check out this great clip of Cenk Uygur as he goes through how "security industry" lobbyists are influencing the debate over the use of airport body scanners (digital strip search machines). Its a few months old, and god knows I've made this point on this blog, but this is REALLY GOOD.

Welcome to the American revolving door between public officials and corporate America...and all those influence peddlers walking the halls of Congress with campaign cash in hand. The end result in this case is the expenditure of billions in taxpayer dollars on fear driven TSA body scanners that violate our privacy (with the choice of aggressive pat downs for those that choose that "option") while being grossly ineffective, intrusive, expensive, and unnecessary.

Thursday, March 10, 2011

Amidst Continued Opposition REAL ID Delayed - AGAIN

Before I get to the article in CNet News detailing the latest buckling by the Homeland Security Department on the privacy abomination that is REAL ID, let me give you a quick refresher course on the Act and the state revolt that it inspired.

The Real ID Act was approved by Congress - underhandedly as a rider I might add - and then signed into law by President Bush in 2005 as part of the government's effort to combat terrorism.

At the time, few lawmakers even knew what they were voting for, or necessarily supported the concept to begin with. Since that time the law has evoked widespread criticism from privacy advocates and civil rights groups, which say it would create a de facto national identity card system that would be hard to manage and even harder to secure. The law requires states to issue new licenses which are supposed to screen potential terrorists and identify illegal immigrants.

Since the law's enactment, at least 42 states have considered anti-Real ID legislation, and another 24 states have enacted anti-real ID bills or resolutions, and fourteen of those states have passed binding legislation prohibiting participation in the Real ID program. Five more states have already passed resolutions or statutes in 2009 - with Missouri likely becoming the next state to opt out of Real ID if its governor signs legislation currently before him.

Initially, States had until May of 2008 to implement Real ID, but the department extended that until Dec. 31, 2009. If they need more time and have met certain benchmarks, states can request an extension until May 11, 2011. Now that deadline has been moved back again!

This new federal identity document - REAL ID - would ostensibly be required of every American in order to fly on commercial airlines, enter government buildings, open a bank account, and more. The common reaction from citizens and states across the country has centered on the threat it would pose to individual privacy, the high costs states would incur to implement it, the increased danger of identity theft, and the possible loss of freedoms due to expanded government power.

As noted by the Electronic Frontier Foundation (EFF):

Once the IDs and database are in place, their uses will inevitably expand to facilitate a wide range of surveillance activities. Remember, the Social Security number started innocuously enough, but it has become a prerequisite for a host of government services and been co-opted by private companies to create massive databases of personal information. A national ID poses similar dangers; for example, because "common machine-readable technology" will be required on every ID, the government and businesses will be able to easily read your private information off the cards in myriad contexts.

For everything that's wrong with the REAL ID Act, check out the REAL NIGHTMARE site.

Now to the latest news. As I mentioned above, the law was set to take effect May 11. But, Homeland Security Secretary Janet Napolitano indicated last week that she plans to delay the deadline for states to comply until at least January 2013. House Republicans have been arguing that we need to implement the law sooner, rather than later, but lawmakers from both sides of the aisle, particularly on the Democratic side, have continued to aggressively oppose the law -  urging straight out repeal.

Unfortunately, we lost the most effective leader against REAL ID last election, Russ Feingold, but we still have Senators like Patrick Leahy, who was quoted last week as praising the decision to delay implementation, stating, "“I have made no secret of my disagreement with this policy, which was rushed through Congress with little debate or consideration. This law has saddled the states with enormous costs and burdened citizens with the prospect of what effectively would be a national identification card. When so many states are struggling with extremely difficult budget choices, the last thing they need is to think about how to pay for this unfunded federal mandate." 

Declan McCullagh reported on Cnet: 

The reason Homeland Security granted the delay is that, apart from some Republican stalwarts in Congress, this law creating a digital nationalized ID is hardly popular, with critics calling it a national ID card. A chart (PDF) updated last month by the National Conference of State Legislatures lists 16 states, including Arizona, Georgia, Oregon, and Washington, with laws forbidding them to comply with Real ID and 8 states, including Colorado, Hawaii, and Illinois, that have enacted resolutions effectively boycotting it.

Once the regulations take full effect, the impact on Americans would be dramatic: Residents of the 24 states mentioned above would not be able to simply use their driver's license to fly or to enter a federal building such as a courthouse, even for jury duty. U.S. passports or military IDs, however, would remain valid for identification.


Because Real ID links state DMV databases, establishes a standard bar code that can be digitally scanned, and mandates that original documents such as birth certificates be verified, backers claim the benefits extend beyond antiterror and ID fraud cases. (Extending it to firearm and prescription drug sales has not been ruled out.)

Homeland Security's announcement today carefully neglected to mention the state-by-state revolt against these federal mandates, with state governments citing privacy, federalism, and funding as reasons for their refusal to cooperate. One estimate puts compliance costs as high as $11 billion.


During the Bush administration, Homeland Security was an unabashed champion of Real ID. But under the Obama administration, the department has been far less effusive in its support of the law, and Napolitano has been quoted as talking about repealing Real ID in hopes of replacing it with something that "accomplishes some of the same goals." As Arizona governor, Napolitano signed a law forbidding the state from complying with Real ID. 

Click here to read more.

The REAL ID program has appeared to be dying a slow death from the steady drip of states voicing their opposition for a long time now. Unfortunately, an improved yet totally unacceptable version of the act was gaining steam in the Senate, no doubt buoyed by support from the President and Homeland Security Chief Janet Napolitano, called PASS ID. Little media attention has been given to this new proposal, or the threat it STILL would pose to an individual's right to privacy.

Many of us - including a broad privacy coalition that opposes Real ID - remain concerned that such a variation of the Act will end up being the "compromise" position. It's not so much what such a compromised ID program would do differently, its what it would have in common: the creation of a national identification card. Whether its PASS ID, REAL ID, or a variation of the two, each would still endanger victims of domestic violence by failing to adequately shield their addresses, raise fees associated with identification cards, expose consumers to identity theft and fail to improve our nation's security.

Do we really want to create a database with all of our personal information in it? 

Here's EFF's take on the larger issues associated with a national ID type it with increased safeguards or not:

Proponents seem to be blind to the systemic impotence of such an identification card scheme. Individuals originally motivated to obtain and use fake IDs will instead use fake identity documents to procure "real" drivers' licenses. PASS ID creates new risks -- it calls for the scanning and storage of copies of applicants' identity documents (birth certificates, visas, etc.). These documents will be stored in databases that will become leaky honeypots of sensitive personal data, prime targets for malicious identity thieves or otherwise accessible by individuals authorized to obtain documents from the database.

Despite some alterations to the scheme, PASS ID is still bad for privacy in many of the same ways the REAL ID was. And proponents of the national ID effort seem blissfully unaware of the creepy implications of a "papers please" mentality that may grow from the issuance of mandatory federal identification cards. Despite token provisions that claim to give states the freedom to issue non-federal identification cards, the card will be mandatory for most -- the PASS ID Act seeks to require everyone to show the federally recognized ID for "any official purpose," including boarding a plane or entering a federal building.

In other words, even as REAL ID has been delayed yet again, stay tuned for more alternative approaches that may be slightly more palatable, yet still unacceptable.

Tuesday, March 8, 2011

TSA Steps Up Intrusive Searches - Are Scanners in Public Spaces Next?

In my last post I wrote about some recent positive efforts underway to address what has become a major consumer rights and privacy controversy: airport body scanners ("digital strip search") and the subsequent more aggressive pat down alternative. Unfortunately, three stories caught my this week that indicate something more disturbing. I speak of the latest intrusive TSA security tactics being implemented in Seattle and the revelation that these body scanners and searches are being discussed for the larger public, not just airports.

As you know, I have written extensively on this topic. For my most detailed op-ed on the subject, you can check out my November op-ed in the California Progress Report entitled "A  Hobson's Holiday Travel Choice: Digital Strip Search or Get Groped" in which I explain the many reasons these airport body scanners and the subsequent aggressive pat downs for those that choose that "option", are grossly ineffective, intrusive, expensive, and unnecessary.

On that note, let's get right to the story in the Christian Science Monitor about recently discovered documents showing the TSA  tested similar body scanner technology at a commuter train station in New Jersey and signed contracts for more scanning in public places.

Samantha Murphy reports:

Public interest group Electronic Privacy Information Center (EPIC) published yesterday (March 2) a series of government contracts dated from 2006 to 2008 regarding the possible rollout new anti-terrorism technologies. The Department of Homeland Security’s Transportation Security Administration (TSA) has denied allegations of a public rollout of the technology.

"Transit systems are attractive and visible targets for terrorism because they carry large numbers of people in concentrated, highly repetitious, and predictable patterns that are designed for easy access," the 173-page document said.

The document, which was handed over through a Freedom of Information Act request (FOIA), detailed how backscatter X-ray scanners and video cameras would be tacked on to mobile vans that could scan city streets and intelligent tracking devices could be mounted on buildings and poles. This would be a part of "covert inspection of moving subjects" to monitor pedestrian body and eye movement.

The report also discussed how walk-through screening systems that use active millimeter wave technology would be set up in key locations. This is the same imaging technology currently causing a stir in U.S. airports due to privacy, effectiveness and radiation-related health concerns.


"These technologies are a gross violation of the Fourth Amendment, which guards against unreasonable searches, as travelers undergo a search without any suspicion of wrongdoing," EPIC staff counsel Ginger McCall said. "Whether or not this program has been rolled out or could be rolled out in the future, it needs to be shut down for good."

EPIC – which filed a lawsuit last year against the TSAhas been fighting to suspend backscatter and active millimeter wave technology at airport security checkpoints until concerns about their privacy protection, health effects, religious freedom ramifications and effectiveness are addressed. Court hearings will begin in Washington D.C. on March 9.

Click here to read more.

The USA Today expanded on these revelations, indicating that it was the Department of Homeland Security that was particularly interested in developing "covert body scans" of the public at large.

Thomas Frank reports:

The Homeland Security Department paid contractors millions of dollars to develop and study surveillance systems that could covertly track pedestrians and check under people's clothing with airport-style body scanners as they enter train stations, bus depots or major events, newly released documents show.


A $1.9 million contract with Rapiscan Systems, which makes airport body scanners, asked the company to develop similar machines for "covert inspection of moving subjects" and to find explosives on suicide bombers "through clothing, backpacks and other packages." The contract was signed in 2005.


In 2006, the department signed a $1.3 million contract with Northeastern University in Boston to test systems that could potentially "monitor and track individuals in a crowd." Northeastern studied video cameras, imaging equipment similar to body scanners and radar, which can spot people at a distance.

After receiving Northeastern's reports, Homeland Security decided against trying to develop a prototype machine, Whithorne says.

Using systems to covertly scan pedestrians "would be a clear violation" of laws against unreasonable searches, McCall says. "If you are walking down the street, this allows them to digitally strip-search you and rifle through your belongings without any sort of justification," she says.

Click here to read more.

The fact that there seems to be such intent on expanding, not reducing, the use of not only body scanner technology on the public (who have no reason to be under suspicion), doesn't surprise me of course, but it does send off alarm bells. The admittedly hackneyed term "slippery slope" certainly comes to mind when discussing technologies like these body scanners, same goes for the other "options" being looked into by the Department of Homeland Security, from video surveillance to GPS tracking.

These revelations only serve to validate the concerns of those of us that have fought to rid airports of these technologies and the accompanying aggressive and unreasonable searches. A line must be drawn, clearly.

And that leads me to the third story I wanted to share today. I found this article about the stepped up, and grossly intrusive baggage searches reported by airport passengers in Seattle.

The Seattle Times Reports:

"A lady in a TSA uniform came over, put on her rubber gloves and went up and down the rows of seats, choosing bags to go through,"

Morrison was stunned. She expected to be screened at the designated checkpoint area, or maybe at the gate, where the Transportation Security Administration sometimes randomly checks passengers as they board. This was different. "To me, it just felt like an illegal search performed by a police state," she said.


Is the TSA testing a more aggressive screening procedure in Seattle? I asked the agency.

"TSA officers at airports nationwide routinely screen passengers at the gate area using a variety of methods, including physically searching bags and using explosives detection technology," said agency spokesman Greg Soule. "This additional layer of security is part of our unpredictable approach to keep passengers safe and reduce the risk of dangerous items being carried on planes."

James Morrissey, a University of Illinois biochemistry professor and a frequent air traveler, prefers "intrusive security." "TSA has become a law unto itself, and it routinely tramples the civil rights of the flying public," he says. "Unfortunately, there will always be some people who will be perfectly OK with having their rights trampled in the name of security. But allowing this to happen is very disturbing to me."

Jeff Stollman, a security and privacy consultant in Philadelphia, is irked by "security theater" that offers no real protection against terrorism. "I suspect that a lot of the current controls don't really do that much to improve security," he said.


Supporters of the TSA's more aggressive screening measures point out that no one has to fly, and that Amtrak, Greyhound and personal vehicles are still available.

But similar security searches are now being conducted on trains and in other public areas, including random screenings of mass-transit riders in Washington, D.C., New York and Boston.

The TSA has also indicated that it wants to move the perimeter of aviation security screening beyond the airport, to checkpoints on the road, according to Chris Calabrese, an attorney for the American Civil Liberties Union. If these roving searches are tolerated within the terminal and are allowed to jump to the street, there's no telling what might come next. Conceivably, in the near future the TSA could set up roadblocks to randomly screen automobiles anywhere it pleases.

Click here to read more.

These random bag checks remind me of what's been happening to Metro riders in DC, Boston and New York. In fact, the American Civil Liberties Union has recently stepped up its opposition to Metro's random bag searches, starting a campaign against the new policy and beginning to fish for potential plaintiffs to challenge it in a lawsuit.

The local branches of the activist group said they are taking such steps because they were ignored when they asked to meet with Metro in December. Metro "is on a collision course with the ACLU and its partners," said Johnny Barnes, executive director of the D.C. chapter, as he stood in front of the transit agency's downtown D.C. headquarters. "And it could have been avoided."

University of the District of Columbia law school student Aisha Ching said Metro Transit Police Chief Michael Taborn told riders in a public forum that those who refuse to be searched will be observed, which amounted to being followed for exercising one's right to refuse.She also said having signs about the searches gives riders -- and potential terrorists -- the option to find another entrance or station, making the searches ineffective.  

It goes without saying all this reeks of a surveillance state gone mad. Do we really want to be monitored at all times? Do we want to give ANYONE the right to search us, our bags, and see our naked bodies, just to go on trains and plains...or worse?

As I wrote in my last post, you will find few credible security experts that will advocate for greater use of these machines. So before embracing this latest "terror fix" we would do well to remember that for every specific tactic we target with a new, expensive, and often burdensome security apparatus, the terrorist's tactics themselves will change. Risks can be reduced for a given target, but not eliminated. If we strip searched every single passenger at every airport in the country, terrorists would target shopping malls, trains or movie theaters instead.

As I always feel obliged to do when discussing this topic, let me quote noted security and privacy expert Bruce Schneier as he expounds on this "targeting tactics" strategy: "(it's) magical thinking...Descend on what the terrorists happened to do last time, and we'll all be safe. As if they won't think of something else."

He also had this to say about the body scanners: "I'm not impressed with this security trade-off. Yes, backscatter X-ray machines might be able to detect things that conventional screening might miss. But I already think we're spending too much effort screening airplane passengers at the expense of screening luggage and airport say nothing of the money we should be spending on non-airport security. On the other side, these machines are expensive and the technology is incredibly intrusive. I don't think that people should be subjected to strip searches before they board airplanes."

Perhaps most apt for today's revelations, he also summed up the false dichotomy too often offered the public between security and privacy, when he said, "If you set up the false dichotomy, of course people will choose security over privacy -- especially if you scare them first. But it's still a false dichotomy. There is no security without privacy. And liberty requires both security and privacy. The famous quote attributed to Benjamin Franklin reads: "Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety." It's also true that those who would give up privacy for security are likely to end up with neither.”

We would do well to remember these basic truths before we wind up waking up in a country in which everything we do is monitored, and the government, or private interests for that matter, has the right to violate the 4th Amendment at will, for no good reason, except that there's a "War on Terror". No thanks...