Wednesday, July 27, 2011

Is the Government Locational Tracking US Citizens Movements?

Is the government using cellular data to track Americans as they move around the U.S.?

That was the question posed to the Mathew Olsen - who is currently at the NSA and has been nominated to lead the National Counterterrorism Center - at his confirmation hearing Tuesday morning in the Senate Select Committee on Intelligence.

Now, one would expect, and certainly hope, that an immediate, forcefully delivered "no" came in response to that question. Unfortunately what we got instead was the acknowledgement that in fact, according to the general counsel of the National Security Agency, "There are certain circumstances where that authority may exist." Providing little more comfort, Olsen went on to say “it is a very complicated question” and that the intelligence community is working on a memo that will provide a better answer for the committee.

I addressed this concern, particularly as it relates to a provision of the Patriot Act, in my article "The Patriot Act and the Quiet Death of the US Bill of Rights". In it I wrote, "In other words, the precedent set by the Patriot Act appears to be serving to accelerate the rapid disintegration of civil liberties in this country.

Of equal concern is what we still don’t know about how the government might be using the Act, highlighted by recent statements made by US Senators regarding what they termed “secret Patriot Act provisions”. Senator Ron Wyden (D-OR), an outspoken critic of the recent reauthorization, stated, "When the American people find out how their government has secretly interpreted the Patriot Act they will be stunned and they will be angry." As a member of the Senate Intelligence Committee Wyden is in a position to know, as he receives classified briefings from the executive branch. 

In recent years, three other current and former members of the US Senate - Mark Udall (D-CO), Dick Durbin (D-IL), and Russ Feingold (D-WI) - have provided similar warnings. We can't be sure what these senators are referring to, but the evidence suggests, and some assert, that the current administration is using Section 215 of the Patriot Act - a provision that gives the government access to "business records" - as the legal basis for the large-scale collection of cell phone location records. 

The fact that in 2009 Sprint disclosed that law enforcement made 8 million requests in 2008 alone for its customer’s cell phone GPS data for purposes of locational tracking should only add to these legitimate privacy concerns

And that's not all. Back in 2009, the Washington Post reported that while serving as a U.S. attorney during the Bush administration, Christopher Christie tracked the whereabouts of citizens through their cell phones without warrants. The ACLU obtained these documents from the Justice Department in an ongoing lawsuit over cell phone tracking. While the documents reveal 79 such cases on or after Sept. 12, 2001, they do not specify how many of the applications were made during Christie's tenure.

Tracking without a warrant disregards an internal U.S. Justice Department recommendation that prosecutors obtain probable cause warrants before gathering location data from cell phones. Of the cases in which probable cause wasn't established, documents showed 19 allowed the most precise tracking available. Those cases occurred after the November 2007 Justice Department recommendation that prosecutors seek warrants.

So we know this has gone on before. Perhaps that's why Senators Wyden and Udall recently introduced an amendment to the Patriot Act (rejected) calling upon the Attorney General to publish a report in the Federal Register that details, without describing specific surveillance programs, the Department's "legal interpretations and analysis necessary to understand the United States Government's official interpretation of" FISA (Because Section 215 of the PATRIOT Act modified FISA, this may be aimed in part at clarifying the reach of Section 215.)

Wyden is also currently working on legislation that could become part of the chamber’s larger effort to set new rules for how and when federal law enforcement can access consumers’ location data. In fact, these Senators have been unusually focused on pushing for tighter rules on when, and under what circumstances, can the government track an individuals cell phone.

Of course all efforts to amend this provision and make the information public has been met by both the Obama and Bush administrations with fierce opposition, and classified briefings...meaning members those who are briefed are constrained from fully voicing their concerns, which make these Senators efforts and cryptic warnings all the more disturbing.
This is why these latest revelations, and Olsen's testimony, is so interesting...and telling.

For more on these hearings and the Olsen testimony check out this video:

Tuesday, July 26, 2011

New Privacy Protections for Library Patrons Coming to California

Some good news to report today. Thanks to a bill by State Senator Joe Simitian - recently signed by the Governor - new privacy protections for library users will take effect on January 1st. There are a lot of reasons why this extra layer of protection was needed - namely the digitization of books and the long record of Patriot Act violations of reader privacy. 

Because libraries were established before the advent of the internet, an individual’s interaction with the library outside of circulation was not protected under state law. It was this loophole that SB 445 will close.

As the San Mateo Daily Journal notes, "Until the bill takes effect, state law provides for limited privacy protection for “registration and circulation” records but is largely silent on privacy protection for the many online interactions a user has through public libraries, including items such a emails or text messages, online courses, computer research and online records of items checked out. Before the Internet, library requests were typically all oral or hand-written...Nowadays, however, librarians more frequently interact with their patrons electronically."


The law should help maintain a person’s medical privacy, for example, if inquiries are made to the library for certain conditions...The new privacy protection could also protect against potential stalkers...


Until the beginning of 2012, all emails, text messages or any other digital correspondence at the library is considered a part of the public record. That fact could potentially allow anyone to access the correspondence through a public records request, possibly exposing heaps of private and sensitive information to the general public.

It is essential to safeguard reader browsing, buying, and viewing of information that could reveal such private information - like political and religious beliefs, health concerns, and personal lives. Do we really want our reading history collected, analyzed, and turned over to the government or third parties without our knowledge or consent.

The concerns of privacy advocates are not hypothetical. Our country has a long history of government efforts to compel libraries and booksellers to turn over customer records and information. Why would anyone believe, particularly after the warrantless wiretapping scandal, that the government won't continue and expand this tactic?

Let me quote the Electronic Frontier Foundation's (a leading advocate for this legislation) Rebecca Jeschke , who wrote, "...the books we choose to read reveal private information about our political and religious beliefs or interests, our health concerns, our financial situation, and our personal and professional lives. Maintaining reader privacy is fundamental to the dignity of Californians, and this principle is well ensconced in state law.  However, with the market for digital books exploding, the law needs an update for the 21st Century.

In Florida, marketers and politicians were requesting email addresses from libraries," said Minow. "This was an awakening to me that we needed to update our laws in California."


A library is now more than just a place to check out books. Computer terminals dominate the floor where bookshelves once stood. Online classes are now replacing the traditional summer reading programs. In this digital environment, patrons' privacy rights were not always protected.

With the new types of interaction and activity between libraries and their patrons, there was no updated code or privacy law to reflect that. Each library had its own privacy regulations with the level of privacy afforded to patrons up to the discretion of the library. With Gov. Jerry Brown signing Simitian's bill into law earlier this month, there is now a uniform across-the-board approach providing full privacy to California library patrons.

Though there were some concerns in the Legislature that the bill would diminish the ability of law enforcement to retrieve library records, the measure was amended to ensure law enforcement would have continued access to all records under legitimate circumstances, such as a court order. Law enforcement will still need a search warrant to obtain library records.

And of course, there's the issue of digital books, which will store data that can include books browsed, how long a page is viewed, and even the electronic notes written in the margins. It's not hard to see the detailed portrait this could paint of your life. 

Thankfully, there's another bill in California that would provide privacy protections for digital book readers too. Without such legislative protection, you can imagine how tempting this information could be to the government or other litigants, like those involved in divorce cases, custody battles, or insurance disputes.

In the case of digital books, we're not talking about just another library - librarians utilize a different standards for dealing with user information than does the online world. Many libraries routinely delete borrower information, and organizations such as the American Library Association have fought hard to preserve the privacy of their patrons in the face of laws such as the U.S. Patriot Act.

Senate Bill 602 (Yee) would update privacy protections in the digital age by preventing the disclosure of information about readers from booksellers without a warrant in a criminal case or a court order in a civil case. It also requires booksellers to report the number and type of requests they receive to track government demands for reader information. Without such protections, we're talking about a virtual one-stop shop for government and third party "fishing expeditions into the personal details of our lives."

Again, these concerns are not hypothetical. In 2006, the U.S. attorney subpoenaed Amazon for the used book purchase records of over 24,000 customers in the course of a grand jury probe investigating a single individual.

The good news was a federal judge agreed that Amazon should not have to turn over this information about its customers, saying that if word spread over the Internet that the federal government was probing book purchase information, “the chilling effect on e-commerce would frost keyboards across America." 

The ACLU does a good job framing the issue in their Google Book search campaign: What you choose to read says a lot about who you are, what you value, and what you believe. That’s why you should be able to learn about anything from politics to health without worrying that someone is looking over your shoulder. The good news is that millions of books will be available for browsing and reading online. The bad news is that Google is leaving reader privacy behind. Under its current design, Google Book Search can monitor the books you browse, the pages you read, and even the notes you take in the "margins." Without strong privacy protections, all of your browsing and reading history could be collected, analyzed, and turned over to the government or third parties without your knowledge or consent.

Again, thanks to the Patriot Act's "sneak and peak" provision, for the first time in American history, FBI agents are authorized to conduct searches of homes and offices and confiscate your personal property without first notifying you of their intent or their presence. Similarly, the FBI now has the right to come to your place of employment, demand your personal records and question your supervisors and fellow employees, all without notifying you; allowed the government access to your medical records, school records and practically every personal record about you; and allowed the government to secretly demand to see records of books or magazines you’ve checked out in any public library and Internet sites you’ve visited. In fact, at least 545 libraries received such demands in the first year following passage of the Patriot Act.

In other words...this is a VERY REAL privacy that these bills at least begin to address.

Tuesday, July 19, 2011

Federal Appeals Court Rules in Favor of Digital Strip Search Machines

I've written extensively on the topic of the expanding use of airport body scanners ("digital strip search"). For my most detailed op-ed on the subject, you can check out my November piece in the California Progress Report entitled "A  Hobson's Holiday Travel Choice: Digital Strip Search or Get Groped" in which I explain the many reasons these airport body scanners and the subsequent aggressive pat downs for those that choose that "option", are grossly ineffective, intrusive, expensive, and unnecessary."

Not helping the argument for these scanners use are the hordes of security industry lobbyists seeking to pimp these out across the country through the usual fear tactics associated with our surveillance state. The end result in this case is the expenditure of billions in taxpayer dollars on fear driven TSA body scanners that violate American's privacy (with the choice of aggressive pat downs for those that choose that "option") while doing next to nothing to actually prevent terrorism (a miniscule likelihood in and of itself).

Unfortunately, last weeks a Federal Appeals Court ruled against the Electronic Privacy Information Center (EPIC) - which had asked the court to block usage of the devices — "of which 500 more are to be rolled out this year — on grounds that they are an unconstitutional privacy invasion, ineffective and unhealthy to airline passengers."
But, the news wasn't all bad. Wired Magazine has more:
The court said that, whether an administrative search is unreasonable, is a balancing test on how much it intrudes upon an individual’s privacy, and how much that intrusion is needed for the promotion of “legitimate” government interests.

That balance clearly favors the government here,” the court ruled 3-0. The court added that an “AIT scanner, unlike a magnetometer, is capable of detecting, and therefore of deterring, attempts to carry aboard explosives in liquid powder form.” The three-judge appellate panel did not address limited research suggesting that the machines might not detect explosives or even guns taped to a person’s body.

However, the appellate court, which is one stop from the Supreme Court, said that the Transportation Security Administration breached federal law in 2009 when it formally adopted the airport scanners as the “primary” method of screening. The judges said the TSA violated the Administrative Procedures Act for failing to have a 90-day public comment period, and ordered the agency to undertake one.

Judge Douglas Ginsburg, writing for the majority, said the TSA must allow for the 90-day notice-and-comment period because of the new “substantive obligations” on airline passengers. “It is clear that by producing an image of the unclothed passenger, an AIT scanner intrudes upon his or her personal privacy in a way a magnetometer does not. Therefore, regardless whether this is a ‘new substantive burden,’ the change substantively affects the public to a degree sufficient to implicate the policy interests animating notice-and-comment rulemaking, Ginsburg wrote.

Marc Rotenberg, the president of EPIC, the group that brought the challenge, said the decision means the “TSA is now subject to the same rules as other government agencies that help ensure transparency and accountability.” He said “Many Americans object to the airport body scanner program. Now they will have an opportunity to express their views to the TSA and the agency must take their views into account as a matter of law.”
Click here to read more.

Clearly its a good thing that the public will finally have at least a semblance of a "say" in all this - something denied from the outset. I find it interesting however that the court did not take into account the fact that these scanners DON'T WORK! I also would like the court to address the actual likelihood that someone will be killed while flying in a plane (a fraction of the chance you'll be hit by lightning) - or better, whether these scanners would have made any difference if one is killed?

I've always been rather amazed how little these questions ever seem to come up in this debate. You know, questions like the actual threat posed by a terrorist attack, and the actual effectiveness of these scanners to stop it? 

Here's a larger concern however. If we allow such technologies to be used in every airport on passengers that have done nothing to rouse suspicion, we should also wonder whether such usage will expand into other public spaces? A few months ago the USA Today expanded on this concern, indicating that it was the Department of Homeland Security that was particularly interested in developing "covert body scans" of the public at large.

The fact that there seems to be such intent on expanding, not reducing, the use of this body scanner technology on the public (who have no reason to be under suspicion) doesn't surprise me of course, but it does send off alarm bells. The admittedly hackneyed term "slippery slope" certainly comes to mind, just as other "surveillance state options" being looked into by the Department of Homeland Security, from video surveillance to GPS tracking.
As I have written here before, you will find few credible security experts that will advocate for greater use of these machines. So before embracing this latest "terror fix" we would do well to remember that for every specific tactic we target with a new, expensive, and often burdensome security apparatus, the terrorist's tactics themselves will change. Risks can be reduced for a given target, but not eliminated. If we strip searched every single passenger at every airport in the country, terrorists would target shopping malls, trains or movie theaters instead.

Add to these points the fact that these naked images of passengers seem to be everywhere, are easily stored and shared, and that big corporations that profit off our fear are lobbying hard for us to invest in them without proving they're worth the money, and it only becomes more apparent we should scrap them.

Fear is not a principle to build a healthy society around, particularly when those very fears are being magnified by those that have ulterior motives (including financial) for doing so.

Wednesday, July 13, 2011

The Year in Wiretapping and the FBI's Next Generation of Biometrics

I've written a lot in recent months about the FBI's insatiable appetite for power and our apparent willingness to give it to them. In my recent Patriot Act op-ed I detailed ALL THE WAYS in which the FBI has violated the civil liberties of American citizens for all kinds of purposes OTHER than "protecting" us from terrorism.

I also discussed the use of what are called National Security Letters (NSLs) – which allow the FBI, without a court order, to obtain telecommunication, financial and credit records deemed “relevant” to a government investigation. The FBI issues about 50,000 a year and an internal watchdog has repeatedly found the flagrant misuse of this power.

And, I have discussed new guidelines from the Justice Department will allow FBI agents to investigate people and organizations "proactively" without firm evidence for suspecting criminal activity. The new rules will free up agents to infiltrate organizations, search household trash, use surveillance teams, search databases, and conduct lie detector tests, even without suspicion of any wrongdoing.

All in all, its a pretty dismal report card for the health of the US Bill of Rights. Sadly, there's more to report.

Let me begin quickly with the latest op-ed from Julian Sanchez detailing what he termed The Year in Wiretapping. Essentially, it updates a lot of the data I cited in my article. So let's get to the piece to see how our phone line privacy fared last year.

Sanchez writes:

....the annual Wiretap Report was finally released by the Administrative Office of the U.S. Courts, fully two months behind schedule (the first time in over a decade it’s been so late). While we often focus on the growth of the surveillance state in the context of national security and the War on Terror—such as foreign intelligence wiretaps, which aren’t counted in this report—it’s clear that surveillance is on the rise for ordinary law enforcement purposes as well. State and federal investigators obtained 3,194 wiretap orders in 2010, an increase of 34 percent over the previous year, and a whopping 168 percent increase over 2000. Only one wiretap application was denied—which you can choose to take as evidence that law enforcement is extremely scrupulous in seeking applications, or that judges tend to rubber stamp them, according to your preferred level of paranoia....

The average wiretap order swept up the communications of 118 people
(since, of course, each individual target converses with many people, including many innocent people). If there were no overlap between wiretap orders, that would imply 376,892 people affected. Since it’s common for multiple orders to be sought as part of a single investigation, however, many of the same people are presumably being counted as having been caught under more than one wiretap order.  Even on the wildly charitable assumption that only a third of those were unique individuals, though, that  would still be well over 125,000 people spied upon, many innocent of any wrongdoing. 

Though such criminal intercepts are supposed to be “minimized” in realtime, to prevent the recording of innocent conversations, only 26 percent of intercepted communications contained incriminating material—which is to say, nearly three-quarters were innocent communications unrelated to criminal activity. (It’s possible some of these were partial intercepts discontinued once investigators realized the communication wasn’t pertinent—the report doesn’t make that clear.)

It’s worth bearing in mind here that the nature of wiretaps, as opposed to conventional physical searches, is that they always involve invading the privacy of somebody other than the target named in the warrant—indeed, as the numbers show, very many people. You have to wonder what we’d think if traditional physical search warrants permitted police to rifle through the belongings of dozens of innocent people for each genuine criminal.

Still, this invasive technique is still reserved for investigating the most serious violent crimes, right? Alas, no: For 84 percent of wiretap applications (2,675 wiretaps), the most serious offense under investigation involved illegal drugs. Further proof, if proof were needed, that privacy suffers enormous collateral damage in our failed drug war. Drugs have long been the reason for the vast majority of wiretaps, but that trend, too, is on the upswing: Drug cases accounted for “just” 75 percent of intercept orders in 2000.

In other words, as I wrote in my op-ed in describing Patriot Act abuses and the FBI, "Monitoring political groups and activities deemed “threatening” (i.e. environmentalists, peace activists), expanding the already disastrous and wasteful war on drugs, and spying on journalists isn’t about fighting terrorism, it’s about stifling dissent and consolidating power – at the expense of civil liberties. How ironic that the very “tool” hailed as our nation’s protector has instead been used to violate the very Constitutional protections we are allegedly defending from “attack” by outside threats. What was promised as a “temporary”, targeted law to keep us safe from terror has morphed into a rewriting of the Bill of Rights."

But wait...I'm STILL not finished. Now comes word, with special thanks to the Electronic Frontier Foundation's Jennifer Lynch, the FBI is pursuing what can only be called the next generation of Biometrics.

Before I get to some choice clips to Jennifer's article, let me refresh everyone on the concept of biometric identifiers - like fingerprints, facial, and/or iris scans. These essentially match an individual’s personal characteristics against an image or database of images. Initially, the system captures a fingerprint, picture, or some other personal characteristic, and transforms it into a small computer file (often called a template).

The next time someone interacts with the system, it creates another computer file
There are a number of reasons why such technological identifiers should concerns us.

So let's be real clear, creating a database with millions of facial scans and thumbprints raises a host of surveillance, tracking and security question - never mind the cost.

Privacy expert Bruce Schneier recently pointed out some of pro's and con's of a biometrics:

On the strength side, biometrics are hard to forge. It's hard to affix a fake fingerprint to your finger or make your retina look like someone else's. Some people can mimic voices, and make-up artists can change people's faces, but these are specialized skills.

On the other hand, biometrics are easy to steal. You leave your fingerprints everywhere you touch, your iris scan everywhere you look. Regularly, hackers have copied the prints of officials from objects they've touched, and posted them on the Internet. We haven't yet had an example of a large biometric database being hacked into, but the possibility is there. Biometrics are unique identifiers, but they're not secrets.

With that, let's get to the article by EFF. Lynch writes:

Last week, the Center for Constitutional Rights (CCR) and several other organizations released documents from a FOIA lawsuit that expose the concerted efforts of the FBI and DHS to build a massive database of personal and biometric information. This database, called “Next Generation Identification” (NGI), has been in the works for several years now. However, the documents CCR posted show for the first time how FBI has taken advantage of the DHS Secure Communities program and both DHS and the State Department’s civil biometric data collection programs to build out this $1 billion database.

Unlike some government initiatives, NGI has not been a secret program. The FBI brags about it on its website (describing NGI as “bigger, faster, and better”), and both DHS and FBI have, over the past 10+ years, slowly and carefully laid the groundwork for extensive data sharing and database interoperability through publicly-available privacy impact assessments and other records. However, the fact that NGI is not secret does not make it OK. Currently, the FBI and DHS have separate databases (called IAFIS and IDENT, respectively) that each have the capacity to store an extensive amount of information—including names, addresses, social security numbers, telephone numbers, e-mail addresses, fingerprints, booking photos, unique identifying numbers, gender, race, and date of birth. Within the last few years, DHS and FBI have made their data easily searchable between the agencies. However, both databases remained independent, and were only “unimodal,” meaning they only had one biometric means of identifying someone—usually a fingerprint.


So why should we be worried about a program like NGI, which the FBI argues will “reduce terrorist and criminal activities”? Well, the first reason is the sheer size of the database. Both DHS and FBI claim that their current biometrics databases (IDENT and IAFIS, respectively) are the each the “largest biometric database in the world.” IAFIS contains 66 million criminal records and 25 million civil records, while IDENT has over 91 million individual fingerprint records.

Once these records are combined into one database and once that database becomes multimodal, as we discussed in our 2003 white paper on biometrics, there are several additional reasons for concern. Three of the biggest are the expanded linking and tracking capabilities associated with robust and standardized biometrics collection systems and the potential for data compromise.

Already, the National Institute for Standards and Technology, along with other standards setting bodies, has developed standards for the exchange of biometric data. FBI, DHS and DoD’s current fingerprint databases are interoperable, indicating their systems have been designed (or re-designed) to read each others’ data. NGI will most certainly improve on this standardization. While this is good if you want to check to see if someone applying for a visa is a criminal, it has the potential to be very bad for society. Once data is standardized, it becomes much easier to use as a linking identifier, not just in interactions with the government but also across disparate databases and throughout society. This could mean that instead of being asked for your social security number the next time you apply for insurance, see your doctor, or fill out an apartment rental application, you could be asked for your thumbprint or your iris scan.

This is a big problem if your records are ever compromised because you can’t change your biometric information like you can a unique identifying number such as an SSN. And the many recent security breaches show that we can never fully protect against these kinds of data losses.

The third reason for concern is at the heart of much of our work at EFF. Once the collection of biometrics becomes standardized, it becomes much easier to locate and track someone across all aspects of their life. As we said in 2003, “EFF believes that perfect tracking is inimical to a free society. A society in which everyone's actions are tracked is not, in principle, free. It may be a livable society, but would not be our society.”

Click here to read more.

As Bruce Schneier noted, "One more problem with biometrics: they don't fail well. Passwords can be changed, but if someone copies your thumbprint, you're out of luck: you can't update your thumb. Passwords can be backed up, but if you alter your thumbprint in an accident, you're stuck. The failures don't have to be this spectacular: a voiceprint reader might not recognize someone with a sore throat, or a fingerprint reader might fail outside in freezing weather. Biometric systems need to be analyzed in light of these possibilities."

Let's hope that none of this leads to the requirement that ALL AMERICANS carry biometric ID'S at some point, particularly with the fingerprint or the iris as the biometric identifier.

The ACLU put together an excellent fact sheet on a variety of the privacy implications associated with biometric identifiers, including whether biometric images should be collected, which images should be collected (i.e. facial v. thumbprint scan), who has access to those images, and for what purposes being the preliminary privacy questions that should addressed to protect individuals’ constitutional right to privacy.

Similarly, as noted by Lynch, the ACLU also warns (now becoming a reality obviously), of the creation of dossiers about individuals and their activities in which a biometric identifier is used as a unique identifier to catalogue personal information about an individual - which would enable monitoring, tracking and surveillance of individuals. This concern applies to both the government and databrokers/private industry using the same biometric to gather information.

Also noted by the ACLU:

Threat to Anonymity and Anonymous Speech: likelihood rises of using facial recognition to identify and surveil innocent people just walking down the street or engaged in First Amendment protected speech on political or labor issues.

The Supreme Court has found that compelling an individual to disclose his or her political ideas or affiliations to the government deters the exercise of First Amendment rights. The right to anonymous speech, protest and leafleting are critical to our democracy.

o Perceived Infallibility and Inaccuracy: The concept that each of us is unique does not always translate into accurate biometric identification. Computer “matches” must be reviewed visually by people to confirm the accuracy. And, even then, errors are made.

Brandon Mayfield, the Oregon Attorney, was erroneously linked to the 2004 Madrid train bombings after his prints were misidentified and he was held by the FBI for two weeks, though he was never charged. His prints were “identified” through the Integrated Automated Fingerprint Identification System (IAFIS). IAFIS identified a few potential matches that were then reviewed by a fingerprint examiner and an outside experienced fingerprint expert.

Certainly more to come on this issue....

Tuesday, July 12, 2011

Murdoch Hacking Scandal Continues to Expand

Before I get started, here's an excellent interview of John Dean by Keith Olbermann regarding where this incredible scandal is heading...

I want to go straight to the excellent coverage of this growing privacy debacle by Think Progress. Of particular note, Carl Bernsteing has an OUTSTANDING article in Newsweek (entitled “Murdoch’s Watergate.”) essentially blowing the roof off the Murdoch/Fox empire.

As noted by Think Progress, Gordon Brown himself has now joined other members of his Labour Party, members of the royal family, victims of terrorism, murder, and their family members in being targeted with shady or allegedly illegal practices by the newspapers.

Here's more: "Much of the scandal has focused on Rebekah Brooks, the CEO of News International, who was previously editor of the News of the World and the Sun. It was Brooks who contacted the Browns in 2006 to tell them that she had obtained — likely in violation of privacy rules– records showing that their four-month-old son Fraser was suffering from cystic fibrosis. 

But while victims have demanded that Rebekah Brooks resign, Murdoch has given her an “extraordinary show of support,” taking her to dinner yesterday and saying she is his “top priority.”

But Murdoch may soon have bigger problems on his hands. Legal experts told the AP today that his company could face criminal prosecution in the U.S. for his U.K. papers’ alleged bribery of British police officers, which would be a violation of the Foreign Corrupt Practices Act (FCPA). According to the the Department of Justice, “The FCPA prohibits payments made in order to assist the firm in obtaining or retaining business.” 

Thus the papers’ use of bribery to obtain information which helped sell newspapers could fall under the act’s purview. And even though the bribery occurred entirely in Britian, NewsCorp is an American company, incorporated in Delaware, and held accountable for its foreign subsidiary’s actions. Even if the corporation wasn’t directly involved in bribery, it could be found in violation of the law for turning a “blind eye.”

The legal experts told the AP they would be surprised if the Securities and Exchange Commission and the DoJ have not already opened investigations into the matter and said the decision to shutter News of the World was potentially an attempt to limit Murdoch and NewsCorp’s legal exposure. 

NewsCorp is also the parent company of the Wall Street Journal and Fox News, which have largely ignored the scandal."

I'll get to this more in future posts, but suffice it to say, the Murdoch empire is by far the most destructive media/propaganda force in the world today, perhaps in history, just in terms of its reach and scope. I am extremely interested to see where this all leads....

Wednesday, July 6, 2011

Supreme Court Sides with Data Miners Over Prescription Privacy

Just when I think the Supreme Court can't top its disastrous recent record they out due themselves. Don't get me wrong, when it comes to the "privacy rights" of the government and big corporations, the Court's conservative majority come off as radically activist, pro-privacy extremists. But for some reason when it comes to the privacy rights of human beings, this same "pro-privacy" (for powerful interests) cabal resembles the gang who can't shoot straight (or that's read the Constitution).

So just when you thought this group couldn't come up with another twisted ruling designed to strip rights from the people and then "re-gift" them to corporate criminals and the government they (6-3) overrule Vermont's law (what about state's rights??) which prohibits pharmacies from selling information about prescriptions to data mining firms for marketing purposes.

That's right, in the warped, borderline fascist worldview now aggressively applied by the conservative majority on the Supreme Court (shockingly Justice Sotomayor ruled with them), the Vermont statute was ruled an unconstitutional limitation on the First Amendment rights of data mining companies. Got that? More important than YOUR privacy, and YOUR right to keep your most personal medical records private, is the right of corporations seeking to profit OFF your private information.

As EPIC points out, there was a strong dissenting argument written by Justice Stephen Breyer, and joined by Justices Ginsburg and Kagan, which stated that the Vermont statute was a reasonable regulation of commercial activity that did not significantly burden the free speech rights of data miners. Justice Breyer wrote, "[T]he prohibition is justified by the need to ensure unbiased sales presentations, prevent unnecessarily high drug costs, and protect the privacy of prescribing physicians."

EPIC also filed a "friend of the court" brief on behalf of 27 technical experts and legal scholars, as well as nine consumer and privacy groups, arguing that the privacy interest in safeguarding medical records is substantial and that the "de-identification" techniques adopted by data-mining firms do not protect patient privacy.

In fact, in January of this year, the LA Times editorialized, strongly, in favor of Vermont's law. A few key points in the piece are worth repeating now:

    IMS Health Inc. operates in the shadows of the healthcare industry, gathering data that drug makers can use to sell medications more effectively. The data, however, are taken from the prescriptions that doctors write for their patients. That information is at the heart of a dispute over how far states can go to protect privacy — a dispute that has reached the Supreme Court, and one that could broaden the reach of the 1st Amendment in troubling ways.

    IMS and a handful of market research competitors pay pharmacists for the details contained in prescriptions, including the name of the doctor and the patient, the drug prescribed and the dosage. They compile that information into databases that track individual doctors' prescribing habits, replacing patients' names with "de-identified" numbers. Such databases can be valuable to the public, potentially helping to enforce drug laws, find patterns in the spread of disease and spot variations in how medications are used. But the main use — and the one that pays for the databases — is to help pharmaceutical companies persuade physicians to prescribe more of their products.

    That's one of the reasons states across the country have proposed or enacted regulations governing prescription data mining. Drug makers hire legions of sales representatives to pitch physicians in person about new products and new applications for older medications. They pay market researchers millions of dollars for information on individual doctors' prescriptions because it helps them find sick people (chronically sick people in particular) who could be treated with their drugs or who are taking their competitors' medications.


     This month the Supreme Court agreed to consider Vermont's appeal, and we hope the justices will be guided by the dissent written by 2nd Circuit Judge Debra Ann Livingston. As Livingston noted, pharmacies obtain sensitive information about doctors and prescriptions only because the state orders them to gather it for law enforcement reasons. Otherwise, doctors and patients might insist that the data be kept confidential. That information is every bit as sensitive as a hospital chart or a doctor's notes, and should be subject to equally effective protection.

     Just because IMS doesn't supply patients' names to drug companies, that doesn't mean they can't be tracked individually. According to Meredith Jacob of the American University Washington College of Law, the databases assign unique numbers to pharmacies' customers that can be used to follow their prescriptions over time, helping drug makers spot the patients most likely to be customers for their new drugs and market those medicines to their physicians.

    What's worse, the data about prescriptions could conceivably be combined with other records to reveal some patients' names. That's because "de-identified" data may provide clues that enable it to be matched against names in other databases. In one example of this technique cited in a brief by the Electronic Privacy Information Center, a researcher was able to use public records to name more than a third of the supposedly anonymized victims in Chicago's homicide database.

In fact, I've written pretty extensively on this issue myself, as we were part of a coalition that stopped legislation in California that sought to lift such privacy protections that we enjoy here.

As I recently wrote, "The reality that our most private prescription drug records are not in fact private should be of increasing concern to consumers, legislators, and the courts - where the issue is now playing out.

So when you’re talking about efforts to sell private prescription drug records to third parties, so drug manufacturers can better target their products to you (often times in an invasive and dangerous way), its more than just the violation of privacy – it’s the products themselves that should also be of concern.

Recent studies indicate that a whopping sixty-five percent of the country takes a prescription drug. In 2005 alone, we spent $250 billion on them. Another 100,000 Americans die each year from prescription drugs — that’s 270 per day - more than twice as many who are killed in car accidents each day.

Unfortunately, thousands of patients die from prescribed mistakes too, but this study looked only at deaths where our present medical system wouldn’t fault anyone. Tens of thousands of people are dying every year from drugs they took just as the doctor directed. This shows you how dangerous medications are – and why, as you’ll see, privacy is paramount.

For Californians, the good news is we have stricter protections against the selling and sharing of our prescription records than just about any other state (aside from New Hampshire, Maine and Vermont).

It was just a couple years ago that we (Consumer Federation of California) actively opposed (and successfully) legislation that would have allowed the sharing of confidential patient drug prescription information among pharmacies, third party corporations and pharmaceutical companies without a patient's consent.

Californians rightly expect that their private medical records will be held in confidence by their doctors and pharmacists. But, if we had lost this fight, pharmacies could share prescription information with businesses that provide mailings to the patient – ostensibly reminders that patients should continue to take their medications. The reminder would appear to come from the pharmacy, but in fact it would be paid for by the drug manufacturer.

The bill's main backer, Adheris Inc., is a subsidiary of inVentiv Health Inc., a drug marketing company that was being sued for privacy breaches related to patient prescription records.

A patient’s doctor - not a third party marketing company - is the best source for informing a patient about how to manage his or her health condition. By intruding upon and confusing this relationship, this bill could have put patients’ health, as well as privacy, at risk.

For example, a physician might discontinue a prescription if a patient complained of an adverse reaction. Unaware of the changed course of treatment, the drug marketing company would continue sending reminders that appear to come from the drug store, urging the patient to keep taking the old prescription. The bill placed no liability on drug markets that provide bad information to patients.

The victory was an important milestone for California’s landmark medical records privacy law – a fight that is now playing out nationwide and in the Supreme Court.

The issue is a stark one: failing to protect prescription records would be a windfall for corporations seeking to track, buy and sell a patient's private medical records. This would represent a significant intrusion by pharmaceutical companies into the privacy of patients. By opening this Pandora's Box, consumers could wind up receiving mailings designed to look as if they came from the pharmacy yet conflict with what their pharmacist or doctor has recommended."

To conclude, here was EPIC's summary argument presented to the Supreme Court:

The Vermont Confidentiality of Prescription Information Law seeks to safeguard the privacy of prescribing information. This is a substantial state interest that is of even greater concern than the record below reveals. The “deidentification” technique adopted by the Respondents in this matter does not adequately safeguard the medical privacy of Vermont residents or the residents of other states whose personal prescribing information could be obtained by data-mining firms and subsequently sold to pharmaceutical companies. These records include the prescriber’s name and address; the name, dosage, and quantity of the drug prescribed; the date and location at which the prescription was filled; and the patient’s age and gender. The only missing element – the patient’s actual name – is concealed by a weak cryptographic technique that does not actually prevent reidentification of the patient by Respondent.

In such circumstance, the Vermont law, and the many other similar state confidentiality laws, seek to safeguard personal information that is without question among the most sensitive and most deserving of protection. Considering also that the state compels the collection of this information for public safety and research purposes, the subsequent disclosure for other unrelated purposes implicates a Constitutional interest in informational privacy.

Unfortunately, the Supreme Court, once again, ruled in favor of the profit interests of the powerful, rather than the privacy rights of the individual.