Privacy Revolt!

Supreme Court Rules Search Warrant Needed to Track People Using GPS

2012-01-24T11:32:00.000-08:00

The fourth amendment isn’t completely dead after all! Whilethis fundamental right to privacy is admittedly in tatters, theSupreme Court ruled yesterday that police must have a warrant in order to track someoneusing a GPS device.

The case in question involved police covertly tracking asuspected cocaine dealer's car usinga GPS device for an extended period of time without getting a warrant. Thequestion before the court largely centered on whether the constant, andextended, use of a secret GPS tracking device violated the Fourth Amendment’sprotection against unreasonable searches and seizures?

Or, is such use of these devices without a warrantacceptable on the grounds that there is no expectation of privacy when inpublic places and that such tracking technology merely makes public surveillanceeasier and more effective?

Clearly, a whole lot was riding on this decision for privacyadvocates. Citizens shouldn’t be concerned that trips to a friend's house, a place of worship, or a therapist's office can be tracked in real time by thegovernment.

Thankfully, in this case, the court agreed: attaching a GPSdevice to a car and tracking its movements is a violation of the FourthAmendment. Unfortunately, the government will likely continue to insist that trackingthe location of cell phones is unaffected by this ruling.

As previously laid out in an article in Wired Magazine,there is an important distinction between traditional surveillance and GPStracking: "Repeated visits to a church, a gym, a bar, or a bookie tell astory not told by any single visit, as does one’s not visiting any of theseplaces over the course of a month. The sequence of a person’s movements canreveal still more; a single trip to a gynecologist’s office tells little abouta woman, but that trip followed a few weeks later by a visit to a baby supplystore tells a different story."

Interestingly, though not surprising, the Court, while inunanimous agreement that a warrant is necessary, came to that conclusion fromvery different perspectives.

Certainly, the stand out Justice was Sonia Sotomayor, whowent much further than her colleagues on the issue of privacy in the digital age - even making a case for revision of the“third-party” doctrine (i.e. we lose Fourth Amendment protection when wedisclose certain information). She wrote, “More fundamentally, it may benecessary to reconsider the premise that an individual has no reasonable expectationof privacy in information voluntarily disclosed to third parties. This approachis ill suited to the digital age, in which people reveal a great deal ofinformation about themselves to third parties in the course of carrying outmundane tasks. People disclose the phone numbers that they dial or text totheir cellular providers; the URLs that they visit and the e-mail addresseswith which they correspond to their Internet service providers; and the books,groceries, and medications they purchase to online retailers.”

On the question of surveillance, she also distanced herselffrom Antonin Scalia’s narrow property rights argument (i.e. by installing thedevice police were violating the suspect’s private property), writing “…thesame technological advances that have made possible nontrespassory surveillancetechniques will also affect the Katz test by shaping the evolution of societalprivacy expectations. Under that rubric, I agree with Justice Alito that, atthe very least, 'longer term GPSmonitoring in investigations of most offenses impinges on expectations ofprivacy.'"

AsJulian Sanchez of the CATO institute noted, the ruling was a big victoryfor privacy advocates and the Fourth Amendment, writing, “This is a pretty bigdeal. Fourth Amendment scholars have been warning for decades—and withincreasing alarm—that modern communications technology could turnconstitutional privacy protections into an empty formality if we’re regarded aswaiving those protections whenever we “expose” information to a third party. Itis inherent to the nature of the Internet and mobile telecommunications, afterall, that almost everything we do online—and, increasingly, much that we dooffline as well—leaves a trace in the vast databases of one corporation oranother.

Sotomayor’s concurrence signals a recognition that we needto move beyond what privacy scholar Daniel Solove has called “The SecrecyParadigm,” which assumes that whatever is not totally secret (or very nearlyso) is effectively “public.” In other words, if your Internet provider has arecord of every Web site you visit, there’s no invasion of privacy when thegovernment decides to have a look at the list. At least one Justice, evidently,recognizes that this is an indefensible inference—and one hopes she’s notalone.”

Does Sotomayor's case against the third party doctrine have any significance for privacy advocates moving forward? TimothyB. Lee of ArsTechnica says yes, writing, “Sotomayor'sdiscussion of the third-party doctrine has no legal significance, since she wasthe only one to sign onto her concurrence. But it could prove to have greatersignificance in the long run. The existence of at least one justice who isskeptical of the doctrine will inspire privacy advocates to raise objections tothe idea in future cases. And one of those cases is likely to reach the highcourt at some point in the future.”

E-Health Records, Data Breaches, and Privacy

2012-01-12T15:05:00.000-08:00

Rather than re-inventing the wheel today, if you want some past posts I've done on electronic health records (EHR's) and the need for strict privacy safeguards that protect consumers, you can go here, here, or here. Generally speaking, I've made the following arguments: yes, this transition from paper to EHR's is inevitable and necessary; yes, such a transition does offer numerous benefits from cost effectiveness to better care; but, and this is a big but, what remains contentious - and rightly so - is the intrinsic threat a massive electronic database containing our most personal medical records poses to individual privacy and security.

Similarly, I have also documented, one medical records data breach after another, some due to hackers/identity thieves and some as a result of gross hospital incompetence and negligence (and more). In addition, I've detailed how states, like California for instance, are trying to create a set of privacy standards for these records that often means merging state rules and federal ones.

Given the lack of consistency, for instance, between California’s Confidentiality of Medical Information Act (CMIA) and the federal HIPAA (The Health Insurance Portability and Accountability Act), there is no single, comprehensive “rule” for the use and disclosure of health information in our state.

Thus the debate taking place over what kind of privacy standards and protections should apply to EHR’s centers around a few core principles: accountability among parties involved in processing electronic transactions, consumer control over how their information is shared and the availability of access to it, transparency (so anyone who accesses files is recorded and made available to the consumer if desired), and system security to ensure a patients private information is protected from identity thieves, overzealous law enforcement, or unwanted marketers.

Now that I've briefly gone over some of the general fundamentals of this very complex issue, I want to discuss two articles that have come out in the past week or so, one about the UC Regents dragging its feet in the lawsuit against it for a medical records data breach at the UCLA Health System, and the other, a MUST READ from the Los Angeles Times Michael Hiltzik entitled (apt for this blog), "Her case shows why healthcare privacy laws exist."

I want to bring these up because they demonstrate, particularly the Los Angeles Times piece, WHY the work that, in California for instance, CalOHII (State of California Office of Health Information Integrity) is doing to come up with ironclad privacy protections for the state to adopt is so important (full disclosure: I'm on the privacy steering committee).

Let's begin with Hiltzik's piece because it truly blows the mind, and brings home why this MATTERS. He writes:

Of all the personal information that you might want to keep private, your medical records are the most important. That's why federal and state laws carry stiff penalties, up to and including jail time, for healthcare providers who let such data loose into the wild.

So you should be aghast at how free and easy Prime Healthcare Services and two executives at Prime-owned Shasta Regional Medical Center have been with the medical chart of a patient named Darlene Courtois. They showed the entire chart to an editor of her hometown newspaper, and Prime's corporate office divulged some of her medical examination results to me (though I didn't ask for them). They didn't have her permission for those disclosures, her daughter says.

...

Here's what state and federal laws have to say: A hospital can't disclose a patient's medical information publicly, such as to a newspaper, without the patient's written authorization. The authorization has to be very specific, designating exactly which records may be disclosed and to whom.

The applicable laws are the federal Health Insurance Portability and Accountability Act of 1996, which is known as HIPAA, and the 2008 California Confidentiality of Medical Information Act. The covered records include any information about an individual's "past, present or future physical or mental health or condition," and "the provision of health care to the individual." (The language comes from the federal government's published privacy rule summary.)

There are a few limited circumstances in which a healthcare provider doesn't need permission. Chiefly these fall into the categories of "treatment, payment and healthcare operations" — in other words, charts can be seen by doctors treating the patient or insurers paying for care, or in connection with hospital functions such as evaluating doctors' competency — and regulatory activities or subpoenas.

...

Under the law, there's no such thing as an implied authorization by a patient for disclosure of personal records, said Linda Ackerman, a San Francisco expert in privacy law.

The office of civil rights of the U.S. Department of Health and Human Services, which enforces HIPAA, put it this way: "There is no 'waiver' that would apply to the release of a chart or medical record to the media without an individual's written authorization."

Several experts told me it doesn't matter if the hospital was trying to contradict misinformation provided by a patient (even if that's what Courtois did, which is debatable). Under the law, patients themselves can divulge anything they wish about their medical conditions and their treatment by a hospital. But a hospital's obligation is to keep its mouth shut. A desire to deflect bad PR is not an excuse. Even if they think they're in the right, the law says healthcare providers have to suffer in silence, the experts say.

Anthony Wright, executive director of the statewide patient advocacy group Health Access California, also mentioned the "chilling precedent" of a hospital company exposing a patient's personal information just because she criticized the company in public. Indeed, the lesson of the Courtois case is clear: Give an interview about your experience at a Prime-owned hospital, and don't be surprised if the hospital responds by exposing the most private details of your medical history to the world.

Click here for more.

I would have to say, in addition to the blatant disregard for the privacy, and the RIGHTS of Darlene Courtois demonstrated by Prime, I find Anthony Wright's point on this serving as a "chilling effect" against patients who may speak out, to be of particular concern. I say this because all too often, as a consumer advocate, industry's from chemical to big pharma to big oil, and on down the line, we see intimidation, obfuscation, and in fact, a factoring in of the damage they cause people and the planet into their business model. I would HATE to think that EHR's could serve as yet one more tool to protect these kinds of corporate interests from proper justice and accountability.

My sense is, that in the case of Prime, its so egregious, there will be accountability, and this chilling effect will not take root. But, that is why I brought up the issue of factoring in the cost of the damage these corporate interests do into their business model: will the damages Prime faces outweigh the benefits, they, and other vultures like them, feel they might get from such intimidation?

This also is why, as Hiltzik rightly states in the articles title, "Her case shows why health care privacy laws exist", and why, INCREASED privacy protections, and increased accountability and enforcement, are also necessary...and must also exist.

On a similar note, let's look at the case of the UCLA Health System data breach and the lawsuit against it (remember, as I pointed out in a recent post, hospitals are NOT doing their job, and spending the required resources to protect these EHR's to date). As the Daily Bruin reports:

The UCLA Health System reported in November 2011 that a hard drive containing more than 16,000 patients’ information had been stolen from the home of a UCLA physician on Sept. 6, 2011.

Social Security numbers and financial information were not among the documents stolen, but they did include first and last names and may have contained birth dates, medical record numbers, addresses and medical record information, according to the Health System’s statement.

The lawsuit claims the September incident was a violation of the California Confidentiality of Medical Information Act, in place to protect the privacy of patients’ personal histories and information. The suit is calling for $1,000 in damages for each patient on the hard drive. The total cost of the suit for the Health System could amount to as much as $16 million, including the legal fees associated with the case.

...

While storing information online is an increasingly common practice, and can certainly coexist with patient privacy rights, the potential for data breach is significantly higher than a paper-based system, said Tena Friery, research director at the Privacy Rights Clearinghouse, a national nonprofit organization focused on consumer privacy protection.

She also cited a 2011 study revealing that 71 percent of health care organizations had suffered a data breach in the last year.

Kabateck was also involved in a case concerning similar violations against Stanford University’s Hospital and Clinics late last year, filed on behalf of 20,000 patients whose information was released onto a public website through a third party.

Click here to read more.

Obviously, this brings me back to the same key points at the article before it...how do we prevent this MASS amounts, in some cases (as in Prime), intentional, data breaches from occurring? This, my friends, is serious business. And, as such, I would urge we seek and demand adequate penalties against those responsible for such breaches to ensure they don't keep happening going forward. This means BOTH privacy standards AND enforcement/security/accountability.

As I wrote in past posts, "If medical records fell into the wrong hands at worst they could be used for a host of purposes unrelated to improving your health: advertisers might flood our email inboxes with even more spam and patients may not feel so comfortable having an honest conversation with their doctor if it could end up for all to see. This treasure trove of personal information would also be a goldmine for insurance companies, drug companies, data mining companies, and software companies....

When it comes to the issue of e-health records certainly one question the consumers should ponder is "Where is my data and who has access to it and for what purposes?" Or perhaps even more importantly, "can my private data be traced back to me personally and sold to others?"...Clearly, what is MORE than clear now is that we need MORE attention paid to privacy, not less...and that means taking a bit more time to get this new system up and running...and more care given to the rights of patients...not hospitals, not suppliers, not the government, and not any other interest looking to profit off this transition. We can have BOTH privacy and a more efficient medical records system...there's no need to sacrifice one for the other.

Congress and FBI Seeking to Expand Use of Biometric Identifiers

2012-01-09T13:20:00.000-08:00

A few months back Iposted a pretty extensive blog on Facial Recognition technology and thethreat it poses to individual privacy. As I've done in the past, because I know not everyone can readevery post, I'll repeat a few of my thoughts here today before I get to anoutstanding piece by Tana Ganeva of Alternet not JUST about the massive FBI database- the "largestbiometric database in the world," - containing records forover a hundred million people, but also the agency's plans for NextGeneration Identification (NGI), “a massive, billion-dollar upgrade that willhold iris scans, photos searchable with face recognitiontechnology, palm prints, and measures of gait and voice recordingsalongside records of fingerprints, scars, and tattoos. - particularly inthe workplace (which is especially disturbing).”

For some backdrop on biometrics, you can check out a past post I did aboutanother article by Tana, entitled 5Unexpected Places You Can Be Tracked With Facial Recognition Technology. AsI wrote then, this issue has particular interest to me due to California's recent fight that we (Consumer Federation of California) were deeply involved in - whether biometricidentifiers should be used by the DMV (we were able, with a host of other groups, to stop them).

As for thelarger concern over facial recognition technology, groups from the PrivacyRights Clearinghouse (PRC) to the ACLU to the Electronic Frontier Foundation toEPIC have all been very active in making the case that there is a very realthreat to privacy at stake in determining just how, and when, this technologycan be used.

Again, going back to a prior post, I wrote: "First, let me refresh everyone on the concept of biometric identifiers - like fingerprints,facial, and/or iris scans. These essentially match an individual’spersonal characteristics against an image or database of images. Initially, thesystem captures a fingerprint, picture, or some other personal characteristic,and transforms it into a small computer file (often called a template). Thenext time someone interacts with the system, it creates another computer file.

There are a number of reasons why such technological identifiers shouldconcerns us. So let's be real clear, creating a database with millions offacial scans and thumbprints raises a host of surveillance, tracking andsecurity question - never mind the cost. And as you might expect, suchidentifiers are being utilized by entities ranging from Facebook to the FBI. Infact, the ACLU of California is currently asking for information about lawenforcements’ use of information gathered from facial recognition technology(as well as social networking sites, book providers, GPS tracking devices,automatic license plate readers, public video surveillance cameras)."

But for today’s sake, let’s hone in on the articles by Tana Ganeva in Alternetentitled 5 Things You Should Know About the FBI's Massive New Biometric Database,as well as a piece by the Cato Institute detailing all the ways Congress iscurrently, and aggressively, pushing biometric identifying technologies.

First, let me list the bills, asidentified in the Cato piece that all seek to expand and promote these technologies:

A Reauthorization and Reform Act of 2011, has passed theHouse and awaits action in the Senate. It says that “improved pilot licenses”must be capable “of accommodating a digital photograph, a biometric identifier,and any other unique identifier that the Administrator considers necessary.”
H.R. 1690, the MODERN Security Credentials Act, establishesthat air carriers, airport operators, and governments may not employ or contractfor the services of a person who has been denied a TWIC card. “TWIC” stands for“Transportation Worker Identity Card,” the vain post-9/11 effort to securetransportation facilities from bad people. TWIC cards use biometrics.
The Army deploys biometrics. Public Law 112-10, the Department of Defense and Full-YearContinuing Appropriations Act, 2011 (cost per U.S. family: $13,500+) allowedspending on Army field operating agencies “established to improve theeffectiveness and efficiencies of biometric activities and to integrate commonbiometric technologies throughout the Department of Defense.”
H.R. 1842 is an immigration bill called the Development,Relief, and Education for Alien Minors Act of 2011. (Senate version: S.952) It would allow an otherwise qualified immigrant to get conditionalpermanent resident status only after submitting biometric and biographic datafor use in security and law enforcement background checks.
S. 1258 does roughly the same thing with regard to any lawfulimmigration status. This bill is called the Comprehensive Immigration ReformAct of 2011, one of many attempts at comprehensive reform. In addition torequiring immigrants to submit biometrics, it also requires the government toissue “documentary evidence of lawful prospective immigrant status” thatincludes a digitized photograph and at least one other biometric identifier.The bill would also reinforce the use of biometrics in employer backgroundchecks and at the border.
H.R. 2463, the Border Security Technology Innovation Act of2011, calls for continued study of mobile biometric technologies at the border.The Under Secretary for Science and Technology of the Department of HomelandSecurity would coordinate this research with other biometric identificationprograms within DHS.
H.R. 2895, the Legal Agricultural Workforce Act, wouldcreate a nonimmigrant agricultural worker program. In the program eachnonimmigrant agricultural worker would get an identification card that containsbiometric identifiers, including fingerprints and a digital photograph.
S. 1384, The HARVEST Act of 2011, is similar. In providingfor the temporary employment of foreign agricultural workers, it calls for “asingle machine-readable, tamper-resistant, and counterfeit-resistant document”that verifies the identity of the alien through the use of at least onebiometric identifier.
H.R. 3735, the Medicare Fraud Enforcement and PreventionAct of 2011, would establish a biometric technology pilot program. Thefive-year pilot program would use biometric technology seeking to ensure thatMedicare beneficiaries “are physically present” when receiving items andservices reimbursable under Medicare. How many biometric scanners would have tobe out there for that to work?
S.744, the Passport Identity Verification Act, calls on the Secretary ofState to conduct a study into whether people applying for or renewing passportsshould provide biometric information, including photographs that facilitate theuse of facial recognition technology.
…S. 1604, the Emergency Port of Entry Personnel andInfrastructure Funding Act of 2011, establishes a grant program in which theDepartment of Homeland Security would give cash out to state and local law enforcementfor the purchase of various technologies including “biometric devices.”

Clearly, biometrics is on the “to do” list of our Congress.But it gets worse, and that’s where the FBI’s massive database, and its plansto expand it, comes in.

AsTana Ganeva illustrates:

NGI will expand the type and breadth of information FBIkeeps on all of us," says Sunita Patel of the Center for ConstitutionalRights. "There should be a balance between gathering information for lawenforcement, and gathering information for its own sake."

Here are 5 things you should probably know about NGI:

1. Face Recognition

This month, the FBI is giving police departments in 4 statesaccess to face recognition technology that lets them search the agency'smugshot database with only an image of a face. Police can repay the favorby feeding the FBI mugshots they collect from local arrests, bulking up theagency's database with images of more and more people.

…

2. Iris Scans

Iris-scanning technology is the centerpiece of thesecond-to-last stage in the roll-out of NGI (scheduled for sometime before2014). Iris scans offer up several advantages to law enforcement, both interms of identifying people and fattening up databases.

The pattern of an iris is so unique it can distinguishtwins, and it allegedly stays the same throughout a person's life. Likefacial recognition, iris scans cut out the part where someone has to bearrested or convicted of a crime for law enforcement to grab a record of theirbiometric data.

…

3. Rap-Back System

A lot of the action in the FBI's fingerprint database is inbackground checks for job applicants applying to industries that vet forcriminal history, like taking care of the elderly or children, hospital work,and strangely, being a horse jockey in Michigan. As Cari Athens, writing forthe Michigan Telecommunications and Law Review points out,if a job applicant checks out, the FBI either destroys the prints or returnsthem to the employer. But that's no fun if the goal is to collect vast amountsof biometric data!

…

4. Data Sharing Between Agencies

The roll-out of NGI advances another goal: breaking downbarriers between databases operated by different agencies. One of thedirectives of the billion-dollar project is to grease information swappingbetween the Department of Homeland Security, the State Department, theDepartment of Justice, and the Department of Defense. The DOJ and DHS haveworked toward "interoperatibility" between their databasesfor years. In 2009, the Department of Defense and DOJ also signed onto an agreement to share biometric information.

…

5. NGI and Secure Communities (S-Comm)

One recent test run in interagency data-sharing has not goneparticularly well: Secure Communities, a DHS program that lets local lawenforcement officials run the fingerprints of people booked in jails againstthe IDENT database to check their immigration status and tip off ICE toundocumented immigrants.

Like many policies targeting America's immigrant population,Secure Communities (S-Comm) -- pitched as protection against violent criminals-- devolved into dragnets and mass deportations, with people gettingdragged in for minor offenses like missing business permits and even forreporting crimes. In one incident a woman called the police about adomestic violence incident, only to be ensnared in deportation proceedingsherself. As Marie Diamond points out in ThinkProgress, DHS's immigration databases have so many errors that the program"routinely flags citizens as undocumented immigrants."

…

What could possibly go wrong?

Advancements in the collection of biometric data aredouble-edged: there's the threat of a massive government surveillanceinfrastructure working too well -- e.g., surveillance state-- and there are concerns about its weaknesses, especially in keeping datasecure.

A breach of a sophisticated, multi-modal biometric databasemakes for a nightmarish scenario because the whole point of biometric data isthat it offers unique ways to ID people, so there's no easy fix -- like a passwordchange -- for compromised biometric data. Pointing to the dangers ofidentify theft of biometric data, Patel observes that, "Unlike a password,the algorithm of an iris can't be changed."

Read more here.

As I have often stated, "What concerns me iswhat are the side effects of living in a society without privacy. Where are weleft when the power of corporate or government interests to monitor everythingwe do is absolute?

Whether its the knowledge that everything we do on the internet is followed andstored, that we can be wiretapped for no reason and without a warrant orprobable cause, that smart grid systems monitor our daily in home habits andactions, that our emails can be intercepted, that our naked bodies must beviewed at airports and stored, that our book purchases can be accessed (particularlyif Google gets its way and everything goes electronic), that street cornercameras are watching our every move, and that RFID tags and GPS technologyallow for the tracking of clothes, cars, and phones (and the list goeson)...what is certain is privacy itself is on life support in thiscountry...and without privacy there is no freedom. I also fear how such asurveillance society stifles dissent and discourages grassrootspolitical/social activism that challenges government and corporate power...somethingthat we desperately need more of in this country, not less."

Electronic Health Record Data Breaches Surge

2011-12-22T10:12:00.000-08:00

Most of us have come to the obvious, inevitable realization that we are going to shift (and in fact are doing so right now) what are currently called personal health records from a paper system to an electronic one. Having your medical records computerized and stored electronically promises to reduce medical errors - including prescribing the wrong medications. The National Academy of Sciences' Institute of Medicine estimates between 44,000 and 98,000 people in the United States die each year because of errors such as being prescribed medicine to which they are allergic.

These EHR’S offer an easier way to collect, double-check and complement the information you receive from your physician. At the very least, your records can help you speed through waiting room forms and prompt important conversations with your physicians. If your doctor writes a new prescription, you can use your current medication list to ask about any interactions with the new drug. Or if your records suggest it’s time for a colonoscopy, you might make time to discuss the pros and cons of the procedure.

EHR’S can also allow you to access your health information to prepare for medical appointments. As laid out by Patient Privacy Rights, "It can enable you to communicate better with your healthcare providers about your medical needs. People with chronic health conditions may use them to keep track of such things as how their medications are affecting them, or how they’re feeling from day to day. People with hypertension might want use it to track their blood pressure readings."

Transitioning to a health information exchange will create much more patient data in electronic formats than ever before in history. The privacy threat posed by the interoperability of a national network is a key concern because in order for the records to be readily available and accessible they would have to be linkable and searchable.

If medical records fell into the wrong hands at worst they could be used for a host of purposes unrelated to improving your health: advertisers might flood our email inboxes with even more spam and patients may not feel so comfortable having an honest conversation with their doctor if it could end up for all to see. This treasure trove of personal information would also be a goldmine for insurance companies, drug companies, data mining companies, and software companies.

I give you this backdrop because we are witnessing increasing numbers of data breaches that are exposing - on a mass level - peoples personal health records.

Before I get to the latest news on partly why these breaches are occurring (hospitals skimping on their security costs), let me layout some of the data and its costs we ALREADY knew about:

More than 11 million consumers have had medical data stolen or inappropriately disclosed since September 2009, and the privacy breaches are expected to rise as more health information is put online, according to the report released today by the New York-based accounting firm’s health research institute.
While the report didn’t specify how many security thefts were carried out by insiders, 40 percent of surveyed providers reported an incident of improper internal use of protected health information during the past two years.
Health organizations notified approximately 5.4 million individuals affected by patient health data breaches in 2010, compared to approximately 2.4 million individuals in 2009.
HHS' latest report to Congress revealed that in 2010 theft was the most common cause of large breach incidents that affected 500 or more individuals. Among the 207 breaches that covered entities such as healthcare providers, health plans, and healthcare clearinghouses reported last year, 99 incidents involved theft of paper records or electronic media, combined affecting approximately 3 million individuals.
In 2010, the second highest number of data breaches involved the loss of electronic media or paper records, with 33 reported cases that affected more than 1 million individuals. There were 31 breaches that involved unauthorized access to, or uses or disclosures of, protected health information that affected approximately 1 million individuals. Other breaches included 19 incidents resulting from human or technological errors that affected approximately 78,663 individuals. Eleven covered entities reported breaches caused by the improper disposal of protected health information that affected approximately 70,000 individuals.

Now that we've gone over just a few of the reasons why this is all so important, and why concerns articulated by privacy advocates that STRICT privacy safeguards, at every step of the transition process must be implemented have been proven true, lets get to some of the reasons WHY such breaches are occurring.

As Business Week reported:

Data breaches at U.S. health-care providers are increasing as hospitals adopt electronic medical records and mobile technology without spending enough on security to ensure patient privacy, a research group said.

The frequency of data breaches at health organizations jumped 32 percent in 2011 from a year earlier, costing the industry an estimated $6.5 billion, according to a study released today by the Ponemon Institute LLC, a Traverse City, Michigan-based information-security research group.

Forty-nine percent of health organizations said that lost or stolen devices were to blame for breaches, according to the institute, which surveyed 72 hospitals and health providers. The study didn’t name the organizations surveyed.

...

Fifty-three percent of the organizations surveyed said that inadequate funding was the biggest barrier to preventing data breaches, according to the study.

U.S. data-breach notification laws for health organizations are making providers more aware of their security vulnerabilities, Ponemon said. Data breaches affecting more than 500 people must be reported to the Health and Human Services Department, which posts a list of incidents on its website.

Health providers, insurers and their business partners reported 373 breaches affecting almost 18 million individuals between September 2009 and October of this year, according to the list, which is tended by the Health and Human Services Department’s Office of Civil Rights.

In fact, the Privacy Rights Clearinghouse listed the now notorious Sutter Health data breach as one of the largest of the year. Amber Yoo, the organization's Communications Director recently wrote in the California Progress Report, "Sutter Physicians Services (SPS) and Sutter Medical Foundation (SMF) (Nov. 16) - A company-issued desktop computer was stolen from SMF's administrative offices in Sacramento, California, during the weekend of October 15th. Although the data was password protected, it was not encrypted. Approximately 3.3 million patients whose health care provider is supported by SPS had their names, addresses, dates of birth, phone numbers, email addresses, medical record numbers and health insurance plan name exposed. An additional 934,000 SMF patients had dates of services and description of medical diagnoses and/or procedures used for business operations, bringing the total to 4.2 million patients. At least two lawsuits have been filed against Sutter Health. One class-action suit alleges that Sutter Health was negligent in safeguarding its computers and data, and then did not notify the millions of patients whose data went missing within the time required by state law....The security lapse occurred on two levels: both the data itself (being unencrypted) and the physical location (stored in an unsecure location). Although no Social Security numbers or financial information were apparently exposed, all the data elements needed for medical identity theft were included in the stolen records.

In addition, Amber points out another massive breach, writing, "Nine data servers containing sensitive health information went missing from Health Net's data center in Rancho Cordova, California. The servers contained the personal information of 1.9 million current and former policyholders, compromising their names, addresses, health information, Social Security numbers and financial information. Not only was Health Net the first massive medical breach of the year, but the company waited three months before notifying affected individuals. The servers were discovered missing in January, but policyholders were not notified until March. The breach highlights the importance of timely notification."

The good news, as if there is any in all this, is that California recently implemented one of the strongest data breach notification laws in the country - one we here at the Consumer Federation of California worked hard to pass the legislature and convince Governor Brown to sign. Now, thanks to the law, any breached entity must submit their notice letters to the California Attorney General. The AG's office will then post the letters on its website. In addition, the notifications sent to individual who's private information was breached will be clearer, more detailed, with specific recommendations for what to do no next, including who to call.

As for the larger issue of electronic health records, as these breaking news stories make clear, time is running out, because states across the country, including California, are working to implement such a system, with consumer privacy perhaps the paramount area of dispute.

We know such a system will save money and improve health care (though how significant these improvements and savings will be is still in question), but what remains contentious - and rightly so - is the intrinsic threat a massive electronic database containing our most personal medical records poses to individual privacy and security.

When it comes to the issue of e-health records certainly one question the consumers should ponder is "Where is my data and who has access to it and for what purposes?" Or perhaps even more importantly, "can my private data be traced back to me personally and sold to others?"

But as it stands today, there still aren't uniform standards for electronic medical records. Yes, there are some protections in the Health Insurance Portability and Accountability Act of 1996, as well as some in the stimulus bill. But key protections are still absent, and state laws often conflict with federal ones.

For instance, the federal law on the books only require that patients are notified when their information was disclosed in the course of treatment but not how it was used. As a result, the patient will not know which hospital personnel looked at the information or for what purpose.

Clearly, what is MORE than clear now is that we need MORE attention paid to privacy, not less...and that means taking a bit more time to get this new system up and running...and more care given to the rights of patients...not hospitals, not suppliers, not the government, and not any other interest looking to profit off this transition. We can have BOTH privacy and a more efficient medical records system...there's no need to sacrifice one for the other.

Federal Probe Of Carrier IQ Launched

2011-12-15T09:16:00.000-08:00

For all the background you could ever need on the Carrier IQ controversy check out my recent posts on the subject, starting from earliest to the latest, here, here, and here.

As we know, executives from Carrier IQ — the company whose spying software was secretly installed in as many as 150 million cellphones — went to Washington to answer questions posed by the Federal Trade Commission and the Federal Communications Commission.

As I have written too many times to count on this blog, a lot of this comes down to data ownership and control - as in its OUR data and it should be in OUR control. Clearly, in the case of Carrier IQ and increasing numbers of telecom companies, third party marketers, and many more, we are seeing the invasion of individual privacy on a mass scale, including locational tracking and web search monitoring.

Now to the latest news: The FTC and FCC are looking into this matter closely...but we need and deserve more than just a questioning of Carrier IQ, but an investigation into what companies like AT&T, Sprint and T-Mobile are doing with our data as well.

With that, let's get to the Washington Posts coverage of these new inquiries:

Federal investigators are probing allegations that Carrier IQ software found on about 150 million cellphones tracked user activity and sent the information to cellphone companies without informing consumers, according to government officials...The FTC inquiry was confirmed by officials who spoke on condition of anonymity because it is private. An FTC spokeswoman said she could not confirm or deny whether the agency was investigating Carrier IQ. But a spokesman for Carrier IQ said company executives were cooperating with federal agencies.
...

Carrier IQ has said that its software is not designed to capture keystrokes or the content of messages but that in some cases that might have happened by accident. The data are intended to help improve the user experience with smartphones, the company said.

Woods said Carrier IQ chief executive Larry Lenhart and Coward met with regulators at the FTC and the FCC. The Carrier IQ executives also met with the staffs of three senators — Richard Blumenthal (D-Conn.), Christopher A. Coons (D-Del.) and Al Franken (D-Minn.) — who each had written letters of concern to Lenhart.

Three of the four major cellular providers — AT&T, T-Mobile and Sprint — have said they use the company’s software in line with their own privacy policies. A Verizon spokesman said the program is not on any of the company’s mobile devices. Apple has said it would remove Carrier IQ from iPhones in a future software update.

Rep. Edward J. Markey (D-Mass.) asked the FTC on Dec. 2 to investigate the practices of Carrier IQ as possibly unfair or deceptive. “I have serious concerns about the Carrier IQ software and whether it is secretly collecting users’ personal information, such as the content of text messages,” said Markey, co-chairman of the Bi-Partisan Congressional Privacy Caucus. “Consumers and families need to understand who is siphoning off and storing their personal information every time they use their smartphone.”
...

While Carrier IQ executives were meeting with federal regulators, another controversy about the company erupted in the blogosphere. A response by the FBI to a reporter sparked rumors that the bureau was using the software for domestic surveillance.

The FBI denied a request for information regarding Carrier IQ filed by a reporter for MuckRock News under the Freedom of Information Act. The reporter had asked for “manuals, documents or other written guidance used to access or analyze data” gathered by any Carrier IQ program. In denying the request, the FBI said it had information but could not disclose it, because it was considered “law enforcement records.”

...

The backlash following Eckhart’s research has prompted several lawsuits against the company, mobile carriers and handset makers, including two class action lawsuits in Illinois. A class-action lawsuit has also been filed against AT&T, Sprint Nextel, Apple, T-Mobile USA, HTC, Samsung, Motorola and Carrier IQ by mobile phone customers in Delaware.

Click here to read more.

There are two particularly important developments here, one, that the FTC and FCC are looking into this controversy and two, the fact that the FBI and its potential use of this technology is being discussed and questioned. From the beginning, when I see the potential "uses" of this kind of tracking technology, in addition to the usual concerns, from stalkers to identity thieves to third party marketers, I worry about law enforcement access.

These concerns are especially resonant with me because two major battles over smart phone privacy are being fought in the courts and the California legislature as we speak: one being whether law enforcement can track individuals locations in real time without a warrant, and two, whether law enforcement can search someones smart phone, also without a warrant. Its not much of a leap to also suspect they'd want access to the treasure trove of information being collected by a technology like Carrier IQ.

As I detailed last post, there is debate now over whether Carrier IQ actually collects every keystroke, and therefore the contents of text messages and emails. However, The Electronic Frontier Foundation has just released a technical report on Carrier IQ that concluded that "keystrokes, text message content and other very sensitive information is in fact being transmitted from some phones on which Carrier IQ is installed to third parties."

As CNET reported, "This is most likely inadvertent and "happens when crash reporting tools collect copies of the system logs for debugging purposes," Peter Eckersley, technology projects director for the EFF, wrote in the report.

"Our software does not communicate with Android and does not transmit any files up to Google or anybody else," Coward said today. "Our implementation, the only thing we are sending out is metrics ... if other information is going out of the device to Google or anyone else it has nothing to do with Carrier IQ."

"There should not be personal information written into the Android log files. Applications can get ahold of them, on the one hand, which is not good," he continued. "We've implemented a new procedure as we qualify our software on devices (and) we check that...We saw the Android log file may be receiving messages from our software but ... also from other applications too. So it's a generic issue here with regard to Android log files that the industry needs to address and we point that out in the report."

Clearly there are a lot more questions in need of answers.

As the Free Press noted in a recent action alert, "Mobile phones are the new frontlines in the battle over our right to communicate." As for next steps, I'm also in agreement with Free Press in that its time Congress takes a closer look at the role of companies like AT&T, T-Mobile, and Sprint - particularly as it relates to what's being done with our data.

Does Carrier IQ Record Text Messages and Emails?

2011-12-12T15:58:00.000-08:00

There are now conflicting analyses regarding whether Carrier IQ's software (that was kept secret from consumers) goes as far, and captures as much, information as initially suspected. Now, this is NOT to say there aren't all kinds of questions that remain unanswered, nor is this to say that there still aren't deeply disturbing components to this story (See my past two posts for a complete detailing of this continually evolving story).

But, we now have heard from Carrier IQ's Vice President and a Linux kernel hacker who just completed his own analysis of the software, and they say its incapable of recording keystrokes or "perusing SMS messages and e-mail correspondence."

These assertions contradict the initial claims made by Android developer Trevor Eckhart (and demonstrated on video). Before I get to them, let's be clear on some of the real concerns and questions that remain, including: what the company does with all the data they've been collecting (even if they can't read emails and texts...they still know your searches, location, and app purchases...and more), what kinds of data it collects, why the software was buried so deep within the operating system and without consumer knowledge (or choice), what devices have this code installed, what carriers are aware of it (and what they might be doing with it, if anything), whether government/law enforcement has had any role in this process (including requests for access to data), and many more.

With that said, let's get to the latest analysis of this code from Cnet:

He found that contrary to what a slew of initial -- and erroneous -- reports claimed, the Carrier IQ software is not a keylogger and "cannot" be configured as one. "CarrierIQ cannot record SMS text bodies, web page contents, or email content even if carriers and handset manufacturers wished to abuse it to do so," Rosenberg concludes. "There is simply no metric that contains this
information."

...

Rosenberg determined that Carrier IQ can, as a YouTube video by Trevor Eckhart indicated, record what digits are pressed in the dialer application. But it "cannot record any other keystrokes besides those that occur using the dialer," wrote Rosenberg, who says he has no affiliation or relationship with Carrier IQ.

...

Rosenberg suggested that carriers need to let consumers "opt out of any sort of data collection," that there should be "more transparency on the part of carriers in terms of what data is being collected from users," and that there "needs to be third-party oversight on what data is collected to prevent abuse."

...

It's true that carriers already know what URLs you're visiting when you use their network--meaning that, in many cases, Carrier IQ can be configured to send them data they already have. Privacy concerns arise when a list of URLs is stored on the device and accessible to forensic analysis, when a list of URLs visited on a Wi-Fi network is transmitted, or when encrypted HTTPS URLs are leaked.

Sprint and AT&T, which have acknowledged they use Carrier IQ, have not elaborated on what options they have chosen to enable, except to indicate that the use is consistent with their privacy policies.

Click here to read more.

Network World has a lot more:

In his blogpost, a table lists the metric ID, the metric itself, the data sent, and the "situation" that triggers the metric:

* browser page render event

* location event, which can use GPS or other location data
* HTTP request sent, or response received (the URL, request type, content length, and so on but not page contents)

* network state changes, sending an "internal identifier"

* a range of telephony and radio events (such as a dropped call, service issues, and so on)

* hardware event, sending data such as voltage, temperature, battery level

* key presses, but only in the phone dialer application

* miscellaneous GUI state changes, such as battery state

* starting or receiving a call or a failed call, which sends CallerID, state, and phone number

* application events such as a stopped app, or a new app, sending the application name

* questionnaire event, used when Carrier IQ is configured to present the user with a service questionnaire

* SMS message received or sent, which includes message length, phone, number, status, but no text from the body of the message.

...

HTC's failure to disable the display of the debug statements constitutes a legitimate potential security threat to user information. These are a "risk to privacy," Rosenberg says, and HTC should mitigate that risk by disabling these debugging messages. But it's not a risk created by the CIQ software or the data it is able to collect.

In his blogpost, Rosenberg spells out what the deconstruction of the CIQ code reveals about how the application actually works, as revealed by the metrics enabled for his Samsung phone.

"Taking this information into account, all of the data that is potentially being collected supports Carrier IQ's claims that its data is used for diagnosing and fixing network, application, and hardware failures," Rosenberg concludes. "Every metric in the above table has potential benefits
for improving the user experience on a cell phone network. If carriers want to improve coverage, they need to know when and where calls are dropped. If handset manufacturers want to improve battery life on phones, knowledge of which applications consume the most battery life is essential."

...

Nonetheless, Rosenberg is critical of the way the Carrier IQ application has been implemented in the carrier-manufacturer relationship. End-users should be able to opt out of any sort of data collection; carriers should be clearer and plainer about what data is being collected from the phone, and why; and "there needs to be third-party oversight on what data is collected to prevent abuse."

Finally, he says, the "legality of gathering full URLs with query parameters and other data of this nature should be examined."

Click here to read more.

Due to time constraints, I'm going to have to discuss the interview with the VP of Carrier IQ in a future post, but you can check it out here...its very comprehensive. What I will include is the conclusion reached by reporter Sean Hollister after conducting the interview (who's been all over this story from the outset):

Carrier IQ claims that it is not the source of the insecure log files discovered on HTC devices. Other technical details — including how exactly Carrier IQ stores and transmits its data and how carriers utilize it — are both comforting and disquieting by turns. Although more secure and less nefarious than originally feared, there may still be ample opportunity for malware to access its data. At the very least, how Carrier IQ’s software is implemented on various devices needs wider scrutiny from both security experts and regulators.

...the biggest takeaways are that Carrier IQ and its client operators have logical reasons for taking most of the information they do — and mind you, many forms of personal data, like the contents of SMS and emails, aren’t being tracked at all, and no data is tracked in real time — but by the same token, it feels like there may be a lack of oversight when it comes to mobile privacy.

We are slowly beginning to see a clearer picture of what this all means and what the potential threats to privacy really are...at this point, I think its safe to say that the Carrier IQ software isn't as outwardly nefarious as initially suspected, and perhaps erroneously claimed by Mr. Eckhardt. On the other hand, this in no way should dissuade anyone from demanding more questions be answered - particularly how this code, with this kind of tracking capabilities, EVER could have been slipped into these products without the consumer's knowledge or ability to opt-out (let alone opt-in). This, in itself, is a dangerous precedent.

I think its also important to point out that even the VP of Carrier IQ and the Linux hacker were clear in their support for a consumers right to opt-in to such tracking, as well as their dismay they weren't even given this choice, and the code was kept secret.

Clearly, this entire episode, with its many questions still unanswered, points to the need for GREATER consumer control over data, which could be achieved, at least partially, through a Do Not Track mechanism. Another takeaway from this whole controversy is the need for improved transparency.

Jonathan Zittrain, Harvard Law School professor and cofounder of the Berkman Center for Internet and Society, has an idea for addressing this concern, stating, "It would be good to have some form of auditing function built into our devices. The auditing function can be implemented by Apple and by handset makers through Android. Make it part of the 'About' tab. And it would show with whom the phone has been communicating and the sorts of things it has been sending."

I will continue to follow this story here...

Latest Carrier IQ Revelations: Franken Steps Up, 141 Million "Products" Have Code

2011-12-05T13:57:00.001-08:00

This story is moving fast so I want to get you the latest news regarding the revelations that a secret code (Carrier IQ) was discovered that allowsyour smart phone (and who knows what else) to not only be tracked at all times,but in fact, every key stroke made is monitored and stored – including thecontent of text messages. And perhaps most incredible, the ability to opt-out,let alone opt-in, of this kind of “super surveillance” was not made available,as the fact that this code even existed, or was being utilized, wasn’t even sharedor made known to the consumer.

Now we discover that since the Carrier IQ story broke last week, we’ve learnedthat the company’s spying technology is present on 141 million phones,including Androids and iPhones and possibly models made byBlackBerry, Nokia and other manufacturers.

As I touched on last post, this data collected by Carrier IQ represents a virtual treasure trove of information for thoseseeking to access it, particularly advertisers and the government. And we knowhow willing the telecom industry was to give up such private information to thegovernment in the past, just as we know how the government used the PatriotAct, not to track and catch terrorists, but rather, to target peace protesters (think Occupy)and suspected drug users/dealers.

But government desire to access this data aside, what aboutthe likelihood that a corporate entity is tracking/recording EVERYTHING you do (i.e.where you shop, when you shop, while you shop, what you search for on theinternet, who you talk and text, and what you say and write), then turning thatinformation into a detailed digital profile (98% of Google's profits come from advertising) that they can thensell – for huge profits - to third party advertisers so they can market theirproducts to you more effectively???

Thankfully it didn’t take long for privacy stalwart, Senator AlFranken, to demandanswers, stating, “Consumers need to know that their safety and privacy arebeing protected by the companies they trust with their sensitive information.The revelation that the locations and other sensitive data of millions ofAmericans are being secretly recorded and possibly transmitted is deeplytroubling. This news underscores the need for Congress to act swiftly toprotect the location information and private, sensitive information of consumers.But right now, Carrier IQ has a lot of questions to answer.”

In his letterto Carrier IQ President and CEO Larry Lenhart, he writes, “I am very concernedby recent reports that your company’s software—pre-installed on smartphonesused by millions of Americans—is logging and may be transmittingextraordinarily sensitive information from consumers’ phones, including:

•           when they turntheir phones on;
•           when they turntheir phones off;
•           the phone numbersthey dial;
•           the contents oftext messages they receive;
•           the URLs of thewebsites they visit;
•           the contents oftheir online search queries—even when those searches are encrypted; and
•           the location ofthe customer using the smartphone—even when the customer has expressly deniedpermission for an app that is currently running to access his or her location.

It appears that this software runs automatically every time you turn your phoneon. It also appears that an average user would have no way to know thatthis software is running—and that when that user finds out, he or she will haveno reasonable means to remove or stop it.

He goes on to ask a series of pointed questions in which hedemands answers by December 14th, including (among many), “Is that datatransmitted to Carrier IQ? Is it transmitted to smartphone manufacturers,operating system providers, or carriers? Is it transmitted to any otherthird parties? If Carrier IQ receives this data, does it subsequentlyshare it with third parties? With whom does it share this data? What datais shared?”

Read the whole list of questions...impressive...disturbing. So let's all mark our calendars...as I'm eagerly awaiting answers to them.

As I also pointed out last post, these revelations reaffirm the need for an opt-in, Do-Not-Track mechanism available to all consumers, whetheronline or using something like a smart phone. I would also encourage readers to sign and send the Free Press's action alert: “Tell Congress and the Department of Justice: My mobile phone ismine, and I have the right to be free from being spied on. “

New Smart Phone Privacy Revelations Uncovered

2011-12-01T11:39:00.001-08:00

I wasn't planning on following up my last post entitled "Smart Phones and Privacy" with yet another post about the technology and some of its privacy implications. But, after reading this headline "Your Smartphone Is Spying on You"- on the front page of Yahoo no less - I feel I have little choice.

I'm not going to go over what I just did in my last post, but suffice it to say, I detailed a number of concerns with the technology, including government/law enforcement locational tracking without a warrant or even probable cause as well as law enforcement searching peoples smart phones (also without a warrant).

The context, particularly in light of growing Occupy protests, is important here. We should be wary of giving up more and more information - including location, text messages, and internet searches, to ANYONE, let alone when considering it could fall into the hands of forces that may be seeking to stifle dissent and intimidate (as well as break the law and violate the constitution).

But this article takes the cake!! I know this sounds incredibly Orwellian, but asecret code (Carrier IQ) has been discovered that allows your smart phone to not only trackyou, but take and keep every keystroke you make - even the content of yourtext messages. And perhaps most incredible, the consumer is not even given the ability to opt-out, let alone opt-in!). In fact, the consumer doesn't even know this code is in the phone.

Such information represents a treasure trove of information for all kinds of interests desiring access to it, particularly advertisers and the government. And of course, we know how willing and ready the telecom industry has been to do anything our government wants despite the rights and desires of their customers.

But government aside, what about the basic right to not have EVERYTHING you do recorded (i.e. where you shop, when you shop, while you shop, what you search for on the internet, who you talk and text, and what you say and write), and then have that information turned into a detailed digital profile of you (98% of Google's profits come from advertising), and then have that profile sold on the market for HUGE profits to advertisers so they can market their products to you more effectively??? Its more than our right to privacy that is being violated...its the very idea that we "own" our own private information...and that others can't take it and profit off it without our consent.

So there are two VERY disturbing aspects of this story, from the treasure trove of personal data it offers to a law enforcement, surveillance state apparatus that is becoming increasingly authoritarian, to the "commodity" we, and what we do, has become - but without our control or right to privacy.

If these revelations don't demand an opt-in, Do-Not-Track mechanism available to all consumers, whether online or using something like a smart phone I don't know what does. We should be looking for Congress, and state houses to take this issue up, and start MANDATING that such mechanisms are provided. Perhaps in that sense, this discovery will help this important cause, and legislation that will take it on.

So let's get straight to the article in the Atlantic Wire because I'm practically speechless. Adam Clark Estes reports:

The reason for this invasive Android app seems reasonable enough at face value. Even though it's on most Android, BlackBerry and Nokia devices, most users would never know that Carrier IQ is running in the background, and that's sort of the point. Described on the company's website as software to gain "unprecedented insight into their customers' mobile experience," Carrier IQ is ostensibly supposed to help mobile carriers and device manufacturers gather data in order to improve their products. Tons of applications do this, and you're probably used to those boxes that pop up on your screen and ask if you want to help the company by sending your data back to them. If you're concerned about your privacy, you just tap no and go about your merry computing way. As security-conscious Android developer Trevor Eckhart realized, however, Carrier IQ does not give you this option, and unless you were code-savvy and looking for it, you'd never know it was there. And based on how aggressive the company has been in trying to keep Eckhart quiet about his discovery, it seems like Carrier IQ doesn't want you to know it's there either.…

This week, Eckhart fired back with a 17-minute long video showing in painstaking detail how much data CarrierIQ collects, effectively undercutting the company's denial. It was even logging contents of text messages! Wired posted the video on Tuesday night and cemented CarrierIQ's status "as one of nine reasons to wear a tinfoil hat." The magazine explains how CarrierIQ even undercuts other companies' security measures...

…

Tracking is creepy. In an Orwellian kind of way, it makes people nervous -- especially Americans -- that the government or the corporations or the system is closing in on them and stealing their freedom. Of course, not everybody feels so strongly about privacy, but as long as you can opt out, it should be fine. This seems be where privacy agnostics as well as advocates both get concerned. Some people don't mind being tracked, but nobody wants to be tricked. Last week, Sen. Charles Schumer spoke out about a program at some malls in Virginia and Southern California that were anonymously tracking shoppers' movements by tracking their cell phone signals, and the only way to opt was by not going to the mall. Schumer did not approve. "Personal cell phones are just that -- personal," the New York senator said in a statement. "If retailers want to tap into your phone to see what your shopping patterns are, they can ask you for your permission to do so."The CarrierIQ software is not dissimilar to the shopper tracking program. In fact, it's arguably worse since it follows you everywhere. In the age of social media, everybody is becoming increasingly aware of and often angry about the amount of private data companies are scooping up with or without their consent.

This week, the Federal Trade Commission and Facebook came to an agreement that the social network must make all of their new programs opt-in so as not to break the law by violating users' privacy. Even Mark Zuckerberg admitted in a sincere-sounding blog post that his company had "made a bunch of mistakes" on the privacy front in the past. He went on to detail how "offering people control over the information they share online" was a top priority. This is Mark "Privacy Is Over" Zuckerberg we're talking about here. With Facebook reportedly building its own mobile phone platform, wouldn't it be super ironic if people started defecting from the Android army and switching to the Facebook phone in the name of privacy?

Your move, Google.

Here's the video:

So what to do? Thankfully, it didn'ttake long for the Free Press's"Save the Internet" campaign to jump on this today and provide uswith an opportunity to let Congress and the Justice Department know that we don't appreciate being spied on. Here's some of the language from the action alert (I'll skip the stuff that repeats what I've already included in today'spost), with the link to the action page...interestingly, their experts ALSO madethe connection I did this reeks of like "wiretapping".

Free Press: Tell Justice Department and Congress You Don't Want to Be Spied On!

Are you being watched? A researcher just discovered a hidden application thatrecords what millions of people write, view and search for on their mobilephones. It sends all of that data to a company no one’s ever heard of. And wehave no idea what that company is doing with our information.1

Sounds like 1984. But it’s happening in 2011. Earlier today, Sen. Al Franken demanded answers from thecompany, Carrier IQ, calling its technology "deeply troubling." Wenow need a full investigation.2

Tell Congress and the Department of Justice: My mobile phone ismine, and I have the right to be free from being spied on.

The fact that one company is secretly storing away the dataof millions of mobile phone users — without our knowledge, and with no way forus to opt out — is just incredible. You’d expect this sort of thing from theChinese government — not from a company operating in the present-day U.S.

Take action now to stand up for your mobile freedoms.

This is not only a privacy problem. It’s a democracyproblem. Mobile phones have become the ultimate democracy devices.Activists from Cairo to New York City to Los Angeleshave used their phones to broadcast images of pepper-spraying cops, handcuffedjournalists and squares full of protesters. We must ensure that the mostimportant movements of our time aren’t compromised by data spies with littleregard for our free speech or privacy.

Tell Congress and the Department of Justice: Protect mobilephone users from data spies. Investigate Carrier IQ.

Law professor and former Department of Justice attorney PaulOhm says that Carrier IQ’s snoopware “is very likely a federal wiretap,” whichmeans that the company could be prosecuted for breaking federal law.4 “Consumers need to know that their safety and privacy arebeing protected by the companies they trust with their sensitive information,”Sen. Franken said. “ … Carrier IQ has a lot of questions to answer.”

We agree. Let’s get some answers.

Smart Phones and Privacy

2011-11-28T14:57:00.001-08:00

I want to follow up yet again on my series of posts on the historiccase currently before the Supreme Court that could determine just how much privacy smart phone users can expect in the future. The case in question seeks to determine whether law enforcement should be required to attain a warrant BEFORE trackinga suspect (or alleged suspect) using GPS technology - which all smart phones happen to now have.

Before I get to the article delving into the smart phone aspect of this case, let me provide a brief summary of how we got here: The case in question involved police covertly tracking a suspected cocainedealer's car using a GPS device foran extended period of time without getting a warrant. Thanks to this tracking, thesuspect was initially convicted. But, a ruling by the D.C. Court (by JudgeGinsburg) of Appeals overturned that decision, arguing that the use of a secretGPS tracking device on the man’s vehicle for two months violated the FourthAmendment’s protection against unreasonable searches and seizures. The ideabeing, no one wants to feel as if a government agent is following you whereveryou go - be it a friend's house, aplace of worship, or a therapist'soffice - and certainly innocent Americans shouldn'thave to feel that way.

The problem was that two federal appellate courts had first upheld the use ofGPS devices without warrants on the grounds that we have no expectation ofprivacy when we are in public places and that tracking technology merely makespublic surveillance easier and more effective. Now this case is being heard by the Supreme Court.

Now, in some of my past posts I haven't focused on what this ruling could mean to ALL smart phone users, but instead, simply on the way the police tracked this particular suspect (see past posts for more detail). But let's be real, if law enforcement can argue, and win, the right to track someone's whereabouts without a warrant (or even probable cause) using a device implanted in the car, it goes to reason that this would be done in many cases through an individuals smart phone instead.

And of course, this isn't the only area in which privacy and smart phone technology are being debated. This year in California - to the dismay of civil liberties advocates - the Governor vetoed SB 914 (Leno). The legislation was a response to a recent CaliforniaSupreme Court decision (People v. Diaz) allowing police to rummage through allof the private information on a smart phone as part of an arrest, includingtext messages and e-mails.

SB 914 would have clarified that an arrestee’s smart phonecan only be accessed with a warrant, except in circumstances where there is animmediate threat to public safety or the arresting officer. The billacknowledged that accessing the detailed, private information contained on asmart phone is fundamentally different than searching an arrested person’swallet, cigarettes or pockets. Senator Mark Leno has announced he will bring thislegislation back next year.

Here's more from a BBC News report entitled "How much privacy can smart phone users expect?":

Millions of us happily invade our own privacy every day onTwitter and Facebook, sharing personal details with the world and broadcastingour location in a way previous generations would have found bizarre. Even those who shy away from social media and new technologyin general are not immune. The most basic mobile phones are in constant contactwith the nearest mast, sending information about the whereabouts of their usersto phone companies, who can later hand that data over to the police, ifrequested.

…

There are signs that governments and law enforcementagencies around the world are taking advantage of this increasingly relaxedattitude towards privacy to step up surveillance of citizens. The case currently before the Supreme Court, US vs Jones,hinges on whether police officers should be allowed to plant GPS trackingdevices on suspects' cars without awarrant…Lawyers for the Obama administration argued that Jones did not have a"legitimate expectation of privacy" - the standard legal test in the US for the past45 years - because his car was in a public place.

…

But law enforcement officers no longer have to physicallyplant a bug on a suspect's car orperson. In the US,they are increasingly using mobile phone tracking software.

"Police officers can sit in the comfort of their ownstations and use this technology to watch not just one person, but many people,over long periods of time," says Catherine Crump, an attorney for AmericanCivil Liberties Union. This is far more invasive than traditional surveillance,she argues. "GPS tracking can actually be quite revealing about whoa person is and what they value. It can show where a person goes to church,whether they are in therapy, whether they are an outpatient at a medicalclinic, whether they go to a gun range."

…

But the Londonforce is also reportedly using software that masquerades as a mobile phonenetwork, allowing it to intercept communications and gather data about users ina targeted area, such as a demonstration.

Most civil liberties campaigners do not want the policebanned from using new technology and accept that telecoms companies are"not the Gestapo", as Catherine Crump puts it. But, argues the ACLU lawyer: "People should not have tochoose between using new technology, which is becoming increasingly commonplaceand hard to live without, and giving up their privacy."

Some believe the moment when that choice has to be made hasarrived.

Click here to read more.

Again, my mind goes to social movements and protests and the government's insatiable desire to stifle dissent. These concerns are all the more disconcerting in light of the Occupy protests, and what we already know about how the Patriot Act was used to target peace/anti-war activists.

No doubt in my mind we are indeed reaching a watershed moment - as highlighted by the current case before the Supreme Court. As technology advances, and becomes a more and more integral part of our lives, so too is the opportunity for authorities, both corporate and governmental, to use it in ways that violate our civil liberties.

Smart phones (and the information we have/use on social media like Facebook and Twitter) represent a clear line in the sand that must be drawn...no government has the RIGHT to track our whereabouts OR access all the information now stored in this technology unless they have a warrant.

Surveillance State Ironies

2011-11-22T12:30:00.001-08:00

All the incredible video documenting grotesque police abuse of peaceful protesters across the country provides a bit of irony: Just as we citizens are being increasingly watched by both commercial and governmental interests, so too can we now watch them - and use it to our advantage.

I don't need to go into too much detail regarding our burgeoning surveillance state and our loss of privacy in just about all areas of life. But, consider the bigger picture...as I wrote on this blog in the past, whether its the knowledge that everything we do on the internet is followed and stored, that we can be wiretapped for no reason and without a warrant or probable cause, that smart grid systems monitor our daily in home habits and actions, that our emails can be intercepted, that our naked bodies must be viewed at airports and stored, that our book purchases can be accessed (particularly if Google gets its way and everything goes electronic), that street corner cameras are watching our every move, and that RFID tags and GPS technology allow for the tracking of clothes, cars, and phones (and the list goes on)...what is certain is privacy itself is on life support in this country...and without privacy there is no freedom. I also fear how such a surveillance society stifles dissent and discourages grassroots political/social activism that challenges government and corporate power...something that we desperately need more of in this country, not less.

With that overview, I think its particularly fascinating, and ironic, that "we the people" are so effectively documenting, through smart phones and video cameras, the kinds of law enforcement abuses that we otherwise would not have been able to in the past - and thus would have remained unknown and unpunished.

With this in mind, I found an article by one of my favorite writers - Will Pitt of Truthout - that describes how this "Peoples Surveillance State" is being used, particularly in the documenting of the pepper spray incident at UC Davis. Pitt writes:

In the aftermath of September 11, there was a big push tocreate a national surveillance system in the name of nationalsecurity. Cameras were installed at traffic lights, ostensibly to catch peoplerunning red lights and stop signs, but those cameras came with a nifty sidebenefit: they recorded everyone within reach of the lens in their comings andgoings. Cameras were installed at street corners, ostensibly to providesecurity against crime, but again, you were recorded wherever you went. Bankmachines all come with security cameras, and those added to the ever-broadeningweb of national surveillance. Finally, almost every cell phone now comes withsoftware that, so long as the thing is turned on, can track your every step bytriangulating your position via GPS and the cell towers your phone signalbounces off of.

Those with a fealty to the quaint ideals of American civilliberties had, to no great surprise, a big problem with putting this system inplace. Combine the concern over having millions of innocent people on camerawith the fact that the Bush administration decided to spy on pretty mucheveryone by way of the NSA because no one had the guts to stop them, and whatyou had - and have to this day - is a pretty damned paranoid situation whereeveryone is being watched by The Man. Today, it is almost impossible to beanywhere in Americawithout something tracking you. After this technology had been in place for afew years, it even became fodder for cop shows; half the episodes of "Law& Order: SVU" after 2008 involve catching criminals using this web ofeyes and ears. As you can imagine, the bad guys almost never got away.

The basic idea behind setting up this incredibly invasivesystem, if you listen to its advocates, is that security is paramount in theaftermath of 9/11. There were plenty of people, after the Towers came down, whowere very happy to surrender their liberties in the name of security, despiteBenjamin Franklin's warning aboutdeserving neither and losing both. Nowadays, the existence of such a system isestablished fact, leading to yet another bout of cognitive dissonance: those infavor of such a system a few years ago, because it meant the state was lookingout for their safety, are now in all likelihood the same people railing againstthe state with guns on their hips at Tea Party rallies...but that's a brain cramp to be dealt with another day.

The advent of the Occupy movement, the length of time thatmovement has been able to hang fire, and the vast number of cities in which itis taking place, has led to an astonishingly violent reaction from the verystate we are supposedly trusting to watch over our every move. There have beena dozen incidents of gruesome official violence against peaceful, non-violentprotesters, including the near-murder of an Iraq war veteran by police inOakland...violence the likes of which has not been seen in America since thedogs and firehoses days of Birmingham, Alabama.

Last Friday, students at UC Davis in California were subjected to an attack bypolice that beggars likeness. Here'sthe thing, though: this time, it's all onfilm.

If you haven'tseen it yet, what you're looking atis a dozen or so protesters seated with their heads down, arms linked, inpeaceful non-violent resistance. An armored UC Davis police officer calmlypulls out a can of pepper spray the size of a fire extinguisher, shakes it up,and hoses these seated students down from one side to the other and then backagain. Several of the students subjected to this attack required hospitalization,and there is an unconfirmed report that one of the protesters had a UC Daviscop shove the nozzle of his pepper spray canister into her mouth and thenpulled the trigger.

As Pitt also mentions, the result of this video has been millions of hits, calls for the firing of the Chancellor and cops responsible, an investigation of the incident, and even greater resolve in students across the state and country to continue to speak out against ever increasing tuition costs and fee increases (among MANY legitimate complaints). Granted, we will see if justice is served, and we all know that video alone isn't enough to convict even the most glaringly abusive and illegal tactics. Nor does video guarantee real, systemic reforms to what is clearly an increasingly authoritarian, and militarized police force.

But certainly, it VASTLY improves the potential that justice will be realized - and reforms will be instituted. More than anything though, what this kind of peoples surveillance offers is the ability to educate the larger public about what is really going on in this country - particularly when you have the temerity to speak out against "the elites". This education opportunity, and how it might serve to motivate and inspire more people to get involved with their democracy and demand change (as well as make cops think twice about their actions) shouldn't be discounted.

If you want to see what I mean, check out Joshua Holland's Caught on "Camera: Ten Shockingly Violent Police Assault on Occupy Protesters"and consider whether it impacts your opinion on these matters.

The Need for Internet Privacy

2011-11-16T11:07:00.001-08:00

I want to alert everyone to a fantastic op-ed in the San Diego Union Tribune by one of my most relied upon privacy experts - Beth Givens of the Privacy Rights Clearinghouse. But, before I share some choice clips, let me provide some backdrop (taken from what I've written on the blog in the past...as there's no reason to reinvent the wheel) on why this has become such an important privacy debate. The fact is, there's been a virtual explosion in data collection, data analysis and use ofbehavioral marketing on the internet without the requisite privacy protectionsto go along with it. Billions of dollars at stake, and yourprivate information is the currency.

We know for instance, and they have been sued forit, companies like Google, Yahoo, Microsoft and other Internet companies trackand profile users and then auction off ads targeted at individual consumers inthe fractions of a second before a Web page loads.

That in itself, may not be all that threatening to most. But it raises someinteresting questions: What kind of control should we have over our own data?And, what kind of tools should be available for us to protect it? What aboutownership of our data? Should we be compensated for the billions of dollarsbeing made by corporations from their tracking of us? And of course, what ofthe government's access to this newworld of data storage?

The argument from privacy advocates has largely been that this massive andstealth data collection apparatus threatens user privacy and regulators shouldcompel (not hope that) companies to obtain express consent from consumersbefore serving up "behavioral" ads based on their online history.

Moregenerally, particularly on the issue of privacy on the Internet, the fact thatwe have next to no privacy standards as related to these technologicalinnovations and trends is disturbing, and more than enough of a reason forlegislation like California's SB 761 (Do Not Track).

The Do Not Trackflag is a rather simple concept that'salready been built into Firefox and IE9. If users choose to turn on the option,every time they visit a web page the browser will send a message to the site,saying “do not track.”

SB 761 (Lowenthal) would offer consumers such a mechanism, something the bill'ssponsor describe as "one of the most powerful tools available to protectconsumers' privacy." Themechanism will allow anyone online to send Websites the message that they donot want their online activity monitored.

Certainly one strong point of the legislation is that it is in line with publicopinion, as detailed by a poll by Consumer Watchdog last summer that found 80% of Americanssupport a Do Not Track option. In addition, a recent USA Today/Gallup pollfound that most Americans are worried about their privacy and security whenthey use Facebook and Google.

The fact is, there's no longer anyanonymity on the Web. The most personal information about people's online habits is collected and eventually boughtand sold, often instantaneously and invisibly. Data collection practices havebecome a business in themselves, driven by profits at consumers' expense. The Wall Street Journal recentlyhighlighted these practices—which included targeting children—in itsgroundbreaking series "What They Know."

Now let's get to Beth's thoughts on this subject:

Individuals are increasingly using the Internet as theirprimary information source, often seeking information on sensitive matters suchas finances, health, personal relationships, divorce, sexuality, workplacedifficulties and legal conflicts. But few individuals realize the extent to which they arebeing tracked by companies that create rich profiles of their web-browsingactivities. The 2010 Wall Street Journal series, “What They Know,” reportedthat the nation’s top 50 websites installed an average of 64 pieces of trackingtechnology onto each visitor’s computer. Tracking tools go beyond the cookiesmany of us routinely delete. Some companies deploy “Flash cookies” or other“supercookies” that are not only extremely difficult to delete but can also be usedto reinstall cookies that a user has removed.

Such data-gathering and profiling activities are largelyinvisible, except that they can result in the real-time display of behaviorallytargeted ads. You might ask, “What’s the harm in receiving ads based on myweb-surfing history?” In a legislative primer presented to members of Congressby 10 organizations, including ours, several potentially harmful effects ofbehavioral tracking and targeting were identified: (1) targeting economicallydistressed individuals with payday loans and subprime mortgages; (2) sendingads for bogus cures to individuals with serious medical conditions; (3)engaging in discriminatory pricing in which some people are offered products orservices at higher prices than others; and (4) targeting children who lack thejudgment capacity of adults. Further, profiles compiled originally for the adindustry may be sold to non-advertising third parties such as insurance companies.

Harms aside, let’s not forget, simply, the right to privacy.The definition of privacy that guides my organization’s work is the ability ofindividuals to control the use of their personal information. Everyone has adifferent comfort level regarding the collection and use of their personalinformation. We believe individuals’ choices must be respected, no questions asked.

...

However, studies show that robust profiles generated fromanonymous data can be matched with other data sources, offline and online, to determineindividuals’ identities. These days, the anonymity argument is largely a myth. Another myth is that young people are not concerned aboutprivacy. These “digital natives” have not known a world without the Internet,so the argument goes, and they are not worried about their personal informationbeing revealed online. However, a 2009 academic survey found there are nosignificant differences between young adults and older individuals regardingonline privacy concerns. While some believe that in a generation or two,concerns about online privacy will vanish, we at the Privacy RightsClearinghouse are not so quick to accept that argument.

In closing, effective online privacy protection requires amultipronged approach involving policymakers, industry, nonprofits andconsumers. It must not be lost to bogus arguments and unfounded myths.

You can read the rest here.

As I have also written before, its not by accident that weare told by the same interests that profit off our information that privacy isdead, and people don't care about itanymore, or that it will "kill business". Well, that's easy to say when you are the ones developing thecomplicated and difficult to find privacy settings consumers have to deal with- and profiting off our personal information without our consent.

More to the point is the simple, unavoidable fact thatconsumers should have MORE control, not less, over what information of ours isused, shared, and profited off. This basic principle is at the heart of the ACLU's DotRights campaign.

There remains an interesting dichotomy in all this: While people seem to "care" about privacy on onelevel, they tend to do very little to actually protect it. Which in my mind, makeseasy to use, clear options to protect privacy so paramount. Oncepeople are given such a choice, not only will more people choose to "notbe tracked", I think more people will become more AWARE of just how allpervasive such monitoring of nearly everything we do has become."

Cell Phone Providers Urged to Stop Collecting Data on Customer Movements

2011-11-10T10:57:00.001-08:00

In light of the current Supreme Court case regarding the GPS tracking of a suspect by law enforcement, I thought the ACLU's letter to the CEO's of the nation's biggest cell phone providers asking that they "stop routinely collecting and storing data on their customers’ daily movements" was worth delving into today too.

The essential argument by privacy advocates, be it thetracking of a cell phone user, or tracking a suspect's vehicle, is that in either case youshould not be more susceptible to government surveillance. The idea being, noone wants to feel as if a government agent is following you wherever you go -be it a friend's house, a place ofworship, or a therapist's office -and certainly innocent Americans shouldn'thave to feel that way. The other major distinction between such constant, all pervasive surveillance, from say, simply following a person or suspect, is just that: its constant, over time, and all pervasive...unlike a simple "tailing" of a person by authorities.

Before I share some of the ACLU letter, I want to go a little into the back story regarding why cell phone tracking should be a concern for all of us. Consider:

In just a 13-month period, Sprint received over 8 milliondemands for location information;
Michiganpolice sought information about every mobile phone near the site of a plannedlabor protest;
Last spring, researchers revealed that iPhones werecollecting and storing location information;
A few months ago the general counsel of the NationalSecurity Agency suggested to members of Congress that the NSA might have theauthority to collect the location information of American citizens inside the U.S.
The FBI has used 'dragnet'-style warrantless cell phone tracking.

And then there's the Patriot Act. The fact remains that we still don’t know how thegovernment might be using the Act, highlighted by recent statements made by USSenators regarding what they termed “secret Patriot Act provisions”. SenatorRon Wyden (D-OR), an outspoken critic of the recent reauthorization, stated,"When the American people find out how their government has secretlyinterpreted the Patriot Act they will be stunned and they will be angry."As a member of the Senate Intelligence Committee Wyden is in a position toknow, as he receives classified briefings from the executive branch.

In recent years, three other current and former members ofthe US Senate - Mark Udall (D-CO), Dick Durbin (D-IL), and Russ Feingold (D-WI)- have provided similar warnings. We can'tbe sure what thesesenators are referring to, but the evidence suggests, and some assert, that the current administration is usingSection 215 of the Patriot Act - a provision that gives the government accessto "business records" - as the legal basis for the large-scalecollection of cell phone location records.

With that, let's get to what the ACLU urged these CEO's to do (or NOT do):

The fact is our cell phone companies know more about wherewe are throughout the day than our closest friends. One of the byproducts ofthe way cell phones work – staying in constant touch with the nearest celltower – is that our carriers can tell roughly where we are. And over time, thatdata is getting increasingly accurate.

But the major carriers – AT&T, Verizon, T-Mobile and Sprint –don’t just know where we are from moment to moment. They also retain detaileddata about our location for extended periods of time, as we learned recentlywhen we receivedthisdocument in response to our nationalpublic records request on how the authorities are using location data.The carriers also readily share the information they gather with governmentagencies and law enforcement…We pay them money, they provide us with phone anddata services. Being tracked everywhere we go was never part of the bargain…

We don’t know exactly how precise the data the carriersretain is, or how they are using it. Often these days there is often anautomatic, reflexive impulse to retain data – any and all. But it also seemsthat the companies are looking at how to monetize this information as they dowith other information they gather.Verizon,for example, recently announced that it was sellinglocation information about its customers. Although it is doing so onlyon an aggregate basis, that still represents a step closer to sharing our ownindividual movements, which the carriers are surely tempted to do.

Either way, if we roll over and accept this practice, thenwe’ll be accepting a world that totalitarian dictators can only dream of: anentire population carrying location tracking beacons that precisely record theirevery movement. This is not something we should be just taking in stride. It’snot something that we have to accept.

The best protection for privacy is for the carriers to notrecord our locations, even though the phone reveals them, unless we decide togive permission (and not through the fine print in some boilerplateclick-through agreement). We should demand nothing less

You can readthe ACLU’s letter here and you canjoin them in making this demand to your carrier too.

Update on GPS Tracking Case Being Debated by Supreme Court

2011-11-09T11:47:00.000-08:00

I want to follow up on my last post regarding the historic case before the Supreme Court - for which hearings began yesterday - as to whether law enforcement should be required to attain a warrant BEFORE tracking a suspect (or alleged suspect) using GPS technology.

I've written on this case, and issue, extensively on this blog, so I'm not going to rehash all that now (see last post for a decent summary). Suffice it to say, there is a WHOLE lot riding on this case.

For today's purposes, I'm just going to share some excerpts from a variety of news media that covered yesterday's hearings.

As NPR reported:

George Orwell's 1984 was very much on the minds of the Supreme Court on Tuesday, as the justices grappled with a question that pits the use of modern technology in law enforcement against individual privacy interests. At issue is a case testing whether police must obtain a warrant before putting a GPS tracking device on a car to monitor a suspect's movements.

...

Dreeben, in his argument, urged the court to stick to the line it has drawn in the past — no warrant is needed for surveillance of activities conducted on public roads. Chief Justice John Roberts, however, seemed skeptical about applying that rationale to new technologies, asking if the government could "put a GPS device on our cars and monitor us?" Dreeben responded that under the government's theory and the court's precedents, "the justices of this court, when driving on the streets, have no greater expectation of privacy" against a GPS device attached to the car "than they would if the FBI followed them around the clock."

Justice Stephen Breyer struck a more ominous tone, asserting that "if you win this case, then there is nothing to prevent the police or the government from monitoring 24 hours a day the public movements of every citizen in the United States," a scenario that "sounds like 1984." Discussion of Orwell's dystopic novel arose five times during the argument.

Justice Sonia Sotomayor asked Dreeban to explain the difference between the warrantless use of GPS devices and the general search authority that outraged the Founding Fathers and inspired the Fourth Amendment ban on searches without court authorization. Dreeben maintained, however, that putting a GPS device on a car is not a search. And he seemed to suggest that people have different expectations of privacy in an era of technological advances.

That is "too much for me," interjected Justice Elena Kagan, suggesting that people would think their privacy interests are violated by having a robotic device monitoring their movements 24 hours a day.

Read more here.

And this from the New York Times:

On Tuesday, Chief Justice John G. Roberts Jr. said there might be a constitutional difference between discrete pieces of data and the collection of vast amounts of information. “You’re talking about the difference between seeing the little tile and seeing a mosaic,” he said.

But Michael R. Dreeben, a deputy United States solicitor general, said there were no constitutional limits to the government’s ability to track people’s movements in public. He said a device surreptitiously attached to clothing would be permissible so long as it did not convey information from inside a home. He added that the police could track the movements of the justices’ cars without a warrant.

On hearing those statements, Justice Ruth Bader Ginsburg said the “endpoint” of the government’s argument was that “an electronic device, as long as it’s not used inside the house, is O.K.” Mr. Dreeben said that was correct regarding people’s movements in public. Other forms of monitoring — of conversations inside cars, say — were subject to different rules, he said.

That means, Justice Stephen G. Breyer told Mr. Dreeben, that “if you win this case, then there is nothing to prevent the police or the government from monitoring 24 hours a day the public movement of every citizen of the United States.” And that, Justice Breyer said, “sounds like ‘1984.’ ”
...

Mr. Dreeben said, “The court should address the so-called ‘1984’ scenarios if they come to pass, rather than using this case as a vehicle for doing so.” But Justice Sonia Sotomayor indicated that the scenario might have already arrived. “It wouldn’t take that much of a budget, local budget, to place a GPS on every car in the nation,” she said.

...

Justices Samuel A. Alito Jr. and Antonin Scalia said such arbitrary limits should be imposed by legislatures rather than a court.

Read more here.

And finally, the Washington Post also chimed in:

It is allowed under the court’s own precedents, replied Deputy Solicitor General Michael R. Dreeben, and is no different than if the FBI “put its team of surveillance agents around the clock on any individual and follow that individual’s movements as they went around on the public streets.”

But to many of the justices, something did seem different. In an intense hour-long exchange in which the Big Brother of George Orwell’s novel “1984” was referenced six times, the justices wondered how the dizzying pace of technology has changed a person’s reasonable expectation of privacy.

The justices pondered a world in which satellites can zero in on an individual’s house, cameras record the faces at a crowded intersection and individuals instantly announce their every movement to the world on Facebook. They wondered about the government placing tracking devices in overcoats or on license plates.

...

The court is trying to apply the Constitution’s centuries-old protection against unreasonable searches and seizures at a time when devices such as a GPS can essentially do police officers’ work for them.But the justices also appeared conflicted about where to draw a constitutional line.

Stephen C. Leckar, representing Jones, said police should be required to persuade a judge to issue a warrant for each use of a GPS device. But the justices wondered how that squared with their previous rulings that no warrant is needed when the person being targeted was being monitored in public places.

“If there is no invasion of privacy for one day, there is no invasion of privacy for 100 days,” Justice Antonin Scalia said.

Alito said Leckar had not shown that using a GPS device was any different from traditional police surveillance.

Read more here.

Obviously there's no way I can get a real "feel" for which way the court may rule. I'm ALWAYS deeply skeptical that the 4 extremists, and the one conservative, will ever rule in favor of the public interest when either corporate interests, or civil liberties, are concerned. Nonetheless, some of the questions posed by Roberts and Alito are at least modestly hopeful. Of course, the real wildcard, Justice Anthony Kennedy, was not quoted in any of the articles I've seen...and he remains the judge I'll be keeping my eye on.

I think today's editorial in the USA Today hit the nail on the head, "The government's argument is that police don't need a warrant when they track people on public roads where they can be watched by cameras and other drivers — and where police could physically tail them without a warrant.

But of course, the technology changes everything. Even with speed cameras, red-light cameras and a squadron of pursuers, authorities would have a very hard time amassing a record of every place someone travels for 28 days.

The idea is, indeed, Orwellian, not to mention downright "creepy and un-American," to use the words of the chief justice of the 9th Circuit Court of Appeals. At a minimum, police should first have to convince a judge that there's probable cause to issue a search warrant — and use it properly.

The Founding Fathers, brilliant though they were, could not possibly have envisioned GPS technology. But they certainly understood the principles of personal freedom, and two centuries later those haven't changed a bit.

First and foremost, the Constitution they wrote guarantees individual rights against unnecessary government intrusion. Let's hope that when the Supreme Court rules in this case, it does the same.

With that, stay tuned.

Supreme Court to Hear GPS Tracking Case on Tuesday

2011-11-02T14:45:00.000-07:00

I've been covering this case here for a long time now....and its finally about to reach its conclusion. Before I get to the USA Today article detailing the case and its Tuesday Supreme Court hearing, let me summarize some of what I've written on it in the past.

Thecase in question involved police covertly tracking a suspected cocaine dealer's car using a GPS devicefor an extended period of time without getting a warrant. Thanks to this tracking, the suspect was initially convicted. But, a ruling by the D.C. Court (by Judge Ginsburg) of Appeals overturned that decision, arguing that the use of a secretGPS tracking device on the man’s vehicle for two months violated the FourthAmendment’s protection against unreasonable searches and seizures. The ideabeing, no one wants to feel as if a government agent is following you whereveryou go - be it a friend's house, aplace of worship, or a therapist'soffice - and certainly innocent Americans shouldn'thave to feel that way.

The problem was that two federal appellate courts had first upheld the use ofGPS devices without warrants on the grounds that we have no expectation ofprivacy when we are in public places and that tracking technology merely makespublic surveillance easier and more effective. Now this case is scheduled to be heard by the Supreme Court.

Jeffrey Rosen, a law professor at George Washington University, made some important points on this case a few months back I think are worth repeating. He noted, "Judge Ginsburg realized that ubiquitous surveillance for a month is impossible,in practice, without technological enhancements like a GPS device, and that itis therefore qualitatively different than the more limited technologicallyenhanced public surveillance that the Supreme Court has upheld in the past(like using a beeper to help the police follow a car for a 100-mile trip)...If the courtrejects his logic and sides with those who maintain that we have no expectationof privacy in our public movements, surveillance is likely to expand, radicallytransforming our experience of both public and virtual spaces.

For what’s at stake in the Supreme Court case is more than just the future ofGPS tracking: there’s also online surveillance. Facebook, for example,announced in June that it was implementing face-recognition technology thatscans all the photos in its database and automatically suggests identifyingtags that match images of a user’s friends with their names. (After a publicoutcry, Facebook said that users could opt out of the tagging system.) With thehelp of this kind of photo tagging, law enforcement officials could post onFacebook a photo of, say, an anonymous antiwar protester and identify him.

…

To preserve our right to some degree of anonymity in public, we can’t rely onthe courts alone. Fortunately, 15 states have enacted laws imposing criminaland civil penalties for the use of electronic tracking devices in various formsand restricting their use without a warrant. And in June, Senator Ron Wyden,Democrat of Oregon, and Representative Jason Chaffetz, Republican of Utah,introduced the GeolocationPrivacy and Surveillance Act, which would provide federal protectionagainst public surveillance.

Their act would require the government to get a warrant before acquiring thegeolocational information of an American citizen or legal alien; createcriminal penalties for secretly using an electronic device to track someone’smovements; and prohibit commercial service providers from sharing customers’geolocational information without their consent — a necessary restriction at atime of increasing cellphone tracking by private companies.

Clickhere to read more

Aspreviously laid out in the article in Wired Magazine, "Repeatedvisits to a church, a gym, a bar, or a bookie tell a story not told by anysingle visit, as does one’s not visiting any of these places over the course ofa month. The sequence of a person’s movements can reveal still more; a singletrip to a gynecologist’s office tells little about a woman, but that tripfollowed a few weeks later by a visit to a baby supply store tells a differentstory."

So with that backdrop, here's the latest on the case and the upcoming hearing:

In a potentially groundbreaking case on high-tech trackingby police, the Supreme Court will decide whether constant surveillance is suchan intrusion on people's lives thatpolice need a warrant before attaching a GPS device to a person's car.

The case, to be heard Tuesday, tests law enforcement's use of the latest technology to fight crime as itraises the specter of a "Big Brother" government knowing one's every move. GPS tracking lets police engage inround-the-clock surveillance — without a person'sknowledge — over a prolonged period that could seldom be matched by cops on abeat or other traditional observation.

Global PositioningSystem receivers, originally developed for military use, rely on aconstellation of satellites in fixed orbits. Receivers on the ground usesatellite transmissions to calculate the latitude and longitude of a location.Data can be transmitted remotely to police computers and stored.

…

Solicitor General Verrilli is urging the high court to relyon its 1983 ruling in United States v. Knotts, which said the use of abeeper to track a suspect driving to a drug lab was not a search under theFourth Amendment. Verrilli says the lower court hearing Jones' appeal wrongly abandoned a longstanding linebetween private information and information that is "exposed to thepublic," for example, on roadways.

The lower court said, however, that a month of detailedtracking could not be considered "public" in the usual sense becauseit was unlikely anyone would actually have observed all of Jones' travels. Verrilli counters that information doesnot become "less public" simply because it is collected with in amore sophisticated technology.

The high court will also be looking at whether just theinstallation of the device violated Jones'rights. Justice Department lawyers say installing the GPS device was permittedbecause it didn't interfere withJones' driving or take up any spaceinside the vehicle.

Stephen Leckar, representing Jones, tells the justices inhis brief that unrestrained GPS monitoring has become "a grave threat toexpressive and political association, as well as to the personal privacy andsecurity of every individual in the country."

Its important to consider this case in the larger context of an increasingly unjust economic system (AND Judicial system) that's leading people, literally, to the streets in protest. We must, at all costs, now more than ever, stand firm against the ever encroaching and watchful eye of both government and corporate interests.

But don't just take my word for it, check out a recent post I did on the fact that $150 million of taxpayer money has gone to funding a governmentfacility in lower Manhattanwhere Wall Street firm representatives have joined the New York PoliceDepartment to spy on law-abiding citizens simply taking advantage oftheir First Amendment rights.

As Pam Martens wrote, "According to newly unearthed documents, the planning for this high techfacility on lower Broadway dates back six years. In correspondence from 2005that rests quietly in the Securities and Exchange Commission’s archives, NYPDCommissioner Raymond Kelly promised Edward Forst, a Goldman Sachs’ ExecutiveVice President at the time, that the NYPD “is committed to the development andimplementation of a comprehensive security plan for Lower Manhattan . . . Onecomponent of the plan will be a centralized coordination center that willprovide space for full-time, on site representation from Goldman Sachs andother stakeholders.”

And then there's Naomi Wolfe, who was recently arrested for peacefully protesting herself, making another critical point, writing, "America is waking up to what was built while it slept:Private companies have hired away its police (JPMorgan Chase gave $4.6m to theNew York City Police Foundation); the federal Department of Homeland Securityhas given small municipal police forces military-grade weapons systems;citizens' rights to freedom ofspeech and assembly have been stealthily undermined by opaque permitrequirements."

Clearly, this dispute, particularly because it deals with technology that is becoming increasingly ubiquitous (i.e. smartphones, vehicles), will have an enormous impact on future fights over police tactics and our 4th Amendment rights.

Perhaps most persuasive was Judge Ginsburg herself in her decision to overrule the appellate court decision, stating, "Asingle trip to a gynecologist'soffice tells little about a woman, but that trip followed a few weeks later bya visit to a baby supply store tells a different story...A person who knows allof another's travels can deducewhether he is a weekly churchgoer, a heavy drinker, a regular at the gym, anunfaithful husband, an outpatient receiving medical treatment, an associate ofparticular individuals or political groups -- and not just one such fact abouta person, but all such facts."

Let's also remember, back in 2009 welearned that Sprint received 8 million law enforcement requests for GPSlocation data in just one year. While that issue is slightly different than theone headed to the Supreme Court (it was based on putting a GPS tracking devicein the suspects car, rather than tracking the cell phone), the general concernsare applicable: Tracking citizens without a warrant (or even probably cause!).We know these GPS chips can locate a person to within about 30 feet. They're also able to gather less exact location data bytracing mobile phone signals as they ping off cell towers.

The ACLU’s Catherine Crump recently provided one more argument for why the government should not win this case, stating, "What’s atstake in the case is not whether it’s OK for the government to track thelocations of cell phones; we agree that cell-phone tracking is lawful andappropriate in certain situations. The question is whether the governmentshould first have to show that it has good reason to think such tracking willturn up evidence of a crime. We believe it should. This case is not aboutprotecting criminals. It’s about protecting innocent people from unjustifiedviolations of their privacy."

And now we await the decision from a Supreme Court that consistently rules in favor of corporations and a more powerful national security state...and nearly always against the interests of the public good. As usual, all eyes will be on Anthony Kennedy.

Government Demand for Google User Data Spikes...But How and Why Still Unclear

2011-10-26T14:40:00.000-07:00

This story caught my eye, particularly in light of my focus on government surveillance and data privacy on this blog. At first glance, the fact that Google is publicly detailing the the US government's increasing requests for access to its users data is a victory for transparency.

As for the motive, Google is a member of the Due Process Coalition, which supports the reform of a 25-year-old government privacy law that lets law enforcementget access to users’ online communications without having to get a judge’sapproval. This of course, seems like a righteous effort. And to Google's credit, the coalitions other members - which include Amazon, AOL, AT&T,Dropbox, Facebook and Microsoft - provide no such data regarding how often thegovernment requests data or how often they comply.

Of course, there's a whole lot more to this story. First, let's be clear about Google's long, sordid history when it comes to privacy protection. And, let's remember that Google has made a fortune from spying onwhat consumers do online, including what web sites they visit; creates dossierson users’ online behavior without their prior permission; then harvests thisprivate information to sell hundreds of millions of dollars in advertising.

Consider Google's history on this issue, from Google Books tothe loss of "Locational Privacy" to the company's lobbying efforts in Congress, to its cloudcomputing, to its increasingusage and expansion of behavioral marketing techniques, to Google StreetView carsgathering private information from unaware local residents, to the company teaming with the National Security Agency (the agency responsible for such privacy violationgreatest hits as warrantless wiretapping) "for technical assistance" to the infamous Google Buzz.

In other words, I view ANYTHING Google says or apparently does when it comes to privacy with a huge grain of salt. Still, in this case, I want to know what the government is up to, particularly in light of these new figures, and how the Patriot Act fits in. As I said at the beginning of the post, there's more to this story, and these new figures, than meets the eye.

But first, to the figures. AS reported by Wired Magazine:

The number of U.S. government requests for dataon Google users for use in criminal investigations rose 29 percent in the lastsix months, according to data released by the search giant Monday. U.S.government agencies sent Google 5,950 criminal investigation requests for data onGoogle users and services from Jan. 1 to June 30, 2011, an average of 31 a day.That’s compared to 4,601 requests from July 1 to Dec. 31, 2010, the companyreported Tuesday in an updateto its unique transparency tool. Google says it complied in whole or part with 93% of suchrequests, which can include court orders, grand jury subpoenas and other legalinstruments.

It's not what these numbers say that's the problem, its what they don't. Here's the REAL story:

According to Google, the numbers do not include NationalSecurity Letters, a sort-of self-issued subpoena used by the FBI in drug andterrorism cases. At their post–Patriot Act peak, the FBI issued more than50,000 such letters a year, nearly all with gag orders attached to them. Theuse of such letters dipped for a time after the Justice Department’s internalwatchdog unveiled widespread abuses and sloppy procedures, but are on the riseagain. Also not included are national security wiretap and datarequests, known as FISA warrants, that are approved by a secret court in D.C.to combat spies and threats to national security.

These are HUGE hole's in this whole "transparency" facade! Remember, National Security Letters (NSLs) – which allow the FBI, without a courtorder, to obtain telecommunication, financial and credit records deemed“relevant” to a government investigation - were PROVEN to have been flagrantly abused by the FBI perhaps tens of thousands of times.

As Adam Sewer of the American Prospect noted: “It's no secret that the FBI'suse of NSLs - a surveillance tool that allows the FBI to gather reams ofinformation on Americans from third-party entities (like your bank) without awarrant or without suspecting you of a crime - have resulted in widespreadabuses. All that the FBI needs to demand your private information from athird-party entity is an assertion that such information is"relevant" to a national security investigation -- and the NSLs comewith an accompanying gag order that'salmost impossible to challenge in court."

And what of FISA requests??? We know the Patriot Act allowed the government access to Internet sites we've visited as well as to listen in on the phone calls we make. It wasn’t long ago that the idea of our government wiretapping Americancitizens without warrants for purposes other than national security would havebeen revolting. Now its official Government policy – and the telecom companiesthat participated in these crimes have been given retroactive immunity whilecontinuing to make billions off overcharging the same customers they betrayed.

My question is just how many times is Google being asked for our information by our government that falls into these categories?

Let's also remember, there's a clear pattern we should all be aware of when it comes to government access to our data: Facebook reportedly receives up to 100 demands from the government each weekfor information about its users. AOL reportedly receives 1,000 demands a month.In 2006, a U.S. Attorney demanded book purchase records of 24,000 Amazon.comcustomers. Sprint recently disclosed that law enforcement made 8 millionrequests in 2008 alone for its customer’s cell phone GPS data for purposes of locationaltracking.

And if that's not enough, it was Google’s CEO, Eric Schmidt that said "If you have something thatyou don't want anyone to know, maybeyou shouldn't be doing it in thefirst place."

As you let that sink in, he also said: "… the reality is that searchengines including Google do retain this information for some time, and it's important, for example that we are all subject inthe United Statesto the Patriot Act. It is possible that that information could be madeavailable to the authorities."

In other words, the data that we need to be made public is precisely the data not being provided - particularly in light of the growing Occupy Wall Street protests spreading around the country and world. Believe me, the FBI wants access to this information. There may be some good news to report here though, as the agency appears to be increasingly going through the courts to obtain it (though knowing how bad our courts are on privacy its not exactly the time to pop champagne).

The Washington Post details these efforts:

The FBI is increasingly going to court to get personale-mail and Internet usage information as service providers balk at disclosingcustomer data without a judge’s orders. Investigators onceroutinely used administrative subpoenas, called national security letters,seeking information about who sent and received e-mail and what Web sitesindividuals visited. The letters can be issued by FBI field offices on theirown authority, and they obligate the recipients to keep the requests secret.

But more recently, many service providers receiving nationalsecurity letters have limited the information they give to customers’ names,addresses, length of service and phone billing records.

...

Investigators seeking more expansive information over thepast two years have turned to court orders called business record requests. Inthe first three months of this year, more than 80 percent of all businessrecord requests were for Internet records that would previously have beenobtained through national security letters, the FBI said. The FBI made morethan four times as many business records requests in 2010 than in 2009: 96compared with 21, according to Justice Department reports.

In response to concerns expressed by administrationofficials, Judiciary Committee Chairman Patrick J. Leahy (D-Vt.) has introduceda measure that would establish that the FBI can use national security lettersto obtain “dialing, routing, addressing and signaling information.” It wouldnot include the content of an e-mail or other communications, theadministration has said.

The administration, which last year contemplated legislationto expand the authority of national security letters, has not taken a formalposition on the Leahy measure, officials said. But the FBI has told Congressthat the number of business record orders will continue to grow unless a legalchange gives the agency more routine access to customer data.

Civil liberties groups said Leahy’s measure, included in abill to modernize the Electronic Communications Privacy Act, would expand thegovernment’s authority to obtain substantial data about the privatecommunications of individuals without court oversight.

“Our view is data like e-mail ‘to-from’ information is sosensitive that it ought to be available only with a court order,” said GregNojeim, senior counsel at the Center for Democracy and Technology. Privacy advocates said they support requiring the FBI to usecourt orders to seek the data. “This is an example of how the system shouldwork,” said American Civil Liberties Union legislative counsel MichelleRichardson.

Business record requests are also known as Section 215orders, after a provision in the Patriot Act, the law passed after the Sept.11, 2001, terrorist attacks. The provision allows the government to obtain “anytangible thing” if officials can show reasonable grounds that it would berelevant to an authorized terrorism or espionage investigation. The ACLU and the Electronic Frontier Foundation on Wednesdayplan to separately sue the government to force disclosure of its interpretationof Section 215. The groups are following the lead of Sen. Ron Wyden (D-Ore.),who has accused the administration of inappropriately withholding informationabout the law’s use.

In other words, there's a whole lot we still don't know...and a whole lot of reasons, based on past Patriot Act abuses, lax oversight, and the recent increase in efforts by the government to access our data, be it through Google requests we know about, those we don't, as well as FBI's attempts through the court system.

If these new figures released by Google can serve the purpose the company purports it seeks -

to encourage the passage of new laws that will givethe company more leverage to deny government access to people's online communications and activities - then more power to them. In the meantime, I'll remain skeptical and concerned.

Taxpayers Footing Bill For Wall Street Spying...On Us

2011-10-25T10:49:00.000-07:00

I want to follow up on my post last Thursday raising concerns about the way the Patriot Act will be used by law enforcement and the government against Occupy Wall Street protesters. This assertion is based on a long history of Patriot Act abuses - particularly pertaining to the prior targeting of anti-war, environmental, and anti-globalization protests.

As I pointed out, according to a report by the ACLU, there have been 111 incidents of illegal domestic political surveillance since 9/11 in 33 states and the District of Columbia. The report makes it clear that law enforcement and federal officials work closely to monitor the political activity of individuals deemed suspicious, an activity common during the Cold War – including protests, religious activities and other rights protected by the first amendment. The report also noted how the FBI monitors peaceful protest groups and in some cases attempted to prevent protest activities.

Before I get to the article, another concern protesters should have was illustrated by a bill in California (SB 914 - Vetoed by the Governor): police can seize and search your smart phones...and perhaps even download that information (or at least the FBI has such technology).

The legislation was a response to a recent California Supreme Court decision (People v. Diaz) allowing police to rummage through all of the private information on your smart phone as part of an arrest, including your text messages and e-mails. SB 914 would have clarified that an arrestee’s smart phone can only be accessed with a warrant, except in circumstances where there is an immediate threat to public safety or the arresting officer. The bill acknowledged that accessing information on a mobile phone – particularly smart phones that contain all kinds of personal, private information - is fundamentally different than searching an arrested person’s wallet, cigarettes or pockets.

So, while the revelations I want to share with you today are unrelated to the Patriot Act per se, they perfectly illustrate the point I was driving at...which were the inherent threats to privacy and civil liberties Americans, particularly protesters, now face.

The story that caught my eye was by Pam Martens or Counterpunch entitled, "Wall Street Firms Spy on Protesters In Tax-Funded Center".

Would you believe, as the article details, that $150 million of taxpayer money is funding a government facility in lower Manhattan where Wall Street firm representatives have joined the New York Police Department to spy on law-abiding citizens simply taking advantage of their First Amendment rights?

Martens writes:

According to newly unearthed documents, the planning for this high tech facility on lower Broadway dates back six years. In correspondence from 2005 that rests quietly in the Securities and Exchange Commission’s archives, NYPD Commissioner Raymond Kelly promised Edward Forst, a Goldman Sachs’ Executive Vice President at the time, that the NYPD “is committed to the development and implementation of a comprehensive security plan for Lower Manhattan . . . One component of the plan will be a centralized coordination center that will provide space for full-time, on site representation from Goldman Sachs and other stakeholders.”

At the time, Goldman Sachs was in the process of extracting concessions from New York City just short of the Mayor’s first born in exchange for constructing its new headquarters building at 200 West Street, adjacent to the World Financial Center and in the general area of where the new World Trade Center complex would be built. According to the 2005 documents, Goldman’s deal included $1.65 billion in Liberty Bonds, up to $160 million in sales tax abatements for construction materials and tenant furnishings, and the deal-breaker requirement that a security plan that gave it a seat at the NYPD’s Coordination Center would be in place by no later than December 31, 2009.

The surveillance plan became known as the Lower Manhattan Security Initiative and the facility was eventually dubbed the Lower Manhattan Security Coordination Center. It operates round-the-clock. Under the imprimatur of the largest police department in the United States, 2,000 private spy cameras owned by Wall Street firms, together with approximately 1,000 more owned by the NYPD, are relaying live video feeds of people on the streets in lower Manhattan to the center. Once at the center, they can be integrated for analysis. At least 700 cameras scour the midtown area and also relay their live feeds into the downtown center where low-wage NYPD, MTA and Port Authority crime stoppers sit alongside high-wage personnel from Wall Street firms that are currently under at least 51 Federal and state corruption probes for mortgage securitization fraud and other matters.

In addition to video analytics which can, for example, track a person based on the color of their hat or jacket, insiders say the NYPD either has or is working on face recognition software which could track individuals based on facial features. The center is also equipped with live feeds from license plate readers.

According to one person who has toured the center, there are three rows of computer workstations, with approximately two-thirds operated by non-NYPD personnel. The Chief-Leader, the weekly civil service newspaper, identified some of the outside entities that share the space: Goldman Sachs, Citigroup, the Federal Reserve, the New York Stock Exchange. Others say most of the major Wall Street firms have an on-site representative. Two calls and an email to Paul Browne, NYPD Deputy Commissioner of Public Information, seeking the names of the other Wall Street firms at the center were not returned. An email seeking the same information to City Council Member, Peter Vallone, who chairs the Public Safety Committee, was not returned.

...

The project has been funded by New York City taxpayers as well as all U.S. taxpayers through grants from the Federal Department of Homeland Security. On March 26, 2009, the New York Civil Liberties Union (NYCLU) wrote a letter to Commissioner Kelly, noting that even though the system involves “massive expenditures of public money, there have been no public hearings about any aspect of the system…we reject the Department’s assertion of ‘plenary power’ over all matters touching on public safety . . . the Department is of course subject to the laws and Constitution of the United States and of the State of New York as well as to regulation by the New York City Council.”

...

The NYCLU also noted in its letter that it rejected the privacy guidelines for the surveillance operation that the NYPD had posted on its web site for public comment, since there had been no public hearings to formulate these guidelines. It noted further that “the guidelines do not limit police surveillance and databases to suspicious activity . . . there is no independent oversight or monitoring of compliance with the guidelines.”

Read more here.

If that isn't enough, apparently the individual who did write the privacy guidelines for this operation (you can read this in the article) has family ties to both Wall Street firms AND the company that will profit off this very surveillance system.

So for those keeping score, the VERY same criminal enterprises on Wall Street that - through their recklessness and thievery - crashed the global economy and caused untold suffering to literally tens of millions of people, only to get bailed out by the SAME people they scammed...and are now making record profits 3 years later while record numbers are unemployed, living in poverty, and going hungry, are now using OUR MONEY to spy on us!

If that's not enough to make your blood boil, and run out to the nearest Occupy Wall Street (or whichever city you live in ) protests I don't know what will. This story really has it all, from taxpayer fraud to intrusive surveillance to the possible use of facial recognition technology to the creepy collusion of corporate and government authorities to subvert American's constitutional right to privacy and on down the line.

As Pam Martens aptly concludes, "Wall Street is infamous for perverting everything it touches: from the Nasdaq stock market, to stock research issued to the public, to auction rate securities, mortgages sold to Fannie Mae and Freddie Mac, credit default swaps with AIG, and mortgage securitizations. Had a public hearing been held on this massive surveillance sweep of Manhattan by potential felons, hopefully someone might have pondered what was to prevent Wall Street from tracking its employee whistleblowers heading off to the FBI offices or meeting with a reporter. One puzzle has at least been solved. Wall Street’s criminals have not been indicted or sent to jail because they have effectively become the police."

In many ways this story EPITOMIZES exactly why the Occupy movement is both just and righteous...and growing.

As Occupy Wall Street Protests Grow Let's Revisit the Patriot Act

2011-10-20T11:46:00.000-07:00

In light of the growing worldwide Occupy Wall Street protests we would do well to revisit how the Patriot Act has been abused by government, not to catch terrorists, but to stifle dissent and consolidate power. Understanding how its been used in the past should make us all very wary about how its probably being used as we speak, and will be used in the future, to target protesters utilizing their First Amendment right to speak out against a deeply corrupted and unjust economic system.

What’s amazing is this movement didn’t start sooner…if only it had back after the 2008 crash perhaps we could have gotten REAL financial reform. The bottom line is the masses are starting to understand that the economic and political game is rigged….and the only winners are corporations, Wall Street, and the very top of the income ladder. Meanwhile, the middle class is nearly gone and the lower class and poverty is exploding.

Now, just a month after it began we saw large crowds marching in London, Frankfurt, and Rome, in addition to approximately 900 protests in American cities and as many as 2,000 have taken place worldwide.

With that backdrop, let me take you back to some of what I wrote in my op-ed a few months ago entitled "The Patriot Act and the Quiet Death of the US Bill of Rights", with particular attention to the ongoing efforts by a few Senators to expose what they call a "secret" Patriot Act provision.

As you read these DOCUMENTED abuses, keep the Occupy Wall Street protests in mind.

Consider what we know:

•   As Adam Sewer of the American Prospect notes: “It's no secret that the FBI's use of NSLs - a surveillance tool that allows the FBI to gather reams of information on Americans from third-party entities (like your bank) without a warrant or without suspecting you of a crime - have resulted in widespread abuses. All that the FBI needs to demand your private information from a third-party entity is an assertion that such information is "relevant" to a national security investigation -- and the NSLs come with an accompanying gag order that's almost impossible to challenge in court.”
•    NSLs were used by the Bush administration after the Sept. 11, 2001 attacks to demand that libraries turn over the names of books that people had checked out. In fact, there were at least 545 libraries that received such demands in the year following passage of the Patriot Act alone.
•    The Electronic Frontier Foundation (EFF) uncovered "indications that the FBI may have committed upwards of 40,000 possible intelligence violations in the 9 years since 9/11." It said it could find no records of whether anyone was disciplined for the infractions.
•    Under the Bush Administration, the FBI used the Patriot Act to target liberal groups, particularly anti-war, environment, and anti-globalization, during the years between 2001 and 2006 in particular.
•    According to a recent report by the ACLU, there have been 111 incidents of illegal domestic political surveillance since 9/11 in 33 states and the District of Columbia. The report shows that law enforcement and federal officials work closely to monitor the political activity of individuals deemed suspicious, an activity common during the Cold War – including protests, religious activities and other rights protected by the first amendment. The report also noted how the FBI monitors peaceful protest groups and in some cases attempted to prevent protest activities.
•    According to a July 2009 report from the Administrative Office of the U.S. Courts, only three of the 763 "sneak-and-peek" requests in fiscal year 2008 involved terrorism cases. Sixty-five percent were drug related.

In other words, the "precedent" set by the Patriot Act appears to be serving to accelerate the rapid disintegration of civil liberties in this country.

But let's go back to what I wrote on the "secret provision": Of equal concern is what we still don't know about how the government might be using the Act, highlighted by recent statements made by US Senators regarding what they termed "secret Patriot Act provisions". Senator Ron Wyden ( D-OR ), an outspoken critic of the recent reauthorization, stated, "When the American people find out how their government has secretly interpreted the Patriot Act they will be stunned and they will be angry." As a member of the Senate Intelligence Committee Wyden is in a position to know, as he receives classified briefings from the executive branch.

In recent years, three other current and former members of the US Senate - Mark Udall ( D-CO ), Dick Durbin ( D-IL ), and Russ Feingold ( D-WI ) - have provided similar warnings. We can't be sure what these senators are referring to, but the evidence suggests, and some assert, that the current administration is using Section 215 of the Patriot Act - a provision that gives the government access to "business records" - as the legal basis for the large-scale collection of cell phone location records.

The fact that in 2009 Sprint disclosed that law enforcement made 8 million requests in 2008 alone for its customer's cell phone GPS data for purposes of locational tracking should only add to these legitimate privacy concerns.

I bring this issue up, because just a few weeks ago those same Senators, as reported in the New York Times, attempted to bring this issue to light again.

The NYT reports:

Two United States senators...accused the Justice Department of making misleading statements about the legal justification of secret domestic surveillance activities that the government is apparently carrying out under the Patriot Act.

The lawmakers — Ron Wyden of Oregon and Mark Udall of Colorado, both of whom are Democrats on the Senate Intelligence Committee — sent a letter to Attorney General Eric H. Holder Jr. calling for him to “correct the public record” and to ensure that future department statements about the authority the government believes is conveyed by the surveillance law would not be misleading.

...

Mr. Wyden and Mr. Udall have for months been raising concerns that the government has secretly interpreted a part of the Patriot Act in a way that they portray as twisted, allowing the Federal Bureau of Investigation to conduct some kind of unspecified domestic surveillance that they say does not dovetail with a plain reading of the statute.

The dispute has focused on Section 215 of the Patriot Act. It allows a secret national security court to issue an order allowing the F.B.I. to obtain “any tangible things” in connection with a national security investigation. It is sometimes referred to as the “business records” section because public discussion around it has centered on using it to obtain customer information like hotel or credit card records.

But in addition to that kind of collection, the senators contend that the government has also interpreted the provision, based on rulings by the secret national security court, as allowing some other kind of activity that allows the government to obtain private information about people who have no link to a terrorism or espionage case.

Justice Department officials have sought to play down such concerns, saying that both the court and the intelligence committees know about the program. But the two lawmakers contended in their letter that officials have been misleading in their descriptions of the issue to the public.

First, the senators noted that Justice Department officials, under both the Bush and Obama administrations, had described Section 215 orders as allowing the F.B.I. to obtain the same types of records for national security investigations that they could get using a grand jury subpoena for an ordinary criminal investigation. But the two senators said that analogy does not fit with the secret interpretation.

Now let me go back to my analysis of the Patriot Act...again, with the Occupy Protests in mind:

The Patriot Act was sold as an indispensable weapon in the government's arsenal to fight and "win" the "War on Terror". We were assured that the sole purpose of these unprecedented powers granted government were to locate and catch terrorists - not raid the homes of pot dealers and wiretap peace activists. Monitoring political groups and activities deemed "threatening" ( i.e. environmentalists, peace activists ), expanding the already disastrous and wasteful war on drugs, and eavesdropping on journalists isn't about fighting terrorism, it's about stifling dissent and consolidating power - at the expense of civil liberties.

How ironic that the very "tool" hailed as our nation's protector has instead been used to violate the very Constitutional protections we are allegedly defending from "attack" by outside threats. What was promised as a "temporary", targeted law to keep us safe from terror has morphed into a rewriting of the Bill of Rights.

John Whitehead explains: "The Patriot Act drove a stake through the heart of the Bill of Rights, violating at least six of the ten original amendments-the First, Fourth, Fifth, Sixth, Seventh and Eighth Amendments-and possibly the Thirteenth and Fourteenth Amendments, as well. The Patriot Act also redefined terrorism so broadly that many non-terrorist political activities such as protest marches, demonstrations and civil disobedience were considered potential terrorist acts, thereby rendering anyone desiring to engage in protected First Amendment expressive activities as suspects of the surveillance state."

As I also asserted, the Bill of Rights is under siege, particularly the Fourth Amendment, writing, "Some important questions demand answers: Does increasingly intrusive and even unconstitutional anti-terrorism measures actually make us any safer (or less so)? If so, what is the price we are willing to pay for that additional security?

Since 9/11 an undeniable pattern has emerged, from illegal search and seizures to warrantless wiretapping to the GPS tracking of cell phones to airport body scanners to the redefinition of Habeas Corpus to the increasing use of rendition for the purposes of torturing prisoners yet to be charged with a crime to military tribunals replacing courts of law, among many others.

What were once considered unassailable civil liberties granted to ALL citizens are under siege. The consequences of such a loss would be profound. Without the fundamental reform of the Patriot Act I fear this loss will be a permanent, and the American experiment will forever be altered.

So let us hope that the desperately needed, and incredibly hopeful Occupy Wall Street protests, and protesters, are not the target of aggressive and unconstitutional Patriot Act abuses (we've already seen how law enforcement has overreached) - as in the past. Of course, "hoping" is no solution to the constitutional crises we face in this country - epitomized by the Patriot Act (and court rulings like Citizens United).

Just as the protesters are absolutely correct in their focus on wealth disparity, Wall Street corruption and criminality, and our transformation into something resembling an oligarchy more than a true democracy, we should also remember that since 9/11 the US Bill of Rights has been under assault, with the Patriot Act serving as the battering ram. So, while we must address economic justice issues so too must we demand reforms to, and even repeal of, the worst components of a law (the Patriot Act) that was in part DESIGNED to counter and stifle the very protests taking place across this country and world.

A Near Privacy Sweep in California…With One BIG Exception

2011-10-13T10:15:00.000-07:00

It was a near legislative sweep for privacy advocates thisyear as Governor Brown signed all but one of the key privacy bills that reachedhis desk. These include:

SB 602 (Yee) will ensure that government and third partiescannot access private reading records without proper justification. This is nosmall victory being that digital books will store data that can include booksbrowsed, how long a page is viewed, and even the electronic notes written inthe margins. It's not hard to seethe detailed portrait of your life such information could paint.

AB 22 (Mendoza) willprohibit a prospective employer from using consumer credit reports in thehiring process unless it’s directly related to the job. This bill was one ofour top priorities this year for a number of reasons, including: credit reportsdo not have predictive value in determining a worker’s ability to perform jobduties, while a bad credit report might unfairly influence a hiring employer’sattitude toward a job applicant; a significant percentage of credit reports areinaccurate, and correcting such information in a credit report is a tedious,time consuming affair; and millions of peoples credit scores have beendecimated by a Great Recession that was no fault of their own, but in fact dueto the actions of some of the very interests that then arbitrarily determineones credit rating. For all of those reasons and more this legislation was avictory for both privacy and economic justice.

SB 24 (Simitian) willprovide an important upgrade to California's landmark breach notification law. It spells outwhich key details must be included in that notification letter, and would makesure the Attorney General hears about the breach. SB 24 will help consumersmake sense of these notices, and help arm us to stop identity theft. Sony,Citibank, and the Bay Area Rapid Transit District are recent examples ofbusinesses and government agencies whose customers’ records were stolen byhackers.

And just a few weeks ago it was revealed that 300,000Californians’ intimate medical records, along with their social securitynumbers, were viewable for months to anyone with an internet connection, owingto an insurance processing business’ failure to safeguard its electronic datafiles. This massive medical records data breach leads us to another privacyrelated legislative victory: SB 850 (Leno), which will expand theConfidentiality of Medical Information Act to both written and electronichealth records.

Also of note, but not a high priority for CFC this year, was thesigning of SB 208 (Alquist), which will authorize restitution to an identitytheft victim for expenses to monitor a credit report and for the costs torepair a credit rating, and SB 636 (Corbett), which will provide furtherprotection to individuals participating in the Safe at Home Program byprohibiting their addresses and telephone numbers from being posted on theInternet, and establishing crimes for publishing or failing to remove theiridentifying information.

The Big Disappointment: Governor Vetoes SB 914 (Leno) - Police Search of SmartPhones

Currently police can seize and search an individual’s smartphone or android without a warrant, just like a traditional cell phone. SB 914 wouldhave clarified that an arrestee’s cell phone can only be accessed with awarrant, except in circumstances where there is an immediate threat to publicsafety or the arresting officer. It acknowledges that accessing information ona cell phone is fundamentally different than searching an arrested person’swallet, cigarette pack or jeans pockets.

Being that modern cell phones are becoming more like allpurpose computers, and therefore contain ALL KINDS of personal, privateinformation, the authorities should not be granted the right to that informationwithout a warrant.

Unfortunately, in 2007, California's Supreme Court ruled against such a distinction,arguing, "The cell phone was an item (of personal property) on the personat the time of his arrest and during the administrative processing at thepolice station. Because the cell phone was immediately associated withdefendant’s person, (police were) entitled to inspect its contents without awarrant."

But these justices went even further - comparing the cell phone to personaleffects like clothing. Worse, it argued that it wasn'tbecause the police had a particular right in this particular case, or there wassome special exception that allowed such a search, but rather, that noexception was even necessary. In other words, this case was not an exception,but rather the NEW rule: cell phone records are now of little difference thanthe shirt on your back if you'vebeen arrested.

Dissenting Justice Kathryn Werdegar raised similar concernswe have in her opinion: "The majority’s holding ... (grants) police carteblanche, with no showing of exigency, to rummage at leisure through the wealthof personal and business information that can be carried on a mobile phone orhandheld computer merely because the device was taken from an arrestee’sperson...The majority thus sanctions a highly intrusive and unjustified type ofsearch, one meeting neither the warrant requirement nor the reasonablenessrequirement of the Fourth Amendment to the United States Constitution."

In response to the ruling, Jonathan Turley, a Constitutional law expert at George Washington University, secondedJustice’s fourth amendment related concerns, "The Court has left theFourth Amendment in tatters and this ruling is the natural extension of thattrend. While the Framers wanted to require warrants for searches and seizures,the Court now allows the vast majority of searches and seizures to occurwithout warrants. As a result, the California Supreme Court would allow policeto open cell phone files — the modern equivalent of letter and personalmessages.”

In light of increasing economic injustice and incomeinequality, and the likewise growth in number and size in protests across thecountry, granting authorities such powers should be viewed with greatskepticism and caution. As State Senator Mark Leno noted, "If you like toattend political rallies, parades, protests or sit-ins, you might considerleaving your cell phone at home in the unlikely event arrests are made. Arecent California Supreme Court decision allows police to rummage through allof the private information on your smart phone as part of an arrest, includingyour text messages and e-mails. This warrantless search is now legal in California, regardlessof whether the information on the phone is relevant to the arrest or ifcriminal charges are ever filed.”

This fight isn’t over. SenatorMark Leno has indicated he will bring this legislation back next year inanother effort to overturn the state Supreme Court’s ruling. Clearly, in thiscase and many others like it in the age of the Patriot Act and the War onTerror, Governor Brown was mistaken in his veto message when he said the courts are "bettersuited" than legislators to decide when a search is legal. Perhaps in most cases this is true...but not when they are so clearly in conflict with something as fundamental to our basic rights as the Fourth Amendment. Let’s hope wecan change the Governors mind next year.

Facial Recognition Technology Creeping into the American Work Place

2011-10-06T10:17:00.000-07:00

Over a month ago I posted a pretty extensive blog on Facial Recognition technology and thethreat it poses to individual privacy. Because I know not everyone can read every post, I'll repeat a few of my thoughts here today before I get to an outstanding piece by Tana Ganeva of Alternet about the rapid spread of this technology - particularly in the workplace (which is especially disturbing).

The article I commented on here back on September 1st was also from Alternet entitled 5Unexpected Places You Can Be Tracked With Facial Recognition Technology. As I wrote then, this issue hasparticular interest to me due to California's recent fight, that we at theConsumer Federation of California were deeply involved in, over biometricidentifiers being used by the DMV (our Executive Director is quoted in this article).

As for the larger concern over facial recognition technology, groups from the Privacy Rights Clearinghouse (PRC) to the ACLU to the Electronic Frontier Foundation to EPIC have all been very active in making the case that there is a very real threat to privacy at stake in determining just how, and when, this technology can be used.

So let me refresh everyone on theconcept of biometric identifiers - like fingerprints, facial, and/or irisscans. These essentially match an individual’s personal characteristicsagainst an image or database of images. Initially, the system captures afingerprint, picture, or some other personal characteristic, and transforms itinto a small computer file (often called a template). The next time someoneinteracts with the system, it creates another computer file.

There are a number of reasons why such technological identifiers shouldconcerns us. So let's be real clear, creating a database with millions offacial scans and thumbprints raises a host of surveillance, tracking andsecurity question - never mind the cost. And as you might expect, suchidentifiers are being utilized by entities ranging from Facebook to the FBI. Infact, the ACLU of California is currently asking for information about lawenforcements’ use of information gathered from facial recognition technology(as well as social networking sites, book providers, GPS tracking devices,automatic license plate readers, public video surveillance cameras).

But for today’s sake, let’s hone in on the article by Tana Ganeva, because it adds another critical piece to this privacy eviscerating technological puzzle...a piece that happens to tie directly to the increasing shift in power from workers and people to corporations and "owners". We see this deterioration in worker rights and this widening gap between the wealth, influence, and rights of the rich and powerful versus the rest of us in the uprisings in Ohio and Wisconsin, to the Occupy Wall Street protests spreading across the country, to movements like the Take Back the American Dream.

Here's yet another reason I believe this clash has just begun...and not a minute too soon. In here piece entitled, "Biometrics at Pizza Hut and KFC? How Face Recognition and Digital Fingerprinting Are Creeping Into the U.S. Workplace" she writes:

FaceIN uses two cameras to map a worker's face, convertingthe width of their cheekbones, depth of their eye sockets, nose shape, andother unique facial features into an ID code. Every day after that, workerspunch in by standing in front of a machine that recognizes them after atwo-second face scan. Unlike the old-fashioned electronic password, FaceINpromises to tightly monitor when workers come and go, permanently banishing"buddy punching" from the workplace -- the time-honored practice ofcovering for a co-worker who may be running a few minutes late.

...

Face-scanning time clocks were only introduced in the US in 2010, bycompanies like Lathem and Compumatic Time Recorders Inc, which outdoes Lathemby offering a time-clock that recognizes workers in the dark. But biometrics --the science of determining identity through unique physiological features likefingerprints or the pattern of veins -- have been creeping into the Americanworkplace for years. Fingerprint readers, retinal scans, and even machines thatuse palm pressure to ascertain identity are in use in workplaces ranging from theUS Senate to hospitals to construction sites and restaurants.

As you can imagine, the applications vary depending on thework. Namely, the higher up you go on the income ladder, the more likely it isthat biometrics are used to aid security or even protect privacy, like keepinghospital records safe.

In low-wage jobs, advances in biometrics are starting tomanifest in products that monitor and control employee behavior; devices meantto scare workers out leaving early to pick up the kids, running a few minuteslate, or giving friends or family the occasional discount.

...

KFC, Souplantation and Sweet Tomatoes join franchise ownersof Pizza Huts and Popeyes in publicizing their use of the technology. A DigitalPersona rep also says U.are.U is used in Long John Silvers and Wendy'slocations. Hooters' corporate management was so impressed after seeing U.are.Uin action at a few restaurants it has made it corporate policy to equip Hootersacross the land with the machines, the Digital Persona rep told AlterNet.

Other companies including a popular fast food chain, an omnipresentpharmacy, and an upscale furniture store, are keeping quiet about their use ofU.are.U in some of their stores, AlterNet has learned. Their caution seems warranted. Biometrics is a staple ofsci-fi dystopias for a reason, and recent, more public debuts of the technologyhave not gone well. Earlier this summer Facebook faced massive backlash afterexpanding its face recognition tagging software. The German government eventhreatened tosue the site for violating German privacy laws, and the Connecticutattorney general scolded Facebook for making the feature default rather thanletting users opt-in.

…

The American low-wage workplace is not exactly a paragon ofmutual trust and autonomy. There are, after all, managers to oversee employeeactivity and in many fast food joints surveillance cameras effectivelycommunicate the point that workers can be watched at all times.

Nussbaum points out that most supervisors would probably noticeif half of their crew stopped showing up but kept getting paid. The far moreexacting measurement of employee arrivals and departures offered up by thebiometric clock appears designed to capture what a human manager might miss.

An American Payroll Association study cited in DigitalPersona promotional materials estimates that "time theft" accountsfor between 1.5 to 5 percent of payroll costs. But what about the longer-termeconomic impact of worker burnout? Nussbaum has found that workers subjected toincreasing levels of surveillance can suffer physical and psychologicalproblems.

Of course, the emotional and physical health of theirlowest-paid workers has never been top corporate priority. It just doesn't haveto be, since essentially every big economic trend over the past 50 years hasscrewed low-wage workers while ensuring employers have a large supply ofdisposable labor.

Right now is a particularly nasty time to be a member ofAmerica's working poor. Unemploymentrates among high-school graduates hover at around 10 percent -- incomparison, 4.4 percent of college graduates are out of work. This is despitethe fact that what new jobs are being spit up by the anemic economy areprimarily low-wage, according to a February report by the NationalEmployment Law Project which found 49 percent of job growth over the yeartook place in industries like retail.

…

Facebook has become the most public symbol of privacycorrosion, so the site's use of face recognition technology sparked the mostoutrage. But biometric technology is starting to appear in many realms. A fewweeks ago AlterNet compiled a list of unexpected places where face recognitiontechnology can be found besides Facebook. These included ads in Vegas and inthe marketing strategies of companies like Adidas and Kraft, as the LosAngeles Times reported. There's about a 50/50 chance your DMV uses facerecognition to run photographs through a database, according to an estimate bythe EFF's Lee Tien. Police in departments around the country are being equippedwith MORIS, a mobile device that contains face recognition, iris scanning anddigital fingerprints.

One of the things that stands between abuses of thetechnology is the visceral unease it engenders, which often leads to backlashwhen it's too crudely imposed. Getting young people accustomed to beingfingerprinted just to go to work, though, can go a long way toward making thetechnology seem more and more natural, so that it also seems perfectly normalto give your fingerprint to the police when you don't have to, or be OK with acorporation, or strangers on the street, knowing who you are from a snapshot ofyour face.

Click here to read more.

As I have written here numerous times, more than any one technology and intrusive abuse of it, or the latest "war on terror" court ruling stripping us of yet another civil liberty, is a future in which privacy itself is but a distant, distorted memory. Where are weleft when the power of corporate or government interests to monitor everythingwe do is absolute?

As I wrote, "Whether its the knowledge that everything we do on the internet is followed andstored, that we can be wiretapped for no reason and without a warrant orprobable cause, that smart grid systems monitor our daily in home habits andactions, that our emails can be intercepted, that our naked bodies must beviewed at airports and stored, that our book purchases can be accessed (particularlyif Google gets its way and everything goes electronic), that street cornercameras are watching our every move, and that RFID tags and GPS technologyallow for the tracking of clothes, cars, and phones (and the list goeson)...what is certain is privacy itself is on life support in thiscountry...and without privacy there is no freedom. I also fear how such asurveillance society stifles dissent and discourages grassrootspolitical/social activism that challenges government and corporate power...somethingthat we desperately need more of in this country, not less."

The fact that low income workers could now be subjected to constant facial recognition monitoring in the hopes of working them harder, longer, and under even more duress than they already are by an increasingly rich and powerful CEO class is in fact infuriating to me...and represents the clear path our country is on, and has been for over 30 years. And it is this path that is leading to the much needed movement, and protests, starting to take place around this country demanding MORE, not less, worker rights, economic justice, and yes, privacy.

My Interview on AB 22 (Mendoza), and Governor Signs SB 602 (Reader Privacy Act)

2011-10-03T10:31:00.000-07:00

A little less than two weeks ago I put together a major post on job seeker privacy, particularly when it comes to employers increasing use of intrusive background checks, most notably of your credit reports.

Rather than go into detail here again, let me just point you to the interview I did on the Rick Smith Show last week about legislation here in California, AB 22 (Mendoza), that would ban prospective employers from accessing your credit scores unless its directly related to the job your applying for. The Governor has until October 9th to decide.

Now to some great news...the Governor signed Senator Leland Yee's Reader Privacy Act (SB 602) on Sunday.As I've noted in the past here, The privacy threats posed by the explosion of digital books, which will store data that can include books browsed, how long a page is viewed, and even the electronic notes written in the margins. It's not hard to see the detailed portrait this could paint of your life.

Thankfully, this concern will finally be addressed by SB 602 (Yee) - which now will provide important privacy protections for digital book readers. Without such legislative protection, you can imagine how tempting this information could be to the government or other litigants, like those involved in divorce cases, custody battles, or insurance disputes.

In the case of digital books, we're not talking about just another library - librarians utilize a different standards for dealing with user information than does the online world. Many libraries routinely delete borrower information, and organizations such as the American Library Association have fought hard to preserve the privacy of their patrons in the face of laws such as the U.S. Patriot Act.

What the bill will do is update California's privacy protections in the digital age by preventing the disclosure of information about readers from booksellers without a warrant in a criminal case or a court order in a civil case. It also requires booksellers to report the number and type of requests they receive to track government demands for reader information. Without such protections, we're talking about a virtual one-stop shop for government and third party fishing expeditions into the personal details of our lives.

Here's what PC magazine had to say about the legislation being signed:

The bill, known as the Reader Privacy Act of 2011, will require government agencies to obtain a court order before they access customer records from book stores or online retailers. It will officially become law on January 1.

"California law was completely inadequate when it came to protecting one's privacy for book purchases, especially for online shopping and electronic books," said Calif. state Sen. Leland Yee, the bill's sponsor. "Individuals should be free to buy books without fear of government intrusion and witch hunts. If law enforcement has reason to suspect wrongdoing, they should obtain a court order for such information."

Sen. Yee pointed to the McCarthy hearings of the 1950s, where Americans were questioned about whether they had read Marx or Lenin. In the years since September 11, meanwhile, the FBI has sought information from more than 200 libraries, he said.The bill was backed by the American Civil Liberties Union of California (ACLU) and the Electronic Frontier Foundation (EFF), as well as Google, TechNet, and the Consumer Federation of California.

"Reading choices reveal intimate facts about our lives, from our political and religious beliefs to our health concerns. Digital books and book services can paint an even more detailed picture—including books browsed but not read, particular pages viewed, how long spent on each page, and any electronic notes made by the reader," the EFF said in a statement.

"Without strong privacy protections like the ones in the Reader Privacy Act, reading records can be too easily targeted by government scrutiny as well as exposed in legal proceedings like divorce cases and custody battles. Legal protections must keep up with technological advances," said Valerie Small Navarro, Legislative Advocate with the ACLU of California.

Click here to read more.

A REALLY BAD Week for Electronic Health Record Privacy

2011-09-22T14:00:00.000-07:00

Let me begin with an obvious caveat: I'm no Luddite and I COMPLETELY understand the logic behind transitioning to an electronic based health records system.

It was just a few weeks ago that aSan Jose Mercury News sounded a few alarm bells regarding just how"safe" our personal data will be in the coming cyber world reality ofelectronic health records. But after this week, these privacy concerns have just expanded and metastasized significantly. For those that don't know, we (America) are in the midst the massive transition to e-healthrecords, a key component of both President Obama'shealth care proposal as well as the stimulus package itself.

Let me again reiterate that because the three stories I'm going to share with you today, all from this week, epitomize the concerns articulated by privacy advocates is not to say that we shouldn't make this transition, for all the money and even life saving reasons everybody has probably heard by now. But what it DOES say is that STRICT privacy safeguards, at every step of the transition process, must be implemented...from the beginning, not once the Genie is out of the bottle.

And the fact is, as these breaking news stories will make clear, time is running out, because states across the country, including California, are workingto implement such a system, with consumer privacy perhaps the paramount area ofdispute...as I write this!

AS I said, one of the most important challenges for privacy advocateshas been making sure that the transition to electronic medical records includesironclad privacy safeguards along with it. We know such a system will save moneyand improve health care (though how significant these improvements and savingswill be is still in question), but what remains contentious - and rightly so -is the intrinsic threat a massive electronic database containing our mostpersonal medical records poses to individual privacy and security.

When it comes to the issue of e-health records certainly one question theconsumers should ponder is "Where is my data and who has access to it and for what purposes?"Or perhaps even more importantly, "can my private data be traced back tome personally and sold to others?"

Before I go on too long, let me get to the three separate articles...the first entitled "Theft of Digital Health Data More Often Inside Job, Report Finds" from Bloomberg Business Week.

The article reports:

Electronic health data breaches are increasingly carried outby “knowledgeable insiders” bent on identity theft or access to prescriptiondrugs, according to a report from PricewaterhouseCoopers LLP.

More than 11 million consumers have had medical data stolenor inappropriately disclosed since September 2009, and the privacy breaches areexpected to rise as more health information is put online, according to thereport released today by the New York-based accounting firm’s health researchinstitute. The most frequently reported issue was the improper use of protectedinformation by an “internal party,” the study found.

The report underscores the need to strengthen privacy andsecurity controls as health records are more frequently stored online andaccessed by portable devices, said James Koenig, co- lead of PwC’s HealthInformation Privacy and Security Practice. Consumer concerns that personalmedical information may be vulnerable to disclosure are likely to increase asthe Obama administration spurs the adoption of digital records.

...

While the report didn’t specify how many security theftswere carried out by insiders, 40 percent of surveyed providers reported anincident of improper internal use of protected health information during thepast two years. Over the past several years, thefts by insiders or disgruntledformer employees have surpassed disclosures by hackers and outsiders, Koenigsaid.

Read the rest here.

Now, if that wasn't enough to get grab your attention and maybe, for a second at least, question the "we don't have time for privacy protection rush" to implement this system correctly and responsibly, there's also an article from Information Week entitled "HHS: Patient Data Breaches Have More Than Doubled".

The article reports:

Health organizations notified approximately 5.4 millionindividuals affected by patient health data breaches in 2010, compared toapproximately 2.4 million individuals in 2009. This according to a reportrecently sent by the Department of Health and Human Services (HHS) to Congress. The report comes several months after the HHS office ofinspector general publishedtwo audits that highlighted the difficulties healthcare deliveryorganizations are facing in their efforts to protect sensitive patientinformation.

HHS' latestreport to Congress revealed that in 2010 theft was the most common cause oflarge breach incidents that affected 500 or more individuals. Among the 207breaches that covered entities such as healthcare providers, health plans, andhealthcare clearinghouses reported last year, 99 incidents involved theft ofpaper records or electronic media, combined affecting approximately 3 millionindividuals.

....

In 2010, the second highest number of data breaches involvedthe loss of electronic media or paper records, with 33 reported cases thataffected more than 1 million individuals. There were 31 breaches that involved unauthorizedaccess to, or uses or disclosures of, protected health information thataffected approximately 1 million individuals. Other breaches included 19incidents resulting from human or technological errors that affectedapproximately 78,663 individuals. Eleven covered entities reported breachescaused by the improper disposal of protected health information that affectedapproximately 70,000 individuals. In Gallagher's view, the increasing number of incidents could mean that the policies and procedures coming from HHS are encouraging the healthcare industry to do a better job of detecting and reporting breaches.

Read the rest here.

But wait...there's more!! A Reuters article entitled "Health industry lacks patient data safeguards: poll" adds yet another wrinkle, which again, totally and completely validates and reinforces claims by privacy advocates that we must put the privacy of patients ahead of the need to get the system up and running as quickly as possible no matter the risks.

The article reports:

A vast majority of hospitals, doctors, pharmacies andinsurers are eager to adapt to increasingly digital patient data. However, lessthan half are addressing implications for privacy and security, a survey ofhealthcare industry executives by PricewaterhouseCoopers LLP found. PwC's HealthResearch Institute interviewed 600 executives in the spring of this year andalso found that less than half of their companies have addressed issues relatedto the use of mobile devices. Less than a quarter have addressed implicationsof social media.

...

U.S.health and drug regulators are expected by the end of the year to finalizetheir updated rules on patient privacy protection, and they also continue toadapt to new technologies coming to health labs and physicians' offices. Some 74 percent of healthcare organizations were planning toexpand the purposes for which they use electronic patient health data, thesurvey found. For instance, that may mean looking across patients to findbetter treatments or tracking records of one patient from doctors and pharmaciesto analyze medication adherence.

But only 47 percent of the companies have or are addressingrelated privacy and security issues, the report said.Reports of security breaches, although many not directlyrelated to health IT, are not uncommon in the health industry.

Just over half of surveyed executives said they were awareof some kind of a privacy or security breach at their companies in the past twoyears, with hospitals being the likelier offenders.

Read the rest of that article here.

As I have written here before on this issue, we all consider our healthcare information to be extremelypersonal and expect the government to protect it from falling into the wronghands. Granted, regulations alone (nor even technical safeguard perhaps) will never be the end all solution when itcomes to privacy in the information age...it must be coupled with publicawareness and the pressure that consumer choice can put on industry.

But as it stands today, there still aren'tuniform standards for electronic medical records. Yes, there are someprotections in the Health Insurance Portability and Accountability Act of 1996,as well as some in the stimulus bill. But key protections are stillabsent.

The prohibition on the sale of medical records is weak andfull of loopholes, nor does it apply to vendors like Microsoft or Google. Bothcompanies have agreed to contracts that say they won'trelease your information, but there is no law mandating that they don't sell the information. If we'velearned anything about corporate behavior in recent years, it’s that withoutironclad, legal requirements, we shouldn'texpect them to behave the way we'dexpect from say, a human being.

Similarly, the breach provisions requiring companies to notify patients whenelectronic medical records are accessed does apply to Google and Microsoft,however, there are safe-harbor provisions that let companies off the hook fromthe notification requirement if the breach occurred in "good faith."

The federal law on the books only requires that patients are notified whentheir information was disclosed in the course of treatment but not how it wasused. As a result, the patient will not know which hospital personnel looked atthe information or for what purpose.

Look, I don't yet consider myself an expert on this issue, for that, go to World Privacy Forum and read some of the work and research done by Pam Dixon on electronic health record privacy.

Clearly, if today's list of articles, and last months piece in the San Jose Mercury News, tells us anything its that we need MORE attention paid to privacy, not less...and that means taking a bit more time to get this new system up and running...and more care given to the rights of patients...not hospitals, not suppliers, not the government, and not any other interest looking to profit off this transition. We can have BOTH privacy and a more efficient medical records system...there's no need to sacrifice one for the other.

Protect Your Privacy Rights as a Job Seeker

2011-09-20T12:29:00.000-07:00

I wanted to alert everybody to some excellent new information provided by the Privacy Rights Clearinghouse regarding not just the difficulties facing job seekers, but their privacy rights being violated in this very search (and a bill that helps address one aspect of this problem).

As PRC details in their email blast, "Taylor Thomas is left searching for employment after he is terminated from his job due to the bad economy. Despite being highly qualified for the positions he interviews for, Taylor has one rejection after another. Two of the companies even seem ready to hire him. But, it is as if something happens to change their mind between the interview and the hiring decision. Taylor has almost exhausted his list of potential employers and has landed an interview at what may be his best chance for a job.

Watch the video to find out what’s keeping Taylor from getting hired. Learn your rights about employment background checks, and spread the word! Although Taylor is a fictional character, the situation dramatized on the six-minute video is similar to many complaints we have received from individuals who have contacted our hotline with questions and complaints about background check errors."

Now, before I get to more about YOUR RIGHTS as a job seeker, particularly in what companies/employers can dig up on you and what they can't and shouldn't, let me point you to one bill, on the Governor's desk - AB 22 (Mendoza) - that addresses just one of the many concerns raised by PRC.

AB 22 would ban credit checks frombeing used in the screening process for most job candidates. Clearly this bill is about a lot more than privacy, it strikes at the heart of the increasing shift away from the rights of workers, and the increasing power of corporations and big employers.

As pointed out by bill proponents, including the Consumer Federation of California, when companies vet potential employees they often checkeverything from grade point average to criminal records. More and more, theyare starting to factor in a person'scredit rating as well. But given this economy, this practice is both unfair and counterproductive. The fact is, a credit report is not a good indicator of a person's trustworthiness or work ethic, particularly considering how many people's credit scores have suffered due to the GreatRecession.

AB 22 as also a primary target of one of the more corrupt corporate lobbying organizations this country has ever known - the California Chamber of Commerce. In fact, they even made a video about it, listing it as one of their job killer bills.

All it does is simply prohibit most employers fromconducting credit checks on applicants, unless it is substantially related tothe job. For example, employers could still run credit reports on thosepotentially gaining access to confidential financial information. AB 22 willmean stronger privacy protections, a more fair work environment, and an easiertime securing employment.

So, this was an easy bill to support. It even provides exceptions in caseswhen the job duties include access to cash or other financial assets, when thejob is in law enforcement and in other narrow areas.An employer should not have any right to obtain confidential information thatis not germane to a prospective employee’s job. Credit reports do not havepredictive value in determining a worker’s ability to perform job duties, but abad credit report might unfairly influence a hiring employer’s attitude towarda job applicant.

Unemployed workers are more likely to have suffered some downgrading of theircredit score due to the circumstances of their unemployment; hence reliance oncredit reports as a factor in hiring decisions might adversely impact thosemost in need of a job.

Credit reports are often inaccurate, and could unfairly bias an employer.Correcting mistaken information in a credit report is a tedious, time consumingprocess, and in the meantime, the job applicant is harmed due to errors bycredit reporting entities.

But there's more to the story when it comes to the infringement on the rights of workers by employers. PRC has more:

Whether you are hired or promoted for a job may depend on the information revealed in a background check. Job applicants and existing employees as well as volunteers may be asked to submit to background checks. For some jobs, screening is required by federal or state law. The current emphasis on security and safety has dramatically increased the number of employment background checks conducted.

In short, employers are being cautious. At the same time, applicants and employees fear that employers can dig into the past in ways that have nothing to do with the job.

This guide explains the why and how of background checks. It also tells you what can be covered in a background report, your rights under the Fair Credit Reporting Act, and what you can do to prepare. For more information, go to the References section at the end of this guide. The PRC does not perform background checks.

Why Does an Employer Conduct a Background Check?
What Is Included in a Background Check?
What Cannot be in a Background Check Report?
Who Conducts Background Checks?
Fair Credit Reporting Act and Background Checks
FCRA Update: Workplace Investigations and Annual File Disclosures
Background Checks and Your Credit Report
Investigative Consumer Reports - What Will Your Neighbors Say?
How to Prepare for a Background Check
Resources

It's important to point out, just as when people say "why should I care about being wiretapped, I'm not doing anything wrong!", its the same when people don't seem concerned about background investigations. Let's remember, what YOU think about your history and actions isn't necessarily what might come up, what others might say, or what the government/corporations might interpret. In addition, when did it become okay for some investigator poking around into your personal history?

As PRC correctly points out, "In-depth background checks could unearth information that is irrelevant, taken out of context, or just plain wrong. A further concern is that the report might include information that is illegal to use for hiring purposes or which comes from questionable sources."

And back to the credit check bill, because PRC has some important points to make on why this is important as well:

Often a poor credit rating results from circumstances that are beyond your control. The loss of a job or high medical bills often leads to late payments, even bankruptcy. Still a bank or other financial institution may reason that a solid financial history is a qualifying factor for an employee who has control over substantial sums of money.

However, the same argument cannot be made when a credit check serves only as a kind of character screening. Some states have now recognized the unfairness in this by adopting laws that require a direct relationship to the job before a credit check is made.

Several states have passed laws limiting credit reports for employment decisions with provisions that require a nexus to actual job duties. Those states are: Washington, Oregon, Hawaii, Illinois, Maryland and Connecticut. Similar laws have been introduced in other states.

Finally, let me make one more point from an economic justice perspective. Just how much influence and power do we want to give the banks and credit rating agencies? Do we want our very employment futures dependent on THEIR analysis of our worthiness??? Based on their list of criteria rather than PROVEN lists of what makes a good employee, like education, references, interview ability, and employment history? To that end, let me just briefly expose the grand hypocrisy of the Chamber of Commerce selling themselves as protectors of jobs...and the leading opposition to AB 22:

As the Center for America Progress notes, "While it tells the American public it cares about Americanjobs, the U.S. Chamber of Commerce actually works to send jobs overseas onbehalf of its corporate members, which include some of Asia’stop offshoring companies. Its secretly-funded $75 million political ad campaignattacks the “anti-jobs record” of Sen. BarbaraBoxer (D-CA), Jerry Brown(D-CA), RichardBlumenthal (D-CT), AlexiGiannoulias (D-IL), Rep. DinaTitus (D-NV), and others.

As ThinkProgress previously noted,the Chamber has repeatedly sent out issue alerts attacking Democratic effortsto encourage businesses to hire locally rather than outsourceto foreign counties. The Chamber has also bitterly fought Democrats foropposing unfetteredfree trade deals. The Chamber’s anti-American jobs agenda serves not only theprofit-seeking of right-wing corporate executives in the United States, butalso works to send jobs overseas to the following outsourcing companies, whoare some of the dozens of foreigncorporations that pay member dues to the Chamber of Commerce’s 501c(6)account, which is used to fund its political ads:

– InfoSys, Bangalore, India (at least $15,000 in annualmember dues): “Infosys is the ‘BestOutsourcing Partner’ according to the Waters Rankings for the thirdconsecutive year.”

– KPIT Cummins, Pune, India ($7,500): “Strategic globalnetworking, together with industry-proven practices & processes, give KPITCummins a cuttingedge in the realm of outsourcing.”

– Patni Americas, Mumbai, India ($15,000): “Patni, the world leader in IT outsourcing and businessprocess outsourcing provides offshore software development, globalsourcing, custom software development, and a vast array of product engineeringand IT services to companies worldwide.”

– NIIT Technologies, Delhi, India ($15,000): “[L]eadership inthe area of outsourcing.”

– QuEST Global, Singapore ($7,500): “QuEST is a leaderin the engineering services outsourcing (ESO) space.”

– Rolta, Mumbai, India ($7,500): “Rolta’s global footprintand track record along with its capable off-shoringmodel gives it a unique positioning in this large market.”

– SKP Crossborder Consulting, Mumbai, India ($7,500): “SKP’s coreoutsourcing practice is managed out of a fully equipped, spacious premisesbased in Pune with access to facilities in Mumbai, Hyderabad, Delhi andBangalore.”

– Tata Group, Mumbai, India ($15,000): “[W]orld-classsolutions in outsourcing – business process outsourcing, applicationoutsourcing, infrastructure outsourcing.”

Wipro, Bangalore, India ($15,000): “India’sbiggest destination for U.S. offshoring.”

Let's start to put workers and common sense...and privacy ahead of corporate profits and their insatiable desire to make money for their shareholders rather than protect employees or improve the quality of life of working families.

The Consumer Federation of California urges the Governor to protect the financial privacy of Californians fromunwarranted snooping by prospective employers by signing AB 22. And, be sure to learn everything you can about your rights from PRC's comprehensive expose.

Protecting Anonymity and GPS Tracking

2011-09-14T15:45:00.000-07:00

There was an excellent op-ed in the New York Times this week about a case I've detailed on this blog for a long time now. The case involved the police covertly tracking asuspect’s car using a GPS device for an extended period of time without gettinga warrant.

A ruling in the D.C. Court (by Judge Ginsburg) of Appeals overturned the conviction ofthis suspected cocaine dealer, saying that the use of a secret GPS tracking deviceon the man’s vehicle for two months violated the Fourth Amendment’s protectionagainst unreasonable searches and seizures. The idea being, noone wants to feel as if a government agent is following you wherever you go -be it a friend's house, a place of worship, or a therapist's office - andcertainly innocent Americans shouldn't have to feel that way.

The problem was that two federal appellate courts had first upheld the use of GPSdevices without warrants on the grounds that we have noexpectation of privacy when we are in public places and that trackingtechnology merely makes public surveillance easier and more effective.

Now this case heads to the Supreme Court - and this was the topic of the op-ed by Jeffrey Rosen, a law professor at George Washington University. Rosen writes:

Judge Ginsburg realized that ubiquitous surveillance for amonth is impossible, in practice, without technological enhancements like a GPSdevice, and that it is therefore qualitatively different than the more limitedtechnologically enhanced public surveillance that the Supreme Court has upheldin the past (like using a beeper to help the police follow a car for a 100-miletrip).

The Supreme Court case is an appeal of Judge Ginsburg’sdecision. If the court rejects his logic and sides with those who maintain thatwe have no expectation of privacy in our public movements, surveillance islikely to expand, radically transforming our experience of both public andvirtual spaces.

For what’s at stake in the Supreme Court case is more thanjust the future of GPS tracking: there’s also online surveillance. Facebook,for example, announced in June that it was implementing face-recognitiontechnology that scans all the photos in its database and automaticallysuggests identifying tags that match images of a user’s friends with theirnames. (After a public outcry, Facebook said that users could opt out of thetagging system.) With the help of this kind of photo tagging, law enforcementofficials could post on Facebook a photo of, say, an anonymous antiwar protesterand identify him.

…

To preserve our right to some degree of anonymity in public,we can’t rely on the courts alone. Fortunately, 15 states have enacted lawsimposing criminal and civil penalties for the use of electronic tracking devicesin various forms and restricting their use without a warrant. And in June,Senator Ron Wyden, Democrat of Oregon, and Representative Jason Chaffetz,Republican of Utah, introduced the GeolocationPrivacy and Surveillance Act, which would provide federal protectionagainst public surveillance.

Their act would require the government to get a warrantbefore acquiring the geolocational information of an American citizen or legalalien; create criminal penalties for secretly using an electronic device totrack someone’s movements; and prohibit commercial service providers fromsharing customers’ geolocational information without their consent — a necessaryrestriction at a time of increasing cellphone tracking by private companies.

Click here to read more.

The Electronic Frontier Foundation and the ACLU have rightly argued that it's onething to note someones car location and another to keep hourly data on everysingle stop you make along a specific route for days or months on end. Thegovernment has tried to make the case that no such distinction existed.

The appeals court disagreed. "Society recognizes Jones‘ expectation ofprivacy in his movements over the course of a month as reasonable, and the useof the GPS device to monitor those movements defeated that reasonableexpectation."

Thus the court clearly drew the important distinction between short termmonitoring that’s not much different from a police tail and ongoing, secret andubiquitous tracking.

Aspreviously laid out in the article in Wired Magazine, "Repeated visits to achurch, a gym, a bar, or a bookie tell a story not told by any single visit, asdoes one’s not visiting any of these places over the course of a month. Thesequence of a person’s movements can reveal still more; a single trip to agynecologist’s office tells little about a woman, but that trip followed a fewweeks later by a visit to a baby supply store tells a different story."

ACLU-NCA Legal Director Arthur Spitzer also makes an important point, stating:"GPS tracking enables the police to know when you visit your doctor, yourlawyer, your church, or your lover. And if many people are tracked, GPS datawill show when and where they cross paths. Judicial supervision of thispowerful technology is essential if we are to preserve individual liberty."

In striking down the drug conviction of Antoine Jones, Ginsburg also wrote "A single trip to a gynecologist's office tells little about a woman, butthat trip followed a few weeks later by a visit to a baby supply store tells adifferent story...A person who knows all of another's travels can deduce whetherhe is a weekly churchgoer, a heavy drinker, a regular at the gym, an unfaithfulhusband, an outpatient receiving medical treatment, an associate of particularindividuals or political groups -- and not just one such fact about a person,but all such facts."

Kevin Bankston, senior staff attorney for the Electronic Frontier Foundation, also illustrated just how important this case is in its implications for cellphone GPS tracking. The federalgovernment has mandated that U.S. cellphone carriers make nearly all theirphones trackable for help in 911 emergencies. However, companies say that thefederal law that allows them to turn over data to law enforcement withoutsubpoenas is prone to abuse.

Let's remember, back in 2009 we learned that Sprint received 8 million lawenforcement requests for GPS location data in just one year. While that issueis slightly different than the one headed to the Supreme Court (it was based on putting aGPS tracking device in the suspects car, rather than tracking the cell phone),the general concerns are applicable: Tracking citizens without a warrant (oreven probably cause!). We know these GPSchips can locate a person to within about 30 feet. They're also able to gatherless exact location data by tracing mobile phone signals as they ping off celltowers.

The ACLU’s Catherine Crump recently hit the nail on the head:"What’s at stake in the case is not whether it’s OK for the government totrack the locations of cell phones; we agree that cell-phone tracking is lawfuland appropriate in certain situations. The question is whether the governmentshould first have to show that it has good reason to think such tracking willturn up evidence of a crime. We believe it should. This case is not aboutprotecting criminals. It’s about protecting innocent people from unjustifiedviolations of their privacy."

All eyes now turn to the Supreme Court (always an ominous proposition these days) this November...

Toure Calls Media Out on 9/11 Coverage and Response

2011-09-11T18:40:00.000-07:00

Check this "television editorial" out by Toure on the Dylan Ratigan Show...quite a courageous presentation in light of the fact that it's the 10th anniversary of 9/11...and he directly takes on the very corporate media that employs him (at least some of the time). He also articulately details all that we have given up as a people since that tragic day - like the fundamental principles of the Constitution itself - in order to address manufactured, artificial (and hyped) fears peddled by our own government, the corporate elite, and the military industrial complex in the name of power, control, and profit.

CA Financial Privacy Bill Passes State Senate (AB 22), On to Governor's Desk

2011-09-08T16:03:00.000-07:00

A bit more good news on the California privacy front to report: AB 22 (Mendoza), a bill that would ban credit checks frombeing used in the screening process for most job candidate passed the State Senate by a razor thin 21 to 17 vote. Clearly this bill is about a lot more than privacy, it strikes at the heart of the increasing shift away from the rights of workers, and the increasing power of corporations and big employers.

As pointed out by bill proponents, including the Consumer Federation of California, when companies vet potential employees they often checkeverything from grade point average to criminal records. More and more, theyare starting to factor in a person'scredit rating as well. But given this economy, this practice is both unfair and counterproductive. The fact is, a credit report is not a good indicator of a person's trustworthiness or work ethic, particularly considering how many people's credit scores have suffered due to the GreatRecession.

AB 22 as also a primary target of one of the more corrupt corporate lobbying organizations this country has ever known - the California Chamber of Commerce. In fact, they even made a video about it, listing it as one of their job killer bills.

Now, before I get to some of the more specific reasons we (CFC) support this legislation, and urge the Governor to sign it, let me just briefly expose the grand hypocrisy of the Chamber of Commerce selling themselves as protectors of jobs.

As the Center for America Progress notes, "While it tells the American public it cares about Americanjobs, the U.S. Chamber of Commerce actually works to send jobs overseas onbehalf of its corporate members, which include some of Asia’stop offshoring companies. Its secretly-funded $75 million political ad campaignattacks the “anti-jobs record” of Sen. BarbaraBoxer (D-CA), Jerry Brown(D-CA), RichardBlumenthal (D-CT), AlexiGiannoulias (D-IL), Rep. DinaTitus (D-NV), and others.

As ThinkProgress previously noted,the Chamber has repeatedly sent out issue alerts attacking Democratic effortsto encourage businesses to hire locally rather than outsourceto foreign counties. The Chamber has also bitterly fought Democrats foropposing unfetteredfree trade deals. The Chamber’s anti-American jobs agenda serves not only theprofit-seeking of right-wing corporate executives in the United States, butalso works to send jobs overseas to the following outsourcing companies, whoare some of the dozens of foreigncorporations that pay member dues to the Chamber of Commerce’s 501c(6)account, which is used to fund its political ads:

– InfoSys, Bangalore, India (at least $15,000 in annualmember dues): “Infosys is the ‘BestOutsourcing Partner’ according to the Waters Rankings for the thirdconsecutive year.”

– KPIT Cummins, Pune, India ($7,500): “Strategic globalnetworking, together with industry-proven practices & processes, give KPITCummins a cuttingedge in the realm of outsourcing.”

– NIIT Technologies, Delhi, India ($15,000): “[L]eadership inthe area of outsourcing.”

– QuEST Global, Singapore ($7,500): “QuEST is a leaderin the engineering services outsourcing (ESO) space.”

– Rolta, Mumbai, India ($7,500): “Rolta’s global footprintand track record along with its capable off-shoringmodel gives it a unique positioning in this large market.”

– Tata Group, Mumbai, India ($15,000): “[W]orld-classsolutions in outsourcing – business process outsourcing, applicationoutsourcing, infrastructure outsourcing.”

Wipro, Bangalore, India ($15,000): “India’sbiggest destination for U.S. offshoring.”

But let's get back to AB 22 (Mendoza). All it does is simply prohibit most employers fromconducting credit checks on applicants, unless it is substantially related tothe job. For example, employers could still run credit reports on thosepotentially gaining access to confidential financial information. AB 22 willmean stronger privacy protections, a more fair work environment, and an easiertime securing employment.

As the California Labor Federation noted, "It is no secret that our economy’s collapse threw thousandsof Californians out of jobs and onto unemployment rolls. The ensuingforeclosure and credit crises also remain painfully familiar to all, as doesthe struggle many unemployed workers face keeping their families fed, clothedand sheltered. The horrible result can range from the occasional missed utilitybill to home foreclosure. There is no doubt that workers’ credit scores havesuffered during this depression.

What many may not know, however, is that some employers havequietly begun conducting credit checks on prospective workers. In fact, morethan 40% of employers say they use credit reports in making employmentdecisions. Evidence also suggests that some supervisors factor credit scoresinto decisions regarding promotion and evaluation of current workers.

In any economic situation, this practice constitutes anunwarranted invasion of privacy. Credit checks are not only poor indicators offuture job success, but the methods used to determine credit scores remainhighly suspect – given evidence that people of color possess arbitrarily andinexplicably low credit scores.

Also, credit ratings agency fraud played no small part inthe housing bubble burst, subsequent economic crisis and the reduced creditscores suffered by so many Americans. In that context, for an employer todiscriminate against someone with a less than stellar credit record isunconscionable.

Wall Street excesses and Congress’ weak response have builtplenty of barriers between the jobless and their prospects for future employment.Allowing employers to use credit checks to deny employment only serves asanother obstacle to getting Californians back to work.

So, this was an easy bill to support. It even provides exceptions in caseswhen the job duties include access to cash or other financial assets, when thejob is in law enforcement and in other narrow areas.An employer should not have any right to obtain confidential information thatis not germane to a prospective employee’s job. Credit reports do not havepredictive value in determining a worker’s ability to perform job duties, but abad credit report might unfairly influence a hiring employer’s attitude towarda job applicant.

Unemployed workers are more likely to have suffered some downgrading of theircredit score due to the circumstances of their unemployment; hence reliance oncredit reports as a factor in hiring decisions might adversely impact thosemost in need of a job.

Credit reports are often inaccurate, and could unfairly bias an employer.Correcting mistaken information in a credit report is a tedious, time consumingprocess, and in the meantime, the job applicant is harmed due to errors bycredit reporting entities.

The Consumer Federation of California urges the Governor to protect the financial privacy of Californians fromunwarranted snooping by prospective employers by signing AB 22.

California Privacy Bills Reach Governor's Desk, One Signed Already

2011-09-06T12:11:00.000-07:00

The Consumer Federation of California has been tracking and supporting a number of privacy related pieces of legislation this year. I'm pleased to report that last week three of them passed out of the legislature with one already being signed into law.

SB 24 - Signed by Governor

SB 24 (Simitian) - a security breach notification bill - was one that we, and a host of other privacy advocates fought to enact for the last four years running, and in each instance was vetoed by then Governor Arnold Schwarzenegger. Thankfully, our luck finally turned with Governor Brown's signature last week.

As detailed in a recent op-ed by CFC's executive director, if you are one of the many Californians who had yourconfidential information compromised in a security breach, you most likelyfound out by receiving a letter in the mail. After reading it, you wereprobably quite upset, but confused about what you should do about it. SB 24will help consumers make sense of these notices, and help arm us to stopidentity theft. Security breaches since 2005 exposed at least 500 millionpersonal records of Americans, according to the Privacy Rights Clearinghouse. Somebreached records contained sensitive data such as social security numbers, bankor credit card numbers or medical information.

Sony,Citibank, and the Bay Area Rapid Transit District are recent examples ofbusinesses and government agencies whose customers’ records were stolen byhackers. Just last week it was revealed that 300,000Californians’ intimate medical records, along with their social securitynumbers, were viewable for months to anyone with an internet connection, owingto an insurance processing business’ failure to safeguard its electronic datafiles.

SB 24 will provide an important upgrade to California'slandmark breach notification law. It spells out which key details must beincluded in that notification letter, and would make sure the Attorney Generalhears about the breach. If a social security number or drivers licensewas exposed, the notice letter explains how to contact major credit agencies.That’s especially important, because it empowers consumers to better monitortheir accounts for evidence of identity theft, and to take concrete steps toprevent identity theft, including freezing your credit report.

Requiring these details also creates a strong incentive forcompanies and state agencies to be careful with your information. No one wantstheir signature at the bottom of that notification letter. It won't come asa surprise to anyone that technology puts our private information, from socialsecurity numbers to medical files, at risk. The exponential growth ofelectronic records -- while beneficial in many respects -- makes breaches morelikely and far more severe.

Losing a filing cabinet with 500 records is difficult.Losing a laptop with 5 million records is all too easy. For this reason, over40 states have adopted security breach notice laws modeled on California law. Privacy notification laws won'tstop every security lapse from happening. But they will make businesses andagencies take more precautions to safeguard their data files. And if you everdo get that dreaded letter in the mail, you'llbe able to do something about it.

SB 602 (Yee) - Reader Privacy Act - Awaits Governor's Decision

The privacy threats posed by the explosion of digital books, which will store data that can include books browsed, how long a page is viewed, and even the electronic notes written in the margins. It's not hard to see the detailed portrait this could paint of your life. Thankfully, this concern is finally being addressed by SB 602 (Yee) - which would provide important privacy protections for digital book readers. Even better, the bill passed the legislature last week and now awaits the Governor's decision.

Without such legislative protection, you can imagine how tempting this information could be to the government or other litigants, like those involved in divorce cases, custody battles, or insurance disputes.

In the case of digital books, we're not talking about just another library - librarians utilize a different standards for dealing with user information than does the online world. Many libraries routinely delete borrower information, and organizations such as the American Library Association have fought hard to preserve the privacy of their patrons in the face of laws such as the U.S. Patriot Act.

Senate Bill 602 (Yee) would update privacy protections in the digital age by preventing the disclosure of information about readers from booksellers without a warrant in a criminal case or a court order in a civil case. It also requires booksellers to report the number and type of requests they receive to track government demands for reader information. Without such protections, we're talking about a virtual one-stop shop for government and third party "fishing expeditions into the personal details of our lives."

SB 914 (Leno) - Police Search of Smart Phones - Awaits Governor's Decision

The next bill addresses the current loophole in California that essentially allows police, without a warrant, to seize and search individuals smartphones or androids like they do a traditional cell phone. Its not hard to seewhy they should in fact be treated differently, being that modern cell phonesare becoming more like all purpose computers than just phones, and thereforecontain ALL KINDS of personal, private information the authorities have noright to without a warrant.

The problem is that in California,a privacy rights leader I should add, does not provide citizens with suchprotections. In fact, California's top court ruled against privacy in a caseinvolving a 2007 arrest of someone who had purchased drugs from a police informant.Investigators later looked through the individuals phone and found textmessages that implicated him in a drug deal. The suspect appealed theconviction, saying the evidence was gathered in violation of the FourthAmendment, which prohibits unreasonable searches and seizures.

The justices disagreed: "The cell phone was an item (of personal property)on the person at the time of his arrest and during the administrativeprocessing at the police station. Because the cell phone was immediately associatedwith defendant’s person, (police were) entitled to inspect its contents withouta warrant."

But the court went further - comparing the cell phone to personal effects likeclothing. Worse, it argued that it wasn'tbecause the police had a particular right in this particular case, or there wassome special exception that allowed such a search, but rather, it argues thatno exception was even necessary. In other words, this case was not anexception, but rather the NEW rule: cell phone records are now of littledifference than the shirt on your back if you'vebeen arrested. This is a deeply disturbing precedent if it holds.

As State Senator Mark Leno wrote, "If you like to attend political rallies, parades,protests or sit-ins, you might consider leaving your cell phone athome in the unlikely event arrests are made. A recent California Supreme Court decision allowspolice to rummage through all of the private information on your smart phone aspart of an arrest, including your text messages and e-mails. This warrantlesssearch is now legal in California,regardless of whether the information on the phone is relevant to the arrest orif criminal charges are ever filed.

...

Earlier this year I introduced a bill that would protect Californiansagainst the Supreme Court decision allowing warrantless searches of theprivate information contained in portable electronic devices, including cellphones. Senate Bill 914 clarifies that an arrestee’s cell phone can only beaccessed with a warrant, except in circumstances where there is an immediatethreat to public safety or the arresting officer. It acknowledges thataccessing information on a cell phone is fundamentally different than searchingan arrested person’s wallet, cigarette pack or jeans pockets.

While SB 914 provides critical privacy safeguards for Californians,these protections are not new. Until the CaliforniaSupreme Court decision earlier this year, state and local police correctlyassumed that the state’s constitutional privacy protections prohibitedwarrantless searches of cell phones during an arrest. In addition, the Ohio Supreme Court hasruled that cell phone searches require a warrant, and federal law enforcementagencies also abide by the warrant protocol.

In most cases, searching a cell phone immediately during an arrest is anextraordinary measure. Once an arrest is made and the arrestee’s belongings areconfiscated, a warrant for a cell phone search can be obtained if it isimportant to a criminal case. SB 914 will help ensure that a simple arrest –which may or may not lead to charges – is not used as a fishing expeditionto obtain a person’s confidential information.

Read morehere.

All in all, its been a pretty good week on the California privacy front. I'll be back with information on SB 601 and SB 914 once we get a decision from the Governor.

5 Places You Can Be Tracked by Facial Recognition Technology

2011-09-01T13:59:00.000-07:00

Just a few days ago I posted a pretty extensive blog on Facial Recognition technology and the threat it poses to individual privacy. So for the sake of time and repetition I'm not going to go back over the basics (see that post for this), but rather, get straight to a fantastic article from Alternet entitled 5 Unexpected Places You Can Be Tracked With Facial Recognition Technology. Of particular interest to me was the coverage the piece gives to California's own recent fight that we at the Consumer Federation of California were deeply involved in, over biometric identifiers being used by the DMV. As such, our Executive Director, Richard Holober, is quoted in the article as well.

Before I provide some especially choice clips of this article (because it dovetails very well with my recent post on the topic), let me refresh everyone's memories regarding the successful campaign by privacy and consumer groups against the California DMV which resulted in, with just one day to spare, the Joint Legislative BudgetCommittee (JLBC) stepping in to reject the DMV’s proposal to impose sweeping newbiometric technologies - such as facial and thumb print scans - as elements ina renewal of a vendor contract to produce driver’s licenses and ID cards.

At the time, the Consumer Federation of California had joinedorganizations from across the political spectrum – including the ACLU,Electronic Frontier Foundation, California Eagle Forum, Consumers Union,Privacy Activism, Privacy Rights Clearinghouse, and the World Privacy Forum -to urge the legislature to reject the DMV's request on the grounds that anychange of this magnitude should be a policy matter for the legislature todecide, after considering whether it is effective, affordable, and if itcontains the appropriate privacy safeguards.

If the JLBC did not act in time the proposal would havemoved forward. Thankfully, at the very last moment a letter that wasunequivocal in its opposition to the proposal was sent to the DMV from SenatorDenise Ducheny - the Committee Chair.

Clickhere to read the complete letter. Here's a particularly important passage:

"Of particular concern is the proposed use of biometrictechnology as part of the card issuance process and the related privacy issues.I think the Legislature should consider the policy implications of usingbiometrics in the issuance of driver licenses before the department starts touse the technology. In addition, after review and discussions with DMV, theAnalyst concluded that the request was not fully justified, in part because thedepartment was unable to provide key information on the specific costs andbenefits related to the proposed use of biometrics."

Click hereto read the Monday, February 16th article in the San Jose Mercury News,entitled "DMV biometric plan will undergo public hearings".

Here was some of our argument on the DMV Proposal:

On January 14th the California Department of Finance –without notifying the public – sent a letter to inform the state JointLegislative Budget Committee that it planned to issue a new vendor contract forproduction of California Driver’s Licenses, ID cards and Salesperson cardsstarting in June of 2009. Hidden in the fine print, the proposal called for“enhanced” biometric identification in state IDs. Unless this legislativecommittee objects to this plan within 30 days, the Department of Motor Vehicleswill be free to begin implementing the biometric technology.

What are Biometrics?

Biometric technology is the computerized matching of anindividual’s personal characteristics (like a thumbprint or facial scan)against an image or database of images. In other words, the DMV and theDepartment of Finance are seeking to create a massive government database ofbiometric information from virtually every Californian over the age of 16without debate or review - raising significant concerns regarding the increasedsurveillance, monitoring and tracking of individuals.

One would expect, in light of the ongoing and intensifying debate over the REALID Act (a federal plan to create a national identity card based on drivers’licenses) and the increasing number and degree of privacy violations committedby the federal government in recent years, that such a program would be fullydebated, in the open, by our representatives in the State Legislature and withpublic comment, before it could ever be enacted.

Because no such debate has occurred, and no attention has been given to theprivacy concerns such a program warrants, a broad coalition of consumer andprivacy rights advocates joined forces to urge the legislature to reject thisrequest while there’s still time.

Our case against the proposal is twofold.

(1) The first is procedural: the DMV is attempting to use a routine contractrenewal process to effectuate major policy changes.

As the ACLU noted:

• A 30-day expedited opt-out letter to the Legislature is aninappropriate vehicle to move from photographs and thumbprints of millions ofCalifornians to advanced facial recognition technology and biometric systemsthat pose a number of privacy and security concerns if not handled carefully.

• The DMV does not appear to have authority to implementbiometric technologies that the Legislature has considered and rejected overthe years, without the issues being fully considered and addressed in policyand budget hearings.

(2) The second relates to privacy and security: the underlying proposal to usebiometric technologies has yet to establish appropriate safeguards to protectagainst identity theft and unwarranted government snooping into our privatelives.

It’s important to understand the limitations of biometrics as well as theirstrengths. The fact is, biometrics are easy to steal. Our fingerprints are lefteverywhere we touch, and our iris scans are everywhere we look.

According to experts, biometrics work only if two things can be verified by theverifier: one, that the biometric came from the person at the time ofverification, and two, that the biometric matches the master biometric on file.If the system can't do that, it can't work.

You can see more of this original post of mine here.

Now let's get to the article from Alternet:

As face recognition and other biometrics advance, thetechnology has begun to proliferate in two predictable realms: lawenforcement and commerce. Here are 5 places besides Facebook you mightencounter face recognition and other biometric technology -- not that, for themost part, you would know it if you did.

1. The streets of America

In the fall, police officers from 40 departments will hitthe streets armed with the Mobile Offender Recognition and InformationSystem (MORIS) device. The gadget, which attaches to an iPhone, can take aniris scan from 6 inches away, a measure of a person's face from 5 feet away, orelectronic fingerprints, according to Computer vision central. This biometric informationcan be matched to any database of pictures, including, potentially, one of thelargest collections of tagged photos in existence: Facebook. The processis almost instant, so no time for a suspect to opt out of supplying lawenforcement with a record of their biometric data.

...

2. The DMV

Slightly fewer than half of the DMVs in the US have the capacity to run your picture through biometric databases. Ostensibly, these searches are intended to catch people trying to collect multiple IDs from different states. Fair enough. But as EFF's Lee Tien told AlterNet, the DMV can also log into and run a person's face against any government database, including ones that hold criminal records. Last August, former New York Gov. David Paterson and DMV commissioner David Swartz held a triumphant news conference where they announced that more than 100 felony arrests were made through the DMV's facial recognition program.

In the past, the FBI has applied facial recognition technology to the DMV's vast database of photo images in pursuit of suspects, according to the AP...'We see this as sort of creeping Big Brother government, aninvasion of people's privacy,' said Richard Holober, executive director of theSan Mateo-based Consumer Federation of California."

...

3. Las Vegascasinos, and Kraft and Adidas stores

For years Las Vegascasinos have used various forms of facial recognition to identifycard-counters. Now, Vegas is at the forefront of efforts to adapt facialrecognition to more efficiently suck money out of visitors. The LATimes reported last week that the Venetian hotel and casino hasinstalled basic facial recognition software in advertisements. A cameracaptures an image of a person passing by and an algorithm determines theirgender and rough age. The advertisement can then present them with productsmost likely to appeal to their demographic.

...

4. Bars

Inevitably, facial recognition software is also beingdeployed for the purpose of getting people laid. SceneTap, an app developed bya Chicagocompany uses information from facial recognition cameras planted in bars todetermine the ratio of women to men and the average age of customers. As ofJune, 200 bars across the country had signed up to take part, according to Forbes. SceneTap developers assured reporters that the camerasthey're installing in bars do not capture high-enough-quality images to matchthem up to databases or Facebook profiles.

Click here for more.

In my last post I give a short summation of why I find the spread of this technology, and many other privacy related intrusions, so disturbing. It's not that any one violation alone is the problem, its the totality of them all...and the direction it indicates we're headed as a society.

I wrote, "Whether its the knowledge that everything we do on theinternet is followed and stored, that we can be wiretapped for no reason andwithout a warrant or probable cause, that smart grid systems monitor our dailyin home habits and actions, that our emails can be intercepted, that our nakedbodies must be viewed at airports and stored, that our book purchases can beaccessed (particularly if Google gets its way and everything goes electronic),that street corner cameras are watching our every move, and that RFID tags andGPS technology allow for the tracking of clothes, cars, and phones (and the listgoes on)...what is certain is privacy itself is on life support in thiscountry...and without privacy there is no freedom. I also fear how such asurveillance society stifles dissent and discourages grassrootspolitical/social activism that challenges government and corporate power...somethingthat we desperately need more of in this country, not less."

Today's article from Alternet certainly gives me no reason to retract any of this...

The Rise (and Costs) of the American Surveillance State

2011-08-31T10:17:00.000-07:00

The rising costs and scope of today's surveillance state has garnered some much needed attention over the past week, with two quality investigative pieces in the Los Angeles Times, an excellent op-ed by Sarah Jaff on Alternet, and the usual brilliant analysis from Salon.com's Glenn Greenwald. So, I want to briefly navigate some of these articles (and ling to them of course) for you today because I really think it strikes at the heart of what is a very real crisis in this country: the deterioration of privacy and the evisceration of the bill of rights....all under the FALSE guise of "protecting us from terrorism".

I coined a term for this burgeoning security state (and those that "sell it") two years ago as the "Fear-Industrial-Complex", (i.e. Department of Defense, corporate media, talk radio, security technologies industry, Congress, the White House, “the intelligence community”, pundits, weapons/defense contractors, etc.).

Unfortunately, as we approach the 10th anniversary of 9/11, "Terror hysteria" remains a powerful tool to bludgeon the public with in order to rationalize and defend the continuing assault on privacy and civil liberties. Fear, as we all should be very aware of by this time, as it defines our post 9/11 security state, is quite effective in convincing the population they need protection from next to non-existent threats...even when it means relinquishing core constitutional rights.

To this day, the same interests that took advantage of 9/11 to ram through the Patriot Act are out in force - aided this time by a much more influential and powerful “security industry”. And of course, advancements in security technology may serve certain important purposes in specific situations, but more often than not, represent the continuing expansion of Big Brother's ability to monitor and record nearly everything we do - usually under the guise of "keeping us safe".

As I will illustrate today, its not just the loss of privacy that accompanies this surveillance state that is so destructive. In fact, at times of draconian austerity measures being forced on a public already struggling to make ends meet, its the costs of this security state that should also give us pause.

Before I give some of those numbers, we should remember that any meaningful debate over whether we need MORE surveillance and monitoring, be it wiretapping, street cameras, airport body scanners, or internet spying and storage, we might want to ask the question whether such technologies actually make us safer (i.e. are there documented incidences they have led to capturing terrorists plotting against us?)? Two, is there any evidence that they have been abused (or in fact, are they not being used to catch terrorists at all)? Three, is their claimed usefulness somehow jeopardized by the kinds of modest reforms privacy rights groups (and others) advocate? And finally, are we creating dangerous constitutional precedents?

As I have written about numerous times on this blog, there is little to no evidence that the massive expansion of the security state since 9/11 has made us any safer. Yet there’s a long list of incidences of unadulterated government abuse and malpractice for a host of purposes other than fighting terrorism. In other words, the threat this Act, and these particular provisions pose to the basic Constitutional rights of American citizens is not hypothetical, but documented fact.

So let's get to what the Los Angeles Times pieces discovered before we get to some interpretations from Greenwald and Jaff. All I would ask is that while its true, spending "inefficiencies" of this massive security state are important, what's more so is that we must come to realize that its not meant to even fight terrorism... its the security spending and the power it provides the state/corporations itself that is the goal. Terrorism is the marketing ploy to keep this well oiled money and power machine running, and that's all.

Here's some of what the Los Angeles Times found:

Is Homeland Security spending paying off? A decade after the Sept. 11, 2001, attacks on the World Trade Center and the Pentagon, federal and state governments are spending about $75 billion a year on domestic security, setting up sophisticated radio networks, upgrading emergency medical response equipment, installing surveillance cameras and bombproof walls, and outfitting airport screeners to detect an ever-evolving list of mobile explosives. One effect is certain: Homeland Security spending has been a pump-primer for local governments starved by the recession, and has dramatically improved emergency response networks across the country. An entire industry has sprung up to sell an array of products, including high-tech motion sensors and fully outfitted emergency operations trailers. The market is expected to grow to $31 billion by 2014.

The expensive and time-consuming screening now routine for passengers at airport boarding gates has detected plenty of knives, loaded guns and other contraband, but it has never identified a terrorist who was about to board a plane. Only 14 Americans have died in about three dozen instances of Islamic extremist terrorist plots targeted at the U.S. outside war zones since 2001 — most of them involving one or two home-grown plotters.

The spending has been rife with dubious expenditures, including the $557,400 in rescue and communications gear that went to the 1,500 residents of North Pole, Alaska, and a $750,000 anti-terrorism fence — fashioned with 8-foot-high ram-proof wrought iron reinforced with concrete footers — built around a Veterans Affairs hospital in the pastoral hills outside Asheville, N.C.

Now, this list goes on and on, but you get the gist...there's a lot of waste....which reinforces the point I'm making...

But let's get to the second Los Angeles Times piece

The LA Times reports:

Advocates say the expanded surveillance has helped eliminate vulnerabilities identified after the Sept. 11 attacks. Some critics, unconvinced, say the snooping undermines privacy and civil liberties and leads inevitably to abuse. They argue that the new systems have weakened security by burying investigators in irrelevant information.

A robust debate on the intelligence gathering has been impossible, for the simple reason that most of the activity is officially secret. In lawsuits alleging improper eavesdropping, the Justice Department has invoked state secrecy to prevent disclosure of classified information and systems.

In May, two members of the Senate Intelligence Committee said that Americans would be disturbed if they knew about some of the government's data-gathering procedures. But Sens. Ron Wyden (D-Ore.) and Mark Udall (D-Colo.) said they were prohibited from revealing the facts.

Courts have ruled that the government doesn't need a search warrant, which requires a judge's approval, to obtain records held by "third parties," such as hotels, banks, phone companies or Internet providers. So the government has used National Security Letters to get the data, issuing 192,500 of the letters between 2003 and 2006, according to an audit by the Justice Department inspector general. The numbers have dropped sharply since then, but the FBI issued 24,287 National Security Letters last year for data on 14,212 Americans. That's up from a few thousand letters a year before 2001.

"It used to be the case that if the government wanted to find out what you read and what you wrote, it would have to get a warrant and search your home," said Daniel J. Solove, a law professor at George Washington University and the author of numerous books and articles on privacy law.

Now, "it just obtains your Amazon purchase records, your Facebook posts, your Internet browsing history — without you even knowing." "I think it's a world of difference between what a person decides to post publicly and what the FBI collects about them secretly," said Gregory Nojeim, senior counsel at the Center for Democracy & Technology, a Washington-based civil liberties group.

Bush gave the NSA the authority to eavesdrop on Americans communicating with foreigners abroad without first obtaining a FISA warrant, deeming the process too slow. As a U.S. senator, Obama condemned the so-called wireless wiretapping after the New York Times made it public in 2005. But when he ran for president in 2008, Obama voted for legislation that granted retroactive legal immunity to telecommunications companies that had secretly helped the government eavesdrop.

The law also retroactively legalized other forms of surveillance, former intelligence officials say, including "bulk" monitoring that allows the government to intercept all email traffic between America and a range of suspect email addresses in, say, Pakistan.

Privacy advocates say the government should acknowledge how many Americans have had their communications intercepted in recent years. But after Democrats on the House Intelligence Committee requested that information, the Obama administration responded in July that it was "not reasonably possible to identify the number."

You can read more here.

Now, let's get to some of the analysis from Glenn Greenwald of Salon.com, then I'll get to Jaffe who makes the case that the surveillance state also serves to protect the interests of the wealthy elite...which is yet another function of the security state.

But I want to focus on some of Greenwald's points, assertions I have made on this blog quite often too...and that's just how LITTLE of a terrorist threat there really is, and just how totally out of whack our fears are with reality itself. Greenwald writes: "The number of people worldwide who are killed by Muslim-type terrorists, Al Qaeda wannabes, is maybe a few hundred outside of war zones. It's basically the same number of people who die drowning in the bathtub each year," said John Mueller, an Ohio State University professor who has written extensively about the balance between threat and expenditures in fighting terrorism.

Last year, McClatchy characterized this threat in similar terms: "undoubtedly more American citizens died overseas from traffic accidents or intestinal illnesses than from terrorism." The March, 2011, Harper's Index expressed the point this way: "Number of American civilians who died worldwide in terrorist attacks last year: 8 -- Minimum number who died after being struck by lightning: 29." That's the threat in the name of which a vast domestic Security State is constructed, wars and other attacks are and continue to be launched, and trillions of dollars are transferred to the private security and defense contracting industry at exactly the time that Americans -- even as they face massive wealth inequality -- are told that they must sacrifice basic economic security because of budgetary constraints

....

...while the Security State has little to do with addressing ostensible Terrorist threats, it has much to do with targeting perceived domestic and political threats, especially threats brought about by social unrest from austerity and the growing wealth gap...the prime aim of the growing Surveillance State is to impose domestic order, preserve prevailing economic prerogatives and stifle dissent and anticipated unrest.

...

Exaggerating, manipulating and exploiting the Terrorist threat for profit and power has been the biggest scam of the decade; only Wall Street's ability to make the Government prop it up and profit from the crisis it created at the expense of everyone else can compete for that title. Nothing has altered the mindset of the American citizenry more than a decade's worth of fear-mongering. So compelling is fear-based propaganda, so beholden are our government institutions to these private Security State factions, and so unaccountable is the power bestowed by these programs, that even a full decade after the only Terrorist attacks on U.S. soil, its growth continues more or less unabated.

Click here to read more.

Now let's get to the piece by Sarah Jaff entitled "How the Surveillance State Protects the Interests Of the Ultra-Rich", because I think there is NO ISSUE today that shouldn't be viewed through the prism of the class war, namely that of the corporate and wealthy elite against just about everyone else. Now, that's not to say some issues don't involve class, but that's usually because they are being used to DISTRACT us from the class issue, namely the widening gap between the rich and poor.

And in fact, this growing, expensive, and invasive surveillance state is yet another tool in the arsenal of the elites. Jaff writes, "The techniques that were roundly decried by Western leaders when used by Egyptian president Hosni Mubarak against his people's peaceful revolution are suddenly embraced when it comes to unrest at home. Not only that, but techniques honed in the “war on terror” are now being turned on anti-austerity protesters, clamping down on discontent that was created in the first place by policies of the state.

Glenn Greenwald noted this connection in a recent piece, writing:

“The last year has seen an incredible amount of social upheaval, not just in the Arab world but increasingly in the West. The Guardian today documented the significant role which poverty and opportunity deprivation played in the British riots. Austerity misery -- coming soon to the U.S. -- has sparked serious upheavals in numerous Western nations. Even if one takes as pessimistic a view as possible of an apathetic, meek, complacent American populace, it's simply inevitable that some similar form of disorder is in the U.S.'s future as well. As but one example, just consider this extraordinary indicia of pervasive American discontent, from a Gallup finding yesterday.”

That Gallup finding was that only 11 percent of Americans are content with the way things are going in the country.

Greenwald's point, that the surveillance state is actually designed to protect the interests of the ruling class, is supported by Mike Konczal's point, in this July piece:

“From a series of legal codes favoring creditors, a two-tier justice system that ignore abuses in foreclosures and property law, a system of surveillance dedicated to maximum observation on spending, behavior and ultimate collection of those with debt and beyond, there’s been a wide refocusing of the mechanisms of our society towards the crucial obsession of oligarchs: wealth and income defense. Control over money itself is the last component of oligarchical income defense, and it needs to be as contested as much as we contest all the other mechanisms.”

...

As a burgeoning international protest movement takes shape, opposing austerity measures, decrying the wealth gap and rising inequality, and in some cases directly attacking the interests of oligarchs, we're likely to see the surveillance state developed for tracking "terrorists" turned on citizen activists peacefully protesting the actions of their government. And as U.S. elections post-Citizens United will be more and more expensive, look for politicians of both parties to enforce these crackdowns.

Despite growing anger at austerity in other countries, those policies have been embraced by both parties here in the States. Groups like US Uncut have stepped into the fray, pointing out the connection between the tax dodging of banks like Bank of America and other corporations and the slashing of the social safety net for everyone else. The new protest movements are led not only by traditional left groups like labor unions, but a generation of young, wired activists using the Internet for innovative protest and revolutionary activism.

Anger is growing in the US at a stagnant economy, ongoing policies that favor the rich, and little to no help for anyone else. So far we haven't seen the kind of mass protest that's hit Europe, let alone the revolutions of the Arab Spring, but if things don't get any better, the country should prepare for social unrest. And if that happens, expect more peaceful activists to get caught up in the web of the surveillance state.

Click here to read more.

On a similar note, for what its worth, the ACLU of California has attempting to ascertain from the police when, why, and how they are using mobile phone location data and deploying other surveillance technologies to track the people they are responsible for protecting and serving, the ACLU of California sent requests to more than fifty law enforcement agencies across the state today.

In addition to the collection of mobile phone location data, the group is asking the same questions about law enforcements’ use of information gathered from social networking sites, book providers, GPS tracking devices, automatic license plate readers, public video surveillance cameras and facial recognition technology.

Police agencies are being asked for information including:

Statistics on how agencies are obtaining, using, storing and sharing personal information;
The stated purpose for gathering personal information, guidelines on how long the data is kept, when and how it is deleted, and whether privacy safeguards exist;
Training curricula, policies or protocol provided to officers to guide them in the use of these powerful new surveillance tools, including the capture of information from social networking sites like Facebook and Twitter;
Whether police demonstrate probable cause and obtain a warrant to access mobile phone location data and to collect other detailed personal information, or take a dragnet approach that captures data on individuals who are not suspected of wrongdoing;
The effectiveness of the use of digital surveillance in identifying or arresting suspects.

Based on all the information we have to date, these are particularly pertinent questions, and as citizens, our right to get answers to. In a recent op-ed I wrote on how the Patriot Act has been abused since its inception, there is more than ample reason to believe that not only are these increasing surveillance powers ineffective in "preventing terrorism" (which again, is barely a threat), but in fact, AREN'T BEING USED for that purpose in the first place.

In case there is any doubt, let me list some of what I detailed in my article:

The FBI admitted in a recent report to the President’s Intelligence Oversight Board that it violated the law at least 800 times on national security letters, going well beyond even the loose safeguards in the original provision. According to the report the FBI “may have violated the law or government policy as many as 3,000 times” between 2003 and 2007, according to the Justice Department Inspector General, while collecting bank, phone and credit card records using NSLs.
As Adam Sewer of the American Prospect notes: “It's no secret that the FBI's use of NSLs - a surveillance tool that allows the FBI to gather reams of information on Americans from third-party entities (like your bank) without a warrant or without suspecting you of a crime - have resulted in widespread abuses. All that the FBI needs to demand your private information from a third-party entity is an assertion that such information is "relevant" to a national security investigation -- and the NSLs come with an accompanying gag order that's almost impossible to challenge in court.”
NSLs were used by the Bush administration after the Sept. 11, 2001 attacks to demand that libraries turn over the names of books that people had checked out. In fact, there were at least 545 libraries that received such demands in the year following passage of the Patriot Act alone.
The Electronic Frontier Foundation (EFF) uncovered "indications that the FBI may have committed upwards of 40,000 possible intelligence violations in the 9 years since 9/11." It said it could find no records of whether anyone was disciplined for the infractions.
Under the Bush Administration, the FBI used the Patriot Act to target liberal groups, particularly anti-war, environment, and anti-globalization, during the years between 2001 and 2006 in particular.
According to a recent report by the ACLU, there have been 111 incidents of illegal domestic political surveillance since 9/11 in 33 states and the District of Columbia. The report shows that law enforcement and federal officials work closely to monitor the political activity of individuals deemed suspicious, an activity common during the Cold War – including protests, religious activities and other rights protected by the first amendment. The report also noted how the FBI monitors peaceful protest groups and in some cases attempted to prevent protest activities.
According to a July 2009 report from the Administrative Office of the U.S. Courts, only three of the 763 "sneak-and-peek" requests in fiscal year 2008 involved terrorism cases. Sixty-five percent were drug related.

As I also wrote, and this can be applied to more than just the Patriot Act now, "The Patriot Act was sold as an indispensable weapon in the government’s arsenal to fight and “win” the “War on Terror”. We were assured that the sole purpose of these unprecedented powers granted government were to locate and catch terrorists - not raid the homes of pot dealers and wiretap peace activists. Monitoring political groups and activities deemed “threatening” (i.e. environmentalists, peace activists), expanding the already disastrous and wasteful war on drugs, and spying on journalists isn’t about fighting terrorism, it’s about stifling dissent and consolidating power – at the expense of civil liberties.

How ironic that the very “tool” hailed as our nation’s protector has instead been used to violate the very Constitutional protections we are allegedly defending from “attack” by outside threats. What was promised as a “temporary”, targeted law to keep us safe from terror has morphed into a rewriting of the Bill of Rights.

Indeed...we would do well to stop this runaway surveillance state before its too late to do so....

Is Facial Recognition A Top Privacy Issue of Our Time?

2011-08-25T15:15:00.000-07:00

According to privacy stalwarts like the Privacy Rights Clearinghouse (PRC), the ACLU, the Electronic Frontier Foundation and EPIC the answer to this question appears to be a resounding "yes". I speak in particular of an op-ed by Amber Yoo of PRC in today's California Progress Report entitled "Facial Recognition: A Top Privacy Issue of Our Time" that lays out in detail, with accompanying links to other groups work on this topic, just why this burgeoning "security" technology is such a threat.

I have touched on this subject in the past on this blog, particularly when discussing what are called Biometrics. So before I get to some choice clips of Amber's article (and a number of others), let me refresh everyone on the concept of biometric identifiers - like fingerprints, facial, and/or iris scans. These essentially match an individual’s personal characteristics against an image or database of images. Initially, the system captures a fingerprint, picture, or some other personal characteristic, and transforms it into a small computer file (often called a template). The next time someone interacts with the system, it creates another computer file.

There are a number of reasons why such technological identifiers should concerns us. So let's be real clear, creating a database with millions of facial scans and thumbprints raises a host of surveillance, tracking and security question - never mind the cost. And as you might expect, such identifiers are being utilized by entities ranging from Facebook to the FBI. In fact, the ACLU of California is currently asking for information about law enforcements’ use of information gathered from facial recognition technology (as well as social networking sites, book providers, GPS tracking devices, automatic license plate readers, public video surveillance cameras).

As for Facebook, consider the ramifications: there's over 600 million members....and each day members upload over 200 million photos - with the network hosting over 90 billion photos total. Each time a photo is "tagged" its facial recognition technology learns more about what that person looks like.

As PC World noted in a recent article on the subject, "Even if you happen to "opt out" of the facial recognition tagging, Facebook's technology can surely use the tagged photos of you (hey, perhaps even the tagged photos of you that you end up un-tagging) to figure out what you look like. Right now Facebook is using this technology to help people tag photos. But once they have an accurate facial recognition database of several hundred million people?"

But, let's get back to the featured article today from the PRC on facial recognition technology:

Facial recognition technology – especially as the technology becomes more sophisticated – may be one of the gravest privacy threats of our time. It has the potential to remove the anonymity Americans expect in crowds and most public places. There are the obvious “chilling effects” it could have on political demonstrations and speech, concerns being monitored by civil liberties advocates like the ACLU, EPIC, and EFF. However, this technology will also very likely be used in greater capacity in the commercial sector to further target consumers for advertising and discriminatory pricing purposes.

Earlier this month, Carnegie Mellon University researchers released a study detailing three experiments that reveal the possibility of identifying people, both online and in the real world, who may otherwise believe they are anonymous. The researchers took photos of people walking on campus and used facial recognition technology and information publicly available online to figure out their name, age, place of birth and, in some cases, even their Social Security number. Many individuals share a tremendous amount of information about themselves online, and the study demonstrates how easy it is to link this online information to a person using facial recognition technology.

...

In his book Niche Envy, Joseph Turow, a professor at the University of Pennsylvania, explains how companies are using increasingly sophisticated market segmentation methods to offer different prices to different people, a practice known as price discrimination. The more detailed the profile a company can build on someone, the more accurately it can estimate how much that person is willing to spend on a product.

Professor Turow focused primarily on online data collection, but as the Carnegie Mellon study illustrates, facial recognition technology makes it possible to connect someone’s offline identity with his or her online identity without obtaining consent. As facial recognition technology advances and the number of consumers using social media continues to increase, it’s not far-fetched to imagine a scenario where a consumer walks into a store and is treated differently or even sees different prices based on the combination of this biometric data and personal information publicly available online.

A further concern is the unwanted identification of individuals with sensitive circumstances– such as victims of domestic violence, stalking victims, and law enforcement officers.

Click here to read more.

This is yet another CLEAR example of technology outpacing regulation, and the need for increased privacy protections for consumers. It will of course take more than just laws to protect us, it will also take knowledge and personal choice...as in the choice NOT to shop or use products sold by companies that are using such facial recognition technologies.

Of course, the use of this technology goes FAR beyond commercial interests. As the Electronic Frontier Foundation's Jennifer Lynch detailed just a couple months ago, the FBI is pursuing the next generation of Biometrics as I write this...with the Patriot Act no doubt serving as the agency's firewall of protection when it violates our civil liberties and privacy.

Lynch writes:

...the Center for Constitutional Rights (CCRFOIA lawsuit that expose the concerted efforts of the FBI and DHS to build a massive database of personal and biometric information. This database, called “Next Generation Identification” (NGI), has been in the works for several years now. However, the documents CCR posted show for the first time how FBI has taken advantage of the DHS Secure Communities program and both DHS and the State Department’s civil biometric data collection programs to build out this $1 billion database.

Unlike some government initiatives, NGI has not been a secret program. The FBI brags about it on its website (describing NGI as “bigger, faster, and better”), and both DHS and FBI have, over the past 10+ years, slowly and carefully laid the groundwork for extensive data sharing and database interoperability through publicly-available privacy impact assessments and other records. However, the fact that NGI is not secret does not make it OK. Currently, the FBI and DHS have separate databases (called IAFIS and IDENT, respectively) that each have the capacity to store an extensive amount of information—including names, addresses, social security numbers, telephone numbers, e-mail addresses, fingerprints, booking photos, unique identifying numbers, gender, race, and date of birth. Within the last few years, DHS and FBI have made their data easily searchable between the agencies. However, both databases remained independent, and were only “unimodal,” meaning they only had one biometric means of identifying someone—usually a fingerprint.

...

So why should we be worried about a program like NGI, which the FBI argues will “reduce terrorist and criminal activities”? Well, the first reason is the sheer size of the database. Both DHS and FBI claim that their current biometrics databases (IDENT and IAFIS, respectively) are the each the “largest biometric database in the world.” IAFIS contains 66 million criminal records and 25 million civil records, while IDENT has over 91 million individual fingerprint records.

Once these records are combined into one database and once that database becomes multimodal, as we discussed in our 2003 white paper on biometrics, there are several additional reasons for concern. Three of the biggest are the expanded linking and tracking capabilities associated with robust and standardized biometrics collection systems and the potential for data compromise.

Already, the National Institute for Standards and Technology, along with other standards setting bodies, has developed standards for the exchange of biometric data. FBI, DHS and DoD’s current fingerprint databases are interoperable, indicating their systems have been designed (or re-designed) to read each others’ data. NGI will most certainly improve on this standardization. While this is good if you want to check to see if someone applying for a visa is a criminal, it has the potential to be very bad for society. Once data is standardized, it becomes much easier to use as a linking identifier, not just in interactions with the government but also across disparate databases and throughout society. This could mean that instead of being asked for your social security number the next time you apply for insurance, see your doctor, or fill out an apartment rental application, you could be asked for your thumbprint or your iris scan.

This is a big problem if your records are ever compromised because you can’t change your biometric information like you can a unique identifying number such as an SSN. And the many recent security breaches show that we can never fully protect against these kinds of data losses.

The third reason for concern is at the heart of much of our work at EFF. Once the collection of biometrics becomes standardized, it becomes much easier to locate and track someone across all aspects of their life. As we said in 2003, “EFF believes that perfect tracking is inimical to a free society. A society in which everyone's actions are tracked is not, in principle, free. It may be a livable society, but would not be our society.”

Click here to read more.

The ACLU put together an excellent Q&A on facial recognition technology, which, in answering why it represents a threat to privacy, states, "One threat is the fact that facial recognition, in combination with wider use of video surveillance, would be likely to grow increasingly invasive over time. Once installed, this kind of a surveillance system rarely remains confined to its original purpose. New ways of using it suggest themselves, the authorities or operators find them to be an irresistible expansion of their power, and citizens' privacy suffers another blow. Ultimately, the threat is that widespread surveillance will change the character, feel, and quality of American life.

Another problem is the threat of abuse. The use of facial recognition in public places like airports depends on widespread video monitoring, an intrusive form of surveillance that can record in graphic detail personal and private behavior. And experience tells us that video monitoring will be misused. Video camera systems are operated by humans, after all, who bring to the job all their existing prejudices and biases. In Great Britain, for example, which has experimented with the widespread installation of closed circuit video cameras in public places, camera operators have been found to focus disproportionately on people of color, and the mostly male operators frequently focus voyeuristically on women.

While video surveillance by the police isn't as widespread in the U.S., an investigation by the Detroit Free Press (and followup) shows the kind of abuses that can happen. Looking at how a database available to Michigan law enforcement was used, the newspaper found that officers had used it to help their friends or themselves stalk women, threaten motorists, track estranged spouses - even to intimidate political opponents. The unavoidable truth is that the more people who have access to a database, the more likely that there will be abuse.

Facial recognition is especially subject to abuse because it can be used in a passive way that doesn't require the knowledge, consent, or participation of the subject. It's possible to put a camera up anywhere and train it on people; modern cameras can easily view faces from over 100 yards away. People act differently when they are being watched, and have the right to know if their movements and identities are being captured.

And, just to drive this whole post home for you, I found an article on MSNBC yesterday entitled "Post 9/11, surveillance cameras everywhere" (with the subhead, "Security industry boomed for years, but terror is rarely a focus").

Here's a few clips from the piece:

Market research firm IMS Research estimates that more than 30 million surveillance cameras have been sold in the United States in the past decade. Video surveillance alone is a $3.2 billion industry, representing about one-third of the overall security market, according to 2007 figures from the Security Industry Association, a trade group. That was the last time they gathered such data, a spokesman said.

...

Although advanced security measures are now commonplace, they are rarely being used to nab would-be terrorists. Instead, security cameras often serve other purposes, such as catching students or workers who are misbehaving, or tracking down common criminals...The increasing prevalence of security cameras, often assisted these days by facial recognition software, have raised thorny privacy questions as Americans find their images captured with increasing regularity.

...

Privacy advocates warn that we may be too complacent about the fact that our pictures are being taken everywhere from the department store checkout counter to the high school hallway, as well as shared freely on social networks. That data can potentially be used by everyone from marketers to police investigators. “I do think it’s really important when we think about that question of where those data go in the world of social media,” said David Lyon, a professor of surveillance studies at Queen’s University in Canada.

Click here to read more.

As I have written here NUMEROUS times, what concerns me is what are the side effects of living in a society without privacy. Where are we left when the power of corporate or government interests to monitor everything we do is absolute?

Whether its the knowledge that everything we do on the internet is followed and stored, that we can be wiretapped for no reason and without a warrant or probable cause, that smart grid systems monitor our daily in home habits and actions, that our emails can be intercepted, that our naked bodies must be viewed at airports and stored, that our book purchases can be accessed (particularly if Google gets its way and everything goes electronic), that street corner cameras are watching our every move, and that RFID tags and GPS technology allow for the tracking of clothes, cars, and phones (and the list goes on)...what is certain is privacy itself is on life support in this country...and without privacy there is no freedom. I also fear how such a surveillance society stifles dissent and discourages grassroots political/social activism that challenges government and corporate power...something that we desperately need more of in this country, not less.

CIA Helped NYPD Covertly Spy on Ethnic Communities and Mosques

2011-08-25T09:11:00.001-07:00

This is INCREDIBLY disturbing...I'll talk more about it in future posts, but for now, check out Keith Olbermann's expose of this disgrace:

Understanding Behavioral Marketing/Online Tracking

2011-08-23T13:00:00.000-07:00

I'd like to alert people to an excellent (though wish it was longer) interview of UC Berkeley privacy expert Chris Hoofnagle in the San Francisco Chronicle. The topic is online privacy and his recent study that found "Despite widening criticism of online tracking, marketers are going to greater lengths than ever to ensure they can monitor online behavior even when consumers take steps to opt out."

As fights over do-not-track rules are taking place both here in California and in DC (both in Congress and the Federal Trade Commission) I thought this to be of particular use for anyone trying to get a better grasp of just what behavioral marketing is all about.

With that, here are some especially pertinent clips from the article/interview:

A noted 2009 paper that Hoofnagle also supervised found that more than half of the most popular websites were employing what's known as flash cookies. Like the standard cookies in Web browsers, these store information that helps identify a unique user, often for the purpose of matching advertising to online behavior.

But flash cookies are more difficult to delete, more efficient at tracking and, the researchers found, often used to back up and "respawn" the standard cookies that users had deleted to avoid monitoring. In other words: Advertisers were deliberately subverting the clearly stated preferences of consumers.

Privacy advocates cried foul, class-action suits ensued and the industry promised to clean up its act.

Whether it actually did was a key question in the study released late last month, which found that while flash cookie use has declined, marketers are using new tools for essentially the same purpose.

Seven of the top 100 sites appeared to be using what's known as HTML5 local storage to back up standard cookies, and two were found to be respawning cookies....Third-party advertisers on the site were still employing the flash cookies, along with another type that takes advantage of the browser's cache, where online data is stored on the computer so it can be delivered faster. This ETag tracking allows advertisers to monitor users, even when they block all cookies and use a private browsing mode.
...

Hoofnagle: "The problem is that, individually, users never have the motivation or technical skills to circumvent the hundreds of companies that are intent upon unique user tracking. They're just outgunned. Most users are using out-of-the-box browsers, so it's very difficult for people to align their settings with their preferences. So the arms race thing raises the question: What is the role for policy?"

...

Q: What's the right policy approach from your point of view?

A: You'll never find a perfect, clean solution. But I'm a fan of data-retention limits. We know from behavioral economics that most people won't turn on do-not-track features, so if you're serious about protecting privacy, if you think there's a value here, you should protect it by default. It would require no user intervention. You would impair the ability of companies and law enforcement to create long-term profiles about people.

...

Q: The industry argues they've given consumers a choice here, allowing them to opt out if they want. Why isn't that enough?

A: Under self-regulatory programs, they allowed people to opt out of targeted advertising if they wanted. But people figured out that what that meant is these companies could still track you, they just couldn't show you online behavioral advertising.

They could still choose to target you in another channel (like direct-mail marketing or telemarketing.) And if you look at all the tracking they do, they can identify you in a fairly trivial way.

Our study also found over 600 third-party hosts of cookies, most of which are not members of any self-regulatory organization (and thus aren't bound to the rules of opt-out programs). They're not even necessarily advertisers, they could be governments. We really don't know who they are.

Click here for the entire interview.

For information on the Do-Not-Track legislation that was sponsored by Consumer Watchdog and authored by State Senator Alan Lowenthal here in California that unfortunately died in committee check out the page I created on it at the Consumer Federation of California site (as it was a bill we supported).

Another Massive E-Health Record Data "Spill"

2011-08-22T15:01:00.000-07:00

A story in the San Jose Mercury News today sounded a few alarm bells regarding just how "safe" our personal data will be in the coming cyber world reality of electronic health records. As many know, the massive transition to e-health records was a key component of both President Obama's health care proposal as well as the stimulus package itself.

Currently, states across the country, including California, are working to implement such a system, with consumer privacy perhaps the paramount area of dispute.

One of the most important challenges for privacy advocates has been making sure that the transition to electronic medical records includes ironclad data safeguards along with it. We know such a system will save money and improve health care (though how significant these improvements and savings will be is still in question), but what remains contentious - and rightly so - is the intrinsic threat a massive electronic database containing our most personal medical records poses to individual privacy and security.

When it comes to the issue of e-health records certainly one question the consumers should ponder is "Where is my data and who has access to it?" Or perhaps even more importantly, "can my private data be traced back to me personally and sold to others?"

We all consider our healthcare information to be extremely personal and expect the government to protect it from falling into the wrong hands. Granted, regulations alone will never be the end all solution when it comes to privacy in the information age...it must be coupled with public awareness and the pressure that consumer choice can put on industry.

But as it stands today, there still aren't uniform standards for electronic medical records. Yes, there are some protections in the Health Insurance Portability and Accountability Act of 1996, as well as some in the stimulus bill. But key protections are still absent.

The prohibition on the sale of medical records is weak and full of loopholes, nor does it apply to vendors like Microsoft or Google. Both companies have agreed to contracts that say they won't release your information, but there is no law mandating that they don't sell the information. If we've learned anything about corporate behavior in recent years, it’s that without ironclad, legal requirements, we shouldn't expect them to behave the way we'd expect from say, a human being.

Similarly, the breach provisions requiring companies to notify patients when electronic medical records are accessed does apply to Google and Microsoft, however, there are safe-harbor provisions that let companies off the hook from the notification requirement if the breach occurred in "good faith."

The federal law on the books only requires that patients are notified when their information was disclosed in the course of treatment but not how it was used. As a result, the patient will not know which hospital personnel looked at the information or for what purpose.

In other words, there's a lot of work still to be done on this issue. Now let's get to the latest breach of very private, personal medical information. The San Jose Mercury News reports:

Until recently, medical files belonging to nearly 300,000 Californians sat unsecured on the Internet for the entire world to see. There were insurance forms, Social Security numbers and doctors' notes. Among the files were summaries that spelled out, in painstaking detail, a trucker's crushed fingers, a maintenance worker's broken ribs and one man's bout with sexual dysfunction.

At a time of mounting computer hacking threats, the incident offers an alarming glimpse at privacy risks as the nation moves steadily into an era in which every American's sensitive medical information will be digitized.

...

"When things go wrong, they can really go wrong," says Beth Givens, director of the nonprofit Privacy Rights Clearinghouse, which tracks data breaches. "Even the most well-designed systems are not safe. ... This case is a good example of how the human element is the weakest link."

Southern California Medical-Legal Consultants, which represents doctors and hospitals seeking payment from patients receiving workers' compensation, put the records on a website that it believed only employees could use, owner Joel Hecht says.

...

When mistakes occur, the fallout can be more severe than the typical breach of email addresses or credit card numbers.

In the wrong hands, health records can be used for blackmail and public humiliation. The information can also be used by insurance companies to inflate rates, or by employers to deny job applicants.

Usually when personal data are exposed, it's the result of a network break-in by a hacker or a theft of computer equipment. Sometimes, it can be a simple case of someone mishandling the information. Leaks are more likely the more data are passed around within the health industry's increasingly interconnected networks.

Dozens of companies can be authorized to handle a single person's medical records. The further away from the health care provider the records get, the flimsier the enforcement mechanisms for ensuring the data are protected.

...

The latest incident is "an eye-opener, and we're going to get eye-opener after eye-opener," says Jim Dempsey, a security and public policy expert at the Center for Democracy & Technology.

As instances of data mishandling become more commonplace, government officials may seek greater control over security policies of companies with access to health care records that aren't currently regulated.

"It should be yet another warning bell for companies: You've got your reputation on the line, and you're also facing enforcement action if you don't pay attention to the security of the data you collect and process," Dempsey says.

For more click here.

In fact, a recent study by Patients Privacy Rights further validated privacy advocates concernsGoogle's scores of a D and F and systems offered by employers and insurers also receiving an F. These are two HUGE providers of what will be the electronic health record "industry" that are still failing us. The group notes:

"The bad news is other companies do not allow patients to control their PHRs. That is a scary thing when you consider that PHRs can store sensitive health information as well as lifestyle habits such as what you eat, how much you drink, and how often you exercise. This information can easily get into the wrong hands, especially if your PHR is offered by an employer or insurer. All PHRs claim to be “patient-centric” and claim that “privacy is important”, but it’s simply not true.

What grades did the PHRs earn?

CapMed’s ICE PHR: C

Google Health: D – Platform F - Partners

Microsoft HealthVault: B – Platform F - Programs

NoMoreClipboard: A

WebMDs: C

PHRs offered by Employers/Insurers: F

...

1) Know that if your PHR is sponsored by your employer or insurer, the odds are VERY GOOD that they have access to all your information. This was quite clear after reviewing a form privacy policy for employer/insurer sponsored PHRs. Sure, not every company is out there to take advantage but personal health information can be used to discriminate, damage reputations and harm opportunities.

2) Every company and product has their own privacy policy. Even if you feel comfortable with a PHRs policy and website, click on a link and leave the site, all bets are off. Any third party that touches your data may not be held to the same standard. This is a key lesson for the Google and Microsoft tools.

...

So what can be done?

1) The public needs to wake up and pay attention. Our personal health information is everywhere and being passed from one company to the next, without our permission or knowledge. If we don’t demand control, we will lose it forever.

2) We need federal laws that make Fair Information Practices the rule for all health information, including PHRs. Data shared for one purpose should be used solely for that purpose unless the patient gives consent for any new use. No single piece of data should be allowed to go to an employer, insurer or other entity without patient permission.

Click here to read the article in its entirety.

Pam Dixon of the World Privacy Forum not too long ago broke some of the challenges we face down, stating "Much of the discussion around PHRs has been oriented toward how they benefit consumers, with almost no meaningful or detailed discussion of the privacy risks. As a result, few consumers have the ability to make genuinely informed decisions about these tools. For example, many consumers assume that because a PHR involves health-related information, that special privacy protections must apply. However, there are different varieties of PHRs and PHR companies, some of which do not fall under the federal privacy rules that are usually applied to health information."

"Many consumers have this deeply held belief that their health information, no matter where it travels, is protected in the same way as when you have a doctor/patient relationship," Dixon said. In reality, consenting to have data transmitted to a non-covered system likely would be viewed as an indication that you had waived your privacy privilege, she added.

Health information stored in commercial PHR systems is also less protected against subpoenas than it otherwise would be, Dixon asserted. Under HIPAA, if someone seeks to subpoena medical records about an individual from a covered entity, the patient has to be informed first. But that protection doesn't apply to PHRs in all instances, she said.

Even more worrisome to Dixon, though, is the potential for protected medical information stored in PHRs to be used for marketing purposes. HIPAA explicitly prohibits such uses, but the terms under which many PHR systems are operated could enable their owners to sell personal health data to marketers, she said.

People should be aware of such issues when choosing whether to use PHR systems, Dixon said. She added that the operators of PHR systems should be required to clearly disclose whether they are covered under HIPAA and what sort of privacy protections they offer.

As we see the continuing consolidation of, and even the possible monopolization of information technologies, the concern and fear that forces beyond our control have access to EVERYTHING we've nearly ever done will only grow...as will the likelihood that this "power" will be abused...at our expense.

The fact that the health-care and drug-industry lobbies are spending so much effort to weaken privacy standards does not bode well either.

This is an issue I'll be following more on this blog in the coming weeks and months now that California is in the midst of establishing its own e-health record privacy regulations.

Federal Court Judge: Police Can't GPS Track Without Warrant

2011-08-16T11:06:00.000-07:00

Before I get to the good news that a Maryland U.S. District Judge recently refused to issue a warrant sought by federal authorities to find a suspect through his cellphone's GPS data, let me provide some backdrop on why this is so important.

Due to technological advancements that allow for nearly ubiquitous tracking of American citizens, combined with the passage (and renewal) of the Patriot Act, the fourth amendment has become an endangered species (if not already gone).

As such, the privacy battleground as related to the tracking of cell phones by police has primarily been in the courts - namely whether probable cause, and a warrant, is necessary for law enforcement to track suspects whereabouts. As one might guess, sadly, the Obama Administration challenged a recent appellate court ruling over what the proper legal standard should be - as in their should be none.

Perhaps there's good reason for the federal government becoming so adamantly opposed to the fourth amendment: Back in 2009, the Washington Post reported that while serving as a U.S. attorney during the Bush administration, Christopher Christie tracked the whereabouts of citizens through their cell phones without warrants. The ACLU obtained these documents from the Justice Department in an ongoing lawsuit over cell phone tracking. While the documents reveal 79 such cases on or after Sept. 12, 2001, they do not specify how many of the applications were made during Christie's tenure.

Tracking without a warrant disregards an internal U.S. Justice Department recommendation that prosecutors obtain probable cause warrants before gathering location data from cell phones. Of the cases in which probable cause wasn't established, documents showed 19 allowed the most precise tracking available. Those cases occurred after the November 2007 Justice Department recommendation that prosecutors seek warrants.

And if that wasn't enough, there was the 2009 revelation that Sprint received 8 million law enforcement requests for GPS location data in just one year.

What's at stake here is whether it's okay for the government to track the locations of cell phone users without having to demonstrate there's good reason to do so. If we've learned anything post Patriot Act, its that law enforcement and the government do abuse unchecked power, even if only in a small minority of the situations.

As the ACLU has pointed out, "it's about protecting criminals. It's about protecting innocent people from unjustified violations of their privacy."

Thankfully, this was the argument, generally speaking, made by this federal judge. The Baltimore Sun reports:

Nearly three dozen ACLU affiliates around the country filed public information requests this month with local police agencies seeking statistics on how often GPS data is sought, how it's used and how it's stored. Congress, meanwhile, has held hearings on cellphone technology and privacy, acknowledging that existing law hasn't kept up with issues raised by the proliferation of smartphones and other devices capable of keeping real-time tabs on their owners.

…

So far courts have come to conflicting conclusions. A federal appeals court overturned a conviction of a Washington man based on a warrantless GPS search, while appellate courts in California and Oregon upheld convictions in their states. The U.S Supreme Court is scheduled to take up the issue in its next term — addressing whether police can place GPS devices on cars to track suspects without obtaining warrants.

...

The American Civil Liberties Union questions how the GPS data is being used by police. The group said last week that police in Michigan sought information for every mobile phone near a planned labor protest, and that Sprint, in just over a year, received 8 million requests from police for global positioning data. The Maryland ACLU chapter is not among those filing information requests.

...

Federal prosecutors thought it would lead to a quick arrest. But what seemed to authorities a reasonable request was to a judge an intrusion into the suspect's privacy. Gauvey wrote that turning down the government's request "does not frustrate or impede law enforcement's important efforts, but rather places them within the Constitutional and statutory framework which balances citizens' rights of privacy against government's protection of society." The judge wrote, however, that her ruling "does place the precise location information out of the government's casual reach."

...

This is where existing laws have failed to keep pace with technology. Typically, search warrants target documents that already exist, called "stored information," according to the legal brief. In seeking GPS data, prosecutors are seeking documents that have not yet been created — where a person will be in the future.

Click here to read more.

Let's be clear...we're talking about something (i.e. GPS tracking) that has been consistently abused and is becoming more and more common. Documents discovered by the ACLU and Electronic Frontier Foundation, in which they argued government tracking without a probable cause or warrant is a violation of the Constitution's Fourth Amendment, has shown that law enforcement violated individual privacy in states across the country.

The essential argument by privacy advocates, be it the tracking of a cell phone user, or placing a tracking device in a suspect's vehicle, is that, whether you're driving a car or carrying a cell phone you should not be more susceptible to government surveillance. The idea being, no one wants to feel as if a government agent is following you wherever you go - be it a friend's house, a place of worship, or a therapist's office - and certainly innocent Americans shouldn't have to feel that way.

As the article alluded to, this will have to be decided by the Supreme Court - which is itself a frightening thought. What I'll be hoping is that the court will understand the important distinction between short term monitoring that’s not much different from a police tail and ongoing, secret and ubiquitous tracking.

Electronic Frontier Foundation and the ACLU have rightly argued that it's one thing to note someone’s car location and another to keep hourly data on every single stop you make along a specific route for days or months on end. The government has tried to make the case that no such distinction existed.

Let's not forget too...the FBI has been using 'dragnet'-style warrantless cell phone tracking...and this could very likely be the "secret patriot act provision" that has garnered attention, and consternation among some Senators in Congress. You can read more about this in a recent article I wrote about the Patriot Act's renewal, but I think Juan Cole might have said it best, writing:

It should be remembered that it is perfectly possible for the police to make a mistake or act maliciously and to monitor someone who is innocent. The ACLU charges that these practices are increasingly common. If police and other security personnel are allowed to engage in domestic surveillance of this sort without a court warrant, they can start following large numbers of innocent people and learn details of their private lives. Just this year, Tacoma, Wash., police engaged in unconstitutional surveillance of anti-war activists, using an employee at a military base, which is even more troubling. Blanket permission for law enforcement to conduct warrantless GPS tracking of activists could reveal their private peccadilloes, which in turn could be used to blackmail them.

...

Part of what defines public and private is a reasonable citizen’s expectations. You wouldn’t expect all your movements for a month to be public, even if they were in an automobile. It is that understandable expectation of privacy that brings the Fourth Amendment into play. Ginsburg continued, “A reasonable person does not expect anyone to monitor and retain a record of every time he drives his car, including his origin, route, destination, and each place he stops and how long he stays there; rather, he expects each of those movements to remain disconnected and anonymous.” The full court of nine judges upheld the three-judge panel’s decision to throw out the case, which was against nightclub owner Antoine Jones.

The federal rulings so far on GPS tracking have been all over the map, so to speak, and that the Fourth Amendment will meaningfully survive the almost cosmic electronic surveillance capabilities of our burgeoning national security state is not at all clear. So far many of our eminent federal judges seem perfectly content with having police officers sneak around in our driveways, with allowing them to attach tracking devices to our private property, and with permitting them then to monitor everywhere we go and everyone we visit, without a warrant, for months at a time. Judge Ginsburg and two colleagues are so far all that stand in the way of this dystopian future becoming our present reality. Unfortunately, because Obama and Holder disagree with Ginsburg, his principled arguments will prevail only if they are permitted to do so by the likes of Antonin Scalia and Clarence Thomas. Welcome to Starship Amerika.

Click here to read more.

I'd also point you to a piece in Computerworld by Darlene Storm. She writes:

If people can be tagged with a GPS-enabled dart in about a blink, and have no idea their movements on public streets are being tracked, then it seems reasonable that the warrantless surveillance violates the Fourth Amendment. In fact, it sounds a bit like stalking; if permitted to be done without a warrant, then it could easily be done on a large scale and without true suspicion.

Despite three other courts of appeal ruling that law enforcement does not need a warrant to use GPS tracking on a vehicle, the D.C. appellate court did not agree. Inside GNSS reported that the D.C. court of appeal wrote, "Continuous human surveillance for a week would require all the time and expense of several police officers, while comparable photographic surveillance would require a net of video cameras so dense and so widespread as to catch a person's every movement, plus the manpower to piece the photographs together...A reasonable person does not expect anyone to monitor and retain a record of every time he drives his car, including his origin, route, destination, and each place he stops and how long he stays there."

...

...Just because the technology exists does not mean it should be used against the people to invade their privacy as if everyone is a criminal. The next thing you know, the authorities will want warrantless wiretaps to search our email. Oh wait..

Click here to read more.

With all of that said....it looks like a whole lot of this will decided by the Supreme Court...let's just hope that 1 of the 5 right wing pseudo fascist member will stand up for the Constitutional rights they so often claim to be dedicated to protecting...

Are New California PUC Smart Grid Privacy Rules Adequate?

2011-08-10T13:02:00.000-07:00

For those that may not know, last year, March 19th to be exact, I spoke before the California Public Utilities Commission regarding the privacy challenges and implications of transitioning to a smart grid electrical system. That's not to say I spoke against the development of such a system, in fact, if implemented correctly, it makes public policy, particularly environmental and economic, sense.

First, briefly: a smart grid system will allow utilities to collect and possibly distribute detailed information about household electricity consumption habits - ice makers will operate only when the washing machine isn't, TVs will shut off when viewers leave the room, air conditioner and heater levels will be operated more efficiently based on time of day and climate. Home gadgets and appliances will be wirelessly connected to the Internet so consumers can access detailed information about their electricity use, and reduce their carbon footprint appropriately.

Soon this technology will be near ubiquitous: Up to three-fourths of the homes in the United States are expected to be placed on the “Smart Grid” in the next decade, and there will be nearly 50 million by 2012. Some foresee it becoming 100 to 1000 times larger than the internet.

But back to the presentation, and then I'll get to the first privacy rules established here in California for this burgeoning electrical system. I happened to be one of three consumer advocates that spoke that day at the CPUC's smart grid workshop...with the focus of that seminar purely on privacy. I suspect I was asked in part due to my op-ed in the California Progress Report, as well as my position at the Consumer Federation of California, and my occasional blog posts here on the topic.

To watch the presentation click here and scroll down to my name - Zack Kaldveer...and click again. The purpose of my presentation, as I will detail here today, was to breakdown ALL the different ways a smart grid system could threaten the privacy of consumers, and the real world damage such privacy violations could cause if the system wasn't developed in a way that put privacy, and consumer control, first.

As I said at the time, "But the paradox of a smart grid system is that what will ostensibly make it an effective tool in reducing energy usage and improving our electric grid – our information - is precisely what makes it a threat to privacy: our information...

The sheer volume of data provided by Smart Grid technologies will make it a prospective goldmine for numerous parties other than the utilities themselves, for reasons other than energy efficiency, and used for purposes that do not benefit the consumer: advertisers and marketers will seek to create and utilize increasingly detailed behavioral profiles, law enforcement and the government will seek to monitor our homes, and criminals will seek to steal identities and rob homes.

As such, without proper safeguards and ironclad rules in place, a myriad of new privacy threats could eventually find their way into every home in America.

Activities that might be revealed through analysis of home appliance use include personal sleep and work habits, cooking and eating schedules, the presence of certain medical equipment and other specialized devices, presence or absence of persons in the home, and activities that might seem to signal illegal behavior.

Personal privacy issues routinely arise when data collected is harmless in isolation, but becomes a threat when combined with other data, or examined by a third party for patterns. In other words, what are the potential “unintended consequences” of such an electrical system? And more importantly, what must we do to ensure that those unintended consequences are never realized?

Such interest in our private data by third parties begs some important questions: How much information should we give up to the grid? Should it be up to the customer to decide? Who stores all that information and for what reasons? How will this information be managed and how long will it be stored? Who will come asking for that information, for what purposes and under what rules? And will there be proper and enforceable accountability for those that abuse our data?

So, with that general description of the system itself, and the related privacy concerns, now let's get to the unanimous vote by the CPUC to adopt the world’s first comprehensive set of rules to ensure that consumers can access the detailed energy usage data gathered by their smart meter — while also protecting the privacy and security of their data. At least...in theory....

The decision applies to the three large investor-owned utilities which serve 80% of Californians with electricity (Pacific Gas & Electric, San Diego Gas & Electric and Southern California Edison). At last count, these three utilities had installed 8 million smart meters. By the end of 2012 they will deploy the final 3 million.

As detailed by the San Francisco Business Times, "The CPUC is requiring utilities to regularly conduct independent security audits of their wireless meters and to restrict the access of third parties, such as energy-efficiency consultants, to customers' personal details. In addition to the privacy and security rules, the commission is requiring utilities to provide pricing, usage, and cost data to customers online and update the data at least on a daily basis. Each day's usage data, along with applicable price and cost details, must be available by the next day...the standards are consistent with privacy and security principles adopted by California's Senate Bill 1476, which former Gov. Arnold Schwarzenegger signed into law last September, and by the Department of Homeland Security

.....

Although hackers and spammers have so far spared digital smart meters and electrical grids from their cyber intrusions, the massive national rollout of devices and grid upgrades planned for this decade cyber thugs.

"In all systems of this type, the install base needs to reach a critical mass before attackers start looking at breaking these things," Jun said.

In June, the Department of Energy announced that a $4.5 billion stimulus program to ramp up smart grid technology projects, matched by $5.5 billion from the private sector, has already led to the installation of 5 million of the nation's meters. The DOE requires that eligible projects include security provisions to protect against hacking, but it doesn't detail what those measures should look like.

"We are putting devices in homes where — if the right investments in security aren't made now — it is going to be impossible to retrofit them," Jun said. "For an industry that is so new and building infrastructure to last 50 years, one of our major challenges is helping people think ahead."

More specifically in relation to the privacy component of the decision, it notes, "Consumers will be able to authorize third parties to receive their backhauled smart meter data data directly from the utility (as opposed to data that comes directly from the meter), to support services such as energy efficiency, demand response, energy advice, and more. The three major utilities will submit to the CPUC applications with specific plans, including which standards they will use — probably the Open Automated Data Exchange (OpenADE) standard in final development by NIST’s Smart Grid Interoperability Panel and the North American Energy Standards Board. The utilities, however, will bear no new liability for the actions of third parties which acquire information via this [mechanism].”

Furthermore, to protect consumer privacy and data security, the CPUC is exercising jurisdiction over third parties who receive data (via the backhaul mechanism) in the course of providing services to utilities, or when authorized by consumers. However, the CPUC is not exercising jurisdiction over third parties who receive energy usage data directly from a device installed at residence or business that receives data via the HAN interface.

In this decision the CPUC relied mainly on existing privacy law, using the Fair Information Practice Principles which the U.S. Department of Homeland Security developed as its privacy framework. To clarify the application of these principles, the CPUC decision includes an appendix with details of its privacy rules.

Here are the FIP principles, all of which are utilized by the CPUC:
1.    Transparency
2.    Individual participation
3.    Purpose specification
4.    Data minimization
5.    Use limitation
6.    Data quality and integrity
7.    Security
8.    Accountability and auditing

Now, there does appear to be a lot of good things about this ruling...and certainly, privacy has been seriously taken into account. But all it takes is one loophole to release the floodgate of privacy violations and loss of consumer control.

Essentially, there are two general concerns (so far) that I have - namely third party jurisdiction and the lack of adequate enforcement mechanisms (to serve as a proper deterrent).

First and foremost, and I have spoken about third parties A LOT on this blog, my concern is the line about the CPUC not using, or suggesting they don't even have, jurisdiction to enforce the same kind of privacy standards that the utilities must abide by as those that will be applied to third parties. Here’s the key passage of their decision:

“The utilities, however, will bear no new liability for the actions of third parties which acquire information via this [mechanism]"

and

"it will not exercise jurisdiction over third parties who receive energy usage data directly from a device installed at residence or business..."

On a similar note, after talking with our staff attorney who has been deeply involved in this debate, there also could be confusion when it comes to definitions of just which devices fall under which category, and which provide maximum privacy protection and which don't. And because of these definitional challenges, third parties will be able to circumvent the registration process by asserting that their devices are “unlocked.” I think that this challenge can be remedied if all parties who sought Smart Grid data would fall under the Commission’s jurisdiction.

The other concern I have, is what appears to be weak penalties for those that violate basic consumer privacy rules. As I understand it, the only real penalty is that they can no longer ask for data…not exactly a powerful deterrent. AS our attorney wrote to the CPUC, “CFC stated that the proposed rules should be modified to reflect a balance in responsibility between customers and utilities/third parties. When it comes to consumer authorized access to energy data, consumers are left to regulate themselves with what CDT states “a heightened responsibility [for consumers] to understand the implications of this disclosure.” Moreover, there is no penalty or enforcement if utilities or third parties violate these privacy rules. CFC supports the Commission’s adoption of requirements that promote customer education, awareness, and empowerment. However, customer empowerment is only one piece of the puzzle when it comes to effective consumer protection. Proper accountability that includes penalties for violations by utilities and third parties is the other piece."

Now, let's say a third party is given access to this data unknowingly or unwittingly by the consumer...what are some potential, specific examples of the kinds of “unintended consequences” that might take place? Well, here's the list I gave personally:

• Travel agencies might start sending you brochures right when your annual family vacation approaches.

• Financial institutions making home mortgage loans might also be interested in their customers’ energy usage records to verify whether the customers are actually living in those houses.

• Law enforcement officials might use our information against us. Consider the predictable desire of police to locate in-home marijuana growers by monitoring household power usage? What about increasingly intrusive surveillance of proclaimed suspects homes?

• Lawyers might seek to subpoena your data in a divorce trial, "Have you ever left your child home alone? If so, how often, and for how long?

• Insurance companies, always seeking to maximize profits by denying coverage or jacking up premiums, might start developing connections between energy use patterns – like eating late at night - and unhealthy tendencies.

• Soon RFID tagged labels – read by smart meters – will be found on more and more of the food and prescription drugs that fill our refrigerators and cabinets. Could our health insurance go up because we eat too much unhealthy food? Might we start receiving mailers trying to sell us new prescription drugs that their detailed behavioral profile has led them to conclude we need?

• Hackers and criminals might seek to falsify power usage, pass on their charges to a neighbor, take down the grid entirely, disconnect others, and plan burglaries with an unprecedented degree of accuracy.

• Some consumers are already getting statements that compare their use to their neighbors. Could we see a system develop in which some are penalized for more “wasteful” usage? What if the comparisons aren't fair? Will details such as the number of occupants be properly taken into account?

• Landlords might be interested in know more about what's happening inside their properties.

• If recent revelations regarding warrantless wiretapping, Patriot Act abuses and increasingly intrusive surveillance techniques are an indicator, we should also expect government agencies to come seeking our data.

As I also said that day, "such privacy implications strike at the heart of the Fourth Amendment, the California Constitution, and a core American value: our right to keep private what goes on in our homes, and the inherent freedom that that right provides us. The challenge that now stands before us is how to both protect consumer privacy while simultaneously empowering customers with the ability to access their data in near real time and potentially share it with entities other than the utility.

It is paramount then that our state’s transition to a smart grid system addresses the potential privacy pitfalls while we are in the early stages of its implementation; because once that genie is out of the bottle it’s difficult to put him back in.

A few principles we should keep in mind as we develop a regulatory framework will be consumer control, informed consent, transparency, security and accountability - including strict limits on the amount of data collected, its use, and the length of time it’s stored.

Such privacy safeguards will increase, not decrease, the long-term viability of, and consumer confidence in, the system itself. The only real conflict I foresee in implementing such a system is between those that want to protect their personal data versus those that seek to access and profit off it; as well as the expected public policy rush to get the system up and running before it’s truly ready.

The endless accumulation of our personal data – combined with the outlandish profits being made off it and growing government demand for it – represents a direct assault on our right to privacy. We would do well to contemplate the steady erosion of this right and its long-term implications.

Corporations, by definition, care about profit, not reducing energy usage, and certainly not protecting privacy, just as governments, particularly federal, care more about access and control.

Rapid technological advancement - without the requisite regulatory safeguards – will only add to the increasing disintegration of privacy rights in this country - something the Smart Grid could come to epitomize if we allow ourselves to be seduced by arguments that claim we have no time to spare or to just “trust” those with inherent conflicts of interest."

At this point, its too early to say whether my warnings have been properly heeded...certainly the jurisdiction issue suggests they have fallen short - so far. But nothing is in stone yet...so I'll keep you posted.

Locational Tracking and the "Secret Patriot Act" Provision

2011-08-03T13:53:00.000-07:00

Just last week, and before that in a recent op-ed I wrote on the Patriot Act, I've mentioned what some call "Secret Patriot Act" provisions and whether they relate to the government using cellular data to track Americans as they move around the U.S.

Here's the key point: the government has been claiming information regarding its interpretations and uses of the Patriot Act - particularly in relation to surveillance of American citizens - is classified. What tipped people like myself off that something was especially fishy were Senators Ron Wyden and Mark Udall sounding the alarm bells consistently and passionately for months now regarding this "secret legal interpretation" of the Patriot Act - one they claim is so broad that it gives the government massive domestic surveillance powers.

Wyden recently even said, "When the American people find out how their government has secretly interpreted the Patriot Act they will be stunned and they will be angry." And, as a member of the Senate Intelligence Committee Wyden is in a position to know, as he receives classified briefings from the executive branch.

Their requests for transparency has of course been met with obfuscation and denial from the Administration and Justice Department.

The good news is that Senator Wyden doesn't appear ready to take "no" for an answer, and is using the re-authorization of the Foreign Intelligence Surveillance Act (FISA) - adopted in 2008 essentially legalizing President George W. Bush’s “warrantless wiretapping” program - as the vehicle to get answers.

This FISA 2.0 law - abhorred by privacy advocates and civil libertarians - is set to expire by the end of next year, and is currently being heard in the Senate's Select Committee on Intelligence, of which Wyden is a member.

Of course, as has become typical when it comes to issues like privacy and surveillance, this proposed 2 1/2-year extension was inserted without any public notice into the Intelligence Authorization Act for the fiscal year that begins Oct. 1.

As AP reported, "The move was unusual because it took place a full year and a half before the law's expiration date. Ordinarily, a proposed extension isn't brought up until closer to the expiration date of the law."

The bad news is that the intelligence bill was approved Monday by the Committee on Intelligence, would extend the 2008 changes until 2015. As the LA Times noted, "Those changes greatly expanded the government’s surveillance authorities. The targets must be foreigners out of the country, but their conversations with Americans are fair game. Senator vows to block surveillance bill over privacy concerns."

Also unfortunately, a measure by Sens. Ron Wyden and Mark Udall that would have forced the U.S. intelligence chief, and by extension the entire intelligence community, to admit that they went too far in their Patriot Act interpretations, was defeated.

Essentially, Wyden and Udall asked that their colleagues include a measure compelling the Director of National Intelligence and the Attorney General to produce a “detailed assessment of the problems posed by the reliance of government agencies” on “interpretations of domestic surveillance authorities that are inconsistent with the understanding of such authorities by the public.”

Specifically, Attorney General Eric Holder and Director of National Intelligence James Clapper would have to produce “a plan for addressing such problems” with secret legal interpretations regarding the Foreign Intelligence Surveillance Act (FISA) and the Patriot Act.

The Committee also rejected an amendment by Wyden and Udall that would have required the Justice Department to estimate how many Americans have been eavesdropped on, in violation of another surveillance law, the FISA Amendments Act of 2008. That amendment was voted down, 7-8.

Now, while we can't be sure what these senators are referring to, the evidence suggests, and some assert, that the current administration is using Section 215 of the Patriot Act - a provision that gives the government access to "business records" - as the legal basis for the large-scale collection of cell phone location records.

And remember, mobile telephone users have LOTS of reasons to be concerned about this too. Consider:

In just a 13-month period, Sprint received over 8 million demands for location information;
Michigan police sought information about every mobile phone near the site of a planned labor protest;
This spring, researchers revealed that iPhones were collecting and storing location information;
Just last week, the general counsel of the National Security Agency suggested to members of Congress that the NSA might have the authority to collect the location information of American citizens inside the U.S.

Watch Wyden here!

Now, in response to this string of setbacks and stonewalling, Senator Wyden is vowing to block the surveillance bill altogether! The Los Angeles Times has more:

Sen. Ron Wyden (D-Ore.) will seek to block passage of an intelligence bill that extends the government’s eavesdropping authorities because the intelligence community won’t say how many Americans are being monitored...

...

"Congress passed the FISA Amendments Act in 2008 in an effort to give the government new authorities to conduct surveillance of foreigners outside the United States,” Wyden said in a statement. “The bill contained an expiration date of December 2012, and the purpose of this expiration date was to force members of Congress to come back in a few years and examine whether these new authorities had been interpreted and implemented as intended,” Wyden wrote. “I believe that Congress has not yet adequately examined this issue, and that there are important questions that need to be answered before the FISA

After first opposing them, then-Sen. Obama voted for the 2008 FISA changes, which gave legal immunity to telecom companies that cooperated with Bush’s spying program. He said he became convinced the capabilities were needed to hunt for terrorists.

...

Wyden also wants to know to what extent the government is tracking the location of Americans using data from their cellphones. Mobile devices are regularly telling their networks where they are, even when the use is not making a call, and that data is regularly used by law enforcement to track criminal suspects and fugitives. Whether intelligence agencies are doing that domestically is an open question.

...

“During a July 2011 committee hearing, the general counsel of the National Security Agency acknowledged that certain legal pleadings by the executive branch and court opinions from the Foreign Intelligence Surveillance Court regarding the Patriot Act are classified,” Wyden and Udall said in dissent included in the Senate committee report on the bill. “We have had the opportunity to review these pleadings and rulings, and we believe that most members of the American public would be very surprised to learn how federal surveillance law is being interpreted in secret.”

...

Wyden said he is placing a “hold” on the bill, a parliamentary maneuver that will make it much more difficult to pass. “I regret that the amendment that Sen. Udall of Colorado and I offered was not adopted, but I obviously plan to keep trying to get more information about the effects of this law,” Wyden said. “I hope that I will find out that no law-abiding Americans, or at least very few, have had their communications reviewed by government agencies as a result of this law, but I believe that I have a responsibility to get concrete facts rather than just hope that this is not the case. And I believe that it would be not be responsible for the Senate to pass a multi-year extension of the FISA Amendments Act until I and others who have concerns have had our questions answered.”

Click here to read more.

While its heartening, and frankly inspiring, to see an elected official stand so strongly in favor of the bill of rights at a time when they are viewed with such disdain by governmental and corporate power, I'm perhaps more disheartened by the fact that the Wyden/Udall Amendments can't even pass out of a Democratic controlled Committee. As for Obama's flip flopping and betrayals on privacy and civil liberties related issues, this is now expected.

It should be noted however that Senator Wyden is by no means on his own in the locational tracking and transparency fight. Just today the ACLU of California demanded information on how police are using surveillance technology to track people. The group has asked for public records from more than 50 police agencies across state focusing on mobile phone location data, GPS tracking, information gathered from social networking sites.

From the groups release: "Demanding to know when, why, and how police are using mobile phone location data and deploying other surveillance technologies to track the people they are responsible for protecting and serving, the ACLU of California sent requests to more than fifty law enforcement agencies across the state today. Today’s requests are part of the ACLU’s Demand your dotRights Campaign, designed to make sure that as technology advances, our privacy rights are not left behind. The Public Request Act inquiries are being filed in coordination with 33 American Civil Liberties Union affiliates across the nation.

“The public has a right to know how and under what circumstances their personal information is being accessed by the government," said Peter Bibring, staff attorney with the ACLU of California. "A detailed history of someone's movements – or the email and photographs stored in their mobile device - is extremely personal and exactly the kind of private information that the Fourth Amendment was written to protect."

In addition to the collection of mobile phone location data, the ACLU of California is asking the same questions about law enforcements’ use of information gathered from social networking sites, book providers, GPS tracking devices, automatic license plate readers, public video surveillance cameras and facial recognition technology.

Police agencies are being asked for information including:

Statistics on how agencies are obtaining, using, storing and sharing personal information;
The stated purpose for gathering personal information, guidelines on how long the data is kept, when and how it is deleted, and whether privacy safeguards exist;
Training curricula, policies or protocol provided to officers to guide them in the use of these powerful new surveillance tools, including the capture of information from social networking sites like Facebook and Twitter;
Whether police demonstrate probable cause and obtain a warrant to access mobile phone location data and to collect other detailed personal information, or take a dragnet approach that captures data on individuals who are not suspected of wrongdoing;
The effectiveness of the use of digital surveillance in identifying or arresting suspects.

“Unless we require transparency on the part of police agencies, powerful new methods of surveillance will become powerful new methods of invading our privacy,” said ACLU of California attorney Linda Lye.

With Congress considering new legislation to better safeguard location information and the U.S. Supreme Court poised to hear a case about the privacy of location data in the context of GPS tracking devices, it is essential for the American public to have a clear picture about when, why, and how law enforcement are obtaining sensitive location information.

“It’s important to understand whether police agencies are using new surveillance technologies in ways that serve legitimate law enforcement goals and actually make us safer,” said ACLU of California attorney David Blair Loy."

The End of Internet Privacy?

2011-08-02T11:38:00.000-07:00

Law enforcement and fearmongering politicians are back with yet another attempt to destroy privacy on the Internet. This time, rather than using the typical "we're protecting you from terrorists" mantra, the

proposed law claims to be necessary in the fight again child pornography!!

Briefly, the bill would require Internet service providers to keep 12-month logs of customers' names, credit card information, and other identifying information that are tied to temporarily assigned network addresses.

So how, might you ask, will tracking American citizens, and storing everything they do over the Internet help stop child pornography? Perhaps it goes without saying that I fail to see how tracking the entire Internet, and all those that use it, will somehow help lock up child pornographers and pedophiles.

But of course, that's not the worst part about it. What's truly frightening is this legislation, as so much in the Patriot Act, treats ALL Americans as criminals until proven otherwise. If law enforcement feels it has a need to find out who visited a website or posted a particular bit of content online, it can.

Are we really ready to give away this much privacy and that much power to the government? Let's be honest here, how can anyone in the world, with a straight face, say our government has LESS surveillance capabilities in the past, rather than MORE??? (an argument often made by law enforcement)

If I remember correctly, after the Sept. 11 terrorist attacks, Congress passed a succession of laws that has made it far easier for law enforcement and security officials to spy on online and other communications with or without warrants.

We already have widespread, massive abuse of National Security Letters (NSLs) – which allow the FBI, without a court order, to obtain telecommunication, financial and credit records deemed “relevant” to a government investigation. The FBI issues about 50,000 a year and an internal watchdog has repeatedly found the flagrant misuse of this power.

Here's a few clips from an excellent article in PC World on this legislation and the reaction of privacy advocates:

The Electronic Frontier Foundation notes that the same data could become available to civil litigants in private lawsuits -- whether it's the recording industry trying to identify downloaders, a company trying to uncover and retaliate against an anonymous critic, or a divorce lawyer looking for dirty laundry. The group, which is asking people to contact lawmakers about the issue, also says that the database created would be a new and valuable target for hackers.

"Essentially what this bill is attempting to do is make it such that you can never post anything online without there being a record indicating that you posted it," said Kevin Bankston, senior staff attorney with the EFF.

…

Gregory Nojeim, director of the Project and Freedom Security and Technology at the Center for Democracy and Technology, also doesn't see that the bill, if eventually made into law, would markedly help catch criminals involved in child pornography.

"It's likely that child pornography cases will be a teeny tiny percentage of the cases in which law enforcement uses data that is retained under the mandate in this bill," he said.Instead, he thinks government and law enforcement entities will use the data to investigate other things such as criminal drug activity or for intelligence investigations.

…

So while it appears the government has been asking ISPs for online information for a while, it's also not clear exactly what information all ISPs are currently tracking.

"It depends on what ISP you're talking about but not all ISPs [currently] log network address assignment," said Bankston. "For example, T-Mobile does not log IP address assignments through its mobile devices [and] based on testimony in an earlier data retention hearing there's at least one major cable internet provider that does not log IP address assignments." There's also a question of how long the ISPs track data.

Click here to read more.

As noted in an article in the Atlantic by Conor Friedersdorf, "

Every right-thinking person abhors child pornography. To combat it, legislators have brought through committee a poorly conceived, over-broad Congressional bill, The Protecting Children from Internet Pornographers Act of 2011. It is arguably the biggest threat to civil liberties now under consideration in the United States. The potential victims: everyone who uses the Internet.

…

A better name for the child pornography bill would be The Encouragement of Blackmail by Law Enforcement Act. At issue is how to catch child pornographers. It's too hard now, say the bill's backers, and I can sympathize. It's their solution that appalls me: under language approved 19 to 10 by a House committee, the firm that sells you Internet access would be required to track all of your Internet activity and save it for 18 months, along with your name, the address where you live, your bank account numbers, your credit card numbers, and IP addresses you've been assigned.

Tracking the private daily behavior of everyone in order to help catch a small number of child criminals is itself the noxious practice of police states. Said an attorney for the Electronic Frontier Foundation: "The data retention mandate in this bill would treat every Internet user like a criminal and threaten the online privacy and free speech rights of every American." Even more troubling is what the government would need to do in order to access this trove of private information: ask for it.

…

doesn't require that someone be under investigation on child pornography charges in order for police to access their Internet history -- being suspected of any crime is enough…

In Communist countries, where the ruling class routinely dug up embarrassing information on citizens as a bulwark against dissent, the secret police never dreamed of an information trove as perfect for targeting innocent people as a full Internet history. Phrases I've Googled in the course of researching this item include "moral panic about child pornography" and "blackmailing enemies with Internet history." For most people, it's easy enough to recall terms you've searched that could be taken out of context, and of course there are lots of Americans who do things online that are perfectly legal, but would be embarrassing if made public even with context: medical problems and adult pornography are only the beginning. How clueless do you have to be to mandate the creation of a huge database that includes that sort of information, especially in the age of Anonymous and Wikileaks? How naive do you have to be to give government unfettered access to it? Have the bill's 25 cosponsors never heard of J. Edgar Hoover?

…

As Julian Sanchez recently wrote on a related subject, "In an era in which an unprecedented quantity of information about our daily activities is stored electronically and is retrievable with a mouse click, internal checks on the government's power to comb those digital databases are more important than ever... If we aren't willing to say enough is enough, our privacy will slip away one tweak at a time."

Click here for more.

Remember, the Internet is the communication tool of choice now for political activism and organizing. Doesn't the fact that we already know how the FBI and even local law enforcement has abused the Patriot Act by monitoring peaceful protest groups and environmentalists and in some cases attempted to prevent protest activities (particularly against the war) provide us with one of the clear motives behind our ever expanding surveillance state?

I for one am not only concerned about our government's efforts to stifle dissent and minimize protest, but also the more general effect such a surveillance state has on human consciousness. I'm not talking new age metaphysics here...I'm talking about basic liberty and freedom...and how when such privacy is taken, power is taken...and how might citizens be effected - adversely - by the knowledge that EVERYTHING they do, whether its writing, speaking, or now searching, is being monitored (and even stored) by the "authorities"?

As I have asked many times before on this blog, is the loss of freedom, privacy, and quality of life a worthwhile trade-off for unproven protections from hyped threats and unproven "solutions"?

This increasingly intrusive surveillance state threatens the very concept of privacy, particularly privacy as a necessary requisite for liberty, which I believe it is. With privacy comes control, with control comes at least a semblance of power. The Internet is where so much of the future of political dialogue, activism, and communication will occur...I think it would be a gross mistake to allow open access to the government...we've seen how the FBI has used such monitoring capabilities when it comes to the telephone or wireless computers.

I question the very premise that the government benefits from, or certainly that we need, such an all encompassing surveillance state. Remember, our military, our CIA, our spying agencies (such as NSA) are every bit corporate as they are governmental: in some cases more so. So complete is the merger that it's the same people who switch seamlessly back and forth between governmental agencies and their private "partners". This means we have not only a vast Secret Government, but one that operates with virtually no democratic accountability and is driven not by National Security concerns but by its own always-expanding private profits and need for greater control.

All this begs the question: who is really benefiting from this expanding surveillance state and why?

Glenn Greenwald, writing about a similar effort last year, encapsulates PERFECTLY my thoughts, stating,

"What makes this trend all the more pernicious is that at exactly the same time that the Government is demanding greater and greater access to what you do and say, it is hiding its own conduct behind an always-higher and more impenetrable wall of secrecy. Everything you do and say must be accessible to them; you can have no secrets from them. But everything they do -- including even criminal acts such as torture, assassinations and warrantless surveillance -- is completely off-limits to you, deemed "state secrets" that not even courts can review in order to determine their legality. This is all driven by Francis Bacon's observation that "knowledge is power": the idea is to make sure that they have full knowledge of what you do (i.e., full power over it), while you have no knowledge about what they do (i.e., no power).

For those insisting that the Government must have the technological ability to eavesdrop on any and all communications in order to stop Terrorists and criminals, what are you going to do about in-person communications? By this logic, the Government should install eavesdropping devices in all private homes and public spaces, provided they promise only to listen in when the law allows them to do so (I believe there was a book written about that once). For those insisting that the Government must have the physical ability to spy on all communications, what objections could one have to such a proposal? We've developed this child-like belief that all Bad Things can be prevented -- we can be Kept Safe from all dangers -- provided we just vest enough power in the Government to protect us all. What we lose from that mentality, however, is quite vast yet rarely counted. A central value of the Internet was that it was supposed to enable the flow of information free from the surveillance and control of governmental and other authorities.

More to come on this issue...and legislation...