Thursday, October 29, 2009

The Privacy Minefield of Online Data

Little time to pontificate today, so let me get right to the article by NPR's Martin Kaste entitled "Online Data Present A Privacy Minefield". In it, one of my "go to" privacy experts - Chris Hoofnagle of the University of California, Berkeley School of Law - is featured.

Kaste writes:

Is privacy still possible? For a lot of people, the answer is no, as companies collect personal data in ever-increasing volumes. Take a site like NextMark.com.

It's a sort of "Google" for mailing lists, where more than 1,400 data vendors offer lists of names — hundreds of thousands of names at a time — all sliced and diced and searchable. If you're looking for a list of people with heart disease, you can find it here. Heart disease plus Hispanic plus over 50? Also available.

...

Even medical data. Federal law prohibits doctors and hospitals from selling health records, but if people voluntarily answer questions on an online health survey, that information is fair game.

The law doesn't restrict what kind of information companies may ask for, and the data industry says more regulations aren't necessary. Industry officials say reputable companies are careful with the information. Companies going through NextMark will "rent" their data through trusted third parties to prevent uncontrolled copying of their lists.

...

...there are also plenty of people who do more than just rely on their gut instincts. They read the privacy policies and the fine print, and try to control who gets their information.

But Chris Hoofnagle says that may be futile. As the head of the privacy programs at the University of California, Berkeley School of Law, he's been tracking the information economy for some time, and he says it's getting harder to make informed decisions.

"As there's been growing awareness of how commercial data brokers operate, they've become more secretive," Hoofnagle says. He says big data brokers are telling the public less about the provenance of their data — where they're getting their information — and he's been tracking this change by saving screenshots of those companies' Web sites.

Data Companies Go Private

As an example, Hoofnagle pulls up screenshots of a big database called Batch Trace, now owned by LexisNexis. As recently as 2002, he says, the site listed the kinds of business that supplied it with data, such as call centers and pizza delivery companies. "As time goes on, this gets thinner and thinner," Hoofnagle says. "By 2006, the provenance is gone."

Click here to read the article in its entirety.

This article brings up that issue I discussed a few weeks back, that being, once people UNDERSTAND what's being done with their data, how its collected and then sold or profited off, we would see a significant outcry...and certainly a demand for increased privacy protections and safeguards.

As I mentioned in that post, a recent survey found 75 percent of Americans said they were opposed to tailored advertising if it meant their behavior surfing the Internet was being tracked. Researchers at the University of California, Berkeley, and the University of Pennsylvania who surveyed 1,000 Americans from June 18 to July 2, concluded there was a deep concern that tracking Internet habits for tailoring ads was wrong.

As it is now, the public is largely unaware of what's really going on out there in cyber space...

Tuesday, October 27, 2009

Truthout op-ed: "The Death of Privacy: Technology and the Challenge for Social Activists"

An op-ed today on Truthout.org delves into both the pro's and con's of our rapidly advancing information and communication based culture, and the increasingly difficult challenge that this advancement presents privacy and social advocates with. As I have often written here, our regulatory framework simply has not kept pace with technological innovation, and this has left gaping holes in our privacy protection infrastructure...leading to a vast array of threats to our civil liberties and more general freedom(s).

At the same time, these technological innovations have also led to a host of positive developments. In the case of Web 2.0 for instance, outside of the obvious benefits of social networking, we have also seen how it helped circulate abuses by the Iranian government during their recent election protests. Similarly, as the author also notes, the ability to film live action with our phones led to a much better understanding of the incident at an Oakland BART station in which police shot and killed a youth in what appears to be in an almost execution style manner (the courts will decide this still).

Another example cited by the author, and with which I agree (though there is a downside too), is the way in which these video technologies have allowed the public - in a number of instances - to document evidence of our political leaders "saying what they think" while not realizing that it would show up on computers around the country within hours.

Examples include McCain's "Bomb Iran" and former disgraced Senator Allen's use of a racist slur in describing a non-white individual in the crowd. Certainly in the case of Allen this helped ensure he was not re-elected...and our nation is better off because of that.

As this article delves into, this conflict between the pro's and con's of technological development is a complicated one, and the very definition of privacy in today's world is changing...as well as making life more and more difficult for privacy advocates.

For instance, on the flip side, we've got this news: In-Q-Tel, "the investment arm of the CIA", has a program that crawls "over half a million web 2.0 sites a day, scraping more than a million posts and conversations taking place on blogs, online forums, Flickr, YouTube, Twitter and Amazon...Then Visible "scores" each post, labeling it as positive or negative, mixed or neutral. It examines how influential a conversation or an author is."

Uh oh...

Tolu Olorunda, a cultural critic whose work appears regularly on BlackCommentator.com and TheDailyVoice.com, writes:

There is something immeasurably insidious about a government that spies on its citizens. And if there is one universal truth, it is that no country has a monopoly on such activities. Whenever a ruling class, from whatever region, begins to feel threatened by the unforeseen, emerging independence of the underclass, one of the next steps taken is to monitor conversations, document strategies and invade privacies. It's an inevitable impulse that bears witness to the fierce determination of Struggle.

So, it should surprise no one that In-Q-Tel, "the investment arm of the CIA," is enlisting the services of Visible Technologies, a software firm notorious for monitoring social networking activities. Noah Shachtman, contributing editor to Wired magazine, reported this new discovery last week.

...


It's key to reject the politics of fear at a critical time such as this. Activists, throughout history, have always understood that fear is perhaps the single most destructive force in any movement. Fear of surveillance, fear of coercion, fear of arrest can extinguish all moral vigor from the most courageous of men and women.


It's easy, following news of the CIA's latest intentions, to shut down one's social networking accounts, or begin engaging in self-censorship. It's easy to cower before the great walls of intrusion. But it's also easy to see this for what it is: a desperate attempt to keep track, and possibly mitigate, this prestigious moment in history - when a growing, global citizenry is beginning to understand that information shouldn't always be funneled to fit a particular narrow interest, that, as Patti Smith once sang, "people have the power" to change the conditions that surround them; that without engaged activism, without accountability brought to bear, without a demand, power would concede nothing - not even the privacies of everyday people.


Click here to read the article in its entirety.

Monday, October 26, 2009

Los Angeles Times Editorial: Privacy and the Patriot Act

Some good news on the media front to report. The Los Angeles Times editorialized on Sunday in support of Patriot Act reforms that would increase protection of individual privacy and civil liberties. Now, the paper doesn't go as far as I have, but they do make a solid case for some important improvements to the Act that somehow didn't survive the Senate Judiciary a few weeks back, but have been resurrected in the House by Representatives John Conyers, Jerrold Nadler and Bobby Scott.

To get a comprehensive breakdown of the PATRIOT Act provisions currently being debated in Congress as well as other important reform proposals being proposed, check out some of my past posts regarding the disappointing legislation that came out of the Judiciary Committee as well as the vastly superior legislation proposed in the House.

Specifically, click here for more about Feingold's Justice Act, click here for more about Obama's broken promises on this issue, click here for my discussion of the "sneak and peak" provision, and click here for more on the "Lone Wolf" provision, and click here for a detailing of the House bill.

Now to the Los Angeles Times Editorial entitled "Privacy and the Patriot Act":

Some parts of the original act were relatively uncontroversial, including those permitting the CIA and the FBI to share information more freely and allowing investigators to seek warrants for "roving wiretaps" targeted at individuals rather than telephone numbers. Others, however, unjustifiably eroded privacy rights. Particularly troubling were rules governing the acquisition of financial and other records that allowed investigators to conduct fishing expeditions -- as long as the documents were deemed "relevant" to a search for terrorists.

In December, three provisions of the Patriot Act are set to expire: those dealing with roving wiretaps and the acquisition of records, and another (added in 2004) that allows surveillance of what are known as “lone wolf” terrorist suspects. All three extensions strike us as reasonable, though in one case further privacy protections are essential.

...

More problematic is the provision allowing court orders for business records and other "tangible things" -- popularly known as the "library records" provision because of fears that investigators would monitor the reading habits of citizens (even though the law doesn't mention library records specifically). The Judiciary Committee bill explicitly makes it harder to obtain library records and requires investigators to show a court that the material sought is reasonably likely to be relevant to an intelligence investigation. Under current law, by contrast, a judge is supposed to presume that the materials are relevant. Even with that refinement, "relevance to an investigation" is too loose a standard for a court order. As Sens. Russell D. Feingold (D-Wis.) and Richard J. Durbin (D-Ill.) proposed, the bill should be revised to require a tighter connection to a particular foreign agent or terrorist.

...

The Patriot Act's greatest threat to personal privacy lies not in any of the provisions set to expire but in the law's expansion of the use of national security letters, subpoenas that allow the FBI to obtain records without a warrant. In 2008, the FBI issued 24,744 letters involving the records of 7,225 people. Not surprisingly, there have been abuses. In 2007, after an investigation of four FBI offices, the Justice Department's inspector general found irregularities in 22% of documents related to the issuance of national security letters. Last year, he found that the FBI had made "significant progress" in correcting violations.

Even so, the criteria for issuing the letters are too vague. At present, the government must merely certify that the information sought is relevant to an authorized investigation. The bill approved by the Judiciary Committee would increase the burden on the government slightly by requiring a written statement of specific facts demonstrating relevance. A narrower amendment by Feingold and Durbin -- which would have required issuance of national security letters to be related to a suspected foreign agent or terrorist or a possible confederate -- was rejected by the committee. It should be added on the Senate floor or in an eventual conference with the House.

Click here to read the entire editorial.

While I disagree with the Times support of the "Lone Wolf" provision, there's a lot here to like...and we need all the help we can get if we are to persuade enough lawmakers to stand up to the fearmongers and defend the Constitution against the full frontal assault the PATRIOT Act represents. If newspapers continue to take a strong stand for PATRIOT Act reforms designed to re-institute some basic protections against government abuse we will all be the better for it...and perhaps some of those frightened lawmakers that worry about being called "soft on terrorism" will find their spines and do what's right.

Friday, October 23, 2009

Where's the Privacy and Civil Liberties Watchdog?

At least, that's the question posed in today's Washington Post by Alan Charles Raul, former vice chairman of the Privacy and Civil Liberties Oversight Board from 2006 to 2008.

I know little of the board Mr. Raul is referring, or the fact that the 9/11 commission recommended its creation, or that it has received little to no attention by either the Executive or Legislative branches since that time.

So, I'll let Mr. Raul do the explaining...as I do find it to be an interesting topic:

In December 2004, Congress implemented many recommendations of the Sept. 11 commission, which acknowledged that effectively combating terrorism "call[ed] for the government to increase its presence in our lives -- for example, by creating standards for . . . identification, by better securing our borders, by sharing information gathered by many different agencies." The panel recommended a Privacy and Civil Liberties Oversight Board "to oversee . . . the commitment the government makes to defend our civil liberties" by advising the president and Cabinet.

Just six months after the legislation was enacted, President Bush announced his plans to nominate former deputy attorney general Carol Dinkins as chairman and me as vice chairman, and to appoint as board members former solicitor general Ted Olson, former assistant secretary of state Frank Taylor and former Clinton White House special counsel Lanny Davis. After the Senate confirmed Dinkins and myself in February 2006, the board was staffed and fully operational the next month. Yet the administration was accused of undue delay in getting the board up and running. Rep. Carolyn B. Maloney (D-N.Y.) repeatedly made comments such as "they have stalled in giving the board adequate funding. They have stalled in making appointments. It is apparent they are not taking this seriously."

...

Unfortunately, in January 2007, the new congressional leadership decided to "reform" the board by reconstituting it as an independent agency, relocated outside the White House. Lawmakers thought the board needed subpoena power to provide its advice and that each member, not just the chairman and vice chairman, should be subject to Senate confirmation. These "reforms" rendered the board a lame duck, and the members and staff who had been painstakingly vetted and briefed were allowed to serve only six more months.

...

While Congress has not pressed President Obama on this, his White House "Cyberspace Policy Review" recognized in May that "[i]t is important to reconstitute the [board] . . . accelerate the selection process for its board members, and consider whether to seek legislative amendments to broaden its scope to include cybersecurity-related issues." Still, the president has not nominated a chairman or members, set aside space, or publicly moved to revitalize oversight of privacy and civil liberties in the fight against terrorism.

The law requires that the board be operational, and prudence suggests that this administration, like the last, could use the oversight. Surely the administration is debating and executing many "close calls" to protect American lives and interests. Surely the president is still authorizing surveillance of possible terrorists who are in this country (like, allegedly, Najibullah Zazi) or their domestic associates; the FBI is still demanding information from businesses about suspicious activity; the National Security Agency must consider data-mining communications and monitoring the Internet; the Treasury is still tracing terrorist finances; the Department of Homeland Security is still searching backgrounds, bodies and laptops at our borders and using domestic satellite imagery to anticipate threats; and more.

Click here to read the article in its entirety.

At first glance, my instinct is to say yes, of course we should have an independent body "to oversee . . . the commitment the government makes to defend our civil liberties" by advising the president and Cabinet. But, I don't want to go further than that at this point until I know more about how this board has, or could, function in actual practice.

The last thing we'd want is a rubber stamp that gives undeserved legitimacy to policies that violate our privacy and civil liberties. However, if there is real potential here to create a check on "Executive Branches Go Wild", them I'm all for it.

Wednesday, October 21, 2009

Bill Introduced by House Democrats would Reform Patriot Act

Before I get to the good news regarding yesterday's introduction by Democratic Representatives John Conyers, Jerrold Nadler and Bobby Scott of their own PATRIOT Act reform legislation, let me briefly summarize why this action is so needed, and why it was likely undertaken.

As most are now aware, two weeks ago the Senate Judiciary Committee forwarded legislation to the full Senate that would reauthorize three expiring provisions of the Patriot Act adopted just after the September 11th attacks. The measures greatly expanded the government’s ability to spy on Americans in the name of national security.

Though Senators Feingold and Durbin put up an admirable fight on a variety of fronts, the committee approved allowing broad warrants to be issued by a secretive court for any type of record, from financial to medical, without the government having to declare that the information sought is connected to a terrorism or espionage investigation. A proposal that would put limits on such requests was defeated.

Members also renewed the so-called “roving wiretap” provision, allowing the FBI to obtain wiretaps from the secret court, known as the FISA court, without identifying the target or what method of communication is to be tapped.

Finally, the committee renewed the so-called “lone wolf” measure that allows FISA court warrants for the electronic monitoring of a person for whatever reason — even without showing that the suspect is an agent of a foreign power or a terrorist.

For some of my past posts on the debate in the Judiciary Committee, click here for more about Feingold's Justice Act, click here for more about Obama's broken promises on this issue, click here for my discussion of the "sneak and peak" provision, and click here for more on the "Lone Wolf" provision.

Now let's get back to the new bill — the USA Patriot Amendments Act of 2009 (HR 3845) - submitted yesterday in the House Judiciary Committee.

As rightly noted by the Electronic Frontier Foundation, this is fantastic news:

...the new bill is a significant improvement over the deeply flawed Senate bill, containing a substantial number of significant new checks and balances to the government's spying authorities under the PATRIOT Act — much like Senator Feingold's JUSTICE Act in the Senate, which was supported by EFF.

Not only have Representatives Conyers, Nadler, and Scott introduced a strong PATRIOT reform bill, but they've also gone even farther in seeking to protect their constituents' civil liberties by introducing a second bill (HR 3846) directed at reforming last year's FISA Amendments Act (FAA), which broadly expanded the government's authority to wiretap Americans without warrants and granted immunity to telcos that broke the law by assisting in the NSA's warrantless wiretapping program.

The second bill introduced today — which, amongst other reforms, would prohibit the "bulk collection" of Americans' emails and phone calls under the FAA and would repeal the FAA's telco immunity provision — is available here [PDF], with a section-by-section summary here [PDF]. A press release from House Judiciary describing both bills is available here.

Now let's get to more of the legislation's details, as reported by the Associated Press:

The proposal would eliminate the government's authority to spy on a "lone wolf," a non-U.S. citizen suspected of terrorism who may not be part of a recognized terrorist group. The Justice Department said the government has never used this authority but wants to keep it available.

...

Roving wiretaps still would be allowed, to permit surveillance on multiple phones when a suspect keeps switching cell phones. The bill would restrict surveillance to a single, identifiable target.

And the government still could obtain a court order to seize documents and other tangible items, including business records. The bill would require the government to produce specific facts, to show the items are relevant to an authorized investigation. Recipients of the search orders would be able to immediately challenge them and any gag order preventing disclosure.

The legislation would increase protections for libraries and bookstores. Records seizures would be prohibited if the material would identify patrons.

...

The proposal would repeal the retroactive immunity given to telephone companies, who complied with a Bush administration warrantless wiretapping program. Courts would have to determine whether the complying companies acted properly under laws in effect at the time.

Clearly, there's a lot here for civil libertarians to like. Click here for EFF's section by section review of the bill.

Here's what the three bill authors had to say:

"Over the past eight years, Americans grew tired of the same old scare tactics, designed to fool the public into believing that we needed to give up freedom to be safe from terrorism," said Conyers. "It is a new day and an opportunity for reform." The truth is that we can protect our nation from terrorist threats by giving our government the tools it needs while also ensuring there are checks and balances to protect against abuses."

"This legislation is borne of the necessity to reign in the overbroad provisions of the USA PATRIOT Act and ensure that the law is consistent with constitutional standards," said Nadler. "As we reauthorize expiring provisions of the USA PATRIOT Act, it is essential that we protect our homeland without abusing executive power or unnecessarily compromising the privacy of American citizens. In particular, this bill includes provisions of my legislation to reform National Security Letters — the National Security Letters Reform Act of 2009 – which are critical for protecting Americans against government invasion of privacy and, generally, for restoring critical checks and balances to our government. Notably, the bill would allow Americans to use libraries and bookstores without fear that their choice of books will be monitored by overzealous federal agents."

"Benjamin Franklin got it right when he said, ’those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety,’" said Scott. "These bills assure that we secure our liberties and our freedoms without diminishing either."

I'll be following the progress of this legislation VERY closely here in the coming weeks.

Tuesday, October 20, 2009

Prescription Drug Records and Privacy

As I have written about on this blog in the past, the reality that our most private prescription drug records are not in fact private, is beginning to sink in, both in the minds of consumers as well as some lawmakers.

For Californians, the good news is we have stricter protections against the selling and sharing of our prescription records than just about any other state (aside from New Hampshire, Maine and Vermont).

Before I get to an article detailing the latest prescription drug record revelations, particularly in relation to a case involving Eli Lilly and Co. and CVS Caremark, let me first discuss a battle that we (the Consumer Federation of California) just had in 2007 on this very issue.

The bill that we opposed - and which nearly passed the legislature - would have created an exception to California's Medical Information Act, and allowing the sharing of confidential patient drug prescription information among pharmacies, third party corporations and pharmaceutical companies without a patent's consent.

As we argued at the time, Californians expect that their private medical records will be held in confidence by their doctors and pharmacists. SB 1096 would have allowed pharmacies to share prescription information with businesses that provide mailings to the patient – ostensibly reminders that patients should continue to take their medications.

The reminder would appear to come from the pharmacy, but in fact it would be paid for by the drug manufacturer. The bill's main backer, Adheris Inc., was a subsidiary of inVentiv Health Inc., a drug marketing company currently being sued for privacy breaches related to patient prescription records.

Again, as we argued at the time, a patient’s doctor - not a third party marketing company - is the best source for informing a patient about how to manage his or her health condition. By intruding upon and confusing this relationship, this bill could have put patients’ health, as well as privacy, at risk.

For example, a physician might discontinue a prescription if a patient complained of an adverse reaction. Unaware of the changed course of treatment, the drug marketing company would continue sending reminders that appear to come from the drug store, urging the patient to keep taking the old prescription. Worse, the bill placed no liability on drug markets that provide bad information to patients.

The legislative battle was a fierce and contentious one, pitting privacy and consumer groups and physicians against drug store chains and drug marketers. Thanks to a significant public outcry against the legislation - with the help of some excellent reporting on the issue, the bill was defeated.

The San Francisco Chronicle interviewed me about the bill's defeat, in which I stated, "This is a victory for California consumers. It's also a victory for our state's Constitution, which explicitly protects the individual's right to privacy. When it comes to medical prescriptions, there is nothing more private. This bill crossed the line."

I think this California case study serves as a useful tool in understanding what remains at stake for patients privacy around the country, how close California came to losing the protections we enjoy, and, why Congress and the Obama Administration should strengthen our rather lax protections of our prescription records.

With that, let me direct you to an article I found yesterday on IndyStar.com by reporter John Russell, entitled "Think info about your Rx is private? Better think again."

Russell writes:

CVS Caremark, which handles more than 1 billion prescriptions a year, has made no secret that sharing such information is a cornerstone of its business.

...

In a case involving Eli Lilly and Co. and CVS Caremark, it remains unclear how much of a patient's information was switching hands.

CVS Caremark said it sent promotions for the Lilly drug Cymbalta to doctors "who are likely to treat patients with symptoms consistent with fibromyalgia." Lilly said it did not have any information on which patients were taking fibromyalgia drugs.

But in mailings funded by Merck, AstraZeneca and other drug makers, CVS Caremark identified patients by name, date of birth and medications taken. The letters stated that the patients were identified through CVS Caremark prescription claims data as having one or more prescriptions for a certain drug for a certain condition.

...

But is it a violation of patient privacy laws? That is less clear. The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPPA, gives patients certain privacy rights over their medical information -- for example, protection against marketing campaigns.

But some privacy experts say the CVS Caremark mailings don't technically violate HIPPA regulations, because the letters are sent as educational materials to doctors, not as promotional campaigns.

...

CVS Caremark was formed two years ago when CVS, one of the nation's largest drugstore chains with about 7,000 pharmacies, bought pharmacy-benefits manager Caremark Rx for nearly $27 billion, making the combined companies the biggest U.S. buyer of pharmaceuticals.

Pharmacy benefits managers have huge influence over which drugs patients receive by choosing which drugs to place on their formularies. Yet the company's mailings on behalf of drug makers raise questions about where its loyalties lie.


...

According to a patient advocacy group, Change to Win, which represents workers in CVS Caremark plans that cover more than 10 million people, a benefits manager later bought by CVS had misrepresented to doctors and plans that the drugs were cheaper or more effective or both. Actually, the drugs it encouraged patients to use were more costly or less effective.

Click here to read the article in its entirety.

Even if one can make the case, and it holds up in court, that what pharmacies are doing here isn't a violation of HIPPA, by no stretch of the imagination does that make it alright...as clearly it violates the intent of the law. My point is, that if what these companies are doing isn't marketing, than I don't know what is!

But, if this argument can't be won in court, than we need to change the law. Could there be a better time to do this than while we're in the midst of a national debate about health care reform? I say no. As the reporter notes, this practice is beginning to create a backlash among physicians as well as consumers, and its not too much to ask from lawmakers that they push for more transparency.

On that note, the Senate is considering an amendment that would force such companies to disclose much more financial detail about their interactions with drug makers, including how much of the savings they negotiate with drug companies are passed on to consumers. This is a good start. But disclosure isn't enough. I say ban the practice. Period.

Monday, October 19, 2009

"Re-identifying" and the Debate over Electronic Health Record Privacy

An excellent article in New York Times caught my eye today that sounds a few alarm bell regarding just how "safe" our personal data - and likewise that data's connection with us as individuals - will be in the coming cyber world of electronic health records.

When it comes to the issue of e-health records certainly one question the consumer should ponder is "Where is my data and who has access to it?" Or perhaps even more importantly, "can my private data be traced back to me personally and sold to others?"

According to a new study by two computer scientists at the University of Texas at Austin, "re-identifying" customers was a lot easier than expected, and contradicts claims made by company's promising individual anonymity (in this case by NetFlix).

In other words, just because a customer's name, address, and other specific identifying information were not connected to their movie choices, the researchers were still able to correctly match them up through a process called "de-anonymization".

Such a technique raises concerns that the same process could be used to do the same thing to individuals and their health records.

One of the most important challenges for privacy advocates has been making sure that the transition to electronic medical records includes ironclad data safeguards along with it.

We know such a system will save money and improve health care (though how significant these improvements and savings will be is still in question), but what remains contentious - and rightly so - is the intrinsic threat a massive electronic database containing our most personal medical records poses to individual privacy and security.

Specific privacy guidelines for this transition were recently provided by The Center for American Progress, the Markle Foundation's Connecting for Health Initiative, the Center for Democracy and Technology, and others. Click here to check those out.

I should also probably note that The Electronic Privacy Information Center (EPIC) released their Privacy Report Card for President Obama last month in which they gave the Administration an A- on Medical Privacy (though some privacy advocates disagree with this score), ""giving him full credit for creating important privacy safeguards as part of the network for electronic health records. The privacy language in the HI‐TECH Act makes the bill one of the best privacy laws in years. Still, implementation of privacy safeguards remains a key challenge."

Nonetheless, it does appear that something still needs to be done to prevent the "re-identifying" of customer's with their data.

The New York Times reports:

TIME to revisit the always compelling — and often disconcerting — debate over digital privacy. So, what might your movie picks and your medical records have in common? How about a potentially false sense of control over who can see your user history?

...

By comparing the film preferences of some anonymous Netflix customers with personal profiles on imdb.com, the Internet movie database, the researchers said they easily re-identified some people because they had posted their e-mail addresses or other distinguishing information online.

Vitaly Shmatikov, an associate professor of computer science at the University of Texas at Austin and a co-author of the “de-anonymization” study, says the researchers were able to analyze users’ public postings and connect that to their Netflix preferences — including how a person may have rated films with controversial themes. Those are choices a person may or may not want to make public, Mr. Shmatikov said.

...

Nevertheless, the Texas researchers say they were indeed able to positively identify Netflix customers, and some privacy advocates say their study raises questions about whether newly strengthened laws governing the security of electronic health records — which contain information on diagnoses and treatments entered by health care providers — may offer incomplete privacy protection. Leaked movie preferences might embarrass or stereotype you, they said. But information extracted from medical records and then linked back to you, they said, has the potential to cause social, professional and financial harm.

...

The idea of an entirely paperless medical system holds the promise of more efficient and cost-effective care. And, with the incentive of stimulus package money, many companies are rushing to sell clinical information systems to streamline services like patient scheduling, sample tracking, and billing at hospitals and clinics.

In some cases, the same companies that sell data management systems to hospitals and physicians also store that information and then repackage it to make money on other services.

The clinical information systems market in the United States has sales of $8 billion to $10 billion annually, and about 5 percent of that comes from data and analysis, according to estimates by George Hill, an analyst at Leerink Swann, a health care investment bank.


But by 2020, when a vast majority of American health providers are expected to have electronic health systems, the data mining component alone could generate sales of up to $5 billion, Mr. Hill said. Demand for the data is likely to be robust. Policy makers and hospitals will want to dig into it to analyze physician practices and glean information about patient health trends.

...

There are no current federal laws against re-identification, said Dr. Deborah Peel, a psychiatrist who is a director of Patient Privacy Rights, a nonprofit watchdog group in Austin, Tex. “Once personal health data gets out there, it’s like the Paris Hilton sex tape,” Dr. Peel said. “It is going to be out there forever.”

Click here to read the article in its entirety.

Friday, October 16, 2009

Judiciary Committee Votes to Renew Nearly All of Patriot Act Provisions

I realize this news is about a week old, but I want to at least update everybody regarding the EXTREMELY disappointing vote in the Senate Judiciary Committee that essentially renewed nearly every Constitution crushing component of the Patriot Act (that were up for renewal). As I will note, there were a few very small improvements that in reality were so minuscule, the bill as a whole was still not worth supporting.

Today, I especially want to provide a few long citations from two of today's real privacy heroes in this country: Senator Russ Feingold and Constitutional scholar Glenn Greenwald. I'll also include a few short comments from the ACLU and the Electronic Frontier Foundation (EFF) - two organizations that have been out front on this issue since the inception of the Patriot Act.

The Judiciary Vote

For some of my past posts on this debate in the Judiciary Committee, click here for more about Feingold's Justice Act, click here for more about Obama's broken promises on this issue, click here for my discussion of the "sneak and peak" provision, and click here for more on the "Lone Wolf" provision.

Before I get to the remarks by Senator Feingold, Salon.com's Glenn Greenwald, the ACLU and EFF, here's a brief summation - largely based on an article describing these events in Wired Magazine last week - of the truly disastrous performance by the Senate Judiciary Committee.

Essentially, the Senate committee forwarded legislation to the full Senate that reauthorizes three expiring provisions of the Patriot Act adopted just after the 2001 attacks on the World Trade Center. The measures greatly expanded the government’s ability to spy on Americans in the name of national security.

The 11-8 vote by the Senate Judiciary Committee came as lawmakers hurredly tried to beat a looming deadline. The three provisions expire at year’s end, unless renewed.

Though Senators Feingold and Durbin put up an admirable fight on a variety of fronts, the committee approved allowing broad warrants to be issued by a secretive court for any type of record, from financial to medical, without the government having to declare that the information sought is connected to a terrorism or espionage investigation. A proposal that would put limits on such requests was defeated.

No vote date for either body has been set. Members also renewed the so-called “roving wiretap” provision, allowing the FBI to obtain wiretaps from the secret court, known as the FISA court, without identifying the target or what method of communication is to be tapped.

Finally, the committee renewed the so-called “lone wolf” measure that allows FISA court warrants for the electronic monitoring of a person for whatever reason — even without showing that the suspect is an agent of a foreign power or a terrorist.

A Feingold measure (.pdf) to allow that provision to expire was defeated.

Feingold did not submit his amendment to withdraw the immunity Congress granted to the nation’s telecommunications companies last year, one that shields the companies from lawsuits accusing them of funneling Americans’ electronic communications to the National Security Agency without warrants.

With limited exceptions, the committee-approved measure largely resembles existing law. However, one change requires publication of audits, including how many times the government has used the Patriot Act’s provisions, including the number of targets. Much of the government’s public reporting on the topic has been voluntary, and very little is known about how often each power has been used and why.

Another change centered on library records. In order to obtain warrants for them from the FISA court, the new plan requires a tangential connection to a terror investigation or foreign power. The expiring version does not.

With that flurry of heartbreaking news, let's get to reactions.

From Senator Russ Feingold's "diary":

At the beginning of the year, I had high hopes for the Patriot Act reauthorization process. We had just elected a President with a strong civil liberties record in the Senate. His Attorney General had supported some reforms during consideration of the last reauthorization bill in 2005. And Democrats controlled the Senate by such a large margin that our advantage on the Judiciary Committee ended up at 12-7 after Sen. Specter switched parties. Even as recently as 10 days ago, I hoped to be able to support a reauthorization bill introduced by Sen. Leahy that, while narrower than the JUSTICE Act that Senator Durbin and I have championed, did contain several important and necessary protections for the privacy of innocent Americans.

Events over the past two weeks dashed those hopes. Over the course of two business meetings, Sen. Leahy’s bill was diluted to the point that I had to vote against it. It falls well short of what the Congress must do to correct the problems with the Patriot Act.

...Today particularly, I started to feel as if too many members of the committee from both parties are willing to accept uncritically whatever the executive branch says about even the most reasonable proposed changes in the law. Of course we should consider the perspective of the FBI and the Justice Department. Keeping Americans safe is everyone’s priority. But we also need to consider a full range of perspectives and come to our own conclusions about how best to protect the American people and preserve their freedoms.

Protecting the rights of innocent people should be a part of that equation. It's not the Prosecutors’ Committee; it's the Judiciary Committee. And whether the executive branch powers are overbroad is something we have to decide. The only people we should be deferring to are the American people, as we try to protect them from terrorism without infringing on their freedoms.

I am also very troubled that administration officials have been taking positions behind closed doors that they are not taking publicly. I am pleased that we have not heard the type of public fear-mongering from this administration that was such a regular part of the discourse in the past. But if the administration wanted to further water down the already limited reforms in the bill that was on the table, they should have said so openly. Instead, at our only public hearing we were told that the Justice Department did not have positions on the crucial issues about to be discussed.

Then, over the past week, in classified settings, the Department has weighed in against even some of the limited reforms that Sen. Leahy originally proposed. That led to the unusual spectacle today where many members of the committee based their decision to further weaken the bill on a classified briefing held yesterday, but could not fully discuss or debate their reasons. As a member of the Senate Intelligence Committee, I am privy to every bit of the classified information that was referred to today. And nothing presented in the classified briefings justifies the failure to address the real problems with the expiring Patriot Act provisions and other intrusive powers.

Perhaps the most important was the failure to include the reasonable 3-part standard for issuing a FISA business records order under Section 215 of the PATRIOT Act. This standard was in a bill unanimously reported by the Committee, under Republican control, in 2005, and it was in Sen. Leahy’s original bill this year. Last week, Senator Durbin offered an amendment to put the standard back in the bill. It would have ensured that these secret authorities can only be directed at individuals who have some connection to terrorism or espionage. The standard is broad and flexible, but it places some limits on this otherwise very sweeping authority.

Unfortunately, Senator Durbin’s amendment failed. When it did, I hoped the Committee would instead consider at least adopting that same standard for issuing National Security Letters, which are not approved by any court, and which were seriously abused by the FBI. Today, that, too, was rejected.

The bill that passed out of committee did include some positive changes. I was pleased my amendment to reform invasive "sneak and peek" searches was included, as well as my amendment to require the executive branch to issue minimization procedures for NSLs. But these improvements did not make up for the bill’s shortcomings, and I was unable to support it on the final vote.

I appreciate Chairman Leahy’s efforts to achieve a compromise. And I hope to work with him and other members of this committee to make further improvements as this bill goes forward. In the end, however, Democrats have to decide if they are going to stand up for the rights of the American people or allow the FBI to write our laws. For me, that’s not a difficult choice.

Now to Glenn Greenwald's comment:

That's the record which a historian, wedded as faithfully as possible to a narration of indisputable facts, would be compelled to write. And those are just disclosure and transparency issues. None of that has nothing to do with ongoing assertion of detention powers, habeas corpus denials, renditions, the Democrats' active efforts just this week to prevent abuses of the Patriot Act and FISA, etc. (for those with Twitter, just read Marcy Wheeler's infuriating account from the last two hours of how key Democrats in the Senate -- led by Dianne Feinstein and Pat Leahy -- just gutted virtually every effort to rein in Patriot Act and FISA abuses that were sponsored by Feingold, Durbin and even Arlen Specter: ZAZI!!!).

...

The administration loves to posture in public as though they support various reforms -- to lead their wild-eyed supporters to believe they do -- only to work in secret to gut those same reforms....Feingold ended up having to vote against the new Patriot Act bill that he spent all year leading because it was diluted to the point where very little was fixed and some things were actually made worse. When it comes to transparency and civil liberties, that's what the Democratic Congress and White House are. If the record I documented here isn't enough to see that, then take it from someone who sees them up close and personal every day.

The American Civil Liberties Union was similarly disappointed, and Michael Macleod-Ball, Acting Director of the ACLU Washington Legislative Office, stated:

"We are disappointed that further changes were not made to ensure Americans’ civil liberties would be adequately protected by this Patriot Act legislation. This truly was a missed opportunity for the Senate Judiciary Committee to right the wrongs of the Patriot Act and stand up for Americans’ Fourth Amendment rights. The meager improvements made during this markup will certainly be overshadowed by allowing so many horrible amendments to be added to an already weak bill. Congress cannot continue to make this mistake with the Patriot Act again and again. We urge the Senate to adopt amendments on the floor that will bring this bill in line with the Constitution."

Kevin Bankston, the Electronic Frontier Foundation’s senior attorney specializing in free speech and privacy law, stated:

We’re deeply disappointed that the Obama administration sided with the committee Republicans to pass amendments to remove reforms from the already watered-down bill.”

He's referring to seven amendments, five of which were introduced by Senator Jeff Sessions, which removed civil liberties protections and which Sessions said were mostly recommended by the Obama administration’s FBI and Justice Department in closed-door classified briefings.

“We’re very disappointed in the final bill that was voted out of committee. It has fewer reforms than the original bill from Sen. Leahy, and it’s a very far cry from Sen. Feingold and Durbin’s JUSTICE Act.”

The JUSTICE Act would have required the government to specify more clearly the targets of their investigations and their connections to terrorism, to keep the FBI from using its authority to engage in broad-based data-mining of Americans’ phone, library and business records.

Bankston continued: “In 2005, the Judiciary Committee was able to pass much stronger reforms under a Republican administration. Now, in a position of power and with a vaunted supermajority, the Democrats are still bargaining against themselves rather than having a united front and introducing new civil liberties protections. I think it’s because of the White House’s position that these powers need to be renewed. There’s an unwillingness to consider even minor reforms.”

I'll be watching how this all develops now on the House and Senate floors.

Wednesday, October 14, 2009

Governor Schwarzenegger Vetoes Four Important Privacy Bills

I'm a little bit shocked, and obviously very disappointed, that the Governor vetoed all four of the privacy bills that we were advocating on behalf of that were still on his desk until the final few days of this year's session. All but one of these bills achieved overwhelming support in the legislature and had little to no formal opposition (except AB 943).

It was for these reasons that, outside of AB 943 (Mendoza), we were fairly confident the Governor would do the right thing and protect Californians privacy by signing those bills. We were wrong.

Here's a brief description of each of the bills vetoed, and what they would have done:

The biggest disappointment of the bunch was the Governor's veto of SB 20 (Simitian). Let me first explain the legislation, then I'll include the Governor's veto message, answer it, and provide Senator Simitian's response as well.

California currently doesn't require public agencies or businesses to provide any standard set of information about private information breaches to consumers! SB 20 (Simitian) would change this, requiring any person or business that issues a security breach notification to more than 500 residents to also submit the notification electronically to the Attorney General. As consumers, we depend on businesses and government agencies to protect the security of our most intimate financial data.

Unfortunately, privacy breaches occur regularly. In fact, according to the Privacy Rights Clearinghouse, at least 263 million sensitive records have been exposed nationwide since 2005. SB 20 would amend California's security breach notification law to require notices to contain helpful information to potential victims of identity theft or privacy violations. This information includes a description of the breach that occurred and the estimated date of the breach, if that date is known.

SB 20 would also require the breach notice to contain contact information for the major credit reporting agencies if an individual's Social Security number, California driver's license number or California identification card number was exposed. SB 20 would make helpful changes to the current security breach notification statutes to enhance consumer knowledge about, and understanding of, security breaches.

How could anyone be against this? It's about as common sense of an approach as one could come up with in response to the growing problem and reality of data breaches. Its rather simple really, if you are the victim of a data breach, and your private information may have been stolen, you deserve some basic information that will help you most effectively respond.

Now, here's the Governor's veto message...completely lacking any evidence that support his assertions (because none exists):

I am returning Senate Bill 20 without my signature.

This bill would require any agency, person, or business that must issue an information security breach notification pursuant to existing law to also fulfill certain additional requirements pertaining to the security breach notification.

California’s landmark law on data breach notification has had many beneficial results. Informing individuals whose personal information was compromised in a breach of what their risks are and what they can do to protect themselves is an important consumer protection benefit. This bill is unnecessary, however, because there is no evidence that there is a problem with the information provided to consumers. Moreover, there is no additional consumer benefit gained by requiring the Attorney General to become a repository of breach notices when this measure does not require the Attorney General to do anything with the notices. Since this measure would place additional unnecessary mandates on businesses without a corresponding consumer benefit, I am unable to sign this bill.

Sincerely,

Arnold Schwarzenegger

My confusion here stems from the Governor's assertion that "there is no evidence that there is a problem with the information provided to consumers". Say what? Ask consumers whether its more helpful to receive a letter that provides more than just a notice that your information has been breached, but also what you can do about it, when it happened (so you can check that date against your credit card statements, etc.), and other useful, SPECIFIC information.

The bottom line is that this law IS NEEDED. The past few years have demonstrated that there are some holes that still need to be plugged. According to a survey of data breach victims, 28% of those receiving a notification did not understand “the potential consequences of the breach after reading the letter.”

SB 20 would have made a good law even better by specifying key details that must be sent to consumers; something not all companies are including voluntarily.

And notifying the Attorney General’s office of data breaches would have enabled law enforcement officials to track breaches, observe trends, and better protect California consumers.

SB 20 would not have placed a substantial burden on businesses either. Under existing law, companies and state agencies must already notify every victim whose personal information is compromised – often many thousands of Californians. This bill would have added that a single copy of the notification letter be submitted electronically to the state Attorney General’s office.

The extra notification details this bill would have required are simple and straightforward: a general description of the breach, what personal information was compromised, and when the breach occurred (if possible to determine when the notice is sent).

In other words, the bill would have helped give consumers ACTIONABLE information that could give them more than just increased peace of mind, but ways to minimize the damage done.

Senator Simitian, who in 2003, was named by Scientific American magazine as one of the “Scientific American 50” technology leaders in recognition of the original data breach legislation this would improve upon, and the recipient in 2007 of the award for Excellence in Public Policy at the RSA Conference, a leading security industry event, responded to the veto:

I’m surprised as well as disappointed by the Governor’s veto. There was no opposition to the bill in its final form. This was a common sense step to help consumers. No one likes to get the news that personal information about them has been stolen, but when it happens, people are entitled to get the information they need to decide what to do next. This bill would have made one of California’s key consumer protections even better.. That way (i.e. the provision regarding the Attorney General), law enforcement would have been able to get the big picture on data theft."

VETOED: AB 943 (Mendoza) - Credit Reports

This bill would have prohibited a prospective employer from using consumer credit reports in the hiring process. An employer should not have any right to obtain confidential information that is not germane to a prospective employee's job. Credit reports do not have predictive value in determining a worker's ability to perform job duties, but a bad credit report might unfairly influence a hiring employer's attitude toward a job applicant. AB 943 would provide exceptions in cases when the job duties include access to cash or other financial assets, when the job is in law enforcement, and in other narrow areas.

Click here to read our letter to the Governor urging he sign this bill.

VETOED: AB 811 (John Perez) - Check Cashers

This bill would have prohibited check cashers from manufacturing and selling false identification cards, or identification cards that closely resemble a state drivers' license card, by making it subject to a fine between the amount of $250 and $1,000, or imprisonment in a county jail for not more than a year, or both. AB 811 also would seek to prohibit a check casher from requiring a customer to purchase a check cashing identification card to access services. Increasing the penalty for manufacturing and selling false identification cards will not only discourage check cashers from following this practice, it will also punish any person who would manufacture and sell false IDs to minors.

Click here to read our letter to the Governor urging he sign this bill.

VETOED:261 (Salas) - Student Privacy

This bill would have clarified that California students' privacy rights allow limited access to student records by law enforcement and election officials to further juvenile justice and voter registration, respectively. AB 261 is a conformity measure that would bring the California Education Code into compliance with the federal Family Educational Rights and Privacy Act (FERPA).

Conformity with federal law is needed to ensure that the state can retain its eligibility for the more than $1.13 billion it receives annually in federal grants for the provision of special education services to students with special needs. AB 261 would come at no cost to the state as it simply provides that California is in compliance with what is already required under federal law.

Click here to read our letter to the Governor urging he sign this bill.

All in all a bad year for California privacy advocates....

Friday, October 9, 2009

Behaviorial Targeting: Opinion Poll and Progress of New Legislation

About five weeks ago a coalition of ten consumer and privacy advocacy organizations called on Congress to enact legislation to protect consumer privacy in response to threats from the growing practices of online behavioral tracking and targeting.

The coalition consists of the Consumer Federation of America, Center for Digital Democracy, Consumers Union, Consumer Watchdog, Electronic Frontier Foundation, Privacy Lives, Privacy Rights Clearinghouse, Privacy Times, U.S. Public Interest Research Group, and The World Privacy Forums. As I mentioned at the time, this is a very impressive coalition speaking out on a very important privacy issue at a very important time.

As I also wrote then, I would be following the progress of legislative efforts to provide some privacy "rules of the game" before the Internet, and companies ever expanding ability and desire to create extensive profiles on nearly every aspect of our lives gets out of hand.

I'm posting on this topic again today because I have yet to report the findings (announced a few days ago) of a new poll that flies in the face of the typical industry argument that "consumers want ads targeted to their interests while on the net." Now, at first glance, this seems like a reasonable assertion...that is, until consumers understand how these marketers acquire the knowledge and insight necessary to target those ads to them.

Before I get to this new poll, and the progress of new legislation in Congress, let me provide a short explanation of what in fact behavioral targeting on the Internet is by quoting a few passages from the above coalition's legislative primer entitled "Online Behavioral Tracking and Targeting Concerns and Solutions":

Privacy is a fundamental right in the United States. For four decades, the foundation of U.S. privacy policies has been based on Fair Information Practices: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability. Those principles ensure that individuals are able to control their personal information, help to protect human dignity, hold accountable organizations that collect personal data, promote good business practices, and limit the risk of identity theft.

Developments in the digital age urgently require the application of Fair Information Practices to new business practices. Today, electronic information from consumers is collected, compiled, and sold; all done without reasonable safeguards. Consumers are increasingly relying on the Internet and other digital services for a wide range of transactions and services, many of which involve their most sensitive affairs, including health, financial, and other personal matters.

At the same time many companies are now engaging in behavioral advertising, which involves the surreptitious tracking and targeting of consumers. Click by click, consumers’ online activities – the searches they make, the Web pages they visit, the content they view, the videos they watch and their other interactions on social networking sites, the content of emails they send and receive, how they spend money online, their physical locations using mobile Web devices, and other data – are logged into an expanding profile and analyzed in order to target them with more "relevant" advertising.

Now let's get to today's article by Reuters:

U.S. marketers and consumer advocates are preparing for battle over the rules governing online advertising tailored to individual browsing habits, often tracked and collected without notice or permission. The U.S. Congress is due to intervene in the issue in the coming weeks, with a bill in the House of Representatives that would oblige websites to state explicitly how they use the information and allow those using the site to opt out. A billion-dollar industry and consumer privacy are at stake.

...

But 75 percent of Americans said in a recent survey they were opposed to tailored advertising if it meant their behavior surfing the Internet was being tracked...Researchers at the University of California, Berkeley, and the University of Pennsylvania who surveyed 1,000 Americans from June 18 to July 2 concluded there was a deep concern that tracking Internet habits for tailoring ads was wrong.

...

Targeted ads account for $1.1 billion -- up from $500 million in 2007 -- or 4.5 percent of the overall $24.5 billion dollars projected for online advertising in 2009, according to eMarketer estimates. In Washington, Democratic Representative Rick Boucher and other House members are introducing bipartisan legislation later this year aimed at helping consumers better understand what information is collected about them and how it is used.

...

The bill would oblige websites to display a privacy policy and explain to users how their information was collected and how it would be used. It would also require sites to allow visitors to opt out of having their data used to create an advertisers' profile.

Last winter the Federal Trade Commission published guidelines for advertisers, which prompted the ad industry to put out its own set of self-regulatory principles in July. Government agencies and consumer advocates argue that some form of regulation is needed to inform and protect consumers when they go online.

...

Consumers have been tracked and followed by advertisers in the offline world for generations, often through credit card information, or supermarket cards. But the Internet raises the stakes because "people are living their lives online, for essential transactions," said Jeff Chester, of the consumer protection group Center for Digital Democracy.

Click here to read the article in its entirety.

To read a couple of my past, and more extensive posts on this topic, go here, and here.

Thursday, October 8, 2009

Letter to Google: Take Time to Add Privacy Protections into Google Book Search

With the approaching launch of Google Books just around the corner, and a court settlement regarding Google Book Search still in negotiations, there's a whole lot of attention being given this issue by privacy advocates. The ACLU, Electronic Frontier Foundation, and the Samuelson Clinic even launched a Google Book Search privacy campaign - just one component of the ACLU-NC's dotrights project.

As EFF noted on their website yesterday: The Court considering the Google Book Search case granted the parties more time to renegotiate the settlement. The Court had received approximately 435 submissions about the settlement by both class members and amici. The American Library Association did a helpful analysis that estimates that 390 of the submissions object to the settlement and another 8 submissions support the settlement but with significant reservations. Shortly thereafter, the Department of Justice weighed in with serious reservations as well, leading the plaintiffs to seek the extension. The Court will still meet with the parties for a status conference on October 7.

So what is "Google Book Search" and why are privacy advocates so concerned?

The ACLU does a good job framing the issue: What you choose to read says a lot about who you are, what you value, and what you believe. That’s why you should be able to learn about anything from politics to health without worrying that someone is looking over your shoulder. The good news is that millions of books will be available for browsing and reading online. The bad news is that Google is leaving reader privacy behind. Under its current design, Google Book Search can monitor the books you browse, the pages you read, and even the notes you take in the "margins." Without strong privacy protections, all of your browsing and reading history could be collected, analyzed, and turned over to the government or third parties without your knowledge or consent.

As I wrote a month back, we're not talking about just another library mind you - librarians utilize a different standards for dealing with user information than does the online world. Many libraries routinely delete borrower information, and organizations such as the American Library Association have fought hard to preserve the privacy of their patrons in the face of laws such as the U.S. Patriot Act.

The concerns of privacy advocates are not hypothetical - nor should they be discarded as paranoia. Our country has a long history of government efforts to compel libraries and booksellers to turn over customer records and information.

Why would anyone believe, particularly after the warrantless wiretapping scandal, that the government won't ask a company like Google to turn over the treasure trove of private personal information it has on millions of Americans? For these reasons and more, it is essential that Google Book Search incorporate strong privacy protections.

That leads me to today's post. Yesterday, EFF along with the ACLU and the privacy authors and publishers they represent, which include the American Library Association, the Association of Research Libraries and the Association of College and Research Libraries, CDT, EPIC, SFLC, Professor James Grimmelman sent a joint letter to Google urging it to include privacy protections along with its reconsidered Google Book Search Settlement.

A key passage from the letter reads:

As you know, the failure of the settlement to ensure that readers using the Google Book Search services will have their privacy protected as much as readers using physical books has been a key concern for many authors, libraries and the reading public. It is the basis for some objections to the settlement, but has also been raised as a concern by those who support the settlement.

As author Jonathan Lethem put it, “now is the moment to make sure that Google Book Search is as private as the world of physical books. If future readers know that they are leaving a digital trail for others to follow, they may shy away from important but eccentric intellectual journeys.”

While we appreciate the statements made in the privacy policy released in early September, that policy does not go far enough. We believe that it is vital that Google commit to additional privacy protections and that such commitments be enforceable by the court presiding over the settlement.

The Electronic Frontier Foundation, the Center for Democracy & Technology, and the Electronic Privacy Information Center in their respective briefs have offered recommendations, many of which are quite similar, and would be happy to assist you in navigating any real or perceived differences between them. As the plaintiffs’ motion correctly notes, “depending on the contours of the amended settlement agreement, some objectors may no longer object and would choose not to travel to New York at all for the hearing.”

Providing real, enforceable privacy protections may help reduce the number of objections that the court must consider as the case moves forward.

Click here to read the letter.

Seems like a reasonable and mutually beneficial request to Google: Take your time to implement the privacy suggestions made by the organizations and experts that are the most committed and knowledgeable on this issue.

Tuesday, October 6, 2009

What's Wrong with the Patriot Act's "Lone Wolf" Provision?

There are a whole bunch of reasons Congress should not renew the PATRIOT Act's "lone wolf" provision. Over the past week I've been honing in on the deliberations going on in the Senate regarding whether to renew - as has been requested by the Obama Administration - three key sunsetting provisions of the Patriot Act.

One is continuing to allow FISA to authorize broad warrants for most any type of records, including those held by banks, libraries and doctors.

Another is the so-called “roving wiretap” provision which allows the FBI to obtain wiretaps without identifying the target or what method of communication is to be tapped.

And the third, which I want to discuss in detail today, is the "lone wolf" provision, which allows FISA court warrants for the electronic monitoring of a person even without showing that the suspect is an agent of a foreign power or a terrorist. Needless to say, this is an INCREDIBLY broad interpretation that theoretically could endanger the rights of nearly anyone for nearly any reason.

But just on the merits alone, how often or likely is it that there will be an international terrorist acting independently of any organization or country?

Before I get to an excellent op-ed from the libertarian monthly magazine Reason, let me cite a related passage from the ACLU's seminal report called Reclaiming Patriotism. In the section on "Relaxed FISA Standards", it reads:

Section 218 of the Patriot Act amended FISA to eliminate the requirement that the primary purpose of a FISA search or surveillance must be to gather foreign intelligence. Under the Patriot Act’s amendment, the government needs to show only that a significant purpose of the search or surveillance is to gather foreign information in order to obtain authorization from the FISC. This seemingly minor change allows the government to use FISA to circumvent the basic protections of the Fourth Amendment, even where criminal prosecution is the government’s primary purpose for conducting the search or surveillance.

This amendment allows the government to conduct intrusive investigations to gather evidence for use in criminal trials without establishing probable cause of illegal activity before a neutral and disinterested magistrate, and without providing notice required with ordinary warrants. Instead, the government can obtain authorization for secret searches from a secret and unaccountable court based on an assertion of probable cause that the target is an "agent of a foreign power," a representation the court must accept unless "clearly erroneous." An improperly targeted person has no way of knowing his or her rights have been violated, so the government can never be held accountable.

Lowering evidentiary standards does not make it easier for the government to spy on the guilty. Rather, it makes it more likely that the innocent will be unfairly ensnared in overzealous investigations.

Now to the article in Reason entitled "Keepng Lone Wolves from the Door":

The extraordinary tools available to investigators under the Foreign Intelligence Surveillance Act (FISA), passed over 30 years ago in response to revelations of endemic executive abuse of spying powers, were originally designed to cover only "agents of foreign powers." The PATRIOT Act's "lone wolf" provision severed that necessary link for the first time, authorizing FISA spying within the United States on any "non-U.S. person" who "engages in international terrorism or activities in preparation therefor," and allowing the statute's definition of an "agent of a foreign power" to apply to suspects who, well, aren't. Justice Department officials say they've never used that power, but they'd like to keep it the arsenal just in case.

As with so many of the post-9/11 intelligence reforms, the lone wolf provision has its genesis in the misguided assumption that every intelligence failure is evidence that investigators need more power. In the aftermath of the attacks, it was initially alleged that FBI investigators who had wanted to obtain a warrant to search the belongings of so-called "20th hijacker" Zacarias Moussaoui were unable to do so because FISA lacked a "lone wolf" provision. But a blistering 2003 report from the Senate Judiciary Committee tells a very different story. It notes that on 9/11, investigators were able to obtain a conventional warrant using the exact same evidence that had previously been considered insufficient.

Worse, the Committee found that supervisors at FBI Headquarters had failed to link related reports from different field offices, or to pass those reports on to the lawyers tasked with determining when a FISA warrant should be sought. Officials in charge, the Senate discovered, fundamentally misunderstood such crucial legal standards as "probable cause" and falsely believed that they could not seek a FISA order unless a target could specifically be tied to a particular, already-recognized terror group.

...

While it's difficult to be an unwitting "member" of a terror group, nothing in the law requires that the contribution a lone wolf makes to terror activities be a knowing one. And while definitions of an "agent of a foreign power" applicable to citizens explicitly prohibit investigations conducted wholly on the basis of protected First Amendment activities, PATRIOT appears to permit "lone wolves" to be targeted merely on the basis of advocacy. Finally, while the criminal law requires "preparation" for terrorism to include a "substantial step" in the direction of carrying out an attack, the Justice Department has suggested that FISA's definition does not. Thus, not only may lone wolf suspects be monitored despite the absence of ties to a terror group, they may not even need to be engaged in criminal conduct.

...

All of these significant differences make sense in the context of spying aimed at a member of an international terrorist conspiracy. But the lone wolf provision effectively aims a Howitzer at a gnat, allowing souped-up tools designed for Al Qaeda and the KGB to be used against people more reasonably seen as criminal suspects-and in the process, against any Americans who happen to have interactions with them.

Click here to read the article in its entirety.

What's important about the "Lone Wolf" provision to keep in mind for the purposes of the debate taking place in the Senate is that of the two competing reform proposals offered up by Sen. Patrick Leahy and Sen. Russ Feingold, it is only Feingold's that allows this authority to expire entirely.

To read more about Senator Feingold's Justice Act, and how he proposes to deal with so many of the Patriot Act's inherently unconstitutional provisions, go here.