Thursday, September 30, 2010

Bruce Schneier on Obama's "Wiretap the Internet" Plan

I don't want to rehash everything I wrote on Tuesday, so to get my extensive coverage of this issue just go to Tuesday's post (below). What I do want to do however, is share the thoughts of privacy expert Bruce Schneier on a soon to be submitted bill that would require all Internet companies to be able to tap into any online communications that they enable.

Schneier adds some critical details to what I wrote about in my last piece, including the US becoming an exporter of a draconian surveillance infrastructure (thus making matters worse for those struggling for freedom), to the system being hacked and used by "other than government" interests for "other than law enforcement" means, to the fact that such an infrastructure would be too costly with no real benefit...except the loss of privacy and the increased threat of identity threat. Wow...sounds like a winner!

Its fairly short in length, so I'm going to post Scheier's piece on CNN.com in full:

On Monday, The New York Times reported that President Obama will seek sweeping laws enabling law enforcement to more easily eavesdrop on the internet. Technologies are changing, the administration argues, and modern digital systems aren't as easy to monitor as traditional telephones.

The government wants to force companies to redesign their communications systems and information networks to facilitate surveillance, and to provide law enforcement with back doors that enable them to bypass any security measures.

The proposal may seem extreme, but -- unfortunately -- it's not unique. Just a few months ago, the governments of the United Arab Emirates, Saudi Arabia and India threatened to ban BlackBerry devices unless the company made eavesdropping easier. China has already built a massive internet surveillance system to better control its citizens.

Formerly reserved for totalitarian countries, this wholesale surveillance of citizens has moved into the democratic world as well. Governments like Sweden, Canada and the United Kingdom are debating or passing laws giving their police new powers of internet surveillance, in many cases requiring communications system providers to redesign products and services they sell. More are passing data retention laws, forcing companies to retain customer data in case they might need to be investigated later.

Obama isn't the first U.S. president to seek expanded digital eavesdropping. The 1994 CALEA law required phone companies to build ways to better facilitate FBI eavesdropping into their digital phone switches. Since 2001, the National Security Agency has built substantial eavesdropping systems within the United States.

These laws are dangerous, both for citizens of countries like China and citizens of Western democracies. Forcing companies to redesign their communications products and services to facilitate government eavesdropping reduces privacy and liberty; that's obvious. But the laws also make us less safe. Communications systems that have no inherent eavesdropping capabilities are more secure than systems with those capabilities built in.

Any surveillance system invites both criminal appropriation and government abuse. Function creep is the most obvious abuse: New police powers, enacted to fight terrorism, are already used in situations of conventional nonterrorist crime. Internet surveillance and control will be no different.

Official misuses are bad enough, but the unofficial uses are far more worrisome. An infrastructure conducive to surveillance and control invites surveillance and control, both by the people you expect and the people you don't. Any surveillance and control system must itself be secured, and we're not very good at that. Why does anyone think that only authorized law enforcement will mine collected internet data or eavesdrop on Skype and IM conversations?

These risks are not theoretical. After 9/11, the National Security Agency built a surveillance infrastructure to eavesdrop on telephone calls and e-mails within the United States. Although procedural rules stated that only non-Americans and international phone calls were to be listened to, actual practice didn't always match those rules. NSA analysts collected more data than they were authorized to and used the system to spy on wives, girlfriends and famous people like former President Bill Clinton.

The most serious known misuse of a telecommunications surveillance infrastructure took place in Greece. Between June 2004 and March 2005, someone wiretapped more than 100 cell phones belonging to members of the Greek government -- the prime minister and the ministers of defense, foreign affairs and justice -- and other prominent people. Ericsson built this wiretapping capability into Vodafone's products, but enabled it only for governments that requested it. Greece wasn't one of those governments, but some still unknown party -- a rival political group? organized crime? -- figured out how to surreptitiously turn the feature on.

Surveillance infrastructure is easy to export. Once surveillance capabilities are built into Skype or Gmail or your BlackBerry, it's easy for more totalitarian countries to demand the same access; after all, the technical work has already been done.

Western companies such as Siemens, Nokia and Secure Computing built Iran's surveillance infrastructure, and U.S. companies like L-1 Identity Solutions helped build China's electronic police state. The next generation of worldwide citizen control will be paid for by countries like the United States.

We should be embarrassed to export eavesdropping capabilities. Secure, surveillance-free systems protect the lives of people in totalitarian countries around the world. They allow people to exchange ideas even when the government wants to limit free exchange. They power citizen journalism, political movements and social change. For example, Twitter's anonymity saved the lives of Iranian dissidents -- anonymity that many governments want to eliminate.

Yes, communications technologies are used by both the good guys and the bad guys. But the good guys far outnumber the bad guys, and it's far more valuable to make sure they're secure than it is to cripple them on the off chance it might help catch a bad guy. It's like the FBI demanding that no automobiles drive above 50 mph, so they can more easily pursue getaway cars. It might or might not work -- but, regardless, the cost to society of the resulting slowdown would be enormous.

It's bad civic hygiene to build technologies that could someday be used to facilitate a police state. No matter what the eavesdroppers say, these systems cost too much and put us all at greater risk.

Tuesday, September 28, 2010

Obama's (and Bush's) War On Privacy Targets The Internet

Wow...what can I say? Obama Administration seeks to "Wiretap the internet"...what's not to like about the sound of that news headline!?

Now, I've written in excruciating detail on this blog about what a total and complete disappointment President Obama has been on issues related to privacy and civil liberties. I'm not going to say that I expected his actions as President to fully match his words as a candidate (and constitutional scholar!). This is rarely EVER the case, particularly when it comes to issues related to national security, but this is getting downright ridiculous.

Sadly, what has become an ironclad, and increasingly dangerous "rule of thumb" in this country, is once a power is taken by the government (i.e. Patriot Act), or a civil liberty/constitutional protection erased, its gone...NO President, anymore anyway, once elected offers to "give" up power achieved by the President (s) before him. And boy oh boy has this remained true between the privacy eviscerating Administration of George W. Bush and that of President Barack Obama.

Now, before I get to the OUTSTANDING analysis of this leaked Administration proposal by Salon.com's Glenn Greenwald, let me first provide a bit more backdrop on it. Be it the Washington Post, New York Times or the San Jose Mercury News, the essential story is this: National security and U.S. law enforcement officials are preparing to submit a bill to Congress that would require all Internet companies to be able to tap into any online communications that they enable. While government officials say the legislation is needed because much communication among criminals and terrorists has moved online, privacy advocates called the proposal dangerous and excessive.

I want to provide a couple quotes from some of my privacy advocate friends too: Jeff Chester, executive director of the Center for Digital Democracy, a group that promotes the rights and interests of online consumers, said it "would give away the digital keys to our consumer data kingdom. This is too much to give away to any government, Republican or Democrat. This proposal should be fought by civil libertarians, consumers and business leaders."

The bill, which hasn't yet been released, would require companies that provide encrypted communications to be able to break into those coded signals upon receiving a legal wiretapping order,

Similarly, and thankfully, privacy advocates are challenging the claim that U.S. officials are losing their policing abilities. Let's be honest here, how can anyone in the world, with a straight face, say our government has LESS surveillance capabilities in the past, rather than MORE???

If I remember correctly, after the Sept. 11 terrorist attacks, Congress passed a succession of laws that has made it far easier for law enforcement and security officials to spy on online and other communications with or without warrants.

Marc Rotenberg, president of the Electronic Privacy Information Center, an online civil liberties group noted how the government "has also amassed massive databases of electronic information that it can use in investigations."

Privacy advocates are also arguing that providing a "back door" into online communications to allow government officials to spy on them would make those communications fundamentally insecure, providing a point of vulnerability that hackers could exploit. In Greece in 2005, hackers used just such a back door to eavesdrop on phone calls made by the prime minister and other officials.

"This is a bad idea," Rotenberg said. "Not just bad in the sense that it opens the door to Big Brother surveillance, but it "... puts Internet users and companies at greater risk of identity theft, corporate espionage and surreptitious spying."

James X. Dempsey, vice president of the Center for Democracy and Technology, an Internet policy group, said the proposal had "huge implications" and challenged "fundamental elements of the Internet revolution" -- including its decentralized design.

"They are really asking for the authority to redesign services that take advantage of the unique, and now pervasive, architecture of the Internet," he said. "They basically want to turn back the clock and make Internet services function the way that the telephone system used to function."


Kevin Bankston, senior staff attorney at the Electronic Frontier Foundation, took issue with the move. "This proposal is a drastic anti-privacy, anti-security, anti-innovation solution in search of a problem.

He noted that in an official 2009 review of 2,400 federal, state and local law enforcement applications for wiretap orders, "encryption was encountered during one state wiretap, but did not prevent officials from obtaining the plain text of the communications."

But some additional context is needed on this I think. Consider also that a government report was just released (see my last post) detailing just how lawless the FBI's monitoring of "suspects", mostly peace activists and left wing protesters (non-violent of course), were...all under the guise of the Patriot Act and the phony "war on terror" (that pretty much justifies everything in the eyes of government now).

The spying could take the form of listening to phone calls, intercepting wireless communications, harassing photographers or infiltrating protest groups. Also discovered was the way in which agencies' are increasingly connected through various information sharing measures, making it more likely that information collected on an individual by a small police department could end up in an FBI or CIA database.

Remember, the Internet is the communication tool of choice now for political activism and organizing. Doesn't the fact that the report also noted how the FBI monitored peaceful protest groups and in some cases attempted to prevent protest activities (particularly against the war) provide us with one of the clear motives behind the Administration's plan to "wiretap the Internet"?

Or, if you don't believe that is its motive, and you believe, unlike the Bush Administration, it will be wise and judicious in its use of these monitoring capabilities, then what about the next Administration? Sorry, but I don't trust a "President Romney, Huckabee, Giuliani, or Palin" further than I can throw them.

Sadly, even though we have a Democratic President, a constitutional scholar that ran on protecting privacy no less, our expanding surveillance state has not been restrained, in fact its been accelerated.

Sometimes I'm astonished how little people on the left have come to grips with the fact that on issues ranging from indefinite detention to rendition to wiretapping to ASSASSINATION OF AMERICAN citizens to use of state secrets to defend Bush Administration civil liberties assaults (something Obama rightly criticized as a candidate) to now OPPOSING whistleblower protections (which he advocated in support of as candidate) to his embrace of all the key Patriot Act provisions he so adamantly criticized as a candidate (and recently even fought behind the scenes to ensure NO REFORMS were added that might protect civil liberties) to his support for whole body imaging machines in airports to his efforts to expand the use of National Security Letters, this President is no different, whatsoever, than Bush.

Just this past week we learned that the FBI "searched eight addresses in Minneapolis and Chicago," including the home of a well-known Palestinian American anti-war activist. The attorney for the activist believes that a recent Supreme Court case that allowed prosecution of humanitarian groups seen as aiding terrorists may be responsible for the raid. Now imagine the FBI with the power to monitor all internet advocacy and communications?

Also, JUST THIS WEEK, the Obama administration employed a "state secrets" defense to urge a federal judge to dismiss a lawsuit brought by civil liberties groups who say the targeting of a U.S. citizen for killing overseas is illegal.

With all of that, let's get to Glenn Greenwald's thoughts on this (we tend to REALLY see things similarly):

The tyrannical mentality of the UAE, Saudi and Bush DHS authorities are far from aberrational. They are perfectly representative of how the current U.S. administration thinks as well: every communication and all other human transactions must be subject to government surveillance. Nothing may be beyond the reach of official spying agencies. There must be no such thing as true privacy from government authorities.

Anyone who thinks that is hyperbole should simply read two articles today describing efforts of the Obama administration to obliterate remaining vestiges of privacy. The first is this New York Times article by Charlie Savage, which describes how the Obama administration will propose new legislation to mandate that the U.S. Government have access to all forms of communications, "including encrypted e-mail transmitters like BlackBerry, social networking Web sites like Facebook and software that allows direct 'peer to peer' messaging like Skype." In other words, the U.S. Government is taking exactly the position of the UAE and the Saudis: no communications are permitted to be beyond the surveillance reach of U.S. authorities.

...

Then there is this article in The Washington Post this morning, which reports that "[t]he Obama administration wants to require U.S. banks to report all electronic money transfers into and out of the country, a dramatic expansion in efforts to counter terrorist financing and money laundering." Whereas banks are now required to report all such transactions over $10,000 or which are otherwise suspicious, "the new rule would require banks to disclose even the smallest transfers." "The proposal also calls for banks to provide annually the Social Security numbers for all wire-transfer senders and recipients." It would create a centralized database enabling the U.S. Government to monitor a vastly expanded range of financial transactions engaged in by people who are under no suspicion whatsoever of criminal activity...

...

That concept -- that the U.S. Government should not be monitoring, surveilling and collecting data on individuals who are not under criminal investigation -- was once the hallmark of basic American liberty, so uncontroversial as to require no defense. But decades of effective fear-mongering over everything from Communists to drug kingpins -- and particularly the last decade of invoking the all-justifying, Scary mantra of Terrorism -- has reduced much of the American citizenry into a frightened and meek puddle of acquiescence which not only tolerates, but craves, a complete deprivation of privacy.

Needless to say, both articles this morning are suffused with quotes from government officials tossing around the standard clichés about Scary Terrorists, Drug Lords, and other cartoon menaces hauled out to justify every expansion of government power and every reduction of individual privacy (that, of course, was the same rationale invoked by UAE and Saudi officials: "The UAE issued a statement explaining the decision, saying it had come because 'certain Blackberry services' allow users to avoid 'any legal accountability', raising 'judicial, social and national security concerns'.").

Leave aside the fact that endlessly increasing government surviellance is not only ineffective in detecting Terrorist plots and other crimes, but is actually counterproductive, as it swamps the Government with more data than it can possibly process and manage. What these Obama proposals illustrates is just how far we've descended in the security/liberty debate, where only the former consideration has value, while the latter has none. Whereas it was once axiomatic that the Government should not spy on citizens who have done nothing wrong, that belief is now relegated to the civil libertarian fringes.

...


What makes this trend all the more pernicious is that at exactly the same time that the Government is demanding greater and greater access to what you do and say, it is hiding its own conduct behind an always-higher and more impenetrable wall of secrecy. Everything you do and say must be accessible to them; you can have no secrets from them. But everything they do -- including even criminal acts such as torture, assassinations and warrantless surveillance -- is completely off-limits to you, deemed "state secrets" that not even courts can review in order to determine their legality. This is all driven by Francis Bacon's observation that "knowledge is power": the idea is to make sure that they have full knowledge of what you do (i.e., full power over it), while you have no knowledge about what they do (i.e., no power).

For those insisting that the Government must have the technological ability to eavesdrop on any and all communications in order to stop Terrorists and criminals, what are you going to do about in-person communications? By this logic, the Government should install eavesdropping devices in all private homes and public spaces, provided they promise only to listen in when the law allows them to do so (I believe there was a book written about that once). For those insisting that the Government must have the physical ability to spy on all communications, what objections could one have to such a proposal? We've developed this child-like belief that all Bad Things can be prevented -- we can be Kept Safe from all dangers -- provided we just vest enough power in the Government to protect us all. What we lose from that mentality, however, is quite vast yet rarely counted. A central value of the Internet was that it was supposed to enable the flow of information free from the surveillance and control of governmental and other authorities.

Click here to read the rest of Greenwald's post.

Its hard for me to add much to Greenwald's points, as they're so right on. Its obviously hard to argue that privacy, as both a right and an idea, isn't literally whithering away on the vine before our very eyes.

Fear as an argument, no matter how ludicrous or exaggerated, trumps privacy these days, as least when it comes to coverage in the corporate media, or positions taken by the entire Republican Party and probably a majority of the Democrats. I find it particularly dismaying that the tables have been so turned that the onus (and derision) has been placed on those that simply believe the government, or corporate America for that matter, should not have access to everything we do, particularly when we have committed no crime. Now we must prove that whatever the latest power the government seeks to enshrine as law won't stop an attack (and if we can't prove this negative, we are endangering Americans!)or how it could specifically harm us...rather than the onus being on those seeking to circumvent our privacy and rights in the name of "national security."

As I have asked many times before on this blog, is the loss of freedom, privacy, and quality of life a worthwhile trade-off for unproven protections from a terrorist threat that is far less a concern that being struck by lightening?

This increasingly intrusive surveillance state threatens the very concept of privacy, particularly privacy as a necessary requisite for liberty, which I believe it is. With privacy comes control, with control comes at least a semblance of power. The Internet is where so much of the future of political dialogue, activism, and communication will occur...I think it would be a gross mistake to allow open access to the government...we've seen how the FBI has used such monitoring capabilities when it comes to the telephone or wireless computers.

The likelihood a terrorist like Bin Laden will destroy us is extremely low…but the likelihood that our banana republic economy will is extremely high (made only higher by the amount we spend on “defending” against a mythical “enemy”). Yet, we are being led to believe there is this grave, terrorist threat out there…and there's no amount of resources we won't spend to "fight it."

I question the very premise that the government benefits from, or certainly that we need, such an all encompassing surveillance state. Remember, our military, our CIA, our spying agencies (such as NSA) are every bit corporate as they are governmental: in some cases more so. So complete is the merger that it's the same people who switch seamlessly back and forth between governmental agencies and their private "partners". This means we have not only a vast Secret Government, but one that operates with virtually no democratic accountability and is driven not by National Security concerns but by its own always-expanding private profits.

All this begs the question: who is really benefiting from this expanding surveillance state and why? More on that in future posts...

Wednesday, September 22, 2010

Justice Department: FBI Investigations of Left Leaning Groups "Improper"

I want everyone to go back in time for a bit and remember the dark days of the Bush Administration. In this case, it was the Administration's use of the Patriot Act to vastly expand the reach of the FBI, particularly in its monitoring of left leaning political advocacy groups inside the United States...all to protect us from terrorism of course (sarcasm).

One of the most damning charges the Justice Department was attempting to determine the validity of was whether the FBI targeted these groups because of their specific political "beliefs" and/or for political purposes?

As the Washington Post reports, the Justice Department concluded that on one hand, the "FBI improperly investigated some left-leaning U.S. advocacy groups after the Sept. 11, 2001, attacks...citing cases in which agents put activists on terrorist watch lists even though they were planning nonviolent civil disobedience."

But, on the other hand, the investigation stops short of asserting the FBI targeted specific groups due to their politics, which I find a bit contradictory, writing, "A report by Inspector General Glenn A. Fine absolved the FBI of the most serious allegation: that domestic groups were targeted purely for their activism against the Iraq war and other political activity, which would have violated their First Amendment rights. Civil liberties groups and congressional Democrats had accused the FBI of employing such tactics during George W. Bush's administration.

Now, before I get to a bit more of the article and the report, I want to go back a bit to describe some of what we know about the FBI's use of the Patriot Act under the Bush Administration to target liberal groups, particularly anti-war ones during the years between 2001 and 2006 in particular.

First, according to a recent report by the ACLU, there have been 111 incidents of illegal domestic political surveillance since 9/11 in 33 states and the District of Columbia.

The report shows that law enforcement and federal officials work closely to monitor the political activity of individuals deemed suspicious, an activity that was previously common during the Cold War. That includes protests, religious activities and other rights protected by the first amendment.

The spying could take the form of listening to phone calls, intercepting wireless communications, harassing photographers or infiltrating protest groups. Also discovered was the way in which agencies' are increasingly connected through various information sharing measures, making it more likely that information collected on an individual by a small police department could end up in an FBI or CIA database.

The report also noted how the FBI monitors peaceful protest groups and in some cases attempts to prevent protest activities. Its not hard to make the obvious connection between the increase in domestic political surveillance to an erosion of the standards of privacy and civil liberties in the wake of 9/11. The Patriot Act of course serves as exhibit A, as it authorized law enforcement to use tools domestically that were formerly restricted to hostile groups in foreign nations.

This all sounds VERY POLITICAL to me...otherwise where are all the examples of right wing groups being monitored? This discrepancy is particularly questionable when considering its right wing types that tend to be those advocating violence, even government overthrow, rather than peace.

And let's be clear, just because its now 2010 and we have a Democratic President, that doesn't mean this expanding surveillance state has in any way been restrained. The Patriot Act's key provisions allowing this kind of government surveillance in the first place were all renewed.

And worse, in recent months it was none other than the Department Of Justice itself that has been pressuring Congress to expand its power to obtain records of Americans' private Internet activity through the use of National Security Letters (NSLs).

All of this of course is part of a much larger trend that paints a disturbing narrative, a narrative that points in one direction only: an increasingly intrusive surveillance state with an Executive Branch getting dangerously close to being above the law.

It is just a technical matter, the Obama administration says: We just need to make a slight change in a law to make clear that we have the right to see the names of anyone’s e-mail correspondents and their Web browsing history without the messy complication of asking a judge for permission. To get this information, the F.B.I. simply has to ask for it in the form of a national security letter, which is an administrative request that does not require a judge’s signature.

These national security letters are the same vehicles that the Bush administration used after the Sept. 11, 2001, attacks to demand that libraries turn over the names of books that people had checked out. The F.B.I. used these letters hundreds of thousands of times to demand records of phone calls and other communications, and the Pentagon used them to get records from banks and consumer credit agencies. Internal investigations of both agencies found widespread misuse of the power, and little oversight into how it was wielded.

In other words, this is simply about removing one last protection we have from FBI surveillance abuses, namely, federal judges and courts and the scrutiny they could supply to requests for sensitive information made by the government. We know, for a fact, that under the Bush Administration the VAST MAJORITY of Patriot Act abuses had nothing to do with terrorism, or trying to actually catch terrorists or stop terrorist acts.

No, what makes this kind of expansion of surveillance capabilities so dangerous is that they are more often than not used to target political enemies (think peace protesters, anti-globalization protesters) or just small time drug dealers. Let's hope the President does not get rewarded the same way his predecessor did every time he starts crying about the big bad terrorist wolf.

The concern of course is that once these expanded surveillance powers (and others) are accepted, even codified, by the "left" no less, they are untouchable...and what were once considered inalienable rights, are now gone, for good.

As Glenn Greenwald noted last year,The problem is never that the U.S. Government lacks sufficient power to engage in surveillance, interceptions, intelligence-gathering and the like. Long before 9/11 -- from the Cold War -- we have vested extraordinarily broad surveillance powers in the U.S. Government to the point that we have turned ourselves into a National Security and Surveillance State. Terrorist attacks do not happen because there are too many restrictions on the government's ability to eavesdrop and intercept communications, or because there are too many safeguards and checks. If anything, the opposite is true: the excesses of the Surveillance State -- and the steady abolition of oversights and limits -- have made detection of plots far less likely. Despite that, we have an insatiable appetite -- especially when we're frightened anew -- to vest more and more unrestricted spying and other powers in our Government, which -- like all governments -- is more than happy to accept it.”

So please keep all of the above in mind when reading this Washington Post article and the findings by the Justice Department...and ask yourself, were these surveillance jobs politically motivated? I can't see how you can conclude they weren't...

More from the article:

...the report cited what it called "troubling" FBI practices in the Bush administration's monitoring of domestic groups between 2001 and 2006. In one instance, the report said, FBI officials falsely said an agent photographed antiwar demonstrators as part of a terrorism investigation, which led FBI Director Robert S. Mueller III to unintentionally give incorrect information about the incident to Congress.

In another, agents investigated members of the environmental advocacy group Greenpeace over their protest activities "with little or no basis," the report said. Agents kept the case open for more than three years, even though no charges were filed, and put the activists on a terrorist watch list, it said.

The groups that were monitored, which also include a Catholic organization that advocates for peace, compared the FBI's actions to questionable domestic spying tactics the bureau usedagainst antiwar demonstrators and others in the 1960s under longtime director J. Edgar Hoover.

"The use of McCarthyite tactics against PETA and other groups that speak out against cruelty to animals and exploitative corporate and government practices is un-American, unconstitutional, and against the interests of a healthy democracy,'' said a statement from People for the Ethical Treatment of Animals, an animal rights group that was among those monitored.


...

Civil liberties groups have long accused the bureau of overreacting to the hijackings by improperly monitoring antiwar demonstrators and environmental groups. Fine's investigation began in 2006 after the American Civil Liberties Union released documents, obtained through the Freedom of Information Act, that it said showed that the FBI was monitoring left-leaning groups.

Michael German, an ACLU senior policy counsel and former FBI agent, said Fine's report "clearly shows that the FBI was improperly spying on people's First Amendment-protected activity, and that the FBI didn't have enough internal controls to prevent abuse.''

Fine's report says that in some cases, agents began investigations of people affiliated with activist groups for "factually weak" reasons. In others, the report said, the FBI extended probes "without adequate basis" and improperly kept information about activist groups in its files.

Much of the report is about a 2002 antiwar protest sponsored by the Thomas Merton Center, a Pittsburgh-based organization dedicated to promoting peace.

Mark Berry, a probationary FBI agent with little anti-terrorism experience, attended the rally and photographed demonstrators distributing leaflets. An internal FBI document said the bureau was investigating "Pittsburgh anti-war activity,'' the report said.


Read more here.

Friday, September 17, 2010

EPIC Sues To Get More Info About Google/NSA Relationship

This headline in the Los Angeles Times caught my eye today. Now, I wrote about the original story surrounding the shady relationship between notorious privacy villain - Google - and notorious civil liberties violator - the National Security Administration - back in February of this year.

Now, we've got some movement on it, as evidenced by the privacy rights group Electronic Privacy Information Center (EPIC) suing the spy agency because it won't divulge information about its reported agreement to help the Internet company defend itself against foreign cyber attacks.

Before we get to the article, let me refresh your memory on the story, using some of what I wrote back in February:

"It's inarguable that Google is rapidly becoming the official technology sponsor of the nation and globe. For the sake of argument, let's just accept this as truth, and assume this company's reach and breadth will only grow. With that in mind, it becomes paramount - and beholden on all those that relish privacy - to keep a close eye on this global leader's attention to privacy as it relates to their technological innovations."

My problems with the NSA are too numerous to detail here for you now, but let's just say they aren't known for their deep respect for privacy or the fourth amendment. In other words, we have the largest search engine company in the world teaming up with the federal agency in charge of global electronic surveillance...and what they're doing is confidential. Hmmm....

Noah Shachtman of Wired magazine makes some important points to consider:

The NSA and its predecessors also have a long history of spying on huge numbers of people, both at home and abroad. During the Cold War, the agency worked with companies like Western Union to intercept and read millions of telegrams. During the war on terror years, the NSA teamed up with the telecommunications companies to eavesdrop on customers’ phone calls and internet traffic right from the telcos’ switching stations. And even after the agency pledged to clean up its act — and was given wide new latitude to spy on whom they liked – the NSA was still caught “overcollecting” on U.S. citizens.

According to The New York Times, the agency even “tried to wiretap a member of Congress without a warrant.”

All of which makes the NSA a particularly untrustworthy partner for a company that is almost wholly reliant on its customers’ trust and goodwill. We all know that Google automatically reads our Gmail and scans our Google Calendars and dives into our Google searches, all in an attempt to put the most relevant ads in front of us. But we’ve tolerated the automated intrusions, because Google’s products are so good, and we believed that the company was sincere in its “don’t be evil” mantra.

That’s a lot harder to swallow, when Google starts working cheek-to-jowl with the overcollectors. The company pinkie-swears that its agreement with the NSA won’t violate the company’s privacy policies or compromise user data. Those promises are a little hard to believe, given the NSA’s track record of getting private enterprises to cooperate, and Google’s willingness to take this first step.

So what exactly is the agreement between these two behemoths? That, unfortunately, isn't really clear - unless you believe those oh so trustworthy "anonymous sources". Here's what the New York Times had to say about the deal:

By turning to the N.S.A., which has no statutory authority to investigate domestic criminal acts, instead of the Department of Homeland Security, which does have such authority, Google is clearly seeking to avoid having its search engine, e-mail and other Web services regulated as part of the nation’s “critical infrastructure.”

...


On Jan. 12, Google announced a “new approach to China,” stating that the attacks were “highly sophisticated” and came from China. At the time, it gave few details about the attacks other than to say that a theft of its intellectual property had occurred and that a primary goal of the attackers had been to gain access to the Gmail accounts of Chinese human rights activists. In reaching out to the N.S.A., which has extensive abilities to monitor global Internet traffic, the company may have been hoping to gain more certainty about the identity of the attackers.

In other words, there's a lot still "unknown" here, outside of a few anonymous sources assuring us there will be no disclosures of proprietary data, on say, the tens of millions of google users. I'd also argue that it brings some perhaps some undesired, but needed attention on the Constitution subverting ways of the NSA.

As Marc Rotenberg, executive director of the Electronic Privacy Information Center, a Washington-based policy group, noted: “Google and N.S.A. are entering into a secret agreement that could impact the privacy of millions of users of Google’s products and services around the world."

He also believes the agreement covers much more than the Google hack, particularly in light of the fact that the search giant and intelligence agency were in talks prior to Google discovering that it had been hacked, stating, “What they’ve told you is that this is about an investigation of a hack involving China. I think and have good reason to believe that there’s a lot more going on.”

Wired magazine adds some needed depth to the Post and Times stories:

On Thursday, the organization filed a lawsuit against the N.S.A., calling for the release of information about the agency’s role as it was set out in National Security Presidential Directive 54/Homeland Security Presidential Directive 23 , a classified 2008 order issued by President George W. Bush dealing with cybersecurity and surveillance.

The FOIA request also seeks NSA communications with Google regarding Google’s failure to encrypt Gmail and cloud computing services. Rotenberg says EPIC wants to know what role the NSA has played in shaping privacy and security standards for Google’s services.
EPIC also filed a lawsuit against the NSA and the National Security Council, seeking a key document governing the government’s broader national cybersecurity policy, which has been shrouded in secrecy.

“We can’t afford to have secret cybersecurity policy that impacts the privacy rights of millions of internet users,” said Rotenberg.


...

Matthew Aid, NSA historian and author of The Secret Sentry, said the move troubled him. “I’m a little uncomfortable with Google cooperating this closely with the nation’s largest intelligence agency, even if it’s strictly for defensive purposes,” he told the Post.

The NSA has been embroiled since 2005 in allegations that the agency violated federal laws in conducting illegal surveillance of Americans’ phone and internet communications. Giving the agency authority over coordination of the government’s cybersecurity plan — which would include working with telecoms and other critical companies in the private sector — could put the agency in the position of surreptitiously monitoring communications.

I want to conclude by going back to Noah Shachtman of Wired magazine, and his take on the business angle in all this:

Google may need help in fighting off these hacks. But turning to Ft. Meade could wind up permanently damaging the company’s image — and the foundation of its incredible success. Already, the Russian press are talking about Google’s decision to spy with NSA, for instance. Hackers might be able to compromise some of Google’s services, for a little while. The association with the NSA could permanently cripple the company. The telegram companies and the old-school telcos were virtually monopolies; customers had nowhere to turn, if they wanted private communications. Bing and Yahoo Mail are just a click away.

There...now we're ready to look at the new developments. The Los Angeles Times reports:

The ad hoc and secretive nature of Google's arrangement with the federal spy agency also spotlights what some experts said was the lack of a clear federal plan to deal with the growing vulnerability of U.S. computer infrastructure to cyber intrusions launched from foreign countries. At risk are power grids, banks and other crucial public services.

...

The nonprofit Electronic Privacy Information Center, which has tangled with Google in the past over the security of its Gmail e-mail system, filed a request under the Freedom of Information Act for documents related to any agreement between Google and the NSA. The NSA denied the request, and on Monday the privacy group took the agency to court, seeking to force it to hand over records.

"As of 2009, Gmail had roughly 146 million monthly users, all of whom would be affected by any relationship between the NSA and Google," the privacy group's request said. "In order for the public to make meaningful decisions regarding their personal data and e-mail, it must be aware of the details of that relationship. Neither Google nor the NSA has provided information regarding their relationship."

There probably isn't a significant privacy concern in the NSA's dealings with Google, said Richard Clarke, a top national security official in the Clinton and Bush administrations and author of "Cyber War: The Next Threat to National Security and What to Do About It." "But the easy way for Google and NSA to prove that is by letting an outside group come in and find out," Clarke said.

....

In a statement, NSA declined to confirm or deny its relationship with Google. "NSA works with a broad range of commercial partners and research associates to ensure the availability of secure, tailored solutions," the statement said.

A Google spokesman declined to comment Monday, but in January, the company issued a statement saying it was "working with the relevant U.S. authorities" in response to the cyber attack.


Click here for the article in its entirety.

I don't think I need to add much to all this...I don't know what may, or may not be going on between these two Goliaths. But I do know that WE should know. So cheers to EPIC for keeping on this...as will I here...

Thursday, September 9, 2010

More On "Chipping" (RFID) School Children

I wanted to follow up just a bit on my last post (see below) about a preschool in Richmond digitally tracking children using microchips embedded into their jersey tops. As I wrote last Friday, the question for me comes down to whether the minor benefits associated with this monitoring outweigh the myriad of potential pitfalls associated with an ever expanding surveillance state.

My answer to this question of course was "no", its not a worthwhile trade off. The focus of my concerns in that last post was on the larger deleterious effect, I believe, constant, ubiquitous monitoring has on human consciousness itself, and worse, how it functions to stifle dissent in an ostensibly "free" society.

Now, before I get to some additional problems with chipping kids enumerated by my friend at the ACLU, Nicole Ozer, let me restate my conclusion from last week. I wrote:

"This issue is far from over. The rapid evolution of RFID technology and its uses makes it essential that we draw common sense lines now. Whether its video cameras on every street corner, RFID tags in our clothes and cars, or government wiretapping and corporate surveillance, or social networking sites like Facebook, or Smart Grid metering and in home monitoring technologies, or just about anything created by Google, the trend line is all too clear.

More concerning than any single threat posed by any single technology – including chipping children – is this larger pattern indicating that privacy as both a right and an idea is under siege.

As young people grow up with so much of their information so public and accessible to all, including government, and nearly every action they take is in some way being recorded and/or monitored, I fear their sense, appreciation and understanding of privacy will continue to fade away.

The consequences of such a loss would be profound. Yes, there are lots of more tangible, and immediate threats associated with the loss of privacy, from identity theft to intimidation to stalking. But, what concerns me most about the trajectory we're on is how does the knowledge that EVERYTHING you do is being watched and recorded effect human consciousness? Could we actually be stifling young peoples' creativity, their courage to dissent, and perhaps even their individuality, if they're conditioned at such a young age to accept being monitored and watched at all times?

Specifically, how does a lifetime of being constantly surveilled effect human behavior? Could it lessen peoples courage to stand up to authority (a prerequisite for a functioning democracy)? Is this all just another way to steadily stifle, and even eliminate dissent - dissent that is needed now more than ever?

But let me now transition to some more specific privacy threats these RFID chips pose to the children themselves. Remember, these chips function somewhat like a GPS system - and thus expose these children to stalking, tracking and identity theft.

Here's some of what the ACLU'S Nicole Ozer had to say:

While school officials and parents may have been sold on these tags as a "cost-saving measure," we are concerned that the real price of insecure RFID technology is the privacy and safety of small children. RFID has been billed as a "proven technology," but what’s actually been proven time and again (PDF) since the ACLU first looked at this issue in 2005 is just how insecure RFID chips can be:

* RFID chips in US passport cards were cracked and copied from a distance of 30-feet using $250 in parts bought from eBay (2009).
* RFID chips used in building access cards across the country were cracked and copied with a handheld device the size of a standard cell phone that was built using spare parts costing $20 (2007).
* California State Capitol RFID-based identification cards were cracked and copied and access was gained to member-only, secure entrances (2006).
* RFID chips implanted in humans were cracked and copied (PDF) (2006).
* The RFID chips used in the Dutch and British e-passport were cracked (PDF) (2006).

Without real security, RFID chips could actually make preschoolers more vulnerable to tracking, stalking, and kidnapping. Someone who wants to do children harm could potentially sit in a car across the street and scan the children’s jerseys without teachers, school officials, parents, or children ever knowing that any information has been read. And if this information can be read, it can be copied easily to a duplicate chip. A child could be taken off campus while the duplicate chip continues to tell RFID readers that the child is safely at school.

...

If the price for parents going to Head Start is that your kids are tracked and potentially made unsafe, that's not acceptable. These chips are really high powered. They can be read up to 100 meters away which means someone could pick up the signal from across the street from the center. So rather than make the kids safer they may be making them more vulnerable.

These are just the tip of the security issues—and we haven’t even touched on the core privacy concerns. The editors of Scientific American said it well back in May 2005: "Tagging … kids becomes a form of indoctrination into an emerging surveillance society that young minds should be learning to question."

At this point, we have far more questions than answers about the RFID system in use in Richmond:

*
What security measures are in place on the RFID chips?
* How will data collected from the chips be used? How long will it be kept?
* Were parents given a choice whether or not to have their child "chipped?"
* Were parents told how RFID technology works, what the privacy and security risks are, and what the school has done to make sure the chips are secure and compliant with student privacy laws?
* And did the County consider these questions before they received a federal grant for this program?

You can read the rest of her blog here.

To once again reiterate what I said last week, these kinds of mechanical devices might be useful for tracking cattle, but when it comes to children, RFID’s are no substitute for teacher and school staff responsibility.

And I would add, again, that in addition to these chips exposing to children to stalking, tracking and identity theft, it all strikes me as feeling a bit too much like Orwell's 1984 or Huxley's Brave New World. It's not that I'm that frightened about how this surveillance will be used against people, though that's a real concern too, but more so, I fear how this loss of privacy and freedom negatively effects consciousness - creating a more docile, servile populace.

Wednesday, September 1, 2010

Tracking Preschoolers With RFID Tags?

When I read the story today about a preschool in Richmond digitally tracking children using microchips embedded into their jersey tops I was immediately reminded of legislation I worked on a few years ago partially addressing this very issue. And of course, I also had that old "slippery slope" argument immediately come to mind when I picture all these chipped kids with digital markers tracking everywhere they go as some administrator watches.

The legislation I'm referring to (and an op-ed I had published about it) would have required any school seeking to chip their students to first ask the parents for permission. Seems like a straight forward, no brainer, right? Well, that's what we thought, until the Governor vetoed the legislation, even in the face of overwhelming support in the legislature and in the public.

Before I get into more reasons why I generally don't like the idea of chipping kids for tracking purposes, let's clarify what we're talking about. Essentially, the school is tagging the children's clothes with monitoring devices that transmit a signal to sensors installed throughout their buildings, ostensibly helping administrators secure the child's whereabouts at all times. Parents will also digitally sign the child in and out of school, thereby eliminating the need for attendance records filed by hand.

Okay, so maybe there are a few pro's to such monitoring. And at least in this case, unlike the situation I wrote about in my article, the parents are at least involved and aware. The question of course is whether the minor benefits associated with this monitoring outweigh the potential pitfalls associated with an ever expanding surveillance state.

Now let's first go back to that legislation the Governor vetoed and what I wrote at the time:

In 2005 a tiny school district in Northern California inadvertently ignited a statewide debate over the appropriate use of modern technologies in the school system. The technology in question was Radio Frequency Identification, or RFID, which the district had embedded in student badges without parents' knowledge. The children were required to carry these tracking devices or suffer suspension.

Controversy erupted when parents discovered that the new badges - which function somewhat like a GPS system - exposed their children to stalking, tracking and identity theft. Worse, the children were “chipped” without parental notice or consent. The district had intended to use the technology to remotely monitor student movement on campus; even installing readers on the bathroom doors. Parents rightly objected, strongly, but it wasn’t until a media firestorm was ignited that the district backed down.

Had the district engaged parents in a conversation before installing the RFID-enhanced ID system the community’s sensitivities and concerns could perhaps have been adequately balanced with the districts goals of enhancing campus safety and improving attendance recording.

Unfortunately that’s not how it happened, but that’s how it should have happened.

Given the controversial nature of RFID technologies, and the inherent risks associated with it, school districts should be required to notify parents and get their consent BEFORE “chipping” their children.

Schools are already required to get parental permission for sex education, field trips, and in some cases, student cell-phone use on campus.

If the Sutter case illustrates nothing else, it’s that parents, not schools, should decide whether children must carry a tracking devise. Mechanical devices might be useful for tracking cattle, but when it comes to our children, RFID’s are no substitute for teacher and school staff responsibility.

Parental notification and consent would also provide an important check on district incentives to use invasive RFID-systems. Because schools receive funding based on attendance, a financial incentive exists to closely monitor student presence on campus. But there is a line that can be crossed – RFID monitors in the bathroom, for example – between sensible oversight and invasion of privacy.

Absent a countervailing force in defense of student privacy, the district’s natural tendency will be to secure its interests at the expense of the students’. Parents can only function as this countervailing force if they are granted their rightful seat at the table. Currently, no such right exists!

The Governor had an opportunity to rectify this injustice in the form of Senate Bill (SB) 29 by Senator Joe Simitian (D-Palo Alto). The legislation was specifically crafted as a response to the Sutter County incident and to ensure that in the future schools notify parents and get their consent before embedding students with RFID-enabled tracking devices.

This pragmatic measure – remarkably and painstakingly moderate so as to be in tune with the Governor’s general sensibilities - was supported by nearly every state legislator and organizations spanning the political spectrum from the ACLU to the Liberty Coalition to the Parents and Teachers Association to the Consumer Federation of California.

Nonetheless, the Governor vetoed the bill – and missed an important opportunity to ensure child safety, protect personal privacy, and defend the rights of California parents.

Now let's go to the story in California Watch about this Contra Costa situation:

Tracking microchips have become popular in recent years as the technology of choice for pet owners, prison guards and cattle wranglers. But the rapid social acceptance of such technology troubles some civil rights and privacy advocates.

....

Cedric Laurant, a lawyer with the Electronic Privacy Information Center, said this about Brittan's microchip program in 2005:

Monitoring children with RFID tags is a very bad idea. It treats children like livestock or shipment pallets, thereby breaching their right to dignity and privacy they have as human beings. Any small gain in administrative efficiency and security is not worth the money spent and the privacy and dignity lost.


Click here to read more.

This issue is far from over. The rapid evolution of RFID technology and its uses makes it essential that we draw common sense lines now. Whether its video cameras on every street corner, RFID tags in our clothes and cars, or government wiretapping and corporate surveillance, or social networking sites like Facebook, or Smart Grid metering and in home monitoring technologies, or just about anything created by Google, the trend line is all too clear.

More concerning than any single threat posed by any single technology – including chipping children – is this larger pattern indicating that privacy as both a right and an idea is under siege.

As young people grow up with so much of their information so public and accessible to all, including government, and nearly every action they take is in some way being recorded and/or monitored, I fear their sense, appreciation and understanding of privacy will continue to fade away.

The consequences of such a loss would be profound. Yes, there are lots of more tangible, and immediate threats associated with the loss of privacy, from identity theft to intimidation to stalking. But, what concerns me most about the trajectory we're on is how does the knowledge that EVERYTHING you do is being watched and recorded effect human consciousness? Could we actually be stifling young peoples' creativity, their courage to dissent, and perhaps even their individuality, if they're conditioned at such a young age to accept being monitored and watched at all times?

Specifically, how does a lifetime of being constantly surveilled effect human behavior? Could it lessen peoples courage to stand up to authority (a prerequisite for a functioning democracy)? Is this all just another way to steadily stifle, and even eliminate dissent - dissent that is needed now more than ever?

I have to say, this all starts to sound too much like Orwell's 1984 or Huxley's Brave New World. It's not that I'm that frightened about how this surveillance will be used against people, though that's a real concern too, but more so, I fear how this loss of privacy and freedom negatively effects consciousness - creating a more docile, servile populace.

As noted privacy expert Bruce Schneier recently stated:

“…lack of privacy shifts power from people to businesses or governments that control their information. If you give an individual privacy, he gets more power…laws protecting digital data that is routinely gathered about people are needed. The only lever that works is the legal lever...Privacy is a basic human need…The real choice then is liberty versus control.”