Privacy Digest
Your daily source for news that can impact people's privacy.


 Monday, August 5, 2002
 
New York Times (free registration required) - After Sept. 11, a Legal Battle Over Limits of Civil Liberty.

A battle over the detention of more than 1,200 people is redefining the balance between individual liberties and national security.

[ ... ]

The main combatants are the attorney general and federal prosecutors on one side and a network of public defenders, immigration and criminal defense lawyers, civil libertarians and some constitutional scholars on the other, with federal judges in between.

The government's record has so far been decidedly mixed. As it has pushed civil liberties protections to their limits, the courts, particularly at the trial level, have pushed back, stopping well short of endorsing Mr. Ashcroft's tactics or the rationales he has offered to justify them. Federal judges have, however, allowed the government to hold two American citizens without charges in military brigs, indefinitely, incommunicado and without a road map for how they might even challenge their detentions.

In the nation's history, the greatest battles over the reach of government power have occurred against the backdrop of wartime. Some scholars say the current restrictions on civil liberties are relatively minor by historical standards and in light of the risks the nation faces.

New York Times (free registration required) - Privacy vs. Security on Campus.

When the news broke a week ago that a Princeton admissions officer had used the Social Security numbers of applicants to his school to view Yale University's Web site for admissions, privacy advocates were aghast not only at his act, but also at the Yale site's lack of security.

In one online forum, Richard Wiggins, an author and information technology specialist at Michigan State University, noted that most businesses with online customer accounts have learned that Social Security numbers alone offer poor security, and issue personal identification numbers as well.

It's odd that some colleges should be behind the curve in online security, since at many of them the student ID is a "smart card" that unlocks dorm doors, pays for meals at the commons and checks out books at the library, with each use providing a potential stream of data that can be used to track and monitor student activities. Health centers store medical data, and financial aid offices know each family's finances down to the penny. In addition, campuses, especially urban ones, bristle with security cameras.

"The total surveillance society is happening in the dorms sooner than anywhere else," said Peter P. Swire, a law professor at Ohio State University who was the chief counselor for privacy in the Clinton administration's Office of Management and Budget. "We don't have national ID cards, but we have student ID cards."

The campus, then, is becoming a testing ground for the kinds of security measures that are being recommended for the rest of the nation. "This is the laboratory for the future we want to have," Mr. Swire said.

The Tampa Tribune - `But Officer, I Didn't Do Anything!'.

LAKELAND - They call it a ``Voluntary Roadside Interview.''

But for hundreds of motorists flagged down by state troopers Monday on Interstate 4, there was nothing voluntary about it.

Off-duty troopers, hired at $30 an hour, picked motorists at random and directed them to pull off the interstate into a rest stop, where Palm Pilot-toting interviewers waited.

No, this roadside checkpoint wasn't looking for drunken drivers. The survey, which will cost about $150,000, was commissioned by the Florida High Speed Rail Authority to gauge public interest in riding a proposed 120 mph bullet train.

The experience left some motorists wondering what's next: Publix hiring troopers to corral interstate travelers for a marketing survey?

``They freaked me out,'' said Alan Kent, pulled over Monday on his way home to Clearwater after a concert. ``I thought they had pulled me over to search me.''

A woman traveling with Kent, who declined to give her name, was even more blunt: ``It's illegal,'' she said.

Not true, survey officials say. They said they checked with a lawyer for the Florida Department of Transportation.

``The bottom line is, we can do it. It's well within the law,'' said Adrian Share of HNTB Corp., general consultants for the rail authority. ``With the cooperation of state troopers, the state is allowed to pull people over just to seek information.''

[ ... ]

But Farouk Kahn of Orlando said the authority's methods were sneaky.

Instead of signs saying ``Traffic Survey Ahead,'' westbound traffic was greeted with red cones, ``Reduced Speed Ahead'' signs and drawings of men digging.

``I thought there was construction going on or something,'' Kahn said. ``It's like a tricky thing. You should tell the people instead of saying one thing and then doing something else.''

CNET NEWS.COM By Declan McCullagh - Is privacy the next casualty?

WASHINGTON--Sen. Mike DeWine is crusading to hand the FBI new powers to eavesdrop on immigrants and other non-citizens living in America.

The Ohio Republican, a former county prosecutor, is proposing that police need only have a "suspicion" that someone has links to terrorism before being able to spy on that person or snoop through their home.

DeWine's bill does not authorize the Feds to target American citizens or green card holders. But it does mean that the mere "suspicion" of illicit activities would be enough to wiretap the phones and bug the e-mail communications of tourists or legal immigrants who hold H-1B, B-2, TN-1, or student visas.

"We must give our intelligence community the tools they need to closely monitor non-United States persons who want to harm Americans," DeWine asserts. "I believe these changes are necessary for our government to protect Americans."

What DeWine's proposal seeks to do is unleash the full power of the mighty Foreign Intelligence Surveillance Act (FISA) against immigrants, tourists and visitors to the United States who are suspects in terrorism investigations. Currently, it's difficult for federal police to use FISA against non-Americans; DeWine's bill and a related bill introduced by Sen. Chuck Schumer, D-N.Y., would make it far easier.

As part of its post-Watergate reforms, Congress enacted FISA in 1978. Because the purpose of the law was to target foreign intelligence agents, the law granted police vast powers. An example: FISA permits the FBI to conduct warrantless physical searches and electronic surveillance against non-Americans--no court order required.

FISA even states that the attorney general "may authorize physical searches without a court order...for periods of up to one year."

FISA isn't limited to traditional phone wiretapping. There's an entire section devoted to electronic surveillance, permitting "the installation or use of an electronic, mechanical or other surveillance device." That's a flexible definition that stretches to include the FBI's Carnivore Net-surveillance system, keystroke loggers and remotely-installed surveillance systems like the FBI's Magic Lantern spyware.

But up until now, FBI agents have had to claim that they had "probable cause" to believe that a non-American was connected with a crime and was also a member of an international terrorist group. If DeWine and Schumer get their way, mere "suspicion" of any terrorist link is good enough.

Their proposals go too far. For much of the last decade, Congress has been handing more and more power to federal law enforcement. And since the attacks of Sept. 11, politicians have steadfastly dismissed privacy concerns in an attempt to bolster security by any means possible. It's reasonable to take steps to increase security, of course, but unreasonable to ignore the costs of the new rules on privacy and America's long-standing concept of limited government.

CNET NEWS.COM - Japan launches national IDs.

Japan launched a compulsory ID system on Monday in the face of stiff protests calling it a violation of privacy and a temptation to hackers.

A group of academics and activists presented the Home Affairs Ministry with a petition demanding the government halt the program, which links municipal computer systems and gives each Japanese citizen an 11-digit identification number.

The group filed a court case at the end of last month, demanding the system be abolished because it is unconstitutional.

New Scientist - "Trojan horse" rides in encryption program.

The creators of a free and widely used application for controlling computers securely over the internet are struggling to learn how a "Trojan horse" program was sneaked into the latest release of their code.

The Trojan horse turned "OpenSSH" from a reliable network security tool into a convenient back door into networks for hackers.

On the second day after the latest version of OpenSSH was released and made available for download, developers discovered that the original package had been swapped for one containing a Trojan horse. The checksum, which identifies a program cryptographically, was found to be different from the original.

Ollie Whitehouse, a UK-based researcher with the US computer security firm @Stake, says the potential for damage has been limited because the fake program was spotted fairly quickly.

"Had it been left for longer it could have been worse," he says. "OpenSSH is the de facto standard for many systems."

As the program was installed, the Trojan horse attempted to communicate with another computer on the internet and await further commands.

Political News from Wired News - Glitches in Japanese ID System.

Japan's first identification system, meant to streamline the cumbersome national bureaucracy, got out of the gate Monday with plenty of teething problems. Then there are the people who just don't like it, of course.

TOKYO -- Computer glitches and protests marked Monday's launch of Japan's first nationwide identification system, a registry that is supposed to streamline the country's often cumbersome, paper-heavy bureaucracy.

The computer network, which links local resident registries across the nation, has been a flashpoint of controversy since its inception. Opponents say it tramples individual privacy and can be used by the government to quell public dissent.

[ ... ]

"Although we are not against the registry system in principle, we believe there are some privacy and security issues that still have not been dealt with," said spokesman Satoshi Arai of the national bar association, which has formally lodged its concerns with the government.

Yahoo! News - Japan Launches ID Network Amid 'Big Brother' Angst.

TOKYO (Reuters) - Japan launched a compulsory ID system on Monday aimed at bringing government into the electronic age in the face of stiff protests calling it a violation of privacy and a temptation to hackers.

A group of academics and activists presented the Home Affairs Ministry with a petition demanding the government halt the program, which links municipal computer systems and gives each Japanese citizen an 11-digit identification number.

They filed a court case at the end of last month, demanding the system be abolished because it was unconstitutional.

"We don't want to be under government surveillance, stop the resident registry system," shouted a small band of protesters outside the ministry.

[ ... ]

The new database stores personal data -- names, addresses, dates of birth, gender and the new ID numbers -- for each of Japan's 126 million citizens, making it easier for them to obtain documents for a variety of public services and benefits.

But at least five municipalities, including Suginami Ward in western Tokyo, are refusing to join the system, while Mayor Hiroshi Nakada of Yokohama, Japan's second-largest city, said on Friday that residents would be allowed to choose whether to take part.

Seiji Osaka, mayor of Niseko in Hokkaido, said his town might withdraw from the system in September if personal information was not being fully protected.

About four million of Japan's 127 million people live in municipalities that are refusing to introduce the system, media said.

Slashdot | Your Rights Online - Governmental ID System in Japan.

Kaan writes: "Japan just launched a mandatory, nationwide ID system whereby every citizen is assigned an 11-digit identification number. The database stores personal data (name, address, date of birth, gender, possibly more data) for each person. At least five municipalities are refusing to join the system, which accounts for ~4 million of the 127 million total. While some Japanese folks are refusing to cooperate, most are going along with it. Is this the beginning of the end of privacy in Japan? How much longer until we see something like that in the U.S.?"

New York Times (free registration required) - Rumsfeld Moves to Strengthen His Grip on Military Intelligence.

Defense Secretary Donald H. Rumsfeld is moving to strengthen his control over the military's intelligence apparatus, and his first step has been to propose a civilian post reporting directly to him to manage the vast and expensive operation.

His effort to establish a new position, the undersecretary of defense for intelligence, potentially sets up a turf war for dominance over the American intelligence community.

A senior Defense Department official familiar with the secretary's thinking on intelligence matters said earlier this week that Mr. Rumsfeld was "not fighting for turf for turf's sake."

"He's an organizational man," the official said. "He wants these agencies to match functions and missions," with a single civilian official to coordinate the Pentagon's many intelligence holdings.

Many officials say they expect Mr. Rumsfeld's special adviser on intelligence policy, Richard L. Haver, to be named to the post, which would be the highest-ranking intelligence position in the Pentagon, if Congress approves it. Mr. Haver, who also has close ties to Vice President Dick Cheney, has been in charge of developing the reorganization plan on behalf of Mr. Rumsfeld.

Mr. Haver, a longtime naval intelligence officer who was Mr. Cheney's special assistant for intelligence when he was defense secretary, was in charge of intelligence policy for the Bush administration's transition team.

New York Times (free registration required) - Judge Orders U.S. to Release Names of 9/11 Detainees.

A federal judge ruled today that the Bush administration had no right to conceal the identities of hundreds of people arrested after the Sept. 11 terror attacks, and she ordered that most of their names be released within 15 days.

The ruling by Judge Gladys Kessler of Federal District Court dealt a significant setback to the government's policy of secret detentions, mostly of immigrants, in connection with the Sept. 11 investigation. Judge Kessler rejected the Justice Department's arguments that disclosure of the names would impede its investigation of terrorists.

She said that while it was the obligation of the executive branch to ensure the physical security of American citizens, "the first priority of the judicial branch must be to ensure that our government always operates within the statutory and constitutional constraints which distinguish a democracy from a dictatorship."

"Unquestionably," she added, "the public's interest in learning the identity of those arrested and detained is essential to verifying whether the government is operating within the bounds of law."

Judge Kessler's opinion in the case, which had been brought by a broad coalition of groups, including some civil liberties organizations, was the latest ruling issued in the handful of cases now making their way up the federal court system challenging some of the government's policies put in place after the Sept. 11 attacks.

InfoWorld - Fair use or foul play?

The other day I found a video of a kids' movie I bought for my son years ago. Because my son has long outgrown the video, do I have the right to give it to a friend with kids young enough to appreciate it?

I have found myself frequently raising this example in correspondence with readers about abuses of traditional fair use, free speech, and first-sale rights under the Digital Millennium Copyright Act (DMCA). With Congress considering even nastier laws that would hardwire copyright-holder protections into all types of digital devices, readers see many complex and troubling issues on the horizon.

[ ... ]

So returning to my kid's old video, do I have the right to give it away or even resell it? Under traditional interpretation of copyright law, there's no question that I do. And because it's an old video, I don't have to worry about whether or not it will play in my friend's VCR.

Why should that change because a company decides to slap a license agreement on its product or insert a copy protection scheme in it? It shouldn't. Yet in the DMCA era, it seems as if it does. Congress has already sold out some very basic rights, and with elections coming and campaign coffers needing to be filled, our politicians appear eager to sell out some more. What can we do about it? I recommend you go to http://www.eff.org and learn how you can tell your representatives that you have a vote and plan to use it.

CourtTV.Com - Trials - Dozen to face French wiretapping trial.

PARIS (AP) -- A French judge has ordered 12 people, including a top aide to former Socialist President Francois Mitterrand, to stand trial for allegedly wiretapping leading lawyers, politicians and journalists two decades ago, judicial officials said Friday.

The long-standing case was opened in 1993 after complaints were filed against former officials at the Elysee presidential palace for alleged illegal telephone tapping between 1983 and 1986.

Investigating Judge Jean-Paul Valat did not fix a date for the trial, which is not likely to begin before 2004, the officials said, speaking on condition of anonymity.

Among those under investigation in the wiretap scandal are Gilles Menage, the late Mitterrand's former Cabinet director, and Louis Schweitzer, the Cabinet chief of former Prime Minister Laurent Fabius, now a top Socialist Party leader.

The scandal led to widespread fears in France about threats to democracy and left many wondering about the freedoms of their powerful president.

WirelessWeek.com - Privacy Ruling Falls Flat With Industry.

WASHINGTON--The wireless industry and privacy advocates will remain on the sidelines as the FCC opts out of creating specific rules for location privacy protections.

The FCC last week denied CTIA's request for more rules concerning the privacy of customer information--including notice, consent, security and integrity of that data. The FCC's move could further fuel industry uncertainty about location information and privacy obligations, including the weighty issue of whether opt-in consent can be assumed or whether it can never be implied.

The ruling comes on the heels of a recent FCC decision that further defined protection of customer proprietary network information, or CPNI, which both wireline and wireless carriers use. Despite that ruling, wireless carriers argue the nature of wireless and wireline technologies differs significantly enough to warrant separate rules for wireless.

CTIA has been working since 2000 to get more definition and protection for wireless customers' location data, information it contends is unique to wireless customers and carriers. The information would allow customers to be pinpointed as to their relative locations in a mobile network.

O'Reilly Network: Protecting Privacy with Translucent Databases. by Simson Garfinkel, author of Web Security, Privacy & Commerce, 2nd Edition

Unfortunately, the security on the Yale Web site was atrocious: all anybody needed to look up a student's record was that student's name, social security number (SSN), and date of birth. And it just so happened that the officials at Princeton had this same information for the most highly-contested applicants. So in April, when the Web site went live, Princeton's admissions office sprang to action as well, allegedly downloading admissions decisions from the Yale Web site on at least 18 separate occasions. The most highly sought-after applicant? President Bush's niece Lauren Bush, according to an article that appeared in The Washington Post. (Read about it at http://www.washingtonpost.com/wp-dyn/articles/A2983-2002Jul25.html and http://www.washingtonpost.com/wp-dyn/articles/A2983-2002Jul25.html .)

Most of the cyber-security professionals I've spoken with have taken a decidedly "blame-the-victim" approach with this latest story of Web site hackery. Assuming that the allegations are true, it's terrible that an administrator at Princeton would engage in such patently illegal activities. But what's even worse, they say, is that Yale would deploy a Web application so poorly conceived and implemented.

To be sure, Yale is not alone in deploying systems with poor security for personal information. Many banks and credit card companies continue to treat widely-circulated personal information, like SSNs and birthdays, as if this information is secret, available only to the bank account holder or credit card applicant. Clearly it is not, as evidenced by the national epidemic in identity fraud. But financial organizations have been stymied in their attempts to find a better means for verifying the identity of account applicants -- people with whom, by definition, the banks have no current relationship.

[ ... ]

A translucent database uses cryptographic methods like hash functions and public key cryptography to mathematically protect information so that it cannot be wrongly divulged -- not even to a crooked database administrator. Translucent databases provide for unparalleled protection of sensitive information, be that information personal, corporate, or academic. Yet, with one notable exception, translucent databases are practically unknown and unused in IT today.

The Unix password file is the one translucent database that is in wide use today. When you log into a Unix computer, you're asked to provide a username and a password. If you type the correct information, you're logged in.
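The pattern the excerpt describes, shown as an added Python example that is not code from Garfinkel's article: a password table that keeps only a salted one-way hash, and an admissions-style table indexed by a hash of the applicant's name plus an issued PIN, so neither table gives an administrator anything to read back. The class names, the issued PIN and the PBKDF2 iteration count are assumptions of this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value for this sketch


def slow_hash(secret: str, salt: bytes) -> bytes:
    """Salted, deliberately slow one-way hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)


class PasswordFile:
    """Unix-password-file pattern: store salt + hash, never the password."""

    def __init__(self):
        self.rows = {}  # username -> (salt, digest)

    def enroll(self, username: str, password: str) -> None:
        salt = os.urandom(16)  # per-user salt: equal passwords hash differently
        self.rows[username] = (salt, slow_hash(password, salt))

    def verify(self, username: str, password: str) -> bool:
        row = self.rows.get(username)
        if row is None:
            return False
        salt, digest = row
        # Recompute from the candidate and compare in constant time.
        return hmac.compare_digest(digest, slow_hash(password, salt))


class TranslucentDecisions:
    """Rows are indexed by a hash of (name, PIN); the table holds no names.

    The PIN is a random secret issued to the applicant. An SSN or birth date
    would not do: third parties already hold them, and a nine-digit number
    has too few possible values to stay hidden behind a hash.
    """

    def __init__(self):
        self.table_salt = os.urandom(16)  # stored with the table, not secret
        self.rows = {}                    # hex index -> decision

    def _index(self, name: str, pin: str) -> str:
        # Length-prefix the name so ("ab", "c") and ("a", "bc") cannot collide.
        material = f"{len(name)}:{name.lower()}|{pin}"
        return slow_hash(material, self.table_salt).hex()

    def store(self, name: str, pin: str, decision: str) -> None:
        self.rows[self._index(name, pin)] = decision

    def lookup(self, name: str, pin: str):
        # Returns None when the name/PIN pair matches no row.
        return self.rows.get(self._index(name, pin))


if __name__ == "__main__":
    # Constructed sample data, for illustration only.
    pw = PasswordFile()
    pw.enroll("alice", "correct horse")
    print("login ok:", pw.verify("alice", "correct horse"))

    db = TranslucentDecisions()
    db.store("Alice Example", "483920-17", "admitted")
    print("decision:", db.lookup("Alice Example", "483920-17"))
    print("stored index:", next(iter(db.rows)))
```

The decision itself is stored in the clear; what the table withholds is whose decision it is.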

CNET NEWS.COM - Feds: Security leaks must end.

LAS VEGAS--Security researchers and hackers who find vulnerabilities need to realize that discretion is more important than valor, several federal security experts said at the Defcon hacking conference here this weekend.

Additionally, federal officials said they would use the government's massive purchasing power to force developers to improve the security of their products.

While acknowledging that software makers continue to release buggy products, Richard Schaeffer, deputy director of the National Security Agency, stressed that publicizing a vulnerability without warning and before a patch has been created could potentially threaten U.S. computing systems.

[ ... ]

The debate over disclosing vulnerabilities has heated up as software security has become a high priority in government and industry. Security researchers who find vulnerabilities often use the information to embarrass companies and score public relations points for their own firms. Conversely, software makers frequently fail to find or disclose problems in a timely manner.

Early last week, for example, Hewlett-Packard threatened a security researcher with a lawsuit for releasing information about a flaw in Tru64, the company's high-end server software. HP backed off the threat Thursday.

The Register (UK) - Microsoft EULA asks for root rights - again.

An addition to Microsoft's End User Licensing Agreement has alarmed Register readers.

Windows XP Service Pack 1 and Windows 2000 Service Pack 3 contain a new condition which asks you to allow Windows to go and install future updates.

"You acknowledge and agree that Microsoft may automatically check the version of the OS Product and/or its components that you are utilizing and may provide upgrades or fixes to the OS Product that will be automatically downloaded to your computer," is the new bit you'll be interested in.

Consent-based push, then. And pretty similar to what you already get in Windows Update, for sure. But what's it doing in the installation sequence?

"I don't agree to let Microsoft 'automatically' (for which, read 'at Microsoft's discretion, and without my knowledge or consent'), install 'updates or fixes' (for which, read 'digital rights management facilities') so I hit 'I don't agree' and cancelled out," writes Joel Hanes from Santa Clara, CA.

Slashdot | Your Rights Online - More MS EULA Fun.

gray code writes: "The Register is reporting that Microsoft has placed an interesting wrinkle in the EULA of WinXP SP1 and Win2k SP3 that asks for the same remote admin rights as the Windows Media Player patch that raised such an uproar. I think I'll be leaving my Win2k box at SP2, thank you very much." --- Update: 08/04 15:05 GMT by T: Helix150 writes that a separate EULA for W2K's SP3 --- "contains this nasty bit: 'You may not disclose the results of any benchmark test of the .NET Framework component of the OS Components to any third party without Microsoft's prior written approval.' Hmmm..."

CNET NEWS.COM - Vigilante hacking touted as virus cure. Can vigilantism save computers from the next big virus threat?

Striking back against a computer that is attacking you may be illegal under U.S. law, but a security researcher says people should be allowed to neutralize one that is unwittingly spreading destructive Internet worms such as Nimda.

"Arguably the biggest threat the Internet faces today is the propagation of a big worm," said Timothy Mullen, chief information officer of AnchorIS, at the Defcon hacker conference here.

Slashdot | Your Rights Online - All We Want Is Whatever's On Your Machine.

kubla2000 writes: "A breathless story about how the best defense against [fill in the blank: piracy, virii, hacking] is a good offense at CNet. What struck me most though is that in the midst of the rant from Timothy Mullen (no stranger to hacking the hack as this story from computerworld magazine shows), was a throw-away line justifying the RIAA and MPAA's appeal to Congress to make it legal to do this! It seems the bandwagons have started rolling. Who's next to jump on?"


 

© copyright 1997-2003 by Paul Hardwick. All rights reserved.
All trademarks are the property of their respective owners.
Modified: 11/15/02; 7:17:50 PM
Built: 3/2/03; 12:29:08 AM
URL for current page: http://www.PrivacyDigest.com/2002/08/05
