LawMeme (Yale) found via The Shifted Librarian - Features: eBay to Law Enforcement - We're Here to Help.
Joseph E. Sullivan, Director of Compliance and Law Enforcement Relations, Senior Counsel, Trust and Safety for online auction powerhouse eBay, recently addressed a group of law enforcement officials regarding eBay's policies for cooperating with government investigations. Below are verbatim quotations from his briefing at the recent CyberCrime 2003 conference:
We [eBay] try to make rules to make it difficult for people to commit fraud and easy for you [law enforcement agencies] to investigate. One is our Privacy policy. I know from investigating eBay fraud cases that eBay has probably the most generous policy of any internet company when it comes to sharing information. [emphasis added]
We do not require a subpoena except for very limited circumstances. We require a subpoena when we need the financial information from the site, credit card info or sometimes IP information.
In other words, without a subpoena, eBay will provide all sorts of information to any law enforcement agency for any reason whatsoever. For more about eBay's law enforcement-friendly policy, read on.
Without a subpoena, eBay will provide the following information regarding an eBay user to law enforcement:
Full Name, User ID, Email Address, Street Address, State, City, Zip Code, Phone Number, Country, Company, Password, Secondary Phone, Gender, Personal or Business, Shipping information (Name, Street Address, City, State, Zip)
In addition eBay will provide the following transaction information:
Bidding History on an Item, Other Items for Sale, Feedback about a user, Bidding history of a user, Prices paid for items, Feedback rating, and Chat Room/Bulletin Board (!).
[ ... ]
That's all you need, a fax on law enforcement letterhead. No reason, no justification, and eBay starts feeding information to law enforcement. Remember when everyone got excited about the bookstore that was subpoenaed by Ken Starr in order to determine what books Monica Lewinsky purchased? Remember how the bookstore fought the subpoena? eBay doesn't even require a subpoena. eBay would have turned over the info with a mere request.
Follow the link and read on for more.
CNET NEWS.COM By Declan McCullagh - Perspective: Closer to a national ID plan?
A little-known company called EagleCheck is hoping to provide a standardized identity check technique that governments and corporations will use to verify that you are who you claim to be.
EagleCheck, a privately held firm in Cleveland, proposes that whenever someone uses a driver's license or a passport for identity verification, the ID's authenticity will be checked through EagleCheck's network that is tied to state motor vehicle and federal databases. The databases will respond by saying whether the ID is valid.
I ran into David Akers, EagleCheck's president, last week in a Senate office building where he was hawking his system to a crowd of politicians understandably nervous about Threat Level Orange, Osama bin Laden, and possible terrorist attacks sparked by a looming invasion of Iraq. Stacked on a table were brochures warning in stark crimson letters that "EagleCheck could have flagged" 14 of the 19 terrorists who hijacked planes on Sept. 11, 2001, because some had used expired visas and stolen passports.
Akers has had some success so far. In December, the Transportation Security Administration gave permission for EagleCheck to link its systems "to government databases" in a pair of test projects at the Cleveland and Akron, Ohio airports.
But EagleCheck isn't limiting its marketing plan to airport security. "We are certainly looking at a variety of other applications other than airports," said Akers, listing bars, banks, government buildings--in short, wherever ID is required--as possible customers.
If EagleCheck or a similar system succeeds, it raises the specter of something akin to a national identity card, a concept that Americans have shunned in the past but could return in a more high-tech form. (In a column last summer, I wrote about how the White House was pressuring state governments to move in this direction by standardizing on driver's licenses.)
[ ... ]
It's true that many of us already use our driver's license as a general form of identification. But a true national ID would be different in two important ways: First, it would be tied to a back-end database so all verifications would be logged with the time, date and location. Second, you likely would be required to show it on demand to police, shrinking our sphere of anonymity even more.
One problem with such a system is that it would not thwart terrorists who--if you believe the FBI--are already living in the United States and likely could obtain a valid identity card either legally or illegally. Administering such a database would require a massive bureaucracy, and the inevitable errors or glitches would eliminate an innocent person's freedom to travel from one place to another until they were corrected.
If EagleCheck or a system like it succeeds, it becomes eerily possible to imagine a future in which identity card readers are omnipresent, girding us in a constant mesh of surveillance. Want to pick up your car from the parking garage? Insert your identity card and forefinger in the reader first. Going to work at the office or coming home to an apartment building? Better make sure you have that microchipped card with you. Have any unpaid parking tickets anywhere in the United States? Better just stay at home.
Needless to say, this massive database would end up bursting with detailed records of all our life's activities. It would be incredibly valuable to police and create an irresistible temptation for misuse, either through corrupt officials or through electronic intrusions. I'm not saying that such a scenario is happening today. It isn't. But it's possible, and if there's another terrorist attack on the United States, all bets are off.
Business News from Wired News - New Privacy Menace: Cell Phones?.
Concert halls, art museums, gym locker rooms and other public places where photography is greatly discouraged may have problems from another device -- cell phones.
Cell phones with attachable cameras or cameras embedded in them have become so ubiquitous in Hong Kong, for example, that gyms there are prohibiting people from making calls in the locker room.
Privacy International - Stupid Security.
Privacy International's "Stupid Security" Competition
[ ... ]
It's become a global menace. From the nightclub in Berlin that demands the home address of its patrons, to the phone company in Britain that won't let anyone pay more than fifty pounds a month from a bank account, the world has become infested with bumptious administrators competing to hinder or harass you. And often for no good reason whatever.
The sensitive and sensible folk at Privacy International have endured enough of this treatment. So until March 15th 2003 we are running an international competition to discover the world's most pointless, intrusive, stupid and self-serving security measures.
The competition is open to anyone. Winners will be announced at the 13th Computers, Freedom & Privacy conference in New York on April 3rd.
Culture News from Wired News - Are You Scared Stupid? Do Tell.
Privacy International says security measures are getting more and more ridiculous. The organization invites the public to e-mail stories in a competition for the world's most pointless security measure.
[ ... ]
"I suspect that there are valid security measures in place, it's just hard to see them amidst all the moronic idiocy," Davies said. "These days anyone with an 80 percent polyester uniform and a badge can get away with telling the public to do anything they please."
Slashdot | Book Review - Mission Critical Security Planner.
Kerberos99 writes "Mission Critical Security Planner is a timely and important book from Eric Greenberg, author of Network Application Frameworks (reviewed on Slashdot and used as a text in many CS courses). In Mission Critical Security Planner (MCSP), Greenberg advocates an actionable, meaningful security approach that doesn't get hung up on methodology or reliance on abstract standards, like DoD and other common standards." --- Read on for the rest of Kerberos99's review.
The Chronicle of Higher Education 2/21/2003 - Control Issues.
Microsoft's plan to improve computer security could set off fight over use of online materials
[ ... ]
Colleges would decide whether to buy Palladium-capable software and hardware, and then whether to activate Palladium's security functions. But practically speaking, they would face enormous pressures to do so, especially if publishers of books, journals, software, and other electronic "content" were to adopt Microsoft's standard to deliver their materials online. The publishers could dictate that colleges had to use Palladium or else be denied access to the material. That worries many in academe, who believe that publishers would use Palladium to bar some uses of digital materials to which scholars argue that they are entitled under copyright law. That loss may outweigh the advantages of tighter security over student records, the critics say.
"If Palladium is adopted, and if other technology vendors exploit it fully to restrict access to copyrighted works, education and research will suffer," says Edward W. Felten, an associate professor of computer science at Princeton University, who was the U.S. Justice Department's chief computer-science expert in its antitrust case against Microsoft.
[ ... ]
Palladium's software components will be part of the next major version of Windows, which Microsoft has said it may release toward the end of 2004. Some hardware components that Palladium needs, including a security chip, are available already in a notebook computer, the IBM ThinkPad T30. Chip manufacturers and the major computer companies -- Dell, Gateway, Hewlett-Packard, and IBM, among others -- have begun work to redesign PC's so that they will work with Palladium software.
A key component of Microsoft's new technology is the "nexus," a minisystem that runs in a sealed-off area in the computer's memory, where private transactions can be conducted, and where designated security and copyright policies would be enforced. In theory, the nexus is immune to many of the problems that plague Windows machines, like viruses.
[ ... ]
"It's definitely going to solve a lot of security problems, but it's like any kind of new technology," says William A. Arbaugh, an assistant professor of computer science at the University of Maryland at College Park. "It can do good or evil."
Whether it is used for "good" or "evil," he says, will depend on who gets to control the technology -- colleges or the publishers whose "content" the colleges use.
[ ... ]
With Palladium, owners of content would gain at the expense of consumers of content, including professors and students, says Eben Moglen, a professor of law and legal history at Columbia University. In fact, if Palladium were to become a widely accepted way of protecting copyrighted material, Mr. Moglen says, it would create "a closed system, in which each piece of knowledge in the world is identified with a particular owner, and that owner has a right to resist its copying, modification, and redistribution."
In such a scenario, he says, "the very concept of fair use has been lost."
Ross Anderson, who holds a faculty post as a reader in security engineering at the University of Cambridge's Computer Laboratory, says Palladium will "turn the clock back" to the days before online information was widely available.
[ ... ]
Some critics, like Mr. Schiller, say Palladium might achieve the results intended by the Uniform Computer Information Transactions Act, a model law devised by the National Conference of Commissioners on Uniform State Laws, which has been enacted only in Maryland and Virginia. UCITA is "an attempt to give these software licenses the force of a signed contract, even though you didn't sign a contract," Mr. Schiller says. With Palladium, technology would "enforce" the licenses de facto, he says.
Microsoft insists that its new technology is a neutral platform. "It is certainly possible that an application vendor could choose to use [Palladium] to evaluate and enforce some software licensing terms," acknowledges Ms. Carroll. But "at the end of the day," she says, "the terms of the license for an application are strictly an issue between the vendor and the university."
Others think Palladium would be an anti-competitive tool in the hands of software publishers, especially Microsoft, which, in 1999, was found guilty by a federal-district court of monopolistic practices. With Palladium, software publishers could decide to create programs that refuse to work with rival programs, a tactic that is difficult for them to get away with now, says Seth Schoen, a staff technologist at the Electronic Frontier Foundation, a group that promotes civil liberties in cyberspace.
[ ... ]
Will MIT, whose researchers have studied Palladium, want to run it? Maybe not, says Mr. Schiller, the university's network manager. "Personally, I would never use this technology," he says. As for MIT, though, it's an open question, he says. "Palladium has to become more real for us to really decide if we can use it."
"If I had my druthers, I'd love the technology to be available and used for all the good things we could use it for," Mr. Schiller says. "But I'm enough of a realist to know that's not how it's going to play out."
Slashdot | Your Rights Online - Palladium's Power To Deny.
BrianWCarver writes "The Chronicle of Higher Education has the most detailed article I've yet seen on Microsoft's Palladium architecture. The article discusses the potential Palladium has to give publishers power to eliminate fair use and the potential for software manufacturers to use Palladium to enforce shrink-wrap licenses. Comments from several great sources, including Ed Felten (Freedom to Tinker), Eben Moglen (pro-bono counsel for the Free Software Foundation and recent Slashdot interviewee), and Seth Schoen (Electronic Frontier Foundation) among many others. Key quotations from article: Palladium could create 'a closed system, in which each piece of knowledge in the world is identified with a particular owner, and that owner has a right to resist its copying, modification, and redistribution. In such a scenario the very concept of fair use has been lost.' 'Palladium will "turn the clock back" to the days before online information was widely available.' and 'Microsoft could decide to lock everything up.'"