Paul Hardwick: Violations

Justice Department takes aim at image-sharing sites | CNET News.com

Sun, 04 Mar 2007 04:12:46 GMT

The Bush administration has accelerated its Internet surveillance push by proposing that Web sites must keep records of who uploads photographs or videos in case police determine the content is illegal and choose to investigate, CNET News.com has learned.

That proposal surfaced Wednesday in a private meeting during which U.S. Department of Justice officials, including Assistant Attorney General Rachel Brand, tried to convince industry representatives such as AOL and Comcast that data retention would be valuable in investigating terrorism, child pornography and other crimes. The discussions were described to News.com by several people who attended the meeting.

A second purpose of the meeting in Washington, D.C., according to the sources, was to ask Internet service providers how much it would cost to record details on their subscribers for two years. At the very least, the companies would be required to keep logs for police of which customer is assigned a specific Internet address.

Only universities and libraries would be excluded, one participant said. "There's a PR concern with including the libraries, so we're not going to include them," the participant quoted the Justice Department as saying. "We know we're going to get a pushback, so we're not going to do that."

Attorney General Alberto Gonzales has been lobbying Congress for mandatory data retention, calling it a "national problem that requires federal legislation." Gonzales has convened earlier private meetings to pressure industry representatives. And last month, Republicans introduced a mandatory data retention bill in the U.S. House of Representatives that would let the attorney general dictate what must be stored and for how long.

TIA becomes ADVISE | Free Government Information (FGI)

Fri, 02 Mar 2007 02:13:23 GMT

Congress killed the Total Information Awareness (TIA) program in 2003 and several new programs have been reported to take its place. (See Total Information Awareness just changed its name FGI, 2006-02-26.) A forthcoming GAO report looks at the use of the Analysis, Dissemination, Visualization, Insight and Semantic Enhancement (ADVISE) system.

New Profiling Program Raises Privacy Concerns - washingtonpost.com

Wed, 28 Feb 2007 23:36:54 GMT

The Department of Homeland Security is testing a data-mining program that would attempt to spot terrorists by combing vast amounts of information about average Americans, such as flight and hotel reservations. Similar to a Pentagon program killed by Congress in 2003 over concerns about civil liberties, the new program could take effect as soon as next year.

But researchers testing the system are likely to already have violated privacy laws by reviewing real information, instead of fake data, according to a source familiar with a congressional investigation into the $42.5 million program.

Bearing the unwieldy name Analysis, Dissemination, Visualization, Insight and Semantic Enhancement (ADVISE), the program is on the cutting edge of analytical technology that applies mathematical algorithms to uncover hidden relationships in data. The idea is to troll a vast sea of information, including audio and visual, and extract suspicious people, places and other elements based on their links and behavioral patterns.

The privacy violation, described in a Government Accountability Office report that is due out soon, was one of three by separate government data mining programs, according to the GAO. "Undoubtedly there are likely to be more," GAO Comptroller David M. Walker said in a recent congressional hearing.

The violations involved the government's use of citizens' private information without proper notification to the public and using the data for a purpose different than originally envisioned, said the source, who declined to be identified because the report is not yet public.

The issue lies at the heart of the debate over whether pattern-based data mining -- or searching for bad guys without a known suspect -- can succeed without invading people's privacy and violating their civil liberties.

Administrivia: Now we have a overheated CPU ( 60 degrees centigrade )

Wed, 28 Feb 2007 00:39:01 GMT

OK, if the DDOS attack wasn't enough. Now our server went down with a temperature overload. We were up to 60 degrees centigrade when we shut down. The CPU and a broken fan have been replaced.

Administrivia: Our data-center was hit by a DDOS attack today.

Tue, 27 Feb 2007 22:19:59 GMT

Sorry for being either very slow or off the net for a while recently. The data-center we are part of was hit by a DDOS (Distributed Denial Of Service) attack recently. At the moment it looks to be under control, but we are keeping an eye on things.

AT&T Whistleblower Wins Award.

Thu, 22 Feb 2007 16:28:40 GMT

AT&T Whistleblower Wins Award.

Whistleblower Mark Klein will get some well-deserved acknowledgement when he receives a James Madison Freedom of Information Award next month. The award could hardly find a more deserving recipient [~] Klein is the former AT&T technician who exposed the extent of the government's warrantless wiretapping program

In early 2006, Klein came forward with internal AT&T documents that show the company cooperated with the NSA's secret program to eavesdrop on internet communications, in violation of federal wiretapping laws and the Fourth Amendment. Klein's evidence demonstrates that in at least one of AT&T's facilities, internet traffic was diverted to a secret, secure room to which only the NSA had access.

All of the documents have been used in EFF's court case, which is currently under review by the Ninth Circuit Court of Appeals and a portion have been made broadly available on the internet since April, 2006.

In the words of EFF Staff Attorney Kurt Opsahl, Klein is [base "]a true American hero.[per thou] This public recognition of his bravery in defense of the public's right to know is richly deserved.

[EFF: Deep Links]

Judge Refuses to Release Critical Documents in AT&T Surveillance Case.

Thu, 22 Feb 2007 15:56:51 GMT

Judge Refuses to Release Critical Documents in AT&T Surveillance Case.

Klein Declaration and Other Internal Documents to Stay Sealed for Now

San Francisco - A federal judge in San Francisco today denied requests from media groups to unseal critical evidence in the Electronic Frontier Foundation's (EFF's) class-action lawsuit against AT&T.

EFF's suit accuses the telecom giant of collaborating with the National Security Agency (NSA) in illegal spying on millions of ordinary Americans. The sealed evidence includes a declaration by Mark Klein, a retired AT&T telecommunications technician, as well as several internal AT&T documents and portions of a declaration from EFF's expert witness. Some of the evidence was previously released in redacted form, while other evidence is still completely unavailable to the media and the public.

"We're disappointed that the court did not choose to unseal all of the documents that include or refer to the evidence presented by Mark Klein and our expert, J. Scott Marcus. The government has already agreed that the evidence is neither classified nor a state secret, and is only being held under seal because of AT&T's weak trade secrecy claims," said Cindy Cohn, EFF's Legal Director. "Given that the privacy of millions of Americans is at stake, we strongly believe that the public would benefit from seeing this evidence for themselves."

Today's order is in response to a December hearing on the sealing issue. U.S. District Court Judge Vaughn Walker granted the media groups' request to intervene in the case, and said that he might revisit the unsealing motion at a later date.

For Judge Walker's full order:
http://www.eff.org/legal/cases/att/order_media_unsealing.pdf

For more on EFF's case against AT&T:
http://www.eff.org/legal/cases/att/

Contacts:

Cindy Cohn
Legal Director
Electronic Frontier Foundation
cindy@eff.org

Rebecca Jeschke
Media Coordinator
Electronic Frontier Foundation
press@eff.org

[EFF: Breaking News]

Judge Denies Complete Stay in AT&T Surveillance Case.

Thu, 22 Feb 2007 15:55:14 GMT

Judge Denies Complete Stay in AT&T Surveillance Case.

Government and AT&T Cannot Freeze Proceedings During Appeal

San Francisco - A federal judge today ruled that the Electronic Frontier Foundation (EFF) can go forward with elements of its class action lawsuit against AT&T for collaborating with the government on illegal spying in ordinary Americans -- despite the government and AT&T's request to freeze proceedings during an appeal.

In his ruling, U.S. District Court Judge Vaughn Walker opened the door to beginning the discovery process, allowing EFF to ask "limited and targeted" questions as long as those questions do not overlap with the issues under consideration in the 9th U.S. Circuit Court of Appeals.

"The government wanted to put this case in the deep freeze," said EFF Staff Attorney Kurt Opsahl. "Instead, the court has invited us to move forward with some targeted questions. We're glad to accept that invitation, which will allow progress while respecting the government's national security concerns."

Judge Walker also refused to implement a blanket stay on the other telecommunications surveillance cases transferred to his court. He ruled that unless the parties stipulate to a stay, then "defendants will answer or otherwise respond to the complaint" by March 29. Earlier today, Judge Walker denied requests from media groups to unseal critical evidence in the AT&T case.

Judge Walker did grant the media groups' request to intervene, and said he might revisit the unsealing issue at a later date.

For Judge Walker's full order:
http://www.eff.org/legal/cases/att/stayorder220.pdf

For more on EFF's case against AT&T:
http://www.eff.org/legal/cases/att/

Contacts:

Kurt Opsahl
Staff Attorney
Electronic Frontier Foundation
kurt@eff.org

Rebecca Jeschke
Media Coordinator
Electronic Frontier Foundation
press@eff.org

[EFF: Breaking News]

EFF: DeepLinks - RIAA to ISPs: Help Us Sue Your Customers Better

Sun, 18 Feb 2007 23:53:10 GMT

As if suing thousands of music fans isn't bad enough, now the RIAA wants to conscript ISPs into helping them streamline the shakedowns. The major record labels sent a letter to ISPs across the country asking them to trade away customers' rights and make the overzealous file sharing lawsuits more profitable -- and the RIAA even has the audacity to suggest that this is all for your own good.

ISPs currently have no obligation to maintain IP log files, and that's a good thing when it comes to protecting your privacy. Those log files can serve as Internet breadcrumbs -- your ISP and any third party that has access to them can retrace your online activities.

But the RIAA wants ISPs to maintain (and disclose) a customer's IP logs for six months whenever the RIAA says the user may have infringed copyright. In exchange, the record companies will reduce its initial lawsuit settlement demands. Of course, the actual customer would have no say in the matter. The RIAA letter says it wants the information kept because it could "exculpate" the customer, but of course those same records can also implicate the user. Funny, the labels don't mention that.

EFF and others have long warned that copyright claims could become an altar on which personal privacy is sacrificed. Now the RIAA wants your ISP to voluntarily wield the knife, and there's no telling what else the RIAA might ask for once this cut has been made.

The RIAA also wants ISPs to keep customers in the dark about their legal options. Before the RIAA has even verified that the user is correctly identified, it wants ISPs to send along a note saying the user might be sued and can already settle potential claims. At the same time, the RIAA scolds ISPs for giving information to their customers that could help provide sound legal counsel. Instead, the RIAA wants ISPs to direct subscribers solely to the RIAA.

Is AT&T helping the NSA ? First your phone calls and now your e-mails (For Your Eyes Only? ) NOW | PBS.

Sun, 18 Feb 2007 19:53:13 GMT

For Your Eyes Only? NOW | PBS

This week, NOW reports on new evidence suggesting the existence of a secret government program that intercepts millions of private e-mails each day in the name of terrorist surveillance. News about the alleged program came to light when a former AT&T employee, Mark Klein, blew the whistle on what he believes to be a large-scale installation of secret Internet monitoring equipment deep inside AT&T's San Francisco office. The equipment, he contends, was created at the request of the U.S. government to spy on e-mail traffic across the entire Internet. Though the government and AT&T refuse to address the issue directly, Klein backs up his charges with internal company documents and personal photos.

For Your Eyes Only? (Breaking the Story) NOW | PBS

Sun, 18 Feb 2007 19:43:54 GMT

NOW's Deborah Runcie speaks to journalist Ryan Singel, who covers civil liberty and privacy issues, about his investigative work involving AT&T and the government's alleged secret surveillance of personal electronic mail. Singel's coverage appeared in Wired News.

Judge Limits New York Police Taping - New York Times

Fri, 16 Feb 2007 15:44:49 GMT

In a rebuke of a surveillance practice greatly expanded by the New York Police Department after the Sept. 11 attacks, a federal judge ruled yesterday that the police must stop the routine videotaping of people at public gatherings unless there is an indication that unlawful activity may occur.

Four years ago, at the request of the city, the same judge, Charles S. Haight Jr., gave the police greater authority to investigate political, social and religious groups.

In yesterday's ruling, Judge Haight, of United States District Court in Manhattan, found that by videotaping people who were exercising their right to free speech and breaking no laws, the Police Department had ignored the milder limits he had imposed on it in 2003.

Citing two events in 2005 -- a march in Harlem and a demonstration by homeless people in front of the home of Mayor Michael R. Bloomberg -- the judge said the city had offered scant justification for videotaping the people involved.

"There was no reason to suspect or anticipate that unlawful or terrorist activity might occur," he wrote, "or that pertinent information about or evidence of such activity might be obtained by filming the earnest faces of those concerned citizens and the signs by which they hoped to convey their message to a public official."

While he called the police conduct "egregious," Judge Haight also offered an unusual judicial mea culpa, taking responsibility for his own words in a 2003 order that he conceded had not been "a model of clarity."

The restrictions on videotaping do not apply to bridges, tunnels, airports, subways or street traffic, Judge Haight noted, but are meant to control police surveillance at events where people gather to exercise their rights under the First Amendment.

"No reasonable person, and surely not this court, is unaware of the perils the New York public faces and the crucial importance of the N.Y.P.D.'s efforts to detect, prevent and punish those who would cause others harm," Judge Haight wrote.

Jethro M. Eisenstein, one of the lawyers who challenged the videotaping practices, said that Judge Haight's ruling would make it possible to contest other surveillance tactics, including the use of undercover officers at political gatherings. In recent years, police officers have disguised themselves as protesters, shouted feigned objections when uniformed officers were making arrests, and pretended to be mourners at a memorial event for bicycle riders killed in traffic accidents.

"This was a major push by the corporation counsel to say that the guidelines are nice but they're yesterday's news, and that the security establishment's view of what is important trumps civil liberties," Mr. Eisenstein said. "Judge Haight is saying that's just not the way we're doing things in New York City."

A spokesman for Police Commissioner Raymond W. Kelly referred questions about the ruling to the city's lawyers, who noted that Judge Haight did not set a deadline for destroying the tapes it had already made, and that the judge did not find the city had violated the First Amendment.

TSA - Not Living Up to Its Middle Name.

Thu, 15 Feb 2007 00:31:50 GMT

TSA - Not Living Up to Its Middle Name.

The Transportation Security Administration is extending an olive branch to airline travelers who have been delayed or prevented from boarding a plane on account of their name matching an identical one on the agency's "no-fly" list. The TSA recently created a Web site designed to help disgruntled detainees clear their name. However, the would-be passenger must supply some personal data, including date and place of birth, as well as identifying numbers for a driver's license, birth certificate or passport.

This could be a useful service. But TSA is not living up to its middle name - Security. TSA and the contractor that built the site have overlooked a key piece of cyber protection. The site requests a lot of personal information. When a person clicks on "submit form," it transmits an individual's data to TSA without the benefit of the secure data transfer offered by secure sockets layer. In a site secured by SSL, a Web address begins with an "https://" rather than "http://".

Consider what this means for a passenger who is stewing in the airport terminal after missing his flight because a TSA screener confused him with that other Robert Johnson on the TSA's special list. The good Mr. Johnson is told he can try to prevent this misunderstanding from happening again if he submits data requested by the travel identity verification site. He pops open his laptop, hops on the airport terminal's wireless network, completes the form and clicks "submit." Meanwhile, a digital terrorist on the other side of the terminal has just captured the data Johnson submitted because it was sent without SSL.

A tip o' the hat to Chris Soghoian, the boarding pass hacker who spotted this latest transportation security foible.

Noted cryptologist and security expert Bruce Schneier is fond of saying that so much of the Homeland Security Department's protections are "security theater." He says they are constructs designed not necessarily to make us more secure but rather to make us feel more secure. I think that aptly captures much of what is sold to the public in the name of physical and Internet security. But a security device should at least adhere to the physician's motto -- to do no harm.

Update, 9:10 a.m.:Some folks have written in to say they've seen the site offer an SSL certificate but that it warns of a certificate error. If you navigate to the submission form from the main page by clicking on the Traveler Identity Verification form link, it takes you to this page, which offers two links to the same form -- one beginning in "https://" (the link at the top), and another one halfway down the page that does not offer the SSL certificate.

Those commenting so far were visiting the site in Firefox, but when I visit the SSL page in Internet Explorer 7, it gives me a warning page that says "There is a problem with this Web site's security certificate. We recommend that you close this webpage and do not continue to this website."

[Security Fix]

RIAA Admits ISPs Have Misidentified "John Does".

Wed, 14 Feb 2007 00:33:16 GMT

RIAA Admits ISPs Have Misidentified "John Does". NewYorkCountryLawyer writes "The RIAA has sent out a letter to the ISPs telling them to stop making mistakes in identifying subscribers, and offering a 'Pre-Doe settlement option' -- with a discount of '$1000 or more' -- to their subscribers, if and only if the ISP agrees to preserve its logs for 180 days. Other interesting points in the letter (PDF): the RIAA will be launching a web site for 'early settlements,' www.p2plawsuits.com; the letter asks the ISPs to notify the RIAA if they have previously 'misidentified a subscriber account in response to a subpoena' or become aware of 'technical information... that causes you to question the information that you provided in response to our clients' subpoena'; it notes that ISPs have identified 'John Does' who were not even subscribers of the ISP at the time of the infringement; and it requests that ISPs furnish their underlying log files, not just names and addresses, when responding to RIAA subpoenas." [Slashdot: Your Rights Online]

GOP revives ISP-tracking legislation | CNET News.com

Sat, 10 Feb 2007 01:38:41 GMT

All Internet service providers would need to track their customers' online activities to aid police in future investigations under legislation introduced Tuesday as part of a Republican "law and order agenda."

Employees of any Internet provider who fail to store that information face fines and prison terms of up to one year, the bill says. The U.S. Justice Department could order the companies to store those records forever.

UK to jail privacy violators

Wed, 07 Feb 2007 19:52:28 GMT

In a move to crack down on the illegal trade in personal information UK courts will soon start jailing people who trade in, or deliberately misuse, the personal data of others, according to the Department for Constitutional Affairs.

Today's decision follows a public consultation on increasing penalties for deliberate and wilful misuse of personal data and is part of the Government's strategy on data sharing to deliver better public services to individuals.

The British Government has been increasingly concerned about an apparent growth in the trade in personal data, especially to companies that engage in spam email and cold calling marketing tactics, and under the new regulation, offenders could face up to two years in prison.

The current penalty of a small fine in the Data Protection Act have not provided a sufficiently strong deterrent.

Jail for Selling Email Lists to Spammers.

Wed, 07 Feb 2007 19:39:19 GMT

Jail for Selling Email Lists to Spammers. amigoro writes "UK will start jailing the people who trade in email addresses, or any other personal data. The current Data Protection Act only fines people who do that, but the money one can make from trading in personal information was far higher than the measly GBP 5000 one had to pay if caught. The new regulations will result in a two year prison sentence for violating the Act." [Slashdot: Your Rights Online]

US Set on Expansion of Security DNA Collection.

Mon, 05 Feb 2007 19:28:59 GMT

US Set on Expansion of Security DNA Collection. An anonymous reader dropped us a link to this New York Times article about a 'vast expansion' of DNA sampling here in the US. A little-noticed rider to the January 2006 renewal of the 'Violence Against Women Act' allows government agencies to collect DNA samples from any individual arrested by federal authorities, and from every illegal immigrant held for any length of time by US agents. The goal is to make DNA collection as routine a part of detainment as fingerprinting and photography. Privacy experts and immigrant rights groups are decrying this initiative already. Many are also skeptical of lab throughput, as FBI analysts indicate this may increase intake by as much as a million samples per year. There is already a backlog of 150,000 samples waiting to be entered into the agency's database. [Slashdot: Your Rights Online]

TiVo and User Privacy.

Mon, 05 Feb 2007 18:40:02 GMT

TiVo and User Privacy.

The San Francisco Chronicle reports that TiVo is collecting and selling data on what parts of broadcasts people are rewinding for review and what commercials they are skipping. Dubbed [base "]StopWatch,[per thou] this data-collection practice reflects the growing ease with which various media and Internet service providers can collect and exploit vast amounts of information about consumers[base '] everyday habits.

TiVo maintains that there is little privacy threat to end users, arguing that [base "]We don[base ']t know what any particular person is watching,[per thou] and [base "]We only know what a random, anonymous sampling of our user base is watching.[per thou] While it is probably true that they are only accessing and selling a random, anonymous sampling of usage data, the larger concern is that user data is collected and stored in the first place. The fact that they only sample a random subset of the data is only a temporary comfort (and perhaps only a temporarily self-imposed restriction). And given the aftermath of AOL[base ']s botched release of [base "]anonymized[per thou] user data, I have less comfort with TiVo[base ']s claim that the data is truly anonymous.

TiVo is trying to do the right thing, but I[base ']m concerned that their execution might fail. Time will tell. (And this would make an excellent case study for any student looking to explore the privacy implications of new media technologies[sigma]hint hint)

[michaelzimmer.org]

TiVo sees if you skip those ads

Mon, 05 Feb 2007 18:37:53 GMT

TiVo revealed the other day that it's offering TV networks and ad agencies a chance to receive second-by- second data about which programs the company's 4.5 million subscribers are watching and, more importantly, which commercials people are skipping.

This raises a pair of troubling questions: Is TiVo, which revolutionized TV viewing with its digital video recording technology, now watching what people watch? And is it selling that sensitive info to advertisers and others?

The answers, apparently, are no and no.

"I promise with my hand on a Bible that your data is not being archived and sold," said Todd Juenger, TiVo's vice president and general manager of audience research and measurement.

"We don't know what any particular person is watching," he said. "We only know what a random, anonymous sampling of our user base is watching."

Still, privacy advocates say TiVo's new data service -- dubbed StopWatch -- reflects the growing ease with which companies could, if they so choose, collect and exploit vast amounts of information about consumers' everyday habits.

"It's a constant struggle to maintain your privacy in the modern era," said Kurt Opsahl, a staff attorney at San Francisco's Electronic Frontier Foundation. "We have entered an era in which more and more information about you is being collected and maintained."

He added: "In the past, you had a lot of privacy protection because information about you was too difficult to collect and sort. Now that protection is gone because computers can do it."

TiVo's potential to monitor (and embarrass) millions of people was made clear in 2004 after Janet Jackson's right breast made a surprise appearance during the Super Bowl halftime show.

TiVo reported that this fleeting glimpse of celebrity flesh "drew the biggest spike in audience reaction TiVo has ever measured ... as hundreds of thousands of households used TiVo's unique capabilities to pause and replay live television to view the incident again and again."

Sowing the Seeds of Surveillance.

Fri, 02 Feb 2007 06:49:55 GMT

Sowing the Seeds of Surveillance. History suggests the spy technology we build to catch terrorists will eventually be used to bust minor scofflaws. Commentary by Jennifer Granick. [Wired News: Security Blanket]

The Seattle Times: Local News: PSE to pay $995,000 for violating consumer privacy rules

Mon, 29 Jan 2007 18:00:49 GMT

SEATTLE - Puget Sound Energy will pay $995,000 for violating consumer privacy laws by giving information on thousands of customers to an outside marketing company and will permanently abolish the program under a settlement approved Monday by the state Utilities and Transportation Commission.

Under the settlement agreement, the utility agreed to pay a $900,000 penalty, contribute $95,000 to its low-income heating assistance program and avoid such violations in future.

PSE will comply, utility spokeswoman Martha Monfreid said Monday.

"We discontinued the program last March as soon as the commission raised the issue of there being privacy issues," she said.

The utility acknowledged transferring, through its PSE Connections marketing program, more than 65,000 phone calls, as well as basic information on new and relocating customers, to Georgia-based Allconnect, Inc. between November 2001 and March 2006.

Due to a two-year statute of limitations, only 18,992 call transfers were made subject to penalties.

Under state regulations, privately owned gas and electric companies cannot release or sell customer information to a third party for marketing purposes without written permission from customers.

"We conclude that PSE intentionally violated the rule as part of a corporate decision to sell its customers' private information for financial gain," the commission said in its written decision.

Wired News: Hillary: The Privacy Candidate?

Mon, 29 Jan 2007 02:24:38 GMT

The issue of digital-era privacy did not make it to the top of Sen. Hillary Rodham Clinton's legislative to-do list at the Saturday launch of her presidential campaign. But for those who look, the New York Democrat has clearly staked out her positions on the esoteric subject, and they're sending electronic civil libertarians' hearts a twitter.

Clinton, the presidential front-runner among Democrats in way-early polling, addressed electronic privacy issues at a constitutional law conference in Washington, D.C. last June. There she unveiled a proposed "Privacy Bill of Rights" that would, among other things, give Americans the right to know what's being done with their personal information, and offer consumers an unprecedented level of control over how that data is used.

"At all levels, the privacy protections for ordinary citizens are broken, inadequate and out of date," Clinton said.

These ideas have long been championed by consumer groups and civil liberties advocates, but are largely strangers to presidential campaigns. Other Democrats who have announced presidential exploratory committees for the 2008 election -- including Illinois Sen. Barack Obama and 2004 vice presidential candidate John Edwards -- have worked on privacy issues through their careers as government officials. But Clinton's approach is notable for its range and detail, say privacy advocates.

"Sen. Clinton's plan is well-informed and the most sophisticated statement in recent years by a presidential candidate on privacy issues," said Chris Hoofnagle, a law professor at UC Berkeley's School of Law. "She grasps consumers' frustrations with the annoyance of direct marketing, but also the more important point that a lack of privacy can lead to lost opportunities and oppressive social control."

Clinton's stance on consumer privacy hearkens back to the debates of the '90s when Congress and the public began agonizing over the question of who should wield the most control over consumers' transactional data. Her general policy position is that companies should cede more control to consumers, and that new legislation should be enacted to make it easier for consumers to recover monetary damages from companies that violate their privacy policies.

For example, Clinton said that financial companies as a rule should not be allowed to share consumers' transactional information without first obtaining their permission. Under current law, financial institutions freely share certain kinds of customer information unless consumers specifically opt-out.

Google Antiphishing Site Exposed Private User Data.

Sat, 27 Jan 2007 23:49:15 GMT

Google Antiphishing Site Exposed Private User Data. Juha-Matti Laurio writes "Google has removed a few user names and passwords posted inadvertently to a phishing blacklist it compiles and makes publicly available on the Web. This information was submitted to Google by Firefox users with the browser's internal antiphishing toolbar. This feature, developed in cooperation with Google, enables users to report potential phishing sites to Google's blacklist database. Google has reportedly implemented a new mechanism detecting login data in submitted URLs to prevent sensitive information from getting posted to the list." The article notes that news of this minor lapse may obscure the ongoing problem of sensitive data exposed on the Web and findable via Google and other search services. [Slashdot: Your Rights Online]

Gonzales Questions Habeas Corpus | BaltimoreChronicle.com

Sat, 27 Jan 2007 22:52:09 GMT

In one of the most chilling public statements ever made by a U.S. Attorney General, Alberto Gonzales questioned whether the U.S. Constitution grants habeas corpus rights of a fair trial to every American.

Responding to questions from Sen. Arlen Specter at a Senate Judiciary Committee hearing on Jan. 18, Gonzales argued that the Constitution doesn't explicitly bestow habeas corpus rights; it merely says when the so-called Great Writ can be suspended.

"There is no expressed grant of habeas in the Constitution; there's a prohibition against taking it away," Gonzales said.

Gonzales's remark left Specter, the committee's ranking Republican, stammering.

"Wait a minute," Specter interjected. "The Constitution says you can't take it away except in case of rebellion or invasion. Doesn't that mean you have the right of habeas corpus unless there's a rebellion or invasion?"

Gonzales continued, "The Constitution doesn't say every individual in the United States or citizen is hereby granted or assured the right of habeas corpus. It doesn't say that. It simply says the right shall not be suspended" except in cases of rebellion or invasion."

"You may be treading on your interdiction of violating common sense," Specter said.

While Gonzales's statement has a measure of quibbling precision to it, his logic is troubling because it would suggest that many other fundamental rights that Americans hold dear also don't exist because the Constitution often spells out those rights in the negative.

For instance, the First Amendment declares that "Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press, or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances."

Applying Gonzales's reasoning, one could argue that the First Amendment doesn't explicitly say Americans have the right to worship as they choose, speak as they wish or assemble peacefully. The amendment simply bars the government, i.e. Congress, from passing laws that would impinge on these rights.

Similarly, Article I, Section 9, of the Constitution states that "the privilege of the Writ of Habeas Corpus shall not be suspended, unless when in Cases of Rebellion or Invasion the public Safety may require it."

The clear meaning of the clause, as interpreted for more than two centuries, is that the Founders recognized the long-established English law principle of habeas corpus, which guarantees people the right of due process, such as formal charges and a fair trial.

That Attorney General Gonzales would express such an extraordinary opinion, doubting the constitutional protection of habeas corpus, suggests either a sophomoric mind or an unwillingness to respect this well-established right, one that the Founders considered so important that they embedded it in the original text of the Constitution.

Sen. Rockefeller Promises Scrutiny of NSA Spying Program.

Sat, 27 Jan 2007 20:27:41 GMT

Sen. Rockefeller Promises Scrutiny of NSA Spying Program.

Over five years since it first began, the NSA's massive domestic spying program remains shrouded in secrecy. Despite the President's determination to dodge meaningful oversight, key members of the newly elected Congress may soon take steps to rein in this illegal activity.

In an interview with the LA Times, Senator John Rockefeller, the new Chairman of the Senate Intelligence Committee, "rejected the Bush administration's claim that it had brought a controversial domestic spying program into compliance with the law, saying he wanted strict new rules requiring the government to obtain a separate warrant every time it places a wiretap on a U.S. resident."

The article also notes that "The committee recently designated eight members of its staff to examine the NSA program and to begin drafting new requests for documents that the Bush administration had refused to turn over to the panel [~] including the initial presidential order authorizing the domestic surveillance program."

Take action now to support immediate and thorough investigations into the NSA spying program.

[EFF: Deep Links]

Maine rejects Real ID Act | CNET News.com

Sat, 27 Jan 2007 20:20:03 GMT

Maine overwhelmingly rejected federal requirements for national identification cards on Thursday, marking the first formal state opposition to controversial legislation scheduled to go in effect for Americans next year.

Both chambers of the Maine legislature approved a resolution saying the state flatly "refuses" to force its citizens to use driver's licenses that comply with digital ID standards, which were established under the 2005 Real ID Act. It asks the U.S. Congress to repeal the law.

The vote represents a political setback for the U.S. Department of Homeland Security and Republicans in Washington, D.C., which have argued that nationalized ID cards for all Americans would help in the fight against terrorists.

"I have faith that the Democrats in Congress will hear this from many states and will find a way to repeal or amend this in the coming months," House Majority Leader Hannah Pingree, a Democrat, said in a telephone interview after the vote. "It's not only a huge federal mandate, but it's a huge mandate from the federal government asking us to do something we don't have any interest in doing."

The Real ID Act says that, starting around May 2008, Americans will need a federally approved ID card--a U.S. passport will also qualify--to travel on an airplane, open a bank account, collect Social Security payments or take advantage of nearly any government service. States will have to conduct checks of their citizens' identification papers, and driver's licenses likely will be reissued to comply with Homeland Security requirements.

TrackStick: Amateur Surveillance.

Fri, 26 Jan 2007 15:38:13 GMT

TrackStick: Amateur Surveillance.

I just received a (spam) e-mail asking me if I'm interested in becoming a reseller of the TrackStick or TrackStick Pro. Um, no.

TrackStick is a GPS tracking device featuring software integrated with Google Maps to enable tracking of oneself (I suppose) and amateur surveillance of others (more likely). The device records its location, time, date, speed, heading and altitude at preset intervals. With over 1Mb of memory, they claim it can store months of travel information. Downloading the data to their software allows the user to trace the devices activity via Google Maps and even Google Earth. The screenshot to the right reveals that a device was at a shopping mall on Sept 16 at 4:33pm and stayed there for 6 minutes.

The basic version looks like a typical USB flash drive. You can simply drop it in your wife's purse or kids backpack, and they'd probably never know. The sales pitch touts various applications:

Find where your kids have beenVerify
employee driving routesReview
family members driving habitsWatch
large shipment routesKnow
where anything or anyone has been

The Pro version is meant to be permanently installed on vehicles and features tamper resistant labels so you know if your employee or loved one has become suspicious and tries to remove the device.

Amateur surveillance has never been so easy...

[michaelzimmer.org]

Editor: Links removed since I don't want to help the products search ranking in any way. Hmm, They didn't ask me to sell their product. Should I be happy or insulted ;-)

Trial begins soon on N.H.'s prescription privacy law - Boston.com

Tue, 23 Jan 2007 00:53:46 GMT

CONCORD, N.H. --A new state law barring data mining companies from getting information about individual doctors' drug prescribing habits will go on trial next week in federal court.The law, which took effect last June, made New Hampshire the first state to try to block drug manufacturers' hard-sell tactics by restricting access to data that identifies individual doctors.

The law is supposed to prevent drug company sales representatives from learning which doctors favor brand name drugs or generics, and which are more willing to try new drugs.

Bulk data including prescribers' zip codes, location and medical specialties may be released under the law, and the information also may be used for care management, clinical trials or education.

Two companies that collect, analyze and sell such information sued the state days after the law took effect, arguing it violates the U.S. Constitution by impeding free speech in the "marketplace of ideas."

New Hampshire represents fewer than 1 percent of prescriptions written nationwide. But IMS Health Inc. and Verispan LLC fear other states could follow suit, harming access to valuable information.

IMS Health executive Randolph Frankel said such data, used for detailed profiles of doctors and hospitals, can help consumers make better choices and can better inform public health decisions.

PSE penalized for illegal release of private customer data | NWCN.com | News for Seattle, Washington

Tue, 23 Jan 2007 00:48:23 GMT

OLYMPIA - State regulators on Monday penalized Puget Sound Energy nearly $1 million for violating consumer privacy laws by intentionally sharing customers' private information with an outside marketing partner without the customers' written permission.

The Washington Utilities and Transportation Commission accepted a settlement that calls for PSE to pay a $900,000 penalty, contribute an additional $95,000 to low-income heating assistance and permanently cease the marketing program that released private customer information in violation of state law.

Under the settlement, PSE acknowledged transferring more than 65,000 phone calls to an outside marketing firm without the customers' written permission over a five-year period.

In March 2006, the UTC began an investigation into a report that PSE call-center employees were transferring some customer calls and information to Allconnect, Inc., a Georgia-based marketing company. Known as PSE Connections, the program marketed household services, such as telephone, newspaper and lawn services, to PSE's residential customers.

PSE received payment for transferring these residential customers to Allconnect. After PSE transferred a call and customer information, Allconnect would confirm the service order and then market additional services.

U.S. Agency Tries to Fix No-Fly List Mistakes - washingtonpost.com

Tue, 23 Jan 2007 00:25:09 GMT

Every time Kiernan O'Dwyer arrived at the airport after traveling overseas in recent years, he was flagged as a potential terrorist. But his uniform was a dead giveaway to his true identity: He is a veteran pilot for American Airlines.

U.S. customs agents have stopped him about 80 times since 2003, apparently because his name and birth date nearly match those of an Irish Republican Army leader, one of at least 300,000 names on the U.S. government's watch lists. O'Dwyer falls under an unenviable category of false positives, people who are wrongly detained because some of their personal information matches that of a terrorist or other suspect.

The number of misidentifications is unknown, according to government auditors, but it has caused headaches for a cross-section of travelers, including nuns, infants and members of Congress. The U.S. Customs and Border Protection agency, under the jurisdiction of the Homeland Security Department, said it was trying to remedy the problem with a system to prevent unwarranted detentions on international flights.

An agency official said in an interview that the system, launched in February 2006, has eliminated about 17,500 detentions involving people entering the country at airports, seaports and at land borders. It is part of what the government says is an effort to prevent terrorism while not inconveniencing travelers or violating their privacy and civil liberties, though it is not yet applied to domestic flights.

The challenge is complicated by the vast and growing databases of electronically stored personal information that draw on different agencies' records, which must be continually updated to be accurate. Federal agencies and airlines are using computer-driven algorithms to compare travelers' names against watch lists.

Under the new system, which overrides Customs and Border Protection's main database, people continue to be stopped if their name appears on a watch list. But if the follow-up screening clears them, customs agents make note of that so the next time they travel, those people should not be detained.

Google, Yahoo, Microsoft, Others to Address Human Rights Violations.

Sun, 21 Jan 2007 04:21:32 GMT

Google, Yahoo, Microsoft, Others to Address Human Rights Violations.

An important press release came out this week regarding a coalition of Internet companies, IT providers, human rights organizations, and academics joining forces to address human rights violations enabled by technologies and practices by some of the member organizations, such as providing means of surveillance for regimes like China to identify and jail dissident citizens. From the release:

A diverse group of companies, academics, investors, technology leaders and human rights organizations announced today its intention to seek solutions to the free expression and privacy challenges faced by technology and communications companies doing business internationally.

The process " which aims to produce a set of principles guiding company behavior when faced with laws, regulations and policies that interfere with the achievement of human rights " marks a new phase in efforts that these groups began in 2006.

Last year, Google, Microsoft, Vodafone and Yahoo!, with the facilitation of Business for Social Responsibility (BSR) and advice from the Berkman Center for Internet & Society at Harvard Law School, initiated a series of dialogues to gain a fuller understanding of free expression and privacy as they relate to the use of technology worldwide.

At the same time, the Center for Democracy and Technology (CDT) was also convening technology leaders, investors and human rights advocates to discuss how to advance civil liberties on the Internet in the face of laws that run contrary to international standards for human rights.

Both processes benefited from dialogue, research and policy expertise on internet filtering and surveillance practices from the OpenNet Consensus, a coalition of academic institutions including the University of California Berkeley's Graduate School of Journalism and School of Law-Boalt Hall, the Berkman Center and others.

The new combined group, in addition to developing the principles, seeks to advance their effectiveness by establishing a framework to implement the principles, hold signatories accountable and provide for ongoing learning.

"Technology companies have played a vital role building the economy and providing tools important for democratic reform in developing countries. But some governments have found ways to turn technology against their citizens -- monitoring legitimate online activities and censoring democratic material," CDT Executive Director Leslie Harris said. "It is vital that we identify solutions that preserve the enormous democratic value provided by technological development, while at the same time protecting the human rights and civil liberties of those who stand to benefit from that expansion."

More commentary John Palfrey and Rebecca MacKinoon, as well as Yahoo itself.

[michaelzimmer.org]

Deletions in Army Manual Raise Wiretapping Concerns - New York Times

Wed, 17 Jan 2007 18:52:51 GMT

WASHINGTON, Jan. 13 -- Deep into an updated Army manual, the deletion of 10 words has left some national security experts wondering whether government lawyers are again asserting the executive branch's right to wiretap Americans without a court warrant.

The manual, described by the Army as a "major revision" to intelligence-gathering guidelines, addresses policies and procedures for wiretapping Americans, among other issues.

The original guidelines, from 1984, said the Army could seek to wiretap people inside the United States on an emergency basis by going to the secret court set up by the Foreign Intelligence Surveillance Act, known as FISA, or by obtaining certification from the attorney general "issued under the authority of section 102(a) of the Act."

That last phrase is missing from the latest manual, which says simply that the Army can seek emergency wiretapping authority pursuant to an order issued by the FISA court "or upon attorney general authorization." It makes no mention of the attorney general doing so under FISA.

Bush administration officials said that the wording change was insignificant, adding that the Army would follow FISA requirements if it sought to wiretap an American.

But the manual's language worries some national security experts. "The administration does not get to make up its own rules," said Steven Aftergood, who runs a project on government secrecy for the Federation of American Scientists.

VOA News - US Senate Judiciary Committee Examines Privacy Issues

Wed, 17 Jan 2007 18:30:07 GMT

The Senate Judiciary Committee met Wednesday to hear whether government databases that store information about U.S. citizens violate the privacy rights of U.S. citizens. VOA's Sean Maroney reports from Washington.

The incoming chairman of the Senate Judiciary Committee, Patrick Leahy of Vermont, made clear his priorities by devoting the committee's first hearing of the year to an examination of the data-mining computer programs used by the government.

U.S. authorities say the programs, by enabling them to search through large computer banks of information, help them to identify terrorists or criminals.

But Leahy expressed concern that by using the programs the Bush administration has ignored privacy laws, sidestepped Congress and violated citizens' right to privacy.

"All I want is the administration to follow the law," he said. "They want us to follow the law. They ought to follow the law... We all want to stop terrorists, but we don't want to make our own government treat us - all of us - like we are terrorists."

Feds Check Credit Reports Without a Subpoena.

Tue, 16 Jan 2007 20:56:23 GMT

Feds Check Credit Reports Without a Subpoena. An anonymous reader points out that, by using National Security Letters, the FBI and other agencies can legally pull your credit report. The letters have been used by the FBI (mostly) but in some cases by the CIA and Defense Department. From the article: "'These statutory tools may provide key leads for counterintelligence and counterterrorism investigations,' Whitman said. 'Because these are requests for information rather than court orders, a DOD request under the NSL statutes cannot be compelled absent court involvement.'" Recipients of the letters, banks and credit bureaus, usually hand over the requested information voluntarily. A posting at tothecenter.com quotes the Vice President on the use of the letters: "It's perfectly legitimate activity. There's nothing wrong or illegal with it. It doesn't violate people's civil rights... The Defense Department gets involved because we've got hundreds of bases inside the United States that are potential terrorist targets."[Slashdot: Your Rights Online]

New Plan In UK For "Big Brother" Database.

Mon, 15 Jan 2007 05:51:25 GMT

New Plan In UK For "Big Brother" Database. POPE Mad Mitch writes "The BBC is reporting that Tony Blair is going to unveil plans on Monday to build a single database to pull together and share every piece of personal data from all government departments. The claimed justification is to improve public services. The opposition party and the Information Commission have both condemned the plan as another step towards a 'Big Brother' society. Sharing information in this way is currently prohibited by the 'over-zealous' data protection legislation. An attempt to build a similar database was a key part of the, now severely delayed, ID card scheme." [Slashdot: Your Rights Online]

Kansas: Concern Over Abortion Records - New York Times

Wed, 10 Jan 2007 20:23:34 GMT

The state attorney general, Paul Morrison, left, said he was concerned that patient records his predecessor gathered in a failed effort to prosecute an abortion doctor might have been copied, making them insecure. The former attorney general, Phill Kline, had appointed a special prosecutor to handle the case against the doctor, George Tiller. Mr. Morrison said he planned to fire the prosecutor, Don McKinney, who in the past has protested outside Dr. Tiller's clinic. But he said Mr. Kline had already given Mr. McKinney partial records on about 90 clinic patients. Mr. McKinney did not return a call seeking comment.

Sentinel & Enterprise - Bush violating personal privacy rights again

Wed, 10 Jan 2007 02:59:26 GMT

The White House denies it, but personal privacy has taken another big hit at the hands of the Bush administration.

The president has decreed that his agents do not need a search warrant to open and read first class mail. Traditionally -- and by law -- the government has had to go before a judge to justify a request to open a private letter.

But in one of the president's notorious signing statements -- and he has issued more than 750 of them, more than all other presidents combined, according to the ABA -- the president said he could order warrantless searches of the mail in "exigent" circumstances.

"Exigent" is a spongy word, meaning urgent. And who gets to decide when circumstances are urgent? The Decider himself.

In signing statements that the president appends to bills Congress has passed, Bush reserved the right to interpret the legislation as he sees fit or even ignore it altogether. He has earlier asserted the right to eavesdrop electronically without warrants.

US admits privacy breach on airline data.

Wed, 10 Jan 2007 01:40:22 GMT

US admits privacy breach on airline data.

Information grab

The US Government has admitted that it broke privacy laws in its domestic airline passenger data scheme. The Homeland Security Department has admitted that it gathered more information than it had said it would.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]

Web stalkers to get face search plug-in.

Mon, 08 Jan 2007 19:32:12 GMT

Web stalkers to get face search plug-in.

Polar Rose dodges thorny issues

Opinion If privacy campaigners think the internet has given them stomach ulcers, they ain't seen the latest in facial recognition web search yet.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]

Face Recognition for Online Photo Searches Sparks Privacy Fears

Sat, 06 Jan 2007 22:34:51 GMT

A new type of search engine using facial recognition technology could soon be able to pinpoint images of a person among the billions of photos posted online--even if their name does not appear.

A Swedish company named Polar Rose plans to launch its service for facial searches tied to the photo-sharing site Flickr within a couple weeks.

In the next few months the firm hopes to expand the service to search images across the entire Web.

The technology promises enhanced photo finding that would make it easier to find people on the Internet.

But privacy advocates are concerned that Polar Rose and similar facial-mapping search engines will violate people's rights and potentially aid criminals.

Lee Tien is an attorney at the Electronic Frontier Foundation, an Internet watchdog group that focuses on privacy and civil liberties.

"Photos [posted online] are effectively anonymous now," Tien said, unless they are labeled with some sort if identifying text. "But if Polar Rose works the way they say it will, that's all going to change."

Tien said that this kind of technology could aid stalkers in tracking down their victims, or it could allow employers, insurance companies, and the government to pry into people's lives more than some of us would like.

Editor: The situation is currently being discused in a public discussion area over at Flickr itself. Stewart who works for Flickr and is one of the original big wigs commented early today in the thread. He said:

As far as I know they've never been in touch with us (I'll ask around internally). Judging from the screenshot, it looks like an explicit opt-in feature (which makes sense if they need people to identify the faces in the photos). If it's not opt-in, we'll have a look at how it works and see how people feel and do the right thing :)

Unfortunately from looking at many of tghe other user comments, many people still don't get it. Probably because they don't understand the linking together of data from many variuos sources/databases. Many seem to think that if its not all in one monolithic database, its not connected.

DOJ pushes FBI to broaden data sharing with outside agencies.

Sat, 06 Jan 2007 21:55:34 GMT

DOJ pushes FBI to broaden data sharing with outside agencies. The Department of Justice is pushing its operating units to speed up and expand their information-sharing efforts, and it has directed its CIO to work with them to devise plans for doing so. [Computerworld Data Mining News]

Proposal expands DNA use by police - S.C. program would be nation's most-aggressive - Post and Courier | Charleston.net

Thu, 04 Jan 2007 18:11:48 GMT

COLUMBIA - Police would have the power to seize DNA samples from anyone arrested for a crime - from shoplifting to murder - under legislation proposed by state lawmakers.

The measure would provide South Carolina with the most aggressive DNA sampling program in the nation, allowing authorities to collect a person's genetic profile for even petty offenses before he or she is tried for the crime.

Senate Pro Tem Glenn McConnell said the proposed legislation is part of a package of bills aimed at cracking down on increasing violence. Maintaining a bank of DNA samples will help police solve cases quicker and aid in the investigations of cold cases while also ensuring the falsely accused aren't prosecuted for crimes they didn't commit, he said.

Some civil rights advocates are afraid the legislation on DNA sampling goes too far, although McConnell said it has safeguards built in to ensure constitutional rights are protected.

Barbara Joslin of Charleston, a spokeswoman for the American Civil Liberties Union of South Carolina, said the organization stands against DNA collection unless DNA is part of the crime scene evidence. Otherwise, it's seen as a privacy offense and a steady decline of rights, she said.

[...]

Still, the bill would take South Carolina farther along this road than any other state. The federal government and seven states currently allow DNA samples to be taken from suspects at the time of arrest. But those states, which include California, Louisiana and Virginia, limit it to specific violent offenses or felony arrests, said Lisa Hurst, a government-affairs consultant with DNAResource.com, which tracks DNA usage by law enforcement.

New York recently enacted a measure requiring DNA samples in connection with a wide array of misdemeanor offenses, but the offender has to be convicted first, Hurst said.

[...]

"It is no more invasive than fingerprinting," McConnell said. "What could be wrong with it? I don't see where it infringes on anyone's rights. I see a tremendous amount of benefit for the law-abiding public."

Charleston School of Law professor Miller Shealy, a former federal prosecutor, said DNA technology has become widely accepted and that the courts commonly allow its use in criminal cases. But the courts have yet to weigh in on whether genetic material can be collected routinely during the booking process just to maintain a crime-solving database, he said.

"Can you just automatically get it? That's a line the courts have not officially ruled on yet," he said.

South Carolina's samples helped feed the national DNA databank overseen by the FBI.

Bush Claims Mail Can Be Opened Without Warrant.

Thu, 04 Jan 2007 17:39:49 GMT

Bush Claims Mail Can Be Opened Without Warrant. don_combatant writes to note that President Bush claimed new powers to search US Mail without a warrant. He made this claim in a "signing statement" at the time he signed a postal overhaul bill into law on December 20. The signing statement directly contradicts part of the bill he signed, which explicitly reinforces protections of first-class mail from searches without a court's approval. According to the article, "A top Senate Intelligence Committee aide promised a review of Bush's move." [Slashdot: Your Rights Online]

The Seattle Times: Nation & World: Bush says feds can open mail without warrant

Thu, 04 Jan 2007 17:37:43 GMT

President Bush quietly has claimed sweeping new powers to open Americans' mail without a judge's warrant.

Bush asserted the new authority Dec. 20 after signing legislation that overhauls some postal regulations. He then issued a "signing statement" that declared his right to open mail under emergency conditions, contrary to existing law and contradicting the bill he had just signed, according to experts who have reviewed it.

A White House spokeswoman disputed claims that the move gives Bush any new powers, saying the Constitution allows such searches.

Still, the move, one year after The New York Times' disclosure of a secret program that allowed warrantless monitoring of Americans' phone calls and e-mail, caught Capitol Hill by surprise.

"Despite the president's statement that he may be able to circumvent a basic privacy protection, the new postal law continues to prohibit the government from snooping into people's mail without a warrant," said Rep. Henry Waxman, D-Calif., the incoming House Government Reform Committee chairman, who co-sponsored the bill.

Experts said the new powers could be easily abused and used to vacuum up large amounts of mail.

"The [Bush] signing statement claims authority to open domestic mail without a warrant, and that would be new and quite alarming," said Kate Martin, director of the Center for National Security Studies in Washington.

"You have to be concerned," a senior U.S. official agreed. "It takes executive-branch authority beyond anything we've ever known."

A top Senate Intelligence Committee aide promised a review of Bush's move.

Justice Dept. Database Stirs Privacy Fears - washingtonpost.com

Tue, 02 Jan 2007 04:54:28 GMT

Size and Scope of the Interagency Investigative Tool Worry Civil Libertarians

The Justice Department is building a massive database that allows state and local police officers around the country to search millions of case files from the FBI, Drug Enforcement Administration and other federal law enforcement agencies, according to Justice officials.

The system, known as "OneDOJ," already holds approximately 1 million case records and is projected to triple in size over the next three years, Justice officials said. The files include investigative reports, criminal-history information, details of offenses, and the names, addresses and other information of criminal suspects or targets, officials said.

[...]

But civil-liberties and privacy advocates say the scale and contents of such a database raise immediate privacy and civil rights concerns, in part because tens of thousands of local police officers could gain access to personal details about people who have not been arrested or charged with crimes.

The little-noticed program has been coming together over the past year and a half. It already is in use in pilot projects with local police in Seattle, San Diego and a handful of other areas, officials said. About 150 separate police agencies have access, officials said.

But in a memorandum sent last week to the FBI, U.S. attorneys and other senior Justice officials, Deputy Attorney General Paul J. McNulty announced that the program will be expanded immediately to 15 additional regions and that federal authorities will "accelerate . . . efforts to share information from both open and closed cases."

Eventually, the department hopes, the database will be a central mechanism for sharing federal law enforcement information with local and state investigators, who now run checks individually, and often manually, with Justice's five main law enforcement agencies: the FBI, the DEA, the U.S. Marshals Service, the Bureau of Prisons and the Bureau of Alcohol, Tobacco, Firearms and Explosives.

Within three years, officials said, about 750 law enforcement agencies nationwide will have access.

[...]

Barry Steinhardt, director of the Technology and Liberty Project at the American Civil Liberties Union, said the main problem is one of "garbage in, garbage out," because case files frequently include erroneous or unproved allegations.

"Raw police files or FBI reports can never be verified and can never be corrected," Steinhardt said. "That is a problem with even more formal and controlled systems. The idea that they're creating another whole system that is going to be full of inaccurate information is just chilling."

Steinhardt noted that in 2003, the FBI announced that it would no longer meet the Privacy Act's accuracy requirements for the National Crime Information Center, its main criminal-background-check database, which is used by 80,000 law enforcement agencies across the country.

OneDOJ to Offer National Criminal Database to Law Enforcement.

Tue, 02 Jan 2007 04:43:46 GMT

OneDOJ to Offer National Criminal Database to Law Enforcement. Degrees writes "The Washington Post is reporting that the Justice Department is building a massive database, known as 'OneDOJ'. The system allows state and local police officers around the country to search millions of case files from the FBI, Drug Enforcement Administration and other federal law enforcement agencies. The system already holds approximately 1 million case records and is projected to triple in size over the next three years. The files include investigative reports, criminal-history information, details of offenses, and the names, addresses and other information of criminal suspects or targets. From the article: 'Civil-liberties and privacy advocates say the scale and contents of such a database raise immediate privacy and civil rights concerns, in part because tens of thousands of local police officers could gain access to personal details about people who have not been arrested or charged with crimes. The little-noticed program has been coming together over the past year and a half. It already is in use in pilot projects with local police in Seattle, San Diego and a handful of other areas, officials said.'" [Slashdot: Your Rights Online]

Telegraph | News | US 'licence to snoop' on British air travellers

Tue, 02 Jan 2007 03:04:24 GMT

Britons flying to America could have their credit card and email accounts inspected by the United States authorities following a deal struck by Brussels and Washington.

By using a credit card to book a flight, passengers face having other transactions on the card inspected by the American authorities. Providing an email address to an airline could also lead to scrutiny of other messages sent or received on that account.

The extent of the demands were disclosed in "undertakings" given by the US Department of Homeland Security to the European Union and published by the Department for Transport after a Freedom of Information request.

About four million Britons travel to America each year and the released document shows that the US has demanded access to far more data than previously realised.

Not only will such material be available when combating terrorism but the Americans have asserted the right to the same information when dealing with other serious crimes.

Shami Chakrabarti, the director of the human rights group Liberty, expressed horror at the extent of the information made available. "It is a complete handover of the rights of people travelling to the United States," she said.

Flying To the US? Pay In Cash.

Tue, 02 Jan 2007 03:00:33 GMT

Flying To the US? Pay In Cash. pin_gween writes to point us to a report in the Telegraph that British travelers using a credit card to purchase their ticket may now have their credit card and email accounts inspected by US authorities. This has been true since October, when the US and the EU agreed about what information the US could demand from airlines and how this information would be handled. But details of the agreement only recently came to light following a Freedom of Information request. The US says it will "encourage" US carriers to reciprocate to any requests by European governments. From the article: "[T]he Americans are entitled to 34 separate pieces of Passenger Name Record (PNR) data... Initially, such material could be inspected for seven days but a reduced number of US officials could view it for three and a half years. Should any record be inspected during this period, the file could remain open for eight years...'It is pretty horrendous, particularly when you couple it with our one-sided extradition arrangements with the US,' said [a human rights activist]. 'It is making the act of buying a ticket a gateway to a host of personal email and financial information. While there are safeguards, it appears you would have to go to a US court to assert your rights.'" [Slashdot: Your Rights Online]

Computers, Freedom and Privacy - Montreal, May 1-4 2007

Fri, 29 Dec 2006 00:41:06 GMT

Come to CFP2007 in Montreal, May 1-4 2007. There's a lot at stake.

Computers, Freedom and Privacy 2007 - Call For Proposals

Fri, 29 Dec 2006 00:37:58 GMT

Call For Proposals - The deadline for proposals is January 20, 2006

The Program Committee of the Seventeenth Conference on Computers, Freedom, and Privacy (CFP2007) seeks your proposals for innovative conference sessions and speakers.

Secure Flight Violated Federal Privacy Law, Homeland Security Privacy Office Finds - Electronic Privacy Information Center

Fri, 29 Dec 2006 00:27:12 GMT

A report from the privacy office of the Department of Homeland Security has found that information provided by the DHS about the airline screening system was misleading and incomplete. The DHS report follows a 2005 Government Accountability Office statement and documents obtained by EPIC in 2004 which revealed that the government airline screening system would make extensive use of commercial data without informing the public as required by law. As condition of funding the Department of Homeland Security, Congress suspended the Secure Flight program. Separately, the DHS Privacy office issued a report on the now defunct MATRIX project. More information at the EPIC Secure Flight page. (Dec. 22)

Security Plan Challenged.

Thu, 21 Dec 2006 15:49:42 GMT

Security Plan Challenged. Privacy group sues feds to learn how data is gathered, kept on travelers. [PC World: Latest Technology News]

Sony Rootkit Payout: $1.5 Million.

Wed, 20 Dec 2006 05:55:08 GMT

Sony Rootkit Payout: $1.5 Million. The settlement between Sony BMG Music Entertainment and the states of California and Texas also includes free albums for affected consumers. In Listening Post. [Wired News: Top Stories]

State AGs Reach Settlement on Sony BMG Rootkit Debacle.

Wed, 20 Dec 2006 03:08:00 GMT

State AGs Reach Settlement on Sony BMG Rootkit Debacle.

Over a year since infecting CD purchasers' computers with flawed copy protection software, Sony BMG has reached a settlement with several state attorneys general (AGs) over the rootkit debacle. We've reviewed the Texas settlement agreement, which appears to be similar to agreements reached in other states, and it looks like the AGs used their investigatory and enforcement powers to obtain important additional relief for consumers.

Among other things, the settlement requires Sony BMG to compensate consumers whose computers were damaged by the XCP or Media Max software and to continue providing the settlement benefits obtained in the private litigation for an additional six months (through June 30, 2007).

Equally important are Sony BMG's future obligations. If Sony uses DRM on its CDs in the future, it will have to provide detailed pre- and post-sale disclosures to customers, provide an easy uninstaller, and notify consumers if it finds security flaws in the software.

Well done, AGs!

The Texas agreement is available here. Background regarding the Sony BMG litigation is available here.

[EFF: Deep Links]

100 Million Victims of Data Theft.

Mon, 18 Dec 2006 20:39:22 GMT

100 Million Victims of Data Theft. jcatcw writes "With the latest significant data breach -- theft of a Boeing laptop with unencrypted personal information on 382,000 employees -- the Privacy Rights Clearinghouse estimates that the total number of data breach victims has passed 100 million since they started tracking in February 2005. The director, Beth Givens, admits 'the number 100 million is largely a fictional number,' but it surely errs on the low side. Since California is still the only state with disclosure laws, incidents are difficult to analyze fully. However, Congress this week passed a bill requiring that the Department of Veterans Affairs report breaches." [Slashdot: Your Rights Online]

Consumers Willing to Trade Privacy for Personalization, Survey Says

Thu, 14 Dec 2006 20:06:40 GMT

Consumers Willing to Trade Privacy for Personalization, Survey Says.

A new study by ChoiceStream, a (surprise!) provider of online personalization products, announces their latest personalization survey reveals an increasing number of web users are willing to provide personal information in order to receive personalized services. From the summary at EContent:

According to the survey, the number of consumers willing to provide demographic information in exchange for a personalized online experience has grown over the past year, increasing 24% to a total of 57% of all respondents. The Survey also finds an increase in the number of consumers willing to allow websites to track their clicks and purchases, increasing 34% from the previous year. However, the results show no significant decline in the number of consumers concerned about the security of their personal data online, with 62% expressing concern in 2006 vs. 63% in 2005.

I can[base ']t find a link to the report (here is the 2005 version [PDF]), but this is an interesting trend. My first reaction is to wonder how informed general Internet users are about the potential to aggregate and transfer personal information they decide to provide to gain some level of personalization. Do users think their information remains generally anonymous? Do they presume it is only used for personalization, and not aggregated for other purposes, or made available to other organizations (marketers, law enforcement, etc). Much more work needs to be done to fully understand people[base ']s preferences and expectations regarding the use of their personal data for personalization services.

[via Pogo Was Right]

[michaelzimmer.org]

Erosion of the Secret Ballot

Tue, 12 Dec 2006 19:15:33 GMT

Erosion of the Secret Ballot.

Voting technology has changed greatly in recent years, leading to problems with accuracy and auditability. These are important, but another trend has gotten less attention: the gradual erosion of the secret ballot.

It[base ']s useful to distinguish two separate conceptions of the secret ballot. Let[base ']s define weak secrecy to mean that the voter has the option of keeping his ballot secret, and strong secrecy to mean that the voter is forced to keep his ballot secret. To put it another way, weak secrecy means the ballot is secret if the voter cooperates in maintaining its secrecy; strong secrecy means the ballot is secret even if the voter wants to reveal it.

The difference is important. No system can stop a voter from telling somebody how he voted. But strong secrecy prevents the voter from proving how he voted, whereas weak secrecy does not rule out such a proof. Strong secrecy therefore deters vote buying and coercion, by stopping a vote buyer from confirming that he is getting what he wants [~] a voter can take the payment, or pretend to knuckle under to the coercion, while still voting however he likes. With weak secrecy, the buyer or coercer can demand proof.

In theory, our electoral system is supposed to provide strong secrecy, as a corrective to an unfortunate history of vote buying and coercion. But in practice, our system provides only weak secrecy.

The main culprit is voting by mail. A mail-in absentee ballot is only weakly secret, the voter can mark and mail the ballot in front of a third party, or the voter can just give the blank ballot to the third party to be filled out. Any voter who wants to reveal his vote can request an absentee ballot. (Some states allow absentee voting only for specific reasons, but in practice people who are willing to sell their votes will also be willing to lie about their justification for absentee voting.)

Strong secrecy seems to require the voter to cast his ballot in a private booth, which can only be guaranteed at an officially run polling place.

The trend toward voting by mail is just one of the forces eroding the secret ballot. Some e-voting technologies fail to provide even weak secrecy, for example by recording ballots in the order they were cast, thereby allowing officials or pollwatchers who record the order of voters[base '] appearance (as happens in many places) to connect each recorded vote to a voter.

Worse yet, even if a complex voting technology does protect secrecy, this may do little good if voters aren[base ']t confident that the system really protects them. If everybody [base "]knows[per thou] that the party boss can tell who votes the wrong way, the value of secrecy will be lost no matter what the technology does. For this reason, the trend toward complex black-box technologies may neutralize the benefits of secrecy.

If secrecy is being eroded, we can respond by trying to restore it, or we can decide instead to give up on secrecy or fall back to weak secrecy. Merely pretending to enforce strong secrecy looks like a recipe for bad policy.

(Thanks to Alex Halderman and Harlan Yu for helpful conversations on this topic.)

[Freedom to Tinker]

Market Research Company Secretly Installs Spyware.

Tue, 12 Dec 2006 03:05:46 GMT

Market Research Company Secretly Installs Spyware. An anonymous reader writes "Forbes reports that two security experts are raising new questions about comScore, claiming that company's tracking software is being installed without consent on an unknown number of computers. The widely-used online research company takes screenshots of every Web page viewed by its 1 million participants, even transactions completed in secure sessions, like shopping or online checking. ComScore then aggregates the information into market analysis for its clients, which include such large companies as Ford Motor, Microsoft and The New York Times Co." From the article: "'[The] software is sneaking onto users' computers without the user agreeing to receive it,' says Harvard University researcher Ben Edelman, who documented at least ten unauthorized comScore downloads. Eric Howes, director of malware research at antivirus company Sunbelt Software, and his researchers separately observed hundreds of unauthorized comScore downloads in a three-month period this fall." [Slashdot: Your Rights Online]

How Pop-Ups Could Brand You a Pervert or Crook.

Tue, 12 Dec 2006 02:52:49 GMT

How Pop-Ups Could Brand You a Pervert or Crook.

Greetings. A New York Times article today explores the problem of Web-based "pop-up" ads being used to artificially inflate Web traffic.

I'd like to point out a potentially much more serious problem related to pop-ups that can access arbitrary Web sites -- they could be used for purposes that could get innocent Web users into major legal problems.

The issue of sites triggering unsolicited access to other sites is not new. In a message over a year ago ("Google's new feature creates another user privacy problem"), I discussed how Google's triggering of top item "prefetch" in returned search results could result in Firefox browsers visiting the referenced site -- and collecting any associated cookies -- without users' knowledge (I also suggested ways to prevent this behavior).

The essential problem is that Web logs that record users' access to sites would record such visits as if they had been voluntarily initiated by those users. If those destinations happen to be sites with various forms of "illicit" materials that could be the subject of government or other investigations that would go digging through associated access logs... well, you can imagine the possible complications.

Google's prefetch behavior is an example of a well-intended feature with unfortunate negative side-effects.

On the other hand, the sorts of nefarious pop-ups described in the NYT piece have much greater potential for intentionally serious sorts of damage, since they can be far more flexible and directed than simple Web prefetches, and so could put innocent consumers at even greater risk. They might not only access pages that could get people arrested (perhaps c-porn?), but also download files that could trigger RIAA and/or MPAA "automatic" lawsuits, or any number of other nightmare scenarios.

It's fair to ask why anyone might want to set loose such technical monsters on innocent victims. The simple answer is that there are quite a few people out there who just want to score a point -- to prove that they can do it -- plus of course the sick minds who enjoy watching other people suffer.

[Lauren Weinstein's Blog]

NATIONAL JOURNAL: No Secret... Maybe (12/08/2006)

Tue, 12 Dec 2006 02:47:14 GMT

"I've talked about the collection of this data and the analysis of this data incessantly," Chertoff said in an interview this week at his office. By "this data," Chertoff means the international passenger name records (PNRs) that airlines give to Homeland Security screeners. Each PNR contains basics such as a passenger's name, address, and seat assignment, but also details how the ticket was paid, whom the person is traveling with, and what telephone number the passenger used to book the reservation.

The screeners analyze PNRs, including those of American citizens traveling abroad, as well as passport information, to see if anyone can be connected to a terrorist. But in the past two months, nearly 50 organizations and individuals have contacted the department to express varying degrees of concern and outrage over the computer program that actually performs this analysis: the Automated Targeting System. That's because, in addition to crunching data, ATS tags every international traveler with a "risk assessment," which security officers use when deciding whether to interrogate passengers or to keep them from flying. Once generated, those assessments may stay locked in ATS for as long as 40 years, and it is unlikely that passengers could ever know precisely what their risk rating is and how it was calculated.

This is news to just about every major privacy and civil-liberties watchdog in the country; they thought that Homeland Security officials only wanted to use passenger data to target terrorists and assign risk ratings but had refrained from actually doing so. They believed that ATS was being used only to identify risky cargo aboard ships. So, did the watchdogs miss something?