Category: Privacy (Electronic Surveillance)

Data Mining and the Security-Liberty Debate

I’ve written a short essay (about 20 pages), entitled Data Mining and the Security-Liberty Debate, for an upcoming symposium on surveillance for the U. Chicago Law Review. The symposium website is here. The symposium looks to be a terrific event. The event will be held on June 15-16, 2007 (registration information is available at the symposium website). Besides myself, participants include Julie Cohen, Ronald Lee, Ira Rubenstein, Ken Bamberger, Deirdre Mulligan, Timothy Muris, Lior Strahilevitz, Anita Allen, Thomas Brown, Richard A. Epstein, Orin Kerr, Patricia Bellia, Richard A. Posner, Paul Schwartz, and Chris Slobogin.

My paper can be downloaded at the symposium website or at this SSRN link. In the essay, I take on some common arguments about data mining and the debate between security and liberty.

In particular, I critique arguments by Richard Posner, William Stuntz, and a provocative new book by Eric Posner and Adrian Vermeule called Terror in the Balance: Security, Liberty, and the Courts. Posner and Vermeule argue that in times of crisis, courts and legislatures should defer to the executive on issues of national security. I spend a considerable part of my essay critiquing their argument.

The essay’s abstract:

In this essay, written for a symposium on surveillance for the University of Chicago Law Review, I examine some common difficulties in the way that liberty is balanced against security in the context of data mining. Countless discussions about the trade-offs between security and liberty begin by taking a security proposal and then weighing it against what it would cost our civil liberties. Often, the liberty interests are cast as individual rights and balanced against the security interests, which are cast in terms of the safety of society as a whole. Courts and commentators defer to the government’s assertions about the effectiveness of the security interest. In the context of data mining, the liberty interest is limited by narrow understandings of privacy that neglect to account for many privacy problems. As a result, the balancing concludes with a victory in favor of the security interest. But as I argue, important dimensions of data mining’s security benefits require more scrutiny, and the privacy concerns are significantly greater than currently acknowledged. These problems have undermined the balancing process and skewed the results toward the security side of the scale.

Enforcing the Surveillance Laws

As many of the recent revelations about government surveillance and information gathering show, government agencies such as the FBI and NSA are violating the law. Recently, the DOJ investigation into the FBI’s use of NSLs revealed many violations of law. So where are the penalties?

In the latest surveillance scandal, the FBI says that it is sorry. According to the New York Times:

Mr. Mueller embraced responsibility for the lapses, detailed in a report by the inspector general of the Justice Department, and promised to do everything he could to avoid repeating them. . . .

Mr. Mueller left open the possibility that some F.B.I. employees might be disciplined for their errors involving national security letters. In response to a question, he said there had been “no discussion” on whether he should step down.

One of the problems with the law is that it doesn’t say much with regard to penalties for NSLs. When the FBI contravenes the law, is the only sanction that they must apologize, appear contrite, and say that they might possibly discipline a few folks? The law provides extraordinary powers to the FBI when it comes to NSLs, and these are issued in tense situations of national security, so it is predictable that overzealousness and abuses might occur. That’s why the law needs to be more than a guideline. It needs enforcement teeth.

Another interesting aspect of the NSL provision in the Electronic Communications Privacy Act, 18 U.S.C. § 2709, is that it doesn’t appear to specify any penalties for Internet Service Providers that don’t comply. The statute says that an ISP “shall comply” with an NSL and it imposes a gag order. But what’s the penalty for not complying? The statute doesn’t appear to specify one. Does anybody know what the penalty is?

National Security Letter Violations by the FBI

According to a DOJ investigation, the FBI has violated the law on several occasions in connection with the issuance of National Security Letters (NSLs). An NSL is a demand letter issued to a particular entity or organization to turn over various records and data pertaining to individuals. NSLs do not require probable cause, a warrant, or even judicial oversight. They also come with a gag order, preventing the recipient of the letter from disclosing that the letter was ever issued. Compliance is mandatory.

There are several NSL provisions in various federal statutes: (1) Electronic Communications Privacy Act, 18 U.S.C. § 2709 (FBI can compel communications companies to disclose customer information); (2) Right to Financial Privacy Act, 12 U.S.C. § 3414(a)(5) (FBI can compel financial institutions to disclose customer information); (3) Fair Credit Reporting Act, 15 U.S.C. § 1681u (FBI can compel credit reporting agencies to disclose records on individuals).

According to the Washington Post:

A Justice Department investigation has found pervasive errors in the FBI’s use of its power to secretly demand telephone, e-mail and financial records in national security cases, officials with access to the report said yesterday.

The inspector general’s audit found 22 possible breaches of internal FBI and Justice Department regulations — some of which were potential violations of law — in a sampling of 293 “national security letters.” The letters were used by the FBI to obtain the personal records of U.S. residents or visitors between 2003 and 2005. The FBI identified 26 potential violations in other cases.

The study revealed a range of errors:


Best and Worst Internet Laws

[Preface: I've already overstayed my guest visit, but before I go, I want to say thanks to the Concurring Opinions team for the opportunity to blog here, and thanks to all of you for the great comments and stimulating dialogue. A complete index of my guest blog posts. Meanwhile, I'll keep blogging on technology and marketing law at my main blog and on all other topics at my personal blog. Hope to see you there!]

Over the past dozen years, the lure of regulating the Internet has proven irresistible to legislators. For example, in the 109th Congress, almost 1,100 introduced bills referenced the word “Internet.” This legislative activity doesn’t always come to fruition. Still, in total, hundreds of Internet laws have been passed by Congress and the states. This body of work is now large enough that we can identify some winners and losers. So in the spirit of good fun, I offer an opinionated list of my personal votes for the best and worst Internet statutes in the United States.

[Keep reading for the list]


Hewlett Packard Pays for Privacy . . . and Copyright?

Hewlett Packard has agreed to pay $14.5 million to resolve a lawsuit by the California attorney general over its phone records scandal. From the New York Times:

Hewlett-Packard said Thursday that it would pay $14.5 million to settle a lawsuit by the California attorney general over the company’s use of private detectives to obtain private phone records of board members and journalists.

The company is paying $650,000 in fines for “statutory damages,” but the bulk of the money, $13.5 million, is going to create a state-administered Privacy and Piracy Fund. The fund is to finance the investigation of consumer privacy violations and of intellectual-property theft, including the copying of movies and music.

“We wanted very much to enhance our ability to enforce our laws against property theft,” Bill Lockyer, the attorney general, said in an interview.

From the article, it sounds as though most of the money will go to helping the state help businesses police copyright. The purpose of the settled lawsuit was purportedly to protect privacy, and I am perplexed at how protecting against copyright piracy suddenly became an aspect of the settlement. I sure hope that the fund from the settlement is mostly used to protect consumer privacy, not as one more arrow in the music and movie industry’s copyright quiver.

For more about the HP scandal, see this terrific post by guest blogger Timothy Glynn.

How Does the US Rank Among Countries in Privacy Protection?

How does the United States rank among countries in privacy protection? Practically at the bottom according to a ranking by Privacy International, a UK-based privacy advocacy group. The ranking is based on Privacy and Human Rights, an annual report about privacy laws around the world published by Privacy International and the Electronic Privacy Information Center. Here’s the ratings table and here’s the briefing paper for the table. Unfortunately, every time I try to access the PDF file of the briefing paper that explains the rankings, it not only fails to load, but it also crashes my browser, whether Firefox or Explorer.

The press release for the rankings states:


Xoxohth 1.1: The Past and Present

[This is Part I, Section 1, of the project I announced here. The goal of today's installment is to set out the history of the XO board, and briefly describe its present statistics.]

Hugs and Kisses, Hope this Helps

The genesis of XO was less gripping, bloody, tortured, significant and miraculous than the Exodus, a tale which it otherwise resembles in important respects.

The community started as a group of posters at the Princeton Review Discussion Board [PR]. Some individuals began at PR in 1997-1998, as they were applying to college, and continued posting in that forum after matriculation. The reason that people spent time – sometimes 20 hours a week or more – at PR will become familiar:

Before I started law school, I posted on the former incarnation of xoxo (which was then run by the Princeton Review) because it was a wide-open and mostly unmanaged discussion. In one sitting I could have the most sober and serious conversations as well as the most silly and immature b******* sessions, all with the same group of people. The other, more “mature” boards were by comparison intellectual wastelands, partly because they were so “sober” and “mature.” All the really smart people shunned those boring boards in favor of pr (now xoxo).

But not all individuals were looking for information: some were actually, weirdly, (slumming) older alumni.

The standard foundation story holds that in March, 2004, PR switched to a new software format that users found irritating because it (1) enabled IP tracking; (2) discouraged use of multiple aliases; (3) discouraged abusive language through moderation and banning; and (4) eliminated the “‘tree’ format and switching to a vBulletin-type format that was heavily despised by most users.” See here and here and here for some posts from the period. One emailer explains:

The only moderators were Jeff Adams, a Princeton Review employee, and TPR Droid, who was a long-time poster that Jeff hired to moderate the board when he wasn’t around. Anger at TPR Droid’s moderation style was one of the main reasons for the initial rift — while Jeff was even-handed with deletions and bannings, many people felt Droid had an agenda since he would ban people for criticizing his favored posters, or delete racist threads directed at Jews and Christians while refusing to delete equally hateful threads about Muslims.

A group of users decided to leave PR as a group. However,

The law boarders didn’t know about the existence of xoxohth. [A user with the handle Rowan] organized an AIM chat and people were brainstorming ideas of how to re-create the board. I think rk even drafted a letter looking for corporate sponsorship . . . In the very beginning, the law and college boards were one. During those heady first days, all personal wars were called off – Edgar Martinez, Julia, RWA, LawyerBird got along – but soon order was restored and things returned to normal.

Obviously, the domain name had been purchased before problems on the PR board became exigent. According to a WHOIS search, the purchase of the xoxohth domain occurred on January 29, 2004. The buyer was Jarret Cohen, now in business in Pennsylvania. As you can see from this screenshot of the early board, it was intended to be a replacement for the PR community. Contrary to Eugene’s speculations, xoxohth is not a dungeons and dragons reference. It seems to stand for xoxo (hugs and kisses) plus hth (hope this helps).

It is also worth noting that there was an early worry that the former PR community would split into a college (XO) faction and a law faction, located at the JD2B board. A source comments:

[W]hen Marshall [Camp, JD2B's owner] found out the xo board existed, he not only deleted the JD2B message board, but prominently linked to the board on his site and actively sent traffic our way; basically we were treated as JD2B’s unofficial messageboard.

That site probably accounted for 50-75% of our referring URL traffic in the early days.

Organizational Control

Cohen – alias Rachmiel – and another user known as Boondocks (from the comic strip?) coded the initial software for the board, which (of course) was unmoderated. Boondocks, I am given to understand, is an African-American man who, though one of XO’s founders, forewent an administrative role after the first two months of the board’s existence.

Instead, in about May, 2004, Anthony Ciolli, a Penn Law student, became partners with Cohen. My sense is that Ciolli – alias “Great Teacher Onizuka” (manga comic reference?) – and Cohen split the board’s revenues 50/50, and share operational control over the permissions on the site.


Hewlett-Packard, Privacy, and Consent

The recent scandal at Hewlett-Packard has had remarkable staying power. Like most others, I was taken aback by the investigatory methods HP officials used to find the source of boardroom leaks. They crossed the line, certainly as a normative matter, and, if the California indictments are any indication, as a legal one too.

Now let’s add a twist: What if members of HP’s Board of Directors had agreed in advance to be spied on? Say they had agreed when they were named to the board that HP could conduct unannounced investigations and surveillance of their personal contacts and communications – including access to personal phone and other records – if necessary to protect firm interests. And suppose this consent was “narrowly tailored” in the sense that such an investigation would occur only after HP officials determined that there had been a leak, it most likely had originated with a board member, and further leaks would potentially harm the legitimate interests of the corporation. I wonder whether such prior consent would change many individuals’ views of at least some of HP’s actions.


The Digital Person: Now in Paperback

I’m pleased to announce that my book, The Digital Person: Technology and Privacy in the Information Age, is now out in paperback and has a much more affordable price. From the cover blurb:

Seven days a week, twenty-four hours a day, electronic databases are compiling information about you. As you surf the Internet, an unprecedented amount of your personal information is being recorded and preserved forever in the digital minds of computers. For each individual, these databases create a profile of activities, interests, and preferences used to investigate backgrounds, check credit, market products, and make a wide variety of decisions affecting our lives. The creation and use of these databases—which Daniel J. Solove calls “digital dossiers”—has thus far gone largely unchecked. In this startling account of new technologies for gathering and using personal data, Solove explains why digital dossiers pose a grave threat to our privacy.

The Digital Person sets forth a new understanding of what privacy is, one that is appropriate for the new challenges of the Information Age. Solove recommends how the law can be reformed to simultaneously protect our privacy and allow us to enjoy the benefits of our increasingly digital world.

Links to reviews of the book are at The Digital Person website.

The Ten Greatest Privacy Disasters

Wired News lists what it considers to be the 10 greatest privacy disasters:

10. ChoicePoint data spill

9. VA laptop theft

8. CardSystems hacked

7. Discovery of data on used hard drives for sale

6. Philip Agee’s revenge

5. Amy Boyer’s murder

4. Testing CAPPS II

3. COINTELPRO

2. AT&T lets the NSA listen to all phone calls

1. The creation of the Social Security Number

See the Wired article for its explanations. It’s a good list, but there are a few problems. Although we still don’t know all the details of the NSA surveillance program, it’s not worse than COINTELPRO, which involved massive surveillance of a wide range of groups, the wiretapping of Martin Luther King, Jr., attempts to blackmail King, and more. The Social Security Number has indeed led to a ton of problems, but the fault doesn’t lie with its creation. Rather, the problem is mostly the expanding use of the number and the failure of the government to rein in government agencies and businesses from using it. CAPPS II, while flawed in its conception, should not be so high on the list.

Some notable omissions: Where’s Total Information Awareness? What about Olmstead v. United States, 277 U.S. 438 (1928), where the Supreme Court held that the Fourth Amendment didn’t regulate wiretapping? Olmstead led to nearly 40 years of extensive abuses of wiretapping before it was overruled. There are countless other Supreme Court Fourth Amendment cases that could arguably be listed, but I’d definitely include Miller v. United States, 425 U.S. 435 (1976), which created the third party doctrine, under which the Fourth Amendment does not apply to personal records possessed by third parties. Another possible inclusion: The birth of J. Edgar Hoover.

Hat Tip: Bruce Schneier