Archive for the ‘Privacy (National Security)’ Category
Making the Internet Safer, the NSA Way
posted by Danielle Citron
Securing our networked environment is both crucial and difficult. Six months ago, President Obama declared his Administration’s commitment to protect cyberspace from sabotage of all stripes. For the President, the rise of online theft, electronic espionage, and military-related cyber assaults necessitated the appointment of a cyber czar to protect our cyber “national assets.” The President has tried to fill that spot: Shane Harris of National Journal explains that “more candidates had declined the job than were still in the running for it.” And despite our failed efforts at CoOp to recruit Orin Kerr for the job, the cyber czar position remains empty.
This state of affairs may be due to the difficult nature of the task at hand. Former NSA head General Michael Hayden recently said: “There is no regime for us to work within to respond to cyberattack. We are in a place where technology has long outstripped policy–let alone law–in terms of what’s available. We are going to have to rely on heroism instead of a plan.” If Hayden has it right, it is no wonder that no one wants the job.
Nonetheless, the Administration may have already charted its path, one that entrusts the National Security Agency with protecting cyberspace. According to the National Journal, Lt. General Keith B. Alexander, the NSA’s director, has been “setting up the central nervous system in the government’s campaign to defend cyberspace.” The NSA will now, unlike in the past, help oversee the networks of civilian government and privately-owned, critical infrastructure (dams, railroads, hospitals, banks, food industry, hotels, telecommunications, postal, shipping, retail, transportation, and, well, everything else). This is true even though DHS is charged with defending civilian networks and coordinating private sector protection. Homeland Security Secretary Janet Napolitano said that NSA will provide DHS “technical assistance” on this issue. In short, DHS will rely on the NSA for the tools, expertise, and resources to protect cyberspace.
So the NSA apparently will be overseeing and securing private networks, the same NSA that engaged in wholesale warrantless surveillance of Americans after 9/11 (and the agency that monitored telegrams coming in and out of the United States to detect individuals with communist ties in the 1950s and 1960s)? Congress has, of course, limited the NSA’s warrantless wiretapping and the President has promised us greater transparency in government decision-making. Nonetheless, NSA’s oversight over privately-owned systems and wholesale access to their contents raises serious concerns. And because the NSA will direct these efforts in the name of national security and intelligence, little transparency will be forthcoming. On another note, the question remains whether it was agency turf-war antics that led to Melissa Hathaway’s decision to leave government–she was the DHS official and most senior cyber expert in the White House who had been a leading candidate for the cyber czar post. At the time of her resignation, Hathaway told the Washington Post that she “wasn’t willing to continue to wait any longer,” and she wasn’t “empowered” to make any changes.
October 6, 2009 at 9:12 am
Posted in: Architecture, Cyberlaw, Privacy, Privacy (Law Enforcement), Privacy (National Security), Technology, Uncategorized
Tweeting for the Party
posted by Danielle Citron
During the 2008 election, Democrats effectively used Web 2.0 platforms to garner interest in the campaign and win supporters. President Obama has been widely hailed as the first “Tech President,” and he seems to have trounced the Facebook landscape. To date, President Barack Obama has over 6.6 million Facebook friends, while Sarah Palin only has 848,614 Facebook pals and Mitt Romney has 70,130.
Although the President has proven his mettle on Facebook and MySpace (where he has over 1.8 million friends), Republicans rule the day on the micro-blogging front. The Congressional Research Service reports that congressional Republicans out-tweeted their Democratic counterparts during two one-week periods this summer. Nancy Scola attributes Congressional Republicans’ Twitter dominance to their desire to regain the public’s attention and favor now that they are in the minority. AMERICAblogs’ John Aravosis worries that Democrats have ceded their online advantage.
No matter the current political victor in this social media landscape, Government 2.0 is here to stay. It surely has great potential to shine light on government policymaking and to marshal public participation, especially from people who otherwise wouldn’t bother getting involved with government policymaking. Adding the President as a friend on MySpace and joining live chats may seem to be a relatively costless endeavor as compared to writing letters or commenting on agency rulemakings. But Government 2.0 also poses privacy risks: social media sites not only give government access to people’s policy insights but also access to all of individuals’ social media data, such as their videos, photos, wall musings, “Top 25 things you don’t know about me” lists, and the like. Soon, I will be posting on SSRN a draft of my essay “The One-Way Mirror: Enhancing Participation and Securing Privacy for Government 2.0” (forthcoming George Washington Law Review) and hope to get your feedback.
September 28, 2009 at 12:11 pm
Posted in: Cyberlaw, Google & Search Engines, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (Law Enforcement), Privacy (National Security), Social Network Websites, Technology, Uncategorized
Understanding Privacy in Paperback
posted by Daniel Solove
I’m pleased to announce that my book, Understanding Privacy, has just come out in paperback from Harvard University Press, with a price that’s much more reasonable and affordable than the hardcover.
Understanding Privacy offers a comprehensive overview of the many difficulties involved in discussions of privacy. Drawing from a broad array of interdisciplinary sources, I set forth a framework for understanding privacy that provides clear practical guidance for engaging with privacy issues.
September 14, 2009 at 7:36 am
Posted in: Articles and Books, Book Reviews, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (Gossip & Shaming), Privacy (ID Theft), Privacy (Law Enforcement), Privacy (Medical), Privacy (National Security)
Mainstreaming Accountability
posted by Dave Hoffman
Ninth Circuit Judge Milan Smith, who just rejected John Ashcroft’s claim of qualified immunity in Abdullah Al-Kidd v. John Ashcroft, wrote that the Bush Administration’s alleged practice of abusing the material witness statute was “repugnant to the Constitution, and a painful reminder of some of the most ignominious chapters of our national history.”
Notably, Judge Smith was quoted last year saying the following about the Ninth Circuit:
[Smith] credits this “mainstreaming” [evidenced in a lower reversal rate] of the Circuit to two main factors: the reduction in influence by Carter appointees and the changing dynamic of the confirmation process.
“It’s very rare anymore that you’re [going to] have three Carter judges sitting together [on a panel],” said Smith.
Smith believes the current composition of the Circuit explains the reduction in extreme opinions: “We have 27 active judges and 22 senior judges [on the Circuit] . . . . Of those, Carter appointed 15 in total.”
Of the 15 Carter appointees, two have passed away, one has retired completely from the court, and nine have moved into senior status, a form of semi-retirement whereby a judge vacates his seat and hears a diminished caseload but keeps his full salary. Almost every Carter appointee is now over the age of 70, and Smith stated that it will not be long before the remainder of them “leave this vale of tears.” Only three Carter appointees remain active, including former Chief Judge Mary M. Schroeder and well-known Judge Stephen Reinhardt. According to Smith, the less critical atmosphere which allowed the appointment of these more strident and ideological judges changed during the Reagan administration.
I wonder how the Carter-holdouts felt about this set of comments when they appeared? Maybe Judge Smith was misquoted. But if this article represents his thought, it’s pretty clear that he sees himself as a pragmatic “mainstream” conservative, who wants to be seen as reasonable and apolitical, making his evident annoyance with the government’s position in the Ashcroft case all that much more remarkable.
September 5, 2009 at 2:41 pm
Posted in: Privacy (National Security), Supreme Court
I See Code: Plain View and Computer Searches
posted by Deven Desai
The Ninth Circuit has taken a swat at computer searches and the plain view doctrine (pdf). I have not yet read the entire opinion but Orin Kerr has a series of posts about the decision here. And Shaun Martin, for whom I have a ton of respect as well, covers the case here. Shaun’s post captures how well-written the opinion is: “In my dreams I could write an opinion this good. It’s clear. It’s concise. It provides meaningful, systemic guidelines. It’s just. It’s got a keen sense of both the practical way the world works as well as the dangers inherent in certain conduct. In short, it’s exactly what I want in a wide-ranging opinion that makes meaningful precedent. … If you only read a dozen Ninth Circuit opinions this year, this should be amongst them.”
Dan and others will likely have more to say, so stay tuned, folks. As Orin notes, “This is really new territory, so it will be interesting to see how it plays out. I suspect we’ll find out soon, as there are a lot of these cases.” In the interim, here are three paragraphs worth reading:
The point of the Tamura procedures is to maintain the privacy of materials that are intermingled with seizable materials, and to avoid turning a limited search for particular information into a general search of office file systems and computer databases. If the government can’t be sure whether data may be concealed, compressed, erased or booby-trapped without carefully examining the contents of every file—and we have no cavil with this general proposition—then everything the government chooses to seize will, under this theory, automatically come into plain view. Since the government agents ultimately decide how much to actually take, this will create a powerful incentive for them to seize more rather than less: Why stop at the list of all baseball players when you can seize the entire Tracey Directory? Why just that directory and not the entire hard drive? Why just this computer and not the one in the next room and the next room after that? Can’t find the computer? Seize the Zip disks under the bed in the room where the computer once might have been. See United States v. Hill, 322 F. Supp. 2d 1081 (C.D. Cal. 2004). Let’s take everything back to the lab, have a good look around and see what we might stumble upon.
This would make a mockery of Tamura and render the carefully crafted safeguards in the Central District warrant a nullity. All three judges below rejected this construction, and with good reason. One phrase in the warrant cannot be read as eviscerating the other parts, which would be the result if the “otherwise legally seized” language were read to permit the government to keep anything one of its agents happened to see while performing a forensic analysis of a hard drive. The phrase is more plausibly construed as referring to any evidence that the government is entitled to retain entirely independent of this seizure.
To avoid this illogical result, the government should, in future warrant applications, forswear reliance on the plain view doctrine or any similar doctrine that would allow it to retain data to which it has gained access only because it was required to segregate seizable from non-seizable data. If the government doesn’t consent to such a waiver, the magistrate judge should order that the seizable and non-seizable data be separated by an independent third party under the supervision of the court, or deny the warrant altogether.
August 27, 2009 at 6:01 am
Tags: Balco, Fourth Amendment, Judge Kozinski, Ninth Circuit
Posted in: Cyberlaw, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (Law Enforcement), Privacy (National Security)
Surveillance Facebook-Style: It’s Your Party and You Can Cry If You Want To
posted by Danielle Citron
The U.K.’s Register reports that British police stormed a man’s birthday barbeque party because his invite to 15 Facebook friends advertised an “all night party.” Before the party could really begin, police showed up in four cars, a riot van, and a helicopter, ordering the birthday boy to shut the party down or face arrest. With an appropriate amount of humor, Andrew Poole, the birthday trouble-maker, explained: “What the police did was come in and stop 15 people eating hamburgers.” What would possess the Facebook Precinct to bother here? Section 63 of the Criminal Justice and Public Order Act 1994 grants police powers to remove individuals attending or preparing for a “rave,” defined as playing amplified music “wholly or predominantly characterised by the emission of a succession of repetitive beats.”
This incident demonstrates the perils of a society that monitors and mines Facebook communications. The costs to liberty include blows to free expression and association. Brits will surely think twice about wall messages and “what I am doing now” missives that include talk of parties and other activities subject to misinterpretation. The costs to society: the misdirection of police from real threats to society and wasted resources spent breaking up a birthday bash (the helicopter time apparently cost 200 pounds and tack on the police efforts, including any investigation they conducted and time at the party, and gas for the four cars and van). So with Facebook surveillance the British may get less liberty and less security.
Commentators on the Register story noted their relief at living in the United States. They suggested that law enforcement and security officials would never be so foolish as to monitor Facebook traffic. Think again. The NSA’s Advanced Research Development Activity (ARDA) has funded research on the “Semantic Analytics on Social Networks: Experiences in Addressing the Problem of Conflict of Interest Detection,” which discusses how intelligence about people can be extracted from social networks. ARDA’s role is to spend NSA money on research that can “solve some of the most critical problems facing the U.S. intelligence community.” ARDA’s function is to make sense of the massive amount of data that the NSA collects.
Should Americans be worried about intelligence profiling a la Facebook? Many might think that the use of privacy settings on social networking sites would obviate the problem. First, studies suggest that most social networking site users use the default privacy settings, which are often the least privacy protecting and may reveal much of a user’s musings. Second, this assumption presumes that third party sites will not turn over social networking data, which they own, to the government, either for a pretty price or in the face of a subpoena or warrant. This assumption may be faulty. So what is all of the fuss? Automated intelligence profiling has obvious costs, such as the ones posed by the birthday party bust. It also has less apparent ones, such as mining misleading social networking data with other not-so-reliable private and public database data and, poof, people end up on government watchlists.
July 19, 2009 at 4:01 am
Posted in: Anonymity, Architecture, Cyberlaw, Google & Search Engines, Privacy, Privacy (Electronic Surveillance), Privacy (Law Enforcement), Privacy (National Security), Technology, Uncategorized
On the Rumored Cyber Security Czar Candidate: Let’s Look Before We Leap
posted by Danielle Citron
According to Time magazine, former Congressman Tom Davis has emerged as a front runner for the newly created Cyber Security Czar position. The Time piece cited Davis’s authorship of the Federal Information Security Management Act of 2002, his work as chair of the Subcommittee on Technology and Procurement policy, his connections to the IT community through his former district, and his current work at Deloitte as some of the reasons supporting his candidacy.
President Obama has stressed that privacy is key to the government’s cyber security efforts. Davis’s record on privacy issues, however, is troubling. As Wired’s Ryan Singel reports, Davis has been on the “wrong side of privacy issues.” Davis supported the controversial REAL ID Act. He attempted to undo a measure that ultimately put a chief privacy officer in every major government agency. He embraced the Bush Administration’s expansion of government wiretapping powers. Aside from his spotty record on privacy, Davis’s congressional record suggests that he does not share the President’s regard for government transparency. He helped pass the Critical Infrastructure Act, which created an exemption to FOIA for information provided to DHS by private companies concerning its oversight of critical infrastructure. Hopefully, the President will consider these issues before making his final decision.
June 23, 2009 at 4:29 pm
Posted in: Privacy, Privacy (Gossip & Shaming), Privacy (Law Enforcement), Privacy (National Security), Technology, Uncategorized
The Many Deaths of Privacy
posted by Frank Pasquale
As they follow the fascinating and heartening “Twitter Revolution” in Tehran, commentators worry that “the regime is prepared to detain dissidents — reportedly using Facebook and Twitter to locate them.” Yesterday also saw new reports of controversy over domestic surveillance by the US National Security Agency. Apparently the “agency routinely examined large volumes of Americans’ e-mail messages without court warrants.” Commentators like Glenn Greenwald and our own Dan Solove have done a great job explaining the legal details of NSA surveillance. I just want to comment on some of the broader social trends that explain the upward ratchet of surveillance around the world.
Worries about the “death of privacy” have been prevalent for some time. We increasingly lack control over (or even awareness of) the digital profiles kept about us by businesses and governments. Another form of privacy—that at the core of the public-private divide—has also been in decline over the past couple decades. As the essays in Freeman and Minow’s book Government by Contract show, “privatization” is often less an arm’s length transaction between government and business than a veritable marriage of institutions. The recent explosion of public-private partnerships in the finance and auto industries further erodes the distinction between government and business. As William J. Novak’s essay in Government by Contract observes, much of what we think of as purely private markets are creatures of state action:
Read the rest of this post »
June 18, 2009 at 8:00 am
Posted in: Google & Search Engines, Privacy, Privacy (Electronic Surveillance), Privacy (Law Enforcement), Privacy (National Security), Social Network Websites
Terrorist Watchlist, Troubling Flaws Revealed
posted by Danielle Citron
Last week, I wrote about how crude algorithms in the name-matching “No Fly” system produce an outsize number of false positives as a matter of deliberate policy. We are willing to tolerate additional delays so that we can stop terrorists from flying. Yesterday, the DOJ’s Office of the Inspector General issued a report that seriously calls into question the bargain that we have struck with regard to the “No Fly” system. The report explains that the FBI (the agency amassing the list that is then matched to travelers’ names) has incorrectly kept 24,000 names on the terrorist watch list on the basis of outdated and irrelevant information, while “missing people with genuine ties to terrorism who should have been on the list.” According to the report, these mistakes not only posed a risk to national security due to the failure to flag actual terrorist suspects, but also created unnecessary delays and detentions for innocent travelers. A fact of great concern: the Inspector General sampled 216 FBI terrorism investigations and found that in 15% of them, a total of 35 subjects were not referred to the list even though they should have been.
During a talk that I gave last week for Princeton University’s Center on Information Technology Policy, Ed Felten (who served on TSA’s Secure Flight Study Group where he studied the No-Fly mechanism) explained that there are two aspects to the no-fly list, one that puts names on the list and the other that checks airline reservations against the list. The two parts operate separately from each other. The FBI heads up the first part, putting names on the list through a secret process that seemingly requires that people on the list be a sufficiently serious threat to aviation security. The other part is the one that I wrote about last week: a data-matching system that checks travelers’ names against the list. Because the matching algorithm requires only an approximate match (because flight reservations so often have misspelled names), we have many false positives so that we can sweep within the system the right match, i.e., the terrorist suspect, along with many innocent others.
So here is the rub: we are willing to live with so many false positives because we trust those amassing the list to ensure that it is accurate and complete. In other words, it is worth all of those false positives if indeed they serve the greater good. Yes, we will endure the delay and perhaps inability to fly if indeed our names are akin to someone’s who is correctly suspected to be a terrorist. But preventing innocent individuals from flying, or subjecting them to questioning, based on matches with other innocent people’s names while failing to do enough homework so that you let real terrorist subjects board airplanes with no hassle? Really? This report suggests reconsidering having a “No Fly” system in its current form at all.
Thanks to Wikimedia Commons for the picture
May 7, 2009 at 7:03 am
Posted in: Administrative Law, Current Events, Government Secrecy, Privacy (National Security), Technology, Uncategorized
Fixing the “No Fly” List and Redress Mess
posted by Danielle Citron
As travelers no doubt know, the “No Fly” computer matching system routinely labels innocent individuals as terrorists. Over half of the tens of thousands of matches sent to the Terrorist Screening Center between 2003 and 2006 were misidentifications. The “No Fly” system has targeted two U.S. Senators, airplane crew members, and an eight-year-old boy. These false positives stem from faulty information stored in “No Fly” databases and from the crude matching algorithms that cannot distinguish between the same or similar names. This system is over-inclusive as a matter of policy: as Ed Felten explains, we tolerate high rates of false positives to lower the rates of false negatives and the concomitant disaster accompanying the error in letting terrorists board airplanes.
At present, approximately 3,800 people a month file redress claims with the DHS Traveler and Redress Inquiry Program (DHS TRIP), which by all accounts has not fixed the problem. Wired blogger Ryan Singel explains that some “lucky ones are given a ‘cleared letter’ and a redress number to help prove they are the terrorist the government is looking for.” Nonetheless, the House Subcommittee on Transportation Security and Infrastructure notes that individuals who have successfully gone through the redress process “continue to experience problems.”
Recent developments suggest that the redress process, and the troubled “No Fly” list, is in for some tinkering. Wired reports that the TSA has begun taking over the job of comparing airline passengers against its terrorist watchlist, relieving airlines of that duty. Under the Secure Flight program, passengers will be required to provide their date of birth and gender when booking flights. The TSA hopes that Secure Flight will reduce the number of false positives and help those who have applied to DHS TRIP for redress. But how TSA will actually do so is somewhat of a mystery as its spokeswoman Lauren Gaches has said that “TSA does not maintain the list and cannot add or remove any names.” In addition, the House recently passed the FAST Redress Act, which would set up an office within DHS to address redress claims in a “timely and fair” manner and require DHS to create a “Comprehensive Cleared List” of people who were wrongly included on the “No Fly” list. The bill, currently under consideration in the Senate, may move the ball in the right direction, providing some kind of procedural due process (though short of technological due process) and some means to clear yourself (perhaps by an official “I am not a terrorist card”).
April 27, 2009 at 7:53 am
Posted in: Administrative Law, Privacy (National Security)
Tracking Online Behavior to Combat Terror in the U.K.
posted by Danielle Citron
As of last week, all Internet traffic in the United Kingdom will be archived for a year’s time. The British government has adopted the European Union directive requiring Internet access providers to store their users’ email traffic (i.e., the authors, date, and time of messages, not the messages themselves), VoIP calls (traditional phone calls are already monitored pursuant to a previously adopted EU directive), and web surfing. Hundreds of public agencies, including law enforcement, will have access to data reservoirs teeming with personal information to fight “crime and terrorism.” The U.K. is poised to amass more data from the private sector in the name of counter-terrorism, considering proposals to require social networking sites, such as Facebook, to retain their British users’ records. The British government has adopted a threat model of governance: emergencies demand extraordinary measures to protect security, no matter the cost to other liberties.
The Obama Administration may not be as opposed to the U.K. approach as might be assumed. In the same week that the British adopted data retention as part of its anti-terror strategy, the Department of Justice vigorously defended the National Security Agency’s surveillance of countless Americans. In Jewel v. NSA, Electronic Frontier Foundation’s lawsuit challenging the National Security Agency’s warrantless wiretapping of Americans, the DOJ invoked the state secrets doctrine, insisting that the case must be dismissed without further inquiry in order to prevent “exceptionally grave harm to national security.” The DOJ also argued that the U.S. Patriot Act immunizes the U.S. from liability under federal wiretapping laws and the Stored Communications Act, going even further than the Bush Administration’s invocation of sovereign immunity for FISA violations. The emergency model of executive power may be here to stay.
April 11, 2009 at 4:07 pm
Posted in: Privacy (Electronic Surveillance), Privacy (Law Enforcement), Privacy (National Security)
The Year in Privacy Books: 2008
posted by Daniel Solove
Here’s a list of notable books about information privacy published in 2008. Pick up a few to help stimulate the economy, save the publishing business, and learn more about privacy:

Colin J. Bennett, The Privacy Advocates: Resisting the Spread of Surveillance (MIT Press 2008)
A very informative account of those who work in the privacy advocacy community.
A great collection of essays, from a symposium at Stanford Law School. A bit dated — the symposium was held in 2003 — but still worth reading. I have a piece in the book discussing data security vulnerabilities and the law — originally penned back in 2003, so I can say “told ya so!”
The best and most comprehensive intellectual history of the Fourth Amendment ever written.
Cory Doctorow, Little Brother (Tor Teen 2008)
A contemporary version of Orwell’s 1984 — thought-provoking and engaging fiction, as usual from Doctorow.

December 27, 2008 at 1:54 pm
Posted in: Articles and Books, Book Reviews, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (Gossip & Shaming), Privacy (Law Enforcement), Privacy (National Security)
Uncle Sam’s Corporate Helpers in the War on Terror
posted by Danielle Citron
Jon Michaels has written a superb article, “All the President’s Spies: Private-Public Intelligence Partnerships in the War on Terror,” recently published by California Law Review, which criticizes the Bush Administration’s informal intelligence-gathering partnerships with private actors, including data brokers, FedEx, and Western Union. As the article explores, this “privatization” of intelligence gathering has operated in the shadows, without legislative or judicial oversight. Michaels’s piece suggests reforms to enhance the accountability of such practices that the Obama Administration and the newly-elected Congress would be wise to heed.
Here is the abstract:
Commentators who have examined the Executive’s post-September 11 practice of persuading corporations to enter into informal and, at times, unlawful intelligence-gathering partnerships have largely viewed the participating firms as co-conspirators, unwitting pawns, or coerced captives of the Executive-and understandably so. After all, participating corporations have been instrumental in enabling U.S. intelligence officials to conduct domestic surveillance and intelligence activities outside of the congressionally imposed framework of court orders and subpoenas, and also outside of the ambit of inter-branch oversight. Yet despite their track record as enablers, corporations are uniquely positioned to help rein in the currently unregulated practices.
This Article analyzes corporate-government agreements and provides the rationale and blueprint for shifting the principal locus of compliance with existing laws (and oversight obligations) from the intelligence officials to the corporations. The inquiry begins by laying out the Article’s fundamental postulates: the intelligence agencies depend on private actors for information gathering; the Executive is institutionally predisposed to seek maximum discretion in conducting intelligence operations, both because of the overwhelming pressure to thwart acts of terrorism and because its officials are relatively immune from serious legal or political sanction for proceeding ultra vires; and, the Executive may choose to conduct intelligence policy through informal collaborations notwithstanding the legal, political, and economic harms these shadowy bargains may generate.
November 13, 2008 at 2:29 pm
Posted in: Privacy (National Security)
FBI Surveillance of Norman Mailer
posted by Daniel Solove
The Washington Post has an interesting article about the FBI’s surveillance of author Norman Mailer:
In the summer of 1962, FBI Director J. Edgar Hoover was scanning his morning Washington Post when an item on Page A15 caught his eye. Norman Mailer’s most recent article in Esquire magazine had mocked Jacqueline Kennedy for, among other things, being excessively soft-spoken for a first lady.
Hoover scribbled a note: “Let me have memo on Norman Mailer.”
Over the next 15 years, FBI agents closely tracked the grand and mundane aspects of the acclaimed novelist’s life, according to previously confidential government files. Agents questioned his friends, scoured his passport file, thumbed through his best-selling books and circulated his photo among informants. They kept records on his appearances at writers conferences, talk shows and peace rallies. They noted the volume of envelopes in his mailbox and jotted down who received his Christmas cards. They posed as his friend, chatted with his father and more than once knocked on his door disguised as deliverymen.
The Mailer file wasn’t publicly known until very recently. According to the Washington Post article:
The bureau’s first confidential memo on Mailer, dated June 29, 1962, noted that the writer “admitted being a ‘Leftist’” and said that he had described the FBI as a “secret police organization” that should be abolished. An informant claimed that Mailer had been invited to a 1953 reception at the Polish Consulate in New York, though it was unknown whether he had attended. The memo quoted Louis Budenz, a former managing editor of the Daily Worker who broke with the Communist Party in 1945, as saying Mailer was a “concealed Communist.”
Apparently, if you want to avoid having an FBI file, don’t mock the First Lady and don’t criticize the FBI.
November 11, 2008 at 2:38 pm
Posted in: Privacy, Privacy (Electronic Surveillance), Privacy (Law Enforcement), Privacy (National Security)
8 Comments
Skepticism About Fighting Terrorists With Data Mining
posted by Danielle Citron
According to the New York Times, the British government is considering setting up a database of all phone, email, and Internet traffic in the country to assist in efforts to fight terrorism and crime. Officials suggested that a database could store all phone numbers dialed, web sites visited, and email addresses contacted by everyone in Britain without storing the content of the phone calls or email messages.
To be sure, such a database would raise serious privacy concerns. But it also provokes a first-order question of whether such databases are even useful in spotting terrorists. The answer to that question appears to be “no.” Recent reports suggest that “data mining is not the silver bullet that architects of programs such as Total Information Awareness believe them to be.” The National Research Council recently produced a 376-page report on data mining, counter-terrorism, and American democracy, which explains that “[a]utomated identification of terrorists through data mining (or any other known methodology) is neither feasible as an objective nor desirable as a goal of technology development efforts.” Although data mining has remarkable success in predicting consumer behavior for advertising and credit card reporting agencies, it has much less success predicting the behavior of terrorists. As ars technica reporter Jon Stokes explains, unlike a computer program’s ability to compare a consumer’s credit history with the history of millions of consumers to predict a person’s likelihood of delinquency, no large dataset of terrorist behavior exists that “can be used to train a data mining application to predict an individual’s intention to commit an act of terror with any degree of confidence.” The NRC report also explains that not only is the training data lacking but the data that the program would be mining has been purposefully corrupted by the terrorists themselves. Terrorists disguise their activities using operational security measures such as code words and encryption, rendering the data that would be mined suspect. In much the same way that credit scores would be worthless if borrowers could manipulate their credit history, data mining for terrorist activities may be a non-starter as terrorists no doubt manipulate the data trails that they leave as they make phone calls and surf the Internet.
October 24, 2008 at 1:55 pm
Posted in: Privacy (National Security)
No Comments
NSA Surveillance: Having a Laugh at the Expense of Your Privacy
posted by Daniel Solove
ABC News reports about a new scandal arising out of the NSA Surveillance Program:
Despite pledges by President George W. Bush and American intelligence officials to the contrary, hundreds of US citizens overseas have been eavesdropped on as they called friends and family back home, according to two former military intercept operators who worked at the giant National Security Agency (NSA) center in Fort Gordon, Georgia.
According to one of the intercept operators, “US military officers, American journalists and American aid workers were routinely intercepted and “collected on” as they called their offices or homes in the United States.” Another intercept operator independently confirmed what the first one had reported.
Not only did they listen in on private conversations, with no connection to terrorism, but they also shared calls that they deemed interesting or funny:
Faulk says he and others in his section of the NSA facility at Fort Gordon routinely shared salacious or tantalizing phone calls that had been intercepted, alerting office mates to certain time codes of “cuts” that were available on each operator’s computer.
“Hey, check this out,” Faulk says he would be told, “there’s good phone sex or there’s some pillow talk, pull up this call, it’s really funny, go check it out. It would be some colonel making pillow talk and we would say, ‘Wow, this was crazy’,” Faulk told ABC News.
Faulk said he joined in to listen, and talk about it during breaks in Back Hall’s “smoke pit,” but ended up feeling badly about his actions. . . .
In testimony before Congress, then-NSA director Gen. Michael Hayden, now director of the CIA, said private conversations of Americans are not intercepted.
“It’s not for the heck of it. We are narrowly focused and drilled on protecting the nation against al Qaeda and those organizations who are affiliated with it,” Gen. Hayden testified.
More from the ABC story here.
I’m not surprised by this story. It is a common problem with government surveillance to reach beyond its limits, and for surveillance officials to disseminate information they find humorous or entertaining. For example, it has happened with CCTV in the UK. Hopefully, next year’s Congress will do a thorough investigation.
October 9, 2008 at 10:20 am
Posted in: Privacy, Privacy (Electronic Surveillance), Privacy (Gossip & Shaming), Privacy (Law Enforcement), Privacy (National Security)
No Comments
Agent Mulder Redux
posted by Danielle Citron
Arstechnica reports that the U.K.’s National Hi-Tech Crime Unit will be producing to the United States government a British citizen who allegedly infiltrated computer systems run by the United States military and numerous federal agencies, including the Pentagon. It appears that the British hacker was searching for proof of “alien life.” U.S. Attorney Paul McNulty of the Eastern District of Virginia intends to pursue charges under the Computer Fraud and Abuse Act, which could result in serious jail time and significant fines.
Computer hacking to steal credit cards, trade secrets, and other valuable information is widespread. Although the pursuit of computer crimes has been slow to evolve, this extradition request and the recent arrest of 11 members of an international identity theft ring that stole 41 million credit and debit card numbers may signal to would-be hackers that they face the real risk of prosecution. It would be heartening to see the Department of Justice put its resources behind pursuing hackers who inflict serious financial and personal harm. Perhaps we could call any uptick in such prosecutions the Mulder Effect.
September 10, 2008 at 6:56 am
Posted in: Privacy (National Security)
No Comments
The Clear and Present Danger of Cyber Warfare
posted by Danielle Citron
Malicious hacking and denial of service attacks are potent weapons of twenty-first century warfare. Recently, Russian and Georgian hackers attacked vital websites in each other’s countries as troops fought on the ground. They shut down government portals. Hackers defaced government websites (e.g., routing visitors to the Georgian President’s website to a site that portrayed him as a modern-day Hitler). Although cyber attackers have not yet significantly disrupted or destroyed government systems in the United States, they have stolen sensitive information about weapon systems from the U.S. government and its defense contractors. Cyber attackers invaded the State Department’s highly sensitive Bureau of Intelligence and Research, posing a risk to CIA operatives in embassies around the world. Online espionage is a serious problem—attacks on military networks were up 55% last year. U.S. officials reportedly believe the attacks come from the Chinese government.
The United States seems to appreciate the dangers of cyber warfare. According to Business Week, the U.S. is engaged in a classified operation to detect, track, and disarm intrusions on the government’s most critical networks. President Bush signed an order known as the Cyber Initiative to overhaul the government’s cyber defenses at a cost in the tens of billions. However, in testimony before the Senate Armed Services Committee, National Intelligence Director McConnell asserted that the “federal government is not well protected.” He warned that attackers can enter information systems and destroy data and systems related to the “money supply, electric-power distribution, and transportation sequencing.”
Despite attention to the matter in the U.S., the better part of the world does not take cyber warfare seriously, leaving their networks increasingly vulnerable to attack. This is not unusual—few appreciated the importance and potency of propaganda campaigns at the beginning of World War II until the power of such propaganda became readily apparent and deeply rooted. Broad attention should be paid to cyber attacks. Online sabotage compounds the dangers inherent in national conflicts. Nations may be unable to decelerate tensions through online communications. Cyber attacks convey inaccurate information that can inflame public opinion, limiting leaders’ political room to defuse tensions. The dangers of cyber warfare thus should not be underestimated.
September 2, 2008 at 4:58 pm
Posted in: Architecture, Current Events, Privacy (National Security)
One Comment
The New Foreign Intelligence Surveillance Act
posted by Daniel Solove
I have been following the new FISA Amendments Act of 2008, but I have refrained from chiming in, as many others have been doing terrific blogging on the issue. Of particular note:
* David Kris, A Guide to the New FISA Bill (I, II, III)
* Wes Alwan, Understanding Recent Changes to FISA — A Visual Guide (Flowchart)
* Orin Kerr, The New FISA Law and the Misleading Media Coverage of It
* Marty Lederman, The Privacy-Protective Components of the New FISA Law
* Jack Balkin, The New FISA Law and the Construction of the National Surveillance State
I’ve been particularly dismayed at the Democrats’ strategy in dealing with the FISA Amendments. Why bother to try to negotiate a FISA compromise with a presidential administration that has shown nothing but contempt for the law to begin with? The Bush Administration, instead of going to Congress and requesting a change in the FISA, went ahead and blatantly violated that law. And the Administration said it would continue to violate the law, so what’s the pressing need to fix the FISA, especially when negotiating with an Administration that only will meet you about 2% of the way? Why force Obama to make a difficult choice about voting on the law, risking either looking weak on security or like a sell-out? Why not wait a few months and then pass a law with a new administration, one that will hopefully be easier to negotiate with? And how is this law any more binding on a president who says he has the right to violate a law based on his Article II powers?
Future presidents can learn a lot from all this — do exactly what the Bush Administration did! If the law holds you back, don’t first go to Congress and try to work something out. Secretly violate that law, and then when you get caught, staunchly demand that Congress change the law to your liking and then immunize any company that might have illegally cooperated with you. That’s the lesson. You spit in Congress’s face, and they’ll give you what you want.
The past eight years have witnessed a dramatic expansion of Executive Branch power, with a rather anemic push-back from the Legislative and Judicial Branches. We have extensive surveillance on a mass scale by agencies with hardly any public scrutiny, operating mostly in secret, with very limited judicial oversight, and also with very minimal legislative oversight. Most citizens know little about what is going on, and it will be difficult for them to find out, since everything is kept so secret. Secrecy and accountability rarely go well together. The telecomm lawsuits were at least one way that citizens could demand some information and accountability, but now that avenue appears to be shut down significantly with the retroactive immunity grant. There appear to be fewer ways for the individual citizen or citizen advocacy groups to ensure accountability of the government in the context of national security.
That’s the direction we’re heading in — more surveillance, more systemic government monitoring and data mining, and minimal oversight and accountability — with most of the oversight being very general, not particularly rigorous, and nearly always secret — and with the public being almost completely shut out of the process. But don’t worry, you shouldn’t get too upset about all this. You probably won’t know much about it. They’ll keep the dirty details from you, because what you don’t know can’t hurt you.
July 11, 2008 at 8:31 pm
Posted in: Privacy, Privacy (Electronic Surveillance), Privacy (Law Enforcement), Privacy (National Security)
14 Comments
The Privacy Paradox
posted by Daniel Solove
Over at the New York Times’s Bits blog, Brad Stone writes:
Researchers call this the privacy paradox: normally sane people have inconsistent and contradictory impulses and opinions when it comes to their safeguarding their own private information.
Now some new research is beginning to document and quantify the privacy paradox. In a talk presented at the Security and Human Behavior Workshop here in Boston this week, Carnegie Mellon behavioral economist George Loewenstein previewed a soon-to-be-published research study he conducted with two colleagues.
Their findings: Our privacy principles are wobbly. We are more or less likely to open up depending on who is asking, how they ask and in what context.
In one interesting experiment, students who were provided strong promises of confidentiality were less forthcoming about personal details than students who weren’t provided such promises. The researchers explained this behavior as based on the fact that when an issue is raised in people’s minds, they think about it more and are likely to be more concerned about it. Ironically, promising people that their privacy will be protected actually makes them think more about the dangers of their privacy being breached.
There is indeed a growing body of research that examines why people frequently state in polls that they value privacy highly yet in practice trade their privacy away for trinkets or minor increases in convenience. The work of Professor Alessandro Acquisti explores some of the reasons why people might not make rational decisions regarding privacy despite their desire to protect it.
I have also written about this in my new book, UNDERSTANDING PRIVACY (Harvard University Press, May 2008). In particular, I argue that looking at expectations of privacy is the wrong approach toward understanding privacy:
If a more empirical approach to determining reasonable expectations of privacy were employed, how should the analysis be carried out? Reasonable expectations could be established by taking a poll. But there are several difficulties with such an approach. First, should the poll be local or national or worldwide? Different communities will likely differ in their expectations of privacy. Second, people’s stated preferences often differ from their actions. Economists Alessandro Acquisti and Jens Grossklags observe that “recent surveys, anecdotal evidence, and experiments have highlighted an apparent dichotomy between privacy attitudes and actual behavior. . . . [I]ndividuals are willing to trade privacy for convenience or to bargain the release of personal information in exchange for relatively small rewards.” This disjunction leads Strahilevitz to argue that what people say means less than what they do. “Behavioral data,” he contends, “is thus preferable to survey data in privacy.”
But care must be used in interpreting behavior because several factors can affect people’s decisions about privacy. Acquisti and Grossklags point to the problem of information asymmetries, when people lack adequate knowledge of how their personal information will be used, and bounded rationality, when people have difficulty applying what they know to complex situations. Some privacy problems shape behavior. People often surrender personal data to companies because they perceive that they do not have much choice. They might also do so because they lack knowledge about the potential future uses of the information. Part of the privacy problem in these cases involves people’s limited bargaining power respecting privacy and inability to assess the privacy risks. Thus looking at people’s behavior might present a skewed picture of societal expectations of privacy.
July 3, 2008 at 1:04 pm
Posted in: Privacy, Privacy (Consumer Privacy), Privacy (Law Enforcement), Privacy (National Security)
6 Comments






