When you hear that E-Verify and REAL ID databases will be secure, be sure to ponder this. (Via FREEDOMand[STUFF].org)
Privacy, Security & Government Surveillance 
The concept of deep packet inspection has come up a couple of times here at the Progress & Freedom Foundation’s Aspen Summit. And I’ve been interested to find people in other fora talking about deep packet inspection in the way they used to talk about cookies: “You’ll get to like once you understand what it is.”
I’m not so sure. Here’s a sample discussion of the issue among us TLFers, conducted on Twitter yesterday. (I’ve reorganized the tweets, so you can read from top to bottom.)
Over on Techdirt, Mike Masnick discusses an interesting new survey that highlights the sharp disconnect between how much we claim privacy matters to us and how far we’re willing to go to safeguard it. America Online polled 1,000 users in the United Kingdom, and the results further reinforce what other recent studies have suggested:
The study found 84% of users say they carefully guard their info online — but when tested, 89% of people actually did give away info in the same exact survey.
The AOL survey brings to mind security guru Bruce Schneier’s insightful quip on privacy from back in 2001:
If McDonald’s in the United States would give away a free hamburger for a DNA sample they would be handing out free lunches around the clock. So people care about their privacy, but they don’t care to pay for it.
When presented with the option of sacrificing a bit of privacy for something of value, like a chocolate bar or a free gift certificate, many users are surprisingly willing to dole out data to third parties for commercial use. And the value of personal details to marketers is massive. As social networking sites and ad-serving networks amass ever greater knowledge of our hobbies, political views, and even our favorite music, these sites are getting better at mining data to tailor ads with pinpoint precision, commanding high click rates while sustaining server farms and original content publishers.
Sometimes, items come across my desk(top) that are almost too obvious to make note of, but it’s probably worthwhile to highlight the e-passport.
Adam Laurie and Jeroen van Beek, at the Black Hat security conference in Las Vegas, showed the Business Technology Blog how to capture and change information stored on chips included in new passports from many countries. . . . Laurie showed us his son’s British passport, in which he embedded a chip that displays Osama Bin Laden’s photograph. The passports have a key needed to access the electronic information, but it is taken from information found in the passport like the date of birth. Laurie was able in about four hours to decipher the key and use an RFID scanner to steal the digital information from a passport contained in a sealed envelope.
The State Department implemented the e-passport with no sense of the ends it was trying to achieve. Naturally, the means it chose weren’t well suited.
Though I don’t think you’re going to cost-effectively stop or slow terrorism at the borders, Customs and Border Patrol may be less able to interdict bad people at the borders because of the e-passport misadventure.
A friend has forwarded me the apology that Clear apparently sent out to all its members today. A laptop with information about new enrollees went missing for a while. It’s a minor security breach, but these things tend to get overblown, so there’s no alternative but to address it forthrightly. Er, no good alternative . . . .
My reason for not using Clear, by the way, is not the risk of breaches like this. It’s registering with the government (through Clear) for preferential treatment when traveling. Other than that, Clear is a very cool privately issued credentialing system whose virtues I regularly tout.
Clear’s apology, after the break: Continue reading →
The strange bedfellows in the Accountability Now PAC are organizing a money bomb for August 8th, and are asking bloggers to post things like this:
If you were outraged by the FISA “compromise” that immunized law-breaking on the part of telecommunications companies – and if your outrage lasts – you might want to join in the fun.
Anyone interested in the long-running debate over how to balance online privacy with anonymity and free speech, whether Section 230‘s broad immunity for Internet intermediaries should be revised, and whether we need new privacy legislation must read the important and enthralling NYT Magazine piece “The Trolls Among Us” by Mattathias Schwartz about the very real problem of Internet “trolls“–a term dating to the 1980s and defined as “someone who intentionally disrupts online communities.”
While all trolls “do it for the lulz” (“for kicks” in Web-speak) they range from the merely puckish to the truly “malwebolent.” For some, trolling is essentially senseless web-harassment or “violence” (e.g., griefers), while for others it is intended to make a narrow point or even as part of a broader movement. These purposeful trolls might be thought of as the Yippies of the Internet, whose generally harmless anti-war counter-cutural antics in the late 1960s were the subject of the star-crossed Vice President Spiro T. Agnew‘s witticism:
And if the hippies and the yippies and the disrupters of the systems that Washington and Lincoln as presidents brought forth in this country will shut up and work within our free system of government, I will lower my voice.
But the more extreme of these “disrupters of systems” might also be compared to the plainly terroristic Weathermen or even the more familiar Al-Qaeda. While Schwartz himself does not explicitly draw such comparisons, the scenario he paints of human cruelty is truly nightmarish: After reading his article before heading to bed last night, I myself had Kafka-esque dreams about complete strangers invading my own privacy for no intelligible reason. So I can certainly appreciate how terrifying Schwartz’s story will be to many readers, especially those less familiar with the Internet or simply less comfortable with the increasing readiness of so many younger Internet users to broadcast their lives online.
But Schwartz leaves unanswered two important questions. The first question he does not ask: Just how widespread is trolling? However real and tragic for its victims, without having some sense of the scale of the problem, it is difficult to answer the second question Schwartz raises but, wisely, does not presume to answer: What should be done about it? The policy implications of Schwartz’s article might be summed up as follows: Do we need new laws or should we focus on some combination of enforcing existing laws, user education and technological solutions? While Schwartz focuses on trolling, the same questions can be asked about other forms of malwebolence–best exemplified by the high-profile online defamation Autoadmit.com case, which demonstrates the effectiveness of existing legal tools to deal with such problems.
First, an excerpt:
[W]hen you search with Cuil, we do not collect any personally identifiable information, period. We have no idea who sends queries: not by name, not by IP address, and not by cookies (more on this later). Your search history is your business, not ours.
Next, the obligatory read the whole thing.
Because you can. It’s just a little over 500 words.
Frankly, I don’t expect the scholars, lawyers, and judges who have been steeping in traditional Fourth Amendment doctrine their entire careers to get the thesis of my recent American University Law Review article. But you can! And, eventually, if I do enough work, they will.
Here are some highlights from the introduction to “Reforming Fourth Amendment Privacy Doctrine“:
Since 1967, the Supreme Court and lower courts have relied too heavily on an unreliable test that arose from the leading Fourth Amendment case, Katz v. United States. Distracted by Justice Harlan’s concurrence in the case and befuddled by the concept of “privacy,” courts have ignored the simple rule of the actual holding in Katz and conditioned Fourth Amendment rights on surmises about privacy “expectations.” Privacy is a real thing that need not be a matter of conjecture. The Katz Court held that personal information was protected by the Fourth Amendment because, as a factual matter, the defendant had kept it private. Installing a wiretap to overcome Katz’s use of law and physics to conceal information was unreasonable without a warrant. The Court did not base its holding on open-ended “expectations” or “reasonableness,” as Justice Harlan’s concurrence suggested, but on the affirmative steps Katz took to conceal that information. . . . If an individual has secured the privacy of particular information, the Fourth Amendment focuses on the reasonableness of the government’s actions in undoing that privacy, not on the reasonableness of the individual’s expectations.
There’s an interesting contrast between Bamford’s book about the NSA and Theoharis’s tome on the FBI. Theoharis documents an agency that was, at least under J. Edgar Hoover, basically criminal. Between World War II and Watergate, it put legitimate criminal investigation on the back burner while it focused on Hoover’s personal priorities of blackmail, voyeurism, and political manipulation. In contrast, Bamford, writing in 2001, portrays the NSA as a basically law-abiding agency that has yet to seriously abuse its massive powers. In some cases, such as Project SHAMROCK, the NSA did things that were technically illegal, but as Bamford tells it they were nonetheless scrupulous about obeying the spirit of the law, suppressing information about US persons if they were not directly related to legitimate intelligence-gathering or law-enforcement activities.
As we see on pp. 450-1, Bamford in 2001 saw the threats from the NSA as largely theoretical:
NSA’s major push into law enforcement came with the fall of the Berlin Wall and the collapse of communism. “Because the Soviet Union was no longer a threat,” said Baker, “some of the resources devoted to extracting its secrets could be turned to other tasks, to other foreign targets. But some of those foreign targets had a domestic tinge. As topics like international narcotics trafficking, terrorism, alien smuggling, and Russian organized crime rose in priority for the intelligence community, it became harder to distinguish betweeen targets of law enforcement and those of national security.”
The Technology Liberation Front is the tech policy blog dedicated to keeping politicians' hands off the 'net and everything else related to technology.