Privacy, Security & Government Surveillance

I mentioned briefly earlier the expansion of the US-VISIT program to collecting ten fingerprints. I’ve done more thinking on it, and will now victimize you with that.

The Department of Homeland Security announced this week that it would begin collecting 10 fingerprints from foreign visitors to the United States, an extension of the US-VISIT program. This looks like another self-injurious overreaction to the threat of terrorism.

I don’t think collecting ten fingerprints in the US-VISIT program violates civil liberties. People have a diminished right against search and seizure at our international borders. But it is a serious privacy concern for visitors to the U.S.

Their biometrics are entered into a U.S. government database and they have no idea what may be done with that information in the future. DHS keeps that data for 75 years. Yes, lawful visitors to this country, who come to snap pictures of the Statue of Liberty and teach their kids about the United States, go into a U.S. government database for the rest of their lives. It’s just insulting to the millions of good people who want to visit us.

With that, let’s do a rough cost-benefit analysis of collecting 10 fingerprints from foreign visitors to the U.S. It appears to be another security program whose costs outweigh its benefits.

Continue reading →

Visitors to the United States are now being required to share 10 fingerprints on entering the country. Here’s the text of a release the DHS is sending around. (I’ll link to it when I find it online.)

WASHINGTON – The U.S. Department of Homeland Security (DHS) is now collecting additional fingerprints from international visitors arriving at Washington Dulles International Airport (Dulles). The change is part of the department’s upgrade from two- to 10-fingerprint collection in order to enhance security and fingerprint matching accuracy.

“Anyone who’s watched the news or seen crimes solved on television shows can appreciate the power of biometrics,” said Homeland Security Secretary Michael Chertoff. “They help the legitimate traveler proceed more quickly while protecting their identity and enable our frontline personnel to focus even greater attention on potential security risks. Biometrics tell the story that the unknown terrorist tries to conceal, and it causes them to question whether they’ve ever left a print behind.”

I wonder how visitors from other countries feel being asked to submit fingerprints and go through biometric background checks just to come here and visit. I’m not sure we’re the beacon of liberty we used to be.

Shane Harris of National Journal has a good article out on the telecom immunity question.

Privacy is a dimension of goods and services just like any other – price, quality, customer service, “green” values, etc. As rarely as the consuming public demands privacy (alas), it’s worth pointing out when it does. I think the Facebook “beacon” brouhaha is a good example.

As I have yet to believe in the ‘phenomenon’ of social networking, I haven’t followed it carefully, but Facebook rolled out an ‘ingenious’ advertising program that – incidentally – was very privacy-invasive. After a week or two of unceasing derision from a number of quarters, the company has admitted error and backed away.

Now, I believe that this is the market functioning. The most persistent (and obnoxious!) critic of Facebook in my field of vision was ValleyWag. But MoveOn.org also petitioned the company, another iteration of market pressure – any such communication from the public implicitly threatens direct action against a company’s bottom line.

Others may believe that threatened complaints to the FTC prompted Facebook to see the error in its ways. These folks would accordingly credit government regulation and the threat of regulation.

It would be worth studying as an empirical matter what inputs Facebook CEO Mark Zuckerberg was exposed to, and what most influenced him and his team. I bet the derision of commentators and his local, tech-industry peers was strongest. That’s the market working.

But I’d be happy to consider better surmise – or even actual evidence!

Though I haven’t studied the company’s involvement in REAL ID promotion, my sense is that identification technology provider Digimarc has staked a lot on the national ID law. So it is with some pleasure that I note the announcement by their Chairman and CEO, Bruce Davis, that the company will fail to turn a profit this year.

Davis said the 2008 outlook is also clouded by the uncertainty over federal regulations for an identification system known as Real ID. The CEO said the revenue effects from the completion of regulations may not occur until late 2008 or 2009.

Actually, Bruce, the revenue affects from the completion of the regulations may not occur at all.

When I talk about identification issues, I often go to my wallet and show the “fake” ID that I carry with me. Several people have asked me over time where to get one.

I use this card whenever I get “bogus” ID requests – requests at hotels, office buildings, and such where they have no business seeing my ID and they don’t get anything from doing so.

The card has only been refused twice – once at the Sears Tower in Chicago, and once when I tried to use it at airport security. (Regulations there specify government-issued ID. I went through secondary search because I told them I didn’t have one.) Everywhere else, they are just checking to see that you are carrying a card. I haven’t tried to use the card for proof of age – most jursidictions require government-issued ID for this purpose.

The card I use has accurate information on it (except for my weight . . .), but it reflects my own assertions about myself, rather than any government’s or other card issuer’s. It’s very exciting to use this card the first few times. You really feel like you’re getting away with something. In fact, you’re just proving to yourself that “identity checks” are empty ritual.

More people should do this, so why don’t you join in the fun?

YouFinishIt.com is where I got mine. They have a nice array of cards that appear quite fancy and official looking. I got the “Standard Identification” card.

To my knowledge, none of their cards are knock-offs of any other issuers’ cards, and I don’t recommend using cards like this for any fraudulent purpose. I don’t think presenting an ID with inaccurate identifiers is fraudulent when the recipient does not rely on that information. It’s like tipping your hat to someone whom you don’t really mean to wish well. So, go for it!

Ed Felten has announced a workshop at Princeton’s Center for Information Technology Policy called “Computing in the Cloud.”

“Computing in the cloud” refers to the trend toward online services that run in a Web browser and store users’ information in a provider’s data center. Examples include webmail services such as Hotmail and Gmail, online photo sites such as Flickr, social networks such as Facebook and Myspace, office suites such as Google Docs, markets such as eBay, and many more.

This is an important subject and the workshop looks like it will explore some very interesting issues. Among them is the increasingly outdated doctrine that information held by third parties cannot be the subject of Fourth Amendment protection. (The problem was summarized well by Julian Sanchez on TechDirt a few days ago.)

Here’s my problem: The Internet is not a cloud! It is a network of telecommunications providers and Internet service providers that have legal commitments to one another and to end-users. I’m concerned with talk of the Internet or computing as happening in a “cloud” because this could be used to deny the rights and responsibilities of each actor in the network.

Clouds drop water as rain at random across the earth. The Internet should not do that with data, and we shouldn’t talk about it as a thing that could.

The Honorable Peter Hoekstra has taken to the august (virtual) pages of National Review to further muddy the waters of the debate over Joe Klein’s column. It would take a lot more time than I’ve got to untangle all the distortions and obfuscations of his arguments, so let me just jump to his particularly egregious concluding paragraphs:

It’s hard to imagine General Eisenhower going to court to ask for permission to conduct the D-Day invasion on the off-chance Americans might be on the beaches of Normandy. Yet this is exactly what Democrats want to force Admiral McConnell to do to conduct terrorist surveillance. At the end of the day, we should be honest that this is not a legal debate, but a political one. It highlights the fact that Democrats believe that lawyering-up foreign intelligence to guard against every imagined or potential civil-liberties concern is more important than ensuring that we have the full capability to conduct quick and effective surveillance of foreign al-Qaeda targets in foreign countries. I’ll welcome that debate anytime.

Now, in the first place, absolutely no one is proposing that the FISA court have jurisdiction over wiretapping activities that occur overseas. If the US Army wants to tap an Iraqi cell phone tower, or if the CIA wants to tap an underseas optical cable outside of the US territorial waters, neither the current FISA law nor any proposed changes would require court oversight of those activities. So the Eisenhower hypothetical is a total non-sequitur. Unless General Eisenhower somehow needed to tap American phone lines in order to carry out the D-Day invasion, none of the bills under consideration would have had any effect on his activities.

He says he’s worried about the ability to “conduct quick and effective surveillance of foreign al-Qaeda targets in foreign countries.” But the only time the Restore Act would require judicial scrutiny of “surveillance of foreign al-Qaeda targets in foreign countries” is when that surveillance requires ordering American telecom companies to install wiretaps on American soil, and when one end of that communication is likely to be on American soil. That’s a tiny fraction of our foreign intelligence-gathering activities, and so the Restore Act would place a correspondingly small burden on the executive branch.

Finally, when Hoekstra talks about “lawyering-up foreign intelligence,” he neglects to mention that every single proposed bill, the Restore Act included, expands the executive branch’s ability to engage in warrantless surveillance and restricts the courts’ oversight role compared to the status quo. Nobody is “lawyering up” anything. The debate is between Democrats who support only modest reductions in judicial oversight and a White House that is demanding the complete emasculation of judicial oversight of domestic-to-foreign eavesdropping.

Wow. Here, in its entirety, is Time’s “correction” to Joe Klein’s error-ridden column on the Restore Act:

In the original version of this story, Joe Klein wrote that the House Democratic version of the Foreign Intelligence Surveillance Act (FISA) would allow a court review of individual foreign surveillance targets. Republicans believe the bill can be interpreted that way, but Democrats don’t.

Glenn Greenwald gets this exactly right:

Leave aside the false description of what Klein wrote. He didn’t say “that the House Democratic version of the Foreign Intelligence Surveillance Act (FISA) would allow a court review of individual foreign surveillance targets.” He said that their bill “would require the surveillance of every foreign-terrorist target’s calls to be approved by the FISA court” and “would give terrorists the same legal protections as Americans.” But the Editor’s false characterization of Klein’s original lie about the House FISA bill is the least of the issues here.

Continue reading →