USA Today is backing off its previous claims that BellSouth and Verizon shared customer calling records with the NSA, but is sticking by its contentions that AT&T did so. The paper now says that it can’t definitively confirm that BellSouth or Verizon participated in the program, although it says four Congressional sources say that “Verizon’s subsidiary MCI did turn over records to the NSA.”
Of course, the fact that USA Today can’t prove that records were turned over by Verizon or BellSouth doesn’t mean it didn’t happen. Which is why programs like this ought not to be conducted in secret. Voters and customers deserve to know if they’re being spied on. There might be legitimate reasons for such spying, but if so the president should be willing to publicly ask Congress for authorization for the program, so there can be a public debate about its costs and benefits. (And no, such a debate wouldn’t compromise national security: terrorists already know their phones might be tapped, and are presumably already taking measures to avoid detection.)
Luckily, EFF’s lawsuit was filed against the company that everyone seems to agree has been cooperating with the NSA’s spying program.
Ed Felten wraps up his excellent series on high-tech wiretapping by considering the risks of abuse created by the existence of pervasive wiretapping infrastructure:
The best argument against content-triggered wiretaps is the risk of abuse. By “abuse” I mean the use of wiretaps, or information gleaned from wiretaps, illegally or for the wrong reasons. Any wiretapping regime is subject to some kind of abuse–even if we ban all wiretapping by the authorities, they could still wiretap illegally. So the risk of abuse is not a new problem in the high-tech world.
But it is a worse problem than it was before. The reason is that to carry out content-triggered wiretaps, we have to build an infrastructure that makes all communications available to devices managed by the authorities. This infrastructure enables new kinds of abuse, for example the use of content-based triggers to detect political dissent or, given enough storage space, the recording of every communication for later (mis)use.
Such serious abuses are not likely, but given the harm they could do, even a tiny chance that they could occur must be taken seriously. The infrastructure of content-triggered wiretaps is the infrastructure of a police state. We don’t live in a police state, but we should worry about building police state infrastructure. To make matters worse, I don’t see any technological way to limit such a system to justified uses. Our only real protections would be oversight and the threat of legal sanctions against abusers.
I think this is a good point, but I think it’s actually much worse than that. Here’s the problem: the ultimate safeguard of our freedom is the possibility of public backlash. When Richard Nixon was caught abusing the power of the presidency, the resulting public backlash forced him out of office. In my opinion, President Bush has also been caught abusing the powers of his office, but so far there’s been no comparable public outrage.
Today seems to be the day for Missouri NSA stories! Salon is reporting that an AT&T network operations center in Bridgeton, MO (a St. Louis suburb), has had a secret room since 2002 that is being used by a government agency:
In interviews with Salon, the former AT&T workers said that only government officials or AT&T employees with top-secret security clearance are admitted to the room, located inside AT&T’s facility in Bridgeton. The room’s tight security includes a biometric “mantrap” or highly sophisticated double door, secured with retinal and fingerprint scanners. The former workers say company supervisors told them that employees working inside the room were “monitoring network traffic” and that the room was being used by “a government agency.”
The details provided by the two former workers about the Bridgeton room bear the distinctive earmarks of an operation run by the National Security Agency, according to two intelligence experts with extensive knowledge of the NSA and its operations. In addition to the room’s high-tech security, those intelligence experts told Salon, the exhaustive vetting process AT&T workers were put through before being granted top-secret security clearance points to the NSA, an agency known as much for its intense secrecy as its technological sophistication.
Fortunately, the NSA says it “takes its legal responsibilities seriously and operates within the law,” so there’s probably nothing to worry about.
That’s probably the only time you’ll ever see that headline on TLF, but my hometown paper has a front page article describing how Missouri telecom regulators have subpoenaed AT&T for details on any information they might have shared with the NSA:
The subpoenas, along with a growing number of legal challenges here and elsewhere, set the stage for confrontations between civil liberties and national security – and between state and federal governments.
The challenges accuse the government of abusing anti-terrorism laws, and AT&T of allowing government agencies to monitor millions of phone calls and e-mails without legal authority.
For its part, AT&T says it is in a tough spot – the company says it is bound by national security laws not to reveal what it might have done.
Confrontation of some sort seems all but certain. The regulators served their subpoenas Monday after receiving a letter last week from AT&T that says the company cannot and will not answer any questions.
Frankly, I hope AT&T’s spot gets a lot tougher before this is all over. Maybe next time they’ll take the high road like Qwest and tell the NSA to come back when they have a warrant.
The Washington Post reports today that “Virginia’s public and private colleges and universities soon will be required to submit the names and Social Security numbers of tens of thousands of students they accept each year to state police for cross-checking against sexual offender registries.” The law, recently signed by Gov. Tim Kaine, is aimed at tracking sex offenders. It “also requires Department of Motor Vehicles officials to turn over personal information to police any time a Virginian applies for a license or change of address.”
“I’ve got two kids in college right now,” said Kenneth W. Stolle (R-Virginia Beach), the bill’s chief sponsor in the state Senate. “You’re going to have a . . . hard time explaining to me why my daughter is living next door to a sexual offender. My guess is every parent out there would have the same expectation that I do.”
Since it doesn’t take more than a stolen laptop to put 2.2 million identities in jeopardy, and since one person’s Social Security number can be used fraudulently by up to 80 different people, I’m not sure I want my information spread any wider than it already has to be. And it’s not clear to me why I, an innocent (I assure you) private citizen, am forced to get a background check before I can enroll in a private institution, which may otherwise not care about my background. If your daughter is living next to an ex-offender, it’s because that’s life. What’s next? Legislating safety scissors and circles of paper?
Vacation? What vacation? There’s WiFi in my Frankfurt rental apartment! I’m here attending the opening round of the World Cup, Adam’s most-loved sport, and tickets to the games have RFID chips embedded in them.
Last week, the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee met in San Francisco. The most interesting thing about the meeting to me was leaving without showing ID at the airport. But one of the items of highest interest at the meeting was a draft report put forward by a subcommittee of the DPIAC suggesting that RFID should be disfavored for human tracking.
It was subject to some exaggerated reporting, and some RFID industry folks went into a bit of a tizzy. Penny-wise-and-pound-foolishly, they seem to believe that they should preserve the multi-million-chip market for RFID in identification cards, even though doing so frustrates and delays the development of a market for RFID on the packaging of consumer goods, which easily could reach tens or hundreds of billions of tags.
In a near analogy to tagging identification documents, the World Cup has issued a couple million tickets with RFID chips embedded in them. Getting RFID readers into German stadiums makes it likely that club teams will use RFID chips in their tickets henceforth. Kudos to the wily Philips Corporation for using its World Cup sponsorship to create an installed base of RFID-using venues.
So let’s look at how mighty RFID adds value to the soccer ticket – and what part of any value goes to fans, organizers, or RFID manufacturers and integrators (after the jump).
The DC Circuit Court of Appeals has ruled that VoIP-based telephone companies are subject to CALEA, the 1994 law mandating that phone companies install infrastructure to facilitate court-ordered wiretaps. The FCC has set a deadline of May 2007 for all VoIP providers to comply.
Back in October, when the FCC first announced its intention to expand CALEA to cover VoIP providers, Sen. Leahy, one of CALEA’s sponsors, objected:
Congress recognized the unique architecture of the Internet and explicitly excluded it from the scope of CALEA’s surveillance design mandates, and we did that to allow Congress to re-visit the appropriateness of such an extension as the Internet developed. Any extension of CALEA–a law written for the telephone system in 1994–to the Internet in 2005 would be inconsistent with congressional intent.
I don’t think it’s obvious how the courts should have ruled here. Vonage does present itself as an alternative to a traditional phone line, and it does interface extensively with the PSTN. Although I’d rather the federal government have as little power over the Internet as possible, it’s not clear to me that Vonage and its ilk shouldn’t be classified as telephone companies.
What is clear, though, is that the FCC’s definitional headaches will only get worse. Skype is very careful to emphasize that it’s not a replacement for phone service, and the vast majority of Skype users call other Skype users without using the PSTN. There are pure VoIP services like Apple’s iChat and Google Talk that don’t interface with the PSTN at all. And then there are services like XBox Live that allow users to chat with one another during video games. If the FCC is going to start requiring Vonage and (perhaps) Skype to comply with CALEA, they’re going to have to decide how “phone like” an application has to be before it gets classified as such.
And of course, CALEA’s not the only regulatory scheme that applies to phone companies. We’ve also got Universal Service fees, E911 service, and probably others. If the FCC piles too many requirements on services it classifies as “phone like,” it’ll lead to the fragmentation of phone connectivity, as “pure” VoIP applications refuse to interface with the PSTN for fear of triggering all those regulatory obligations. That will mean that grandma with her land line can’t call junior on his Google phone. That wouldn’t be the end of the world, but it’s probably not what the FCC is trying to accomplish.
The data retention issue is joined. “Data retention” is the idea of requiring companies to hold on to data about their customers in case the authorities later find it would be useful to them.
I don’t think enough can be said about what a perversion of law enforcement in the United States this would be. Because the Fourth Amendment inconveniently requires the government to have reasonable grounds to investigate people, Congress and the Department of Justice are considering outsourcing the task by requiring the corporate sector to conduct mass surveillance.
In a series of articles, Declan McCullagh of C|Net News lays out the latest. A project of law enforcement that has already taken root in the supposed privacy haven of Europe, data retention is a major increment toward a Big Brother state.
There will be plenty to say if this goes forward, but a few things are worth highlighting:
- There is no sound distinction between collecting “traffic data” and collecting “content.” Indeed, traffic data – records of phone calls, connections to the Internet, and so on – can be very revealing information. Once ISPs are required to collect and keep one, they are bound to end up required to collect and keep the rest.
- There is no intellectual distinction between retaining data for a short time and retaining data for a long time (and the cost of doing so will drop). The government’s original demand – a brief window into Americans’ data, “for further review” – will expand along the time dimension, ineluctably, and we will not be able to bargain with Internet service providers for privacy protections that deep-six past embarrassments and peccadilloes.
- Information is not just “there” for the taking. Some in law enforcement may believe that information, once produced, should be available to them. Not true. Information has qualities equivalent to property. We constantly hoard it, share it, hide it, and broadcast it in the course of directing our lives. A government mandate that prevents this takes power from all of us. And does so in direct contravention of founding principles.
Online security expert Bruce Schneier has an excellent article on the NSA spying program:
Data mining works best when you’re searching for a well-defined profile, a reasonable number of attacks per year, and a low cost of false alarms. Credit-card fraud is one of data mining’s success stories: All credit-card companies mine their transaction databases for data for spending patterns that indicate a stolen card.
Many credit-card thieves share a pattern–purchase expensive luxury goods, purchase things that can be easily fenced, etc.–and data mining systems can minimize the losses in many cases by shutting down the card. In addition, the cost of false alarms is only a phone call to the cardholder asking him to verify a couple of purchases. The cardholders don’t even resent these phone calls–as long as they’re infrequent–so the cost is just a few minutes of operator time.
Terrorist plots are different; there is no well-defined profile and attacks are very rare. This means that data-mining systems won’t uncover any terrorist plots until they are very accurate, and that even very accurate systems will be so flooded with false alarms that they will be useless…
Finding terrorism plots is not a problem that lends itself to data mining. It’s a needle-in-a-haystack problem, and throwing more hay on the pile doesn’t make that problem any easier. We’d be far better off putting people in charge of investigating potential plots and letting them direct the computers, instead of putting the computers in charge and letting them decide who should be investigated.
By allowing the NSA to eavesdrop on us all, we’re not trading privacy for security. We’re giving up privacy without getting any security in return.
(Hat tip: Derek)