Wired has discussion and documentation of how the National Security Agency conducts Internet surveillance, according to former AT&T technician Mark Klein.
Keeping politicians' hands off the Net & everything else related to technology
The Department of Homeland Security’s Data Privacy and Integrity Advisory Committee will be considering a report on the use of RFID in identification documents at its meeting June 7th in San Francisco. A draft of the report has been posted with a request for comments.
The report has already generated a little attention. This Government Computer News story overstates the tone of the report, but it’s good.
From the DHS Privacy Committee Web site:
The Use of RFID for Human Identification (PDF, 15 pages–127 KB) The DHS Emerging Applications and Technology Subcommittee of the Privacy Advisory Committee is seeking comments on this draft report. This report will be considered by the full Committee during the June 7, 2006 public Advisory Committee meeting in San Francisco, CA. Please provide any comments in writing to privacycommittee@dhs.gov, by postal mail, or by fax by 12:00 p.m. EST on May 22, 2006. All Comments will be considered on an ongoing basis.
TechLawJournal has carefully parsed the statements issued by Verizon and BellSouth denying participation in the NSA spying program. I’ll quote TLJ liberally here, with permission.
Regarding the BellSouth statement, TLJ notes that it took three working days and two weekend days to prepare a three paragraph response. As to the substance:
BellSouth uses the phrases “customer calling information” and “customer calling records”. In contrast, the USA Today article uses the phrases “phone call records” and “domestic call records”. BellSouth associates the word “customer” with the word “record”. There is a difference between what USA Today wrote, and what BellSouth now denies.
BellSouth portrays the USA Today article as asserting that BellSouth provided customer identifying information combined with the customer’s call information. In fact, the USA Today article only asserts that BellSouth turned over call information. Moreover, the USA Today article points out the difference. It states that “Customers’ names, street addresses and other personal information are not being handed over as part of NSA’s domestic program”. The article added that “But the phone numbers the NSA collects can easily be cross-checked with other databases to obtain that information.”
Thus, the BellSouth statement denies something that USA Today did not assert, and leaves undenied that which USA Today did actually assert.
Of course, it is another question whether BellSouth, in writing its statement, understood there to be a difference between “customer calling records” and “phone call records”, and intended its statement to constitute a non-denial.
On Verizon’s May 16 statement:
Verizon’s six paragraph statement is longer than BellSouth’s, but employs the same approach. It restates the assertions of USA Today, with variations, and then denies its restatements.
Verizon uses the phrases “customers’ domestic calls”, “customer phone records”, and “customer records or call data”. Like BellSouth, it adds the word “customer”. USA Today wrote about “phone call records”, without the word “customer”.
Verizon does at one point deny that it provided “any call data”, but it then immediately follows this with the phrase “from those records”, which is a reference back to “customer phone records”. This leaves open the possibility that it provided “call data” that it retrieved from a database other than “customer phone records”.
This is helpful insight from a dogged, independent reporter. And subscription rates are not too expensive either.
Matthew Yglesias has a fantastic post about what’s wrong with data-mining programs like that apparently being deployed by the NSA:
The problem is that when you’re searching for a rare condition, like being a terrorist, even a very precise statistical tool is going to overwhelmingly give you false positives. Ordinarily, when people are doing statistical analyses they take 95 percent confidence to constitute a statistically meaningful result. But there are 200 million people in the NSA pool and only a handful of terrorists. How many? Let’s be generous and say there are 200 al-Qaeda sleeper agents in the USA. Then you apply a 95 percent accurate statistical filter to 200 million people. What you’re going to wind up with are 10 terrorists labeled non-terrorists, 190 terrorists labeled terrorists, and a whopping 10 million non-terrorists labeled terrorists. That’s a process that works. You’ve reduced the size of your search pool by an order of magnitude. The program “works.” But what does it really accomplish? In practice, nothing. The NSA can’t hand the FBI the names of 10 million Americans and ask them to investigate–that would be a silly waste of time. Now what you can do is that if in addition to your secret, illegal, oversight-free call records database you’re also running a secret, illegal, oversight-free wiretapping operation is start listening to the content of everyone in the 10 million group’s conversations. Obviously, the manpower’s not going to exist to actually listen to all that, but maybe you have another data-mining algorithm that can run on the content. Say this one is also 95 percent accurate. That means 10 more terrorists will get away. And 7.5 million innocent people will be off the hook. But you’re still left with a pool of 2.5 million innocent people and only 180 terrorists left under suspicion. What you would do with that information just isn’t clear to me. There’s still not enough manpower to do serious investigations into all those people. 
And it would be insanely abusive anyway to subject such a huge group to invasive investigations when over 99.9 percent of them are totally innocent. Trying to compile a list of “people with Arab-sounding names” would be about as effective as these two computer algorithms.
So you’re not likely to catch many terrorists with a program like that. What such a database would be useful for is harassment and blackmail. Want to know who’s been spilling White House gossip to the New York Times? All you need is the reporter’s phone number and you can dramatically narrow down the list of likely leakers. Want to find out if a political opponent has a mistress? Pull up a list of his phone calls over the previous 6 months and you’ll have a short list in a matter of minutes.
Matt concludes:
In a lot of ways, that’s the most troubling aspect of this. You have a program that would be much more effective for abusive uses than it would be for its ostensible purpose. The people ultimately in charge of the program have a well-earned reputation for dishonesty and a well-earned reputation for hardball politics. They’ve gone out of their way to make sure that the program operates in total secrecy and is subject to no meaningful oversight. Why on earth would you want a program like that?
Update: Obviously 5% of 10 million is 500,000, not 2.5 million. I don’t think that really affects his argument, though.
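The two-stage filtering arithmetic discussed above, carried through exactly as an added example (it is not part of the original post or of the quoted article). The function names are hypothetical, and the code assumes that each filter's hit rate on targets and its clearance rate on innocents both equal the stated accuracy, and that the two stages err independently.

```python
from fractions import Fraction

def cascade(targets, population, accuracies):
    """Run a pool through successive filters; return per-stage flagged counts.

    Assumption (not from the post): each filter's hit rate on targets and its
    correct-clearance rate on innocents both equal the stage accuracy, and
    the stages err independently of each other.
    """
    t, i = Fraction(targets), Fraction(population - targets)
    stages = []
    for acc in accuracies:
        t, i = t * acc, i * (1 - acc)   # true positives, false positives
        stages.append({"targets": t, "innocents": i, "precision": t / (t + i)})
    return stages

def accuracy_for_precision(targets, population, precision):
    """Smallest single-stage accuracy at which `precision` of flags are real.

    Solves a*T / (a*T + (1-a)*N) >= p for a, with N = population - targets.
    """
    n = population - targets
    return (precision * n) / (precision * n + (1 - precision) * targets)

# Figures used in the quoted post: 200 million people, 200 targets, 95% filters.
ACC = Fraction(95, 100)
STAGES = cascade(200, 200_000_000, [ACC, ACC])

if __name__ == "__main__":
    for n, s in enumerate(STAGES, 1):
        print(f"stage {n}: {float(s['targets']):,.1f} targets, "
              f"{float(s['innocents']):,.1f} innocents flagged, "
              f"precision {float(s['precision']):.4%}")
    need = accuracy_for_precision(200, 200_000_000, Fraction(1, 2))
    print(f"accuracy needed for half of flags to be real: {float(need):.6%}")
```

Under these assumptions the second stage leaves roughly 500,000 innocent people flagged, which matches the correction in the update, and a single filter would need 99.9999 percent accuracy before even half of the people it flags were real targets.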
Over at the Cato blog, Radley Balko reports that James Sensenbrenner has prepared legislation to require your ISP to maintain records of your online activities to assist law enforcement officials. For the children, of course:
In addition, Sensenbrenner’s legislation–expected to be announced as early as this week–also would create a federal felony targeted at bloggers, search engines, e-mail service providers and many other Web sites. It’s aimed at any site that might have “reason to believe” it facilitates access to child pornography–through hyperlinks or a discussion forum, for instance. Speaking to the National Center for Missing and Exploited Children last month, Gonzales warned of the dangers of pedophiles using the Internet anonymously and called for new laws from Congress. “At the most basic level, the Internet is used as a tool for sending and receiving large amounts of child pornography on a relatively anonymous basis,” Gonzales said.
I’ll just say I don’t think that sounds like a good idea.
First things first. For those interested in yelling at your Member of Congress, Privacilla.org has info and advice.
Now that I have a respite from my whirlwind NSA-spying media tour, I’m asking myself (and you): Who is to blame?
I’ve spent years arguing that market processes are the best way to get privacy on the terms consumers want it. And for all my troubles, I get this?! Businesses regularly share information with the government, even informally. A privacy outrage, no?
Well, let’s see. I think it is. But I’m not consumers. I’m just a consumer. The average consumer is a little more concerned with terrorism and proportionately more sanguine about privacy. That’s why a key to winning this privacy debate is getting the risk of terrorism in perspective.
My favorite article ever is John Mueller’s A False Sense of Insecurity? Read the whole thing. (If I wanted to read a whole thing, I wouldn’t be on a freakin’ blog right now.) How about this: If you are outraged by talk of ‘George Orwell’ and ‘privacy’ while there’s a war on, then shut up, sit down, and read the whole thing. ;-)
But back to some self-criticism. I am a proponent of the free market, but three out of four large telecommunications providers, in whose tender mercies I would place your privacy, sold us out. Time to commit seppuku? Begin my David-Brock-style conversion from libertarian to . . . not libertarian? Are the Communications Act, the Stored Communications Act, the Cable Act, and all kinds of other regulatory statutes with privacy mandates our saviours?
Not so fast, because comparisons are best made between comparables, not between real and ideal. It’s not like the phones only just started getting used for surveillance recently. The Nation reports this week that telephone and telegraph companies began assisting the NSA during the 1940s. When Ma Bell owed its existence to a government-enforced monopoly, was it in a position to bite the hand that feeds? No. Indeed, it probably let that hand go a lot of places that we would characterize as “inappropriate touching.”
So before anyone goes lambasting the private sector for this – and no one has, but it might be deserved – I wonder whether it is the decreasing control of telecommunications by government (combined with some significant overreach by the current Administration) that has brought the practice of mass surveillance to light.
Qwest, the one holdout against the NSA, recognized the privacy interests of its customers. The importance of privacy to many consumers may have moved Qwest from on-the-fence to refusing the NSA. Now, the seam that opened up between Qwest, the others, and the NSA is one into which cable telephony can move, for example. Their superior (statutory) protection for privacy is in the paper today. VoIP providers like Skype have a real opportunity to point out that communications on their services are encrypted end-to-end, making it difficult – though not impossible – to snoop on the content of calls.
I am not proud today of the telecommunications sector. And I hasten to remind people at a time like this that I am an advocate of markets, not businesses. I’m putting this post in the “When Capitalists Go Bad” category for a reason.
But – with the caveat that this thought deserves more thinking – I believe this failure of businesses to protect privacy is more a product of government arm-twisting and excess than the failure of markets to serve consumers’ demands for privacy which, as I said above, are unnecessarily diminished by the “War on Terror.”
Orin Kerr has a lengthy analysis of the latest NSA spying revelations. He concludes that it doesn’t violate the Fourth Amendment but likely runs afoul of several statutes. This paragraph didn’t strike me as being quite right:
The legality of the program under FISA is somewhat similar to the legality of the NSA program we learned about a few months ago. The key question is, did the monitoring constitute “electronic surveillance” under FISA, and if so, does the Authorization to Use Military Force allow it? Note that FISA’s definition of “electronic surveillance” goes beyond accessing only content information and extends to some non-content information. If the program did involve “electronic surveillance” under FISA, then we’re right back to the same question that has been raised about the legality of the known NSA domestic surveillance program. If that’s right, your views of the legality of the new NSA program will pretty much coincide with your views of the legality of the NSA program disclosed a few months ago.
It seems to me that one of the arguments frequently deployed by the president and his supporters is that the wiretapping program only targeted international calls. On this theory, FISA doesn’t apply at all because FISA only governs domestic surveillance. I don’t think I buy that argument, but I can easily see someone who does concluding that the wire-tapping program is legal, but this new program is not.
Remember how the administration said it was only monitoring international calls? Well, never mind. It turns out that the NSA is building a database of every phone call made in the United States:
The NSA program reaches into homes and businesses across the nation by amassing information about the calls of ordinary Americans–most of whom aren’t suspected of any crime. This program does not involve the NSA listening to or recording conversations. But the spy agency is using the data to analyze calling patterns in an effort to detect terrorist activity, sources said in separate interviews. “It’s the largest database ever assembled in the world,” said one person, who, like the others who agreed to talk about the NSA’s activities, declined to be identified by name or affiliation. The agency’s goal is “to create a database of every call ever made” within the nation’s borders, this person added.
Having the NSA know who I called is less creepy than having them all recorded. But it’s still creepy. And probably illegal.
Your Nanny State and your Big Brother are getting together for a drink – and the drink’s on Intelli-Check. Heineken USA has announced proudly that they are going to use Intelli-Check-equipped mobile scanners to verify the ages of drinkers at events where their products are sold.
Surely, this pleases and appeases groups like Mothers Against Drunk Drivers (but don’t hold your breath for these neo-prohibitionists to settle their war against drinking just because alcohol sellers are encouraging responsibility).
If MADD needed any encouragement to support automated age verification, they must have gotten it along with the corporate contribution that Intelli-Check sent along. Indeed, MADD and Intelli-Check are a team. The Intelli-Check Web site also touts the state laws that give affirmative defenses to merchants who use scanners to prove the age and identity of people purchasing alcohol and tobacco products.
So alcohol sellers are being corralled into electronic identity verification. Young drinkers are being corralled into it too, and being conditioned to carry and show identification as a matter of routine.
Thing is, this routine is the groundwork for the surveillance system that everyone should be concerned with. Particularly as identification is conducted by machine, the opportunities to record information about people expand.
Of course, Intelli-Check promotes limits on the use of data that is collected via their scanners but, just as surely, the scanners are technically capable of collecting all data on a card. It’s a simple matter of changing policy to convert the system from age verification to comprehensive surveillance.
Our identification and credentialing systems are designed for the benefit of institutions and not individuals. As I argue in my forthcoming book, these systems should share only the information necessary to complete transactions. Need proof of age? You should be able to provide proof of age, not ID.
The technology already exists. The Clear card proves to the Transportation Security Administration that people are approved to use Registered Traveler lines at the Orlando airport, but it doesn’t identify travelers to the TSA. If the feds can handle that in the national security context, your local ABC should be able to handle it for booze control.
Last week was the Cato debate between Cato scholars Roger Pilon and Bob Levy on the NSA surveillance issue. Like Richard Epstein and Mark Moller, my sympathies were with Bob Levy, who argued that the president can’t simply ignore FISA when he decides it interferes with his conduct of the war on terrorism.
I’m not really qualified to get into the constitutional questions, which Levy handled ably, but I did want to comment on Pilon’s substantive argument about why the program was necessary. He quoted two people to make his case. First, he quoted the following from a Wall Street Journal article by Judge Posner: