Wednesday, December 2, 2009

Data collection and retention policies of social networking sites

The Electronic Frontier Foundation (EFF), working with the Samuelson Law, Technology, and Public Policy Clinic at the University of California, Berkeley, School of Law (Samuelson Clinic), filed suit today against a half-dozen US government agencies for refusing to disclose their policies for using social networking sites for investigations, data-collection, and surveillance.

Recent news reports have publicized the government's use of social networking data as evidence in various investigations, and Congress is currently considering several pieces of legislation that may increase protections for consumers who use social-networking websites and other online tools. In response, the Samuelson Clinic made over a dozen Freedom of Information Act (FOIA) requests on behalf of EFF to the Central Intelligence Agency, the Department of Justice, the Department of Homeland Security, and other agencies, asking for information about how the government collects and uses this sensitive information. When several agencies did not respond to the FOIA requests, the Samuelson Clinic filed suit on behalf of EFF. The lawsuit demands immediate processing and release of all records concerning policies for the use of social networking sites in government investigations.

Interesting related reads:
* Myspace Law Enforcement Guide.

Because MySpace functions as both an “electronic communications” and “remote computing” service as defined under ECPA (Electronic Communications Privacy Act, 18 U.S.C. § 2701), ECPA mandates that MySpace disclose certain user information only in response to specific types of government process, including subpoenas, court orders, and search warrants. Generally speaking, ECPA permits the disclosure of basic user identity, log-in information, and stored files (photos, videos, blogs) in response to a subpoena, but requires a court order under § 2703(d) to disclose additional user records, or a search warrant to authorize disclosure of private user messages. The rules may also differ depending on whether law enforcement seeks stored, historical information, or to capture information prospectively. For example, if law enforcement seeks ongoing information about a user’s IP address each time they log in to their account, the law would require a pen register/trap and trace order.

MySpace permits users to exchange private mail messages with other MySpace members. These communications are sent from and held for users on MySpace servers. ECPA generally restricts disclosure of private user communications less than 180 days old except in response to a search warrant. 18 U.S.C. § 2703(a).

Under 18 U.S.C. §§ 2702(b)(8) and 2702(c)(4), MySpace is permitted to disclose information, including user identity, log-in, private messages and other information voluntarily to a federal, state, or local governmental entity when MySpace believes in good faith that an emergency involving danger of death or serious physical injury to any person requires such disclosure without delay.

Data retention
The basic identity information entered by a user in creating a profile, as well as data (blog entries, user profile information, etc.) and images contained in an account are maintained as long as the user has not removed or edited the content from the profile. Once a change is made by the user, the previously existing information is overwritten.

Private inbox messages -- Private messages are retained until the user removes them (MySpace cannot recover deleted messages).

Private sent messages -- 14 days

User identity and data in the user profile is generally available for up to ten days after account deletion. Other stored files, such as photos, may be lost at the time of account deletion.

No mail (inbox or sent mail) is available for deleted accounts.

MySpace will honor requests by law enforcement to preserve information in accordance with 18 U.S.C. § 2703(f). In response to such requests, MySpace will preserve the specific information identified in the request for 90 days, and for an additional 90 days if the law enforcement entity requests the original period be extended.


* Old Facebook Subpoena/Search Warrant Guidance. Less detailed than MySpace's.

Types of information available

The User Neoprint, which includes
• Profile Contact Information
• Mini-Feed
• Status Update History
• Shares
• Notes
• Gifts, Public and Private
• Wall Postings
• Messages
• Friend Listing, with Friends' Facebook IDs
• Groups Listing, with Facebook Group IDs

All user contact information input by the user and not subsequently deleted by the user is available, regardless of whether it is visible in their profile. This information may include the following:
• Name
• Birthdate
• Contact email addresses
• Address
• City
• State
• Zip
• Phone
• Cell
• Work phone
• Screen name (usually for AOL Messenger / iChat)
• Website

If a profile is changed or updated, deleted content is not retained, and cannot be produced. Any messages or wall postings deleted by the user are not retained and cannot be produced.

Where a group is known, we will provide a list of users currently registered in a group.

Tuesday, December 1, 2009

News: US SWIFT Access Granted

From the Lift: The EU has agreed a nine-month interim deal to allow the US non-reciprocal access to SWIFT banking data. Germany and Austria, reported as threatening a veto over the privacy implications of such a deal, abstained. A unanimous vote was required, with abstentions not counted as votes against. The agreement can be annulled in the spring, when the European Parliament will have to give its assent to the plan.

The Register quotes an EU official as saying that "The truth is that we in Europe don’t have the technical ability to interpret this stuff," and that this is the reason why "We rely on the Americans to process it and pass it on as intelligence." Many European intelligence agencies end up as beneficiaries of the arrangement, as they are not permitted by their home countries to gather such information themselves. In the event, delegates were apparently put under huge pressure from US representatives to pass the deal:

The pressure from the Americans was "massive," say diplomats in Brussels. U.S. Secretary of State Hillary Clinton apparently told her European counterparts that the fate of the West hung in the balance. And in the capital cities of Europe, American ambassadors stormed governments like door-to-door salespeople. As one EU foreign minister put it, "they pulled out all the moral and political stops."

Thursday, November 26, 2009

News: SWIFT Update

The Legalift reported last week that four countries remain opposed to the draft agreement granting US access to SWIFT banking transfer records. Germany's justice minister says that Berlin is uncomfortable with the plan, and France, Austria and Finland have also signalled discontent with the scheme.

The draft plan is significantly different from the resolution issued by the European Parliament on the issue. 'Terrorism' is left undefined, requirements for judicial oversight are nowhere to be seen and the restriction of access to the specific issue of 'terrorism financing' is loosened to "prevention, investigation, detection, or prosecution of terrorism or terrorist financing". Ralf Bendrath has a round up of all these issues and many more.

If a decision is not reached by November 30th, then, as the Lisbon Treaty kicks in on December the 1st, the European Parliament may have much more say in the process (and it is likely to take another 6 months). Germany and Austria are reported to be under pressure to drop their opposition.

News: IMP Still Budgeted for 2016 Release

After mention was left out of the Queen's Speech, there was a lot of speculation that, in response to political pressure, plans for the Interception Modernisation Programme to monitor all electronic communications had been abandoned.

The Register reveals that the £2Bn remains in the Home Office's financial plans, scheduled for completion in 2016.

News: Facial Recognition Technology to be used at Cardiff Airport

From the Register: Cardiff now joins Manchester Airport in allowing inbound passengers to have their passports checked automatically with facial recognition systems. The option is available for adults with chipped biometric passports, issued since 2006, which, amongst other information, have a picture of the holder encoded on them that can be compared to the subject checking through.

The article refers to the embarrassing revelations last year that facial recognition technology in use at Manchester Airport was unable to distinguish between pictures of Winona Ryder and Osama Bin Laden. This happened because the machines initially gave far too many false negatives (genuine passport holders rejected), and in response staff turned the matching threshold so low that they effectively 'switched them off': once almost any face passes, impostors pass too.
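As an added illustration of the trade-off behind that Manchester story (not code from the article or any vendor), the script below scores a constructed set of genuine and impostor passport comparisons at different match thresholds, then applies the "fix" the staff used: dropping the threshold until no genuine traveller is ever rejected. The score values and the threshold semantics are assumptions for the example.

```python
# Added example: how lowering a face-match threshold to remove false rejects
# turns the gate into a rubber stamp. All scores below are constructed.
from dataclasses import dataclass
from typing import Sequence

# Constructed 1:1 verification scores (assumption: higher = more alike, 0..1).
# GENUINE: passport-chip photo compared with its real holder at the gate.
GENUINE = [0.82, 0.77, 0.91, 0.65, 0.58, 0.88, 0.70, 0.61, 0.74, 0.27]  # 0.27: badly lit capture
# IMPOSTOR: passport-chip photo compared with a different person.
IMPOSTOR = [0.42, 0.35, 0.51, 0.28, 0.47, 0.33, 0.56, 0.39, 0.44, 0.30]


@dataclass(frozen=True)
class ErrorRates:
    threshold: float
    frr: float  # false reject rate: genuine holders sent for a manual check
    far: float  # false accept rate: impostors waved through


def error_rates(threshold: float,
                genuine: Sequence[float] = GENUINE,
                impostor: Sequence[float] = IMPOSTOR) -> ErrorRates:
    """Accept a comparison when its score is at or above the threshold."""
    rejected = sum(1 for s in genuine if s < threshold)
    accepted = sum(1 for s in impostor if s >= threshold)
    return ErrorRates(threshold, rejected / len(genuine), accepted / len(impostor))


def tune_away_false_rejects(genuine: Sequence[float] = GENUINE,
                            impostor: Sequence[float] = IMPOSTOR) -> ErrorRates:
    """Mimic the operator's fix: lower the threshold until no genuine
    traveller is rejected, and report what that does to impostors."""
    return error_rates(min(genuine), genuine, impostor)


def is_effectively_off(rates: ErrorRates) -> bool:
    """A gate that accepts every impostor in the sample is no longer a check."""
    return rates.far >= 1.0


def sweep(thresholds: Sequence[float]) -> list[ErrorRates]:
    """Error rates across a range of thresholds, to show the FRR/FAR trade-off."""
    return [error_rates(t) for t in thresholds]


if __name__ == "__main__":
    print("threshold  FRR   FAR")
    for r in sweep([0.7, 0.6, 0.5, 0.4, 0.3]):
        print(f"{r.threshold:>9.2f}  {r.frr:.2f}  {r.far:.2f}")
    tuned = tune_away_false_rejects()
    print(f"zero-FRR threshold {tuned.threshold:.2f} -> FAR {tuned.far:.2f}, "
          f"effectively off: {is_effectively_off(tuned)}")
```

The single poorly lit genuine capture (0.27) drags the zero-FRR threshold below every impostor score, so the operator-tuned gate accepts 100% of impostors; the defensive answer is to handle outliers with a manual fallback rather than by lowering the threshold.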

Wednesday, November 18, 2009

News: Biometrics to be Used to Identify 'Outsiders' in Afghanistan

From the Sunday Times: in Afghanistan, biometrics such as fingerprints, retina scans or DNA tests are being proposed as a means to draw up "gated communities" in which outsider 'rebels' can be swiftly identified. In Basra, patrolling US soldiers are being issued with iPods holding a list of all local people.

Brigadier James Cowan, the new commander of British forces in Afghanistan, gave an interview to the Sunday Times in which he emphasised the importance of reassuring the local population of UK and US ability to provide security.

For the brigadier it is all about challenging the Taliban’s rule of fear: “What you have to do is create communities where people wish to be separate from the enemy because they have the confidence to be separate from them.”

Cowan’s staff have embarked on a huge exercise known as “human terrain mapping”. It involves not only delineating tribal boundaries, but also family networks, land ownership and all the possible grievances that can be exploited by the Taliban.

News: UK T-Mobile Staff Sold Private Data

From BBC News: T-Mobile staff sold customer data on to other mobile phone companies to target people coming to the end of their contract with cold calls. Thousands of customers and millions of records were involved. The Information Commissioner has said he is preparing a prosecution.

News: Swiss take Google Street View to Court

From the Register: Swiss Federal Data Protection and Information Commissioner (FDPIC) Hans-Peter Thür is taking Google Street View to court, unsatisfied with the privacy-enhancing blurring Google have offered in the Street View images so far:

Thür's patience has now run out, and his office said in a statement: "In its written response on 14 October 2009, Google for the most part declined to comply with the requests. For these reasons, the FDPIC has decided to take the matter further and to take legal action before the Federal Administrative Court."

AFP notes that Google has insisted it's "absolutely convinced that Swiss View is legal in Switzerland."

News: New Datamining System to Detect 'Deviations' on the High Seas

From the Register: The US Navy is to use new computer monitoring software to detect 'deviations' in normal behaviour at sea. Dubbed 'PANDA' (Predictive Analysis for Naval Deployment Activities), the system will examine data on worldwide shipping movements for evidence of unusual and threatening behaviour:

The idea is that the Office of Naval Intelligence will deploy PANDA at its National Maritime Intelligence Centre in Maryland, where the new tech will be able to monitor tracking information covering much of the watery globe.

As well as information fed in by US warships, monitoring stations, patrol aircraft and so on, the US intelligence community is also known to make extensive use of radar spy satellites able to scan vast swathes of ocean from orbit and pick out any ships.

News: New Policy on UK DNA Retention

From the Guardian: Police have announced that they are to retain the DNA of those released without charge. Home Office Ministers say they want a 6 year limit (having previously sought a 12 year limit) for retaining profiles. Ministers are also advocating indefinite retention of those arrested on suspicion of terrorism or other national security provisions. Those convicted of any offence remain on the database for life. The Tories say they would implement the Scottish system whereby the profile of those unconvicted of any offence is destroyed on release from prison:

The national DNA database is already the largest in the world, with the profiles of 4.5 million people already recorded. They include 850,000 DNA profiles of people who have never been charged with or convicted of a crime. The need to find a new regime follows a landmark ruling in the S and Marper case by the European court of human rights, which ruled that the Home Office's current regime of "blanket and indefinite" retention of innocent people's DNA was illegal.

News: ICO to Fine Companies £500,000 For Serious Data Breaches

From Panopticon Blog: The Information Commissioner is to get powers to deliver civil penalty notices on a data controller for a serious contravention of the data protection principles if the contravention is:

1) Deliberate or reckless
2) Of a sort that is likely to cause substantial damage or distress

The post makes two criticisms: first, the proposed cap of £500,000, as large as it might seem, compares less favourably with other regulators' powers to fine up to 10% of an organisation's turnover. Second, as the government ultimately pays for many of the organisations in question, imposing large fines may have 'a slightly unreal quality to it'.

Comment: Murderer Requests Wikipedia Anonymity

Following up on the news that a convicted murderer wants Wikipedia to remove references to his crime: there's a controversy over what laws the various different versions of Wikipedia fall under, with a German privacy law coming into tension with the US right to free, truthful speech. I'm not interested in this legal question so much as I am in the more general question of what rights of privacy anyone ought to be entitled to from Wikipedia.

Some have pointed out that the identity of the actor's killer is a matter of public record, and so some might want to claim that placing this information on Wikipedia makes no difference to the individual's privacy. I find that unconvincing: clearly Wikipedia has more prominence than a court record. Where the issue is the criminal's ability to get on with day-to-day life, I'm sure the appearance of the information on Wikipedia makes a material difference.

Surely some information which is interesting and publicly verifiable ought not to appear on Wikipedia because of its intrusiveness. For example, I imagine the past romantic relationships of public figures could be established on at least some occasions, but unless it reveals something of legitimate interest to the public (such as a politician caught in a possible conflict of interest) such material should not be published. Likewise public figures' children, except where they are notable in their own right (as a child actor, say), should basically be left alone. (I assume this is the present policy - Obama's children do not have pages, despite the vast amount of press coverage of their first day of school, their new puppy etc.)

So where does this murderer fit in? As far as I have seen, nobody has argued for any legitimate public interest in the killer's identity - nothing hangs on who did it, it isn't necessary to any understanding of why the actor died, say. As such, I can't see any need for the information to appear in the article.

News: Murderer Requests Wikipedia Anonymity

From EFF: Lawyers Stopp and Stopp have sent a 'cease and desist' letter to the German and English language versions of Wikipedia requesting that the page about German actor Walter Sedlmayr remove all mention of their client's murder of him.

Under German law, as 15 years have elapsed, he has returned to having the status of any other private citizen and, it is argued, is entitled to anonymity in order to facilitate 'reintegration into society'.

Comment: What's Worse?

The discussion of the UK plans for the 'Big Brother Database' has me wondering: what's worse, centralised storage of this communications data, or forcing ISPs and mobile phone companies to hold on to the data for long periods of time?

Clearly this data is incredibly sensitive, and there are good reasons to want to restrict anyone's access to it. But, were such information to be stored, what would be worse? The idea of a centrally held database tends to make for bigger headlines, calling to mind, as it does, the vision of faceless government bureaucrats poring over our intimate secrets.

And the risk of government officials abusing such private information is indeed one of the reasons one would want to restrict access. But it's only one of the reasons. Surely another is the risk of any sort of public disclosure of this information. It is intrusive for anybody I haven't chosen to share it with to view information about who I telephone or what websites I visit. But this information tends to be of much more interest to our neighbours, friends and work colleagues and of virtually zero interest to government. In deciding which is worse, one of the matters I think we should consider is which arrangement makes it less likely for some data breach to result in unauthorised access to my data.

Some will point to the many cases where various levels of government have proven hopelessly careless with our information (to the point of accidentally releasing vetting records with details of debt, extra-marital affairs, drug use and use of prostitutes). But I don't think we can simplify this to a case of 'private sector good, public sector bad': some of the most notorious cases of releasing private information have been the fault of businesses. Just think of the AOL scandal, when records of people's searches were released, to remain posted on the internet to this very day. Private companies have a commercial interest in avoiding such scandals, to be sure, but is that any safer than trusting it to government?

Comment: UK Gov Plans Shelved

The shelving of plans for the Interception Modernisation Programme (IMP) has been reported in a number of different ways. According to the Independent this was effectively 'a cancellation of the Big Brother database' while the BBC reported that the UK surveillance plan was 'to go ahead'. In this confusion Slashdot resorted to the headline 'In the UK, Big Brother Recedes and Advances'.

I think the Register has this one right. The post makes three points:

1) Next year's general election (probably to take place in May) makes this a bad time to bring forward legislation that might provoke negative headlines. (Henry Porter has a nice point about the timing as well: with all the recent column inches covering the 20th anniversary of the Berlin Wall coming down, proposing big increases in surveillance invites comparisons with the Stasi all too easily.)

2) Internet service providers, whose cooperation is needed for the scheme, are currently resistant. Before proceeding, government has to convince them of its merits and feasibility.

3) The players who want this (GCHQ, SOCA, ACPO, the Security Service, the Child Exploitation and Online Protection Agency and the Met) are not going away anytime soon:

Note that GCHQ and friends will still be around after the next election, as will their demands for IMP.

Ever the political pragmatists, the Tories know this well, and the section of shadow justice minister Dominic Grieve's recent speech on reversing the rise of the surveillance state was notably soft on IMP.

He said a Conservative government would submit the proposals to the Information Commissioner's Office to assess their impact on privacy. The ICO has already said it believes the case for mass surveillance of the internet has not been made.

News: UK Gov Plans to Snoop on Internet and Mobile Use Shelved

From the Guardian: a previously mooted £2bn surveillance project for keeping tabs on all British citizens' email, internet use, mobile calls and texts is to be left out of the upcoming Queen's Speech, which lays out the legislative plans for the coming year:

The Home Office ditched plans earlier this year for a central database tracking all phone, text, email and internet use. Instead ministers want internet service providers and phone companies to store this data for access by police and security services. The data includes who contacts whom, when, where and how – but not the content of what was said or written.

The Home Office's published summary of the responses to its consultation shows that the internet and phone industry want assurances that they will be compensated for the costs involved, and also fear technical problems.

Monday, November 16, 2009

Inadequate Information Sharing Again Cited as Key Problem

In the recent Fort Hood shooting incident, inadequate information sharing is again being cited as a critical flaw in government strategies to prevent acts of violence. The gunman, Maj. Nidal Malik Hasan, had come onto the FBI’s radar screen when he established contact with a radical imam believed to have ties to al Qaeda. When Hasan later underwent an FBI background check in the process of purchasing the firearm, which authorities believe he later used to open fire on soldiers at the Fort Hood base, the fact that Hasan was purchasing a gun was not shared with the Joint Terrorism Task Force (led by the FBI). The FBI, meanwhile, has issued a statement that their investigation had concluded that Hasan “was not involved in terrorist activities or terrorist planning.” Additionally, at least one military investigator was involved in that investigation; however, the fact that Hasan was under investigation was not communicated generally to military officials (see this story from ABC). That kind of disclosure beyond the Task Force requires the authorization of the Task Force supervisor from the FBI (see FBI Statement).

Monday, November 9, 2009

News: Resolution on International Privacy Standards Adopted

A resolution for International Standards on the Protection of Personal Data and Privacy was adopted at the 31st International Conference of Data Protection and Privacy Commissioners. A copy of the Resolution is available in Spanish here.

Friday, November 6, 2009

News: UK Local Authority use of RIPA to be Restricted

From the Times: The Home Secretary Alan Johnson has announced curbs to the surveillance powers of local authorities. Computer Weekly summarises the important proposals as follows:

• raise the rank of the authorising officer to at least director level;

• give elected councillors a role in overseeing how local authorities use covert investigatory techniques;

• require voters' communications with MPs on constituency business to be treated as confidential information, and therefore subject to authorisation by a higher rank of officer;

• treat covert surveillance of legal consultations as "intrusive" rather than "directed" surveillance, meaning it can be carried out only by very few public authorities;

• clarify the test of necessity and proportionality so that powers will not be used to investigate dog fouling or people putting bins out a day early.

News: More than 1 in 10 in UK on DNA Database

From the Telegraph: English and Welsh police have taken DNA samples from more than 5,500,000 people. Combined with Scotland and Northern Ireland there are almost 6,000,000 people on what the Telegraph are reporting to be the largest DNA database in the world.

News: Companies Clumsily Disclosing your Info may be Forced to go Public

From The Register: The EC is considering passing new laws that would make it mandatory for organisations which accidentally lose personal data to inform the people concerned and relevant authorities:

Supporters of such schemes say that the fear of public recriminations for data loss will improve companies' performances, while opponents fear that if every breach is revealed the public will become desensitised to the issue of data loss.

News: Romanian Constitutional Court Strikes Down Data Retention Directive

From EDRI: The Romanian Constitutional Court (CCR) has declared the Data Retention Directive incompatible with the Romanian constitution. The case was initiated by a Romanian NGO, the Civil Society Commissariat, which sued its mobile phone company for retaining traffic data according to the new regulations, forcing a CCR ruling on the law's constitutionality:

CCR has accepted the motion on the law's unconstitutionality through decision 1258/2009, based on the breach of article 28 of the Romanian Constitution, which stipulates the secrecy of correspondence. Other articles invoked were articles 25, 26 and 30, which deal with freedom of movement, privacy and freedom of expression respectively.

Wednesday, November 4, 2009

Conference News: Madrid Global Privacy Conference & Declaration

I’ve just gotten back from a privacy conference in Madrid titled “Global Privacy Standards for a Global World” which was organized by The Public Voice. One highlight of the conference was the presentation of a Civil Society Declaration calling for the development of international privacy standards — and perhaps most controversially — a moratorium on “the development or implementation of new systems of mass surveillance, including facial recognition, whole body imaging, biometric identifiers, and embedded RFID tags, subject to a full and transparent evaluation by independent authorities and democratic debate." Numerous organizations and individuals have signed the statement (already dubbed “The Madrid Declaration”) and you can, too, by sending an e-mail to privacyATDatos-personalesDOTorg.

Another highlight was an emphatic speech by Stavros Lambrinidis, Vice President of the EU Parliament, declaring that the growing scope of surveillance within the western world is incompatible with democratic society and urging everyone not to simply allow the expanding creep of the level of surveillance to continue unchecked. There is a danger that the ultimate surveillance society will not emerge under a totalitarian regime, he claimed, but rather with citizens’ unreflected “consent.” You can have a look at what else was discussed by calling up the conference agenda here.

One special guest not listed on the program was a representative of Un barrio feliz – a grass-roots movement which has sprung up in opposition to plans to install a system of video surveillance cameras in Madrid’s Lavapiés district. You can view the movement’s blog in Spanish here. One major complaint was that the police have not been forthcoming concerning the plan and the underlying reasons for it. We heard that the local police have cited different grounds for installing camera systems in other neighborhoods (in one case – pick-pocketing, in another – prostitution), and that cameras were needed in Lavapiés because unsavory characters inhabited or frequented the area. The speaker from Un barrio feliz, however, reported that crime statistics indicate that criminal incidents have been decreasing in Lavapiés, making the police’s explanation all the more baffling. Lambrinidis picked up on these examples in his speech to question whether many of the methods of surveillance that have been proposed or implemented could be deemed necessary, proportional, and appropriate in a legal sense.

Friday, October 30, 2009

Comment: This Week on 'the Surveillance State'

There was a really interesting discussion of the DNA Database and the prospect of the 'Surveillance State' on UK politics show This Week last night. The show's hosts include MPs Diane Abbott (Labour) and Michael Portillo (Conservative).

Nobody wanted to defend the increased use of surveillance, and the (to my mind crucial) issue of the chilling effect on civic engagement got an airing, but what I found really interesting was the analysis of politicians' (lack of) role in this process. In particular, Abbott focused on the fact that very few of the measures discussed have actually had a chance to be debated by the legislature, while recent ministers in the executive see their role as arguing for government policy rather than running their government departments, leaving career civil servants a lot of influence over day-to-day governance.

Portillo makes another interesting claim: politicians tend to be risk averse, and thus much of what looks like an aggressive pursuit of 'a surveillance state' is rather politicians wishing to avoid any possibility of criticism or sense of liability for occasions where a criminal can't be caught who might have been with the help of CCTV, or the DNA database, say. It is because the argument against increases in surveillance is more difficult to make that Britain has drifted in this direction, rather than because this necessarily reflects the politicians' assessments of the principles involved.

Wednesday, October 28, 2009

Dutch Police Don't Know How to Delete Intercepted Calls

From Slashdot:

"The law in the Netherlands says that intercepted phone calls between attorneys and their clients must be destroyed. But the Dutch government has been keeping under wraps for years that no one has the foggiest clue how to delete them (Google translation). Now, an email (PDF) from the National Police Services Agency (KLPD) has surfaced, revealing that the working of the technology in question is a NetApp trade secret. The Dutch police are now trying to get their Israeli supplier Verint to tell them how to delete tapped calls and comply with the law. Meanwhile, attorneys in the Netherlands remain afraid to use their phones."

News: New Kind of Body Scanner Researched

From CNN: Homeland Security in the US is funding research for a new kind of body scanner. Named 'Future Attribute Screening Technology', or FAST, the scanners would, instead of directly detecting criminal activity, measure 'natural signals from the body' - things like heart rate, breathing, body temperature and fidgeting - to determine whether the subject was suspiciously nervous, say. The project has come in for some criticism:

Civil liberties groups maintain this screening technology is an invasion of privacy.

"Nobody has the right to look at my intimate bodily functions, my breathing, my perspiration rate, my heart rate, from afar," said Joe Stanley of the ACLU.

How to Use Surveillance

Via privacydigest.com - there's an interesting National Public Radio story on the investigation that has led to terrorism charges against Najibullah Zazi, a Denver area shuttle bus driver. It's being claimed that this is a textbook case for showing how surveillance techniques are used in successful cases:

Officials say FBI agents in Denver and New York had been tracking Zazi for some time — and experts analyzing the case say the way law enforcement gathered evidence against Zazi and possible co-conspirators may be a textbook case of how to conduct a terrorism investigation. The FBI used a blend of wiretaps and subpoenas, search warrants and local police, among other things, to build its case.

"I think what's striking about the Zazi case is not so much that new tools were being used, but that old tools were being used in a comprehensive fashion," says Sam Rascoff, who used to work terrorism cases for the New York Police Department's intelligence unit. "And that they were being stitched together in a thoughtful, strategic way, so that one tool naturally gave way to another."

Monday, October 19, 2009

News: More on facial recognition technology

According to a report from USA Today, the FBI has begun trials of facial recognition technology in North Carolina. Reportedly, the trials helped to identify a suspect in a double homicide who had seemingly relocated to North Carolina from California and assumed a false name. FBI officers took a photo from the suspect’s California driver’s license and ran it against the photos contained in North Carolina’s Department of Motor Vehicles database. From “dozens” of potential matches, an FBI investigator zeroed in on one particular individual. That individual has now been placed under arrest. Marc Rotenberg of EPIC, however, questioned how effective the use of such technologies will be in counter-terrorist efforts, since good photos of terrorists will rarely be available in DMV databases or elsewhere.

Wednesday, October 14, 2009

Comment: 'Naked' Scanners on Trial

There's a good post at SpyBlog on the news of Manchester Airport's trial of Rapiscan's 'Naked' Body Scanners. The post makes a number of claims:
  • There's no 'safe' amount of ionising radiation.
  • The fact that the 'viewer' is hidden in another room, a measure designed to make the process less invasive, raises some new problems. If you can't see them, for one thing there's no way the public can know whether they're being 'examined' by a man or a woman: for some people that is going to be a big deal, and may be particularly problematic for certain cultural or religious minorities.
  • Defenders say no copies can be made of the 'naked' images (this has been repeated in a series of articles that have then illustrated the story with a digital camera screen grab). The system runs on a computer, so it seems inescapable that anyone with maintenance access has access to the images. Also, if the viewers are going to be in a separate room, how are they going to be prevented from taking pictures with a camera or mobile phone? Further surveillance, perhaps with CCTV cameras? I think setting up a system which is sufficiently thorough to rule out this sort of abuse without itself transmitting a further copy of the scanned passenger's picture is going to be difficult.
  • The use of these machines on children may actually be a violation of the 'draconian, inflexible and often bureaucratically misinterpreted Protection of Children Act 1978'. I don't know whether this interpretation of the law is correct (the wikipedia article linked to lists 'prevention, detection or investigation of crime' as a legitimate defence). Regardless, it is striking that the law should be so intensely relaxed about children's naked bodies being on display as soon as the word 'security' is mentioned.

News: 'Naked' Scanners Now on Trial at UK Airport

From BBC news: Rapiscan Body Scanners are under trial at Manchester Airport. The scanners reveal clear images of any concealed weapons or explosives. However they also reveal clear images of the naked body - and any surgery, piercings or disabilities the person being scanned might have.

Manchester Airport have defended the trial, pointing out that the images are viewed in a different room from where the scanning takes place, breaking the link between the 'naked picture' and the person in question. They also point out that the pictures will not be stored.

Sarah Barrett, head of customer experience at the airport, said most passengers did not like the traditional "pat down" search.

At Manchester Airport's Terminal 2, where the machine has been introduced, passengers will no longer have to remove their coats, shoes and belts as they go through security checks.

Ms Barrett said: "This scanner completely takes away the hassle of needing to undress."

Monday, October 12, 2009

News: Targeted Billboard Ads Using DVLA Data

From Spyblog: The Mail reports that Castrol, the motor oil company, has been conducting an innovative advertising campaign - they were using giant billboards to display targeted messages directing a particular vehicle to use specified fuel. A typical message you can see in the article reads ' 1 DF L The right oil for your car is: Castrol Magnatec 5W-30 A1'.

The campaign was making novel use of Automatic Number Plate Recognition technology, but the big question is how Castrol has come by the data about the drivers held by Driver and Vehicle Licensing Agency. The DVLA sells the data it holds on 34,000,000 drivers to a number of organisations. The article reports that sources admit that in this case the data was passed on from one of these to a third-party contractor who then themselves sold it in contravention of the ban on using registration numbers for marketing purposes:

Liberal Democrat transport spokesman Norman Baker said: ‘This completely inappropriate and unacceptable behaviour by the DVLA shows how cavalier it is with motorists’ information.
‘They don’t even check what the end use is. It seems all you have to do is ask and the DVLA will give, no matter who you are and for what purpose. It’s outrageous this was allowed to happen.’
The row is a fresh embarrassment for the DVLA and raises new questions about how highly sensitive drivers’ information is handled by the agency.
The Mail on Sunday has previously revealed that the agency was selling motorists’ names and home addresses to convicted criminals. In the past five years the DVLA has earned £15million from selling the names and addresses of more than six million motorists.

Wednesday, October 7, 2009

Comment: Lies and Faces

The ABA Journal has published an interesting article on ongoing efforts to develop a better lie detector. Particular focus is placed on the use of various technologies such as EEGs and MRI to obtain a picture of brain activity. But the article also discusses the use of technology to examine eye movement and detect minute changes in facial expression. A number of critics have questioned the reliability of such methods. Given that the article appears in a publication of a lawyers’ professional association, it is not surprising that it places particular emphasis on the potential use of these technologies to develop evidence to be used in criminal prosecution. But are there other ways that these methods might be implemented in the counter-terrorist context? Many of us have been put through little interview sessions at the airport during “heightened threat levels” before being permitted to board a flight. The idea behind these interviews is that the observation of our behavior when answering these questions, as well as the actual content of the answers themselves, might give us away if we have anything sinister planned. Immigration officials also generally ask us some questions before allowing us to enter a different country – although these interviews have a broader purpose than merely trying to ferret out terrorists. Might some government decide these interviews could be made more effective if we were having our brain activity, eye or facial movements scanned while they were being carried out?

On the subject of facial recognition technology, this area seems to be getting more and more attention, particularly in the security sector. There’s been a project at the University of Zurich which examined facial expression and emotion as well as their relevance for facial recognition technology. In order to be effective, this kind of technology will have to match faces that change in all manner of ways in the course of everyday human activity to static ID-photos that have been recorded in a database.

There’s also been a thread of research that has aimed at developing technology that can detect "abnormal behavior" or emerging dangerous situations - see for instance John's earlier post on INDECT. I can see how these two threads could merge where facial recognition technology would be used not only for identification but also in threat detection: i.e., the attribution of certain emotions to facial images could be used to determine whether dangerous or abnormal behavior is present.

Thursday, October 1, 2009

News: Zurich Police Regulations Regarding Surveillance Ruled Unconstitutional

The Swiss Federal Court has ruled that certain amendments to Zurich cantonal police regulations that pertain to surveillance are unconstitutional. According to a story in the Neue Zürcher Zeitung, provisions concerning both the scope of surveillance and the duration for which surveillance footage might be preserved were among those which the court deemed to be in violation of constitutional protections. The court found that the amendments would permit both plain and covert surveillance throughout all public spaces within the Canton and that this lack of constraint represented an impermissible encroachment upon the freedom and private sphere of citizens. Another provision would have permitted film footage from surveillance activities to be preserved for up to a year or until related investigations had been concluded. According to the NZZ, the court held that the maximum period for preservation of such records is 100 days, thus agreeing with a decision which had been reached two years earlier in a case from the Canton of St. Gallen.

Monday, September 28, 2009

News: Swiss Federal Roads Office considers introducing GPS surveillance for speeders

According to an article in Der Bund, the Federal Roads Office has supported a suggestion to force known speeders to have a GPS device installed in their cars that would allow federal authorities to detect whether the driver violates speed limits. The measure would be a condition for the reinstatement of a driver's license which had previously been revoked for excessive speeding.

Friday, September 25, 2009

Update: Border Laptop Searches

From Privacy.org: I previously reported on searches of laptops at US borders. Now the Department of Homeland Security has published a Privacy Impact Assessment declaring that laptops are equivalent to briefcases and backpacks and that it has authority to seize the devices and copy stored data whether or not wrongdoing is suspected.

News: Programme Can Reveal the Sexual Orientation of Social Network Users

From Privacy.org: Two students at MIT have developed a program, nicknamed project Gaydar, which will predict sexual orientation on the basis of whom the individual 'friends' on social networking sites:

“Even if you don’t affirmatively post revealing information, simply publishing your friends’ list may reveal sensitive information about you, or it may lead people to make assumptions about you that are incorrect,” said Kevin Bankston, senior staff attorney for the Electronic Frontier Foundation, a nonprofit digital rights organization in San Francisco. “Certainly if most or many of your friends are of a particular religious or political or sexual category, others may conclude you are part of the same category - even if you haven’t said so yourself.”

Thursday, September 24, 2009

News: UK Environment Agency's use of RIPA Slammed

The Daily Telegraph reports that government officials investigating 'illegal disposal of waste' improperly tracked cars and trespassed on private property under Home Office advice. The Office of Surveillance Commissioners found evidence of the breaches last year, but the tactics continued to be used until the Environment Agency recently announced a suspension of their use 'pending a legal judgement':

Reports from recent inspections show that “fundamental flaws” were discovered in some of its operations. The surveillance commissioner has also repeatedly raised concerns over the proportionality of the Environment Agency’s operations.
The reports – marked “restricted” - show that in 2007 the Home Office advised officials that “affixing a magnetic device to a vehicle on the public highway” was “not a criminal offence” and “putting an arm into a wheel arch or under the frame of a vehicle is straining the concept of trespass.”


The Environment Agency continues to trial a network of informants and intends to construct 'a national spy network', the Commissioner reported.

EU Funding New Database to be used to Identify 'Abnormal Behaviour'

From the Daily Telegraph: the EU is funding a 5 year project entitled INDECT (Intelligent information system supporting observation, searching and detection for security of citizens in urban environment) which aims 'to develop computer programmes which act as "agents" to monitor and process information from web sites, discussion forums, file servers, peer-to-peer networks and even individual computers' in order to identify so called 'abnormal' behaviour.

A number of interest groups have criticised the program:


Stephen Booth, an Open Europe analyst who has helped compile a dossier on the European justice agenda, said these developments and projects such as Indect sounded "Orwellian" and raised serious questions about individual liberty.
"This is all pretty scary stuff in my book. These projects would involve a huge invasion of privacy and citizens need to ask themselves whether the EU should be spending their taxes on them," he said. "The EU lacks sufficient checks and balances and there is no evidence that anyone has ever asked 'is this actually in the best interests of our citizens?'"

[Liberty's Shami Chakrabarti commented] "Profiling whole populations instead of monitoring individual suspects is a sinister step in any society. It's dangerous enough at national level, but on a Europe-wide scale the idea becomes positively chilling."

News: EP Resolution on US SWIFT Access

From EDRI: I previously reported the concerns about the US access to European banking data. Now the European Parliament have passed a resolution insisting on the need for a new agreement:


The EP believes that the transfer requests should be "based on specific, targeted cases, limited in time and subject to judicial authorisation, and that any subsequent processing is limited to data which disclose a link with persons or organisations under examination in the US" and that "EU citizens and enterprises are granted the same defence rights and procedural guarantees and the same right of access to justice as exist in the EU and that the legality and proportionality of the transfer requests are open to judicial review in the US". In order to prevent any abuse, the transferred data should be "subject to the same judicial redress mechanisms as would apply to data held within the EU, including compensation in the event of unlawful processing of personal data." The resolution also asks for a reciprocity mechanism that would oblige the US authorities to equally transfer relevant financial data to the competent EU authorities, upon request.

News: UK ID Card Design and New ID Commissioner Unveiled

We can now see what UK ID cards will look like. There is an interesting post at Spy Blog asking some important questions:

Will the ID Card number be randomly allocated, or will it betray information about the ID Card controllee, through batch sequences, which can also help to break the cryptographic protections on the Contactless / RFID chip, just as happened with the Netherlands biometric passport?

The post at Spy Blog also criticises the limitations of the powers of the new ID Commissioner, Sir Joseph Pilling:

The National Identity Scheme Commissioner is specifically forbidden by the terms of reference which appoint him under the Identity Cards Act 2006 section 22 (Appointment of National Identity Scheme Commissioner) to look into the following activities, which are exactly the secret activities which are the most likely to abuse the National Identity Register, and which therefore should be scrutinised the most:


(4) The matters to be kept under review by the Commissioner do not include--
(a) the exercise of powers which under this Act are exercisable by statutory instrument or by statutory rule for the purposes of the Statutory Rules (Northern Ireland) Order 1979 (S.I. 1979/1573 (N.I. 12));
(b) appeals against civil penalties;
(c) the operation of so much of this Act or of any subordinate legislation as imposes or relates to criminal offences;
(d) the provision of information to the Director-General of the Security Service, the Chief of the Secret Intelligence Service or the Director of the Government Communications Headquarters;
(e) the provision to another member of the intelligence services, in accordance with regulations under section 21(5), of information that may be provided to that Director-General, Chief or Director;
(f) the exercise by the Secretary of State of his powers under section 38; or
(g) arrangements made for the purposes of anything mentioned in paragraphs (a) to (f).

News: Insurers Offering Discounts to Put Cameras in Cars

From Slashdot: A car insurer is offering discounts to teen drivers who participate in the Teen Safe Driver scheme, whereby a camera is fixed under the rear view mirror. The recordings are sent to a third party for analysis, which then provides parents with footage and an assessment of how safely the teen is driving. Teen Safe maintain the footage would never be shared with insurers.

News: Newly Obtained Declassified Documents Reveal More Details about FBI's NSAC

Wired has run a story on the FBI’s National Security Branch Analysis Center (NSAC) based on newly obtained declassified documents. The Center makes use of a database system that includes “tens of thousands of records from private corporate databases, including car-rental companies, large hotel chains and at least one national department store.” The author of the article speculates that a number of businesses may be voluntarily providing records on specifically named individuals at the FBI’s request – as was the case with JetBlue and passenger records. The database system is being used both for counter-terrorist efforts as well as other criminal investigations. Among the things the system currently contains according to Wired:
  • International travel records of citizens and foreigners
  • Financial forms filed with the Treasury by banks and casinos
  • 55,000 entries on customers of Wyndham Worldwide, which includes Ramada Inn, Days Inn, Super 8, Howard Johnson and Hawthorn Suites
  • 730 records from rental-car company Avis
  • 165 credit card transaction histories from Sears
  • Nearly 200 million records transferred from private data brokers such as Accurint, Acxiom and Choicepoint
  • A reverse White Pages with 696 million names and addresses tied to U.S. phone numbers
  • Log data on all calls made by federal prison inmates
  • A list of all active pilots
  • 500,000 names of suspected terrorists from the Unified Terrorist Watch List
  • Nearly 3 million records on people cleared to drive hazardous materials on the nation’s highways
  • Telephone records and wiretapped conversations captured by FBI investigations
  • 17,000 traveler itineraries from the Airlines Reporting Corporation

Wired reports that the database system is being used in conjunction with a meta-search engine and link and pattern analysis software.

Friday, September 11, 2009

News: EC Proposes Police Access to Asylum Fingerprint Database

The Eurodac Database, which holds fingerprints for asylum seekers and other irregular border crossers, can currently only be accessed by national authorities dealing with asylum requests. Under the proposed legislation, however, Europol and national police services would gain access for fighting serious crime and terrorism. Human Rights groups have criticised the proposals:

The European Council on Refugees and Exiles (ECRE) has said the move could potentially put asylum-seekers in danger, since Europol has the right to exchange data with other EU bodies and with non-EU countries. “How would it be ensured that information about people fleeing persecution doesn't reach their persecutors?”, Bjarte Vandvik, the ECRE's secretary-general, has said.

Comment: Henry Porter on DNA and Certainty

Henry Porter at the Guardian reports on new research showing that DNA samples can be fabricated. He argues that this severely undermines the argument for mass databases containing everybody's DNA:

Police officers in the past have been tempted to "fit up" those they believe guilty of a crime. It is easy to imagine how DNA might, in the future, be manufactured to gain a rock solid conviction against a person who was proving inconvenient to the authorities. We may choose to doubt that this will ever happen but legislators must allow for the possibility. Whatever the advances we celebrate today the actual anniversary of Jeffreys' discovery – it is vital to absorb that DNA evidence is not foolproof.

George Bush Airport Testing New Body Scanners

From privacy.org: George Bush Airport Houston has started testing Millimetre Wave and Backscatter Body Scanners.

Both technologies provide clear images of the subject's naked body.

Comment: Brown on the Wilson Doctrine

Spyblog has a very interesting comment on Brown's response to a written question by David Davis as to whether any MP has been subject to official surveillance or interception of communications in the last two years. Brown replies as follows: 'The Wilson doctrine continues to apply to all forms of surveillance and interception that are subject to authorisation by Secretary of State warrant.'

The author calls attention to the careful wording: 'all forms of surveillance and interception that are subject to authorisation by Secretary of State warrant' would appear to apply only to:

  1. Interception of Communications (electronic or postal) under the Regulation of Investigatory Powers Act 2000 Part 1 Chapter 1, which requires a Warrant or a Certificate signed by a Secretary of State (either the Home Secretary or the Foreign Secretary, usually)
  2. A property interference and / or interference with wireless telegraphy warrant under the Intelligence Services Act 1994 sections 5 to 7

But leave out:

  • GCHQ or any other public body authorised to intercept electronic communications, not via a Warrant but via a more general Certificate (e.g. for snooping, in bulk, on transatlantic fibre optic cables or satellite communications)
  • Police units using the Police Act 1997 Part III powers
    • Property Interference, i.e. authorised breaking and entering into homes or vehicles, usually to plant electronic bugging or tracking devices.
  • Police or intelligence agency units using the rest of the Regulation of Investigatory Powers Act 2000 for the various kinds of Surveillance:
    • Directed Surveillance
    • Covert Surveillance
    • Intrusive Surveillance
    • The use of Covert Human Intelligence Sources (CHIS) - informants and infiltrators
    • Seizure of cryptographic keys and / or de-crypted plaintext.
    • Communications Data:
      • Subscriber Details - Name and Address of land line or registered mobile phones
      • Location Based Services Data (instantaneous and historical tracking of mobile phone handsets)
      • Communications Traffic Data (itemised phone bills, who called who and when "friendship trees", email server logfiles, internet access log files etc.)
  • The Police or Military covert surveillance units (but not the Intelligence Agencies, without a Warrant) could also use the Counter Terrorism Act 2008 section 18 Material not subject to existing statutory restrictions:
    • DNA or fingerprint samples obtained in secret, through Property Interference or by Confidential Human Intelligence Sources

There are "official surveillance" techniques and Databases which are not covered by RIPA, e.g.

  • Automatic Number Plate Recognition (the Metropolitan Police have access to all of the Transport for London Congestion Charge ANPR data "in bulk, in real time", exempt from the Data Protection Act).
  • Passenger Name Records, credit card and email details data slurped from Airline, Train and Ferry Booking Systems
  • Transport for London Oyster Travel Smart Card data
  • The planned National Identity Register / ID Card scheme
  • Literally millions of CCTV surveillance cameras and recording devices
  • There are also other Government Departments which have granted themselves snooping powers, which fall outside of the RIPA or Intelligence Services legal frameworks:

News: ACPO Publish Policy Advice on the Use of ANPR

From Spyblog: The Association of Chief Police Officers has published its 'Practice Advice on the Management and Use of Automatic Number Plate Recognition'.

The post calls attention to the potential for the guidelines to result in 'false positives' and innocent people being flagged up for stop and search. Also, some categories for 'flagging' vehicles do not seem to be indicative in any way of involvement in criminality, such as 'Protest' - presumably flagging the driver as involved in protests. The full pdf can be found here

News: FOI Request Reveals DHS Travel Records

From Slashdot: A US citizen's FOI request has revealed what information the DHS is storing on travellers. The info listed includes:

  • Credit card number and expiration (really)
  • IP address used to make web travel reservations
  • Hotel information and itinerary
  • Full Name, birth date and passport number
  • Full airline itinerary, including flight numbers and seat numbers
  • Cruise ship itinerary
  • Phone numbers, incl. business, home & cell
  • Every frequent flyer and hotel number associated with the subject, even ones not used for the specific reservation

News: Italy to Create National DNA Database

EDRI reports that after a long process the Italian Parliament has passed law 85 ratifying the Prüm Convention and creating the legal basis for an Italian National DNA Database. EDRI is scathing, however, about the lack of safeguards built into the legislation. Particularly of note:
  • "Lacks any general provision that would oblige all the responsible parties to adopt serious and adequate security measures against unauthorized access, data tampering, and illegal handling of data and information."
  • It says "nothing about the need for a properly established chain of custody...[making it]...impossible for a "planted" or "altered" sample to be used."
  • Nothing is said "about the effect of an improperly managed chain of custody on admissibility of the samples as evidence in Court"
  • "Law enforcement officers can access the NDNA database without prior authorisation from the prosecutor or the judge that is responsible for the investigation involving the sample or profile in question (under Italian law, law enforcement bodies are under the direction and control of the public prosecutor). Since the article is silent about the matter, only future court decisions will determine whether prior authorization is needed to access the NDNA database, thus leaving wide open a window of several years in which "anything can happen".
  • Requires "neither the positive identification of the personnel accessing the NDNA database and material in the central lab, nor the secure logging of access to and activity involving the profile and sample."
  • Does not "clearly identify who is in charge of ordering the destruction of samples and profiles."
  • Punishment for a public officer "that communicates or uses data and information without authorization, or for purposes other than those stipulated specifically in the law" is negligible: "a jail term of between one and three years...[which in practice could be reduced to]... "a final jail term of less than six months that could be avoided by simply paying a fine."
  • By leaving white collar crime profiles out, the legislation opens the door to the database skewing, say, the racial balance of future crime statistics.

News: More Complaints About Google Street View

EDRI: Complaints against Google in France and Switzerland. The French Data Protection Agency (CNIL) has reported several complaints against Google Street View, citing flaws and delays in the blurring technology leaving some people's images untouched, and calling for other sensitive visible information - such as access to people's homes - to also be blurred. Google had earlier agreed to improvements and deletion of some raw images before the EC's Article 29 Working Party.

Meanwhile in Switzerland the country's Data Protection Commissioner has called for the interruption of Street View less than a week after it went live, demanding that the blurring technology be improved. Google has agreed to this demand, but that has not reassured everyone in the debate:

Sébastien Fanti, a lawyer specialised in Internet issues, warns that all the data gathered by Google is available to US authorities, as according to the USA Patriot Act any US government agency has access to data collected anywhere in the world by US firms, even without a court order. "If the CIA asks to see what was going on in Zurich this spring, Google isn't going to provide blurred images," says Fanti.

Google's Switzerland spokesman Matthias Meyer admitted that the company is collaborating with authorities but stated that "What we are putting on line are photos of the past. Once they've been taken they don't change, nothing is shown in real time."

News: Belgian Justice Minister Wants 2 Year Retention of Data

EDRI: In Belgium, discussions on implementing the EU's controversial Data Retention Directive have sparked the proposal to retain electronic communication traffic data for 2 years, citing the needs of the police and the prosecutor's office. That figure has been disputed by the Belgian ISP association, who express concern about costs to customers, and by the Belgian Data Protection Authority.

Comment: Locational Privacy

From the Electronic Frontier Foundation: There's a New York Times piece on the way that in the space of a few years, locational privacy has gone from near absolute to practically zero, as a side effect of new convenient technology:

What can be done? As much as possible, location-specific information should not be collected in the first place, or not in personally identifiable form. There are many ways, as the Electronic Frontier Foundation notes, to use cryptography and anonymization to protect locational privacy. To tell you about nearby coffee shops, a cellphone application needs to know where you are. It does not need to know who you are.

When locational information is collected, people should be given advance notice and a chance to opt out. Data should be erased as soon as its main purpose is met. After you pay your E-ZPass bill, there is no reason for the government to keep records of your travel.
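The two principles quoted above (collect location without identity; erase travel records once their purpose is served) as an added, constructed illustration that is not code from EFF, the NYT or any toll operator: the shop directory, toll plazas and account names are made up, and the grid-cell and ledger design are assumptions of this example.

```python
"""Location data minimisation along the lines the EFF/NYT piece recommends.

Constructed illustration (not EFF's, the NYT's or any real operator's code):
  * a nearby-shop lookup that takes a coarse location cell and no identity;
  * an E-ZPass-style toll ledger that keeps where/when a car crossed only
    until the charge is paid, with a retention backstop for unpaid charges.
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Grid cells of 0.01 degrees (roughly 1 km north-south) are enough to list
# nearby shops; the service never sees the exact coordinate or who is asking.
CELL_DEG = 0.01

# Constructed sample shop directory: name -> (lat, lon).
SHOPS: Dict[str, Tuple[float, float]] = {
    "Cafe A": (40.7131, -74.0058),
    "Cafe B": (40.7305, -73.9895),
}


def coarse_cell(lat: float, lon: float) -> Tuple[int, int]:
    """Truncate a coordinate to its grid cell; this is all the client should send."""
    return (math.floor(lat / CELL_DEG), math.floor(lon / CELL_DEG))


def nearby_shops(cell: Tuple[int, int],
                 shops: Dict[str, Tuple[float, float]] = SHOPS) -> List[str]:
    """Answer 'coffee shops near me' from a cell alone: no user id, no exact fix."""
    return sorted(name for name, (lat, lon) in shops.items()
                  if coarse_cell(lat, lon) == cell)


@dataclass
class TollRecord:
    account: str
    amount_cents: int
    plaza: Optional[str]      # where the crossing happened; cleared once paid
    at: Optional[datetime]    # when it happened; cleared once paid
    settled: bool = False


class TollLedger:
    """Where/when are kept only to raise the charge; the amount stays for accounting."""

    def __init__(self) -> None:
        self.records: List[TollRecord] = []

    def record_crossing(self, account: str, plaza: str, at: datetime,
                        amount_cents: int) -> None:
        self.records.append(TollRecord(account, amount_cents, plaza, at))

    def balance_due(self, account: str) -> int:
        return sum(r.amount_cents for r in self.records
                   if r.account == account and not r.settled)

    def settle(self, account: str) -> int:
        """Mark the account's charges paid and strip travel details in the same step."""
        paid = 0
        for r in self.records:
            if r.account == account and not r.settled:
                r.settled = True
                r.plaza, r.at = None, None
                paid += r.amount_cents
        return paid

    def location_history(self, account: str) -> List[Tuple[str, datetime]]:
        """What a records request (or a breach) would yield about this account's movements."""
        return [(r.plaza, r.at) for r in self.records
                if r.account == account and r.plaza is not None and r.at is not None]

    def expire_unpaid(self, now: datetime, max_age_days: int = 30) -> int:
        """Retention backstop: even unpaid crossings lose where/when after max_age_days."""
        dropped = 0
        for r in self.records:
            if r.at is not None and (now - r.at).days >= max_age_days:
                r.plaza, r.at = None, None
                dropped += 1
        return dropped


def demo() -> Dict[str, int]:
    """Constructed walk-through: two accounts, one pays, the other's record ages out."""
    ledger = TollLedger()
    ledger.record_crossing("acct-1", "Plaza 7", datetime(2009, 9, 1, 8, 0), 350)
    ledger.record_crossing("acct-2", "Plaza 9", datetime(2009, 9, 2, 9, 0), 500)
    before = len(ledger.location_history("acct-1"))
    paid = ledger.settle("acct-1")
    after = len(ledger.location_history("acct-1"))
    expired = ledger.expire_unpaid(datetime(2009, 10, 5))
    return {"before": before, "paid": paid, "after": after,
            "due_1": ledger.balance_due("acct-1"), "expired": expired,
            "acct2_history": len(ledger.location_history("acct-2")),
            "due_2": ledger.balance_due("acct-2")}


if __name__ == "__main__":
    print(nearby_shops(coarse_cell(40.7128, -74.0060)))   # ['Cafe A']
    print(demo())   # acct-2 still owes 500 but its movements are gone
```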

Thursday, September 3, 2009

News: Facebook Adopts Improved Privacy Controls

From Jurist: Following discussions with the Office of the Privacy Commissioner of Canada, Facebook have announced that they would give users more control over the information they share through their profiles.

News: ECHR Affirms Prisoner's Right to Private Medical Correspondence

From the Register: The European Court of Human Rights has affirmed the rights of prisoners to private medical correspondence under Article 8. This overturns the UK Court of Appeal's 2004 ruling that medical correspondence did not have the same privacy rights as communication with an MP.

News: Scottish Government Seeks to Curb Data Collection

From the Register: The Scottish Government has proposed a series of ID management and Privacy Principles to constrain Public Bodies. These move away from the trend "of building up very large public databases of personal information":

"Organisations should avoid creating large centralised databases of personal information and store personal and transactional data separately," said a statement outlining the plans. "People should only be asked for identity when necessary and they should be asked for as little information as possible."

News: UK Government Plans to Link ID Cards to Criminal Records

From Slashdot: Previously Government Ministers had denied that the ID database would contain criminal records, but they have now admitted to a feasibility study on linking the National Identity Database to the Criminal Records Bureau. In a written statement they said that:

This research is still in the early stages of feasibility and several options are being considered as part of this work, including options for the use of ID card data and fingerprints. The CRB is not considering the use of other biometrics at this stage,

News: Fears of More US Access to EU Banking Details

From European Digital Rights: SWIFT (Society for Worldwide Interbank Financial Telecommunication) intends to open a new European-focussed server in Switzerland. In 2006 it was revealed that the US government had access to SWIFT transactions via the Terrorist Finance Tracking Program.

The EC is drafting a new agreement on access with US authorities in advance of the new server, to the exclusion of the European Parliament and under heavy criticism from MEPs. The Commission claim they are trying to negotiate a better deal, although this will apparently not include any EU access to US banking transactions.

Meanwhile the Council of Foreign Ministers authorised the Swedish Presidency to negotiate a temporary agreement whereby information would be granted on a per-request basis and could be stored in the US for up to five years.

    News: New DHS Privacy Standards

    From the ACLU: The Department of Homeland Security have released new privacy standards on border searches of electronic devices. The ACLU are calling it "a good first step, but not enough to protect privacy or curtail profiling":

    “There are two key aspects of this new policy worth applauding – the limitations on the time that electronic devices can be held by Customs officers and requirements that information from electronic devices only be retained if there is probable cause that a crime has been committed. These procedural safeguards recognize that the old system was invasive and harmed many innocent travelers.

    “But unless and until the government requires agents to have individualized suspicion before reviewing such sensitive information as medical records, legal papers and financial information, even the most elaborate procedural safeguards will be insufficient for the government to live up to its constitutional obligations. It is now time for Congress to act and create concrete standards for searches and directly confront the problem of racial and religious profiling.”

    News: EDPS Opinion on ITS

    From European Digital Rights: The European Data Protection Supervisor Peter Hustinx has issued his opinion on the EC's plan to step up plans for the Intelligent Transport Systems - applications using information and communication technologies such as GPS embedded in different modes of transport. He is calling for:
    • More clarity with regard to the legal requirements of data protection across Europe
    • Data Controllers to be clearly identified: "as they will bear the responsibility to ensure that privacy and data protection considerations are implemented at all levels of the chain of processing."
    • Appropriate safeguards "so that the use of location technologies is not intrusive from a privacy viewpoint. This should notably require further clarification as to the specific circumstances in which a vehicle will be tracked, strictly limiting the use of location devices to what is necessary for that purpose and ensuring that location data are not disclosed to unauthorized recipients".
    • Implementation "with due respect for data protection principles and practical safeguards on security"
    • Gathered data not to be used "for further purposes that are incompatible with those for which they were collected" - calling for Privacy by Design in ITS applications
    • Privacy and data protection to be built in from the beginning
    • Data Protection Authorities such as itself and the Article 29 Working Party to be involved through consultation on all ITS deployment initiatives.

    News: Another Case of Intimate Information Lost

    From the Register: Repair Management Services of Blackburn lost a laptop computer containing personal details of 37,000 people and information on 1,900 people's driving convictions. The information was stored on an unencrypted laptop and left in an unlocked vehicle, where it was stolen:

    "Personal information is valuable," said Sally-anne Poole, head of enforcement and investigations at the ICO. “In this case, it also involved the details of criminal convictions which, if accessed, could potentially result in distress being caused to the individuals concerned."

    The trade body has made a written undertaking to the ICO committing it to encrypting machines and to training staff in its information policies and procedures to try to ensure that such an incident is not repeated.

    Of course, disclosure of this sort of information has been considerably more significant in some cases than others.

    Comment: ACLU Seeks Info on Border Laptop Searches

    One interesting aspect of the previous post is the issue of assessing searches of laptop computers:
    The court rejected the argument that a laptop is like a human mind because of its ability to record ideas and emails, and held instead that a laptop is the same as closed containers such as purses and wallets.
    While clearly it would be silly to take the analogy between human minds and any inanimate object literally (pace some of my more extreme philosophical friends) there is clearly a real issue here. Not all searches of 'closed containers' or other objects are going to be on a par here - it's reasonable to expect a search of my diary to be much more invasive than searching my lunchbox. Laptop computers record some of the most intimate information about us. Surely this is a distinction that ought to be recognised?

    News: ACLU Seeks Info on Border Laptop Searches

    The Jurist reports that the ACLU is filing a lawsuit to acquire documents on the US Customs and Borders policy of searching travellers' laptops. They claim these searches may violate fourth amendment protection against 'unreasonable search and seizure', since the searches are conducted on the basis of 'unindividualized suspicion'.

    In April of last year, the US Court of Appeals for the Ninth Circuit ruled that reasonable suspicion is not necessary for a warrantless search of a laptop or other digital device at the border due to inherent national security interests. The court rejected the argument that a laptop is like a human mind because of its ability to record ideas and emails, and held instead that a laptop is the same as closed containers such as purses and wallets.

    Zurich DETECTER Site Launched

    We've set up a few webpages related to the DETECTER project on the University of Zurich's website. The pages provide some information about Work Package 6, contact information for the researchers involved, and will provide a platform for any future publications that may come out in connection with the project. The "homepage" for the site is accessible here.

    Tuesday, September 1, 2009

    Update: Registered Traveler

    FederalComputerWeek reports that two members of the US House of Representatives have urged the TSA not to delete traveller information that is held in the TSA’s database for the Registered Traveler Program, the Central Information Management System (CIMS). The Representatives are concerned that the deletion of the data would hamper the continuation of the program.

    I discussed the Registered Traveler Program in a post concerning the CLEAR program last month. Verified Identity Pass, Inc., mentioned in the FederalComputerWeek article, is the parent company of CLEAR.

    Tuesday, August 18, 2009

    Who Should Have Access to What When?

    Stories surfaced recently that two police officers in the State of Georgia in the US ran an unwarranted background check on President Obama. Evidently, the Secret Service alerted the local county government that computers within their system had been used to access information on the President. As a result, the two officers in question have been placed on suspension. Remarkably, a similar incident occurred in Pennsylvania involving a Philadelphia police officer shortly thereafter.

    These incidents bring two issues to mind:

    First is the issue of access controls or access monitoring with respect to information systems and databases containing personal information. On the one hand, it’s refreshing to know that the kinds of controls are in place to allow the Secret Service to know that someone from a particular computer network has accessed information on the President stored on criminal justice systems. Yet, clearly the Secret Service is not going to be extending this kind of safeguard to too many people beyond the President, Vice-President, and potentially their families. It’s also unclear to what extent anyone within the network of federal and state agencies that have access to this information runs audits to ensure that other unwarranted access has not been made. With respect to at least one of the databases in question, the FBI’s National Crime Information Center database—which I discuss below—there are local agencies that oversee the administration of the system of access to the database within their locality (state, territory, etc). This agency is “responsible for monitoring system use, enforcing system discipline and security, and assuring that all users follow operating procedures.” Yet, according to an article that appeared on Slate, it was “common practice” in one locality for police “to run checks for friends and family, and to run prank names to alleviate boredom.”

    Then again, I’m not sure how you would structure such an audit given the fact that probably anyone who gets pulled over by police for even the slightest traffic violation can legitimately be subjected to such a background check (Another interesting question is whether anyone has ever challenged the legitimacy of allowing officers to call up this variety of information during a routine traffic stop). Multiple system queries issued in relatively quick succession might be one indication of abuse, but this kind of action wouldn’t be inappropriate where multiple individuals have been stopped for suspicious activities. Perhaps looking for checks run on notable figures such as President Obama might be another way to catch some illegitimate use of the system, but it would not provide much of a safeguard for the majority of citizens. At any rate, my point is to draw out an issue pertaining to the “watching of the watchers” and potential remedies for “violations” on the part of the watchers. This issue of providing access controls and auditing capabilities is likely to be a significant theme in Work Package 6 of the DETECTER Project, which I am working on.
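    To make the two audit heuristics above concrete, here is an added illustration (not code from any agency, from Slate, or from the DETECTER project) of a review pass over lookup logs. The log format, the operator and terminal identifiers, the subject names and the "incident reference" field are all constructed for the example. It reports every lookup on a small watch list of flagged subjects, and it reports an operator who runs several lookups in quick succession with no incident reference attached; a burst that carries an incident reference (several people stopped together) is deliberately left alone, which is exactly the caveat the paragraph raises. It does nothing about the harder case, an isolated "prank" lookup dressed up as a routine stop, which no query-pattern rule can distinguish from a legitimate one.

```python
"""Audit-log review for lookups on a records system (added example).

The log format, ids, subject names and thresholds below are constructed
for illustration; they do not describe any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines:
#   timestamp | operator | terminal | subject | incident ref ("" if none)
SAMPLE_LOG = """\
2009-08-17T09:00:05 | OP-104 | CAR-12 | J. DOE         | INC-5501
2009-08-17T09:00:40 | OP-104 | CAR-12 | A. SMITH       | INC-5501
2009-08-17T09:01:10 | OP-104 | CAR-12 | B. JONES       | INC-5501
2009-08-17T11:14:00 | OP-221 | DESK-3 | FLAGGED PERSON |
2009-08-17T13:30:00 | OP-333 | CAR-07 | N. NEIGHBOUR   |
2009-08-17T13:30:20 | OP-333 | CAR-07 | E. EX-SPOUSE   |
2009-08-17T13:30:45 | OP-333 | CAR-07 | FAMOUS NAME    |
2009-08-17T13:31:05 | OP-333 | CAR-07 | M. PRANK       |
"""

# Constructed watch list: every lookup on these subjects is reviewed.
FLAGGED_SUBJECTS = {"FLAGGED PERSON"}

BURST_COUNT = 3                       # this many lookups ...
BURST_WINDOW = timedelta(minutes=2)   # ... inside this window, with no
                                      # incident ref, is worth a look


def parse_log(text):
    """Parse the constructed pipe-separated format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, operator, terminal, subject, incident = [f.strip() for f in line.split("|")]
        records.append({
            "ts": datetime.fromisoformat(ts),
            "operator": operator,
            "terminal": terminal,
            "subject": subject,
            "incident": incident,   # "" when the lookup cites no incident
        })
    return records


def flagged_subject_lookups(records):
    """Every lookup on a flagged subject is reported, incident ref or not."""
    return [r for r in records if r["subject"] in FLAGGED_SUBJECTS]


def burst_lookups(records):
    """Map operator -> largest number of lookups that fall within BURST_WINDOW
    and cite no incident reference, for operators reaching BURST_COUNT.
    Lookups tied to an incident are excluded: several people stopped at one
    scene legitimately produce a burst."""
    by_operator = defaultdict(list)
    for r in records:
        if not r["incident"]:
            by_operator[r["operator"]].append(r["ts"])
    suspicious = {}
    for op, times in by_operator.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] > BURST_WINDOW:
                start += 1
            size = end - start + 1
            if size >= BURST_COUNT:
                suspicious[op] = max(suspicious.get(op, 0), size)
    return suspicious


def review(text):
    """Return a list of (kind, operator, detail) findings for a log text."""
    records = parse_log(text)
    findings = []
    for r in flagged_subject_lookups(records):
        findings.append(("flagged-subject", r["operator"], r["subject"]))
    for op, n in burst_lookups(records).items():
        findings.append(("burst", op, n))
    return findings


if __name__ == "__main__":
    for kind, operator, detail in review(SAMPLE_LOG):
        print(f"{kind:16} {operator:8} {detail}")
```

On the sample log the review flags OP-221 for the watch-list lookup and OP-333 for four unreferenced lookups in just over a minute, while OP-104's three lookups under INC-5501 pass. The incident-reference field is doing the real work here: requiring operators to cite a reason at query time is what turns the log into something an auditor can actually act on.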

    The second issue concerns the actual extent of information that access to a particular system grants—and in the context of these incidents, information sharing or consolidation among different data collecting agencies. The fact is, I don’t know exactly what information is featured in these background check queries; according to the article on Slate, it may vary from police agency to police agency since different agencies may have different access policies and procedures. I would guess they would contain: name, date of birth, height, weight, gender, eye color, address (all of these are standard things included on US driver’s licenses), driver’s license number and state of issue (perhaps even for past driver’s license numbers, too?), vehicle registration information, list of outstanding parking tickets or fines, list of traffic violations, list of arrests, list of criminal convictions, list of outstanding warrants or other All-Points-Bulletin type notices (including e.g. Interpol notices), perhaps even social security number and driver’s license photo. The Slate account adds aliases, tattoos, scars, and other distinguishing marks. However, these clearly would only be available if you had been arrested. As for fingerprints, I know of at least one state that requires fingerprinting when issuing a driver’s license. Otherwise, these also would not generally be available without a prior arrest.

    But where does this information come from? According to the Slate article, the information is culled from a number of different databases. Alongside local databases, the primary source for data from all states as well as certain federal information is the National Crime Information Center database mentioned above (see also this page maintained by the Federation of American Scientists). According to the Slate article, not every police officer will necessarily have direct access to this database from his or her squad car. Thus, at least in some places, there are built-in safeguards to limit the extent of information that is made available without some justification on the part of the officer.

    Yet the trend has been toward increased availability of information—including increased information sharing and extending the reach of intelligence and criminal justice resources to include more and more databases and data sources. An initiative known as MATRIX (Multi-State Anti-Terrorism Information Exchange)—I’m guessing they didn’t see the movie—represented one effort in the US in the early to mid-2000s to pool information and resources for the support of a better (and perhaps more extensive?) information system. Accounts vary, but some claimed the system would provide access to records from a number of public sources in addition to the usual law enforcement databases. One account, for instance, claimed that things such as credit information, marriage and divorce records, names of business associates, neighbors’ addresses and telephone numbers would also be made available (Duane D. Stanford and Joey Ledford, “State to Link Up Private Data,” Atlanta Journal-Constitution, October 10, 2003, cited by the ACLU in this report). There was certainly discussion of incorporating the use of an analytic system developed by a private corporation which would also include access to that corporation’s databases that held “billions of public and commercial records.” The fear that the new system would provide local police with access to an enormous variety of personal information gave forth to public uproar. Probably at least in part due to that backlash, most of the states that had initially signed on to the program gradually began to withdraw involvement.

    There’s a lot more to be said on this subject of what is the appropriate extent of information that should be readily available—particularly in light of the potential for misuse. Especially in the context of national security intelligence, it is often not clear what information is of significance to prevent terrorist attacks. There is this idea, perhaps reflected in programs like DARPA’s Total Information Awareness (or “Terrorist Information Awareness” if you prefer), that if only the greatest possible amount of information were available for analysis, analysts would be able to pick up on patterns of “suspicious” activity before incidents occur. I’ll perhaps save further discussion of this subject for a future post. But beyond the question of the extent to which we should permit data aggregation, there are also the issues of what extent of existing information should be made available to whom and under what circumstances.

    Monday, August 10, 2009

    One in Every 78 Adults Surveilled by Councils in Britain Last Year

    The Liberal Democrat party is speaking out on Council Snooping after revelations that an average of 1,500 surveillance requests were made every day in Britain last year - equivalent to one in every 78 adults having been targeted across the year.

    I've talked about surveillance by Local Authorities before, but these figures just seem out of all proportion to any justifiable role for spying by councils. I assume the numbers will look smaller once one takes into account that many of these requests will be for repeat surveillance of the same people (though I've no idea by how much).

    The Lib Dem solution is for the power to grant surveillance requests to be taken away from government and handed over to magistrates:

    We have sleepwalked into a surveillance state, but without adequate safeguards. Having the home secretary in charge of authorisation is like asking the fox to guard the hen house. The government forgets that George Orwell's 1984 was a warning and not a blueprint.

    Is there anything at all to be said in defence of the law as it currently stands? Are there, for example, any scenarios in which really necessary Council surveillance requests would be likely to be turned down by a magistrate? (What could such scenarios be?) And does anyone disagree that Councils are using these powers far too often?

    Friday, August 7, 2009

    Update: People v. Weaver

    People v. Weaver, the New York case that was the subject of an earlier blog entry, has been published in the New York Reports at 12 N.Y.3d 433. The opinion may also be found on Lexis and Westlaw under the citations 2009 N.Y. LEXIS 944 and 2009 WL 1286044 (N.Y.), respectively.

    Tuesday, August 4, 2009

    UAE Mobile Provider Installs Spyware on Customers' Blackberries

    Wired and Silicon Valley have reported that a mobile telephony provider in the United Arab Emirates installed spyware on the Blackberries of subscribers to its services. Blackberry users were prompted to download a software update. Once the update was installed, however, users complained that their device’s performance was adversely impacted and that their batteries were quickly exhausted. As it turned out, the update had the device contact a certain server for registration. The high number of devices which attempted to connect to the server simultaneously caused the server to crash. As each Blackberry regularly tried to contact the server after the initial failure, this action quickly used up the device’s battery levels.

    Code analysts reported that the update included code to permit surveillance of the Blackberry’s contents and communications, although this feature was deactivated upon initial download. The code was evidently written by US-based company SS8, which provides surveillance solutions to telecommunications providers as well as products for intelligence and law enforcement. As reported on Wired, analysis by the company Veracode suggested that the installation of the surveillance software on the user’s handheld device, as opposed to relying on surveillance at the server level, would prevent the use of messaging encryption from frustrating attempts to examine communications being sent from and received by the device. Rather than intercepting messages in transit over the server, the code would have the device deliver copies of the content stored there to a special server. These copies would be in unencrypted form since they would be either generated prior to the application of encryption in the case of sent messages, or have been decrypted by the user’s key in the case of received messages.

    Monday, August 3, 2009

    Lack of Clarity with respect to fate of CLEAR data?

    Anita Ramasastry recently wrote an article (Note: at the time of this post, this link no longer pointed to the correct article; until this problem is corrected, you may find the original article here in Google's cache) for FindLaw discussing the imminent demise of CLEAR—a private company which worked in conjunction with the Transportation Security Administration to offer customers less hassle at airport security in exchange for giving up some of their privacy (and payment of an annual membership fee). Perhaps it was inevitable that some enterprising American would develop this kind of business model following the increasingly burdensome and inconvenient security measures imposed at airports subsequent to 9/11. One might question, however, whether the federal government should have allowed it (See also this article for criticism that CLEAR failed to deliver on its “promise”). The business model was made possible by the TSA’s "Registered Traveler" program.

    Although CLEAR was not the only provider of such services in the US, it was the most popular with approximately 165,000 members, according to Ramasastry. She reports that members had to provide CLEAR with biometric data in the form of fingerprints and iris scans to participate in the program. This data was then encoded on the member’s CLEAR card, which had to be tendered to bypass the standard security checkpoint lines. Now that CLEAR is going out of business, what will happen to all the personal data they hold, Ramasastry asks: Will it be sold to one or more other companies? Will the TSA claim it? What say does each member have as to what will happen with his or her data?

    Unlike the EU, the US doesn’t have any overarching legal instrument that establishes a basic framework for the handling of personal data. And as Ramasastry points out, CLEAR, as a private company, is not subject to the same kinds of privacy regulations as government agencies. But should companies that operate in this area not be subject to the same privacy standards as government bodies? Or should the TSA be authorized to intervene to secure personal data on behalf of former customers of CLEAR? An announcement on the CLEAR website reassures customers of its commitment to protect their personally identifiable information. Yet, even assuming CLEAR had a strong corporate privacy policy in place, it’s UNclear how the company will ensure that that policy is upheld if it ends up being liquidated in bankruptcy. Not to mention, former customers may find it difficult if not impossible to seek compensation for any violation of the policy. The website also speaks of TSA/federal requirements. But one source has suggested that neither the TSA nor the Dept. of Homeland Security have any relevant requirements in place. The TSA website itself states that “all RT [Registered Traveler] service providers were obligated to follow data security standards to continue offering service [following the initial pilot project]. Each service provider's use of data, however, is regulated under its own privacy policy and by its relationship with its customers and sponsoring airport or airline.” (emphasis added) The only data usage requirement that the TSA imposed may have been that “RT service providers . . . use customer data only for purposes of the RT program unless customers expressly opted-in to other uses.”

    In the meantime, the other two Registered Traveler operators, FLO, Corp. and Vigilant Solutions, have reportedly also both closed down the special security clearance lanes they operated at US airports.