Schneier on Security
A blog covering security and security technology.
« Ignoring the "Great Firewall of China" |
| Applying CALEA to VoIP »
June 28, 2006
Congress Learns How Little Privacy We Have
Almost every piece of personal information that Americans try to keep secret -- including bank account statements, e-mail messages and telephone records -- is semi-public and available for sale.
That was the lesson Congress learned over the last week during a series of hearings aimed at exposing peddlers of personal data, from whom banks, car dealers, jealous lovers and even some law enforcement officers have covertly purchased information to use as they wish.
The committee subpoenaed representatives from 11 companies that use the Internet and phone calls to obtain, market, and sell personal data, but they refused to talk.
All invoked their constitutional right to not incriminate themselves when asked whether they sold "personal, non-public information" that had been obtained by lying or impersonating someone.
Posted on June 28, 2006 at 7:39 AM
• 25 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
They took the 5th, no surprise there then.
Afterall they don't trust the Government not to release their personal details by bad reducting etc ;)
I wonder why congress is even talking to these people? These companies know that they're in a grey area if not outright breaking the law to collect the information. However, once they have the information, I don't think there's a way to prevent them from selling it. I think the only thing that keeps the large data aggregators from collecting and selling all of this grey market information is that laws could be passed that would make it impossible for them to continue to service a contract for the data.
If you fill out a warrantee registration or mail in rebate, the company you send it to is going to sell that information for marketing purposes. They don't disclose what they're doing with the information you provide, because once they have it, they legally own it. Nobody would send those things in if they came out and said "our warrantee registration cards go directly to a large data aggregator to minimize the time it takes for your personal information and preferences to get sold to other marketing companies."
Most people aren't going to mail in copies of their bank statements and phone records to get some rebate, so the companies get this information from other sources. There's no real incentive for phone companies or banks to do anything more than fire people caught stealing data. Easy access to data is an assumption made in most internal applications, so it would be a tremendous effort to try to secure the data.
I wish there was a legal definition of terrorism. To me, marketing my personal data is terrorism. Since suspected terrorists now how no constitutional protections at all in USA, those subpoenaed representatives would be forced to speak in my book...
Not sure why anybody is surprised by this, there is no "right to privacy" in the US. Whatever an organization with lots of money (RIAA for example) wants to pass through congress, it gets. Even if they pass something called a "privacy act" it will be formal codification of companies being allowed to do whatevernell they want to and all you can do about it is bankrupt yourself trying to sue them, if youre even allowed to do that. Lawyers make all the laws, and they only benefit lawyers.
The best investment privacy advocacy groups could make would be to legally obtain as much information as possible about members of Congress, and then request a meeting to discuss their dossiers.
@TimH: terrorism does have a legal definition, and thank heavens, it does not include everything. The problem is not constitutional protections of basic rights, it is the lack of ownership of personal data. In most EU countries, your personal data is your property, and companies may handle it only with your permission (which you can retract anytime). Violating this is a crime (so police can and does investigate), and you can also sue for compensation in a civil law court. This is an effective deterrent.
I thought we were supposed to be provided an opt-in or opt-out checkbox for the use of our information.
@ Mike Sherwood
The way to get these companies to behave themselves is to make it illegal to be in possession of information not released to them by that person.
The only real problem(s) with this would be:
#1. Credit reporting agencies: they collect information about you from different sources.
#2. The cost for all those companies to go through and clean up their databases and verify that they have that data directly from that person.
Otherwise ... over time, all of your information will become available, for a price.
Congress investigates when it has zero interest in pursuing the real answers that involve proactive / progressive legislation and need to make a show. See : Enron scandal, 9-11 Comission, Baseball Steroids, Gas Company Profits, SUV safety, etc ad nauseum.
Now maybe if the headline said:
"Congress CARES How Little Privacy We Have"
until it does...
We're already at the point where all of the information is available for a price. In the US, there is already so much information out there and so much money in it that there's no way to pass a law granting individuals rights to their own information.
The only way to make a meaningful impact would be to collect all of the information on every senior executive in every large corporation and every elected representative of the government, and sell it to anyone with the money. I wonder if it would be legal to offer to sell individuals exclusive rights to their own information in a particular database. It's like extortion, but phrased as a legitimate business transaction.
Brandioch: your proposed law would shut down the press. Investigative reporting consists almost entirely of information about people that those people would not want to be public.
> I wonder why congress is even talking to these people?
I believe they were subpoenaed to appear.
Isn't purchasing stolen goods a crime? Why would the same not hold true for information? There's no "grey area" here, it's just plain illegal. This is more of the intentional blurring of legality -- see also signing statements, warrantless wiretapping, etc.
And if distributing stolen information is NOT a crime, I don't see how all the former owners of the "information" contained in an mp3 of copyrighted music can get so upset about it being distributed on the internet.
It cuts both ways, regardless of the nature of the information. Welcome to my world, MPAA suckers.
Where is the USA legal definition of terrorism please? Or the EU's?
enough whining! the question is, how do we protect ourselves from this? for phone records, i took some pretty good initial measures:
fake first initial while applying for service. i believe that this is what miraculously kept me out of the stalker sites, even though i'm the owner of public record here.
opted out of verizon's program for selling my data.
use of *67 to prevent my number from being captured by people/entities i don't trust.
my cellphone is a prepaid tracfone. i suspect that it's harder for a pretexter to get info from tracfone than from a standard monthly billed account, but i'm not sure. there are no periodic statements with a tracfone, and god help the pretexter who gets the same woman in the eastern european call center i got when i initially activated it under a nom de phone. when my first year of service ran out, i had to blow my cover with a credit card to keep the phone alive. if i wanted to go to extra effort, i understand there are now websites where you plug in your credit card info, and for a small fee they give you a new card number/expiration date good for a one-shot deal.
does anybody else have any other suggestions for keeping our private phone records private?
In the UK, terrorism used to be the commision (or planning) of a crime of violence for political motives. Political motives mean "with the intention of influencing publis opinion or government policy". Smack Hilary Clinton over the head to steal her money is not terrorism. Smack her to punish Bill
However now thought has been brought into it, which makes it much harder.
Saying "Child murderes should get the needle" is reasonable. "Blasphemers should be beheaded" is not
I'm still looking for the definition of a terrorist that is part of the legal framework of USA, EU in general, or UK in particular.
I don't think it exists.
Define terrorism? What, you don't trust the Administration?
In New Hampshire, there was an incident where a woman was murdered by a stalker. The stalker had obtained the victim's Social Security number and work address from an information broker Web site to locate the individual. The New Hampshire Supreme Court ruled that information brokers can face civil liability as a result of providing personal information to third parties.
How about copyrighting your personal information? If you could manage to do that (I don't know how), you could sue for breach of copyright if the information was disseminated in an unauthorised way, in the same way as if someone had copied and distributed a book, music or software. A neat idea if you could get it to work
Title 18 of the US Code defines Federal crimes. I can't get to Cornell's library right now, but it appears that USC 18 Part 1 Chapter 113B Section 2332b says ``Federal crime of terrorism'' means an offense that --
(A) is calculated to influence or affect the conduct of government by intimidation or coercion, or to retaliate against government conduct...'' and then goes on to specify a long list of laws, one of which must be violated, to satisfy the definition. Note that as long as agents of the government follow its laws, they cannot, by definition, commit a Federal crime of terrorism. So if they repealed a law against murder, it would not be a Federal act of terrorism to murder people.
I suppose if it doesn't transcend state boundaries or involve Federal property, then it would be up to each state to define terrorism for themselves.
In a book I have, it states that there are almost as many definitions of terrorism as there are terrorists. One could say it is "the threat of violence and fear to cause change". Or, a bit more generally, "a strategy whereby violence is used to produce certain effects in groups of people so as to attain some political end or ends".
In 1937, an International Convention on Terrorism defined terrorism as; "(1) a willful or international act, (2) an act with a terror purpose, (3) an act with an outcome of death, grievous bodily harm or loss of liberty to a set of instrumental targets, (4) an outcome of damage to or destruction of public property as instrumental targets, and (5) acts calculated to endanger the lives of the members of the public".
In 1972, the Secretary General said terrorism was "(1) an act which had a terror outcome, (2) an act which had instrumental or immediate victims, (3) an act which had primary targets, whether populations, broad groups of people, or small groups of people, (4) acts of violence, and (5) acts with a political purpose".
Wolfe (1978) sees terrorism as being primarily political in nature, and as such, defines terorrism as "the threat or use of deliberate violence, indiscriminantly or selectively, against either enemies or allies to achieve a political end".
The FBI once defined terrorism as the "unlawful use of force or violence against persons or property to intimidate or coerce a government, civilian population, or any segment thereof, in furtherance of political or social objectives". I've heard they have broadened it since then to include violation of any law, but I am not certain.
Netanyahu defined terrorism as "the deliberate and systematic murder, maiming and menacing of the innnocent to inspire fear for political ends".
And so on. I think what the last definition almost captures is that terrorism is often an act commited against one person or group to influence another person or group. It reminds me of "Apocalypse Now", where the Viet Cong cut off the arms of the villagers who were innoculated by US forces; in that case, the act had dual targets, scaring villagers into not accepting vaccinations, and making US forces question the wisdom of continuing to provide such vaccinations, or indeed do anything to "win the hearts and minds" of the Vietnamese. Point being; terrorists often don't target the people who make the decisions, they use their empathy for their fellow human against them.
Thanks! This means that using any form of leverage to persuade a Senator or Rep. into voting a certain way counts as "to influence or affect the conduct of government by intimidation or coercion".
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.