Schneier on Security
A blog covering security and security technology.
November 22, 2005
Surveillance and Oversight
Christmas 2003, Las Vegas. Intelligence hinted at a terrorist attack on New Year's Eve. In the absence of any real evidence, the FBI tried to compile a real-time database of everyone who was visiting the city. It collected customer data from airlines, hotels, casinos, rental car companies, even storage locker rental companies. All this information went into a massive database -- probably close to a million people overall -- that the FBI's computers analyzed, looking for links to known terrorists. Of course, no terrorist attack occurred and no plot was discovered: The intelligence was wrong.
A typical American citizen spending the holidays in Vegas might be surprised to learn that the FBI collected his personal data, but this kind of thing is increasingly common. Since 9/11, the FBI has been collecting all sorts of personal information on ordinary Americans, and it shows no signs of letting up.
The FBI has two basic tools for gathering information on large groups of Americans. Both were created in the 1970s to gather information solely on foreign terrorists and spies. Both were greatly expanded by the USA Patriot Act and other laws, and are now routinely used against ordinary, law-abiding Americans who have no connection to terrorism. Together, they represent an enormous increase in police power in the United States.
The first are FISA warrants (sometimes called Section 215 warrants, after the section of the Patriot Act that expanded their scope). These are issued in secret, by a secret court. The second are national security letters, less well known but much more powerful, and which FBI field supervisors can issue all by themselves. The exact numbers are secret, but a recent Washington Post article estimated that 30,000 letters each year demand telephone records, banking data, customer data, library records, and so on.
In both cases, the recipients of these orders are prohibited by law from disclosing the fact that they received them. And two years ago, Attorney General John Ashcroft rescinded a 1995 guideline that this information be destroyed if it is not relevant to whatever investigation it was collected for. Now, it can be saved indefinitely, and disseminated freely.
September 2005, Rotterdam. The police had already identified some of the 250 suspects in a soccer riot from the previous April, but most were unidentified but captured on video. In an effort to help, they sent text messages to 17,000 phones known to be in the vicinity of the riots, asking that anyone with information contact the police. The result was more evidence, and more arrests.
The differences between the Rotterdam and Las Vegas incidents are instructive. The Rotterdam police needed specific data for a specific purpose. Its members worked with federal justice officials to ensure that they complied with the country's strict privacy laws. They obtained the phone numbers without any names attached, and deleted them immediately after sending the single text message. And their actions were public, widely reported in the press.
On the other hand, the FBI operated in Las Vegas with no judicial oversight. With only a vague hint that an attack might occur, the bureau vacuumed up an enormous amount of information. First its agents tried asking for the data; then they turned to national security letters and, in some cases, subpoenas. There was no requirement to delete the data, and there is every reason to believe that the FBI still has it all. And the bureau worked in secret; the only reason we know this happened is that the operation leaked.
These differences illustrate four principles that should govern the police's use of personal information. The first is oversight: In order to obtain personal information, the police should be required to show probable cause, and convince a judge to issue a warrant for the specific information needed. Second, minimization: The police should get only the specific information they need, and no more. Nor should they be allowed to collect large blocks of information in order to go on "fishing expeditions," looking for suspicious behavior. The third is transparency: The public should know, if not immediately then eventually, what information the police are getting and how it is being used. And fourth, destruction: Any data the police obtain should be destroyed as soon as its court-authorized purpose is achieved. The police should not be able to hold on to it just in case it might become useful at some future date.
This isn't about our ability to combat terrorism; it's about police power. Traditional law already gives police enormous power to peer into the personal lives of people, to use new crime-fighting technologies, and to correlate that information. But unfettered police power quickly resembles a police state, and checks on that power make us all safer.
As more of our lives become digital, we leave an ever-widening audit trail in our wake. This information has enormous social value -- not just for national security and law enforcement, but for purposes as mundane as using cell-phone data to track road congestion, and as important as using medical data to track the spread of diseases. Our challenge is to make this information available when and where it needs to be, but also to protect the principles of privacy and liberty our country is built on.
This essay originally appeared in the Minneapolis Star-Tribune.
Posted on November 22, 2005 at 6:06 AM
I think individuals need to pay attention to what they do that may leak information about them.
There are times you may want to leave that cell phone at home (or in the car). After all if you are at that game and something happens do you want to become part of the investigation?
Holding on to old emails? What if that old high school friend gets in trouble with the law? Anything in your archive folder that could be taken wrong?
All I can say is, thank God I live in the UK. (Though no doubt someone will point out that equally heinous things go on over here too in the name of justice.)
The 'probable cause' notion started as a reasonable idea but has become a sick joke.
If 9 out of 10 times the 'probable cause' warrant is proven wrong, there never was any 'probable' to it: the proposition was improbable.
Judges rubberstamp the warrants, interpreting 'probable' as 'possible', or 'conceivable', or 'plausible'. In the check-and-balance column, mark them as 'hopelessly flawed'.
Occasionally, a judge will grandstand and reject a warrant. So the cops will go back and jazz up a better one, or go to another judge. The net effect is a mere delay, not a stop.
Worse yet, judges never check grounds for the warrants: they always take the cops at face value. They don't do any fact-checking. All it takes is a good story presented well enough, and scribble-scribble, it's a valid warrant.
IMHO, this aspect is a lost cause. Law enforcement defeated it decades ago. It is not fixable.
I think separation of the data from its purpose should be required for law enforcement. If the databases were created by private companies, there would be someone with civil and criminal liability if the information were misused. It would also be in the company's best interests to ensure they are complying with the requirements of the contract, regardless of the desires of law enforcement agencies. If the data has a certain operational lifespan, it would be deleted at the end. There is negligible additional cost for someone to keep data indefinitely if they are inclined to do so.
Data from numerous sources are fed into databases for marketing purposes. Factors like which magazines you subscribe to, organizations you're a member of, etc are used to determine your probability of responding to a particular marketing offer. For credit offers, there are legal restrictions about who can have access to characteristic data and who can have personally identifiable data. The two groups must be kept separated to minimize the chances of discrimination.
When much more diverse and specific sources of data are used for the purposes of incrimination, why do we apply a lesser standard?
The biggest danger in these databases is the underlying assumption that correlation is causation. For marketing purposes, it's ok to make fundamental logical errors like that. I'm not too hip to the idea of law enforcement using the same tactics.
Trying to keep your personal information private is more difficult than many think. There is a lot of money out there chasing that information and there are plenty of providers. It's much easier to intentionally poison the databases with false or misleading information. I haven't had a cell phone for almost 5 years if you go by official records.
Why would anyone want to leave their cell phone at home or in the car to avoid an investigation? If you want to cover up something you're doing, leave the phone in someone else's car so the phone location is independent of yours. If you're not doing anything wrong, you can turn your phone off for privacy or even accept that you might be asked questions if you're a witness to a crime. Being part of an investigation isn't always a bad thing.
The email scenario is just silly. How is someone going to search your old emails unless you're being investigated? You can come up with a scenario to justify anything, but that doesn't make it reasonable. I have some data, including email, that's well over 10 years old. I'm not going to purge it just in case someone I know gets in trouble.
It's possible that computer security people would be branded as info-terrorists in the future. That's not going to stop me from associating with people or posting places like this with my real name.
"Holding on to old emails? What if that old high school friend gets in trouble with the law? Anything in your archive folder that could be taken wrong?"
If the emails are in your personal possession (on your hard drive) and not stored on a server anywhere then this is less problematic.
Great Article. I have made awareness of the Patriot known in my circle. I just wish more people honestly cared; I wish the news covered it more.
"I think individuals need to pay attention to what they do that may leak information about them."
Hope you don't mind your ISP tracking your online movements by IP address. Don't want the gubment to know what you read? Better go to a cyber cafe. Oh, and bring your fake ID.
And, in the next few years, you'd better start microwaving your clothes too. And your wallet, it won't be long before the treasury decides that RFID tags would be great in all our bills. Of course, eventually you won't be able to use bills with dead RFID tags, because the store's readers won't accept them. Oh well, there's always the barter system.
> And two years ago, Attorney General John
> Ashcroft rescinded a 1995 guideline that this
> information be destroyed if it is not relevant to
> whatever investigation it was collected for.
And that, my friends, is fundamentally unconstitutional. There's a reason why the Fourth Amendment requires warrants to "particularly describ[e] the place to be searched, and the persons or things to be seized."
As always, a great piece. I wonder if we can pinpoint the day our ability to be anonymous in this society died?
The American people need to ask themselves, "Is there a limit to government power that we can agree upon, even if it means not preventing a terrorist attack?"
So far the government is acting as though there is no limit, on the assumption that anything is acceptable if it prevents a terrorist attack. Some people feel this way, many others don't.
That's what the current torture debate is about - without the threat of torture, interrogation becomes far less effective, but is our Society willing to accept that limitation?
James Governor's linked posting touches on one of the more worrying aspects of this information gathering: the potential for blackmail. I would wager that everybody in the country does something every day that is technically illegal or that they would want to keep a secret from the world at large. Having this kind of information gathering means that whoever has access to the data can harvest it to find these tidbits and use them as leverage.
The potential for abuse is incredible -- well intentioned or not.
"So, you don't want to spy on your neighbors? Well, how about we let xxx know about your yyy? -- Yes, I thought so... Thank you for your cooperation."
Isn't that the point? There are far too many laws for anyone to know all of them, let alone everyone. How many of the laws everyone "knows" are actually correct? I've heard a lot of impressions of what is legal and illegal that are just plain wrong. In a police state, it's all about selective enforcement.
What's even worse than the technically illegal activities are the ones that are perfectly legal, but unpopular with the people in charge. It's not very hard to prosecute someone for something they didn't do if you have a ton of verifiable facts that sound like they support your story.
All of these threats you are discussing are actually old hat. They are getting worse, esp since 9-11, but have been around and getting worse for decades.
For more information there are several very good books, The State Vs the People: The Rise of the American Police State, by Claire Wolfe and Aaron Zelman, and available from Mazel Freedom Press or Loompanics Unlimited, which describes the situation as of 9-11. A final chapter was added right after 9-11 as the book was going to press.
Also virtually anything by James Bovard. His "Freedom in Chains" and "Lost Rights" pretty well document how bad the situation was in the mid- to late-90s.
Also there is a website www.ccops.org/ for Concerned Citizens Opposed to Police States that you might want to check out.
Sorry, I just visited ccops.org, apparently CCOPS lost the domain name sometime since I last visited it.
You are primarily responsible for protecting your privacy, not the government. The founders were smart enough to realize that government grows naturally, organically, and they wrote into the Constitution as many restraints upon it as they could think of. I don't believe that whining about the government in this context is any more appropriate than if you kept a feeder pig in your back yard for a year, fed it all the table scraps and grain it could eat, then started complaining about the size of the hog. Like our fathers and mothers before us, we're all responsible for overfeeding this thing; the thing itself has no moral sense and is no more evil than a wolf eating a lamb. There are choices we can make as individuals that can do a pretty good job of cloaking and protecting us as individuals from the universal surveillance milieu; protecting against specifically targeted surveillance is more difficult. There are also a number of simple mistakes to avoid. Very private citizens don't address privacy protection at infrequent intervals; it's woven unconsciously into the choices they make every day.
I'm a little confused at what you all have to hide. I don't care if the government reads my email, watches my bank account, etc. Oh no - I applied for a mortgage and the government knows!!! The end is near.
Sam, the problem isn't necessarily valid uses of such data. The problem is illegal uses of such data. For example, knowledge that you applied for a mortgage could be misused by an unscrupulous person who sells the data to your landlord, who raises the rent knowing that you are looking to leave.
The fundamental assumption that people have who don't care that the government knows what they do is: Government employees always have your personal interests at heart.
Newsflash: They Don't!
Before 9/11 the FBI just bought all that stuff from ChoicePoint. Do they still do that?
Do you leave your front door open so everyone can walk in and see what you have? Why not? You have nothing to hide.
You don't because there is a risk that something bad can happen with that scenario. All sorts of people do bad things because they have the opportunity to.
"Before 9/11 the FBI just bought all that stuff from ChoicePoint. Do they still do that?"
Yes. It seems like they buy a lot of data from commercial data brokers, both domestic and international.
Well, gall darnit, I thought what happened in Vegas stayed in Vegas. You can't even believe what they tell you on the TV any more.
I think such legislation should be extended beyond the authorities and throughout healthcare: I'm the keeper of my medical records, and I can give them to certain authorities for uses that I approve of, but those authorities must destroy them after they've been used for said purpose, or when I ask them to do so. HIPAA becomes a lot simpler, etc etc.
Sorry folks - the UK is a lot worse.
Tony Blair is collecting information on every motor vehicle movement "just in case". Originally it was for tracking "serious organised crime"; now it's for "tax and MOT avoidance", but they want to put the cameras every 400m - checking tax discs every 15 seconds????!!!
This makes the US look like privacy heaven.
Thing is, our intelligence services (like ex-MI5 head Stella Rimmington) actually seem to be level headed (see her recent ID card comments) - it's the police that appear to be backing TonyB and asking for massive intrusions into privacy.
In the UK the police have forgotten that they are there to exercise the law, and not to create it.
Perhaps the bigger and more pertinent question is: "How come nobody cares?"
As long as the average American remains ignorant of the truth of what's going on, the steady, inexorable erosion of our privacy rights will march on unimpeded. What if someday it goes too far and the implicitly enumerated right to privacy in the Constitution becomes but a quaint notion of years past?
I once heard that somewhere around 50% of my generation (18-25) can't even point out New York on a map. This scares me. Ignorant people are easily deluded. If the future of America can't even grasp basic geography, how on earth are they going to rise up and prevent our privacy from being trampled? Will they even notice?
That being said, the average person, when informed with the facts, is intelligent and capable of concluding for themselves what is right. But until Americans receive those facts, the elitists in power will continue to take advantage of those who elect them into office.
"Its members worked with federal justice officials [...]"
The Netherlands being a Kingdom there are no 'federal' justice officials here. I think the proper term would be 'officials from the Ministry of Justice', but I think what was meant were officials of the Public Prosecutor's Office.
Actually, the Dutch Data Protection Authority started an investigation in August into the legality of using those 17,000 phone numbers. There is no verdict as yet.
Unfortunately the situation is already bad in the UK. Under section 44 of the Terrorism Act, the Police can arrest you without the need for any reasonable suspicion. They can then get fingerprints, palm prints and DNA samples. They will keep these forever. I've started to compile a list of all these nice things happening in the UK. See http://gizmonaut.net/bits/police_state.html
And as has already been pointed on this blog, for an account of how it happens see http://gizmonaut.net/bits/suspect.html
FISC--the court established by the Foreign Intelligence Surveillance Act--is not a secret court. The judges appointed to FISC are public record: names like Royce Lamberth, William Stafford, Stanley Brotman and more. (If memory serves, it's a ten-judge panel.)
It's true that FISC's hearings are secret, but that's not to say they're without judicial review. There's an entire appellate court dedicated to providing oversight and appeals from FISC (FISCR, the "FIS Court of Review"). This appellate court is composed of jurists hand-picked by the Chief Justice of the United States. My understanding is they report directly to the Chief Justice, and that despite rarely meeting as a panel they're actively engaged in providing oversight.
There's a lot--a _lot_--of room for criticism of the FISC and FISCR process. The proceedings are extremely secretive, there's little public knowledge of the cases they hear or their jurisprudence, there's... etc.
But when we start talking about "secret courts", it sounds like we're talking about a court which nobody knows about, nobody knows who's on it, and nobody knows who controls them or who has oversight. That's just not the case here.
No, these 'secret courts' are in fact secret courts. The public's business is conducted in secrecy. The people are not only not invited, they are prohibited from participating. Secret courts have secret trials.
These principles are common sense in Europe. It's not that everyone follows them, but they were legislated quite a few years ago.
The examples you give are indeed great but I feel that one shouldn't need a two-page article (or so) to understand such basic things...
Sam, I've got some good news for you. You don't need to keep paying ten bucks a pill to Pfizer for your Viagra!
Terrorism in the US has been a spectacular success, way beyond what the original crime achieved. What started as a systematic failure to share some information that could have (might have, maybe have) prevented the attack has turned into a police state that really is much worse than Iraq, because you're supposed to protect freedom. Shame on the USA, shame on the lawmakers and shame on all the people of the US for continuing to allow this to continue.
You make it sound as if, somehow, the location of New York is being kept secret. People have the information, what they lack is the interest.
I don't think it's so simple. We now know the intelligence was faulty. Because that New Year's Eve passed and nothing happened.
Now let's put ourselves in the shoes of the FBI Director, with intel on his desk indicating that something nasty is going down in Vegas in a couple of weeks. The intel is deemed serious enough but there is no lead connecting the source to the people carrying out the attack. Or there is not enough time to walk up that chain.
What would you do? Collecting everybody's damn name within a 100-mile radius and trying to find the needle in the haystack is not as dumb as it sounds, in the absence of any alternative that would produce any better results.
Sure, it's easy to snipe from the sidelines and pontificate after the fact that this was an outlandish thing to do.
I agree with Bruce that the FBI should not be able to keep those records, and be monitored for compliance.
But absent any more information about the actual intel that was acted on, I don't consider it out of bounds for them to have the power to carry out such a search. Also, let's not assume that this is the only thing the FBI did to try and squash this attack.