Page 13 of 35
Last month I posted Susan Landau’s testimony before the House Judiciary Committee, Subcommittee on Crime, Terrorism, and Homeland Security on government eavesdropping. In fairness to the other side, here’s testimony of Valerie Caproni, General Counsel of the FBI.
The Seattle man who refused to show ID to the TSA and recorded the whole incident has been cleared of all charges:
[The jury] returned not guilty verdicts for charges that included concealing his identity, refusing to obey a lawful order, trespassing, and disorderly conduct.
Papers, Please! says the acquittal proves what TSA critics have said all along: That checkpoint staff have no police powers, that contrary to TSA claims, passengers have the right to fly without providing ID, and yes, passengers are free to video record checkpoints as long as images on screening monitors aren’t captured.
“Annoying the TSA is not a crime,” the blog post states. “Photography is not a crime. You have the right to fly without ID, and to photograph, film, and record what happens.”
And a recent Dilbert is about the TSA.
EDITED TO ADD (1/10): Details and links.
Interesting research:
We looked at the standard legal documents issued by the certificate authorities or “CAs,” including exemplar Subscriber Agreements (agreements between CAs and website operators); “Certification Practice Statements” (statements by CAs outlining their business practices); and Relying Party Agreements (purported agreements between CAs and “relying parties,” such as end-users). What we found was surprising:
- “Relying Party Agreements” purport to bind end-users to their terms despite the apparent absence of any mechanism to either affirmatively alert the end-user as to the existence of the supposed Agreements or afford the end-user an opportunity to register his or her acceptance or rejection of the Agreements’ terms
- Certification Practice Statements that suffer from the same problem (i.e. no affirmative notice to the end-user and no meaningful opportunity for acceptance or rejection of terms)
There were other issues as well. For example, the Relying Party Agreements and Certification Practice Statements set forth various obligations on the part of end-users (i.e. “relying parties”) such as: the requirement that end-users make an independent determination of whether it is reasonable to trust a website offering a secure connection (isn’t that the whole point of having a CA, so that the end-user doesn’t have to do that?); the requirement that the end-user be familiar with the crypto software and processes used to carry out the authentication process; and the end-user’s duty to indemnify and hold harmless the CA in the event of legal claims by third parties.
Paper here.
EDITED TO ADD (2/10)> Matt Blaze on CAs.
Interesting interview with Viviane Reding, the vice president of the EU Justice Commission and head of privacy regulation:
The basic values in Europe are that we have the right to our own private, personal data. It’s mine. And if one agrees to give that data,then it is available. That is known as opt-in consent and we’ve had that as law since 1995.
[…]
Protection of individuals is not the question of voluntary action. For us, it is written in our charter of fundamental rights that everyone has the right to the protection of their data.
Differences in privacy law between the US and the EU are going to be a big issue in 2011.
Jeffrey Rosen opines:
Although the Supreme Court hasn’t evaluated airport screening technology, lower courts have emphasized, as the U.S. Court of Appeals for the 9th Circuit ruled in 2007, that “a particular airport security screening search is constitutionally reasonable provided that it ‘is no more extensive nor intensive than necessary, in the light of current technology, to detect the presence of weapons or explosives.'”
In a 2006 opinion for the U.S. Court of Appeals for the 3rd Circuit, then-Judge Samuel Alito stressed that screening procedures must be both “minimally intrusive” and “effective” – in other words, they must be “well-tailored to protect personal privacy,” and they must deliver on their promise of discovering serious threats. Alito upheld the practices at an airport checkpoint where passengers were first screened with walk-through magnetometers and then, if they set off an alarm, with hand-held wands. He wrote that airport searches are reasonable if they escalate “in invasiveness only after a lower level of screening disclose[s] a reason to conduct a more probing search.”
As currently used in U.S. airports, the new full-body scanners fail all of Alito’s tests.
In other news, The New York Times wrote an editorial in favor of the scanners. I was surprised.
On Monday, The New York Times reported that President Obama will seek sweeping laws enabling law enforcement to more easily eavesdrop on the internet. Technologies are changing, the administration argues, and modern digital systems aren’t as easy to monitor as traditional telephones.
The government wants to force companies to redesign their communications systems and information networks to facilitate surveillance, and to provide law enforcement with back doors that enable them to bypass any security measures.
The proposal may seem extreme, but—unfortunately—it’s not unique. Just a few months ago, the governments of the United Arab Emirates, Saudi Arabia and India threatened to ban BlackBerry devices unless the company made eavesdropping easier. China has already built a massive internet surveillance system to better control its citizens.
Formerly reserved for totalitarian countries, this wholesale surveillance of citizens has moved into the democratic world as well. Governments like Sweden, Canada and the United Kingdom are debating or passing laws giving their police new powers of internet surveillance, in many cases requiring communications system providers to redesign products and services they sell. More are passing data retention laws, forcing companies to retain customer data in case they might need to be investigated later.
Obama isn’t the first U.S. president to seek expanded digital eavesdropping. The 1994 CALEA law required phone companies to build ways to better facilitate FBI eavesdropping into their digital phone switches. Since 2001, the National Security Agency has built substantial eavesdropping systems within the United States.
These laws are dangerous, both for citizens of countries like China and citizens of Western democracies. Forcing companies to redesign their communications products and services to facilitate government eavesdropping reduces privacy and liberty; that’s obvious. But the laws also make us less safe. Communications systems that have no inherent eavesdropping capabilities are more secure than systems with those capabilities built in.
Any surveillance system invites both criminal appropriation and government abuse. Function creep is the most obvious abuse: New police powers, enacted to fight terrorism, are already used in situations of conventional nonterrorist crime. Internet surveillance and control will be no different.
Official misuses are bad enough, but the unofficial uses are far more worrisome. An infrastructure conducive to surveillance and control invites surveillance and control, both by the people you expect and the people you don’t. Any surveillance and control system must itself be secured, and we’re not very good at that. Why does anyone think that only authorized law enforcement will mine collected internet data or eavesdrop on Skype and IM conversations?
These risks are not theoretical. After 9/11, the National Security Agency built a surveillance infrastructure to eavesdrop on telephone calls and e-mails within the United States. Although procedural rules stated that only non-Americans and international phone calls were to be listened to, actual practice didn’t always match those rules. NSA analysts collected more data than they were authorized to and used the system to spy on wives, girlfriends and famous people like former President Bill Clinton.
The most serious known misuse of a telecommunications surveillance infrastructure took place in Greece. Between June 2004 and March 2005, someone wiretapped more than 100 cell phones belonging to members of the Greek government—the prime minister and the ministers of defense, foreign affairs and justice—and other prominent people. Ericsson built this wiretapping capability into Vodafone’s products, but enabled it only for governments that requested it. Greece wasn’t one of those governments, but some still unknown party—a rival political group? organized crime?—figured out how to surreptitiously turn the feature on.
Surveillance infrastructure is easy to export. Once surveillance capabilities are built into Skype or Gmail or your BlackBerry, it’s easy for more totalitarian countries to demand the same access; after all, the technical work has already been done.
Western companies such as Siemens, Nokia and Secure Computing built Iran’s surveillance infrastructure, and U.S. companies like L-1 Identity Solutions helped build China’s electronic police state. The next generation of worldwide citizen control will be paid for by countries like the United States.
We should be embarrassed to export eavesdropping capabilities. Secure, surveillance-free systems protect the lives of people in totalitarian countries around the world. They allow people to exchange ideas even when the government wants to limit free exchange. They power citizen journalism, political movements and social change. For example, Twitter’s anonymity saved the lives of Iranian dissidents—anonymity that many governments want to eliminate.
Yes, communications technologies are used by both the good guys and the bad guys. But the good guys far outnumber the bad guys, and it’s far more valuable to make sure they’re secure than it is to cripple them on the off chance it might help catch a bad guy. It’s like the FBI demanding that no automobiles drive above 50 mph, so they can more easily pursue getaway cars. It might or might not work—but, regardless, the cost to society of the resulting slowdown would be enormous.
It’s bad civic hygiene to build technologies that could someday be used to facilitate a police state. No matter what the eavesdroppers say, these systems cost too much and put us all at greater risk.
This essay previously appeared on CNN.com, and was a rewrite of a 2009 op ed on MPR News Q—which itself was based in part on a 2007 Washington Post op ed by Susan Landau.
I was detained last night by federal authorities at San Francisco International Airport for refusing to answer questions about why I had travelled outside the United States.
The end result is that, after waiting for about half an hour and refusing to answer further questions, I was released because U.S. citizens who have produced proof of citizenship and a written customs declaration are not obligated to answer questions.
This is beyond stupid:
The Pentagon is contemplating an aggressive approach to defending its computer systems that includes preemptive actions such as knocking out parts of an adversary’s computer network overseas—but it is still wrestling with how to pursue the strategy legally.
The department is developing a range of weapons capabilities, including tools that would allow “attack and exploitation of adversary information systems” and that can “deceive, deny, disrupt, degrade and destroy” information and information systems, according to Defense Department budget documents.
But officials are reluctant to use the tools until questions of international law and technical feasibility are resolved, and that has proved to be a major challenge for policymakers. Government lawyers and some officials question whether the Pentagon could take such action without violating international law or other countries’ sovereignty.
“Some” officials are questioning it. The rest are trying to ignore the issue.
I wrote about this back in 2007.
Full-body scanners in roving vans:
American Science & Engineering, a company based in Billerica, Massachusetts, has sold U.S. and foreign government agencies more than 500 backscatter x-ray scanners mounted in vans that can be driven past neighboring vehicles to see their contents, Joe Reiss, a vice president of marketing at the company told me in an interview.
This should be no different than the Kyllo case, where the Supreme Court ruled that the police needed a warrant before they can use a thermal sensor on a building to search for marijuana growers.
Held: Where, as here, the Government uses a device that is not in general public use, to explore details of a private home that would previously have been unknowable without physical intrusion, the surveillance is a Fourth Amendment “search,” and is presumptively unreasonable without a warrant.
Sidebar photo of Bruce Schneier by Joe MacInnis.