[infowarrior] - OpEd: What Are They Doing With All Our Data?
http://www.courant.com/news/opinion/op_ed/hc-donohue0117.artjan17,0,992533.story?coll=hc-headlines-oped

What Are They Doing With All Our Data?
Laura K. Donohue
January 17 2006

Congress will soon hold hearings on the National Security Agency's domestic spying program, secretly authorized by President Bush in 2002. But that program is just the tip of the iceberg. Since Sept. 11, 2001, the expansion of efforts to gather and analyze information on U.S. citizens is nothing short of staggering.

The government collects vast troves of data, including consumer credit histories and medical and travel records. Databases track Americans' networks of friends, family and associates, not just to identify who is a terrorist but to try to predict who might become one.

Remember Total Information Awareness, retired Adm. John Poindexter's effort to harness all government and commercial databases to preempt national security threats? The idea was that disparate, seemingly mundane behaviors can reveal criminal intent when viewed together. More disturbing, it assumed that deviance from social norms can be an early indicator of terrorism.

Congress killed that program in 2003, but according to the Associated Press, many related projects continued. The Defense Advanced Research Projects Agency runs a data-mining program called Evidence Extraction and Link Discovery, which connects pieces of information from vast amounts of data sources. The Defense Intelligence Agency trawls intelligence records and the Internet to identify Americans connected to foreign terrorists. The CIA reportedly runs Quantum Leap, which gathers personal information on individuals from private and public sources.

In 2002, Congress authorized $500 million for the Homeland Security Department to develop data mining and other advanced analytical tools. In 2004, the General Accounting Office surveyed 128 federal departments and agencies to determine the extent of data mining.
It found 199 operations, 14 of which related to counterterrorism.

What type of information could these mine? Your tax, education, vehicle, criminal and welfare records for starters. But also other digital data, such as your travel, medical and insurance records - and DNA tests. Section 505 of the Patriot Act (innocuously titled Miscellaneous National Security Authorities) extends the type of information the government can obtain without a warrant to include credit card records, bank account numbers and information on Internet use.

Your checking account may tell which charities or political causes you support. Your credit card statements show where you shop, and your supermarket frequent-buyer-card records may indicate whether you keep kosher or follow an Islamic halal diet. Internet searches record your interests, down to what, exactly, you read. Faith forums or chat rooms offer a window into your thoughts and beliefs. E-mail and telephone conversations contain intimate details of your life.

A University of Illinois study found that in the 12 months following Sept. 11, federal agents made at least 545 visits to libraries to obtain information about patrons. This isn't just data surveillance. It's psychological surveillance.

Many Americans might approve of data mining to find terrorists. But not all of the inquiries necessarily relate to terrorism. The Patriot Act allows law enforcement officers to get sneak and peek warrants to search a home for any suspected crime - and to wait months or even years to tell the owner they were there. Last July, the Justice Department told the House Judiciary Committee that only 12 percent of the 153 sneak and peek warrants it received were related to terrorism investigations.

The FBI has used Patriot Act powers to break into a judge's chambers and to procure records from medical clinics.
Documents obtained by the American Civil Liberties Union recently revealed that the FBI used other new powers to eavesdrop on environmental, political and religious organizations.

When Congress looks into domestic spying in the war on terror, it should ask a series of questions:

First, what information, exactly, is being collected? Are other programs besides the president's NSA initiative ignoring traditional warrant requirements? Are federal agencies dodging weak privacy laws by outsourcing the job to private contractors?

Second, who has access to the data once it is collected, and what legal restrictions are set on how it can be used or shared?

Third, who authorized data mining, and is its use restricted to identifying terrorists?

Fourth, what is the collective effect of these programs on citizens' rights? Privacy certainly suffers, but as individuals begin to feel inhibited in what they say and do, free speech and freedom of assembly also erode.

Fifth, how do these data collection and mining operations deal with error? As anyone who's tried to dispute an erroneous credit report can attest, once computer networks exchange data, it may be difficult to
[infowarrior] - JSG: Mass Spying Means Gross Errors
Mass Spying Means Gross Errors
http://www.wired.com/news/columns/1,70035-0.html
By Jennifer Granick

The United States government either currently has, or soon will have, new technology that makes mass surveillance possible. The next question for citizens and other policy makers is whether and when to use this capability.

Often, people say that we must do anything and everything to stop terrorism. This answer is easy in a world where we know that technologies of mass surveillance, or TMS, are effective against terrorism, where we have unlimited resources for national security, and where there's no cost when the technology malfunctions, is intentionally abused or innocently misused.

We don't live in that fictional world, so as citizens and policy makers, we have more-difficult choices to make.

Recent government surveillance programs demonstrate our increased capacity for mass surveillance. For example, the Communications Assistance for Law Enforcement Act, or CALEA, requires phone companies to build mass surveillance capabilities into their networks.

Privacy advocate Phil Zimmerman has pointed out that through CALEA the FBI requested technological surveillance capabilities far beyond the capacity of the judicial system to approve warrants or the FBI to monitor. This suggests that law enforcement plans to automate or computerize the monitoring process -- probably by deploying voice-recognition technology to look for hits that could be followed up on with human-monitored wiretaps.

Proposals to install face-recognition technology at airports and public gatherings, to data-mine collections of government and commercial databases, and to profile airline passengers are feasible only with modern technology.

When it broke the illegal wiretap story, The New York Times stated that it was withholding certain technical information not publicly known about U.S. surveillance capabilities.
Commentators from Ars Technica and other publications assembled comments from officials familiar with the program that, in total, suggested that the National Security Agency was using new technological capabilities.

These comments included President Bush's effort to distinguish between detecting terrorism, for which he claims no warrant is required, and monitoring terrorists, for which he claims the FISA warrant process is designed and followed:

We use FISA still. But FISA is for long-term monitoring. There is a difference between detecting so we can prevent, and monitoring. And it's important to know the distinction between the two. We used the (FISA) process to monitor. But also we've got to be able to detect and prevent.

The president is correct that FISA only allows targeted surveillance of identified or particularly described individuals. He's wrong to suggest that the FISA warrant requirement doesn't apply to mass surveillance. To the contrary, it means our current laws generally prohibit mass surveillance of American citizens without probable cause.

But should they? Now that we have the power, should we use it?

Harvard Law School professor Charles Fried argues that mass surveillance is an urgent necessity:

In the context of the post-9/11 threat, which includes sleeper cells and sleeper operatives in the United States, no other form of surveillance is likely to be feasible and effective. But this kind of surveillance may not fit into the forms for court orders because their function is to identify targets, not to conduct surveillance of targets already identified. Even retroactive authorization may be too cumbersome and in any event would not reach the initial broad scan that narrows the universe for further scrutiny. Moreover, it is likely that at the first, broadest stages of the scan, no human being is involved -- only computers.
Finally, it is also possible that the disclosure of any details about the search and scan strategies and the algorithms used to sift through them would immediately allow countermeasures by our enemies to evade or defeat them.

In concluding that TMS are required, Fried makes several assumptions. He assumes that mass surveillance is effective. He assumes that other intelligence methods and prevention techniques, including human monitoring, developing sources, reducing incentives to support or hide terrorists, physical security and tracing financial and material assistance from terrorist groups, will not be feasible, and will be less, rather than more, necessary if we utilize TMS. He suggests that the enemy's ability to defeat surveillance is a function of public disclosure of the search techniques.

Each of these assumptions deserves further scrutiny.

There are few, if any, studies demonstrating the effectiveness of mass surveillance. People with something to hide are adept at speaking in codes. Teenagers tell their parents they are going to the movies when they are going to drink beer. Attackers know to misspell the victim's name, as journalist Daniel Pearl's
[infowarrior] - New Firefox feature eases spying on users
New Firefox feature eases spying on users
http://weblogs.mozillazine.org/darin/archives/009594.html

A new proposed feature in Firefox/Mozilla automates a common web-linking technique in a way that raises grave concerns about user-privacy. A common practice for some web-sites is to send people who click on links to a server that first counts their click and then redirects them to the link's destination. Firefox's new ping attribute proposal for links lets web-authors do this in a less-transparent, but more efficient way, so that when you click on a link, a ping is sent to a server (or group of servers) to notify it of your click while your browser loads the destination page.

I'm sure this may raise some eyebrows among privacy conscious folks, but please know that this change is being considered with the utmost regard for user privacy. The point of this feature is to enable link tracking mechanisms commonly employed on the web to get out of the critical path and thereby reduce the time required for users to see the page they clicked on. Many websites will employ redirects to have all link clicks on their site first go back to them so they can know what you are doing and then redirect your browser to the site you thought you were going to. The net result is that you end up waiting for the redirect to occur before your browser even begins to load the site that you want to go to. This can have a significant impact on page load performance.

I understand the motivation for this, but the implementation sounds fishy. I'd prefer a system that obtained user-consent for any pinging that took place, and that allowed ping-blocking by site, ping-server or across all sites. That would let users control their experience and their privacy. Otherwise, this feature just eases the technological burdens associated with spying on users.

You are a subscribed member of the infowarrior list. Visit www.infowarrior.org for list information or to unsubscribe.
This message may be redistributed freely in its entirety. Any and all copyrights appearing in list messages are maintained by their respective owners.
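
The ping-blocking controls asked for in the Firefox message above (by site, by ping server, or across all sites) can be sketched as follows. This is an added example, not code from the original post or from Mozilla; it assumes the `ping` attribute holds a space-separated list of URLs as in the HTML specification, and the hosts, function names and policy fields are constructed for illustration.

```javascript
// Constructed sample page; the hosts are placeholders, not taken from the post.
const SAMPLE_HTML = `
<a href="https://news.example/story" ping="https://track.example/c https://stats.example/hit">Story</a>
<a href="https://shop.example/item">Item</a>
<a href="/local" ping="/count">Local</a>`;

// Read one quoted attribute value from the text of a start tag.
// A plain regex scan is enough for the sample; a real blocker would use the DOM.
function attr(tag, name) {
  const m = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)')`, "i").exec(tag);
  return m ? (m[1] !== undefined ? m[1] : m[2]) : null;
}

// List every notification a click could trigger: one entry per (link, ping URL) pair.
function findPings(html, pageUrl) {
  const out = [];
  for (const [tag] of html.matchAll(/<a\s[^>]*>/gi)) {
    const href = attr(tag, "href");
    const ping = attr(tag, "ping");
    if (href === null || ping === null) continue; // only links with a ping list matter
    for (const p of ping.trim().split(/\s+/).filter(Boolean)) {
      try {
        // Resolve relative URLs against the page, as a browser would.
        out.push({ href: new URL(href, pageUrl).href, pingUrl: new URL(p, pageUrl).href });
      } catch { /* unparsable URL: skip it */ }
    }
  }
  return out;
}

// Hypothetical policy object: blockAll (every site), blockedSites (hostnames of
// pages whose links may not ping), blockedServers (hostnames that may not be pinged).
function allowedPings(html, pageUrl, policy) {
  if (policy.blockAll) return [];
  const site = new URL(pageUrl).hostname;
  if ((policy.blockedSites || []).includes(site)) return [];
  const servers = policy.blockedServers || [];
  return findPings(html, pageUrl)
    .filter(p => !servers.includes(new URL(p.pingUrl).hostname));
}
```

Listing the output of `findPings` before applying a policy also gives the visibility into who is notified of a click that the commenter's consent request depends on.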