The Internet Surveillance State

March 30, 2013

One of the hardy perennial issues that comes up in discussions of our ever more wired (and wireless) lives is personal privacy.  Technology in general has invalidated some traditional assumptions about privacy.  For example, at the time the US Constitution was being written, I doubt that anyone worried much about the possibility of having a private conversation.  All anyone had to do, in an age before electronic eavesdropping, parabolic microphones, and the like, was to go indoors and shut the door, or walk to the center of a large open space.  It might be somewhat more difficult to conceal the fact that some conversation took place, but it was relatively easy to ensure that the actual words spoken were private.

Similarly, before the advent of computer databases, getting together a comprehensive set of information about an individual took a good deal of work.  Even records that were legally public (e.g., wills, land records) took some effort to obtain, since they existed only on paper, probably moldering away in some obscure courthouse annex.  Even if you collected a bunch of this data, putting it all together was a job in itself.

People whose attitudes date back to those days often say something like, “I have nothing to hide; why should I care?”  They are often surprised at the amount of personal information that can be assembled via technical means.  The development of the Internet and network connectivity in general has made it easy to access enormous amounts of data, and to categorize and correlate it automatically.  Even supposedly “anonymized” data is not all that secure.

Bruce Schneier, security guru and author of several excellent books on security (including Applied Cryptography, Secrets and Lies, Beyond Fear, and his latest book, Liars and Outliers), as well as the Schneier on Security blog, has posted an excellent, thought-provoking article on “Our Internet Surveillance State”.  He begins the article, which appeared originally on the CNN site, with “three data points”: the identification of some Chinese military hackers, the identification (and subsequent arrest) of Hector Monsegur, a leader of the LulzSec hacker movement, and the disclosure of the affair between Paula Broadwell and former CIA Director Gen. David Petraeus.  All three of these incidents were the direct result of Internet surveillance.

Schneier’s basic thesis is that we have arrived at a situation where Internet-based surveillance is nearly ubiquitous and almost impossible to evade.

This is ubiquitous surveillance: All of us being watched, all the time, and that data being stored forever. This is what a surveillance state looks like, and it’s efficient beyond the wildest dreams of George Orwell.

Many people are aware that their Internet activity can be tracked by using browser cookies, and I’ve written about the possibility of identifying individuals by the characteristics of their Web browser.  And many sites that people routinely visit have links, not always obvious, to other sites.  Those Facebook “Like” buttons that you see everywhere load data and scripts from Facebook’s servers, and provide a mechanism to track you — you don’t even need to click on the button.  There are many methods by which you can be watched, and it is practically impossible to avoid them all, all of the time.

If you forget even once to enable your protections, or click on the wrong link, or type the wrong thing, and you’ve permanently attached your name to whatever anonymous service you’re using. Monsegur slipped up once, and the FBI got him. If the director of the CIA can’t maintain his privacy on the Internet, we’ve got no hope.

As Schneier also points out, this is not a problem that is likely to be solved by market forces.  None of the collectors and users of surveillance data has any incentive, economic or otherwise, to change things.

Governments are happy to use the data corporations collect — occasionally demanding that they collect more and save it longer — to spy on us. And corporations are happy to buy data from governments.

Although there are some organizations, such as the Electronic Privacy Information Center [EPIC]  and the Electronic Frontier Foundation [EFF], that try to increase awareness of privacy issues, there is no well-organized constituency for privacy.  The result of all this, as Schneier says, is an Internet without privacy.

TSA Pulls Plug on “Porno Scanners”

January 21, 2013

I have written several times about the ongoing controversy over the US Transportation Security Administration’s [TSA] use of full-body scanners (which the TSA calls “Advanced Imaging Technology” [AIT]) as part of its security protocol for screening air travelers.  The machines began to be introduced in the fall of 2010, and immediately created controversy.  One criticism, voiced by many security professionals, was that the effectiveness of the machines was questionable.  Another issue was the very detailed anatomical images produced by the devices, which led some privacy advocates to dub them “Porno Scanners”.  There was also a safety concern with one type of scanner, which uses backscatter X-ray technology, since it would expose the passenger to a small dose of ionizing radiation.  (A second type of scanner, which uses millimeter-wavelength radio waves, does not involve radiation exposure.)

Last summer, there were also developments in a court case, brought by a group of plaintiffs led by the Electronic Privacy Information Center [EPIC], challenging the use of the AIT devices, and asking the court to force the TSA to follow the normal review process for new government regulations.  On July 15, 2011, the US Circuit Court of Appeals for the District of Columbia had ruled that the TSA had to follow the normal procedure for issuing new regulations, as specified in the Administrative Procedures Act of 1946.  The TSA has now begun to comply with the review process, and has commissioned the National Academy of Sciences to look at the question of radiation exposure from the X-ray devices. It has also, as ordered by Congress, moved to replace the “anatomically correct” scan images with generic body images generated by software.

Now, according to an article at the Washington Post, the TSA has decided to remove 174 of the backscatter X-ray scanners from airports, because the vendor has not managed to equip them with the new generic-imaging software.

The Transportation Security Administration will remove 174 full-body scanners from airport security checkpoints, ending a $40 million contract for the machines, which caused an uproar because they revealed spectral naked forms of passengers.

TSA Administrator John S. Pistole issued the order this week after concluding that new software that made the machines less intrusive could not be developed by a June 1 deadline mandated by Congress.

The new software has apparently been successfully developed for the millimeter-wave scanners, which will continue to be used, and which will replace most of the X-ray machines that are being removed.

I have felt all along that the most disturbing part of this story was not the “porno” images, or even the safety questions, but the TSA’s apparent attitude that, because the machines were being used to “prevent terrorism”, it could just ignore inconvenient laws and regulations.  So this climb-down is a good thing, though it will doubtless be “spun” as something else.

There are also brief articles on this story at Ars Technica and Wired.

Court to TSA, Again: Follow the Law

August 4, 2012

Back in 2010, a group led by the Electronic Privacy Information Center [EPIC] filed a lawsuit challenging the use of full-body scanners by the US Transportation Security Administration [TSA], on the grounds of privacy, possible health risks, and questionable effectiveness.  On July 15, 2011, the US Circuit Court of Appeals for the District of Columbia ruled that the TSA had to follow the normal procedure for issuing new regulations, as specified in the Administrative Procedures Act of 1946.  Basically, this involves the TSA’s publication of the proposed regulations in the Federal Register, solicitation of public comments over a reasonable time period, and then justification for the regulation in light of the submitted comments.

A year later, as reported in an article at Ars Technica, the TSA had apparently ignored both the requirements of the statute and the Court’s order, so EPIC has returned to court with a mandamus petition to enforce the original order.  This past Wednesday, the Court issued an order [PDF] that the Department of Homeland Security (of which the TSA is a part) respond to the petition on or before August 30.

I can’t think of any sensible reason that the TSA should be excused from following the normal rule-making procedure.  It’s perfectly obvious what the intended purpose of the scanners is, so there is nothing there to give away; and it’s hard to see how allowing public comment could be harmful — it might even help.

Requiring the TSA to follow the formal rule-making procedure is important, because one of the essential steps in that process is the solicitation of public feedback. American travelers will have the opportunity to voice their concerns about the TSA’s policy, and the agency will be required to respond to those concerns. Given that so many of the TSA’s policies are shrouded in secrecy, forcing the TSA to explain its policies will be a much-needed source of transparency.

There is also a petition at the site that requests that President Obama order the TSA to comply with the law and with the court order.  (Jim Harper, Director of Information Policy Studies at the Cato Institute, discusses the petition in an OpEd article at Ars Technica.)   The petition currently has more than 19,000 signatures; if it gets 25,000 by August 9, the administration’s policy requires it to provide a formal response.  You have to register at the site in order to sign, but that requires only an E-mail address.
