Tuesday, January 10, 2006

The "Privacy Crisis"

This is an appendix to "Privacy: Variations on the Theme of Liberty."

In the first half of 2005, when "identity theft" and the possibility of a national ID card were hot stories, I was sure that the mainstream media would declare a "privacy crisis." But the MSM has the attention span of a fly, and so its gaze wandered to other issues, not the least of them being the indictment of VP Cheney's chief of staff for allegedly having committed a crime by lying about something he might or might not have said about a crime that probably wasn't committed. The MSM returned to the privacy issue in a big way with the disclosure in December that President Bush had authorized warrantless intercepts by the National Security Agency of communications between persons in the U.S. and overseas.

Here, then, is a summary of what the media -- if they had the attention span of a two-year old -- would call a "privacy crisis."

My exposure to the "privacy crisis" began on February 5, 2005, when I watched "this amusing advert" (courtesy: Alex Tabarrok at Marginal Revolution).

In late February and early March I learned of the massive thefts of personal information from databases at ChoicePoint and LexixNexis. Those thefts led predictably to calls for more stringent regulation of private data aggregators, which in mid-March encountered resistance on the part of ChoicePoint and LexisNexis to a ban on the sale of Social Security numbers.

Also in mid-March, Glen Whitman of Agoraphilia weighed in with "Accomplices to Identity Theft," which points to an MSN Money article that pins some of the blame for identity theft on lenders:
Now that intruders have raided a second big consumer database, we're bound to hear lots more calls for increased federal oversight of the companies that buy and sell our personal information.

What will get far less attention, unfortunately, is the fact that these incursions wouldn't be so incredibly damaging to consumers' finances if lenders didn't make that information worth stealing in the first place.

Think about it: The only reason an identity thief cares about knowing your Social Security Number or other private data is that it can be used to open accounts in your name and commit fraud. Lax verification procedures at credit card companies and other financial institutions make that possible -- even easy.

“Companies are so eager to grant credit,” said Linda Foley, executive director of the Identity Theft Resource Center, “that they will grant it to almost anyone for any reason.”
(Whitman reasonably asked whether "lenders [should] be made liable for damages to identity theft victims, or punished in some other way when they facilitate identity theft, in order to give them an incentive to adopt more scrupulous lending practices?")

On March 27, Wired News worried me with a report that "Amazon Knows Who You Are"; thus:
Amazon.com has one potentially big advantage over its rival online retailers: It knows things about you that you may not know yourself.

Though plenty of companies have detailed systems for tracking customer habits, both critics and boosters say Amazon is the trailblazer, having collected information longer and used it more proactively. It even received a patent recently on technology aimed at tracking information about the people for whom its customers buy gifts.

Amazon sees such data gathering as the best way to keep customers happy and loyal, a relationship-building technique that analysts consider potentially crucial to besting other online competitors.

"In general, we collect as much information as possible such that we can provide you with the best feedback," said Werner Vogels, Amazon's chief technology officer.

But some privacy advocates believe Amazon is getting dangerously close to becoming Big Brother with your credit card number.

I was next faced with William Safire's dire warning about the end of privacy in his April 10 review of Robert O'Harrow Jr.'s No Place to Hide and Patrick Radden Keefe's Chatter: Dispatches from the Secret World of Global Eavesdropping:
O'Harrow notes that many consumers find it convenient to be in a marketing dossier that knows their personal preferences, habits, income, professional and sexual activity, entertainment and travel interests and foibles. These intimately profiled people are untroubled by the device placed in the car they rent that records their speed and location, the keystroke logger that reads the characters they type, the plastic hotel key that transmits the frequency and time of entries and exits or the hidden camera that takes their picture at a Super Bowl or tourist attraction. They fill out cards revealing personal data to get a warranty, unaware that the warranties are already provided by law. ''Even as people fret about corporate intrusiveness,'' O'Harrow writes about a searching survey of subscribers taken by Conde Nast Publications, ''they often willingly, even eagerly, part with intimate details about their lives.''

Such acquiescence ends -- for a while -- when snoopers get caught spilling their data to thieves or exposing the extent of their operations. The industry took some heat when a young New Hampshire woman was murdered by a stalker who bought her Social Security number and address from an online information service. But its lobbyists managed to extract the teeth from Senator Judd Gregg's proposed legislation, and the intercorporate trading of supposedly confidential Social Security numbers has mushroomed.
Safire moved on to "snooping" by the government and its links to private data-mining:
When an article in The New York Times by John Markoff, followed by another in The Washington Post by O'Harrow, revealed the Pentagon's intensely invasive Total Information Awareness program headed by Vice Admiral John Poindexter of Iran-Contra infamy, a conservative scandalmonger took umbrage. (''Safire's column was like a blowtorch on dry tinder,'' O'Harrow writes in the book's only colorful simile.) The Poindexter program's slogan, ''Knowledge Is Power,'' struck many as Orwellian. Senators Ron Wyden and Russell D. Feingold were able to limit funding for the government-sponsored data mining, and Poindexter soon resigned. A Pentagon group later found that ''T.I.A. was a flawed effort to achieve worthwhile ends'' and called for ''clear rules and policy guidance, adopted through an open and credible political process.'' But O'Harrow reports in ''No Place to Hide'' that a former Poindexter colleague at T.I.A. ''said government interest in the program's research actually broadened after it was apparently killed by Congress.''

There are many issues swirling around in the maelstrom of utterances about privacy....

Of all the companies in the security-industrial complex, none is more dominant or acquisitive than ChoicePoint of Alpharetta, Ga. This data giant collects, stores, analyzes and sells literally billions of demographic, marketing and criminal records to police departments and government agencies that might otherwise be criticized (or de-funded) for building a national identity base to make American citizens prove they are who they say they are. With its employee-screening, shoplifter-blacklisting and credit-reporting arms, ChoicePoint is also, in the author's words, ''a National Nanny that for a fee could watch or assess the background of virtually anybody.''...

A second book -- not as eye-opening as O'Harrow's original reporting but a short course in what little we know of international government surveillance -- is ''Chatter: Dispatches from the Secret World of Global Eavesdropping,'' by Patrick Radden Keefe. This third-year student at Yale Law School dares to make his first book an examination of what he calls the liberty-security matrix....

Keefe's useful research primer on today's surveillance society, and especially O'Harrow's breakthrough reporting on the noxious nexus of government and commercial snooping, open the way for the creation of privacy beats for journalism's coming generation of search engineers. A small furor is growing about the abuse of security that leads to identity theft. We'll see how long the furor lasts before the commercial-public security combine again slams privacy against the wall of secrecy....
I next wrung my hands about the national ID card that seems to be in the making (via Wired News):

02:00 AM May. 12, 2005 PT

Legislation supporting a standardized national driver's license may have won unanimous approval in the Senate on Tuesday, but the bill's apparently smooth passage left some jagged edges in its wake....

Supporters of the bill say it would prevent terrorists and undocumented immigrants from obtaining legitimate documents that would help them move freely through the country. Last year, the 9/11 Commission called for tightening control over government-issued IDs because 18 of the 19 hijackers in the Sept. 11, 2001, terror attacks used U.S. IDs to pass through airport security.

But opponents of the bill say it would create a national ID card and a de facto national database -- a concept that Congress rejected when it was first proposed several years ago.

The act would force states to produce standardized, tamper-resistant driver's licenses that would include machine-readable, encoded data. States wouldn't be required to comply. But those that don't comply would create hardship for residents, who wouldn't be able to use their licenses as official identification to travel on airplanes, collect federal benefits or gain access to federal buildings.

On July 15 Wired News reported on a bill now before Congress that "strives to protect privacy":

A bipartisan group of senators introduced comprehensive identity-theft legislation Thursday that throws some of the burden for preventing the increasingly common crime onto businesses and other organizations that collect personal information. The new legislation also would give consumers more control over their personal data.

The Identity Theft Protection Act, introduced in the Senate commerce committee by a bipartisan coalition, addresses problems with recent high-profile data breaches by requiring entities that collect sensitive information, such as Social Security numbers, to secure the data physically and technologically and to notify consumers nationwide when data is compromised.

The bill also allows consumers to freeze their credit reports to help prevent unauthorized parties from accessing private data or opening new credit accounts in an individual's name without their permission.

On July 17 Wired News reported about the threat of "Google-opoly":

Google is at once a powerful search engine and a growing e-mail provider. It runs a blogging service, makes software to speed web traffic and has ambitions to become a digital library. And it is developing a payments service.

Although many internet users eagerly await each new technology from Google, its rapid expansion is also prompting concerns that the company may know too much: what you read, where you surf and travel, whom you write.

"This is a lot of personal information in a single basket," said Chris Hoofnagle, senior counsel with the Electronic Privacy Information Center. "Google is becoming one of the largest privacy risks on the internet."

An InformationWeek Weblog entry dated November 4 had this to say about "spychips":

"Spychips" is a scary new book out by consumer-privacy advocates Katherine Albrecht and Liz McIntyre, and it should be must-reading for anyone who doesn't "get" the concerns over RFID chips. Even if half of what the book says in the planning or thinking stages is true, that's more than enough to make anyone nervous about the potential -- or even planned, if the authors are to be believed -- misuse of this technology.

Albrecht is by no means without bias here -- she also is the founder and director of Consumers Against Supermarket Privacy Invasion and Numbering (CASPIN), which, among other things, has organized events such as the recent consumer protest against RFID use at a Dallas Wal-Mart. She definitely has an ax to grind.

So it would be easy to dismiss the concerns highlighted in the book, and the evidence backing them were it not for where Albrecht and McIntyre dug up some of this stuff. They wielded the Freedom Of Information Act, hunted through corporate Web sites, crawled through company reports, and excavated some very interesting proposals filed at the patent office.
They even checked up on the government. Much of this is stuff you could track yourself, except for perhaps a page with what Albrecht claimed was misleading information on RFID, which allegedly was removed from a medical-products company's Web site after the publication of "Spychips."

McIntyre is quoted in a CASPIN release saying that "...companies like IBM, Procter & Gamble, Bank of America, BellSouth, and Philips will also have some explaining to do when people read about their patent pending ways to use RFID to track people through the things they wear, carry, and throw away. Consumers will realize these companies have an RFID agenda that should concern us all." Like what? Well, like embedding the chips in shoes so that the wearer can be tracked in RFID reader-equipped buildings. There is even a reference to a company that wants to implant RFID chips inside of people. How nice.

Indeed, as RFID reporter Laurie Sullivan notes in a recent story, the start of what has privacy advocates and some consumers worried is already happening: "Check the next Hewlett-Packard printer you buy at Wal-Mart or that Ann Taylor blouse you picked up. Chances are a radio-frequency ID tag came home with your purchase."

I don't think anyone cares about the really neat uses of RFID -- to track Alzheimer patients or newborns, manage inventory, or track the shipment of goods. Sun, for example, is trialing an RFID-fueled asset-tracking service that supposedly lets the company verify any item's location and physical characteristics within an hour, without linking to a network. And Ford just announced an RFID just-in-time delivery system, which will enable better coordination of 40 to 50 shipments a day of truck parts. Lots of people would like their appliances and cars to alert them before a major failure.

But none of this changes the fact that RFID can be used badly, invasively, and secretly, something "Spychips" makes plenty clear. Even potentially useful applications, such as installing biometric or RFID chips in passports and licenses, have as many cons as there are pros. It's worth stopping to take a breath and think this stuff out. Which is what some people are doing.

Sullivan has reported on a bill pending in the California Senate that is seeking to put a three-year moratorium on using RFID chips in various government-issued documents -- driver's licenses, library cards, etc. And in a somewhat related action, Microsoft is pushing for a national, federal standard on protecting consumer data. Obviously, one of the concerns about RFID tracking is who will have access to any data that is collected.

To get an idea of where Albrecht is coming from, and to judge her views on RFID for yourself, listen to Sullivan's two-part podcast with the privacy advocate and author. You can access part one here.
Not to let the Patriot Act go unmentioned, there's this (from Wired News of November 6):
Lawmakers expressed concern Sunday [November 6] that the FBI was aggressively pushing the powers of the anti-terrorist USA Patriot Act to access private phone and financial records of ordinary people.

"We should be looking at that very closely," said Sen. Joseph Biden (D-Delaware), who is a member of the Senate Judiciary Committee. "It appears to me that this is, if not abused, being close to abused."

Sen. Chuck Hagel (R-Nebraska), a member of the Senate Intelligence Committee, agreed, saying the government's expanded power highlights the risks of balancing national security against individual rights.

"It does point up how dangerous this can be," said Hagel, who appeared with Biden on ABC's This Week.

Under the Patriot Act, the FBI issues more than 30,000 national security letters allowing the investigations each year, a hundredfold increase over historic norms, The Washington Post reported Sunday, quoting unnamed government sources.

The security letters, which were first used in the 1970s, allow access to people's phone and e-mail records, as well as financial data and the internet sites they surf. The 2001 Patriot Act removed the requirement that the records sought be those of someone under suspicion.

As a result, FBI agents can review the digital records of a citizen as long as the bureau can certify that the person's records are "relevant" to a terrorist investigation. . . .

Issued by the FBI without review by a judge, the letters are used to obtain electronic records from "electronic communications service providers." Such providers include internet service companies but also universities, public interest organizations and almost all libraries, because most provide access to the internet.

Last September in an ACLU lawsuit, a federal judge in New York struck down this provision as unconstitutional on grounds that it restrains free speech and bars or deters judicial challenges to government searches. That ruling has been suspended pending an appeal to the New York-based 2nd U.S. Circuit Court of Appeals.

In a hearing last week the court suggested it might require the government to permit libraries, major corporations and other groups to challenge FBI demands for records.

The Patriot Act provision involving national security letters was enacted permanently in 2001, so it was not part of Congress' debate last summer over extending some Patriot Act provisions.

As the Dec. 31 deadline has approached for Congress to renew provisions of the act, the House and Senate have voted to make noncompliance with a national security letter a criminal offense.

Finally, on December 16, The New York Times disclosed the NSA intercepts, about which an editorialist at Wired News erroneously wrote this:
This week, The New York Times revealed that the Bush administration ignored the Foreign Intelligence Surveillance Act, or FISA, and intercepted telephone calls and e-mails from American citizens without a warrant. FISA requires that investigators provide a judge with evidence that there's reason to believe the person they plan to place under surveillance is an agent of a foreign power. . . .

There is no legal justification for these warrantless interceptions, which included calls to and from American citizens.
John Schmidt, a former associate attorney general in the Clinton administration, set the record straight:
President Bush's post- Sept. 11, 2001, authorization to the National Security Agency to carry out electronic surveillance into private phone calls and e-mails is consistent with court decisions and with the positions of the Justice Department under prior presidents.

The president authorized the NSA program in response to the 9/11 terrorist attacks on America. An identifiable group, Al Qaeda, was responsible and believed to be planning future attacks in the United States. Electronic surveillance of communications to or from those who might plausibly be members of or in contact with Al Qaeda was probably the only means of obtaining information about what its members were planning next. No one except the president and the few officials with access to the NSA program can know how valuable such surveillance has been in protecting the nation.

In the Supreme Court's 1972 Keith decision holding that the president does not have inherent authority to order wiretapping without warrants to combat domestic threats, the court said explicitly that it was not questioning the president's authority to take such action in response to threats from abroad.

Four federal courts of appeal subsequently faced the issue squarely and held that the president has inherent authority to authorize wiretapping for foreign intelligence purposes without judicial warrant. . . .

The passage of the Foreign Intelligence Surveillance Act in 1978 did not alter the constitutional situation. That law created the Foreign Intelligence Surveillance Court that can authorize surveillance directed at an "agent of a foreign power," which includes a foreign terrorist group. Thus, Congress put its weight behind the constitutionality of such surveillance in compliance with the law's procedures.

But as the 2002 Court of Review noted, if the president has inherent authority to conduct warrantless searches, "FISA could not encroach on the president's constitutional power."

Every president since FISA's passage has asserted that he retained inherent power to go beyond the act's terms. Under President Clinton, deputy Atty. Gen. Jamie Gorelick testified that "the Department of Justice believes, and the case law supports, that the president has inherent authority to conduct warrantless physical searches for foreign intelligence purposes." . . .

Should we be afraid of this inherent presidential power? Of course. If surveillance is used only for the purpose of preventing another Sept. 11 type of attack or a similar threat, the harm of interfering with the privacy of people in this country is minimal and the benefit is immense. The danger is that surveillance will not be used solely for that narrow and extraordinary purpose.

But we cannot eliminate the need for extraordinary action in the kind of unforeseen circumstances presented by Sept.11. I do not believe the Constitution allows Congress to take away from the president the inherent authority to act in response to a foreign attack. That inherent power is reason to be careful about who we elect as president, but it is authority we have needed in the past and, in the light of history, could well need again.
(For more on the NSA issue, go here and follow the links at the end of the post.)