Secondary Screening

September 2004 Archives

September 30, 2004 | Gilmore v. Ashcroft Update:

Justice Department lawyers filed their response to John Gilmore's lawsuit against the secret requirement that airline passengers must show identification or face extra screening before boarding a plane.

It's an odd case for a lot of reasons -- not least of which is that the government's lawyers keep insisting that they will neither confirm nor deny the existence of the rule -- even as Wednesday's filing admitted that the government had published the existence of the rule elsewhere.

There's more here in my story today:

Internet entrepreneur Gilmore first challenged the constitutionality of requiring airlines to ask passengers to show identification in U.S. District Court in San Francisco in July 2002, but the government refused to tell that court whether the rule existed.

Gilmore argued that the rule is vague, since no one knows what kind of identification is adequate and the penalties are unknown. He said he opposes Americans being subjected to a secret law. The rule impinges upon the right to travel and leaves people open to unreasonable searches, he added.

In Wednesday's filing, the government continued to stonewall about the existence of the identification-or-search requirement.

But they did acknowledge that

The Transportation Security Administration published notice of the identification portion of the requirement in a little-noticed May 2004 Federal Register filing about maritime security. That notice, which expanded the reach of secrecy rules for information classified as "sensitive security information," carved out an exception to secrecy for cases when the government needs to publicize a rule to ensure "compliance."

"For instance, as part of its security rules, TSA requires airlines to ask passengers for identification at check-in," the filing read. "Although this requirement is part of a security procedure that is sensitive security information, TSA has released this information to the public in order to facilitate the secure and efficient processing of passengers when they arrive at an airport."

Now, the question is: did the TSA intentionally include the identification requirement as the example? Or did they do this inadvertently, and the DoJ lawyers simply noticed it when they were researching their brief?

At least one of Gilmore's lawyers thinks it's the former and that the TSA included the info to avoid further legal challenges.

William Simpich, one of Gilmore's lawyers, questioned the timing and manner of the TSA's filing, calling it embarrassing.

"They are trying to hide what they are doing from the American people," Simpich said.

The government filed the notice just after Gilmore's original case was dismissed, and Simpich claimed the government hid the notice to avoid future legal challenges since such orders generally have to be challenged within 60 days.

But perhaps even more interesting is the government's argument that the identification requirement isn't a law, it's simply a way to detect those who break the law:

Justice Department lawyers also argued that Gilmore cannot challenge the requirement because it is not a law, it is a law enforcement technique.

"The identification-or-search requirement is simply a technique used to detect possible violations of the law, such as the prohibition on carrying a weapon or explosive onto the plane," they wrote. "While passengers have a right to know the law (that they cannot bring weapons on board), they have no due process entitlement to advance notice of how the Government might attempt to discover whether the law is being broken."

Simpich dismissed that argument as absurd doublespeak.

"Drugs are against the law," Simpich said. "So blowing through your house to look for drugs is a law enforcement technique that you can't challenge, either."

This case gets more and more interesting every time Gilmore or the government files papers...

As good old Mr. Drudge says, developing...

Posted by Ryan Singel at 03:07 PM

September 23, 2004 | FreeIpods Scam keeps on rolling

Over at Wired News, Leander Kahney follows up on the FreeIpods.com scammers, who do business as Gratis Internet of Washington, D.C.

Seems there have been a lot of complaints (besides my rant here) about the company:

Wired News has been inundated with complaints about spam, mishandled accounts and shipping delays.

Earlier this month, Jim Youll, a 39-year-old CTO from Cambridge, Massachusetts, signed up with a virgin e-mail address and within hours started receiving spam.

"This is not an encouraging trend," he said, "and these are not targeted ads. They are garden-variety junk spams."

Aaron Shier, a 19-year-old student from Hamilton, New York, sent numerous unanswered queries to the company while waiting nearly 40 days to receive his iPod. When he did get it, it was from Hewlett-Packard, not the Apple Computer one he ordered.

"I am still getting spammed and so are the people who signed up for me," he said. "They stay true to their word that they will get you out a product, but their customer service is miserable."

And what about their spam practices?

Martin and Jewell denied e-mail addresses are sold to third parties, and said there's a clear unsubscribe mechanism for opting out of their marketing list. (Wired News received complaints that the unsubscribe mechanism doesn't work.)

After the interview, Martin and Jewell said they will discontinue sending marketing e-mails.

Hmm, when I tried to opt out, they said it would take up to a week to stop the emails, though it only took them two hours to send the first ones.

Co-founders Peter Martin and Rob Jewell must be having the same problem trying to stop all the emails, cause I got two more of them today from these scammers.

Either that or these "above-the-board businessmen" told Leander a bald-faced lie.

(Note: just got another spam from these slimeballs as I was writing this.)

Anyone up for calling Mr. Robert Jewell to see which one it was?

202-595-9123 ext.712. rob@gratisinternet.com

Posted by Ryan Singel at 11:38 AM

September 22, 2004 | Homeland Security History

As a reporter who covers anti-terrorism efforts, it's my job to be skeptical of databases created by the Department of Homeland Security.

Another part of my job is to look through the Federal Register on a regular basis.

For those unfamiliar, it is the daily public notice of what decisions the executive branch is making or is planning to make.

It's informative, hilarious and packed with minutiae (including this little bit from Wednesday's edition about the size requirement for pearl onions from Idaho).

One of the other announcements Wednesday is that the DHS is creating "a new system of records entitled 'Oral History Program: The History of the Department of Homeland Security.'"

The Department has hired a "Departmental Historian who is developing a complete history of the department by conducting interviews with the individuals who participated in its creation and development."

This will include oral history interviews with "DHS employees and former employees, including political appointees, civilian, and military personnel assigned or detailed to the DHS, and other individuals who volunteer to be interviewed for the purpose of providing information for a history of DHS."

I can already name ten people whose interviews I'd love to read.

Of course, DHS will never let reporters near this stuff, though, right?

Wrong.

Routine uses include: "the news media and the public, unless it is determined that release of the specific information would constitute an unwarranted invasion of personal privacy;"

Now the question is, will folks answer truthfully if they know the public and media can see their answers, and even if they do, will any truly revealing stuff survive the redactors in the FOIA office?

And by "revealing stuff" I am not just talking about where the bodies might be buried (note to current DHS readers -- that's both tongue-in-cheek and non-literal).

What I really want to read are some true stories about bureaucratic tangling over policy issues. From what I know and what I can accurately guess, that's where the true history really is.

Posted by Ryan Singel at 11:46 PM

September 22, 2004 | Secure Flight Test Announced

CAPPS 3.0 (renamed Secure Flight by the TSA to differentiate it from the controversial CAPPS 2.0 proposal) will be tested starting in November.

Airlines, according to a proposed order unveiled Tuesday, will have to turn over their reservation databases from June 2004.

Some more details from my story in Wired News today.

Secure Flight will expand on the current use of watch lists by using a centralized terrorist watch list run by the Terrorist Screening Center housed at the FBI.

The center's director, Donna A. Bucella, told Congress in March the list is now 120,000 names long.

The centralization, while long planned, embraces one of the key recommendations of the 9/11 commission, according to TSA spokeswoman Yolanda Clark.

TSA wants to run the test with real data to make sure its centralized system can handle checking 2 million passengers a day and to see if the use of a larger -- but centralized -- watch list will increase or decrease the number of people erroneously fingered by the system.

The TSA will also test the effectiveness of verifying passenger identities using commercial databases such as those operated by data giants LexisNexis and Acxiom.

Now, as we saw today, the expanded terrorist watch list will catch more people, including those, like Cat Stevens, who the government suspects may have donated money to terrorist groups.

Cat Stevens was snared by the Customs and Border Protection agency, which is responsible for vetting flights into the country. The TSA has responsibility inside the country, via the proposed Secure Flight and the current smaller operated by the airlines.

Secure Flight will use the exact same watch list.

Now the TSA hopes that bringing the lists in-house will prevent misidentifications using the watch lists, to keep Teddy Kennedy and every David Nelson in the country from being flagged for extra screening.

I've yet to hear a good explanation of how this will happen, unless the TSA requires passengers to provide more information when booking a flight. Otherwise there is no way to know from an airline reservation whether the Teddy Kennedy booking a flight is the one wanted by the list or the senior senator from Massachusetts.

The list itself may have more information (e.g. can include more sensitive intelligence information) but a huge percentage of airline reservations do NOT include home phone numbers or addresses (many travel agents, including Travelocity, insert their own addresses and phone numbers in those slots).

There's going to be a lot more to this story.

Airlines are not doing well financially, and I believe that they will resist much of Secure Flight if they believe any of these three things: 1) Secure Flight won't speed up screening, 2) airlines will have to pay substantial and ongoing costs to keep their computers in contact with the TSA's, or 3) a substantial part of the public thinks the system is stupid, ineffective or invasive.

Now the TSA needs to prove that the system really will work. That means it has to hit the trifecta -- it has to be simultaneously efficient, uninvasive and effective at keeping real threats off planes.

Given the program's history, that is no small task.

Posted by Ryan Singel at 04:37 PM

September 20, 2004 | Times Gets CAPPS II History Wrong

Matthew Wald and John Schwartz of the New York Times both advance and rewrite the story of CAPPS II in this story published in the Sunday edition.

Wald and Schwartz lay out a history whereby CAPPS II suffered from mission creep and became, over time, a bloated program that was just as focused on catching criminals as it was on keeping terrorists off planes.

The story leans heavily on successive draft copies of "privacy impact statements" -- a required step for new federal databases under Lieberman's E-Government Act of 2002. It is, however, a new process and few agencies know how to do them, except for those such as the IRS who have been writing them for years as a way to make sure privacy is built into a system at the beginning, not tacked on later when under fire.

Those documents were acquired by the Electronic Privacy Information Center through a FOIA request and then a follow-up lawsuit. The lawsuit was necessary because the Transportation Security Administration wanted to withhold the drafts.

Wald and Schwartz try to use the documents to show how the program expanded in 2003.

They write:

But what began as a program intended to focus narrowly on terrorism in air travel expanded greatly as it developed. The agency developed a series of "Privacy Impact Assessments" for CAPPS 2 as required by federal law. These assessments are the documents that the privacy center obtained. The first draft of the privacy assessment stated the purpose of the program in one concise paragraph, saying that CAPPS 2 information "may be disclosed to federal, state, local and international law enforcement officials who have jurisdiction over the airframe and/or the individual who is a known or suspected foreign territorial or who is a threat to aviation safety, civil aviation or national security."

By the third draft, in July 2003, there were 15 paragraphs, saying the system could be used in other cases of violent crime by "appropriate federal, state, local, international, or foreign agencies or authorities." The third version of the privacy statement also included contractors, consultants, "other federal agencies conducting litigation, as well as the General Services Administration and the National Archives." The expansion of the program's mission has been reflected in public statements by Homeland Security officials, as well.

In May 2003, Adm. James Loy, then director of the Transportation Security Administration, said that the program would not be used as a trolling net for criminals. "The ax murderer that gets on the airplane with a clean record in New Orleans and goes to Los Angeles and commits his or her crime, that is not the person we are trying to keep off that airplane at the moment," Admiral Loy said in Congressional testimony.

By July 2003, however, the chief privacy officer of the Department of Homeland Security, Nuala O'Connor Kelly, said the system could be used to detain a passenger who had "an outstanding warrant for a crime of violence." But there were to be limits. "You're not going to get pulled over because you ran a red light," she said, "because I did one the other day."

So essentially, according to the Times and TSA insiders, CAPPS II started off as something narrow, then expanded, and now the TSA is going to revert to the early, more politically palatable version.

A nice clean narrative.

But it is wrong.

One needs only to look at the first CAPPS II Privacy Act Notice, which was published in the Federal Register on January 15, 2003.

Unlike PIAs, Privacy Act notices have been around since the 1970s. They say what kind of information will be in a database, who has to provide the info, what the penalties are for non-compliance, how long the records will be held and who the records will be shared with.

And this particular notice was the bureaucratic announcement of CAPPS II. It preceded work by the TSA on the Privacy Impact Assessment (that makes sense because the PIA has a later deadline by law and is more complicated).

And what was in the first Privacy Act notice? CAPPS II could look for anyone who violated any law and the TSA could share info in the system with just about anyone.

Though I have not seen the PIAs, from my conversation last week with EPIC and reading the description in the Times article, it is fair to say that the first document about CAPPS detailed a system BROADER in scope than the final draft PIA that the Times says proves that CAPPS II expanded.


Here's an only slightly edited list of what the January 15, 2003 Privacy Act notice said about information sharing:

Information may be disclosed from this system as follows:

(1) To appropriate Federal, State, territorial, tribal, local, international, or foreign agencies responsible for investigating or prosecuting the violations of, or for enforcing or implementing, a statute, rule, regulation, order, or license, where TSA becomes aware of an indication of a violation or potential violation of civil or criminal law or regulation.

(2) To contractors, grantees, experts, consultants, agents and other non-Federal employees ...

...

(5) To a Federal, State, or local agency, where such agency has requested information relevant or necessary for the hiring or retention of an individual, or issuance of a security clearance, license, contract, grant, or other benefit.

(6) To the news media ....

(7) To the Department of State, or other Federal agencies concerned with visas and immigration, and to agencies in the Intelligence Community, ...

(8) To international and foreign governmental authorities in accordance with law and formal or informal international agreements.

...

(10) To airports and aircraft operators, to the extent the disclosure is deemed required in the interests of transportation security.

(11) To the National Archives and Records Administration (NARA) ...

So why then did the first draft PIA talk about a narrow system? And why did each successive draft grow longer and more descriptive?

Three words. Chief Privacy Officer.

The Department of Homeland Security hired Nuala O'Connor Kelly in March 2003.

My educated hunch is that O'Connor Kelly, who is a proceduralist at heart, kept sending the PIA back to the TSA precisely because the PIA was not an accurate description of CAPPS II.

I know from other documents that the TSA did not know how to write a PIA and relied on a template the TSA got from the Department of Transportation.

The Times version is just plain wrong. CAPPS II was intended from the start to be an uber-comprehensive passenger screening system that would use and feed law enforcement and intelligence databases.

The new version of CAPPS II, Secure Flight, does not go back to the original model of CAPPS II. It goes further back. How far back is hard to say due to the TSA's unwillingness to give reporters additional details, but I will attempt to find out a little more this week.

Posted by Ryan Singel at 12:01 AM

September 15, 2004 | Looks Like Ivan, But It's Just Construction

Things might look a little funny around here for a few days, but fear not. A better layout and design is on the way. The indomitable Beth French is doing a real design for this site, replacing my bad Z indexes with some nicely designed and very solid tables.

The site will soon have more readable fonts, some graphics and links you can actually see. It will also actually render well in browsers such as Safari.

I'll announce when the redesign is complete and ask for comments or bug reports then, but till that time, please bear with whatever ugliness you see. However, if any links don't work in the meantime, please send me email at ryan AT OR AROUND secondaryscreening.net.

Posted by Ryan Singel at 11:14 PM

September 15, 2004 | REDACTED

Congressman Henry Waxman, the ranking member on the Committee for Government Reform, had committee staff release a report on Government Secrecy, focussing on the Freedom of Information Act, the abuse of the "Sensitive Security Information" designation (SSI) by government employees, and Bush Administration presidential directives that will keep presidential files out of the hands of historians for years to come.

The report (PDF) -- while admittedly a partisan effort -- convincingly details this administration's extreme emphasis on secrecy.

Here's another example, taken from a FOIA released by the Army in response to a request for records about the JetBlue/Torch Concepts data transfer. For those of you who don't remember the details, the Army hired Torch Concepts to test a data-mining algorithm to see if it could pre-emptively tell the difference between terrorists and regular airline passengers. The Army says the study was intended to help with Army facility security.

Torch, with JetBlue's permission, augmented JetBlue's passenger records with social security numbers, addresses, and financial information it purchased from Acxiom, a massive data marketing firm linked to CAPPS II and the Total Information Awareness program.

The first image comes from the recommendation page in a report given to a homeland security conference in 2003. That report was found on the Internet by Edward Hasbrouck and can be found in full here (PDF).

The following image is what the Army decided was too sensitive to reveal, even though this document is still available on the Internet.

Now the Army says it has no intention of going forward with its program and there is no evidence I'm aware of that they have or are pursuing access to airline passenger records for a base security program.

But if that's so, why is the Army afraid to make it public that its contractor found that it would be useful for the government to have a "lifetime" accounting of your travels?

My less-paranoid guess? FOIA officials believe that anything that looks embarrassing or revelatory should be redacted, regardless of whether there is actually a covering exemption. And since the law has no punishment for over-redacting and the Attorney General has said his lawyers will defend most any redaction, that's why FOIA requests are generally exercises in frustration.

The Army also prepared a report on the study for an oversight committee (TAPAC). Links to all testimony to the committee are here and a link to the Army's presentation is here.

Dr. Thomas H. Killion, Acting Deputy Assistant Secretary for Research and Technology/Chief Scientist, gave the presentation.

The Army gave me a copy of his testimony (which I'd already seen), but blacked out one thing. Dr. Killion's name on the front page of the document.

It's absurd to argue that his privacy would be invaded by releasing his name on a report delivered publicly.

Why did they do it? Why not? There's no penalty for blocking it out.

Still there was some good information in this particular FOIA, and I'll try to get to scanning and analyzing it soon.

And by soon, I mean sooner than the TSA is getting to FOIA requests about JetBlue and about CAPPS II contractors who got airline records from other airlines (despite months of TSA denials to the contrary). Though it's been almost a year since the first of these FOIAs was filed and though they were granted expedited processing (after much unnecessary stonewalling on their part), the TSA has not released any of these documents.

Posted by Ryan Singel at 04:48 PM

September 14, 2004 | DoT Clears Northwest

The Department of Transportation dismissed EPIC's complaint about Northwest Airlines' secret sharing of passenger data in 2001 with NASA researchers working on passenger screening algorithms.

(Normally such a complaint would be filed with the Federal Trade Commission, but if airlines engage in unfair business practices, the DOT has jurisdiction.)

Also in related news, a judge threw out another passenger class action against Northwest last week.

I don't find the ruling (PDF) surprising. When I wrote about the transfer for Wired News back in January, I noted that Northwest's privacy policy was unclear enough to give the airline an out. JetBlue's very strict privacy policy very clearly outlawed its transfer of passenger data to the Army's contractor, Torch Concepts. (They admitted as much and apologized in that case, but have yet to acknowledge two other transfers, let alone that they too violated the company's privacy policy.)

Here are the relevant grafs (full story here):

Northwest maintains that it did not violate that policy by giving the records to the government.

But while the Northwest website's privacy policy promises users that they are in complete control of the information they provide, the body of the policy only specifically prohibits Northwest from selling its records.

[EPIC attorney David] Sobel called that an "absurd reading of the privacy policy."

That disagreement is central to whether Northwest will face lawsuits or federal censure for deceptive business practices, as passengers have little protection under federal law.

American privacy laws are a complex patchwork, covering some data, such as financial and health information and information in government databases, while leaving the rest, including travel data, protected only by a company's privacy policy, which itself is optional.

But the point is not to say I told you so, but to point out how strong the DOT ruling is.

In fact the ruling almost seems to say that any airline privacy policy that provides even a modicum of privacy protection would be illegal.

The DOT argues that because Northwest has to share info with the DOT by regulation and with law enforcement upon subpoena, their privacy policy's promise that "you are in complete control" has no meaning.

DOT assistant counsel Samuel Podberesky argues that wording implies a passenger would have the right to stop Northwest from turning over data when the airline was legally required, so the statement does not block any transfers of data.

This reading is tortured and has an unintended side effect: it legitimizes companies who make sweeping promises of privacy rights in privacy policies, and then hide their true practices in fine print.

Take Northwest's policy. It only expressly bans the company from "selling" its list. Most people would take this to mean the company could not give its list to outside companies for money.

Northwest could however lease its list to another company for 100 years, and I'd bet you Podberesky would find no harm.

Also note that Podberesky totally failed to address EPIC's contention that the transfer violated EU privacy law since some of the affected fliers certainly booked their tickets from Europe.

That's surprising given his assurances to the European Commission in 2000 that his office took privacy and the EU data protection directive seriously:

The Department of Transportation encourages self-regulation as the least intrusive and most efficient means of ensuring the privacy of information provided by consumers to airlines and accordingly supports the establishment of a "safe harbor" regime that would enable airlines to comply with the requirements of the European Union's privacy directive as regards transfers outside the EU. The Department recognizes, however, that for self-regulatory efforts to work, it is essential that the airlines that commit to the privacy principles set forth in the "safe harbor" regime in fact abide by them. In this regard, self-regulation should be backed by law enforcement. Therefore, using its existing consumer protection statutory authority, the Department will ensure airline compliance with privacy commitments made to the public, and pursue referrals of alleged non-compliance that we receive from self-regulatory organizations and others, including European Union member states.

Posted by Ryan Singel at 11:03 PM

September 10, 2004 | Chicago Not Learning UK Lessons

Using money from the Department of Homeland Security, Chicago plans to install a net of 2000 surveillance cameras monitored by 'smart' motion-sensing software, according to Debbie Howlett of USA TODAY.

I wrote a story a while ago for In These Times about Washington, D.C. police plans to emulate London's 150,000 cameras.

Here's a couple of excerpts from that piece:

London has an estimated 150,000 public cameras, which it uses, in part, to levy an approximately $8 charge on all cars entering the city center. However, crime rates have gone up in England, despite the 2.5 million cameras nationwide.

...

Privacy groups say they are trying to prevent the government from revisiting the widespread surveillance abuses of the ’60s and ’70s as chronicled in the congressional Church Report, which disclosed that the FBI had a list of 26,000 people to be detained in the event of a national emergency.

Johnny Barnes, executive director of the Washington ACLU, worries just as much about the self-imposed censorship that cameras can create, especially in D.C. “We don’t know how many people won’t exercise their First Amendment rights because they are afraid of surveillance,” Barnes says.

The City Council, which held extensive hearings on the cameras in December, will return to the issue in coming months.

The ACLU argues that if camera surveillance takes hold in our nation’s capital, proponents of cameras will use it as a model for the rest of the country. Says Barnes: “We ran from a British-style system in 1776, and we should run from it now.”

Someone please explain to me why the Department of Homeland Security is funding this effort, but does not have enough money to put radiological screening devices at every port.

For my money, I'd prefer safety to surveillance.

Posted by Ryan Singel at 12:10 PM

September 08, 2004 | Civil Liberties Board v. 1.Congress

Senators Joe Lieberman and John McCain introduced legislation yesterday that would turn nearly all of the 9-11 Commission's recommendations into law.

This was a pretty mighty undertaking, not just because the recommendations are both wide and controversial, but also because the commission's report was written in layman's language, not legislative legalese.

The legislation (which clocks in at about 300 electrifying pages) includes specifics for a civil liberties board.

I've been following the 9-11 Commission's recommendation to create a civil liberties board both here on this blog and at Wired News.

President Bush created his version on August 27, establishing a board staffed with high-level administration officials who are tasked mainly with helping to formulate policy.

That board was roundly criticized by the privacy community, which thinks the board should be more independent and be focused on investigations.

According to one high-level government official, that criticism is unwarranted since the President's board will be highly influential and its creation shows that the administration cares about civil liberties.

I am currently working on a story about the Lieberman-McCain proposal, but here's what the bill proposes (PDF).

The full bill (PDF) can be found here on the Senate Governmental Affairs Committee website.

A summary is here (PDF).

More back story and details later.

Posted by Ryan Singel at 12:33 PM

September 02, 2004 | Congressional Research Service Reports

The Federation of American Scientists has posted a few Congressional Research Service studies related to the 9/11 Commission's report (via BeSpacific.com).

The first (PDF) is a quick roundup of airline passenger safety recommendations made by the 9/11 commission and has a concise discussion of some of the thorny issues surrounding passenger and cargo screening.


The second (PDF) deals with the proposal to create a civil liberties board, which I've written about here, here, and over here.

President Bush established a board last Friday, while Congress is currently debating behind closed office doors what kind of board they will build.

The report gives some fine background on the proposal and suggests four models for Congress to consider.

These include the Office for Emergency Management, which, in the 1940s, investigated "complaints of alleged discrimination involving race, creed, color, or national origin, in federal agencies, industries performing federal contracts or otherwise essential to the [WW II] war effort."

The second model cited is the United States Commission on Civil Rights, which has the authority to investigate and issue reports -- but has no enforcement authority.

The CRS also points to the Intelligence Oversight Board (IOB) of the President’s Foreign Intelligence Advisory Board (PFIAB).

The IOB is a five-member board tasked with "informing the President of any intelligence activities that any board member believed to be in violation of the Constitution, statutory law, or presidential orders or directives; and forwarding to the Attorney General reports received concerning intelligence activities that the board believed might be unlawful."

And finally, the CRS report points to the Defense Privacy Board, which is supposed to "coordinate and direct all Department of Defense (DOD) privacy activities."

I know nothing of the last two boards, but I do know that the Army Inspector General never mentioned the final board at all when it released its report finding its contractor, Torch Concepts, did not violate the Privacy Act when it tested data-mining algorithms on JetBlue passenger data.

That alone makes me think it is not a good model to follow if you want an effective commission.

Endnote: JetBlue, of course, massively violated its privacy policy when it turned the 5 million itineraries over to the contractor in September 2002.

Though the company apologized for its actions -- calling it a one-time occurrence designed to help with anti-terrorism programs -- TSA chief Admiral David Stone told Congress under oath that JetBlue actually turned over data to the government or its contractors 3 times in total. JetBlue has never publicly acknowledged these other transfers.

Posted by Ryan Singel at 04:52 PM

September 02, 2004 | Shoe Boxes

Transportation Security Administration officials have removed the check-your-shoes-ahead-of-time metal detector boxes from airports such as O'Hare and Hartsfield-Jackson International, saying the boxes were not "certified," according to this article by Kirstin Tagami in the Atlanta Journal-Constitution.

The TSA is not against the idea per se; they just want their own certified version.

The boxes have a funny backstory – they were made by an Eagle Scout, but what's interesting about the boxes is that they were allowed in the first place.

The whole premise behind the boxes is that they will let passengers learn ahead of time whether or not their shoes will set off a metal detector. If the indicator light on the box blinks when you put your shoe on it, you would be wise to take them off and send them through the x-ray machine, instead of wearing them through the metal detector.

Sounds like a good idea, especially for newbie travellers. (I'm always wearing heavy leather shoes with metal eyelets so I just always take them off.)

But if this is a good idea, why not install pre-screening metal detector walk-through portals, so people can figure out if, say, their belt or the lighter in their pocket will set off the detector?

Or for that matter, why not let people know ahead of time, by calling in or pre-checking in, whether they will be selected for extra screening (the SSSS on their tickets, which means, of course, secondary screening)?

None of that sounds like a particularly good idea, since it would allow a person who plans to hijack or bomb a plane to test whether they are likely to be caught boarding a plane.

But the principle is the same as that of the shoe-checking boxes.

Nothing stops anyone from testing their shoes and then just walking out of the airport.

If we are worried about people like Richard Reid -- the notorious suicide shoe-bomber -- getting explosives or weapons on a plane, do we really want to give them a way to check how well they hid their contraband before having to go through screening?

That said, I confess to being not so worried about another attempt by Islamic terrorists to hijack an airliner – which I think is a trick you can only pull off once, à la Ender's Game.

What I do worry about when I get on an airline is another attempt to bomb the plane from within. That can be done many ways, either through a checked-in bomb, a bomb secreted in commercial cargo packed in the belly of a passenger plane, Richard Reid shoe-bomber-style, or Ramzi Yousef wrist-watch/explosive fluid-in-a-bottle style.

Which is to say, the TSA needs to augment its magnetic detectors with some trace-explosive detection equipment, do a better job screening commercial cargo and require airlines to extend positive passenger bag matching (the process of making sure every checked bag on a plane has a corresponding passenger) to all transfer flights.

Posted by Ryan Singel at 01:08 PM

September 01, 2004 | FreeIPods.com both Pyramid Scheme and a Privacy Scam

So I was interested in seeing how freeipods.com worked, so I visited their site. To get any information on how the program works, you have to provide them with an email address.

They make it clear they will market to you on behalf of other companies.

Within two hours, I got two spams originating from this shady marketing company. Now it is not such a big deal, since I wasn't dumb enough to use my main account and I also use a fantastic open-source Bayesian spam filter so I could kill the emails in no time.

But check out this policy:

Additionally, when you open, preview or click on the advertising portion of our e-mails and/or those of our marketing partners and/or affiliates of CashinEmail.com, you have agreed to the terms set forth in our Privacy Policy and agree that as a function of opening, previewing or clicking on the advertising portion of our e-mails, that you will receive new or additional marketing communications from us, our marketing partners and/or affiliates of CashinEmail.com.

If I read the email or preview it, I've agreed to get more spam?

So of course, I tried opting out. Seems that will take them some time however, according to the opt-out message.

Funny how technology works. Seems this company can ADD email addresses to a database and then use that address in a mass mailing within two hours.

But taking an email address out? Whew, that's a hard one. They say it will take them a week. That's 84 times longer than it took to add an address...

But let's not forget the real problem, which is that the whole operation is a pyramid scheme (albeit a legal one).

All it takes is a calculator.

Updating the classic pyramid scheme, freeipods will reward those who get in early. But the twist is in store for those who get in later. In a traditional scheme, late arrivals lose lots of money.

In freeipods' scheme, those people don't lose, they actually get something: unending emails touting holiday vacations and AOL sign-up disks mailed to their house every week for life.

Imagine that early on, 10,000 people joined and signed up (as one must at freeipods) for an offer from Ebay or AOL or BMG.

They collectively need to get 50,000 people to do the same to get their ipods.

Those 50,000 need to get 250,000 people to sign up.

Now if the third level people want to get iPods, they need to find 1.25 million new people. And those people need to find 6.25 million people.

And the 6.25 million people need to find 37.5 million, who need to find 187.5 million new suckers.

And those suckers need to find over 937.5 million people with bad math skills.

And those people need to find 4.687 billion people who really have no clue to sign up.

At this point, the pyramid would have to stop without some new breakthrough on the part of SETI.

Sum total: 1.17 billion people with new ipods. 4.69 billion without. (And the proportions are worse the earlier it stops.)

Granted that's a lot of new iPods, but that's also a lot MORE people who thought they were gonna get the coolest new toy on the planet but will not.

But, I'm sure those losers will love all the "permission-based" marketing they will get as a consolation prize.

Posted by Ryan Singel at 03:47 PM

September 01, 2004 | Clinton Privacy Czar on Civil Liberties Board

Law Professor Peter Swire, who served as President Clinton's chief advisor for privacy, has published an editorial on the Bush Administration's establishment of a civil liberties board.

My story in Wired News about the board and the very critical reception it got in the privacy community can be found here.

Congress is working on its own version – but it will complement, not replace, the administration's.

This might actually be a good thing. I understand that many people pushed hard to get on the civil liberties board and that there's a good chance it will be effective at the policy level.

But it is not set up like an independent, investigative body. That gives Congress some leeway to do just that.

So, what we might end up with is a very high level policy board (though as Swire points out, it makes more sense to put an inter-agency group in the White House, rather than in the DOJ), AND a fairly powerful investigative watchdog board.

This might just be the right thing.

We'll have to see what Congress comes up with and also see what the Board does, starting with its first meeting, which has to happen within about two weeks.

Posted by Ryan Singel at 12:41 PM
