July 2005 Archives
July 28, 2005 | Freedom From the Press
A federal court judge has ruled that the government can hide the names of Homeland Security bureaucrats from Freedom of Information Act requesters.
Employees working on anti-terrorism projects whose names were made public might be harassed by irate citizens or targeted by terrorists, according to this ruling (.pdf) by D.C. District Court Judge Ricardo Urbina.
Additionally, government employees should be shielded from reporters with phones, according to the judge.
The documents released by the defendants will likely be published on the Internet once released to the plaintiff, and it is likely that readers of the plaintiff’s reports, including media reporters as well as private individuals, would seek out the employees mentioned for further information.
The ruling concerns a lawsuit filed by the Electronic Privacy Information Center, which is seeking government records about secret transfers of airline records to the Transportation Security Administration.
This might be a smart rule if you were talking about employees working in Iraq's bureaucracy, and it's a smart rule for protecting the names of law enforcement agents.
But this is not Iraq. It is highly doubtful that Al Qaeda is going to start targeting mid-level government workers who make decisions about where to deploy the latest x-ray technology.
And it's not as if we've had a spate of assassinations of officials whose names have appeared in the press or who testify to Congress.
Knowing the name of the high-ranking bureaucrat who made decisions about making end-runs around Federal law is useful for transparent governance.
I want to know, and the public should too, if the guy who approved a secret data transfer later got a big bonus or a promotion.
Granted, maybe the public doesn't need to know the name of every low-level employee, but in this case, I think it would be at the very least useful to know the name of the following person (taken from a request I filed that was very similar to EPIC's).

Posted by Ryan Singel at 12:57 PM | TrackBack
July 25, 2005 | Your Phone is Smarter than You Are
Technology has only just recently made it easy to search our own personal computers, but soon, we may have ways to search our own lives as recorded by our cell phones.
Nathan Eagle of MIT's Media Lab shows how it might be done.
Cell phones know whom you called and which calls you dodged, but they can also record where you went, how much sleep you got and predict what you're going to do next. At least, these are the capabilities of 100 customized phones given to students and employees at the Massachusetts Institute of Technology -- and they may be coming soon to your cell phone.
The phones were part of a Ph.D. project by MIT Media Lab researcher Nathan Eagle, who handed out the devices as a way to document the lives of students and employees of MIT, ranging from first-year undergrads and MBA students to Media Lab employees and professors.
Eagle's Reality Mining project logged 350,000 hours of data over nine months about the location, proximity, activity and communication of volunteers, and was quickly able to guess whether two people were friends or just co-workers. It also found that MBA students actually do spend $45,000 a year to build monster Rolodexes, and that first-year college students -- even those who attend MIT -- lead chaotic lives.
He and his team were able to create detailed views of life at the Media Lab, by observing how late people stayed at the lab, when they called one another and how much sleep students got.
Given enough data, Eagle's algorithms were able to predict what people -- especially professors and Media Lab employees -- would do next and be right up to 85 percent of the time.
Find more in today's Wired News here.
I've mostly forgotten all my friends' phone numbers now that my cell phone stores them for me.
In the future, will I forget where I've been since my phone will remember it?
Posted by Ryan Singel at 03:52 PM | TrackBack
July 22, 2005 | TSA Broke The Law, GAO Finds
TSA employees did indeed violate federal law when it secretly expanded the nature and extent of testing of a new passenger screening system, according to congressional investigators.
The head of the Secure Flight program, Justin Olberman, has tried to downplay the extent of the program's violations of privacy law in briefings to the press by leaving out crucial information and describing the violations as "technical."
Transportation Security Administration's chief spokesman Mark Hatfield went further by lying to this reporter about whether the TSA ever received data from private data companies.
Today's letter from the Government Accountability Office to Congress makes clear that the TSA's actions were more than just "technical" violations of the nation's privacy laws.
In fact, the letter shows this is just the latest in a string of privacy scandals at the TSA that have involved millions of passenger records and repeated false statements to Congress and the media.
During the course of our ongoing review of the Secure Flight program, we found that TSA did not fully disclose to the public its use of personal information in its fall 2004 privacy notices as required by the Privacy Act. In particular, the public was not made fully aware of, nor had the opportunity to comment on, TSA’s use of personal information drawn from commercial sources to test aspects of the Secure Flight program. In September 2004 and November 2004, TSA issued privacy notices in the Federal Register that included descriptions of how such information would be used. However, these notices did not fully inform the public before testing began about the procedures that TSA and its contractors would follow for collecting, using, and storing commercial data. In addition, the scope of the data used during commercial data testing was not fully disclosed in the notices. Specifically, a TSA contractor, acting on behalf of the agency, collected more than 100 million commercial data records containing personal information such as name, date of birth, and telephone number without informing the public. As a result of TSA’s actions, the public did not receive the full protections of the Privacy Act.
That's not the most damning prose, but it's pretty clear the GAO, who was *supposed* to be keeping a close eye on the TSA, feels like they got misled.
In fact, no other program in the government is supposed to be as closely monitored by the GAO as Secure Flight.
It's unclear whether anyone at TSA will actually get prosecuted for this violation of the law or not, though Homeland Security's chief privacy officer is investigating.
Whole 16 page report is here. (.pdf)
UPDATE: Senators Susan Collins (R-Maine) and Joe Lieberman (D-Conn), the heads of the Government Affairs Committee, had this to say in a letter to DHS head Michael Chertoff:
[T]he Privacy Act, which is based on internationally recognized fair information practices, is intended to allow citizens “to learn how their personal information is collected, maintained, used and disseminated by the federal government.” We understand that, in response to GAO’s assertions, TSA took corrective actions to inform the public of its actual test protocols through updated Privacy Notices. However, that action does not excuse TSA’s failure to meet basic Privacy Act requirements in carrying out this program.
Given fundamental concerns surrounding the government’s use of personal information and the unfortunate history of TSA’s passenger prescreening program, careless missteps such as this jeopardize the public trust and DHS’ ability to deploy a much-needed, new system.
Posted by Ryan Singel at 01:09 PM | TrackBack
July 21, 2005 | Backpacks that Go Bloom(berg)
New York City mayor Michael Bloomberg has ordered the city's finest to randomly search bags belonging to subway riders, according to AP writer Sara Kugler.
The announcement came just hours after a second set of bombs exploded in London's Underground.
Police Commissioner Raymond Kelly promised that officers would not engage in racial profiling, and that passengers will be free to "turn around and leave" rather than consent to a search.
Crazy Kelly: "Our policy isn't just useless; Our policy is in-sa-a-a-ne!"
No, really. NYC's subways carry twice as many people daily as the ENTIRE NATION's 77 commercial airlines do.
And New York cops are gonna stop New Yorkers and ask to look in their bags? New Yorkers????
This sounds like a boondoggle dreamed up by double-dating suburban couples discussing Fox News headlines while eating poppers at Bennigans, not the considered pronouncement of the mayor of a damn great nation's best city.
Asked whether the searches might create bottlenecks at subway entrances, Kelly suggested the searches would be of a small enough sampling of passengers that only individuals, rather than whole crowds, would be delayed. "We are going to do it in a reasonable commonsense way," he said.
Reporters generally don't laugh out loud at stupid policy announcements.
Instead they write stories that look like this.
Update: Added a sentence or two to amplify my incredulity.
Update: There's some good to and fro, some mention of the constitution, security theatre and deterrence value going on over in the comments at Political Animal.
Posted by Ryan Singel at 12:02 PM | Comments (1) | TrackBack
July 15, 2005 | Acxiom's High Tech Hacker
Back in 2003, Acxiom acknowledged it had been hacked and sensitive data it owned had been downloaded.
Acxiom said the offender was a crazy smart hacker who fitznagled his way through their heavy-duty black ice and who only got a smidgen of data.
Recent news suggests you should put down your diet coke so it won't snort through your nose.
Here's what Acxiom said in 2003.
"An individual, who was a former employee of an Acxiom client, was arrested in conjunction with this incident," the company said in a statement Friday. "According to law enforcement, the individual arrested was a known sophisticated hacker. He evidentially gained access through hacking of encrypted passwords." The Little Rock, Ark.-based firm said the stolen information was retrieved. "Law enforcement has notified Acxiom that they do not believe that any of the data has been released to other parties or used for fraudulent purposes," the company said.
The breach involved one external FTP server outside Acxiom's firewall that is used to transfer files back and forth between Acxiom and its clients. The company said no internal databases were accessed and no breach penetrated its firewall. Additionally, the firm said only a small percentage of its clients' data was involved in the incident.
Full story from Internet News here.
The alleged ne'er-do-well, Scott Levine, who ran a greyhat email company called SniperMail.com, is now on trial in Florida.
Levine downloaded credit card numbers and other sensitive data on millions of Americans from Acxiom using an FTP server, according to testimony.
Evidently, Snipermail was selling email addresses to Acxiom and in the process of FTPing files to Acxiom, Levine discovered that the password for uploading files was the SAME as the one for downloading, according to the Arkansas Democrat-Gazette's Katherine Marks.
Another employee testified Levine was not only aware that he’d illegally downloaded data from Acxiom Corp. but he also encouraged him to download more. "I would jokingly say, ‘Oops, I downloaded a file off the Acxiom server,’ and Levine would say, ‘Get more,’" Jeffrey Burstein, Snipermail.com’s lead technician, testified.
[...] [Mike] Castro [Levine's brother-in-law] said that Snipermail.com obtained a password from Acxiom to upload data to the company. Employees were amazed to find that they could also use the password to pull information from Acxiom, he said.
"We couldn’t believe such a high-tech company would forget to change the password on something like that," Castro testified.
Levine used this security lapse to download 8.2 gigs of customer data.
One assumes that's gigs of text files and spreadsheets. Gigs that belong to Acxiom's other clients.
8.2 gigs. One hopes there were some heavy-duty video files in there because otherwise, that's a lot of credit card numbers.
Full story here (reg req).
Update: Removed erroneous substitution of Amazon for Acxiom in one sentence. Amazon was on the brain.
Posted by Ryan Singel at 11:59 AM | Comments (2) | TrackBack
July 07, 2005 | Not Excused
I'm with Adam.
Posted by Ryan Singel at 11:13 AM | TrackBack
July 07, 2005 | Citizens of London
I'm frankly amazed by the calm and poise of Londoners I've seen on television this morning.
We all knew this was coming again -- we just didn't know if it was going to be Auckland, Paris, Berlin, Rome or Chicago.
Turns out this time, the fundamentalists decided to slaughter the cosmopolitans in London.
My thoughts are with the families of those who died, with those who managed to make it out of the tunnels, and with all those in London shaken by the blasts.
Maybe one day, our worst will stop feeding their worst and their worst will stop feeding our worst and us cosmopolitans will no longer feel brave getting on the El, the J line or the Paris Metro.
And just to note, London's thousands of surveillance cameras proved themselves not so helpful in stopping the attacks.
It will, however, be interesting to see what, if any, evidence they provide to investigators.
