Tag: EPIC

NSA Spying in the Courts

The National Security Agency’s collection of every American’s telephone dialing information is hotly contested in the court of public opinion and in Congress. It is now seeing its first test in the courts since its existence was revealed.

The Electronic Privacy Information Center, arguing that it has no other recourse, has filed an extraordinary appeal to the Supreme Court of the order requiring Verizon to turn over telephone calling information en masse to the government. EPIC is a Verizon customer that communicates by telephone with confidential sources, government officials, and its legal counsel.

Cato senior fellow and Georgetown University law professor Randy Barnett joined me this week on a brief to the Court urging it to accept the case so it can resolve statutory and constitutional issues that have “precipitated a juridical privacy crisis.”

The brief first argues that the Foreign Intelligence Surveillance Act does not authorize a sweeping warrant for all communications data. The law requires such a warrant to show relevance to an existing investigation, which is impossible when the data is gathered in support of future, entirely speculative investigations. Not only the text of the statute, but Congress’s intent and the structure of the statute support this interpretation.

Comment on TSA Strip-Search Machine Policy—And Attend Our Event April 2nd

You can now comment on the TSA’s proposed rule regarding its use of strip-search machines on American travelers at our nation’s airports.

Under a July 2011 court order requiring it to do so, the TSA finally proposed the rule that explains its airport procedures with respect to strip-search machines. You can now know your rights and obligations in that process, how to opt-out of the strip-search machines, and where to register complaints if you feel you’ve been treated badly.

Just kidding!

This is the two-sentence statement it proposed to add to existing language about passenger screening:

(d) The screening and inspection described in (a) may include the use of advanced imaging technology. For purposes of this section, advanced imaging technology is defined as screening technology used to detect concealed anomalies without requiring physical contact with the individual being screened.

It took 20 months to produce these two sentences, which allow the TSA to do whatever it wants. My initial thoughts were to find TSA contemptuous of the court’s order and wronly using secrecy to hide the analysis of its policies.

We’ll be discussing the proposal at a Cato policy forum next Tuesday, April 2nd, called “Travel Surveillance, Traveler Intrusion,” starting at noon Eastern. Like most Cato events, it will be live-streamed.

The event is a two-fer. Not only will we hear from Ginger McCall of the Electronic Privacy Information Center, the organization that brought the suit that finally produced this rulemaking. We’ll also hear from Ed Hasbrouck, whose research reveals just how intensively the U.S. government monitors the air travel of every American.

Feel free to move about the country? Just wait until you learn how your movements are tracked—before and after you get your digital strip-search or prison-style pat-down.

Register now!

Silicon Valley Doesn’t Care About Privacy, Security

That’s the buzz in the face of the revelation that a mobile social network called Path was copying address book information from users’ iPhones without notifying them. Path’s voluble CEO David Morin dismissed this as a problem until, as Nick Bilton put it on the New York TimesBits blog, he “became uncharacteristically quiet as the Internet disagreed and erupted in outrage.”

After Morin belatedly apologized and promised to destroy the wrongly gotten data, some of Silicon Valley’s heavyweights closed ranks around him. This raises the question whether “the management philosophy of ‘ask for forgiveness, not permission’ is becoming the ‘industry best practice’ ” in Silicon Valley.

Since the first big privacy firestorm (which I put in 1999, with DoubleClick/Abacus), cultural differences have been at the core of these controversies. The people inside the offending companies are utterly focused on the amazing things they plan to do with consumer data. In relation to their astoundingly (ahem) path-breaking plans, they can’t see how anyone could object. They’re wrong, of course, and when they meet sufficient resistance, they and their peers have to adjust to the reality that people don’t see the value they believe they’ll provide nor do people consent to the uses of data they’re making.

This conversation—the push and pull between innovative-excessive companies and a more reticent public made up of engineers, advocates, and ordinary people—is where the privacy policies of the future are being set. When we see legislation proposed in Congress and enforcement action from the FTC, these things are whitecaps on much more substantial waves of societal development.

An interesting contrast is the (ahem) innovative lawsuit that the Electronic Privacy Information Center filed against the Federal Trade Commission last week. EPIC is asking the court to compel the FTC to act against Google, which recently changed and streamlined its privacy policies. EPIC is unlikely to prevail—the court will be loathe to deprive the agency of discretion this way—but EPIC is working very hard to make Washington, D.C. the center of society when it comes to privacy and related values.

Washington, D.C. has no capacity to tune the balances between privacy and other values. And Silicon Valley is not a sentient being. (Heck, it’s not even a valley!) If a certain disregard for privacy and data security has developed among innovators over-excited about their plans for the digital world, that’s wrong. If a company misusing data has harmed consumers, it should pay to make those consumers whole. Path is, of course, paying various reputation costs for getting it crosswise to consumer sentiment.

And that’s the right thing. The company should answer to the community (and no other authority). This conversation is the corrective.

Where to Report and Discuss TSA Abuses

With the TSA sticking by its policy of requiring select air travelers to submit to visual observation or physical touching of their private areas before they can fly, a number of groups are collecting reports and facilitating public discussion.

The American Civil Liberties Union has put up a page on which to report TSA screening abuses.

The Electronic Privacy Information Center has a “Body Scanner Incident Report” page.

And the U.S. Travel Association has a site called “Your Travel Voice,” and a related Facebook page where people can share their stories and air their views.

The activism site StopDigitalStripSearches.org also has a Facebook page.

The TSA has a complaint form you can fill out, of course.

When you post to a Facebook page, obviously you’ll be sharing your story publicly. If you communicate with any of the organizations, you might specify whether you consent to sharing your name and your story with the media. Doing so can facilitate getting more stories and more public discussion of the government’s policies.

A “National Opt-Out Day” has been called for November 24th.

I’ve written about the strip/grope policy in terms of risk management, and suggested that acceptance of some small risk is probably superior to strip/grope or a budding national ID system. In his post ”Body Scanner Blues,” David Rittgers recaps and expands on his New York Post editorial.

Topics:

EPIC: Suspend Airport Body Scanners

Last week, the Electronic Privacy Information Center released a petition from a group it spearheaded, asking the Department of Homeland Security to suspend deployment of whole-body imaging (aka “strip-search machines”) at airports.

The petition is a thorough attack on the utility of the machines, the process (or lack of process) by which DHS has moved forward on deployment, and the suitability of the privacy protections the agency has claimed for the machines and computers that display denuded images of air travelers.

The petition sets up a variety of legal challenges to the use of the machines and the process DHS has used in deploying them.

Whole-body imaging was in retreat in the latter part of last year when an amendment to severely limit their use passed the House of Representatives. The December 25 terror attempt, in which a quantity of explosives was smuggled aboard a U.S.-bound airplane in a passenger’s underpants, gave the upper hand to the strip-search machines. But the DHS has moved forward precipitously with detection technology before, wasting millions of dollars. It may be doing so again.

My current assessment remains that strip-search machines provide a small margin of security at a very high risk to privacy. TSA efforts to control privacy risks have been welcome, though they may not be enough. The public may rationally judge that the security gained is not worth the privacy lost.

Wouldn’t it be nice if decisions about security were handled in a voluntary rather than a coercive environment? With airlines providing choice to consumers about security and privacy trade-offs? As it is, with government-run airline security, all will have to abide by the choices of the group that “wins” the debate.

EPIC on PASS ID: a National ID Card

The Electronic Privacy Information Center has produced a very thorough analysis of the PASS ID Act, which would revive the REAL ID national ID program.

The EPIC analysis states flatly, “The bill would establish a national ID card,” and, “The intent of this legislation is to facilitate a National ID system.”

That’s quite a contrast to Ari Schwartz at the Center for Democracy and Technology, who alone believes that PASS ID “prevents the creation of a National ID system.”