Tag: privacy

E-Verify: The Surveillance Solution

The federal government will keep data about every person submitted to the “E-Verify” background check system for 10 years.

At least that’s my read of the slightly unclear notice describing the “United States Citizenship Immigration Services 009 Compliance Tracking and Monitoring System” in today’s Federal Register. (A second notice exempts this data from many protections of the Privacy Act.)

To make sure that people aren’t abusing E-Verify, the United States Citizenship and Immigration Services Verification Division, Monitoring and Compliance Branch will watch how the system is used. It will look for misuse, such as when a single Social Security Number is submitted to the system many times, which suggests that it is being used fraudulently.

How do you look for this kind of misuse (and others, more clever)? You collect all the data that goes into the system and mine it for patterns consistent with misuse.

The notice purports to limit the range of people whose data will be held in the system, listing “Individuals who are the subject of E-Verify or SAVE verifications and whose employer is subject to compliance activities.” But if the Monitoring Compliance Branch is going to find what it’s looking for, it’s going to look at data about all individuals submitted to E-Verify. “Employer subject to compliance activities” is not a limitation because all employers will be subject to “compliance activities” simply for using the system.

In my paper on electronic employment eligibility verification systems like E-Verify, I wrote how such systems “would add to the data stores throughout the federal government that continually amass information about the lives, livelihoods, activities, and interests of everyone—especially law-abiding citizens.”

It’s in the DNA of E-Verify to facilitate surveillance of every American worker. Today’s Federal Register notice is confirmation of that.

Computers Freedom & Privacy 2009

The Computers Freedom & Privacy conference is consistently one of the most interesting and forward-looking privacy conferences. This year, it’s at George Washington University in Washington, D.C. June 1-4.

I helped organize it this time, though by no means does the event skew libertarian. What it does is bring together people of all ideologies to discuss common concerns about the present and future state of privacy.

I’ll be speaking on a panel called “The Future of Security vs. Privacy” on Tuesday, June 2nd. Here’s the program page. And here’s the registration page if any of this whets your appetite.

Justice Scalia Makes Sense; Law Professor Responds by Instructing Class to be a Collective Jerk

In January, Justice Antonin Scalia made some remarks about privacy at the Institute of American and Talmudic Law. The AP reported:

Scalia said he was largely untroubled by such Internet tracking. “I don’t find that particularly offensive,” he said. “I don’t find it a secret what I buy, unless it’s shameful.”

He added there’s some information that’s private, “but it doesn’t include what groceries I buy.”

In response to this commonsensical provocation, Fordham University law professor Joel Reidenberg had his class compile a 15-page dossier on Scalia, “including his home address, the value of his home, his home phone number, the movies he likes, his food preferences, his wife’s personal e-mail address, and ‘photos of his lovely grandchildren.’”

Reidenberg apparently sent the file to Justice Scalia, eliciting this response:

I stand by my remark at the Institute of American and Talmudic Law conference that it is silly to think that every single datum about my life is private. I was referring, of course, to whether every single datum about my life deserves privacy protection in law.

It is not a rare phenomenon that what is legal may also be quite irresponsible. That appears in the First Amendment context all the time. What can be said often should not be said. Prof. Reidenberg’s exercise is an example of perfectly legal, abominably poor judgment. Since he was not teaching a course in judgment, I presume he felt no responsibility to display any.

Being a jerk to Justice Scalia didn’t help Professor Reidenberg make his point, whatever it may be.

According to the Above the Law blog, Reidenberg believes that “technological constraints should be built into the infrastructure of online networks in recognition of users’ privacy rights.” He may also think the Nile should flow the other direction, but having his students dig up graves in Egypt won’t advance that cause.

DoJ Fails to Report Electronic Surveillance Activities

Unlike with wiretaps, law enforcement agents are not required by federal statutes to obtain search warrants before employing pen registers or trap and trace devices. These devices record non-content information regarding telephone calls and Internet communications. (Of course, “non-content information” has quite a bit of content - who is talking to whom, how often, and for how long.)

The Electronic Privacy Information Center points out in a letter to Senate Judiciary Committee Chairman Patrick Leahy (D-VT) that the Department of Justice has consistently failed to report on the use of pen registers and trap and trace devices as required by law:

The Electronic Communications Privacy Act requires the Attorney General to “annually report to Congress on the number of pen register orders and orders for trap and trace devices applied for by law enforcement agencies of the Department of Justice.” However, between 1999 and 2003, the Department of Justice failed to comply with this requirement. Instead, 1999-2003 data was provided to Congress in a single “document dump,” which submitted five years of reports in November 2004. In addition, when the 1999-2003 reports were finally provided to Congress, the documents failed to include all of the information that the Pen Register Act requires to be shared with lawmakers. The documents do not detail the offenses for which the pen register and trap and trace orders were obtained, as required by 18 U.S.C. § 3126(2). Furthermore, the documents do not identify the district or branch office of the agencies that submitted the pen register requests, information required by 18 U.S.C. § 3126(8).

EPIC has found no evidence that the Department of Justice provided annual pen register reports to Congress for 2004, 2005, 2006, 2007, or 2008. “This failure would demonstrate ongoing, repeated breaches of the DOJ’s statutory obligations to inform the public and the Congress about the use of electronic surveillance authority,” they say.

It’s a good bet, when government powers are used without oversight, that they will be abused. Kudos to EPIC for pressing this issue. Senator Leahy’s Judiciary Committee should ensure that DoJ completes reporting on past years and that it reports regularly, in full, from here forward.

Limiting the TSA’s Use of “Strip Search Machines”

I wrote here in February about the push and pull over “strip search machines,” also known as “whole-body imaging” and “millimeter wave scanning.”

The question is joined: How do you maintain privacy with a technology that’s fundamentally intrusive? Maybe by using it less. This week, Rep. Jason Chaffetz (R-UT) introduced a bill to limit the use of whole-body imaging.

H.R. 2027, the Aircraft Passenger Whole-Body Imaging Limitations Act of 2009, would place several limits:

  • Whole-body imaging could not be the sole or primary method of screening a passenger, and it could only be used as a follow-up to other methods like metal detection.
  • Passengers would have the right to opt for a pat-down search instead of whole-body imaging.
  • Passengers subject to whole-body imaging would have to be provided information about the technology and the images it generates, on privacy policies, and the right to have the pat-down search instead.
  • Images of passengers generated by whole-body imaging technology could not be stored, transferred, shared, or copied in any form after the passenger has passed through the security system.

Most of these protections are already TSA policy, but agency policies are relatively easy to change compared to federal law. Without limitations like this, these machines are on the natural, mission-creepy path to becoming mandatory.

Rules, of course, were made to be broken, and it’s only a matter of time — federal law or not — before TSA agents without proper supervision find a way to capture images contrary to policy. (Agent in secure area guides Hollywood starlet to strip search machine, sends SMS message to image reviewer, who takes camera-phone snap. TMZ devotes a week to the story, and the ensuing investigation reveals that this has been happening at airports throughout the country to hundreds of women travelers.)

So this bill is a step forward, but from a very backwards position. Ultimately, as I wrote before, the solution is to return responsibility for security to the airlines and airports, who are most interested in and capable of balancing all the factors that go into safe travel, including passengers’ privacy, comfort, and peace of mind.