US unveils more privacy-friendly no-fly list

Apparently the American government is about to implement its latest version of the no-fly list, without data mining using commercial sources. It looks a lot like the Canadian "Passenger Protect" program:

Even Bruce Schneier thinks it shows common sense.

Feds offer simpler flight screening plan on Yahoo! News

By MICHAEL J. SNIFFEN, Associated Press Writer

Thu Aug 9, 6:34 PM ET

The government proposed a new version of its airline passenger screening program Thursday, stripped of the data mining that aroused privacy concerns and led Congress to block earlier versions.

It's been three years since the Sept. 11 Commission recommended and Congress ordered that the government take over from the airlines the job of comparing passenger lists with watch lists of known terrorist suspects to keep them off flights. Even this new version of the Secure Flight program is open for public comment and will be tested this fall before it can be implemented fully in 2008.

The third version of the program, once known as CAPPS II, drew positive reviews from privacy advocates and members of Congress who had objected to more elaborate earlier versions. Congress enacted legislation blocking earlier plans to collect private commercial data — like credit card records or travel histories — about all domestic air travelers in an effort to predict which ones might be terrorists.

The new plan would require passengers to give their full name when they make their reservations — either in person, by phone or online. They also will be asked if they are willing to provide their date of birth and gender at that time to reduce the chance of false positive matches with names on the watch lists.

"Finally, this appears to have a coherent, narrow and rational focus," said James Dempsey of the Center for Democracy and Technology, a privacy advocacy group. "This is a vast improvement over what we've seen before."

Even Democrats in Congress were cautiously positive.

"They've been slow to admit that minimizing invasions and breaches of Americans' privacy is part of their job," said Senate Judiciary Committee Chairman Patrick Leahy, D-Vt. "We will evaluate these steps to see if they measure up."

House Homeland Security Chairman Bennie Thompson, D-Miss., said he hoped the administration would stay alert to privacy issues. "I am extremely disappointed it has taken three years and passage of several pieces of legislation to get us to step one."

Thompson added that he hoped it was a sign of foresight that the new plan was announced along with new screening arrangements for international travelers.

At a news conference at Reagan National Airport, Homeland Security Secretary Michael Chertoff also announced that starting six months from now airlines operating international flights will be required to send the government their passenger list data before the planes take off rather than afterward, as is now the case.

Earlier sharing of passenger information is designed to give U.S. authorities more time to identify terrorists like Richard Reid, who attempted to light a shoe bomb on a trans-Atlantic flight in December 2001, and keep them off planes.

"Now the airlines give us their manifests after the plane has left the ground and that is too late," Chertoff said.

The Homeland Security chief said he was unaware of any specific, credible threat against airlines. But based on recent car bomb attempts in Great Britain and public statements by terrorists, he repeated his view that "we are entering a period where the threat is somewhat heightened."

"Look at the history of al-Qaida," Chertoff said. "The airplane has been a consistent favorite target of theirs."

On the domestic side, transferring watch-list checks to Transportation Security Administration officers "should provide more security and more consistency, and thus reduce misidentifications" that have frustrated passengers, Chertoff said.

Existing screening has been widely ridiculed because people like Sen. Edward M. Kennedy, D-Mass., other members of Congress and even infants have been blocked from boarding or delayed because their names are similar to names on the lists.

Chertoff said the new domestic system will avoid activities envisioned earlier that raised privacy concerns.

"Secure Flight will not harm personal passenger privacy," Chertoff said. "It won't collect commercial data (about passengers). It will not assign risk scores and will not attempt to predict behaviors."

Such plans alarmed Congress so much that it barred implementing the program until it passed 10 tests to ensure privacy and accuracy. The Government Accountability Office, Congress' auditing arm, found the previous version failed almost all of them.

Currently, only a passenger's full name is required when reservations are made although date of birth and gender usually become known to transportation security officers later in the boarding process.

Transportation Security Administrator Kip Hawley said volunteering those two items earlier would reduce misidentifications in watch-list matching.

"With the full name, we can resolve 95 percent of the cases correctly. The date of birth adds 3.5 percent to that, and the gender adds another one percent," Hawley said.

Privacy advocates like Dempsey and Bruce Schneier, chief technology officer at the security company BT Counterpane, also were pleased with limits on how long most records will be kept. A check that produces no match — which will be the case for the vast majority of travelers — would be kept only seven days. A false positive match would be kept seven years. Confirmed matches would be kept 99 years.

"On the surface, it looks pretty good," Schneier said. "I'm cautiously optimistic. It's nice to see some common sense."

The "but I've got nothing to hide" argument

Daniel Solove, at the University of George Washtington School of Law, has written an interesting article on the "But I've got nothing to hide." Here's a link to the download site and the introduction:

SSRN-'I've Got Nothing to Hide' and Other Misunderstandings of Privacy by Daniel Solove

INTRODUCTION

Since the September 11 attacks, the government has been engaging in
extensive surveillance and data mining. Regarding surveillance, in December
2005, the New York Times revealed that after September 11, the Bush
Administration secretly authorized the National Security Administration
(NSA) to engage in warrantless wiretapping of American citizens’ telephone
calls.2 As for data mining, which involves analyzing personal data for patterns
of suspicious behavior, the government has begun numerous programs. In
2002, the media revealed that the Department of Defense was constructing a
data mining project, called “Total Information Awareness” (TIA), under the
leadership of Admiral John Poindexter. The vision for TIA was to gather a
variety of information about people, including financial, educational, health,
and other data. The information would then be analyzed for suspicious
behavior patterns. According to Poindexter: “The only way to detect . . .
terrorists is to look for patterns of activity that are based on observations from
past terrorist attacks as well as estimates about how terrorists will adapt to our
measures to avoid detection.”3 When the program came to light, a public
outcry erupted, and the U.S. Senate subsequently voted to deny the program
funding, ultimately leading to its demise. Nevertheless, many components of
TIA continue on in various government agencies, though in a less systematic
and more clandestine fashion.4

In May 2006, USA Today broke the story that the NSA had obtained
customer records from several major phone companies and was analyzing
them to identify potential terrorists.5 The telephone call database is reported to
be the “largest database ever assembled in the world.”6 In June 2006, the New
York Times reported that the U.S. government had been accessing bank records
from the Society for Worldwide Interbank Financial Transactions (SWIFT),
which handles financial transactions for thousands of banks around the world.7
Many people responded with outrage at these announcements, but many others
did not perceive much of a problem. The reason for their lack of concern, they
explained, was because: “I’ve got nothing to hide.”

The argument that no privacy problem exists if a person has nothing to
hide is frequently made in connection with many privacy issues. When the
government engages in surveillance, many people believe that there is no
threat to privacy unless the government uncovers unlawful activity, in which
case a person has no legitimate justification to claim that it remain private.

Thus, if an individual engages only in legal activity, she has nothing to worry
about. When it comes to the government collecting and analyzing personal
information, many people contend that a privacy harm exists only if skeletons
in the closet are revealed. For example, suppose the government examines
one’s telephone records and finds out that a person made calls to her parents, a
friend in Canada, a video store, and a pizza delivery shop. “So what?” that
person might say. “I’m not embarrassed or humiliated by this information. If
anybody asks me, I’ll gladly tell them what stores I shop at. I have nothing to
hide.”

The “nothing to hide” argument and its variants are quite prevalent in
popular discourse about privacy. Data security expert Bruce Schneier calls it
the “most common retort against privacy advocates”8 Legal scholar Geoffrey
Stone refers to it as “all-too-common refrain.”9 The “nothing to hide”
argument is one of the primary arguments made when balancing privacy
against security. In its most compelling form, it is an argument that the
privacy interest is generally minimal to trivial, thus making the balance against
security concerns a foreordained victory for security. Sometimes the “nothing
to hide” argument is posed as a question: “If you have nothing to hide, then
what do you have to fear?” Others ask: “If you aren’t doing anything wrong,
then what do you have to hide?”

In this essay, I will explore the “nothing to hide” argument and its variants
in more depth. Grappling with the “nothing to hide” argument is important, as
the argument reflects the sentiments of a wide percentage of the population. In
popular discourse, the “nothing to hide” argument’s superficial incantations
can readily be refuted. But when the argument is made in its strongest form, it
is far more formidable.

In order to respond to the “nothing to hide” argument, it is imperative that
we have a theory about what privacy is and why it is valuable. At its core, the
“nothing to hide” argument emerges from a conception of privacy and its
value. What exactly is “privacy”? How valuable is privacy and how do we
assess its value? How do we weigh privacy against countervailing values?
These questions have long plagued those seeking to develop a theory of
privacy and justifications for its legal protection.
This essay begins in Part I by discussing the “nothing to hide” argument.
First, I introduce the argument as it often exists in popular discourse and
examine frequent ways of responding to the argument. Second, I present the
argument in what I believe to be its strongest form. In Part II, I briefly discuss
my work thus far on conceptualizing privacy. I explain why existing theories
of privacy have been unsatisfactory, have led to confusion, and have impeded
the development of effective legal and policy responses to privacy problems.
In Part III, I argue that the “nothing to hide” argument—even in its strongest
form—stems from certain faulty assumptions about privacy and its value. The
problem, in short, is not with finding an answer to the question: “If you’ve got
nothing to hide, then what do you have to fear?” The problem is in the very
question itself.

Respectful surveillance?

Last week, Bruce Schneier linked to an article on "respectful cameras" that can recognize faces and obscure them with an oval. The oval can be removed in the event of an investigation. See: Schneier on Security: Surveillance Cameras that Obscure Faces. But one commentator says it's just the "illusion of privacy".

Schneier calls for a data privacy law

In Wired, security and privacy guru Bruce Schneier is calling for a comprehensive privacy law in the United States: Our Data, Ourselves.

Cleanse or secure your electronics before crossing the border

Over the past weeks, I've done a lot of travelling. First to Geneva and then to the US. On both occasions, I had to be very mindful of what information I have on my laptop and my USB drives, since I am subject to the Personal Information International Disclosure Protection Act.

This new law prohibits the export of personal information by Nova Scotia public bodies and their service providers. As a lawyer to a number of public bodies and an instructor at Dalhousie Law School, my laptop an blackberry are subject to those laws. Since I didn't want to go to the bother of asking the chief executive of each public body I work for wheter I had one-off permission to take their data with me (and since I wouldn't need their data on the road), I had to delete all traces of such personal information from my portable electronics.

While this is a concern for public bodies in Nova Scotia and their service providers, it's also a concern for anyone who is crossing the border into the United States as increasingly customs officers are scrutinizing laptops at the border.

Bruce Schneier, who always has interesting things to say, has an article in the Guardian on how to secure your laptops if you're taking them into the US. It's a good read and probably something to bookmark to read next time you're crossing the frontier: Read me first: Taking your laptop into the US? Be sure to hide all your data first Technology The Guardian.

Identity Theft Cartoon

Thanks to Schneier on Security for the link.

Whole disk encryption made easy

If you have laptop, you should read Bruce Schneier's commentary in Wired: How Does Bruce Schneier Protect His Laptop Data? With His Fists -- and PGP.

Salesforce.com leak leads to targeting phishing attacks

An employee of Salesforce.com has been taken in by a phishing scam and had his credentials compromised. The fraudsters have since used data from the vast ASP an in attempt to defraud a handful of users. See Schneier on Security: Targeted Phishing from Salesforce.com Leak and Salesforce.com Acknowledges Data Loss - Security Fix.

NJ hospital suspends 27 for peeking at celebrity's medical record

CNN is reporting that 27 employees of the Palisades Medical Center in North Bergen, New Jersey, hav been suspended for a month without pay for looking at actor George Clooney's medical records without a valid reason for doing to. See: 27 suspended for Clooney file peek - CNN.com. (via Schneier on Security: 27 Suspended for Looking at George Clooney's Personal Data).

Schneier on Security vs. Privacy

Here's a really great read from Bruce Schneier:

Schneier on Security: Security vs. Privacy

If there's a debate that sums up post-9/11 politics, it's security versus privacy. Which is more important? How much privacy are you willing to give up for security? Can we even afford privacy in this age of insecurity? Security versus privacy: It's the battle of the century, or at least its first decade.

In a Jan. 21 New Yorker article, Director of National Intelligence Michael McConnell discusses a proposed plan to monitor all -- that's right, all -- internet communications for security purposes, an idea so extreme that the word "Orwellian" feels too mild.

The article (now online here) contains this passage:

In order for cyberspace to be policed, internet activity will have to be closely monitored. Ed Giorgio, who is working with McConnell on the plan, said that would mean giving the government the authority to examine the content of any e-mail, file transfer or Web search. "Google has records that could help in a cyber-investigation," he said. Giorgio warned me, "We have a saying in this business: 'Privacy and security are a zero-sum game.'"

I'm sure they have that saying in their business. And it's precisely why, when people in their business are in charge of government, it becomes a police state. If privacy and security really were a zero-sum game, we would have seen mass immigration into the former East Germany and modern-day China. While it's true that police states like those have less street crime, no one argues that their citizens are fundamentally more secure.

We've been told we have to trade off security and privacy so often -- in debates on security versus privacy, writing contests, polls, reasoned essays and political rhetoric -- that most of us don't even question the fundamental dichotomy.

But it's a false one.

Security and privacy are not opposite ends of a seesaw; you don't have to accept less of one to get more of the other. Think of a door lock, a burglar alarm and a tall fence. Think of guns, anti-counterfeiting measures on currency and that dumb liquid ban at airports. Security affects privacy only when it's based on identity, and there are limitations to that sort of approach.

Since 9/11, approximately three things have potentially improved airline security: reinforcing the cockpit doors, passengers realizing they have to fight back and -- possibly -- sky marshals. Everything else -- all the security measures that affect privacy -- is just security theater and a waste of effort.

By the same token, many of the anti-privacy "security" measures we're seeing -- national ID cards, warrantless eavesdropping, massive data mining and so on -- do little to improve, and in some cases harm, security. And government claims of their success are either wrong, or against fake threats.

The debate isn't security versus privacy. It's liberty versus control.

You can see it in comments by government officials: "Privacy no longer can mean anonymity," says Donald Kerr, principal deputy director of national intelligence. "Instead, it should mean that government and businesses properly safeguard people's private communications and financial information." Did you catch that? You're expected to give up control of your privacy to others, who -- presumably -- get to decide how much of it you deserve. That's what loss of liberty looks like.

It should be no surprise that people choose security over privacy: 51 to 29 percent in a recent poll. Even if you don't subscribe to Maslow's hierarchy of needs, it's obvious that security is more important. Security is vital to survival, not just of people but of every living thing. Privacy is unique to humans, but it's a social need. It's vital to personal dignity, to family life, to society -- to what makes us uniquely human -- but not to survival.

If you set up the false dichotomy, of course people will choose security over privacy -- especially if you scare them first. But it's still a false dichotomy. There is no security without privacy. And liberty requires both security and privacy. The famous quote attributed to Benjamin Franklin reads: "Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety." It's also true that those who would give up privacy for security are likely to end up with neither.

This essay originally appeared on Wired.com

This is staggeringly stupid and dangerous

A company has developed an RFID tattoo, that has all the benefits of RFID implantation, but without the messy chip. The chip is replaced by a tattoo. The company is touting its benefits in traceability of the meat supply, but is also suggesting that it may be useful in soldiers:

Industrial Control Designline RFID Ink

... The ink also could be used to track and rescue soldiers, Pydynowski said.

"It could help identify friends or foes, prevent friendly fire, and help save soldiers' lives," he said. "It's a very scary proposition when you're dealing with humans, but with military personnel, we're talking about saving soldiers' lives and it may be something worthwhile."

I can't imagine anything more dangerous than tagging all soliders with a tracking device that may be hacked by the other side. Instead of saving lives, it may result in wholesale destruction. I wonder how long it would be before we saw RFID activated IEDs? Not long, I expect.

Thanks to Schneier for the link.