Author: Sasha_Romanosky

  • Repost: DEA directs agents to cover up the sources of information used to investigate Americans

    This story courtesy of Akiva Miller:

    “Reuters reported yesterday that the Drug Enforcement Administration (DEA) has been starting criminal investigations of drug-related offenses based on information obtained from intelligence intercepts, wiretaps, informants and a massive database of telephone records – information that usually cannot be used in criminal investigations not related to national security matters. The DEA agents were directed to “recreate” the investigative trail to effectively cover up where the information originated. This practice violates defendants’ constitutional rights to a fair trial. http://www.reuters.com/article/2013/08/05/us-dea-sod-idUSBRE97409R20130805

    This Reuters context piece helps explain how this practice differs from the NSA Surveillance program, and is a far worse violation of civil rights: http://www.reuters.com/article/2013/08/05/us-dea-sod-nsa-idUSBRE9740AI20130805

    Meanwhile, USA Today reported that the Justice Department is now reviewing the DEA’s techniques:  http://www.usatoday.com/story/news/nation/2013/08/05/justice-dea-special-operations-shield/2620439/

    This revelation exposes how surveillance practices are going beyond the narrow realm of national security needs and are increasingly being employed against Americans for ordinary law enforcement purposes – the very realm where civil rights are vital safeguards against agency violation. Now that unlawful surveillance has been exposed in the fairly controversial area of drug enforcement, one can imagine the reaction if it turns out other agencies are using similar tactics: How would businesses react if the IRS were illegally obtaining their phone records, and then started a “random” audit on its secret surveillance target? Or how would gun rights supporters feel if the ATF Bureau were listening to phone conversations and arresting unregistered gun owners claiming “reliable informants” had led them to their targets? It will also be interesting to see how this will affect the convictions of drug-related charges who may have been victims of these tactics.”

     

  • Both sides to the NSA surveillance debate

    Position 1: Snowden is a whistleblower and what the government is doing is illegal: http://www.whistleblower-insider.com/the-simmering-storm-over-americas-secret-surveillance-court/

    Position 2: Snowden leaked classified documents improperly, and in fact, there are many controls and restrictions governing surveillance: See this talk by Robert Litt (General Counsel of the Office of the Director of National Intelligence) at a recent Brookings event http://www.c-spanvideo.org/program/GovernmentInte

  • ACLU’s revelations on License Plate Readers

    http://www.aclu.org/blog/technology-and-liberty-national-security/police-documents-license-plate-scanners-reveal-mass

     

    26000 pages of law enforcement data reveal: low hit rate, lots of variation across states and cities with regard to data retention policies.

  • Why trying to RFID track school kids may not work

    Possibly, because the idea is faulty. Something which this program in Texas is experiencing. Though, they seem to be replacing RFID with hundreds (!) of surveillance cameras. And why? To enjoy more federal funding.

    See the following link

     

  • Battling Big Brother, comments from Personal Democracy and Freedom, 2013

    I was invited to be a panelist at this year’s Personal Democracy and Freedom (PDF) conference held here in New York City. The panel was titled, “Battling Big Brother” and the idea was to comment on the degree to which individuals may be caught up in collateral damage from government collection and mining of data for the purpose of national security. A great question, indeed!

    I wanted to make a few comments on that panel, and thought I’d reproduce some of them for this blog below.

     

    I’m sure by now everyone is familiar with the hype around collecting and mining big data for individual patterns. And it’s not going to shock anyone to state that government, just as with the private sector (e.g. Facebook and Google), has great interest in doing this.

    As far as commercial interests are concerned, from what I see, these often focus on advertising — how can content providers effectively identify their visitors in order to present them with relevant ads? On one hand, the consumer benefits are obvious. Think of all the free online services and mobile apps that we use every day — they are likely supported by advertising. On the other hand, there are privacy concerns when people are tracked, and other personal characteristics inferred, without their consent (e.g. Target pregnancy girl). Moreover, there may be economic consequences from price discrimination which may also be seen as unfair. E.g. when those of higher income receive greater discounts than lower income people.

    Public interests of big data include, among other things, law enforcement and national security. But they have an advantage that private sector doesn’t in their ability to link many more kinds of disparate data sources and make more important inferences. They can combine CCTVs, drones, and of course, data collected from the private sector like phone records, emails, search engines, and network traffic from ISPs. I think we can all agree that the benefits of preventing bombings, and cyber attacks using these big data sources are large. What is of debate is how state agencies go about that and what tradeoffs we are willing to accept (e.g. PRISM and Verizon phone metadata collection).

    I now want to talk for a few minutes about two recent news stories that I think are relevant to this discussion. The first is this week’s Supreme Court decision to allow DNA collection at the time of arrest for a violent crime. Ostensibly, this is done because of the strong force of recidivism: the notion that a criminal caught for one crime may have committed some other, unresolved crime. The novelty — and risk — is that DNA is thought to be a better detection mechanism than fingerprints because it’s more difficult to conceal one’s DNA at a crime scene. But again, consequences occur when we feel that the government is overstepping its authority — when they suddenly have access to data we don’t think they otherwise should. What interests me most about the ruling, however, is the question: does DNA collection really work? I think there is a legitimate issue of whether law enforcement is more effective when they can obtain this information. I think this is important because if many more criminals are caught who would otherwise not be, then it becomes a discussion of tradeoffs. However, if there is no measurable effect, then the policy seems strictly bad. Similar questions can — and probably should — be asked of other forms of government data collection and surveillance: unless there is clear evidence of the effectiveness, where is the justification?

    The other story is one authorizing military commanders to engage in what’s called ‘active defense,’ i.e. to hit back at attackers who conduct cyber attacks on military systems. The benefits of this style of defense have been debated (at least) in the IT security community for many years, and it’s interesting to see acknowledgement of this kind of behavior by the military now. Perhaps this is due to a reportedly dramatic increase in espionage from China. There have also been calls by private companies (e.g., those victimized by loss of IP) to engage in the same kind of behavior. What is not clear, however, is what force of retaliation is suggested, and what kind of collateral damage may be caused by this.

    Now, to the question of what can individuals do? On one hand there are a host of privacy enhancing technologies and practices that individuals can employ: when searching online, you can use duckduckgo; when looking to browse anonymously you can use TOR; when purchasing groceries, you can use someone else’s loyalty card number; you can choose not to register a DC metro card; etc, etc. This makes us very empowered as consumers. However, on the other hand, at some point, you *will* leave a digital trail. You will need to go outside (where you’re likely to be captured on CCTV); you will need to buy something with a credit card, or take out a loan (adding to your credit profile); make a call on your cell phone; or you will simply forget to use one of those PETs. And so I’m quite conflicted regarding the extent to which individuals really have any power to control their digital trails at all. To me, the persistence and ubiquity of online tracking and surveillance is an unstoppable force, and while we may be able to redact some entries from the mountains of data files we leave, I don’t see any practical solution to avoiding creation of those files to begin with.

    PDF Program: http://personaldemocracy.com/conferences/nyc/2013/program

  • comScore and their privacy litigation woes

    I recently had a chance to learn about and speak with folks from a company called comScore. Essentially, this company offers free stuff to consumers in exchange for tracking all their web browsing activity. And they can get very detailed information about one’s buying habits. This can be very good for research, and potentially socially useful in other ways (advertising, etc).

    However, collecting that much personal browsing information about so many consumers (millions) seems very very risky. I’ll even go so far as to suggest a ticking timebomb of liability because of the concern of a data breach (i.e. someone hacking into the company and stealing all this information). As it turns out, that liability is coming from consumer concerns that the company collected and sold data without the consumers’ consent. (Now, I’m not really sure how people would be unaware of that, given that this is the company’s business model.)

    I’ve examined privacy litigation in previous work (here: http://ssrn.com/abstract=1986461) and based on our work, that the class was certified in this current lawsuit suggests bad news for comScore. We found that class certification was very strongly correlated with settlement. I don’t know how big the class will finally be, but if it does get into the millions, multiply that by the statutory damages from their ECPA and SCA claims and yikes!

    See: http://www.paulhastings.com/publications-items/blog/post/caveat-vendor/2013/04/10/certification-of-privacy-class-harbinger-of-things-to-come-#page=1

  • FTC call for comments on the ‘internet of things’

     

    In a follow up to the FTC’s interest in understanding how data collectors obtain and use personal consumer data, they have again posted a request for comments regarding the interconnectedness of IT devices. This means IP medical devices, wireless routers in cars, and all other forms of ubiquitous computing with the capability of communicating with other devices. Specifically, it seems they want to better understand the security and privacy implications of these devices: where are we going and what does it all mean?

    Great questions! The call is available here: http://www.ftc.gov/opa/2013/04/internetthings.shtm

  • Comments to Dept of Commerce on Protecting Critical Infrastructure

    As a result of a recent Executive Order, the Administration is seeking comments on ways to protect national security. I was invited to submit comments to the Department of Commerce on this topic. There is a legitimate difficulty with understanding and developing public policies in order to protect privacy, or achieving secure IT systems.

    Balance.

    How much privacy should we have? How much security should there be? No one really knows, yet everyone has an opinion. And most opinions are reasonable. In the case of IT security, this has been an outstanding question for 20 years now. Maybe about half that for privacy. In my Comment, I make the argument that while most consumer advocates want “more spending!” I suggest that “more” may not be “better.” The reason is because of waste. It is wasteful to spend more for a benefit that is less than the cost. So firms, just like individuals, should balance costs with benefits. It’s wasteful to do otherwise.

    In my Comment I next present policy mechanisms that can be used to address this balance. Not necessarily ways to find the optimal level of security or privacy protection, but ways the government can induce better (i.e. optimal) behaviors. I talk about regulation, disclosure, taxes, liability, nudging, etc. These approaches all have their benefits AND limitations. So it’s not a matter of which is best, but understanding the conditions under which each is appropriate (or not). I find it all very fascinating, and hopefully you do too.

    I then next discuss cyberinsurance. As you might imagine, this is an insurance product that firms purchase in order to reduce the cost of data breaches and security incidents. In short, this insurance covers losses that the firm itself suffers from being hacked (for instance), and fines or regulatory sanctions, and 3rd party liability from any resulting lawsuits. The market may be big now, but it is expected to approach $1 billion in total premiums. That’s a lot. (Though, to put it in perspective, it would be nice to know the size of other corporate insurance markets. If any reader knows, please send me a note.)

    What is most interesting about insurance is the ability — or at least the potential — to help reduce risky behavior for the insured, and across an industry. Despite moral hazard, there do appear to be practical ways to reduce risky behavior, and even to induce actors to become more safe. It’s a wonderful opportunity. And moreover, insurance companies have available to them data that would be invaluable at determining which security controls are best at preventing data and privacy breaches. My Comment concludes with a plea to insurance carriers to work with researchers like me in answering those questions. It can be done, and I’d love to try!

     

    The formal call: http://www.ntia.doc.gov/federal-register-notice/2013/notice-inquiry-incentives-adopt-improved-cybersecurity-practices

    My comments: http://www.ntia.doc.gov/federal-register-notice/2013/comments-incentives-adopt-improved-cybersecurity-practices-noi#comment-29922

     

    cheers,

    Sasha

  • FAA to host drone web forum

    For those interested in the emerging FAA policies regarding drone use, be sure to check out their upcoming web forum.

    http://www.faa.gov/about/initiatives/uas/

     

  • Seattle bar (preemptively) bans google glasses

    Interesting foresight that some have. According to their own blog, The 5 Point Cafe (a self-described dive bar) in Seattle, WA has already begun banning google glasses: http://the5pointcafe.com/google-glasses-banned/ .

    This presents an interesting tension between the right for any private entity to define its own terms, and the expectation of privacy that one should (should not) enjoy in a ‘public’ space. i.e. to what extent is a ‘private’ bar a public space?