/dev/mull

Justice Department spies on millions of cars: WSJ

Reuters) - The Justice Department has been secretly gathering and storing hundreds of millions of records about motorists in an effort to build a national database that tracks the movement of vehicles across the country, the Wall Street Journal reported on Monday.

The newspaper said the main aim of the license plate tracking program run by the Drug Enforcement Administration was to seize automobiles, money and other assets to fight drug trafficking, according to one government document.

But the use of the database had expanded to include hunting for vehicles linked to other possible crimes, including kidnapping, killings and rape suspects, the paper said, citing current and former officials and government documents.

...

The Journal quoted Senator Patrick Leahy, the senior Democrat on the Senate Judiciary Committee, as saying the use of license plate readers "raises significant privacy concerns."

...

meanwhile,
the obamacare website sends your data to net.advertising and tracking companies (a little more detail about what the government decided advertisers needed to know about you)

the economist has a special section on how advertisers (and their data brokers) spy on people. it has various juicy quotes from advertisers admitting how much they know, but i think the best example of what they want to know about people is from a full-page ad that ran in the middle of the print edition's report.

it's from some databroker called "quαntcast" -- aw, isn't that cute? -- showing an asian woman surrounded by a bunch of random facts about what she's doing on line:

"watched 3 videos on the theory of feng shui yesterday"
"read 12 articles on the health benefits of kale and aoriju in the last 6 days"
"spent 9 hours on websites about portland hot spots over the past three weeks"

their slogan: "we're not really psychic. but we're pretty close." with the caption "quantcast advertising knows your customer's next move, and gets you to them first." how charming. perhaps that doesn't bother you. would the copy:

"read 12 articles on bladder cancer in the last 6 days"
"spent 9 hours on websites about portland hospitals over the past three weeks"

? it's all the same to them.


i'm intrigued by a statement in the last article in the section:

A study by BCG suggests it is a myth that youngsters are more comfortable than older people with sensitive data about them being collected online. The privacy of personal data remains a big concern for around 75% of consumers in most countries. American and European consumers share similar views about online privacy—although their respective regulators do not.

i'm rather surprised, since americans appear rather blasé about the various thefts of personal information.


the LA times ran a story on privacy problems with police cameras that discussed the subject rather well. just a few highlights:

1) orwell on wheels

Some observers have raised the possibility that such cameras would not only be used to review officer behavior — to potentially overbearing levels, if used to crack down on minor disciplinary infractions — but someday also may be used with facial-recognition technology the way many departments already use license-plate scanners.

"Are these cameras going to eventually be hooked up to these systems where cops can scan the street and pick out anybody's face or anybody's car to see if they have an outstanding warrant?" asked Trevor Timm, executive director of the Freedom of the Press Foundation and an analyst of surveillance and transparency issues. "I think a lot of these communities that have problems with police will have problems with that, too."

2) pointlessly broad disclosure:

Such video "sometimes captures people at the worst moments of their lives," American Civil Liberties Union senior policy analyst Jay Stanley said.

"You don't want to see videos of that uploaded to the Internet for titillation and gawking," he said.

Video from dashboard cameras in police cars, a more widely used technology, has long been exploited for entertainment purposes. Internet users have posted dash-cam videos of arrests of naked women to YouTube, and TMZ sometimes obtains police videos of athletes and celebrities during minor or embarrassing traffic stops, turning officers into unwitting paparazzi.

i've never been really clear on why states seem to think any information they have on private citizens is public. a few states -- delaware among them -- have adopted laws requiring folks wanting information the police have about private citizens, such as recordings of 911 calls -- to demonstrate a newsworthy purpose (or something like that) and explicitly forbids release of information for titillation or entertainment.

3) retention of excess information:

The newly released federal report also suggests that departments should clearly outline policies for how long they will keep video recordings before deletion; 60- or 90-day holding periods are common, unless the video is used as criminal evidence or has been flagged in a complaint.

OTOH, a little pity for the cops:

The extra layer of scrutiny is also a labor concern for some police unions, who are worried that a tool intended for transparency will be diverted for workforce surveillance.

poor bastards, being treated like suspects without cause! but hey, if they've got nothing to hide, what's the problem, right?


reuters has a story about what information smartphone manufacturers and software writers are secretly gathering about people. it's a good survey of current problems.

lots of people have already discussed the supremes' ruling in riley v california, and in any case, i think the supremes themselves did a fine job summarizing their logic:

One of the most notable distinguishing features of modern cell phones is their immense storage capacity. Before cell phones, a search of a person was limited by physical realities and tended as a general matter to constitute only a narrow intrusion on privacy. See Kerr, Foreword: Accounting for Technological Change, 36 Harv. J. L. & Pub.Pol’y 403, 404–405 (2013). Most people cannot lug around every piece of mail they have received for the past several months, every picture they have taken, or every book or article they have read—nor would they have any reason to attempt to do so. And if they did, they would have to drag behind them a trunk of the sort held to require a search warrant in Chadwick, supra, rather than a container the size of the cigarette package in Robinson.

(p 17)

( what i think is most significant about the ruling is what it says about the supremes' thinking on privacy and rights in general. )

...in reverse order

SCOTUSblog discusses former supreme john stevens' statements to the senate's rules and administration, which mentions:

Third, Stevens urged members of Congress to enact campaign finance regulations that distinguish between money provided by constituents and others, such as corporations and individuals who live elsewhere. As support for that distinction, he cited a recent decision by the U.S. Court of Appeals for the District of Columbia Circuit – authored by Judge Brett Kavanaugh, a well-respected conservative judge – which upheld a federal prohibition on campaign expenditures by non-citizens to support or oppose candidates for political office. The regulation was justified, Stevens explained, because it advanced the federal interest in preventing foreigners from participating in U.S. elections, but it did not restrict their ability to speak about more general issues. That same logic, in his view, would apply to the distinction that he would draw between constituents and non-voters.

while stevens really wanted to push for his laundry list of amendments, i'm intrigued by the idea that current case law permits such a distinction to limit not how much people can spend on elections, but who can.

i'd wondered if such things were possible, though i'd thought about it on a state-by-state basis rather than a constituency-by-constituency basis. i'd be just as happy with that, since for some important offices (governors, federal senators) there's no difference.

OTOH, allowing such small groups to donate to campaigns may produce undue influence by a handful of wealthy individuals in those areas, since wealthy people with other political ideas living elsewhere can't oppose them. it also really drives home the importance of constituency boundaries and keeping them away from those who would abuse them by gerrymandering.

---

SCOTUSblog also mentions (twice) last week's cases on the privacy of cell phones -- and specifically, smart phones -- carried by people the police arrest. unlike previous oral arguements which have yielded juicy tidbits revealing the how the supremes are planning to rule, the arguements in these cases just show that the judges are trying to figure out how they should treat electronic data.

sure, i'm pleased that they didn't say that the police could do whatever they wanted, but it's not clear how far they'll go in requiring the police to show cause before randomly riffling through people's private information for fun and possible political gain. of course, for those interested in technical rather than legal protection, the old mantra still applies: encrypt, encrypt, ok!

---

a couple of months ago, judge lucy koh of the US district court of northern california tossed the attempt to form a single class of people suing google for reading their email. google, for its part, doesn't deny that it routinely reads people's email to advertise at them and build up dossiers on them, but insists that despite federal eavesdropping laws, that its ok, even for people who haven't agreed to its worthless "privacy policy" nor people unaware that gmail is acting as the mail servers for other domains. a number of judges, including judge koh, have called bullshit on this claim. however, that's not what i was interested in now.

i was trying to find out if the plaintiffs have attempted to put together new classes for class-action suits, since the judge canned their attempt to put everybody in one class. i found one attorney's list of current cases, but there's no further information there. the actual court records are behind PACER's paywall, so i can't tell if there's been official action on the case either.

both are unfortunate, since -- if i follow the judge's reasoning correctly -- the single large class could be broken up into a few smaller classes, but each would still hold millions of people. that is: gmail users who were deceived by google's non-disclosure that google was reading their email (as various judges have held), other people sending to gmail addresses (who knew that google was handling the email, but not that google was routinely reading it to keep tabs on them, and people sending email to other addresses handled by gmail (who had no idea at all that google was involved). those should still be large enough to make google regret its nosiness.

Target data breach put down to access details stolen from contractor lazy, incompetent network administration

WASHINGTON, Feb. 6 (UPI) -- Failure to properly segregate systems handling payment card data in its network led to the massive data breach at Target last month, a U.S. researcher says.

Hackers who broke into the retailer's network did so by using login credentials stolen from [Fazio Mechanical Services,] a heating, ventilation and air conditioning company that does work for Target at a number of locations, security blogger Brian Krebs reported Wednesday.

...

Target had apparently granted Fazio access rights to its network so it could remotely monitor energy consumption and temperatures at various stores.

...

a few days ago, the folks who run the big store chains whined that hackers have the upper hand, but the reality is more prosaic: they're lazy and inept (both articles lack specifics, but i'm too tired to dig the details out of the testimony).

i've used secure networks before, so it can be done. one was isolated from the rest of the world by an air gap (didn't connect to the net); hack that, dude. the other had elaborate defense in depth from layers of clever routers, firewalls, DMZs, and so on from the usual well-known arsenal; it was theoretically vulnerable, but given the number of mk. 1 eyeballs that watched its log digests all the time, practical attacks would be challenging. (SOP for that one was fail safe, too; i'd heard that people had pulled the plug even on vague suspicions.)

so, target and the rest could manage if they care. it just takes work.

but OTOH, i don't think we need new federal law though. i think existing liability law would work just fine, with one clarification: let those who hold confidential information bear all the losses if they lose it. i know there are instances in liability law like that for bailments; that's why car repair shops (et al) take precautions with other people's stuff.

if one guesses that the average value of the information the hackers made off with from the target job was ~$100/person, target would be looking at a ~$7 billion liability. their insurers wouldn't put up with their cluelessness. the owners of the elaborately-defended network had certain legal obligations that "whoopsie!" didn't get them out of; they didn't build those defenses because their geeks thought it would be cool. i suspect retailers would feel the same way in the same situation.

A black box in your car? Some see a source of tax revenue

By Evan Halper

WASHINGTON — As America's road planners struggle to find the cash to mend a crumbling highway system, many are beginning to see a solution in a little black box that fits neatly by the dashboard of your car.

The devices, which track every mile a motorist drives and transmit that information to bureaucrats, are at the center of a controversial attempt in Washington and state planning offices to overhaul the outdated system for funding America's major roads.

The usually dull arena of highway planning has suddenly spawned intense debate and colorful alliances. Libertarians have joined environmental groups in lobbying to allow government to use the little boxes to keep track of the miles you drive, and possibly where you drive them — then use the information to draw up a tax bill.

...

And while Congress can't agree on whether to proceed, several states are not waiting. They are exploring how, over the next decade, they can move to a system in which drivers pay per mile of road they roll over. Thousands of motorists have already taken the black boxes, some of which have GPS monitoring, for a test drive.

...

In Nevada, where about 50 volunteers' cars were equipped with the devices not long ago, drivers were uneasy about the government being able to monitor their every move.

"Concerns about Big Brother and those sorts of things were a major problem," said Alauddin Khan, who directs strategic and performance management at the Nevada Department of Transportation. "It was not something people wanted."

As the trial got underway, the ACLU of Nevada warned on its website: "It would be fairly easy to turn these devices into full-fledged tracking devices.... There is no need to build an enormous, unwieldy technological infrastructure that will inevitably be expanded to keep records of individuals' everyday comings and goings."

Nevada is among several states now scrambling to find affordable technology that would allow the state to keep track of how many miles a car is being driven, but not exactly where and at what time. If you can do that, Khan said, the public gets more comfortable.

...

it's that last paragraph that gets to me. my car has such a device already; it's called an "odometer". the (federal) government need not know anything else about my driving to send me a road-usage bill.

for the states, of course, there's the problem that many people drive at least a little bit on other states' roads. but my off-the-cuff answer is so what? the ostrich algorithm works perfectly fine for this: i'd pay my road usage tax to delaware, even though i do some driving in the bordering states... AFAI'm concerned, that's approximately balanced out by people driving on roads in delaware. (i deliberately avoided the construction "delaware's roads", since the federal government subsidizes a lot of road construction, which renders the issue of specific cost-accounting moot.)

European Union mulls new rules on data privacy aimed at U.S.

BRUSSELS, Oct. 17 (UPI) -- The European Union says it is close to finalizing new rules aimed at curbing questionable transfers of data from EU countries to the Unites States.

...

The new rules would make it harder for U.S. Internet servers and social media providers to transfer European data to third countries, subject them to EU rather than American laws, and authorize severe fines possibly running into the billions for non-compliance, Britain's The Guardian reported Thursday.

...

the interesting part is that if an american is willing to use a proxy with a european endpoint and claim to be european, facecrook et al appear to be stuck taking you at your word, lest the eurocrats spank them. this may be of some value to y'all.


meanwhile, the previous big baddie, darth vader, claims to have worried that people would hack his life-support unit:

Former Vice President Dick Cheney came clean in an interview to CBS' "60 Minutes," revealing that when he had a device implanted to regulate his heartbeat in 2007, he had his doctors disable its wireless capabilities to prevent against a possible assassination attempt.

Cheney said that at the time, he was concerned about reports that hackers could break into the devices and kill their owners.

in his case, i wouldn't say that that's an unreasonable fear.

U.S. spy agencies face big layoffs in government shutdown

(Reuters) - More than 70 percent of the civilians working for U.S. spy agencies have been deemed "non-essential" employees and face temporary layoffs due to the government shutdown that began on Tuesday, three officials familiar with the matter said.

The agencies affected are the Central Intelligence Agency, the Office of Director of National Intelligence and 15 others, the officials said.

The CIA expects to furlough about 12,500 civilians working for the agency, according to the sources. But specific numbers for other agencies were not immediately clear, the officials told Reuters. The CIA and White House declined to comment.

...

These agencies include the Defense Intelligence Agency and the National Security Agency, whose secretive electronic eavesdropping methods recently become the focus of controversy following leaks by former contractor Edward Snowden.

...

"The Intelligence Community's ability to identify threats and provide information for a broad set of national security decisions will be diminished for the duration," Turner said.

...

i'm amused that "non-essential" personnel are apparently vital to the country's ability to identify threats. assuming there are any; the little we know about no such agency's domestic spying says they've found one threat thereby.


WRT the underlying tempest in a teapot du jour, i'm surprised that neither party can count. no, i don't mean count the political or economic costs of their game of chicken, but something more direct. it appears that the republicans are unable to count to 51 (or 67, depending on how your look at it) and the democrats are unable to count 218. that is, while both parties are fighting over a substantive issue, neither one appears to be engaging in the usual political wheeling-and-dealing that gets votes from people nominally opposed to that issue. i find this strange, since both parties have moderate and extreme (or pragmatic and ideological) wings.

i'm not sure which party would have an easier job if it tried. OT1H, the democrats appear to, since the GOP is already fragmented on the issue, and speaker boehner seems barely able to keep them agreeing on tactics. OTOH, the republicans need only peel a handful of democratic senators away from their party for a simple majority; surely, there must be some red meat they can think of tossing some democratic senator up for re-election during the mid-terms.

on various other limbs... ideological shoving matches are fun until somebody loses their seat... and both sides appear confident that the other guys will take the blame for this boo-boo. round two is coming up soon enough, so i can see both sides wanting to "appear strong" to their respective political bases, even if that makes them look like stubborn asses to everybody else. also, i have to wonder what's going on behind the scenes despite the public posturing. i expect something is, even if it's curt and icy. (hm... that sounds like a name of random new product chosen by focus grope. i wonder what sort of thing it is.)

NSA shares raw intelligence including Americans' data with Israel

The National Security Agency routinely shares raw intelligence data with Israel without first sifting it to remove information about US citizens, a top-secret document provided to the Guardian by whistleblower Edward Snowden reveals.

Details of the intelligence-sharing agreement are laid out in a memorandum of understanding between the NSA and its Israeli counterpart that shows the US government handed over intercepted communications likely to contain phone calls and emails of American citizens. The agreement places no legally binding limits on the use of the data by the Israelis.

The disclosure that the NSA agreed to provide raw intelligence data to a foreign country contrasts with assurances from the Obama administration that there are rigorous safeguards to protect the privacy of US citizens caught in the dragnet. The intelligence community calls this process "minimization", but the memorandum makes clear that the information shared with the Israelis would be in its pre-minimized state.

...

...The memorandum says: "Raw Sigint includes, but is not limited to, unevaluated and unminimized transcripts, gists, facsimiles, telex, voice and Digital Network Intelligence metadata and content."

...

The memorandum of understanding, which the Guardian is publishing in full, allows Israel to retain "any files containing the identities of US persons" for up to a year. The agreement requests only that the Israelis should consult the NSA's special liaison adviser when such data is found.

Notably, a much stricter rule was set for US government communications found in the raw intelligence. The Israelis were required to "destroy upon recognition" any communication "that is either to or from an official of the US government". Such communications included those of "officials of the executive branch (including the White House, cabinet departments, and independent agencies), the US House of Representatives and Senate (member and staff) and the US federal court system (including, but not limited to, the supreme court)".

It is not clear whether any communications involving members of US Congress or the federal courts have been included in the raw data provided by the NSA, nor is it clear how or why the NSA would be in possession of such communications. In 2009, however, the New York Times reported on "the agency's attempt to wiretap a member of Congress, without court approval, on an overseas trip".

...

really, there's no need to keep reading. despite the guardian's disclaimer, the implication is clear: the NSA is spying on the congress and the judiciary. long-time readers of this journal may recall that the possibility that the executive might track the congress and the Supremes was something the Supremes brought up during oral arguments about US v Jones. they weren't happy that warrantless GPS tracking might allow that, so i can only imagine their displeasure at finding out that the executive has been intercepting their calls... and email... and web browsing habits.

suddenly, i've gone from wondering if the Supremes will grant EPIC's mandamus petition to wondering if any part of the so-called "patriot" act will survive their extremely broad ruling on that petition.

it's a page from the censored version of the one FISC ruling they've deigned to declare safe for democracy. (i forgot where i got the file from, so i'm linking to my copy. the file has been rasterized to prevent easy quoting.)

other pages are better, but a lot of vital information is still censored, like what exactly the NSA is up to. however, the administration did let a few bits slip through:



there's a word for repeatedly making "substantial misrepresentation"s to a court. it starts with "p" and usually ends with a long prison term. i'd like to hope the Supremes take the administration's repeated lying to its lapdog secret court into account when granting considering EPIC's mandamus petition.

( another example of the security state out of control )