A 51 page privacy impact assessment on how the Department of Homeland Security inspects electronic devices at the border.
Archive for the ‘National Security’ Category
What if any government had the opportunity to rewrite history, to paste over unflattering narratives and emphasize its purported strengths? I know, unfortunately that isn’t a rhetorical question.
What if 1984, George Orwell’s classic novel about the tyranny of oppression and never-ending surveillance, had been seized and rewritten to promote the work of Oceania, the government in power?
That’s the premise behind Alexander Charchar’s delicate reworking of the book’s cover art.
“ … That which is hard to ignore, is the fact that it’s ugly. Horribly ugly. It’s centered text to the left, with no thought of kerning or, even though an attempt has been made, to have the lines of text balanced. Perfect for a world where such detail in the arts is ignored and, in a sense, repulsed by those with political muscle …”
Charchar felt that previous cover art was intended to reflect the design sensibilities of the decade (the book has been through so many reprintings, there are dozens of past covers ) rather than the anti-totalitarian message Orwell intended to drive into the reader’s heart and mind.
How would a government like that of Oceania approach its communications with its citizens? As a rough and functional necessity – much like the brutalist approach to architecture?
That certainly strikes a chord if you lived through the second half of the twentieth century, when totalitarian governments in Europe and Asia largely emphasized homogeneity and efficiency over creativity.
It’s also a contrast with the reality we face today, where governments continually experiment with nuanced and targeted messages designed to build support for increased security and ever more invasive surveillance measures.
Sitting in the audience at the Computers, Freedom and Privacy 2009 conference (wiki, Twitter stream, blog, ustream live broadcast) today, I’ve heard several speakers try to discuss how privacy relates to concepts like national security, surveillance, information security and Web 2.0 applications. At the core of each discussion is an ongoing (some would say never-ending) debate: does privacy come at the expense of this other “X” element?
In effect, will we have to trade some of the impact, the effectiveness, or the positive gains of (in one case) Web 2.0 innovations in order to maintain contemporary privacy protections?
Some Web 2.0 advocates question whether privacy advocates (like us) are reflecting the needs or desires of actual users when we argue for privacy protections and strict data protection regimes.
Peter Swire, an Ohio State University professor and former privacy official in the Clinton administration, made the blunt observation today that:
” … the Web 2.0 movement is opposed to the privacy movement … they don’t ‘get’ privacy as central or moral a purpose as people who have been coming to [this conference] … “
You see, the Web 2.0 movement favours the greater and wider distribution of information. Access to more information is empowering. The assumption is that a more transparent and communicative society (especially government) will lead to more representative government and increased democratic participation (if only in issues of particular relevance to individual voters).
Privacy advocates, on the other hand, have long maintained that minimizing access to data is the best way to safeguard data and personal privacy. It’s not necessarily locking every piece of data in a secure box, but certainly making sure each individual has a close eye on the keys to the box containing their own information.
On a different panel, Bruce Schneier, the noted security commentator, noted that “in the New World, there will be more information, but it will not be fair.” He drew a distinction about who is required to disclose data or personal information: the government or the individual citizen.
” … open government laws enforce liberty … forcing transparency in principle enforces control …”
Sunshine legislation may open government to be more accountable for its actions. Increased information collection about individuals, whether through surveillance, through interception, interrogation or simply through increased identification requirements, could lead to more restrictions on how that individual leads their life.
Is there any reason to fear that a largely transparent society, built upon the energy and optimism of innovators like Web 2.0 developers, could produce an environment where individuals are more exposed, perhaps to monitoring, surveillance and control?
As I mentioned, these are ongoing debates. Bruce Schneier injected a dose of reality during his comments:
” … data is the pollution problem of the information age … [today, we ] look back to the Industrial Age and wonder how they dealt with all that pollution …”
In 2000, this 15-year-old hacker brought down some of the most heavily visited websites on the net: Amazon, eBay, CNN, Yahoo!. At the time, reports claimed the hack caused a billion dollars’ worth of damage to these companies.
Since that time, cybercrime has become big business, with some reports suggesting it’s on par with or bigger than the illicit drug trade. Identity theft features prominently in this underground frontier, with credit card information and entire identities up for sale by the thousands.
Tonight, CBC is airing Web Warriors, a one-hour documentary with an exclusive look at the world of hackers, and the cyber-sleuths who pursue them. If you miss it on TV, the entire documentary is available on CBC’s site as well.
And on the subject of teenage hackers, we’d like to point you towards Little Brother, the novel for young adults by BoingBoing blog coeditor Cory Doctorow. Little Brother takes place in the not-so-distant future where a group of teens use technology to protest the ever-increasing government surveillance around them. It’s a story that looks at hacking, jamming and surveillance, and offers insight into the privacy vs. security debate…all through the eyes of a 17-year-old.
On October 11, In 22 cities across Europe, citizens demonstrated to express their concerns over what they see as the increasing growth in government-created surveillance societies. October 11 was Freedom Not Fear Day, organized by the German Working Group on Data Retention.
In Berlin alone, over 15,000 protesters gathered in a rally that ended at the Brandenburg Gate. (The organizers have argued that 15,000 is a lowball number from the authorities, and the actual number could be closer to 50,000.) Peaceful and creative action took place throughout Europe, including art performances in Vienna, public lectures in Rome, and the construction of a collage made from uploaded photos of UK surveillance equipment and tactics in London.
“Surveillance mania is spreading. Governments and businesses register, monitor and control our behaviour ever more thoroughly. No matter what we do, who we phone and talk to, where we go, whom we are friends with, what our interests are, which groups we participate in – “big brother” government and “little brothers” in business know it more and more thoroughly. The resulting lack of privacy and confidentiality is putting at risk the freedom of confession, the freedom of speech as well as the work of doctors, helplines, lawyers and journalists.
The manifold agenda of security sector reform encompasses the convergence of police, intelligence agencies and the military, threatening to melt down the division and balance of powers. Using methods of mass surveillance, the borderless cooperation of the military, intelligence services and police authorities is leading towards the construction of “Fortresses” in Europe and on other continents, directed against refugees and different-looking people but also affecting, for example, political activists, the poor and under-priviledged, and sports fans.
People who constantly feel watched and under surveillance cannot freely and courageously stand up for their rights and for a just society. Mass surveillance is thereby threatening the fabric of a democratic and open society. Mass surveillance is also endangering the work and commitment of civil society organizations.
Surveillance, distrust and fear are gradually transforming our society into one of uncritical consumers who have “nothing to hide” and – in a vain attempt to achieve total security – are prepared to give up their freedoms. We do not want to live in such a society!
We believe the respect for our privacy to be an important part of our human dignity. A free and open society cannot exist without unconditionally private spaces and communications.”
In the United States, Freedom Not Fear Day was supported by a number of NGOs, including the Electronic Frontier Foundation (EFF) and the Electronic Privacy Information Center (EPIC). Together, they issued a release calling for an end to watch lists and data profiling programs that fail to comply with the federal Privacy Act, the establishment of comprehensive data protection legislation, and the repeal of the Patriot Act.
But Freedom Not Fear Day was a decidedly more subdued affair in the U.S. Besides this endorsement and statement issued by EPIC, EFF and IP Justice, no other activities appear to have been scheduled to commemorate Freedom Not Fear Day in Washington D.C. Canadian activities were similarly subdued: the official website notes that a light projection was planned for Toronto’s City Hall but information on who organized it and how it turned out couldn’t be found.
Granted, the roots of Freedom Not Fear Day are in Berlin and the global day of action seems to have spread to other European capitals but it’s interesting to note that North Americans seem reluctant to stand up to the notion of “security theatre“.
The rising cost of air travel might be the least of your worries when flying in the future.
The Washington Times has reported that the U.S. Department of Homeland Security has expressed interest in a “security bracelet” developed by Canadian-based Lamperd Less Lethal, a company specializing in firearms training and specialized civil defence equipment. Lamperd proposes, in this corporate video, that air passengers would be fitted with a bracelet containing boarding pass information, the passenger’s personal information and the ability to track a passenger’s whereabouts. As well, the device would be equipped with Electro-Muscular Disruption technology or EMD, meaning air crew could remotely deliver a shock to the bracelet-wearer, immobilizing the wearer for several minutes. The bracelet, given to the passenger at check-in, would be worn for the duration of the flight and could not be taken off until the passenger reaches his or her destination.
Lamperd claims in its video that, “Given the choice…many, if not most passengers would happily opt for the extra security of the EMD security bracelet.”
Given recent studies that show increased skepticism among the general public over how their personal information is often handled, and coupled with growing doubts over whether many of these post-9/11 security measures actually make us safer, we have our doubts: would passengers be prepared to put their desire for security before their own concerns over how such a bracelet could be (mis)used? Could a security bracelet really be effective in deterring terrorism, or does it just make people feel safer without actually improving anything?
“This allegation stemmed from a misleading video posted on the Lamberd Website which depicts an ID bracelet that would contain identifying information as well as the ability to stun the wearer. The company claims to connect use of such a device to DHS and TSA, but no discussions between these agencies has ever taken place. …
This concept was never funded or supported by the DHS or TSA and hasn’t even been discussed for two years.”
The Privacy Act, the federal privacy law requiring federal government bodies to respect individual privacy rights, hasn’t been substantially updated since 1982 – the same year the Commodore 64 was released and we stopped calling July 1 Dominion Day. What’s interesting about these changes is they could be implemented immediately and relatively easily – and the benefit to Canadians would be a privacy law that is modern, responsive and efficient.
As readers of this blog will know we are quite fond of the Top Ten list. So today, we present you with our list of the Top Ten fixes for the Privacy Act:
10. Parliament could create a legislative requirement for government departments to show the need for collecting personal information.
9. The role of the Federal Court could be broadened to review all grounds under the Privacy Act, not just denial of access.
8. Parliament could enshrine into law the obligation of Deputy Heads to carry out Privacy Impact Assessments prior to implementing new programs and policies.
7. The Act could be amended to provide the Privacy Commissioner with a clear public education mandate. PIPEDA contains such a mandate for private sector privacy matters. Why shouldn’t the Privacy Act for public sector matters?
6. The Act could provide the Privacy Commissioner with greater flexibility to report publicly on the government’s privacy management practices. As it now stands, we are limited to reporting by way of annual and special reports only.
5. The Act could grant the Commissioner greater discretion at the front-end to refuse complaints or discontinue complaints if the investigation would serve no useful purpose or is not in the public interest. This would allow the OPC to focus our investigative resources on those privacy issues that are of broader systemic interest.
4. Parliament could amend the Act and align it with PIPEDA by eliminating the restriction that the Privacy Act applies to recorded information only. At the moment, personal information contained in DNA and other biological samples is not explicitly covered. (But fingerprints are, in case you thought otherwise.)
3. Parliamentarians could strengthen the annual reporting requirements of government departments and agencies under section 72 of the Act, by requiring these institutions to report to Parliament on a broader spectrum of privacy-related activities.
2. The Act could be amended to provide for regular five-year reviews of the legislation, as is the case with PIPEDA.
1. Finally, the Act currently does not impose a duty on Canadian government institutions to identify the precise use for which personal information is being disclosed abroad. An amendment to the Act could require the Canadian government to not only identify the precise use for the transfer of personal information to foreign states, but ensure that adequate measures are taken to maintain the confidentiality of shared information.
Read this for more information.
Last Saturday, the French newspaper La Presse published an article about the Nexus program. The article, written by Jean-Philippe Brunet from Ogilvy Renault, highlights the advantages of the program; in particular, its capacity to save travelers some time.
The program is an agreement between Canada and the United States to share voluntarily given personal information to produce an identity card that makes the process of crossing the border less of a hassle.
To participate, you simply have to fill out a form that asks for all your addresses, your employment history from the last 5 years, $50 in administration fees and copies of your passport, your driver’s licence (front and back), and your birth certificate. Once the form is filled and signed, it is then evaluated by both countries that decide if you make it to the next (heavy duty) step – an interview where you will be fingerprinted and have your iris scanned. Pass this test and you’ll receive your Nexus Card that will enable you to “go home earlier and spend time with your family or catch up on your sleep”.
In Canada, your personal information is yours and the government has to ask you permission to share that information with a third party. Not so in the U.S. In fact, the minute you sign that form, you are authorizing the U.S. government, under section 215 of the PATRIOT Act, to obtain any document or personal information under terrorist claims without your consent or knowledge and to share that information with whomever they chose. (The Information and Privacy Commissioner for British Columbia has published a report on Privacy and the PATRIOT Act as well.)
It’s for you to decide: catch up on your sleep, or have peace of mind knowing your personal information is safe and not shared with anybody.
Two weeks ago, the provincial government of British Columbia announced that it would be making enhanced driver’s licences (EDLs) available to eligible B.C. residents. These licences – a first in Canada – would be recognized as an alternative to a passport at the Canada-U.S. border.
What makes them “enhanced”? The B.C. version of the EDL will feature a Canadian flag, a special code used by border authorities, and most importantly, a radio frequency identification (RFID) chip. These chips contain unique identifier numbers which can be read by RFID scanners at U.S. border entry points.
While the RFID chips in B.C.’s EDLs will only contain unique identifier numbers, it is possible to store other types of personal information on these chips. The technology also makes it possible to track the movements of individuals carrying driver’s licences enhanced with RFID chips.
The potential for misuse of personal information or a breach of security exists, and as other provinces consider whether they want to implement their own EDLs, there’s a need for a public discussion about those risks.
Today, Canada’s information and privacy commissioners kick-started that discussion by issuing a joint resolution outlining the steps that will need to be taken to ensure that the privacy and security of our personal information are respected if and when EDL programs are implemented. (You can also read the news release here.)
“We have a saying in this business: ‘Privacy and security are a zero-sum game.'”
This quote is attributed to Ed Giorgio, a former chief code breaker at the National Security Agency and current security consultant who is working on a plan proposed by the American government to closely monitor all Internet traffic in order to protect their information architecture from attack.
It’s not an uncommon belief among security experts that privacy and security are at opposite ends of a spectrum – in order to have one, you have to give up the other.
The problem with this perspective, though, is that it ignores the complementary nature of the two. As security guru Bruce Schneier responds, “Privacy is part of our security against government abuse.”
Worse, perpetuating this myth forces people to take one side over the other. If you want to protect your country from a crippling attack on its information architecture, you shouldn’t mind having your Google searches and personal emails scanned – or so the logic goes. The flip side of this logic implicates privacy advocates and defenders of civil liberty as ambivalent to national security concerns, or worse, traitors to their country.
It seems the better approach is to recognize that privacy and security can happily co-exist and that governments can develop policies that respect and protect the privacy of its citizens while ensuring national security against the threat of attack.