Monday, May 11, 2009

My latest FOIA: DOJ's use of "hotwatch" orders for credit card transaction data

(sent by fax this morning)

This letter constitutes a request under the Freedom of Information Act (“FOIA”), 5 U.S.C. §552. I am seeking records concerning the use of “hotwatch” orders directing credit card issuers to disclose prospective credit card transaction information.


On October 11, 2005, the US Attorney from the Eastern District of New York submitted a court filing in the case of In re Application For Pen Register and Trap and Trace Device With Cell Site Location Authority (Magistrate's Docket No. 05-1093), which related to the use of pen register requests for mobile phone location records.

In that case, the US Attorney’s office relied on authority they believed was contained in the All Writs Act to justify their request for customer location information.

In support of its claim, the office revealed that:
Currently, the government routinely applies for and upon a showing of relevance to an ongoing investigation receives “hotwatch” orders issued pursuant to the All Writs Act. Such orders direct a credit card issuer to disclose to law enforcement each subsequent credit card transaction effected by a subject of investigation immediately after the issuer records that transaction.

A Google search reveals no other mentions of “hotwatch” orders other than the government’s filing in this case. Likewise, a search of Federal and State cases via Lexis Nexis reveals no other information.

I request any records, including memoranda, policies, procedures, legal opinions and statistics concerning the use of “hotwatch” orders or other requests for prospective credit card transaction information. The scope for this request shall include all documents created between January 01, 2000 and May 10, 2009.

Sunday, May 10, 2009

FBI budget request raises questions

From ABC News:
The budget request shows that the FBI is currently developing a new "Advanced Electronic Surveillance" program which is being funded at $233.9 million for 2010. The program has 133 employees, 15 of whom are agents.

According to the budget documents released Thursday, the program, otherwise known as "Going Dark," supports the FBI's electronic surveillance intelligence collection and evidence gathering capabilities, as well as those of the greater Intelligence Community.

"The term 'Going Dark' does not refer to a specific capability, but is a program name for the part of the FBI, Operational Technology Division's (OTD) lawful interception program which is shared with other law enforcement agencies," an FBI spokesman said.

... the program is designed to help the agency deal with changing technology and ways to intercept phone calls such as those used by VOIP (Voice Over Internet Protocol) phones or technology such as Skype.

That is rather interesting, considering that in 2008, there were only 10 electronic communications intercept court orders requested nationwide (by both Federal and State law enforcement). As for Skype and other encrypted communications -- again in 2008, only two instances of encryption were encountered, and neither posed a barrier to investigators, who were still able to obtain the information they wanted.

So. Either we're paying 23 million in development/staff costs per intercept (assuming the number has stayed the same since 2008), electronic intercepts have jumped in number by an order of magnitude, or.... the FBI and other agencies are engaging in electronic surveillance in a way that evades the traditional reporting requirements for wiretap and intercept orders. I wonder which it is?

Kudos to Yahoo

I've been in Europe for a couple days now. I've logged into my Gmail account every day, and not seen any form of notice. However, I saw this today when logging into my Yahoo! junk mail account.


I've never seen anything like this before, from any Internet provider. Does this mean that if I log into my Gmail and Hotmail accounts from Europe or Asia, that the companies do not mirror my inbox on nearby servers? What about caching?

Is Yahoo the only one that mirrors, or simply the only one to disclose it to customers?

Whatever the case, good for Yahoo for being forthcoming, and for giving users the choice.

Now, if only they'd offer their users SSL encryption for the full Webmail session (and not just the username/password), perhaps they might get a bit more regular praise from this blog.

Tuesday, May 05, 2009

TACO: Admitting Defeat

My Targeted Advertising Cookie Opt-Out tool is now comfortably over 10,000 active users. It has also now been added to Mozilla's list of recommended add-ons, and is thus prominently featured in parts of

This seemed like a good time to reevaluate my TACO strategy. In particular, I have decided to admit defeat in my rather futile attempt to bully Microsoft and Yahoo into better protecting the privacy of their users. I have come to realize that the benefits of protecting TACO users from Yahoo and Microsoft's behavioral advertising simply outweigh any potential pressure I might be applying to these companies.

Over the past two months, 5 different online advertising companies have switched to a non-identifiable opt-out cookie. My original (and somewhat naive) plan was to refuse to add support in TACO for any company which did not provide opted out users with complete anonymity. That is, once the user opted out, the company would cease installing any other identifiable cookies into that user's browser.

The fact is that users are really only given a single way of expressing their interest in having some privacy -- the behavioral advertising opt-out. While many companies interpret this as "We will still collect lots of data on you, but won't use it to customize advertisements", many users are likely to interpret it as a more comprehensive "stop tracking me, don't collect any identifiable data on me, and don't show me any targeted advertisements."

While I still believe that advertisers should offer this latter form of opt-out to end users, they currently do not, and I now realize that I do not have the power to force Yahoo and Microsoft down this path. For such a change to be made, the US Federal Trade Commission or Congress would need to take more of an interest.

For now, I continue to reject any support for advertisers whose opt-out mechanism itself is 100% identifiable. That is, while Yahoo and Microsoft offer a generic opt-out, they also force other identifiable cookies upon the end-user. Other advertising companies, such as Specific Media and Fetchback only offer identifiable opt-out cookies, which I believe are an unreasonable invasion of end-user privacy.
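
The three kinds of opt-out behaviour distinguished above can be told apart by opting out in two freshly created browser profiles and comparing the cookies each one ends up with. The sketch below is an added example, not TACO's code; the domains, cookie names and values are constructed, and the function names are hypothetical.

```javascript
// Added example: domains, cookie names and values are constructed.
// Each profile maps cookie name -> value, as observed for one ad network
// after opting out in a separate, freshly created browser profile.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// A cookie whose value differs between two independent profiles can tell
// those browsers apart, so it is treated as identifiable.
function identifiableCookies(profileA, profileB) {
  return Object.keys(profileA)
    .filter((name) => has(profileB, name) && profileA[name] !== profileB[name])
    .sort();
}

function classifyOptOut(optOutName, profileA, profileB) {
  if (!has(profileA, optOutName) || !has(profileB, optOutName)) {
    return { category: "no-opt-out-cookie", identifiable: [], accepted: false };
  }
  const identifiable = identifiableCookies(profileA, profileB);
  let category;
  if (identifiable.includes(optOutName)) {
    category = "identifiable-opt-out"; // the opt-out cookie itself is unique
  } else if (identifiable.length > 0) {
    category = "generic-opt-out-plus-identifiable-cookies";
  } else {
    category = "anonymous-opt-out"; // nothing distinguishes the two browsers
  }
  // Policy described in the post: only an identifiable opt-out is rejected.
  return { category, identifiable, accepted: category !== "identifiable-opt-out" };
}

// Constructed observations for three hypothetical networks.
const samples = {
  "ads-a.example": ["optout", { optout: "1" }, { optout: "1" }],
  "ads-b.example": ["optout", { optout: "1", uid: "7f3a9c" }, { optout: "1", uid: "02bd41" }],
  "ads-c.example": ["oo", { oo: "u=51c0e2" }, { oo: "u=a9047d" }],
};

function classifyAll(observations) {
  const out = {};
  for (const [domain, [name, a, b]] of Object.entries(observations)) {
    out[domain] = classifyOptOut(name, a, b);
  }
  return out;
}

console.log(classifyAll(samples));
```

Two profiles are the minimum for this comparison: a value shared by both could still be assigned per cohort or per region, so more profiles give a firmer answer.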

Version 1.7 of TACO is now available for experimental download, and it will be automatically rolled out to all TACO users in a few days, once the Mozilla team has reviewed the changes to make sure there is nothing malicious in the code.