Tuesday, May 24, 2011

Senators hint at DOJ's secret reinterpretation and use of Section 215 of the Patriot Act


According to two Democratic Senators, the Department of Justice has secretly reinterpreted a controversial provision contained in the USA Patriot Act to give the government surveillance powers that are "inconsistent with the public’s understanding of these laws." The senators also accuse DOJ of misleading the American public when describing the use of this legal authority.

This disclosure builds on previous cryptic statements from DOJ officials regarding the use of "Section 215" powers for "sensitive collection program," and Senator Russ Feingold regarding repeated abuses of Section 215 that he was not permitted to publicly describe.

Although FBI Director Robert Mueller revealed earlier this year that the FBI has used Section 215 powers to monitor the sale of hydrogen peroxide, such data collection is unlikely to be the "sensitive collection program" about which several senators have tried to alert the public.

If I had to make a wild guess, I suspect it is likely related to warrantless, massive scale collection of geo-location information from cellular phones.

Secret reinterpretations of the law

Marcy Wheeler reported this evening that Senators Wyden and Udall, both of whom are on the Intelligence committee have submitted an amendment (pdf) as part of the rushed, bipartisan effort to reauthorize Patriot Act. The amendment is noteworthy not because of the changes to the law it proposes, but the information it reveals:

(6) United States Government officials should not secretly reinterpret public laws and statutes in a manner that is inconsistent with the public’s understanding of these laws, and should not describe the execution of these laws in a way that misinforms or misleads the public;

(7) On February 2, 2011, the congressional intelligence committees received a secret report from the Attorney General and the Director of National Intelligence that has been publicly described as pertaining to intelligence collection authorities that are subject to expiration under section 224 of the USA PATRIOT Act (Public Law 107–56; 115 Stat. 295); and

(8) while it is entirely appropriate for particular intelligence collection techniques to be kept secret, the laws that authorize such techniques, and the United States Government’s official interpretation of these laws, should not be kept secret but should instead be transparent to the public, so that these laws can be the subject of informed public debate and consideration.

For those of you who don't read legalese, this means that the Department of Justice has secretly reinterpreted a controversial provision in the Patriot Act, likely Section 215, and is using it in a way that is inconsistent with the public's understanding of the law.

DOJ has already admitted that Section 215 is being used for a "sensitive collection program"

On September 22, 2009, Todd Hinnen, then the Deputy Assistant Attorney General for law and policy in DOJ’s National Security Division testified before the House Judiciary Subcommittee on the Constitution, Civil Rights, and Civil Liberties in support of the reauthorization of key provisions of the USA PATRIOT Act.

During his oral testimony, Mr. Hinnen stated that:
"The business records provision [Section 215] allows the government to obtain any tangible thing it demonstrates to the FISA court is relevant to a counterterrorism or counterintelligence investigation.

This provision is used to obtain critical information from the businesses unwittingly used by terrorists in their travel, plotting, preparation for, communication regarding, and execution of attacks.

It also supports an important, sensitive collection program about which many members of the subcommittee or their staffs have been briefed."

Section 215 has been repeatedly abused

On October 1, 2009, Senator Feingold made several statements regarding abuses of Section 215 during a Senate Judiciary Committee markup hearing:

"I remain concerned that critical information about the implementation of the Patriot Act remains classified. Information that I believe, would have a significant impact on the debate..... There is also information about the use of Section 215 orders that I believe Congress and the American People deserve to know. It is unfortunate that we cannot discuss this information today.

Mr Chairman, I am also a member of the intelligence Committee. I recall during the debate in 2005 that proponents of Section 215 argued that these authorities had never been misused. They cannot make that statement now. They have been misused. I cannot elaborate here. But I recommend that my colleagues seek more information in a classified setting.

I want to specifically disagree with Senator Kyle's statement that just the fact that there haven't been abuses of the other provisions which are Sunsetted. That is not my view of Section 215. I believe section 215 has been misused as well."

Likewise, after the Senate rejected several reforms of Section 215 powers in 2009, Senator Durbin told his colleagues that:
"[T]he real reason for resisting this obvious, common-sense modification of Section 215 is unfortunately cloaked in secrecy. Some day that cloak will be lifted, and future generations will whether ask our actions today meet the test of a democratic society: transparency, accountability, and fidelity to the rule of law and our Constitution."

Clearly, there are many unanswered questions - we do not know what kind of data collection is occurring, and why it is problematic enough to cause four senators to speak up publicly. However, given that four senators have now spoken up, this strongly suggests that there is something seriously rotten going on.

Tuesday, May 03, 2011

Industry-created "privacy enhancing" abandonware

Industry loves self regulation and why shouldn't it? Given the choice between strong enforcement by a federal agency, and scout's honor promises, industry would be foolish to support a strong FTC.

Unfortunately, the self-regulatory groups and organizations that are created in response to the threat of regulation are often extremely short lived.

Pam Dixon noted this in her her comment (pdf) submitted in response to the FTC's recent privacy report:
[I]ndustry knows that the Commission’s attention span is limited. When the Commission showed interest in online privacy in the years before 2000, industry responded by developing and loudly trumpeting a host of privacy self-regulatory activities. Most of these activities were strictly for the purpose of convincing policy makers at the Commission and elsewhere that regulation or legislation was a bad idea. All of these activities actually or effectively disappeared as soon as new appointees to the Commission demonstrated a lack of interest in regulatory or legislative approaches to privacy.

[These include:]

The Individual Reference Services Group (IRSG) was announced in 1997 as a self-regulatory organization for companies that provide information that identifies or locates individuals. The group terminated in 2001.

The Privacy Leadership Initiative began in 2000 to promote self regulation and to support privacy educational activities for business and for consumers. The organization lasted about two years.

The Online Privacy Alliance began in 1998 with an interest in promoting industry self regulation for privacy. OPA’s last reported activity appears to have taken place in 2001, although its website continues to exist and shows signs of an update in 2011.

The Network Advertising Initiative had its origins in 1999, when the Federal Trade Commission showed interest in the privacy effects of online behavioral targeting. By 2003, when FTC interest in privacy regulation had evaporated, the NAI had only two members. Enforcement and audit activity lapsed as well. NAI did nothing to fulfill its promises or keep its standards up to date with current technology until 2008, when FTC interest increased

Industry created privacy enhancing software is made for regulators, not consumers

A few weeks ago, Ryan Singel at Wired wrote about Google's curious lack of support for Do Not Track (DNT). Rather than embracing the DNT header supported by the three other major browser vendors, Google is instead pushing the 3rd party browser plugins it has released that make it possible for consumers to retain their opt out cookies.

As I told Ryan then:
"[Google's] opt-out cookies and their plug-in are not aimed at consumers," Soghoian says. "They are aimed at policy makers. Their purpose is to give them something to talk about when they get called in front of Congress. No one is using this plug-in and they don’t expect anyone to use it."
Soon after this piece was published, I received a bit of pushback from several friends in Washington, who felt I was unfairly slamming the company.

However, when you actually examine the history of the industry's privacy enhancing technologies, they seem awfully similar to the short-lived self regulatory organizations that Pam Dixon highlighted.

Privacy enhancing abandonware

On March 11, 2009, Google entered the behavioral advertising market. On the same day, Google released its Advertising Cookie Opt-out Plugin for Firefox and Internet Explorer. The browser plugin permanently saves the DoubleClick opt-out cookie, enabling users to retain their opt-out status even after clearing all cookies.

Google's tool was a genuine innovation in privacy enhancing technologies. Furthermore, as the tool was released under an open source license, I was able to take the source code, expand it, and turn it into TACO, which opted consumers out of dozens of different ad networks.

The initial release of Google's plugin worked with Firefox 1.5 through 3.0.

In June 2009, Mozilla released Firefox 3.5. It took Google nearly two weeks to release an update to its plugin that was compatible with the new version of the browser.

One year later, Mozilla released Firefox 3.6 in January 2010. This time, it took more than a month for Google to release an updated version of the add-on.

Most recently, on March 22, 2011, Mozilla released Firefox 4.0. More than 5 weeks later, Google still has not released an updated version of its opt out add-on.

Google can perhaps be forgiven for ignoring the users of its Firefox privacy add-on -- the company's attention seems to have shifted to its new plugin: Keep My Opt Outs, which only supports the company's Chrome Browser (the tool was quickly rushed out announced on the same day that Mozilla announced its support for Do Not Track).

Similarly, in November 2009, the Network Advertising Initiative (an organization representing many of the major ad networks) released its own Firefox plugin that makes opt out cookies permanent. NAI Executive Director Charles Curran told one journalist that "this [tool] has been a recognition of criticism of opt-outs that are recorded in cookies. It's essentially designed to prevent the standard sweep of cookies that you get from a cookie cache dump...It's designed to work with the browser functionality."

As with Google's plugin, although it has been more than 5 weeks since the the release of Firefox 4.0, the NAI plugin still has not been updated to support it.

Why updates are important

When a user upgrades to a new version of Firefox, the browser will check for available updates to all installed browser plugins. Any plugins that have not been updated to support the new browser release will be disabled. This is obviously a pretty big problem, which is why Mozilla actively encourages developers to make sure that their addons support upcoming versions of the browser. For the 4.0 version of Firefox, which was released in March, Mozilla started harassing add-on developers as far back as November, 2010.

As such, there are likely tens of thousands (if not more) users of Firefox 4.0 whose Advertising Cookie Opt-out Plugin is currently disabled due to incompatibility. The moment these users clear their cookies (something some many have configured to happen automatically when they restart their browser), they will lose their doubleclick.net behavioral advertising opt out cookie. Likewise, the thousands of Firefox 4.0 users who had previously installed the NAI opt out plugin have now lost the opt out cookie persistence that they were promised.

These firms have created privacy enhancing technologies and then loudly advertised them to consumers and regulators. Unfortunately, now that the attention of regulators has shifted to Do Not Track, both Google and the NAI appear to have abandoned the users of their respective plugins. Neither firm has provided their users with sufficient notice to let them know the impact, or let them know what other options they have to continue to maintain their opt out choices.

Perhaps the FTC will take notice?