We are developing the social individualist meta-context for the future. From the very serious to the extremely frivolous... lets see what is on the mind of the Samizdata people.

Samizdata, derived from Samizdat /n. - a system of clandestine publication of banned literature in the USSR [Russ.,= self-publishing house]

Privacy Wrap

A couple of interesting stories caught my eye.

First, the Queen is working hard to use legal means to include privacy clauses in the employment contracts with palace employees, in an effort to prevent leaks and protect the privacy of the Royal Family.

The new contracts cover more than 300 staff from gardeners and cleaners to the lord chamberlain, but will also affect those working for other leading members of the royal family such as the Prince of Wales whose accounts are published separately.

The move forms part of a broader royal strategy, including the appointment of a director responsible for internal security and vetting, aimed at halting the spate of damaging leaks in recent years.

It is a sign of the times that the palace requires a Director for Internal Security to provide them with a modicum of privacy.

Meanwhile, in another sign of the times, US airlines and the US government are under fire for privacy breaches during background checks.

Four airlines — including Continental, Delta, America West and Frontier — and at least two reservation systems provided the information to the government or its contractors, the acting head of the Transportation Security Administration, David Stone, told a Senate committee. Some of the companies denied that.

The agency previously had said only two airlines had done so.

Sen. Joe Lieberman of Connecticut, top Democrat on the Senate Governmental Affairs Committee, said the agency ”may have violated” the Privacy Act, which says the government must notify the public if it intends to collect records on people.

An agency spokeswoman, Yolanda Clark, said the Homeland Security Department’s privacy officer is investigating the agency’s involvement in the data-sharing from airlines. The information, known as passenger name records, includes credit card numbers, travel reservation details, address and telephone number. It also could mean meal requests, which can indicate a passenger’s religion or ethnicity.

The potential for abuse here seems clear, and I hope that firm action is taken to prevent a reoccurance.

Sky to Broadcast Pub CCTV Footage

Here’s one I almost missed:

CCTV footage sought for TV show

According to The Publican, Sky are seeking pub landlords who can provide them with “dramatic or funny” CCTV footage. Faces of those “not involved in the incident” will, of course, be blurred out.

Which implies that faces of those who are involved will be visible. Maybe acceptable if the footage shows a crime – but what if it’s just “funny”?

I don’t know about you but I reckon my friends would recognise me even with a blurry face (situation normal?).

My Mum definitely would.

Data Surveillance

Most Americans do not care about exposing themselves to massive data surveillance but they should, says George Washington University law professor and New Republic legal affairs editor Jeffrey Rosen in his new book, “The Naked Crowd.” Rosen discussed technology and the uneasy balance between security and privacy on April 20 at 2 p.m. on washingtonpost.com.

Jeffrey Rosen: The book is a response to a challenge by my friend and teacher Lawrence Lessig, who writes about cyberspace. We were on a panel about liberty and security after 9/11, and I denounced the British surveillance cameras, which I had just written about for the New York Times magazine, as a feel good technology that violated privacy without increasing security. Lessig politely but firmly called me a Luddite. These technologies will proliferate whether you like it or not, he said, and you should learn enough about them to be able to describe how they can be designed in ways that protect privacy rather than threatening it. I took Lessig’s challenge seriously, and spent a year learning about the technologies and describing the legal and architectural choices they pose. The rest of the book followed naturally, and it’s an attempt to think through the behavior of the relevant actors who will decide whether good or bad technologies are adopted — that is, the public, the executive, the courts, and the Congress.

If at first you don’t succeed….

The Australian government has long desired to force ISP’s and Internet content Hosts to take responsibility for the activities of their clients. An attempt to do this in 1999 was defeated, but the authorites are back for more.

The draft bill states that ISPs are required to determine whether their services are used for “illegal conduct or speech.”

Paragraph 152 of the Explanatory Notes to the draft bill says that “Possible action that could be taken by ISPs and Internet Content Hosts (ICHs) so as not to facilitate use of a carriage service by another person that breaches proposed subsection 474.16(1) includes an ISP ceasing to provide Internet services to that person or an ICH ceasing to host a particular Website containing content that breaches the proposed offence.”

Obviously, the implication is clear- should this measure get up, ISP’s will be legally required to be much more aggressive in their surveillance of their customers; a gross breach of their privacy.

(Via Whirlpool.net.au)

Senators Question TSA Denials

Wired has a follow-up reporting on the controversy surrounding the airline companies hand-over passanger data to government contractors (TSA)designing and testing CAPPSII in 2002.

Two senators on Wednesday asked the Transportation Security Administration whether the agency violated federal rules by helping its contractors acquire passenger data, and why the agency told government investigators it didn’t have such data.

The senators also pressed the TSA for an explanation of why it hadn’t revealed the transfer of millions of passenger records to government contractors. Senate members had asked TSA officials directly whether they had done so, but the answer was no.

Two TSA agency spokesmen also denied to Wired News that any data transfer had taken place, saying that the project did not need data at the time.

But this week, American Airlines became the third airline to reveal that it turned over millions of passenger records to the government without informing the passengers. JetBlue and Northwest Airlines had earlier revealed that they too had transferred passenger records to government contractors. For the past eight months, TSA officials and spokesmen have repeatedly denied that any data transfer occurred. Two senators, Susan Collins (R-Maine) and Joe Lieberman (D-Connecticut) wrote:

We are concerned by potential Privacy Act and other implications of this reported incident. Moreover, TSA told the press, the General Accounting Office and Congress that it had not used any real-world data to test CAPPS II.

American Airlines has now indicated that it provided over 1 million passenger itineraries at TSA’s request, which raises the question of why agency officials told GAO that it did not have access to such data.

And there was much fudging as you can read in the article

Getting under my skin

The news just goes from bad to worse on the RFID front. Trevor Mendham quoted Tesco CEO Sir Terry Leahy as saying that RFID tracks products, not people, but American tech company Applied Digital Solutions, through it’s subsidiary Verichip Corporation, has already broken through that barrier.

They have developed a RFID product that is implanted in the victim.

The VeriChip minaturized Radio Freqency Identifcation (RFID) Device is the core of all VeriChip applications. About the size of a grain of rice, each VeriChip contains a unique verification number, which can be used to access a subscriber-supplied database providing personal related information. And unlike conventional forms of identification, VeriChip cannot be lost, stolen, misplaced or counterfeited.

Once implanted just under the skin, via a quick, painless outpatient procedure (much like getting a shot), the VeriChip can be scanned when necessary with a proprietary VeriChip scanner. A small amount of Radio Freqency Energy passes from the scanner energizing the dormant VeriChip, which then emits a radio frequency signal transmitting the individuals unique verification (VeriChipID) number. The VeriChip Subscriber Number then provides instant access to the Global VeriChip Subscriber (GVS) Registry – through secure, password protected web access to subscriber-supplied information. This data is maintained by state-of-the-art GVS Registry Operations Centers located in Riverside, California and Owings, Maryland.

It’s a password protected website- anyone with knowlege of the internet knows that password protected websites are not that secure; anyone that says that they can guarantee the security of such a webserver is whistling in the wind.

It’s rather like that dreadful George Lucas film, The Phantom Menace, where the slaves are fitted with a tracking device. Verichip Corp. doesn’t have slaves in their sights as a target market- they have a wider target market in mind.

VeriChip products are being actively developed for a variety of security, defense, homeland security and secure-access applications, such as authorized access control to government and private sector facilities, research
laboratories, and sensitive transportation resources, including the area of airport security.

In these markets, VeriChip is able to function as standalone
personal verification technology or it is able to operate in conjunction with other security devices such as ID badges and advanced biometrics.

In the financial arena, VeriChip has enormous potential as a personal verification technology that could help curb identity theft and prevent fraudulent access to banking and credit card accounts.

In other words, they are after a world where everyone is fitted with these devices. Does Big Blunkett own shares in this company? At the moment, they are working with gun manufacturers. Who will be next?

Affairs of the Heart and Phone

Plenty of people around the world by now know of the allegations of philandering made against the English footballer David Beckham, based on claims made to the media, and also on transcripts of SMS phone messages that are said to have been sent between Beckham and one Rebecca Loos.

The ins and outs of the affair are none of our concern, but what did concern me was this explainatory article in The Advertiser:

He apparently even has offered to produce his mobile phone records to prove his innocence. It may surprise some mobile phone users that some carriers retain details of text messages.

In Australia, Telstra keeps SMS messages for up to 28 days and Optus keeps theirs for three days.

I have three questions here. First, why are telephone companies keeping records of these things at all, and second, why is there such a large difference between Telstra, the dominant company that is still half owned by the government, and Optus (which is now owned by Singtel, the phone arm of the Singaporean government.) And thirdly, why are these messages apparently so insecure?

Are you the master of your own data?

As a follow up on the issue of privacy and personal data protection, here is an article that is a part of a special report on Protecting your ID by Silicon.com. Their conclusion is on the timid side but deserves to be noted:

It is tempting to say data will leak, as sure as vulnerabilities in complex software will be discovered or spam will be sent. But let’s not be fooled. Sensible data protection regimes around the world – and the UK should be applauded for its progress in this area – can make a difference. They will do much to protect some of our most valuable assets – the information that relates to us.

Privacy, business and government

Mark Cornish of Adam Smith Blog has a post on privacy with very pertinent comments on consumer loyalty cards.

Rather than worrying about businesses using data in order to make their shopping experience more tailored to individual customers, we should be worrying about the number of civil servants allowed to snoop on their fellow citizens. According to the Foundation for Information Policy Research police and other officials are making around a million requests for access to data held by net and telephone companies each year. Customs and Excise have 200 staff authorised to use the snooping authority and had sought access 35000 times in the last year. The Inland Revenue accessing such data a further 11700 times in the last year. Do we allow too much snooping, or is it important for fighting crime?

I have not yet got around to everyday bashing of these everyday invasions of privacy. Some would say it is a trade-off – you get a discount and they get your data – but the balance of power is certainly not even. I especially detest the Nectar card that is a joint effort to collect customer data by Sainsbury’s, BP, Debenhams and Barclaycard, with Vodafone, Ford, Threshers, Victoria Wine, Wine Rack, Bottoms Up and Adams, Childrenswear, London Energy, Seeboard Energy, SWEB energy, All:sports joining gradually.

You can see why this line of apparel appeals to me…

“One billion people to get biometrics and RFID tracking by 2015”

No, that’s not some sick April Fool joke. In fact it’s a headline from the respected silicon.com

The article reports that civil liberties groups worldwide are objecting to plans by the International Civil Aviation Organisation (ICAO) to incorporate biometrics and RFID chips in all passports. This would be linked to a global identity database.

The plans, to be discussed by the ICAO next week, would make biometrics and tagging compulsory by 2015.

The ICAO’s preferred biometric is facial recognition, which was recently described by the Economist Intelligence Unit as having the potential to ensure that “privacy, as it has existed in the public sphere, will in effect be wiped out”.

Cross-posted from The RFID Scanner

European Parliament Rejects US Demands for Passenger Information

The BBC reports that the European Parliament’s civil liberties committee has rejected the EU Commission’s agreement to automatically pass personal information about transatlantic passengers to US authorities. The committee concluded that:

“The agreement with the United States is not on a level that… gives enough protection to EU citizens”

Unfortunately, as the BBC article points out, the infamous EU democratic deficit means that “The parliament’s opinion has no legal force”.

Fighting for Right Not to Show ID

Wired writes about the case of a Nevada rancher who covets his privacy. Dudley Hiibel refused to hand over his identification to a police officer in 2000, an act which landed him in jail and his name on the U.S. Supreme Court’s docket.

At issue in the case, which will be heard March 22, is whether individuals stopped during an investigation of a possible crime must identify themselves to the police. Nevada state law says that individuals must do so if a police officer has reasonable suspicion that a crime has been or will be committed.

Hiibel’s attorneys argue that in such situations, known as Terry stops, individuals already have the right to not answer questions and that requiring individuals to show identification violates the Fourth and Fifth Amendments’ protections against unreasonable searches and self-incrimination.

The case runs as follows: Police responded to a report of an altercation between Hiibel and his daughter in Hiibel’s pickup parked on the side of the road. Hiibel was outside the pickup when deputies arrived and asked for his identification before asking about the alleged fight. A tape of the incident shows Hiibel refused 11 requests to produce identification, after which the deputy arrested him for impeding a police officer.

Police then arrested Hiibel’s daughter, Mimi, when she protested the arrest of her father. Both her charge of resisting arrest and the domestic violence charges against Hiibel were later dismissed. He was, however, found guilty of obstructing a police officer and fined $250, but the public defenders on the case appealed the conviction to a district court and the Nevada Supreme Court. Hiibel said:

I feel quite strongly I have a right to remain silent and I didn’t commit a crime. (The deputy) demanded my papers. I exerted my rights as a free American and I was cuffed and taken to jail.

Harriet Cummings, one of three Nevada public defenders working on the case, said that while the case might seem like “no big deal,” the legal issues at stake are huge.

This goes to the very nature of what our society is going to be like. We believe that exercising your right to remain silent should not be something that can cause you to be imprisoned.

If an officer acting under suspicion that a crime has been committed comes up to a person, starts asking questions and demands identification, and if the person, as Mr. Hiibel did, declines that demand, they can be hauled off to jail. And we think that is not something that should happen in a free society.

Solicitor General’s Office and the National Association of Police Organizations also filed briefs supporting the identification requirement, arguing that it was a necessary and not overly intrusive tool in fighting crime and terrorism. Here we have it, crime and terrorism wheeled out yet again…

Though the hearing is still weeks away, the case is already being widely debated in the blogosphere, thanks to the publicity efforts of privacy advocate Bill Scannell.

And on the topic of databases and governments – the Electronic Privacy Information Center’s brief ties the identification requirement to large-scale law enforcement databases, such as the FBI’s criminal database. The problem, according to EPIC staff attorney Marcia Hofmann, is not just that a police officer can use a driver’s license to pull up reams of data on a person from massive databases. It’s also that the encounter itself will be added to the system, Hofmann said.

Every little time something like this happens, the police question you and want to know who you are, it’s an incident that gets put into a database. And there will be a record of it thereafter, regardless of whether you did anything wrong.