Privacy and Security

A story in yesterday’s Wall Street Journal titled NSA’s Domestic Spying Grows as Agency Sweeps Up Data (subscription required) reports that–

According to current and former intelligence officials, the spy agency now monitors huge volumes of records of domestic emails and Internet searches as well as bank transfers, credit-card transactions, travel and telephone records. The NSA receives this so-called “transactional” data from other agencies or private companies, and its sophisticated software programs analyze the various transactions for suspicious patterns. Then they spit out leads to be explored by counterterrorism programs across the U.S. government, such as the NSA’s own Terrorist Surveillance Program, formed to intercept phone calls and emails between the U.S. and overseas without a judge’s approval when a link to al Qaeda is suspected.

The NSA’s enterprise involves a cluster of powerful intelligence-gathering programs, all of which sparked civil-liberties complaints when they came to light. They include a Federal Bureau of Investigation program to track telecommunications data once known as Carnivore, now called the Digital Collection System, and a U.S. arrangement with the world’s main international banking clearinghouse to track money movements.

The effort also ties into data from an ad-hoc collection of so-called “black programs” whose existence is undisclosed, the current and former officials say. Many of the programs in various agencies began years before the 9/11 attacks but have since been given greater reach. Among them, current and former intelligence officials say, is a longstanding Treasury Department program to collect individual financial data including wire transfers and credit-card transactions.

An NSA spokeswoman stated that the Agency “strictly follows laws and regulations designed to preserve every American’s privacy rights under the Fourth Amendment to the U.S. Constitution.” If you find comfort in that statement, consider this description of how the Agency uses its expanded domestic surveillance authority to pursue leads:

If a person suspected of terrorist connections is believed to be in a U.S. city — for instance, Detroit, a community with a high concentration of Muslim Americans –the government’s spy systems may be directed to collect and analyze all electronic communications into and out of the city. The haul can include records of phone calls, email headers and destinations, data on financial transactions and records of Internet browsing. The system also would collect information about other people, including those in the U.S., who communicated with people in Detroit.

The information collected “doesn’t generally include the contents of conversations or emails.” Generally. That’s a word we lawyers use to say “most of the time we don’t, unless we do.” Even without such content the NSA can identify the parties to phone calls and emails, their locations, and their cell phone numbers. The telecoms enable the NSA’s efforts either by copying all data through their switches to share with the NSA, or by ceding control to the NSA over the switches. The White House is pushing a bill that would immunize the telecoms from liability for privacy claims arising from this data collection. The NSA domestic surveillance program includes elements of and technology from the Pentagon’s Total Information Awareness initiative that Congress defunded in 2003 following criticism of TIA’s potential for civil rights abuses. Before it was killed the Pentagon renamed TIA to Terrorist Information Awareness to make it seem less creepy. Now the NSA is implementing TIA through its “black budget,” beyond effective non-NSA scrutiny.

The Journal story reminded me of a recent Wired column by the always-prescient Bruce Schneier: What Our Top Spy Doesn’t Get: Security and Privacy Aren’t Opposites. Schneir’s column focuses on a proposal from National Intelligence Director Michael McConnell to monitor all–“that’s right, all–” Internet communications:

In order for cyberspace to be policed, internet activity will have to be closely monitored. Ed Giorgio, who is working with McConnell on the plan, said that would mean giving the government the authority to examine the content of any e-mail, file transfer or Web search. “Google has records that could help in a cyber-investigation,” he said. Giorgio warned me, “We have a saying in this business: ‘Privacy and security are a zero-sum game.'”

This states it as baldly as one can. This administration’s top intelligence personnel consider every increase in security to require a corresponding decrease in privacy. As Scheier states “I’m sure they have that saying in their business. And it’s precisely why, when people in their business are in charge of government, it becomes a police state.” Scheier says privacy versus security is a false dichotomy, that the true dichotomy is between liberty and control–and that “liberty requires both security and privacy.”

AG Declares War on IP Infringement

This precis on GigaLaw caught my eye: “The Bush administration isn’t ready to curtail its crackdown on copyright crimes as Attorney General Alberto Gonzales asked Congress for stronger criminal penalties for repeat offenders and stiffer penalties for counterfeiters who cause people to be injured or die.” Huh? Counterfeiters who cause people to be injured or die? The linked article passed along this tidbit of information without comment or explanation (not a strength, perhaps, of The Hollywood Reporter). I had to understand the link between copyright infringement and death.

The reason for this alarming warning is the Intellectual Property Protection Act of 2007, proposed on Monday to Congress (see here and here) by beleaguered Attorney General Alberto Gonzales.* (Aside: read this article from today’s New York Times. It describes how Gonzales, then White House Counsel, along with White House chief of staff Andrew Card, tried to convince Attorney General John Ashcroft, hospitalized and “critically ill with pancreatitis,” to renew the National Security Agency’s clandestine domestic surveillance program. Ashcroft, an architect of the USA-PATRIOT Act and no civil rights zealot, refused to renew the program due to his concerns about its constitutionality.) Gonzales’s proposed act would criminalize copyright infringement far beyond current law. Among other things it would:

  • Increased penalties for repeat offenders,
  • Expand forfeiture provisions for criminal copyright infringement (which means one’s computer, iPod, or house could be taken upon conviction, just as if the person were a drug dealer),
  • Empower the federal government to engage in wiretap surveillance in copyright investigations,
  • Criminalize attempted copyright infringement, and
  • Impose prison sentences of up to 20 years for infringement that results in bodily harm, or life if the infringing activity results in death. Examples of such potentially physically-harmful infringement include (per Wired) “hawking bogus Lipitor or adding a fake “UL” logo to a power cable that doesn’t meet Underwriters Laboratories’ safety standards.”

The Act does not yet have a House or Senate sponsor. If it passes it imagine the possibilities: Law and Order: Piracy Unit. “Now drop those blank CDs, put your hands over your head, and back away from the computer!”

*A Google search for the exact phrase produced 3,490 results. A search for those words not in that exact order produced 44,600 results. How many results does it take for this guy to resign?