Big Brother

By way of TPM: Brian Ross and Richard Esposito at ABC News report that the federal government is tracking the phone numbers that reporters call in an effort to root out confidential sources.

In case you haven’t been keeping score, the Bush administration claims they don’t need a warrant to:

• Listen to phone calls where at least one participant is outside the country.
• Automatically intercept, store, transcribe and process phone conversations and email that are entirely domestic, so long as the contents of the communication (the actual conversation, or the body of the email) are not listened to by a human until a secret FISA warrant is obtained. The “metadata” information that they consider unprotected includes date, from and to fields of email and the time, duration, and phone numbers called by tens of millions of Americans, including phone calls by reporters who break stories that embarrass the administration.

So far the administration’s response to criticism that such warrantless surveillance is illegal has been to threaten the people with leaking evidence of their criminal activities with prosecution, no doubt trying to ferret out the whistleblowers by trolling through the phone logs of every reporter who’s mentioned the subject.

Update: fixed typo.

Declining to answer questions about revelations that Vice President Dick Cheney argued for allowing the NSA to intercept entirely domestic telephone calls and e-mail without warrants, his spokeswoman simply responded:

“As the administration, including the vice president, has said, this is terrorist surveillance, not domestic surveillance.”

The response follows last week’s revelation in USA Today that the NSA has secretly collected the phone records of tens of millions of terrorists currently living in the United States.

For those of you in the Boston area, there’s a day-long Workshop on Data Surveillance and Privacy Protection at Harvard on Saturday, June 3rd. Registration is free (though you need to register to attend), and it looks like a good set of speakers. (Link via Simson Garfinkel.)

The ACLU is hosting an online national town-hall meeting tonight (6pm PDT / 9pm EDT) called Our Freedom at Risk: Spying, Secrecy and Presidential Power. The ACLU has a strong opinion on the matter, obviously, but hopefully it’ll still provide more light than heat. Questions are being taken via the Web, and archives will show up within 24 hours at the ACLU town hall site.

I saw this sign on the MBTA a few days ago, a part of their whole post-9-11-world Transit Watch Program.

Is it just me, or did this whole “Traitors Are Everywhere” schtick cross the line into self-parody a good while ago?

EFF is sounding a warning about Google Desktop’s latest Search Remote Computers function. The function itself sounds nice: one search command to search all your documents and viewed webpages regardless of what computer they’re on. Trouble is, Google does it by uploading all those sensitive documents to their own servers in case your laptop or other computers are off-line.

I think Google has a pretty good moral compasses, but (as I mentioned when GMail came out) there are fundamental risks with this sort of centralized system regardless of the trustworthiness of the company running them. As EFF’s alert points out, many legal protections enjoyed by information stored on your own home computer are lost when stored with an online service provider:

The privacy problem arises because the Electronic Communication Privacy Act of 1986, or ECPA, gives only limited privacy protection to emails and other files that are stored with online service providers—much less privacy than the legal protections for the same information when it’s on your computer at home. And even that lower level of legal protection could disappear if Google uses your data for marketing purposes. Google says it is not yet scanning the files it copies from your hard drive in order to serve targeted advertising, but it hasn’t ruled out the possibility, and Google’s current privacy policy appears to allow it.

I can imagine other legal and practical questions as well. For example, if Google Desktop wound up uploading a researcher’s company-confidential tech reports, would that count as “disclosure” and thus prevent him from filing for a patent on his work? And if a laptop running the software is opened in a foreign airport (e.g. China), can the local Google office be subjected to subpoena under that country’s own laws?

Saturday’s Washington Post article on the NSA’s domestic eavesdropping program has a short aside I find rather chilling (emphasis mine):

Even with 38,000 employees, the NSA is incapable of translating, transcribing and analyzing more than a fraction of the conversations it intercepts. For years, including in public testimony by Hayden, the agency has acknowledged use of automated equipment to analyze the contents and guide analysts to the most important ones.

According to one knowledgeable source, the warrantless program also uses those methods. That is significant to the public debate because this kind of filtering intrudes into content, and machines “listen” to more Americans than humans do. NSA rules since the late 1970s, when machine filtering was far less capable, have said “acquisition” of content does not take place until a conversation is intercepted and processed “into an intelligible form intended for human inspection.”

When I was in the Software Agents Group at MIT in the late ’90s, we had lots of discussion about whether people would be legally responsible for the actions of automated software programs (agents) they use. If I tell eBay’s software to bid up to a given price, can I be held to that agreement even though the “agent” did the bidding and not me? If I knowingly write and unleash an intelligent virus, am I responsible for the damage it causes? The answer to these questions has to be yes if responsibility means anything in our increasingly automated society, and the question would be completely ludicrous were it not for the complexity of what software can now do without our direct intervention. Imagine the murder defense “I didn’t kill those people, my gun did!” And yet, this is the logic being used by the NSA when they claim eavesdropping only counts if the interception is shown to a human. “I didn’t spy on innocent Americans, my software did it!”

There are times where being watched by electronic eyes is preferable to being watched by humans. For example, I trust that Google’s automated system will only use my email to generate relevant advertisements (and nothing else) more than I would if they had humans reading and tagging every email by hand. However, in the NSA’s case their software is doing exactly what they themselves are prohibited from doing both by statute and the Fourth Amendment, namely looking for illegal activity by trolling through mountains of private domestic communications without probable cause. Even if the software only produced a human-readable summary or a ranked list of suspicious people, that output would be tainted just as surely as if an NSA analyst had produced it.

(Thanks to Nelson both for the link and the reminder to donate to the ACLU.)

Boing Boing reports that Apple’s iTunes 6.0.2 has a new “feature” where clicking on a song in your playlist pops up related albums on sale at the iTunes Music Store in a little window at the bottom. Apple does it by sending the song, artist, album, genre and ID to Apple (presumably — the IP addresses are in the 69.144.123.xx range, which is Akamai).

GET /WebObjects/MZSearch.woa/wa/ministoreMatch?an=Music+From+The+Motion+Picture&gn=soundtrack&kind=song&pn=Austin+Powers+-+The+Spy+Who+Shagged+Me HTTP/1.1

This is rightly being decried as spyware (really, how could it not be?) though at least iTunes will stop announcing what you’re listening to if you close the mini-store window (using the new “box with up-arrow” button in the lower-right corner).

My PhD thesis was all about designing software that provides information based on what you’re doing and I have a soft spot for applications like this, but I see three fundamental problems in what Apple has done here. First and most importantly, the mini-store is for their benefit rather than mine — they’re taking advantage of the impulse buyer in all of us, hoping we’ll make purchases we wouldn’t make if we had time to think about it. Second, their application requires that personal (if not personally identifiable) information be sent over the net rather than processed locally, with no idea how long the info is kept or how it might be used. Music collections are personal things, and even if I liked the mini-store application I’d think twice about clicking on a lewd song for fear of how that info might be used or eventually tied back to me. Finally and most obviously wrong, they’re snooping without asking, which is just plain rude and makes me distrust the company and the software.

Update 1/12/05:As Charles points out in the comments, MacOSXHints reports that Apple has told them that absolutely no information is (currently) being collected from the MiniStore. I’m glad to hear it (and would have been a little surprised if it was otherwise), but it doesn’t change my not liking such data going beyond the bounds of my own domain. If the Mini-store was actually useful to me I might be willing to make that sacrifice, but as it is it’s just annoying.

Tom Owad over at Applefritter has a nice simple example of the kind of homebrew data aggregation that’s possible with just a little bit of programming knowledge and a home internet connection.

The thing that scares me about data mining is not that super-secret information about me is revealed — my Amazon wish-list doesn’t contain anything I’d be embarrassed or concerned if it was seen by any of my friends or for that matter 99% of the other people in the world. And odds are good that anyone bothering to look me up by name or go to my website will fall into that category. The trouble is that if I pop up in a trolling-expedition at all it’s much more likely the troller is among that 1% of the people that I would be upset about reading my wish-list. Ed McMahon doesn’t mine the Internet to pick winners of the Publishers Sweepstakes, but over-zealous FBI agents do look for people promoting the wrong politics, companies look for suckers to blast with seemingly perfect-for-you product announcements, con artists look for rich recently-widowed women above a certain age, and pedophiles look for young latch-key kids with their own webcams.

From Bruce Schneier’s Cryptogram, in a recent post comparing Bush’s recent (and continuing!) wiretapping to Project Shamrock in the 1960s:

Bush’s eavesdropping program was explicitly anticipated in 1978, and made illegal by FISA. There might not have been fax machines, or e-mail, or the Internet, but the NSA did the exact same thing with telegrams.

We can decide as a society that we need to revisit FISA. We can debate the relative merits of police-state surveillance tactics and counterterrorism. We can discuss the prohibitions against spying on American citizens without a warrant, crossing over that abyss that Church warned us about twenty years ago. But the president can’t simply decide that the law doesn’t apply to him.

This issue is not about terrorism. It’s not about intelligence gathering. It’s about the executive branch of the United States ignoring a law, passed by the legislative branch and signed by President Jimmy Carter: a law that directs the judicial branch to monitor eavesdropping on Americans in national security investigations.

It’s not the spying, it’s the illegality.

Personally, I think it’s the illegality and the spying, but in the name of keeping the debate clear I’m happy to keep the two arguments separate.