White Hat, Black Hat, Bleeding Heart

Julia Horwitz imageLet's start with the Heartbleed bug.

Since the announcement of Heartbleed last week, everyone has been paying attention to security vulnerabilities - a typically niche technical subject. Most internet users are, rightfully, concerned. What can they can do to protect themselves in the short term? What can Internet providers and government agencies do to help protect them in the long run? In a series of posts, I will identify and discuss the technology and policy issues involved in this important question: how can we keep the Internet secure and protect user privacy?


There Are No OLC Opinions About PRISM or 215, So Who Decided It Was Legal?

Alan Butler imageIn light of the President's recent announcement that the NSA's bulk collection of telephone metadata will end, there is a renewed interest in Congress to revise U.S. surveillance laws. At the same time, the Privacy and Civil Liberties Oversight board is conducting its review of the bulk collection of international communications under the Section 702 / PRISM program. While these oversight and reform efforts are underway, it is important to consider the policy-making process that authorized these programs in the first place.

Two Freedom of Information Act cases, one brought by EPIC following the disclosures last summer and another brought by the ACLU several years before, attempt to get to the heart of this question. Both cases lead to the same shocking conclusion - that the Department of Justice Office of Legal Counsel, which played a central role in the initial decision to implement the warrantless wiretapping program, was not involved in the decision to transition those surveillance programs to new FISA authorities.


The FBI is "Working" on an Updated Privacy Statement for Facial Recognition

Jeramie Scott imageFacial recognition technology presents a serious risk to privacy and civil liberties because it can so easily be deployed covertly, from a distance, and on a mass scale. There is little to no precautions that can be taken to prevent collection of one's image. Participation in society inevitably involves exposing one's face, whether it's on the public streets or through social media. Ubiquitous and near-effortless identification eliminates an individual's ability to control their identity and poses special risk to the First Amendment rights of free association and free expression, particularly for those who engage in lawful protests. The FBI's ever expanding use of facial recognition technology could render anonymous free speech virtually impossible.

For at least 10 years, the FBI has been testing and using facial recognition. This is evidenced by a February 19, 2004 Privacy Impact Assessment ("PIA") conducted by the FBI for the "Computer Aided Facial Recognition Project." The project sought to assist the University of Sheffield in its testing of a particular method of facial recognition. The PIA makes clear that the FBI wanted "to develop a semi-automated tool enabling FBI examiners to extract facial landmark measurements from question images (such as, bank Surveillance photos) and conduct one-on-one comparisons with known images of a suspect in custody."

More recently, the FBI has been working on incorporating facial recognition technology into its Next Generation Identification ("NGI") program.


Sometimes In Class Action Settlements Plaintiffs Gain Nothing, But Risk Everything

Julia Horwitz imageWhen I refer to the Constitution's "Double Jeopardy Clause," people know what I mean. You can't be tried twice for the same crime. Many have seen the Ashley Judd movie, where her character is wrongly convicted of a murder and therefore free to kill with impunity when she is released form prison. But there is a counterpoint to the Double Jeopardy Clause, and it kind of works the other way. You can't relitigate an issue you've already brought to court. That concept is called res judicata, and it creates an interesting problem when applied to consumer class action lawsuits, like the recent Facebook privacy suit.


Offensive Cyber Operations and America's Grand Strategy Mistake

David Husband image

There should be a serious, public debate about the value of offensive cyber operations for American security versus the costs. There are indications that this debate has occurred behind the scenes, but if we have learned anything from the NSA surveillance scandal, it is that the American people should be involved in the debate. It is the American people who should be setting the terms of whether we should even engage in this war and, if we choose to do so, to what extent we should prosecute the war. This debate, quite frankly, should be far more public than it has been. It is high time that Americans are aware of what is being done in our name in the realm of national security, when the potential blowback and costs are so high.


New Reports Reveal Flaw in Government's Justification for NSA Metadata Program

Alan Butler imageNew reports from the Wall Street Journal and the Washington Post reveal that the NSA's collection of telephone call records under Section 215 of the USA PATRIOT Act is not as "comprehensive" as the Government previously described. Officials now estimate that less than 30% of domestic calls are collected under the 215 program because the collection does not cover records from most cell phone carriers. This severely undercuts the government's two main justifications for the bulk metadata collection program: (1) that it is necessary to have comprehensive call records to conduct link analysis and (2) that querying the database can provide "peace of mind" by indicating that no terrorist links exist. In light of this new revelation, it is now more clear than ever that this program is ineffective and has to end.

But let's look in a bit more detail at how both justifications fall apart because the NSA collects a skewed subset of telephone records.


Welcome to EPIC's Privacy Rights Blog!

Today EPIC is launching our Privacy Rights Blog. The goal of the blog is to expand on our coverage of emerging privacy and open government issues by publishing extended posts written by EPIC staff and special guests. We will post our thoughts on recent news items, legal developments, and policy issues. If you have comments, questions, or suggestions for future blog topics, please contact us at blog [at] epic [dot] org. Thanks for reading!


Failing Grade: Education Records and Student Privacy

Alan Butler imageWith the increasing collection and commercialization of education records, student privacy is sure to be a key policy issue in 2014. Because of this, EPIC has assembled an expert panel for January 14, 2014, to assess the current challenges and discuss recommendations. Senator Ed Markey, who has been a longtime champion of privacy rights, will keynote this lively discussion and set out recommendations for new safeguards. Our event, Failing Grade: Education Records and Student Privacy, will feature the Education Department's Chief Privacy Officer Kathleen Styles, Fordham Law Professor Joel Reidenberg, and EPIC Advisory Board members Pablo Molina and Dr. Deborah Peel.

In 2013, Senator Markey sent a letter to the Education Department, requesting information on the "impact of increased collection and distribution of student data" on student privacy rights. Among other questions, Senator Markey asked why the Department made changes to the Family Educational Rights and Privacy Act, a federal student privacy law; whether the Department "performed an assessment of the types of information" that schools disclose to third party vendors; and whether students and their families can obtain their information held by private companies. The letter stated, "By collecting detailed personal information about students' test results and learning abilities, educators may find better ways to educate their students. However, putting the sensitive information of students in private hands raises a number of important questions about the privacy rights of parents and their children."


License Plate Readers - Will the FBI Ever Address Their Privacy Implications?

Jeramie Scott imageThe FBI has been testing and using License Plate Readers (LPRs) for years, yet recently received Freedom of Information Act documents indicate that they still haven't fully addressed LPR's privacy implications.

As of March 2011, the Federal Bureau of Investigation has at least 1 federal agency, 10 state agencies, and 71 local agencies participating in License Plate Reader (LPR) projects that compare license plates against the National Crime Information Center (NCIC) database the FBI runs. LPRs are often placed on top of law enforcement vehicles or at strategic locations like the entry points of bridges or tunnels.


Does the Fourth Amendment Protect International Packages?

Alan Butler image According to a recent report by the German news site Der Speigel, the NSA's elite hacking division, known as Tailored Access Operations or TAO, has worked with the CIA and FBI to intercept and install surveillance software on laptops ordered by certain targets. This process, called "interdiction," involves diverting the shipments to a secure facility, installing special software, then repackaging and sending the devices to their final destination. While Fourth Amendment protections might not apply to these packages once they leave the country, the seizure and reconfiguration of consumer products by the NSA is a significant privacy intrusion. These operations, if they were to take place within the United States, present two interesting Fourth Amendment issues that are not commonly discussed: the protection afforded to commercial packages in general, and international packages specifically.