Privacy Working Group

After a failed bombing aboard a Detroit-bound plane on Christmas day, it looks like Umar Farouk Abdulmutallab (the “underwear bomber”) will do for whole-body imaging what Richard Reid (the “shoe bomber”) did for the rule that all shoes be sent through an x-ray scanner.

Whole body imaging (known in the media as a “virtual strip search”) uses either backscatter X-rays or millimeter wave technology to create a detailed view of the passenger’s body by constructing images from the X-ray photons or radiation reflected by the body.  As I have noted before, whole-body imaging is one of the most effective way of detecting passengers carrying weapons or explosives.  Nobody expects this to be a silver bullet in the fight against terror, but it may very well be an important layer in improving the security of air travel.

Unfortunately, most of the public debate over whole-body imaging has not focused on the merits or shortcomings of the technology, but rather on the privacy implications of the technology.  Groups like Center for Democracy and Technology (CDT), Electronic Privacy and Information Center (EPIC) and the Privacy Coalition have all argued vehemently against the technology because of supposed privacy fears, even going so far as to demand that the Transportation Security Administration (TSA) suspend all use of the technology.  These privacy fears have even made their way to Congress where Rep. Jason Chaffetz (R-UT), who introduced legislation to restrict the use of whole-body imaging, stated “You don’t have to look at my wife and 8-year-old daughter naked to secure an airplane.”

Even in nations that appear to be pushing forward with the technology, privacy objections are causing officials to impose restrictions that reduce the effectiveness of the technology.  For example, in the United Kingdom officials announced that they would exempt individuals under the age of 18 from going whole-body imaging requirements because of fears that they would be creating indecent images of children.  But if the technology poses no privacy risks, then why are children being excluded from searches?  (And does anybody else see the glaring security problem with publicly announcing that an entire group of people will never be subjected to this type of screening?)

While this technology can be used to violate personal privacy, it does not have to.  In this sense, it is no different from other security measures already in use like video cameras or pat-downs that, if used improperly, could result in serious violations of personal privacy. More importantly, used with appropriate controls, a traveler’s privacy can be protected without reducing the effectiveness of the technology.  Various controls can be used to ensure privacy, including any combination of the following:

• Blurring recognizable facial features (like this)
• Only showing “chalk-line” body outlines (like this)
• Banning equipment that can store the images of passengers
• Isolating the screeners who view the images of passengers from the actual passengers
• Prohibiting recording equipment in the computer rooms displaying images of passengers
• Audits to ensure that government officials properly implement privacy controls
• Stiff penalties for violations of privacy controls
• Whistleblower protection for reports of privacy violations

Ensuring privacy is important, and government officials should welcome ideas on how best to preserve privacy, but privacy should not be a barrier to implementation if the technology is effective.  The decision about whether or not to invest in full-body imaging technology should be based on strategic risk management, not privacy fears based on speculation and worst-case scenarios.

Is this technology the most effective use of limited resources to stop terrorism?  If so, then scan away.

In today’s Hill there is a story about potential privacy legislation on the horizon:

Online privacy is a hot conversation topic these days.

Facebook and Google are updating their privacy settings. Reps. Rick Boucher (D-Va.), Cliff Stearns (R-Fla.) and Bobby Rush (D-Ill.) are working on broad privacy legislation. Advocacy groups are ramping up their calls for more strict privacy standards on the Web. 

This could be either a very good or a very bad thing.  Just the threat of government involvement may be enough to get the private sector moving:

“Privacy is our No. 1 challenge,” said Tim Sparapani, Facebook’s public policy director. “It also happens to be our No. 1 opportunity.”

Wednesday night, Facebook founder Mark Zuckerberg announced in a blog post that users will soon be able to control who sees each individual piece of content they post or upload to the site. Zuckerberg asked users to review and update their privacy settings over the next few weeks as the changes are rolled out.

Sparapani said Facebook is such a new technology that missteps tend to be sensationalized, which leads to knee-jerk reaction and regulation.

Google recently introduced a “dashboard” showing users what information the company has about them. Pablo Chavez, Google senior policy counsel, said the company has realized that “it’s much better to be very transparent” about its practices.

Needless to say, privacy advocates on both sides of the political aisle will be watching these developments very closely.

This week CBC News reported a Canadian woman, as a result of photographs posted to her Facebook profile, lost her long-term sick leave benefits. Natalie Blanchard, diagnosed as clinically depressed by her doctor, had been on leave for a year and a half.  According to the article:

When Blanchard called Manulife, the company said that “I’m available to work, because of Facebook,” she told CBC News this week.

She said her insurance agent described several pictures Blanchard posted on the popular social networking site, including ones showing her having a good time at a Chippendales bar show, at her birthday party and on a sun holiday — evidence that she is no longer depressed, Manulife said.

Blanchard said she notified Manulife that she was taking a trip, and she’s shocked the company would investigate her in such a manner and interpret her photos that way.

What is particularly interesting about this case is Blanchard’s Facebook profile had been locked to unapproved Facebook users and it is unclear how her insurer was able to access the photographs.  However, her insurer, Manulife, did confirm it uses Facebook.

ZDNet recently posted an article on SunGuard Availability Services Chief Technology Officer’s predictions for cloud computing in 2010.  His vision for the rapidly growing world of cloud computing included:

• Cloud computing will become a mainstream, widely used technology.
• With increased demand, cloud computing providers’ success will being to differentiate between those that provide reliable, solid products and those that simply rest on buzz words and hype to market their offerings.
• Enterprise-grade, cloud-based backup, replication and recovery tools will begin to appear as part of cloud computing service provider offerings.

These predictions seem to have already gained momentum with companies, like Microsoft, who are clearly taking steps to assert their cloud computing presence.  This week, the Associated Press reported Microsoft will be releasing Azure – a tool used for building software which runs over the internet – out of test mode this coming January and will eventually charge for its use.

One important consideration that is already contentious among experts in the cloud computing field, and central to this blog, is privacy.  With cloud computing clearly on the rise, the public will need to begin considering the privacy implications that may accompany a business farming out the management of data and software to an external organization.

I was watching CNN last night and they interviewed Evan Ratliff, writer for Wired magazine.  In September he set up a challenge:  he was going to disappear and readers were encouraged to try and find him.  A reward of $5,000 was offered.  According to Wired:

What followed Evan’s disappearance was the most fun journalistic experience I’ve ever participated in. Evan began by leaving a few clues about his location: He sold his car in Las Vegas, pulled money out of an ATM in Santa Monica and even snuck into an interview on Venice Beach with Sometimes Daily.

Meanwhile, the hunt grew. The Facebook group devoted to finding Evan expanded to about 1,000 members and a counter group was formed, with people in it conspiring to keep him hidden. Fake Evans appeared online, fake photos of his travels appeared on Flickr, his friends talked to hunters just the way they would talk to private investigators, clues began to pile up, moles sabotaged real hunters. And a few non-Evan Evans were spotted too.

Eventually the hunters, congregating on Twitter and IRC channels, had created a remarkably detailed profileof Evan — from what he liked to do, to what he liked to eat. Meanwhile, the brilliant Mike Selinker fromLone Shark Games(aka @dusky_wireworm) planted clues that the hunters were sometimes able to solve incredibly fast, and other times, not so fast. He even once stumped his wonderful colleague, Teeuwynn Woodruff, who was helping to lead the hunt but who wasn’t given any inside information.

With just 10 days to go until Evan collected his prize, things started heating up. He was almost captured at a soccer game in Salt Lake City. Then, thanks to some clever sleuthing by someone with connections at Delta, nearly nabbed in the Atlanta airport. Meanwhile, without Evan knowing it, Jeff Reifman at newscloud had uncovered his aliases and was hot on his trail. By late this past weekend, Jeff and a team of other trusted hunters were closing in and had tracked him to Louisiana.

The intriguing privacy aspect is what Wired said after he was caught:

It was an amazing experiment in what privacy means in the digital age (and how much Google knows about us!), how hard it is to escape one’s identity online and how to track people. It was also an experiment for Evan in what it’s like to try to start life as someone new.

 We already know that the government is watching and tracking us.  The question is whether or not we are comfortable with that and what to do to ensure a person’s privacy in this ever growing world of data collection.

Just remember there is always somebody watching you, whether you like it or not.

The Transportation Security Administration is testing new safety technology combining the fun of a video game with the intrusiveness of a strip search.  According to The Hill:

The $20 million trial program called Future Attribute Screening Technology (FAST) combines an eye-tracking device that gauges abnormal pupil sizes; a laser radar that reads the person’s heart and respiration rate; and a thermal camera that can pick up changes in skin’s temperature, all while the person stands on a Nintendo Wii Fit balance board.

The balance board used in the system is being tested to see if it can detect tiny movements not visible to the human eye, Chandler said. When those movements are paired with other physiological indicators, they could suggest mal-intent, he said.

“No one sign will tell us if someone is planning to do harm. We’re trying to determine if any combination of signals can separate out potential threats. It will always be a security officer’s decision if a person warrants additional screening. The idea is to provide those decision-makers with additional information they can use.”

This $20 million trial program should be halted immediately.  Rep. Jason Chaffetz (R-Utah) hit the nail on the head when he said:

“It’s crazy what you have to do to get on an airplane,” he said in an interview. “I’m on an airplane every three or four days. I want the airplane to be as secure as possible, but oh my goodness, you get treated like a criminal.”

Privacy and national security are not mutually exclusive, you can have both.  This program must be stopped immediately.

As the 2010 Census gets underway, many people continue to raise privacy objections. While most of these objections are just to government collection of data in general, some relate specifically to technology. As I’ve written before, unfounded fears such as these have even led the Census Bureau to backtrack on using technology like the Internet to collect census data, which would help lower costs and increase the response rate. Check out this video from Newsy.com that contrasts the privacy objections of some individuals with the benefits of conducting a well-run census.

Last week Governor David Patterson (D-NY) announced New York will be receiving $3 million dollars in federal funding to strengthen local and state level government cyber security efforts as a result of the 2010 Department of Homeland Security Appropriations Act recently signed by President Obama.

The new funding will bolster New York’s current cyber security infrastructure which supports local and state governments nationwide and will be employed by the Multi-State Information Sharing and Analysis Center (MS-ISAC), which is operated by New York State’s Office of Cyber Security and Critical Infrastructure Coordination.  According to the press release:

This expanded infrastructure would provide a representative sample of system and network activity for enhancing situational awareness not only of New York State’s cyber security infrastructure, but that of state, local and territorial government networks across the country. It would also enable more timely cyber incident identification and response while providing more resources for developing and implementing appropriate mitigation strategies tailored specifically to state, local and territorial government cyber resources.

Considering the incredible amount of data we entrust to the digital world, it’s heartening to see the federal government is taking measures to ensure American privacy and security online.  However, there is always more that can be done as criminals tactics online are continually becoming more sophisticated.  Hopefully, Congress continues their efforts to improve national security online.

An October 19 story on CNN.com illustrates some of the privacy concerns with social networking sites such as Facebook and MySpace.:

If you’re on Facebook, Twitter or any other social networking site, you could be the next victim.  That’s because more cyberthieves are targeting increasingly popular social networking sites that provide a gold mine of personal information, according to the FBI. Since 2006, nearly 3,200 account hijacking cases have been reported to the Internet Crime Complaint Center, a partnership between the FBI, the National White Collar Crime Center and the Bureau of Justice Assistance.

This shows that new technology also means thieves look for new ways to steal money or personal information.  And we all know that personal information is gold in the hands of the wrong people.

This story should be a stark reminder of the importance of the private sector ensuring people’s privacy when accessing any website rather than any short sighted government regulation/intervention.

The mercurial way that thieves move from one scam to another hinders any slow moivng legislative body from passing effective legislation.  Just as thieves started working on counterfeiting new $20 bills as soon as they were released, they will find ways around any legislation.  Remember, the United States federal government is the same entity that still operates a dairy subsidy that was instituted in 1937 as a temporary program.

The government needs to be flexible when it comes to stopping cyber crimes and there needs to be stronger enforcement and penalties to act as real deterrents.

CNN.com reported on yet another email-based identity theft scam, this one involving the impending 2010 Census. Let’s be clear – the U.S. Census Bureau does not, under any circumstances, ask for personal information via email; people who responded to these types of information requests for the Census via email were simply the latest to be duped by cybercriminals.

We are seeing that the current trend is toward scams that involve “popular trends and current events,” the upcoming census being one example. These scams use timeliness to their advantage, and whatever semblance of legitimacy they have can fool people into revealing important personal information – PIN codes, Social Security numbers, and credit card numbers.

How does one protect oneself against this kind of fraudulent activity? Michael Kaiser, executive director of the National Cyber Security Alliance, encourages people to ask a simple question that could save a lot of hassle: “Why would a website need this information?” If you don’t have a good answer for that question, then odds are you shouldn’t supply the site with your information. Online consumers are also urged to read the privacy policies of the websites that they use to make transactions: it is stated in the policy whether or not the information you give to the site will be handed over to third parties.

In short, the key to online consumer security is in the hands of the consumer. Be discerning, exercise caution and good judgment when revealing your personal information online. In Kaiser’s words – “Don’t fill it out if you don’t want to.” That simple rule could save you a lot of hassle when it comes to your “PII” online.