I’ve mentioned the Government-Private partnership on snooping before, in particular a speech given by Michael Chertoff, who was remarkably candid on how the government and the private sector can work together, whereby the private sector can “create a marketplace for the technology and a marketplace for the systems”. He was talking specifically about screening travellers, but his remarks apply equally well to the current NSA scandal. Business Week recently reported that purchasing “commercially collected data allows the government to dodge certain privacy rules”.
The Business Week article refers to a U.S. Government Accountability Office report on the privacy issues and challenges facing Federal agencies. The summary notes that “Advances in information technology make it easier than ever for the federal government to obtain and process personal information about citizens and residents in many ways and for many purposes.” The reason they were investigating was “To ensure that the privacy rights of individuals are respected, this information must be properly protected in accordance with current law”.
One of the areas the USGA focused on was information resellers, “companies that collect information, including personal information about consumers, from a wide variety of sources for the purpose of reselling such information to … both private-sector businesses and government agencies.” They also noted that these resellers have “amassed extensive amounts of personal information about large numbers of Americans, and federal agencies access this information for a variety of reasons.” But they found that “the acquisition [and practices for handling] of personal information from resellers by DHS, Justice, the Department of State, and the Social Security Administration … did not always reflect the Fair Information Practices.” As an example of problems, they pointed to (surprise) the Department of Homeland Security’s use of reseller data to screen airline passengers under its Transportation Security Administration program:
TSA did not fully disclose to the public its use of personal information in its fall 2004 privacy notices, as required by the Privacy Act. In particular, the public was not made fully aware of, nor had the opportunity to comment on, TSA’s use of personal information drawn from commercial sources to test aspects of the Secure Flight program. In September 2004 and November 2004, TSA issued privacy notices in the Federal Register that included descriptions of how such information would be used. However, these notices did not fully inform the public before testing began about the procedures that TSA and its contractors would follow for collecting, using, and storing commercial data. In addition, the scope of the data used during commercial data testing was not fully disclosed in the notices. Specifically, a TSA contractor, acting on behalf of the agency, collected more than 100 million commercial data records containing personal information such as name, date of birth, and telephone number without informing the public. As a result of TSA’s actions, the public did not receive the full protections of the Privacy Act.
Good examples of information resellers would be ChoicePoint and LexisNexis. You’ve probably heard about ChoicePoint before, from Greg Palast’s expose on the Florida voting debacle, news of their data leaks, and revelations that ChoicePoint sold “extensive personal data about millions of citizens” from Mexico and several other South American countries to the US government. LexisNexis has also had its fair share of controversy when it turned out they too had security breaches of data and tried to cover it up.
So far, it doesn’t look like information resellers have got a good track record of holding onto their data, and usage of that data by government agencies doesn’t seem to respect privacy, either.
The Business Week article specifically points at NeuStar – while not really an information reseller, they do specialise in helping “phone company clients comply with ‘subpoenas, court orders, and law enforcement agency requests under electronic surveillance laws’”. TPMuckraker has a great article covering them, stating that AT&T, BellSouth and Verizon are their clients. Says TPMuckraker:
In a pitch to service providers, it bills itself as a “scapegoat” for hire, presumably allowing phone companies to deny responsibility for or involvement in turning over their records to the government. … NeuStar actually has an advantage over its competitors: it’s not just an FBI-friendly third party, it’s a major routing company. According to their web site, “Nearly every telephone call placed is routed using NeuStar’s system, and every telecommunications service provider is one of NeuStar’s customers.”
NeuStar have, however, denied any involvement and ArsTechnica’s Hannibal agrees with this. His argument seems convincing. Also, while he recognises that “There seems to be a consensus emerging” that an information reseller is involved, he believes this is wrong: that the denials from BellSouth et al are simply lies, and that they’re “gambling they’ll never be called on it.”
If their execs were called to testify before Congress the Bush administration would assert executive privilege to prevent them from having to give incriminating testimony. And as far as a possible day in court goes, federal invocation of the state secrets privilege will neutralize any potential legal liability. … Wired’s whistleblower, Mark Klein, has already revealed that the telcos themselves are in fact collaborating with the NSA by letting them install secret rooms full of traffic snooping hardware on telco property. So the telcos are so neck deep in this NSA program that any talk of third parties is pointless.
Ok, so NeuStar is probably a dead horse, but the increasingly secret and co-operative triangle between government, big business, and technology is a major problem. This is not just specific to the US, but increasingly a world-wide problem for anyone plugged in to our electric nervous system.
Communication technology has always been used as a surveillance tool, from the telephone to faxes to mobiles and so on, but never before has there been such an opportunity to analyse the population with dataveillance (see Roger Clarke’s excellent paper on this topic). We too readily accept and condone what happens with a shrug of the shoulders as long as we can still buy our stuff. As Chertoff said in his speech, consumers could “see value in having a biometric card”, and then we gladly give up information “for it in return for getting some kind of trusted traveler status”.
Where does it end? Seeing value in having an Arphid implanted in your arm? The coming Day of the Arphids with its Internet of Things does not bode well if we are increasingly happy to relinquish our movements, habits and thoughts to the private sector just for them, in turn, to hand it over to the government once we’ve received some reward. If this is what we’re doing now with our existing communication and electronic networks, what will we be prepared to do with Arphids in our possessions? Allow the government to make sure we’re not reading the wrong sorts of books?
Bruce Schneier said it best recently on Wired:
Too many wrongly characterize the debate as “security versus privacy.” The real choice is liberty versus control. Tyranny, whether it arises under threat of foreign physical attack or under constant domestic authoritative scrutiny, is still tyranny. Liberty requires security without intrusion, security plus privacy. Widespread police surveillance is the very definition of a police state. And that’s why we should champion privacy even when we have nothing to hide.
Thank God for people like the EFF.