thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Tuesday, October 31, 2006

Privacy and Identity - IGF workshop outcomes

The workshop on privacy and identity we held together with the LSE information systems group this morning sparked an interesting discussion. Christian Möller gave some examples of how privacy is not only important in itself, but also a necessary condition for freedom of expression. Microsoft's Jerry Fishenden presented their InfoCards concept and the "7 Laws of Identity" as one approach to handling user data based on different credentials. While most of the panelists agreed that this is a good basis to start from, and especially welcomed the company's recent efforts to make it more privacy-friendly, Jan Schallaböck and Mary Rundle pointed at one major drawback: once you have sent your personal information to a company - no matter whether through InfoCards or another system - you cannot control what happens to it afterwards. Jan, who is with the data protection authority of the German land of Schleswig-Holstein, therefore presented the ideas, concepts and systems developed in the EU-funded Privacy and Identity Management in Europe (PRIME) project as an alternative. Their model is that user data given to web service providers will have a "sticky privacy policy" attached to it in the form of meta-data. This meta-data moves with the personal data and can help ensure that it is only used or transferred in a way the user has agreed to. Mary from NetDialogue suggested handling this in a similar way to the Creative Commons licences: privacy policies should be human-readable, lawyer-readable, and machine-readable. The advantage would be that users can better decide how they "license" the use of their data to other parties. Mary even presented a very nice series of icons that symbolize different use policies. This approach might be one way to address the failure or "myth of user empowerment", as Yves Poullet called it.
Stephanie Perrin, research director at the Office of the Privacy Commissioner of Canada, finished by saying that the privacy community has to become much more involved in international technical standardization processes. As always, time was too short. Therefore, we will discuss a collaborative follow-up process later this evening.
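To make the sticky-policy idea concrete, here is a small added example (my own illustration, not code from the PRIME project): a record carries the data subject's consent as machine-readable metadata, every use or onward transfer is checked against it, and the policy travels unchanged when the data changes hands. The parties (webshop, courier, data-broker), purposes and attributes are constructed for the example.

```python
"""Sticky privacy policy carried as metadata with personal data (added example)."""
from dataclasses import dataclass, replace
import json


class PolicyViolation(Exception):
    """Raised when a use or transfer is not covered by the subject's consent."""


@dataclass(frozen=True)
class StickyPolicy:
    allowed_purposes: frozenset    # uses the data subject agreed to
    allowed_recipients: frozenset  # parties the holder may pass the data on to
    human_summary: str             # the human-readable "deed", as with Creative Commons

    def machine_readable(self) -> str:
        """Serialise the policy so a receiving system can parse and enforce it."""
        return json.dumps({
            "allowed_purposes": sorted(self.allowed_purposes),
            "allowed_recipients": sorted(self.allowed_recipients),
            "summary": self.human_summary,
        }, sort_keys=True)

    @classmethod
    def from_machine_readable(cls, text: str) -> "StickyPolicy":
        doc = json.loads(text)
        return cls(frozenset(doc["allowed_purposes"]),
                   frozenset(doc["allowed_recipients"]), doc["summary"])


@dataclass(frozen=True)
class PersonalData:
    subject: str
    attributes: dict
    holder: str           # who currently holds this copy of the data
    policy: StickyPolicy  # the sticky part: never separated from the attributes


def use_data(record: PersonalData, holder: str, purpose: str) -> dict:
    """Release the attributes only to the current holder and only for a consented purpose."""
    if holder != record.holder:
        raise PolicyViolation(f"{holder} does not hold this record")
    if purpose not in record.policy.allowed_purposes:
        raise PolicyViolation(f"purpose '{purpose}' not covered by consent")
    return dict(record.attributes)


def transfer(record: PersonalData, sender: str, recipient: str) -> PersonalData:
    """Pass the data on; the policy is carried over with it, unchanged."""
    if sender != record.holder:
        raise PolicyViolation(f"{sender} does not hold this record")
    if recipient not in record.policy.allowed_recipients:
        raise PolicyViolation(f"transfer to '{recipient}' not covered by consent")
    # Round-trip through the machine-readable form, as a receiving system would,
    # to show that the policy survives the hand-over intact.
    carried = StickyPolicy.from_machine_readable(record.policy.machine_readable())
    return replace(record, holder=recipient, policy=carried)


def constructed_record() -> PersonalData:
    """Constructed sample: an address handed to a web shop for a single order."""
    policy = StickyPolicy(
        allowed_purposes=frozenset({"order-fulfilment", "delivery"}),
        allowed_recipients=frozenset({"courier"}),
        human_summary="Use my address to ship this order only; no marketing, "
                      "no resale; you may pass it to the courier.",
    )
    return PersonalData("alice", {"street": "1 Example Row", "city": "Athens"},
                        holder="webshop", policy=policy)


def outcome(action) -> str:
    """Run one use or transfer and report whether the sticky policy allowed it."""
    try:
        action()
        return "allowed"
    except PolicyViolation as exc:
        return f"denied: {exc}"


def demo() -> list:
    """Walk the constructed record through allowed and disallowed operations."""
    rec = constructed_record()
    results = [
        ("webshop fulfils order", outcome(lambda: use_data(rec, "webshop", "order-fulfilment"))),
        ("webshop sends marketing", outcome(lambda: use_data(rec, "webshop", "marketing"))),
        ("webshop sells to broker", outcome(lambda: transfer(rec, "webshop", "data-broker"))),
    ]
    at_courier = transfer(rec, "webshop", "courier")  # policy rides along
    results += [
        ("courier delivers", outcome(lambda: use_data(at_courier, "courier", "delivery"))),
        ("courier profiles customer", outcome(lambda: use_data(at_courier, "courier", "marketing"))),
    ]
    return results


if __name__ == "__main__":
    for name, result in demo():
        print(f"{name}: {result}")
```

Note that the checks only bind a holder that actually runs them; a recipient that strips the metadata is exactly the gap Jan and Mary point to.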

Thursday, October 26, 2006

Privacy and Identity Frenzy

This must have been a concerted PR campaign. Two weeks ago Microsoft published its "Privacy Guidelines for Developing Software Products and Services", last week the privacy commissioner of Ontario released a privacy-enhanced version of Microsoft's Kim Cameron's "7 Laws of Identity", a few days later the Burton Group gave a first hint on their upcoming "Laws of Relation", and now Microsoft has released a whitepaper called "Privacy characteristics of the Identity Metasystem".

While I like the new privacy twist to the identity discussion, I am also sceptical of all the hype. The summary of the White Paper for example states that "Information Card technology is hardwired to comply with data privacy laws and conforms to key requirements in the European Union’s privacy regime". While this may or may not be true, the construction of an identity layer is not necessarily a good thing in the grand scheme of things. InfoCards and other online ID systems will in the mid-term converge with government-driven digital identity systems like RFID passports, publicly-certified signatures, or the German "job card" and "health card" - two items that will be rolled out on a major scale among the population soon and also have built-in signature functions. If the technology is adopted widely enough, we have an identification layer that reaches from the internet to many meatspace areas.

While this can be helpful, we also might end up effectively prohibiting anonymous internet use after the next big [your favourite terrorism event here]. Indications for this are rising, no matter whether you look at the US, China or Germany. Remember: as with institutions - if you build technology that can structure the social fabric and govern people, try not only to imagine what good it can do. Try to also imagine what your worst enemy could use it for.

Monday, October 23, 2006

Privacy Workshops at the Internet Governance Forum

The programme for the two privacy workshops I am co-organizing at the first IGF meeting is finally finished. They will take place on Tuesday, 31st October, and we are looking forward to fruitful workshops with a diverse range of perspectives. Speakers include representatives from the Data Protection Commissioners, Microsoft, the OSCE, Privacy International, the Internet Service Providers' Association of South Africa, the Public Interest Registry, or the Association for Progressive Communication - to name a few. But we don't really see them as speakers so much as participants, as the whole idea is to get something done and collaborate on the two themes, identity management and development. I'll post more about the outcomes when the event is over.

More news on the IGF in general will be here and here. It seems to become a really huge event - more than 1500 people have registered. I only hope we still get something constructive done there.

Sunday, October 22, 2006

Beers for Fears! Fingerprinting pub guests in the UK

In the UK, the government is rolling out a nation-wide system for fingerprinting every guest in a pub. The system, called "InTouch" and made by CreativeCode, is already running as a pilot in the small town of Yeovil. The "biometric membership-system" stores a hash of the fingerprint together with a photo of the guest, the name and other data. The landlord can add information on incidents and "anti-social behaviour", and will also get statistics on when a guest normally shows up etc. The system also manages pub bans issued by PubWatch, a collaboration of landlords and police. The terminals are networked, so all connected pubs can exchange the data, and a ban can be issued not only for one location, but for all pubs in a neighbourhood.

Why on earth would a pub owner want to have his guest fingerprinted, you ask? Well, as the Register reports,

some licensees were not happy to have their punters fingerprinted.
The district council has been using sticks and carrots to change this:

Not only does the council let them open later if they join the scheme, but the system costs them only £1.50 a day to run. (...) New licences stipulate that a landlord who doesn't install fingerprint security and fails to show a "considerable" reduction in alcohol-related violence, will be put on report by the police and have their licences revoked.

The UK Home Office paid the expenses for the system (£6,000) through its "Safer, Stronger Communities" funding, and has also decided to fund similar systems in Coventry, Hull and Sheffield.

The UK has become a laboratory for new technologies of control and discipline in recent years. The city of Peterborough has established a web-based "most wanted" list of terrorists - sorry, litter-dropping evil-doers - and the Blair government is running a major campaign against "anti-social behaviour". This all goes far beyond the "war on terror" or the usual privacy-invasive state activities. It aims at the grey area between legal and illegal, and the pub ban obviously does not follow established criminal procedures like getting a court decision before any punishment.

Social scientists have long diagnosed the end of the "neutralized state" (Carl Schmitt). I wrote about this eight years ago, and already back then quoted politicians from the Green Party in Germany who asked for more police actions against activities that are not "socially acceptable". This role for the state as the guardian of public behaviour - morality, that is - is relatively new and not envisioned in liberal political theory. Social norms had traditionally been stabilized in direct interactions among the population or in moral institutions like the churches, without the state interfering. Places like pubs by the way are an important locus of this kind of social integration of communities. It seems that under conditions of globalized and sharpened capitalism, the social fabric is being torn apart, which is also indicated by a growing socio-economic gap between the upper and the lower social classes (there is a wild public debate in Germany about this at the moment). Instead of dealing with the difficult global sources of these problems, the nation-state within its territorial limits seems to be focusing on the symptoms instead.

The important issue is then: Who has the power to define "social" and "normal" behaviour? How is this democratically controlled? How do we ensure this does not end in a culture of repressive "normality", of intolerance? The New York City policing model under mayor Giuliani also was an early prototype of this trend, and it is no coincidence that it was called "zero tolerance".

Via Rabenhorst

Saturday, October 21, 2006

Identity and Relations, or: yet another interesting law

The Burton group is cooking up something really interesting. A new entry in their identity blog says that
the overarching goal isn’t to issue everyone an ID, but rather to promote relationship, community, collaboration, and interaction.
So, instead of focusing on the identity of single persons and its management, they are working on the relationship. They try to
develop laws of relation. Our focus is on the connection or the network, rather than on the end points.
The first law (as in natural observed law, not moral obligation) they came up with is the
Law of Relational Symmetry: The party in control of the terms of a relationship controls the relationship and, in the absence of symmetrical countervailing controls, will eventually exploit the other participants.

This resembles something very common in the social sciences, which deal with social relationships in their manifold forms and functions. Political science for example distinguishes between different forms of power. You can have decision power in a specific setting and situation, but you can also have structural power by controlling the setting and situation - who is admitted, what is on the agenda, in which order people speak or vote? (For a good overview see Frank Baumgartner's encyclopedia entry on political agendas.)

Coming more or less from there, they develop a nice critique of the hip idea of "user-centric identity management":
user-centric identity (as currently constituted) doesn’t achieve symmetry in person-to-organization relationships, and so such relationships will continue to drift toward exploitive results.
The question then is:
Why should a person be required to submit personal information to the relationship at all? Doing so puts a person at tremendous risk, while organizations divulge very little sensitive information in return.
While I follow the Burton folks up to here, I don't share their conclusion at all. What do we learn from this empirical law if we want to make the world a better place? They suggest levelling the playing field by granting persons the same legal rights that corporations have, and end with the odd concept of a "Limited Liability Persona". I don't think this would address the problem. If you have less liability as a person, how on earth would this keep organizations and corporations from abusing your personal identity information? I would put it exactly the other way around and increase the liability of corporations instead.

But in general, the problem is much deeper. The fact that large and functionally differentiated societies have to rely on abstract and formal (or as Max Weber said: bureaucratic) organizations will always maintain this asymmetry. (And it is not only based on the way the identities are defined in the relationship, but also on the relationship itself: A consumer-shop relationship is different from an employee-company relationship.) The individual is in a structurally weaker position than the organization. To make sure the latter does not overly exploit this asymmetry, societies have developed laws: For consumer protection, labour relations, the right to strike, telecom regulation and so on. The one organization that has basically unlimited liability (and has to jump in in cases of large damage even if it's nature's or other organizations' fault) of course is the state. The way to ensure the state does not exploit its strength against the citizens' will is simple: By voting and elections.

Turning this discussion back to user-centric identity again, one way of improving the relationship here would be to have the users vote on the way they want the identity systems designed. While this is not really feasible in practice, the users' perspectives should at least be involved somehow. This argument is founded in the normative theory of legitimacy: if Microsoft and the others succeed, the identity meta-system currently developing for the internet will be a global standard. Because of network effects, there will be no real choice (or "exit" option) for the users anymore once the standard is established. You will be able to choose between different products, but you will not be able to choose the standard they implement - just as is the case with TCP/IP or GSM. Therefore, the way the standard is defined - substantively and procedurally - is relevant. Political science has recently started to look into standard-setting organizations from this perspective of normative theory, and Larry Lessig's book on code as the law of cyberspace is also making this point.

On another level, it is about the two faces of power again: It's one thing to be able to raise your voice in a global process that defines a technical standard for identity management, but it is another thing to be able to say if you want any standard at all. The latter question has never really been discussed for the internet, but the fierce political struggle over introducing ID cards in the UK shows that we can't take for granted that everybody wants an identity infrastructure in the first place.

Update: Can anyone tell me who wrote the Burton Group blog entry? My feed reader tells me it was posted by Gerry Gebel, but the entry itself says Mike Neuenschwander. I want to credit the right person here (even if it obviously was the outcome of a collaborative thinking process).
Update II: It was Mike Neuenschwander.

Friday, October 20, 2006

Laws of Identity 2.0 (now privacy turbocharged)

Ann Cavoukian, the Privacy Commissioner of Ontario, has released an updated version of the "7 Laws of Identity". She calls them "privacy-embedded laws of identity". The original "7 laws" were developed by Kim Cameron, Microsoft's chief identity architect, and are regarded as the lessons learned from the failure of Passport, the company's single sign-on service that nobody beyond MSN ever used. Cavoukian's new version adds a more privacy-conscious twist to them. The old Law #1 for example read:
User control and consent: Technical identity systems must only reveal information identifying a user with the user’s consent.
The new Law #1 now states:
Personal control and consent: Technical identity systems must only reveal information identifying a user with the user’s consent. Personal control is fundamental to privacy, as is freedom of choice. Consent is pivotal to both.
An interesting attempt by state regulators to engage the technology community. The accompanying white paper directly addresses the concerns a lot of privacy advocates have with the general idea of an identity metasystem for the internet:
"Care must be taken that a universal, interoperable identity metasystem does not get distorted and become an infrastructure of universal surveillance."
Whether the identity layer can be built and used in a way that resolves any of these dangers is not yet clear to me, but I am rather sceptical.

Other voices: The Globe & Mail has a very positive story about this - by an old friend of Kim Cameron. Stefan Brands from Credentica is also applauding the paper, and he shows where MS Cardspace does not (yet?) meet its expectations. But Ben Laurie (whose paper on identity as surveillance is a good sobering read) is annoyed by the "complete bullshit in the paper". And while Chris Linfoot warns that "something wacky's brewing over there in Ontario", Monique at SoMisguided writes ironically "We can go on blindly through the digital day, superman Microsoft is watching our back."

Tuesday, October 17, 2006

The European way: "surveillance while protecting privacy"

The EU has announced that it will fund 15 more research projects "to combat terrorism", each of them with €1 million on average. While many of them deal with new gadgets for detecting explosives, harmful microbes and related ideas, a few of them are more, well, interesting for this blog:
Enhancing surveillance and tracking while protecting civil liberties and privacy
The i-TRACS (Counter-Terrorism identification and tracking system using the analysis of communications, financial and travel data) project aims to develop an innovative advanced tracking and surveillance system consolidating and integrating multiple information data sources...
Does this ring a bell? Communications data retention, SWIFT, passenger name records?
...to arrive at a socially acceptable solution in terms of civil liberties and the privacy. (...) The i-TRACS consortium has the confluence of expertise to empower the required and justifiable data intelligence gathering of evidence in order to track and hopefully halt prima facie suspected criminal activities.
So they want to do datamining in communications, financial, and travel data to gather intelligence (not "evidence"), in order to halt suspect criminals? Oh, above it even said "terrorism" - well, never mind, you bloody mp3-sharing terrorist! And did I hear anyone saying Total Information Awareness?

It gets even better. Remember, the title says "while protecting civil liberties and privacy"? How are they going to do this?
One of the partners is a civil liberties group.
Whoopee, this will save us. The project leader is a French company called CICOM, which seems to be some business or research incubator, and which, as far as I am aware, is not known in the privacy field. So in the end, an as yet unknown civil liberties group that is accountable to no one will make sure that surveillance in Europe is "protecting civil liberties and privacy"?

This project is also interesting:
Tracking potentially suspicious persons
The main goal of HAMLeT (Hazardous Material Localisation & Person Tracking) is the classification and tracking of potentially suspicious persons for focusing the attention of security personnel (...). [A]n individual chemical sensor is unable to localize hazardous material and to associate it to an individual person. Within the integrative approach of HAMLeT, this deficiency is compensated in dynamic multiple person scenarios by fusing the output of several chemical sensors with kinematical data from laser range-scanning or video sensors to be used for multiple person tracking.

So, while it sounds like "we only track people who smell like semtex", one side-effect of this project will be to know how to use "laser range-scanning or video sensors (...) for multiple person tracking". Add this to the face-scan experiments in public places that have just started in Mainz main station last week, and you get the idea.

And then you have mySWIFT on steroids:

Combating money laundering and terrorism financing
GATE (Next Generation of Anti-Terrorist Financing Methods) will study new adaptive multidisciplinary modelling techniques to detect criminal behaviour by flagging suspicious human behaviours...
"Suspicious behaviour" can only be determined when you a) have a norm that defines normal behaviour, and b) detect deviations before you have any suspicion from other sources (otherwise, it would not be suspicion, but evidence). In other words: you have to do data-mining in close to real time (because you want to avoid the data piling up - and of course, you want to prevent snakes from getting on a plane in the first place) and detect suspicion. In what kind of data again? Ah, yes:
...for anti-money laundering/anti terrorism financing. It will combine intelligence from within individual financial institutions with computational trust modelling and mining intelligence.
So the idea is to develop a prototype for monitoring all financial transactions in Europe? No:
The project will identify, design, deploy and validate models in real conditions within banks...
They actually already want to deploy it in banks!
...to capture more complex behaviours including multidisciplinary aspects beyond utilising transaction data from financial institutions, such as demographics, social networks, lifestyle or cultural behaviours.
So they want to combine my age (demographics), my shopping or web surfing habits (lifestyle), my concert or theater visits (cultural behaviours), and my MySpace, openBC and whatever Web2.0 data plus my phone and address books (social networks), in order to detect terrorism financing? Get real. In the end they will want to find out for which small lecture I forgot to file the 50€ remuneration with the tax authorities, because I took a train to XYZ without knowing anyone there, not even among my openBC contacts. And they will say "Boy, this can be seen as money laundering, and yeah, we just have the technology to do it."

On a related note, the EU Commissioner for Justice & Home Affairs, Franco Frattini, said in August that the Internet should be made a "hostile environment" for terrorists. Spyblog asked him back then how the EU intends to do this, and now got an answer back from Jonathan Faull, Director General for Justice, Freedom and Security at the Commission. The answers are telling. Take the first question:
Are you proposing a European Union version of the national level firewall content filtering and censorware software such as is used in the "Great Firewall of China" or in Saudi Arabia and other repressive regimes?
The Commission's answer is more like a "no, we never decided to do data retention, and we think the SWIFT scandal is in fact a scandal":
At such an early stage of our consultations it would be premature to speak about a specific solution, however we can certainly reassure European citizens regarding the commitment of the European Union to the respect of human rights, which applies to all fields where it is competent, including the fight against terrorism. Indeed, as Article 6 of the [Treaty of the European Union] sets out, the European Union is founded on the principles of liberty, democracy, respect for human rights and fundamental freedoms, and the rule of law. In consequence, policy options undermining such principles will be necessarily ruled out as opposed to the democratic values that are common to all Member States and constitute the basis of our society.
The Register has a nice summary for the above:

Relieved? We know we were. So even if Europe does build a Great Firewall it won’t be one that undermines our basic principles, right…

Friday, October 13, 2006

RFID Tags, or: What was the problem we don't have the solution for?

This sounds like a serious candidate for the stupid security award. Luckily, Techdirt already has the right comment:
Some researchers in London say that tagging every passenger in airports with RFID could help fight terrorism. Well, they could give everybody some chewing gum, and that might help fight terrorism, too. (...) Clearly technology has a lot to offer security, but that doesn't mean that simply applying some technology like RFID without any real thought is a good idea.

Thursday, October 12, 2006

Germany pushing for more Internet Surveillance in EU-USA

The German minister for internal affairs, Wolfgang Schäuble, has just secured 132 million euros extra, against the protest of the finance minister, Peer Steinbrück. The money will be spent over the next three years on the domestic intelligence agency, the federal police agency, and the federal agency for information security, and will, according to news reports, mostly be used for internet surveillance. Schäuble is planning to establish an "Internet Monitoring and Analysis Unit" (Internet Monitoring- und Analysestelle, IMAS) under the auspices of the domestic intelligence agency. About 50 agents are supposed to patrol the net for "suspicious activities" there.

It is unclear what the exact task of this center will be. They might only be surfing the web and trying to learn Arabic, but as they are part of the intelligence service, they also will be able to break into computers and snoop into private communication. The federal crime agency (BKA) is also working on a central database for Internet investigations. German law enforcement agencies are already "patrolling" the public parts of the Internet without initial suspicion, and have established a coordination agency for this as early as 1998.

These developments will not stay in Germany. When Schäuble was in Washington DC recently, he already agreed with Homeland Security Secretary Michael Chertoff to set up a German-American Task Force for controlling the Internet and for information exchange.

The German government, and especially minister Schäuble, is already pushing the idea of having an internet surveillance unit in each EU member state as "best practice". While there is noisy protest from EU parliamentarians against the sharing of EU citizens' flight data with US agencies at the moment, the governments are preparing a transatlantic zone of intelligence sharing and joint surveillance. This became clear when EU domestic affairs commissioner Frattini said that the EU member states could share retained traffic data with the US, and from the indications in the last few days that EU governments would love to use the air passenger data themselves.

Expect the worst for next year here, when Germany will hold the EU presidency and the G8 presidency at the same time. German governments have a reputation for coming up with the most boring names for their surveillance projects, while the substance is not much different from "total information awareness". The difference is that nobody notices it.

Tuesday, October 10, 2006

Open Letter to George W. Bush

Pavel Mayer has written an open letter to George W. Bush that is worth reading. It is an attempt to explain why even a person like him ("who enjoys a comfortable life in a western european democratic society (...) grateful for the peace, liberty, security and the comparatively high standard of living") is deeply concerned about where the world is heading under George Bush's leadership. It is not the usual open letter, as it is quite long. This is just a short quote:
Extraordinary power requires an extraordinary noble character - normal humans easily get corrupted by it, so the arrogance of your administration is just a normal human reaction. It does not mean that you are all bad guys. It just means that you were not extraordinary enough to be up to the gargantuan tasks you faced, and when you felt it deep inside, you couldn’t admit it, because to admit your failures you all would have needed even more nobility of mind than would have saved you from failing in the first place. So you lied to yourself until you all believed that you are doing a great job, while the gap between reality and your perception widened.
The whole letter has a nice mixture of sober analysis and a certain candor in style. It reminds me of what Hannah Arendt used to call the "power of judgment".

I especially like the introduction, where he brings an argument from democratic theory:
like most people on this planet I never had a chance to vote for or against you becoming president, although your decisions have quite an impact on my life and the society I live in. Therefore I feel to have the right to question your actions and address you in person
We have been working on the normative aspects of global governance in our research project, and the question of how to ensure the legitimacy of global policies under circumstances short of a world government is not easy to answer. An emerging global public sphere like the blogosphere is certainly one step in the right direction. I hope this letter gets enough attention so at least the spin doctors in the White House and many American voters read it and think about it.

But see for yourself. And please digg it or spread the word otherwise.

PS: For those of you who have been following the discussion about if "we lost the war" against the police state or not, Pavel also wrote a concise reply: "Why we have not lost the war".

Monday, October 09, 2006

Identity of Names, Blogs, Corners, Bands, and Parks

It is really funny when there are two blogs on identity management that happen to have exactly the same name: Stefan Brands at Credentica and Nishant Kaushik at Oracle both run a blog called "Identity Corner". Seems like Nishant has finally noticed it and is now re-naming his blog. I read both of them and personally don't care about the headline on the website, because my feed reader filters them into folders named the way I want. And as long as the URL is different, you can easily distinguish them anyway. What do they think domain names were invented for? For the identification of different websites, stupid!

But it is interesting how branding, trademarks and identity intertwine here. Another story on this: There is a Lincoln Park in almost every American town, and you would not mistake "Lincoln-Park.WashingtonDC.org" for "Lincoln-Park.Los-Angeles.net", would you? Interestingly, some people did this with the band Linkin Park. It's a nice story about marketing and domain names: Their singer Chester Bennington
thought that it would be a good name for the band because there are Lincoln Parks all over the country. He figured that the band would be recognized as a local band no matter where they went. (...) However, since the domain name "lincolnPark.com" was already taken and the band couldn't afford to purchase it, they changed the spelling from "Lincoln" to "Linkin" so they could purchase the domain name "linkinPark.com".
In fact, this final name search also came after a couple of name conflicts. And the story is that many people in fact thought they were a local band before they became famous. So following Linkin Park's example, my suggestion to Nishant for the new name of his blog would be something like "Identiti Korner". This also sounds much more Web2.0 - whether you like it or not.

You are what you do? Behavioural data and identification technologies

Authentication or identification techniques are often divided into something you have (a key, a chip card), something you know (a password, your mother's maiden name), or something you are (your fingerprint, your retina). I already wrote about why I think the term "what you are" should not be used for biometric data, because you have fingers, you don't be them.

Here is a new angle: Increasingly, researchers are working on identifying people by what they do. At the University of Leicester, according to the Telegraph,
"scientists are analysing the way people write mobile phone text messages so police can use them as evidence." (more from the New Scientist)
At the same time, researchers at the University of Pennsylvania are trying to identify users by their browsers' clickstream data:
"We develop formal methods to solve this problem and thereby determine the optimal amount of user data that must be aggregated before unique clickprints can be deemed to exist."
And at the Georgia Institute of Technology, researchers are trying to identify you by the way you walk:
One primary focus of our work is on gait recognition. We propose a technique that recovers static body and stride parameters of subjects as they walk.
They also have most clearly spelled out what this is all about:
This approach is an example of an activity-specific biometric: a method of extracting some identifying properties of an individual or of an individual's behavior that is only applicable when a person is performing that specific action.
As I said, the core of all this is: You are identified by what you do and how you do it.

The problems I can imagine here are manifold. Michael Zimmer points at clickstream identification and anonymous web browsing:
Would Amazon monitor your clickstream data (when you are logged in) in order to provide better recommendations for you? Would they sell that data to 3rd parties? Could they identify you if you aren’t logged in?
It could get worse when this kind of evidence is used in court. I am not a legal expert, but the way I understand criminal procedures is that you have an individual and an action, and you convict the individual for this action based on witnesses or other evidence. What happens if the identification of the suspect is itself done by measuring some action? Especially if this action is phone text messaging or web surfing, you can easily think of reverse-engineering the identification mechanism and blaming the crime on someone else.

Of course, this "identification by actions" model can be taken even further, like: "This must be him - we know his shopping patterns". Scary, yes. But analytically, I also think that there needs to be some conceptual clarification. While this all resembles graphology, calling it "biometrics" is missing the point. What you do and how you behave is clearly different from what your retina looks like. And the way you type your text messages is not dependent on your body, but on how you communicate on the language - not speech - level.

Saturday, October 07, 2006

Passenger Records and the Institutional Mechanisms of Privacy Protection

A small detail on the EU-US agreement over the transfer of air passenger name records (PNR), and a non-related statement by US president George W. Bush, taken together give a nice highlight on the institutional mechanisms of privacy protection.

EU commissioner Frattini told the press yesterday that under the new PNR agreement, the passenger data will be accessible to other US agencies involved in counter-terrorism and law enforcement "on the condition that these have a comparable level of data protection". This formulation of course is absurd if you allow the basically unlimited transfer of data, as the core idea of data protection consists in the protection against further transfer. (It is also interesting, because under the 1995 EU data protection directive, data transfers to third countries are only allowed if there is an "adequate" level of protection.) But let us accept it for the moment. What could be a comparable level of protection?

Institutionally, the EU has adopted the German idea of a special privacy and data protection commissioner within government agencies or companies. This officer has to be independent from executive orders, because his or her job is exactly to provide control over the way the agency or company handles personal data of citizens, customers, or employees. The public data protection commissioners in Europe are also independent because they are elected by the national parliaments. The model has become quite popular in the last ten years. Many US-based corporations now also have their chief privacy officers (CPOs), who basically fulfil the same task.

The Department of Homeland Security was the first government agency in the US that ever got a chief privacy officer. The position was institutionalized with the Homeland Security Act of 2002 (section 222) which established the department. By doing this, the Bush government tried to attenuate the harsh criticism from privacy advocates against the surveillance and data-mining programs concentrated in the DHS. But the DHS chief privacy officer is not independent. He (currently Hugo Teufel, III) is nominated by the secretary for homeland security and reports to the executive branch it is supposed to control, not to Congress. At the annual international conferences of privacy and data protection commissioners, the DHS privacy officer therefore was never really recognized as "one of them", and was not allowed to participate as a peer in the internal meetings of national commissioners.

Congress has repeatedly tried to increase the independence of the DHS CPO. This was done again in the 2007 spending bill for the Homeland Security Department. Section 522 states that

None of the funds made available in this Act may be used by any person other than the Privacy Officer appointed under section 222 of the Homeland Security Act of 2002 (6 U.S.C. 142) to alter, direct that changes be made to, delay, or prohibit the transmission to Congress of any report prepared under paragraph (6) of such section.

This is a complicated way (because it's a spending bill) of saying that only the privacy officer can edit the reports about how the department obeys privacy rules. Now, president Bush, when he signed the bill yesterday, attached a signing statement to it, which gives him the authority to make changes to the agency's privacy office annual and other reports. Bush directs that

"the executive branch shall construe section 522 of the Act, relating to privacy officer reports, in a manner consistent with the President's constitutional authority to supervise the unitary executive branch."
Do not assume that the DHS privacy officer has been a sharp watchdog yet. For example, the report on privacy protection of passenger name record information, published by his office in September 2005, basically says "everything is great and data is protected perfectly". So Bush is just insisting on his last word as the commander-in-chief.

It becomes clearer if you look at the big picture: The EU allows the DHS to transfer passenger data to other agencies if they have a comparable level of data protection. The other departments and agencies do not have privacy officers who could ensure this level of protection is really enforced. The DHS privacy officer does not have a level of independence comparable to his European colleagues. But even if he wants to report breaches of the weak privacy protection levels in US government agencies, President Bush and the White House can do the final editing of the reports and tell the privacy officer to shut up. So, the EU is giving its citizens' data away, and what it gets in return is no more than a "trust us" from the US government. It reminds me of a recent statement by the German Ministry of Finances in the SWIFT affair. When asked by a conservative (!) member of parliament about the possibility of the US using the financial data for economic espionage, the spokesman replied: Yes, they had discussed this with their American counterpart, but the US government would not see this danger.

The idea of having an independent privacy commissioner was one way of replacing this "trust me" model with institutionalized checks and balances. This is what democracy is all about, compared to authoritarian systems: Not having to trust the government, but instead controlling it.

Terminator 1.0: unmanned systems shooting autonomously

The U.S. Department of Defense is working on unmanned systems that can fire their weapons independent of a human operator giving the order. Jane's Defence Weekly reports:
A proposal, unveiled publicly in September but never before publicised, would give "armed autonomous systems" the authority to shoot to destroy hostile weapon systems but not suspected combatants.
The proposal emerged in the Naval Surface Warfare Center, is based on work done at the Defense Safety Working Group, and is titled 'A Concept of Operations for Armed Autonomous Systems'. It was presented at the Disruptive Technology Conference sponsored by the National Defense Industries Association in September.
"Let's design our armed unmanned systems to automatically ID, target and neutralise or destroy the weapons used by our enemies - not the people using the weapons. This gives us the possibility of disarming a threat force without the need for killing them."
Legal experts contacted by Jane's were not convinced:
The laws of armed conflict require that for any attack to be legitimate, the attacker must be able to discriminate between combatants and civilians, as well as avoid creating damage that is disproportionate to the threat.
I wrote my diploma thesis about "new technologies and the change of civil-military relations" in 1998. One of the findings was that the self-image of the professional soldier was contested and becoming unstable when hackers, information specialists and journalists were considered an important part of the battlefield as part of the "information warfare" and similar paradigms. US military pilots freaked out over the notion of an air force without pilots, just using unmanned, but still remotely-controlled aerial vehicles (UAVs). Until now, soldiers have been regarded as the only persons legitimately allowed to use violence for more than the immediate defence against violence - the famous "killing people and breaking things" rule. I wonder how they think about an autonomous machine competing on their turf.

To quote my University of Bremen colleague and digital culture researcher Christoph Engemann, who alerted me to this story: "Terminator T1.0 is underway".

GigaNet: 1st internet governance research symposium, Athens

The Global Internet Governance Academic Network (GigaNet) will be holding its first annual symposium in Athens on 29 October 2006. GigaNet plans to organize symposia to be held on site prior to the annual meetings of the new UN Internet Governance Forum (IGF). This event is the first in that series, and the full programme has just been finished. Participation is free of charge.

I have been part of the startup team since the kick-off conference in June, but still had to have my proposal vetted by the peers. Luckily, I was accepted for the theory panel. I will talk about "Hybrid Regimes, Power, and Legitimacy in Global Governance: Insights from Internet Privacy Regulation". Hope to see many of you there!

Because the preparation time for this first meeting was too short, we will not have full papers, but just presentations. I still hope (and think) that there will be some kind of online remote participation and documentation.

Surveillance and Society CfP: Smart Borders and Mobilities

Surveillance studies have become a distinct field of research lately. It is one of these interdisciplinary research areas that is not defined by a special theoretical or methodological approach, but by a common field of study. David Lyon and others have helped a lot to define surveillance as "social sorting" and come up with interesting historical, sociological, political, and technical approaches, and while Michel Foucault is considered one of the ancestors, there is still a lot to learn, especially in the context of new technologies and globalization dynamics.

The peer-reviewed online journal "Surveillance and Society" is now looking for contributions for an issue on "Smart Borders and Mobilities: Spaces, Zones, Enclosures". Submissions should be sent to Emily Smith at by 1 March 2007. The publication date is September 2007 (yes, even with open access online publishing, peer review processes take this long).

Friday, October 06, 2006

Transatlantic Surveillance Cooperation

The US and the EU have just agreed on a new deal to transfer passenger data to the US Department of Homeland Security. This was necessary after the European Court of Justice had ruled the old agreement illegal under EU law in May. Under the new agreement, airlines will have to actively send the data to US agencies, whereas since 2004 the latter had had direct and full access to the booking systems. The US also did not get the extension of the data set they had asked for. On the other hand, the EU agreed that the data will be more easily shared with other US agencies. The agreement will formally be signed next week, it seems. It will be valid until June 2007, and the EU and the US will start negotiations over a long-term agreement in November.

There is an interesting point about transatlantic politics here: EU Justice Commissioner Frattini made clear that the EU also wants access to data from the American side. This will probably become part of the new package deal. It resembles Frattini's announcement that US law enforcement agencies will also be able to access personal data stored under the EU data retention directive, the European hurry to establish biometric passports after the US requested this, or the attempt by European governments to ignore the secret transfer of European financial data to the US government.

The pattern is familiar: European governments are complying with US pressure and pointing to "grey zones" or "legal vacuums", where they should in fact enforce European privacy legislation. But in the end, European law enforcement and intelligence agencies are not too unhappy about it. Altogether, they are slowly establishing a transatlantic identification, surveillance and profiling system, and they can easily pass the buck to the other side of the ocean for each single step.

Update: This just came in, but still confirms the pattern:
UK and US immigration databases have been linked in an intelligence sharing experiment that could lead to permanent trans-Atlantic data stores of wanted and suspected people.

Monday, October 02, 2006

Debugging Anti-Terrorism

Sometimes formal expressions are just way more to the point than words, and this is just lovely: Kevin Poulsen explains why the U.S. bill legalizing limited judicial rights for terrorist suspects is based on one simple programming error. Check the following code and see if you find the bug:
if (person = terrorist) {
punish_severely();
} else {
exit(-1);
}
The solution is here. Let's hope the Supreme Court is good enough in debugging.
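To make the point of Poulsen's snippet concrete, here is an added C example that is neither from his piece nor from this post: the condition exactly as quoted, beside the same condition written as a comparison, both run over a small constructed "population". The function names (verdict_buggy, verdict_fixed, count_punished), the two status constants and the sample array are my own inventions for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed status values for the illustration (not from the post). */
enum { CIVILIAN = 0, TERRORIST = 1 };

/* The two outcomes of the quoted program: punish_severely() or exit(). */
enum verdict { RELEASE = 0, PUNISH = 1 };

/*
 * The condition as quoted. In C a single '=' is an assignment: the person
 * is first overwritten with TERRORIST, and the value of the whole expression
 * is that assigned value (1, i.e. true). The else branch is unreachable,
 * so every input is punished, whatever it was before the check.
 */
enum verdict verdict_buggy(int person)
{
    if (person = TERRORIST) {
        return PUNISH;
    } else {
        return RELEASE;
    }
}

/* The same check with '==': a comparison that leaves the input untouched. */
enum verdict verdict_fixed(int person)
{
    if (person == TERRORIST) {
        return PUNISH;
    } else {
        return RELEASE;
    }
}

/* Constructed sample population: two of five people are marked TERRORIST. */
static const int POPULATION[] = { CIVILIAN, TERRORIST, CIVILIAN, CIVILIAN, TERRORIST };
static const size_t POPULATION_SIZE = sizeof POPULATION / sizeof POPULATION[0];

/* Count how many of the sample population a given check would punish. */
size_t count_punished(enum verdict (*judge)(int))
{
    size_t punished = 0;
    for (size_t i = 0; i < POPULATION_SIZE; i++) {
        if (judge(POPULATION[i]) == PUNISH) {
            punished++;
        }
    }
    return punished;
}

int main(void)
{
    /* Expected: the quoted form punishes all 5, the comparison only the 2. */
    printf("quoted form ('='):  %zu of %zu punished\n",
           count_punished(verdict_buggy), POPULATION_SIZE);
    printf("comparison ('=='):  %zu of %zu punished\n",
           count_punished(verdict_fixed), POPULATION_SIZE);
    return 0;
}
```

Compiling the quoted form with gcc or clang and -Wall produces the standard warning about an assignment being used as a truth value, which is the cheapest check against this class of mistake; the usual defensive habits are to treat that warning as an error in the build, or to write the constant on the left so that an accidental '=' no longer compiles.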