The more recent historical thread of which SARs are a part includes the Terrorism Information and Prevention System (TIPS), Threat and Local Observation Notices (TALON), and the current Guardian and e-Guardian systems maintained by the FBI. Much of the activity we are seeing today appears reminiscent of intelligence abuses chronicled in the Church reports.

In 1975, Senator Frank Church (D-ID) chaired the “United States Senate Select Committee to Study Governmental Operations with Respect to Intelligence Activities.” Over a period of nine months, the committee interviewed more than 800 officials and held 250 executive and 21 public hearings, investigating widespread intelligence abuses by the CIA, FBI and NSA. The Church Committee’s 14 reports, issued between 1975 and 1976, have been called the most thorough investigation of US intelligence agencies ever released to the public.

Here is a selection from BOOK II, A. Violating and Ignoring the Law:

MAJOR FINDING

The Committee finds that the domestic activities of the intelligence community at times violated specific statutory prohibitions and infringed the constitutional rights of American citizens. 1 The legal questions involved in intelligence programs were often not considered. On other occasions, they were intentionally disregarded in the belief that because the programs served the “national security” the law did not apply. While intelligence officers on occasion failed to disclose to their superiors programs which were illegal or of questionable legality, the Committee finds that the most serious breaches of duty were those of senior officials, who were responsible for controlling intelligence activities and generally failed to assure compliance with the law.

Subfindings

(a) In its attempt to implement instructions to protect the security of the United States, the intelligence community engaged in some activities which violated statutory law and the constitutional rights of American citizens.

(b) Legal issues were often overlooked by many of the intelligence officers who directed these operations. Some held a pragmatic view of intelligence activities that did not regularly attach sufficient significance to questions of legality. The question raised was usually not whether a particular program was legal or ethical, but whether it worked.

(c) On some occasions when agency officials did assume, or were told, that a program was illegal, they still permitted it to continue. They justified their conduct in some cases on the ground that the failure of “the enemy” to play by the rules granted them the right to do likewise, and in other cases on the ground that the “national security” permitted programs that would otherwise be illegal.

(d) Internal recognition of the illegality or the questionable legality of many of these activities frequently led to a tightening of security rather than to their termination. Partly to avoid exposure and a public “flap,” knowledge of these programs was tightly held within the agencies, special filing procedures were used, and “cover stories” were devised.

(e) On occasion, intelligence agencies failed to disclose candidly their programs and practices to their own General Counsels, and to Attorneys General, Presidents, and Congress.

(f) The internal inspection mechanisms of the CIA and the FBI did not keep — and, in the case of the FBI, were not designed to keep — the activities of those agencies within legal bounds. Their primary concern was efficiency, not legality or propriety.

(g) When senior administration officials with a duty to control domestic intelligence activities knew, or had a basis for suspecting, that questionable activities had occurred, they often responded with silence or approval. In certain cases, they were presented with a partial description of a program but did not ask for details, thereby abdicating their responsibility. In other cases, they were fully aware of the nature of the practice and implicitly or explicitly approved it.

I will post a few more excerpts from the reports before drawing some parallels to the present SAR initiative.

The case involved the police search of Alabama resident Bennie Dean Herring’s truck. After a local crime database indicated Herring was wanted for arrest in a neighboring county, police searched his truck, finding methamphetamines and and an illegal firearm. Minutes after the search, attempting to retrieve the original arrest warrant from the system, police realized that the warrant had expired five months earlier.

Herring later challenged his arrest in court, arguing that the exclusionary principle of the Fourth Amendment, which prevents evidence obtained in an illegal search from being presented in court, applied in his case.

In the Supreme Court ruling, the 5-4 majority held “When police mistakes leading to an unlawful search are the result of isolated negligence attenuated from the search, rather than systemic error or reckless disregard of constitutional requirements,the exclusionary rule does not apply.”

In their unsuccessful Amicus brief to the court, EPIC warned that in an age where the use of electronic databases is increasing, removing database errors from the exclusionary principle would extinguish a key motivation for accuracy.

To allow law enforcement agencies to rely on inaccurate data will exacerbate further a problem that implicates both the fairness of the criminal justice system as well as the design and operation of government information systems….to permit a good faith reliance on data that is inaccurate, incomplete, or out of date will actually exacerbate the problem and increase the likelihood of unfair treatment in the criminal justice system.

Tom Goldstein at SCOTUS Blog points out a key aspect of how the decision might impact police conduct:

The opinion has nothing to do with the fact that the error here is one of recordkeeping. It applies fully to negligence by police officers in their day-to-day determination whether there is probable cause to conduct a search. If the officer makes an objectively reasonable mistake – i.e., he is merely negligent – the exclusionary rule does not apply to whatever evidence he finds. Put another way, the Supreme Court today extended the good faith exception to ordinary police conduct….

The rubber will hit the road in cases in which the officers’ error is one of fact, not law. Herring is such a case – the officer is said to have reasonably relied on the information provided by a police warrant clerk. But what about the more common circumstance in which an officer, based on information not provided by anyone else, negligently but erroneously concludes that probable cause exists. For example, the officer believes that an individual is wanted for arrest but doesn’t call to confirm that fact, or the officer believes that a bag contains marijuana but a closer inspection would have shown otherwise. In the past, those cases would have automatically triggered the exclusionary rule – the Fourth Amendment violation required exclusion.

And the data about circumventing users is much more sensitive than the data about most ISP users. These are the histories of users browsing sites that are not only blocked (and therefore mostly sensitive in one way or another) but blocked by an authoritarian country with an active policy and practice of persecuting dissidents. The mere act of anyone, let alone projects proclaiming themselves for internet freedom, storing this data is very bad practice. Any data that is stored can be potentially be shared or stolen. The best way to make sure that dangerous data like this does not get into the wrong hands is not to store it in the first place.

Since the posting, both Peter Li, head of technology at GIFC and Bill Xia, CEO of DynaWeb, have stated that none of the partner sites sell individual user data. In a comment posted at Roberts’ blog, Li states:

We apologize for the confusion here. The anti-censorship ranking service is provided by one of the GIFC partners. It only publishes the popularity ranks of destination websites users visit through our anti-censorship tools. It is similar to alexa.com but is only limited to anti-censorship web traffic.

The ranking service is not authorized to access, nor can it access, the data users transmit on the wire. It is not authorized to release logs containing information on the websites any individual user visits either.

The FAQ for the ranking service was not written properly, as originally “user” there meant website owners who may be interested in getting detailed statistics on how their websites are visited through our anti-censorship tools. We apologize that we have overlooked the wording.

The GIFC partner who runs the ranking service, the World Gates’ Inc, has been notified, and that FAQ entry has been removed. Thank you for discovering the problem.

Given the solid reputations of the people involved, I have no cause to question or doubt this explanation. The entire incident, however, raises some important questions about anonymizing services and private VPNs and the danger of misplaced trust. It also leaves some questions unanswered about how user data is stored by these individual circumvention services and how such data might become accessible to state policing organizations at some future date. I agree with Roberts that the only way to ensure that data is not available is “not to store it in the first place.” To date, there are no laws in the US that require ISPs or web service providers to store user data, so such a service remains within the realm of possibility, at least for the time being.

Full story at Secrecy News.

Photo, ID required in Beijing Internet cafes

When Zhang Lihong entered Suosi Internet cafe in Xicheng District, Beijing Oct. 16, she noticed something new on the counter- a machine with a digital camera and scanner.

“Please have your photo taken, and your ID card scanned here,” the clerk stood up and said.

Zhang was confused and wanted to know why she had to do this. The clerk explained that authorities are trying to crack down on Internet misuse in the city.

The 24-year-old’s photo and a copy of her resident identity card were sent to the Municipal Law Enforcement Agency of Beijing and placed in a file.

Zhang was then given a four-digit password, escorted to a computer, and told to enter her information on an interface to activate the computer.

“You don’t need to go through the same process again when you visit Internet cafes like us,” the clerk explained. “By providing your ID number, you can check in after we verify your filed information.”

Zhang smiled as she started to surf the Internet.

“This is a reasonable measure. You spend two minutes and you can enjoy a healthier virtual world,” she said. “Today, there are many hackers, net rumors being spread around and people sending erotic content. Now that users have their images taken, they dare not do bad things.”

A spokeswoman from the Municipal Law Enforcement Agency of Beijing said 1,500 Internet cafes in 14 districts and counties of the city have the same device. It is called the Beijing Internet Cafe Customer Registration Device.

“By the middle of December, Internet cafes in another four districts and counties of Beijing will receive these devices,” said the spokeswoman who wanted to remain anonymous.

“The new device annoyed me a lot at first,” said Li Yunfei, the manager of Suosi Internet Cafe. “80% of my customers just went away when they saw the device. My cafe was like an empty classroom.”

After a month, people become used to it, however, and Li’s turnover recovered.

“After all, I need to use it, or I will be fined and will lose my reputation,” Li said.

Jia Fei, the manager of Hailetong Internet Cafe, a chain with more than 500 computers, believes the new system makes his work more efficient.

“Now I can easily track the exact online time of my customers and when they switch to other computers,” Jia said. “If someone commits Internet crimes, I can help the police to pin him.”

Ma Zhengnan expressed relief when she heard about the new devices outside an Internet cafe near her 18-year-old son’s high school.

“This can keep students away from indulging in computer games,” Ma said.

However, some netizens dislike the law enforcement initiative.

“I will not go to Internet cafes any more,” said Li Weiwei. “Who knows if my personal information is being exposed to people with bad motives.”

(Xinhua News Agency October 17, 2008)

Will governments be able to subpoena server log data after it is anonymized? Will anonymized data still be able to identify an individual user by cookie or IP address? Google does comply with valid legal process, such as search warrants, court orders, or subpoenas seeking personal information. Logs anonymization does not guarantee that the government will not be able to identify a specific computer or user, but it does add another layer of privacy protection to our users’ data.

Will this policy change make it more difficult for law enforcement to prevent and detect crime or child exploitation? No, current laws allow the government to request that companies preserve user data. We regularly comply with such laws.

What happens to the logs at the end of the expiration date? Are they deleted? At the end of the expiration date we will still keep server logs but they will be anonymized.

At the time, the process of anonymization involved deleting the first four digits of the IP address and altering associated individual cookie data in an unspecified way. With the new 9 month policy, Google states that it might do something different. The only thing that this policy means is that your search logs data older than nine months will not be used for services like “automatic search correction,” which corrects typos on the fly based on your prior search patterns, or to serve you ads. It does not mean that your personal search behavior older than 9 months won’t be accessible to state policing organizations.

Instead of joining the Tor network directly, thereby revealing your intention, you first connect to a computer set up by your friends or colleagues, who then introduce you to the Tor network (a “virtual bridge”, they call it). Because the Chinese cannot know in advance who these friends of yours will be (technically speaking, their IP address), they cannot pre-empt by blacklisting. Once you do connect through the bridge to the Tor network, it is almost impossible for surveillance agencies to know that you are using Tor.

Microsoft device helps police pluck evidence from cyberscene of crime
By Benjamin J. Romano
Seattle Times technology reporter

Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that may have been used in crimes.

The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB “thumb drive” that was quietly distributed to a handful of law-enforcement agencies last June. Microsoft General Counsel Brad Smith described its use to the 350 law-enforcement experts attending a company conference Monday.

The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer’s Internet activity, as well as data stored in the computer.

It also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site.

More than 2,000 officers in 15 countries, including Poland, the Philippines, Germany, New Zealand and the United States, are using the device, which Microsoft provides free.

“These are things that we invest substantial resources in, but not from the perspective of selling to make money,” Smith said in an interview. “We’re doing this to help ensure that the Internet stays safe.”

Law-enforcement officials from agencies in 35 countries are in Redmond this week to talk about how technology can help fight crime. Microsoft held a similar event in 2006. Discussions there led to the creation of COFEE.

Smith compared the Internet of today to London and other Industrial Revolution cities in the early 1800s. As people flocked from small communities where everyone knew each other, an anonymity emerged in the cities and a rise in crime followed.

The social aspects of Web 2.0 are like “new digital cities,” Smith said. Publishers, interested in creating huge audiences to sell advertising, let people participate anonymously.

That’s allowing “criminals to infiltrate the community, become part of the conversation and persuade people to part with personal information,” Smith said.

Children are particularly at risk to anonymous predators or those with false identities. “Criminals seek to win a child’s confidence in cyberspace and meet in real space,” Smith cautioned.

Expertise and technology like COFEE are needed to investigate cybercrime, and, increasingly, real-world crimes.

“So many of our crimes today, just as our lives, involve the Internet and other digital evidence,” said Lisa Johnson, who heads the Special Assault Unit in the King County Prosecuting Attorney’s Office.

A suspect’s online activities can corroborate a crime or dispel an alibi, she said.

The 35 individual law-enforcement agencies in King County, for example, don’t have the resources to investigate the explosion of digital evidence they seize, said Johnson, who attended the conference.

“They might even choose not to seize it because they don’t know what to do with it,” she said. “… We’ve kind of equated it to asking specific law-enforcement agencies to do their own DNA analysis. You can’t possibly do that.”

Johnson said the prosecutor’s office, the Washington Attorney General’s Office and Microsoft are working on a proposal to the Legislature to fund computer forensic crime labs.

Microsoft also got credit for other public-private partnerships around law enforcement.

Jean-Michel Louboutin, Interpol’s executive director of police services, said only 10 of 50 African countries have dedicated cybercrime investigative units.

“The digital divide is no exaggeration,” he told the conference. “Even in countries with dedicated cybercrime units, expertise is often too scarce.”

He credited Microsoft for helping Interpol develop training materials and international databases used to prevent child abuse.

Smith acknowledged Microsoft’s efforts are not purely altruistic. It benefits from selling collaboration software and other technology to law-enforcement agencies, just like everybody else, he said.

Benjamin J. Romano: 206-464-2149 or bromano@seattletimes.com

Copyright © 2008 The Seattle Times Company

From January 2005 to September 2007, Verizon provided data to federal authorities “on an emergency basis” 720 times. The records included Internet protocol addresses as well as phone data. In that period, Verizon turned over information a total of 94,000 times to federal authorities armed with a subpoena or court order. The information was mainly used for a range of criminal investigations including counter-terrorism investigations (The Washington Post, October 16, 2007).

In August 2007, the United States’ National Intelligence Director Mike McConnell revealed that fewer than 100 people inside the United States are monitored under the Foreign Intelligence Surveillance Act (FISA) warrants. However, he said, thousands of people overseas are monitored (The Associated Press, August 23, 2007). The FBI is embarking on a 1 billion U.S. dollars effort to build the world’s largest computer database of peoples’ physical characteristics, called Next Generation Identification, a project that would give the government unprecedented abilities to identify individuals in the United States and abroad. The increasing use of biometrics for identification is raising questions about the ability of Americans to avoid unwanted scrutiny (FBI Prepares Vast Database Of Biometrics, The Washington Post, December 22, 2007).

Statistics show that the government’s illegal dragnet electronic surveillance has put sensitive personal information from millions of people at risk. 477 breaches into government databases were found in 2006 alone. More than 162 million records were reported lost or stolen in 2007, triple the 49.7 million that went missing in 2006 (USA Today website, December 10, 2007). In July 2007, the Homeland Security Department granted more than 4 million U.S. dollars to install 175 video cameras on the streets of cities including St. Paul, Madison (Wisconsin State) and Pittsburgh. The Boston Globe estimated that up to hundreds of millions of dollars were being spent by the department to install new surveillance systems around the country, accelerating the rise of a “surveillance society” (The Boston Globe, August 12, 2007).