And the data about circumventing users is much more sensitive than the data about most ISP users. These are the histories of users browsing sites that are not only blocked (and therefore mostly sensitive in one way or another) but blocked by an authoritarian country with an active policy and practice of persecuting dissidents. The mere act of anyone, let alone projects proclaiming themselves for internet freedom, storing this data is very bad practice. Any data that is stored can be potentially be shared or stolen. The best way to make sure that dangerous data like this does not get into the wrong hands is not to store it in the first place.

Since the posting, both Peter Li, head of technology at GIFC and Bill Xia, CEO of DynaWeb, have stated that none of the partner sites sell individual user data. In a comment posted at Roberts’ blog, Li states:

We apologize for the confusion here. The anti-censorship ranking service is provided by one of the GIFC partners. It only publishes the popularity ranks of destination websites users visit through our anti-censorship tools. It is similar to alexa.com but is only limited to anti-censorship web traffic.

The ranking service is not authorized to access, nor can it access, the data users transmit on the wire. It is not authorized to release logs containing information on the websites any individual user visits either.

The FAQ for the ranking service was not written properly, as originally “user” there meant website owners who may be interested in getting detailed statistics on how their websites are visited through our anti-censorship tools. We apologize that we have overlooked the wording.

The GIFC partner who runs the ranking service, the World Gates’ Inc, has been notified, and that FAQ entry has been removed. Thank you for discovering the problem.

Given the solid reputations of the people involved, I have no cause to question or doubt this explanation. The entire incident, however, raises some important questions about anonymizing services and private VPNs and the danger of misplaced trust. It also leaves some questions unanswered about how user data is stored by these individual circumvention services and how such data might become accessible to state policing organizations at some future date. I agree with Roberts that the only way to ensure that data is not available is “not to store it in the first place.” To date, there are no laws in the US that require ISPs or web service providers to store user data, so such a service remains within the realm of possibility, at least for the time being.

Even government officials responsible for administering these systems appear confused over terminology. During a 2006 Senate Judiciary Committee hearing, senator Patrick Leahy asked FBI director Robert Mueller if his agency’s Investigative Data Warehouse (IDW) system linked to the Automated Targeting System (ATS) run by the Department of Homeland Security (DHS). The conversation has a bit of a who’s on first quality:

LEAHY: Does the IDW database share information or otherwise interface with the ATS data- mining program?
MUELLER: The ATS data-mining program? I’m not familiar with what you’re referring to, sir.
LEAHY: Just talking about the ATS.
MUELLER: You mean DHS?
LEAHY: The DHS — well, they call it ATS. I realize we’re using acronyms, but this is the one that checks on everybody crossing our borders. And you have the Department of Homeland Security’s automated targeting system.
Does your database interface with that? Does it share information with it?
MUELLER: I do not believe so. But, again, I would have to go back and check. I do not believe so.

The most comprehensive effort to date to map the overall “domestic intelligence” system of the U.S. is this map produced by the RAND corporation as part of its 2008 monograph, “Reorganizing U.S. Domestic Intelligence.”

RAND Map of US Domestic Intelligence (pdf)

For hardcore surveillance wonks, this map is a true treasure trove. The map identifies and shows key connections between federal departments and agencies and their data systems — extant, proposed and decommissioned — as well as private sector entities.

As useful as this map is, it’s not without its weaknesses. Perhaps most importantly, the map gives no sense of hierarchy, suggesting that all data systems are somehow equal. Some systems have a higher “document gravity,” meaning that records from other systems tend to flow into them. A perfect example of this would be the Investigative Data Warehouse (IDW) which the FBI has claimed will store “all data than can be legally stored together.” One could imagine a map layout in which those systems with the highest document gravity appeared at the bottom, while those with the least gravity and narrowest topical coverage appeared at the top. This of course, might make it difficult to keep systems clustered within their respective institutions, but it would help journalist watchdogs and activists focus on the most important systems. Another problem with the map is that, although it shows explicit data sharing paths between systems, it obscures their developmental relationships.

The DOD’s decommissioned Threat and Local Observation Notice (TALON) reporting system, for example, is shown organizationally connected to the now defunct Counter-intelligence Field Activity (CIFA) and is linked as a data source for the also defunct Joint Protection Enterprise Network (JPEN) system (RAND’s map appears to have been produced before CIFA and JPEN were formally shut down, showing only TALON with an X through it). Although the precursor system to the DOD-wide standard TALON reports, the Air Force’s Eagle Eyes System, appears in the map, it is separated by six degrees, connected only via the DOD hub itself. A map that focused more on the evolution of the overall dossier system might show the Eagle Eyes system flowing into TALON/JPEN and then flowing into the FBI’s Guardian/eGuardian system, where DOD TALON reports are now filed. This case is particularly interesting because the basic threat reporting model adopted by the Department of Defense appears to have been transferred across institutional boundaries to the FBI. This is an excellent example of how former boundaries between record keeping systems and their parent institutions in the U.S. are disappearing, and how innovations within one agency can now more easily be adopted by other agencies due to a reduction in both policy and technological constraints.

With pride, he sees his company’s algorithms helping drive internet surveillance to perfection. “There are many different demands – early warning, policy support, competitive spying between government departments. In the end, this will create a whole industry.”

If this represents a shift, however, from targeting individual trouble makers to attempting to read and predict shifts in overall public opinion, I’m not sure how this is a step backward. Although the article is painfully short on details, a quick look at the company’s own web site suggests the technology, called InfoRadar, is much like that offered by Umbria, the social media analysis division of J.D. Power and Associates.

Will governments be able to subpoena server log data after it is anonymized? Will anonymized data still be able to identify an individual user by cookie or IP address? Google does comply with valid legal process, such as search warrants, court orders, or subpoenas seeking personal information. Logs anonymization does not guarantee that the government will not be able to identify a specific computer or user, but it does add another layer of privacy protection to our users’ data.

Will this policy change make it more difficult for law enforcement to prevent and detect crime or child exploitation? No, current laws allow the government to request that companies preserve user data. We regularly comply with such laws.

What happens to the logs at the end of the expiration date? Are they deleted? At the end of the expiration date we will still keep server logs but they will be anonymized.

At the time, the process of anonymization involved deleting the first four digits of the IP address and altering associated individual cookie data in an unspecified way. With the new 9 month policy, Google states that it might do something different. The only thing that this policy means is that your search logs data older than nine months will not be used for services like “automatic search correction,” which corrects typos on the fly based on your prior search patterns, or to serve you ads. It does not mean that your personal search behavior older than 9 months won’t be accessible to state policing organizations.

Microsoft device helps police pluck evidence from cyberscene of crime
By Benjamin J. Romano
Seattle Times technology reporter

Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that may have been used in crimes.

The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB “thumb drive” that was quietly distributed to a handful of law-enforcement agencies last June. Microsoft General Counsel Brad Smith described its use to the 350 law-enforcement experts attending a company conference Monday.

The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer’s Internet activity, as well as data stored in the computer.

It also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site.

More than 2,000 officers in 15 countries, including Poland, the Philippines, Germany, New Zealand and the United States, are using the device, which Microsoft provides free.

“These are things that we invest substantial resources in, but not from the perspective of selling to make money,” Smith said in an interview. “We’re doing this to help ensure that the Internet stays safe.”

Law-enforcement officials from agencies in 35 countries are in Redmond this week to talk about how technology can help fight crime. Microsoft held a similar event in 2006. Discussions there led to the creation of COFEE.

Smith compared the Internet of today to London and other Industrial Revolution cities in the early 1800s. As people flocked from small communities where everyone knew each other, an anonymity emerged in the cities and a rise in crime followed.

The social aspects of Web 2.0 are like “new digital cities,” Smith said. Publishers, interested in creating huge audiences to sell advertising, let people participate anonymously.

That’s allowing “criminals to infiltrate the community, become part of the conversation and persuade people to part with personal information,” Smith said.

Children are particularly at risk to anonymous predators or those with false identities. “Criminals seek to win a child’s confidence in cyberspace and meet in real space,” Smith cautioned.

Expertise and technology like COFEE are needed to investigate cybercrime, and, increasingly, real-world crimes.

“So many of our crimes today, just as our lives, involve the Internet and other digital evidence,” said Lisa Johnson, who heads the Special Assault Unit in the King County Prosecuting Attorney’s Office.

A suspect’s online activities can corroborate a crime or dispel an alibi, she said.

The 35 individual law-enforcement agencies in King County, for example, don’t have the resources to investigate the explosion of digital evidence they seize, said Johnson, who attended the conference.

“They might even choose not to seize it because they don’t know what to do with it,” she said. “… We’ve kind of equated it to asking specific law-enforcement agencies to do their own DNA analysis. You can’t possibly do that.”

Johnson said the prosecutor’s office, the Washington Attorney General’s Office and Microsoft are working on a proposal to the Legislature to fund computer forensic crime labs.

Microsoft also got credit for other public-private partnerships around law enforcement.

Jean-Michel Louboutin, Interpol’s executive director of police services, said only 10 of 50 African countries have dedicated cybercrime investigative units.

“The digital divide is no exaggeration,” he told the conference. “Even in countries with dedicated cybercrime units, expertise is often too scarce.”

He credited Microsoft for helping Interpol develop training materials and international databases used to prevent child abuse.

Smith acknowledged Microsoft’s efforts are not purely altruistic. It benefits from selling collaboration software and other technology to law-enforcement agencies, just like everybody else, he said.

Benjamin J. Romano: 206-464-2149 or bromano@seattletimes.com

Copyright © 2008 The Seattle Times Company

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

It’s been a week since the Senate voted 68-29 to push forward a revised FISA bill that would retroactively immunize telecommunication companies and Internet service providers from prosecution for illegal wiretapping. A number of close friends and associates engaged in voicing their shock and dismay at this blatant disregard for law. While I appreciate, in a sense, this general form of upset with the rising surveillance state, I find it equally dismaying that people have chosen to lock on to this one issue “telecom immunity,” as somehow being the defining struggle. It’s a tiny, tiny component of a much larger problem. A problem that threatens democracy and individual autonomy.

In January, Privacy International released its second annual international privacy index, the result of a survey of 47 countries. Not only was the U.S. among four new countries to join the the UK, Russia, Malaysia and China as endemic surveillance societies, but U.S. privacy protections are actually ranked below China in statutory privacy protection and “surveillance of medical financial, and movement.” Last week, the Washington Post reported that customs agents at U.S. borders reserve the right to temporarily sequester laptops, cell phones and other electronic devices and download data stored on those devices, and engage in this practice with some regularity. Now Amtrak has announced that travels on its trains nationwide will be subject to random searches of their carry on bags.

According to the courts, Americans do not have a reasonable expectation of privacy for most of the web sites they visit on the web. More specifically, any specific website visited that has its own top level domain name and its own unique IP address are registered with your service provider and may be accessed by the government without a court order. (see US v Forrester, 2007).

Virtually all the personally identifiable information (PII) produced in cyberspace can easily be transmogrified into ‘evidence’ even if it was gathered illegally (see US v Jarrett, 2003, p. 7). Ones Facebook profile can be used as evidence in both civil and criminal charges.

The Privacy Act of 1974, which was intended to strictly limit the sharing of data between federal data bases, has all but been abandoned. Vast federal “systems of records” (National Directory of New Hires, National Center for Education Statistics, mtDNA Population Database, National Crime Information Center) are increasingly interconnected with state and private data sources in massive clearing houses such as the Investigative Data Warehouse (IDW) and OneDOJ. This practice of information sharing is being institutionalized within new “fusion centers” popping up all over the country. This dismantling of the Privacy Act is officially denied using the following rationale: data sharing across departments in the government is now a matter of “routine use” during the War On Terror.

According to Donald Kerr, the principal deputy director of U.S. national intelligence, no American should expect to speak or act today without casting a data shadow that is visible to the federal government.

Barring some radical reinterpretations of online space and boundaries, the Fourth Amendment seems doomed to irrelevancy. “Reasonable expectation” of privacy is always relative and will easily accommodate the surveillance “function creep” without limit. The only hope for resistance is a public with a reinvigorated sense of privacy and its connection to true individual autonomy.

As we watch what happens in the House, we must keep in mind that the battle against excessive state surveillance will not be won or lost with this bill. Most importantly, people whose interest in privacy values have been rekindled with this recent Senate betrayal should not feel victorious if this latest attempt at immunity is somehow scuttled. While the public sphere has been focused on the importance of wiretapping, it appears to have neglected the rapid emergence of a dossier society, highly reminiscent of Kafka’s The Trial.

The whole dossier continues to circulate, as the regular official routine demands, passing on to the highest Courts, being referred to the lower ones again, and then swinging backwards and forwards with greater or smaller oscillations, longer or shorter delays….No document is ever lost, the Court never forgets anything. One day – quite unexpectedly – some judge will take up the documents and look at them attentively….And the case begins all over again?” asked K. almost incredulously. “Certainly” said the painter. (Kafka, The Trial, 1925, cited in Solove, 2004, pp. 36-37)

While we fight what appears to be a losing battle over real-time wiretapping we have lost control over our papers and effects, and thus the construction of our own identity. It’s time to look beyond FISA.

Most disappointing, the hard decisions on how to implement Real ID — including how to protect privacy — have been left to the states. Simply put, there are no privacy rules. States are simply encouraged to follow a set of “best practices” for protecting privacy. But there are no consequences if states choose not to do so and thus no guarantees that the personal information collected for Real ID won’t be used for a variety of state and even federal uses, populating and repopulating numerous government databases and easily available to businesses and other interests.

In preparation for the Beijing Olympics and a series of other international events, some American companies are helping the Chinese government design and install one of the most comprehensive high-tech public surveillance systems in the world.

When told of the companies’ transactions, critics of China’s human rights record said the work violated the spirit of a sanctions law Congress passed after the Tiananmen Square killings.

The Commerce Department, however, says the sophisticated systems that Honeywell, General Electric, United Technologies and I.B.M. are installing do not run afoul of the ban on providing China with “crime control or detection instruments or equipment.”

full story …

This ability to weave S3 into an existing network and video surveillance infrastructure is an important selling point for the product, Donahue said. “It’s expensive to get that video infrastructure in place just for even basic analog cameras,” she said. “So what we do is, we can hook in your analog cameras and reuse that infrastructure, put in IP-based cameras and then architect it so that we can do the right level of analytics.”

The system is also being integrated into the surveillance networks of Chicago and New York. For a detailed explanation of the technology, see the IBM white paper, S3-R1: The IBM Smart Surveillance System- Release 1. (pdf).