And the data about circumventing users is much more sensitive than the data about most ISP users. These are the histories of users browsing sites that are not only blocked (and therefore mostly sensitive in one way or another) but blocked by an authoritarian country with an active policy and practice of persecuting dissidents. The mere act of anyone, let alone projects proclaiming themselves for internet freedom, storing this data is very bad practice. Any data that is stored can be potentially be shared or stolen. The best way to make sure that dangerous data like this does not get into the wrong hands is not to store it in the first place.

Since the posting, both Peter Li, head of technology at GIFC and Bill Xia, CEO of DynaWeb, have stated that none of the partner sites sell individual user data. In a comment posted at Roberts’ blog, Li states:

We apologize for the confusion here. The anti-censorship ranking service is provided by one of the GIFC partners. It only publishes the popularity ranks of destination websites users visit through our anti-censorship tools. It is similar to alexa.com but is only limited to anti-censorship web traffic.

The ranking service is not authorized to access, nor can it access, the data users transmit on the wire. It is not authorized to release logs containing information on the websites any individual user visits either.

The FAQ for the ranking service was not written properly, as originally “user” there meant website owners who may be interested in getting detailed statistics on how their websites are visited through our anti-censorship tools. We apologize that we have overlooked the wording.

The GIFC partner who runs the ranking service, the World Gates’ Inc, has been notified, and that FAQ entry has been removed. Thank you for discovering the problem.

Given the solid reputations of the people involved, I have no cause to question or doubt this explanation. The entire incident, however, raises some important questions about anonymizing services and private VPNs and the danger of misplaced trust. It also leaves some questions unanswered about how user data is stored by these individual circumvention services and how such data might become accessible to state policing organizations at some future date. I agree with Roberts that the only way to ensure that data is not available is “not to store it in the first place.” To date, there are no laws in the US that require ISPs or web service providers to store user data, so such a service remains within the realm of possibility, at least for the time being.

Photo, ID required in Beijing Internet cafes

When Zhang Lihong entered Suosi Internet cafe in Xicheng District, Beijing Oct. 16, she noticed something new on the counter- a machine with a digital camera and scanner.

“Please have your photo taken, and your ID card scanned here,” the clerk stood up and said.

Zhang was confused and wanted to know why she had to do this. The clerk explained that authorities are trying to crack down on Internet misuse in the city.

The 24-year-old’s photo and a copy of her resident identity card were sent to the Municipal Law Enforcement Agency of Beijing and placed in a file.

Zhang was then given a four-digit password, escorted to a computer, and told to enter her information on an interface to activate the computer.

“You don’t need to go through the same process again when you visit Internet cafes like us,” the clerk explained. “By providing your ID number, you can check in after we verify your filed information.”

Zhang smiled as she started to surf the Internet.

“This is a reasonable measure. You spend two minutes and you can enjoy a healthier virtual world,” she said. “Today, there are many hackers, net rumors being spread around and people sending erotic content. Now that users have their images taken, they dare not do bad things.”

A spokeswoman from the Municipal Law Enforcement Agency of Beijing said 1,500 Internet cafes in 14 districts and counties of the city have the same device. It is called the Beijing Internet Cafe Customer Registration Device.

“By the middle of December, Internet cafes in another four districts and counties of Beijing will receive these devices,” said the spokeswoman who wanted to remain anonymous.

“The new device annoyed me a lot at first,” said Li Yunfei, the manager of Suosi Internet Cafe. “80% of my customers just went away when they saw the device. My cafe was like an empty classroom.”

After a month, people become used to it, however, and Li’s turnover recovered.

“After all, I need to use it, or I will be fined and will lose my reputation,” Li said.

Jia Fei, the manager of Hailetong Internet Cafe, a chain with more than 500 computers, believes the new system makes his work more efficient.

“Now I can easily track the exact online time of my customers and when they switch to other computers,” Jia said. “If someone commits Internet crimes, I can help the police to pin him.”

Ma Zhengnan expressed relief when she heard about the new devices outside an Internet cafe near her 18-year-old son’s high school.

“This can keep students away from indulging in computer games,” Ma said.

However, some netizens dislike the law enforcement initiative.

“I will not go to Internet cafes any more,” said Li Weiwei. “Who knows if my personal information is being exposed to people with bad motives.”

(Xinhua News Agency October 17, 2008)

Will governments be able to subpoena server log data after it is anonymized? Will anonymized data still be able to identify an individual user by cookie or IP address? Google does comply with valid legal process, such as search warrants, court orders, or subpoenas seeking personal information. Logs anonymization does not guarantee that the government will not be able to identify a specific computer or user, but it does add another layer of privacy protection to our users’ data.

Will this policy change make it more difficult for law enforcement to prevent and detect crime or child exploitation? No, current laws allow the government to request that companies preserve user data. We regularly comply with such laws.

What happens to the logs at the end of the expiration date? Are they deleted? At the end of the expiration date we will still keep server logs but they will be anonymized.

At the time, the process of anonymization involved deleting the first four digits of the IP address and altering associated individual cookie data in an unspecified way. With the new 9 month policy, Google states that it might do something different. The only thing that this policy means is that your search logs data older than nine months will not be used for services like “automatic search correction,” which corrects typos on the fly based on your prior search patterns, or to serve you ads. It does not mean that your personal search behavior older than 9 months won’t be accessible to state policing organizations.

From January 2005 to September 2007, Verizon provided data to federal authorities “on an emergency basis” 720 times. The records included Internet protocol addresses as well as phone data. In that period, Verizon turned over information a total of 94,000 times to federal authorities armed with a subpoena or court order. The information was mainly used for a range of criminal investigations including counter-terrorism investigations (The Washington Post, October 16, 2007).

In August 2007, the United States’ National Intelligence Director Mike McConnell revealed that fewer than 100 people inside the United States are monitored under the Foreign Intelligence Surveillance Act (FISA) warrants. However, he said, thousands of people overseas are monitored (The Associated Press, August 23, 2007). The FBI is embarking on a 1 billion U.S. dollars effort to build the world’s largest computer database of peoples’ physical characteristics, called Next Generation Identification, a project that would give the government unprecedented abilities to identify individuals in the United States and abroad. The increasing use of biometrics for identification is raising questions about the ability of Americans to avoid unwanted scrutiny (FBI Prepares Vast Database Of Biometrics, The Washington Post, December 22, 2007).

Statistics show that the government’s illegal dragnet electronic surveillance has put sensitive personal information from millions of people at risk. 477 breaches into government databases were found in 2006 alone. More than 162 million records were reported lost or stolen in 2007, triple the 49.7 million that went missing in 2006 (USA Today website, December 10, 2007). In July 2007, the Homeland Security Department granted more than 4 million U.S. dollars to install 175 video cameras on the streets of cities including St. Paul, Madison (Wisconsin State) and Pittsburgh. The Boston Globe estimated that up to hundreds of millions of dollars were being spent by the department to install new surveillance systems around the country, accelerating the rise of a “surveillance society” (The Boston Globe, August 12, 2007).

It is worth noting that these kinds of initiatives are not unique to Chinese politics. Last fall, Donald Kerr, the principal deputy director of U.S. national intelligence, stated that no American should expect to speak or act today without casting a data shadow that is visible to the federal government. Last week, Kentucky lawmaker Tim Couch submitted a bill that would “would require anyone who contributes to a website to register their real name, address and e-mail address with that site.”

Although the current Beijing government initiative focuses only on net cafe users and not people going online from work or home, there is a long history of failed state government attempts to have customers of net cafes register their real names. With the Olympics fast approaching, the stakes may be a bit different. This bears watching.

Update: the original story, in Chinese, is at CE.CN (China Economics Network), dated March 11.

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

It’s been a week since the Senate voted 68-29 to push forward a revised FISA bill that would retroactively immunize telecommunication companies and Internet service providers from prosecution for illegal wiretapping. A number of close friends and associates engaged in voicing their shock and dismay at this blatant disregard for law. While I appreciate, in a sense, this general form of upset with the rising surveillance state, I find it equally dismaying that people have chosen to lock on to this one issue “telecom immunity,” as somehow being the defining struggle. It’s a tiny, tiny component of a much larger problem. A problem that threatens democracy and individual autonomy.

In January, Privacy International released its second annual international privacy index, the result of a survey of 47 countries. Not only was the U.S. among four new countries to join the the UK, Russia, Malaysia and China as endemic surveillance societies, but U.S. privacy protections are actually ranked below China in statutory privacy protection and “surveillance of medical financial, and movement.” Last week, the Washington Post reported that customs agents at U.S. borders reserve the right to temporarily sequester laptops, cell phones and other electronic devices and download data stored on those devices, and engage in this practice with some regularity. Now Amtrak has announced that travels on its trains nationwide will be subject to random searches of their carry on bags.

According to the courts, Americans do not have a reasonable expectation of privacy for most of the web sites they visit on the web. More specifically, any specific website visited that has its own top level domain name and its own unique IP address are registered with your service provider and may be accessed by the government without a court order. (see US v Forrester, 2007).

Virtually all the personally identifiable information (PII) produced in cyberspace can easily be transmogrified into ‘evidence’ even if it was gathered illegally (see US v Jarrett, 2003, p. 7). Ones Facebook profile can be used as evidence in both civil and criminal charges.

The Privacy Act of 1974, which was intended to strictly limit the sharing of data between federal data bases, has all but been abandoned. Vast federal “systems of records” (National Directory of New Hires, National Center for Education Statistics, mtDNA Population Database, National Crime Information Center) are increasingly interconnected with state and private data sources in massive clearing houses such as the Investigative Data Warehouse (IDW) and OneDOJ. This practice of information sharing is being institutionalized within new “fusion centers” popping up all over the country. This dismantling of the Privacy Act is officially denied using the following rationale: data sharing across departments in the government is now a matter of “routine use” during the War On Terror.

According to Donald Kerr, the principal deputy director of U.S. national intelligence, no American should expect to speak or act today without casting a data shadow that is visible to the federal government.

Barring some radical reinterpretations of online space and boundaries, the Fourth Amendment seems doomed to irrelevancy. “Reasonable expectation” of privacy is always relative and will easily accommodate the surveillance “function creep” without limit. The only hope for resistance is a public with a reinvigorated sense of privacy and its connection to true individual autonomy.

As we watch what happens in the House, we must keep in mind that the battle against excessive state surveillance will not be won or lost with this bill. Most importantly, people whose interest in privacy values have been rekindled with this recent Senate betrayal should not feel victorious if this latest attempt at immunity is somehow scuttled. While the public sphere has been focused on the importance of wiretapping, it appears to have neglected the rapid emergence of a dossier society, highly reminiscent of Kafka’s The Trial.

The whole dossier continues to circulate, as the regular official routine demands, passing on to the highest Courts, being referred to the lower ones again, and then swinging backwards and forwards with greater or smaller oscillations, longer or shorter delays….No document is ever lost, the Court never forgets anything. One day – quite unexpectedly – some judge will take up the documents and look at them attentively….And the case begins all over again?” asked K. almost incredulously. “Certainly” said the painter. (Kafka, The Trial, 1925, cited in Solove, 2004, pp. 36-37)

While we fight what appears to be a losing battle over real-time wiretapping we have lost control over our papers and effects, and thus the construction of our own identity. It’s time to look beyond FISA.

Most disappointing, the hard decisions on how to implement Real ID — including how to protect privacy — have been left to the states. Simply put, there are no privacy rules. States are simply encouraged to follow a set of “best practices” for protecting privacy. But there are no consequences if states choose not to do so and thus no guarantees that the personal information collected for Real ID won’t be used for a variety of state and even federal uses, populating and repopulating numerous government databases and easily available to businesses and other interests.

This ability to weave S3 into an existing network and video surveillance infrastructure is an important selling point for the product, Donahue said. “It’s expensive to get that video infrastructure in place just for even basic analog cameras,” she said. “So what we do is, we can hook in your analog cameras and reuse that infrastructure, put in IP-based cameras and then architect it so that we can do the right level of analytics.”

The system is also being integrated into the surveillance networks of Chicago and New York. For a detailed explanation of the technology, see the IBM white paper, S3-R1: The IBM Smart Surveillance System- Release 1. (pdf).

In Boulder, two days ago, a rosy-cheeked thirtysomething mother of two small children, in soft yoga velours, started to tear up when she said to me: “I want to take action but I am so scared. I look at my kids and I am scared. How do you deal with fear? Is it safer for them if I act or stay quiet? I don’t want to get on a list.” In D.C., before that, a beefy, handsome civil servant, a government department head — probably a Republican — confides in a lowered voice that he is scared to sign the new ID requirement for all government employees, that exposes all his most personal information to the State — but he is scared not to sign it: “If I don’t, I lose my job, my house. It’s like the German National ID card,” he said quietly. This morning in Denver I talked for almost an hour to a brave, much-decorated high-level military man who is not only on the watch list for his criticism of the administration — his family is now on the list. His elderly mother is on the list. His teenage son is on the list. He has flown many dangerous combat missions over the course of his military career, but his voice cracks when he talks about the possibility that he is exposing his children to harassment.

Jim Spencer, a former columnist for the Denver Post who has been critical of the Bush administration, told me today that I could use his name: he is on the watch list. An attorney contacts me to say that she told her colleagues at the Justice Department not to torture a detainee; she says she then faced a criminal investigation, a professional referral, saw her emails deleted — and now she is on the watch list. I was told last night that a leader of Code Pink, the anti-war women’s action group, was refused entry to Canada. I hear from a tech guy who works for the airlines — again, probably a Republican — that once you are on the list you never get off. Someone else says that his friend opened his luggage to find a letter from the TSA saying that they did not appreciate his reading material.

The full post, American Tears is here.