What is the world coming to when our leaders use scare tactics to get what they want? (Rhetorical question, of course.) But that's exactly what happened when backers of the so-called "Internet Kill Switch" evoked images of foreign hackers opening flood gates and drowning citizens.

“We are very concerned about an electronic control system that could cause the floodgates to come open at the Hoover Dam and kill thousands of people in the process,” said Brandon Milhorn, staff director of the Senate Homeland Security and Governmental Affairs Committee. ”That’s a significant concern.”

Not only is that not a significant concern, it turns out not even to be an insignificant concern. But the false information was no insignificant matter to the Bureau of Reclamation, which runs the power-generating facility on the Arizona-Nevada border.

“I’d like to point out that this is not a factual example, because Hoover Dam and important facilities like it are not connected to the internet,” Peter Soeth, a spokesman for the bureau, said in an e-mail. “These types of facilities are protected by multiple layers of security, including physical separation from the internet, that are in place because of multiple security mandates and good business practices.”

Yesterday we posted a poll to get your opinion on this issue. Please take a moment to make your voice heard.

In the aftermath of Egypt and Tunisia's government-imposed Internet shut-downs, there has been a lot of talk this week about the U.S. Senate's Internet "Kill Switch" bill. No one argues that our networks are vulnerable to attack. Senators say they have committed to this power only to protect against "external cyber attacks". This raises several questions and deserves serious debate:

• In a global network, is there really a distinction between internal and external threats?
• Under what circumstances would the President use this power, and with what oversight?
• Could the financial damage of isolating U.S. commerce from foreign customers outweigh the potential damage from attack?
• Does the risk of an "Egyptian-style" shut-down really exist in Western Democracies, and if it does, is it a fair trade-off for national security?

That leads to today's poll question: Note: There is a poll embedded within this post, please visit the site to participate in this post's poll.

Of course, there are few perfect Yes/No answers in this world. Please feel free to share your comments below, and we encourage you to use the "Like" and "Share" buttons to elicit more opinions from others.

Some have suggested that our legislation would empower the president to deny U.S. citizens access to the Internet. Nothing could be further from the truth.
-Joseph Lieberman (I-Conn.)

In a statement issued this week, Senators' Joseph Lieberman (I-Conn.), Susan Collins (R-Maine), and  Tom Carper (D-Del.) said that their intent was to allow the president "to protect the U.S. from external cyber attacks," not to shut down the Internet.

Aside from the obvious civil liberties concerns, the problem I see is largely a mechanical one, and it demonstrates the Senators' lack of fundamental understanding when it comes to the world in which they legislate: By the time a cyber attack is apparent, it's no longer likely an "external" threat. The most effective attacks known today are distributed amongst a multitude of machines in various locations, making it impossible to protect citizens without shutting down the Internet -- if such a thing could even be accomplished in this country.

The U.S. network infrastructure is much more complex and diverse than that of Egypt. In part, that has to do with the shear differences in scale. But, perhaps surprisingly, it also has to do with the age of our network. Parts of our interconnected network go back five decades. Some interconnected networks predate the Internet itself. And these are interconnected with new infrastructure being added every day without the need for government knowledge or consent.

Most importantly, when the Advanced Research Projects Agency Network (ARPANET) was conceived, it was specifically designed to survive and reroute against an outage. That means, depending on the final draft, the law would likely be either ineffective, dangerous, or both.

Last month the US Federal Trade Commission testified before Congress in order to establish "Do Not Track" legislation, challenging companies to either self-regulate, or face potentially stiff laws prohibiting the tracking of Internet users. This week the US Department of Justice testified before congress to establish regulations requiring data retention for the purposes of investigation and prosecution.

"Data retention is fundamental to the department's work in investigating and prosecuting almost every type of crime," US deputy assistant attorney general Jason Weinstein told a congressional subcommittee on Tuesday. "In some ways, the problem of investigations being stymied by a lack of data retention is growing worse." Weinstein acknowledged that greater data retention requirements raise legitimate privacy concerns but "any privacy concerns about data retention should be balanced against the needs of law enforcement to keep the public safe."

Emphasizing the vast disparity between the testimony of  these two Federal organizations is the following statement from the FTC's own prepared statement to Congress expressing a principal of "reasonable security and limited retention for consumer data" among companies collecting sensitive data.

"A key to protecting privacy is to minimize the amount of data collected and held by ISPs and online companies in the first place," according to John Morris, general counsel at the non-profit Center for Democracy & Technology. "Mandatory data retention laws would require companies to maintain large databases of subscribers' personal information, which would be vulnerable to hackers, accidental disclosure, and government or other third party access."

The DOJ's request would require "an entire industry to retain billions of discrete electronic records due to the possibility that a tiny percentage of them might contain evidence related to a crime," says Kate Dean, executive director of the Internet Service Provider Association. "We think that it is important to weigh that potential value against the impact on the millions of innocent Internet users' privacy."

A byproduct of life in the 21st Century is that many of the perks of a post-centennial lifestyle require the abdication of a fair bit of privacy to cyberspace. That means that the paper records that once required a search warrant to read (and maybe the forceful extraction from your cold-dead-hands), are now in the possession of companies who don't. Of course there's Facebook and Twitter. Those didn't exist in the 20th. Century. But, what about your phone records and email? While your phone company has long been subject to a warrant or subpoena, in the 21st. Century new "self-service" tools have been developed to help telcos manage the onslaught of requests made particularly attractive by the fact that most of us carry what amounts to a homing-beacon in our pockets. Similarly, while email has always been an attractive source of discovery, until recently most of it resided on each correspondent's physical, and virtual, desktop waiting to get written-over by something more current. Today, it's more likely been put out to pasture in a seemingly-endless "server farm", waiting to be picked by a custodian of records.

Even our personal computers, which have always required a search warrant, and often require a cascading series of search warrants covering various regions of storage space and categories of searches, are rapidly being replaced by windows to the web -- sleek sheets of glass and sculpted-aluminum that act as a portal to your virtual existence. Like a supermodel, these tablets are thin and beautiful, but two-dimensional, with very little substance inside. What makes these devices a reality today is a combination of near-ubiquitous Internet connectivity and access to your personal online data once it's established. Even the notion of "backing up" is becoming a thing of the past, because the data you see, isn't really here. It's somewhere else, presumably safe from destruction, but not necessarily from dissemination. Like many things in life, it's a trade-off.

But, not when it comes to fighting crime. The shift of discovery from physical space to cyberspace is a decided advantage for law enforcement. In fact, Google reports that it responded to more than 4200 discovery requests in the first-half of 2010 alone. One of the reasons these requests have become so popular is that online data is easier seize than a laptop, and often much more useful. Much of what can be had requires no search warrant at all, and thanks to online tools, can be had without even so much as contacting the service provider. Why? Because, unlike the data on your hard drive, you don't necessarily own your data when it's stored in cyberspace.

The Electronic Communications Privacy Act was enacted by Congress in 1986 -- long before most people had access to the Internet, email, or a cellphone. When Mark Zuckerberg's only friends were his stuffed animals. Mind you, it was revolutionary for it's time -- enacted to extend government restrictions on wire taps from telephone calls to also include transmissions of electronic data by computer. But, it doesn't address current evolution. Today, far more can be gleaned from a historical records search than any telephone wiretap. Perhaps that's why last year the Department of Justice argued in favor of warantless email searches. Or why in the same year the DOJ argued that cellphone users had abdicated any expectation of privacy by using a service that stores location data.

Read more at http://www.nytimes.com/2011/01/10/technology/10privacy.html?_r=2&pagewanted=2&ref=technology

Careful What You Click F

Actress Winona Ryder doesn't use the Internet. She just got her first smartphone, but finds it unpredictable. She had a laptop, but rarely used it.

She's fearful of technology. And that just might make her smarter than you.

As evidenced in her "Late Night" interview with Jimmy Fallon, these days, such concerns are the fodder for comedians. It's the current equivalent of being afraid to drive or swim. In the late 20th. Century, it might have been a fear of handing one's money over to an ATM machine. Or more recently, making a purchase online. But, well over 30,000 people died in car accidents in 2009. Another 24,000 were injured. In a similar period, more that 3000 people died from drowning. Fear is not necessarily a bad thing. Not if it keeps you safe.

Most of us either fear what we don't know, or fear what we do. There's also a whole complicated subset of irrational, or misguided fears that really fall into the first category. According to her own interview, Ryder falls into the former classification.

Ryder told Fallon, "We're a button away from joining Al Queda!"

How many times have you accidentally opted yourself into joining a mailing list because you forgot to un-approve your pre-approved consent? What about that time when you accidentally installed a bunch of "trial-ware" that came along with a program you legitimately wanted to use. Somewhere, before or after the end-user-license agreement you didn't read, it may have been an option. In the 90's one of my attorney-client's accidentally sold a good investment when he was dabbling with online day trading. I have met people who accidentally purchased cars on eBay. Meanwhile, I promise (though I don't recommend confirming it) that many forms of contraband are just a few clicks, or even a typo, away from where you sit this very moment. Last Summer I gave National Public Radio (NPR) a glimpse into just how easy it can be. Even if you bleed apple pie filling, you're still just a click away from looking like someone else.

I haven't tried it myself, but I'll bet joining Al Queda requires, at least, the completion of an annoying CAPTCHA in order to submit a membership application.  While I'm sure Ryder has no interest in joining, just the accusation, or even a rumor, that she ever supported a terrorist organization, or had some other frighting interest, could be just as detrimental. Remember Christine O'Donnell, the Republican Party's most famous witch? In some parts of the country that's harder to understand than extremism.

Ryder: "We're a button away from joining Al Queda."

Remember, Ryder works in the industry that was most famously asked, "Are you, or have you ever been a member of the Communist Party?"

Maybe -- even if unwittingly -- she's on to something. Maybe we'd have several thousand fewer vehicular deaths every year if more drivers understood the engineering that goes into the highway, or a car, it's tires, or even just its brakes and safety systems. Sure, it might scare a few people out of driving altogether. But it might make the rest think a little harder before they accelerated into a turn, or tried to beat a red light across a wet intersection. Maybe, if more people really understood the Internet better before hopping on the "Information Superhighway", law enforcement might have fewer accidents to investigate.

Via EFF:

What do an online donation to the International Red Cross, a bank transfer to family members living in Vietnam, and a payment sent through PayPal for an expensive rug in Turkey have in common? The government wants to know about them. And, if new rules proposed by the Financial Crimes Enforcement Network, or FinCEN, go into effect, the government will — along with your name, address, bank account number, and other sensitive financial information.

In September, FinCEN, an agency component of the Department of the Treasury, proposed a set of rules (pdf) that would require banks and money transmitters to report to the government any cross-border electronic funds transfer. Yesterday, we submitted a comment (pdf) opposing the agency’s proposal.

Essentially, under the proposed rules, anytime you electronically transfer money into or out of the country, the government wants to know. The proposed rules require banks and money transmitters, like PayPal or Western Union, to submit reports documenting the amount of money sent or received, where that money came from, and where it is going. Depending on the type of transfer, a variety of information would be included in the reports, including the name, address, bank account number, and taxpayer ID number of the sender; the amount and currency of the funds transfer; and the name and address of the recipient. Passport numbers or alien ID numbers could also be required for some transfers.

The government wants reports on all electronic bank-to-bank transfers, regardless of whether the transfer is $1 or $1,000,000. For money transmitters, reports would be filed for transfers at or above $1,000. FinCEN estimates it will receive 750 million reports every year, and the agency wants to keep the data for ten years. Once the reports are filed with FinCEN, other federal law enforcement agencies — the FBI, IRS, ICE, and the DEA — would all have access to the data.

Shortly after FinCEN announced the rules in September, EFF filed a FOIA request seeking documentation that would justify the agency’s law enforcement need for the regulations. We also sought information demonstrating that FinCEN had taken adequate data-security precautions for handling such a massive amount of sensitive information. The agency produced some records, but the documents provided no evidence that the proposed rules are necessary to deter money laundering and terrorism financing, or that the agency had adequately assessed the privacy implications of the proposed rules.

In our comment, we opposed the rules for three reasons:

1. The new reports are unlikely to be effective in preventing terrorism financing — the primary impetus behind the regulations in the first place.

2. While the agency sought the advice of financial institutions, other law enforcement agencies, and even foreign governments when developing the rule, FinCEN never solicited the opinions of privacy advocates during the drafting process.

3. The agency has not provided any evidence that the technological systems are in place to safely receive, transmit, and store the vast quantities of highly-sensitive information the rules would require.

We strongly oppose the government’s attempt to pry into the sensitive financial dealings of citizens, especially when there is no demonstrated need and no evidence that the agency is equipped to handle that much sensitive information. Comments on the proposed rules are due December 29th, and can be submitted here. We urge you to join us in opposing these intrusive new regulations.

Read full article at http://www.eff.org/deeplinks/2010/12/sending-money-overseas-holidays-government-wants

Source: Freebase

Via Gawker:

The Department of Justice has subpoenaed many people's Twitter accounts who were associated with WikiLeaks. The subpoena states that there is "reasonable ground to believe that the records or other information sought are relevant and material to an ongoing criminal investigation."

Read full article at http://feeds.gawker.com/~r/gizmodo/full/~3/JyTdxSjSU5o/department-of-justice-subpoenas-twitter-records-of-wikileaks-volunteers

It's sometimes hard to remember, but it wasn't that long ago that most carry-on's bypassed so much as an x-ray screening. Then came the obligatory laptop and shoe removal. And, eventually, the "drink 'em or lose 'em" rule, accompanied by the ever-perplexing debate over what constitutes a "liquid", and how many ounces of it you can carry through a TSA line.

(I once overheard a TSA agent explaining to a traveler that, "anything that can be liquefied is a liquid". I felt compelled to explain that, at the right temperature, the whole airplane could be liquefied--but kept my mouth shut, for fear of missing my flight.)

In recent months, some international travelers have been greeted with an indignity that makes the "patdown" look like a "fist-bump". In the past 10 months, over 1000 people had their laptop computers "detained" and subsequently searched. Most would assume that this was with probable cause, but, the DHS maintains that probable cause is not required for such a search.

What some might consider an electronic cavity search, became policy in 2008 when the Department of Homeland Security's U.S. Customs and Border Enforcement published their "Policy Regarding Border Search of Information" (July 16, 2008), which, among other things, allowed Custom's Agents broad discretion to detain "electronic devices, or copies thereof, for a reasonable period of time to perform a thorough border search." Though protocols were established for an "expeditious" response time by assisting agencies, no definition for "reasonable period" was provided.

The rationale cited for this policy, is described in its fourth paragraph, "Review of Information in the Course of Border Search":  "In the course of a border search, and absent individualized suspicion, officers can review and analyze the information transported by any individual attempting to enter, reenter, depart, pass through, or reside in the United States..." While, in the past, this objective could be met with a visual inspection, computers, iPods, smart-phones, and the like, require complex procedures, software and hardware to preserve the integrity of the data being examined. Therefore, such a search is typically conducted in a laboratory setting, and not something that cannot likely be accomplished during even the longest of layovers.

The DHS provides the following definition of a "detention":

"A detention occurs when CBP or ICE determines that the devices need to be kept for further examination to determine if there is probable cause to seize as evidence of a crime and/or for forfeiture. This is a temporary detention of the device during an ongoing border search. Many factors may result in a detention, for example, time constraints due to connecting flights, the large volume of information to be examined, the need to use off-site tools and expertise during the search (e.g., an ICE forensic lab), or the need for translation or other specialized services to understand the information on the device. In a detention, CBP or ICE will keep either the original device (e.g., the laptop) or an exact duplicate copy of the information stored on the device, so as to allow the traveler to proceed with the original device. Once the border search has concluded, the device will be returned to the traveler unless there is probable cause to seize the device. Any copies of the information in the possession of CBP or ICE will be destroyed unless retention of the information is necessary for law enforcement purposes and appropriate within CBP or ICE Privacy Act systems of records."

Effectively, a "detention" is a seizure without probable cause, followed by an unwarranted search. Fortunately, the CBP has taken measures to assure that it only retains information from "detained" devices that are consistent with probable cause, as outlined in Section D:

"Absent probable cause, CBP may only retain documents relating to immigration matters, consistent with the privacy and data protection standards of the system in which such information is retained."

And,

"Except as noted in this section, if after reviewing information, there exists no probable cause to seize the information, CBP will retain no copies of the information."

Which should make passengers a little less uncomfortable, if not a little less violated--were it not for the following:

"Officers may encounter information in documents or electronic devices that is in a foreign language and/or encrypted. To assist CBP in determining the meaning of such information, CBP may seek translation and/or decryption assistance  from other Federal agencies or entities."

The FBI could, for example, aid in this circumstance. But:

At the conclusion of the requested assistance, all information must be returned to CBP as expeditiously as possible. In addition, the assisting Federal agency or entity must certify to CBP that all copies of the information transferred to that agency or entity have been
destroyed... In the event that any original documents or devices are transmitted, they must not be destroyed; they are to be returned to CBP unless seized based on probable cause by the assisting agency.

And that, of course, reads like an invitation to convert a random search without probable cause from one agency, into a "line of sight" search by another.

Now, more than a year later, come new rules intended to preserve passengers' rights and insure domestic tranquility. On August 20, 2009 DHS Secretary Janet Napolitano announced new directives said to "strike the balance between respecting the civil liberties and privacy of all travelers while ensuring DHS can take the lawful actions necessary to secure our borders."

Unfortunately, the new rules won't change much, other than the definition of "reasonable period". According to a "Privacy Impact Assessment for the
Border Searches of Electronic Devices", published by the DHS:

"For CBP, the detention of devices ordinarily should not exceed five (5) days, unless extenuating circumstances exist."

Devices may, however, be released to Immigration and Customs Enforcement Agents for further examination.

"As federal criminal investigators, ICE Special Agents are empowered to make investigative decisions based on the particular facts and circumstances of each case... The ICE Directive requires that Special Agents complete the border search of any detained electronic device or information in a reasonable time, but typically no longer than 30 days, depending on the facts and circumstances of the particular search. The length of detention depends on several factors, but primarily the amount of information requiring review and the format of that information, which can greatly affect the amount of time necessary to complete a search."

What about sensitive, say attorney-client privileged or classified materials?

"Officers may encounter materials that appear to be legal in nature, or an individual may assert that certain information is protected by attorney-client or attorney work product privilege. Legal materials are not necessarily exempt from a border search, but they may be subject to the following special handling procedures: If an Officer suspects that the content of such a material may constitute evidence of a crime or otherwise pertain to a determination within the jurisdiction of CBP, the Officer must seek advice from the CBP Associate/Assistant Chief Counsel before conducting a search of the material..."

Of course, one would anticipate that many lawyers might carry "evidence of a crime", or multiple crimes, on their laptops. Though, quite honestly, I doubt that this is the intention, the ambiguity should not be taken lightly.

Effectively, little has changed, except perhaps the use of FedEx and UPS by people who really have something to hide.

USCBP: Policy Regarding Border Search of Information (2008) U.S. Customs and Border Protection Policy Regarding Border Search of Information (July 16, 2008) size: 160.67KB added: 31/08/2009 popularity: 1

USCBP: Inspection of Electronic Devices (Tearsheet) U.S. Customs & Border Protection: "Inspection of Electronic Devices". size: 39.52KB added: 31/08/2009 popularity: 0

USCBP: Border Search of Information (2009) U.S. Customs & Border Protection: Border Search of Information (August 20, 2009) size: 4.87MB added: 31/08/2009 popularity: 1

Privacy Impact Assessment for the Border Searches of Electronic Devices (2009) Department of Homeland Security Privacy Impact Assessment for the Border Searches of Electronic Devices (August 25, 2009) size: 5.64MB added: 01/09/2009 popularity: 2

ICE: Border Searches of Electronic Devices (2009) Immigration and Customs Enforcement Policy for Border Searches of Electronic Devices (August 18, 2009) size: 452.57KB added: 01/09/2009 popularity: 0

TrueCrypt Real-time on-the-fly industry-recognized encryption of entire hard drive, portion, or removable media. (FREE / Peer-Reviewed / Multi-OS) size: added: 01/09/2009 popularity: 178

It looks like, for some, the stimulus package wasn't enough. In an ironic twist, the man often criticized for moving Trillions from the Federal Reserve Bank into the hands of failing corporations has had a far lesser sum removed from his personal bank account.

"Federal Reserve Chairman Ben Bernanke has been a victim of identity theft. His credit card company became suspicious when they noticed repeated purchases of large, failing American car companies."

- Conan O'Brien (Aired August 27, 2009)

Just days after President Obama announced Bernanke's renomination to the Federal Reserve, officials revealed that Fed Chairman Ben Bernanke was a victim of a wide-spread identity theft ring that used, "stolen personal identifying information, bank and bank record information, personal checks, and other access devices belonging to individual victims, to impersonate those victims at various bank branches throughout the country," according to the U.S. Attorney's Office.

"Identity theft is a serious crime that affects millions of Americans each year," Mr. Bernanke said through a Fed spokesman. "Our family was but one of 500 separate instances traced to one crime ring."

Though there's really nothing funny about identity theft, it just goes to prove that the problem is so pervasive that anyone can fall victim.