Clips October 23, 2003
- To: "Lillie Coney":;, Gene Spafford <spaf@xxxxxxxxxxxxxxxxx>;, John White <white@xxxxxxxxxx>;, Jeff Grove <jeff_grove@xxxxxxx>;, goodman@xxxxxxxxxxxxx;, David Farber <dave@xxxxxxxxxx>;, glee@xxxxxxxxxxxxx;, Andrew Grosso<Agrosso@xxxxxxxxxxxxxxxx>;, ver@xxxxxxxxx;, lillie.coney@xxxxxxx;, v_gold@xxxxxxx;, harsha@xxxxxxx;, KathrynKL@xxxxxxx;, computer_security_day@xxxxxxx;, waspray@xxxxxxxxxxx;, BDean@xxxxxxx;, mguitonxlt@xxxxxxxxxxx, sairy@xxxxxxxxx;
- Subject: Clips October 23, 2003
- From: Lillie Coney <lillie.coney@xxxxxxx>
- Date: Thu, 23 Oct 2003 11:10:09 -0400
Clips October 23, 2003
ARTICLES
Students Fight E-Vote Firm
Senate Votes 97-0 To Restrict E-Mail Ads
US raids online pharmacies
FBI request to erase classified files nixed
See you later, anti-Gators?
DHS team bounced 200 at borders
Senate panel OKs security bills, agency file-sharing crackdown
Citing privacy law, senators seek probe of JetBlue
Protection orders to be delivered electronically
Plumbing Depths of Data Mining
*******************************
Wired News
Students Fight E-Vote Firm
A group of students at Swarthmore College in Pennsylvania has launched an
"electronic civil disobedience" campaign against voting machine
maker Diebold Election Systems.
The students are protesting efforts by Diebold to prevent them and other
website owners from linking to some 15,000 internal company memos that
reveal the company was aware of security flaws in its e-voting software
for years but sold the faulty systems to states anyway. The memos were
leaked to voting activists and journalists by a hacker who broke into an
insecure Diebold FTP server in March.
Diebold has been sending out cease-and-desist letters to force websites
and ISPs to take down the memos, which the company says were stolen from
its server in violation of copyright law. It has been using the Digital
Millennium Copyright Act, or DMCA, to force ISPs to take down sites
hosting the memos or sites containing links to the memos.
Diebold did not respond to Wired News' requests for comment.
Bev Harris, owner of the Black Box Voting site and author of a book on
the electronic voting industry, was one of the first people to post the
memos before a letter from Diebold threatened her with litigation.
Half a dozen other people hosting the memos in the United States, Canada,
Italy and New Zealand also have received letters forcing them to take the
material down.
Why War?, a nonprofit student organization at Swarthmore, and the
Swarthmore Coalition for the Digital Commons, also composed of Swarthmore
students, announced plans to defy Diebold and their college ISP.
Why War? posted the memos on its website about two weeks ago but moved
them to a student's computer after the college ISP received a
cease-and-desist letter.
The college notified the student, who wishes to remain anonymous, that it
would disconnect his Internet service if he didn't remove the memos. But
Luke Smith, a sophomore, said students are planning to bypass that threat
by hosting the memos on different machines. Each time one machine is shut
down by Diebold, they will move the memos to another machine, passing
them from student to student.
"They're using copyright law as a means of suppressing information
that needs to be public," Smith said. "It's a great example of
how copyright law can be against the public good rather than for it, as
it was originally intended."
He added, "It's not like people are reading these memos in order to
steal Diebold's election system. (The company is) trying to use this law,
and specifically the mandatory take-down section, to conceal flaws that
directly affect the validity of election results. This is a threat to our
democracy."
The DMCA, passed by Congress in 1998, includes a "safe harbor"
provision that allows ISPs to remove material from the Web that allegedly
violates a copyright without suffering legal repercussions from the
person who posted the material. The law allows the ISP to remove the
content for a minimum of 10 days.
Will Doherty, media relations director for the Electronic Frontier
Foundation, said companies have been using the safe-harbor provision to
stifle free speech online, and ISPs have caved in to the threats rather
than risk facing legal action from the copyright holder.
"We support the right of Swarthmore students or anyone for that
matter to link to or to publish information about electronic voting
systems that is vital to debate over democratic process," Doherty
said.
Doherty and the EFF launched their own resistance campaign last week
after a news site, the Independent Media Center, and its Internet
provider, the Online Policy Group, received a cease-and-desist letter
from Diebold. In addition to his position at EFF, Doherty is executive
director of the Online Policy Group, a nonprofit organization that
focuses on digital privacy and rights issues.
The Independent Media Center didn't actually post the Diebold memos on
its site. However, Diebold objected when a contributor to the news
service posted links to other sites that were hosting the memos.
Even if the Independent Media Center had posted the memos, Doherty said
the Online Policy Group still would support its right to do so.
"These documents indicate the potential for widespread election
fraud in the U.S. or wherever else Diebold voting machines are being
used," he said.
The Diebold memos contain a trove of information about the internal
workings of the electronic voting machine manufacturer, which has been
criticized for poor programming practices.
Among the revelations in the memos was news that the Microsoft Access
database used by the Diebold system to count votes was not protected by a
password. This means anyone could alter votes by entering the database
through an insecure backdoor, via physical access to the machine or
remotely, via the phone system.
The memos also reveal that the audit log, which records any activity in
the Access database, could be easily altered so that an intruder could
erase a record of the intrusion.
These security flaws were pointed out to Diebold in 2001 in memos from a
firm that was being paid to audit and certify the software. A Diebold
engineer responded by saying the company preferred not to
password-protect the database because it was easier for them (presumably
Diebold employees) to go into the software and do "end-runs" in
the system -- a term that describes when someone changes software to fix
or work around coding problems.
Other memos indicate that patches were installed in systems after the
systems already were certified and delivered to states.
In a January 2002 memo, Ken Clark, a Diebold engineer, discussed
modifying voting software designed for machines in California. Because
the state was likely to reject a change so late in the game, he proposed
making the change as a bug fix to pass muster with election officials
rather than undergoing lengthy certification procedures.
Smith, who plans to major in computational linguistics, said members of
the public wouldn't have to fight to expose Diebold's business practices
if election officials were doing their job.
"It would be great if they were more rigorous but apparently they've
dropped the ball because these systems have already been
implemented," he said. "There's a definite need to make this
info public."
Smith said he's surprised by Diebold's stance regarding the memos.
"If I were Diebold I wouldn't claim copyright protection; I'd claim
I hadn't written the memos," he said. "They knowingly created a
system that doesn't even have a semblance of security. And then they pass
it off on the American public in the name of modernization."
Smith said his group plans to launch a campaign this week to recruit more
students to participate in the revolt.
"We're advocating freedom of information and open-source
standards," he said. "If there's anything the public has an
inherent right to look in on, it's voting technology. That's why we're
pushing this."
*******************************
Washington Post
Senate Votes 97-0 To Restrict E-Mail Ads
Bill Could Lead to No-Spam Registry
By Jonathan Krim
Thursday, October 23, 2003; Page A01
The Senate approved the nation's first federal anti-spam legislation last
night after reaching a compromise that also opens the door to a national
no-spam registry similar to the do-not-call list for
telemarketers.
The bill, sponsored by Sens. Conrad Burns (R-Mont.) and Ron Wyden
(D-Ore.), was approved 97 to 0. It targets the most unsavory senders of
unsolicited commercial e-mail by prohibiting messages that peddle
financial scams, fraudulent body-enhancement products and pornography.
The legislation also draws on amendments from Sens. Patrick J. Leahy
(D-Vt.) and Orrin G. Hatch (R-Utah) that would criminalize the techniques
used by spammers to thwart detection -- disguising identities, masking
the locations of computers used to send junk e-mail and automating spam
attacks.
The action comes as spam's stranglehold on e-mail communication is
growing. By some estimates, spam now accounts for 60 percent of all
e-mail traffic and is costing businesses and consumers roughly $10
billion per year.
In a poll released yesterday by the Pew Internet & American Life
Project, 25 percent of respondents said that spam is causing them to
curtail their use of e-mail.
The Burns-Wyden bill has been supported by the marketing, retailing and
Internet-access industries, which argue that a federal law should be
written carefully to avoid inhibiting legitimate marketers from sending
e-mail advertising that consumers may want.
But several anti-spam and consumer groups have argued that the bill has
too many loopholes that could enable so-called legitimate marketers to
bombard consumers with unwanted e-mail.
The bill would preempt all state anti-spam laws, some of which are
tougher than the Burns-Wyden bill. And it would prohibit private lawsuits
against spammers, allowing suits only by providers of e-mail accounts,
such as Yahoo Inc., Microsoft Corp., EarthLink Inc. and America Online
Inc., all of which also market to their own members.
But after months of negotiations, the bill now includes a provision,
supported by some opponents of spam, that directs the Federal Trade
Commission to come up with a plan for a no-spam registry.
The registry, proposed by Sen. Charles E. Schumer (D-N.Y.) and supported
by a range of groups including the Christian Coalition of America and the
Coalition Against Unsolicited Commercial Email, would be similar to the
FTC's do-not-call list, which prohibits telemarketers from calling any
phone number that consumers place on the list.
The direct-marketing industry won a preliminary court challenge to the
list, but the FTC is enforcing it pending an appeal. In the meantime, the
list has been wildly popular, attracting more than 50 million
numbers.
To date, however, FTC Chairman Timothy J. Muris has opposed a no-spam
registry, arguing that it would be unenforceable because spammers would
ignore it and that it would be hard to keep the e-mail addresses
secure.
Supporters of a registry say it would at least control many ostensibly
legitimate marketers that fail to honor consumer requests to be free of
unwanted mail.
Schumer's plan also allows for entire e-mail domains to be put on the
list, so that marketers could be prevented from sending any unwanted
commercial mail to employees at a certain domain -- say,
washingtonpost.com.
The bill stops short of mandating the registry, instead directing the FTC
to develop a registry system within six months and to document technical
hurdles.
An FTC official said last night that the agency's position on a registry
has not changed and that even if a workable system could be devised, the
bill does not provide for the substantial additional resources that would
be required to implement it.
The official said that to protect the e-mail addresses on the list,
marketers would have to submit their databases to the agency, which would
then scrub them of names on the registry and return them.
"If we were to continue to believe it wouldn't work, Congress would
have to change the law" to force the FTC to institute the registry,
the official said.
But Schumer said that he is confident "this is now a downhill
road, as opposed to an uphill road" to getting a registry, and that
the odds are high that one will be in place in a year.
The White House issued a statement yesterday supporting passage of the
Burns-Wyden bill, though it did not address the registry question.
Yahoo and Microsoft, two of the largest Internet service providers, also
endorsed the bill yesterday, although they have opposed the registry
notion. The Coalition Against Unsolicited Commercial Email, which had
criticized the bill as being weak, also gave tentative support.
A similar bill in the House -- though without a registry provision -- is
still at the House Energy and Commerce Committee, where several
legislators want its language strengthened.
Committee Chairman W.J. "Billy" Tauzin (R.-La.) and Judiciary
Committee Chairman F. James Sensenbrenner Jr. (R-Wis.), two of the House
bill's sponsors, were embarrassed by revelations over the summer that
their staffs had been working closely with the marketing and retailing
industries in crafting the original version of the bill.
Some provisions have been changed, but not enough to break the logjam,
said one committee staff member. Differences between a House bill and the
Senate version would have to be reconciled in conference
committee.
Many in the business community are particularly anxious for a federal law
because they want it to supersede existing state laws that they consider
draconian.
In a memo sent out Tuesday to industry organizations, the U.S. Chamber of
Commerce said that a new California law set to take effect Jan. 1 would
hurt "almost every type of business across the
country."
The law, authored by California state Sen. Kevin Murray (D-Los Angeles),
prohibits all unsolicited commercial e-mail unless consumers have first
given their permission to receive it, a system known as
"opt-in" and supported by consumer groups.
The congressional bills are "opt-out," meaning that companies
can send e-mail but must honor consumers' requests to be free of future
mailings.
Joseph Rubin, the chamber's executive director of technology and
e-commerce, said many of his members fear that their marketing lists
would not qualify as opt-in under the terms of the California
law.
Many marketers also argue that one federal law will be easier to enforce
than a patchwork of state regulations.
"It sort of boggles the mind," responded Murray, who said that
no major corporation opposed his bill. "They have a rational
interest in uniformity of laws, but why not do the law that is the
strongest?"
*******************************
USA Today
Spam beginning to hurt e-mail use, report says
10/22/2003 6:22 PM
WASHINGTON (Reuters) -- The billions of "spam" messages that
cross the Internet daily are beginning to erode users' faith in e-mail
communications, according to a report released Wednesday.
Half of all Internet users say spam has made them less trusting of all
e-mail in general, the Pew Internet and American Life Project found,
while one in four say they now use e-mail less because of spam.
The nonprofit group's June survey of 1,400 Internet users found that most
feel they can do little to block the billions of get-rich-quick schemes,
ersatz painkillers, and other unwanted pitches that arrive in their
inboxes on a daily basis.
More than half said the flood of spam makes it difficult to find messages
they do want.
Spam now comprises roughly half of all e-mail messages, according to
several estimates, costing businesses billions of dollars in wasted
bandwidth and lost productivity.
Most respondents said they did not post their e-mail addresses to Web
sites in an effort to keep off spammers' lists, and many said they used
filters to block spam at work or home.
But others admitted to behavior likely to perpetuate the problem. Some 7%
said they had bought a product or service that was offered in an
unsolicited e-mail, while one-third said they had clicked a link to get
more information.
Two-thirds said they had clicked a link to be removed from a spammer's
e-mail list, an activity consumer advocates say is likely only to
generate more spam.
The Senate was debating an anti-spam measure Wednesday, and several
similar bills have been introduced in the House of Representatives.
*******************************
Australian IT
US raids online pharmacies
Catherine Wilson
OCTOBER 23, 2003
US FEDERAL agents have raided a third pharmacy as part of an
investigation into an internet-based network distributing diet drugs,
sleep aids and other prescriptions based on online customer
questionnaires.
The seizure of boxes full of colourful capsules at Rx Network of South
Florida came a day after a hearing on licenses stripped from another
pharmacy, Lifeline Pharmacy, and its wholesale supplier, C&H
Wholesale, in the same suburban office complex.
The US Drug Enforcement Administration (DEA) claims all three companies
violate federal licensing rules by filling orders for people who answer
questionnaires and order prescriptions over the internet without seeing
the authorising physician.
Lawyers for the pharmacy say federal law and regulations and laws in most
states do not go as far as a DEA policy saying doctors must perform
physical examinations before prescribing controlled medicine.
"They have valid prescriptions," Rx Network attorney Sean
Ellsworth said. "When Rx Network receives a prescription and there's
any question about the legitimacy of a prescription, a phone call is made
to that doctor."
The DEA's suspension of Rx Network's license on Wednesday came six months
after the state put the company on probation and fined it $US48,000
($68,000) for negligently dispensing excessive drugs 24 times.
DEA Drug Operations Chief Betsy Willis said that doctors are obligated to
make sure they are prescribing drugs for valid medical reasons.
"If a pharmacist fills a prescription knowing that it is based
solely upon a two-minute telephone consultation or an online
questionnaire, the pharmacist is also violating the law," she said.
Rx Network has dispensed more than 19 million doses of drugs since it
received its license in February 2001, the DEA said. Lifeline sold 2.9
million doses of prescription drugs, mostly for weight loss and sleep
aids, to online customers in less than three months this year.
Neither Rx Network, Lifeline nor C&H had web sites that sell
prescription drugs, but the pharmacies received prescriptions via email.
Lifeline and C&H are jointly owned, but Rx Network has different
owners.
*******************************
USA Today
FBI request to erase classified files nixed
By Ted Bridis, Associated Press
10/22/2003 2:08 PM
WASHINGTON -- The Justice Department sought extraordinary permission
to let the FBI conduct a search-and-destroy mission on any computers
harboring classified information about a 1980s case that temporarily
became public in a lawsuit. A federal judge, however, rejected the idea.
The request from federal prosecutors in Sacramento was considered highly
unusual by legal experts because it did not specify which computers the
government believed might contain the classified information or how
agents would retrieve and destroy information that already had been made
public.
"This stuns me," said Kate Martin, director for the
Washington-based Center for National Security Studies. "I have never
heard of them asking for such authority before. It's very disturbing that
the FBI is contemplating going out and secretly examining hard-drives to
see whether they contain this information."
Justice officials said they were reviewing whether to refile their
request.
At issue are two court filings in a lawsuit brought by a former FBI
counterintelligence agent. The filings made brief references to a
one-month undercover trip overseas in late 1987 by the agent, Lok T. Lau,
who was fired for shoplifting more than a decade later and is suing over
his dismissal.
The documents -- still containing the classified material -- were
available from the courthouse for up to 19 days and copies already have
been published on the Internet, including the Web site for the
Sacramento-based California First Amendment Coalition, an open-government
group.
The organization's lawyer, Terry Francke, said Tuesday he had not yet
been contacted by prosecutors or the FBI.
The government didn't tell the judge how it might determine who copied
the classified material onto the computers, nor did it suggest whether it
already has searched anyone's hard drives for the documents.
The unorthodox legal skirmish in Sacramento occurs amid heightened
sensitivity within the Bush administration over intelligence leaks, as
the Justice Department tries to find out who revealed the name of the
undercover CIA officer married to former Ambassador Joseph C. Wilson.
"It's completely unheard of that the FBI would try to exercise that
kind of control," said James X. Dempsey, an expert on national
security with the Center for Democracy and Technology in Washington.
U.S. District Judge Garland E. Burrell Jr. agreed with the government's
request to remove the classified documents from the court file and
substitute sanitized versions. But in his decision last week, Burrell
rejected as "unsupported by authority" the government's broader
request to seek out and delete any electronic copies that might have been
downloaded onto others' computers before they were effectively sealed.
The classified sections of the court papers describe a covert mission by
Lau in November 1987 to a country he doesn't identify. Lau said he was
warned the night before his trip that one of the FBI's "highly
placed assets" betrayed his identity as an undercover FBI agent,
but, to avoid confirming the disclosure, he did not cancel the trip.
"Personnel armed with machine guns were a constant reminder to me of
my fate if something went wrong, and there were frequent roadblocks on my
route of travel," Lau wrote. "I anticipated death on several
occasions, but I somehow survived it all."
Lau argued that the stress of his undercover assignments led to what he
describes as his "aberrant" behavior that resulted in his
firing. He said he was unconcerned he might be prosecuted for disclosing
classified information, noting that he withheld some details from his
court papers, such as the country where his mission took place.
"I know the bureau will try to prosecute me and discredit me at
every opportunity," Lau said. "Whatever national security
argument the FBI is making is hogwash."
Burrell denied the government's Oct. 10 motion "without
prejudice," meaning prosecutors may renew their request.
Assistant U.S. Attorney Kristin S. Door said she was researching laws
that might support such a decision. Door acknowledged that even she
doesn't have sufficient government clearance to read the classified
documents.
"We're hoping there has been no harm," Door said. "As soon
as the FBI determined it was classified, we moved promptly to try to
retrieve it from the public record."
*******************************
CNET News.com
See you later, anti-Gators?
Last modified: October 22, 2003, 12:21 PM PDT
By Paul Festa
Staff Writer, CNET News.com
In an effort to improve its corporate reputation, adware company Gator
has launched a legal offensive to divorce its name from the hated term
"spyware"--and so far its strategy is paying off.
In response to a libel lawsuit, an antispyware company has settled with
Gator and pulled Web pages critical of the company, its practices and its
software. And other spyware foes are getting the message.
"There is this feeling out there that they won the lawsuit, and
people are starting to get scared," said one employee of a
spyware-removal company, who asked not to be named. "We haven't been
sued, but we've heard that other companies are being sued for saying this
and that, so we've changed our language" on the company Web site.
Gator often distributes its application by bundling it with popular free
software like Kazaa and other peer-to-peer programs. When downloaded,
Gator's application serves pop-up and pop-under ads to people while
they're surfing the Web or when they visit specific sites. Ads can be
keyed to sites so that a pitch for low mortgage rates, say, can appear
when a surfer visits a rival financial company's site.
The distinction between such "adware," which can report back to
its creator with information about the computer user's surfing habits, so
as to allow for supposedly more effective ad serving, and
"spyware," which similarly monitors surfing habits and serves
up ads, is sometimes a hazy one, and lies at the heart of Gator's libel
suit.
Gator maintains that its software differs from spyware in that people are
clearly notified before they download it, and in that they do so in
exchange for a service, like the peer-to-peer software. Spyware,
the company maintains, is surreptitiously installed and gives the
unwitting computer user no benefit.
But critics of adware companies question how clearly such downloads are
marked--PC users may suddenly be deluged with pop-ups and have no idea
where they're coming from--and protest that companies like Gator are
collecting information without sufficiently accounting for what they do
with it.
The defendant in the Gator libel suit, PC Pitstop, offers software to
cleanse computers of spyware and other undesirable code, and until
signing a preliminary settlement with Gator on Sept. 30, vociferously
targeted Gator's application.
In settling the suit, which alleged false advertising, unfair business
practices, trade libel, defamation and tortious interference, PC Pitstop
apparently removed several pages from its Web site that referred to
Gator's application as spyware--along with many that went beyond that to
urge action against Gator itself.
Executives for both companies declined to discuss settlement terms,
citing a confidentiality agreement. But Gator advised a reporter to
"go to their new site and draw your own conclusions" about what
PC Pitstop did to comply with the settlement.
PC Pitstop used to publish pages on its Spyware Information Center titled
"Is Gator Spyware?" the "Gator Boycott List," and the
"Gator Quiz." Those pages are now gone. But as of Tuesday, they
could still be found in the Google cache, which keeps copies of missing
or unavailable Web pages for a limited time. (By Wednesday the cache of
those pages had expired.)
"PC Pitstop believes that Gator products degrade the quality of a
user's PC experience," read the cached PC Pitstop page urging a
boycott of companies advertising through Gator. "This belief is
based on our hands-on use of Gator products and experience with hundreds
of systems in our forums....Although Gator Corporation likes to make a
distinction and call their products 'adware,' other sources make no such
distinction. Independent research has shown that they collect extensive
information and have not clearly explained how the information is used
once it reaches the Gator servers."
A Gator executive said the suit, filed in U.S. District Court for the
Northern District of California, was part of a larger strategy to educate
spyware-removers about the company's software--and to put an end to the
practice of calling it "spyware."
"If we find anyone publicly calling us spyware, we correct it and
take action if necessary," said Scott Eagle, Gator's senior vice
president of marketing.
In addition to going on the offensive against detractors, Gator has spent
significant time in court defending its practices against the charges of
companies that run Web sites that Gator has targeted with its ads.
Gator in February settled litigation brought against it by the New York
Post, The New York Times, Dow Jones and other media companies. The
Washington Post, L.L. Bean and Extended Stay America have sued the
company, and their consolidated lawsuit will be decided by the Judicial
Panel on Multidistrict Litigation in Washington, D.C.
Meanwhile, the courts have smiled on a company that operates a similar ad
network. Last month, WhenU survived a legal challenge brought against it
by moving company U-Haul after WhenU served ads for U-Haul's competitors
on top of U-Haul Web pages.
Eagle declined to comment on other specific spyware-busters, such as the
New York City-based Enigma Software Group or InterMute, in Braintree,
Mass. Those companies have advertised that they can rid computers of
Gator--but their Web sites no longer mention the software. Eagle said he
could not talk about ongoing actions.
Enigma Software Group could not be reached for comment. InterMute, which
previously has spoken openly against Gator, declined to comment.
"Companies like Gator are the Goliath that average computer users
are up against in the war for online privacy," Ed English, CEO of
InterMute, said last month in an interview with CNET News.com.
Gator said it would take on its critics on a case-by-case basis.
"There are going to be detractor sites," Eagle said. "What
we can do is focus on education and getting the word out there. We have
discussions on this topic whenever we need to."
For its part, PC Pitstop said that, whatever the terms of its settlement,
it continued to target Gator's software on people's computers.
"PC Pitstop detects a variety of situations that we would consider
problems, including certain software that we didn't think was in the best
interest of the end user," said Dave Methvin, chief technology
officer for the Web-based start-up. "We currently detect and
recommend removal of Gator."
*******************************
Government Computer News
10/22/03
DHS team bounced 200 at borders
By Wilson P. Dizard III
The Homeland Security Department denied entry this year to 200 foreigners
who attempted to enter the country as students, undersecretary for Border
and Transportation Security Directorate Asa Hutchinson said today.
"We believe they posed a risk to America," he said.
Using the Student and Exchange Visitor Information System, which tracks
foreign students, the directorate's response team rejected the
applicants, Hutchinson told attendees at a conference held by the U.S.
Chamber of Commerce.
"The team responded to more than 8,000 calls," Hutchinson said.
In some cases, schools that the foreigners claimed they were attending
had no record of them, and in others the students had been expelled.
SEVIS has come under fire for system problems, with congressional
hearings and a General Accounting Office report revealing malfunctions.
Hutchinson said the directorate has worked with schools to correct the
problems. About 800,000 individuals are recorded in SEVIS and the system
processed entry by about 300,000 students for the academic year that
began in September.
The directorate plans to issue a regulation imposing a $100 fee on
foreigners who register with SEVIS for the first time, Hutchinson said.
DHS officials expect the fee to generate more than $30 million annually.
Congress provided $36 million to the Immigration and Naturalization
Service -- now part of DHS -- to start SEVIS but did not provide continuing
funding.
"We had two options," Hutchinson said. "We could put the
burden on taxpayers or on the people who receive the benefit."
*******************************
Government Executive
October 22, 2003
Senate panel OKs security bills, agency file-sharing crackdown
By Greta Wodele, National Journal's Technology Daily
The Senate Governmental Affairs Committee on Wednesday unanimously
approved several bills that would address homeland security and
technology issues.
One bill, S. 1612, would create a new office within the Homeland Security
Department to provide local and state "first responders" to
emergencies with counter-terrorism technology. Committee Chairwoman Susan
Collins, R-Maine, authored the measure, which would authorize $50
million annually to establish and run a competitive grant program based
on new criteria.
Four national law enforcement organizations, including the Fraternal
Order of Police, National Sheriffs' Association, International
Association of Chiefs of Police and Major Cities Chiefs, endorsed the
bill. It aims to fill a "technology gap" left by the
department's traditional grant program, which cannot be used to purchase
counter-terrorism technologies.
"By providing counter-terrorism technology to law enforcement
agencies, we can help our first responders to become 'first
preventers,'" Collins said.
The committee also approved measures, S. 1567 and H.R. 1416, that would
institute financial accountability at Homeland Security and fix drafting
mistakes in the law that created the department. One correction to the
law, which was enacted in January, would add language that had been
omitted from a provision defining "critical
infrastructure."
Michigan Democrat Carl Levin said he also wants language included in a
committee report for H.R. 1416 to clarify that the correction would not
expand the definition of critical infrastructure. He said an expanded
definition might affect an exemption from the Freedom of Information Act
for critical infrastructure.
The bill also would address language in the law that gave Homeland
Security Secretary Tom Ridge immigration-related powers and duties
previously reserved for the attorney general, John Ashcroft. A committee
aide questioned whether senators on the Judiciary Committee would support
the bill when the full Senate votes because of the jurisdiction issue
between Homeland Security and the Justice Department, which Ashcroft
heads.
The panel also approved a bill, H.R. 3159, that would require federal
departments to address security and privacy vulnerabilities to computer
networks that have arisen because of Internet file-sharing technology.
The House passed the measure earlier this month.
*******************************
Computerworld
Citing privacy law, senators seek probe of JetBlue
Lawmakers want to know if federal privacy laws were broken
Story by Dan Verton
OCTOBER 22, 2003 ( COMPUTERWORLD ) - WASHINGTON -- Lawmakers from the
Senate Governmental Affairs and Armed Services Committees have asked
Secretary of Defense Donald Rumsfeld to look into whether federal privacy
protection laws were violated when JetBlue Airways Corp. provided more
than 5 million passenger names, addresses, phone numbers and travel
itineraries to a Pentagon contractor working on a proof-of-concept
passenger-screening system.
In a letter to Rumsfeld on Oct. 17, Governmental Affairs Committee
Chairman Susan Collins (R-Maine), presidential candidate Sen. Joseph
Lieberman (D-Conn.) and Armed Services Committee member Carl Levin
(D-Mich.) said the data sharing between Forest Hills, N.Y.-based JetBlue
and Huntsville, Ala.-based Torch Concepts Inc. suggests "the
contractor may have violated the Privacy Act of 1974." They also
said the information sharing raises "disturbing questions about the
reliability of safeguards in place at the Defense Department to protect
Americans' privacy."
The proof-of-concept system is Torch's Acumen technology, which is
designed to conduct intelligent pattern-recognition searches and identify
latent relationships and behaviors that could point to potential
terrorist threats. The company first started working with the U.S. Army
on the technology in May 2002.
However, officials from the Transportation Security Administration, which
is now part of the U.S. Department of Homeland Security, allegedly helped
Torch purchase data on real passengers from Little Rock, Ark.-based Acxiom
Corp. for use in a test of the system. Torch then attempted to draw
inferences as to which data elements best distinguish normal JetBlue
passengers from past terrorists.
While some privacy groups have called for legal action in the matter,
congressional interest has focused even greater attention on the possible
misuse of the passenger information.
The Privacy Act requires federal agencies to publish a notice in the
Federal Register when a "system of records" is established. The
notice must describe what information about individuals the system will
contain, and it must describe how an individual can gain access to any
information pertaining to him. Likewise, the Privacy Act prohibits
disclosure of the personal information, including disclosure to other
agencies.
"The Privacy Act makes agencies responsible for ensuring that
contractors comply with the law's terms when establishing a system of
records on the agency's behalf," the senators wrote in their letter.
"Torch Concepts may well have created a system of records, as
defined by the Act, as the contractor was collecting and maintaining
personal information."
According to Collins, Lieberman and Levin, lawmakers are unaware of any
Privacy Act notice having been published by the Pentagon for this
particular system. "In the absence of such public notice, there is
less likelihood of public discussion and Congressional oversight
concerning adequacy of privacy protections," the senators wrote.
"It also appears that passenger information was shared with others,
which may constitute a violation of the Act."
The senators also said that the Privacy Act and its criminal penalties
apply to defense contractors in the same way as to employees of the
government and that the Defense Department has an "affirmative
obligation" to ensure compliance by its contractor. "We
question whether that has happened in this case," they wrote.
*******************************
USA Today
Protection orders to be delivered electronically
10/22/2003 5:50 PM
BISMARCK, N.D. (AP) -- Domestic violence protection orders will be
delivered electronically to North Dakota law enforcement agencies by the
end of the year, the state court administrator says.
The Web-based program will enter the protection orders in a state
registry and in a national domestic violence registry, Ted Gladden said.
"If officers have computers in their cars, they'll be able to bring
the actual copy of the order up on the computer and read what the
provisions are," Gladden said.
Under the current system, officers have to contact a county in which the
protection order was issued to get details, he said. The electronic
system has been tested in Burleigh County, he said, and domestic violence
advocates and court clerks are being trained to use it.
"In some locations, where they've got Internet access, the advocates
will be entering the petition information on computer, so that when
somebody sits down at a safe house and is working with an advocate, they
can go in and enter all the vital information," Gladden said.
"In other locations, where they don't have Internet access, that
data will be entered by court personnel," he said.
The cost of the system is estimated at about $50,000.
*******************************
Wired News
Plumbing Depths of Data Mining
02:00 AM Oct. 23, 2003 PT
WASHINGTON -- On this, everyone in the gold-tinged, eagle-frescoed Senate
conference room agreed: Federal authorities badly want to be able to comb
the data trails of ordinary people in order to spot terrorists. But what
-- if any -- limits should be put on that frighteningly invasive power? A
panel of lawmakers, think tankers, data miners and civil libertarians
assembled here Tuesday couldn't even begin to make up their minds.
Congress has yanked the funding for Terrorism Information Awareness, the
Pentagon's notorious überdatabase effort. But research into TIA-like
projects continues, essentially unrestricted. Tomes of regulations tell
spooks and cops and g-men how they can amass intelligence and gather
evidence. But much of the data mined by these children of TIA -- like
itineraries, school transcripts and credit card receipts -- might not
fall under those traditional definitions. There's only a vague sense that
these database-combing programs can't be allowed to grow out of
control.
"When somebody buys a ticket on Delta Airlines in Munich, Germany,
if there's any potential for (that person to have) a suspicious
background, I want bells and whistles to go off on that computer,"
Sen. Saxby Chambliss (R-Ga.) told the group of 25 or so policy makers
assembled in the Russell Senate Office Building's third floor by the
Potomac Institute for Policy Studies, a Washington think tank. But
Congress "won't allow (intelligence) agencies" to "truly
gather information on people's personal lives."
Nice words. But as Jim Dempsey, executive director of the Center for
Democracy & Technology, notes, "none of us really have the
answer" for how to put them into action.
"We haven't begun to figure it out," added Brandon Milhorn, the
counsel for the Senate Select Committee on Intelligence.
For example, the panel's moderator, Daniel Gallington, a longtime Justice
and Defense Department official turned Potomac research fellow, floated a
seemingly innocuous idea: that information legally collected by the FBI,
CIA and local law enforcers should be combined and made searchable. Since
9/11, information sharing has become a mantra among these groups, after
all.
But even this close-to-clichéd notion was met with resistance. A
"global database" could be much harder to correct than a mosaic
of distributed information centers, noted Peter Raven-Hansen, a professor
of national security law at George Washington University. A single
misspelling could associate an innocent person with suspicious
activities, marking that person as a potential enemy of the state for a
lifetime.
There are two ways, generally, that an unfortunate soul could wind up on
this master list, in theory. Both are problematic. The FBI, looking for
terrorists, has the authority to examine broad swaths of the population
-- without their knowledge. Does that mean that everyone who has ever
been to flight school or visited a mosque now is on the suspect database?
Local cops, on the other hand, investigate people for specific crimes. So
is anyone who's ever been convicted for selling a dime bag of marijuana
added to the global database for terrorism forever?
These questions concerning how to structure a search get only more
complicated when the data is collected by private companies, not the
government. After all, looking at the criminal record of a drug dealer is
a whole lot less problematic than examining grandma's credit card
receipts.
Dr. Robert Popp -- who briefly oversaw TIA and similar efforts for Darpa,
the Pentagon's research arm -- extended the idea of "selective
revelation" to solve this problem. The idea is that broad sweeps
through the infosphere would be anonymous, at first. He said
"statistics, not a list of names" would be the result of
searches for people applying for truck drivers' licenses and ordering
lots of fuel and fertilizer, for instance.
Specific people's identities would only be revealed if the query became
more focused -- a hunt, say, for the few individuals with truck licenses
who bought fertilizer in New Jersey during the week of May 14. Such
revelations would be approved by a judge, the thinking goes, similar to
the way that wiretaps of potential spies have been overseen since the
'70s.
That's hardly a comforting model for civil libertarians. The Foreign
Intelligence Surveillance Court, which approves such procedures, meets in
secret. The people who are investigated have no way of defending
themselves before this tribunal; they're not even represented, in fact.
No wonder, then, that the government's win-loss record before the court
puts the Yankees to shame: about 13,500 wiretaps approved to two turned
down, according to professor Raven-Hansen's estimates.
Despite these concerns, Milhorn, with the Senate's intelligence
committee, said he thinks this court -- and similar means of oversight --
will handle data-mining requests just fine.
"There's a history of restrictions on collection by intelligence
agencies and law enforcement -- a history of restriction on disseminating
that information," he said. "To me, while there might be
modifications at the edges, the general rules have been in place for
20-some-odd years."
Gallington, the panel's moderator, isn't so sure. When the
intelligence-gathering regulations were written in the '70s, lawmakers
couldn't have imagined the massive loads of information companies now
routinely collect on their customers. Nor could they have foreseen how
keen the feds would be to get their hands on this private-sector data.
That's why, he said, there ought to be a whole new set of rules -- and a
whole new system of oversight -- for the information gathered in the
fight against terror.
Article on End to funding of TIA
http://www.wired.com/news/privacy/0,1848,60588,00.html
*******************************