
Clips October 23, 2003




ARTICLES

Students Fight E-Vote Firm
Senate Votes 97-0 To Restrict E-Mail Ads
US raids online pharmacies
FBI request to erase classified files nixed
See you later, anti-Gators?
DHS team bounced 200 at borders
Senate panel OKs security bills, agency file-sharing crackdown
Citing privacy law, senators seek probe of JetBlue
Protection orders to be delivered electronically
Plumbing Depths of Data Mining 
*******************************
Wired News
Students Fight E-Vote Firm
 
A group of students at Swarthmore College in Pennsylvania has launched an "electronic civil disobedience" campaign against voting machine maker Diebold Election Systems.

The students are protesting efforts by Diebold to prevent them and other website owners from linking to some 15,000 internal company memos that reveal the company was aware of security flaws in its e-voting software for years but sold the faulty systems to states anyway. The memos were leaked to voting activists and journalists by a hacker who broke into an insecure Diebold FTP server in March.

Diebold has been sending out cease-and-desist letters to force websites and ISPs to take down the memos, which the company says were stolen from its server in violation of copyright law. It has been using the Digital Millennium Copyright Act, or DMCA, to force ISPs to take down sites hosting the memos or sites containing links to the memos.

Diebold did not respond to Wired News' requests for comment.

Bev Harris, owner of the Black Box Voting site and author of a book on the electronic voting industry, was one of the first people to post the memos before a letter from Diebold threatened her with litigation.

Half a dozen other people hosting the memos in the United States, Canada, Italy and New Zealand also have received letters forcing them to take the material down.

Why War?, a nonprofit student organization at Swarthmore, and the Swarthmore Coalition for the Digital Commons, also composed of Swarthmore students, announced plans to defy Diebold and their college ISP.

Why War? posted the memos on its website about two weeks ago but moved them to a student's computer after the college ISP received a cease-and-desist letter.

The college notified the student, who wishes to remain anonymous, that it would disconnect his Internet service if he didn't remove the memos. But Luke Smith, a sophomore, said students are planning to bypass that threat by hosting the memos on different machines. Each time one machine is shut down by Diebold, they will move the memos to another machine, passing them from student to student.

"They're using copyright law as a means of suppressing information that needs to be public," Smith said. "It's a great example of how copyright law can be against the public good rather than for it, as it was originally intended."

He added, "It's not like people are reading these memos in order to steal Diebold's election system. (The company is) trying to use this law, and specifically the mandatory take-down section, to conceal flaws that directly affect the validity of election results. This is a threat to our democracy."

The DMCA, passed by Congress in 1998, includes a "safe harbor" provision that allows ISPs to remove material from the Web that allegedly violates a copyright without suffering legal repercussions from the person who posted the material. The law allows the ISP to remove the content for a minimum of 10 days.

Will Doherty, media relations director for the Electronic Frontier Foundation, said companies have been using the safe-harbor provision to stifle free speech online, and ISPs have caved in to the threats rather than risk facing legal action from the copyright holder.

"We support the right of Swarthmore students or anyone for that matter to link to or to publish information about electronic voting systems that is vital to debate over democratic process," Doherty said.

Doherty and the EFF launched their own resistance campaign last week after a news site, the Independent Media Center, and its Internet provider, the Online Policy Group, received a cease-and-desist letter from Diebold. In addition to his position at EFF, Doherty is executive director of the Online Policy Group, a nonprofit organization that focuses on digital privacy and rights issues.

The Independent Media Center didn't actually post the Diebold memos on its site. However, Diebold objected when a contributor to the news service posted links to other sites that were hosting the memos.

Even if the Independent Media Center had posted the memos, Doherty said the Online Policy Group still would support its right to do so.

"These documents indicate the potential for widespread election fraud in the U.S. or wherever else Diebold voting machines are being used," he said.

The Diebold memos contain a trove of information about the internal workings of the electronic voting machine manufacturer, which has been criticized for poor programming practices.

Among the revelations in the memos was news that the Microsoft Access database used by the Diebold system to count votes was not protected by a password. This means anyone could alter votes by entering the database through an insecure backdoor, via physical access to the machine or remotely, via the phone system.

The memos also reveal that the audit log, which records any activity in the Access database, could be easily altered so that an intruder could erase a record of the intrusion.

These security flaws were pointed out to Diebold in 2001 in memos from a firm that was being paid to audit and certify the software. A Diebold engineer responded by saying the company preferred not to password-protect the database because it was easier for them (presumably Diebold employees) to go into the software and do "end-runs" in the system -- a term that describes when someone changes software to fix or work around coding problems.

Other memos indicate that patches were installed in systems after the systems already were certified and delivered to states.

In a January 2002 memo, Ken Clark, a Diebold engineer, discussed modifying voting software designed for machines in California. Because the state was likely to reject a change so late in the game, he proposed making the change as a bug fix to pass muster with election officials rather than undergoing lengthy certification procedures.

Smith, who plans to major in computational linguistics, said members of the public wouldn't have to fight to expose Diebold's business practices if election officials were doing their job.

"It would be great if they were more rigorous but apparently they've dropped the ball because these systems have already been implemented," he said. "There's a definite need to make this info public."

Smith said he's surprised by Diebold's stance regarding the memos.

"If I were Diebold I wouldn't claim copyright protection; I'd claim I hadn't written the memos," he said. "They knowingly created a system that doesn't even have a semblance of security. And then they pass it off on the American public in the name of modernization."

Smith said his group plans to launch a campaign this week to recruit more students to participate in the revolt.

"We're advocating freedom of information and open-source standards," he said. "If there's anything the public has an inherent right to look in on, it's voting technology. That's why we're pushing this."
*******************************
Washington Post
Senate Votes 97-0 To Restrict E-Mail Ads
Bill Could Lead to No-Spam Registry
By Jonathan Krim
Thursday, October 23, 2003; Page A01


The Senate approved the nation's first federal anti-spam legislation last night after reaching a compromise that also opens the door to a national no-spam registry similar to the do-not-call list for telemarketers.

The bill, sponsored by Sens. Conrad Burns (R-Mont.) and Ron Wyden (D-Ore.), was approved 97 to 0. It targets the most unsavory senders of unsolicited commercial e-mail by prohibiting messages that peddle financial scams, fraudulent body-enhancement products and pornography.

The legislation also draws on amendments from Sens. Patrick J. Leahy (D-Vt.) and Orrin G. Hatch (R-Utah) that would criminalize the techniques used by spammers to thwart detection -- disguising identities, masking the locations of computers used to send junk e-mail and automating spam attacks.

The action comes as spam's stranglehold on e-mail communication is growing. By some estimates, spam now accounts for 60 percent of all e-mail traffic and is costing businesses and consumers roughly $10 billion per year.

In a poll released yesterday by the Pew Internet & American Life Project, 25 percent of respondents said that spam is causing them to curtail their use of e-mail.

The Burns-Wyden bill has been supported by the marketing, retailing and Internet-access industries, which argue that a federal law should be written carefully to avoid inhibiting legitimate marketers from sending e-mail advertising that consumers may want.

But several anti-spam and consumer groups have argued that the bill has too many loopholes that could enable so-called legitimate marketers to bombard consumers with unwanted e-mail.

The bill would preempt all state anti-spam laws, some of which are tougher than the Burns-Wyden bill. And it would prohibit private lawsuits against spammers, allowing suits only by providers of e-mail accounts, such as Yahoo Inc., Microsoft Corp., EarthLink Inc. and America Online Inc., all of which also market to their own members.

But after months of negotiations, the bill now includes a provision, supported by some opponents of spam, that directs the Federal Trade Commission to come up with a plan for a no-spam registry.

The registry, proposed by Sen. Charles E. Schumer (D-N.Y.) and supported by a range of groups including the Christian Coalition of America and the Coalition Against Unsolicited Commercial Email, would be similar to the FTC's do-not-call list, which prohibits telemarketers from calling any phone number that consumers place on the list.

The direct-marketing industry won a preliminary court challenge to the list, but the FTC is enforcing it pending an appeal. In the meantime, the list has been wildly popular, attracting more than 50 million numbers.

To date, however, FTC Chairman Timothy J. Muris has opposed a no-spam registry, arguing that it would be unenforceable because spammers would ignore it and that it would be hard to keep the e-mail addresses secure.

Supporters of a registry say it would at least control many ostensibly legitimate marketers that fail to honor consumer requests to be free of unwanted mail.

Schumer's plan also allows for entire e-mail domains to be put on the list, so that marketers could be prevented from sending any unwanted commercial mail to employees at a certain domain -- say, washingtonpost.com.

The bill stops short of mandating the registry, instead directing the FTC to develop a registry system within six months and to document technical hurdles.

An FTC official said last night that the agency's position on a registry has not changed and that even if a workable system could be devised, the bill does not provide for the substantial additional resources that would be required to implement it.

The official said that to protect the e-mail addresses on the list, marketers would have to submit their databases to the agency, which would then scrub them of names on the registry and return them.

"If we were to continue to believe it wouldn't work, Congress would have to change the law" to force the FTC to institute the registry, the official said.

But Schumer said that he is confident "this is now a downhill road, as opposed to an uphill road" to getting a registry, and that the odds are high that one will be in place in a year.

The White House issued a statement yesterday supporting passage of the Burns-Wyden bill, though it did not address the registry question.

Yahoo and Microsoft, two of the largest Internet service providers, also endorsed the bill yesterday, although they have opposed the registry notion. The Coalition Against Unsolicited Commercial Email, which had criticized the bill as being weak, also gave tentative support.

A similar bill in the House -- though without a registry provision -- is still at the House Energy and Commerce Committee, where several legislators want its language strengthened.

Committee Chairman W.J. "Billy" Tauzin (R-La.) and Judiciary Committee Chairman F. James Sensenbrenner Jr. (R-Wis.), two of the House bill's sponsors, were embarrassed by revelations over the summer that their staffs had been working closely with the marketing and retailing industries in crafting the original version of the bill.

Some provisions have been changed, but not enough to break the logjam, said one committee staff member. Differences between a House bill and the Senate version would have to be reconciled in conference committee.

Many in the business community are particularly anxious for a federal law because they want it to supersede existing state laws that they consider draconian.

In a memo sent out Tuesday to industry organizations, the U.S. Chamber of Commerce said that a new California law set to take effect Jan. 1 would hurt "almost every type of business across the country."

The law, authored by California state Sen. Kevin Murray (D-Los Angeles), prohibits all unsolicited commercial e-mail unless consumers have first given their permission to receive it, a system known as "opt-in" and supported by consumer groups.

The congressional bills are "opt-out," meaning that companies can send e-mail but must honor consumers' requests to be free of future mailings.

Joseph Rubin, the chamber's executive director of technology and e-commerce, said many of his members fear that their marketing lists would not qualify as opt-in under the terms of the California law.

Many marketers also argue that one federal law will be easier to enforce than a patchwork of state regulations.

"It sort of boggles the mind," responded Murray, who said that no major corporation opposed his bill. "They have a rational interest in uniformity of laws, but why not do the law that is the strongest?"
*******************************
USA Today
Spam beginning to hurt e-mail use, report says
10/22/2003 6:22 PM

WASHINGTON (Reuters) -- The billions of "spam" messages that cross the Internet daily are beginning to erode users' faith in e-mail communications, according to a report released Wednesday.

Half of all Internet users say spam has made them less trusting of all e-mail in general, the Pew Internet and American Life Project found, while one in four say they now use e-mail less because of spam.

The nonprofit group's June survey of 1,400 Internet users found that most feel they can do little to block the billions of get-rich-quick schemes, ersatz painkillers, and other unwanted pitches that arrive in their inboxes on a daily basis.

More than half said the flood of spam makes it difficult to find messages they do want.

Spam now comprises roughly half of all e-mail messages, according to several estimates, costing businesses billions of dollars in wasted bandwidth and lost productivity.

Most respondents said they did not post their e-mail addresses to Web sites in an effort to keep off spammers' lists, and many said they used filters to block spam at work or home.

But others admitted to behavior likely to perpetuate the problem. Some 7% said they had bought a product or service that was offered in an unsolicited e-mail, while one-third said they had clicked a link to get more information.

Two-thirds said they had clicked a link to be removed from a spammer's e-mail list, an activity consumer advocates say is likely only to generate more spam.

The Senate was debating an anti-spam measure Wednesday, and several similar bills have been introduced in the House of Representatives.
*******************************
Australian IT
US raids online pharmacies
Catherine Wilson
OCTOBER 23, 2003 
 
US FEDERAL agents have raided a third pharmacy as part of an investigation into an internet-based network distributing diet drugs, sleep aids and other prescriptions based on online customer questionnaires.

The seizure of boxes full of colourful capsules at Rx Network of South Florida came a day after a hearing on licenses stripped from another pharmacy, Lifeline Pharmacy, and its wholesale supplier, C&H Wholesale, in the same suburban office complex.

The US Drug Enforcement Administration (DEA) claims all three companies violate federal licensing rules by filling orders for people who answer questionnaires and order prescriptions over the internet without seeing the authorising physician.

Lawyers for the pharmacy say federal law and regulations and laws in most states do not go as far as a DEA policy saying doctors must perform physical examinations before prescribing controlled medicine.

"They have valid prescriptions," Rx Network attorney Sean Ellsworth said. "When Rx Network receives a prescription and there's any question about the legitimacy of a prescription, a phone call is made to that doctor."

The DEA's suspension of Rx Network's license on Wednesday came six months after the state put the company on probation and fined it $US48,000 ($68,000) for negligently dispensing excessive drugs 24 times.

DEA Drug Operations Chief Betsy Willis said that doctors are obligated to make sure they are prescribing drugs for valid medical reasons.

"If a pharmacist fills a prescription knowing that it is based solely upon a two-minute telephone consultation or an online questionnaire, the pharmacist is also violating the law," she said.

Rx Network has dispensed more than 19 million doses of drugs since it received its license in February 2001, the DEA said. Lifeline sold 2.9 million doses of prescription drugs, mostly for weight loss and sleep aids, to online customers in less than three months this year.

Neither Rx Network, Lifeline nor C&H had web sites that sell prescription drugs, but the pharmacies received prescriptions via email. Lifeline and C&H are jointly owned, but Rx Network has different owners.
*******************************
USA Today
FBI request to erase classified files nixed
By Ted Bridis, Associated Press
10/22/2003 2:08 PM

WASHINGTON -- The Justice Department sought extraordinary permission to let the FBI conduct a search-and-destroy mission on any computers harboring classified information about a 1980s case that temporarily became public in a lawsuit. A federal judge, however, rejected the idea.

The request from federal prosecutors in Sacramento was considered highly unusual by legal experts because it did not specify which computers the government believed might contain the classified information or how agents would retrieve and destroy information that already had been made public.

"This stuns me," said Kate Martin, director for the Washington-based Center for National Security Studies. "I have never heard of them asking for such authority before. It's very disturbing that the FBI is contemplating going out and secretly examining hard-drives to see whether they contain this information."

Justice officials said they were reviewing whether to refile their request.

At issue are two court filings in a lawsuit brought by a former FBI counterintelligence agent. The filings made brief references to a one-month undercover trip overseas in late 1987 by the agent, Lok T. Lau, who was fired for shoplifting more than a decade later and is suing over his dismissal.

The documents -- still containing the classified material -- were available from the courthouse for up to 19 days and copies already have been published on the Internet, including the Web site for the Sacramento-based California First Amendment Coalition, an open-government group.

The organization's lawyer, Terry Francke, said Tuesday he had not yet been contacted by prosecutors or the FBI.

The government didn't tell the judge how it might determine who copied the classified material onto the computers, nor did it suggest whether it already has searched anyone's hard drives for the documents.

The unorthodox legal skirmish in Sacramento occurs amid heightened sensitivity within the Bush administration over intelligence leaks, as the Justice Department tries to find out who revealed the name of the undercover CIA officer married to former Ambassador Joseph C. Wilson.

"It's completely unheard of that the FBI would try to exercise that kind of control," said James X. Dempsey, an expert on national security with the Center for Democracy and Technology in Washington.

U.S. District Judge Garland E. Burrell Jr. agreed with the government's request to remove the classified documents from the court file and substitute sanitized versions. But in his decision last week, Burrell rejected as "unsupported by authority" the government's broader request to seek out and delete any electronic copies that might have been downloaded onto others' computers before they were effectively sealed.

The classified sections of the court papers describe a covert mission by Lau in November 1987 to a country he doesn't identify. Lau said he was warned the night before his trip that one of the FBI's "highly placed assets" betrayed his identity as an undercover FBI agent, but, to avoid confirming the disclosure, he did not cancel the trip.

"Personnel armed with machine guns were a constant reminder to me of my fate if something went wrong, and there were frequent roadblocks on my route of travel," Lau wrote. "I anticipated death on several occasions, but I somehow survived it all."

Lau argued that the stress of his undercover assignments led to what he describes as his "aberrant" behavior that resulted in his firing. He said he was unconcerned he might be prosecuted for disclosing classified information, noting that he withheld some details from his court papers, such as the country where his mission took place.

"I know the bureau will try to prosecute me and discredit me at every opportunity," Lau said. "Whatever national security argument the FBI is making is hogwash."

Burrell denied the government's Oct. 10 motion "without prejudice," meaning prosecutors may renew their request.

Assistant U.S. Attorney Kristin S. Door said she was researching laws that might support such a decision. Door acknowledged that even she doesn't have sufficient government clearance to read the classified documents.

"We're hoping there has been no harm," Door said. "As soon as the FBI determined it was classified, we moved promptly to try to retrieve it from the public record."
*******************************
CNET News.com
See you later, anti-Gators?
Last modified: October 22, 2003, 12:21 PM PDT
By Paul Festa
Staff Writer, CNET News.com

In an effort to improve its corporate reputation, adware company Gator has launched a legal offensive to divorce its name from the hated term "spyware"--and so far its strategy is paying off.

In response to a libel lawsuit, an antispyware company has settled with Gator and pulled Web pages critical of the company, its practices and its software. And other spyware foes are getting the message.

"There is this feeling out there that they won the lawsuit, and people are starting to get scared," said one employee of a spyware-removal company, who asked not to be named. "We haven't been sued, but we've heard that other companies are being sued for saying this and that, so we've changed our language" on the company Web site.

Gator often distributes its application by bundling it with popular free software like Kazaa and other peer-to-peer programs. When downloaded, Gator's application serves pop-up and pop-under ads to people while they're surfing the Web or when they visit specific sites. Ads can be keyed to sites so that a pitch for low mortgage rates, say, can appear when a surfer visits a rival financial company's site.

The distinction between such "adware," which can report back to its creator with information about the computer user's surfing habits, so as to allow for supposedly more effective ad serving, and "spyware," which similarly monitors surfing habits and serves up ads, is sometimes a hazy one, and lies at the heart of Gator's libel suit.

Gator maintains that its software differs from spyware in that people are clearly notified before they download it, and in that they do so in exchange for a service, like the peer-to-peer software.  Spyware, the company maintains, is surreptitiously installed and gives the unwitting computer user no benefit.

But critics of adware companies question how clearly such downloads are marked--PC users may suddenly be deluged with pop-ups and have no idea where they're coming from--and protest that companies like Gator are collecting information without sufficiently accounting for what they do with it.

The defendant in the Gator libel suit, PC Pitstop, offers software to cleanse computers of spyware and other undesirable code, and until signing a preliminary settlement with Gator on Sept. 30, vociferously targeted Gator's application.

In settling the suit, which alleged false advertising, unfair business practices, trade libel, defamation and tortious interference, PC Pitstop apparently removed several pages from its Web site that referred to Gator's application as spyware--along with many that went beyond that to urge action against Gator itself.

Executives for both companies declined to discuss settlement terms, citing a confidentiality agreement. But Gator advised a reporter to "go to their new site and draw your own conclusions" about what PC Pitstop did to comply with the settlement.

PC Pitstop used to publish pages on its Spyware Information Center titled "Is Gator Spyware?" the "Gator Boycott List," and the "Gator Quiz." Those pages are now gone. But as of Tuesday, they could still be found in the Google cache, which keeps copies of missing or unavailable Web pages for a limited time. (By Wednesday the cache of those pages had expired.)

"PC Pitstop believes that Gator products degrade the quality of a user's PC experience," read the cached PC Pitstop page urging a boycott of companies advertising through Gator. "This belief is based on our hands-on use of Gator products and experience with hundreds of systems in our forums....Although Gator Corporation likes to make a distinction and call their products 'adware,' other sources make no such distinction. Independent research has shown that they collect extensive information and have not clearly explained how the information is used once it reaches the Gator servers."

A Gator executive said the suit, filed in U.S. District Court for the Northern District of California, was part of a larger strategy to educate spyware-removers about the company's software--and to put an end to the practice of calling it "spyware."

"If we find anyone publicly calling us spyware, we correct it and take action if necessary," said Scott Eagle, Gator's senior vice president of marketing.

In addition to going on the offensive against detractors, Gator has spent significant time in court defending its practices against the charges of companies that run Web sites that Gator has targeted with its ads.

Gator in February settled litigation brought against it by the New York Post, The New York Times, Dow Jones and other media companies. The Washington Post, L.L. Bean and Extended Stay America have sued the company, and their consolidated lawsuit will be decided by the Judicial Panel on Multidistrict Litigation in Washington, D.C.

Meanwhile, the courts have smiled on a company that operates a similar ad network. Last month, WhenU survived a legal challenge brought against it by moving company U-Haul after WhenU served ads for U-Haul's competitors on top of U-Haul Web pages.

Eagle declined to comment on other specific spyware-busters, such as the New York City-based Enigma Software Group or InterMute, in Braintree, Mass. Those companies have advertised that they can rid computers of Gator--but their Web sites no longer mention the software. Eagle said he could not talk about ongoing actions.

Enigma Software Group could not be reached for comment. InterMute, which previously has spoken openly against Gator, declined to comment.

"Companies like Gator are the Goliath that average computer users are up against in the war for online privacy," Ed English, CEO of InterMute, said last month in an interview with CNET News.com.

Gator said it would take on its critics on a case-by-case basis.

"There are going to be detractor sites," Eagle said. "What we can do is focus on education and getting the word out there. We have discussions on this topic whenever we need to."

For its part, PC Pitstop said that, whatever the terms of its settlement, it continued to target Gator's software on people's computers.

"PC Pitstop detects a variety of situations that we would consider problems, including certain software that we didn't think was in the best interest of the end user," said Dave Methvin, chief technology officer for the Web-based start-up. "We currently detect and recommend removal of Gator."
*******************************
Government Computer News
10/22/03
DHS team bounced 200 at borders
By Wilson P. Dizard III

The Homeland Security Department denied entry this year to 200 foreigners who attempted to enter the country as students, undersecretary for Border and Transportation Security Directorate Asa Hutchinson said today.

"We believe they posed a risk to America," he said.

Using the Student and Exchange Visitor Information System, which tracks foreign students, the directorate's response team rejected the applicants, Hutchinson told attendees at a conference held by the U.S. Chamber of Commerce.

"The team responded to more than 8,000 calls," Hutchinson said.

In some cases, schools that the foreigners claimed they were attending had no record of them, and in others the students had been expelled.

SEVIS has come under fire for system problems, with congressional hearings and a General Accounting Office report revealing malfunctions.

Hutchinson said the directorate has worked with schools to correct the problems. About 800,000 individuals are recorded in SEVIS and the system processed entry by about 300,000 students for the academic year that began in September.

The directorate plans to issue a regulation imposing a $100 fee on foreigners who register with SEVIS for the first time, Hutchinson said. DHS officials expect the fee to generate more than $30 million annually. Congress provided $36 million to the Immigration and Naturalization Service -- now part of DHS -- to start SEVIS but did not provide continuing funding.

"We had two options," Hutchinson said. "We could put the burden on taxpayers or on the people who receive the benefit."
*******************************
Government Executive
October 22, 2003
Senate panel OKs security bills, agency file-sharing crackdown
By Greta Wodele, National Journal's Technology Daily

The Senate Governmental Affairs Committee on Wednesday unanimously approved several bills that would address homeland security and technology issues.

One bill, S. 1612, would create a new office within the Homeland Security Department to provide local and state "first responders" to emergencies with counter-terrorism technology. Committee Chairwoman Susan Collins, R-Maine, authored the measure, which would authorize $50 million annually to establish and run a competitive grant program based on new criteria.

Four national law enforcement organizations, including the Fraternal Order of Police, National Sheriffs' Association, International Association of Chiefs of Police and Major Cities Chiefs, endorsed the bill. It aims to fill a "technology gap" left by the department's traditional grant program, which cannot be used to purchase counter-terrorism technologies.

"By providing counter-terrorism technology to law enforcement agencies, we can help our first responders to become 'first preventers,' " Collins said.

The committee also approved measures, S. 1567 and H.R. 1416, that would institute financial accountability at Homeland Security and fix drafting mistakes in the law that created the department. One correction to the law, which was enacted in January, would add language that had been omitted from a provision defining "critical infrastructure."

Michigan Democrat Carl Levin said he also wants language included in a committee report for H.R. 1416 to clarify that the correction would not expand the definition of critical infrastructure. He said an expanded definition might affect an exemption from the Freedom of Information Act for critical infrastructure.

The bill also would address language in the law that gave Homeland Security Secretary Tom Ridge immigration-related powers and duties previously reserved for the attorney general, John Ashcroft. A committee aide questioned whether senators on the Judiciary Committee would support the bill when the full Senate votes because of the jurisdiction issue between Homeland Security and the Justice Department, which Ashcroft heads.

The panel also approved a bill, H.R. 3159, that would require federal departments to address security and privacy vulnerabilities to computer networks that have arisen because of Internet file-sharing technology. The House passed the measure earlier this month.
*******************************
Computerworld
Citing privacy law, senators seek probe of JetBlue
Lawmakers want to know if federal privacy laws were broken
Story by Dan Verton

OCTOBER 22, 2003 ( COMPUTERWORLD ) - WASHINGTON -- Lawmakers from the Senate Governmental Affairs and Armed Services Committees have asked Secretary of Defense Donald Rumsfeld to look into whether federal privacy protection laws were violated when JetBlue Airways Corp. provided more than 5 million passenger names, addresses, phone numbers and travel itineraries to a Pentagon contractor working on a proof-of-concept passenger-screening system.

In a letter to Rumsfeld on Oct. 17, Governmental Affairs Committee Chairman Susan Collins (R-Maine), presidential candidate Sen. Joseph Lieberman (D-Conn.) and Armed Services Committee member Carl Levin (D-Mich.) said the data sharing between Forest Hills, N.Y.-based JetBlue and Huntsville, Ala.-based Torch Concepts Inc. suggests "the contractor may have violated the Privacy Act of 1974." They also said the information sharing raises "disturbing questions about the reliability of safeguards in place at the Defense Department to protect Americans' privacy."

The proof-of-concept system is Torch's Acumen technology, which is designed to conduct intelligent pattern-recognition searches and identify latent relationships and behaviors that could point to potential terrorist threats. The company first started working with the U.S. Army on the technology in May 2002.

However, officials from the Transportation Security Administration, which is now part of the U.S. Department of Homeland Security, allegedly helped Torch purchase data on real passengers from Little Rock, Ark.-based Acxiom Corp. for use in a test of the system. Torch then attempted to draw inferences as to which data elements best distinguish normal JetBlue passengers from past terrorists.

While some privacy groups have called for legal action in the matter, congressional interest has focused even greater attention on the possible misuse of the passenger information.

The Privacy Act requires federal agencies to publish a notice in the Federal Register when a "system of records" is established. The notice must describe what information about individuals the system will contain, and it must describe how an individual can gain access to any information pertaining to him. Likewise, the Privacy Act prohibits disclosure of the personal information, including disclosure to other agencies.

"The Privacy Act makes agencies responsible for ensuring that contractors comply with the law's terms when establishing a system of records on the agency's behalf," the senators wrote in their letter. "Torch Concepts may well have created a system of records, as defined by the Act, as the contractor was collecting and maintaining personal information."

According to Collins, Lieberman and Levin, lawmakers are unaware of any Privacy Act notice having been published by the Pentagon for this particular system. "In the absence of such public notice, there is less likelihood of public discussion and Congressional oversight concerning adequacy of privacy protections," the senators wrote. "It also appears that passenger information was shared with others, which may constitute a violation of the Act."

The senators also said that the Privacy Act and its criminal penalties apply to defense contractors in the same way as to employees of the government and that the Defense Department has an "affirmative obligation" to ensure compliance by its contractor. "We question whether that has happened in this case," they wrote.
*******************************
USA Today
Protection orders to be delivered electronically
10/22/2003 5:50 PM

BISMARCK, N.D. (AP) -- Domestic violence protection orders will be delivered electronically to North Dakota law enforcement agencies by the end of the year, the state court administrator says.
The Web-based program will enter the protection orders in a state registry and in a national domestic violence registry, Ted Gladden said.

"If officers have computers in their cars, they'll be able to bring the actual copy of the order up on the computer and read what the provisions are," Gladden said.

Under the current system, officers have to contact a county in which the protection order was issued to get details, he said. The electronic system has been tested in Burleigh County, he said, and domestic violence advocates and court clerks are being trained to use it.

"In some locations, where they've got Internet access, the advocates will be entering the petition information on computer, so that when somebody sits down at a safe house and is working with an advocate, they can go in and enter all the vital information," Gladden said.

"In other locations, where they don't have Internet access, that data will be entered by court personnel," he said.

The cost of the system is estimated at about $50,000.
*******************************
Wired News
Plumbing Depths of Data Mining 
02:00 AM Oct. 23, 2003 PT

WASHINGTON -- On this, everyone in the gold-tinged, eagle-frescoed Senate conference room agreed: Federal authorities badly want to be able to comb the data trails of ordinary people in order to spot terrorists. But what -- if any -- limits should be put on that frighteningly invasive power? A panel of lawmakers, think tankers, data miners and civil libertarians assembled here Tuesday couldn't even begin to make up their minds.

Congress has yanked the funding for Terrorism Information Awareness, the Pentagon's notorious überdatabase effort. But research into TIA-like projects continues, essentially unrestricted. Tomes of regulations tell spooks and cops and g-men how they can amass intelligence and gather evidence. But much of the data mined by these children of TIA -- like itineraries, school transcripts and credit card receipts -- might not fall under those traditional definitions. There's only a vague sense that these database-combing programs can't be allowed to grow out of control.

"When somebody buys a ticket on Delta Airlines in Munich, Germany, if there's any potential for (that person to have) a suspicious background, I want bells and whistles to go off on that computer," Sen. Saxby Chambliss (R-Ga.) told the group of 25 or so policy makers assembled in the Russell Senate Office Building's third floor by the Potomac Institute for Policy Studies, a Washington think tank. But Congress "won't allow (intelligence) agencies" to "truly gather information on people's personal lives."

Nice words. But as Jim Dempsey, executive director of the Center for Democracy & Technology, notes, "none of us really have the answer" for how to put them into action.

"We haven't begun to figure it out," added Brandon Milhorn, the counsel for the Senate Select Committee on Intelligence.

For example, the panel's moderator, Daniel Gallington, a longtime Justice and Defense Department official turned Potomac research fellow, floated a seemingly innocuous idea: that information legally collected by the FBI, CIA and local law enforcers should be combined and made searchable. Since 9/11, information sharing has become a mantra among these groups, after all.

But even this close-to-clichéd notion was met with resistance. A "global database" could be much harder to correct than a mosaic of distributed information centers, noted Peter Raven-Hansen, a professor of national security law at George Washington University. A single misspelling could associate an innocent person with suspicious activities, marking that person as a potential enemy of the state for a lifetime.

There are two ways, generally, that an unfortunate soul could wind up on this master list, in theory. Both are problematic. The FBI, looking for terrorists, has the authority to examine broad swaths of the population -- without their knowledge. Does that mean that everyone who has ever been to flight school or visited a mosque now is on the suspect database? Local cops, on the other hand, investigate people for specific crimes. So is anyone who's ever been convicted for selling a dime bag of marijuana added to the global database for terrorism forever?

These questions concerning how to structure a search get only more complicated when the data is collected by private companies, not the government. After all, looking at the criminal record of a drug dealer is a whole lot less problematic than examining grandma's credit card receipts.

Dr. Robert Popp -- who briefly oversaw TIA and similar efforts for Darpa, the Pentagon's research arm -- extended the idea of "selective revelation" to solve this problem. The idea is that broad sweeps through the infosphere would be anonymous, at first. He said "statistics, not a list of names" would be the result of searches for people applying for truck drivers' licenses and ordering lots of fuel and fertilizer, for instance.

Specific people's identities would only be revealed if the query became more focused -- a hunt, say, for the few individuals with truck licenses who bought fertilizer in New Jersey during the week of May 14. Such revelations would be approved by a judge, the thinking goes, similar to the way that wiretaps of potential spies have been overseen since the '70s.

That's hardly a comforting model for civil libertarians. The Foreign Intelligence Surveillance Court, which approves such procedures, meets in secret. The people who are investigated have no way of defending themselves before this tribunal; they're not even represented, in fact. No wonder, then, that the government's win-loss record before the court puts the Yankees to shame: about 13,500 wiretaps approved to two turned down, according to professor Raven-Hansen's estimates.

Despite these concerns, Milhorn, with the Senate's intelligence committee, said he thinks this court -- and similar means of oversight -- will handle data-mining requests just fine.

"There's a history of restrictions on collection by intelligence agencies and law enforcement -- a history of restriction on disseminating that information," he said. "To me, while there might be modifications at the edges, the general rules have been in place for 20-some-odd years."

Gallington, the panel's moderator, isn't so sure. When the intelligence-gathering regulations were written in the '70s, lawmakers couldn't have imagined the massive loads of information companies now routinely collect on their customers. Nor could they have foreseen how keen the feds would be to get their hands on this private-sector data. That's why, he said, there ought to be a whole new set of rules -- and a whole new system of oversight -- for the information gathered in the fight against terror.

Article on End to funding of TIA
http://www.wired.com/news/privacy/0,1848,60588,00.html
*******************************