The Departments of State and Homeland Security want to create a passport card — intended to be a cheaper and more efficient alternative to the passport book — for Americans returning to the U.S. from Canada, Mexico or the Caribbean by land or sea. The departments have proposed to put a Radio Frequency Identification (RFID) tag in the passport card that can be read from several yards away. CDT submitted comments on Jan. 7 explaining that the passport card proposal raises a host of privacy and security concerns.

CDT explained that the RFID technology proposed for the passport card is inappropriate for human identification and proof of citizenship. It is an inherently insecure technology originally designed to increase the efficiency of the supply chain by permitting fast, unhindered long-range wireless communication between product tags and computerized readers. CDT highlighted the Departments’ failure to explain how cardholders’ privacy will be protected — in particular, how the RFID-enabled passport card will not be used to track individuals, or be used as another unique identifier (like the Social Security Number) to link to vast amounts of personal information unrelated to border management. Furthermore, CDT noted that if the passport card were made properly secure, the purported benefits of the chosen RFID technology (i.e., lower cost and increased efficiency) would disappear – thus calling into question the desirability of the entire passport card program.

We submitted follow-up comments on January 23 related to a nuanced but important technical issue. We had asserted that the RFID protocol chosen for the passport card calls for a 32-bit password that controls access to a tag’s unique number. We argued, however, that the password is discoverable, thus enabling the discovery of the tag’s unique number and creating a significant privacy risk for the cardholder. After we submitted our initial comments, we learned that although an earlier iteration of the RIFD protocol did provide for a password to control access to a tag’s unique number, the current version does not include such a password. In our follow up comments, we urged the Departments to clarify whether the RFID-enabled passport card will use a password as a security mechanism, and what privacy risks exist both with and without a password.

This past weekend, OpenCRS reached an important milestone.  The website, maintained by CDT, hit three million reports downloaded.  The website, as of this writing, contains 11,361 CRS reports that have been collected in a number of ways, including collections from groups such as the Federation of American Scientists and the National Council for Science and the Environment, and from individual citizens requesting reports from Members of Congress, then submitting them to OpenCRS.  The one way they haven’t been collected is straight from the Congressional Research Service itself.

CRS has been a closed book for a long time, and it’s about to get just a bit worse, as Steven Aftergood from Secrecy News reports.  The director of CRS has put in place a new media interaction policy intended to limit CRS researchers’ communications with the media.  We’re not convinced that closing off CRS even further is the right move at this point in time.

Aftergood’s blog post contained an additional interesting note that caught my eye, however, as he points out that CRS is becoming more and more important to the society at large, and to the media in particular.  He mentions that “the number of citations to CRS in the Nexis news database rose from 2,076 in 2004 to 3,101 in 2005 to 4,179 in 2006.”  I think it’s no great coincidence that OpenCRS was launched in the summer of 2005, providing the media with access to the CRS reports they needed to write their stories.

Anyone interested in seeing more CRS reports can do two things: First, check out the front page of OpenCRS and request the report we have listed on the top from your Congressman.  Second, ask your Representative and Senators to support the McCain/Leahy/Shays efforts to force CRS to make its reports readily available to the public.

Earlier today we released our comprehensive legislative recommendations for 2007. This Congress will face a lot of big decisions — on issues ranging from privacy to free speech — that could have lasting impact on the Internet as we know it. In light of the growing attempts among lawmakers in recent years to exert greater control over Internet, that’s a somewhat unnerving concept. But by the same token, this Congress will have a great many opportunities to reestablish an approach to high-tech policy that respects both civil liberties and innovation.

Our agenda, which we’ll be distributing to key lawmakers in Congress in the coming days, includes a short treatise on what lawmakers need to know about Internet policymaking, as well as issue-by-issue legislative recommendations.

The underlying message is this: the Internet did not evolve to become one of the most robust, democratic communications tools the world has ever known by accident. An important element of the Internet’s success can be attributed to policymakers who realized early on that the Internet was different than anything they had yet encountered, and as such it required a different regulatory approach. That message remains true today, and that’s what we’ll be telling lawmakers as the 110th Congress gathers steam.

Earlier today we announced our participation in a joint effort intended to address the challenging civil liberties issues that arise when technology companies expand internationally. The joint process actually ties together several independent efforts begun by major high companies, academics and public interest advocates, including a series of consultations that CDT coordinated last year.

From our perspective, there are few technology policy issues in the International arena of greater concern, and we deeply commend all of the technology companies, academic leaders, human rights advocates, investors and others who have agreed to participate in the process. Particular commendation is due the high-tech companies that have been at the vanguard of this effort. Their commitment to getting out ahead of a difficult issue like this sets a very good example.

As I said in our press release: “Technology companies have played a vital role building the economy and providing tools important for democratic reform in developing countries. But some governments have found ways to turn technology against their citizens — monitoring legitimate online activities and censoring democratic material It is vital that we identify solutions that preserve the enormous democratic value provided by technological development, while at the same time protecting the human rights and civil liberties of those who stand to benefit from that expansion.”

This is an issue that will require a nuanced approach. People in developing nations stand to benefit enormously from technological expansion, and its a trend we should be encouraging, but it is incumbent that the broad technology community also identify solutions to ensure that such development strengthens, rather than weakens free expression and liberty in those countries.

Today’s announcement is an early step, but a very important one. CDT is committed to doing everything it can to make the joint process a success.

Senator Russ Feingold (D-Wisc.) and a bipartisan group of 23 Senators have introducuced a bill, S.223 that would require Senate candidates to file their campaign finance reports electronically. This bill is long overdue, and Feingold should be applauded for pushing this issue. Frankly, the Senate should be embarrassed if this bill is not promptly passed into law.

Candidates for the House of Representatives are required to file their campaign finance reports electronically. The Federal Election Commission can then turn around and immediately make the reports available online. Senate candidates’ reports, in contrast, are only filed in paper form, and it takes a huge amount of effort to key in the data so it is searchable in electronic form. This means, for example, that the last report that is due before a Senate election may not be searchable online until after the election. S.223 would fix this imbalance and make Senate campaign info as readily available as House info.

The availability of campaign finance reports in electronic form has greatly heightened the ability of the public — including political bloggers — to scrutinize the campaign spending of candidates, which has in turn increased the transparency of election campaigns. The blogosphere should strongly support this bill.

The Senate Judiciary Committee used its first hearing of the new Congress to examine the privacy and national security issues associated with government data mining programs. Our Executive Director, Leslie Harris, testified. I watched online. Like any Congressional hearing, things wandered a bit (I learned that former Rep. Bob Barr is in the Borat movie), but it is clear that some Senators are seriously trying to find ways to advance national security without sacrificing privacy, due process, and accountability. The hearing also demonstrated that getting there won’t be easy.

All the witnesses agreed that “data mining” is hard to define. CDT believes that a good enough definition — at least for policymaking purposes — would focus on predictive or pattern-based scans of large sets of data, where the goal is to assign risk scores or find individuals whose behavior matches some pattern believed to be associated with terrorist or criminal behavior. This definition would exclude one-to-one searches, such as comparing air passenger lists against watch-lists of suspected terrorists, which pose a different set of problems. It would exclude link analysis, where the government starts with some known or suspected terrorist and tries to draw a picture of the enterprise of which he may be a part, a technique that seems quite close to traditional law enforcement and intelligence. It would include the Automated Targeting System, which the government recently admitted it is using to assign a risk assessment to all travelers entering or leaving the US, including citizens. (Last month, CDT joined other privacy groups in comments examining the problems associated with the secret re-direction of ATS against individuals).

Today’s witnesses generally agreed that the Executive Branch should be more transparent — at least with Congress — about what data mining programs the government is running. Senators Feingold (D-WI), Sununu (R-NH) and others introduced today a bill that would require the Executive Branch to report to Congress on its use of predictive or pattern-based data mining. It would seem indisputable that such a law would be an appropriate first step, at the very least from a good government standpoint: how are the intelligence and homeland security agencies spending their money?

(more…)

This year promises to be extremely busy on the tech policy front. One of our first acts of 2007 was to urge the Departments of State and Homeland Security to rethink a proposal for the creation of a high-tech ID card that could be used in place of a passport by Americans who make frequent trips to Canada, Mexico and the Caribbean.

The PASS (People Access Security Service) card would use RFID (radio frequency identification) technology to identify citizens as they approach U.S. land border crossings. Theoretically, the cards would be a little cheaper than passport books, and would allow for swifter crossings, since citizens could be identified from many feet away. Sounds good in theory, but the RFID standard proposed for the PASS card was intended to track inventory, not to be used on cards linked to a wealth of sensitive personal data. This technology was designed specifically to be insecure to increase supply chain efficiency. Using if for something as sensitive as managing border crossings in a post-9/11 world raises serious questions about both privacy and security.

In our comments, submitted this past weekend, we urge policy makers to determine whether it would be worth trying to fix the problems with the PASS card proposal. Addressing the security and privacy concerns associated with the PASS cards may make them nearly as expensive as the new electronic passports. Since cost savings has been cited as one of the key advantages of the cards, policymakers may want to rethink the program altogether. It is also unclear to us whether there is any great benefit in being able to identify a PASS cardholder from 20 feet away. Border agents will still need to get up close to make sure that the information on the face of the card and the information pulled from the back-end database matches the person crossing the border, so its likely that the promised convenience of the card may not materialize as expected.