Center for Democracy and Technology
Working for Democratic Values in a Digital Age
PolicyBeta - Digital Policy in Process

Archive for the 'Security & Freedom' Category

DHS Can’t Admit Its Own Mistakes

Friday, May 9th, 2008

Back in April, I blogged about how Department of Homeland Security Secretary Michael Chertoff was “dead wrong” when he testified before the Senate that personal information can’t be “skimmed” from an unencrypted barcode, which all driver’s licenses will have under the REAL ID program. Chertoff completely denied that there are any privacy risks associated with the REAL ID card’s “machine-readable zone.”

Sen. Feingold, D-WI, was right to question Chertoff’s testimony that day and followed up with a letter asking the Secretary to further explain why he thought citizens’ personal information wasn’t at risk or why they couldn’t be tracked by scanning REAL ID cards during a multitude of transactions. Just this week, DHS responded to Sen. Feingold via letter. The Department again shirked responsibility for ensuring that Americans’ personal information stored on REAL ID cards is protected and not accessible by unauthorized parties – businesses and government agencies alike.

As with virtually all REAL ID privacy issues, DHS has punted the security of the machine-readable zone (i.e., barcode) to the states. CDT has consistently highlighted this as a key privacy issue (among many), arguing that the REAL ID program in total should be scrapped. Or, at the very least, the privacy and security shortfalls should be addressed by new legislation. Congress must act soon because DHS clearly can’t be trusted to meaningfully protect personal privacy.

Chertoff did not sign the DHS response letter. This saved the Secretary the embarrassment of admitting that he was the one who was wrong on this matter and not the privacy advocates seeking to protect the security of Americans from identity theft and other threats by raising the issue.

Court Tells Travelers: Leave the Laptop Behind or Risk a Search

Thursday, May 1st, 2008

A federal appellate court ruled that the government can freely search and save the files travelers maintain on their laptops when coming back to the U.S. from an out-of-country trip. The case, United States v. Arnold, No. 06-50581, 2008 U.S. App. LEXIS 8590 (9th Cir., April 21, 2008), has put business travelers in a tizzy and may pique the attention of members of Congress.

The case turns on the travails of Michael Arnold. As Arnold was re-entering the U.S. from a trip to the Philippines, he was pulled out of line at the checkpoint, questioned about his travels, and directed by an official of U.S. Customs and Border Patrol (CBP) to turn on his computer so they could verify that it was functioning. CBP officials opened files that appeared on the computer’s desktop screen, discovered that they contained pictures of nude women, then opened other files and found images depicting what they believed to be child pornography. Arnold was arrested and his computer was seized.

Chertoff Disagrees with the Rest of His Agency, Again

Wednesday, April 16th, 2008

Nine days ago, Sophia Cope blogged about how Homeland Security Secretary Michael Chertoff suggested that REAL IDs cannot be skimmed, in sharp contrast to DHS REAL ID Regs, which clearly say that the REAL ID is at risk of skimming. Today, CDT Fellow Peter Swire blogged on the Center for American Progress Web site about a new Chertoff statement where he said that “fingerprints aren’t ‘Personal Data.’” Swire shows that this comment lies in sharp contrast to DHS’ stated policy that fingerprints are “personally identifiable information.”

It is now time for DHS to make clear: is Chertoff purposely suggesting changes to existing policy, or are these both misstatements?

Chertoff’s Defense of REAL ID is “Dead Wrong”

Monday, April 7th, 2008

Department of Homeland Security Secretary Michael Chertoff has a hard job. Among other things, it’s his responsibility to make sure that our country isn’t attacked by terrorists and that undocumented immigrants don’t cross our borders. So it’s understandable when he vociferously defends his Department’s efforts at “protecting the homeland.” But it’s inexcusable when the guy is simply factually (and vociferously) wrong on an important policy issue.

On April 2, Chertoff, testifying before the Senate Judiciary Committee during a hearing on DHS oversight, had the gall to say that public interest groups have been putting out “misinformation” and are “dead wrong” about the privacy and civil liberties risks of REAL ID. Yet it was the Secretary who put out misinformation and was dead wrong about the risk of the wrong people gaining access to personal information stored in the REAL ID card’s “machine-readable zone” (MRZ).

Specifically, Chertoff said – in response to a question from Sen. Feingold – that it would be impossible to “skim” personal information off REAL ID cards, all of which will have a DHS-mandated two-dimensional (2D) barcode as the MRZ. An MRZ is a section of an ID card that stores digitized personal information that can be quickly scanned and collected by an electronic reader. Other MRZ examples are the common magnetic stripe or the one-dimensional bar code like those seen on grocery packages. Chertoff asserted that the skimming of personal information can only happen with RFID chips. He also said that DHS is not mandating that REAL ID cards have an RFID chip (this actually is true).

While CDT is glad that DHS is not mandating an RFID chip for REAL ID cards, the Secretary is nevertheless – in his words – dead wrong. The RFID chip isn’t the only “machine-readable zone” that can be scanned and from which personal information can be collected. Police officers regularly scan the various MRZs of state driver’s licenses, as do businesses such as bars that seek to verify that patrons are over 21.


National Privacy Standards Needed for America’s “Cammed Nation”

Friday, March 7th, 2008

Washington, D.C. recently joined the club of cities, including Chicago, San Francisco, New York, Baltimore, and Philadelphia, that conduct live monitoring of citizens through closed circuit television cameras (CCTV).

Hundreds of millions of dollars granted by the Department of Homeland Security to state and local governments have greatly expanded the use of CCTV in the U.S. since 2001. Yet there are no national standards to ensure that video surveillance programs are effective and do not trample our right to privacy and other civil liberties. In light of the questionable efficacy, and a myriad of privacy concerns associated with CCTV, the leadership within DHS needs to step up and take the lead in implementing appropriate use policies.

The D.C. Metropolitan Police Department has followed the national trend of greater surveillance in public areas. It has installed 73 CCTV surveillance cameras since August 2006, and as of November of 2007, has been live-monitoring 54 of them. And in 2008, it will use $630,000 of DHS grant money to replace 18 cameras in the downtown area. D.C. officers can rotate angles for a different view, zoom in on faces, and pick up license plates from cars several blocks away. Live monitoring has been widely criticized due to the large number of criminal and institutional abuses that have taken place. Widely noted abuse cases have sprung up both in the U.S. and around the world where officers have used CCTV to ogle women, look into bedroom windows, watch couples in romantic situations, target minorities, and monitor political activities - just to name a few.

The Truth about (Telecom) Immunity

Thursday, February 21st, 2008

Administration officials are complaining about House Democrats stalling legislation that would grant immunity to any telecommunications carrier that assisted with its domestic spying program. Without that immunity cloak, the White House says, telecoms will hesitate to cooperate with such programs in the future.

It’s true that telecom assistance is crucial to successful electronic surveillance. But what’s getting lost in all the heated rhetoric is that telecoms, under current law, already have immunity when they assist in lawful electronic surveillance. Congress specifically gave telecoms that legal cover in the Foreign Intelligence Surveillance Act.

Civil Liberties Don’t Expire

Saturday, February 16th, 2008

The heated rhetoric this week of trying to place blame for the expiration of the Protect America Act (PAA) obscures important civil liberties issues surrounding intelligence surveillance.

No doubt: the President is playing politics with national security by trying to corner House Democrats into accepting a deeply flawed Senate bill.

And for what? Most of the government’s intelligence surveillance authorities survive, despite the sunset of the PAA; expiration of that law will have little immediate effect. That’s because the PAA allows surveillance authorizations to continue at least six months after the sunset date. Read that sentence again.

If a new surveillance target is identified after the law sunsets, in most cases intelligence agents will be able to add the target to an existing authorization. Moreover, the Foreign Intelligence Surveillance Act itself – which the PAA amended – is still in place and is no doubt still being used to authorize surveillance. In short, the NSA isn’t “going dark” when the PAA expires.

Congress Must Act Soon to Address the Privacy Disaster That is REAL ID

Monday, February 11th, 2008

Last month, after almost three years, the Department of Homeland Security released its much-anticipated final regulations to implement the controversial REAL ID Act of 2005.

In light of DHS’ final rules, CDT released an analysis of the REAL ID program, concluding that REAL ID will do little to make the driver’s license a more reliable identity document, but will create huge privacy and civil liberties risks for hundreds of millions of Americans.

We listed five main criticisms of REAL ID:

  • The REAL ID card will become a de facto national ID card, particularly if it becomes required for more purposes. We recently blogged about such “mission creep.”
  • REAL ID will likely result in the creation of a central ID database, which will threaten the privacy and security of 240 million Americans. I recently wrote an op-ed piece about this issue, which DHS has for the time being left unresolved. And when DHS is finally ready to make a decision about what technical architecture will be built to implement REAL ID, the Department will likely not solicit public input.
  • DHS is mandating a standardized and unencrypted Machine-Readable Zone (MRZ), which will facilitate intrusive tracking by both government and commercial entities, thereby exacerbating a serious existing problem.
  • Following a lack of explicit Congressional authority under the Act, DHS failed to adopt meaningful privacy and security standards for the protection of personal information in the REAL ID system.
  • In a related initiative, DHS is creating driver’s licenses with embedded, insecure RFID chips (“Enhanced Driver’s Licenses”) that will threaten the personal privacy and security of American citizens, without Congressional oversight or an administrative rulemaking.


REAL ID for Sudafed? Call it ‘Mission Creep’

Monday, February 4th, 2008

Just five days after the Department of Homeland Security released the final regulations to implement the REAL ID Act, DHS Assistant Secretary for Policy Stewart Baker suggested yet another terrifying use of the controversial ID card: to buy Sudafed. This followed the Department’s official position in the final rules that it has no intention of turning REAL ID into a national ID card, and will limit its required uses to those called for in the law. But Baker’s suggestion is just the sort of mission creep that worries us here at CDT.

In the final regulations, DHS appropriately limited the required use of REAL ID to just three situations: boarding commercial airplanes, entering federal buildings, and entering nuclear power plants. However, Baker suggested that REAL ID could also help combat methamphetamine production: “If you have good ID… you make it much harder for the meth labs to function in this country.” Listen to Baker’s speech at the Heritage Foundation.

OMB Continues Progress on Privacy

Tuesday, January 22nd, 2008

The Office of Management and Budget has been quietly ramping up its privacy requirements. Since the security scare of having a Veterans Affairs laptop containing the personal information of 26.5 million veterans and active-duty military stolen was resolved, OMB has offered no less than six memos related to privacy:

M-07-19, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (July 25, 2007) (43 pages, 251 kb);

M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007) (22 pages, 228 kb);

Recommendations for Identity Theft Related Data Breach Notification (September 20, 2006) (12 pages, 1,903 kb);

M-06-20, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (July 17, 2006) (42 pages, 301 kb);

M-06-19, Reporting Incidents Involving Personally Identifiable Information Incorporating the Cost for Security in Agency Information Technology Investments (July 12, 2006) (2 pages, 41 kb);

M-06-15, Safeguarding Personally Identifiable Information (May 22, 2006) (2 pages, 50 kb).

And on Friday they issued an eighth memo:

M-08-09, New FISMA Privacy Reporting Requirements for FY 2008 (January 18, 2008). Among other things, this guidance requires agencies to report on privacy issues including those that are not covered by the Privacy Act.

While this is a positive step and shows that OMB is indeed beginning to show real leadership on privacy issues (in contrast to GAO’s June 2003 report entitled Privacy Act: OMB Leadership Needed to Improve Agency Compliance), CDT is still urging OMB to move forward, including efforts toward best practices for privacy impact assessments (PIAs) as we explained in our recent testimony on E-Government Act Reauthorization in front of the Senate Homeland Security and Government Affairs Committee. OMB has been supportive of the passage of this legislation, but could move forward with best practices even without it.
