The heated rhetoric this week of trying to place blame for the expiration of the Protect American Act (PAA) obscures important civil liberties issues surrounding intelligence surveillance.

No doubt: the President is playing politics with national security by trying to corner House Democrats into accepting a deeply flawed Senate bill.

And for what? Most of the government’s intelligence surveillance authorities survive, despite the sunset of the PAA; expiration of that law will have little immediate effect. That’s because the PAA allows surveillance authorizations to continue at least six months after the sunset date. Read that sentence again.

If a new surveillance target is identified after the law sunsets, in most cases intelligence agents will be able to add the target to an existing authorization. Moreover, the Foreign Intelligence Surveillance Act itself – which the PAA amended – is still in place and is no doubt still being used to authorize surveillance. In short, the NSA isn’t “going dark” when the PAA expires.
(more…)

Last month, after almost three years, the Department of Homeland Security released its much-anticipated final regulations to implement the controversial REAL ID Act of 2005.

In light of DHS’ final rules, CDT released an analysis of the REAL ID program, concluding that REAL ID will do little to make the driver’s license a more reliable identity document, but will create huge privacy and civil liberties risks for hundreds of millions of Americans.

We listed five main criticisms of REAL ID:

• The REAL ID card will become a de facto national ID card, particularly if it becomes required for more purposes. We recently blogged about such “mission creep.”
• REAL ID will likely result in the creation of a central ID database, which will threaten the privacy and security of 240 million Americans. I recently wrote an op-ed piece about this issue, which DHS has for the time being left unresolved. And when DHS is finally ready make a decision about what technical architecture will be built to implement REAL ID, the Department will likely not solicit public input.
• DHS is mandating a standardized and unencrypted Machine-Readable Zone (MRZ), which will facilitate intrusive tracking by both government and commercial entities, thereby exacerbating a serious existing problem.
• Following a lack of explicit Congressional authority under the Act, DHS failed to adopt meaningful privacy and security standards for the protection of personal information in the REAL ID system.
• In a related initiative, DHS is creating driver’s licenses with imbedded, insecure RFID chips (”Enhanced Driver’s Licenses”) that will threaten the personal privacy and security of American citizens, without Congressional oversight or an administrative rulemaking.

(more…)

Just five days after the Department of Homeland Security released the final regulations to implement the REAL ID Act, DHS Assistant Secretary for Policy Stewart Baker suggested yet another terrifying use of the controversial ID card: to buy Sudafed. This followed the Department’s official position in the final rules that it has no intention of turning REAL ID into a national ID card, and will limit its required uses to those called for in the law. But Baker’s suggestion is just the sort of mission creep that worries us here at CDT.

In the final regulations, DHS appropriately limited the required use of REAL ID to just three situations: boarding commercial airplanes, entering federal buildings, and entering nuclear power plants. However, Baker suggested that REAL ID could also help combat methamphetamine production: “If you have good ID… you make it much harder for the meth labs to function in this country.” Listen to Baker’s speech at the Heritage Foundation.
(more…)

The Office of Management and Budget has been quietly ramping up its privacy requirements. Since the security scare of having a Veteran Affairs laptop containing the personal information of 26.5 million veteran and active-duty military stolen was resolved, OMB has offered no less than six memos related to privacy:

M-07-19, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (July 25, 2007) (43 pages, 251 kb);

M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007) (22 pages, 228 kb);

Recommendations for Identity Theft Related Data Breach Notification (September 20, 2006) (12 pages, 1,903 kb);

M-06-20, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (July 17, 2006) (42 pages, 301 kb);

M-06-19, Reporting Incidents Involving Personally Identifiable Information Incorporating the Cost for Security in Agency Information Technology Investments (July 12, 2006) (2 pages, 41 kb);

M-06-15, Safeguarding Personally Identifiable Information (May 22, 2006) (2 pages, 50 kb).

And on Friday they issued an eighth memo:

M-08-09, New FISMA Privacy Reporting Requirements for FY 2008 (January 18, 2008). Among other things, this guidance requires agencies to report on privacy issues including those that are not covered by the Privacy Act.

While this is a positive step and shows that OMB is indeed beginning to show real leadership on privacy issues (in contrast to GAO’s June 2003 report entitled Privacy Act: OMB Leadership Needed to Improve Agency Compliance), CDT is still urging OMB to move forward, including efforts toward best practices for privacy impact assessments (PIAs) as we explained in our recent testimony on E-Government Act Reauthorization in front of the Senate Homeland Security and Government Affairs Committee. OMB has been supportive of the passage of this legislation, but could move forward with best practices even without it.

This week’s highlighted report:

The Foreign Intelligence Surveillance Act: A Brief Overview of Selected Issues
RL34279 Dec. 7th, 2007

From the report’s summary:

This report briefly outlines three such issues and touches upon some of the perspectives reflected in the ongoing debate. These issues include the inherent and often dynamic tension between national security and civil liberties, particularly rights of privacy and free speech; the need identified by the Director of National Intelligence (DNI), Admiral Mike McConnell, for the Intelligence Community to be able to efficiently and effectively collect foreign intelligence information from the communications of foreign persons located outside the United States in a changing, fast paced, and technologically sophisticated international environment, and the differing approaches suggested to meet this need; and limitations of liability for those electronic communication service providers who furnish aid to the federal government in its foreign intelligence collection.

CDT’s OpenCRS project collects and indexes Congressional Research Service (CRS) reports and makes them available to the public free of charge. Each week, PolicyBeta features a CRS report on an important topic. For more reports, or to help contribute new reports to the OpenCRS database, visit the Web site.

Recently, some strong criticism has been voiced about a Congressional proposal entitled “The Violent Radicalization and Homegrown Terrorism Prevention Act.” While some valid points are being made, the fervor and attention being given the bill is disproportionate in light of greater and more urgent threats to civil liberties. Moreover, there is actually a good intent behind the bill: to study the potential problem of homegrown terrorism and develop a rational response. The bill would create a study commission. Rather than opposing the bill, civil liberties advocates should work to improve it and then, if it becomes law, to show the Commission and the public why dissent is an antidote to terrorism, not a precursor to it.

Summary of the Violent Radicalization Bill
The bill that is drawing attention is H.R. 1955, written by Rep. Jane Harman (D-CA), who happens to be one of the most thoughtful and approachable Members of Congress on issues of national security and civil liberties. The bill passed the House on October 23, 2007, by a vote of 404 to 6. A companion bill in the Senate is S. 1959, introduced by Sen. Susan Collins (R-ME), another respected and responsible lawmaker.

The House version would do two things: It would establish a National Commission, variously called the “National Commission on the Prevention of Violent Radicalization and Homegrown Terrorism” or the “National Commission on the Prevention of Violent Radicalization and Ideologically Based Violence.” And it would direct the Secretary of Homeland Security to establish or designate a university-based Center for Excellence “to study the social, criminal, political, psychological, and economic roots of violent radicalization and homegrown terrorism in the United States and methods that can be utilized by Federal, State, local, and tribal homeland security officials to mitigate violent radicalization and homegrown terrorism.”
(more…)

The REAL ID boondoggle drags on. The REAL ID Act was passed in 2005 yet the Department of Homeland Security still has not issued implementing regulations. Proposed regulations were published by DHS in March of this year. Now there are rumblings that the final regulations, initially expected late summer, will be released around Christmas or even after the New Year.

Back in May we submitted extensive comments to DHS highlighting the utter lack of meaningful privacy and security standards for the protection of personal information in the proposed regulations. Now some believe that the final regulations will be even more stripped down than the proposed regulations were. This doesn’t bode well for privacy or security, and underscores what CDT and many other civil liberties advocates have been saying for a long time: the REAL ID Act itself is fundamentally flawed and must be revisited by Congress.

In particular, the REAL ID Act paves the way for making centrally accessible highly sensitive personal information on virtually every American, including copies of birth certificates, Social Security Cards, passports and other personal documents. This will create an extremely valuable central source of identification data that would be vulnerable to terrorists, ID thieves, and unscrupulous DMV or other state and federal employees.

(more…)

I have nothing against the French. I never ordered “Freedom Fries” with my hamburger; the French Foreign Legion helped fuel my adolescent fantasies of adventure and wanderlust; and much later Brigitte Bardot helped fuel my… well, you get my drift. But I admit to being peeved at them for the hubris contained in the recent announcement of a three-way pact among the French government, Internet Service Providers, and the entertainment industry to try and crack down on illegal file sharing.

The agreement puts ISPs at the forefront of a scheme requiring the companies to monitor each citizen’s online activity on the chance that illegal file sharing might be happening, an act that instantly turns ISPs into a de facto cyber-police force.
(more…)

It’s a no-brainer that the federal government needs a robust and effective program for protecting its computer networks. However, a new cyber-security initiative being shopped by the White House to Congress and others, including CDT and fellow privacy advocates, raises long-standing concerns over the role of the National Security Agency in securing unclassified computer networks.

The NSA has long had a dual role: Wearing its signals intelligence hat, the agency spies on our adversaries, cracking their computer networks and breaking their codes. Turning that hat around, the NSA also is responsible for protecting U.S. government communications from interception.
(more…)

CDT’s OpenCRS project collects and indexes Congressional Research Service (CRS) reports and makes them available to the public free of charge. Each week, PolicyBeta features a CRS report on an important topic. For more reports, or to help contribute new reports to the OpenCRS database, visit the Web site.

This week’s report addresses the use of “National Security Letters,” an extremely powerful tool that law enforcement can use to onbtain criminal suspects’ personal and business records. CDT Policy Director Jim Dempsey testified before Congress on the use of NSLs in March.

National Security Letters in Foreign Intelligence Investigations: A Glimpse of the Legal Background and Recent Amendments
RS22406 - March 20, 2007