Consumer Watch: National Security vs. Online Privacy
By now, you've probably heard a lot of debate over the
The Patriot Act is complex and powerful. It broadens the definition of terrorism and increases the penalties for terrorism.
Some of the more sweeping changes involve electronic surveillance. The act permits federal investigators to use more-powerful tools to monitor phone calls, e-mail messages, and even Web surfing. We all hope that means agents will be better able to arrest terrorists and foil their plans. But the changes also mean we now have even less guarantee of privacy on the Net. The new law, along with new surveillance tools, will create a dragnet wide enough that anyone's e-mail note, text chat, or search inquiry might be snared.
What are the implications of this new type of surveillance for your Internet privacy? It's difficult to say exactly. The Patriot Act is vague on many key points. And understandably, law enforcement officials aren't eager to reveal details about tools like the controversial Internet surveillance system, DCS1000 (more commonly recognized by its previous name, Carnivore). "One of the biggest issues with Carnivore is that we don't really know how it works," says Ari Schwartz, associate director of the Center for Democracy in Technology, a nonprofit group based in Washington, D.C., that focuses on preserving privacy and civil liberties on the Internet.
It's probably fair to say that joking in an e-mail about planting a bomb is a very bad idea these days. And researching biological terror techniques over the Internet could conceivably draw suspicion.
Am I saying that the FBI will break down your door if you run a Google search on anthrax? Of course not. Surveillance will naturally focus on people about whom authorities have a solid basis for suspicion. Investigators will treat most other traffic as just so much white noise. But the new security measures do make some old advice even more valuable: Never write anything in an e-mail that you wouldn't write on the back of a postcard.
The Patriot Act extends to Internet-based communications the use of pen-register and trap-and-trace orders, techniques designed in the '60s and '70s to capture numbers dialed to and from a particular telephone. Investigators can get permission to use the techniques fairly easily. They need not establish probable cause--reasonable suspicion that a targeted individual has been or will be involved in a crime--and judges are required to approve all reasonable requests related to criminal investigations.
Now that such surveillance will apply to Net communications, though, investigators could gather much more than just phone numbers. When a suspect sends an e-mail message, investigators could discover not only the recipient's identity, but also the subject line and perhaps even the body of the message. The act doesn't clearly define what constitutes electronic content that can permissibly be captured. The FBI's solution: Let federal agents make the decision and take responsibility for excising inadmissible material.
The new law opens the door for increased use of Carnivore and similar broad-based electronic surveillance systems. Used at an Internet service provider, Carnivore gives authorities easy access to all Internet communications to and from the ISP's entire membership. Although the act requires the FBI to work with the ISP, it places few restrictions on who can be monitored, so theoretically any subscriber identified by law enforcement as relevant to an investigation could be targeted. Investigators don't need to establish probable cause in advance.
The act also loosens the rules for roving wiretaps, conferring broad authority to listen in on a suspect's communications. Under previous laws, officials had to specify certain phone lines they wanted to monitor, along with proof that their suspect used them. Federal authorities said that the old rules were outdated, since many people have phone lines at home, a mobile phone, and Internet access at home, at work, and even at Starbucks. The act lets agents wiretap any phone line--again, without showing probable cause--and monitor everything on that line whether the suspect is using it or not.
Suppose that investigators believed a terrorist was using Internet connections on PCs at a library. Under the new law, authorities could monitor all PCs with Internet connections at that library and monitor the e-mail, Web browsing, and other traffic of everyone who used them--all for an indefinite period.
Our national security depends on improved electronic surveillance, according to Senator Patrick Leahy (D-Vermont), a key player in crafting the new legislation. "To prevent future terrorist attacks, we must improve our intelligence-gathering capabilities, and make sure that intelligence about potential terrorists is shared with necessary actors throughout the government," Leahy said during a recent congressional hearing on terrorism.
Civil libertarians counter that the Patriot Act erodes fundamental freedoms and may even make some investigations more difficult. "First Amendment rights are also at stake since communications and associations will be chilled if they're subject to government snooping," says Nadine Strossen, a professor at New York Law School and president of the American Civil Liberties Union. With the new law, Strossen says, investigators may be so deluged with data that spotting the real threats will be impossible. "This sweeping surveillance is at best inefficient, at worst counterproductive," she says.
If you're like me, you may find yourself agreeing, at least in part,
with both Leahy and Strossen. Striking the right balance between security and
individual liberty in these scary times is a difficult and contentious
undertaking. It's a debate whose outcome we all have a stake in. Go to
The national tragedy of September 11 changed almost every facet of American life. It's sad--but not surprising--that it will change our virtual lives as well.
For obvious reasons, I have a predilection for seeking technological solutions to problems. But unfortunately, when it comes to combating terrorism, many proposed technological solutions just aren't solid enough to be entrusted with such a critical job.
Following the September 11 attacks, a lot of very smart people recommended that we use new technologies to fight terrorism on our soil. Law enforcement and government officials proposed using biometric scanning devices in transit systems. And companies large and small expressed interest in face recognition software, which could be used to identify and track suspected criminals.
Much of the ensuing debate has centered on the loss of privacy that employing these techniques might cause. But that focus ignores another important point: These technologies have fundamental flaws that terrorists could exploit relatively easily.
Biometric devices turn physical characteristics--such as fingerprints or patterns in the eye's retina--into data that computers can use to identify people. When they first appeared, biometric devices had severe accuracy problems. When set at their most sensitive level, these devices might lock you out of your workstation because of a paper cut on your thumb. When reset to a lower level of sensitivity, they might grant access to someone with a fingerprint or retinal pattern similar to yours. Biometric products work better now than they did two years ago, but they still aren't faultless and can't be relied upon when lives are at stake.
And the accuracy of the scanners isn't the only weak link in the system. Behind a hand-scanner biometric network at an airport, for instance, is a database containing the handprint data of all people authorized to enter secure areas. To get around the scanners, determined terrorists could use an insider or a hacker to plant counterfeit data in the database, associating their own handprints with the names of legitimate airport employees. The terrorists then wouldn't need fake fingerprints or high-tech contraptions to fool the biometric network--they could simply use their own hands to gain access to the airport tarmac.
Face recognition software has a similar technological vulnerability. The software takes images from security cameras and turns people's faces into sets of data that can be used for subsequent identification. But even the companies that make such software admit that the angle of the camera, the lighting--even a hat--can perplex the system and ruin its effectiveness.
Regrettably, there's no quick technological fix to the problem of terrorism. But that's a vitally important fact to know. Trusting a bad security system is worse than having no system at all.
I've been unable to access my e-mail since EarthLink bought my ISP,