Category Archives: national security

PCLOB issues report on U.S. government surveillance under Section 702 of FISA [UPDATED]

Posted on by

0

pclob-report

The pre-release version of the Privacy and Civil Liberties Oversight Board’s Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act (FISA) is now available online. [PDF]

Short version: The board found little legally awry with surveillance conducted under Section 702 of FISA, which permits the federal government to compel United States companies to assist them in conducting surveillance targeting foreign people and entities, noting that it was a strong, effective tool for counterterrorism. The extensive report explores the legal rationales for such surveillance and lists ten recommendations in its report. The scope of digital surveillance was detailed  in The Washington Post on Monday, which reported that only four countries in the world (the USA, Canada, UK, New Zealand and Australia) are not subject to the surveillance enabled by legal authority to intercept communications.

Context from Gregory McNeal in Forbes:

“Section 702 of FISA has not received the same level of attention as the 215 metadata collection program, largely because the program is not directly targeted at U.S. persons. However, under Section 702, the government can collect the contents of communications (for example examining email and other communications), rather than mere metadata, which it collects under Section 215.”

“702 is also a more powerful program because under it the government can collect the content of U.S. persons communications, if those persons are communicating with a foreign target. This means that U.S. persons communications can be incidentally collected by the agency, such as when two non-U.S. persons discuss a U.S. person. Communications of or concerning U.S. persons that are acquired in these ways may be retained and used by the government, subject to applicable rules and requirements. The communications of U.S. persons may also be collected by mistake, as when a U.S. person is erroneously targeted or in the event of a technological malfunction, resulting in “inadvertent” collection. In such cases, however, the applicable rules generally require the communications to be destroyed. Another circumstance where 702 collection has raised concerns is the collection of so-called “about” communication. An “about” communication is one in which the selector of a targeted person (such as that person’s email address) is contained within the communication but the targeted person is not necessarily a participant in the communication.” The PCLOB addresses each of these issues in their report.”

The PCLOB did find that “certain aspects of the program’s implementation raise privacy concerns,” specifically the “scope of the incidental collection of U.S. persons’ communications” when intelligence analysts targeted other individuals or entities.

As Josh Gerstein reported in Politico, the PCLOB “divided over key reforms to government collection of large volumes of email and other data from popular web businesses and from the backbone of the Internet. A preliminary report released Tuesday night hows that some of the proposals for changes to the Section 702 program caused a previously unseen split on the five-member Privacy and Civil Liberties Oversight Board: Two liberal members of the commission urged more aggressive safeguards, but a well-known privacy activist on the panel joined with two conservatives to withhold official endorsement of some of those changes.”

As Gerstein pointed out in a tweet, that means that reforms proposed in the House as Representatives go further than those recommended by the independent, bipartisan agency within the executive branch vested with the authority “to review and analyze actions the executive branch takes to protect the Nation from terrorism, ensuring the need for such actions is balanced with the need to protect privacy and civil liberties” and “ensure that liberty concerns are appropriately considered in the development and implementation of laws, regulations, and policies related to efforts to protect the Nation against terrorism”

Perhaps even more problematically, the PCLOB wrote in the report that “the government is presently unable to assess the scope of the incidental collection of U.S. person information under the program.”

As Matt Sledge observed in the Huffington Post, the report’s authors “express frustration that the NSA and other government agencies have been unable to furnish estimates of the incidental collection of Americans’ communications, which ‘hampers attempts to gauge whether the program appropriately balances national security interests with the privacy of U.S. persons.’

But without signs of abuse, the board concludes privacy intrusions are justified in protecting against threats to the U.S. Nevertheless, the board suggests that the government take on the ‘backdoor searches’ that have alarmed Wyden. In those searches, the government searches through the content of communications collected while targeting foreigners for search terms associated with U.S. citizens and residents. The House voted in June to end such searches. The searches ‘push the program close to the line of constitutional reasonableness,’ the privacy board report says, but it doesn’t recommend ending them.

Privacy and civil liberties advocates issued swift expressions of dismay about the constitutionality of the surveillance and questioned the strength of the recommendations.

“The Board’s report is a tremendous disappointment,” said Nuala O’Connor, the president of the Center for Democracy and Technology, in a statement. “Even in the few instances where it recognizes the privacy implications of these programs, it provides little reassurance to all who care about digital civil liberties. The weak recommendations in the report offer no serious reform of government intrusions on the lives of individuals. It also offers scant support to the U.S. tech industry in its efforts to alleviate customer concerns about NSA surveillance, which continue to harm the industry in the global marketplace,” she added.

“If there is a silver lining, it is that the Board recognized that surveillance of people abroad implicates their human rights, as well as the constitutional rights of people in the U.S.,” said Greg Nojeim, director of the Center’s Project on Freedom, Security and Technology.  “However, the Board defers until a future date its consideration of human rights and leaves it to Congress to address the important constitutional issues.”

“If the Board’s last report on the bulk collection of phone records was a bombshell, this one is a dud,” said Kevin Bankston, policy director of New America’s Open Technology Institute (OTI).

“If the Board’s last report on the bulk collection of phone records was a bombshell, this one is a dud.  The surveillance authority the Board examined in this report, Section 702 of 2008’s FISA Amendments Act, is in many ways much more worrisome than the bulk collection program.  As the Board itself explains, that law has been used to authorize the NSA’s wiretapping of the entire Internet backbone, so that the NSA can scan untold numbers of our emails and other online messages for information about tens of thousands of targets that the NSA chooses without individualized court approval.  Yet the reforms the Board recommends today regarding this awesome surveillance power are much weaker than those in their last report, and essentially boil down to suggesting that the government should do more and better paperwork and develop stricter internal protocols as a check against abuse.

“As Chief Justice Roberts said just last week, “the Founders did not fight a revolution to gain the right to government agency protocols,” they fought to require search warrants that are based on probable cause and specifically identify who or what can be searched.  Yet as we know from documents released earlier this week, government agents are searching through the data they’ve acquired through this surveillance authority–an authority that was sold to Congress as being targeted at people outside the US–tens of thousands of times a year without having to get a warrant first.

“The fact that the Board has endorsed such warrantless rummaging through our communications, just weeks after the House of Representatives voted almost three to one to defund the NSA’s “backdoor” searches of Americans’ data, is a striking disappointment.  The Board is supposed to be an independent watchdog that aggressively seeks to protect our privacy against government overreach, rather than undermining privacy by proposing reforms that are even weaker than those that a broad bipartisan majority of the House has already endorsed.

“We are grateful to the Board for its last report and are grateful to them now for laying out, in the clearest and most comprehensive way we’ve seen so far, exactly how the NSA is using its surveillance authority.  But Congress shouldn’t wait for the NSA to take the Board’s weak set of recommendations and get its own house in order.  Congress should instead move forward with strong reforms that protect our privacy and that tell the NSA, as the Supreme Court told the government last week: if you want our data you need to come back with a warrant.”

The Electronic Frontier Foundation was even stronger, with Cindy Cohn calling the PCLOB report “legally flawed and factually incomplete.”

Hiding behind the “complexity” of the technology, it gives short shrift to the very serious privacy concerns that the surveillance has rightly raised for millions of Americans. The board also deferred considering whether the surveillance infringed the privacy of many millions more foreigners abroad.

The board skips over the essential privacy problem with the 702 “upstream” program: that the government has access to or is acquiring nearly all communications that travel over the Internet. The board focuses only on the government’s methods for searching and filtering out unwanted information. This ignores the fact that the government is collecting and searching through the content of millions of emails, social networking posts, and other Internet communications, steps that occur before the PCLOB analysis starts.  This content collection is the centerpiece of EFF’s Jewel v. NSA case, a lawsuit battling government spying filed back in 2008.

Trevor Timm, writing in the Guardian, said the PCLOB “chickened out of making any real reform proposals” and questioned why one member of the panel didn’t support more aggressive recommendations in

“More bizarrely, one of the holdouts on the panel for calling for real reform is supposed to be a civil liberties advocate. The Center for Democracy and Technology’s vice president, James Dempsey, had the chance to side with two other, more liberal members on the four-person panel to recommend the FBI get court approval before rummaging through the NSA’s vast databases, but shamefully he didn’t.

Now, as the Senate takes up a weakened House bill along with the House’s strengthened backdoor-proof amendment, it’s time to put focus back on sweeping reform. And while the PCLOB may not have said much in the way of recommendations, now Congress will have to. To help, a coalition of groups (including my current employer, Freedom of the Press Foundation) have graded each and every representative in Washington on the NSA issue. The debate certainly isn’t going away – it’s just a question of whether the public will put enough pressure on Congress to change.”

Editor’s note: This post has been substantially rewritten. More statements were added, and the headline has been amended.

PCAST report on big data and privacy emphasizes value of encryption, need for policy

Posted on by

2

pcast-4-4-2014 (1)
April 4, 2014 meeting of PCAST at National Academy of Sciences

This week, the President’s Council of Advisors on Science and Technology (PCAST) met to discuss and vote to approve a new report on big data and privacy.

UPDATE: The White House published the findings of its review on big data today, including the PCAST review of technologies underpinning big data (PDF), discussed below.

As White House special advisor John Podesta noted in January, the PCAST has been conducting a study “to explore in-depth the technological dimensions of the intersection of big data and privacy.” Earlier this week, the Associated Press interviewed Podesta about the results of the review, reporting that the White House had learned of the potential for discrimination through the use of data aggregation and analysis. These are precisely the privacy concerns that stem from data collection that I wrote about earlier this spring. Here’s the PCAST’s list of “things happening today or very soon” that provide examples of technologies that can have benefits but pose privacy risks:

 Pioneered more than a decade ago, devices mounted on utility poles are able to sense the radio stations
being listened to by passing drivers, with the results sold to advertisers.26
 In 2011, automatic license‐plate readers were in use by three quarters of local police departments
surveyed.  Within 5 years, 25% of departments expect to have them installed on all patrol cars, alerting
police when a vehicle associated with an outstanding warrant is in view.27  Meanwhile, civilian uses of
license‐plate readers are emerging, leveraging cloud platforms and promising multiple ways of using the
information collected.28
 Experts at the Massachusetts Institute of Technology and the Cambridge Police Department have used a
machine‐learning algorithm to identify which burglaries likely were committed by the same offender,
thus aiding police investigators.29
 Differential pricing (offering different prices to different customers for essentially the same goods) has
become familiar in domains such as airline tickets and college costs.  Big data may increase the power
and prevalence of this practice and may also decrease even further its transparency.30
 reSpace offers machine‐learning algorithms to the gaming industry that may detect
early signs of gambling addiction or other aberrant behavior among online players.31
 Retailers like CVS and AutoZone analyze their customers’ shopping patterns to improve the layout of
their stores and stock the products their customers want in a particular location.32  By tracking cell
phones, RetailNext offers bricks‐and‐mortar retailers the chance to recognize returning customers, just
as cookies allow them to be recognized by on‐line merchants.33  Similar WiFi tracking technology could
detect how many people are in a closed room (and in some cases their identities).
 The retailer Target inferred that a teenage customer was pregnant and, by mailing her coupons
intended to be useful, unintentionally disclosed this fact to her father.34
 The author of an anonymous book, magazine article, or web posting is frequently “outed” by informal
crowd sourcing, fueled by the natural curiosity of many unrelated individuals.35
 Social media and public sources of records make it easy for anyone to infer the network of friends and
associates of most people who are active on the web, and many who are not.36
 Marist College in Poughkeepsie, New York, uses predictive modeling to identify college students who are
at risk of dropping out, allowing it to target additional support to those in need.37
 The Durkheim Project, funded by the U.S. Department of Defense, analyzes social‐media behavior to
detect early signs of suicidal thoughts among veterans.38
 LendUp, a California‐based startup, sought to use nontraditional data sources such as social media to
provide credit to underserved individuals.  Because of the challenges in ensuring accuracy and fairness,
however, they have been unable to proceed.

The PCAST meeting was open to the public through a teleconference line. I called in and took rough notes on the discussion of the forthcoming report as it progressed. My notes on the comments of professors Susan Graham and Bill Press offer sufficient insight and into the forthcoming report, however, that I thought the public value of publishing them was warranted today, given the ongoing national debate regarding data collection, analysis, privacy and surveillance. The following should not be considered verbatim or an official transcript. The emphases below are mine, as are the words of [brackets]. For that, look for the PCAST to make a recording and transcript available online in the future, at its archive of past meetings.

 

graham-sSusan Graham: Our charge was to look at confluence of big data and privacy, to summarize current tech and the way technology is moving in foreseeable future, including its influence the way we think about privacy.

The first thing that’s very very obvious is that personal data in electronic form is pervasive. Traditional data that was in health and financial [paper] records is now electronic and online. Users provide info about themselves in exchange for various services. They use Web browsers and share their interests. They provide information via social media, Facebook, LinkedIn, Twitter. There is [also] data collected that is invisible, from public cameras, microphones, and sensors.

What is unusual about this environment and big data is the ability to do analysis in huge corpuses of that data. We can learn things from the data that allow us to provide a lot of societal benefits. There is an enormous amount of patient data, data about about disease, and data about genetics. By putting it together, we can learn about treatment. With enough data, we can look at rare diseases, and learn what has been effective. We could not have done this otherwise.

We can analyze more online information about education and learning, not only MOOCs but lots of learning environments. [Analysis] can tell teachers how to present material effectively, to do comparisons about whether one presentation of information works better than another, or analyze how well assessments work with learning styles.
Certain visual information is comprehensible, certain verbal information is hard to understand. Understanding different learning styles [can enable] develop customized teaching.

The reason this all works is the profound nature of analysis. This is the idea of data fusion, where you take multiple sources of information, combine them, which provides much richer picture of some phenomenon. If you look at patterns of human movements on public transport, or pollution measures, or weather, maybe we can predict dynamics caused by human context.

We can use statistics to do statistics-based pattern recognition on large amounts of data. One of the things that we understand about this statistics-based approach is that it might not be 100% accurate if map down to the individual providing data in these patterns. We have to very careful not to make mistakes about individuals because we make [an inference] about a population.

How do we think about privacy? We looked at it from the point of view of harms. There are a variety of ways in which results of big data can create harm, including inappropriate disclosures [of personal information], potential discrimination against groups, classes, or individuals, and embarrassment to individuals or groups.

We turned to what tech has to offer in helping to reduce harms. We looked at a number of technologies in use now. We looked at a bunch coming down the pike. We looked at several tech in use, some of which become less effective because of pervasivesness [of data] and depth of analytics.

We traditionally have controlled [data] collection. We have seen some data collection from cameras and sensors that people don’t know about. If you don’t know, it’s hard to control.

Tech creates many concerns. We have looked at methods coming down the pike. Some are more robust and responsive. We have a number of draft recommendations that we are still working out.

Part of privacy is protecting the data using security methods. That needs to continue. It needs to be used routinely. Security is not the same as privacy, though security helps to protect privacy. There are a number of approaches that are now used by hand that with sufficient research could be automated could be used more reliably, so they scale.

There needs to be more research and education about education about privacy. Professionals need to understand how to treat privacy concerns anytime they deal with personal data. We need to create a large group of professionals who understand privacy, and privacy concerns, in tech.

Technology alone cannot reduce privacy risks. There has to be a policy as well. It was not our role to say what that policy should be. We need to lead by example by using good privacy protecting practices in what the government does and increasingly what the private sector does.

pressBill Press: We tried throughout to think of scenarios and examples. There’s a whole chapter [in the report] devoted explicitly to that.

They range from things being done today, present technology, even though they are not all known to people, to our extrapolations to the outer limits, of what might well happen in next ten years. We tried to balance examples by showing both benefits, they’re great, and they raise challenges, they raise the possibility of new privacy issues.

In another aspect, in Chapter 3, we tried to survey technologies from both sides, with both tech going to bring benefits, those that will protect [people], and also those that will raise concerns.

In our technology survey, we were very much helped by the team at the National Science Foundation. They provided a very clear, detailed outline of where they thought that technology was going.

This was part of our outreach to a large number of experts and members of the public. That doesn’t mean that they agree with our conclusions.

Eric Lander: Can you take everybody through analysis of encryption? Are people using much more? What are the limits?

Graham: The idea behind classical encryption is that when data is stored, when it’s sitting around in a database, let’s say, encryption entangles the representation of the data so that it can’t be read without using a mathematical algorithm and a key to convert a seemingly set of meaningless set of bits into something reasonable.

The same technology, where you convert and change meaningless bits, is used when you send data from one place to another. So, if someone is scanning traffic on internet, you can’t read it. Over the years, we’ve developed pretty robust ways of doing encryption.

The weak link is that to use data, you have to read it, and it becomes unencrypted. Security technologists worry about it being read in the short time.

Encryption technology is vulnerable. The key that unlocks the data is itself vulnerable to theft or getting the wrong user to decrypt.

Both problems of encryption are active topics of research on how to use data without being able to read it. There research on increasingly robustness of encryption, so if a key is disclosed, you haven’t lost everything and you can protect some of data or future encryption of new data. This reduces risk a great deal and is important to use. Encryption alone doesn’t protect.

Unknown Speaker: People read of breaches derived from security. I see a different set of issues of privacy from big data vs those in security. Can you distinguish them?

Bill Press: Privacy and security are different issues. Security is necessary to have good privacy in the technological sense if communications are insecure, they clearly can’t be private. This goes beyond, to where parties that are authorized, in a security sense, to see the information. Privacy is much closer to values. security is much closer to protocols.

Interesting thing is that this is less about purely tech elements — everyone can agree on right protocol, eventually. These things that go beyond and have to do with values.

On data journalism, accountability and society in the Second Machine Age

Posted on by

1

On Monday, I delivered a short talk on data journalism, networked transparency, algorithmic transparency and the public interest at the Data & Society Research Institute’s workshop on the social, cultural & ethical dimensions of “big data”. The forum was convened by the Data & Society Research Institute and hosted at New York University’s Information Law Institute at the White House Office of Science and Technology Policy, as part of an ongoing review on big data and privacy ordered by President Barack Obama.

Video of the talk is below, along with the slides I used. You can view all of the videos from the workshop, along with the public plenary on Monday evening, on YouTube or at the workshop page.

Here’s the presentation, with embedded hyperlinks to the organizations, projects and examples discussed:

For more on the “Second Machine Age” referenced in the title, read the new book by Erik Brynjolfsson and Andrew McAfee.

Federal government agencies receive .91 GPA in FOIA compliance from Center for Effective Government

Posted on by

3

Today, the Center for Effective Government released a scorecard for access to information from the 15 United States federal government agencies that received the most Freedom of Information Act (FOIA) requests, focusing upon an analysis of their performance in 2013.

The results of the report (PDF) for the agencies weren’t pretty: if you computed a grade point average from this open government report card (and I did) the federal government would receive a D for its performance. 7 agencies outright failed, with the State Department receiving the worst grade (37%).

The grades were based upon:

  1. How well agencies processed FOIA requests, including the rate of disclosure, fullness of information provided, and timeliness of the response
  2. How well the agencies established rules of information access, including the effectiveness of agency polices on withholding information and communications with requestors
  3. Creating user-friendly websites, including features that facilitate the flow of information to citizens, associated online services, and up-to-date reading rooms

The report is released at an interesting historic moment for the United States, with Sunshine Week just around the corner. The United States House of Representatives just unanimously passed a FOIA Reform Act that is substantially modeled upon the Obama administration’s proposals for FOIA reforms, advanced as part of the second National Open Government Action Plan. If the Senate takes up that bill and passes it, it would be one of the most important, substantive achievements in institutionalizing open government beyond this administration.

The Citizens for Responsibility and Ethics in Washington have disputed the accuracy of this scorecard, based upon the high rating for the Department of Justice. CREW counsel Anne Weismann:

It is appropriate and fair to recognize agencies that are fulfilling their obligations under the FOIA. But CEG’s latest report does a huge disservice to all requesters by falsely inflating DOJ’s performance, and ignoring the myriad ways in which that agency — a supposed leader on the FOIA front — ignores, if not flouts, its obligations under the statute.

Last Friday, I spoke with Sean Moulton, the director of open government policy at the Center for Effective Government, about the contents of the report and the state of FOIA in the federal government, from the status quo to what needs to be done. Our interview, lightly edited for content and clarity, follows.

What was the methodology behind the report?

Moulton: Our goal was to keep this very quantifiable, very exact, and to try and lay out some specifics. We thought about what the components were necessary for a successful FOIA program. The processing numbers that come out each year are a very rich area for data. They’re extremely important: if you’re not processing quickly and releasing information, you can’t be successful, regardless of other components.

We did think that there are two other areas that are important. First, online services. Let’s face it, the majority of us live online in a big way. It’s a requirement now for agencies to be living there as well. Then, the rules. They’re explained to the agencies and the public, in how they’re going to do things when they get a request. A lot of the agencies have outdated rules. Their current practices may be different, and they may be doing things that the rules don’t say they have to, but without them, they may stop. Consistent rules are essential for consistent long term performance.

A few months back, we released a report that laid out what we felt were best practices for FOIA regulations. We went through a review of dozens of agencies, in terms of their FOIA regulations, and identified key issues, such as communicating with the requester, how you manage confidential business information, how you handle appeals, and how you handle timelines. Then we found inside existing regulations the best ways this was being handled. It really helped us here, when we got to the rules. We used that as our roadmap. We knew agencies were already doing these things, and making that commitment. The main thing we measured under the rules were the items from that best practices report that were common already. If things were universal, we didn’t want to call a best practice, but a normal practice.

Is FOIA compliance better under the Obama administration, more than 4 years after the Open Government Directive?

Moulton: In general, I think FOIA is improving in this administration. Certainly, the administration itself is investing a great deal of energy and resources in trying to make greater improvements in FOIA, but it’s challenging. None of this has penetrated into national security issues.

I think it’s more of a challenge than the administration thought it would be. It’s different from other things, like open data or better websites. The FOIA process has become entrenched. The biggest open government wins were in areas where they were breaking new ground. There wasn’t a culture or way of doing this or problems that were inherited. They were building from the beginning. With FOIA, there was a long history. Some agencies may see FOIA as some sort of burden, and not part of their mission. They may think of it as a distraction from their mission, in fact. When the Department of Transportation puts out information, it usually gets used in the service of their mission. Many agencies haven’t internalized that.

There’s also the issue of backlogs, bureaucracy, lack of technology or technology that doesn’t work that well — but they’re locked into it.

What about redaction issues? Can you be FOIA compliant without actually honoring the intent of the request?

Moulton: We’re very aware of this as well. The data is just not there to evaluate that. We wish it was. The most you get right now is “fully granted” or “partly granted.” That’s incredibly vague. You can redact 99% or 1% and claim it’s partially redacted, either way. We have no indicator and no data on how much is being released. It’s frustrating, because something like that would help us get a better sense on whether agencies would benefit would new policies

We do know that the percentage of full grants has dropped every year, for 12 years, from the Clinton administration all the way through the Bush administration to today. It’s such a gray area. It’s hard to say whether it’s a terrible thing or a modest change.

Has the Obama administration’s focus on open government made any difference?

Moulton: I think it has. There were a couple of agencies that got together on FOIA reform. The EPA led the team, with the U.S. National Archives and the Commerce Department, to build a new FOIA tool. The outward-facing part of the tool enables a user to go to a single spot, request and track it. Other people could come and search FOIA’ed documents. Behind the scenes, federal workers could use the tool to forward requests back and forth. This fits into what the administration has been trying to do, using technology better in government

Another example, again at the EPA, is where they’ve put together a proactive disclosure website. They got a lot of requests, like if there are inquiries about properties, environmental history, like leaks and spills, and set up a site where you could look up real estate. They did this because they went to FOIA requests and see what people wanted. That has cut down their requests to a certain percentage.

Has there been increasing FOIA demand in recent years, affecting compliance?

Moulton: I do think FOIA requests have been increasing. We’ll see what this next year of data shows. We have seen a pretty significant increase, after a significant decrease in the Bush administration. That may be because this administration keeps speaking about open government, which leads to more hopeful requestors. We fully expect that in 2013, there will be more requests than the prior year.

DHS gets the biggest number of all, but that’s not surprising when we look at the size of it. It’s second biggest agency, after Defense, and the biggest domestic facing agency. when you start talking about things like immigration and FEMA, which go deep into communities and people’s lives, in ways that have a lot impact, that makes sense.

What about the Department of Justice’s record?

Moulton: Well, DoJ got the second highest rating, but we know they have a mixed record. There are things you can’t measure and quantify, in terms of culture and attitude. I do know there were concerns about the online portal, in terms of the turf war between agencies. There were concerns about whether the tech was flexible, in terms of meeting all agency needs. If you want to build a government-wide tool, it needs to have real flexibility. The portal changed the dialogue entirely

Is FOIA performance a sufficient metric to analyze any administration’s performance on open government?

Moulton: We should step back further and look at the broader picture, if we’re going to talk about open government. This administration has done things, outside of FOIA, to try to open up records and data. They’ve built better online tools for people to get information. You have to consider all of those things.

Does that include efforts like the Intelligence Community Tumblr?

Moulton: That’s a good example. One thing this administration did early on is to identify social media outlets. We should be going there. We can’t make citizens come to us. We should go to where people are. The administration pushed early on that agencies should be able to use Tumblr and Twitter and Facebook and Flickr and so on.

Is this social media use “propaganda,” as some members of the media have suggested?

Moulton: That’s really hard to decide. I think it can result in that. It has the potential to be misused to sidestep the media, and not have good interaction with the media, which is another important outlet. People get a lot of their information from the media. Government needs to have good relationship.

I don’t think that’s the intention, though, just as under Clinton, when they started setting up websites for the first time. That’s what the Internet is for: sharing information. That’s what social media can be used for, so let’s use what’s there.

Privacy and Civil Liberties Report Finds NSA bulk phone records program illegal and ineffective

Posted on by

0

Earlier this afternoon, I emailed info@pclob.gov in search of the report that the New York Times  and Washington Post had obtained and reported upon this morning. 2 hours later, I received a response: www.pclob.gov. There, visitors can now find, download and read a “Report on the Telephone Records Program Conducted under Section 215 of the USA PATRIOT Act and on the Operations of the Foreign Intelligence Surveillance Court” and separate statements by Elisebeth Collins Cook  Rachel Brand. As Charlie Savage and Ellen Nakashima reported, Cook and Brand dissented from the report’s recommendation to end the collection of phone records under the 215 programs of the USA Patriot Act.

The privacy and civil liberties board’s report is strongly critical of the impact that mass surveillance has upon the privacy and civil liberties of American citizens, along with billions of other people around the world.

“The Section 215 bulk telephone records program lacks a viable legal foundation under Section 215, implicates constitutional concerns under the First and Fourth Amendments, raises serious threats to privacy and civil liberties as a policy matter, and has shown only limited value. As a result, the Board recommends that the government end the program.”

PCLOB Board Members meet with President Obama on June 21, 2013​. Photo by Pete Souza.

PCLOB Board Members meet with President Obama on June 21, 2013​. Photo by Pete Souza.

While President Obama met with the board and heard their recommendations prior to his speech last week, his administration is disputing its legal analysis.

“We disagree with the board’s analysis on the legality,” said Caitlin Hayden, spokeswoman for the White House National Security Council, in an e-mail to Bloomberg News. “The administration believes that the program is lawful.”

House Intelligence Committee Chairman Mike Rogers (R-MI) was also critical of the report’s findings. “I am disappointed that three members of the Board decided to step well beyond their policy and oversight role and conducted a legal review of a program that has been thoroughly reviewed,” he said in a statement.

The Electronic Frontier Foundation hailed the report as a vindication of its position on the consitutionality of the programs.

“The board’s other recommendations—increasing transparency and changing the FISA court in important ways—similarly reflect a nearly universal consensus that significant reform is needed,” wrote Mark Rumold, a staff attorney. “In the coming weeks, PCLOB is set to release a second report addressing the NSA’s collection under Section 702 of the FISA Amendments Act. We hope that the board will apply similar principles and recognize the threat of mass surveillance to the privacy rights of all people, not just American citizens.”

Will White House epetitions drive change or disillusionment?

Posted on by

1

20131213-220556.jpg

An epetition for The White House that really worked? Yep. 

P.J. Vogt, a producer for NPR’s “On The Media,” was surprised to find that a “We the People” epetition had played a role in the FCC moving to make a deal with wireless carriers that will allow consumers to unlock their cellphones.

He’s not alone. Historic lows in trust in the federal government mean that any progress toward a positive outcome — like legal unlocking of mobile devices — is viewed skeptically in public discourse.

Should carriers actually allow consumers to unlock those devices, it would be the the open government platform has now played a role in U.S. history.

I’ve been following the White House epetition system since it launched, more than 2 years ago. Prior to the 2012 election, this open government effort was a relatively slow burn, in terms of growth. Until the fall of 2012, the most significant role it had played came in January of that year, when the White House took an official position on petitions on the Stop Online Piracy Act (SOPA) and PROTECT IP Act (PIPA), changing the political context for the bills.

As I’ve observed before, on the evening of December 20, 2012, however, President Barack Obama responded to 32 different e-petitions related to gun violence. It was the first direct response to an e-petition at The White House by a President of the United States. While this remains the only e-petition that the President has responded to personally, before or since, it was a milestone in digital government, marking the first time that the President spoke directly to the people through the Internet about an issue they had collectively asked to be addressed using the Internet.

By January 2013, it had 5 million users. Now, there are over 10 million. It’s the first open government platform to reach that scale of use, in no small part due to the epic response to the Death Star petition that drew both Internet-wide and mainstream media attention.

And here’s the thing: most of those users are satisfied with the responses. Not all of them have resulted in policy shifts — in fact, only a few have, like a rulemaking on online puppy mills — but the ones that did are significant: SOPA/PIPA, increasing public access to scientific research online, and supporting consumers unlocking their mobile devices.

More challenging requests lie ahead. An epetition for the administration to reform the Electronic Communications Privacy Act just passed the 100,000 signature threshold this week, requiring a response.

The epetition will join a dozen or so popular online petitions that have passed the threshold, some of which have lingered unanswered for over a year.

This tardiness of response might lead critics of the administration to conclude that this White House putting off public responses to popular petitions it finds politically inconvenient, like the one to pardon Edward Snowden.

Even if that’s the case, if this trend continues, these epetitions from the American people look a bit less like a useless exercise in democracy theater at week’s end.

In 2014, the White House has announced a plan to launch a public version of the application programming interface (API) for “We The People,” enabling third parties to build applications on top of it.

Should mainstream adoption continue, American citizens may find a bonafide means to exercise their right to petition the United States government for the redress of grievances in the public desire of the twenty-first century.

HHS CISO: “no successful security attacks on Healthcare.gov”

Posted on by

0

obamacare-hackOne of the persistent concerns about Healthcare.gov regards the security of the federal health insurance exchange marketplace, as I reported for Politico Magazine this month. At least one glaring security flaw remained unpatched until the end of October. Despite the “big fix” announced on December 1, the security of the website and the backend systems behind it have not only remained in doubt, given issues that have come out in Congressional testimony but have now become the subject of contentious exchanges between the United States House Oversight Committee and the Department of Health and Human Services, which operates them.

Today, Democrats on the House Energy and Commerce Committee released a memorandum regarding a security briefing on the Affordable Care Act (embedded below) that includes a summary of a classified briefing from Dr. Kevin Charest, the HHS Chief Information Security Officer, and Ned Holland, HHS Assistant Secretary for Administration. The memorandum states that “there have been no successful security attacks on Healthcare.gov. In it, Dr. Charest is quoted as saying that “no person or group has hacked into Healthcare.gov, and no person or group has maliciously accessed any personally identifiable information from users.”

The authors of the memorandum, Representatives Henry A. Waxman and Diana DeGette, write that “the information provided in the briefing was reassuring,” given the assurances of the chief information security officer that “the security of Healthcare.gov has not been breached, and hackers have had no access to personally identifiable information.”

Despite this letter, it’s not clear whether the Healthcare.gov security concerns that TrustedSec has highlighted have been addressed. Given the continued focus of Congressional committees on the issue, expect more assessments and audits to emerge in the future.

Public Interest Declassification Board asked for public comment on prioritization

Posted on by

0

Top-Secret-stamp

David Ferriero, the Archivist of the United States, published a new blog post this week regarding prioritizing the declassification of government secrets.

“The Public Interest Declassification Board (PIDB) recently hosted an open meeting to discuss its recommendations to the President on Transforming the Security Classification System, focusing on declassification prioritization,” he said.

The task before the National Declassification Center is massive, with an estimated backlog of 354 million pages awaiting final declassification review.

The nation’s archivist has asked the public for input on the approach it should take. Should the National Archives “make declassification decisions because of their topicality or ‘gradually declassify everything in an orderly and systematic way’?” he asked. “Or do some of both? Your thoughts?”

For more on this, read Steven Aftergood’s post on declassification prioritization and then weigh in transforming classification, if you’re so inclined.