Memo from D.C., by Lisa Graves, Senior Counsel for Legislative Strategy
Senate Judiciary Committee Chairman Arlen Specter has attracted some good press for his saber rattling on President Bush’s warrantless wiretapping program, but behind the headlines his bill, co-authored with Vice President Dick Cheney, would basically repeal the Fourth Amendment protections that were written into the Foreign Intelligence Surveillance Act in the wake of Watergate. As they say in the East, a sword is useless in the hands of a coward, which really means that empty threats to hold the president accountable are basically useless.
And so far no “leader” on the hill has been willing to issue a subpoena to the White House or the telecommunication companies to pierce through the rhetoric to find out how many Americans are having their Fourth Amendment and statutory rights to privacy violated by the NSA at the president’s direction. The only way to get a subpoena for the truth issued from the hill is for there to be a majority willing to hold the president accountable and issue the legal command for the truth. This isn’t a partisan issue–it’s a constitutional issue and party loyalty should not trump the checks and balances designed to safeguard our liberty.
The lack of any real check against the president from Congress was evident in the blank check some in Congress tried to give the president right before they left for August vacations. Actually, the check isn’t blank–it’s filled in for the exact amount of power sought by the president: unlimited power to engage in warrantless wiretapping, without any mandatory judicial check. Here’s what happened:
The Senate Judiciary Committee room was packed on Thursday, August 3rd, as many lobbyists and Senate staff waited to see if there would be a vote on the Cheney-Specter bill. Administration lobbyists sat in their usual seats behind the Republican staffers while the cordoned-off press area was overflowing. Slowly, the Members’ chairs filled as Senator Specter waited for a quorum so he could push for a vote on his bill.
Once a sufficient number of Senators showed up, he started asking for a vote on his extremely controversial and extreme bill to legalize the president’s spying on Americans. But, as you might imagine, members of Congress wanted to debate this radical effort to re-write the law. Actually, most of the debate came from the Democratic side of the room, while Republicans chatted amongst themselves, having already pledged to do what Dick wants, Vice President Cheney that is.
Senator Leahy spoke strongly against the bill, as did Senator Durbin. Then Senator Feinstein began her eloquent and thoughtful remarks. Mid-way through, Chairman Specter interrupted her to ask her how much longer since Republican Senators were eager to vote and leave, and she politely continued. When she concluded the chairman noted that she had spoken for a whole 15 minutes, actually not very long when you consider what is at stake as Senator Leahy pointed out–especially since she serves on both the Judiciary and Intelligence Committees, has been briefed into some of the NSA programs and still opposes the Cheney-Specter bill.
Senator Specter actually asserted that his bill’s language that the president should be able to wiretap outside of FISA was language already in the Foreign Intelligence Surveillance Act, which would be mistaken, to say the least. Senator DeWine spoke in favor of approving the NSA’s surveillance program and as Senators Feingold and Schumer sought recognition, the clock high on the wall by the frieze of astrological signs (clearly from a different era) buzzed to signal a vote on the floor of the Senate.
Senator Specter recessed the hearing to reconvene in the president’s room right next to the Senate chamber right after the vote. Staff and press quickly gathered materials and began the walk toward the Capitol on the nearly 100 degree day. We had to run the gantlet to get into the room, which is hard for the public to access. Once staff and press assembled in the room with big, old red leather chairs, Senator Specter entered the room. He hit the gavel hard and said someone had invoked the “two-hour” rule. The rule prevents the committee from meeting for two hours past the beginning of that legislative day. This is so members can participate in floor debates in spite of endless committee meetings.
Several people in the bipartisan crowd wanted to applaud or do the wave, but did not. The Senator was obviously disappointed and joked that if there were no objections he would report his bill. He gaveled the meeting to a conclusion, saying he would get the bill out in September. Staff and press drained from the room, as my allies and I took advantage of the big red chairs and cool room to finally breathe a sigh of relief. It seemed that we had been holding our breath all morning and for months, hoping to make it through the summer without these bad NSA bills getting a vote and rolling back our fundamental rights.
As we left that day, staffers were joking that the jets to whisk members away were fueling on the tarmacs and that we would just have jet fumes in a few short hours. And honestly nothing could have smelled better than that, given how hard the White House had been pushing to get the bill it wrote signed by a vote so it could cash out our rights.
Thank you to the ACLU for allowing me to blog here, and to all of you who sent in questions. Apologies to those I missed, but I didn’t have time to get to them all.
I started this week of guest blogging by posting my essay on the future of privacy. I’d like to close with my essay on the value of privacy:
The most common retort against privacy advocates — by those in favor of ID checks, cameras, databases, data mining and other wholesale surveillance measures — is this line: “If you aren’t doing anything wrong, what do you have to hide?”
Some clever answers: “If I’m not doing anything wrong, then you have no cause to watch me.” “Because the government gets to define what’s wrong, and they keep changing the definition.” “Because you might do something wrong with my information.” My problem with quips like these — as right as they are — is that they accept the premise that privacy is about hiding a wrong. It’s not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.
Two proverbs say it best: Quis custodiet custodes ipsos? (“Who watches the watchers?”) and “Absolute power corrupts absolutely.”
Cardinal Richelieu understood the value of surveillance when he famously said, “If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged.” Watch someone long enough, and you’ll find something to arrest — or just blackmail — with. Privacy is important because without it, surveillance information will be abused: to peep, to sell to marketers and to spy on political enemies — whoever they happen to be at the time.
Privacy protects us from abuses by those in power, even if we’re doing nothing wrong at the time of surveillance.
More here.
It was demonstrated today at the BlackHat conference.
Grunwald says it took him only two weeks to figure out how to clone the passport chip. Most of that time he spent reading the standards for e-passports that are posted on a website for the International Civil Aviation Organization, a United Nations body that developed the standard. He tested the attack on a new European Union German passport, but the method would work on any country’s e-passport, since all of them will be adhering to the same ICAO standard.
In a demonstration for Wired News, Grunwald placed his passport on top of an official passport-inspection RFID reader used for border control. He obtained the reader by ordering it from the maker — Walluf, Germany-based ACG Identification Technologies — but says someone could easily make their own for about $200 just by adding an antenna to a standard RFID reader.
He then launched a program that border patrol stations use to read the passports — called Golden Reader Tool and made by secunet Security Networks — and within four seconds, the data from the passport chip appeared on screen in the Golden Reader template.
Grunwald then prepared a sample blank passport page embedded with an RFID tag by placing it on the reader — which can also act as a writer — and burning in the ICAO layout, so that the basic structure of the chip matched that of an official passport.
As the final step, he used a program that he and a partner designed two years ago, called RFDump, to program the new chip with the copied information.
The result was a blank document that looks, to electronic passport readers, like the original passport.
I’ve long been opposed (that last link is an op-ed from The International Herald-Tribune) to RFID chips in passports, although last year I — mistakenly — withdrew my objections based on the security measures the State Department was taking.
That’s silly. I’m not opposed to chips on ID cards, I am opposed to RFID chips. My fear is surreptitious access: someone could read the chip and learn your identity without your knowledge or consent.
Sure, the State Department is implementing security measures to prevent that. But as we all know, these measures won’t be perfect. And a passport has a ten-year lifetime. It’s sheer folly to believe the passport security won’t be hacked in that time. This hack took only two weeks!
The best way to solve a security problem is not to have it at all. If there’s an RFID chip on your passport, or any of your identity cards, you have to worry about securing it. If there’s no RFID chip, then the security problem is solved.
Until I hear a compelling case for why there must be an RFID chip on a passport, and why a normal smart-card chip can’t do, I am opposed to the idea.
Crossposted to the Schneier on Security blog.
There has been an enormous push by the government to field data mining technologies, in the belief that these can be effective in foiling terrorism. I wrote about this back in March, comparing data mining’s effectiveness in catching credit-card fraudsters (good) with its effectiveness in catching terrorists (bad).
I wrote this in 2004 for the San Francisco Chronicle, but it’s still important.
In recent years there has been an increased use of identification checks as a security measure. Airlines always demand photo IDs, and hotels increasingly do so. They’re often required for admittance into government buildings, and sometimes even hospitals. Everywhere, it seems, someone is checking IDs. The ostensible reason is that ID checks make us all safer, but that’s just not so. In most cases, identification has very little to do with security.
Let’s debunk the myths:
First, verifying that someone has a photo ID is a completely useless security measure. All the Sept. 11 terrorists had photo IDs. Some of the IDs were real. Some were fake. Some were real IDs in fake names, bought from a crooked DMV employee in Virginia for $1,000 each. Fake driver’s licenses for all 50 states, good enough to fool anyone who isn’t paying close attention, are available on the Internet. Or if you don’t want to buy IDs online, just ask any teenager where to get a fake ID.
Harder-to-forge IDs only help marginally, because the problem is not making sure the ID is valid. This is the second myth of ID checks: that identification combined with profiling can be an indicator of intention.
Our goal is to somehow identify the few bad guys scattered in the sea of good guys. In an ideal world, what we would want is some kind of ID that denotes intention. We’d want all terrorists to carry a card that says “evildoer” and everyone else to carry a card that said “honest person who won’t try to hijack or blow up anything.” Then, security would be easy. We would just look at people’s IDs and, if they were evildoers, we wouldn’t let them on the airplane or into the building.
This is, of course, ridiculous, so we rely on identity as a substitute. In theory, if we know who you are, and if we have enough information about you, we can somehow predict whether you’re likely to be an evildoer. This is the basis behind CAPPS-2, the government’s new airline passenger profiling system. People are divided into two categories based on various criteria: the traveler’s address, credit history and police and tax records; flight origin and destination; whether the ticket was purchased by cash, check or credit card; whether the ticket is one way or round trip; whether the traveler is alone or with a larger party; how frequently the traveler flies; and how long before departure the ticket was purchased.
Profiling has two very dangerous failure modes. The first one is obvious. Profiling’s intent is to divide people into two categories: people who may be evildoers and need to be screened more carefully, and people who are less likely to be evildoers and can be screened less carefully.
But any such system will create a third, and very dangerous, category: evildoers who don’t fit the profile. Oklahoma City bomber Timothy McVeigh, Washington-area sniper John Allen Muhammad and many of the Sept. 11 terrorists had no previous links to terrorism. The Unabomber taught mathematics at UC Berkeley. The Palestinians have demonstrated that they can recruit suicide bombers with no previous record of anti-Israeli activities. Even the Sept. 11 hijackers went out of their way to establish a normal-looking profile; frequent-flier numbers, a history of first-class travel and so on. Evildoers can also engage in identity theft, and steal the identity — and profile — of an honest person. Profiling can result in less security by giving certain people an easy way to skirt security.
The rest is here.
Taking a cue from a useless American idea, the UK has announced a system of threat levels:
“Threat levels are designed to give a broad indication of the likelihood of a terrorist attack,” the intelligence.gov.uk website said in a posting. “They are based on the assessment of a range of factors including current intelligence, recent events and what is known about terrorist intentions and capabilities. This information may well be incomplete and decisions about the appropriate security response are made with this in mind.”
Unlike the previous secret grading system offering seven levels of threat, the new system has been simplified to five, starting with “low,” meaning an attack is unlikely, to “critical,” meaning an attack is expected imminently. Unlike American threat assessments, the British system is not color-coded.
The current level is “severe”:
“Severe” is the second-highest threat level, but the Web site did not say what kind of attack was likely. The assessment is roughly the same as it has been for a year.
I wrote about the stupidity of this sort of system back in 2004:
In theory, the warnings are supposed to cultivate an atmosphere of preparedness. If Americans are vigilant against the terrorist threat, then maybe the terrorists will be caught and their plots foiled. And repeated warnings brace Americans for the aftermath of another attack.
The problem is that the warnings don’t do any of this. Because they are so vague and so frequent, and because they don’t recommend any useful actions that people can take, terror threat warnings don’t prevent terrorist attacks. They might force a terrorist to delay his plan temporarily, or change his target. But in general, professional security experts like me are not particularly impressed by systems that merely force the bad guys to make minor modifications in their tactics.
And the alerts don’t result in a more vigilant America. It’s one thing to issue a hurricane warning, and advise people to board up their windows and remain in the basement. Hurricanes are short-term events, and it’s obvious when the danger is imminent and when it’s over. People can do useful things in response to a hurricane warning; then there is a discrete period when their lives are markedly different, and they feel there was utility in the higher alert mode, even if nothing came of it.
It’s quite another thing to tell people to be on alert, but not to alter their plans, as Americans were instructed last Christmas. A terrorist alert that instills a vague feeling of dread or panic, without giving people anything to do in response, is ineffective. Indeed, it inspires terror itself. Compare people’s reactions to hurricane threats with their reactions to earthquake threats. According to scientists, California is expecting a huge earthquake sometime in the next two hundred years. Even though the magnitude of the disaster will be enormous, people just can’t stay alert for two centuries. The news seems to have generated the same levels of short-term fear and long-term apathy in Californians that the terrorist warnings do. It’s human nature; people simply can’t be vigilant indefinitely.
[...]
This all implies that if the government is going to issue a threat warning at all, it should provide as many details as possible. But this is a catch-22: Unfortunately, there’s an absolute limit to how much information the government can reveal. The classified nature of the intelligence that goes into these threat alerts precludes the government from giving the public all the information it would need to be meaningfully prepared.
[...]
A terror alert that instills a vague feeling of dread or panic echoes the very tactics of the terrorists. There are essentially two ways to terrorize people. The first is to do something spectacularly horrible, like flying airplanes into skyscrapers and killing thousands of people. The second is to keep people living in fear with the threat of doing something horrible. Decades ago, that was one of the IRA’s major aims. Inadvertently, the DHS is achieving the same thing.
There’s another downside to incessant threat warnings, one that happens when everyone realizes that they have been abused for political purposes. Call it the “Boy Who Cried Wolf” problem. After too many false alarms, the public will become inured to them. Already this has happened. Many Americans ignore terrorist threat warnings; many even ridicule them. The Bush administration lost considerable respect when it was revealed that August’s New York/Washington warning was based on three-year-old information. And the more recent warning that terrorists might target cheap prescription drugs from Canada was assumed universally to be politics-as-usual.
Repeated warnings do more harm than good, by needlessly creating fear and confusion among those who still trust the government, and anesthetizing everyone else to any future alerts that might be important. And every false alarm makes the next terror alert less effective.
The Bush administration used this system largely as a political tool. Perhaps Tony Blair has the same idea.
Crossposted to the Schneier on Security blog
Last week I blogged about airplane sky marshals writing reports on innocent travelers in order to meet a quota. Insane, I know.
The ACLU has asked the Chief Privacy Officer of the Department of Homeland Security to investigate.
“How can I run a blog without being subject to government surveillance? It seems the only way is to use a service hosted in Europe, never add anyone to my friends list, and never mention my location or other personally identifiable info.” — Anonymous from California
True anonymity on the Internet is very difficult. There are many ways you can be tracked via your ISP and your computer. I like Tor, an anonymous Internet communications system that uses a protocol called onion routing to hide your identity, and wish more people would sign up as nodes on the service. (Products like Anonymizer take some steps to hide your identity on the Internet, but they’re best in conjunction with something like Tor.) Used properly, Tor offers real anonymity on the Internet, both for surfing and for posting blog entries.
As to anonymous blogging, the Electronic Frontier Foundation has some great ideas in their “How to Blog Safely” guide. I recommend reading that.
I wrote about this back in March:
It’s easier than you think to create your own police department in the United States.
Yosef Maiwandi formed the San Gabriel Valley Transit Authority — a tiny, privately run nonprofit organization that provides bus rides to disabled people and senior citizens. It operates out of an auto repair shop. Then, because the law seems to allow transit companies to form their own police departments, he formed the San Gabriel Valley Transit Authority Police Department. As a thank you, he made Stefan Eriksson a deputy police commissioner of the San Gabriel Transit Authority Police’s anti-terrorism division, and gave him business cards.
More here.
While we’re on the subject of automobiles, here’s a great article from Wired on stealing cars with high-tech RFID locks. It seems that the criminals have learned how to steal these cars, but the insurance companies refuse to believe it.