December 29, 2005

Hackers Rebel Against Spy Cams

This is my story on the Chaos Communication Congress computer hacking conference that I filed for Wired News from Berlin yesterday. Great talks here and lots of interesting people.

BERLIN -- When the Austrian government passed a law this year allowing police to install closed-circuit surveillance cameras in public spaces without a court order, the Austrian civil liberties group Quintessenz vowed to watch the watchers.

Members of the organization worked out a way to intercept the camera images with an inexpensive, 1-GHz satellite receiver. The signal could then be descrambled using hardware designed to enhance copy-protected video as it's transferred from DVD to VHS tape.

The Quintessenz activists then began figuring out how to blind the cameras with balloons, lasers and infrared devices.

And, just for fun, the group created an anonymous surveillance system that uses face-recognition software to place a black stripe over the eyes of people whose images are recorded.

Quintessenz members Adrian Dabrowski and Martin Slunksy presented their video-surveillance research at the 22nd annual Chaos Communication Congress here this week. Five hundred hackers jammed into a meeting room for a presentation that fit nicely into CCC's 2005 theme of "private investigations."

Slunksy pointed out that searching for special strings in Google, such as axis-cgi/, will return links that access internet-connected cameras around the world. Quintessenz developers entered these Google results into a database, analyzed the IP addresses and set up a website that gives users the ability to search by country or topic -- and then rate the cameras.

"You can use this to see if you are being watched in your daily life," said Dabrowski.

The conference, hosted by Germany's Chaos Computer Club, featured many discussions on data interception and pushing back the unprecedented onslaught of surveillance technologies.

Even the Dutch, once known as hacker-friendly, politically progressive Europeans, are now fearful and demanding more cameras on their streets, said Rop Gonggrijp, founder of Dutch ISP Xs4All.

Gonggrijp says the Dutch chief of police has announced the intention to store large amounts of surveillance data and mine it to determine who to pressure and question. "People are screaming for more control," said Gonggrijp.

Dutch journalist Brenno de Winter warned that the European Parliament's support for data retention doesn't ensure security, and makes citizens vulnerable to automated traffic analysis of who communicates with whom through phone calls and internet connections. "What we have seen is a system that fails because we miss out on too much information, and even if we have all that information, it doesn't give us the right information and it is easy to circumvent," said de Winter.

CCC member and security researcher Frank Rieger said hackers should provide secure communications for political and social movements and encourage the widespread use of anonymity technologies. He said people on the other side of the camera need to be laughed at and shamed.

"It must not be cool anymore to have access to this data," said Rieger, who argued that Western societies are becoming democratically legitimized police states ruled by an unaccountable elite. "We have enough technical knowledge to turn this around; let's expose them in public, publish everything we know about them and let them know how it feels to be under surveillance."

The four-day Chaos Computer Congress is meeting near Alexanderplatz in the former East Berlin, where more than a half-million people rallied for political reform five days before the fall of the Berlin Wall.

In his keynote address, Joichi Ito, general manager of international operations for Technorati, warned that the internet could itself become a walled-in network controlled by the International Telecommunication Union, Microsoft and telecommunications companies.

Ito said these restrictions would stifle free speech and the ability to question authority without retribution. "An open network is more important for democracy than the right to bear arms and the right to vote," said Ito. "Voice is more important than votes."

Posted by ann at 09:26 AM | Comments (3)

December 08, 2005

Government Drops Charges Against Davis

The government dropped all charges against Deborah Davis yesterday for failing to show her ID on a Denver public bus. Officials claim that passengers still have to show ID to transit through the Denver Federal Center, but said there were no clear signs to inform them of this requirement. Davis’ lawyers are not going away. Her arrest gives them standing to sue the federal government for false arrest. The lawyers are now negotiating with federal officials to prevent the ID requirement from being enforced on Denver city buses.

“We are very pleased that they dropped charges against Ms. Davis,” her volunteer attorney Gail Johnson told the Rocky Mountain News. "But sign or no sign, she and other Colorado citizens continue to have the constitutional right to travel by public bus without being forced to show identification to federal agents. I think if the government is going to insist on continuing to violate the constitutional rights of our citizens, then they are going to find themselves back in court on this one."

The scheduled rally in support of Davis will still be held on December 9 to protest the demand for ID. A group of Davis’ supporters, reporters and lawyers will then take a “victory ride” through the Federal Center on Route 100. Some are planning not to show their IDs. Johnson told the Rocky Mountain News that lawyers are standing by in Denver to provide legal representation for anyone arrested.

Posted by ann at 12:36 AM | Comments (0)

August 23, 2005

Questions About TSA Records Requests

By Ann Harrison

Thanks to everyone who wrote in with questions about requesting their TSA records under the Privacy Act. I was thrown by my horse this weekend and spent a few days limping around. But I'm back in the saddle now to answer your questions.

Scott wanted to know if I had requested my records, and if so, what did they say. I have just sent my own request off - so I can't tell you yet what my records say. The four Alaskan plaintiffs who asked for their TSA records have not received their records either - hence their lawsuit. We'll keep you posted Scott. In the meantime, I encourage you to request your own and find out for yourself.

Robb wanted to know what to do if he discovered his TSA travel records were inaccurate. Write to the TSA and correct them. If you don't, they may confuse you with someone else or violate your rights based on flawed data. Henry wanted to know how to file a Freedom of Information Act (FOIA) request with the TSA. According to my brother, Jim Harrison, who filed the Privacy Act request on behalf of the Alaskan plaintiffs, the TSA treats Privacy Act requests just like a FOIA request - so you don't have to write a separate letter for records under FOIA. Just use the sample Privacy Act request letter as a template for both requests.

Fred informed me that I had a misspelling in my sample TSA letter which I corrected. Thank you Fred. Adam wanted to add some fancy wordsmithing to my sample TSA letter. You can if you want, but I advise against it. The letter I posted is based on one with precise legal language that the TSA accepted as an actual Privacy Act request.

Neil wanted to know if he should put in a request for his TSA records even if he hadn't flown in June 2004. The answer is - yes! The TSA vacuumed up not only the names of people who the airlines said flew in June 2004, but also variations on those names. This means that even if you didn't fly at that time, your name may still be in the TSA test database for Secure Flight. So go ahead and request your records anyhow.

If you have more questions about accessing your TSA travel records, please let me know. I want to encourage you to get those records and find out what kind of data the government has gathered.

Posted by ann at 02:00 PM | Comments (4)

August 19, 2005

Demand Your Data! Exercise The Right To Your Travel Records Held By The TSA

By Ann Harrison

Are you curious what kind of information the U.S. government has collected about you to test their Secure Flight passenger screening system? Want to find out whether the system works? Did you fly in the U.S. during June 2004? Four Alaskans sued the Department of Homeland Security (DHS) and the Transportation Security Administration (TSA) yesterday to find out what happened to their travel data.

In direct violation of the Privacy Act, TSA has collected over 100 million records from commercial data providers to test Secure Flight. If your records are contained in this database, you have a right to obtain them. What would happen if thousands of people requested their TSA travel records every day?

You can request your travel and commercial records under the Privacy Act, but you better do it before TSA destroys the information. TSA spokeswoman Deirdre O’Sullivan told Wired News that the TSA has only destroyed some passenger name records (PNR) from airlines and travel agents, but not information TSA gathered from commercial data bases. You can request both your PNR and commercial data with a Privacy Act request.

According to Wired News, TSA has received only three requests for flight records, including the Alaskans. TSA should hear from more people concerned about what kind of data profiling they’re being subjected to each time they fly. Go ahead, see what the government's got on you. Find out how accurate it is.

Below is a sample Privacy Act request to the TSA based on a letter sent by the Alaskan plaintiffs requesting their PNR and commercial data under the Act. You can use it as a model for your own letter. While Privacy Requests are made to the FOIA division, this letter makes it clear that this is a Privacy Act, not a FOIA request. Do not allow TSA to attempt to confuse the two as they have been known to do.

Transportation Security Administration
TSA-20, West Tower, FOIA Division
601 South 12th Street
Arlington, VA 22202-4220

Dear Transportation Security Administration,

This letter constitutes a request under the 5 U.S.C. §552a. I request copies of all information relating to myself contained in the system of records established to test the Secure Flight Program. My request is for all information contained in each and every category of records in the system as listed in the notice to establish the system of records [Docket No. TSA-2004-19160]. These categories include information obtained by U.S. aircraft operators, other Federal agencies, including Federal law enforcement and intelligence agencies, and commercial data providers. Should TSA provide less than a complete copy of all records relating to myself contained in this system of records, I request a detailed explanation as to the reason for denying or not fully complying with my request.

My full name is:

My current address is:

My date of birth is:

My place of birth is:

I promise to pay reasonable fees incurred in the copying of these documents up to the amount of $25. If the estimated fees will be greater than that amount, please contact me before such expenses are incurred.

If you deny all or any part of this request, please cite each specific exemption that forms the basis of your refusal to release the information and notify me of the appeal procedures available under the law.

Pursuant to 28 USCS §1726 and in compliance with 6 CFR 5.21(d), I declare (certify, verify, or state) under penalty of perjury that the foregoing is true and correct.

Executed on this date:


Posted by ann at 01:23 AM | Comments (24)

August 18, 2005

Alaskans Sue For Release of Secure Flight Records

By Ann Harrison

I have just returned from Europe to discover that democratic heroism is alive and well in America. Four courageous Alaskans sued the Department of Homeland Security (DHS) and the Transportation Security Administration (TSA) today demanding information from TSA’s illegal database of flight records and commercial data.

The Alaskans charge that the government violated the Privacy Act of 1974 by failing to disclose - and then possibly destroying - their airline travel records which were used to test the TSA’s proposed “Secure Flight” passenger screening program. Alaskans are a tough bunch. They make it clear on their official web site that they don't like the government snooping around their private business and then lying to Congress about it.

Last month, the Government Accounting Office, Congress’ watchdog agency, said TSA violated the Privacy Act by failing to disclose the use of 100 million commercial data records in the testing of Secure Flight.

If you don't want to wade through that tedious 16-page document, read instead the damning letter sent to the DHS by Senators Susan Collins (R-ME) and Joseph Lieberman (D-CT) concerning TSA's illegal data collection practices. Senator Collins is the Chairman and Senator Lieberman is the Ranking Member of the Senate Homeland Security and Governmental Affairs Committee which has oversight of the DHS.

The Privacy Act requires the government to give notice when it collects data on its citizens, and it allows people to access their records held in government databases. I suggest you use it to examine your own travel records to see how accurate they are and how closely the government is tracking you.

Both the Privacy Act and DHS’s own Privacy Act Procedures also forbid the destruction of records that are part of a pending request, appeal or lawsuit under the Act - raising questions about whether the TSA is involved in the destruction of evidence.

The complaint, filed in U.S. District Court in Anchorage, was accompanied by a motion for a preliminary injunction asking the court to prevent the agencies from destroying any further records used to test Secure Flight. My brother Jim is the attorney representing these Alaskans and he’s made me, his older sister, very proud.

The Secure Flight program, which is set for full roll-out next year, is a revised version of a discredited proposal for a passenger profiling system known as the Computer Assisted Passenger Prescreening System or CAPPS II which the Alaskan plaintiffs also opposed. Secure Flight, which has proven just as controversial, is intended to prevent terrorists from boarding domestic commercial flights by comparing Passenger Name Records (PNR) data provided by the airlines to the government’s so-called “no-fly” lists or other watch lists.

The airline’s PNR data sent to the government vary by airline, but they usually include your full name, address, and phone number. These records will also include information on your travel plans such as your credit card number, frequent flier number and itinerary. The airlines don’t actually store the reservation data, it’s kept by companies called Computerized Reservation Systems (CRS) which are used by airlines, hotel and car rental agencies.

The airlines are currently responsible for checking their passengers against government watch lists. When Secure Flight is launched, the government will compare the passenger names against their new watch list using the System of Records that the Alaskans oppose.

The TSA has been testing the Secure Flight system by ordering 72 domestic airlines to release passenger travel records for domestic travel during the month of June 2004. The four Alaskan plaintiffs, Dr. John David, Sarah Huntley, Charles Beckley, and William Beck, said they traveled in the month of June and have been trying for three months to acquire copies of their travel records.

Wired News reported that the federal government said it destroyed 3 million of the 15 million PNR records it collected to test Secure Flight because they were no longer needed for testing. The records were deleted on April 19, two months before TSA announced that it was deleting the records.

Nobody who traveled in June 2004 gave the government permission to access or delete their travel data. But the TSA used these PNR records to create a dossier on these travelers, comparing their names to its controversial terrorism watch list that reportedly contains over 120,000 names. The TSA has already issued - or will issue - a secret Security Directive ordering all airlines to turn over their passenger records for this purpose.

The TSA had to order the airlines to turn over the data after it was revealed last year that several airlines, including Jet Blue, Northwest and American, secretly gave the government personal information on 12 million passengers without the travelers’ permission or knowledge. According to an Inspector General’s report, the TSA was less than honest about its role in collecting the data which sparked class action lawsuits against the airlines and government data contractors.

In Alaska, where the plaintiffs live and work, air travel is a necessary form of transportation in remote areas unreachable by other transportation. The Alaskans charge in their complaint that the creation of identity-based national security systems, such as Secure Flight, weakens long-standing individual rights and lessens protections against government abuse of power.

Secure Flight essentially creates a system of internal border controls compromising not only privacy rights, but the Constitutional right to freedom of travel and assembly. Harrison says his clients don’t want the federal government telling them whether they can travel and screening them with databases based on secret parameters.

The Creation of A Secret Database

The TSA has continued to mislead the public about their creation of screening databases for Secure Flight. The TSA stated in its official Privacy Act notice that it would not store commercial data on airline passengers. But documents printed in the Federal Register in June revealed that the TSA gave about 42,000 passenger name records to a Virginia-based contractor named EagleForce Associates. EagleForce compared the records to information from three commercial data aggregators.

The commercial data included first, last and middle names, home address and phone number, name suffix, second surname, spouse first name, gender, second address, third address, zip code and latitude and longitude of the address. EagleForce produced CD-ROMs with the commercial data that TSA stored and used for watchlist match testing.

The TSA admitted in a revised Privacy Act statement in June that it was using and storing commercial data. TSA spokesman Mark Hatfield was quoted by the Associated Press on June 21st saying that it was routine to change Privacy Act statements during testing and that access to the data was highly restricted. “Secure Flight is being built on an airtight privacy platform, and the GAO and Congress are providing close oversight every step of the way,” Hatfield told the AP.

But according to the GAO report, the TSA permitted EagleForce to expand the passenger names from 42,000 to about 200,000 by generating variations on names. This scooped up the data of people who may not even have flown in June. Data aggregators working for EagleForce also provided social security numbers of passengers even though the government claims it never requested this data.

The private companies who manage this commercial data will determine whether you are who you say you are. They will also run federal, state and local criminal background checks and decide whether you are color coded green (which means you pass normally through airport security), yellow (which would require you to undergo additional screening) or red (which would bar you from an airplane as a potential terrorist and possibly result in your arrest on outstanding warrants - or the warrants of someone who they have mistaken for you.)

The TSA does not require any of these databases to actually be accurate. Those who have been wrongly placed on this list quickly find out how difficult it is to get the error corrected or review their data.

Getting The Records

Secure Flight program director Justin Oberman told Wired News that it is possible that the TSA never collected flight records for the Alaskans since airlines process 60 million flight records a month and TSA received only 15 million records for June 2004.

But the Alaskan plaintiffs had every reason to think that their travel records might be contained in the System of Records used to test Secure Flight. Plaintiffs Dr. John A. Davis, superintendent of the remote Bering Strait School District and Charles Beckley, coordinator of technology for the school district, repeatedly flew inside the U.S. on commercial airlines during the month of June. Plaintiffs Sally Huntley and Bill Beck are travel agents whose agent information is likely contained within hundreds of passenger name records on tickets they booked for their customers during the month of June 2004.

When TSA provided notice that they were creating their Secure Flight System of Records in September 2004, the Privacy Act allowed for individuals to request any of this data. On May 8, the plaintiffs filed their Privacy Act requests for both their PNR and information on them provided by commercial database firms. But when the plaintiffs requested their records from TSA, the agency gave them the runaround.

On June 20, 2005, the American Civil Liberties Union issued a press release noting that the TSA was set to disclose in the Federal Register that the agency had indeed collected and stored personal data about airline travelers despite a Congressional ban - and promises by the agency that it would not do so. The ACLU pointed out that “the secret collection of personal data from private companies shows a complete disregard for the privacy of Americans.”

On June 22, the TSA replied to the Alaskans’ request for their records by informing them that “[a] search within the Transportation Security Administration (TSA) was conducted and no documents responsive to your requests were located.”

On the same day the TSA told plaintiffs that they couldn’t find their records, the TSA filed a notice in the Federal Register admitting that commercial data had been included in the records and stating that it had decided to destroy “certain copies of the original [records] provided by the air carriers.” The notice also sought to amend the existing record system to include commercial data and identified the commercial data providers as Insight, Acxiom, and Qsent. “Can an agency just destroy the records and say ‘sorry,’ they don’t have them any more?” asked Harrison.

The plaintiffs immediately appealed the TSA’s conclusion that their records could not be located. They cautioned TSA not to destroy any part of their System of Records and asked for the confirmation of any destruction of data.

Oddly, a month after the plaintiffs appealed TSA’s conclusion that their records could not be located, TSA came back and asked the plaintiffs to disclose which airlines they traveled on and when so “an adequate search of the records” could be performed. Harrison immediately provided TSA with the requested information. But despite repeated requests and administrative appeals by plaintiffs that their records not be destroyed, the Alaskans have not been notified that the destruction of these records has been halted. TSA has exceeded its 30 day limit for replying to the request.

The Alaskans are now demanding that the court order the TSA and the DHS to immediately disclose what records contained in the System of Records to test Secure Flight were destroyed, by whom and when. They want the court to declare that TSA and DHS violated the Privacy Act and their own rules to comply with the Privacy Act. And of course, the plaintiffs want the court to force TSA and DHS to hand over copies of their personal travel dossiers and comply with the law.

Harrison said he was contacted today by TSA who denied that they had any information about his clients.

Posted by ann at 08:16 PM | Comments (0)