Loss of Privacy

A bill [pdf] making its way through the Hawaiian state legislature would force ISPs to retain all users’ data for two years, allowing tracking of all web site data. This information would then be available to law enforcement without a warrant. All they need to do is ask for it.

The measure, H.B. 2288, says “Internet destination history information” and “subscriber’s information” such as name and address must be saved for two years.

Democrat Jill Tokuda, the Hawaii Senate’s majority whip, who introduced a companion bill, S.B. 2530, in the Senate, told CNET that her legislation was intended to address concerns raised by Rep. Kymberly Pine, the first Republican elected to her Oahu district since statehood and the House minority floor leader.

“I was asked to introduce the Senate companions on these Internet security related bills by Representative Kymberly Marcos Pine after her own personal experience in this area,” Tokuda said. “I would defer to her on the origins of these bills as she has done the research and outreach, and been the main champion of this effort.”

Pine, who did not immediately respond to queries, has been targeted by a disgruntled Web designer, Eric Ryan, who launched KymPineIsACrook.com and claims she owes him money, according to an article last summer in the Hawaii Reporter. Her e-mail account was also reportedly hacked around the same time. The article said Pine would advocate for “tougher cyber laws at the Hawaii State Capitol” as a result.

“We must do everything we can to protect the people of Hawaii from these attacks and give prosecutors the tools to ensure justice is served for victims,” Pine said at the time.

The problem here is that this a personal, knee-jerk response to a specific situation that can be taken care of already with the appropriate laws already on the books. What Kym Pine doesn’t realize is that this bill will have unintended consequences for her. If this bill were to become a law, she would be subjected to it as well. You can guarantee that people will start requesting information about her. It will not make her life any easier and people like Eric Ryan will use it to harass her further.

This bill has no privacy protections, no encryption protocols, and doesn’t limit anyone from selling the data collected. It does, however, remove the restriction of law that the police must obtain a court order before obtaining the information. Law enforcement merely needs to request the data.

Politicians need to start learning the law that is already out there and using it to prosecute people if they think the law is being broken. These types of laws do nothing other than erode the privacy that Americans already have and take for granted. Stomping on the fourth and fourteenth amendments should not be an option.

EDIT: Due to pressure, the Hawaiian legislature has decided to table the bill.

A Colorado judge has ruled that a defendant must decrypt her PGP- encrypted hard drives and allow the police to look at the device for incriminating evidence.

Blackburn, a George W. Bush appointee, ruled that the Fifth Amendment posed no barrier to his decryption order. The Fifth Amendment says that nobody may be “compelled in any criminal case to be a witness against himself,” which has become known as the right to avoid self-incrimination.

“I find and conclude that the Fifth Amendment is not implicated by requiring production of the unencrypted contents of the Toshiba Satellite M305 laptop computer,” Blackburn wrote in a 10-page opinion today. He said the All Writs Act, which dates back to 1789 and has been used to require telephone companies to aid in surveillance, could be invoked in forcing decryption of hard drives as well.

Although the defendant in the case intends to appeal, there are conflicting decisions already on the books.

In March 2010, a federal judge in Michigan ruled that Thomas Kirschner, facing charges of receiving child pornography, would not have to give up his password. That’s “protecting his invocation of his Fifth Amendment privilege against compelled self-incrimination,” the court ruled (PDF).

A year earlier, a Vermont federal judge concluded that Sebastien Boucher, who a border guard claims had child porn on his Alienware laptop, did not have a Fifth Amendment right to keep the files encrypted. Boucher eventually complied and was convicted.

The debate as to whether or not decrypting a computer by a defendant is a violation of the fifth amendment will continue as more cases like these come to trial. On the one side the argument is that decryption is similar to handing over the keys to a storage or safe deposit box while, on the other, privacy advocates state that giving up any information to decrypt a computer is the equivalent of testifying against oneself.

Also of note is that, in this particular case, the prosecution has to prove that she has the means to decrypt the laptop. If she is unable to do so, there is little else the prosecution can do.

As it stands right now, there is case law for both sides and it does not appear as if the debate is going to be settled any time soon. At some point, this issue will reach the Supreme Court because there are far too many conflicting points on both sides, in numerous cases, for the issue to be clear.

More malls are testing out the latest technology to track individuals while they shop at the mall.

Starting on Black Friday and running through New Year’s Day, two U.S. malls — Promenade Temecula in southern California and Short Pump Town Center in Richmond, Va. — will track guests’ movements by monitoring the signals from their cell phones.

“We won’t be looking at singular shoppers,” said Stephanie Shriver-Engdahl, vice president of digital strategy for Forest City. “The system monitors patterns of movement. We can see, like migrating birds, where people are going to.”

Still, the company is preemptively notifying customers by hanging small signs around the shopping centers. Consumers can opt out by turning off their phones.

This is a disingenuous response from the company as it is already known that turning off the phone will still leave you subject to being tracked.

The tracking system, called FootPath Technology, works through a series of antennas positioned throughout the shopping center that capture the unique identification number assigned to each phone (similar to a computer’s IP address), and tracks its movement throughout the stores.

The system can’t take photos or collect data on what shoppers have purchased. And it doesn’t collect any personal details associated with the ID, like the user’s name or phone number. That information is fiercely protected by mobile carriers, and often can be legally obtained only through a court order.

“It’s just not invasive of privacy,” she said. “There are no risks to privacy, so I don’t see why anyone would opt out.”

The risks to privacy include the fact that the data collected with the cell phone can be matched to video surveillance cameras in the mall. Your credit card information is also tracked when you make a purchase. Once vendors start to share the information, how anonymous is that data really going to be when joining these databases is such an easy task?

“Most of this information is harmless and nobody ever does anything nefarious with it,” said Sucharita Mulpuru, retail analyst at Forrester Research. “But the reality is, what happens when you start having hackers potentially having access to this information and being able to track your movements?”

This is precisely why this sort of research shouldn’t be conducted. The risks outweigh the data that the company can cull later. Just how easy is it to gather the data? Go to the mall with an android phone and start up DroidSheep. Within minutes, you’ll have a nice collection of facebook logins.

As I have suggested before, take the battery out of your phone before you leave for the mall or leave it at home. It’s the only way to be sure you won’t be tracked.

A paralegal at a law firm donated recycled paper to her child’s elementary school, which was full of person information.

It may have been a mistake, but there are serious HIPAA violation implications for the law firm.

In Farmington Hills, Michigan intelligent lights will soon be keeping a watchful eye over its citizens. But is it really for entertainment and safety or a gross invasion of privacy?

“In each lighting fixture or each lighting pole, there is processor very much like an iPhone. And it takes inputs and outputs and talks back and forth. And the poles actually talk to each other,” said Ron Harwood.

When you step come into view of the street light, there is a camera that spots you, and the person on the other side sees you by white specs on a black screen. The camera senses that somebody is there, and if wants, it can even take your picture.

The system is also capable of recording conversations making critics cry invasion of privacy.

“This is not a system with spook technology. It’s much more transparent. It can just talk to you and say, don’t fall over Niagara Falls,” said Harwood.

It may be able to just make a stupid joke about Niagara Falls, but the fact that it can spot you, track you, and record your conversations is, indeed, spook technology. It’s worrisome that people are simply accepting a program such as this as the normal course of events. If no one in Farmington Hills fights against it, it will start showing up elsewhere in the United States.