Thursday, September 30, 2004
Overview of the Section 2709 Patriot Act decision
U.S. PATRIOT Act Decision Rendered in NY September 29, 2004- Finding its lack of judicial review and restraint on speech unconstitutional. Decision is stayed for 90 days for government action
An important provision of the controversial U.S. PATRIOT Act was struck down on September 29, 2004 by a NY Federal District Court judge. The judge voluntarily stayed the decision for 90 days to permit the government to appeal the decision before it goes into effect or solve the constitutional flaws he identified.
U.S.C. 18 §2709 is a section of the PATRIOT Act that permits the FBI to demand certain customer records from an Internet service provider or a telecommunications company that are “relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities.” These demands are made in a special form of administrative subpoena called a “national security letter” (an “NSL”). Once formally issued, the NSL recipients may not disclose anything about the NSL, including that it was ever even issued.
The ACLU, acting in advocacy role and as counsel to an ISP plaintiff, brought an action to declare U.S.C. 18 §2709 unconstitutional under several grounds. These include challenges to the broad subpoena powers under the First, Fourth and Five Amendments to the U.S. Constitution without judicial oversight, as well as challenges of the non-disclosure provision as a prior restraint of speech under the First Amendment.
The decision holds that (1) the restriction on any disclosure about the NSL or its issuance, to anyone, in perpetuity is overbroad and open-ended and, as such, violates the First Amendment of the U.S. Constitution and (2) the NSL recipient’s inability to have the NSL reviewed by a court violates the Fourth Amendment to the U.S. Constitution. Because the court held that the restraint subsection under the statute could not be severed from the remainder of the statutory provisions, the entire §2709 would have to be struck down.
Without this special provision, the FBI would have to obtain a search warrant or court order to access the customer records. That in turn requires that the request be presented to a magistrate or judge before being issued. Unique to the NSL is that no prior review is made by any member of the judiciary and that its recipient cannot seek judicial review of the propriety of the NSL, or its scope before complying (or even after compliance, under the gag provision). NSLs are not unique to the U.S. PATRIOT Act. They are used in several other national security regulatory schemes.
The judge spent several pages discussing the importance of the environment under which the law was first enacted, in response to the terrorist attacks of September 11th. decision discusses the need to constantly balance governmental efficiencies against fundamental liberties. While recognizing that the balance is rarely easy, the court held that the balance always is stacked in favor of fundamental liberties at the cost of efficiencies. Mindful of the crisis atmosphere and the real risks of terrorism post- September 11th, the decision quotes from previous decisions noting that the greatest risk to fundamental liberties come during times of great crisis. Courts during these times must use enhanced vigilance not to compromise these liberties in the name of expediency.
Solutions could be proposed allowing for a sealed and private judicial proceeding perhaps, should the NSL recipient seek judicial review. There may be other ways to save the intent of the provision and address the needs of our law enforcement agencies in the fight against terrorism. But all would require legislative action.
The Decision in ACLU v. Ashcroft
Patriot Act Provision is thrown out by Court - effective date is delayed 60 days to allow government time to appeal
National Security Letter authority under the PATRIOT act was found unconstitutional today by a NY Federal District Court judge. The provision that was struck down restricted internet service providers and other bsuinesses from informing anyone of the government's request for information. This could have been interpreted by some as preventing them from being able to consult counsel about any demands, among other actions.
see next post in this blog for a link to the decision itself and a more detailed analysis.
Wednesday, September 29, 2004
Privacy - the basics
I may write about complicated laws and technology implications, but when it comes to privacy we should always concentrate on the obvious first.
While flying back from the West Coast today, I had a layover in Houston Airport. While sitting there having my lunch, a man at the next table was speaking loudly on his cell phone, explaining to one of his vendors/partners that his company was going to announce the shut down of a project and explaining the details of legal and logistical problems they were facing. His shirt conveyed the name of his company, which was confirmed in the conversation. He said he had just come from a special secret briefing on this. He also stated that the shutdown was the result of adverse PR and potential lawsuits for failure to have the servers delivered and working on time.
I wasn't intentionally eavesdropping. I was bored and sitting there with a lukewarm pizza and not much else to do. Hise voice levels were such that even if I had something better to do, I would have been privy to his life story whether I wanted to or not.
His company could have invested millions in security technology and contingencies. Biometrics and RFIDs could be used to make sure that only the right people pass into the inner sanctums. All e-mails and electronic data could be encrypted with a billion bit encryption. And it wouldn't have made one whit of a difference. I still would have known everything I needed to know to short his company's stock, or write an article announcing these important shutdowns long before his PR department knew what was happening.
And if I, or one of my friends, represented the potential plaintiffs in any legal action, I would have a lead. In law a small lead can make all the difference in the world.
What's the basic point here?
Think before you conduct business, especially confidential business, in public. Use code names and only state essentials if you are forced to make that call over lunch at an airport. Convenience in this case should not outweigh good judgment.
when I've recovered from my jetlag, I'll share a story about a lawyer who blew his case by asking for my advice online.
Saturday, September 25, 2004
Cybercrimes, identity theft and phishing...Oh! My!!
I was recently asked to speak at a quarterly meeting of the San Francisco electronic crimes task force. They presented a pre-release briefing of their upcoming report on phishing and financial crimes online. While I was well acquainted with standard phishing schemes (where you are asked to log into your account to check it for security breaches, and the site is spoofed and designed just to steal your logins information and money), as well as the Nigerian schemes (my husband, father, brother, etc. Had billions and I just need you, the only trustworthy person in the world to help me get out the billions, just send me $5000), but a few new ones surprised me.
I found it was even more surprising to find out that I had been a victim of one of these.
The scheme goes this way:
You are searching for popular and expensive software (Microsoft's Office Pro, or Macromedia Studio, or Adobe illustrator) and find a site that promises you full legal copies for a mere fraction of their normal price. You give them your credit card information, and the product never arrives. Your account is never charged either, so you don't panic.
Then your account information is sold by the criminals to others who do charge your account or otherwise steal your identity.
In the work I do on preventing cybercrimes and helping people stay safe and use the Internet responsibly, I investigate sites all the time. The former head of our security team gave me a URL to a website that promised full length pre-release or recent release motion pictures. The website claimed you could download them from the subscriber section. I joined to investigate their service for our program to prevent motion picture piracy. No videos were there, or none could be downloaded. I couldn't even report it, since they weren't facilitating piracy. I shrugged it off and contacted my credit card company to stop the charge. They did. But I didn't know to tell them to stop the hundreds of other charges that were placed on my account when the account information was sold by the criminals from the site.
It took months to get it all to stop. And while Citibank (my creditcard company) was incredible in this, it was a serious problem and major inconvenience changing all accounts and watching for more fraud. Luckily, I have a policy of only using one of my cards for all e-transactions to make it easier to watch for fraud, so only one account was stolen.
At the meeting I learned that piracy is very often used as an inducement to financial fraud. These fake sites induce you to buy motion pictures, videos, music, software and other trademarked goods (such as designer luxury watches, electronics and pocketbooks, etc.) by giving you a price you can't refuse. Then they sell your information to others.
Some offer you credit cards or mortgages online, and when you complete the application they get everything they need to steal your entire financial identity.
Fortunately, while stopping the phishing itself isn't very easy (different technologies require a myriad of solutions), avoiding becoming a victim of cybercrime is much easier than you think.
It's all a matter of knowing whom to trust and making sure that you are really at the site you wanted to visit. It may take an extra click or two to get ther or confirm things are okay, but in the scheme of things, it's well worth the finger motion. :-)
Saturday, September 11, 2004
Parry's Blog - the children's story honoring the bravery of search and rescue dogs on September 11th
Friday, September 10, 2004
Cyberbullying and cyber bullies
When I wrote my UK book in 1999, I had to include an entire chapter on cyberbullying. It was and continues to be a very important issue for parents in the UK. In the U.S. pornography online and kids exposure to inappropriate information was more important. This reflects the difference in attitudes on bullying generally, I suspect. In the US we expect ourselves and our children to be tough...stand up to bullies.
The recent article in the NY Times and International Herald Tribune has created a ground swell of interest in cyberbullying. Parents are surprised by its existence and the level of harassment and pain involved. They are amazed when their quiet, normally respectful preteen or teen is accused of being a cyberbully. And few understand thirdparty cyberbulying or cyberbullying by proxy, when the victim is actually attacked by third parties based on provocations instigated by the real cyberbully.
I was recently interviewed by a leading international newspaper, by someone I know and respect. When I told her about the level of cyberbullying we have experienced from her country, among others, it was met with skeptism. How could we have handled that many cases and received that many inquiries if the local parent Internet safety groups were not aware of the problem?
I was shocked initially. Then I asked her to reach out to local children herslef. And my experiences were quickly verified by children sharing stories about how the cyberbully others and have been victimized by cyberbullies.
How could this problem escape parents? I have been talking about it for many years. But perhaps our calling it cyberharassment, rather than the kid-centric "cyberbullying" has confused people. Protecting children from other children is and has been a serious problem for many years.
Part of the probem is that cyberbullying victims, like their cyberharassment victim adult counterparts don't and shouldn't come forward to the media. This inevitably subjects them to more cyberbullying and cyberharassment, sometimes by their original harassers and sometimes by copycats. Without a real victim and a real story, the media piece either sounds like unsubstantiated hype or has little impact. But my job is to protect children, not subject them to media exposure and further exploitation.
This creates a catch 22. Without real stories, no one will fully appreciate the degree of the problem, but no victim should come forward because they will become victimized again.
Instead, reach out to your kids and their friends. Ask them what's going on. Let's find ways to create awareness on this probme without exposing children to ridicule and further pain. You shouldn't have to ask me for information about what your children are facing online. Ask them instead. They need to know you're there and that you care. You can learn more about this problem at internetsuperheroes.org, our new site that uses Marvel characters to teach responsible Internet use.
Then, if you need my help...e-mail me at firstname.lastname@example.org or reach out to email@example.com. We're happy to help.
Thursday, September 09, 2004
A great privacy law blog from Canada by David Fraser, a privacy lawyer there: PIPEDA and Canadian Privacy Law
PIPEDA and Canadian Privacy LawWell thought out, great links and notes of recent developments. It's a blog I watch.
Monday, September 06, 2004
Get a Life from Parry's Blog
Parry's BlogFor the rest of you who live online, my ruminations are nothing new. One of these days, I'll actually get a life! :-)
Friday, September 03, 2004
MSNBC - Cell phones and kids: Do they mix?
MSNBC - Cell phones and kids: Do they mix?Kids are using mobile phones ot cyberbully each other these days. And few parents udnerstand that while they may police their kids' use of chatrooms, no one is policing their use of SMS and other text-messaging applications from their cell phones. And photo and video capabilites haven't escaped tween and teen abuse either. Cell phones are great for kids, but parents should take to their kids about more than running up long distance charges. It's all about responsible use of technology.
Unintended Consequences: February 2004 Archives - A great blog!
Unintended Consequences: February 2004 ArchivesI was searching for references ot WiredSafety.org, the non-profit help group I run, and discovered this blog (after noting a reference to us). I was very impressed with Doug's writing and his approach, using questions after a posting. I'll watch his blog, and suggest you do too.
How to avoid sending something that can get you into trouble online
Internet Super Heroes - Cyberbullying, Flaming and Cyberstalking [CFC] for Kids, Tweens and Teens This is the piece I talked about in Think Before You Click Send. Many people are viewed as being rude, hostile or predatory merely becasue of a misunderstandning. (What we have here is a failure ot communicate! :-) for those of you too young to recognize that quote, forgive me, my age shows. :-))
Its a good checklist for the workplace as well. You are welcome to use it in employee training, as long as you credit me and InternetSuperHeroes.org.
IM, e-mail and interactive communications are designed for quick and casual communications. Becasue of this, we tend ot forget to check things before sending, and even if we remember, may not be willing to take the time. (As you may have noticed, I need a spelling checker on everything I do, and often don't bother...you may find yourself trying to figure out what I am attempting to say, it's so garbled :-( )
But do as I say, not as I do...and you'll be much better off. :-)
Thinking before sending...
Internet Super Heroes - Cyberbullying, Flaming and Cyberstalking [CFC]for Kids, Tweens and Teens I wrote this piece in connection with an article that appeared in the NY Times last week on cyberbullying. It featured our work, among others in this area. To coordinate with the piece, we pre-launched the cyberbullying section of InternetSuperHeroes.org, the new good cybercitizenship and responsible surfing page using Marvel characters.
This article, "Think Before You Click Send" works just as well for workplace cyberabuse issues and adult everyday interactive communication issues. At WiredSafety.org we spend more time helping victims of cyberstalking and cyberharassment than anything else. That's becasue people do things online they would never do in real life.
This, and a related article about a rant list might help you avoid doing something you may regret online.