Showing posts with label privacy. Show all posts

Monday, May 14, 2007

Spying on the Homefront

Tomorrow night on PBS's Frontline is "Spying on the Homefront":
FRONTLINE addresses an issue of major consequence for all Americans: Is the Bush administration's domestic war on terrorism jeopardizing our civil liberties? Reporter Hedrick Smith presents new material on how the National Security Agency's domestic surveillance program works and examines clashing viewpoints on whether the president has violated the Foreign Intelligence Surveillance Act (FISA) and infringed on constitutional protections. In another dramatic story, the program shows how the FBI vacuumed up records on 250,000 ordinary Americans who chose Las Vegas as the destination for their Christmas-New Year's holiday, and the subsequent revelation that the FBI has misused National Security Letters to gather information. Probing such projects as Total Information Awareness, and its little known successors, Smith discloses that even former government intelligence officials now worry that the combination of new security threats, advances in communications technologies, and radical interpretations of presidential authority may be threatening the privacy of Americans.
(Via the Electronic Frontier Foundation.)

CALEA compliance day

Today's the day that providers of VoIP and broadband Internet in the United States must comply with CALEA, mandating that they supply a way for law enforcement to eavesdrop on any communications carried over those mechanisms. I suspect many VoIP providers are in compliance but that fewer broadband Internet providers are, since the draft standard for CALEA for data over broadband Internet only came out in March. (And if you'd like to read the standard, it will cost you $164 for the PDF or $185 for a paper copy.)

Bob Hagen at the Global Crossing blog points out some free tools that can be used to protect your privacy.

Saturday, March 31, 2007

Ron Paul in Phoenix


Last night I attended a small event where Rep. Ron Paul (R-TX) spoke about his candidacy for president as a Republican. I found it a bit of a disappointment. On the plus side, he is making opposition to both the drug war and the war in Iraq a major part of his campaign. He also opposes warrantless wiretapping, the USA PATRIOT Act, and the Military Commissions Act. And in response to a question from one of several atheists present, he indicated his support for the separation of church and state (and opposition to Bush's faith-based initiatives). On the minus side, his stance on illegal immigration is to "secure the border," deny benefits to illegal immigrants, and eliminate birthright citizenship. New Mexico Gov. Bill Richardson's stance on illegal immigration (double Border Patrol officers, implement a guest worker program, and provide a mechanism for illegal immigrants to pay a fine and become legal residents) makes a whole lot more sense than that. Also on the minus side, as Sameer Parekh has pointed out at his blog, his stance on free trade is to oppose anything that he sees as a compromise on free trade (like major free trade agreements), which makes him look like he's pandering to protectionists--his web page gives no indication that he supports free trade, which strikes me as dishonest.

Nutjob Arizona State Senator Karen Johnson was there, and she asked a question about Bush's "stealth campaign" to establish a North American Union; Paul responded that he opposes creation of such an entity and a common currency for such an economic area (the "amero"). This is going into WorldNetDaily and Alex Jones conspiracy theorist territory, conflating the Security and Prosperity Partnership of North America (a meeting between the three heads of state to increase economic cooperation) with the ideas of Robert Pastor, a professor at American University, about creating a political union. If the EU can't approve a Constitution (with France and the Netherlands rejecting it) and still has holdouts on the euro (Britain and Norway), how likely is it that countries as different as the U.S., Mexico, and Canada would combine into a single political entity?

I'm glad Ron Paul has provided a consistent voice in Congress against the war in Iraq and erosion of our civil liberties in the name of the global war on terror, but I'm afraid he probably wouldn't make a very good president (though I did make a small contribution to his campaign which I'm feeling some buyer's remorse for this morning). My preference is to see a Democratic president and split control of Congress--gridlock seems to be the most effective way of achieving economic growth and slowing the erosion of our civil liberties.

UPDATE (April 12, 2007): The argument that Paul makes about illegal immigration--that we should stop it because of the impact on welfare--is aptly turned on its head in this post from last year at David Friedman's blog.

UPDATE (February 11, 2008): Here's a debunking of a number of Ron Paul claims, including the NAFTA superhighway.

Thursday, November 16, 2006

Global Crossing criticizes wiretapping rules

News.com has a nice article about how Global Crossing (my employer) has criticized the extension of CALEA wiretapping rules to VoIP and broadband:

Paul Kouroupas, vice president of regulatory affairs for Global Crossing, strongly criticized the Federal Communications Commission's broadening of a 1994 law--originally intended to cover telephone providers--as disproportionately costly, complex, and riddled with privacy concerns. His company is one of the world's largest Internet backbone providers.

"Our customers are large Fortune 500 companies--not too many of those companies are conducting drug deals or terrorist activities out of Merrill Lynch's offices or using their phones in that way," Kouroupas said at an event here sponsored by the DC Bar Association. "By and large we don't get wiretap requests, yet we're faced with the costs to come into compliance," which he estimated at $1 million.

I think that's a conservative estimate.

Friday, September 29, 2006

The ineffectiveness of TRUSTe

The TRUSTe program is supposed to certify that a website has a reasonable privacy policy. But Ben Edelman has cross-referenced TRUSTe certifications with SiteAdvisor ratings, and found that sites with TRUSTe certifications are twice as likely as those without to be listed as "untrustworthy" in SiteAdvisor's database--meaning that they send out spam, distribute spyware, etc.

Edelman calls out four particularly notorious sites that have or have had TRUSTe certification: Direct-Revenue.com, Funwebproducts.com, Maxmoolah.com, and Webhancer.com. All four are heavily involved with spyware. Direct Revenue and Maxmoolah have had their TRUSTe certifications revoked, but should never have been certified in the first place if TRUSTe had been doing the validation it should have been doing.

TRUSTe has long been criticized by anti-spammers for giving certifications to organizations that don't deserve them.

Ryan Singel has raised similar questions about TRUSTe's reliability.

Wednesday, August 23, 2006

AT&T sues data brokers selling phone call records

AT&T has filed a lawsuit against 25 unnamed data brokers for using "pretexting" to obtain customer call data records. These data brokers would pose as the legitimate customers in order to obtain billing records for third parties for a fee. Data brokers selling this data over the Internet got some negative public attention last summer and in January of this year, but Congress has not made pretexting illegal for phone records the way it is for financial records. It came out in June of this year that law enforcement and federal agencies were active customers of these data brokers, using them to obtain data without having to go through the process of getting warrants.

The Electronic Privacy Information Center already filed an FTC complaint against one data broker, Bestpeoplesearch.com.

Thursday, August 17, 2006

Judge grants injunction against warrantless wiretapping

Although the ACLU's lawsuit against AT&T in Illinois was thrown out, a separate case in Michigan filed on January 17 of this year against the NSA for warrantless wiretapping without approval of the FISA Court has resulted in a ruling by U.S. District Judge Anna Diggs Taylor that the practice is unconstitutional and must stop immediately. This is not the final decision in the case, but the granting of an injunction for the plaintiff.

The Electronic Frontier Foundation's lawsuit against AT&T also continues.

Monday, August 07, 2006

AOL releases user search data, tied to individual users

AOL has published logs showing web activity data for 650,000 users--it's 20 million searches in about 800MB. Although the AOL screen names were converted to random numbers, the numbers are consistent across an individual user's activity and in many cases are no doubt sufficient to identify the individual based on ego surfing and other activity.

As Tech Crunch points out:
The most serious problem is the fact that many people often search on their own name, or those of their friends and family, to see what information is available about them on the net. Combine these ego searches with porn queries and you have a serious embarrassment. Combine them with “buy ecstasy” and you have evidence of a crime. Combine it with an address, social security number, etc., and you have an identity theft waiting to happen. The possibilities are endless.
The Paradigm Shift blog notes an instance of an AOL user who appears to be plotting to kill his wife (though there are, of course, possible innocent explanations). Commenters note that over 100 users used search terms which included references to child porn. There is no doubt that this will be used to argue for greater release of data to the government with fewer safeguards against misuse; commenters have already made the claim that "if you don’t do anything wrong, then you have nothing to be afraid of - even if people can view your search history." Commenter Robert follows up with a good response:
Do you ever search for your SSN#, phone number and/or name online to see if it was posted without your consent? Do you ever worry your day care provider might be a child molester so you search for child molestation and the caretaker's name or their business name? Do you ever want to find ways to explain sex to your teenage daughter? Gee I wonder what those search terms might look like? Are you famous? Imagine if you type in the name of a restaurant you want to go to and the word paparazzi to see if they are known to hang there. Let’s hope they do not see that? Oh, do you have a rare disease or maybe you are pregnant and are looking for a clinic in your area so you type in your zip code? In a rural area that might leave oh 1-30 people it could be? Oh, maybe you think your son is gay? I wonder what you would search for then? Do you have any fetishes or other unusual hobby that might be embarrassing for people to know about but is not illegal? Remember that rural issue again? Getting it yet, because I could go on and on. This is a personal invasion at its most basic level. Not only does it expose personal details of people's lives, but it is open to wild misinterpretations. Take the wife killing search. Has anyone thought they were simply looking for news they had heard of on the topic, looking for a good book they had heard about with that topic whose title they could not remember, were a wife worried their husband was thinking about this, or maybe that it was exactly what they were looking for but it was only a private fantasy that let them cool off one day after an angry argument? Without context any term can seem scandalous or even criminal. Finally, there is the greater issue. When you start taking away more and more privacy. Each time you chip away at the greater fundamental concept that you deserve this right at all.
Releasing this data to the general public was sheer idiocy on AOL's part (and apparently a mistake), and demonstrates that an AOL account is not a good idea even when it's free.

The data has been downloaded hundreds of times and is now being redistributed on other websites.

UPDATE August 8, 2006: AOL has admitted and apologized for its mistake. News.com has an article which gives some more examples of the kind of information that can be gleaned from the search records.
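
An added example (not from AOL, TechCrunch or the original post): a pre-release audit in Python showing why replacing screen names with consistent random numbers does not anonymize a search log. The log rows, the regular expressions, the repeated-phrase heuristic and the names `audit_release` and `unlink` are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample rows: (pseudonymous user id, query).
# None of these come from the real AOL release; the SSN-shaped value is a dummy.
SAMPLE_LOG = [
    (1001, "jane q example"),
    (1001, "clinics near 85001"),
    (1001, "jane q example phoenix"),
    (1001, "symptoms of rare disease"),
    (1002, "cheap flights"),
    (1002, "pizza recipes"),
    (1003, "000-12-3456 posted online"),
    (1003, "how to remove ssn from website"),
]

# Quasi-identifier patterns a data custodian might screen for (assumed, not exhaustive).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "zip": re.compile(r"\b\d{5}\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
}


def audit_release(log):
    """Group rows by pseudonym and report which pseudonyms carry identifying signals.

    Returns {user_id: {"signals": [...], "linked_queries": n}} for flagged ids.
    linked_queries is how many of that id's queries become attributable to
    whoever the signals identify, because the id is stable across rows.
    """
    by_user = defaultdict(list)
    for user_id, query in log:
        by_user[user_id].append(query.lower())

    report = {}
    for user_id, queries in by_user.items():
        signals = set()
        for name, pattern in PATTERNS.items():
            if any(pattern.search(q) for q in queries):
                signals.add(name)
        # Ego-search heuristic: the same two-word phrase in two or more queries.
        phrase_rows = defaultdict(set)
        for i, q in enumerate(queries):
            words = q.split()
            for pair in zip(words, words[1:]):
                phrase_rows[pair].add(i)
        if any(len(rows) >= 2 for rows in phrase_rows.values()):
            signals.add("repeated_phrase")
        if signals:
            report[user_id] = {
                "signals": sorted(signals),
                "linked_queries": len(queries),
            }
    return report


def unlink(log):
    """Mitigation sketch: give every row its own id so queries cannot be joined."""
    return [(row_id, query) for row_id, (_, query) in enumerate(log)]


if __name__ == "__main__":
    print("stable ids:", audit_release(SAMPLE_LOG))
    print("per-row ids:", audit_release(unlink(SAMPLE_LOG)))
```

With stable ids the medical query rides along with the name and ZIP code; with per-row ids a risky row exposes only itself, at the cost of the per-user history that made the data interesting to researchers.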

Sunday, August 06, 2006

Republican playbook for 2006 elections leaked

A 91-page document describing the Republican strategy for the 2006 elections has been leaked and is available online (PDF). The document was obtained by The Raw Story website, which has published a summary:

The document, signed by Senators Rick Santorum (R-PA) and Kay Bailey Hutchison (R-TX), reveals plans to focus Republican Senatorial campaigns on three themes.

Next week, Republicans will tout efforts to "secure America's prosperity" through a variety of programs. Plans for small business health insurance pooling, spending reductions, increased domestic oil drilling, and "permanent death tax reform" are all to be pushed at the state level.

Mid-month, Republicans are expected to shift gears, focusing voters' attention instead on a variety of values-based initiatives. "Democrats oppose preserving a clear definition of marriage, are blocking child custody protections, and have obstructed the confirmation of fair judges," the document reads. "Republicans are committed to protecting these traditional values by fostering a culture of life, protecting children, banning internet gambling and upholding the rule of law."

Stem cell bills, though vetoed by President Bush, are also to be championed by Republicans, even as they promote a law preventing "fetus farming," a practice lawmakers believe could one day result from stem cell research. Strangely, a section touting various types of stem cell funding set to be promoted by Republicans is followed by another section, headlined, "Setting The Record Straight: President Bush's Stem Cell Policy Is Working."

Also included in the Republican values push will be the Child Custody Protection Act, which would make "it a federal crime to circumvent state parental involvement laws by taking a minor across state lines for an abortion."

Republicans then plan to spend the month's remaining two weeks promoting the party's efforts in regard to homeland security.

Approval of Attorney General Alberto Gonzales' plan for new, court-martial-like trials for terror detainees seems to be a priority, as are funding for the US-Mexico border fence, employee background checks for port security workers and improvement of the national emergency alert system.

The section seems more concerned, however, with defending the Republican record on security, promoting positive statements by the Iraqi Prime Minister, and combating Democratic criticism. For instance, terror suspect surveillance is listed as a priority, and "liberal newspaper" reports about NSA wiretap programs are criticised, but future programs are not listed among other proposed laws.

Hat tip to Jack Kolb on the SKEPTIC mailing list.

Thursday, June 22, 2006

Extending CALEA to VoIP: a bad idea

The Information Technology Association of America (ITAA) has issued a report on “Security Implications of Applying the Communications Assistance to Law Enforcement Act to Voice over IP” (21-page PDF) by Steven Bellovin, Matt Blaze, Ernest Brickell, Clinton Brooks, Vinton Cerf, Whitfield Diffie, Susan Landau, Jon Peterson, and John Treichler. This report comes at a time when the FCC and courts have already ruled that VoIP and facilities-based broadband providers must provide lawful interception capabilities under CALEA for VoIP services that are “interconnected” with the publicly-switched telephone network (PSTN).

The report effectively argues that in order to extend CALEA compliance to VoIP, “it is necessary either to eliminate the flexibility that Internet communications allow—thus making VoIP essentially a copy of the PSTN—or else introduce serious security risks to domestic VoIP implementations. The former would have significant negative effects on U.S. ability to innovate, while the latter is simply dangerous.”

The report gives a good basic explanation of VoIP (which comes in a variety of possible flavors), an explanation of pre-CALEA wiretapping and current CALEA wiretapping (including cellular telephone wiretapping and roving wiretaps), and then describes the similarities and differences between the Internet and the PSTN.

It then describes the issues of security raised by applying CALEA to VoIP and the risks to innovation created by applying CALEA to VoIP.

Two of the key problems for applying CALEA to VoIP are:

  • VoIP mobility. A VoIP phone can be plugged in anywhere on the Internet, for non-facilities-based VoIP providers like Vonage. The network that connects the VoIP phone to the Internet—which is the one in a position to intercept the call data--need not be the network of the VoIP provider, or have any relationship with the VoIP provider.
  • VoIP identity agility. A VoIP user can have multiple VoIP providers and easily switch between them from moment to moment. The owner of the Internet access network is not in a position to know who a VoIP user is purchasing VoIP services from. They are in a position to be able to intercept and detect what VoIP providers the user connects to directly, but not if the VoIP user is using encrypted traffic through proxies.

Further problems are caused by the fact that the communication between two VoIP phones is peer-to-peer, and the routing of a call at the IP layer can change in mid-call. Because of the former issue, the call contents may not traverse the VoIP provider's network, and thus it will not be in a position to intercept (unless it behaves like the PSTN, forcing the call contents to also come through its network, using SIP proxies/RTP relays). In order to truly be able to intercept all VoIP calls using VoIP as it is designed, there would have to be cooperation between the VoIP user’s access provider of the moment (which could be any Internet provider—a WiFi hotspot, a friend’s ISP, a hotel’s Internet connection) and the VoIP provider being used—but law enforcement may not be in a position to know either of these. The kind of cooperation required would have to be very rapid, with interception equipment and systems already in place and able to eavesdrop wherever the voice traffic may flow, upon appropriate request. This would require extensive coordination across every VoIP and Internet provider in the United States of a sort that doesn’t exist today. It would require extremely careful design and implementation to avoid creating vulnerabilities that would allow this incredibly complex infrastructure to be exploited by unauthorized users--but with so many parties involved, I think that's a pipe dream. This incident with cellular telephony in Greece shows what can already happen today with unauthorized parties exploiting CALEA technology.

And the FCC has ordered that it be in place by May 14, 2007. There’s no way that’s remotely possible--note that the FCC gave ordinary wireline telephone companies over a decade to implement CALEA in the PSTN, and it has been an extremely difficult and expensive process. At best, by the deadline facilities-based VoIP providers will be able to provide interception for call traffic that goes across their own networks, and apparently be forced to do that for all traffic (or else there would be a way to distinguish calls being rerouted for interception from all other calls). And if that's the only kind of VoIP that is permitted, VoIP innovation is stifled.

One company that has been pushing hard for these extensions of CALEA is Verisign. They have been doing so because they want to act as the one-stop-shop for U.S. law enforcement, setting up their own infrastructure to interconnect with all Internet and VoIP providers to provide everything from subpoena handling to wiretapping services under contract to the providers. This would effectively hand off wiretapping capability to a third party, working on behalf of the government, over which the individual providers would have little oversight.

For more on CALEA, see the Electronic Frontier Foundation's CALEA website. For more on the history and politics of wiretapping, see Whitfield Diffie and Susan Landau's excellent book, Privacy on the Line: The Politics of Wiretapping and Encryption.

UPDATE July 7, 2006: I've updated the above text in light of Charles' comment, to make it more accurate about interception by forcing VoIP calls to route through the VoIP provider's network.

Tuesday, June 20, 2006

Digital camera blocking technology

Researchers at Georgia Tech have come up with a technology for preventing video cameras from working. The setup uses sensors to detect cameras from the reflectivity and shape of CCD sensors (or is it actually detecting the lens?), then directs a beam of light (potentially a laser) at the CCDs to prevent them from recording images. The prospective uses they suggest include prevention of piracy in movie theaters and as a countermeasure against espionage. Their small-area technology is apparently close to ready for commercialization, but the large-area version still has a ways to go.

The camera-neutralization technology "may never work against single-lens reflex cameras."

Let's hope it doesn't become a technology used to prevent the documentation of abuses, governmental or otherwise.

More details on apparent NSA interception at AT&T

Salon.com has a new article on a room in an AT&T facility in Bridgeton, MO (a St. Louis suburb) that may be an NSA interception facility. The room is protected by a man trap and biometric security, and the AT&T employees who are permitted to enter it had to get Top Secret security clearances. The work orders for setting up a similar room in a San Francisco AT&T office, reported by former AT&T worker Mark Klein, came from Bridgeton.

The Electronic Frontier Foundation has an ongoing class-action lawsuit against AT&T over its involvement in illegal NSA wiretapping.

Monday, June 12, 2006

"Banner farms" and spyware

Ben Edelman continues his valuable research with an exposure of Hula Direct's "banner farms" which are being used to display banner ads through popups, driven by spyware installations:
Hula cannot write off its spyware-sourced traffic as a mere anomaly or glitch. I have received Hula popups from multiple spyware programs over many months. Throughout that period, I have never arrived at any Hula site in any way other than from spyware -- never as a popup or popunder served on any bona fide web site, in my personal casual web surfing or in my professional examination of web sites and advertising practices. From these facts, I can only conclude that spyware popups are a substantial source of traffic to Hula's sites.
Edelman also notes that most of Hula's ads include JavaScript code or HTML refresh meta tags to automatically reload the ads fairly quickly. The effect is to display more ads, and to show the ads for a shorter time than the advertisers are expecting.

Hula doesn't have a direct relationship with its advertisers (Edelman notes the relationships of cash and traffic flow), but the advertisers are being complacent and allowing it to happen. Some of the advertisers: Vonage, Verizon, Circuit City.

Finally, Edelman notes that some of the ad networks being used by Hula have taken notice and started to take action. One ad network, Red McCombs Media, refused to pay a $200,000+ bill from Hula and has been sued by them for breach of contract.

Thursday, May 18, 2006

Late 1990s NSA program

The Baltimore Sun has reported on a shelved 1990s NSA program to collect and analyze phone records which had the following features:
* Used more sophisticated methods of sorting through massive phone and e-mail data to identify suspect communications.

* Identified U.S. phone numbers and other communications data and encrypted them to ensure caller privacy.

* Employed an automated auditing system to monitor how analysts handled the information, in order to prevent misuse and improve efficiency.

* Analyzed the data to identify relationships between callers and chronicle their contacts. Only when evidence of a potential threat had been developed would analysts be able to request decryption of the records.

Perhaps this program was brought back after 9/11? If such records were maintained with phone number and caller information encrypted until needed, and decrypted only with appropriate legal authorization, would that enable Verizon and BellSouth to truthfully deny having supplied the records to the NSA? I don't think so, unless the system was in the possession of the phone companies and didn't release data to the NSA until legal authorization was obtained. But would such a system be objectionable? So long as the controls genuinely prevented abuse and legal authorizations were really obtained for each use, I don't think it would be. (Via Talking Points Memo.)

BTW, in a New York Times story in which Verizon denied turning over records to the NSA (which BellSouth has also denied), Tony Rutkowski of Verisign is quoted suggesting that the NSA may have collected long-distance phone records rather than local calls. The article notes that Verizon's denial seems to leave the door open to the possibility that MCI, which Verizon recently acquired, had turned over data. Verisign, it should be noted, has been attempting to develop a business where it acts as a third-party manager for subpoenas and wiretapping for phone companies. While the telcos have strongly attempted to block attempts by the government to expand its wiretapping capabilities into the VoIP and Internet arenas (in part on the grounds that the CALEA statutes do not cover them, and also because the infrastructure expense is placed entirely on the telcos), Verisign has supported the government's efforts, as these filed comments with the FCC make clear (red means support for expanded government wiretapping capability, blue means opposition).

You'll note that Verisign is uniformly supportive of the government, and of the three telcos that have come under fire for giving data to the NSA, two are uniformly opposed (BellSouth and SBC (now AT&T)) and one is partly opposed and partly supportive (Verizon). I'm happy to note that my employer, Global Crossing, is not only on record as opposed, but filed comments which addressed more of the issues than most of the other filers.

(UPDATE May 19, 2006: Apparently the 1990s program was called ThinThread.)

Sunday, April 09, 2006

Details of AT&T cooperation with the NSA emerge

Details of AT&T's cooperation with the National Security Agency are beginning to emerge as a result of the Electronic Frontier Foundation's lawsuit against AT&T, as described by Wired:

AT&T provided National Security Agency eavesdroppers with full access to its customers' phone calls, and shunted its customers' internet traffic to data-mining equipment installed in a secret room in its San Francisco switching center, according to a former AT&T worker cooperating in the Electronic Frontier Foundation's lawsuit against the company.

Mark Klein, a retired AT&T communications technician, submitted an affidavit in support of the EFF's lawsuit this week. That class action lawsuit, filed in federal court in San Francisco last January, alleges that AT&T violated federal and state laws by surreptitiously allowing the government to monitor phone and internet communications of AT&T customers without warrants.

On Wednesday, the EFF asked the court to issue an injunction prohibiting AT&T from continuing the alleged wiretapping, and filed a number of documents under seal, including three AT&T documents that purportedly explain how the wiretapping system works.

According to a statement released by Klein's attorney, an NSA agent showed up at the San Francisco switching center in 2002 to interview a management-level technician for a special job. In January 2003, Klein observed a new room being built adjacent to the room housing AT&T's #4ESS switching equipment, which is responsible for routing long distance and international calls.

The account says that AT&T's Internet peering traffic, as well as voice traffic, is being intercepted:

"While doing my job, I learned that fiber optic cables from the secret room were tapping into the Worldnet (AT&T's internet service) circuits by splitting off a portion of the light signal," Klein wrote.

The split circuits included traffic from peering links connecting to other internet backbone providers, meaning that AT&T was also diverting traffic routed from its network to or from other domestic and international providers, according to Klein's statement.

The secret room also included data-mining equipment called a Narus STA 6400, "known to be used particularly by government intelligence agencies because of its ability to sift through large amounts of data looking for preprogrammed targets," according to Klein's statement.

This information goes well beyond what had already been determined about AT&T's gigantic call detail record (CDR) database, Daytona, that preserves a record of decades of telephone calls. That database included only the phone numbers and dates and times, not the actual content of the calls. This new information, by contrast, suggests the ability to actually intercept the content of voice calls and Internet data transmission.

Friday, March 03, 2006

AT&T's 1.9-trillion-call database

John Markoff has a story in the New York Times about AT&T's "Daytona" database, which has a record of 1.9 trillion calls from over the last several decades. The Electronic Frontier Foundation, which has filed a lawsuit against AT&T for cooperating with the NSA's warrantless interception program, asserts that this database has been used by the NSA for data mining.

"Checking every phone call ever made is an example of old think," he said.

He was alluding to databases maintained at an AT&T data center in Kansas, which now contain electronic records of 1.92 trillion telephone calls, going back decades. The Electronic Frontier Foundation, a digital-rights advocacy group, has asserted in a lawsuit that the AT&T Daytona system, a giant storehouse of calling records and Internet message routing information, was the foundation of the N.S.A.'s effort to mine telephone records without a warrant.

An AT&T spokeswoman said the company would not comment on the claim, or generally on matters of national security or customer privacy.

But the mining of the databases in other law enforcement investigations is well established, with documented results. One application of the database technology, called Security Call Analysis and Monitoring Platform, or Scamp, offers access to about nine weeks of calling information. It currently handles about 70,000 queries a month from fraud and law enforcement investigators, according to AT&T documents.

A former AT&T official who had detailed knowledge of the call-record database said the Daytona system takes great care to make certain that anyone using the database — whether AT&T employee or law enforcement official with a subpoena — sees only information he or she is authorized to see, and that an audit trail keeps track of all users. Such information is frequently used to build models of suspects' social networks.

The official, speaking on condition of anonymity because he was discussing sensitive corporate matters, said every telephone call generated a record: number called, time of call, duration of call, billing category and other details. While the database does not contain such billing data as names, addresses and credit card numbers, those records are in a linked database that can be tapped by authorized users.

New calls are entered into the database immediately after they end, the official said, adding, "I would characterize it as near real time."

(Via Bruce Schneier's blog.)

Wednesday, March 01, 2006

Illicit wiretapping of Greek politicians was done through legitimate code

Bruce Schneier reports on the technical details of how about 100 Greek politicians and offices, including the U.S. Embassy in Athens and the Greek prime minister, were illicitly tapped. What was originally referred to as "malicious code" turned out to be eavesdropping code in Vodafone's mobile phone software that was present for law enforcement interception. The same kind of code is present in U.S. phone switches as required by CALEA. As Schneier points out, "when you build surveillance mechanisms into communication systems, you invite the bad guys to use those mechanisms for their own purposes."

Tuesday, February 14, 2006

The Secret FISA Court

Via Steve's No Direction Home Page:

Apparently presidential wiretapping is frowned upon--when it's done by Clinton.

Some of the reader comments are hilarious, viz.:

"Any chance of Bush rolling some of this back?"

"As quietly as possible (although it sometimes breaks out into the open, usually with the sound of gunfire and the death of innocents), a "shadow government" has been set up all around us my friend. Its foundation is not the constitution, but Executive Orders, Presidential Proclamations, Secret Acts, and Emergency Powers."

"This is wherein the danger lies in the precedent set by the Clinton criminal administration. God only knows who will be in power next, but there are no checks and balances anymore. This is exactly the SORT of thing I've been protesting all along. Libs just don't see this!"

Sunday, February 12, 2006

Schneier and Paulos on automated wiretapping

Security and cryptography expert Bruce Schneier gave a talk yesterday to the ACLU Washington's membership conference at which he argued that massive automated wiretapping generates too many false alarms to be useful, as described in the Seattle Times. As a commenter on Schneier's blog notes, mathematician John Allen Paulos (author of Innumeracy and A Mathematician Plays the Stock Market, both of which I highly recommend), writing in a New York Times op-ed titled "Panning for Terrorists," makes the same point.

The problem is essentially the same one that makes it pointless to engage in programs of blanket drug-testing of grade school children or mandatory HIV testing in order to obtain a marriage license--the population being tested contains such a small number of people who meet the criteria being tested for that even a highly accurate test returns vastly more false positives than true positives.

Paulos points out that a 99-percent-accurate sorting mechanism for detecting terrorist conversations, on a population of 300 million Americans that includes one-in-a-million with terrorist ties (300) will identify 297 of them, along with 3 million innocent Americans. That's 297 true positives and 3 million false positives, producing a new sample population that is .009% terrorists and 99.99% innocent Americans who may be wrongly investigated.
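
Paulos's arithmetic, generalized as an added example (not from Schneier, Paulos or the original post): the first function reproduces the 297 and roughly 3 million figures, and the others show how far the error rate would have to fall before flagged people are mostly real hits. The function names, and the reading of "99-percent-accurate" as a 99% detection rate with a 1% false-positive rate, are assumptions of this example.

```python
def screen(population, prevalence, detection_rate, false_positive_rate):
    """Return (true_positives, false_positives, precision) for a blanket screen.

    precision is the share of flagged people who are real targets.
    """
    targets = round(population * prevalence)
    innocents = population - targets
    tp = round(targets * detection_rate)
    fp = round(innocents * false_positive_rate)
    precision = tp / (tp + fp) if tp + fp else 0.0
    return tp, fp, precision


def sweep(population, prevalence, accuracies):
    """For each accuracy a, treat detection rate as a and false-positive rate as 1 - a.

    Returns rows of (accuracy, true_positives, false_positives,
    innocents flagged per real hit).
    """
    rows = []
    for acc in accuracies:
        tp, fp, _ = screen(population, prevalence, acc, 1 - acc)
        rows.append((acc, tp, fp, round(fp / tp) if tp else None))
    return rows


def max_false_positive_rate(prevalence, detection_rate, target_precision):
    """Largest false-positive rate that still reaches target_precision.

    Derived from precision = d*p / (d*p + f*(1 - p)), solved for f.
    """
    d, p, t = detection_rate, prevalence, target_precision
    return d * p * (1 - t) / (t * (1 - p))


if __name__ == "__main__":
    # The scenario in the text: 300 million people, one in a million a target.
    print(screen(300_000_000, 1e-6, 0.99, 0.01))
    for row in sweep(300_000_000, 1e-6, [0.99, 0.9999, 0.999999]):
        print(row)
    print(max_false_positive_rate(1e-6, 0.99, 0.5))
```

At this prevalence a screen that errs only once in a million cases still flags one innocent person for every real hit, which is the same effect that produces alert fatigue in any rare-event detector.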

Tuesday, January 17, 2006

ACLU files lawsuit against warrantless wiretapping

The ACLU has filed a lawsuit against the NSA asking for an injunction against warrantless interception of communications to international destinations. The plaintiffs include James Bamford (author of The Puzzle Palace, Body of Secrets, and A Pretext for War), Christopher Hitchens, Greenpeace, Larry Diamond of the Hoover Institution, the Council on American-Islamic Relations, the National Association of Criminal Defense Lawyers, and others.