The Department of Homeland Security’s Privacy Office has released a new Privacy Impact Assessment (DHS pdf; archive pdf) cybersecurity program Einstein. It is a Bush-era pilot program, continued under Obama, that seeks to have private telecommunications companies route the Internet traffic of civilian government agencies through hardware and software that would search for and block malicious computer codes; see more here and here. Recently, the Constitution Project included a discussion of EINSTEIN and privacy and civil liberties in a report, “Recommendations for the Implementation of a Comprehensive and Constitutional Cybersecurity Policy” (Project pdf; archive pdf), calling on Congress to include strong privacy protections in any cybersecurity legislation it adopts.

From the Privacy Impact Assessment:

The Department of Homeland Security (DHS) and the Department of Defense (DoD) are jointly undertaking a proof of concept known as the Joint Cybersecurity Services Pilot (JCSP). The JCSP extends the existing operations of the Defense Industrial Base (DIB) Exploratory Cybersecurity Initiative (DIB Opt-In Pilot) and shifts the operational relationship with the CSPs in the pilot to DHS. The JCSP is part of overall efforts by DHS and DoD to enable the provision of cybersecurity capabilities enhanced by U.S. government information to protect critical infrastructure information systems and networks. The purpose of the JCSP is to enhance the cybersecurity of participating DIB critical infrastructure entities and to protect sensitive DoD information and DIB intellectual property that directly supports DoD missions or the development of DoD capabilities from unauthorized access, exfiltration, and exploitation. [...] Read more »

The Associated Press reports on the U.S. no-fly list. In 2003, Homeland Security Presidential Directive No. 6 consolidated administration of the no-fly, selectee and other security watchlists under the jurisdiction of the Terrorist Screening Center. In 2009, the Justice Department’s Inspector General released a report (pdf) reported substantial problems with the terrorist watchlists. “The Federal Bureau of Investigation has improperly kept nearly 24,000 people on a terrorist watch list based on outdated or sometimes irrelevant information, while it missed others with legitimate terror ties who should have been on the list,”said the New York Times. Here are a few stories in the archives about problems with watchlists.

The Associated Press reports:

Even as the Obama administration says it’s close to defeating al-Qaeda, the size of the government’s secret list of suspected terrorists who are banned from flying to or within the United States has more than doubled in the past year, the Associated Press has learned.

The no-fly list jumped from about 10,000 known or suspected terrorists one year ago to about 21,000, according to government figures provided to the AP. Most people on the list are from other countries; about 500 are Americans.

The flood of new names began after the failed Christmas 2009 bombing of a Detroit-bound jetliner. The government lowered the standard for putting people on the list, and then scoured its files for anyone who qualified. The government will not disclose who is on its list or why someone might have been placed on it. [...] Read more »

The New York Times reports on negotiations concerning the sharing of traveler data between European Union countries and the United States:

BRUSSELS — Raising the stakes in a trans-Atlantic struggle over data privacy, an influential lawmaker said Tuesday that the European Parliament should reject a deal between the European Union and the United States that aims at sharing information about air passengers as a way to fight serious crime and terrorism.

Sophie in ’t Veld, a Dutch member of the Parliament who previously helped lead efforts to block an initiative for sharing banking information with the United States, said the air passenger deal failed to address earlier concerns raised by the Parliament, and was incompatible with other European legislation. [...]

A majority of E.U. member governments approved the air passenger deal in December, although Germany and Austria abstained because they still had serious concerns about the effects of the deal on privacy.

Ms. in ’t Veld’s recommendation is not binding, but if she gathers enough support the Parliament could block the agreement when it comes to a vote in April. Read more »

Last week, we discussed the US Supreme Court ruling in the case of United States v. Jones. In a unanimous decision (Supreme Court pdf; archive pdf), the court held that police do need a valid warrant to place a GPS device on a vehicle. The majority opinion was premised on the fact that there was a physical trespass, or intrusion, by putting the device on the vehicle. It did not decide an issue of privacy, and a New York Times editorial criticizes the Supreme Court ruling for being too narrow:

The Supreme Court ruled unanimously on Monday that the police violated the Constitution when they hid a Global Positioning System tracking device on the car of Antoine Jones and monitored his movements for 28 days. It put law enforcement on notice that most GPS electronic surveillance will be suspect without a judge’s warrant.

As welcome as the ruling was, the court left too many questions unanswered. It did not say how long this kind of surveillance can go on before requiring a warrant or what types of crimes justify GPS monitoring. It did not say what the rule would be if the police had tracked Mr. Jones with a technology not hidden on his car. Read more »

In the last few months, there have been reports about how smartphone users’ data could be quietly gathered and used by companies via software from a company called Carrier IQ. Sen. Al Franken (D-Minn.), chairman of the subcommittee on Privacy, Technology and the Law of the Senate Judiciary Committee, wrote to Carrier IQ demanding answers about how this technology affects cellphone users’ privacy. European officials are investigating the company for possible privacy violations. Carrier IQ spoke with the Wall Street Journal about its software.

Now, the Hill reports that Rep. Ed Markey (D-Mass), a co-chairman of the House caucus on privacy, has released a discussion draft (pdf) of the Mobile Device Privacy Act, which would require telecommunications providers such as Verizon, AT&T and Sprint to reveal if they are using data-tracking software such as Carrier IQ on mobile devices:

Consumers would have to consent to any data collection or transmission, and third parties would have to have policies in place to secure the data they collect.

Companies that want to transfer data to third parties would have to file applications with the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC). Read more »

The Washington Post reports on a lawsuit by employees at the Food and Drug Administration over the privacy of their personal e-mail. The story is a good reminder that technology can allow employers to see and record whatever you do on a work computer. There can be questions as to the legality of employers doing so in various cases, such as this one:

The Food and Drug Administration secretly monitored the personal e-mail of a group of its own scientists and doctors after they warned Congress that the agency was approving medical devices that they believed posed unacceptable risks to patients, government documents show.

The surveillance — detailed in e-mails and memos unearthed by six of the scientists and doctors, who filed a lawsuit against the FDA in U.S. District Court in Washington last week — took place over two years as the plaintiffs accessed their personal Gmail accounts from government computers.

Information garnered this way eventually contributed to the harassment or dismissal of all six of the FDA employees, the suit alleges. All had worked in an office responsible for reviewing devices for cancer screening and other purposes.

Copies of the e-mails show that, starting in January 2009, the FDA intercepted communications with congressional staffers and draft versions of whistleblower complaints complete with editing notes in the margins. [...] Read more »