The Department of Homeland Security’s Privacy Office has released a new Privacy Impact Assessment (DHS pdf; archive pdf) cybersecurity program Einstein. It is a Bush-era pilot program, continued under Obama, that seeks to have private telecommunications companies route the Internet traffic of civilian government agencies through hardware and software that would search for and block malicious computer codes; see more here and here. Recently, the Constitution Project included a discussion of EINSTEIN and privacy and civil liberties in a report, “Recommendations for the Implementation of a Comprehensive and Constitutional Cybersecurity Policy” (Project pdf; archive pdf), calling on Congress to include strong privacy protections in any cybersecurity legislation it adopts.

From the Privacy Impact Assessment:

The Department of Homeland Security (DHS) and the Department of Defense (DoD) are jointly undertaking a proof of concept known as the Joint Cybersecurity Services Pilot (JCSP). The JCSP extends the existing operations of the Defense Industrial Base (DIB) Exploratory Cybersecurity Initiative (DIB Opt-In Pilot) and shifts the operational relationship with the CSPs in the pilot to DHS. The JCSP is part of overall efforts by DHS and DoD to enable the provision of cybersecurity capabilities enhanced by U.S. government information to protect critical infrastructure information systems and networks. The purpose of the JCSP is to enhance the cybersecurity of participating DIB critical infrastructure entities and to protect sensitive DoD information and DIB intellectual property that directly supports DoD missions or the development of DoD capabilities from unauthorized access, exfiltration, and exploitation. [...] Read more »

The scandal about the alleged hacking of thousands of British citizens’ phones by the UK News of the World led to that newspaper’s closing and the questioning of owner Rupert Murdoch and his son, James Murdoch, by British officials. (It also led to much discussion about the privacy and security of telephone voicemail systems.) Now, the New York Times reports that the voicemail hacking scandal has spread to the Murdochs’ Times of London and it could include e-mail hacking:

The hacking scandal at Rupert Murdoch’s British newspapers took a new turn on Thursday when a lawmaker said police investigations had spread to the flagship Times of London. The revelation came a day after lawyers said an e-mail referring to “a nightmare scenario” of legal repercussions from widespread phone hacking at the News of the World tabloid was deleted from James Murdoch’s computer less than two weeks before the police opened investigations.

The lawmaker, Tom Watson, from the opposition Labour Party, who has been a central figure in the inquiries into phone hacking, said in a message on Twitter that Scotland Yard had “confirmed to me they are investigating” The Times “over e-mail hacking.” [...]

The development was significant in two regards: it focused attention on e-mail hacking rather than the illicit voice mail interception at the center of inquiries so far, and it suggested that the most august of the Murdoch publications in Britain was not immune from scrutiny. Read more »

The Associated Press reports on the U.S. no-fly list. In 2003, Homeland Security Presidential Directive No. 6 consolidated administration of the no-fly, selectee and other security watchlists under the jurisdiction of the Terrorist Screening Center. In 2009, the Justice Department’s Inspector General released a report (pdf) reported substantial problems with the terrorist watchlists. “The Federal Bureau of Investigation has improperly kept nearly 24,000 people on a terrorist watch list based on outdated or sometimes irrelevant information, while it missed others with legitimate terror ties who should have been on the list,”said the New York Times. Here are a few stories in the archives about problems with watchlists.

The Associated Press reports:

Even as the Obama administration says it’s close to defeating al-Qaeda, the size of the government’s secret list of suspected terrorists who are banned from flying to or within the United States has more than doubled in the past year, the Associated Press has learned.

The no-fly list jumped from about 10,000 known or suspected terrorists one year ago to about 21,000, according to government figures provided to the AP. Most people on the list are from other countries; about 500 are Americans.

The flood of new names began after the failed Christmas 2009 bombing of a Detroit-bound jetliner. The government lowered the standard for putting people on the list, and then scoured its files for anyone who qualified. The government will not disclose who is on its list or why someone might have been placed on it. [...] Read more »

The New York Times reports on negotiations concerning the sharing of traveler data between European Union countries and the United States:

BRUSSELS — Raising the stakes in a trans-Atlantic struggle over data privacy, an influential lawmaker said Tuesday that the European Parliament should reject a deal between the European Union and the United States that aims at sharing information about air passengers as a way to fight serious crime and terrorism.

Sophie in ’t Veld, a Dutch member of the Parliament who previously helped lead efforts to block an initiative for sharing banking information with the United States, said the air passenger deal failed to address earlier concerns raised by the Parliament, and was incompatible with other European legislation. [...]

A majority of E.U. member governments approved the air passenger deal in December, although Germany and Austria abstained because they still had serious concerns about the effects of the deal on privacy.

Ms. in ’t Veld’s recommendation is not binding, but if she gathers enough support the Parliament could block the agreement when it comes to a vote in April. Read more »

Illinois Attorney General Lisa Madigan recognized International Data Privacy Day and released the latest Information Security and Security Breach Notification Guidance (Illinois AG pdf; archive pdf). “In releasing her Information Security & Security Breach Response Guide, Madigan encouraged businesses and government agencies to establish an Information Security Program to understand the scope of the personal information they collect and to train employees how to properly maintain and handle information to prevent security breaches, which in turn can help prevent identity theft,” a press release said.

Here’s information from the guidance’s introduction:

The Illinois Personal Information Protection Act requires notification to Illinois residents in the event of an unauthorized acquisition of their personal information. Read more »

Last week, we discussed the US Supreme Court ruling in the case of United States v. Jones. In a unanimous decision (Supreme Court pdf; archive pdf), the court held that police do need a valid warrant to place a GPS device on a vehicle. The majority opinion was premised on the fact that there was a physical trespass, or intrusion, by putting the device on the vehicle. It did not decide an issue of privacy, and a New York Times editorial criticizes the Supreme Court ruling for being too narrow:

The Supreme Court ruled unanimously on Monday that the police violated the Constitution when they hid a Global Positioning System tracking device on the car of Antoine Jones and monitored his movements for 28 days. It put law enforcement on notice that most GPS electronic surveillance will be suspect without a judge’s warrant.

As welcome as the ruling was, the court left too many questions unanswered. It did not say how long this kind of surveillance can go on before requiring a warrant or what types of crimes justify GPS monitoring. It did not say what the rule would be if the police had tracked Mr. Jones with a technology not hidden on his car. Read more »