Selling Terror

September 11 brought out the opportunists in Washington, and Silicon Valley

By David Banisar

For a few days following the events of September 11th, it appeared that the national psyche was changed, and perhaps in a positive way. It looked like people would get over the petty tiffs of the roaring '90s and come together to work for ways to improve our society.

But sociologists say that in times of crisis people fall back on familiar routines. So it comes as no surprise that many people are using the excuse of terrorism and the tragedy in New York for their political and economic benefit, with serious consequences for privacy and security.

It is a given that the politicians would provide the negative leadership in this realm. In September, the Senate passed the first of several anti-terrorism bills with 30 minutes of discussion. When I was a kid, we learned in civics class that the Senate was the greatest debating body in the world, yet they spent less time figuring out how to carve up the Constitution than they did eating lunch that day.

Then the White House offered its bill -- rehashing nearly every proposal rejected for Constitutional problems in the last 20 years. Following some reasoned discussion in the House and secret deals in the Senate, we now have the USA-Patriot Act, approved with no debate in the House, and only Senator Russ Feingold opposing it in the Senate.

Very little in the bill has to do with terror, and much of it has to do with a government wish list of powers that they have been demanding for years but could not get before. It allows secret searches of people's homes, not limiting them to terrorism cases, but permitting them when investigating any type of crime. It permits national orders for wiretaps, which mostly will be used for drug cases, and easier access to email and other stored communications using a search warrant, rather than a wiretap order.

The Act includes expanded use of Carnivore to intercept Web traffic without a real court order, and, best of all, creates the crime of "cyber-terrorism" for interfering with various government machines, so the next time the FBI or DOJ is embarrassed by some 12-year-old defacing their Web site, they will be able to lock the kid up for twenty years.

As if to make it clearer that the government is going to be less accountable with all these new powers, Attorney General Ashcroft sent a memo to employees at federal agencies who handle Freedom of Information Act (FOIA) requests telling them that they should be more restrictive with release of all information, and that the Justice Department would defend their secrecy in court, if need be. President Bush has also reportedly signed off on a plan to limit FOIA in the name of protecting critical infrastructure, so now the public will never know how insecure networks are.

One Nation, One Database to Abuse

Another bad idea that has come back into currency is the national I.D. card. This idea is like herpes -- it shows up every so often, causes a lot of pain, is treated, and goes away to come back another day. What is different this time is it's the tech companies, so desperate for sales, that are out in front pushing it, instead of the politicians who still remember the pain from last time.

Tech lord Larry Ellison at Oracle wants to sell a national I.D. card and link all the government and private databases together. He has offered the software to the government for free, but doesn't mention the fat consulting fees and software upgrades, and all the people who will have to buy his software to be compatible.

Not wanting to be overshadowed in calls for privacy invasions, Scott "you have no privacy (because we sell the hardware to invade it) so get over it" McNealy proposes national I.D. cards based on Java. With Sun's stock tanking at $10 a share, McNealy must be getting desperate to raise the value of his options a bit more.

The privacy implications of creating a giant tracking system of all people in the U.S. do not seem to bother these modern Masters of the Universe. After all, corporate profits and ego are more important than the little people.

And of course no one bothers to mention the security aspects of creating a giant national database linking all of a person's activities and movements together, accessible to all cops in the name of fighting terrorism.

This would likely be grafted to the current backbone of law enforcement databases, the National Crime Information Center (NCIC), which is notoriously insecure. Cops, private detectives and others regularly abuse it. The U.S. General Accounting Office (GAO) looked at the security of the system in 1993, and found that there were 50,000 authorized users, and little or no access controls and audit trails. The GAO found many incidents of abuse, including one in which an ex-cop in Arizona used it to track down his former girlfriend and kill her.

Things have not gotten any better in the intervening time. In January 2001, prosecutors charged Los Angeles DEA agent Emilio Calatayud with peddling information from NCIC and two other law enforcement databases to a private investigator for six years, charging between $60 and $80 per search. (Calatayud has pleaded not guilty and is set for trial in December.)

And in July 2001, the Detroit Free Press ran a two-part series on police abuses of the Michigan Law Enforcement Information Network, which is part of the NCIC. The paper found "Over the past five years, more than 90 Michigan police officers, dispatchers, federal agents and security guards have abused the Law Enforcement Information Network. In many cases, abusers turned a valuable crime-fighting tool into a personal search engine for home addresses, for driving records and for criminal files of love interests, colleagues, bosses or rivals."

Imagine what they will use it for when every aspect of your life is accessible from the mobile data terminal (that's the one encrypted with the sophisticated ASCII encryption scheme) in every police car.

Pushing Facial Identification Technology

But the award for the slimiest opportunists must go to the facial recognition software companies. Following September 11, Visionics Corporation put out a press release for a "Framework For Protecting Civilization" and called for the U.S. to link cameras from public and private organizations to the FBI through the Internet. Tom Colatosti, the CEO of Visionics competitor Viisage, chimed in with this gem, told to Reuters: "I am frustrated and, in fact, feel guilty that we allowed all of this dialogue around this red herring called privacy to get in the way of deployment."

Both companies forget to mention that the technology is so inaccurate for identification that it would be worthless for counter-terrorism. The U.S. Department of Defense found that in real-world testing facial recognition had an inaccuracy rate of over 30 percent. Former Monty Python actor John Cleese was able to fool one system currently in use in the U.K. by donning a fake beard and earrings.

These questions about utility are not keeping the technology from being implemented in at least ten U.S. airports including DC National, Oakland and Boston Logan.

Do we really feel safer knowing that the police will think that one-third of all people are terrorists because the technology is telling them so? If this is saving civilization, I think I'd prefer a cave somewhere, thanks, because the cops are going to be too busy chasing phantoms to protect anyone.

This is not just a U.S. phenomenon. Governments around the world are using the tragedy as an excuse to adopt new restrictive laws. The Canadian Parliament is pushing through a bill that would increase wiretapping, allow the CSE (NSA's baby Canadian brother) to monitor domestic calls, adopt the controversial COE Cybercrime treaty without a debate, and limit the ability of people to access government records. In the U.K., the government is proposing changes to regulations to require ISPs to retain data on net traffic for one year.

We're left with lots of new schemes and technologies that are likely to waste time and resources, prove counterproductive and lead to less security. So much for the end of business as usual. At least there are plenty of candidates for the Big Brother Awards next year. We may have to come up with new categories to make sure no one is left out.

David Banisar is a research fellow at the Harvard Information Infrastructure Project at the Kennedy School of Government at Harvard University and Deputy-Director of Privacy International.