Computing Applications Staying connected

Private Lives

Laws governing surveillance must keep pace with technology.
  1. Introduction
  2. Surf and Its Turf
  3. I Spy
  4. Tech Support
  5. Author

Some know it as the Terrorist Surveillance Program. Others call it domestic spying. Whatever the name, regardless of the politics, privacy in communications has landed center stage. And the tech community has a lot at stake in how the curtain falls on the issue.

Even the idea that our intimate conversations between family and friends are fodder for a stranger’s ears or eyes is disconcerting. Some folks expect privacy to be an inherent component of communicating. But we’ve already given up some privacy for the benefit of convenient communication. Ride any train or walk down any city sidewalk and you can’t help but be bombarded by cell phone gabbers barking out personal information into their handsets, their voices stinging our ears. Personally, I’m still a little caught off guard when I call someone and they answer greeting me by name. Good old caller ID has taken the surprise out of incoming calls, and screening phone calls has never been more convenient. The solution? Dial *67 or pay your service provider to block caller ID. You’ve got to go that extra inch for that strand of anonymity.

But late last year, the conversations surrounding a person’s right to privacy during communication shifted from annoyance—how did that telemarketer get my phone number anyway? And why were my cell phone records purchased by a third party?—to one of Constitutional Law. The New York Times broke the story that President Bush had authorized surveillance without going through the normal procedures of getting court approval. The National Security Agency (NSA) had been authorized to collect international phone calls or email communication made within the U.S. without a warrant, if the person was believed to have a link to Al Qaeda or terrorism.

Critics declared that such action—the spying on U.S. citizens without going through the proper legal channels—was in violation of the 1978 Foreign Intelligence Surveillance Act (FISA). FISA spelled out that "probable cause" had to be proven that a person had links to terrorism before government could conduct surveillance. The Terrorist Surveillance Program takes that threshold down a notch, by allowing NSA officials to snoop as long as there is a "reason to believe" Al Qaeda or terrorist activity is part of a phone call.

Supporters pointed out that it wasn’t Joe Average’s conversations that the government was interested in. The wiretapping applied only to a small population: those persons believed to be communicating directly with terrorists. Such surveillance conducted without alerting the target, they argued, was a necessary weapon in the U.S. anti-terrorism arsenal. Or, as one retired judge put it: "You can’t play poker with all up cards."

Following the press reports, the Bush administration vehemently defended the plan. Wiretaps without warrants were justified in President Bush’s position of protecting the nation’s security. Besides, Congress had given President Bush the authority just days after the horrific attacks of Sept. 11, 2001 to use "all necessary and appropriate military force" against terrorists. The Patriot Act had his back.

Debates ensued. Wouldn’t such measures grease the already slippery slope of privacy erosion and, if left unchecked, become a sinister tool for prying into people’s private lives? Lawsuits bubbled (one such class action suit filed Jan. 31, 2006 by the EFF against AT&T charges the telecom giant not only violated U.S. law but its customers’ privacy in a "massive and illegal program to wiretap and data-mine Americans’ communications."). Congressional hearings were scheduled. Suddenly everyone was questioning how the interpretation of laws governing what was permissible could be so unclear.

Back to Top

Surf and Its Turf

The subject of privacy in communication grew more flammable when weeks later, Internet giant Google was fighting the government about a subpoena the Mountain View, Calif.-based company had received in summer 2005. Google was asked to provide information from its database—randomly chosen Web site addresses—as well as the text of searches conducted over one-week period. The Department of Justice asked for the information so it could resuscitate its Child Online Protection Act (COPA) and demonstrate that federal laws are more effective than filtering software for protecting children.

What most disturbed many Internet users was that they knew how often they type in a query to Google. In almost a stream of consciousness, a word or phrase could be typed into Google’s form, with the user unaware of what significance a particular search might have to a third party. Discussions raged on that the Internet, once perceived as an anonymous medium, was as translucent to the user’s identity as two metal cans haphazardly strung together. From the pundits, it was all countered with the sentiment that rooting out terrorists and putting an end to child pornography could only be seen as a reasonable cause. If you’ve done nothing wrong, you don’t have to worry about who is listening.

At approximately the same time, Google appeared in more headlines when it decided to enter the China market and hand over some control on what customers can view on search pages at the government’s request. It all had the making of the "perfect storm" for privacy issues, according to Cindy Cohn, legal director at the civil liberties group Electronic Frontier Foundation.

Google’s dilemma bled the privacy concerns of the voice network over to the data network, and mixed in the responsibilities of service providers and technology makers. Should customers expect such privacy when talking on their phones, when using the Net, or when thumbing with their Blackberry? Yes, say experts.

"If a third party has your info—mobile or landline—they should have obligations to keep that secret unless they get lawful process, and any violation of that is illegal," says Cohn.

But a service provider is at the mercy of lawful process. "The service providers have to do what they are asked for by the government," says telecom industry analyst Jeff Kagan. "So the bottom line is, with electronic and wireless communications we are fooling ourselves if we think it is private."

Complying with subpoenas is one thing, selling out to a third party interest is another. With security as a prominent concern, however, market experts say service providers promising shored-up networks, and strong business ethics not to divulge information unnecessarily could strike a market advantage.

"An assurance not to misuse the personal data by the service provider would be a better stand in the market, which is an inbound expectation of the general public," says Sathya Durga, analyst at market research firm Frost & Sullivan.

Google wasn’t the first Internet player to hear the knock on the door from federal agents. Internet behemoths Yahoo, MSN, and America Online have also been requested, and have also complied, to supply search records from their databases. It’s not that the Internet was overlooked by lawmakers. In 1994, Congress submitted guidelines to service providers in order to enable their networks to be more accessible to requests for information from law enforcement, and CALEA, or Communications Assistance for Law Enforcement Act, was born. There’s also the Electronic Communications Privacy Act, which governs the interception and disclosure of communications, including stored communication.

With the accelerated rate of progress of the technology, the art of surveillance detection might get much tougher down the road.

It was a relief to Google when, back in March, a federal judge was leaning toward making off limits the search terms used by customers, but giving the Department of Justice access to some of Google’s indexed Web sites, according to news reports. Google saw the move as justification of its own user privacy concerns regarding the DOJ’s request.

"At a minimum, we’ve come a long way from the initial subpoena request, which was for billions of URLs and an entire week’s worth of search queries," according to Nicole Wong, associate general counsel at Google. "When the government was asked to justify their demand they conceded that they needed much less." After negotiations, and before the judge’s ruling, the government had reduced its initial numbers sought to 50,000 URLs and 5,000 search queries.

Back to Top

I Spy

Paul Herrmann, founder of eVestigations and a former head of global IT security at a major pharmaceutical company, knows firsthand the sophistication of surveillance tools. That’s because eVestigations specializes in sniffing out such surveillance, be it in the form of an active bug that’s detected by the energy it emits or a more stealth inactive one, which could require more specialized equipment such as X-ray devices and non-linear junction detectors (NLJD) to detect, he says. But with the accelerated rate of progress of the technology, the art of surveillance detection might get much tougher down the road.

"There’s the possibility that in five years’ time, it will be impossible to detect some of the government things that made it out to the commercial market," says Herrmann.

Technology on the mobile front is also giving cause for privacy debates. This spring, a GPS-enabled phone will be marketed in the U.S. as a means for parents to track the whereabouts of their child. Verizon Wireless is scheduled to launch the service, rumored to be dubbed Verizon Chaperone, this month with plans to roll out additional location-based offerings. The service will be available on Verizon’s kid-oriented phone, tagged Migo.

Verizon Wireless’ move will likely be followed by others in the wireless realm. That’s because wireless operators years ago had to comply with federal mandates governing that the general location of a wireless phone could be pinpointed when a user was calling 911. The GPS, or global positioning system, chip embedded in mobile handsets was initially a means for fulfilling regulation. But with a niche—parents who want to know if their child leaves a friend’s house—the technology will be used for more lucrative commercial services. And possible infractions of privacy.

Such location-based services have been promised for years because of their convenience and potential to add revenues to wireless operators’ coffers, but many were stalled due to privacy concerns of users hesitant to have their whereabouts pinpointed. Likewise, other wireless technologies with major commercial applications, like RFID, have huge promise of increasing efficiency, cutting costs, preventing inventory loss and providing better customer service and applications, if they are encouraged to develop, say experts. But these technologies have also raised privacy concerns for their tracking-of-information nature (see "Inside Risks" column in this issue). Other developing technologies, like real-time locating systems (RTLS) and IP-based surveillance, haven’t yet registered on the privacy-scare screen but as they gain market share, they too will face scrutiny.

"As the market is expected to grow, it becomes highly essential that government needs to recommend an in-depth study of the technology and make relevant laws pertaining to the utility of the technology," Durga says.

Back to Top

Tech Support

What now? The EFF’s Cohn calls on the technology community to be cognizant of such privacy dilemmas that await it, and the public. In the aftermath of the Google situation, for instance, Cohn asks if Internet search firms really need to collect and retain massive amounts of information about user habits or usage patterns in searches in their databases. Or does keeping such potentially inflammatory information just invite requests for exposure?

"We are promoting among techs to think about how they can configure tools they put out there in a way that promotes privacy and protects people," Cohn says.

Service providers, technology gurus and lawmakers will be expected to see privacy safeguards as an important component of technology development, say experts, or technology will get a sharp kick in the shins.

"If the relevant steps are not taken, the market for such advanced technology is expected to suffer as the public and other privacy groups are going to raise their voices against such technologies," warns Durga.

In the end, advances in surveillance and technology will, and should, continue at an awe-inspiring pace. Let’s just hope the laws and the ethics that determine how that technology is used don’t get lost in the dust.

Back to Top

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More