I'm thinking about some kind of campaign to coincide with the new Congress, something to drum up debate and discussion on the rapidly eroding nature of privacy in America, perhaps revamping the proposed amendment (though I still like the current draft for its simplicity).  A few days driving through the desert might help me bring some clarity to this project.

Skepticism in the courtroom doesn't always translate into "favorable" opinions.  What I do find interesting about the report, however, is the suggestion by Judge Sentelle (apparently echoed by Judge Edwards) that pure Internet calling (e.g. the original Skype) may be exempt from CALEA, but VoIP services that connect to the traditional telephone network (e.g. Vonage, AT&T CallVantage, Verizon Broadwing) are likely covered.  I'm curious to see how this line of reasoning might  affect the SkypeOut and SkypeIn plans (which do connect to the PSTN) now that Skype is a wholly-owned subsidiary of eBay, as well as AOL's plan to begin offering telephone numbers on its voice/instant messaging service.

Technorati: CALEA, VoIP, Skype, DC Circuit

One of the joys of being a rank amateur at this quasi-journalistic stuff is that I have the luxury of starting an article and then waiting six months to finish the story when it becomes timely again.  In this case, the topic is the costs and potential damage from CALEA, the Communications Assistance for Law Enforcement Act. Jointly administered by the FCC and FBI, CALEA sets out various requirements for telephone companies to open their networks for wiretapping and other surveillance.  Notably, CALEA is an act about technical standards for communications companies, not a separate authorization for wiretapping by the FBI or other law enforcement agencies.

Last summer, the FCC decided (PDF) that CALEA requires participation and assistance from all "interconnected VoIP providers" and "broadband Internet access service providers", not just the traditional telephone companies.  In other words, all the cable companies and broadband ISPs, along with any of the "VoIP-out" and "VoIP-in" services, are responsible for installing equipment that allows law enforcement to tap and intercept communications across those circuits or lines. Last Wednesday, the FCC reaffirmed (PDF) its August 2005 order and the implementation deadline of May 14, 2007 for all affected parties.

The Electronic Frontier Foundation (with the usual cast of fellow travellers) has challenged this expansion of CALEA and just yesterday argued its case before the Court of Appeals for the DC Circuit (the highest-ranking "administrative law" court in the country). The foundation of the EFF's argument is pretty simple: there are already enough wiretapping laws, and the ones already on the books are being honored primarily in the breach.

Aside from the privacy advocates, the other major (and potentially unexpected) protest to this expansion of CALEA is coming from U.S. colleges and universities.  Since larger universities often operate their own phone switches and nearly always operate IP networks connected to the Internet, the expanded CALEA smacks them squarely across the teeth.  The universities seem to be more concerned about cost than about higher principles of free speech and privacy... but at least they're speaking up. For additional perspectives, please check out Ars Technica's continuing coverage of the issue.

Personally, I'm torn on this topic.  Is it right for ISPs and telcos to say "sorry, we have no technological hooks into VoIP traffic" in the face of a legitimate (and judicially authorized) wiretap request?  Is it right for the government to pass this cost to private industry?  Will CALEA-type requirements lead to Ed Whitacre's tiered and segregated Internet, where VoIP traffic gets tagged and shunted into separate "pipes" where interceptions can occur?  Will the law prohibit encryption of VoIP traffic?  Far more questions than answers, to be sure... all I can say is "stay tuned."

Technorati: CALEA, FCC, FBI, EFF, surveillance, wiretaps, VoIP

Cellphone Tracking:

Among the newish strategies in the encroachment on personal liberties: tracking individuals via their mobile phones. The State of Missouri says it will use the data only to help MoDOT unravel traffic knots -- and if you believe that, then take a look back to my earlier entry reporting on the first briefing on Missouri's plan (plus Oregon's similar experimentations).  And if that weren't enough, take a look at a recent US court ruling allowing the FBI to engage in warrantless cellphone tracking.  The court opinion seems related to Judge Richard Posner's assertion that  "there's no invasion of privacy in automated data capture and mining" -- a disturbing notion pretty much any way I can slice it.  The Brits are also getting in on the mobile phone action -- through WorldTracker  (SMS-fueled web tracking) and similar programs -- though the BBC article does suggest that the publicity is leading to reform... wish I could say the same about the US.

Data Retention:

The uproar has died down for the moment, but rest assured that the Electronic Frontier Foundation is moving forward with its litigation against "the new AT&T" for its participation in the presidentially-sanctioned (but putatively illegal) domestic surveillance program. Perhaps the Senate hearings headed by Arlen Specter (R-PA) will help swing the spotlight back around again.  The ACLU offers a funky map / schematic demonstrating the infrastructure of the surveillance efforts AND rechristened the former "Echelon Watch" pages as "NSA Watch" while Ars Technica offers its own look at the NSA technology in play.

Across the pond, the European Union staged a significant attack on personal privacy by permitting a wide range of communications surveillance, including mandatory logging of all end-user communications by telcos and perhaps ISPs.  One Irish MEP is challenging the actionon parliamentary / procedural grounds, but action seems to have quieted down once again (perhaps due to continued negotiations?). Of course, if Microsoft's vision of a "secure and trusted" future comes to pass, it will take far more than one MEP to make an effective stand for the public.  Meanwhile, the UK is considering cameras on the highways to record license plates -- not because the driver is accused of running a red light, but because they can.

An extended piece in the Washington Post (and follow-up on-line chat) from November cataloged the FBI's powers today under the USAPATRIOT Act.  I'd hope that some of our politicians revisit this story before the inevitable conference committee about the re-authorization of the act.  (I only expect a committee because the House will give away even more than the Senate did, leaving us with a "lesser of two evils" scenario -- always a positive outcome in an election year.)  Note also that the FBI has rolled back the reinstatement of headquarters tours (once a hallmark of any trip to the nation's capital and increasingly relevant in this day of "CSI" and "Law and Order" overload) have been cancelled until 2007.  Anyone want to bet against an extension of that re-entry date to at least 2009 (assuming a change in administrations at that point)?

Finally, there's really not much to say about the "sale of cellphone records" stories that garnered attention in the US and Canada, except that the cellcos are definitely going to have to work on defeating the social engineering tricks used for many of the "breaches."  Rogue employees will always exist -- so the challenge is one of being able to identify activity early (instead of just cracking down after the fact).

Random Entry:

Like any number of "is this microphone on? gaffes, I'd like to think that the Houston (TX) police chief was simply musing aloud when he suggested that the city should have cameras in every home.  "If you are not doing anything wrong, why should worry about it?"  The inevitable wise-ass response (courtesy of BoingBoing): a reward (now close to $2000) to the person who catches the chief on video commiting an illegal act.

Similarly, people seem shocked that Internet service providers might be able to associate IP addresses (whether static or dynamically allocated) to particular subscribers.  The BBC freaked over ISPs receiving court orders to turn over subscriber information on alleged file sharing sites, while the New York Times sounded the alarm bell over similar tactics in US federal and state courts for a variety of criminal and civil cases.

I'm not asking "isn't this horrible?" though -- my questions are more along the lines of "why did it take so long to be an issue?" and "don't we want courts involved in defending individual privacy?".  The RIAA has been issuing blanket subpoenas and John Doe lawsuits (where it knows something about a defendant but not the true legal identity) against alleged file-sharers for nearly two and a half years, with the EFF offering advice on countermeasures.  Six years ago, I was filing my own John Doe complaints in federal courts to get subpoena authority against AOL, Yahoo!, Microsoft, and small ISPs.  (*)

Society as a whole is probably benefitted by some limits on private corporation's data retention.  If Google really wants to "do no evil," it can certainly adopt a 90- or 180-day retention policy for search results -- some IP tracking is probably relevant to support AdSense payout and whatnot, but longer retentions are an invitation for more snooping by lawyers.  I'd also suggest that Google and other content providers need to reassert themselves -- for example, reviewing the sufficiency of complaints before responding to subpoenas.  Privacy and data usage disclosures are required from finance companies (banks, credit cards, insurance) -- but they're good policy across the board.

Furthermore, I applaud the role of the courts in this debate.  In my cases, I always felt that my John Doe complaints had to be bulletproof before I'd file and begin issuing subpoenas.  The RIAA is learning that lesson the hard way -- although courts don't (and realistically can't) review complaints before plaintiffs start firing off subpoenas, they will waste no time in slamming frivolous or badly-formed complaints.  I want the courts as a check on requests, even if it is after the fact. 

Requiring notice to a target isn't such a bad idea either, even in many criminal cases (assuming we still respect the notion of "innocent until proven guilty" buried within the Fifth and Sixth Amendments).   As for the national security trump card, prosecutors can still go through the FISA court (for international communications) or get a legitimate ex parte court order and supervision (for purely domestic situations).

And (tying it all back together) an explicit Constitutional amendment identifying and defending an individual's right to privacy can only bolster the provisions I've suggested above.

Judge DeMoss starts out predictably enough -- searching for the word "privacy" in the U.S. Constitution and not finding it.  He then makes a valiant effort to sidestep the Ninth Amendment (reserving unenumerated rights to the citizens) by arguing that the judicial recognition of unenumerated rights violates the Constitution.  In other words, people may have unenumerated rights but the courts can't recognize or protect them.  To the extent that "natural law" exists, this argument strikes me as a huge error in logic -- if the Ninth Amendment means anything, then the courts have to be able to protect the rights retained by the people despite the lack of enumeration. (A subsequent letter to the editor makes this point with somewhat more vitriol.)

In the end, however, I agree with Judge DeMoss that the best way to defend privacy is to create an affirmative right rather than relying on the unenumerated penumbras and emanations of the Ninth Amendment.  I would look to the more standard amendment process, despite the hurdles -- but Judge DeMoss advocates a direct national referendum. I don't believe that Congress would approve a national referendum this year -- there's no way the House wants to encourage turn-out at the polls when every seat is theoretically (and some truly are) in play -- but I can see movement that would turn the issue over to the states for ratification.  Anyway, if strict constructionists have begun advocating for change, then perhaps there's a hope for all of us.

Kinsley muddies the waters by trying to offer a general defense of the left, but I'll take a shot at redefining the main point -- unclear and indeterminate "ends" (how exactly does one wage a physical war against an abstract concept like "terror"?) certainly can't justify a set of "means" that involve trampling the fundamental compact between the people and their government. 

I'm not sure that my proposal goes far enough to protect against this kind of abuse, though the existence of clear Congressional instructions for this exceptional use of executive power is arguably enough.  What happens, however, when we learn that purely domestic communications have also been intercepted and scanned and evaluated?  Is the grand high poobah of law-and-economics, Richard Posner, right when he writes or chats that collection, compilation, and filtering of electronic communications is completely legit?  (Stay tuned for further discussions on that one...)