On Monday, a joint Commons and Lords committee published a report urging Google and other sites to take proactive steps to monitor their search results in order to protect the privacy of certain individuals. As a result, a committee of Parliamentary members has begun pushing for legislation to force search engines and social networks to censor themselves. The committee, set up by the prime minister, arose out of increasing controversies and injunctions to protect people’s online image.
Committee chair John Whittingale stated, "It is clear that media self-regulation under the [Press Complaints Commission] did not work. We therefore wish to see a stronger self-regulatory system that is seen to be effective and commands the confidence of the public." Citing the high cost of legal action, the committee claims that self-regulation by companies would be the optimal way of dealing with claims of privacy violation.
There have been an increasing number of censorship cases in the UK. In February, members of the UK Parliament concluded in a report that the Internet plays a major role in the radicalization of terrorists and called on the government to pressure Internet Service Providers in Britain and abroad to censor online speech. On a more local level, a small district court in Swansea sentenced a university student to jail for 56 days after admitting to have posted racially offensive comments on Twitter about soccer player Fabrice Muamba who had collapsed from cardiac arrest during a game in March. The district judge, after calling the comments “vile and abhorrent,” told the student, "I have no choice but to impose an immediate custodial sentence to reflect the public outrage at what you have done.”
Censorship is most alarming when states use state security or supposed social appropriateness to justify their action. The fact of the matter is that speech is speech. When governments and their courts are left to decide what kind of speech is “good” or “bad” for society, there's an increased threat that those authorities will abuse their power to silence anyone in the name of the public good.
United Arab Emirates
United Arab Emirates authorities briefly detained Islamic scholar and political activist, Mohammed Abdel-Razzaq al-Siddiq, on Sunday for comments he made on Twitter. Mohammed was arrested for criticizing a sheik of one of the emirates (city-states). He was arrested Sunday at dawn and was released by the end of the day.
Earlier this month, blogger and activist Saleh AlDhufair was arrested for criticizing repressive actions by state authorities on his Twitter account and blog. He remains imprisoned and could face up to 5 years in prisons under new far-reaching cyber crime laws. Last summer, Emirati authorities imprisoned five activists, who were subsequently pardoned by the president in November.
Pakistani authorities shut down mobile phone networks for a day in one of the state’s four provinces of Balochistan. The day was March 23, a national day known as Pakistan Day celebrating the first adoption of the constitution and its status as the first Islamic republic. The southern province was struck with chaos as people began to report blocked communications throughout the region, justified in the name of “national security.” As one of the poorest regions in the country, Balochistan has had a long history of conflict with the Pakistani government due to an ongoing separatist movement that began with their refusal to accede to the state.
Such bans are gross violation of citizens’ consumer rights and Telcos should have put some pressure on the authorities to push back on such hegemonic decisions…We demand from the Government to uphold the fundamental rights of its citizens and stop playing the false alarms of “national security” to curb fundamental rights, especially freedom of expression, speech and opinion.
While the state undoubtedly has a responsibility to uphold its citizens’ free speech rights, companies providing the services also have a duty to respect its customer’s rights as well. Since the Pakistani Ministry of Information Technology backed out of its plans to subsidize a national filtering and blocking system, there is strong concern about the next steps the government will take to implement other forms of censorship of Internet and mobile communications.
A Bangladeshi court order from last week marks another recent incident of increased censorships efforts in the South Asian country. The court ordered the shutdown of five Facebook pages and a website for content deemed blasphemous against Islam, while demanding content hosts and creators to be brought to justice for “uploading indecent materials.” The most chilling aspect of the order is that the court expresses a desire to find ways of facilitating future blockage of website and pages.
Two university teachers initiated the takedowns when they filed a suit complaining about the pages and their supposed negative effects on “religious sentiments.” This latest move comes following Bengali authorities’ increased monitoring of Facebook for political expression. EFF will be monitoring future efforts in Bangladesh to block content online.
Facebook has been a popular place for Syrian Internet activists to share their opposition to the Assad regime ever since the site was unblocked by the Syrian government in early 2011. While some interpreted the Assad regime's decision to allow access to Facebook as a positive sign, others feared that the government had made Facebook available for the purpose of entrapping Syrian activists.
In the past month, EFF has reported on several instances of pro-Syrian-government hackers targeting Syrian Internet activists using malware spread through chats and emails, as well as updates downloaded from a fake YouTube site. Most recently, we've seen reports from Syrian opposition networking specialists of a phishing attack aimed at Syrian activists, spread primarily on pro-revolution forums on Facebook.
The screenshot below shows the phishing link accompanied by the following text in Arabic: Urgent and critical.. video leaked by security forces and thugs.. the revenge of Assad's thugs against the free men and women of Baba Amr in captivity and taking turns raping one of the women in captivity by Assad's dogs.. please spread this.
The screenshot below displays the link in a comment under a pro-revolution video. The phishing link is accompanied by the following text in Arabic: Urgent. The thug Sharif Shihada was arrested by the Free Army. Captured by Ahrar Al Qlamoun battalion... please spread the video of him denouncing the Syrian Regime... Allahu Akbar, victory to our revolution and Free Army.
The screenshot below shows the fake Facebook login page. Note the non-Facebook URL in the URL bar of the browser.
Facebook users should be especially cautious about clicking on links in the comment sections of pro-Syrian-revolution forums, especially if they are accompanied by this text. Facebook users should beware of fake pages that resemble the Facebook login page. Always check the URL bar at the top of your browser to make sure it reads https://www.facebook.com. When in doubt, type https://www.facebook.com manually to get to Facebook.
This attack steals usernames and passwords and could potentially give an attacker access to all of the private information in your Facebook account. Syrian Facebook users should also be cautious about clicking on links sent over Facebook by their friends, whose accounts may have been compromised.
EFF is deeply concerned to see targeted attacks on Syrian Internet activists increasing in number and using increasingly diverse methods. We will continue to keep a close eye on developments.
Last week, Forbes’ Andy Greenberg investigated a dangerous but largely underreported problem in Internet security: the sale of zero-day exploits to customers not intending to fix the flaws. Zero-day exploits are hacking techniques that take advantage of software vulnerabilities that haven’t been disclosed to the developer or the public. Some companies have built successful businesses by discovering security flaws in software such as operating systems and popular browsers like Google Chrome and Microsoft Internet Explorer, and then selling zero-day exploits to high-paying customers—which are often governments.
France-based VUPEN is one of the highest-profile firms trafficking in zero-day exploits. Earlier this month at the CanSecWest information security conference, VUPEN declined to participate in the Google-sponsored Pwnium hacking competition, where security researchers were awarded up to $60,000 if they could defeat the Chrome browser’s security and then explain to Google how they did it. Instead, VUPEN—sitting feet away from Google engineers running the competition—successfully compromised Chrome, but then refused to disclose their method to Google to help fix the flaw and make the browser safer for users.
“We wouldn’t share this with Google for even $1 million,” said VUPEN founder Chaouki Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.” VUPEN, which also “pwned” Microsoft’s Internet Explorer, bragged it had an exploit for “every major browser,” as well as Microsoft Word, Adobe Reader, and the Google Android and Apple iOS operating systems.
While VUPEN might be the most vocal, it is certainly not the only company selling high-tech weaponry on the zero-day exploit market. Established U.S. companies Netragard, Endgame, Northrop Grumman, and Raytheon are also in the business, according to Greenberg. He has also detailed a price list for various zero-day exploits, with attacks for popular browsers selling for well over $100,000 each and an exploit for Apple’s iOS going for a quarter million.
But who exactly are these companies selling to? No one seems to really know, at least among people not directly involved in these clandestine exploit dealings. VUPEN claims it only sells to NATO governments and “NATO partners.” The NATO partners list includes such Internet Freedom-loving countries as Belarus, Azerbaijan, Ukraine, and Russia. But it’s a safe bet, as even VUPEN’s founder noted, that the firm’s exploits “could still fall into the wrong hands” of any regime through re-selling or slip-ups, even if VUPEN is careful.
Regardless of who the buyers are, anysecurity researcher selling zero-day exploits to those who take advantage of vulnerabilities rather than fixing the software is responsible for making the Internet less secure for users. The existence of a marketplace for such transactions does not legitimize the practice, and security researchers should never turn a blind eye to their ethical responsibility to help improve technology. We should help ensure the Internet promotes freedom and safety, and is not a system to control and oppress.
The governments who buy zero-day exploits also bear responsibility here. The administration has repeatedly warned of a crippling cyber-attack to our infrastructure and Congress is in the midst of debating an expansive new "cybersecurity" bill that, as EFF previously explained, will likely invade users’ privacy in the name of promoting Internet security. Yet the sale and use of exploits that leave ordinary users of popular software vulnerable—a real cybersecurity threat—remains unmentioned in this cybersecurity debate.
The U.S. government has the ability to make us more secure right now with no new legislation. Anyone—including the U.S. government—who has knowledge of security vulnerabilities should notify the affected companies and help fix the problems. Keeping flaws under wraps makes millions of Internet users less safe. If exploits are used to conduct attacks on network infrastructure, either in other countries or the U.S., those who sell exploits could be complicit in such acts.
A good cybersecurity discussion would address this issue head-on. If the U.S. government is serious about securing the Internet, any bill, directive, or policy related to cybersecurity should work toward ensuring that vulnerabilities are fixed, and explicitly disallow any clandestine operations within the government that do not further this goal. Unfortunately, if these exploits are being bought by governments for offensive purposes, then there is pressure to selectively harden sensitive targets while keeping the attack secret from everyone else, leaving technology—and its users—vulnerable to attack.
UPDATE: A prior version of this post stated that in Andy Greenberg's story, a hacker named the Grugq "implies the only reason he doesn't sell to Middle Eastern countries is they don’t pay enough." In fact, the article said the Grugq "limits his sales to the American and European agencies and contractors not merely out of ethical concerns, but also because they pay more." We regret the error.
Issa Report Gives Federal Government C-minus on FOIA Processing
The US House Committee on Oversight and Government Reform, chaired by Darrell Issa (R-CA), released a report (pdf) that graded the federal government and its agencies on their ability to manage FOIA requests. We've documented extensively the lackoftransparency in the current administration, and, for advocates following the issue, there was no surprise that the Committee's report gave the federal government a C-minus. In addition to the government's C-minus grade overall, the Department of Justice (DOJ), the Department of Defense (DOD), and the Department of Homeland Security (DHS) each individually received D’s.
To conduct the report, Rep. Issa sought information about the FOIA tracking systems of 100 federal agencies. In particular, Rep. Issa requested an electronic, sortable copy of the agency’s FOIA processing “logs,” containing various information on requests and the agency’s processing of those requests. Many agencies produced incomplete logs, produced logs that tracked FOIA requests inconsistently, or couldn’t produce logs in a sortable electronic format at all. The report concluded with an ominous warning: "When agencies cannot even produce FOIA logs with basic information to Congress, it raises serious concerns about their ability to meet their legal obligations to FOIA requesters."
Administration Officials Defend Against FOIA Faults
After the release of the above-mentioned report, on March 21 a subcommittee of the US House Committee on Oversight and Government Reform held a hearing titled, "FOIA in the 21st Century: Using Technology to Improve Transparency in Government." The hearing focused on the creation of a central FOIA website for citizens to access unified FOIA instructions, but also saw witnesses defending their FOIA stats. Witnesses included administration officials from the Department of Justice, the National Archives, and the Environmental Protection Agency. Melanie Pustay, the Director of DOJ’s FOIA office, defended the government's transparency record stating that the government released records in part or in full in response to 93.1% of requests where records were located and processed for disclosure. However, releasing records, and releasing meaningful records, are often two distinct things. EFF frequently receives records that disclose virtually nothing about the topic or that have such substantial (and often arbitrary) redactions that the records are meaningless.
While the centralized FOIA website is a step in a more transparent direction, DOJ should start by concentrating on making meaningful responses to FOIA requests.
Push for Transparency in Bradley Manning Court-Martial
On Thursday, Michael Ratner, president of the Center for Constitutional Rights and the lawyer who represents Wikileaks and Julian Assange, called (pdf) on the military court in Bradley Manning's case to release documents relating to Manning's military trial. Ratner pointed to the presumption in military law of public court martials and the public’s compelling interest in access to the trial and court documents.
Ratner's letter follows a March 12 letter, (pdf) spearheaded by the Reporters Committee For Freedom of the Press and signed by more than 40 news organizations, to the General Counsel of the Department of Defense requesting DOD implement measures that will allow media organizations to review documents relating to the Manning case. The organizations asked DOD to immediately post all filings, decisions, and transcripts that don't require full classification online; to post those that do need classification review within 15 days; and to adopt other measures that will enhance the public’s access to Manning’s court-martial.
The U.S. legislature has cybersecurity on the brain. In the coming months, Congress and the Senate will consider a confusing variety of cybersecurity bills--including H.R. 3523 (Rogers), H.R. 3674 (Lungren), S. 2105 (Lieberman), and S. 215 (McCain)--all of which purport to keep U.S. companies and infrastructure safe from “cyberattacks." But as Congress continues to weigh this legislation and negotiate potential amendments, users should ask some serious questions about how these proposals will affect civil liberties, and tell Congress that we won't stand for cybersecurity bills that undermine our civil liberties. Here are four hard questions that Congressmembers should be asking about these bills--the answers to which the bills disagree on or dodge entirely.
Who will be in charge of cybersecurity?
The Rogers bill (H.R. 3523) proposes to put the military-intelligence community in charge of cybersecurity while the Lungren bill (H.R. 3674) keeps it under civilian control by putting it in the hands of the Department of Homeland Security. Given the National Security Agency’s history of secrecy and over-classification, military control of cybersecurity is a potentially disastrous outcome for those who are concerned with counter-balancing hysteria over “cyberwarfare” and “cybercrime” with respect for privacy and civil liberties. Civilian control over cybersecurity is essential if there is to be any degree of openness and transparency in U.S. cybersecurity policy.
Governmental cybersecurity programs must aim to achieve security through openness and the use of transparent, accountable processes. Governments have a special duty to their citizens to guard their privacy and civil liberties, as well as a duty to be accountable for their use of taxpayer dollars. Government programs are, by their very nature, not competing in a marketplace, where there are sometimes strong financial incentives for the clever use of secretive practices. Additionally, the sprawling nature of U.S. infrastructure decreases the likelihood of keeping secrets against adversaries and increases the potential benefits of constructive scrutiny from all corners. Simply put: open is better, and there is no way cybersecurity policy will be open under military control.
What exactly is a “cybersecurity threat?”
At this time, most of the proposed cybersecurity bills grant the government broad powers in the event of a “cybersecurity threat.” Unfortunately, we don’t know what that means. EFF has raised detailed concerns about the potential harm this vague language could do if the existing legislative proposals are passed into law. In brief, broad definitions potentially implicate tools and behaviors that security experts would NOT reasonably consider to be cybersecurity threat indicators. Just using a proxy or anonymizing service such as Tor, encryption to protect your data, or measuring your ISP’s network performance could all be construed as “cybersecurity threats” in some of these legislative proposals. People who take measures to protect their own privacy and security online in ways that EFF regularly recommends and supports could potentially be treated like criminals. And even under a more generous reading of the language, legitimate security research would be targeted and security researchers could find themselves under perpetual scrutiny as potential “cybercriminals.”
What does "information sharing" mean?
All of the proposed cybersecurity bills mandate some kind of “information sharing” or “government assistance” between the U.S. government and the private companies that have access to so much of our personal data, including email, web searches, GPS data, and our social graphs. Companies are encouraged to share information about “cyber threats” or incidents with the government, and to that end it provides them with immunity when sharing information about threats.
Some of the proposals balance this information-sharing with privacy oversight, to make sure that shared information does not impinge on individual privacy or civil liberties, but proposals such as the Rogers bill contain no such protective language. The Rogers bill gives companies a free pass to monitor and collect communications and share that data with the government and other companies, so long as they do so for “cybersecurity purposes.” Just invoking “cybersecurity threats” is enough to grant companies immunity from nearly all civil and criminal liability, effectively creating an exemption from all existing law. Additionally, the Rogers bill places almost no restrictions on what kinds of information can be collected and how it can be used, so long as the companies can claim it was motivated by “cybersecurity purposes.” S. 2105 (Lieberman) and S. 2151 (McCain) contain similarly dangerous provisions.
As if that wasn't bad enough, "information sharing" is often just a euphemism for surveillance and countermeasures, including monitoring email, filtering content, or blocking access to websites.
Will the cybersecurity bills improve our security or not?
Ideally, cybersecurity legislation would benefit U.S. citizens by protecting government systems and infrastructure in a manner that is open, accountable, transparent, and respectful of citizens’ privacy and civil liberties. Unfortunately, there are aspects of the proposed cybersecurity bills that lead us to believe the American people will not be coming out on top.
There is little doubt that the Internet could stand to be a safer place. Major operating systems have security vulnerabilities, as do plenty of other commercial off-the-shelf software. The Internet could use more encryption, more secure protocols, and better authentication schemes. But the cybersecurity bills don't do any of these things. Instead of creating incentives for better defensive Internet security, the proposed bills take an offensive posture: more monitoring, more surveillance, and more disclosure of your private information. Not only will the cybersecurity bills fail to make us safer, they will put users' privacy and security at risk.
Earlier today, the Federal Trade Commission (FTC) released its final report on digital consumer privacy issues after more than 450 companies, advocacy groups and individuals commented on the December 2010 draft report. The final report creates strong guidelines for protecting consumer privacy choices in the online world. The guidelines include supporting the Do Not Track browser header, advocating federal privacy legislation, and tackling the issue of online data brokers. We’re pleased by the flexible and user-centric nature of the privacy report, but we will continue to monitor how such principles are actually enacted.
Do Not Track & W3C
Echoing the support from the Obama Administration in its recent privacy white paper, the FTC praised the Do Not Track flag, which would provide an in-browser setting that users could use to tell companies that they do not want to be tracked around the web. While acknowledging the important steps media and advertising consortiums like the Digital Advertising Alliance have made toward better informing users about how behavioral advertising works, the FTC emphasized the World Wide Web Consortium’s (W3C) ongoing effort to craft meaningful standards to govern tracking in its multistakeholder process, which includes representatives from EFF. These meaningful standards will ensure that Do Not Track does not become a weakened "Do Not Target" standard. The Commission report stated: “The W3C group has made substantial progress toward a standard that is workable in the desktop and mobile settings, and has published two working drafts of its standard documents. The group’s goal is to complete a consensus standard in the coming months.”
The issue of Do Not Track versus Do Not Target is fundamental to online behavioral tracking. In a dissenting opinion, Commissioner J. Thomas Rosch raised questions about industry figures such as the Digital Advertising Alliance’s influence on W3C process: “It may be that the firms professing an interest in self-regulation are really talking about a “Do Not Target” mechanism, which would only prevent a firm from serving targeted ads, rather than a “Do Not Track” mechanism, which would prevent the collection of consumer data altogether.”
We share Commissioner Rosch’s concerns. EFF is working through the W3C process with the good faith belief that the consensus end-result will provide users with a meaningful form of protection from tracking, not just the display of targeted advertisements. By continuing to engage in this forum with both industry figures and other consumer advocates, EFF is committed to ensuring that a real Do Not Track mechanism is created and we’re sending representatives to Washington D.C. next month to fight for users and innovators in the next W3C meeting.
We were pleased that the FTC sang the praises of the HTTPS Everywhere Firefox Addon (developed by EFF and the Tor Project) as a mechanism to give users privacy and security when they browse the web. If you haven’t downloaded HTTPS Everywhere, you should do it now—it’s free in both senses of the word and we’ve even got a beta version available for Chrome.
Advocacy groups like the Privacy Rights Clearinghouse and the World Privacy Forum have done substantial work articulating the privacy concerns around data brokers. “Data brokers” is a loose term to describe a wide amalgamation of different companies who collect data on individuals through public, semi-public, and occasionally private sources in both the online and offline worlds and then repurpose this data for business purposes, such as selling data in bulk to large advertisers or creating websites that list individual profiles of individuals. As the FTC correctly noted, many consumers are unaware that these companies exist. As the Privacy Rights Clearinghouse explains on its site, companies in this largely unregulated industry may not offer users a way to opt out of having data included in broker lists, may charge fees to have data removed, and may repost data at a later date that was suppressed at a user’s request.
The FTC articulated the problems with data brokers and reaffirmed its support for legislation that would provide individuals with access to their personal data held by these companies. In addition, the FTC urged the data broker industry to create a central website that would explain the access rights and other options (e.g. opt out choices) available to consumers and links to exercising these choices. Notably, the Privacy Rights Clearinghouse has already gotten things started with its Online Data Vendors List.
We think this is a strong first step, but the FTC could easily have urged data brokers to provide a single website through which users can opt-out of having their data listedby any online data brokers. Right now, not all data brokers provide users with a method to opt-out of having their data personally display personal data listed. A user who wants her information removed from these sites has little legal weight to force companies to respect her choice. One exception to this is California’s recently passed Personal Information: Internet Disclosure Prohibition. Introduced by Senator Ellen Corbett, the law prohibits websites from intentionally posting the home addresses of individuals enrolled in California’s Safe at Home program (such as victims of stalking and domestic violence who enroll in the state-wide address protection program). Outside of this very narrow category of users, individuals have no right to have their data suppressed from publicly displayed data broker records.
In general, we’re pleased by the new privacy framework set forth by the Commission. We hope Congress, the Commerce Department, and industry figures will turn to it as they continue crafting policy around user data in coming years.
You might remember that late last year, Congress passed the America Invents Act, a largely toothless law that fails to address many of the biggest problems facing the patent system. In implementing that new law, the Patent and Trademark Office issued proposed guidelines for certain supplemental examination procedures. The PTO also recommended a huge increase in fees for filing certain patent reexaminations. As you might guess, this is a terrible idea.
It's vitally important that public interest groups like EFF and small entities who may lack substantial resources be able to participate in reexams at the PTO. Raising the fees for filing reexams to $17,750 (for filing alone!) promises to discourage that important third-party participation, which the Patent Office claims to care much about. Today, we filed comments with the Patent Office saying as much, and urging the Office to reconsider the fee increase – or at least carve out an exception for public interest groups and other small entities. The Patent Office should use this opportunity to encourage the type of participation in the reexam process that benefits inventors, users, and an agenda that promotes innovation.
On Thursday, U.S. Attorney General Eric Holder signed expansive new guidelines for terrorism analysts, allowing the National Counter Terrorism Center (NCTC) to mirror entire federal databases containing personal information and hold onto the information for an extended period of time—even if the person is not suspected of any involvement in terrorism. (Read the guidelines here).
Despite the “terrorism” justification, the new rules affect every single American. The agency now has free rein to, as the New York Times’ Charlie Savage put it, “retrieve, store and search information about Americans gathered by government agencies for purposes other than national security threats” and expands the amount of time the government can keep private information on innocent individuals by a factor of ten.
The guidelines will lengthen to five years — from 180 days — the amount of time the center can retain private information about Americans when there is no suspicion that they are tied to terrorism, intelligence officials said. The guidelines are also expected to result in the center making more copies of entire databases and “data mining them” using complex algorithms to search for patterns that could indicate a threat. (emphasis ours)
Journalist Marcy Wheeler summed the new guidelines up nicely saying, “So…the data the government keeps to track our travel, our taxes, our benefits, our identity? It just got transformed from bureaucratic data into national security intelligence.”
The administration claims that the changes in the rules for the NCTC—as well as for the Office of the Director of National Intelligence (DNI), which oversees the nation’s intelligence agencies—are in response to the government’s failure to connect the dots in the so-called “underwear bomber” case at the end of 2009, yet there was no explanation of how holding onto innocent Americans’ private data for five years would have stopped the bombing attempt.
Disturbingly, “oversight” for these expansive new guidelines is being directed by the DNI’s "Civil Liberties Protection Officer" Joel Alexander, who is so concerned about Americans’ privacy and civil liberties that he, as Marcy Wheeler notes, found no civil liberties concerns with the National Security Agency’s illegal warrantless wiretapping program when he reviewed it during President George W. Bush’s administration.
As other civil liberties organizations have noted, the new guidelines are reminiscent of the Orwellian-sounding “Total Information Awareness” program George Bush tried but failed to get through Congress in 2003—again in the name of defending the nation from terrorists. The program, as the New York Timesexplained, sparked an “outcry” and partially shut down Congress because it “proposed fusing vast archives of electronic records — like travel records, credit card transactions, phone calls and more — and searching for patterns of a hidden terrorist cell.”
The New York Timesreported, the new NCTC guidelines “are silent about the use of commercial data — like credit card and travel records — that may have been acquired by other agencies,” but information first obtained by private corporations has ended up in federal databases before. In one example, Wired Magazinefound FBI databases contained “200 million records transferred from private data brokers like ChoicePoint, 55,000 entries on customers of Wyndham hotels, and numerous other travel and commercial records.” The FBI would be one of the agencies sharing intelligence with the NCTC.
Despite Congress’ utter rejection of the “Total Information Awareness” program (TIA) in 2003, this is the second time this month the administration has been accused of instituting the program piecemeal. In his detailed report on the NSA’s new “data center” in Utah, Wired Magazine’s James Bamford remarked that the new data storage complex is “the realization” of the TIA program, as it’s expected to store and catalog “all forms of communication, including the complete contents of private emails, cell phone calls, and Google searches.”
Unfortunately, the new NCTC guidelines are yet another example of the government using the word “terrorism” to infringe on the rights of innocent Americans. Aside from the NSA’s aforementioned warrantless wiretapping program, we have seen the Patriot Act overwhelmingly used in criminal investigations not involving terrorism, despite its original stated purpose. As PBS Frontline’s Azmat Khan noted in response to the new guidelines, investigative journalist Dana Priest has previously reported how “many states have yet to use their vast and growing anti-terror apparatus to capture any terrorists; instead the government has built a massive database that collects, stores and analyzes information on thousands of U.S. citizens and residents, many of whom have not been accused of any wrongdoing.”
This problem has been well documented for years, yet Congress and both the Bush and Obama administrations have continued to use terrorism as a justification for expansive laws, and Americans’ constitutional rights have become collateral damage.