22 June 2013

Truly, deeply, sincerely

One of the joys of teaching the inaugural intensive Privacy, Confidentiality Access Law unit at UC Law last week was being able to leverage the PRISM furore and Australia's Senate inquiry into the anaemic 'Data Alert' (better labelled 'Data Breach') Bill.

There's nothing like researching and teaching in a topical area. Today we have the announcement via the NY Times that "Facebook has inadvertently exposed six million users’ phone numbers and e-mail addresses to unauthorized viewers over the last year". Ouch.

The NYT reports that
Facebook blamed the data leaks, which began in 2012, on a technical flaw in its huge archive of contact information collected from its 1.1 billion users worldwide. As a result of the problem, Facebook users who downloaded contact data for their list of friends obtained additional information that they were not supposed to have.
Facebook’s security team was alerted to the problem last week and fixed it within 24 hours. But Facebook did not publicly acknowledge the flaw until Friday afternoon, when it published a message on its blog explaining the situation.
A Facebook spokesman said the delay was because of a company procedure stipulating that regulators and affected users be notified before making a public announcement.
“We currently have no evidence that this bug has been exploited maliciously, and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing,” Facebook said on its blog.
While the privacy breach was limited, “It’s still something we’re upset and embarrassed by, and we’ll work doubly hard to make sure nothing like this happens again,” it added.
The no doubt heartfelt commitment that the problem will never ever occur again is alas very formulaic, the same sort of flannel that we see time and time again.

Reuters meanwhile reports that "The Pentagon has granted many exceptions, possibly numbering in the thousands, to allow staff members who administer secure computer networks to use flash drives and other portable storage devices".
 The exceptions to policies barring the use of such devices could make it easier for rogue employees to remove sensitive documents. But officials say waivers go to people who update software and run helpdesk services for the Pentagon's vast computer network and are needed to run the system efficiently....
Storage devices have been a concern at the Defense Department since the 2008 Buckshot Yankee incident, in which a malicious software worm known as agent.btz was uploaded to military networks by a thumb drive.
Then-Deputy Secretary Bill Lynn declassified the incident in 2010 and U.S. Cyber Command, which was established in the wake of Buckshot Yankee, banned the devices.
About that same time, according to prosecutors, Private Bradley Manning, an Army intelligence analyst, copied thousands of documents onto CDs and a digital camera card and leaked them to the anti-secrecy website WikiLeaks. ...
While use of flash drives is largely barred, exceptions are granted to systems administrators who install software and manage helpdesk services for the department's millions of computers and nearly 600,000 mobile devices in some 15,000 networked groups.
Lieutenant Colonel Damien Pickart, a Pentagon spokesman, said the department was unable to specify how many exceptions had been given because authority is delegated to smaller units within the service and is not tracked at the department level.
Given the size of the system, it could be in the thousands, he said.
Do we - and should we - care about surveillance? 'The Dangers of Surveillance' by Neil M. Richards in (2013) 126 Harvard Law Review argues that
 From the Fourth Amendment to George Orwell’s Nineteen Eighty-Four, our culture is full of warnings about state scrutiny of our lives. These warnings are commonplace, but they are rarely very specific. Other than the vague threat of an Orwellian dystopia, as a society we don’t really know why surveillance is bad, and why we should be wary of it. To the extent the answer has something to do with “privacy,” we lack an understanding of what “privacy” means in this context, and why it matters. Developments in government and corporate practices have made this problem more urgent. Although we have laws that protect us against government surveillance, secret government programs cannot be challenged until they are discovered. And even when they are, courts frequently dismiss challenges to such programs for lack of standing, under the theory that mere surveillance creates no tangible harms, as the Supreme Court did recently in the case of Clapper v. Amnesty International. We need a better account of the dangers of surveillance. 
This article offers such an account. Drawing on law, history, literature, and the work of scholars in the emerging interdisciplinary field of “surveillance studies,” I explain what those harms are and why they matter. At the level of theory, I explain when surveillance is particularly dangerous, and when it is not. Surveillance is harmful because it can chill the exercise of our civil liberties, especially our intellectual privacy. It ialso gives the watcher power over the watched, creating the the risk of a variety of other harms, such as discrimination, coercion, and the threat of selective enforcement, where critics of the government can be prosecuted or blackmailed for wrongdoing unrelated to the purpose of the surveillance. 
At a practical level, I propose a set of four principles that should guide the future development of surveillance law, allowing for a more appropriate balance between the costs and benefits of government surveillance. First, we must recognize that surveillance transcends the public-private divide. Even if we are ultimately more concerned with government surveillance, any solution must grapple with the complex relationships between government and corporate watchers. Second, we must recognize that secret surveillance is illegitimate, and prohibit the creation of any domestic surveillance programs whose existence is secret. Third, we should recognize that total surveillance is illegitimate and reject the idea that it is acceptable for the government to record all Internet activity without authorization. Fourth, we must recognize that surveillance is harmful. Surveillance menaces intellectual privacy and increases the risk of blackmail, coercion, and discrimination; accordingly, we must recognize surveillance as a harm in constitutional standing doctrine.