Depends on who you talk to.

In Blown to Bits, we talk about citizen vigilantism—people taking vengeance on people they see doing bad things, or just snapping pictures of crimes being committed, pictures that may help identify the culprits. The digital explosion has engendered a lot more of this, for both better and worse—we once did not all have cameras on us all the time.

Of course, a technology generation later, we all have not just still cameras, but audio recorders and video cameras too—in cell phones and even iPods. And people are whipping them out when they observe arrests being made, and are using the recordings to embarrass the the police, or to help in the defense of the party being arrested.

Except now, as the Boston Globe reports,  the police are increasingly fighting back, accusing those making the recordings of illegal surveillance, under wiretapping statutes. It’s a fascinating story. Some of the convictions are standing up in Massachusetts—the Supreme Judicial Court ruled in a split decision that the wiretapping statutes apply, unless the recording was made in a public manner. So people hiding the microphone in their sleeve or the camera in their coat may well be in trouble. Chief Justice Margaret Marshall was in the minority, opining

Citizens have a particularly important role to play when the official conduct at issue is that of the police. Their role cannot be performed if citizens must fear criminal reprisals when they seek to hold government officials responsible by recording, secretly recording on occasion, an interaction between a citizen and a police officer.

I don’t envy the police their job. Hell, I wouldn’t be happy if people were video-recording my  every movement while I was doing my job. But what the police are doing while making an arrest seems to me a public act by definition. In other situations (all those traffic-stop videos we see) the police themselves make sure everything is recorded these days. Can’t see why recording the police arresting someone in the public square wouldn’t fall within citizens’ rights.

Incredibly, the signals between the unmanned drones being used in Iraq and Afghanistan and their base stations are transmitted in the clear — unencrypted. The insurgents have figured that out and are watching the same scenes that our military is watching. The Wall Street Journal says the system has been “hacked,.” Not really — no more, as a colleague put it to me, than someone who buys a police scanner is “hacking” the police radio system.

Encrypting signals is easy, obvious, and taken for granted. How could the system have been designed and deployed without it?

Google has released a dashboard tool that makes it easy for you to review all the settings and preferences you’ve provided for the various Google products you use (Docs, YouTube, Gmail, etc.). The short video here shows you how to access it. (Basically, pull down the Settings menu in the top right of the Google home page, select Google Account Settings, and then select Dashboard and log in a second time.) It’s a bit sobering to see what you’ve told Google about yourself, and what documents of yours Google has, all in one place.

Of course, Google actually knows a lot more about you, or may, than what you’ve said in response to the various invitations it has given you to fill in forms. The Dashboard doesn’t reveal what Google may have concluded about you by retaining and analyzing your searches, for example. You can observe a lot by watching, as the great Yogi Berra said and Google knows better than anyone. The Dashboard gives you no information or control about the privacy threat from inferred data rather than explicit question answering.

For more, see the ComputerWorld article.

A year ago we blogged about the guidelines issued by Department of Homeland Security Director Michael Chertoff about laptop searches at the border. As I wrote at the time,

The Department of Homeland Security may take your laptop at the U.S. border and remove it to an off-site location for as long as it wants. Doesn’t matter if you are a U.S. citizen. There it may examine its contents and have any text it contains translated.

WITHOUT HAVING ANY REASON TO THINK YOU HAVE DONE ANYTHING WRONG.

I was far from the only person perturbed by this policy. It was rational in its way — they can search your suitcase, so why not your laptop? — and yet it was disturbing. Only in recent years have people routinely walked around with their entire life histories in readable format. Why should the government not be required to show probable cause before reading your love letters and personal photos from a decade ago? And then there was the fact that laptops of doctors and lawyers have lots of information about other people on them. Aren’t they entitled to some protection from the curiosity of border guards?

Now Janet Napolitano has issued new guidelines that tighten things up a bit. Here is the CNN story; here is the DHS press release, and here are the rules themselves (pdf, 10 pages).

In essence, DHS has put limits on how long the laptops can be held (5 days) and has guaranteed the person whose laptop is being inspected the right to be in the room at the time agents are inspecting the laptop (though not necessarily the privilege of watching what they are doing).  But left in place is the basic right of DHS to look at any laptop it wishes without having to provide any reason for doing so.

The release says only a tiny fraction of laptops have been inspected while the earlier policy was in place, which is nice, but no guarantee that an individual agent may not adopt a different standard.

Whole disk encryption, which is increasingly standard for business laptops, should be standard for private citizens taking their laptops on international trips. The policy document addresses this possibility too:

Officers may sometimes have technical difficulties in conducting the search of electronic devices such that technical assistance is needed to continue the border search. Also, in some cases Offtcers may encounter information in electronic devices that requires technical assistance to determine the meaning of such information, such as, for example, information that is in a foreign language andlor encrypted (including information that is password protected or otherwise not readily reviewable). In such situations, Officers may transmit electronic devices or copies of information contained therein to seek technical assistance from other federal agencies. Officers may seek such assistance with or without individualized suspicion.

So make your encryption key long enough so it can’t be cracked in five days. (My understanding of US court precedents is that the government can’t compel you to disclose your encryption key — though it may be able to obtain a warrant to search your home and your leather appointment book for the place you wrote it down.)

Altogether this new policy seems to me to leave too much to the discretion of the border officials. I recognize that we’d love to catch terrorists carrying blueprints of their targets, but I suspect that some of those searches are for bad pictures. If the number of laptops they want to search is so small, it should not be a big problem for them to get judicial approval before searching them.

‚Ķ the US State Department reports that US Immigration checks the Facebook pages of people seeking to enter the US, looking for signs of fraud. I’d love to know what other parts of the government look at Facebook for what other purposes.

That article has some other remarkable passages, about State Dept web browsers and the Sec’y of State on peanut butter.

Evgeny Morozov has a scary report at the NPR web site that should serve as a reminder of how hard it now is to keep our various personae separate when our social life is conducted online. I’ll quote, rather than paraphrase, what happened to an Iranian-American woman.

On passing through the immigration control at the airport in Tehran, she was asked by the officers if she has a Facebook account. When she said “no”, the officers pulled up a laptop and searched for her name on Facebook. They found her account and noted down the names of her Facebook friends.

Scary and creepy. But why, exactly? It’s not like the information was rummaged out of her personal papers or extracted by torture. Anyone who uses Facebook much knows that the list of your friends is usually public information. Hundreds of millions of people could have gotten the same information without the woman even being aware that it was happening. This poor woman probably felt that her Iranian identity was separate from her American identity. And the Iranian authorities, who surely have been frustrated by the Internet’s connecting capabilities, have figured out that there is another side to that coin.

Think about it. There is absolutely no reason to think that ANY government would not do the same thing. Nobody needs a search warrant to find out who your “friends” are — they just need your name. Any police officer or boarder guard anywhere in the world could do the same thing. So could any employer or prospective employer, college admissions officer, etc.

Unless, that is, you change Facebook’s default privacy settings. Go to Settings, and select Privacy Settings. On the page that comes up, look under Search Result Content. Uncheck “My Friend List.” There may be a few other boxes you’ll want to uncheck too. Don’t forget to click Save Changes.

The City of Bozeman, Montana is demanding that those applying for jobs supply passwords for their accounts with social networking sites such as Facebook and Myspace, apparently so the City can check out what kind of acquaintances they have. What about the guarantee in the Montana constitution, which states, “the right of individual privacy is essential to the well-being of a free society and shall not be infringed without the showing of a compelling state interest”? Well, says the City’s attorney, that has to be balanced against the need “to make sure the people that we hire have the highest moral character and are a good fit for the City.” Montana is a funny state, not as individualistic as the mythology of Western America might make you think. Nor are Facebook and Myspace as private as their terminology may lead users to expect. Still, I’m guessing the city won’t keep this practice up long — for one thing, “good fit” tests are easily abused, and for another, these sites typically have a term of service such as (to quote Facebook’s) “You will not share your password, let anyone else access your account, or do anything else that might jeopardize the security of your account.”

In Blown to Bits we spend all of Chapter 5 making the argument that (a) perfect secrecy is possible through public key encryption and (b) almost no one encrypts their email anyway. Why this would be the case is one of those small mysteries of the universe. Few of us actually know people who know that their email has been read, but most of the time we’d have no way to know that. If you are sitting in Starbucks and the guy with the double mocha latte is running a packet sniffer, you’d never know the difference.

Today’s New York Times has the kind of story that might lead more people to take the issue seriously. It seems likely that the NSA is snooping on more email than they’d like to admit. The simple fact that the cost of surveillance has plummeted in itself makes abuse more likely. (THe NSA doesn’t need to loiter at Starbucks. They can get access to ISPs’ switching equipment.)

If you use Google’s Gmail, you can encrypt all your mail. The preference setting is pretty obscure, and you have to opt-in: the default is no encryption. Chris Soghoian, I, and a number of other computer scientists and security experts have just called on Google to make encryption the default. Our letter explains it all: You can read it here.

The swine flu panic is going to be electronically mediated in a way no previous threat to public health has been. Flu information sites have sprung up in which news stories and data are being aggregated — the Flu Wiki Forum and Wikia’s Flu Wiki, which has a nice Google map mashup showing where the cases are.

The intrepid and slightly paranoid (I know he won’t mind my saying so) Chris Soghoian has another angle in his post on Swine Flu and the Threat to Privacy. Eight students from one New York City school are suspected of having contracted this strain of influenza while on a school trip to Mexico. If they were suspected terrorists, the government would by this time have gotten their cell phone carriers to turn over lists of all the people they had telephoned recently. It would be easy enough — yes, this is true — to ask the carriers to turn over lists of the names of all people with cell phones that had been within 100 feet of one of the students’ cell phones during their Mexico trip or thereafter. Now stored cell phone geolocation information isn’t that precise, so the data request would probably yield a lot of false positives — people in the same general area but not that close.

The information may well have been collected already. And that may well be exactly the right thing to do. After all, the first rule of epidemics is that controlling them becomes exponentially harder if they are allowed to spread; you don’t wait until they are severe before reacting. Do we know? If the data has been collected, do we have any confidence that it isn’t going to be repurposed, and that it will be discarded eventually?