After a little hiatus, I’ve returned to this blog. Some real content is soon to come.

From RollingStone’s article about China’s “Golden Shield”:

In Shenzhen one night, I have dinner with a U.S. business consultant named Stephen Herrington. Before he started lecturing at Chinese business schools, teaching students concepts like brand management, Herrington was a military-intelligence officer, ascending to the rank of lieutenant colonel. What he is seeing in the Pearl River Delta, he tells me, is scaring the hell out of him — and not for what it means to China.”

I can guarantee you that there are people in the Bush administration who are studying the use of surveillance technologies being developed here and have at least skeletal plans to implement them at home,” he says. “We can already see it in New York with CCTV cameras. Once you have the cameras in place, you have the infrastructure for a powerful tracking system. I’m worried about what this will mean if the U.S. government goes totalitarian and starts employing these technologies more than they are already. I’m worried about the threat this poses to American democracy.”

Herrington pauses. “George W. Bush,” he adds, “would do what they are doing here in a heartbeat if he could.”

Fortunately, somebody actually cares that this kind of thing not be setup in the US. Unfortunately, this man cannot see that the US has already devolved into a totalitarian regime.

…or at least that’s what the International Tax Review is reporting in their May 6th, 2008 article that can be found here. I could not determine how true this is just from the article. The statements they link to don’t show anything but the VFSC’s main page when I click the link.

Article excerpts follow.

Australia’s investigation of tax evasion by individuals and businesses has forced the Pacific tax haven of Vanuatu to reverse its long standing policy of banking secrecy.

As part of the operation called Project Wickenby, a long-running multi-agency inquiry into the abuse of offshore financial centres, Australian Federal Police (AFP) officers arrested a senior accountant, Robert Agius, in Perth in Western Australia.

Following the arrest of Agius, the Vanuatu Financial Services Commission (VFSC), the jurisdiction’s regulator, said that it would overturn its policy of banking secrecy. A complete overhaul of Vanuatu’s legal structure related to companies would be introduced shortly and put into force by the end of the year. Australia’s tax commissioner Michael D’Ascenzo has previously identified Vanuatu as the chief target of the tax office.

The commissioner of the VFSC, George Andrews, said the regulator would, in future, penalise Vanuatu institutions which provided services allowing Australian citizens and companies to avoid domestic tax. All company and trust service providers will be licensed by the VFSC and any breaches of regulation could lead to revocation of an operating licence.

That is sad and too bad. Why they don’t just sign some treaties and make some agreements with Australia and maybe New Zealand in the future, I don’t know. That’s what they should do. Don’t just throw it all away! Say it ain’t so, Vanuatu!

It is funny how the article mentions that the bank accounts they busted were set up with Westpac and ANZ, because those two banks aren’t covered by Vanuatu’s banking secrecy legistlation. They are domestic banks and only the offshore banks are protected (bound by secrecy laws).

…and Other General Privacy-Friendly E-mail Tips

You can fight back very effectively whenever you’re filling out of those forms on the internet that want you to disclose your name and other information about yourself that you may feel is none of their business, and you know they don’t need it to provide you the service but you want their service. It’s easy too!

The first thing to remember, of course, is that you don’t have to give them real information in most cases. Now, this may be a violation of their Terms in some cases, but sometimes it is not and reality has it that it’s near impossible for them to verify your information. Most of the time, all they want your information for is marketing, and who wants junkmail? So you can just put in “Joe Blow” and “123 Main St.” and all that good stuff. If it’s on a corporate or government form, I usually claim I don’t have an e-mail address. That’s just one less piece of information they have on me. I suggest you do the same whenever possible.

Sometimes you need an e-mail address and you need your e-mail address to work so you can use the service. You have to be able to get e-mail from these people. There are various services that you can use instead of giving them your real e-mail address however.

The first and easiest option is to give them a “disposable” e-mail address. If you don’t mind others being able to read these e-mails, you can give any e-mail address with the following domain names after the @ symbol:

• Mailinator.com
• PookMail.com
• TemporaryInbox.com
• SlopsBox.com
• Dodgeit.com (Not available as of this writing)

Then just go to the corresponding website, put that address in and you can read any e-mail they sent you right there.

For example, you could just make up TheCrackFox123925091501@mailinator.com and put that in the form you are filling out to sign up for, say, BayWords.com. Then just go to www.mailinator.com and type TheCrackFox123925091501 into the login there and you can see and read any e-mail sent to that address lately. Nifty trick, eh? Just FYI, I prefer www.pookmail.com. Mailinator.com is blocked on some sites because it is becoming better known.

Next we have free, temporary e-mail forwarding to your real inbox. With this, you can type in a pre-arranged junk e-mail address and it will forward all that e-mail to your real e-mail address for a pre-defined amount of time. The services that you can setup a forwarding address with are the following:

• TrashMail.net
• MailExpire
• TemporaryForwarding.com
• EndJunk.com
• Walala.org
• FreeAutoBot

Many of these have the option of using some generic domain name too. For example, TemporaryForwarding.com will let you use mx0.wwwnew.eu, bodhi.lawlita.com or mail.htl22.at as the domain name of your new e-mail forwarding or temp address.

Those are pretty good techniques for limiting spam from the companies you sign up for services with.

While I’m on the topic, I suppose I’ll briefly go into sending anonymous e-mails. Sometimes I want to send anonymous e-mails, just “one-offs,” to various organizations or to myself for later retrieval but I don’t want to or can’t log into my webmail account. So here’s what I do…

I just go to one of the following sites and send a free, anonymized e-mail that doesn’t even require making an account. You can just type in the recipient and message and send away…

• MailFreeOnline
• SendAnonymousEmail.net
• Anonymouse Anonymous e-Mail (time delayed)

The last one there is an “Anonymous Remailer.”

Another similar method of info-sending can be had through:

• WillSelfDestruct

…although that’s a tad more complicated. That one will just send your e-mail recipient a password to get access to an encrypted webpage with your message on it.

That’s about it for now. Enjoy the links.

P.S. …and just a little nugget of fuzziness for your noggin: MySpace does not need your real e-mail address. I signed up once with something similar to not-an-e-mailaddy@not-an-e-mailaddy123.com (obviously not real), and I can still login to this day. No need for confirmation, but if they ever change that, you can use a temporary e-mail address.

Eliot Spitzer’s downfall raises a question: Is there a fail-safe way to pay for naughty things? (with inserted comments from the Privacy Oriented blogger)

FORBES / Nathan Vardi
March 2008 (in April 7th Edition of Forbes)

New York’s governor was felled not by “Kristen”–but by Osama bin Laden. Since Sept. 11 stronger anti-money laundering rules and new technology have made it tougher to hide dirty transactions of all sorts. As a result, the feds are just as likely to nab a high-profile john as they are a terrorist or drug dealer. “It’s very difficult to avoid creating a paper trail,” says Gregory Baldwin, a lawyer specializing in money laundering issues in Miami. “If you try too hard, you can trip a wire.” In other words, it’s easier to cheat on a spouse than to cheat the system. Here are five ways spenders try to cover their tracks.

1. Wires/Transfers.

If accusations in court filings and the rumors are true, Spitzer’s mistake was to wire funds to QAT, a front company used by the Emperors Club V.I.P. There was a time when money wiring (via, say, Western Union) was a good way to move dirty money undetected. But now such transfers, especially to suspicious entities, raise red flags. Both banks and money services are required to record wire transfers of $3,000 or more and take note of who received the money. That’s what helped nail Matthew Thompkins, a New Yorker who was sentenced last year to 23 years for operating a national underage prostitution ring. He moved a total of $850,000, in increments of less than $3,000 at a time, via U.S. Postal Service money orders and Western Union transfers. Financial institutions are required to keep an especially careful eye on so-called politically exposed persons, usually meaning foreign government officials. But many banks have decided to expand the definition to include U.S. politicians.

2. Credit cards. You’d think felons would know better, yet that’s partly how the feds collected evidence against Dennis Paris. Convicted of running a Hartford, Conn. sex-trafficking ring that used underage girls (including a 14-year-old), Paris has been fined $1.5 million and is facing life in prison. Court documents make these claims: Pretending to operate an escort service and using front companies with innocuous names, Paris walked around town with a mobile credit-card processor. His clients paid for prostitutes with Visa, MasterCard and Discover cards. Sex chits were processed by First Data Corp.

Discover Financial Services says it got wise to Paris–it won’t say how–and shut down his account within three months. Visa, MasterCard and First Data decline to comment. Neither First Data nor the card companies have been accused of wrongdoing.

The use of credit cards to pay for unsavory goods or services (especially, pornography) happens more than credit card companies admit. But these companies do have software designed to spot suspicious transactions, which must be reported to the feds. The industry shares a database to help identify illegal behavior, not only to help the government stop criminals but also to mitigate fraud losses, which run into billions. “Think algorithms and models and different software and Web crawlers,” says Christine Elliott, an American Express spokesperson. Despite the safeguards, however, Amex cards were used to purchase sex from the Emperors Club, according to the criminal complaint, apparently without triggering the criminal investigation.

3. Prepaid cards. “Spitzer should have used a stored-value card and put money on that,” says Gregory Calpakis, executive director of the Association of Certified Anti-Money Laundering Specialists in Miami. “It is almost an untraceable instrument.” Prepaid cards have become a big money laundering concern for the feds. American Express sells gift cards with denominations as high as $500 that can be purchased at retailers anonymously (that is, with cash) and without limit. The company points out that customers can’t bank with the card or use it outside the U.S. But other stored-value cards, often branded by Visa or MasterCard, can be accessed for cash via atms worldwide and reloaded with cash online or at checkout counters without a bank account or face-to-face identity verification. Law enforcers have seen drug dealers use these cards, and they fear that terrorists rely on them, too.

(Blogger comment: These types of pre-paid cards are getting harder and harder to come by.)

Sallie Wamsley-Saxon pleaded guilty in February to running a prostitution service in Charlotte, N.C., using prepaid cards from Green Dot Corp. to move cash, say court filings. Over a two-year period she took in fees from prostitutes (sometimes via her PayPal account) and transferred $120,501 to her Green Dot cards, each with a $2,500 maximum. She used the funds partly to pay for the hookers’ hotel rooms, according to court filings. “What we do is a reasonable measure to know the identity of each customer,” says John Ricci, general counsel for Green Dot, which apparently didn’t get wise to Wamsley-Saxon (someone tipped off the cops) but cooperated with the investigation.

(Blogger comment: Why would anyone use Green Dot cards? They require a Social Security Number!)

4. Digital currency. According to the Justice Department, between 1999 and 2005 child pornographers, hackers and identity thieves made use of e-gold, an online payment system in the Caribbean. Users provide an e-mail address to e-gold, then go to a currency exchange (like Cambist.net) to swap greenbacks, euros, yen and so forth for digital currency backed by gold; from there the customer is free to conduct anonymous transactions anywhere in the world. The feds indicted e-gold last year for money laundering and illegal money transmitting because it operated without an appropriate license. The company pleaded not guilty, and its lawyer, Andrew Ittleman, says e-gold fully complied with anti-money-laundering laws and did not need a license to operate.

(Blogger comment: Don’t use e-gold or Cambist.net - There are much better alternatives for both services. E-GOLD LTD, the Nevis company, is run out of Florida by Florida residents on servers located in Florida and is owned by a Delaware company with offices in Florida. Much better alternatives for holding digital gold or other currencies and keeping private are Pecunix or WebMoney or Liberty Reserve, and probably soon-to-be, e-grams. Likewise, Cambist.net has bad service and there are better alternatives.)

5. Cash. Unless you’re unlucky enough to get marked bills, cash is still very hard to trace, says Fred L. Abrams, a New York City asset-recovery lawyer. Client No. 9 (Kristen’s benefactor) eventually arrived at that insight, paying $4,300 in bills in his final dealings with the Emperors Club, says the complaint.

Deposits or withdrawals that total more than $10,000 within the same day automatically prompt a currency transaction report to the federal government. Smaller amounts will also be picked up by software monitors if they fit a suspicious pattern. Slicing up transactions to avoid detection–a.k.a. structuring–is illegal. Structuring and money laundering account for half the 600,000 suspicious activity reports banks now file with the feds annually, compared with 162,720 sars at the start of the decade. (In a bizarre case, Riggs Bank, the Wall Street Journal reported, filed sars on former U.S. Senator Bob Dole, after regular withdrawals of up to $8,000 in 2004; no wrongdoing was ever alleged.)

So what’s the safe way to get a wad of cash out of the bank? Take it in small and regular doses. Withdrawing $1,200 every week for a high earner is probably not going to trigger an alarm, says Clemente Vazquez-Bello, a lawyer in Miami who advises banks on anti-money-laundering regulations. And if it does, have a good explanation ready. You’re within your rights to be a big spender at restaurants and flea markets where credit cards are not accepted.

Have a good explanation for taking cash out of my bank account? OK, I’ve got one: It’s my money and it’s none of your damn business what I’m doing with it! Moreover, I’m perfectly within my rights to withdraw every damn dime of my money from my bank account, in cash, at any time, with no explanation. I have a right to spend all the money I own any way and anywhere I please.

Could it be that the US telecom company, Verizon, archives all the old greetings and messages that go on clients’ voicemail boxes? I’d not be surprised if all the phone companies with the capabilities did this. An even more interesting question is, “if I delete a voicemail, is it still archived?”

From the Associated Press, via a March 19th FoxNews.com article, comes the feel-good story about an old man’s stolen memories that were restored by the venerable, neighborly phone company:

Lost Voicemail of Man’s Dead Wife Restored by Phone Company

IRVINGTON, N.Y. — An 80-year-old man who thought he’d lost the only recording of his dead wife’s voice can hear her again, any time he wants. When Verizon upgraded Charles Whiting’s telephone service, his wife’s voice, saying, “Catherine Whiting,” disappeared from his voicemail system.

She had died in 2005 and Whiting said he listened to her voice every day for comfort. He blamed Verizon for the loss, saying, “Now they took her voice away.”

But Verizon had archived all the old greetings and messages. Company spokesman John Bonomo said Tuesday that a contractor found the recording and restored it to the new voicemail system.

“I’m glad they rescued it,” Whiting said. “I’m very happy.”

Pity America’s poor civil libertarians. In recent weeks, the papers have been full of stories about the warehousing of information on Americans by the National Security Agency, the interception of financial information by the CIA, the stripping of authority from a civilian intelligence oversight board by the White House, and the compilation of suspicious activity reports from banks by the Treasury Department. On Thursday, Justice Department Inspector General Glenn Fine released a report documenting continuing misuse of Patriot Act powers by the FBI. And to judge from the reaction in the country, nobody cares.

A quick tally of the record of civil liberties erosion in the United States since 9/11 suggests that the majority of Americans are ready to trade diminished privacy, and protection from search and seizure, in exchange for the promise of increased protection of their physical security. Polling consistently supports that conclusion, and Congress has largely behaved accordingly, granting increased leeway to law enforcement and the intelligence community to spy and collect data on Americans. Even when the White House, the FBI or the intelligence agencies have acted outside of laws protecting those rights — such as the Foreign Intelligence Surveillance Act — the public has by and large shrugged and, through their elected representatives, suggested changing the laws to accommodate activities that may be in breach of them.

Civil libertarians are in a state of despair. “People don’t realize how damaging it is to a democratic society to allow the government to warehouse information about innocent Americans,” says Mike German, national security counsel at the American Civil Liberties Union.

Or do they? In all the examples of diminished civil liberties, there are few, if any, where the motivating factor was something other than law and order or national security. There are no scandalous examples of the White House using the Patriot Act powers for political purposes or of individual agents using them for personal gain. The Justice IG report released Thursday, for example, examined some 50,000 National Security Letters issued in 2006 to see whether the FBI misused that specialized kind of warrantless subpoena. The IG found some continuing abuse of the power, but blamed it for the most part on sloppiness and bad management, not nefarious intent. In a press release accompanying the report, Fine said, “The FBI and Department of Justice have shown a commitment to addressing these problems.”

There may, nonetheless, be reasons to feel wary of the civil liberties vs. security trade-off into which Americans have bought. If the misuse documented in the Justice IG report stems from incompetence, Americans may not be getting the security they bargain for in sacrificing their civil liberties. It’s also possible the Justice IG may yet find among the abused Patriot Act powers examples of an FBI agent stalking his girlfriend or doing a favor for a political operative friend. Fine is still preparing a report on the illegal use of “exigent letters” in unauthorized demands for records from business.

For now, however, civil libertarians will have to continue to argue that the danger lies not in how the government’s expanded powers are being used now, but how they might be used in the future. “The government can collect information about the average citizen without any concern for their rights, but the citizen can’t find out what the government is doing, and that’s inimical to government of we the people,” says the ACLU’s German. So far, that argument hasn’t convinced the people.

Terror Fight Blurs Line Over Domain; Tracking Email

WASHINGTON, D.C. — Five years ago, Congress killed an experimental Pentagon antiterrorism program meant to vacuum up electronic data about people in the U.S. to search for suspicious patterns. Opponents called it too broad an intrusion on Americans’ privacy, even after the Sept. 11 terrorist attacks.

But the data-sifting effort didn’t disappear. The National Security Agency, once confined to foreign surveillance, has been building essentially the same system.

The central role the NSA has come to occupy in domestic intelligence gathering has never been publicly disclosed. But an inquiry reveals that its efforts have evolved to reach more broadly into data about people’s communications, travel and finances in the U.S. than the domestic surveillance programs brought to light since the 2001 terrorist attacks.

Congress now is hotly debating domestic spying powers under the main law governing U.S. surveillance aimed at foreign threats. An expansion of those powers expired last month and awaits renewal, which could be voted on in the House of Representatives this week. The biggest point of contention over the law, the Foreign Intelligence Surveillance Act, is whether telecommunications and other companies should be made immune from liability for assisting government surveillance.

Largely missing from the public discussion is the role of the highly secretive NSA in analyzing that data, collected through little-known arrangements that can blur the lines between domestic and foreign intelligence gathering. Supporters say the NSA is serving as a key bulwark against foreign terrorists and that it would be reckless to constrain the agency’s mission. The NSA says it is scrupulously following all applicable laws and that it keeps Congress fully informed of its activities.

According to current and former intelligence officials, the spy agency now monitors huge volumes of records of domestic emails and Internet searches as well as bank transfers, credit-card transactions, travel and telephone records. The NSA receives this so-called “transactional” data from other agencies or private companies, and its sophisticated software programs analyze the various transactions for suspicious patterns. Then they spit out leads to be explored by counterterrorism programs across the U.S. government, such as the NSA’s own Terrorist Surveillance Program, formed to intercept phone calls and emails between the U.S. and overseas without a judge’s approval when a link to al Qaeda is suspected.

The NSA’s enterprise involves a cluster of powerful intelligence-gathering programs, all of which sparked civil-liberties complaints when they came to light. They include a Federal Bureau of Investigation program to track telecommunications data once known as Carnivore, now called the Digital Collection System, and a U.S. arrangement with the world’s main international banking clearinghouse to track money movements.

The effort also ties into data from an ad-hoc collection of so-called “black programs” whose existence is undisclosed, the current and former officials say. Many of the programs in various agencies began years before the 9/11 attacks but have since been given greater reach. Among them, current and former intelligence officials say, is a longstanding Treasury Department program to collect individual financial data including wire transfers and credit-card transactions.

It isn’t clear how many of the different kinds of data are combined and analyzed together in one database by the NSA. An intelligence official said the agency’s work links to about a dozen antiterror programs in all.

A number of NSA employees have expressed concerns that the agency may be overstepping its authority by veering into domestic surveillance. And the constitutional question of whether the government can examine such a large array of information without violating an individual’s reasonable expectation of privacy “has never really been resolved,” said Suzanne Spaulding, a national-security lawyer who has worked for both parties on Capitol Hill.

NSA officials say the agency’s own investigations remain focused only on foreign threats, but it’s increasingly difficult to distinguish between domestic and international communications in a digital era, so they need to sweep up more information.

The Fourth Amendment

In response to the Sept. 11 attacks, then NSA-chief Gen. Michael Hayden has said he used his authority to expand the NSA’s capabilities under a 1981 executive order governing the agency. Another presidential order issued shortly after the attacks, the text of which is classified, opened the door for the NSA to incorporate more domestic data in its searches, one senior intelligence official said.

The NSA “strictly follows laws and regulations designed to preserve every American’s privacy rights under the Fourth Amendment to the U.S. Constitution,” agency spokeswoman Judith Emmel said in a statement, referring to the protection against unreasonable searches and seizures. The Office of the Director of National Intelligence, which oversees the NSA in conjunction with the Pentagon, added in a statement that intelligence agencies operate “within an extensive legal and policy framework” and inform Congress of their activities “as required by the law.” It pointed out that the 9/11 Commission recommended in 2004 that intelligence agencies analyze “all relevant sources of information” and share their databases.

Two former officials familiar with the data-sifting efforts said they work by starting with some sort of lead, like a phone number or Internet address. In partnership with the FBI, the systems then can track all domestic and foreign transactions of people associated with that item — and then the people who associated with them, and so on, casting a gradually wider net. An intelligence official described more of a rapid-response effect: If a person suspected of terrorist connections is believed to be in a U.S. city — for instance, Detroit, a community with a high concentration of Muslim Americans — the government’s spy systems may be directed to collect and analyze all electronic communications into and out of the city.

The haul can include records of phone calls, email headers and destinations, data on financial transactions and records of Internet browsing. The system also would collect information about other people, including those in the U.S., who communicated with people in Detroit.

The information doesn’t generally include the contents of conversations or emails. But it can give such transactional information as a cellphone’s location, whom a person is calling, and what Web sites he or she is visiting. For an email, the data haul can include the identities of the sender and recipient and the subject line, but not the content of the message.

Intelligence agencies have used administrative subpoenas issued by the FBI — which don’t need a judge’s signature — to collect and analyze such data, current and former intelligence officials said. If that data provided “reasonable suspicion” that a person, whether foreign or from the U.S., was linked to al Qaeda, intelligence officers could eavesdrop under the NSA’s Terrorist Surveillance Program.

The White House wants to give companies that assist government surveillance immunity from lawsuits alleging an invasion of privacy, but Democrats in Congress have been blocking it. The Terrorist Surveillance Program has spurred 38 lawsuits against companies. Current and former intelligence officials say telecom companies’ concern comes chiefly because they are giving the government unlimited access to a copy of the flow of communications, through a network of switches at U.S. telecommunications hubs that duplicate all the data running through it. It isn’t clear whether the government or telecom companies control the switches, but companies process some of the data for the NSA, the current and former officials say.

On Friday, the House Energy and Commerce Committee released a letter warning colleagues to look more deeply into how telecommunications data are being accessed, citing an allegation by the head of a New York-based computer security firm that a wireless carrier that hired him was giving unfettered access to data to an entity called “Quantico Circuit.” Quantico is a Marine base that houses the FBI Academy; senior FBI official Anthony DiClemente said the bureau “does not have ‘unfettered access’ to any communication provider’s network.”

The political debate over the telecom information comes as intelligence agencies seek to change traditional definitions of how to balance privacy rights against investigative needs. Donald Kerr, the deputy director of national intelligence, told a conference of intelligence officials in October that the government needs new rules. Since many people routinely post details of their lives on social-networking sites such as MySpace, he said, their identity shouldn’t need the same protection as in the past. Instead, only their “essential privacy,” or “what they would wish to protect about their lives and affairs,” should be veiled, he said, without providing examples.

Social-Network Analysis

The NSA uses its own high-powered version of social-network analysis to search for possible new patterns and links to terrorism. The Pentagon’s experimental Total Information Awareness program, later renamed Terrorism Information Awareness, was an early research effort on the same concept, designed to bring together and analyze as much and as many varied kinds of data as possible. Congress eliminated funding for the program in 2003 before it began operating. But it permitted some of the research to continue and TIA technology to be used for foreign surveillance.

Some of it was shifted to the NSA — which also is funded by the Pentagon — and put in the so-called black budget, where it would receive less scrutiny and bolster other data-sifting efforts, current and former intelligence officials said. “When it got taken apart, it didn’t get thrown away,” says a former top government official familiar with the TIA program.

Two current officials also said the NSA’s current combination of programs now largely mirrors the former TIA project. But the NSA offers less privacy protection. TIA developers researched ways to limit the use of the system for broad searches of individuals’ data, such as requiring intelligence officers to get leads from other sources first. The NSA effort lacks those controls, as well as controls that it developed in the 1990s for an earlier data-sweeping attempt.

Sen. Ron Wyden, an Oregon Democrat and member of the Senate Intelligence Committee who led the charge to kill TIA, says “the administration is trying to bring as much of the philosophy of operation Total Information Awareness as it can into the programs they’re using today.” The issue has been overshadowed by the fight over telecoms’ immunity, he said. “There’s not been as much discussion in the Congress as there ought to be.”

Opportunity for Debate

But Sen. Kit Bond of Missouri, the ranking Republican on the committee, said by email his committee colleagues have had “ample opportunity for debate” behind closed doors and that each intelligence program has specific legal authorization and oversight. He cautioned against seeing a group of intelligence programs as “a mythical ‘big brother’ program,” adding, “that’s not what is happening today.”

The legality of data-sweeping relies largely on the government’s interpretation of a 1979 Supreme Court ruling allowing records of phone calls — but not actual conversations — to be collected without a judge issuing a warrant. Multiple laws require a court order for so-called “transactional’” records of electronic communications, but the 2001 Patriot Act lowered the standard for such an order in some cases, and in others made records accessible using FBI administrative subpoenas called “national security letters.” (Read the ruling.)

A debate is brewing among legal and technology scholars over whether there should be privacy protections when a wide variety of transactional data are brought together to paint what is essentially a profile of an individual’s behavior. “You know everything I’m doing, you know what happened, and you haven’t listened to any of the contents” of the communications, said Susan Landau, co-author of a book on electronic privacy and a senior engineer at Sun Microsystems Laboratories. “Transactional information is remarkably revelatory.”

Ms. Spaulding, the national-security lawyer, said it’s “extremely questionable” to assume Americans don’t have a reasonable expectation of privacy for data such as the subject-header of an email or a Web address from an Internet search, because those are more like the content of a communication than a phone number. “These are questions that require discussion and debate,” she said. “This is one of the problems with doing it all in secret.”

Gen. Hayden, the former NSA chief and now Central Intelligence Agency director, in January 2006 publicly defended the activities of the Terrorist Surveillance Program after it was disclosed by the New York Times. He said it was “not a driftnet over Lackawanna or Fremont or Dearborn, grabbing all communications and then sifting them out.” Rather, he said, it was carefully targeted at terrorists. However, some intelligence officials now say the broader NSA effort amounts to a driftnet. A portion of the activity, the NSA’s access to domestic phone records, was disclosed by a USA Today article in 2006.

The NSA, which President Truman created in 1952 through a classified presidential order to be America’s ears abroad, has for decades been the country’s largest and most secretive intelligence agency. The order confined NSA spying to “foreign governments,” and during the Cold War the NSA developed a reputation as the world’s premier code-breaking operation. But in the 1970s, the NSA and other intelligence agencies were found to be using their spy tools to monitor Americans for political purposes. That led to the original FISA legislation in 1978, which included an explicit ban on the NSA eavesdropping in the U.S. without a warrant.

Big advances in telecommunications and database technology led to unprecedented data-collection efforts in the 1990s. One was the FBI’s Carnivore program, which raised fears when it was in disclosed in 2000 that it might collect telecommunications information about law-abiding individuals. But the ground shifted after 9/11. Requests for analysis of any data that might hint at terrorist activity flooded from the White House and other agencies into NSA’s Fort Meade, Md., headquarters outside Washington, D.C., one former NSA official recalls. At the time, “We’re scrambling, trying to find any piece of data we can to find the answers,” the official said.

The 2002 congressional inquiry into the 9/11 attacks criticized the NSA for holding back information, which NSA officials said they were doing to protect the privacy of U.S. citizens. “NSA did not want to be perceived as targeting individuals in the United States” and considered such surveillance the FBI’s job, the inquiry concluded.

FBI-NSA Projects

The NSA quietly redefined its role. Joint FBI-NSA projects “expanded exponentially,” said Jack Cloonan, a longtime FBI veteran who investigated al Qaeda. He pointed to national-security letter requests: They rose from 8,500 in 2000 to 47,000 in 2005, according to a Justice Department inspector general’s report last year. It also said the letters permitted the potentially illegal collection of thousands of records of people in the U.S. from 2003-05. Last Wednesday, FBI Director Robert Mueller said the bureau had found additional instances in 2006.

It isn’t known how many Americans’ data have been swept into the NSA’s systems. The Treasury, for instance, built its database “to look at all the world’s financial transactions” and gave the NSA access to it about 15 years ago, said a former NSA official. The data include domestic and international money flows between bank accounts and credit-card information, according to current and former intelligence officials.

The NSA receives from Treasury weekly batches of this data and adds it to a database at its headquarters. Prior to 9/11, the database was used to pursue specific leads, but afterward, the effort was expanded to hunt for suspicious patterns.

Through the Treasury, the NSA also can access the database of the Society for Worldwide Interbank Financial Telecommunication, or Swift, the Belgium-based clearinghouse for records of international transactions between financial institutions, current and former officials said. The U.S. acknowledged in 2006 that the CIA and Treasury had access to Swift’s database, but said the NSA’s Terrorism Surveillance Program was separate and that the NSA provided only “technical assistance.” A Treasury spokesman said the agency had no comment.

Through the Department of Homeland Security, airline passenger data also are accessed and analyzed for suspicious patterns, such as five unrelated people who repeatedly fly together, current and former intelligence officials said. Homeland Security shares information with other agencies only “on a limited basis,” spokesman Russ Knocke said.

NSA gets access to the flow of data from telecommunications switches through the FBI, according to current and former officials. It also has a partnership with FBI’s Digital Collection system, providing access to Internet providers and other companies. The existence of a shadow hub to copy information about AT&T Corp. telecommunications in San Francisco is alleged in a lawsuit against AT&T filed by the civil-liberties group Electronic Frontier Foundation, based on documents provided by a former AT&T official. In that lawsuit, a former technology adviser to the Federal Communications Commission says in a sworn declaration that there could be 15 to 20 such operations around the country. Current and former intelligence officials confirmed a domestic network of hubs, but didn’t know the number. “As a matter of policy and law, we can not discuss matters that are classified,” said FBI spokesman John Miller.

The budget for the NSA’s data-sifting effort is classified, but one official estimated it surpasses $1 billion. The FBI is requesting to nearly double the budget for the Digital Collection System in 2009, compared with last year, requesting $42 million. “Not only do demands for information continue to increase, but also the requirement to facilitate information sharing does,” says a budget justification document, noting an “expansion of electronic surveillance activity in frequency, sophistication, and linguistic needs.”

New-ish privacy threats have emerged, however unlikely, and this includes a threat to your encrypted information. From Popular Mechanics’ April ‘08 Issue:

“Individuals, companies and federal agencies could all be at risk from foreign governments or criminal enterprises. A computer chip built with a subtle error might allow an identity-theft ring to hack past the encryption used to connect customers with their banks. Flash memory hidden inside a corporation’s networked printers could save an image file of every document it printed, then send out the information.”

The entire article is reprinted below, for archiving’s sake:

This past January, two brothers from Texas, Michael and Robert Edman, appeared in court to face federal charges of selling counterfeit computer equipment to, among others, the Air Force, Marine Corps, Federal Aviation Administration, Department of Energy, numerous universities and defense contractors such as Lockheed Martin. According to prosecutors, the pair, working largely out of Michael Edman’s house in the rural town of Richmond, bought cheap network cards from a supplier in China. They also purchased labels and boxes carrying the logo of Cisco Systems, the U.S.-based hardware giant. Until a source in China tipped off the FBI, no one could tell that the parts were Cisco knockoffs rather than the real thing.

An attorney for the Edmans says that they, too, were victims—duped by overseas suppliers. But one thing is clear: The case is about a lot more than trademark infringement. Security experts warn that as supply chains become more global and more opaque, no one can be sure what parts are going into the computers that run, well, everything—from air traffic control towers to banks to weapons systems. Secretary of Homeland Security Michael Chertoff raised the issue recently at a briefing attended by Popular Mechanics and others. “Increasingly when you buy computers they have components that originate … all around the world,” he said. “We need to look at … how we assure that people are not embedding in very small components … that can be triggered remotely.”

Software vulnerabilities and online scams receive plenty of public attention. Viruses, Trojan horses, spyware, phishing schemes that trick people into providing financial data—all have made headlines in recent years. The emerging hardware threat is different. Imagine buying a computer, printer, monitor, router or other device in which malevolent instructions, or at least security loopholes, are etched permanently into the silicon.

Individuals, companies and federal agencies could all be at risk from foreign governments or criminal enterprises. A computer chip built with a subtle error might allow an identity-theft ring to hack past the encryption used to connect customers with their banks. Flash memory hidden inside a corporation’s networked printers could save an image file of every document it printed, then send out the information. In a disturbing national-security scenario, overseas agents might be able to hard-wire instructions to bring down a Department of Defense system on a predetermined date or in response to an external trigger. In the time it took to bring the systems back online, a military assault could be underway.

Shadowy Threat

When a software problem is detected, thousands or millions of computers can be fixed within hours with a software patch. Discover a malevolent hardware component, however, and machines need to be fixed one by one by one. On a large network it could take months—if the problem were detected at all.

“There are a whole bunch of functions inside each chip that you have no direct access to,” says Stephen Kent, chief information security scientist for BBN Technologies and a member of the Intelligence Science Board, which advises U.S. intelligence agencies. “We passed the point a long time ago when you could combinatorially test all the possible inputs for a complex chip. If somebody hid a function that, given the right inputs, could cause the chip to do something surprising, it’s not clear how you could test for that.”

Such tampering wouldn’t have to occur in a factory where computer components were built. In fact, repair businesses and subcontractors may pose a greater danger. “A skilled and capable adversary could replace a chip on a circuit board with a very similar one,” says John Pironti, a security expert for information technology consulting firm Getronics. “But this chip would have malicious instructions added to the programming.” The strategy wouldn’t be practical for running a broad identity-theft operation, but it might allow spies to focus an attack on a valuable corporate or government target—gaining access to equipment, then doctoring it with hidden functions.

However, not all experts agree that the risk is severe. After all, there’s never been a report of a foreign country or criminal outfit using such technology to steal information or commit sabotage. (The United States did successfully conduct such a mission against the Soviet Union during the Cold War.)

“It’s certainly possible for the world’s major espionage services to secretly plant vulnerabilities in our microprocessors, but the threat is overblown,” says Bruce Schneier, chief technology officer of the data security company BT Counterpane. “Why would anyone go through the effort and take the risk, when there are thousands of vulnerabilities in our computers, networks and operating systems waiting to be discovered with only a few hours’ work?”

The National Security Agency and Defense Department aren’t convinced. There’s no way to know if they are reacting to an imminent danger or simply swinging at shadows, but security professionals are scrambling to guard their electronics supply chains.

Building Chips in China

In September 2007, Intel broke ground on “Fab 68,” a silicon-wafer fabricating plant in Dalian, China. The plant is Intel’s first chip manufacturing facility in China, but the company already operates facilities for testing, as well as research and development, all over the world, from India to Costa Rica to Russia. Rival AMD is planning to build a fab in India. Several other American chipmakers, including Applied Materials and National Semiconductor, have facilities in China. In all, less than 25 percent of the world’s chipmaking capacity is still located within the United States.

The companies that move offshore are trying to stay competitive in commercial markets. As a side effect of globalization, however, the Defense Department is finding itself with fewer domestic sources of the specialized chips—often outdated by Best Buy standards—that help run weapons platforms that range from advanced aircraft to missile guidance systems. These are the electronic components that might pose the most inviting target for a foreign power.

The NSA is trying to counter the threat with a program called Trusted Foundry Access that accredits companies that supply specialized electronics to government agencies. Ten companies have joined the program since 2004—the inaugural deal, with IBM, cost the government a reported $600 million. To participate, manufacturers need to take measures such as obtaining security clearances for staff members and quarantining computer design tools from the Internet. Further, “The facilities must be on-shore or in a closely allied country,” says a Defense Department official involved with the program.

One potential flaw in the program is that it covers “just a slice of the life cycle,” says Jim Gosler, a Sandia National Laboratories researcher who has spent time probing U.S. electronics systems to identify vulnerabilities. “You have to make sure the component stays trusted—they get out and about” once the equipment leaves the factory and goes into service.

More critically, even well-funded initiatives can’t permanently withstand the forces pushing microchip production offshore. Ultimately, trying too hard to isolate American chip-making might simply help foreign-owned chip manufacturers challenge U.S. dominance in the field. “It’s a pretty hairy situation to look out 10 or 15 years and have to ask, ‘Where are we going to get our technology?’” the Defense official says.

DARPA, the Defense Advanced Research Projects Agency, does have another plan. Through a new initiative called Trust in ICs (microchips are also called integrated circuits or ICs), the agency has contracted with Raytheon, MIT, Johns Hopkins University and others to find ways to protect chips from tampering and to detect vulnerabilities if they do occur.

Ultimately, though, chips may be too complex to secure completely. “Even if you found something, you could never be confident you found everything,” Gosler says. “That’s the awful nature of this business.”