Saturday, May 28, 2011

Saturday 05-28-11

There’s a Secret Patriot Act, Senator Says

You may think you understand how the Patriot Act allows the government to spy on its citizens. Sen. Ron Wyden (D-Oregon) says it’s worse than you’ve heard.

Congress is set to reauthorize three controversial provisions of the surveillance law as early as Thursday. But Wyden says that what Congress will renew is a mere fig leaf for a far broader legal interpretation of the Patriot Act that the government keeps to itself — entirely in secret. Worse, there are hints that the government uses this secret interpretation to gather what one Patriot-watcher calls a “dragnet” for massive amounts of information on private citizens; the government portrays its data-collection efforts much differently.

“We’re getting to a gap between what the public thinks the law says and what the American government secretly thinks the law says,” Wyden tells Danger Room in an interview in his Senate office. “When you’ve got that kind of a gap, you’re going to have a problem on your hands.”

What exactly does Wyden mean by that? As a member of the intelligence committee, he laments that he can’t precisely explain without disclosing classified information. But one component of the Patriot Act in particular gives him immense pause: the so-called “business-records provision,” which empowers the FBI to get businesses, medical offices, banks and other organizations to turn over any “tangible things” it deems relevant to a security investigation.

“It is fair to say that the business-records provision is a part of the Patriot Act that I am extremely interested in reforming,” Wyden says. “I know a fair amount about how it’s interpreted, and I am going to keep pushing, as I have, to get more information about how the Patriot Act is being interpreted declassified. I think the public has a right to public debate about it.”

That’s why Wyden and his colleague Sen. Mark Udall offered an amendment on Tuesday to the Patriot Act reauthorization.

The amendment, first reported by Marcy Wheeler, blasts the administration for “secretly reinterpret[ing] public laws and statutes.” It would compel the Attorney General to “publicly disclose the United States Government’s official interpretation of the USA Patriot Act.” And, intriguingly, it refers to “intelligence-collection authorities” embedded in the Patriot Act that the administration briefed the Senate about in February.


Wyden says he “can’t answer” any specific questions about how the government thinks it can use the Patriot Act. That would risk revealing classified information — something Wyden considers an abuse of government secrecy. He believes the techniques themselves should stay secret, but the rationale for using their legal use under Patriot ought to be disclosed.

“I draw a sharp line between the secret interpretation of the law, which I believe is a growing problem, and protecting operations and methods in the intelligence area, which have to be protected,” he says.

Surveillance under the business-records provisions has recently spiked. The Justice Department’s official disclosure on its use of the Patriot Act, delivered to Congress in April, reported that the government asked the Foreign Intelligence Surveillance Court for approval to collect business records 96 times in 2010 — up from just 21 requests the year before. The court didn’t reject a single request. But it “modified” those requests 43 times, indicating to some Patriot-watchers that a broadening of the provision is underway.

“The FISA Court is a pretty permissive body, so that suggests something novel or particularly aggressive, not just in volume, but in the nature of the request,” says Michelle Richardson, the ACLU’s resident Patriot Act lobbyist. “No one has tipped their hand on this in the slightest. But we’ve come to the conclusion that this is some kind of bulk collection. It wouldn’t be surprising to me if it’s some kind of internet or communication-records dragnet.” (Full disclosure: My fiancée works for the ACLU.)

The FBI deferred comment on any secret interpretation of the Patriot Act to the Justice Department. The Justice Department said it wouldn’t have any comment beyond a bit of March congressional testimony from its top national security official, Todd Hinnen, who presented the type of material collected as far more individualized and specific: “driver’s license records, hotel records, car-rental records, apartment-leasing records, credit card records, and the like.”

But that’s not what Udall sees. He warned in a Tuesday statement about the government’s “unfettered” access to bulk citizen data, like “a cellphone company’s phone records.” In a Senate floor speech on Tuesday, Udall urged Congress to restrict the Patriot Act’s business-records seizures to “terrorism investigations” — something the ostensible counterterrorism measure has never required in its nearly 10-year existence.

Indeed, Hinnen allowed himself an out in his March testimony, saying that the business-record provision “also” enabled “important and highly sensitive intelligence-collection operations” to take place. Wheeler speculates those operations include “using geolocation data from cellphones to collect information on the whereabouts of Americans” — something our sister blog Threat Level has reported on extensively.

It’s worth noting that Wyden is pushing a bill providing greater privacy protections for geolocation info.

For now, Wyden’s considering his options ahead of the Patriot Act vote on Thursday. He wants to compel as much disclosure as he can on the secret interpretation, arguing that a shadow broadening of the Patriot Act sets a dangerous precedent.

“I’m talking about instances where the government is relying on secret interpretations of what the law says without telling the public what those interpretations are,” Wyden says, “and the reliance on secret interpretations of the law is growing.”

http://www.wired.com/dangerroom/2011/05/secret-patriot-act


Automotive Black Boxes, Minus the Gray Area

Update 5:30 p.m. May 24: An earlier version of this story incorrectly stated that the National Highway Traffic Safety Administration will require that all new vehicles have an event data recorder. The agency is at this point only considering such a requirement.

The National Highway Traffic Safety Administration will later this year propose a requirement that all new vehicles contain an event data recorder, known more commonly as a “black box.” The device, similar to those found in aircraft, records vehicle inputs and, in the event of a crash, provides a snapshot of the final moments before impact.

That snapshot could be viewed by law enforcement, insurance companies and automakers. The device cannot be turned off, and you’ll probably know little more about it than the legal disclosure you’ll find in the owner’s manual.

The proposal looks to some like a gross overreach of government authority, or perhaps an effort by Uncle Sam, the insurance industry and even the automakers to keep tabs on what drivers are doing. But if you’re driving a car with airbags, chances are there’s already one of these devices under your hood.

Automakers have long installed electronic data recorders in their automobiles, and the National Highway Traffic Safety Administration has since late 2006 required automakers to tell consumers about the devices. That federal rule also outlines what information is recorded and stipulates that it be used to increase vehicle safety.

Now the National Highway Traffic Safety Administration is considering a proposal that would “expand the availability and future utility of EDR data” — in other words, a possible requirement that all automobiles have the devices. The proposal is expected sometime this year. A separate discussion would outline exactly what data would be collected.

Both proposals follow rules adopted in 2006, and how they affect you depends upon where you live and what data points it records. How much it will affect you in the future may depend on a new set of standards that spell out exactly what data is collected and who can access it.


An Incomplete Record
On August 17, 2002, two teenage girls in Pembroke Pines, Florida, died when their vehicle was struck by a Pontiac Firebird Firehawk driven by Edwin Matos. The girls were backing out of their driveway; investigators accessed the vehicle’s data recorder and discovered Matos had been traveling 114 mph in a residential area moments before impact.

Matos was convicted on two counts of manslaughter, but his lawyer appealed the admission of the data recorder evidence, arguing it may have malfunctioned because the car had been extensively modified. The attorney also argued the evidence was based on an evolving technology. The Florida Supreme Court upheld the conviction, however, establishing precedent in that state that data gleaned from event data recorders is admissible in court.

There are two important facts to note in this case. First, Matos was driving in Florida, one of 37 states with no statutes barring the disclosure of such data. While car companies initially claimed ownership of the data, courts eventually ruled that it belongs to vehicle owners and lessees. No federal laws govern access to black box data, and state laws eventually clarified how much data other parties could access.

“The state statutes, starting with one in California, arose out of consumer complaints about insurance companies getting the data without the vehicle owner even knowing that the data existed or had been accessed,” said Dorothy Glancy, a lawyer and professor at Santa Clara Law with extensive experience studying issues of privacy and transportation.

In most of the 13 other states, however, Matos’ black box data still would have been available to police officers armed with a warrant.

“Law enforcement generally has access to the data,” Glancy said.

The second important fact is that, though the court denied Matos’ appeal, the question of the data’s validity remained. Most manufacturers currently use proprietary systems that require specialized interpretation, and many individual event data recorders do not survive crashes intact. Other courts have ruled against the admission of the data.

Setting a Standard

The lack of uniformity concerns Tom Kowalick. He chairs the Institute of Electrical and Electronics Engineers P1616 Standards Working Group on Motor Vehicle Event Data Recorders, one of three panels aiming to set universal standards for event data recorders (EDR).

“Until recently, there has been no industry-standard or recommended practice governing EDR format, method of retrieval, or procedure for archival,” Kowalick said. “Even for a given automaker, there may not be standardized format. This lack of standardization has been an impediment to national-level studies of vehicle and roadside crash safety.”

Standards proposed in 2008 would ensure that data once available only to automakers IS publicly accessible. The new standards would make accessibility universal and prevent data tampering such as odometer fraud.

“It also addresses concerns over privacy rights by establishing standards protecting data from misuse,” Kowalick said.

The standards also propose specific guidelines and technology to prevent the modification, removal or deactivation of an event data recorder.

Those regulations would, in theory, make black box data more reliable than what is currently collected. But they also would prevent drivers from controlling the collection of information — information that they own.

“I am not sure why consumers would want a system in their vehicles that they could not control,” Glancy said.

For What Purpose?

Before shunning new cars and buying a 1953 MG TD to avoid secret tracking devices, it helps to see how the information gleaned from event data recorders is used.

General Motors has been a leader in event data recorder technology, installing them in nearly all vehicles with airbags since the early 1990s. It currently installs Bosch EDRs in all vehicles sold in North America. The technology has evolved and now collects as many as 30 data points, said Brian Everest, GM’s senior manager of field incidents.

“In the early ’90s we could get diagnostic data, seatbelt use and crash severity,” Everest said. “Currently, we can get crash severity, buckle status, precrash data related to how many events the vehicle may have been in and brake application.”

The newest vehicles also can determine steering input and whether lane departure warning systems were turned on.

That info is invaluable in determining how a car responds in a crash. With a vehicle owner or lessee’s permission, crash investigators with access to the data pass on the EDR records to GM, which can determine whether vehicle systems or driver error contributed to an accident. They also can discover what vehicle systems and technologies prevented serious injuries or death.

“It’s about trying to understand what a particular system’s performance did before a crash,” Everest said.

In addition to helping a manufacturer prevent future crashes or injuries, it can also help in defending an automaker against claims of vehicle defects.

“In a great many cases, we can use data to understand whether it had any merit to it or not,” Everest said.

Sometimes the information vindicates an automaker, such as in the case of Toyota’s recent unintended acceleration debacle. Investigators could look directly at vehicle inputs to determine what occurred in each case. In other cases — a problem with unintended low-speed airbag deployment in a 1996 Chevrolet Cavalier, for example — the data reveals a legitimate vehicle defect and leads to a recall being issued.

Safety In The Future

While automakers might like to examine every aspect of a crash, there comes a point where too much data would overload researchers and the relatively inexpensive computers used in vehicles. The last thing car makers — or consumers — want is to increase the price of a vehicle to pay for super-sophisticated event data recorders.

“We’re definitely supportive of additional data,” Everest said. “The drawback on parameters is that you want to understand how it would affect the system,” balancing the need for data with the computing power available from a low-cost EDR.

Other concerns involve law enforcement access to enhanced electronic data recorders or whether dealers or insurance companies could use that data to deny or support claims.

“It usually depends on state law whether they need a subpoena or a warrant,” Glancy said. “Lots of data just gets accessed at the crash scene or the tow yard, as I understand actual practice.”

Whether that information was accessed and interpreted by a trained professional would determine how it held up in court. Insurance companies’ access and use of the data would again be up to state law, said Glancy.

Several insurance companies contacted by Wired.com declined to comment on the issue, but Leah Knapp, a spokesperson for Progressive Insurance, offered that company’s policy. “Our position on EDRs is that we would only use that data in a claims investigation with customer consent or if we’re required to do so by law,” she said. Knapp stressed that manufacturer-installed EDRs are different than incentive programs run by insurance companies that offer a discount for customers who voluntarily install monitoring devices on their vehicles.

Though dealers have access to EDR records, Everest said he knew of no instance where the information was used to void a warranty claim by proving that a customer abused a vehicle.

“Automakers have a duty to warn vehicle owners about safety recalls and the like,” Glancy said. “But you would have to look at the particular warranty to see what would be covered and what would not.” Still, she said she’d “expect that they would” eventually be able to access such data.

It comes down to a balancing act between an individual’s right to privacy and automakers’ need for data to determine the cause of a crash, between the need for a robust reporting system and the computing power available, between state interests in protecting consumers and insurance companies. Whether that balance tilts in favor of drivers remains to be seen — but at least EDR standards ensure a level starting point.

http://www.wired.com/autopia/2011/05/automotive-black-boxes/

Additional related story

http://detnews.com/article/20110526/AUTO01/105260436/1148/U.S.-to-propose-mandatory-vehicle-‘black-boxes’

No comments:

Post a Comment