Friday, November 26, 2004

All Your (Airline) Data Are Belong To U.S.

Been to the United States this summer? Well, then all your data may now be in the hands of the (only slightly Orwellian-sounding) Transportation Security Administration, as this article in Wired News reveals:
“U.S. airlines turned over a month's worth of passenger data Tuesday to Homeland Security officials, who want to test a massive, centralized passenger-screening system.
The Transportation Security Administration ordered America's 72 airlines to turn over their June 2004 domestic passenger flight records by Tuesday afternoon. The airlines had initially questioned the order because of privacy concerns, but they all complied.
The agency wants the records -- which can include credit card numbers, phone numbers and health information -- to test a system called Secure Flight.”
The hope is that this will save you from terrorism in the future. In the meantime, a couple of people may be tempted to use this cache of data for browsing purposes: linking names with credit card numbers, linking phone numbers with addresses, checking where someone really went that June morning... Ever heard of “mission creep”? Once the data are there, one can think of so many useful things to do with them.

You think I'm being paranoid? Did you know that between 1989 and 1998, more than 1500 employees of the US Internal Revenue Service were investigated or disciplined for using government computers to browse through tax returns of friends, relatives, neighbors, enemies, and celebrities?

[Source: “The Transparent Society: Will Technology Force Us to Choose Between Privacy and Freedom?” (David Brin), p. 55]

Thursday, November 18, 2004

Germany and privacy: change is under way

Germany -- or more precisely: the Federal Republic of Germany -- used to be a shining example of privacy and data protection. Undoubtedly spurred on by the experience of Nazi totalitarianism in the 1930s and 40s and the example of the Communist surveillance state of the GDR as next-door neighbour, (then) West German politicians were early adopters of comprehensive data protection legislation in the 1970s. In the early 1980s the Federal Constitutional Court further strengthened German citizens' protection by acknowledging a "right of informational self-determination". But now Germany's position as a country with one of the strictest privacy protections in the European Union is about to change -- and there is little public debate about it.

In two areas that are central to informational privacy, legal changes will soon alter the landscape substantially: the state will soon have comprehensive access to citizens' financial information, and it will be able to monitor email communications. To add insult to injury, none of this will be paid for by the state -- the citizens themselves will have to foot the bill for being snooped upon.

According to the "Telekommunikations-Überwachungsverordnung" (see here for some [German language] information) all ISPs have to install "spy boxes" that filter all email traffic for addresses of suspects and then copy the respective data packets straight to the authorities. While that regulation already entered into force in May 2003, implementation had been delayed until now. But from January 2005 the German state will be able to monitor all email traffic. What little public debate there is on this does not centre on what this means for privacy or civil rights; the only voices present are those of the ISPs complaining about the cost burden this places on them (more information here).

Three months later, in an effort to root out tax evasion, German inland revenue, social services and the labour office will gain access to citizens' financial accounts -- with the help of BaFin, the German financial services regulator. Information about financial accounts can be had without cause or concrete suspicion -- which German weekly Der Spiegel likened to issuing spare keys to citizens' houses on the reasoning that they might hoard stolen goods there. And again the costs of all this have to be borne by the banks -- who will likely pass them on to their customers. Do citizens have to be informed of the act, at least afterwards? No. And no judge will be involved either.

A small German cooperative bank (Volksbank Raesfeld, more information here) has now brought the issue before the Federal Constitutional Court. Interestingly, the various German banking associations have remained silent on this (where are you, Josef Ackermann, when you are needed? one is tempted to ask...). When the judges decide (probably some time in late 2005) we will see more clearly whether they uphold their views on the "right to informational self-determination" or not -- and whether Germany's position on privacy and data protection will really have changed.

Update: The German Data Protection Officer, at a conference aptly entitled "20 years after Orwell", today bemoaned these developments. You can find the text of his speech here.