March­ing to­ward a ‘Data­base of Ruin’

The Washington Post - - WASHINGTON FORUM - BY PAUL OHM The writer is a pro­fes­sor at Ge­orge­town Univer­sity Law Cen­ter and fac­ulty direc­tor of the Ge­orge­town Cen­ter on Pri­vacy and Tech­nol­ogy.

Many are out­raged about con­gres­sional ef­forts to evis­cer­ate In­ter­net pri­vacy reg­u­la­tions set by the Fed­eral Com­mu­ni­ca­tions Com­mis­sion un­der Pres­i­dent Barack Obama. But a fright­en­ing as­pect to the bill re­mains un­der­ap­pre­ci­ated: If signed, it could re­sult in the great­est leg­isla­tive ex­pan­sion of the FBI’s sur­veil­lance power since 2001’s Pa­triot Act.

Don’t be­lieve any­one who sug­gests that the law merely re­turns us to the state of the world be­fore the FCC fi­nal­ized its land­mark pri­vacy rules in Oc­to­ber. The ob­vi­ous rea­son In­ter­net ser­vice providers burned through time, money, po­lit­i­cal cap­i­tal and cus­tomer good­will to push for this law was to ask for a green light to en­gage in sig­nif­i­cantly more user sur­veil­lance than they had ever be­fore had the au­dac­ity to try.

This must be the rea­son, be­cause on pa­per, the law ac­com­plishes lit­tle. Pres­i­dent Trump’s hand­picked choice to head the FCC, Ajit Pai, al­ready be­gan work to roll back these rules in a more or­derly fash­ion. Make no mis­take: ISPs aren’t just ask­ing for re­lief from a sup­pos­edly oner­ous rule; they want Con­gress’s bless­ing. Once Trump signs the bill, di­min­ish­ing the FCC’s power to po­lice pri­vacy on­line, ISPs will feel em­pow­ered — per­haps even en­cour­aged — by Repub­li­cans (no Democrats voted for this mea­sure) to spy on all of us as they never have be­fore. And spy they will.

How, then, does this law — which would di­rectly af­fect only pri­vate be­hav­ior — ben­e­fit the FBI? From 2001 to 2005, I worked for the Justice Depart­ment and spent a lot of my time ad­vis­ing law-en­force­ment agents and pros­e­cu­tors who wanted to track In­ter­net be­hav­ior. Many of our in­ves­ti­ga­tions led di­rectly to a spe­cific IP ad­dress — the iden­ti­fier for a par­tic­u­lar com­puter or de­vice — which then prompted a re­quest to an ISP for more in­for­ma­tion. Tens of thou­sands, if not hun­dreds of thou­sands, of these re­quests ar­rive at ISPs around the coun­try ev­ery year.

Many — per­haps most — of these re­quests do not in­volve crim­i­nals; in­stead, they lead to vic­tims of crimes, mere wit­nesses or oth­er­wise in­no­cent peo­ple. These re­quests have typ­i­cally sought only in­for­ma­tion about the iden­tity of the per­son as­so­ci­ated with the IP ad­dress be­cause the FBI un­der­stands that this is the only in­for­ma­tion ISPs tend to col­lect.

But be­cause of the way ISPs are likely to re­act to this law, FBI agents and other law-en­force­ment of­fi­cials will un­der­stand that ISPs will be able to re­veal much more about ev­ery one of us. By adding a sin­gle short para­graph to an ap­pli­ca­tion for a court or­der through the Stored Com­mu­ni­ca­tions Act (this wouldn’t even a re­quire a search war­rant), the FBI would be able to or­der your ISP to di­vulge ev­ery web­site you have con­tacted and ev­ery app you have used. In cases in which the FBI has ob­tained a search war­rant, it could ask your ISP to re­veal ev­ery sin­gle piece of con­tent that it has a record of you hav­ing viewed — over the course of years. Our gov­ern­ment-ac­cess laws do not re­quire the FBI to tell you about these re­quests, and the FBI al­most al­ways forces a gag or­der on ISPs, en­sur­ing that you will never find out.

To be clear, noth­ing in this new law would ex­pressly give the FBI any new power. But old, out­dated laws such as the Elec­tronic Com­mu­ni­ca­tions Pri­vacy Act tend to ex­pand FBI power when­ever a pri­vate ac­tor be­gins to track our be­hav­ior in new ways. What the new law would do is give ISPs the in­cen­tive and the con­gres­sional and pres­i­den­tial seal of ap­proval to con­struct the rich­est data­base of Web surf­ing and ap­pusage be­hav­ior the world has ever seen. This will be a hon­ey­pot at­tract­ing the FBI and other law-en­force­ment agen­cies like flies.

A lit­tle less than a decade ago, I in­tro­duced the idea of the “Data­base of Ruin” — a dig­i­tal dossier con­tain­ing one fact about each of us that we wouldn’t want any­one else to know. Since I coined this phrase, I have watched with con­cern as this data­base has con­tin­ued to grow and take shape. Com­pa­nies such as Google, Face­book, Ama­zon, Uber and many oth­ers have each con­structed their own pieces of it.

But never has one in­dus­try been cut loose to gen­er­ate one spine of in­for­ma­tion that could serve the needs of law en­force­ment so well — un­til now. Con­gress just ap­proved the sin­gle great­est ex­pan­sion of the Data­base of Ruin to date — and Ver­i­zon, Com­cast, AT&T, Time Warner, Cen­tu­ryLink and the rest of our broad­band providers are rac­ing to build it.


Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.