- Security vs. Civil Liberties
▪ 2003By Stephen J. PhillipsTechnology was at the forefront of international efforts to fight terrorism and bolster security in 2002 in the wake of the terrorist attacks in the U.S. on Sept. 11, 2001. The rush to deploy new technologies and to give law-enforcement officials new investigative powers in cyberspace sparked concerns for the civil liberties of law-abiding citizens. For other observers, however, the threat posed by religious extremists and other shadowy groups bent on mass destruction gave security precedence over freedom.In the U.S. debate continued on the implications of the antiterrorist USA PATRIOT Act enacted in October 2001. The new law, aimed at empowering authorities to move more nimbly against terrorist threats, relaxed legal checks on surveillance, granting the Central Intelligence Agency (CIA) and the Federal Bureau of Investigation (FBI) a freer hand to gather data electronically on citizens and resident foreigners. The legislation, approved by a sweeping majority in Congress, reduced the need for subpoenas, court orders, or warrants for eavesdropping on Internet communications, monitoring financial transactions, and obtaining individuals' electronic records. As part of criminal investigations, law-enforcement and intelligence agencies were authorized to track the Web sites that suspects visited and identify those to whom they sent e-mail. Internet service providers were required to turn over data on customers' Web-surfing habits to authorities on demand.Many of the measures were hailed as necessary revisions of surveillance laws to keep increasingly sophisticated and determined terrorists at bay. Civil liberties advocates, however, worried that the PATRIOT Act's easing of judicial oversight and vague definition of legitimate subjects for electronic surveillance opened it to abuse and could cast the legal dragnet too wide in the search for incriminating evidence. The legislation paved the way for wider deployment of the controversial FBI program formerly known as Carnivore—renamed, less menacingly, DCS 1000—which sifts e-mail for particular addresses or specific text strings (sequences of characters). In December 2001 it was reported that the FBI had developed “Magic Lantern,” a so-called Trojan horse program designed to crack encrypted files and e-mails. The program could implant itself surreptitiously in a suspect's computer via an e-mail message and then record keystrokes to obtain the user's passwords. In mid-2002 the Department of Justice (DOJ) announced Operation TIPS (Terrorism Information and Prevention System), a plan to recruit workers such as mail carriers and utility meter readers as informants to spot and report “suspicious activity.”Concerns about government access to personal information were not limited to the U.S. In June the British government, amid a public outcry, shelved plans to give local government units and other administrative bodies the right to access an individual's telephone and e-mail records. Such privileges were given only to police, tax authorities, and security agencies. Across the world, debate raged over national identity cards to verify people's identity and to screen access to potential terrorist targets. Compulsory identification schemes, based on laminated ID cards, had been long-standing in countries as diverse as China, Argentina, Germany, and Spain. The latest proposals, however, based on cards bearing unique biological identifiers—such as an iris scan or a digitized thumbprint—known as biometrics, as well as a microchip programmed with additional personal details. In September 2001 Malaysia mandated such a “smart card,” dubbed the Mykad, for all citizens over the age of 12. Meanwhile, Hong Kong geared up to overhaul its compulsory ID system with smart cards for its 6.8 million inhabitants in 2003. Officials hoped to crack down on illegal immigrants while easing bottlenecks at the territory's border with China. Border crossers would have their thumbprint scanned by an optical reader and—instead of waiting hours for their papers to be read—could pass through the checkpoint in a matter of seconds if the print matched the digital replica on their card.In July 2002 British ministers began a six-month public consultation to determine how an ID card scheme could be administered. The measure faced opposition from various quarters, ranging from civil libertarians objecting to citizens' being treated as suspects to individuals concerned about bureaucratic overheads. Such a scheme would not come cheap either. The cost of issuing biometrics cards to the 60.2 million population was put at £3.1 billion (about $4.8 billion). Belgium planned to issue ID cards with embedded digital signatures.Identity-authentication proposals were also contentious in the U.S. As an alternative to building an infrastructure from scratch, driver's licenses held by up to 200 million Americans—more than 87% of the adult population—offered an obvious starting point for a de facto national scheme. The Driver's License Modernization Act of 2002, proposed in May, sought to set nationwide standards for licenses issued by each of the 50 states that would include embedded chips and biometrics data. Under the plan the cards would be linked to networked databases, allowing officials to check out any suspicious activity quickly.Others were disquieted by the spectre of Big Brother. They feared that cards linked to databases would turn into internal passports to monitor citizens' movements. Privacy groups called for the U.S. government at the very least to spell out the uses to which data gleaned from credential checks could be put—anticipating “function creep,” the tendency for information to be used for purposes beyond those originally envisaged. Public support for a national identity scheme also appeared to cool as the memory of September 11 receded. A Pew Research Center poll conducted immediately after the attacks returned a 70% approval rating for such a scheme, but support had dwindled to 26% by March 2002, according to a survey by Gartner Group.The Enhanced Border Security and Visa Entry Reform Act mandated that by Oct. 26, 2003, all U.S. visas, as well as passports issued by visa-waiver countries, such as Australia, must be machine-readable and tamper-resistant and must incorporate biometric identifiers. In October 2002 the Immigration and Naturalization Service began fingerprinting foreign visitors on arrival from designated, mainly Middle Eastern, countries.Other technologies under consideration included scanners—tested at Orlando (Fla.) International Airport—that deployed low-level X-rays to subject airline passengers to virtual strip searches. Supporters said such drastic measures were necessary to deal with suicide bombers prepared to conceal explosives in body cavities, but critics branded them invasive. Another biometrics application put through its paces was facial-recognition cameras, or “facecams.” Such technology uses software to map facial characteristics, sounding an alarm if a certain proportion of features picked up by a camera match those of police mugshots. It has been used in London to collar criminals since 1998. In 2002 such cameras were installed in several American cities and airports. The systems, also condemned by civil libertarians as intrusive, proved unreliable. Cameras tested at Palm Beach (Fla.) International Airport failed more than half the time to identify employees whose features were programmed into the database, while a trial in nearby Tampa did not make a single match in six months of use. Moreover, biometrics are only as effective as the comprehensiveness of the background information archives they scrutinize. Technologically sophisticated face scans or thumbprint matching probably would not have identified, much less foiled, the September 11 hijackers, as only 2 of the 19 were on the CIA's “watch list.”While no security panacea, technology puts some powerful counterterrorism tools at the disposal of governments, but the debate in 2002 showed that leaders must plot a judicious path to ensure that new techniques do not undermine the freedoms they are intended to protect.Stephen J. Phillips is a freelance journalist and a U.S.-based information technology writer for the Financial Times.
* * *