Thursday, July 10, 2008

FISA Bill Passes: How To Maintain Your Privacy

So many of us are familiar with the passage of the bill yesterday that revamped the 30-year-old FISA legislation. Much of it is indeed scary, especially if we are to anticipate that our congressional representatives will not be very pro-active.

The proponents of the bill say that it does go a long way to protecting our rights as citizens. In some ways, they are correct, it does. However, the act's oversight hinges exclusively on the power and will of congress to pro-actively request information and review such information from the Executive or Judicial branches, mainly the DOJ. At its bare minimum, the act allows a 30-day window in which surveillance may occur without full oversight, and even a 7-day window where no notification needs to be given. If congress elects, they can limit the reports given to the Intelligence and Judiciary committees to a whopping 6 month maximum interval. Congress can, however, increase the frequency to whatever they wish (every week, every month, etc...). The Judicial Branch, represented by the FISA court as well as reports to the Chief Justice, is given a 30-day period to review authorizations on acts which may already be in progress, before concluding that the surveillance violates any part of FISA. Surveillance actions that are determined to violate protocol are either required to cease, or are amended, allowing the review period to be extended further.

In our old system, if evidence was brought to our attention that such surveillance was happening to us, we could challenge the action in civil courts. We could even hold those accountable as conspirators. This is the justice system that many conservatives have celebrated as being the "stick" of deterrence to law-breaking which is supposed to protect our rights and our freedom. The new FISA legislation effectively guts this process. We no longer have the authority to challenge acts such as this when they are occurring as actions by the Justice Department and other Executive Branch offices. Rather, we must petition our congress to act on our behalf. In the event that the Executive Branch and a majority of the Legislative Branch are in collusion, we are really left hanging. The bill also, unfortunately, provides an indemnity clause to protect private telecommunications entities from judgement should their activity become public knowledge.

What is even worse is that the bill also allows the government to pay "at the prevailing rate" the telecoms for their time developing and enacting these programs. This is like subsidizing their interests in the data stockpiling business, which has become a growing concern for victims of identity theft and fraud in recent years, while becoming a highly lucrative business for advertisers and mass-marketing industries.

So what are we to do? Well, in all of the bill's focus on interactions and building a system of disclosure within the three branches of government, it does not once discuss any restrictions on the so-called "target" (you). If you are an avid user of the Internet for communication, then you are already involved in a communications model that is highly unregulated. In fact, your reading this article right now has probably been catalogued by any number of private or government servers on networks between your home computer and the server that this is published from. There's sort of an anonymity there, but not really. So many of us in the IT and security fields generally act online as if everything we do is being logged and/or monitored. We should all start acting the same way for telephone communication too. This isn't an endorsement, it is just an observation that now that this has passed, we have to live with it.

So, about a decade ago a project for computers came out, named Pretty Good Privacy. The idea was to encourage everyone on the Internet to adopt a means for peer-to-peer, individual, private encryption of communication. The basic idea: You encrypt a message to your recipient in a manner that only they can decrypt; you cannot even decrypt your own messages to others after you encrypt them. The other party uses the same method (with a different encryption "key") to reply in a message from them to you. In order for this to work, you two need to get together and exchange your "encryption keys" with one another. There are all sorts of systems on the Internet for making this really easy so that just about anyone can perform this exchange, without having to be troubled by keeping long numbers written down. When you receive a message encrypted to you, you use a different "decryption key", which you always keep very private, to read the message. Due to this mathematical feat, you are safely able to publish your own encryption key anywhere, and it can't be used to read your messages. It can only be used to talk to you securely.

Well, another project that I recently followed has been gaining momentum lately: The Openmoko Project. This is a project to create a 100% open phone+pda platform. Basically, it is just like someone's Palm Treo or iPhone, but the software and hardware are completely open to see, modify, and contribute. This allows anybody with the capability to build their own communications hardware from the current design. You can also purchase existing hardware for a bit less than an iPhone, and then install whatever software you wish. The project even has a database of user-contributed software that you can install.

So, why not push to marry the two? Using bluetooth or wifi, you could allow people to exchange their encryption keys while keeping their decryption keys securely hidden in the device. It is already popular for a number of people to secure their cell phone with a PIN, so relying upon that concept for keypad locking is not far-fetched. When you receive an incoming call, if it is from someone whose encryption key you have, then all your digitized voice data sent to them is automatically encrypted. When you make an outgoing call, the same rule can apply. If both parties have each other's encryption information, they will automatically have a two-way encrypted call. A popular fad is the wireless exchange of "business e-cards" between people at meetings. The exchange of this encryption information can be performed in the same manner. It could even safely be done semi-automatically (click or press a key to confirm or decline the exchange).
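To make the two ideas above concrete (the public/private key split from the PGP paragraph, and the handset that encrypts a call automatically once it holds the peer's key), here is a small added illustration, not code from the Openmoko project or from PGP. It uses textbook RSA with tiny constructed primes so the arithmetic is visible; a real handset would use large keys, padding and negotiated session keys, but the property shown (anyone can encrypt to your published key, only your hidden key decrypts, and even the sender cannot read what they sent) is the same.

```python
from math import gcd

def make_keypair(p, q, e=17):
    """Return ((e, n), (d, n)): the first is safe to publish, the second
    never leaves the handset. Toy textbook RSA with tiny primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    return (e, n), (pow(e, -1, phi), n)   # pow(e, -1, m) needs Python 3.8+

def encrypt(public, data):
    """Encrypt each byte to a public key; every byte is < n, so it fits."""
    e, n = public
    return [pow(b, e, n) for b in data]

def decrypt(private, blocks):
    """Undo encrypt with the matching private key; any other key yields junk."""
    d, n = private
    return [pow(c, d, n) for c in blocks]

class Phone:
    """A handset holding its own keypair plus the public keys of contacts
    it has swapped 'e-cards' with, as the post sketches for an open phone."""
    def __init__(self, name, p, q):
        self.name = name
        self.public, self._private = make_keypair(p, q)
        self.contacts = {}

    def exchange_keys(self, other):
        # Only the public (encryption) halves cross the bluetooth/wifi link.
        self.contacts[other.name] = other.public
        other.contacts[self.name] = self.public

    def send(self, peer, frame):
        """Encrypt automatically when the peer's key is on file, else clear."""
        key = self.contacts.get(peer)
        return ("clear", list(frame)) if key is None else ("encrypted", encrypt(key, frame))

    def receive(self, mode, payload):
        return bytes(decrypt(self._private, payload) if mode == "encrypted" else payload)

def demo():
    # Constructed primes; names are illustrative only.
    alice, bob = Phone("alice", 61, 53), Phone("bob", 89, 97)
    mode_before, _ = alice.send("bob", b"hi")       # no key yet -> "clear"
    alice.exchange_keys(bob)
    mode_after, blocks = alice.send("bob", b"hi")   # now "encrypted"
    heard = bob.receive(mode_after, blocks)         # Bob reads b"hi"
    own_try = decrypt(alice._private, blocks)       # sender's own key fails
    return mode_before, mode_after, heard, own_try

if __name__ == "__main__":
    print(demo())
```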

The beauty of this is that the use of encryption like this makes using electronic surveillance just a waste of time and resources for the entity that is doing it (whether governmental or commercial). They'll collect no useful data. This system basically empowers us to take back our privacy not only from FISA, but also from overzealous commercial entities as well.
