ALA Resolution on Edward Snowden


I wholeheartedly support the adoption of the resolution (in whole below) being presented at ALA Midwinter. The revelations from the documents leaked by Snowden have done more to raise awareness about the dangers of an unfettered and expanded PATRIOT Act than anything else in the last 10 years. The fact that this information has Fourth Amendment implications should also be of concern. I am appalled (though not entirely surprised) by the audacity and scale of the collection that is being done by the NSA. Even worse are the decryption efforts that put all of our private data at risk. This is of particular concern as people move more and more of their personal health data online. If the NSA is collecting data “on the fly” that includes such personal information as genomic profiles, that is definitely cause for concern and should be addressed.

I urge everyone to talk to your ALA representatives and ask them to support the adoption of this resolution.

Resolution on Whistleblower Edward Snowden

Whereas, in 2004 ALA passed a “Resolution on Securing Government Accountability through Whistleblower Protection” affirming its “support for accountable government and the role of whistleblowers in reporting abuse, fraud, and waste in governmental activities” (CD#20.7, 2004); and

Whereas, in 2008 ALA passed a “Resolution Commending the FBI Whistleblower Who Exposed Abuses on the Use of Exigent National Security Letters” stating that ALA “commends Mr. Bassem Youssef for bringing these serious abuses before the ALA and the American public,” and “supports and defends Mr. Youssef’s right to report on FBI abuses,” and “urges the FBI to desist from any retaliation against Mr. Youssef for speaking before us” (CD#20.5, 2008); and

Whereas, in 2011 ALA passed a “Resolution on Access to and Classification of Government Information,” which urged “Congress to pass legislation that expands protections for whistleblowers in the Federal government, such as the Whistleblower Protection Enhancement Act of 2010” (CD#19.1, 2011); and also urged “the U.S. President, Congress, the federal courts, and executive and legislative agencies to defend the inalienable right of the press and citizens to disseminate information to the public about national security issues and to refrain from initiatives that impair these rights” (CD#19.1, 2011); and

Whereas, in 2013 ALA passed a “Resolution on the Need for Reforms for the Intelligence Community to Support Privacy, Open Government, Government Transparency, and Accountability,” which

1. reaffirmed “its unwavering support for the fundamental principles that are the foundation of our free and democratic society, including a system of public accountability, government transparency, and oversight that supports people’s right to know about and participate in our government”;

2. referred to recent “revelations related to NSA’s surveillance activities conducted pursuant to orders issued by the Foreign Intelligence Surveillance Court (FISC) under Sections 215 and 702 of the USA PATRIOT Act”;

3. in light of these revelations, called “upon the U.S. Congress, President Obama, and the Courts to reform our nation’s climate of secrecy, overclassification, and secret law regarding national security and surveillance, to align with these democratic principles”;

4. stated that ALA “values access to the documents disclosing the extent of public surveillance and government secrecy as access to these documents now enables the critical public discourse and debate needed to address the balance between our civil liberties and national security” and noted that “these disclosures enable libraries to support such discourse and debate by providing information and resources and for deliberative dialogue and community engagement”;

5. noted that ALA “remains concerned about due process for the people who have led us to these revelations”; and

6. expressed “its thanks and appreciation to the members of Congress who work to protect our privacy and civil liberties” (CD#19.2 and CD#20.40); and

Whereas, Edward Snowden, formerly a computer specialist for a contractor employed by the National Security Agency, has admitted to providing to the news media the recently disclosed classified documents revealing mass NSA surveillance of the U.S. and global publics; and

Whereas, Edward Snowden has explained that his “sole motive” in revealing this information was “to inform the public as to that which was done in their name and that which is done against them”; and

Whereas, in June 2013 both the ALA membership and ALA Council explicitly recognized “Edward Snowden as a whistleblower who, in releasing information that documents government attacks on privacy, free speech, and freedom of association, has performed a valuable service in launching a national dialogue about transparency, domestic surveillance, and overclassification,” (MMD#5, 2013; CD#39, 2013) but this resolution was effectively rescinded by the adoption of a substitute resolution (CD#19.2 and CD#20.40); and

Whereas, as a direct consequence of the Snowden revelations, numerous bills have been introduced in Congress limiting the mass collection of data of U.S. citizens; and

Whereas, despite his temporary asylum in Russia, Edward Snowden faces the possibility of eventual extradition and prosecution for releasing this information; now, therefore be it

Resolved, that the American Library Association (ALA):

recognizes Edward Snowden as a whistleblower who, in releasing information that documents the mass surveillance programs of the National Security Agency, has performed a valuable service in launching a dialogue about transparency, government surveillance, and overclassification.

Citations
CD#20.7, 2004 http://www.ala.org/offices/sites/ala.org.offices/files/content/wo/reference/colresolutions/PDFs/000002-CD20.7.pdf

CD#20.5, 2008 http://www.ala.org/offices/sites/ala.org.offices/files/content/wo/reference/colresolutions/PDFs/COL%20Resolution%20on%20Ba.pdf

CD#19.1, 2011 http://www.ala.org/aboutala/sites/ala.org.aboutala/files/content/governance/council/council_documents/2011mw_council_docus/cd19_19_1_ifc.pdf

CD#19.2 and CD#20.40, 2013 http://www.oif.ala.org/oif/?p=4803

MMD#5, 2013 and CD#39, 2013 http://www.ala.org/aboutala/sites/ala.org.aboutala/files/content/governance/council/council_documents/2013_annual_council_docs/cd_39_edward_snowden-%28ff%29.pdf

FISA and NSA Resolutions Introduced in the 113th Congress (Revised 11/1/13) http://www.ala.org/advocacy/sites/ala.org.advocacy/files/content/privacyconfidentiality/fisa_nsa_113th_congress.pdf


Quantified Self, Privacy, and PATRIOTism


This was a paper that I wrote for my Intellectual Property and Information Law class in Fall 2013. I’m sharing it here, along with the presentation slides, because I think it is important information to disseminate. A classmate asked under what circumstances I would use Personalized Genomic testing. I replied that it would have to be covered under HIPAA protections for me to consider using it. As such, I pitched the idea to the Henry Ford Health System earlier in the semester as a concierge service.

The Quantified Self, Privacy and PATRIOTism

This paper will explore the emerging field of the Quantified Self, in particular the use of personalized genomic testing. As consumers document more and more of their personal lives online, it is important to consider the security of such information. Knowing where the information is stored and who has access to it is imperative for consumers. The impact of the PATRIOT Act on electronic surveillance and the implications for the quantified self will also be discussed.

What is the Quantified Self?

The quantified self is about turning your daily activities, habits, and bodily functions into parsable data. Individuals can use this data to learn more about themselves and, in some cases, attempt to change their behaviors. The Quantified Self (QS) movement began during 2008 with Gary Wolf in San Francisco. It has grown to include contingent groups in 23 other cities around the United States.

In some ways, we have always quantified our lives, but until recently, it was in the form of journals or diaries and tracking was done once or twice per day. Dr. Kent Bottles notes four reasons for the increased momentum:

“First, electronic sensors got smaller and better. Second, people started carrying powerful computing devices, typically disguised as mobile phones. Third, social media made it seem normal to share everything. And fourth, we began to get an inkling of the rise of the global superintelligence known as the cloud.” (2012)

Now individuals can collect reams of data not just once a day but minute by minute, including aspects like heart rate, skin temperature, mood, ovulation cycles, and sleep quality and quantity. In the last several years, the devices involved have also diversified to include the FitBit, smart scales, sleep-tracking headbands, and the recently developed smart tooth sensor that is Wi-Fi enabled to track your oral activity such as eating and drinking. (Li, Chen, Chen, Huang, & Chu, 2013)

Emerging technologies follow two curves. The first is the diffusion of innovations curve (innovators, early adopters, early majority, late majority, laggards) that was developed by Everett Rogers. This is a bell curve that accounts for the portion of a population who adopt innovations at a given time in the life cycle of the technology. As noted by Bottles, Quantified Self is still in the early adopter range (about 20% of the population has adopted it in some way), with scholarly study and widespread notice just now starting. The second is the hype cycle. Gartner, a technology and information advisory and consulting firm, releases a report every year that frames the emerging technologies for the year within Fenn’s Hype Cycle. (Gartner, 2013) Fenn’s cycle includes the stages of enthusiasm that are experienced as innovative markets emerge. As excitement grows, enthusiasm reaches “the Peak of Inflated Expectations, the subsequent disappointment that leads to the Trough of Disillusionment and gradual success over time that concludes in the Slope of Enlightenment and the Plateau of Productivity.” (Bottles, 2012) Figure 1 is the Hype Cycle as illustrated by Gartner for 2013. As you can see, they mark Quantified Self as still in the early stages of initial enthusiasm, with an expectation for it to plateau in the next 2-5 years.

Figure 1: Gartner Hype Cycle 2013 (http://www.gartner.com/technology/research/hype-cycles/)

Healthcare providers have begun to watch the progression of this trend. There is conjecture that personalized healthcare could be integral for helping patients with chronic illness, with perhaps limited application in the healthier population. (Bottles, 2012) While there are many possible ways individuals can attain “self knowledge through numbers” (Beato, 2012), an emerging market is developing within the QS community. They are attempting to map deeply personal attributes such as the microbiome (the micro-organisms of the human gut), the metabolome (the waxing and waning of metabolites such as hormones in the human system) and the genome (the full genetic heredity of the individual).

What is personalized genomic testing?

Personalized genomic testing, or direct-to-consumer (DTC) genomic testing, involves providing a saliva sample to a testing company. That company then analyzes your sample and provides you with a personalized report. The service can range from $2000 for a full genomic sequencing and review with a qualified geneticist to $99 for a test that includes only well-known genomic markers with distinct causal relationships to disease. The two most popular services for lay people are AncestryDNA and 23andMe. AncestryDNA is a service provided through the genealogy site ancestry.com. This testing focuses primarily on ethnicity and connecting distant relatives.

“23andMe’s mission is to be the world’s trusted source of personal genetic information.” (23andMe, 2013) This lab provides both ancestry and disease related metrics using SNP genotyping (mapping about 1% of the genome). It is worth noting here that although SNP genotyping covers only a small portion of the genome, it can be used to accurately identify individuals if there is a comparative sample. (Abravaya, et al., 2003) In order to complete the testing, users have to register with 23andMe, provide financial information for ordering, provide a saliva sample, connect registration information and the barcode for the sample, and access results via the web interface.

What does Privacy Mean in this Context?

The 23andMe site correctly notes that GINA (Genetic Information Non-Discrimination Act) helps to protect the consumer. This was legislation enacted in 2008. It prevents employers and insurance companies from discriminating based on genetic information. (NIH, 2013) 23andMe has a separate privacy policy provided to consumers regarding the collection and storage of their information by the company.

Key types of information they collect and store are registration information, genetic information, self-reported information, user content, web behavior, and referral information. Interestingly, they provide users with a condensed “highlights” version of their privacy policy with a link to the full policy at the end. This statement is not included in the condensed version:

“Under certain circumstances Personal Information may be subject to disclosure pursuant to judicial or other government subpoenas, warrants, or orders, or in coordination with regulatory authorities. You acknowledge and agree that 23andMe is free to preserve and disclose any and all Personal Information to law enforcement agencies or others if required to do so by law or in the good faith belief that such preservation or disclosure is reasonably necessary to: (a) comply with legal or regulatory process (such as judicial proceeding, court order or government inquiry) or obligations that 23andMe may owe pursuant to ethical and other professional rules, laws and regulations; (b) enforce the 23andMe TOS; (c) respond to claims that any content violates the rights of third parties; (d) protect the rights, property, or personal safety of 23andMe, its employees, its users, its clients, and the public. In the event we are required by law to make a disclosure, we will notify you through the contact information you have provided to us in advance, unless doing so would violate the law or a court order.” (23andMe, 2013)

Additionally, they note in the privacy policy that they use “a range of reasonable physical, technical, and administrative measures to safeguard your Personal Information…In particular, all connections to and from our website and mobile application are encrypted using Secure Socket Layer (SSL) technology.” (23andMe, 2013) Finally, the company shares that anonymous samples are against their terms of service.

Until this year, the discussions around quantified self and privacy focused primarily on the fact that “Forgetting is the highest form of forgiving, and our inability to pinpoint exactly how we deploy our energies and resources allows us to live comfortably in the face of our own mediocrity.” (Beato, 2012) In other words, personal surveillance was destructive only in that it is persistent across time in a way that memory is not. This year, however, the conversation has taken a marked turn following the whistleblowing efforts of Edward Snowden.

The PATRIOT Act and the rise of NSA surveillance

As Bob Fraser noted in his class discussion of the PATRIOT Act, the Foreign Intelligence Surveillance Act (FISA) came into being long before the PATRIOT Act. FISA put limits on the surveillance of U.S. citizens by the government and provided for Congressional and Judicial oversight of surveillance efforts. FISA became the primary source of search warrants for the National Security Agency (NSA) both with and without court order in the case of electronic surveillance. With the passage of the PATRIOT Act in 2001, several changes reduced the rigor required to obtain domestic intelligence including the relaxation of wiretapping standards and a reduction in the amount of Congressional oversight required. Section 505 of the PATRIOT Act provided for one of the mechanisms for reducing oversight, National Security Letters (NSL). These letters, independent from subpoenas, are served to record holders such as libraries and internet service providers.

Whistleblowers came forward as early as 2002, stating that the NSA was collecting massive amounts of domestic data through electronic surveillance. (Kelley, 2013) Snowden, however, released startling data related to the efforts of the NSA to decrypt the internet. As noted in the joint publication by The Guardian, The New York Times and ProPublica,

“The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, web searches, internet chats, and phone calls of Americans and others around the world…” (Perlroth, Larson, & Shane, 2013)

This allows the NSA to collect vast amounts of information “on the fly,” so there is no need for them to provide NSLs to the owners of the servers. This dragnet style of collection is allowed because the data often crosses borders en route from one server to the next. (Gellman & Soltani, 2013) The types of encryption thought to have been broken include Secure Socket Layer (SSL), the type used by 23andMe.

Apply this to the information collected and stored by 23andMe and you have the potential not only to have identifiable DNA information on the users of the service; if you have multiple family members using the service, their DNA can also be used to positively identify you. 23andMe reports a user base numbering nearly half a million. Their policy of disallowing anonymous testing ensures that surveillance agencies can attach persons to their DNA profiles and other personal information.

23andMe has been in the news this past week because of a crumbling relationship with the Food and Drug Administration (FDA) about the use of genetic results by consumers. The FDA warns that consumers are initiating self-diagnosis and preventative treatment based on SNP genotyping, which is less accurate than full genomic sequencing. Charles Seife, writing for Scientific American, noted that self-diagnosis and treatment should be the least of our worries. “The Personal Genome Service isn’t primarily intended to be a medical device. It is a mechanism meant to be a front end for a massive information-gathering operation against an unwitting public.” (2013) He goes on to acknowledge that this may sound paranoid, but in comparing the service to, for example, Google, you could see how an altruistic start may morph over time. Congress is in the process of trying to legislate the NSA back into oversight, but Quantified Self is likely to continue growing along with voluntary sharing of information on the internet. As with many emerging technologies, it is difficult to predict the outcome that such transparency will bring.



Works Cited

23andMe. (2013, Nov 28). Privacy Policy. Retrieved from 23andMe: https://www.23andme.com/about/privacy/

Abravaya, K., Huff, J., Marshall, R., Merchant, B., Mullen, C., Schneider, G., & Robinson, J. (2003). Molecular beacons as diagnostic tools: technology and applications. Clinical Chemistry and Laboratory Medicine, 468-74.

Beato, G. (2012, Jan). The Quantified Self. Reason, pp. 18-20.

Bottles, K. (2012). Will the Quantified Self Movement Take Off in Health Care? Physician Executive Journal, 38(5), 74-75.

Gartner. (2013, August 19). Gartner Press Release. Retrieved from Gartner: http://www.gartner.com/newsroom/id/2575515

Gellman, B., & Soltani, A. (2013, Oct 14). The Washington Post: National Security. Retrieved from The Washington Post: http://www.washingtonpost.com/world/national-security/nsa-collects-millions-of-e-mail-address-books-globally/2013/10/14/8e58b5be-34f9-11e3-80c6-7e6dd8d22d8f_story.html

Kelley, M. (2013, Jun 27). Business Insider Military and Defense. Retrieved from Business Insider: http://www.businessinsider.com/nsa-whistleblower-william-binney-was-right-2013-6

Li, C.-Y., Chen, Y.-C., Chen, W.-J., Huang, P., & Chu, H.-h. (2013, Sept). Sensor-Embedded Teeth for Oral Activity Recognition. Taipei, Taiwan.

NIH. (2013, Nov 28). The Genetic Information Non-Discrimination Act Factsheet. Retrieved from NIH RePORT: http://report.nih.gov/nihfactsheets/ViewFactSheet.aspx?csid=81

Perlroth, N., Larson, J., & Shane, S. (2013, Sept 5). The New York Times – U.S. Retrieved from The New York Times: http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?hp&_r=1&pagewanted=all&

Seife, C. (2013, 11 27). Scientific American. Retrieved from Scientific American: http://www.scientificamerican.com/article.cfm?id=23andme-is-terrifying-but-not-for-reasons-fda

Sensenbrenner, J., & Leahy, J. (2013, Nov 28). The USA Freedom Act. Retrieved from http://sensenbrenner.house.gov/legislation/theusafreedomact.htm