EINSTEIN's Threat to Online Privacy?

Apr 22, 2008
By: Nicole A. Ozer

ACLU of Northern CA

Is the federal government gearing up to spy on Internet users who visit .gov websites? That was one of the concerns at a hearing on the Department of Homeland Security's (DHS) cybersecurity program called "EINSTEIN".

The goal of EINSTEIN is to track and detect attacks on federal networks, whether those attacks are meant to disable network nodes, or actually penetrate and steal information. The program already exists as a "passive traffic-monitoring system that records basic data such as the originating IP address of a packet, its size, and where the packet came from and where it is headed." DHS wants to expand EINSTEIN to cover more federal agency networks and to include real-time traffic analysis.

Legislators attending the House Committee on Homeland Security hearing expressed substantial concern about giving even more powers to DHS. Rep. Paul Broun (R-Ga.) said, "This looks almost like the fox guarding the henhouse. I'm not convinced that privacy is going to be protected in developing these systems." Rep. Jane Harman (D-Ca.) cautioned, "I can assure you constituents of mine listening to this hearing are thinking about this as the government sets up a new spy network. What would you advise me to tell my constituents (who want to know) how I'm going to stop this latest government spy network?"

Homeland Security Under Secretary Robert Jamison responded, "We have privacy and civil rights folks involved in this. We're in the process doing a privacy impact assessment for the new capability as we move forward." However, he refused to give further details outside of a classified session. Karen Evans, administrator for OMB's Electronic Government and Information Technology division, reiterated this, saying that concerned citizens should look at the assessments and privacy policy, as well as make public comments about the program.

Security expert James Lewis doesn't see a need to worry. "For Einstein to really affect privacy, you'd need to monitor and collect the communications, store them, and analyze them (e.g. have somebody actually read the content). I'm told that DHS won't store Einstein data and won't be analyzing it, which greatly reduces any risk to privacy."

But privacy advocates are concerned about the expansion of EINSTEIN. Jim Lewis, a former foreign service official and director of the Technology and Public Policy Program at the Center for Strategic and International Studies, worries about private citizens and the analysis of their activity on federal websites. "When John Q. Citizen visits the Department of Agriculture Web site, what are the guarantees on his privacy?" Lewis asks. "We're moving into an arena of monitoring that hasn't been covered by existing privacy rules."

Privacy impact assessments and policies are necessary but not sufficient to protect privacy. Nor are promises not to retain the data after the traffic analysis. There needs to be regular, consistent oversight and monitoring of the program, the kind of oversight that DID NOT occur to prevent the abuse of National Security Letters by the FBI. Cyber-security is a very critical issue, but developing more ways to snoop on the online activities of innocent Americans, with no showing of suspicious or harmful activity, is not the way to deal with it. As the Congressional leaders understood, this program should not go forward.