My Op-Ed in the L.A. Times, http://www.latimes.com/..., is about the Einstein 3 program, a Bush brainchild that Obama plans to adopt. It's flown largely under the radar screen, or been eclipsed by this week's harmonic convergence of Bush secrecy programs, and government-run assassination plots trump domestic spying in the grand scheme of things.
Coincidence or PR ploy? After the first public mention of the Einstein 3 program in the New York Times, July 4 cyber attacks hobbled government and business Web sites in the United States and South Korea. North Korea was initially blamed, though evidence now shows that the attacks originated from IP addresses in 16 countries.
Unfortunately, the Obama administration reportedly is proceeding with a Bush-era plan to use the National Security Agency (N.S.A.) to screen government computer traffic on private-sector networks. AT&T is slated to be the likely test site. This classified pilot program, named "Einstein 3," is in development, but not yet rolled out. It takes the two worst offenders from President Bush's secret surveillance program and puts them in charge of scrutinizing all Internet traffic going to or from federal government agencies.
Despite its name, the Einstein 3 program is more genie than genius -- an omnipotent force (run by the NSA, courtesy of AT&T's "secret rooms") that does the government's bidding (spying). The last time around, this sort of scheme was known as the "special access" program. It should have been called the "unconstitutional access program."
Einstein 3 supposedly is meant to protect government networks from hackers. But cyber-security experts -- such as my client at the Government Accountability Project, Babak Pasdar, who blew the whistle on a mysterious "Quantico Circuit" while working for a major service provider -- agree that Einstein 3 offers no intrinsic security value. The program is implemented where servers exchange traffic between one another -- in the heart of a network system rather than at the perimeter, which interfaces with the outside world. This is similar to a home security system that only monitors the central interior of a house, rather than keeping an eye on the actual doors (and the purpose of hackers may simply be to enter).
Moreover, Einstein 3 focuses on collecting, processing and analyzing all person-to-person communications content rather than looking for hacker and malicious software attack patterns directed at government sites and installations -- which should raise eyebrows.
The prospect of NSA involvement in secret surveillance should set off alarm bells. The intelligence community lost any benefit of the doubt the last time it collected and read Americans' domestic e-mail messages without court warrants. Einstein 3 is based primarily on covert technologies developed by the NSA for the purposes of wiretapping.
The telecom companies also have lost their privacy creds. In a tacit admission that the proposed new program is problematic and probably illegal, AT&T has sought written assurances from the administration that it will not be legally liable for participating in the program. The company was sued over its role in aiding Bush's electronic eavesdropping on Americans and, along with other telecoms, received retroactive immunity from Congress for their lawbreaking.
Earlier incarnations of the Einstein program observe pre-determined signatures (specific patterns of network traffic), but Einstein 3 would look at the content of e-mails and other messages sent over government systems.
Additionally, while Einstein 1 and Einstein 2 passively observe information, Einstein 3 technology plans to use "active sensors." This is a tactic used by malware developers and is a popular feature of spyware that clogs up the Internet, slows down PCs and tips off hackers by emitting signals.
And most disturbingly, according to the Department of Homeland Security's 2008 "Privacy Impact Assessment," while earlier iterations of Einstein implemented signatures based on malicious computer codes, Einstein 3 could include signatures based on personally identifiable information. The privacy implications are great. Any citizen logging on to a ".gov" website would trigger this.
The IRS and other governmental agencies collect sensitive personal information for legitimate and limited purposes. However, strict confidentiality rules apply to that information. Although the Department of Homeland Security (another agency with a sordid history), which is managing the program, insists that the main focus is to identify malicious code, we've heard such empty reassurances before.
Media reports indicate that government officials recently acknowledged during closed meetings of the House and Senate Intelligence and Judiciary committees that Americans' e-mails that were improperly gathered or read during Bush's warrantless wiretapping program -- even under the relaxed 2008 intelligence surveillance law -- were not just an "incidental byproduct." According to a former NSA analyst and two intelligence analysts interviewed by the New York Times, the e-mails could number in the millions.
Further, a government review of the Bush wiretapping program, released Friday, questioned the effectiveness of the surveillance efforts.
President Obama's federalization of many private systems and his adoption of the Bush administration's spying tactics are on a collision course that would expose many Americans' private data and communications to government scrutiny. I suspect that the public would be appalled that a taxpayer's financial information or a patient's medical records would be available to, much less perused by, the NSA. There are far less invasive network defenses that can secure government computing environments, such as upgrading good old-fashioned firewalls and filtering routers.
Obama came into office vested with vast new surveillance powers, which he voted for while in Congress. Attorney General Holder, while painstakingly avoiding the word "illegal," called the original Bush snooping "unwise." But instead of trying to put the genie back in the bottle, Obama is considering expanding its power.
This is antithetical to basic civil liberties and privacy protections that are the core of a democratic society. Perhaps we can draw a lesson from the real Einstein, who ultimately regretted his role in urging the development of dangerous technology -- the atomic bomb -- and spent the rest of his life advocating against it.