
Ars editor learns feds have his old IP addresses, full credit card numbers - sinak
http://arstechnica.com/tech-policy/2014/07/ars-editor-learns-feds-have-his-old-ip-addresses-full-credit-card-numbers
======
dominotw
I was taken into a special investigation room at port of entry at O'Hare
Airport because I happened to live with 2 Muslim roommates (both of them had
Mohammed in their names) for a mere matter of 2 months. I was shocked to find
out that they knew where I lived, with whom (I was not even on the lease) for
the past 10 years, my complete travel itineraries every time I flew, all my
credit card numbers and who knows what else.

I am glad the general public is waking up to this finally.

~~~
mahranch
"_because I happened to live with 2 Muslim roommates_"

I just want to play devil's advocate for a moment; You say this nonchalantly,
but that's the most important bit of your statement. If one of those two
roommates were under investigation or were on some watch-list (for a valid
reason or not), you should _fully_ expect the FBI to keep tabs on those who
they were living with. That would include you. Now whether they were watching
your ex-roommates for a good reason is neither here nor there, but the fact
remains that the FBI wouldn't be doing their jobs if they didn't keep tabs on
you, someone whom they were living with.

~~~
x1798DE
> _Now whether they were watching your ex-roommates for a good reason is
> neither here nor there, but the fact remains that the FBI wouldn't be doing
> their jobs if they didn't keep tabs on you, someone whom they were living
> with._

This is patently untrue surveillance state propaganda. The job of law
enforcement is not to prevent any crime from ever happening by following
around _potential_ criminals or associates of possible criminals. The fact
that we're even OK with there being a watchlist at all is a bit disturbing to
me.

~~~
mseebach
No, that is actually the job of law enforcement. That is what Bruce Schneier
means when he talks about good intelligence work and good law enforcement work
as protection against terrorism, as opposed to security theatre.

Or, put another way: planning to commit a crime (criminal conspiracy) is
itself a crime. Being a suspect of a crime is a valid reason for law
enforcement to watch someone. Associating closely with someone who's part of a
conspiracy could very reasonably put you under suspicion for being part of the
conspiracy (although it's not evidence against you, of course).

Of course, the lines between when people are reasonably suspected of crimes
have been moved far and fast in the wrong direction and need to be pushed
back.

------
majke
This is the comment I wrote almost a year ago:
[https://news.ycombinator.com/item?id=6870933](https://news.ycombinator.com/item?id=6870933)

I was not aware the USA has so much information about every single travel.
According to this [1] they record everything.

- Amtrak
- trains in the EU (including seat numbers)
- bus travel in the EU
- plane travel in the EU on a carrier that doesn't fly to the US
- hotel reservations
- pedestrian border crossing

Everything.

[1] [http://hasbrouck.org/articles/Hasbrouck-Cato-2APR2013.pdf](http://hasbrouck.org/articles/Hasbrouck-Cato-2APR2013.pdf)

~~~
morsch
Thanks for the link. He presents solid evidence. The inspection notes from his
border crossings on the final pages are particularly chilling.

~~~
late2part
I can't find the actual inspection notes - can you tell me where to find them?

~~~
lepht
Check the last three pages of the linked PDF... pretty chilling stuff

------
coldcode
The article makes it sound like OTAs and airlines are to blame for what goes
into a PNR. Note that for decades the PNR was the only record of your requests
to buy a ticket, change seats, meals etc. Basically think of it as a database
record (in a flat database sort of way). Even in a modern environment the data
in SABRE and Amadeus and Travelport (the companies that provide the massive
databases for most all airlines in the world) still isn't much better than a
PNR. These systems date back to the 60's. What is disturbing is that the US
Government apparently demanded the entire PNR before the trip. For decades
PNR's were routinely deleted soon after the trip happened unless manually
extended (to provide for refunds). Apparently HS insisted that the entire PNR
be given to them without allowing any kind of scrubbing first. This is what is
ridiculous. But people who regard your data as their personal fiefdom could
care less about your security or privacy.

~~~
vitd
No, I think he has a legitimate claim that the airlines are putting too much
information into the database. His credit card number should not be in the
clear in the PNR database. That's just ridiculous.

------
opendais
This is just depressing, honestly. It is pretty clear they just want to
collect all of the data "just in case" you might one day become a suspect. :/

Sadly, unless you can convince the electorate to keep kicking people out until
things change...nothing will change.

~~~
logn
This issue is bigger than just voting in new politicians. It's on the order of
slavery, women's suffrage, the "trail of tears", prohibition, civil rights in
the South, etc. In other words, to rein in surveillance will take enormous
will on the part of the people to change deeply rooted systems of government
and power that reach far beyond any single politician.

Unfortunately I don't think the people have the will to change this currently
because the harm being done is so well hidden, even after Snowden's
revelations.

~~~
opendais
> This issue is bigger than just voting in new politicians.

If you kick out enough politicians in a Democracy, you get a completely new
majority government. We need to kick out about 55% of Congress.

~~~
logn
But aside from that you have corporations profiting from surveillance,
numerous gov't employees and contractors involved, judges receiving perks and
legal bribes, existing surveillance legislation and court precedent, state and
local employees/contractors (from traffic cops to fusion center workers) whose
work is based on surveillance data, foreign governments who do much of the
same the US does, a media that has been bought off and consolidated.

~~~
opendais
Yes. And with the right laws you can reduce that to reasonable levels.

~~~
maccard
A number of those laws already exist, but are ignored or have exploitable
loopholes. How do you know define reasonable assumption for getting a warrant
to search someone's home? If you need tangible evidence for that, then the
warrant is basically pointless because you have what you need already.

PCI compliance for instance is clearly being violated here, as are numerous
data protection acts; the issue is that nobody is accountable for it.

~~~
opendais
> A number of those laws already exist, but are ignored or have exploitable
> loopholes.

You need to replace Congress to close loopholes. You need to replace the
President & Congress to replace the Supreme Court & enforce the laws.

Seems all politics to me.

~~~
rurban
And what to do with the executive? And what do you with the legislative? Only
the supreme court can be replaced by politicians.

There's no other way out than start telling people the truth. Which might
start with independent media and education. But US people are already even
more indoctrinated than in the 30ies with Goebbels.

Seems all press and misinformation to me.

~~~
opendais
> And what to do with the executive? And what do you with the legislative?
> Only the supreme court can be replaced by politicians.

Read up. :/ I already said that.

> Which might start with independent media and education. But US people are
> already even more indoctrinated than in the 30ies with Goebbels.

That's ridiculous.

------
ilaksh
Clearly this is not a valid system that we can tolerate.

I think that the internet is key to making the most dominant systems
irrelevant which will make way for more compositional, less hierarchical, and
more open, structures and systems. Theoretically those dominant systems have
already demonstrated their irrelevance, we just need to make that a practical
reality.

We need alternative internets in order to do that.

A more diverse information infrastructure may be key to providing not only
personal privacy but also security.

~~~
olefoo
> I think that the internet is key to making the most dominant systems
> irrelevant

That has been the rhetoric, but the practical application seems to be
centralizing to one or two dominant players in a given market. From an
economic perspective the frictionless nature of the internet and the limited
attention span of the humans that use it seems to result in one platform
outperforming all others and leads in customer acquisition fading slowly if at
all.

Having alternate internets might increase the friction enough to encourage
diversity; but the end users' desire to use the "best" solution for their
problems will probably result in these alternate internets being knit
together.

In sum. There are forces at work that your solution does not address.

~~~
ilaksh
What forces and how do you address them?

~~~
olefoo
The stubborn refusal of humans to act as though they were identical
frictionless spherical humanoids of uniform density and heat transfer
characteristics. And their stubborn insistence on acting like self-interested
jerks who put their own comfort, well-being and survival well ahead of the
interests of any of their conspecifics; much less any other animals sentient
or otherwise.

------
staunch
"People don't like to be meddled with. We tell them what to do, what to think,
don't run, don't walk. We're in their homes and in their heads and we haven't
the right. We're meddlesome." -- River Tam

------
dm2
Does submitting a FOIA request make any of that information public?

Would I have to submit a FOIA request to all agencies to get a comprehensive
list of my information?

I personally think that this should be required for private businesses as
well. I would like to see all information Google, Amazon, Facebook, LinkedIn,
etc has about me, I think I should have the right to know that information
too.

~~~
greenyoda
I seem to remember that companies may be required to show you their data about
you under European privacy laws (which are much stricter than in the US).
There was a story a while ago of someone submitting such a request to Facebook
and getting back a PDF file containing hundreds of pages.

~~~
dm2
VERY interesting...

[http://nakedsecurity.sophos.com/2011/11/17/facebook-clenches...](http://nakedsecurity.sophos.com/2011/11/17/facebook-clenches-fists-around-users-data-in-midst-of-irish-audit/)

[http://bits.blogs.nytimes.com/2013/11/12/in-europe-thousands...](http://bits.blogs.nytimes.com/2013/11/12/in-europe-thousands-of-requests-for-facebook-data/)

[http://www.zdnet.com/blog/facebook/reddit-users-overwhelm-fa...](http://www.zdnet.com/blog/facebook/reddit-users-overwhelm-facebook-with-data-requests/4165)

[http://www.geek.com/news/facebook-stores-up-to-800-pages-of-...](http://www.geek.com/news/facebook-stores-up-to-800-pages-of-personal-data-per-user-account-1424807/)

We need more of this. People have the right to know. I'm sure much of this
data comes from them purchasing it from other sources (companies that go out
of business, LexisNexis, other "partners"). Actually I think people should
also have the right to request that companies delete this data permanently,
but good luck getting that bill passed.

I wonder if the percentage of people who closed their Facebook account
spiked after receiving this information.

I've built data-mining / warehousing systems for companies before, if I didn't
do it they would fire me and someone else would build it. Consumer protection
and privacy laws are important and lacking, just my opinion of course.

~~~
Qantourisc
I wonder if they have a file on me, even though I don't use Facebook and a lot
of blocking tools. Anyone tried? Not even sure how to request the data, when
you have no account.

~~~
dm2
Probably.

Friends and family install the Facebook mobile app, all of their contacts are sent
to Facebook which includes your phone number and email addresses. More data is
gathered from other random sources online. Possibly even pictures from your
college or mugshots.

Just imagine the data that was taken from the people who installed that
LinkedIn "send all of your email through us" app.

------
ewang1
I wonder if the government can be fined for violation of PCI. Or perhaps the
airline companies for providing it to the gov't in the first place.

~~~
iancarroll
As I understand it, you will only be fined contractually as part of a card
acceptance agreement, so the government can't be charged.

~~~
SilasX
But since the government accepts electronic payment cards ...

~~~
iancarroll
I'm pretty sure there's a scope to those agreements.

------
pbreit
The alternative is slightly higher risk of some sort of incident? I think I'd
prefer that =my= government not spy on me.

------
greenyoda
Duplicate of:
[https://news.ycombinator.com/item?id=8057315](https://news.ycombinator.com/item?id=8057315)

~~~
josephlord
Yeah I guess my title or my timing was off, this version got much more
interest.

------
iancarroll
Is this not against PCI at all?

~~~
wefarrell
PCI isn't a law.

~~~
iancarroll
PCI might not be a law, but you will get large fines from who you process
with, sometimes monthly!

[http://www.pcistandard.com/pci-standard/card-association-fin...](http://www.pcistandard.com/pci-standard/card-association-fines/)

------
jusben1369
Feds not feds. Lower case is a totally different and real word. So sloppy.

~~~
bequanna
Does it matter? Given the context, 99.9% of people will infer the correct
meaning regardless of the capitalization.

~~~
jusben1369
It's so lazy and presumes all readers are speaking English as their first
language.

