Tag Archives: Medill Washington

ISIS beheading videos used as clickbait to draw ‘frustrated achievers’ to its ranks

Medill Professor Josh Meyer (left), moderates a discussion between Richard Andres (center) and Omer Taspinar, both professors at the National War College in Washington D.C. (Mary Cirincione/MEDILL)

Gap between aspirations and expectations leaves Western Muslim youth open to radicalization

WASHINGTON—The global reach of ISIS has left an indelible mark on the media worldwide, providing cautionary tales on the susceptibility of western Muslim youth as some young people leave their homes to join terrorist ranks abroad. Drawn by a savvy use of social media and digital propaganda, their shared story is becoming more common.

“Social media has spread radicalism globally to people who normally wouldn’t be exposed to it,” according to Richard Andres, a professor of national security strategy at the National War College. The ease of access made possible by 140-character tweets, messages and videos has created a new playing field, he said, enabling terrorist organizations to penetrate groups of dissatisfied people en masse.

Authorities picked up three Denver teens en route to Syria last fall, while another three fled East London in February. All six were active online, maintaining Facebook and Twitter accounts where they interacted with extremist points of view.

“Social media click-washes you over time,” something Andres likens to brainwashing. This process pulls readers and viewers “further and further toward the extreme” with every click, he said.

Speaking at a National Press Club event Monday sponsored by the Medill National Security Journalism Initiative, Andres said those initial clicks are fueled by innate prejudices: “We’re attracted to things that confirm our biases.” It’s a slippery slope from there as social media users access more content aligned with a single view point, he said. “Like a cult, it will isolate you … making you more and more extreme.”

That’s all part of its strategic approach, he said. Those brutal beheading and execution videos regularly released by ISIS were never part of the endgame. They’re clickbait.

“We like sensation. Human beings are attracted by sensation and so people tend to click on the more sensational link,” Andres said. Once they do that, ISIS can further its primary mission by “linking those social media users with major headlines and gain legitimacy.” That means linking to real stories describing the group’s presence, violence and aims.

According to a study released late January by the International Centre for the Study of Radicalisation and Political Violence, one-fifth of all foreign fighters joining ISIS are westerners. Of an estimated 20,000 worldwide, more than 4,000 recruits have come from Europe, while 100 have come from the U.S. Young Internet users appear to account for the majority.

Speaking at the same event, Brookings fellow Omer Taspinar described a crisis of identity, as some young Western Muslims appear integrated into their communities, but in reality suffer degrees of alienation. “They don’t feel that they belong to their immigrant groups, or their parents’ generation … They have an identity problem and in that sense they feel uprooted, that they don’t belong anywhere.”

At that point it becomes an issue of relative deprivation, Taspinar explained. These radical teens aren’t uneducated or down-trodden. Most are bilingual, even trilingual. “The evidence that we have from profiling terrorist groups is that most of the time, masterminds [and] people who are successful terrorists … are not really poor. They’re middle class and they’re educated,” Taspinar said.

But their grievances are real and they’re wildly discontented, he added. Many are either unemployed or underemployed, leaving them vulnerable to clickbait propaganda. “There’s a growing gap between expectations and opportunities,” Taspinar said. Increasing rates of education in Europe coupled with unemployment problems have resulted in broad dissatisfaction.

“So they’re looking for something bigger than themselves. [They’re] looking for a cause to attach themselves to.” And that cause is the self-proclaimed Islamic State, Taspinar said, as youths embrace the rise of a caliphate as their reason for being.

Will a new China-led investment bank be a responsible stakeholder environmentally? Experts weigh in

WASHINGTON — After several European allies applied to join the Asian Infrastructure Investment Bank this week, U.S. officials have begun to soften their critical view on the China-backed initiative.

“We do not ask any country to choose ties with the U.S. to the exclusion of anyone else,” Deputy Secretary of State Tony Blinken said Tuesday in a speech at the Brookings Institution, the centrist think tank.

Tony Blinken talks about China’s role in Central Asia development

Blinken restated the White House’s earlier concerns about the standards the China-backed bank will use for making decisions. Treasury Secretary Jack Lew also remarked at a congressional hearing last week that anyone joining the AIIB needs to ask those questions.

The AIIB’s operation plan won’t be revealed until later this year. But it is said the bank will model itself after existing development banks, giving founding members the most voting power. China will also reportedly give up veto power, which eased concerns from many countries.

Blinken worries the AIIB could “dilute the standard” of existing institutions

On one front, the environment, the AIIB is not a copy of the World Bank

In the “Environmental and Social Framework” released last June, the World Bank sets specific requirements on labor and working conditions, resource efficiency and pollution protection, community health and safety, and three other categories of environmental and social standards. All are mandatory in order to reduce poverty and increase prosperity in a sustainable manner worldwide, the World Bank asserts.

Chen Bin, a commentator in the outspoken Chinese newspaper, Southern Weekly, however, said it’s “inconsiderate” to ask AIIB to stick to and carry out these criteria.

China’s Finance Minister Lou Jiwei said at a recent Asia-Pacific Economic Cooperation meeting that the bank is aimed at promoting connectivity among Asian countries, through commercial infrastructure investment instead of poverty reduction.

Largely commercial, AIIB sets itself apart from the World Bank and the Asian Development Bank, led by Japan, both committed to public welfare. This leaves more space as well as questions in how the bank will select the programs and infrastructures in which to invest.

“The World Bank and other existing multilateral development assistance organizations have strong rules to promote sustainable and inclusive growth,” said Scott Kennedy, director of Project on Chinese Business & Political Economy at the Center for Strategic and International Studies. “China’s bilateral foreign assistance to date is filled with examples where there has been insufficient attention to protecting the environment and ensuring safe and fair treatment of workers. And a substantial portion of this aid has benefitted Chinese companies. Hence, there is good reason to have some concerns about how the AIIB will operate,” he said.

AIIB currently has 30 prospective founding members, including Great Britain, France, Germany and Italy. Seventeen other countries and regions, including Australia and Taiwan, have yet to be approved. The final list will be confirmed on April 15.

Retired officer: US let ISIS gain foothold in Iraq

David Gregory (left) moderates a discussion concerning the rise of ISIS with retired Army Col. Peter Mansoor at American University on Wednesday, April 8. Mansoor said that the takeover of ISIS is a direct result of the U.S. decision to invade, and then leave Iraq in the 2000s: “Al-Qaida was defeated during the surge in 2007-2008 – not destroyed.” (Mary Cirincione/MEDILL)

Whatever headway the U.S. gained in Iraq following the 2007 surge has for the most part come undone — paving the way for the rise of the self-described Islamic State.

That’s the assessment of retired Army Col. Peter Mansoor, who had a front-row seat for the surge in his capacity as executive officer to retired Army Gen. David Petraeus in Iraq from 2007 to 2008, the culmination of Mansoor’s 26-year Army career.

When the last U.S. troops left Iraq on Dec. 18, 2011, following several years of drawdowns, al-Qaida was defeated, but was not irrevocably destroyed.

“We had al-Qaida down on the 10-count, and we let it off the mat,” Mansoor said.

And, he added, from those not-quite-extinguished ashes rose the Islamic State, also known as ISIS or ISIL.

Encryption Becomes a Part of Journalists’ Toolkit

TEXT AND PHOTOS BY J. ZACH HOLLO FOR THE GROUNDTRUTH PROJECT & REPRINTED WITH PERMISSION.

WASHINGTON — When whistleblower Edward Snowden used an email encryption program called PGP to contact documentary filmmaker Laura Poitras, only a tiny fraction of journalists used it. The precaution, designed to scramble messages so only the sender and receiver can read them, was essential for Snowden to leak the information.

The series of stories that followed shocked the world and radically altered the way people think about government surveillance and the Internet. Now, encryption is becoming a standard item of the journalism toolkit, a must-have for anyone hoping to report on sensitive issues that might upset institutions of power. It was also the subject of a workshop recently held at Northwestern’s Medill newsroom in Washington, DC, which walked about 15 journalists through the basic software installations involved in setting up PGP, which is short for “Pretty Good Privacy” and ironically named after a grocery store in Garrison Keillor’s fictional town of Lake Wobegon.

Aaron Rinehart displays the GPG encryption download suite for those at the workshop to follow along. (J. Zach Hollo/THE GROUNDTRUTH PROJECT)

For Aaron Rinehart, one of the workshop’s leaders, the goal is to protect the relationship between journalists and their sources, “to get journalists confident using these tools so sources feel they can give them information safely,” said Rinehart. Without that possibility, he said, the Fourth Estate could be fundamentally crippled.

And it’s not just the NSA journalists and sources need to protect themselves from, warned Rinehart. He used an example of a story exposing pharmaceutical malpractice. “It’s not that sexy of an issue, right? But just think of the potential adversaries.” There’s the government whose regulators screwed up, the drug companies who are poisoning people, and their stakeholders who don’t want to lose profits. With any story, there are likely a host of people who want to hack the journalist and sources to prevent the information from being aired.

The workshop was taught by Rinehart and digital security advisers David Reese and Ferdous Al-Faruque. Rinehart and Reese recently founded TestBed Inc., a technology consulting company. And Al-Faruque is a master’s journalism student at the University of Missouri who said he wants to establish a class there on encryption and cyber security.

Rinehart, who spent time in Djibouti while serving in the Marine Corps, said his motivation for putting on the workshop came from a time when journalism salvaged his college career. “The media saved me,” he said. About a decade ago, Rinehart faced a bureaucratic nightmare at the University of Missouri, when he returned from serving abroad and was not permitted to complete his studies. A local paper led an investigation into the problems veterans were having there, and the university changed policies. Since then, Rinehart said he tries to do all he can to help journalists.

Of the reporters who attended, many are intent on investigative work like the kind that exposed the NSA’s mass, indiscriminate surveillance. “Since I cover national security and defense, I would definitely use this to coax sources to communicate with me or send me documents that they don’t want their government or our government to see or know about,” said Kristina Wong, a reporter for The Hill.

But others also attended, including a cryptologist who said he comes to events like this out of professional interest, and a human rights worker.

“In a lot of countries, activists and human rights defenders especially are really targeted,” said Sarah Kinosian, who monitors American security assistance in Latin America for the Center for International Policy. “So we want to make sure [victims] can pass documentation to us in a safe way.”

The workshop began with Rinehart and Reese playing a segment of Citizenfour, Poitras’s documentary on Snowden and government surveillance that recently won an Academy Award.

“I would like to confirm out of email that the keys we exchanged were not intercepted and replaced by your surveillance,” a narrator said, reading Snowden’s correspondence with Poitras as a line of ominous tunnel light split darkness on the screen. “Please confirm that no one has ever had a copy of your private key and that it uses a strong passphrase.” Rinehart interjected: “That is what we will be teaching you today.”

He then spoke for a while on the importance of responsible password management, recommending a program called KeePass, before moving on to downloading email client software and installing extensions designed to encrypt communications.

The way it works can seem daunting and complex, especially for anyone not tech-savvy. The email extension, called GPG or PGP, generates both a public and private key for each user. When PGP is used to send an email, the sender uses the receiver’s public key to encrypt the contents of the email so only the receiver’s private key can decrypt it.

Also on the other end, the receiver can see that the sender’s identity is confirmed. A public key is just what it sounds like: something meant to be made public along with an email address so the owner can be contacted by anyone. The private key must be kept secret by the owner, and is used to decrypt messages sent using his or her public key.

In essence, it’s the same concept as email. Anyone can send a message to someone but only that someone can read it. But encryption makes it nearly impossible for that message to be intercepted. And while subpoenas can force Google or Yahoo to turn over people’s emails, PGP makes it impossible for Google and Yahoo to read the messages, so they’d be turning over incoherent nonsense (although it is still possible to see who the sender and receiver are, and the subject line of the email is not encrypted. Ergo, aliases are commonly used once initial contact is made).
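The limits described above (the body is scrambled, but sender, receiver and subject are not) can be checked before a message is sent. The following is an added example, not part of the original article or of any tool it mentions: it parses a message the way a mail provider would see it and reports what remains readable. The function names, addresses and placeholder ciphertext are constructed for illustration.

```python
from email import message_from_string

ARMOR_BEGIN = "-----BEGIN PGP MESSAGE-----"
ARMOR_END = "-----END PGP MESSAGE-----"

# Headers that travel in the clear whether or not the body is PGP-encrypted.
METADATA_HEADERS = ("From", "To", "Cc", "Subject", "Date")

# Constructed sample: inline-PGP message with a descriptive subject line.
SAMPLE_INLINE = (
    "From: source@example.org\n"
    "To: reporter@example.com\n"
    "Subject: Documents about the drug trial\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "-----BEGIN PGP MESSAGE-----\n"
    "\n"
    "(constructed placeholder standing in for ciphertext)\n"
    "-----END PGP MESSAGE-----\n"
)

# Constructed sample: encrypted text plus an attachment that was NOT encrypted.
SAMPLE_MIXED = (
    "From: source@example.org\n"
    "To: reporter@example.com\n"
    "Subject: hello\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "-----BEGIN PGP MESSAGE-----\n"
    "\n"
    "(constructed placeholder standing in for ciphertext)\n"
    "-----END PGP MESSAGE-----\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    'Content-Disposition: attachment; filename="notes.txt"\n'
    "\n"
    "meeting at noon\n"
    "--b1--\n"
)


def is_armored(text):
    """True if the text is nothing but one ASCII-armored PGP message."""
    body = text.strip()
    return body.startswith(ARMOR_BEGIN) and body.endswith(ARMOR_END)


def provider_view(raw):
    """Report what an intermediary holding this message can read."""
    msg = message_from_string(raw)
    metadata = {h: msg[h] for h in METADATA_HEADERS if msg[h]}

    encrypted_parts = 0
    cleartext_parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers hold no content of their own
        if part.get_content_type() == "application/pgp-encrypted":
            continue  # PGP/MIME control part ("Version: 1"), not content
        payload = part.get_payload(decode=True) or b""
        if is_armored(payload.decode("utf-8", errors="replace")):
            encrypted_parts += 1
        else:
            cleartext_parts.append((part.get_content_type(), part.get_filename()))

    warnings = []
    if metadata.get("Subject"):
        warnings.append("Subject is readable by the mail provider")
    if cleartext_parts:
        warnings.append(f"{len(cleartext_parts)} part(s) not encrypted")
    if encrypted_parts == 0:
        warnings.append("no PGP-encrypted content found")

    return {
        "metadata": metadata,
        "encrypted_parts": encrypted_parts,
        "cleartext_parts": cleartext_parts,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for name, raw in (("inline", SAMPLE_INLINE), ("mixed", SAMPLE_MIXED)):
        report = provider_view(raw)
        print(name, report["metadata"], report["warnings"])
```

The sender and receiver addresses appear in the report for every message, which is why the article notes that aliases are used once initial contact is made.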

Encryption’s complexity has deterred it from becoming widespread, even in newsrooms. “At The Hill, not many people use it at all,” said Wong, something many would deem troublesome given the publication’s focus on politics and aim to bring transparency to Washington.

But most people agree the complexity is in the technical details behind the process, not in its application. “The world of cryptology and algorithms and coding that goes into encryption tools is difficult for just about anyone to comprehend,” Rinehart said. “But using the tools is quite simple for people who take the time to learn.”

While the majority of journalists still do not use encryption, it is becoming common practice for many organizations who do investigative work. The New Yorker, The Intercept, Washington Post, and ProPublica are a few of the early sign-ons for SecureDrop, a new encryption system for journalists designed by the Freedom of the Press Foundation and originally coded by Kevin Poulsen and the late Aaron Swartz. Gawker is another publication that uses it, showing encryption may become more widespread for groups focused on less hard-hitting subjects as well.

[Editor’s note: This piece originally appeared in The Huffington Post.]

Minimizing your digital trail

WASHINGTON — In popular culture, going “off the grid” is generally portrayed as either unsustainable or isolated: a protagonist angers some omniscient corporate or government agency and has to hole up in a remote cabin in the woods until he can clear his name or an anti-government extremist sets up camp, also in the middle of nowhere, living off the land, utterly cut off from society at large.

But is there a way to live normally while also living less visibly on the grid? What steps can you take to reduce your digital footprint that don’t overly restrict your movements?

What is a digital footprint?

Your digital footprint is the data you leave behind when you use a digital service—browse the web, swipe a rewards card, post on social media. Your digital footprint is usually one of two classifications: active or passive.

Your active digital footprint is any information you willingly give out about yourself, from the posts you put up on Facebook to the location information you give to your local mass transit system when you swipe your transit pass.

By contrast, your passive digital footprint is information that’s being collected about you without your express knowledge or authorization, for example, the “cookies” and “hits” saved when you visit a website. When you see personalized ads on Google, for example, those are tailored to you through collection of your personal preferences as inferred through collection of your passive digital footprint.

To assess my digital footprint, I looked through my wallet, my computer and my phone.

The footprint in your wallet

First, the wallet: I have several rewards cards, each representing a company that has a record of me in its database that shows how often I shop and what I buy, which is linked to my name, address, email and birthday—plus a security question in case I forget my password, usually my mother’s middle name.

While I would consider this information fairly benign—they don’t have my credit card information or my Social Security number—these companies can still make many inferences about me from my purchases. CVS, for example, could probably say fairly accurately if I’m sick based on my purchase of medications, whether I’m sexually active based on birth control purchases and any medical conditions I may have based on my prescription purchases.

If I wanted to minimize my digital footprint, I could terminate all my rewards accounts and refrain from opening any more. For me, though, it’s worth allowing these companies to collect my information in order to receive the deals, coupons and specials afforded me as a rewards member.

Next up is my transit pass, which is linked to my name, local address and debit card. The transit authority has a record of every time I swipe my way onto a city bus or train, a record of my movements linked to my name.

A minimal-footprint alternative to a transit pass is single-use fare cards. If purchased with cash, they would leave no record of my travels linked to my name. While this, like the rewards cards, is feasible, it’s far less convenient than the pass —so much less so that again I’m willing to compromise my privacy.

My debit card and insurance card are the two highest-value sources of personal information, but both are utterly necessary—living half a country away from my local credit union, I need my debit card to complete necessary transactions. My medical insurance card, relatively useless to identity thieves unless they have an ID with my name on it, does represent another large file in a database with my personal information—doctors’ visits, prescriptions and hospital stays for the past several years. People with just the physical card, not my license or information, can’t do much with that, but if a hacker gets to that information it could be very damaging.

No driver’s license? No credit card?

To minimize my digital footprint, then, I could pare down my wallet to just the absolute necessities—my insurance card, debit card and my license.

Computer footprint

If I’m guilty of leaving a large digital footprint, all my worst infractions probably happen across the Web.

Between Facebook, Twitter and Pinterest, I’ve broadcast my name, picture, email, hometown and general movements, if not my specific location, on each of those sites. Of the three, Facebook certainly has the most comprehensive picture of my life for the past seven years—where I’ve been, with whom, what I like and what I’m thinking.

If I wanted to take myself as far off the grid as feasible, simply deactivating the accounts wouldn’t work—Facebook keeps all your information there for you to pick up where you left off. You can permanently delete it with no option for recovery, but some information isn’t stored just on your account—messages exchanged with friends, for example, or any information shared with third-party apps.

If you keep using social networking sites, privacy policies change frequently, meaning that even if you choose the most restrictive privacy settings, you often have to go back and re-set them whenever the company changes its policy. Apps complicate things even further, farming out much of your information to third-party companies with different privacy policies.

Even if you’re vigilant about your privacy settings and eschew apps, your profile is only as private as your most public Facebook friend, said Paul Rosenzweig, a privacy and homeland security expert.

When shopping online, it’s important to check the privacy statements and security policies of the companies you’re using. If possible, purchase gift cards to the specific retailer or from credit card companies and use those to shop, so you don’t leave your credit card information vulnerable to breaches like that of Target.

I know that email is not my friend when it comes to online privacy, but I can’t operate without it. I use Gmail on Google Chrome for my email, so I installed Mymail-Crypt. It’s one of several “Pretty Good Privacy,” or PGP, encryption programs. Using it, my messages appear to be a jumbled bunch of letters until the recipient decrypts them using their private key. I can save my public key to a key server, like the aptly named Keyserver, where it’s searchable by my email or key ID. I can then link to it on my personal profiles such as Facebook or LinkedIn. People can then send an encrypted email to me using my public key that cannot be read without my private key to unlock it. I’ve also started encrypting my G-Chats using Off the Record chat.

Email can be used against you. Phishers have started to send more sophisticated emails imitating individuals or companies you trust in order to convince you to give up information like your Social Security number or credit card data. Drew Mitnick, a junior policy counselor at digital rights advocacy group Access Now, said you need to be vigilant no matter what you’re doing on the internet.

“Ensure that whoever you’re dealing with is asking for appropriate information within the scope of the service,” he said. In other words, Gap shouldn’t be asking for your Social Security number.

To limit cookies and other data collection during your Internet use, you can open incognito windows in Google Chrome. In incognito mode, the pages you view don’t stay in your browser or search histories or your cookie store—though your Internet service provider and the sites you visit still have a record of your browsing.

Finally, encrypt your hard drive. Privacy laws vary from state to state and country to country, so the best way to ensure that you’re protected no matter where you are is to encrypt your computer and be careful not to leave it where someone can mess with it, said Mitnick.

Phone footprint

Another source of vulnerability for many people is a smartphone. As long as you have a phone, you’re on the grid—phone companies can triangulate your position using cell phone towers and location services, and they log your calls. Beyond that, though, there are steps you can take to limit information people can access about you using your phone.

First, be judicious when installing apps. Carefully read the permissions an app requires for installation, and if you’re uncomfortable with them, don’t install it! Read privacy policies and terms of use so you know what data the app keeps on you.

Because I have a Windows phone, many of the basic apps (alarms, maps, Internet Explorer, music, and Microsoft Office) are Microsoft apps and use their terms of use and privacy policy, which is pretty good about not sharing my information with third parties. They also delete your account data after you delete their app, though it may take a few weeks.

I have several social apps, such as the aforementioned Facebook and Pinterest, for which the privacy settings are fairly similar to their desktop counterparts—not very private—with the added bonus of them now having access to my location and phone number. It’s entirely possible—and advisable, if you’re trying to leave a minimal footprint—to live without these apps, but I choose not to.

I’m selective about the apps I install on my phone. Aside from the apps that come with the phone and my social media apps, I only have Uber—and that has a lot of access to my phone. According to the app information, Uber can access my contacts, phone identity, location, maps, microphone, data services, phone dialer, speech and web browser. That’s a lot, and not all of it seems necessary—why does Uber need my contacts? Again, though, I chose to compromise my privacy on this one because the convenience, for me, outweighed the risk.

A precaution I’ve always taken is turning off my location service unless I need it. While my cell phone company can still track me, this prevents my apps from accessing my location. I don’t need Pinterest or Facebook to know where I am to get what I want out of the app, so I don’t provide that information to them.

One of the projects Access Now has been working on is “super cookies”—when you use your cell phone, the cell companies can attach unique identifiers to your browsing as you go across multiple sites. Many companies don’t even offer opt-outs. AT&T has now stopped using super cookies, but other companies still do so.

If you don’t already, use two-step verification whenever possible to ensure that no one but you is logging onto your accounts. This process, used by Gmail, has you enter your password and a one-time numerical code texted to a phone number you provide.

Set a passcode to your phone if you haven’t already, and make it something people couldn’t easily guess—don’t use your birthday, for example. I’ve started using random numbers and passwords generated for long-defunct accounts like my middle school computer login that I memorized years ago but that can’t be linked back to me.

Amie Stepanovich of Access Now suggested using four unrelated words strung together for online account passwords—they’re even harder to hack than the usual suggestions of capital and lowercase letters, symbols and numbers.

One final precaution you can take is to encrypt your device. Apple has already started encrypting its phones by default, and Google has promised to do so. Regardless, you can turn on encryption yourself. I have a Windows phone, which does not allow for easy encryption—in fact, I can’t encrypt my SD card at all. To encrypt my phone, I need to log in to Office 365 on my laptop and change my mobile device mailbox policies to require a password, encryption, and an automatic wipe after a number of passcode fails I choose. I then log into Office 365 on my phone to sync the new settings. It’s much more straightforward for an Android—just go to settings, security, and choose “Encrypt phone.”

Off the grid? Not even close

For me, and most people, it’s not feasible to live entirely off the grid. Between my debit card, various online accounts and smartphone, I pour my personal data into company and government databases every day. The trick is to live on the grid intelligently, only providing the information that is necessary and taking steps to protect your devices from unauthorized access.

FAA backed away from proposing privacy regulations for drones – but that might be a good thing, experts say

WASHINGTON—When the Federal Aviation Administration released its proposed “framework of regulations” for governing the commercial use of small unmanned aircraft systems last month, people were surprised. After years of failing to act on a 2012 congressional order to develop regulations, the FAA’s proposal seemingly fell from the sky – unexpected, and as it turns out, an unexpected gift to the drone community.

But noticeably missing from the proposed regulations? Privacy.

And the FAA owned up to it. In a privacy impact assessment issued along with the proposed framework, the agency stated that it “acknowledges that privacy concerns have been raised about unmanned aircraft operations. … These issues are beyond the scope of this rulemaking.”

That makes sense, according to Matt Waite. Privacy is not in its wheelhouse.

“The FAA has said all along that it is not a privacy organization – It is an aviation safety organization. They don’t have the experience or the skill[set] to be in the privacy business,” Waite added.

A professor of journalism and founder of the Drone Journalism Lab at the University of Nebraska-Lincoln, Waite said that the FAA more or less intentionally walked away from building privacy regulations into its proposal. “They had been talking about it and had been claiming that that was the reason it was all being delayed [as] they were considering privacy regulations … But ultimately, nothing.”

Waite said that the implications of that choice suggest that states are going to have to make up the difference.

“The FAA has wisely backed off all privacy issues [because] there’s no need for a new federal privacy bureaucracy [when] states already have protections in place,” said Charles Tobin, a privacy rights lawyer and partner at Holland & Knight.

“The laws that are on the books are all technology agnostic. They apply to computers, they apply to still cameras, they apply to wireless microphones, they apply to video cameras … and there’s no reason that they can’t be applied – as already written – to UAVs,” Tobin added.

He said he understands why people are concerned, but suggests we look to history for any insight we might need. “Since the turn of the century, people have expressed concerns about every single new phase of technology [that has been] developed to allow people to gather information in public places and private places, and so over the decades, states have developed a strong series of statutes and precedents in the courts that deal with electronic surveillance, eavesdropping, trespassing and just about any other concern for invasion of privacy.”

To add additional statutes would be more than redundant, Tobin said. It would be confusing for everyone involved. It also leaves the possibility that one law could potentially violate the other.

While recognizing that the FAA made the appropriate call when it chose to step aside, Tobin said the baton has simply been passed on down the line. A presidential memorandum issued the same day as the FAA’s proposed regulations relays the responsibility to “develop a framework regarding privacy, accountability, and transparency for commercial and private UAS use” to the Department of Commerce. The memo states that the department must initiate a “multi-stakeholder engagement process” within 90 days of the memo’s release – so it must begin work by mid-May. According to Tobin, “the development of private industry best practices” by the Department of Commerce is a positive step – but it should avoid stepping further.

Government trying to involve itself in the regulation of a specific piece of technology is just a terrible idea, Waite said. “As we are already seeing, the government lags way behind technology when it comes to laws that would deal with that technology. It’s taken the FAA a long time to come up with rules for these drones and they’re flying around right now. They’re being used for commercial purposes even though the FAA says, ‘No, you can’t do that.’” Law will forever lag behind technology, he said.

“So if that’s the case, then legislatures and policymakers need to acknowledge and accept that and begin to craft rules that are technology agnostic,” Waite added. Because therein lies the solution to any concerns that privacy might be invaded.

Waite said that the key is deciding what we don’t want people to do – what we need to prevent from happening. “We need to start thinking about what we consider a reasonable expectation of privacy in our modern times. And if that’s not allowing [me to] photograph [someone] streaking in their backyard, then that’s great. We can say I can’t do that. But it shouldn’t matter how I do that, [just that] you don’t want me to do it.”

It’s about understanding what we’re offended by. And then realizing that if privacy was violated, then how it was done is unimportant, he added.

The drone-related privacy concerns of the average American are actually pretty obvious, Waite said. They’re afraid of a drone operator peering into their windows like a 21st Century peeping tom, or using them to stalk and harass people. And they’re also afraid that someone might gather information about them and their behaviors.

Amie Stepanovich, senior policy counsel for privacy advocacy group Access Now, said these concerns are genuine because drone technology is in a league of its own. “Drones have [the] capacity to bring a bunch of different surveillance technologies onto a singular platform and to reach into areas that other vehicles have not been able to get to. For example, up into very high buildings or into inside spaces.”

But many of the acts people are fearful of are actually crimes, Waite said. They’re already illegal. “It is illegal for you to fly up and peer in[to] someone’s window, those peeping tom laws already handle that.” He admitted that some states aren’t as advanced as others because they require that an offender physically be on the property to be prosecuted as a peeping tom. “[But] that doesn’t take a great leap of mind to fix that real quick,” he added.

Gathering information through surveillance is a different issue, however, one steeped with potential for abuse. Stepanovich said that limitations should be put in place to restrict the ways in which government agencies can use drone technology. “It’s highly advanced and gives them a great deal [of] increased capability and can be used to collect a great deal of information,” she said.

“We need things that will, for example, protect users’ location information from being collected and tracked. … It comes back to tracking people over time without a warrant and being able to pinpoint their exact location. And this is true with drones but … there are several other different kinds of technologies that are coming out. And we need to make sure that that information is adequately protected.”

The presidential memo issued in conjunction with the FAA’s proposal states that agencies must “comply with the Privacy Act of 1974, which, among other things, restricts the collection and dissemination of individuals’ information that is maintained in systems of records, including personally identifiable information.”

The White House’s assurance that government agencies will be held accountable to legacy privacy standards is a good thing, Stepanovich said, but she recommends further attribution and transparency.

“The FAA has a publicly accessible database of who is able to fly airplanes in any specific geographic area in the United States. But they haven’t made a similar commitment to do that for drone operators,” Stepanovich said. She calls that a double standard.

People won’t know which agency, company or person is behind the remote of the drone flying over their homes. They’re already fearful, so that’s not the best way to go about this, Stepanovich added.

“And so the FAA definitely has a role to play in protecting privacy,” and she recommends the agency operate a full registry. “We’re talking about transparency, requiring that drone users register what technology they are deploying on their drones, and what capacity these drones will have. This just gets at making sure people are aware of what’s going on in their own area,” she added.

“But it should be up to Congress and other agencies to ensure that users don’t violate one another’s privacy rights.” That requires a separate law, but Stepanovich said it would be a mistake to make a new law for a singular piece of technology.

Like Waite and Tobin, she advises technology agnosticism when it comes to lawmaking. Because technology changes frequently. And for that same reason, Stepanovich said the drone privacy debate is an important one: “It will definitely be worth paying attention to because it’s really deciding the future of this technology in the U.S.”

All three agree that the next 24 months will be very exciting. “We’re sort of in the early years of the Wild West stage here, where the rules and the court cases [haven’t happened] yet,” Waite said. “But things are going to happen and they’re going to be tested in court and they’re going to be squared to our constitutional values and when they are, we’ll actually have a fairly stable system.”

“But until then you’re going to have some crazy stuff going on,” Waite added. “You’re going to see people doing things that were never envisioned and you’re going to see [drones] being used in ways that we hadn’t thought of yet. And some of that’s going to be cool and neat and some of it’s going to be kind of ugly.”

One thing is guaranteed: The waiting game has just begun.

Long-ignored government practice lets IRS skirt fourth and fifth amendments

WASHINGTON — When Jeffrey Hirsch went to deposit money at his bank one morning in May 2012, his whole life changed. The teller told him the entire contents of his account—nearly half a million dollars—had been seized by the Internal Revenue Service.

Hirsch, a small business owner from Long Island, was never accused of a crime. Yet he would not see his $446,651.11 again for nearly three years due to the IRS’s civil asset forfeiture program, which allows the agency to seize money without filing criminal charges and keep it, in many cases, indefinitely.

Under federal law, banks are required to report cash deposits exceeding $10,000 to the Treasury Department, and account holders are forbidden from “structuring” deposits smaller than the $10,000 threshold to avoid the reporting requirement. If the IRS suspects someone is “structuring” their deposits, it can take their money without filing a criminal complaint.

The program was designed to help the federal government intercept the drug trade during the 1980s “war on drugs.” But the IRS has increasingly gone after small business owners and others who make frequent, small deposits.

“These laws were intended to target drug dealers and other hardened criminals engaged in money laundering or other criminal activity,” said Robert Johnson, Hirsch’s attorney. “In practice, however, the IRS enforces the structuring laws against innocent Americans who have no idea that depositing less than $10,000 in the bank could possibly get them in trouble with the law.”

Hirsch owns and operates Bi-County Distributors, a small business that distributes products to convenience stores on Long Island. The company had multiple accounts closed due to its frequent cash deposits, which—when more than $10,000—require burdensome paperwork from the bank. Hirsch’s accountant recommended staying below the limit, so Hirsch often made cash deposits under $10,000.

On the basis of civil asset forfeiture, the IRS seized Hirsch’s money in May 2012 and held it for more than two years without issuing any charges against him. Twice, Hirsch said, the government offered settlements that would require him to surrender “a substantial portion” of the money.

“I rejected these offers as I felt that I had done nothing wrong and should not be forced to give up my hard-earned money for no reason,” Hirsch said. “I lived with that stress for over two-and-a-half years.”

Hirsch said the seizure drove his business “to the edge of insolvency,” forcing him to take extended lines of credit. In an attempt to demonstrate his innocence, he paid an accounting firm $25,000 to audit his own business.

“Government officials did not question the results of the audit and did not suggest that they were in possession of any evidence of wrongdoing by anyone associated with the business,” Hirsch said. “Nonetheless, the government still refused to return the money.”

To get seized funds back, property owners have to go to court against the Department of Justice—often a lengthy and expensive process.

In January, after a front-page story on civil asset forfeiture was published in The New York Times, the government agreed to return Hirsch’s money.

“In this country, people are supposed to be innocent until proven guilty. But, in the eyes of the IRS, I was guilty until proven innocent—forced to prove my own innocence to get my property back,” Hirsch said. “No other American should be put through the nightmare I experienced.”

But Hirsch’s case is not unique.

Documents obtained by the Institute for Justice, a national law firm that litigates property rights, show that the IRS conducted more than 2,500 of these seizures from 2005 to 2012.

In that seven-year period, the agency collected more than $242 million in suspected structuring violations. At least a third of those seizures “arose from nothing more than a series of cash transactions under $10,000, with no other criminal activity alleged,” according to the report.

And under federal law, the IRS gets to keep this money. Funds seized through civil forfeiture are deposited in the Treasury Forfeiture Fund, which is available for use by the IRS without any appropriation by Congress.

“Shockingly, the government uses the money that it takes through civil forfeiture to pad the budgets of the very agencies that seize the money,” said Johnson, who also works for the Institute for Justice. “The result is a legal system in which the deck is stacked against ordinary Americans.”

While the issue went largely unnoticed until late last year, lawmakers on Capitol Hill—both Republican and Democrat—are now looking for change from the long-embattled agency.

The House Oversight Subcommittee’s first hearing of the new Congress called on IRS Commissioner John Koskinen to testify. He was met with harsh criticism.

Rep. Mike Kelly, R-Pa., went so far as to compare civil asset forfeiture to torture. “You talk about waterboarding, this is waterboarding at its worst,” he said.

The IRS has promised to change. Koskinen apologized to the small business owners at the hearing and said the agency would no longer pursue civil seizure on structuring grounds “unless there are exceptional circumstances.”

“We’ve changed the policy from our standpoint,” Koskinen said.

But Johnson isn’t satisfied with the IRS’ promise.

“The only surefire reform of civil forfeiture is to eliminate the practice entirely, and to require all forfeiture to proceed under the criminal laws,” Johnson said. “Short of that, the IRS policy change—limiting application of the structuring laws to funds derived from illegal sources—should be codified in statute, and without any open-ended loophole for ‘exceptional’ cases.”

Many lawmakers also aren’t satisfied with the IRS’s “exceptional circumstances” standard.

In January, Sen. Rand Paul, R-Ky., and Rep. Tim Walberg, R-Mich., introduced a bill that would curb IRS forfeiture abuses by stopping the IRS from seizing funds without criminal charges and making it simpler and faster for innocent property owners to get their money back.

The bill is only in the primary stages of the legislative process, but some sort of remedial legislation is likely to receive support.

“It is wrong without any criminal evidence to seize anyone’s property,” Kelly said. “This flies in the face of everything we are as a country.”

In ‘Parks and Recreation,’ a vision for the future of consumer data privacy issues  

On a sunny morning in Pawnee, Indiana, a notification pops up on Leslie Knope’s phone: “Open Your Door.” Looking outside, she finds a drone at her doorstep, floating effortlessly, cradling a box addressed to her.

“Hey, Leslie Knope!” it chimes as it drops its cargo.

People have only been able to use drones for recreational, research or government purposes in the U.S., but the Federal Aviation Administration has proposed rules that would expand drones for any use, especially for commercial purposes. Yet the final season of NBC’s “Parks and Recreation,” set in a not-too-distant 2017, envisions a world in which your internet provider can listen to your every conversation, read every email and text, and use that information to predict your mood and deliver packages to your door. The offending company is Grizzyl, a bubbly, gleefully 21st century Internet and cell phone provider that shamelessly violates its customers’ privacy.

For ardent libertarian Ron Swanson, who destroys a drone and brings it to Leslie, (“This is a flying robot that I just shot out of the sky when it tried to deliver me a package”), the threat of such technology is philosophically horrifying, bringing him together with the liberal Knope to try to stop the behavior. While he originally blames others for making themselves vulnerable to that kind of invasion, he later changes his tune when his own privacy is threatened outside of his control.

For the liberal Knope, the concern is more universal: from a populist perspective, a corporation infringing upon its customers’ rights is troubling. As in many episodes, she sees the government serving as an activist voice, protecting its citizens from harm from an ill-intentioned private company.

By placing characters only two years from now, the show’s creators envisioned a future that’s within our reach. In the show’s view, the future has troubling implications for consumers, with sophisticated technology making it easier than ever for companies to pry into their users’ lives.

Below, we’ve compiled a list of technologies and actions made by Grizzyl. With their predictions of a soon-to-be future in mind, we examine the likelihood of each event coming true, and the current legal structures that govern them.

Use of commercial drones

In the show: After listening to its users’ phone calls, Grizzyl gathers its customers’ personal desires and sends them gifts it thinks they’ll appreciate via drone. When Donna receives two honey bears and boxes of sugarplums, coincidentally the pet names she and her fiancé use for each other, the characters on the show catch on to Grizzyl’s unethical business practices.

Today’s laws: Americans have very few options allowing them to use drones for commercial purposes. Companies may apply to the Federal Aviation Administration to authorize use of drones on a case-by-case basis. However, no existing legal framework allows for the widespread adoption of drones on a commercial basis, and the FAA describes its approach to the emerging technology as “incremental,” suggesting that you won’t see pizza-delivering drones anytime soon. The FAA Modernization and Reform Act of 2012 aimed to integrate unmanned aircraft by this year, but a recent government audit found that the FAA wouldn’t meet its September deadline. “There should be an eye toward integrating drones into our national airspace,” Peter Sachs, a lawyer specializing in drone law, said about these proposed regulations.

Tomorrow’s technology: When online retailer behemoth Amazon announced “Amazon Prime Air” last year, it seemed like an elaborate April Fool’s prank. Yet the company is dead serious about using the technology to deliver packages in as little as 30 minutes, sending the FAA a letter pushing for greater reforms. While Amazon predicts that drone deliveries will eventually be “as normal as seeing mail trucks on the road,” time will tell when their vision becomes a reality. However, with the FAA’s proposed regulations, drone operators would be required to stay within “eyesight” of their craft, according to Sachs. With this stipulation, it would be near impossible for vendors to use drones for deliveries.

Consumer data mining

In the show: After the characters receive individualized gift packages delivered by drone from Grizzyl, they quickly realize the only way the company could have learned this information about them is through monitoring their calls and texts. Later, when Leslie visits the Grizzyl headquarters in disguise, the Grizzyl vice president of “Cool New Shiz” reveals he knew who she was all along by tracking her location from her phone. He says his company may know Leslie better than she knows herself. He tells her, “There’s nothing scary about Grizzyl. We just want to learn everything about everyone, track wherever they go and even what they’re about to do.”

Today’s laws: Despite the growing fascination with consumer privacy and cybersecurity in recent years, especially in the wake of Edward Snowden’s revelations about the National Security Agency’s program to gather millions of Americans’ phone and email records, no laws yet intensely regulate the act of consumer data mining. In Sorrell v. IMS Health Inc., the Supreme Court found that a Vermont statute that restricted the sale, disclosure and use of records that revealed the prescribing practices of individual doctors violated the First Amendment rights of data mining companies hired by pharmaceutical manufacturers. In a powerful feature story for Time Magazine in 2011, author Joel Stein sums up the current state of data mining for consumers: He contacts a range of private companies that gather information about him “in stealth,” creating a detailed picture of his life that’s been culled without his knowing.

Tomorrow’s technology: Though the debate about the gathering and use of data has typically been about government surveillance of private exchanges, companies such as Google, which could be seen as the real-life Grizzyl, already monitor emails sent over their Gmail network in order to tailor advertisements shown to particular Internet users. As Stein’s 2011 feature shows, companies already have an incredible ability to gather people’s information, something that will likely continue to grow unless Congress passes legislation limiting it.

Consumer agreements

In the show: When Leslie Knope discovers the data mining, she brings a lawsuit against Grizzyl. Leslie’s husband Ben argues that the agreement giving Pawnee free WiFi explicitly banned data mining. However, the company was able to sneak a clause “into the 27th update of a 500 page user agreement,” allowing them to monitor all communications sent over the network through Grizzyl products. As Ben said, “a person should not have to have an advanced law degree to avoid being taken advantage of by a multi-billion dollar company,” a sentiment oft repeated in today’s on-the-grid society. Ben compelled Grizzyl to be “upfront about what you’re doing and allow people the ability to opt out.”

Today’s laws: According to Ira Rheingold, executive director of the National Association of Consumer Advocates, the U.S. has little protection for consumers against how a private company constructs its consumer agreements. A report released by the Consumer Financial Protection Bureau, an independent government agency formed by the 2011 Dodd-Frank Wall Street reforms, showed that consumers often hand over their rights in consumer agreements without realizing it. The bureau found that in 92 percent of credit card disputes that went to arbitration, consumers had signed contracts precluding their ability to sue without realizing it. In effect, even the savviest consumer, like Ben Wyatt, can be thwarted by a legal document that buries its most damaging clauses under pages of legal jargon, something that’s become commonplace in our society.

Tomorrow’s technology: When consumers sign these consumer agreements, they may unknowingly give up their right to sue, effectively stripping themselves of their right to take these corporations to trial in the event of an injustice. Sen. Al Franken, D-Minn., has championed the Arbitration Fairness Act, which works to “restore the rights of workers and consumers” in assuring them of transparency in civil litigation and prohibiting the usage of forced arbitration clauses in consumer agreements. While the bill has unsuccessfully been introduced in Congress since 2011, Franken plans on reintroducing it during this session.

 

Private sector remains wary of government efforts to increase cybersecurity collaboration

WASHINGTON– President Barack Obama and lawmakers have announced plans to increase information sharing between the government and the private sector following data breaches at major companies. But companies are hesitant to join these initiatives because of liability and privacy concerns – and sharing information could put them at a competitive disadvantage.

Experts agree information sharing is essential in preventing and responding to cyber attacks, but the government and private sector bring different perspectives and strategies to mitigating the threats.

Companies need to take the approach that there is “strength in numbers,” said Greg Garcia, executive director of the Financial Services Sector Coordinating Council.

“To the extent that we can have what amounts to a neighborhood watch at a national scale, then we’re going to be better aware of the adversaries and what they’re up to and what they’re trying to do,” Garcia said.

One area where progress has been made is in the sharing of cybersecurity threat indicators, which identify the source of cyber attacks, said Mary Ellen Callahan, former chief privacy officer at the Department of Homeland Security. These indicators can include bad IP addresses, malware that’s embedded in emails or specific coding in software, she said.

DHS and the Mitre Corporation have developed programming languages to improve communication about cyber threat information between the government and the private sector. Structured Threat Information Expression and Trusted Automated Exchange of Indicator Information, known as STIX and TAXII respectively, are used in tandem to quickly share the information.

“It’s one thing to have these executive orders and things, but it’s another to have the technical enablers to make it easy for these companies to do it,” said John Wunder, lead cybersecurity engineer at Mitre. “You want to make it easy to share threat information in a way that you share exactly what you want.”

Yet, these programs haven’t fully developed and more participation is needed to make them effective, said Judith Germano, a senior fellow at New York University School of Law’s Center on Law and Security.

“I hear from companies that they are often less concerned about where the threat is coming from, but what is the threat and what can they do to stop it,” she said. “That’s the valuable information. Some of that is being shared and is very helpful, but it needs to be expanded.”

Last month, Obama announced an executive order promoting cybersecurity information sharing. The order encouraged the development of information sharing and analysis organizations to spearhead collaboration between the private sector and government. He tasked DHS with creating a nonprofit organization to develop a set of standards for ISAOs.

Despite these efforts, robust information sharing is still lacking.

“Everyone wants information. Nobody wants to give information,” said Mark Seward, vice president of marketing at Exabeam, a big data security analytics company.

Companies fear sharing information with the government could reveal corporate secrets or consumers’ private information, said Martin Libicki, a senior management scientist at the RAND Corporation. He added sharing information with the government could also pose legal risks if the information shows companies did not follow federal regulations.

Germano, who also runs a law firm focused on cybersecurity issues, says cybersecurity collaboration comes down to a matter of trust. The private sector, she said, is wary of the government.

“On one hand [the government is] reaching out as a friend and collaborator to work with companies,” she said. “On the other hand, the same government has an enforcement arm outstretched with the FTC, the SEC that if you do not comply, there can be repercussions, possible lawsuits and other regulatory action taken against you.”

Therefore, only information that is directly related to a threat should be shared and stored, said Callahan, now a partner at Jenner & Block. Further, she said when companies share a large amount of information at once it slows down the process of assessing the threat and they often share more information than is necessary.

The U.S. also lacks “an intelligent and forceful deterrence strategy” for cyber attacks, said Matthew Eggers, senior director of the U.S. Chamber of Commerce’s national security and emergency preparedness department, at a Congressional hearing earlier this month. He also said the government needs to provide more assistance to companies who have suffered from hacks.

“U.S. policymakers need to focus on pushing back against illicit actors and not on blaming the victims of cybersecurity incidents,” Eggers said. 

To address some of these concerns, Sen. Tom Carper, D-Del., introduced in February the Cyber Threat Sharing Act of 2015, which looks to provide liability protections for companies when they share cyber information with the government.

The bill would prohibit the government from using shared cyber threat data as evidence in a regulatory action against the company that shared the information. It also strengthens privacy protections and limits how shared data could be used. The bill has been referred to the Committee on Homeland Security and Governmental Affairs.

In February, Obama also called on the Director of National Intelligence to create the Cyber Threat Intelligence Integration Center, a national intelligence center aimed at “connecting the dots” on cyber threats. The center will “collect intelligence, manage incident response efforts, direct investigations” among other responsibilities.

However, experts remain skeptical about the center.

“What concerns me about that is if you read the president’s memoranda on [the Cyber Threat Intelligence Integration Center], it says that it’s consistent with privacy and civil liberties protections as relevant to that agency,” said Callahan, the Jenner & Block lawyer. “Well, the intelligence community, as you know, has reduced private protections.”

The center’s framework will be similar to that of the National Counterterrorism Center, which is a concern for Libicki, of the RAND Corporation.

“The last cyber attack had elements of terrorism in it. Does that mean we should look at this entire problem purely through the lens of counterterrorism?” Libicki said. “Why are you duplicating a methodological framework that culminates in a set of actions, like predator drones, which are totally inappropriate for cyber?”

Kathleen Butler, a spokesperson for the Office of the Director of National Intelligence, did not have any additional comment beyond the president’s announcement of the center as she said initial planning is still underway.

While experts say it will take time for the private sector to fully engage in the information sharing initiatives, the government’s efforts have been mostly positive.

“This is about enabling people to share what they know and get access to what others know such that protection can be more pervasive,” said Bobbie Stempfley, Mitre’s director of cybersecurity implementation. “That’s really a powerful concept.”

Internet currency Bitcoin lacks privacy protections

WASHINGTON — Bitcoin lacks the anonymity that many users have come to expect and desire, especially for a currency advertised as “cash for the Internet.”

All transactions made using the online currency are logged in a public ledger to ensure their validity.

“It’s inherent in the system to have it be transparent,” said Jim Harper, a senior fellow at the libertarian Cato Institute and a member of the board of directors at the Bitcoin Foundation. “You could have greater privacy if it was a system that one party controlled, but that would have costs relying on that party to get it right.”

Bitcoin is a digital currency that has no central authority and can be used, in many ways, like cash. Many businesses, from restaurants to WordPress, have begun to accept bitcoin as payment. To get started, it only takes a few minutes to go online to set up a Bitcoin wallet.

“It is fast and free,” said David Barrett, the CEO of Expensify, a company that supports Bitcoin use for international transactions. “It’s secure. And I would say it works everywhere in the world. And it is a very powerful technology for moving money around the world.”

Bitcoin offers an “acceptable level of privacy,” according to Bitcoin.org, which is managed by its developers. And for many Bitcoin users, any potential loss of privacy is an acceptable trade-off to circumvent traditional financial institutions.

“The idea of having this flexible payment system where you can pay someone on the other side of the world without having to turn to Western Union or something, that is quite an appealing concept,” said Sarah Meiklejohn, a lecturer at University College London who has done research on the currency.

Because this cybercurrency is not tied to any country or bank, it can be a relatively stable option for those in developing countries, where the local currency is often unreliable.

But, because of Bitcoin’s transparency, it is relatively easy to track a user’s entire transaction history. The public ledger shows the location of the Bitcoin user who is making a transaction as well as the history of the Bitcoin they are spending.

The public ledger shows a Bitcoin’s transaction history and the user’s location.

“It is kind of anonymous, but the second that you do any transaction with Bitcoin, every transaction is there,” said Barrett. “Once you pay me a bitcoin, basically I can look at the log and see every transaction you’ve made.”

Bitcoin.org claims no responsibility for any “losses, damages or claims,” for invasions of privacy or thefts, according to its terms and conditions. It suggests encrypting Bitcoin wallets and using secure connections to avoid thefts.

There are ways to improve the anonymity of the currency, but they require a concerted and technology-intensive effort that many do not even know is an option.

“There’s a thing called mixing, which is a process where you commingle your bitcoins with the bitcoins of others and the output of those transactions is harder to trace back to individuals,” said Harper, the Cato fellow. “It might make it a probabilistic calculation rather than drawing a direct line.”

This process is the equivalent to moving funds through banks in countries like the Cayman Islands and Panama which have strict bank-secrecy laws.
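The traceability Barrett describes and the mixing Harper describes can be seen on a toy ledger. This is an added example, not part of the original article: the ledger, the readable address names, the amounts and the even split of probability across a transaction's inputs are all constructed assumptions.

```python
from collections import namedtuple

# One ledger entry. Inputs spend earlier outputs, referenced as (txid, index);
# outputs are (address, amount). Fees are ignored.
Tx = namedtuple("Tx", "txid inputs outputs")

# Constructed sample ledger. Real addresses are pseudonymous strings; readable
# labels are used here only to make the flow easy to follow.
LEDGER = [
    Tx("t0", [], [("exchange", 5)]),                        # coins enter circulation
    Tx("t1", [("t0", 0)], [("alice", 2), ("exchange", 3)]),
    Tx("t2", [("t1", 0)], [("cafe", 1), ("alice", 1)]),     # alice pays cafe, keeps change
    Tx("t3", [("t1", 1)], [("bob", 1), ("carol", 1), ("exchange", 1)]),
    Tx("t4", [("t2", 1), ("t3", 0), ("t3", 1)],             # mix: three payers, three equal outputs
       [("fresh_a", 1), ("fresh_b", 1), ("fresh_c", 1)]),
    Tx("t5", [("t4", 0)], [("shop", 1)]),
]


def index(ledger):
    """Map txid -> transaction for quick lookup."""
    return {tx.txid: tx for tx in ledger}


def owner(by_id, ref):
    """Address that holds the output a (txid, index) reference points to."""
    txid, i = ref
    return by_id[txid].outputs[i][0]


def activity(ledger, address):
    """Every transaction in which `address` spends or receives, in ledger order.

    Anyone who learns one address of a user can run this over the public log.
    """
    by_id = index(ledger)
    hits = []
    for tx in ledger:
        senders = {owner(by_id, r) for r in tx.inputs}
        receivers = {addr for addr, _ in tx.outputs}
        if address in senders or address in receivers:
            hits.append(tx.txid)
    return hits


def funders(ledger, txid, hops=1):
    """Probability distribution over addresses that funded `txid`, `hops` back.

    Assumption: a transaction's outputs are equally likely to come from any of
    its inputs. A single-input payment gives a direct line (probability 1.0);
    a mix with n payers spreads it to 1/n each.
    """
    by_id = index(ledger)
    frontier = {txid: 1.0}
    for _ in range(hops - 1):
        nxt = {}
        for t, p in frontier.items():
            ins = by_id[t].inputs
            for src, _ in ins:
                nxt[src] = nxt.get(src, 0.0) + p / len(ins)
        frontier = nxt
    dist = {}
    for t, p in frontier.items():
        ins = by_id[t].inputs
        for ref in ins:
            addr = owner(by_id, ref)
            dist[addr] = dist.get(addr, 0.0) + p / len(ins)
    return dist


if __name__ == "__main__":
    print("alice appears in:", activity(LEDGER, "alice"))
    print("cafe was paid by:", funders(LEDGER, "t2"))
    print("shop payment, one hop back:", funders(LEDGER, "t5"))
    print("shop payment, through the mix:", funders(LEDGER, "t5", hops=2))
```
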

Today, some experts are cautious in accepting Bitcoin as a widespread currency. However, many see the Bitcoin concept as one that will remain.

“It’s actually a good alternative to a currency if there is inflation,” Barrett said. “In Venezuela and Africa, it is getting larger adoption. Russia also has a big growth in bitcoin. It’s a safer and less volatile way to keep your currency. Over time, Bitcoin will, in certain parts of the world, become a daily occurrence.”

Bitcoin and its supposed anonymity gained prominence in its role with the Silk Road, an online black marketplace known for selling illicit drugs and weapons. Buyers and sellers were able to connect virtually and use the cybercurrency to conduct anonymous transactions.

“This perception of anonymity might be driving groups towards Bitcoin, but then the transparency is giving law enforcement or anyone interested in these illicit transactions this beautiful view of all of these types of illicit transactions,” said Meiklejohn, the Bitcoin researcher. “Instead of going to somewhere like Western Union and wiring cash over to the Islamic State or whatever, if you’re doing it with Bitcoin then you are creating this paper trail that is never going to go away, literally ever.”

What may scare off more potential Bitcoin users, however, is not its lack of anonymity but the volatility of the currency. In the last 12 months, the value of the currency has fallen by nearly half.

“Maybe I’m just cynical, but it’s hard to see why Bitcoin, as it is now, would achieve widespread adoption, which ultimately is what you would need to have any kind of stable currency,” Meiklejohn said. “So, as long as Bitcoin is this niche market, it is going to remain pretty volatile.”