On Monday, I wrote about the expanding private surveillance industry and its relationship with the government, with a focus on something called Project Vigilant as one particularly troubling, illustrative example. That group's Executive Director, Chet Uber, generated substantial media attention -- in Forbes, Wired and elsewhere -- by appearing at a Defcon conference this weekend and claiming, among other things, that it was he who put Adrian Lamo in touch with his contacts at the "highest levels of the government" at "three letter agencies." He further boasted that Project Vigilant is a group which "monitors the traffic of 12 regional Internet service providers," "tracks more than 250 million IP addresses a day and can 'develop portfolios on any name, screen name or IP address,'" and then "hands much of that information to federal agencies." The reasons these revelations would be alarming are obvious, and Law Professor Orin Kerr suggested that such activities would likely be illegal.
But over the past several days, I've become convinced that Uber's claims about his group are wildly exaggerated, rendering my concerns about it largely misguided and unwarranted. In a follow-up post, Kerr points to and tentatively endorses this analysis from Richard Bejlitch, who makes a persuasive case that Project Vigilant is "largely a publicity stunt, meaning it was just invented and its so-called 'history' is an extension of someone's imagination." I also had several email exchanges with Cato's Julian Sanchez, who spent the last several days investigating Project Vigilant and Uber's claims and -- for reasons he will detail in a piece he is writing -- also concluded that concerns about this group are largely unwarranted. Numerous, knowledgeable readers -- both in the comment section to that post and via email -- have also offered compelling arguments as to why it's far more likely than not that Uber is basically engaged in a self-aggrandizing, attention-seeking campaign (not unlike Adrian Lamo), and thus, to put it mildly, is seriously hyping the importance of his group and what it does.
Anyone with even minimal credibility knows not to believe uncorroborated, fantastical claims simply because they are publicly touted. What persuaded me of the authenticity of Uber's claims -- aside from their being reported in the above-mentioned credible publications by reporters who regularly cover surveillance issues -- were these two articles from last month in The Examiner by Mark Albertson, covering Project Vigilant at length. Indeed, the second one was specifically devoted to addressing doubts about its seriousness:
It’s tempting to look at a secret group of cybercrime "monitors" and dismiss them as a group of lightweights trying to play cops and robbers in the Internet world. Nothing could be farther from the truth.
The article identified numerous, sophisticated Internet experts -- former officials of the DOJ, DHS, the NSA and the New York Stock Exchange -- who were purportedly working with them. All of this evidence together led me to conclude that the group was real and credible. I interpreted my inability to gather more information about them -- including by speaking that morning with surveillance experts who had never heard of them, and attempting to find out background information about them and the corporation which "funds" it only to come up largely empty -- as simply a reflection of how covertly they operated. In retrospect, I should have been more skeptical of these claims.
In sum, the dangers of the growing private surveillance industry and its increasing commercial relationship with the U.S. government are every bit as real and severe as I described. But "Project Vigilant" is probably not an example of that.
* * * * *
On a related note, Luke Shepard of Facebook contacted me -- in comments and via email -- and asked that I direct readers' attention to this post, which he says provides some clarity on the relationship between The Washington Post and Facebook, which I also mentioned in what I wrote.