Group items tagged

Four months from now, at the same time that the National Security Agency finally abandons the massive domestic telephone dragnet exposed by whistleblower Edward Snowden, it will also stop perusing the vast archive of data collected by the program. The NSA announced on Monday that it will expunge all the telephone metadata it previously swept up, citing Section 215 of the U.S.A Patriot Act. The program was ruled illegal by a federal appeals court in May. In June, Congress voted to end the program, but gave the NSA until the end of November to phase it out. The historical metadata —  records of American phone calls showing who called who, when, and for how long — will be put out of the reach of analysts on November 29, although technical personnel will have access for three more months. The program started 14 years ago, and operated under rules requiring data be retained for five years, and then destroyed.

The only possible hold-up, ironically, would be if any of the civil lawsuits prompted by the program prohibit the destruction of the data. “The telephony metadata” will be “preserved solely because of preservation obligations in pending civil litigation,” the Office of the Director of National Intelligence announced. “As soon as possible, NSA will destroy the Section 215 bulk telephony metadata upon expiration of its litigation preservation obligations.” ACLU staff attorney Alex Abdo told The Intercept his organization is “pleased that the NSA intends to purge the call records it has collected illegally.” But, he added: “Even with today’s pledge, the devil may be in the details.”

They say what goes around comes around, and there's perhaps nowhere that rings more true than in the world of government surveillance. Such was the case on Monday morning when Hacking Team, the Italian company known for selling electronic intrusion tools to police and federal agencies around the world, awoke to find that it had been hacked itself—big time—apparently exposing its complete client list, email spools, invoices, contracts, source code, and more. Those documents show that not only has the company been selling hacking tools to a long list of foreign governments with dubious human rights records, but it’s also establishing a nice customer base right here in the good old US of A. The cache, which sources told Motherboard is legitimate, contains more than 400 gigabytes of files, many of which confirm previous reports that the company has been selling industrial-grade surveillance software to authoritarian governments. Hacking Team is known in the surveillance world for its flagship hacking suite, Remote Control System (RCS) or Galileo, which allows its government and law enforcement clients to secretly install “implants” on remote machines that can steal private emails, record Skype calls, and even monitor targets through their computer's webcam. Hacking Team in North America

According to leaked contracts, invoices and an up-to-date list of customer subscriptions, Hacking Team’s clients—which the company has consistently refused to name—also include Kazakhstan, Azerbaijan, Oman, Saudi Arabia, Uzbekistan, Bahrain, Ethiopia, Nigeria, Sudan and many others. The list of names matches the findings of Citizen Lab, a research lab at the University of Toronto's Munk School of Global Affairs that previously found traces of Hacking Team on the computers of journalists and activists around the world. Last year, the Lab's researchers mapped out the worldwide collection infrastructure used by Hacking Team's customers to covertly transport stolen data, unveiling a massive network comprised of servers based in 21 countries. Reporters Without Borders later named the company one of the “Enemies of the Internet” in its annual report on government surveillance and censorship.

we’ve only scratched the surface of this massive leak, and it’s unclear how Hacking Team will recover from having its secrets spilling across the internet for all to see. In the meantime, the company is asking all customers to stop using its spyware—and likely preparing for the worst.

Facebook has been ordered by a Belgian court to stop tracking non-Facebook users when they visit the Facebook site. Facebook has been given 48 hours to stop the tracking or face possible fines of up to 250,000 Euro a day.

Facebook has said that it will appeal the ruling, claiming that since their european headquarters are situated in Ireland, they should only be bound by the Irish Data Protection Regulator. Facebook’s chief of security Alex Stamos has posted an explanation about why non-Facebook users are tracked when they visit the site. The tracking issue centres around the creation of a “cookie” called “datr” whenever anyone visits a Facebook page. This cookie contains an identification number that identifies the same browser returning each time to different Facebook pages. Once created, the cookie will last 2 years unless the user explicitly deletes it. The cookie is created for all visitors to Facebook, irrespective of whether they are a Facebook user or even whether they are logged into Facebook at the time. According to Stamos, the measure is needed to: Prevent the creation of fake and spammy accounts Reduce the risk of someone’s account being taken over by someone else Protect people’s content from being stolen Stopping denial of service attacks against Facebook

The principle behind this is that if you can identify requests that arrive at the site for whatever reason, abnormal patterns may unmask people creating fake accounts, hijacking a real account or just issuing so many requests that it overwhelms the site. Stamos’ defence of tracking users is that they have been using it for the past 5 years and nobody had complained until now, that it was common practice and that there was little harm because the data was not collected for any purpose other than security. The dilemma raised by Facebook’s actions is a common one in the conflicting spheres of maintaining privacy and maintaining security. It is obvious that if you can identify all visitors to a site, then it is possible to determine more information about what they are doing than if they were anonymous. The problem with this from a moral perspective is that everyone is being tagged, irrespective of whether their intent was going to be malicious or not. It is essentially compromising the privacy of the vast majority for the sake of a much smaller likelihood of bad behaviour.