Group items tagged

When the premiere surveillance reform bill of 2014 is reintroduced in the current Congress, it can count on antipathy and even opposition from many of the civil libertarian activists who pushed it to the brink of passage last year. The USA Freedom Act, a bill that aims to stop the National Security Agency (NSA) from its daily collection of US phone records in bulk, is set for a 2015 revamp after failing in the Senate last November. Supporters pledge to unveil it late this week or early next week.

This time, as reported by the Guardian, the bill is shaping up to be the preferred piece of legislation to extend the lifespan of a controversial part of the Patriot Act, known as Section 215. The NSA uses Section 215 to justify its domestic mass surveillance. The FBI considers it critical for terrorism and espionage investigations outside typical warrant or subpoena channels. Section 215 expires on 1 June. The bill’s architects consider the USA Freedom Act the strongest piece of legislation to roll back the domestic reach of US surveillance that Congress will pass. But a new coalition of civil libertarian groups on the left and the right is already looking past the bill, in the hopes of broadening what is possible – something they consider realistic, thanks to the intelligence community’s fervent desire to avoid the expiration of Section 215.

The White House on Wednesday made public for the first time the rules by which the government decides to disclose or keep secret software flaws that can be turned into cyberweapons — whether by U.S. agencies hacking for foreign intelligence, money-hungry criminals or foreign spies seeking to penetrate American computers. The move to publish an un­classified charter responds to years of criticism that the process was unnecessarily opaque, fueling suspicion that it cloaked a stockpile of software flaws that the National Security Agency was hoarding to go after foreign targets but that put Americans’ cyber­security at risk.

The rules are part of the “Vulnerabilities Equities Process,” which the Obama administration revamped in 2014 as a multi­agency forum to debate whether and when to inform companies such as Microsoft and Juniper that the government has discovered or bought a software flaw that, if weaponized, could affect the security of their product. The Trump administration has mostly not altered the rules under which the government reaches a decision but is disclosing its process. Under the VEP, an “equities review board” of at least a dozen national security and civilian agencies will meet monthly — or more often, if a need arises — to discuss newly discovered vulnerabilities. Besides the NSA, the CIA and the FBI, the list includes the Treasury, Commerce and State departments, and the Office of Management and Budget. The priority is on disclosure, the policy states, to protect core Internet systems, the U.S. economy and critical infrastructure, unless there is “a demonstrable, overriding interest” in using the flaw for intelligence or law enforcement purposes. The government has long said that it discloses the vast majority — more than 90 percent — of the vulnerabilities it discovers or buys in products from defense contractors or other sellers. In recent years, that has amounted to more than 100 a year, according to people familiar with the process. But because the process was classified, the National Security Council, which runs the discussion, was never able to reveal any numbers. Now, Joyce said, the number of flaws disclosed and the number retained will be made public in an annual report. A classified version will be sent to Congress, he said.