Group items tagged

A week ago, we saw a procession of nervous headlines after the Times and then Bloomberg reported that Facebook, its messaging platform WhatsApp and others would now be forced to disclose encrypted messages to law enforcement agencies under a new treaty between the U.S. and the U.K. As I commented at the time, these reports were misleading, mixing up agreements to share data that already exists with changes in the law to break encryption. But now the U.S. and U.K., as well as Australia, are set to write to Facebook to request that the company pauses its plans for cross-platform messaging encryption until backdoors can be added, citing public safety and serious crime as its reasons.EFF described the letter as an “all-out attack on encryption... a staggering attempt to undermine the security and privacy of communications tools used by billions of people,” and urged Facebook not to comply. The organization warned that the move would endanger activists and journalists, and could be used by “authoritarian regimes... to spy on dissidents in the name of combatting terrorism or civil unrest.”

The US intelligence community has delivered a limited list of tweaks to how long it can hold information on ordinary citizens and hide secret trawls for data, responding to Barack Obama’s call for reform of its surveillance practices in the wake of revelations about NSA practices. Published by the office of the director of national intelligence, James Clapper, just six days before a recently announced visit to Washington by the German chancellor, Angela Merkel, the report is the culmination of a year-long effort to respond to revelations by whistleblower Edward Snowden.

But the report does not appear to address the role of telecommunications companies in collecting metadata and the use of encryption to prevent hacking, and privacy critics were quick to pounce on a year of promises with little reform to show. “It’s hard to see much ‘there’ there,” Senator Ron Wyden said in a statement. “When it comes to reforming intelligence programs and protecting Americans’ privacy, there is much, much more work to be done.” The outline from the intelligence community also appears to fall short of the legislative changes attempted by campaigners in Congress, focusing instead on measures to tighten internal guidelines and provide foreigners with some of the protections allowed for US citizens. These measures include:

Other measures outlined in the new report include steps to clarify the protection given to whistleblowers if they follow internal rules and a requirement that “any significant compliance incident involving personal information, regardless of the person’s nationality” be reported to Clapper.

While the Justice Department wages a public fight with Apple over access to a locked iPhone, government officials are privately debating how to resolve a prolonged standoff with another technology company, WhatsApp, over access to its popular instant messaging application, officials and others involved in the case said. No decision has been made, but a court fight with WhatsApp, the world’s largest mobile messaging service, would open a new front in the Obama administration’s dispute with Silicon Valley over encryption, security and privacy.WhatsApp, which is owned by Facebook, allows customers to send messages and make phone calls over the Internet. In the last year, the company has been adding encryption to those conversations, making it impossible for the Justice Department to read or eavesdrop, even with a judge’s wiretap order.

As recently as this past week, officials said, the Justice Department was discussing how to proceed in a continuing criminal investigation in which a federal judge had approved a wiretap, but investigators were stymied by WhatsApp’s encryption.The Justice Department and WhatsApp declined to comment. The government officials and others who discussed the dispute did so on condition of anonymity because the wiretap order and all the information associated with it were under seal. The nature of the case was not clear, except that officials said it was not a terrorism investigation. The location of the investigation was also unclear.

To understand the battle lines, consider this imperfect analogy from the predigital world: If the Apple dispute is akin to whether the F.B.I. can unlock your front door and search your house, the issue with WhatsApp is whether it can listen to your phone calls. In the era of encryption, neither question has a clear answer.Some investigators view the WhatsApp issue as even more significant than the one over locked phones because it goes to the heart of the future of wiretapping. They say the Justice Department should ask a judge to force WhatsApp to help the government get information that has been encrypted. Others are reluctant to escalate the dispute, particularly with senators saying they will soon introduce legislation to help the government get data in a format it can read.

Thousands of people are signing up to join an unprecedented legal campaign against the United Kingdom’s leading electronic surveillance agency. On Monday, London-based human rights group Privacy International launched an initiative enabling anyone across the world to challenge covert spying operations involving Government Communications Headquarters, or GCHQ, the National Security Agency’s British counterpart. The campaign was made possible following a historic court ruling earlier this month that deemed intelligence sharing between GCHQ and the NSA to have been unlawful because of the extreme secrecy shrouding it.

Consequently, members of the public now have a rare opportunity to take part in a lawsuit against the spying in the Investigatory Powers Tribunal, a special British court that handles complaints about surveillance operations conducted by law enforcement and intelligence agencies. Privacy International is allowing anyone who wants to participate to submit their name, email address and phone number through a page on its website. The group plans to use the details to lodge a case with GCHQ and the court that will seek to discover whether each participant’s emails or phone calls have been covertly obtained by the agency in violation of the privacy and freedom of expression provisions of the European Convention on Human Rights. If it is established that any of the communications have been unlawfully collected, the court could force GCHQ to delete them from its vast repositories of intercepted data.

By Tuesday evening, more than 10,000 people had already signed up to the campaign, a spokesman for Privacy International told The Intercept. In a statement announcing the campaign on Monday, Eric King, deputy director of Privacy International, said: “The public have a right to know if they were illegally spied on, and GCHQ must come clean on whose records they hold that they should never have had in the first place. “We have known for some time that the NSA and GCHQ have been engaged in mass surveillance, but never before could anyone explicitly find out if their phone calls, emails, or location histories were unlawfully shared between the U.S. and U.K. “There are few chances that people have to directly challenge the seemingly unrestrained surveillance state, but individuals now have a historic opportunity finally hold GCHQ accountable for their unlawful actions.”

A court in the Belgian capital Brussels, on Friday, found the social media company Facebook guilty of breaching Belgian privacy laws. Belgium’s Privacy Commission had taken Facebook to court and the judge agreed with the Commission’s view that Facebook had flouted the country’s privacy legislation. The company has been ordered to correct its practice right away of face fines. Facebook has lodged an appeal.

Facebook follows its users activities by means of so-called social plug-ins, cookies, and pixels. These digital technologies enable Facebook to follow users’ behavior when online. Cookies, for example, are small files that are attached to your internet browser when you go online and visit a particular site. They are used to collect information about the kind of things you like to read or look at while surfing the web. Facebook uses the data both for its own ends, but also to help advertisers send tailor made advertising. In so doing Facebook also uses certain cookies to follow people that don’t even have a Facebook profile. The court ruled that it is “unclear what information Facebook is collecting about us” and “what it uses the information for”. Moreover, Facebook has not been given permission to keep tabs on internet-users by a court of law.

he court has ordered Facebook to stop the practice straight away and to delete any data that it has obtained by means contrary to Belgian privacy legislation. If Facebook fails to comply it will face a penalty payment of 250,000 euro/day.

A new cybersecurity bill poses serious threats to our privacy, gives the government extraordinary powers to silence potential whistleblowers, and exempts these dangerous new powers from transparency laws. The Cybersecurity Information Sharing Act of 2014 ("CISA") was scheduled to be marked up by the Senate Intelligence Committee yesterday but has been delayed until after next week's congressional recess. The response to the proposed legislation from the privacy, civil liberties, tech, and open government communities was quick and unequivocal – this bill must not go through. The bill would create a massive loophole in our existing privacy laws by allowing the government to ask companies for "voluntary" cooperation in sharing information, including the content of our communications, for cybersecurity purposes. But the definition they are using for the so-called "cybersecurity information" is so broad it could sweep up huge amounts of innocent Americans' personal data. The Fourth Amendment protects Americans' personal data and communications from undue government access and monitoring without suspicion of criminal activity. The point of a warrant is to guard that protection. CISA would circumvent the warrant requirement by allowing the government to approach companies directly to collect personal information, including telephonic or internet communications, based on the new broadly drawn definition of "cybersecurity information."

While we hope many companies would jealously guard their customers' information, there is a provision in the bill that would excuse sharers from any liability if they act in "good faith" that the sharing was lawful. Collected information could then be used in criminal proceedings, creating a dangerous end-run around laws like the Electronic Communications Privacy Act, which contain warrant requirements. In addition to the threats to every American's privacy, the bill clearly targets potential government whistleblowers. Instead of limiting the use of data collection to protect against actual cybersecurity threats, the bill allows the government to use the data in the investigation and prosecution of people for economic espionage and trade secret violations, and under various provisions of the Espionage Act. It's clear that the law is an attempt to give the government more power to crack down on whistleblowers, or "insider threats," in popular bureaucratic parlance. The Obama Administration has brought more "leaks" prosecutions against government whistleblowers and members of the press than all previous administrations combined. If misused by this or future administrations, CISA could eliminate due process protections for such investigations, which already favor the prosecution.

While actively stripping Americans' privacy protections, the bill also cloaks "cybersecurity"-sharing in secrecy by exempting it from critical government transparency protections. It unnecessarily and dangerously provides exemptions from state and local sunshine laws as well as the federal Freedom of Information Act. These are both powerful tools that allow citizens to check government activities and guard against abuse. Edward Snowden's revelations from the past year, of invasive spying programs like PRSIM and Stellar Wind, have left Americans shocked and demanding more transparency by government agencies. CISA, however, flies in the face of what the public clearly wants. (Two coalition letters, here and here, sent to key members of the Senate yesterday detail the concerns of a broad coalition of organizations, including the ACLU.)

In the UK earlier this month, human rights groups Liberty and Privacy International were cheered by a tribunal decision that declared GCHQ’s access to NSA spies’ data illegal. Though it was a hollow victory, as the tribunal also declared all current activities, including all those blanket surveillance projects much derided by free speech activists, entirely legal. The practices previously broke the law because the public was unaware of what safeguards were in place for the UK’s access to data from NSA programs like Prism; as soon as Snowden blew everything wide open the snoops had to explain themselves, and that was enough for the tribunal to confirm the legality of GCHQ’s operations. But the case has had one significant effect: anyone can now figure out if their data was illegally shared by the agencies. Privacy International has set up a simple webpage that anyone in the world can sign up to. You can visit the page here.

Once the UK Investigatory Powers Tribunal has determined whom was affected, it has to inform them. Though participants should find out whether their data were unlawfully obtained by GCHQ from the millions of private communications hoovered up by the NSA up until December 2014, it won’t be anytime soon. Privacy International warned in its FAQs: “Count on it being many months, and likely years before this action is completed.” And somewhat ironically Privacy International has to collect participant’s information, including their name and email address, to supply the service. They may ask for more information from willing participants once the group has determined if more is required from the IPT. Anyone who wants to submit directly to the tribunal can do so here.

The EU has accepted a new version of the so-called Private Shield law that would allow US companies to transfer Europeans’ private data to servers across the ocean. The EU struck down the previously-reached agreement over US surveillance concerns.

The majority of EU members voted in support of the Privacy Shield pact with the US that had been designed to replace its predecessor, the Safe Harbor system, which the highest EU court ruled “invalid” in October 2015 following Edward Snowden’s revelations about mass US surveillance.

The newly-adopted agreement will come into force starting Tuesday.The deal, which is said to be aimed at protecting European citizens’ private data, defines the rules of how the sharing of information should be handled. It gives legal ground for tech companies such as Google, Facebook and MasterCard to move Europeans’ personal data to US servers bypassing an EU ban on moving personal information out from the 28-nation bloc. The agreement covers everything from private data about employees to detailed records of what people do online.“For the first time, the US has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens' data,” the statement said.

After months of deliberation, the Obama administration has made a long-awaited decision on the thorny issue of how to deal with encrypted communications: It will not — for now — call for legislation requiring companies to decode messages for law enforcement. Rather, the administration will continue trying to persuade companies that have moved to encrypt their customers’ data to create a way for the government to still peer into people’s data when needed for criminal or terrorism investigations. “The administration has decided not to seek a legislative remedy now, but it makes sense to continue the conversations with industry,” FBI Director James B. Comey said at a Senate hearing Thursday of the Homeland Security and Governmental Affairs Committee.

To Amie Stepanovich, the U.S. policy manager for Access, one of the groups signing the petition, the status quo isn’t good enough. “It’s really crucial that even if the government is not pursuing legislation, it’s also not pursuing policies that will weaken security through other methods,” she said. The FBI and Justice Department have been talking with tech companies for months. On Thursday, Comey said the conversations have been “increasingly productive.” He added: “People have stripped out a lot of the venom.” He said the tech executives “are all people who care about the safety of America and also care about privacy and civil liberties.” Comey said the issue afflicts not just federal law enforcement but also state and local agencies investigating child kidnappings and car crashes — “cops and sheriffs . . . [who are] increasingly encountering devices they can’t open with a search warrant.”

The decision was made at a Cabinet meeting Oct. 1. “As the president has said, the United States will work to ensure that malicious actors can be held to account — without weakening our commitment to strong encryption,” National Security Council spokesman Mark Stroh said. “As part of those efforts, we are actively engaged with private companies to ensure they understand the public safety and national security risks that result from malicious actors’ use of their encrypted products and services.” But privacy advocates are concerned that the administration’s definition of strong encryption also could include a system in which a company holds a decryption key or can retrieve unencrypted communications from its servers for law enforcement. “The government should not erode the security of our devices or applications, pressure companies to keep and allow government access to our data, mandate implementation of vulnerabilities or backdoors into products, or have disproportionate access to the keys to private data,” said Savecrypto.org, a coalition of industry and privacy groups that has launched a campaign to petition the Obama administration.

A company by the name of LocationSmart isn't having a particularly good month. The company recently received all the wrong kind of attention when it was caught up in a privacy scandal involving the nation's wireless carriers and our biggest prison phone monopoly. Like countless other companies and governments, LocationSmart buys your wireless location data from cell carriers. It then sells access to that data via a portal that can provide real-time access to a user's location via a tailored graphical interface using just the target's phone number.

Theoretically, this functionality is sold under the pretense that the tool can be used to track things like drug offenders who have skipped out of rehab. And ideally, all the companies involved were supposed to ensure that data lookup requests were accompanied by something vaguely resembling official documentation. But a recent deep dive by the New York Times noted how the system was open to routine abuse by law enforcement, after a Missouri Sherrif used the system to routinely spy on Judges and fellow law enforcement officers without much legitimate justification (or pesky warrants): "The service can find the whereabouts of almost any cellphone in the country within seconds. It does this by going through a system typically used by marketers and other companies to get location data from major cellphone carriers, including AT&T, Sprint, T-Mobile and Verizon, documents show. Between 2014 and 2017, the sheriff, Cory Hutcheson, used the service at least 11 times, prosecutors said. His alleged targets included a judge and members of the State Highway Patrol. Mr. Hutcheson, who was dismissed last year in an unrelated matter, has pleaded not guilty in the surveillance cases." It was yet another example of the way nonexistent to lax consumer privacy laws in the States (especially for wireless carriers) routinely come back to bite us. But then things got worse.

Driven by curiousity in the wake of the Times report, a PhD student at Carnegie Mellon University by the name of Robert Xiao discovered that the "try before you buy" system used by LocationSmart to advertise the cell location tracking system contained a bug, A bug so bad that it exposed the data of roughly 200 million wireless subscribers across the United States and Canada (read: nearly everybody). As we see all too often, the researcher highlighted how the security standards in place to safeguard this data were virtually nonexistent: "Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location," said Robert Xiao, a PhD student at the Human-Computer Interaction Institute at Carnegie Mellon University, in a phone call. "The implication of this is that LocationSmart never required consent in the first place," he said. "There seems to be no security oversight here."

Federal regulators are discussing whether and how to hold Facebook Chief Executive Mark Zuckerberg personally accountable for the company's history of mismanaging users' private data, two sources familiar with the discussions told NBC News on Thursday.The sources wouldn't elaborate on what measures are specifically under consideration. The Washington Post, which first reported the development, reported that regulators were exploring increased oversight of Zuckerberg's leadership.While Facebook has come under scrutiny for its privacy practices for years, both of the Democratic members of the FTC have said the agency should target individual executives when appropriate.Justin Brookman, a former policy director for technology research at the Federal Trade Commission, or FTC, said Thursday night that while the FTC can name individual company leaders if they directed, controlled and knew about any wrongdoing, "they typically only use that authority in fraud-like cases, so far as I can tell."

Yesterday, news broke that Google has been stealth downloading audio listeners onto every computer that runs Chrome, and transmits audio data back to Google. Effectively, this means that Google had taken itself the right to listen to every conversation in every room that runs Chrome somewhere, without any kind of consent from the people eavesdropped on. In official statements, Google shrugged off the practice with what amounts to “we can do that”.It looked like just another bug report. "When I start Chromium, it downloads something." Followed by strange status information that notably included the lines "Microphone: Yes" and "Audio Capture Allowed: Yes".

Without consent, Google’s code had downloaded a black box of code that – according to itself – had turned on the microphone and was actively listening to your room.A brief explanation of the Open-source / Free-software philosophy is needed here. When you’re installing a version of GNU/Linux like Debian or Ubuntu onto a fresh computer, thousands of really smart people have analyzed every line of human-readable source code before that operating system was built into computer-executable binary code, to make it common and open knowledge what the machine actually does instead of trusting corporate statements on what it’s supposed to be doing. Therefore, you don’t install black boxes onto a Debian or Ubuntu system; you use software repositories that have gone through this source-code audit-then-build process. Maintainers of operating systems like Debian and Ubuntu use many so-called “upstreams” of source code to build the final product.Chromium, the open-source version of Google Chrome, had abused its position as trusted upstream to insert lines of source code that bypassed this audit-then-build process, and which downloaded and installed a black box of unverifiable executable code directly onto computers, essentially rendering them compromised. We don’t know and can’t know what this black box does. But we see reports that the microphone has been activated, and that Chromium considers audio capture permitted.

This was supposedly to enable the “Ok, Google” behavior – that when you say certain words, a search function is activated. Certainly a useful feature. Certainly something that enables eavesdropping of every conversation in the entire room, too.Obviously, your own computer isn’t the one to analyze the actual search command. Google’s servers do. Which means that your computer had been stealth configured to send what was being said in your room to somebody else, to a private company in another country, without your consent or knowledge, an audio transmission triggered by… an unknown and unverifiable set of conditions.Google had two responses to this. The first was to introduce a practically-undocumented switch to opt out of this behavior, which is not a fix: the default install will still wiretap your room without your consent, unless you opt out, and more importantly, know that you need to opt out, which is nowhere a reasonable requirement. But the second was more of an official statement following technical discussions on Hacker News and other places. That official statement amounted to three parts (paraphrased, of course):

A few recent legal developments affecting U.S. online privacy have rightfully troubled privacy advocates and civil libertarians on American soil. In addition to the Patriot Act's relaxed regulation of law enforcement's access to private data, recent court rulings have made it clear that U.S. authorities can secretly request data from tech companies without the user ever knowing. If this seems objectionable from the standpoint of U.S. citizens, imagine how it looks to outsiders who are storing their data there. Some European companies who do business with U.S. technology companies are concerned enough to start looking elsewhere for infrastructure

Maine internet service providers will face the strictest consumer privacy protections in the nation under a bill signed Thursday by Gov. Janet Mills, but the new law will almost certainly be challenged in court. Several technology and communication trade groups warned in testimony before the Legislature that the measure may be in conflict with federal law and would likely be the subject of legal action.

The new law, which goes into effect on July 1, 2020, would require providers to ask for permission before they sell or share any of their customers’ data to a third party. The law would also apply to telecommunications companies that provide access to the internet via their cellular networks.

The law is modeled on a Federal Communications Commission rule, adopted under the administration of President Obama but overturned by the administration of President Trump in 2017. The rule blocked an ISP from selling a customer’s personal data, which is not prohibited under federal law.

The White House and U.S. intelligence chiefs Wednesday backed making permanent a law that allows for the collection of digital communications of foreigners overseas, escalating a fight in Congress over privacy and security. The law, enshrined in Section 702 of the Foreign Intelligence Surveillance Act, is due to expire on December 31 unless Congress votes to reauthorize it, but is considered vital by U.S. intelligence agencies. Privacy advocates have criticized the law though for allowing the incidental collection of data belonging to millions of Americans without a search warrant. The push to make the law permanent may lead to a contentious debate over renewal of Section 702 in Congress, where lawmakers in both parties are deeply divided over whether to adopt transparency and oversight reforms

Reuters reported in March that the Trump administration supported renewal of Section 702 without any changes, citing an unnamed White House official, but it was not clear at the time whether it wanted the law made permanent.

Six4Three recently published a playbook for the FTC to get to the bottom of Facebook’s secretive deals selling user data without privacy controls. In light of The New York Times article reporting multiple criminal investigations into Facebook surrounding these secretive deals, we’re publishing the playbook for criminal investigators.Perhaps the most important recognition at the outset is that the secretive deals that have been reported, whether those with a handful of device manufacturers or with 150 large technology companies, are just the tip of the iceberg. Those secretive deals handing over user data in exchange for gobs of cash were merely part and parcel of a much broader illegal scheme that begins with Facebook’s transition to mobile in 2012 and continues to this very day. We believe this illegal scheme amounts to a clear RICO violation. The United Kingdom Parliament agrees. Here’s how criminal investigators can overcome Facebook’s incredibly effective concealment campaign and bring a viable RICO case.Facebook’s pattern of racketeering activity is a play in three acts from at least 2012 to present. The first act is all about the desperation resulting from the collapse of Facebook’s desktop advertising business right around its IPO and the various securities violations that resulted. The second act is about covering up those securities violations by illegally building its mobile advertising business via extortion and wire fraud in order to close the gap in Facebook’s revenue projections before the world took notice, which likely resulted in additional securities violations. The third act is about covering up the extortion and wire fraud by lying to government officials investigating Facebook while continuing to effectuate the scheme. We are still in the third act.For almost a decade now Facebook has been covering up one illegal act with another in order to hide how it managed to ramp up its mobile advertising business faster than any other business in the history of capitalism. The abuses of Facebook’s data, from Russian interference in the 2016 election to Cambridge Analytica and Brexit, all stem in substantial part from the decisions Facebook knowingly, willfully and maliciously made to facilitate this criminal conspiracy. Put simply, Facebook’s transition to mobile destabilized the world.

Alleged leaked documents about the NSA's XKeyscore snooping software appear to show the paranoid agency is targeting Tor and Tails users, Linux Journal readers – and anyone else interested in online privacy.Apparently, this configuration file for XKeyscore is in the divulged data, which was obtained and studied by members of the Tor project and security specialists for German broadcasters NDR and WDR. <a href="http://pubads.g.doubleclick.net/gampad/jump?iu=/6978/reg_security/front&sz=300x250%7C300x600&tile=3&c=33U7ZK6qwQrMkAACSrTugAAAP1&t=ct%3Dns%26unitnum%3D3%26unitname%3Dwww_top_mpu%26pos%3Dtop%26test%3D0" target="_blank"> <img src="http://pubads.g.doubleclick.net/gampad/ad?iu=/6978/reg_security/front&sz=300x250%7C300x600&tile=3&c=33U7ZK6qwQrMkAACSrTugAAAP1&t=ct%3Dns%26unitnum%3D3%26unitname%3Dwww_top_mpu%26pos%3Dtop%26test%3D0" alt=""></a> In their analysis of the alleged top-secret documents, they claim the NSA is, among other things:Specifically targeting Tor directory servers Reading email contents for mentions of Tor bridges Logging IP addresses used to search for privacy-focused websites and software And possibly breaking international law in doing so. We already know from leaked Snowden documents that Western intelligence agents hate Tor for its anonymizing abilities. But what the aforementioned leaked source code, written in a rather strange custom language, shows is that not only is the NSA targeting the anonymizing network Tor specifically, it is also taking digital fingerprints of any netizens who are remotely interested in privacy.

These include readers of the Linux Journal site, anyone visiting the website for the Tor-powered Linux operating system Tails – described by the NSA as "a comsec mechanism advocated by extremists on extremist forums" – and anyone looking into combining Tails with the encryption tool Truecrypt.If something as innocuous as Linux Journal is on the NSA's hit list, it's a distinct possibility that El Reg is too, particularly in light of our recent exclusive report on GCHQ – which led to a Ministry of Defence advisor coming round our London office for a chat.

If you take even the slightest interest in online privacy or have Googled a Linux Journal article about a broken package, you are earmarked in an NSA database for further surveillance, according to these latest leaks.This is assuming the leaked file is genuine, of course.Other monitored sites, we're told, include HotSpotShield, FreeNet, Centurian, FreeProxies.org, MegaProxy, privacy.li and an anonymous email service called MixMinion. The IP address of computer users even looking at these sites is recorded and stored on the NSA's servers for further analysis, and it's up to the agency how long it keeps that data.The XKeyscore code, we're told, includes microplugins that target Tor servers in Germany, at MIT in the United States, in Sweden, in Austria, and in the Netherlands. In doing so it may not only fall foul of German law but also the US's Fourth Amendment.

The first (and thus far only) roll-back of post-9/11 surveillance authorities was implemented over the weekend: The National Security Agency shuttered its program for collecting and holding the metadata of Americans’ phone calls under Section 215 of the Patriot Act. While bulk collection under Section 215 has ended, the government can obtain access to this information under the procedures specified in the USA Freedom Act. Indeed, some experts have argued that the Agency likely has access to more metadata because its earlier dragnet didn’t cover cell phones or Internet calling. In addition, the metadata of calls made by an individual in the United States to someone overseas and vice versa can still be collected in bulk — this takes place abroad under Executive Order 12333. No doubt the NSA wishes that this was the end of the surveillance reform story and the Paris attacks initially gave them an opening. John Brennan, the Director of the CIA, implied that the attacks were somehow related to “hand wringing” about spying and Sen. Tom Cotton (R-Ark.) introduced a bill to delay the shut down of the 215 program. Opponents of encryption were quick to say: “I told you so.”

But the facts that have emerged thus far tell a different story. It appears that much of the planning took place IRL (that’s “in real life” for those of you who don’t have teenagers). The attackers, several of whom were on law enforcement’s radar, communicated openly over the Internet. If France ever has a 9/11 Commission-type inquiry, it could well conclude that the Paris attacks were a failure of the intelligence agencies rather than a failure of intelligence authorities. Despite the passage of the USA Freedom Act, US surveillance authorities have remained largely intact. Section 702 of the FISA Amendments Act — which is the basis of programs like PRISM and the NSA’s Upstream collection of information from Internet cables — sunsets in the summer of 2017. While it’s difficult to predict the political environment that far out, meaningful reform of Section 702 faces significant obstacles. Unlike the Section 215 program, which was clearly aimed at Americans, Section 702 is supposedly targeted at foreigners and only picks up information about Americans “incidentally.” The NSA has refused to provide an estimate of how many Americans’ information it collects under Section 702, despite repeated requests from lawmakers and most recently a large cohort of advocates. The Section 215 program was held illegal by two federal courts (here and here), but civil attempts to challenge Section 702 have run into standing barriers. Finally, while two review panels concluded that the Section 215 program provided little counterterrorism benefit (here and here), they found that the Section 702 program had been useful.

There is, nonetheless, some pressure to narrow the reach of Section 702. The recent decision by the European Court of Justice in the safe harbor case suggests that data flows between Europe and the US may be restricted unless the PRISM program is modified to protect the information of Europeans (see here, here, and here for discussion of the decision and reform options). Pressure from Internet companies whose business is suffering — estimates run to the tune of $35 to 180 billion — as a result of disclosures about NSA spying may also nudge lawmakers towards reform. One of the courts currently considering criminal cases which rely on evidence derived from Section 702 surveillance may hold the program unconstitutional either on the basis of the Fourth Amendment or Article III for the reasons set out in this Brennan Center report. A federal district court in Colorado recently rejected such a challenge, although as explained in Steve’s post, the decision did not seriously explore the issues. Further litigation in the European courts too could have an impact on the debate.