Skip to main content

Home/ Socialism and the End of the American Dream/ Group items tagged Big-Data

Rss Feed Group items tagged

Filter: All | Bookmarks | Topics Simple Middle
Paul Merrell

Spies and internet giants are in the same business: surveillance. But we can stop them ... - 0 views

www.theguardian.com/...-harbour-ruling-edward-snowden

surveillance state NSA EU data privacy litigation

shared by Paul Merrell on 12 Oct 15 - No Cached
  • On Tuesday, the European court of justice, Europe’s supreme court, lobbed a grenade into the cosy, quasi-monopolistic world of the giant American internet companies. It did so by declaring invalid a decision made by the European commission in 2000 that US companies complying with its “safe harbour privacy principles” would be allowed to transfer personal data from the EU to the US. This judgment may not strike you as a big deal. You may also think that it has nothing to do with you. Wrong on both counts, but to see why, some background might be useful. The key thing to understand is that European and American views about the protection of personal data are radically different. We Europeans are very hot on it, whereas our American friends are – how shall I put it? – more relaxed.
  • Given that personal data constitutes the fuel on which internet companies such as Google and Facebook run, this meant that their exponential growth in the US market was greatly facilitated by that country’s tolerant data-protection laws. Once these companies embarked on global expansion, however, things got stickier. It was clear that the exploitation of personal data that is the core business of these outfits would be more difficult in Europe, especially given that their cloud-computing architectures involved constantly shuttling their users’ data between server farms in different parts of the world. Since Europe is a big market and millions of its citizens wished to use Facebook et al, the European commission obligingly came up with the “safe harbour” idea, which allowed companies complying with its seven principles to process the personal data of European citizens. The circle having been thus neatly squared, Facebook and friends continued merrily on their progress towards world domination. But then in the summer of 2013, Edward Snowden broke cover and revealed what really goes on in the mysterious world of cloud computing. At which point, an Austrian Facebook user, one Maximilian Schrems, realising that some or all of the data he had entrusted to Facebook was being transferred from its Irish subsidiary to servers in the United States, lodged a complaint with the Irish data protection commissioner. Schrems argued that, in the light of the Snowden revelations, the law and practice of the United States did not offer sufficient protection against surveillance of the data transferred to that country by the government.
  • The Irish data commissioner rejected the complaint on the grounds that the European commission’s safe harbour decision meant that the US ensured an adequate level of protection of Schrems’s personal data. Schrems disagreed, the case went to the Irish high court and thence to the European court of justice. On Tuesday, the court decided that the safe harbour agreement was invalid. At which point the balloon went up. “This is,” writes Professor Lorna Woods, an expert on these matters, “a judgment with very far-reaching implications, not just for governments but for companies the business model of which is based on data flows. It reiterates the significance of data protection as a human right and underlines that protection must be at a high level.”
  • ...2 more annotations...
  • This is classic lawyerly understatement. My hunch is that if you were to visit the legal departments of many internet companies today you would find people changing their underpants at regular intervals. For the big names of the search and social media worlds this is a nightmare scenario. For those of us who take a more detached view of their activities, however, it is an encouraging development. For one thing, it provides yet another confirmation of the sterling service that Snowden has rendered to civil society. His revelations have prompted a wide-ranging reassessment of where our dependence on networking technology has taken us and stimulated some long-overdue thinking about how we might reassert some measure of democratic control over that technology. Snowden has forced us into having conversations that we needed to have. Although his revelations are primarily about government surveillance, they also indirectly highlight the symbiotic relationship between the US National Security Agency and Britain’s GCHQ on the one hand and the giant internet companies on the other. For, in the end, both the intelligence agencies and the tech companies are in the same business, namely surveillance.
  • And both groups, oddly enough, provide the same kind of justification for what they do: that their surveillance is both necessary (for national security in the case of governments, for economic viability in the case of the companies) and conducted within the law. We need to test both justifications and the great thing about the European court of justice judgment is that it starts us off on that conversation.
Paul Merrell

CURIA - Documents - 0 views

curia.europa.eu/...document.jsf

surveillance state EU Court-of-Justice data-retention data privacy

shared by Paul Merrell on 19 Jul 14 - No Cached
  • 37      It must be stated that the interference caused by Directive 2006/24 with the fundamental rights laid down in Articles 7 and 8 of the Charter is, as the Advocate General has also pointed out, in particular, in paragraphs 77 and 80 of his Opinion, wide-ranging, and it must be considered to be particularly serious. Furthermore, as the Advocate General has pointed out in paragraphs 52 and 72 of his Opinion, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance.
  • 43      In this respect, it is apparent from recital 7 in the preamble to Directive 2006/24 that, because of the significant growth in the possibilities afforded by electronic communications, the Justice and Home Affairs Council of 19 December 2002 concluded that data relating to the use of electronic communications are particularly important and therefore a valuable tool in the prevention of offences and the fight against crime, in particular organised crime. 44      It must therefore be held that the retention of data for the purpose of allowing the competent national authorities to have possible access to those data, as required by Directive 2006/24, genuinely satisfies an objective of general interest.45      In those circumstances, it is necessary to verify the proportionality of the interference found to exist.46      In that regard, according to the settled case-law of the Court, the principle of proportionality requires that acts of the EU institutions be appropriate for attaining the legitimate objectives pursued by the legislation at issue and do not exceed the limits of what is appropriate and necessary in order to achieve those objectives (see, to that effect, Case C‑343/09 Afton Chemical EU:C:2010:419, paragraph 45; Volker und Markus Schecke and Eifert EU:C:2010:662, paragraph 74; Cases C‑581/10 and C‑629/10 Nelson and Others EU:C:2012:657, paragraph 71; Case C‑283/11 Sky Österreich EU:C:2013:28, paragraph 50; and Case C‑101/12 Schaible EU:C:2013:661, paragraph 29).
  • 67      Article 7 of Directive 2006/24, read in conjunction with Article 4(1) of Directive 2002/58 and the second subparagraph of Article 17(1) of Directive 95/46, does not ensure that a particularly high level of protection and security is applied by those providers by means of technical and organisational measures, but permits those providers in particular to have regard to economic considerations when determining the level of security which they apply, as regards the costs of implementing security measures. In particular, Directive 2006/24 does not ensure the irreversible destruction of the data at the end of the data retention period.68      In the second place, it should be added that that directive does not require the data in question to be retained within the European Union, with the result that it cannot be held that the control, explicitly required by Article 8(3) of the Charter, by an independent authority of compliance with the requirements of protection and security, as referred to in the two previous paragraphs, is fully ensured. Such a control, carried out on the basis of EU law, is an essential component of the protection of individuals with regard to the processing of personal data (see, to that effect, Case C‑614/10 Commission v Austria EU:C:2012:631, paragraph 37).69      Having regard to all the foregoing considerations, it must be held that, by adopting Directive 2006/24, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter.
  • ...13 more annotations...
  • 58      Directive 2006/24 affects, in a comprehensive manner, all persons using electronic communications services, but without the persons whose data are retained being, even indirectly, in a situation which is liable to give rise to criminal prosecutions. It therefore applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime. Furthermore, it does not provide for any exception, with the result that it applies even to persons whose communications are subject, according to rules of national law, to the obligation of professional secrecy. 59      Moreover, whilst seeking to contribute to the fight against serious crime, Directive 2006/24 does not require any relationship between the data whose retention is provided for and a threat to public security and, in particular, it is not restricted to a retention in relation (i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved, in one way or another, in a serious crime, or (ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offences.
  • 1        These requests for a preliminary ruling concern the validity of Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ 2006 L 105, p. 54).
  • Digital Rights Ireland Ltd (C‑293/12)vMinister for Communications, Marine and Natural Resources,Minister for Justice, Equality and Law Reform,Commissioner of the Garda Síochána,Ireland,The Attorney General,intervener:Irish Human Rights Commission, andKärntner Landesregierung (C‑594/12),Michael Seitlinger,Christof Tschohl and others,
  • JUDGMENT OF THE COURT (Grand Chamber)8 April 2014 (*)(Electronic communications — Directive 2006/24/EC — Publicly available electronic communications services or public communications networks services — Retention of data generated or processed in connection with the provision of such services — Validity — Articles 7, 8 and 11 of the Charter of Fundamental Rights of the European Union)In Joined Cases C‑293/12 and C‑594/12,
  • 34      As a result, the obligation imposed by Articles 3 and 6 of Directive 2006/24 on providers of publicly available electronic communications services or of public communications networks to retain, for a certain period, data relating to a person’s private life and to his communications, such as those referred to in Article 5 of the directive, constitutes in itself an interference with the rights guaranteed by Article 7 of the Charter. 35      Furthermore, the access of the competent national authorities to the data constitutes a further interference with that fundamental right (see, as regards Article 8 of the ECHR, Eur. Court H.R., Leander v. Sweden, 26 March 1987, § 48, Series A no 116; Rotaru v. Romania [GC], no. 28341/95, § 46, ECHR 2000-V; and Weber and Saravia v. Germany (dec.), no. 54934/00, § 79, ECHR 2006-XI). Accordingly, Articles 4 and 8 of Directive 2006/24 laying down rules relating to the access of the competent national authorities to the data also constitute an interference with the rights guaranteed by Article 7 of the Charter. 36      Likewise, Directive 2006/24 constitutes an interference with the fundamental right to the protection of personal data guaranteed by Article 8 of the Charter because it provides for the processing of personal data.
  • 65      It follows from the above that Directive 2006/24 does not lay down clear and precise rules governing the extent of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter. It must therefore be held that Directive 2006/24 entails a wide-ranging and particularly serious interference with those fundamental rights in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary.66      Moreover, as far as concerns the rules relating to the security and protection of data retained by providers of publicly available electronic communications services or of public communications networks, it must be held that Directive 2006/24 does not provide for sufficient safeguards, as required by Article 8 of the Charter, to ensure effective protection of the data retained against the risk of abuse and against any unlawful access and use of that data. In the first place, Article 7 of Directive 2006/24 does not lay down rules which are specific and adapted to (i) the vast quantity of data whose retention is required by that directive, (ii) the sensitive nature of that data and (iii) the risk of unlawful access to that data, rules which would serve, in particular, to govern the protection and security of the data in question in a clear and strict manner in order to ensure their full integrity and confidentiality. Furthermore, a specific obligation on Member States to establish such rules has also not been laid down.
  • 60      Secondly, not only is there a general absence of limits in Directive 2006/24 but Directive 2006/24 also fails to lay down any objective criterion by which to determine the limits of the access of the competent national authorities to the data and their subsequent use for the purposes of prevention, detection or criminal prosecutions concerning offences that, in view of the extent and seriousness of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, may be considered to be sufficiently serious to justify such an interference. On the contrary, Directive 2006/24 simply refers, in Article 1(1), in a general manner to serious crime, as defined by each Member State in its national law.61      Furthermore, Directive 2006/24 does not contain substantive and procedural conditions relating to the access of the competent national authorities to the data and to their subsequent use. Article 4 of the directive, which governs the access of those authorities to the data retained, does not expressly provide that that access and the subsequent use of the data in question must be strictly restricted to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating thereto; it merely provides that each Member State is to define the procedures to be followed and the conditions to be fulfilled in order to gain access to the retained data in accordance with necessity and proportionality requirements.
  • 55      The need for such safeguards is all the greater where, as laid down in Directive 2006/24, personal data are subjected to automatic processing and where there is a significant risk of unlawful access to those data (see, by analogy, as regards Article 8 of the ECHR, S. and Marper v. the United Kingdom, § 103, and M. K. v. France, 18 April 2013, no. 19522/09, § 35).56      As for the question of whether the interference caused by Directive 2006/24 is limited to what is strictly necessary, it should be observed that, in accordance with Article 3 read in conjunction with Article 5(1) of that directive, the directive requires the retention of all traffic data concerning fixed telephony, mobile telephony, Internet access, Internet e-mail and Internet telephony. It therefore applies to all means of electronic communication, the use of which is very widespread and of growing importance in people’s everyday lives. Furthermore, in accordance with Article 3 of Directive 2006/24, the directive covers all subscribers and registered users. It therefore entails an interference with the fundamental rights of practically the entire European population. 57      In this respect, it must be noted, first, that Directive 2006/24 covers, in a generalised manner, all persons and all means of electronic communication as well as all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime.
  • 62      In particular, Directive 2006/24 does not lay down any objective criterion by which the number of persons authorised to access and subsequently use the data retained is limited to what is strictly necessary in the light of the objective pursued. Above all, the access by the competent national authorities to the data retained is not made dependent on a prior review carried out by a court or by an independent administrative body whose decision seeks to limit access to the data and their use to what is strictly necessary for the purpose of attaining the objective pursued and which intervenes following a reasoned request of those authorities submitted within the framework of procedures of prevention, detection or criminal prosecutions. Nor does it lay down a specific obligation on Member States designed to establish such limits. 63      Thirdly, so far as concerns the data retention period, Article 6 of Directive 2006/24 requires that those data be retained for a period of at least six months, without any distinction being made between the categories of data set out in Article 5 of that directive on the basis of their possible usefulness for the purposes of the objective pursued or according to the persons concerned.64      Furthermore, that period is set at between a minimum of 6 months and a maximum of 24 months, but it is not stated that the determination of the period of retention must be based on objective criteria in order to ensure that it is limited to what is strictly necessary.
  • 52      So far as concerns the right to respect for private life, the protection of that fundamental right requires, according to the Court’s settled case-law, in any event, that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary (Case C‑473/12 IPI EU:C:2013:715, paragraph 39 and the case-law cited).53      In that regard, it should be noted that the protection of personal data resulting from the explicit obligation laid down in Article 8(1) of the Charter is especially important for the right to respect for private life enshrined in Article 7 of the Charter.54      Consequently, the EU legislation in question must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards so that the persons whose data have been retained have sufficient guarantees to effectively protect their personal data against the risk of abuse and against any unlawful access and use of that data (see, by analogy, as regards Article 8 of the ECHR, Eur. Court H.R., Liberty and Others v. the United Kingdom, 1 July 2008, no. 58243/00, § 62 and 63; Rotaru v. Romania, § 57 to 59, and S. and Marper v. the United Kingdom, § 99).
  • 26      In that regard, it should be observed that the data which providers of publicly available electronic communications services or of public communications networks must retain, pursuant to Articles 3 and 5 of Directive 2006/24, include data necessary to trace and identify the source of a communication and its destination, to identify the date, time, duration and type of a communication, to identify users’ communication equipment, and to identify the location of mobile communication equipment, data which consist, inter alia, of the name and address of the subscriber or registered user, the calling telephone number, the number called and an IP address for Internet services. Those data make it possible, in particular, to know the identity of the person with whom a subscriber or registered user has communicated and by what means, and to identify the time of the communication as well as the place from which that communication took place. They also make it possible to know the frequency of the communications of the subscriber or registered user with certain persons during a given period. 27      Those data, taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.
  • 32      By requiring the retention of the data listed in Article 5(1) of Directive 2006/24 and by allowing the competent national authorities to access those data, Directive 2006/24, as the Advocate General has pointed out, in particular, in paragraphs 39 and 40 of his Opinion, derogates from the system of protection of the right to privacy established by Directives 95/46 and 2002/58 with regard to the processing of personal data in the electronic communications sector, directives which provided for the confidentiality of communications and of traffic data as well as the obligation to erase or make those data anonymous where they are no longer needed for the purpose of the transmission of a communication, unless they are necessary for billing purposes and only for as long as so necessary.
  • On those grounds, the Court (Grand Chamber) hereby rules:Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC is invalid.
  • Paul Merrell on 19 Jul 14
     
    EU Court of Justice decision in regard to a Directive that required communications data retention by telcos/ISPs, finding the Directive invalid as a violation of the right of privacy in communications. Fairly read, paragraph 59 outlaws bulk collection of such records, i.e., it requires the equivalent of a judge-issued search warrant in the U.S. based on probable cause to believe that the particular individual's communications are a legitimate object of a search.  Note also that paragraph 67 effectively forbids transfer of any retained data outside the E.U. So a barrier for NSA sharing of data with GCHQ derived from communications NSA collects from EU communications traffic. Bye-bye, Big Data for GCHQ in the E.U. 
Paul Merrell

Data Transfer Pact Between U.S. and Europe Is Ruled Invalid - The New York Times - 0 views

www.nytimes.com/...-union-us-data-collection.html

surveillance state NSA-reform EUCJ litigation safe-harbor

shared by Paul Merrell on 06 Oct 15 - No Cached
  • Europe’s highest court on Tuesday struck down an international agreement that allowed companies to move digital information like people’s web search histories and social media updates between the European Union and the United States. The decision left the international operations of companies like Google and Facebook in a sort of legal limbo even as their services continued working as usual.The ruling, by the European Court of Justice, said the so-called safe harbor agreement was flawed because it allowed American government authorities to gain routine access to Europeans’ online information. The court said leaks from Edward J. Snowden, the former contractor for the National Security Agency, made it clear that American intelligence agencies had almost unfettered access to the data, infringing on Europeans’ rights to privacy. The court said data protection regulators in each of the European Union’s 28 countries should have oversight over how companies collect and use online information of their countries’ citizens. European countries have widely varying stances towards privacy.
  • Data protection advocates hailed the ruling. Industry executives and trade groups, though, said the decision left a huge amount of uncertainty for big companies, many of which rely on the easy flow of data for lucrative businesses like online advertising. They called on the European Commission to complete a new safe harbor agreement with the United States, a deal that has been negotiated for more than two years and could limit the fallout from the court’s decision.
  • Some European officials and many of the big technology companies, including Facebook and Microsoft, tried to play down the impact of the ruling. The companies kept their services running, saying that other agreements with the European Union should provide an adequate legal foundation.But those other agreements are now expected to be examined and questioned by some of Europe’s national privacy watchdogs. The potential inquiries could make it hard for companies to transfer Europeans’ information overseas under the current data arrangements. And the ruling appeared to leave smaller companies with fewer legal resources vulnerable to potential privacy violations.
  • ...3 more annotations...
  • “We can’t assume that anything is now safe,” Brian Hengesbaugh, a privacy lawyer with Baker & McKenzie in Chicago who helped to negotiate the original safe harbor agreement. “The ruling is so sweepingly broad that any mechanism used to transfer data from Europe could be under threat.”At issue is the sort of personal data that people create when they post something on Facebook or other social media; when they do web searches on Google; or when they order products or buy movies from Amazon or Apple. Such data is hugely valuable to companies, which use it in a broad range of ways, including tailoring advertisements to individuals and promoting products or services based on users’ online activities.The data-transfer ruling does not apply solely to tech companies. It also affects any organization with international operations, such as when a company has employees in more than one region and needs to transfer payroll information or allow workers to manage their employee benefits online.
  • But it was unclear how bulletproof those treaties would be under the new ruling, which cannot be appealed and went into effect immediately. Europe’s privacy watchdogs, for example, remain divided over how to police American tech companies.France and Germany, where companies like Facebook and Google have huge numbers of users and have already been subject to other privacy rulings, are among the countries that have sought more aggressive protections for their citizens’ personal data. Britain and Ireland, among others, have been supportive of Safe Harbor, and many large American tech companies have set up overseas headquarters in Ireland.
  • “For those who are willing to take on big companies, this ruling will have empowered them to act,” said Ot van Daalen, a Dutch privacy lawyer at Project Moore, who has been a vocal advocate for stricter data protection rules. The safe harbor agreement has been in place since 2000, enabling American tech companies to compile data generated by their European clients in web searches, social media posts and other online activities.
  • Paul Merrell on 06 Oct 15
     
    Another take on it from EFF: https://www.eff.org/deeplinks/2015/10/europes-court-justice-nsa-surveilance Expected since the Court's Advocate General released an opinion last week, presaging today's opinion.  Very big bucks involved behind the scenes because removing U.S.-based internet companies from the scene in the E.U. would pave the way for growth of E.U.-based companies.  The way forward for the U.S. companies is even more dicey because of a case now pending in the U.S.  The Second U.S. Circuit Court of Appeals is about to decide a related case in which Microsoft was ordered by the lower court to produce email records stored on a server in Ireland. . Should the Second Circuit uphold the order and the Supreme Court deny review, then under the principles announced today by the Court in the E.U., no U.S.-based company could ever be allowed to have "possession, custody, or control" of the data of E.U. citizens. You can bet that the E.U. case will weigh heavily in the Second Circuit's deliberations.  The E.U. decision is by far and away the largest legal event yet flowing out of the Edward Snowden disclosures, tectonic in scale. Up to now, Congress has succeeded in confining all NSA reforms to apply only to U.S. citizens. But now the large U.S. internet companies, Google, Facebook, Microsoft, Dropbox, etc., face the loss of all Europe as a market. Congress *will* be forced by their lobbying power to extend privacy protections to "non-U.S. persons."  Thank you again, Edward Snowden.
Paul Merrell

Microsoft to host data in Germany to evade US spying | Naked Security - 0 views

nakedsecurity.sophos.com/...-in-germany-to-evade-us-spying

surveillance state NSA FBI EU data-centers privacy

shared by Paul Merrell on 14 Nov 15 - No Cached
  • Microsoft's new plan to keep the US government's hands off its customers' data: Germany will be a safe harbor in the digital privacy storm. Microsoft on Wednesday announced that beginning in the second half of 2016, it will give foreign customers the option of keeping data in new European facilities that, at least in theory, should shield customers from US government surveillance. It will cost more, according to the Financial Times, though pricing details weren't forthcoming. Microsoft Cloud - including Azure, Office 365 and Dynamics CRM Online - will be hosted from new datacenters in the German regions of Magdeburg and Frankfurt am Main. Access to data will be controlled by what the company called a German data trustee: T-Systems, a subsidiary of the independent German company Deutsche Telekom. Without the permission of Deutsche Telekom or customers, Microsoft won't be able to get its hands on the data. If it does get permission, the trustee will still control and oversee Microsoft's access.
  • Microsoft CEO Satya Nadella dropped the word "trust" into the company's statement: Microsoft’s mission is to empower every person and every individual on the planet to achieve more. Our new datacenter regions in Germany, operated in partnership with Deutsche Telekom, will not only spur local innovation and growth, but offer customers choice and trust in how their data is handled and where it is stored.
  • On Tuesday, at the Future Decoded conference in London, Nadella also announced that Microsoft would, for the first time, be opening two UK datacenters next year. The company's also expanding its existing operations in Ireland and the Netherlands. Officially, none of this has anything to do with the long-drawn-out squabbling over the transatlantic Safe Harbor agreement, which the EU's highest court struck down last month, calling the agreement "invalid" because it didn't protect data from US surveillance. No, Nadella said, the new datacenters and expansions are all about giving local businesses and organizations "transformative technology they need to seize new global growth." But as Diginomica reports, Microsoft EVP of Cloud and Enterprise Scott Guthrie followed up his boss’s comments by saying that yes, the driver behind the new datacenters is to let customers keep data close: We can guarantee customers that their data will always stay in the UK. Being able to very concretely tell that story is something that I think will accelerate cloud adoption further in the UK.
  • ...2 more annotations...
  • Microsoft and T-Systems' lawyers may well think that storing customer data in a German trustee data center will protect it from the reach of US law, but for all we know, that could be wishful thinking. Forrester cloud computing analyst Paul Miller: To be sure, we must wait for the first legal challenge. And the appeal. And the counter-appeal. As with all new legal approaches, we don’t know it is watertight until it is challenged in court. Microsoft and T-Systems’ lawyers are very good and say it's watertight. But we can be sure opposition lawyers will look for all the holes. By keeping data offshore - particularly in Germany, which has strong data privacy laws - Microsoft could avoid the situation it's now facing with the US demanding access to customer emails stored on a Microsoft server in Dublin. The US has argued that Microsoft, as a US company, comes under US jurisdiction, regardless of where it keeps its data.
  • Running away to Germany isn't a groundbreaking move; other US cloud services providers have already pledged expansion of their EU presences, including Amazon's plan to open a UK datacenter in late 2016 that will offer what CTO Werner Vogels calls "strong data sovereignty to local users." Other big data operators that have followed suit: Salesforce, which has already opened datacenters in the UK and Germany and plans to open one in France next year, as well as new EU operations pledged for the new year by NetSuite and Box. Can Germany keep the US out of its datacenters? Can Ireland? Time, and court cases, will tell.
  • Paul Merrell on 14 Nov 15
     
    The European Community's Court of Justice decision in the Safe Harbor case --- and Edward Snowden --- are now officially downgrading the U.S. as a cloud data center location. NSA is good business for Europeans looking to displace American cloud service providers, as evidenced by Microsoft's decision. The legal test is whether Microsoft has "possession, custody, or control" of the data. From the info given in the article, it seems that Microsoft has done its best to dodge that bullet by moving data centers to Germany and placing their data under the control of a European company. Do ownership of the hardware and profits from their rent mean that Microsoft still has "possession, custody, or control" of the data? The fine print of the agreement with Deutsche Telekom and the customer EULAs will get a thorough going over by the Dept. of Justice for evidence of Microsoft "control" of the data. That will be the crucial legal issue. The data centers in Germany may pass the test. But the notion that data centers in the UK can offer privacy is laughable; the UK's legal authority for GCHQ makes it even easier to get the data than the NSA can in the U.S.  It doesn't even require a court order. 
Paul Merrell

U.S. Airstrikes on ISIS in Tikrit Prompt Boycott by Shiite Fighters - NYTimes.com - 0 views

www.nytimes.com/...-raids-islamic-state-isis.html

war & peace Iraq U.S.-foreign-policy bombing Shia-militias yankee-go-home

shared by Paul Merrell on 28 Mar 15 - No Cached
  • By Day 2 of the American airstrike campaign against militants holed up in Tikrit, the mission appeared beleaguered on several fronts on Thursday: Thousands of Shiite militiamen boycotted the fight, others threatened to attack any Americans they found, and Iraqi officials said nine of their fighters had been accidentally killed in an airstrike.In Washington, American military leaders insisted that things were going according to plan. They said that they were stepping into the Tikrit fight only after the Iranian- and militia-led advance on the city had stalled after three weeks, and that they welcomed working solely with Iraqi government forces.Gen. Lloyd Austin, the head of the United States Central Command, told a Senate hearing on Thursday that no Shiite militias remained in Tikrit.
  • While the withdrawal of Iranian-led Shiite militias was one of the preconditions for the Americans to join the fight against the Islamic State in Tikrit, the sudden departure of three of the major groups risked leaving the Iraqi ground forces short-handed, especially if other Shiite militiamen also abandoned the fight.
  • The three militia groups, some of which had Iranian advisers with them until recently, pulled out of the Tikrit fight to protest the American airstrikes, which began late Wednesday night, insisting that the Americans were not needed to defeat the extremists in Tikrit.Too great or abrupt a withdrawal by militia forces, analysts said, could complicate the entire Iraqi counteroffensive. Even with the militias involved, officials said the current pro-government force would not be large enough to eventually help take Mosul back from the Islamic State, also known as ISIS or ISIL.Top officials at the Pentagon appeared to think that it would not be easy to retake even Tikrit without Iranian help. “It’s going to require the kind of hammer-and-anvil approach of ground forces forcing ISIL to respond in ways that they’re targetable by air power,” one Defense Department official said. “But we’re less than 24 hours into it.”
  • ...5 more annotations...
  • Another official, asked if he was worried that the United States now owned the Tikrit operation, said, “Yes. This was a calculated risk, but it’s one that had to be taken.” Both officials spoke on grounds of anonymity because they were not authorized to speak publicly on the issue.Together, the four Shiite groups that objected to the American air role already represent more than a third of the 30,000 fighters on the government side in the offensive against the Islamic State, analysts said.
  • One of the leaders of the biggest militias in the fight, the Badr Organization, also criticized the American role and said his group, too, might pull out.Continue reading the main story “We don’t need the American-led coalition to participate in Tikrit. Tikrit is an easy battle, we can win it ourselves,” said Mueen al-Kadhumi, who is one of the Shiite militia group’s top commanders.
  • The Badr Organization fields the largest cohesive ground force in the conflict, and its withdrawal from Tikrit would be potentially catastrophic, according to Wafiq al-Hashimi, the head of the Iraqi Group for Strategic Studies. “Dr. Abadi rushed into this decision to liberate Tikrit with the Americans without taking time to work out a compromise among all these groups and the Americans, most of whom have a lot of disputes with the Americans,” Mr. Hashimi said.Another Iranian-aligned Shiite militia group reacted with defiance and threats against the Americans.
  • “We are staying in Tikrit, we are not leaving and we are going to target the American-led coalition in Tikrit and their creation, ISIS,” said Akram al-Kabi, the leader of the Nujabaa Brigade, a powerful militia that has previously sent fighters to Syria on behalf of the Bashir al-Assad government there.His remarks raised the possibility that the group would use antiaircraft fire against coalition warplanes, using Iraqi fighting positions.On Thursday night, an airstrike on the village of Alvu Ajeel, on the edge of Tikrit, killed six Shiite militiamen, as well as three federal policemen, one of them a colonel, according to a spokesman for the Iraqi military’s Salahuddin Operations Command. The strike was thought to have been carried out by the United States.
  • The other groups that announced they would boycott the Tikrit operation were Qatab Hizbullah, which like Asaib Ahl al-Haq is closely aligned and supported by Iran, and the Peace Brigade, the latest name for a militia made of up followers of the Shiite cleric Moktada al-Sadr, previously known as the Mahdi Army.Mr. Sadr, whose troops fought bitter battles against the Americans during much of the Iraq war, said his group was pulling out because, “The participation of the so-called international alliance is to protect ISIS on the one hand, and to confiscate the achievements of the Iraqis on the other hand.”
  • Paul Merrell on 28 Mar 15
     
    Big "Yankee, go home" message from the Shia militias. They don't trust the U.S. for some strange reason. Not. The U.S. well earned their distrust.
Paul Merrell

Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say - NYTimes.com - 0 views

www.nytimes.com/...ernet-flaws-officials-say.html

surveillance state Obama NSA NSA-backdoors exploits must-read Iranian-nukes-myth Stuxnet

shared by Paul Merrell on 13 Apr 14 - No Cached
  • Stepping into a heated debate within the nation’s intelligence agencies, President Obama has decided that when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks, senior administration officials said Saturday.But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.
  • elements of the decision became evident on Friday, when the White House denied that it had any prior knowledge of the Heartbleed bug, a newly known hole in Internet security that sent Americans scrambling last week to change their online passwords. The White House statement said that when such flaws are discovered, there is now a “bias” in the government to share that knowledge with computer and software manufacturers so a remedy can be created and distributed to industry and consumers.Caitlin Hayden, the spokeswoman for the National Security Council, said the review of the recommendations was now complete, and it had resulted in a “reinvigorated” process to weigh the value of disclosure when a security flaw is discovered, against the value of keeping the discovery secret for later use by the intelligence community.“This process is biased toward responsibly disclosing such vulnerabilities,” she said.
  • One recommendation urged the N.S.A. to get out of the business of weakening commercial encryption systems or trying to build in “back doors” that would make it far easier for the agency to crack the communications of America’s adversaries. Tempting as it was to create easy ways to break codes — the reason the N.S.A. was established by Harry S. Truman 62 years ago — the committee concluded that the practice would undercut trust in American software and hardware products. In recent months, Silicon Valley companies have urged the United States to abandon such practices, while Germany and Brazil, among other nations, have said they were considering shunning American-made equipment and software. Their motives were hardly pure: Foreign companies see the N.S.A. disclosures as a way to bar American competitors.Continue reading the main story Continue reading the main story AdvertisementAnother recommendation urged the government to make only the most limited, temporary use of what hackers call “zero days,” the coding flaws in software like Microsoft Windows that can give an attacker access to a computer — and to any business, government agency or network connected to it. The flaws get their name from the fact that, when identified, the computer user has “zero days” to fix them before hackers can exploit the accidental vulnerability.
  • ...2 more annotations...
  • The N.S.A. made use of four “zero day” vulnerabilities in its attack on Iran’s nuclear enrichment sites. That operation, code-named “Olympic Games,” managed to damage roughly 1,000 Iranian centrifuges, and by some accounts helped drive the country to the negotiating table.Not surprisingly, officials at the N.S.A. and at its military partner, the United States Cyber Command, warned that giving up the capability to exploit undisclosed vulnerabilities would amount to “unilateral disarmament” — a phrase taken from the battles over whether and how far to cut America’s nuclear arsenal.“We don’t eliminate nuclear weapons until the Russians do,” one senior intelligence official said recently. “You are not going to see the Chinese give up on ‘zero days’ just because we do.” Even a senior White House official who was sympathetic to broad reforms after the N.S.A. disclosures said last month, “I can’t imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.”
  • But documents released by Edward J. Snowden, the former N.S.A. contractor, make it clear that two years before Heartbleed became known, the N.S.A. was looking at ways to accomplish exactly what the flaw did by accident. A program code-named Bullrun, apparently named for the site of two Civil War battles just outside Washington, was part of a decade-long effort to crack or circumvent encryption on the web. The documents do not make clear how well it succeeded, but it may well have been more effective than exploiting Heartbleed would be at enabling access to secret data.The government has become one of the biggest developers and purchasers of information identifying “zero days,” officials acknowledge. Those flaws are big business — Microsoft pays up to $150,000 to those who find them and bring them to the company to fix — and other countries are gathering them so avidly that something of a modern-day arms race has broken out. Chief among the nations seeking them are China and Russia, though Iran and North Korea are in the market as well.
  • Paul Merrell on 13 Apr 14
     
    Note that this is only an elastic policy, not law. Also notice that NYT is now reporting as *fact* that the NSA did the cyber attack on the Iranian enrichment centrifuges. By any legal measure, if true that was an act of war, a war of aggression.  So why wasn't the American public informed that we were at war with Iran? 
Paul Merrell

BP Settlement in Gulf Oil Spill Is Raised to $20.8 Billion - The New York Times - 0 views

www.nytimes.com/...is-raised-to-20-8-billion.html

environment BP litigation settlement

shared by Paul Merrell on 13 Oct 15 - No Cached
  • The Justice Department on Monday announced a final settlement with the oil giant BP of $20.8 billion for its role in the disastrous 2010 Gulf of Mexico oil spill, raising the total from the initial $18.7 billion settlement announced in July.At either amount, it is the largest environmental settlement — and the largest civil settlement with any single entity — in the nation’s history.The United States attorney general, Loretta Lynch, called the filing of the final settlement “a major step forward in our effort to deliver justice to the gulf region in the wake of the Deepwater Horizon tragedy — the largest environmental disaster our nation has ever endured.”Gina McCarthy, the Environmental Protection Agency administrator, estimated that the final settlement represented a payment of $1,725 for each barrel of oil spilled in the disaster. The maximum amount that a judge could have assessed in the case was $4,300 a barrel.
  • The settlement resolves a 2010 lawsuit filed by the Justice Department against BP. It includes civil claims under the Clean Water Act, for which BP has agreed to pay a $5.5 billion penalty, the largest civil penalty in the history of environmental law. Also, it includes natural resources damages claims under the Oil Pollution Act, for which BP has agreed to pay $7.1 billion, on top of the $1 billion it previously committed to pay for early restoration work. Continue reading the main story Related in Opinion Editorial: BP Deal Will Lead to a Cleaner GulfJULY 8, 2015 In addition, the settlement includes economic damages claims, for which BP has agreed to pay $4.9 billion to the five gulf states — Alabama, Florida, Louisiana, Mississippi and Texas — and up to $1 billion to local governments. Louisiana, the hardest hit of the states, will receive $5 billion of the $8.8 billion allocated for restoration.Ms. Lynch said the increase in the total settlement represented a “refining of the numbers” over the initial settlement. “Over time, we refine numbers as the settlement is finalized,” she said.
  • Geoff Morrell, BP senior vice president for United States communications, said in a statement that the revised overall figure did not change the settlement announced in July, but included amounts previously spent or disclosed by the company. The settlement, he said, “resolves the largest litigation liabilities remaining from the tragic accident,” and provides the company “certainty with respect to its financial obligations.”Under the draft restoration plan, $8.8 billion would be allocated to restore the gulf ecosystem.
  • ...1 more annotation...
  • A panel responsible for assessing the damages to the gulf ecosystems found effects on the region’s wildlife, including fish, oysters, plankton, birds and sea mammals; habitat, including marshes and beaches; and recreational activities.The proposed $8.8 billion in restoration would be invested across the five gulf states over 15 years, in a range of projects intended to restore those resources.“This restoration plan ensures that the funds will be distributed in ways that make sense,” Ms. McCarthy said.
  • Paul Merrell on 13 Oct 15
     
    Let's see. $20.8 billion total settlement. $8.8 billion going to environmental restoration. The Feds pocket $12 billion. And it's all pennies on the dollar in terms of ongoing damage.  The Feds, knowing that they can profit from environmental havoc committed by corporations, only paused deep ocean drilling permits for a few months, hoping for more damage to be caused by other companies.  The real scandal was and is that BP had a long and extremely well-documented history of causing environmental disasters in their pursuit of oil profits. Were there truly any environmental justice, the result would have been corporate capital punishment and virtually all of its executives in prison for the remainder of their lives, preferably at hard labor cleaning up the mess they created. But throw enough zeros after the settlement number and the human beings whose penny-pinching on safety caused the disaster walk free, free to do it all over again. They must have joined the same Too Big to Jail Golf Club that the banksters use.  
Paul Merrell

N.S.A. Devises Radio Pathway Into Computers - NYTimes.com - 1 views

www.nytimes.com/...not-connected-to-internet.html

surveillance state NSA NSA-capabilities air-gap-penetration must-read

shared by Paul Merrell on 16 Jan 14 - No Cached
  • The National Security Agency has implanted software in nearly 100,000 computers around the world that allows the United States to conduct surveillance on those machines and can also create a digital highway for launching cyberattacks.While most of the software is inserted by gaining access to computer networks, the N.S.A. has increasingly made use of a secret technology that enables it to enter and alter data in computers even if they are not connected to the Internet, according to N.S.A. documents, computer experts and American officials.The technology, which the agency has used since at least 2008, relies on a covert channel of radio waves that can be transmitted from tiny circuit boards and USB cards inserted surreptitiously into the computers. In some cases, they are sent to a briefcase-size relay station that intelligence agencies can set up miles away from the target.
  • The radio frequency technology has helped solve one of the biggest problems facing American intelligence agencies for years: getting into computers that adversaries, and some American partners, have tried to make impervious to spying or cyberattack. In most cases, the radio frequency hardware must be physically inserted by a spy, a manufacturer or an unwitting user.
  • The N.S.A. and the Pentagon’s Cyber Command have implanted nearly 100,000 “computer network exploits” around the world, but the hardest problem is getting inside machines isolated from outside communications.
  • ...8 more annotations...
  • the program, code-named Quantum, has also been successful in inserting software into Russian military networks and systems used by the Mexican police and drug cartels, trade institutions inside the European Union, and sometime partners against terrorism like Saudi Arabia, India and Pakistan, according to officials and an N.S.A. map that indicates sites of what the agency calls “computer network exploitation.”“What’s new here is the scale and the sophistication of the intelligence agency’s ability to get into computers and networks to which no one has ever had access before,” said James Andrew Lewis, the cybersecurity expert at the Center for Strategic and International Studies in Washington. “Some of these capabilities have been around for a while, but the combination of learning how to penetrate systems to insert software and learning how to do that using radio frequencies has given the U.S. a window it’s never had before.”
  • A program named Treasure Map tried to identify nearly every node and corner of the web, so that any computer or mobile device that touched it could be located.
  • Over the past two months, parts of the program have been disclosed in documents from the trove leaked by Edward J. Snowden, the former N.S.A. contractor. A Dutch newspaper published the map of areas where the United States has inserted spy software, sometimes in cooperation with local authorities, often covertly. Der Spiegel, a German newsmagazine, published the N.S.A.'s catalog of hardware products that can secretly transmit and receive digital signals from computers, a program called ANT. The New York Times withheld some of those details, at the request of American intelligence officials, when it reported, in the summer of 2012, on American cyberattacks on Iran.
  • A 2008 map, part of the Snowden trove, notes 20 programs to gain access to big fiber-optic cables — it calls them “covert, clandestine or cooperative large accesses” — not only in the United States but also in places like Hong Kong, Indonesia and the Middle East. The same map indicates that the United States had already conducted “more than 50,000 worldwide implants,” and a more recent budget document said that by the end of last year that figure would rise to about 85,000. A senior official, who spoke on the condition of anonymity, said the actual figure was most likely closer to 100,000.
  • The N.S.A.'s efforts to reach computers unconnected to a network have relied on a century-old technology updated for modern times: radio transmissions.In a catalog produced by the agency that was part of the Snowden documents released in Europe, there are page after page of devices using technology that would have brought a smile to Q, James Bond’s technology supplier.
  • One, called Cottonmouth I, looks like a normal USB plug but has a tiny transceiver buried in it. According to the catalog, it transmits information swept from the computer “through a covert channel” that allows “data infiltration and exfiltration.” Another variant of the technology involves tiny circuit boards that can be inserted in a laptop computer — either in the field or when they are shipped from manufacturers — so that the computer is broadcasting to the N.S.A. even while the computer’s user enjoys the false confidence that being walled off from the Internet constitutes real protection.The relay station it communicates with, called Nightstand, fits in an oversize briefcase, and the system can attack a computer “from as far away as eight miles under ideal environmental conditions.” It can also insert packets of data in milliseconds, meaning that a false message or piece of programming can outrace a real one to a target computer. Similar stations create a link between the target computers and the N.S.A., even if the machines are isolated from the Internet.
  • Computers are not the only targets. Dropoutjeep attacks iPhones. Other hardware and software are designed to infect large network servers, including those made by the Chinese.Most of those code names and products are now at least five years old, and they have been updated, some experts say, to make the United States less dependent on physically getting hardware into adversaries’ computer systems.
  • But the Stuxnet strike does not appear to be the last time the technology was used in Iran. In 2012, a unit of the Islamic Revolutionary Guards Corps moved a rock near the country’s underground Fordo nuclear enrichment plant. The rock exploded and spewed broken circuit boards that the Iranian news media described as “the remains of a device capable of intercepting data from computers at the plant.” The origins of that device have never been determined.
  • Paul Merrell on 16 Jan 14
     
    Even radio transceivers emplanted in USB jacks. So now to be truly secure, we need not only an air gap but also a Faraday cage protecting the air gap. 
Paul Merrell

Congress Can Now Cut the Pay of Individual Civil Servants - 0 views

nymag.com/...individual-civil-servants.html

Congress legislation civil-service

shared by Paul Merrell on 27 Jan 17 - No Cached
  • This week, congressional Republicans gave themselves the power to slash the annual salary of any individual federal worker to as low as $1 — and the budget of any individual federal program right down to zero. They executed this attack on the independence of the civil service by reviving an obscure provision enacted by Congress in 1876: The Holman Rule, named after the Indiana congressman who devised it, empowers any member of Congress to submit an amendment to an appropriations bill that targets the funding of a specific government program or employee. The rule was devised before the advent of a nonpolitical, career civil service and was rarely invoked in the modern era. In 1983, Democratic speaker Tip O’Neill laid it to rest. For the past three decades, Congress has had the power to slash any agency’s overall budget, but not to target specific projects or civil servants for funding cuts or downsizing. @media (min-width: 1024px) { .ad.vp-1024-plus { display: block; } } Until now. “This is a big rule change inside there that allows people to get at places they hadn’t before,” House Majority Leader Kevin McCarthy told reporters this week. “All agencies should be held accountable and tested in a manner and this is an avenue to allow them to do it.” This big change flew under the radar when it was enacted Tuesday, as congressional Republicans’ (quickly forfeited) attempt to gut the House ethics office sucked up all available media attention. But the Holman Rule could prove more consequential, particularly if the GOP proves eager to deploy its new weapon.
  • Paul Merrell on 27 Jan 17
     
    That will last until the first case hits the federal courts. Huge separation of powers issue along with the Equal Protection Clause.
Paul Merrell

5 Big Banks Expected to Plead Guilty to Felony Charges, but Punishments May Be Tempered... - 0 views

www.nytimes.com/...nishments-may-be-tempered.html

banksters litigation UBS Barclays JPMorgan Chase Citigroup Royal-Bank-of-Scotland guilty-pleas SEC-waivers

shared by Paul Merrell on 16 May 15 - No Cached
  • The Justice Department is preparing to announce that Barclays, JPMorgan Chase, Citigroup and the Royal Bank of Scotland will collectively pay several billion dollars and plead guilty to criminal antitrust violations for rigging the price of foreign currencies, according to people briefed on the matter who spoke on the condition of anonymity. Most if not all of the pleas are expected to come from the banks’ holding companies, the people said — a first for Wall Street giants that until now have had only subsidiaries or their biggest banking units plead guilty.
  • The Justice Department is also preparing to resolve accusations of foreign currency misconduct at UBS. As part of that deal, prosecutors are taking the rare step of tearing up a 2012 nonprosecution agreement with the bank over the manipulation of benchmark interest rates, the people said, citing the bank’s foreign currency misconduct as a violation of the earlier agreement. UBS A.G., the banking unit that signed the 2012 nonprosecution agreement, is expected to plead guilty to the earlier charges and pay a fine that could be as high as $500 million rather than go to trial, the people said.
  • Holding companies, while appearing to be the most important entities at the banks, are in less jeopardy of suffering the consequences of guilty pleas. Some banks worried that a guilty plea by their biggest banking units, which hold licenses that enable them to operate branches and make loans, would be riskier, two of the people briefed on the matter said. The fear, they said, centered on whether state or federal regulators might revoke those licenses in response to the pleas. Advertisement Continue reading the main story Behind the scenes in Washington, the banks’ lawyers are also seeking assurances from federal regulators — including the Securities and Exchange Commission and the Labor Department — that the banks will not be barred from certain business practices after the guilty pleas, the people said. While the S.E.C.’s five commissioners have not yet voted on the requests for waivers, which would allow the banks to conduct business as usual despite being felons, the people briefed on the matter expected a majority of commissioners to grant them.In reality, those accommodations render the plea deals, at least in part, an exercise in stagecraft. And while banks might prefer a deferred-prosecution agreement that suspends charges in exchange for fines and other concessions — or a nonprosecution deal like the one that UBS is on the verge of losing — the reputational blow of being a felon does not spell disaster.
  • ...6 more annotations...
  • The foreign exchange investigation, which centers on accusations that traders colluded to fix the price of major currencies, will test the Justice Department’s strategy for securing guilty pleas on Wall Street.
  • In the case of UBS, the bank will lose its nonprosecution agreement over interest rate manipulation, the people briefed on the matter said, a consequence of its misconduct in the foreign exchange case. It is unclear why that penalty will fall on UBS, but not on other banks suspected of manipulating both interest rates and currency prices.
  • the bank is expected to avoid pleading guilty in the foreign exchange case, the people said, though it will probably pay a fine. While UBS was unlikely to plead guilty to antitrust violations because it was the first to cooperate in the foreign exchange investigation, the bank was facing the possibility of pleading guilty to fraud charges related to the currency manipulation. The exact punishment is not yet final, the people added.The Justice Department negotiations coincide with the banks’ separate efforts to persuade the S.E.C. to issue waivers from automatic bans that occur when a company pleads guilty. If the waivers are not granted, a decision that the Justice Department does not control, the banks could face significant consequences.For example, some banks may be seeking waivers to a ban on overseeing mutual funds, one of the people said. They are also requesting waivers to ensure they do not lose their special status as “well-known seasoned issuers,” which allows them to fast-track securities offerings. For some of the banks, there is also a concern that they will lose their “safe harbor” status for making forward-looking statements in securities documents.
  • In turn, the S.E.C. asked the Justice Department to hold off on announcing the currency cases until the banks’ requests had been reviewed, one of the people said. As of Wednesday, it seemed probable that a majority of the S.E.C.’s commissioners would approve most of the waivers, which can be granted for a cause like the public good. Still, the agency’s two Democratic commissioners — Kara M. Stein and Luis A. Aguilar, who have denounced the S.E.C.’s use of waivers — might be more likely to balk.
  • Corporate prosecutions are a delicate matter, peppered with political and legal land mines. Senator Elizabeth Warren, Democrat of Massachusetts, and other liberal politicians have criticized prosecutors for treating Wall Street with kid gloves. Banks and their lawyers, however, complain about huge penalties and guilty pleas. Continue reading the main story Recent Comments AvangionQ 14 hours ago These are the sorts of crimes that take down nations, jail sentences should be mandatory. Lance Haley 14 hours ago I find this whole legal exercise not only irrational, but insulting. I am a criminal defense attorney. Punishing the shareholders and the... loomypop 14 hours ago There is much more than Irony in the reality of how America treats criminal action and punishment when the entire determination and outcome... See All Comments And lingering in the background is the case of Arthur Andersen, an accounting giant that imploded after being convicted in 2002 of criminal charges related to its work for Enron. After the firm’s collapse, and the later reversal of its conviction, prosecutors began to shift from indictments and guilty pleas to deferred-prosecution agreements. And in 2008, the Justice Department updated guidelines for prosecuting corporations, which have long included a requirement that prosecutors weigh collateral consequences like harm to shareholders and innocent employees.
  • “The collateral consequences consideration is designed to address the risk that a particular criminal charge might inflict disproportionate harm to shareholders, pension holders and employees who are not even alleged to be culpable or to have profited potentially from wrongdoing,” said Mark Filip, the Justice Department official who wrote the 2008 memo. “Arthur Andersen was ultimately never convicted of anything, but the mere act of indicting it destroyed one of the cornerstones of the Midwest’s economy.”
  • Paul Merrell on 16 May 15
     
    In related news, the Dept. of Justice announced that it would begin using its "collateral consequences" analysis to decisions whether to charge human beings with crimes, taking into account the hardships imposed on innocent family members and other dependents if a person were sentenced to prison.  No? Sounds like corporations have more rights than human beings, yes?
Paul Merrell

Shell stops Arctic activity after 'disappointing' tests - BBC News - 0 views

www.bbc.com/...business-34377434

environment climate change arctic-drilling Shell

shared by Paul Merrell on 28 Sep 15 - No Cached
  • Royal Dutch Shell has stopped Arctic oil and gas exploration off the coast of Alaska after "disappointing" results from a key well in the Chukchi Sea.In a surprise announcement, the company said it would end exploration off Alaska "for the foreseeable future".Shell said it did not find sufficient amounts of oil and gas in the Burger J well to warrant further exploration.The company has spent about $7bn (£4.5bn) on Arctic offshore development in the Chukchi and Beaufort seas."Shell continues to see important exploration potential in the basin, and the area is likely to ultimately be of strategic importance to Alaska and the US," said Marvin Odum, president of Shell USA. "However, this is a clearly disappointing exploration outcome for this part of the basin."
  • Indeed some analysts suggested Shell might give up on the Arctic completely. "It is possible that Shell might almost be relieved as they can stop exploration for a legitimate operational reason, rather than being seen to bow to environmental pressure," Stuart Elliott from energy information group Platts told the BBC."With the oil price around $50 a barrel, it was a risky endeavour with no guarantee of success. "You could argue that this has been bad for Shell's reputation and it wouldn't be a big surprise if they abandoned Arctic drilling altogether."
  • So, what changed?Certainly, the first findings from the Burger J exploration well 150 miles off the Alaskan coast were not promising.Second, although President Barack Obama had given the necessary permissions for drilling to start again following the problems of rig fires in 2012, Mrs Clinton's tweet revealed that political risks were still substantial.
  • ...3 more annotations...
  • The US Geological Survey estimates that the Arctic holds about 30% of the world's undiscovered natural gas, as well as 13% of its oil.According to Shell, this amounts to around 400 billion barrels of oil equivalent, 10 times the total oil and gas produced in the North Sea to date.
  • However, environmental groups oppose Arctic offshore drilling, saying it will pollute and damage a natural wilderness largely untouched by human activity. They also argue that fossil fuels such as oil and gas must be left in the ground if the world is to avoid dangerous climate change.Over the summer, protesters in kayaks unsuccessfully tried to block Arctic-bound Shell vessels in Seattle and Portland, Oregon. "Big oil has sustained an unmitigated defeat," said Greenpeace UK executive director John Sauven."The Save the Arctic movement has exacted a huge reputational price from Shell for its Arctic drilling programme, and as the company went another year without striking oil, that price finally became too high."Shell had continued to explore for oil despite the slump in the price of oil. Other oil and gas majors have shelved expensive exploration projects but, having invested billions of dollars in its Arctic project, Shell persisted, believing that Arctic oil would be competitive in the longer term.This is why the announcement came as such a surprise.
  • More on this story Video Shell calls end to Alaska oil search 52 minutes ago Shell has made a costly call to abandon Alaska 28 September 2015 'Volatile' oil price hard to predict, says Shell boss 17 September 2015 Why mega-merger is so important for Shell 8 April 2015 BP profits fall on low oil price 28 July 2015
  • Paul Merrell on 28 Sep 15
     
    Not mentioned in the article, but environmental groups recently announced that they would begin a consumer boycott of Shell fuels because of its Artic drilling.  
Paul Merrell

Leaked memos reveal GCHQ efforts to keep mass surveillance secret | UK news | The Guardian - 0 views

www.theguardian.com/...ss-surveillance-secret-snowden

surveillance state GCHQ Tempora telecoms lies litigation offshoring-surveillance

shared by Paul Merrell on 26 Oct 13 - No Cached
  • The UK intelligence agency GCHQ has repeatedly warned it fears a "damaging public debate" on the scale of its activities because it could lead to legal challenges against its mass-surveillance programmes, classified internal documents reveal.Memos contained in the cache disclosed by the US whistleblower Edward Snowden detail the agency's long fight against making intercept evidence admissible as evidence in criminal trials – a policy supported by all three major political parties, but ultimately defeated by the UK's intelligence community.Foremost among the reasons was a desire to minimise the potential for challenges against the agency's large-scale interception programmes, rather than any intrinsic threat to security, the documents show.
  • The papers also reveal that:• GCHQ lobbied furiously to keep secret the fact that telecoms firms had gone "well beyond" what they were legally required to do to help intelligence agencies' mass interception of communications, both in the UK and overseas.• GCHQ feared a legal challenge under the right to privacy in the Human Rights Act if evidence of its surveillance methods became admissible in court.• GCHQ assisted the Home Office in lining up sympathetic people to help with "press handling", including the Liberal Democrat peer and former intelligence services commissioner Lord Carlile, who this week criticised the Guardian for its coverage of mass surveillance by GCHQ and America's National Security Agency.The most recent attempt to make intelligence gathered from intercepts admissible in court, proposed by the last Labour government, was finally stymied by GCHQ, MI5 and MI6 in 2009.
  • Another top GCHQ priority in resisting the admission of intercepts as evidence was keeping secret the extent of the agency's co-operative relationships with telephone companies – including being granted access to communications networks overseas.In June, the Guardian disclosed the existence of GCHQ's Tempora internet surveillance programme. It uses intercepts on the fibre-optic cables that make up the backbone of the internet to gain access to vast swaths of internet users' personal data. The intercepts are placed in the UK and overseas, with the knowledge of companies owning either the cables or landing stations.The revelations of voluntary co-operation with some telecoms companies appear to contrast markedly with statements made by large telecoms firms in the wake of the first Tempora stories. They stressed that they were simply complying with the law of the countries in which they operated.
  • ...6 more annotations...
  • In reality, numerous telecoms companies were doing much more than that, as disclosed in a secret document prepared in 2009 by a joint working group of GCHQ, MI5 and MI6.Their report contended that allowing intercepts as evidence could damage relationships with "Communications Service Providers" (CSPs).In an extended excerpt of "the classified version" of a review prepared for the Privy Council, a formal body of advisers made up of current and former cabinet ministers, the document sets out the real nature of the relationship between telecoms firms and the UK government."Under RIPA [the Regulation of Investigatory Powers Act 2000], CSPs in the UK may be required to provide, at public expense, an adequate interception capability on their networks," it states. "In practice all significant providers do provide such a capability. But in many cases their assistance – while in conformity with the law – goes well beyond what it requires."
  • GCHQ's internet surveillance programme is the subject of a challenge in the European court of human rights, mounted by three privacy advocacy groups. The Open Rights Group, English PEN and Big Brother Watch argue the "unchecked surveillance" of Tempora is a challenge to the right to privacy, as set out in the European convention on human rights.That the Tempora programme appears to rely at least in part on voluntary co-operation of telecoms firms could become a major factor in that ongoing case. The revelation could also reignite the long-running debate over allowing intercept evidence in court.GCHQ's submission goes on to set out why its relationships with telecoms companies go further than what can be legally compelled under current law. It says that in the internet era, companies wishing to avoid being legally mandated to assist UK intelligence agencies would often be able to do so "at little cost or risk to their operations" by moving "some or all" of their communications services overseas.
  • As a result, "it has been necessary to enter into agreements with both UK-based and offshore providers for them to afford the UK agencies access, with appropriate legal authorisation, to the communications they carry outside the UK".The submission to ministers does not set out which overseas firms have entered into voluntary relationships with the UK, or even in which countries they operate, though documents detailing the Tempora programme made it clear the UK's interception capabilities relied on taps located both on UK soil and overseas.There is no indication as to whether the governments of the countries in which deals with companies have been struck would be aware of the GCHQ cable taps.
  • Evidence that telecoms firms and GCHQ are engaging in mass interception overseas could stoke an ongoing diplomatic row over surveillance ignited this week after the German chancellor, Angela Merkel, accused the NSA of monitoring her phone calls, and the subsequent revelation that the agency monitored communications of at least 35 other world leaders.On Friday, Merkel and the French president, François Hollande, agreed to spearhead efforts to make the NSA sign a new code of conduct on how it carried out intelligence operations within the European Union, after EU leaders warned that the international fight against terrorism was being jeopardised by the perception that mass US surveillance was out of control.Fear of diplomatic repercussions were one of the prime reasons given for GCHQ's insistence that its relationships with telecoms firms must be kept private .
  • Telecoms companies "feared damage to their brands internationally, if the extent of their co-operation with HMG [Her Majesty's government] became apparent", the GCHQ document warned. It added that if intercepts became admissible as evidence in UK courts "many CSPs asserted that they would withdraw their voluntary support".The report stressed that while companies are going beyond what they are required to do under UK law, they are not being asked to violate it.Shami Chakrabarti, Director of Liberty and Anthony Romero Executive Director of the American Civil Liberties Union issued a joint statement stating:"The Guardian's publication of information from Edward Snowden has uncovered a breach of trust by the US and UK Governments on the grandest scale. The newspaper's principled and selective revelations demonstrate our rulers' contempt for personal rights, freedoms and the rule of law.
  • "Across the globe, these disclosures continue to raise fundamental questions about the lack of effective legal protection against the interception of all our communications."Yet in Britain, that conversation is in danger of being lost beneath self-serving spin and scaremongering, with journalists who dare to question the secret state accused of aiding the enemy."A balance must of course be struck between security and transparency, but that cannot be achieved whilst the intelligence services and their political masters seek to avoid any scrutiny of, or debate about, their actions."The Guardian's decision to expose the extent to which our privacy is being violated should be applauded and not condemned."
  • Paul Merrell on 26 Oct 13
     
    The Guardian lands another gigantic bomb squarely on target, with massive potential for diplomatic, political, and financial disruption. Well done, Guardian. 
Paul Merrell

Reset The Net - Privacy Pack - 0 views

pack.resetthenet.org

surveillance state digital-privacy NSA-reform Reset-the-Net

shared by Paul Merrell on 03 Jun 14 - No Cached
  • This June 5th, I pledge to take strong steps to protect my freedom from government mass surveillance. I expect the services I use to do the same.
  • Fight for the Future and Center for Rights will contact you about future campaigns. Privacy Policy
  • Paul Merrell on 03 Jun 14
     
    I wound up joining this campaign at the urging of the ACLU after checking the Privacy Policy. The Reset the Net campaign seems to be endorsed by a lot of change-oriented groups, from the ACLU to Greenpeac to the Pirate Party. A fair number of groups with a Progressive agenda, but certainly not limited to them. The right answer to that situation is to urge other groups to endorse, not to avoid the campaign. Single-issue coalition-building is all about focusing on an area of agreement rather than worrying about who you are rubbing elbows with.  I have been looking for a a bipartisan group that's tackling government surveillance issues via mass actions but has no corporate sponsors. This might be the one. The reason: Corporate types like Google have no incentive to really butt heads with the government voyeurs. They are themselves engaged in massive surveillance of their users and certainly will not carry the battle for digital privacy over to the private sector. But this *is* a battle over digital privacy and legally defining user privacy rights in the private sector is just as important as cutting back on government surveillance. As we have learned through the Snowden disclosures, what the private internet companies have, the NSA can and does get.  The big internet services successfully pushed in the U.S. for authorization to publish more numbers about how many times they pass private data to the government, but went no farther. They wanted to be able to say they did something, but there's a revolving door of staffers between NSA and the big internet companies and the internet service companies' data is an open book to the NSA.   The big internet services are not champions of their users' privacy. If they were, they would be featuring end-to-end encryption with encryption keys unique to each user and unknown to the companies.  Like some startups in Europe are doing. E.g., the Wuala.com filesync service in Switzerland (first 5 GB of storage free). Compare tha
Paul Merrell

American Surveillance Now Threatens American Business - The Atlantic - 0 views

www.theatlantic.com/...382821

surveillance state NSA U.S. polls sense-of-privacy data privacy

shared by Paul Merrell on 23 Nov 14 - No Cached
  • What does it look like when a society loses its sense of privacy? <div><a href="http://pubads.g.doubleclick.net/gampad/jump?iu=%2F4624%2FTheAtlanticOnline%2Fchannel_technology&t=src%3Dblog%26by%3Drobinson-meyer%26title%3Damerican-surveillance-now-threatens-american-business%26pos%3Din-article&sz=300x250&c=285899172&tile=1" title=""><img style="border:none;" src="http://pubads.g.doubleclick.net/gampad/ad?iu=%2F4624%2FTheAtlanticOnline%2Fchannel_technology&t=src%3Dblog%26by%3Drobinson-meyer%26title%3Damerican-surveillance-now-threatens-american-business%26pos%3Din-article&sz=300x250&c=285899172&tile=1" alt="" /></a></div>In the almost 18 months since the Snowden files first received coverage, writers and critics have had to guess at the answer. Does a certain trend, consumer complaint, or popular product epitomize some larger shift? Is trust in tech companies eroding—or is a subset just especially vocal about it? Polling would make those answers clear, but polling so far has been… confused. A new study, conducted by the Pew Internet Project last January and released last week, helps make the average American’s view of his or her privacy a little clearer. And their confidence in their own privacy is ... low. The study's findings—and the statistics it reports—stagger. Vast majorities of Americans are uncomfortable with how the government uses their data, how private companies use and distribute their data, and what the government does to regulate those companies. No summary can equal a recounting of the findings. Americans are displeased with government surveillance en masse:   
  • A new study finds that a vast majority of Americans trust neither the government nor tech companies with their personal data.
  • What does it look like when a society loses its sense of privacy? <div><a href="http://pubads.g.doubleclick.net/gampad/jump?iu=%2F4624%2FTheAtlanticOnline%2Fchannel_technology&t=src%3Dblog%26by%3Drobinson-meyer%26title%3Damerican-surveillance-now-threatens-american-business%26pos%3Din-article&sz=300x250&c=285899172&tile=1" title=""><img style="border:none;" src="http://pubads.g.doubleclick.net/gampad/ad?iu=%2F4624%2FTheAtlanticOnline%2Fchannel_technology&t=src%3Dblog%26by%3Drobinson-meyer%26title%3Damerican-surveillance-now-threatens-american-business%26pos%3Din-article&sz=300x250&c=285899172&tile=1" alt="" /></a></div>In the almost 18 months since the Snowden files first received coverage, writers and critics have had to guess at the answer. Does a certain trend, consumer complaint, or popular product epitomize some larger shift? Is trust in tech companies eroding—or is a subset just especially vocal about it? Polling would make those answers clear, but polling so far has been… confused. A new study, conducted by the Pew Internet Project last January and released last week, helps make the average American’s view of his or her privacy a little clearer. And their confidence in their own privacy is ... low. The study's findings—and the statistics it reports—stagger. Vast majorities of Americans are uncomfortable with how the government uses their data, how private companies use and distribute their data, and what the government does to regulate those companies. No summary can equal a recounting of the findings. Americans are displeased with government surveillance en masse:   
  • ...3 more annotations...
  • “It’s clear the global community of Internet users doesn’t like to be caught up in the American surveillance dragnet,” Senator Ron Wyden said last month. At the same event, Google chairman Eric Schmidt agreed with him. “What occurred was a loss of trust between America and other countries,” he said, according to the Los Angeles Times. “It's making it very difficult for American firms to do business.” But never mind the world. Americans don’t trust American social networks. More than half of the poll’s respondents said that social networks were “not at all secure. Only 40 percent of Americans believe email or texting is at least “somewhat” secure. Indeed, Americans trusted most of all communication technologies where some protections has been enshrined into the law (though the report didn’t ask about snail mail). That is: Talking on the telephone, whether on a landline or cell phone, is the only kind of communication that a majority of adults believe to be “very secure” or “somewhat secure.”
  • According to the study, 70 percent of Americans are “at least somewhat concerned” with the government secretly obtaining information they post to social networking sites. Eighty percent of respondents agreed that “Americans should be concerned” with government surveillance of telephones and the web. They are also uncomfortable with how private corporations use their data: Ninety-one percent of Americans believe that “consumers have lost control over how personal information is collected and used by companies,” according to the study. Eighty percent of Americans who use social networks “say they are concerned about third parties like advertisers or businesses accessing the data they share on these sites.” And even though they’re squeamish about the government’s use of data, they want it to regulate tech companies and data brokers more strictly: 64 percent wanted the government to do more to regulate private data collection. Since June 2013, American politicians and corporate leaders have fretted over how much the leaks would cost U.S. businesses abroad.
  • (That may seem a bit incongruous, because making a telephone call is one area where you can be almost sure you are being surveilled: The government has requisitioned mass call records from phone companies since 2001. But Americans appear, when discussing security, to differentiate between the contents of the call and data about it.) Last month, Ramsey Homsany, the general counsel of Dropbox, said that one big thing could take down the California tech scene. “We have built this incredible economic engine in this region of the country,” said Homsany in the Los Angeles Times, “and [mistrust] is the one thing that starts to rot it from the inside out.” According to this poll, the mistrust has already begun corroding—and is already, in fact, well advanced. We’ve always assumed that the great hurt to American business will come globally—that citizens of other nations will stop using tech companies’s services. But the new Pew data shows that Americans suspect American businesses just as much. And while, unlike citizens of other nations, they may not have other places to turn, they may stop putting sensitive or delicate information online.
Paul Merrell

New EU rules to curb transfer of data to US after Edward Snowden revelations | World ne... - 0 views

www.theguardian.com/...u-rules-data-us-edward-snowden

surveillance state NSA GCHQ NSA-blowback EU

shared by Paul Merrell on 19 Oct 13 - No Cached
  • New European rules aimed at curbing questionable transfers of data from EU countries to the US are being finalised in Brussels in the first concrete reaction to the Edward Snowden disclosures on US and British mass surveillance of digital communications.Regulations on European data protection standards are expected to pass the European parliament committee stage on Monday after the various political groupings agreed on a new compromise draft following two years of gridlock on the issue.The draft would make it harder for the big US internet servers and social media providers to transfer European data to third countries, subject them to EU law rather than secret American court orders, and authorise swingeing fines possibly running into the billions for the first time for not complying with the new rules.
  • "As parliamentarians, as politicians, as governments we have lost control over our intelligence services. We have to get it back again," said Jan Philipp Albrecht, the German Greens MEP who is steering the data protection regulation through the parliament.Data privacy in the EU is currently under the authority of national governments with standards varying enormously across the 28 countries, complicating efforts to arrive at satisfactory data transfer agreements with the US. The current rules are easily sidestepped by the big Silicon Valley companies, Brussels argues.The new rules, if agreed, would ban the transfer of data unless based on EU law or under a new transatlantic pact with the Americans complying with EU law."Without any concrete agreement there would be no data processing by telecommunications and internet companies allowed," says a summary of the proposed new regime.
  • Such bans were foreseen in initial wording two years ago but were dropped under the pressure of intense lobbying from Washington. The proposed ban has been revived directly as a result of the uproar over operations by the US's National Security Agency (NSA).Viviane Reding, the EU's commissioner for justice and the leading advocate in Brussels of a new system securing individuals' rights to privacy and data protection, argues that the new rulebook will rebalance the power relationship between the US and Europe on the issue, supplying leverage to force the American authorities and tech firms to reform."The recent data scandals prove that sensitivity has been growing on the US side of how important data protection really is for Europeans," she told a German foreign policy journal. "All those US companies that do dominate the tech market and the internet want to have access to our goldmine, the internal market with over 500 million potential customers. If they want to access it, they will have to apply our rules. The leverage that we will have in the near future is thus the EU's data protection regulation. It will make crystal clear that non-European companies, when offering goods and services to European consumers, will have to apply the EU data protection law in full. There will be no legal loopholes any more."But the proposed rules remain riddled with loopholes for intelligence services to exploit, MEPs admit.
Paul Merrell

How the NSA Plans to Infect 'Millions' of Computers with Malware - The Intercept - 0 views

firstlook.org/...ect-millions-computers-malware

surveillance state NSA GCHQ NSA-methods malware

shared by Paul Merrell on 13 Mar 14 - No Cached
  • Top-secret documents reveal that the National Security Agency is dramatically expanding its ability to covertly hack into computers on a mass scale by using automated systems that reduce the level of human oversight in the process. The classified files – provided previously by NSA whistleblower Edward Snowden – contain new details about groundbreaking surveillance technology the agency has developed to infect potentially millions of computers worldwide with malware “implants.” The clandestine initiative enables the NSA to break into targeted computers and to siphon out data from foreign Internet and phone networks. The covert infrastructure that supports the hacking efforts operates from the agency’s headquarters in Fort Meade, Maryland, and from eavesdropping bases in the United Kingdom and Japan. GCHQ, the British intelligence agency, appears to have played an integral role in helping to develop the implants tactic.
  • The NSA began rapidly escalating its hacking efforts a decade ago. In 2004, according to secret internal records, the agency was managing a small network of only 100 to 150 implants. But over the next six to eight years, as an elite unit called Tailored Access Operations (TAO) recruited new hackers and developed new malware tools, the number of implants soared to tens of thousands. To penetrate foreign computer networks and monitor communications that it did not have access to through other means, the NSA wanted to go beyond the limits of traditional signals intelligence, or SIGINT, the agency’s term for the interception of electronic communications. Instead, it sought to broaden “active” surveillance methods – tactics designed to directly infiltrate a target’s computers or network devices. In the documents, the agency describes such techniques as “a more aggressive approach to SIGINT” and says that the TAO unit’s mission is to “aggressively scale” these operations. But the NSA recognized that managing a massive network of implants is too big a job for humans alone.
  • “One of the greatest challenges for active SIGINT/attack is scale,” explains the top-secret presentation from 2009. “Human ‘drivers’ limit ability for large-scale exploitation (humans tend to operate within their own environment, not taking into account the bigger picture).” The agency’s solution was TURBINE. Developed as part of TAO unit, it is described in the leaked documents as an “intelligent command and control capability” that enables “industrial-scale exploitation.”
  • ...10 more annotations...
  • TURBINE was designed to make deploying malware much easier for the NSA’s hackers by reducing their role in overseeing its functions. The system would “relieve the user from needing to know/care about the details,” the NSA’s Technology Directorate notes in one secret document from 2009. “For example, a user should be able to ask for ‘all details about application X’ and not need to know how and where the application keeps files, registry entries, user application data, etc.” In practice, this meant that TURBINE would automate crucial processes that previously had to be performed manually – including the configuration of the implants as well as surveillance collection, or “tasking,” of data from infected systems. But automating these processes was about much more than a simple technicality. The move represented a major tactical shift within the NSA that was expected to have a profound impact – allowing the agency to push forward into a new frontier of surveillance operations. The ramifications are starkly illustrated in one undated top-secret NSA document, which describes how the agency planned for TURBINE to “increase the current capability to deploy and manage hundreds of Computer Network Exploitation (CNE) and Computer Network Attack (CNA) implants to potentially millions of implants.” (CNE mines intelligence from computers and networks; CNA seeks to disrupt, damage or destroy them.)
  • But not all of the NSA’s implants are used to gather intelligence, the secret files show. Sometimes, the agency’s aim is disruption rather than surveillance. QUANTUMSKY, a piece of NSA malware developed in 2004, is used to block targets from accessing certain websites. QUANTUMCOPPER, first tested in 2008, corrupts a target’s file downloads. These two “attack” techniques are revealed on a classified list that features nine NSA hacking tools, six of which are used for intelligence gathering. Just one is used for “defensive” purposes – to protect U.S. government networks against intrusions.
  • The NSA has a diverse arsenal of malware tools, each highly sophisticated and customizable for different purposes. One implant, codenamed UNITEDRAKE, can be used with a variety of “plug-ins” that enable the agency to gain total control of an infected computer. An implant plug-in named CAPTIVATEDAUDIENCE, for example, is used to take over a targeted computer’s microphone and record conversations taking place near the device. Another, GUMFISH, can covertly take over a computer’s webcam and snap photographs. FOGGYBOTTOM records logs of Internet browsing histories and collects login details and passwords used to access websites and email accounts. GROK is used to log keystrokes. And SALVAGERABBIT exfiltrates data from removable flash drives that connect to an infected computer. The implants can enable the NSA to circumvent privacy-enhancing encryption tools that are used to browse the Internet anonymously or scramble the contents of emails as they are being sent across networks. That’s because the NSA’s malware gives the agency unfettered access to a target’s computer before the user protects their communications with encryption. It is unclear how many of the implants are being deployed on an annual basis or which variants of them are currently active in computer systems across the world.
  • Infiltrating cellphone networks, however, is not all that the malware can be used to accomplish. The NSA has specifically tailored some of its implants to infect large-scale network routers used by Internet service providers in foreign countries. By compromising routers – the devices that connect computer networks and transport data packets across the Internet – the agency can gain covert access to monitor Internet traffic, record the browsing sessions of users, and intercept communications. Two implants the NSA injects into network routers, HAMMERCHANT and HAMMERSTEIN, help the agency to intercept and perform “exploitation attacks” against data that is sent through a Virtual Private Network, a tool that uses encrypted “tunnels” to enhance the security and privacy of an Internet session.
  • Eventually, the secret files indicate, the NSA’s plans for TURBINE came to fruition. The system has been operational in some capacity since at least July 2010, and its role has become increasingly central to NSA hacking operations. Earlier reports based on the Snowden files indicate that the NSA has already deployed between 85,000 and 100,000 of its implants against computers and networks across the world, with plans to keep on scaling up those numbers. The intelligence community’s top-secret “Black Budget” for 2013, obtained by Snowden, lists TURBINE as part of a broader NSA surveillance initiative named “Owning the Net.” The agency sought $67.6 million in taxpayer funding for its Owning the Net program last year. Some of the money was earmarked for TURBINE, expanding the system to encompass “a wider variety” of networks and “enabling greater automation of computer network exploitation.”
  • Before it can extract data from an implant or use it to attack a system, the NSA must first install the malware on a targeted computer or network. According to one top-secret document from 2012, the agency can deploy malware by sending out spam emails that trick targets into clicking a malicious link. Once activated, a “back-door implant” infects their computers within eight seconds. There’s only one problem with this tactic, codenamed WILLOWVIXEN: According to the documents, the spam method has become less successful in recent years, as Internet users have become wary of unsolicited emails and less likely to click on anything that looks suspicious. Consequently, the NSA has turned to new and more advanced hacking techniques. These include performing so-called “man-in-the-middle” and “man-on-the-side” attacks, which covertly force a user’s internet browser to route to NSA computer servers that try to infect them with an implant.
  • To perform a man-on-the-side attack, the NSA observes a target’s Internet traffic using its global network of covert “accesses” to data as it flows over fiber optic cables or satellites. When the target visits a website that the NSA is able to exploit, the agency’s surveillance sensors alert the TURBINE system, which then “shoots” data packets at the targeted computer’s IP address within a fraction of a second. In one man-on-the-side technique, codenamed QUANTUMHAND, the agency disguises itself as a fake Facebook server. When a target attempts to log in to the social media site, the NSA transmits malicious data packets that trick the target’s computer into thinking they are being sent from the real Facebook. By concealing its malware within what looks like an ordinary Facebook page, the NSA is able to hack into the targeted computer and covertly siphon out data from its hard drive. A top-secret animation demonstrates the tactic in action.
  • The TURBINE implants system does not operate in isolation. It is linked to, and relies upon, a large network of clandestine surveillance “sensors” that the agency has installed at locations across the world.
  • The NSA’s headquarters in Maryland are part of this network, as are eavesdropping bases used by the agency in Misawa, Japan and Menwith Hill, England. The sensors, codenamed TURMOIL, operate as a sort of high-tech surveillance dragnet, monitoring packets of data as they are sent across the Internet. When TURBINE implants exfiltrate data from infected computer systems, the TURMOIL sensors automatically identify the data and return it to the NSA for analysis. And when targets are communicating, the TURMOIL system can be used to send alerts or “tips” to TURBINE, enabling the initiation of a malware attack. The NSA identifies surveillance targets based on a series of data “selectors” as they flow across Internet cables. These selectors, according to internal documents, can include email addresses, IP addresses, or the unique “cookies” containing a username or other identifying information that are sent to a user’s computer by websites such as Google, Facebook, Hotmail, Yahoo, and Twitter. Other selectors the NSA uses can be gleaned from unique Google advertising cookies that track browsing habits, unique encryption key fingerprints that can be traced to a specific user, and computer IDs that are sent across the Internet when a Windows computer crashes or updates.
  • Documents published with this article: Menwith Hill Station Leverages XKeyscore for Quantum Against Yahoo and Hotmail Five Eyes Hacking Large Routers NSA Technology Directorate Analysis of Converged Data Selector Types There Is More Than One Way to Quantum NSA Phishing Tactics and Man in the Middle Attacks Quantum Insert Diagrams The NSA and GCHQ’s QUANTUMTHEORY Hacking Tactics TURBINE and TURMOIL VPN and VOIP Exploitation With HAMMERCHANT and HAMMERSTEIN Industrial-Scale Exploitation Thousands of Implants
  • Paul Merrell on 13 Mar 14
     
    *Very* long article. Only small portions quoted.
Gary Edwards

It's the Profiling, Stupid! - The Patriot Post - 0 views

patriotpost.us/18651

NSA NSA-Patriot-Act-NDAA

shared by Gary Edwards on 13 Jun 13 - No Cached
  • Gary Edwards on 13 Jun 13
     
    Good article briefly describing th ehistory of the NSA and how it has evolved to the politicized monster it has become today. excerpt: "Last week, Barack Hussein Obama deflected new concerns about the National Security Administration's intrusive domestic data-mining operations, saying, "If people can't trust ... the executive branch ... to make sure we're abiding by the Constitution, due process, and rule of law, then we're going to have some problems here." Barack, we have some problems here. Of course, trusting the Executive Branch is not the issue. The problem is Obama's life-long record of deceit and deception, and his utter contempt for Rule of Law. Amidst recent revelations that Obama's black-bag cutouts inspired his "low-level" union cadres at the IRS to target his Patriot and Tea Party political enemies list, and scripted a cover-up of the Benghazi murders in order that it not derail his 2012 re-election campaign momentum, is it conceivable that his "low-level" union cadres at the NSA might collect intelligence data on U.S. citizens to profile those whom oppose Obama? As with the other scandals, Obama's political handlers and their Leftmedia talkingheads are obfuscating the facts regarding NSA data collection. They ignore legitimate civil liberty concerns, and focus instead on the question of whether such data is essential to our national security. Allow me to reframe a quote from James "Ragin' Cajun" Carville's political playbook about focusing on the big issue, and adapt it for the big data debate: "It's the profiling, stupid!" The question is not whether intelligence data collection is critical to our nation's ability to defend itself -- good intelligence is, and has always been a critical component of national defense and security. The overarching questions are, what is the scope of domestic NSA intelligence gathering, and what is the potential for an administration to use that information to profile and target political opponents? Here is a ver
Paul Merrell

Dutch intelligence agency AIVD hacks internet forums - nrc.nl - 0 views

www.nrc.nl/...gency-aivd-hacks-internet-fora

surveillance state Dutch social media web-databases

shared by Paul Merrell on 01 Dec 13 - No Cached
  • The Dutch intelligence service - AIVD - hacks internet web forums to collect the data of all users. The majority of these people are unknown to the intelligence services and are not specified as targets when the hacking and data-collection process starts. A secret document of former NSA-contractor Edward Snowden shows that the AIVD use a technology called Computer Network Exploitation – CNE – to hack the web forums and collect the data.
  • Nico van Eijk, a Dutch professor in Information Law, is of the opinion that the Dutch intelligence service has crossed the boundaries of Dutch legislation. “They use sweeps to collect data from all users of web forums. The use of these techniques could easily lead to mass surveillance by the government.” IT specialist Matthijs Koot says that the exploitation of this technology can lead to a blurring of the lines between normal citizens and legitimate targets of the intelligence services. The document summarizes a meeting held on February 14, 2013 between officials of the NSA and the Dutch intelligence services - AIVD and MIVD. During this meeting Dutch officials briefed their American counterparts on the way they target web forums with the CNE technique. “They acquire MySQL databases via CNE access”, the document reads. MySQL is free open source software used to build databases for web forums. These databases contain all the posts of all the users of the forum and their personal data. During the meeting Dutch intelligence officers explained how they use the information in the database. In order to identify targets. According to the document the Dutch “are looking at marrying the forum data with other social network info, and trying to figure out good ways to mine the data that they have.”
  • A group of Dutch members of parliament have called for a parliamentary inquiry into the way the secret services are collecting and using data. The Dutch intelligence services have been previously criticised by an oversight committee for the way in which they have used legally intercepted data. According to this committee the search queries the intelligence services used to filter the data, were not specific enough. The use of generic queries, the committee concluded, was “not in accordance with Dutch law”. A spokesperson for the Dutch government refused to comment on the use of data from web forums by the AIVD, but stated that the intelligence services are allowed to hack computers. A spokesperson for the American government stated that the publication of classified information is a threat to US national security.
  • Paul Merrell on 01 Dec 13
     
    Oooh ... Entire social media SQL databases. Content, user security stuff, the works. Big, big, big haystacks.
Paul Merrell

Lawmaker Says There More To NSA Spying - Business Insider - 0 views

www.businessinsider.com/here-more-to-nsa-spying-2013-6

surveillance state NSA future-disclosures

shared by Paul Merrell on 04 Jul 13 - No Cached
  • A House Democrat said information revealed about the National Security Agency's secret surveillance programs are "the tip of the iceberg," Daniel Strauss of The Hill reports. "I think it's just broader than most people even realize, and I think that's, in one way, what astounded most of us, too," Rep. Loretta Sanchez (D-Calif.) told C-SPAN's "Washington Journal" after a classified briefing with national security officials. Rep. Joe Barton (R-Texas), who also attended the meeting, said that the NSA "violated the spirit of the law when it started collecting data from everyone in the country just because technology now makes that possible.” Barton added that "in America ... You don’t target everyone and violate their 4th Amendment rights just because of a handful of threats. But that is exactly what is happening at the NSA ... it is wrong and it needs to stop now.” More from Sanchez: "I don't know if there are other leaks, if there's more information somewhere, if somebody else is going to step up, but I will tell you that I believe it's the tip of the iceberg."
  • A House Democrat said information revealed about the National Security Agency's secret surveillance programs are "the tip of the iceberg," Daniel Strauss of The Hill reports. "I think it's just broader than most people even realize, and I think that's, in one way, what astounded most of us, too," Rep. Loretta Sanchez (D-Calif.) told C-SPAN's "Washington Journal" after a classified briefing with national security officials. Rep. Joe Barton (R-Texas), who also attended the meeting, said that the NSA "violated the spirit of the law when it started collecting data from everyone in the country just because technology now makes that possible.” Barton added that "in America ... You don’t target everyone and violate their 4th Amendment rights just because of a handful of threats. But that is exactly what is happening at the NSA ... it is wrong and it needs to stop now.”
  • Glenn Greenwald of the Guardian, who has served as a conduit for Snowden's leaks, recently said that there will me many more "significant revelations that have not yet been heard." Greenwald told The New York Times that he received “thousands” of classified documents — “dozens” of which are newsworthy — from the the 29-year-old ex-Booz Allen employee who was contracted by the NSA. Sanchez said that what lawmakers learned "is significantly more than what is out in the media today," which is interesting when considering previous reports by journalists and whistleblowers.
  • ...2 more annotations...
  • Here's a rundown of the reports and the allegations: In 2006 NSA insiders told Leslie Cauley of USA Today that the NSA has been collecting almost all U.S. phone records since shortly after 9/11. In 2010 Dana Priest and William Arkin of The Washington Post reported that "collection systems at the [NSA] intercept and store 1.7 billion emails, phone calls, and other types of communications" every day. According to a 2007 lawsuit, Verizon built a fiber optic cable to give the "access to all communications flowing through the carrier’s operations center." In April 2012 Wired's James Bamford reported how the U.S. government hired two secretive Israeli companies to wiretap AT&T. AT&T engineer Mark Klein discovered the "secret room" at AT&T central office in San Francisco, through which the NSA actively "vacuumed up Internet and phone-call data from ordinary Americans with the cooperation of AT&T" through the wiretapping rooms, emphasizing that "much of the data sent through AT&T to the NSA was purely domestic." Former NSA executive and whistleblower Thomas Drake testified that the NSA is using Israeli-made hardware to "seize and save all personal electronic communications."
  • A classified program called Prism, leaked by Snowden, appears to acquire information from the servers of nine of the biggest internet companies. The Washington Post reported that the government's orders "serve as one-time blanket approvals for data acquisition and surveillance on selected foreign targets for periods of as long as a year." NSA Whistleblower William Binney that the NSA began using the program he built (i.e. ThinThread) to use communications data for creating, in real time, profiles of nearly all Americans so that the government is "able to monitor what people are doing" and who they are doing it with. In July the Foreign Intelligence Surveillance Court (FISC), established to "hear applications for and grant orders approving electronic surveillance," found that the NSA violated the Fourth Amendment's restriction against unreasonable searches and seizures "on at least one occasion." BONUS: In March CIA Chief Technology Officer Ira "Gus" Hunt said: "It is really very nearly within our grasp to be able to compute on all human generated information." If there is "significantly more" to the NSA's domestic snooping, then we're all ears and eyes.
Paul Merrell

Snooper's charter has practically zero chance of becoming law, say senior MPs | UK news... - 0 views

www.guardian.co.uk/...oopers-charter-zero-chance-law

surveillance state UK EU NSA-blowback cloud computing

shared by Paul Merrell on 27 Jun 13 - No Cached
  • The chances of Theresa May reintroducing her "snooper's charter" communications data bill are practically zero in the wake of the Guardian's disclosures on the scale of internet surveillance, leading Tory and Labour civil liberties campaigners have said.David Davis, a former contender for Conservative leadership, and Tom Watson, the Labour deputy chair, both said on Thursday they felt there had been a change in the atmosphere at Westminster compared with the "great rush" to legislate in the immediate aftermath of the Woolwich murder of Drummer Lee Rigby.Both MPs said the disclosure of the mass harvesting of personal communications, including internet data, by the American National Security Agency and Britain's eavesdropping agency, GCHQ, had shown that the existing UK regulatory framework was completely ineffective.Davis said in particular that GCHQ's Tempora operation, which harvests global phone and internet traffic by tapping into the transatlantic fibre-optic cables, had "put up a big red flag" indicating it was time to think again from scratch about the legal oversight arrangements.
  • He said it was necessary to look at ways of rewriting the Regulation of Investigatory Powers Act 2000, which sets out the legal oversight arrangements for the interception and surveillance of communications.But the former shadow home secretary and staunch Eurosceptic also praised the efforts of Viviane Reding, the EU commissioner for justice, who wrote to the foreign secretary, William Hague, on Wednesday giving him until the end of the week to answer the charge that the fundamental rights of citizens across Europe were being flouted."I hope that Viviane Reding keeps up the pressure. This is the only time you will hear me say that the European Union might be the answer," said Davis.Watson said he shared Davis's analysis of the poor prospects for the reintroduction of May's communications data bill, which would require internet and phone companies to store for up to 12 months data tracking everyone's use of email, phone and internet.
  • The meeting heard from surveillance experts Casper Bowden, a former chief privacy adviser to Microsoft, and solicitor/advocate, Simon McKay. Bowden said a huge debt was owed to Snowden, who had made the most important disclosures about surveillance for more than 25 years.He said the disclosures had serious implications for the corporate and individual stampede towards the use of "cloud computing" storage, much of which was housed in the US. He said that there was a real danger now that Britain would be left in an exposed position, with the rest of Europe not willing to allow their data to be stored through the UK. "Keep your cloudbase close and local and keep it in your jurisdiction," he said, adding that encryption was very limited as a defence.Bowden, who has worked as an adviser to the EU on its new data protection directive, which has yet to come into force principally because of British opposition, said he had secured an amendment giving protection for whistleblowers.He had also argued for a warning "pop-up" to be required when data was being transferred outside the EU's borders.
  • Paul Merrell on 27 Jun 13
     
    Finally, acknowledgement that the growth of the cloud computing industry will likely be affected greatly by disclosures of widespread US and UK storage and surveillance of digital data. But will this be enough to turn cloud computing companies into staunch advocates of reining in the NSA and GCHQ? Note that the emerging E.U. position creates an economic advantage for cloud computing companies with their server farms located in the E.U. (likely excluding the UK). 
1 - 20 of 133 Next › Last »
Showing 20 items per page