Skip to main content

Home/ Socialism and the End of the American Dream/ Group items tagged ISPs

Rss Feed Group items tagged

Filter: All | Bookmarks | Topics Simple Middle
Gary Edwards

Sony leaks reveal Hollywood is trying to break DNS, the backbone of the internet | The ... - 0 views

www.theverge.com/...s-piracy-sopa-leaked-documents

DNS-MPAA DMCA SOPA

shared by Gary Edwards on 05 Jan 15 - No Cached
  • You could still type http://www.piratebay.se into your browser, but without a working DNS record, you wouldn't be able to find the site itself. If a takedown notice could blacklist a site from every available DNS provider, the URL would be effectively erased from the internet.
  • No one's ever tried to issue a takedown notice like that, but this latest memo suggests the MPAA is looking into it as a potentially powerful new tool in the fight against piracy. "A takedown notice program, therefore, could threaten ISPs with potential secondary liability in the event that they do not cease connecting users to known infringing material through their own DNS servers," the letter reads. "While not making it impossible for users to reach pirate sites (i.e., a user could still use a third-party DNS server), it could make it substantially more complicated for casual infringers to reach pirate sites if their ISPs decline to assist in the routing of communications to those sites." The full document is embedded below.
  • The MPAA’s legal argument centers on the claim that DNS records are working as an index or directory rather than simply routing data. If that argument holds, then the DNS links could be vulnerable to the same takedown notices used to strike torrent links from Google searches. The net effect would be similar to site-blocking, making it as easy to unplug a URL as it is to take down a YouTube video. It would also cast DNS providers as legally responsible for all the sites on the web, the same way YouTube is responsible for every video uploaded to its network. For many providers, simply managing the flood of notices might create a logistical nightmare.
  • Gary Edwards on 05 Jan 15
     
    "Most anti-piracy tools take one of two paths: they either target the server that's sharing the files (pulling videos off YouTube or taking down sites like The Pirate Bay) or they make it harder to find (delisting offshore sites that share infringing content). But leaked documents reveal a frightening line of attack that's currently being considered by the MPAA: What if you simply erased any record that the site was there in the first place? A BOLD CHALLENGE TO THE BASIC ENGINEERING OF THE INTERNET To do that, the MPAA's lawyers would target the Domain Name System (DNS) that directs traffic across the internet. The tactic was first proposed as part of the Stop Online Piracy Act (SOPA) in 2011, but three years after the law failed in Congress, the MPAA has been looking for legal justification for the practice in existing law and working with ISPs like Comcast to examine how a system might work technically. If the system works, DNS-blocking could be the key to the MPAA's long-standing goal of blocking sites from delivering content to the US. At the same time, it represents a bold challenge to the basic engineering of the internet, threatening to break the very backbone of the web and drawing the industry into an increasingly nasty fight with Google. The Domain Name System is a kind of phone book for the internet, translating URLs like http://www.theverge.com into IP addresses like 192.5.151.3. Given a URL string, your computer will turn to a DNS server (often run by a local ISP or a third party like Google) to find the IP address of the corresponding server. Much like the phone book, that function is usually treated as a simple an engineering task - but a memo commissioned by the MPAA this August sketches out a legal case for blocking infringing sites from the DNS records entirely, like wiping unsavory addresses out of the phone book. You could still type http://www.piratebay.se into your browser, but without a working DNS record, you wouldn't be able to find the
Paul Merrell

US v. Warshak, 631 F. 3d 266 - Court of Appeals, 6th Circuit 2010 - Google Scholar - 0 views

scholar.google.com/scholar_case

surveillance state Stored-Communications-Act 4th Amendment

shared by Paul Merrell on 14 Feb 14 - No Cached
  • While a letter is in the mail, the police may not intercept it and examine its contents unless they first obtain a warrant based on probable cause. Ibid. This is true despite the fact that sealed letters are handed over to perhaps dozens of mail carriers, any one of whom could tear open the thin paper envelopes that separate the private words from the world outside. Put another way, trusting a letter to an intermediary does not necessarily defeat a reasonable expectation that the letter will remain private. See Katz, 389 U.S. at 351, 88 S.Ct. 507 ("[W]hat [a person] seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected."). Given the fundamental similarities between email and traditional forms of communication, it would defy common sense 286*286 to afford emails lesser Fourth Amendment protection. See Patricia L. Bellia & Susan Freiwald, Fourth Amendment Protection for Stored E-Mail, 2008 U. Chi. Legal F. 121, 135 (2008) (recognizing the need to "eliminate the strangely disparate treatment of mailed and telephonic communications on the one hand and electronic communications on the other"); City of Ontario v. Quon, ___ U.S. ___, 130 S.Ct. 2619, 2631, 177 L.Ed.2d 216 (2010) (implying that "a search of [an individual's] personal e-mail account" would be just as intrusive as "a wiretap on his home phone line"); United States v. Forrester, 512 F.3d 500, 511 (9th Cir.2008) (holding that "[t]he privacy interests in [mail and email] are identical"). Email is the technological scion of tangible mail, and it plays an indispensable part in the Information Age.
  • Over the last decade, email has become "so pervasive that some persons may consider [it] to be [an] essential means or necessary instrument[] for self-expression, even self-identification." Quon, 130 S.Ct. at 2630. It follows that email requires strong protection under the Fourth Amendment; otherwise, the Fourth Amendment would prove an ineffective guardian of private communication, an essential purpose it has long been recognized to serve. See U.S. Dist. Court, 407 U.S. at 313, 92 S.Ct. 2125; United States v. Waller, 581 F.2d 585, 587 (6th Cir.1978) (noting the Fourth Amendment's role in protecting "private communications"). As some forms of communication begin to diminish, the Fourth Amendment must recognize and protect nascent ones that arise. See Warshak I, 490 F.3d at 473 ("It goes without saying that like the telephone earlier in our history, e-mail is an ever-increasing mode of private communication, and protecting shared communications through this medium is as important to Fourth Amendment principles today as protecting telephone conversations has been in the past.").
  • If we accept that an email is analogous to a letter or a phone call, it is manifest that agents of the government cannot compel a commercial ISP to turn over the contents of an email without triggering the Fourth Amendment. An ISP is the intermediary that makes email communication possible. Emails must pass through an ISP's servers to reach their intended recipient. Thus, the ISP is the functional equivalent of a post office or a telephone company. As we have discussed above, the police may not storm the post office and intercept a letter, and they are likewise forbidden from using the phone system to make a clandestine recording of a telephone call—unless they get a warrant, that is. See Jacobsen, 466 U.S. at 114, 104 S.Ct. 1652; Katz, 389 U.S. at 353, 88 S.Ct. 507. It only stands to reason that, if government agents compel an ISP to surrender the contents of a subscriber's emails, those agents have thereby conducted a Fourth Amendment search, which necessitates compliance with the warrant requirement absent some exception. In Warshak I, the government argued that this conclusion was improper, pointing to the fact that NuVox contractually reserved the right to access Warshak's emails for certain purposes. While we acknowledge that a subscriber agreement might, in some cases, be sweeping enough to defeat a reasonable expectation of privacy in the contents of an email account, see Warshak I, 490 F.3d at 473; Warshak II, 532 F.3d at 526-27, we doubt that will be the case in most situations, and it is certainly not the case here.
  • ...1 more annotation...
  • Accordingly, we hold that a subscriber enjoys a reasonable expectation of privacy in the contents of emails "that are stored with, or sent or received through, a commercial ISP." Warshak I, 490 F.3d at 473; see Forrester, 512 F.3d at 511 (suggesting that "[t]he contents [of email messages] may deserve Fourth Amendment protection"). The government may not compel a commercial ISP to turn over the contents of a subscriber's emails without first obtaining a warrant based on probable cause. Therefore, because they did not obtain a warrant, the government agents violated the Fourth Amendment when they obtained the contents of Warshak's emails. Moreover, to the extent that the SCA purports to permit the government to obtain such emails warrantlessly, the SCA is unconstitutional.
  • Paul Merrell on 14 Feb 14
     
    A 2010 decision by the U.S. 6th Circuit Court of Appeals that I had missed up to now. It finds the Stored Communications Act's section that excuses email in the possession of an ISP for more than 180 days from the 4th Amendment's judicial warrant clause. There may yet be hope for cloud computing in the U.S. 
Paul Merrell

LINX Public Affairs » Advocate General says Data Retention Directive unlawful - 0 views

publicaffairs.linx.net/news

surveillance state EU GCHQ data-retention ISPs

shared by Paul Merrell on 12 Dec 13 - No Cached
  • The EU Data Retention Directive is incompatible with the Charter of Fundamental Rights of the European Union, according to the Advocate General of the European Court. While the purpose of the Directive, to ensure that communications data can be made available to law enforcement, is accepted as legitimate, the Advocate General says the legislator failed to provide adequate protections against misuse, as required by the Charter.
  • States supporting data retention are not out of the woods yet. The Advocate General’s opinion that the full extent of measures concerning retention of communications data, and access to the material so retained must be legislated at the European level is reached through his understanding of Article 52(1) of the Charter, that any limitation on the rights guaranteed by the Charter, such as right to privacy, must be “provided for by law”. This is the same Advocate General that proposed the same reasoning in another important case on Internet law, and in that case the European Court did not follow his advice. In the seminal case of Internet filtering, SABAM v Scarlet Extended, the Advocate General argued that it should be decided on the basis that court-ordered filtering by ISPs of copyright-infringing peer-to-peer traffic was “not provided for by law” until there is specific legislation to support it. The European Court chose not to follow the Advocate General’s narrow reasoning, and decided the case instead on the substantively more fundamental question of whether making ISPs filter traffic infringes human rights, ruling in favour of ISPs and users and against the copyright holders and States. It remains possible that in this case on data retention the Court will also choose to focus more specifically on the underlying questions raised by the Austrian Supreme Court.
  • Paul Merrell on 12 Dec 13
     
    Optimistic news on the ISP data-retention law front. If the data retention directive is found unlawful in the E.U., the ability of law enforcement and the spy agencies to access retained data is limited to what is retained voluntarily by ISPs. 
Paul Merrell

What was the Israeli involvement in collecting U.S. communications intel for NSA? - Dip... - 0 views

www.haaretz.com/...cations-intel-for-nsa-1.528529

security state NSA digital surveillance Israel IDF Unit-8200

shared by Paul Merrell on 10 Jun 13 - No Cached
  • Were Israeli companies Verint and Narus the ones that collected information from the U.S. communications network for the National Security Agency? The question arises amid controversy over revelations that the NSA has been collecting the phone records of hundreds of millions of Americans every day, creating a database through which it can learn whether terror suspects have been in contact with people in the United States. It also was disclosed this week that the NSA has been gathering all Internet usage - audio, video, photographs, emails and searches - from nine major U.S. Internet providers, including Microsoft and Google, in hopes of detecting suspicious behavior that begins overseas.
  • According to an article in the American technology magazine "Wired" from April 2012, two Israeli companies – which the magazine describes as having close connections to the Israeli security community – conduct bugging and wiretapping for the NSA. Verint, which took over its parent company Comverse Technology earlier this year, is responsible for tapping the communication lines of the American telephone giant Verizon, according to a past Verizon employee sited by James Bamford in Wired. Neither Verint nor Verizon commented on the matter.
  • Natus, which was acquired in 2010 by the American company Boeing, supplied the software and hardware used at AT&T wiretapping rooms, according to whistleblower Mark Klein, who revealed the information in 2004. Klein, a past technician at AT&T who filed a suit against the company for spying on its customers, revealed a "secret room" in the company's San Fransisco office, where the NSA collected data on American citizens' telephone calls and Internet surfing. Klein's claims were reinforced by former NSA employee Thomas Drake who testified that the agency uses a program produced by Narus to save the personal electrical communications of AT&T customers.  Both Verint and Narus have ties to the Israeli intelligence agency and the Israel Defense Forces intelligence-gathering unit 8200. Hanan Gefen, a former commander of the 8200 unit, told Forbes magazine in 2007 that Comverse's technology, which was formerly the parent company of Verint and merged with it this year, was directly influenced by the technology of 8200. Ori Cohen, one of the founders of Narus, told Fortune magazine in 2001 that his partners had done technology work for the Israeli intelligence.
  • ...2 more annotations...
  • "Nobody is listening to your telephone calls," Obama assured the nation after two days of reports that many found unsettling. What the government is doing, he said, is digesting phone numbers and the durations of calls, seeking links that might "identify potential leads with respect to folks who might engage in terrorism." If there's a hit, he said, "if the intelligence community then actually wants to listen to a phone call, they've got to go back to a federal judge, just like they would in a criminal investigation."
  • Obama said U.S. intelligence officials are looking at phone numbers and lengths of calls - not at people's names - and not listening in.
  • Paul Merrell on 10 Jun 13
     
    It figures that the Israeli creators of the Stuxnet worm would be involved. And here we also get our reminder why Obama is lying. We hearken back to the days when several ISPs and Telcos were being sued in class actions for providing NSA with access to their subscriber's phone calls and internet traffic.  Those suits ended only after Congress passed legislation immunizing the companies from suit for collaboration with NSA. The net effect was to allow the NSA to continue eavesdropping. So it matters not that Prism allegedly only gets the communications metadata. NSA need only correlate the metadata with the actual communications obtained from the Telcos and ISPs.   
Paul Merrell

ISPs take GCHQ to court in UK over mass surveillance | World news | theguardian.com - 0 views

www.theguardian.com/...rveillance-privacy-court-claim

surveillance state GCHQ litigation ISPs NSA-blowback

shared by Paul Merrell on 02 Jul 14 - No Cached
  • Internet service providers from around the world are lodging formal complaints against the UK government's monitoring service, GCHQ, alleging that it uses "malicious software" to break into their networks.The claims from seven organisations based in six countries – the UK, Netherlands, US, South Korea, Germany and Zimbabwe – will add to international pressure on the British government following Edward Snowden's revelations about mass surveillance of the internet by UK and US intelligence agencies.The claims are being filed with the investigatory powers tribunal (IPT), the court in London that assesses complaints about the agencies' activities and misuse of surveillance by government organisations. Most of its hearings are held at least partially in secret.
  • The IPT is already considering a number of related submissions. Later this month it will investigate complaints by human rights groups about the way social media sites have been targeted by GCHQ.The government has defended the security services, pointing out that online searches are often routed overseas and those deemed "external communications" can be monitored without the need for an individual warrant. Critics say that such a legal interpretation sidesteps the need for traditional intercept safeguards.The latest claim is against both GCHQ, located near Cheltenham, and the Foreign Office. It is based on articles published earlier this year in the German magazine Der Spiegel. That report alleged that GCHQ had carried out an attack, codenamed Operation Socialist, on the Belgian telecoms group, Belgacom, targeting individual employees with "malware (malicious software)".One of the techniques was a "man in the middle" attack, which, according to the documents filed at the IPT, bypasses modern encryption software and "operates by interposing the attacker [GCHQ] between two computers that believe that they are securely communicating with each other. In fact, each is communicating with GCHQ, who collect the communications, as well as relaying them in the hope that the interference will be undetected."The complaint alleges that the attacks were a breach of the Computer Misuse Act 1990 and an interference with the privacy rights of the employees under the European convention of human rights.
  • The organisations targeted, the submission states, were all "responsible and professional internet service providers". The claimants are: GreenNet Ltd, based in the UK, Riseup Networks in Seattle, Mango Email Service in Zimbabwe, Jinbonet in South Korea, Greenhost in the Netherlands, May First/People Link in New York and the Chaos Computer Club in Hamburg.
  • ...1 more annotation...
  • Among the programs said to have been operating were Turbine, which automates the injection of data and can infect millions of machines and Warrior Pride, which enables microphones on iPhones and Android devices to be remotely activated.
Paul Merrell

CURIA - Documents - 0 views

curia.europa.eu/...document.jsf

surveillance state EU Court-of-Justice data-retention data privacy

shared by Paul Merrell on 19 Jul 14 - No Cached
  • 37      It must be stated that the interference caused by Directive 2006/24 with the fundamental rights laid down in Articles 7 and 8 of the Charter is, as the Advocate General has also pointed out, in particular, in paragraphs 77 and 80 of his Opinion, wide-ranging, and it must be considered to be particularly serious. Furthermore, as the Advocate General has pointed out in paragraphs 52 and 72 of his Opinion, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance.
  • 43      In this respect, it is apparent from recital 7 in the preamble to Directive 2006/24 that, because of the significant growth in the possibilities afforded by electronic communications, the Justice and Home Affairs Council of 19 December 2002 concluded that data relating to the use of electronic communications are particularly important and therefore a valuable tool in the prevention of offences and the fight against crime, in particular organised crime. 44      It must therefore be held that the retention of data for the purpose of allowing the competent national authorities to have possible access to those data, as required by Directive 2006/24, genuinely satisfies an objective of general interest.45      In those circumstances, it is necessary to verify the proportionality of the interference found to exist.46      In that regard, according to the settled case-law of the Court, the principle of proportionality requires that acts of the EU institutions be appropriate for attaining the legitimate objectives pursued by the legislation at issue and do not exceed the limits of what is appropriate and necessary in order to achieve those objectives (see, to that effect, Case C‑343/09 Afton Chemical EU:C:2010:419, paragraph 45; Volker und Markus Schecke and Eifert EU:C:2010:662, paragraph 74; Cases C‑581/10 and C‑629/10 Nelson and Others EU:C:2012:657, paragraph 71; Case C‑283/11 Sky Österreich EU:C:2013:28, paragraph 50; and Case C‑101/12 Schaible EU:C:2013:661, paragraph 29).
  • 67      Article 7 of Directive 2006/24, read in conjunction with Article 4(1) of Directive 2002/58 and the second subparagraph of Article 17(1) of Directive 95/46, does not ensure that a particularly high level of protection and security is applied by those providers by means of technical and organisational measures, but permits those providers in particular to have regard to economic considerations when determining the level of security which they apply, as regards the costs of implementing security measures. In particular, Directive 2006/24 does not ensure the irreversible destruction of the data at the end of the data retention period.68      In the second place, it should be added that that directive does not require the data in question to be retained within the European Union, with the result that it cannot be held that the control, explicitly required by Article 8(3) of the Charter, by an independent authority of compliance with the requirements of protection and security, as referred to in the two previous paragraphs, is fully ensured. Such a control, carried out on the basis of EU law, is an essential component of the protection of individuals with regard to the processing of personal data (see, to that effect, Case C‑614/10 Commission v Austria EU:C:2012:631, paragraph 37).69      Having regard to all the foregoing considerations, it must be held that, by adopting Directive 2006/24, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter.
  • ...13 more annotations...
  • 58      Directive 2006/24 affects, in a comprehensive manner, all persons using electronic communications services, but without the persons whose data are retained being, even indirectly, in a situation which is liable to give rise to criminal prosecutions. It therefore applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime. Furthermore, it does not provide for any exception, with the result that it applies even to persons whose communications are subject, according to rules of national law, to the obligation of professional secrecy. 59      Moreover, whilst seeking to contribute to the fight against serious crime, Directive 2006/24 does not require any relationship between the data whose retention is provided for and a threat to public security and, in particular, it is not restricted to a retention in relation (i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved, in one way or another, in a serious crime, or (ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offences.
  • 1        These requests for a preliminary ruling concern the validity of Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ 2006 L 105, p. 54).
  • Digital Rights Ireland Ltd (C‑293/12)vMinister for Communications, Marine and Natural Resources,Minister for Justice, Equality and Law Reform,Commissioner of the Garda Síochána,Ireland,The Attorney General,intervener:Irish Human Rights Commission, andKärntner Landesregierung (C‑594/12),Michael Seitlinger,Christof Tschohl and others,
  • JUDGMENT OF THE COURT (Grand Chamber)8 April 2014 (*)(Electronic communications — Directive 2006/24/EC — Publicly available electronic communications services or public communications networks services — Retention of data generated or processed in connection with the provision of such services — Validity — Articles 7, 8 and 11 of the Charter of Fundamental Rights of the European Union)In Joined Cases C‑293/12 and C‑594/12,
  • 34      As a result, the obligation imposed by Articles 3 and 6 of Directive 2006/24 on providers of publicly available electronic communications services or of public communications networks to retain, for a certain period, data relating to a person’s private life and to his communications, such as those referred to in Article 5 of the directive, constitutes in itself an interference with the rights guaranteed by Article 7 of the Charter. 35      Furthermore, the access of the competent national authorities to the data constitutes a further interference with that fundamental right (see, as regards Article 8 of the ECHR, Eur. Court H.R., Leander v. Sweden, 26 March 1987, § 48, Series A no 116; Rotaru v. Romania [GC], no. 28341/95, § 46, ECHR 2000-V; and Weber and Saravia v. Germany (dec.), no. 54934/00, § 79, ECHR 2006-XI). Accordingly, Articles 4 and 8 of Directive 2006/24 laying down rules relating to the access of the competent national authorities to the data also constitute an interference with the rights guaranteed by Article 7 of the Charter. 36      Likewise, Directive 2006/24 constitutes an interference with the fundamental right to the protection of personal data guaranteed by Article 8 of the Charter because it provides for the processing of personal data.
  • 65      It follows from the above that Directive 2006/24 does not lay down clear and precise rules governing the extent of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter. It must therefore be held that Directive 2006/24 entails a wide-ranging and particularly serious interference with those fundamental rights in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary.66      Moreover, as far as concerns the rules relating to the security and protection of data retained by providers of publicly available electronic communications services or of public communications networks, it must be held that Directive 2006/24 does not provide for sufficient safeguards, as required by Article 8 of the Charter, to ensure effective protection of the data retained against the risk of abuse and against any unlawful access and use of that data. In the first place, Article 7 of Directive 2006/24 does not lay down rules which are specific and adapted to (i) the vast quantity of data whose retention is required by that directive, (ii) the sensitive nature of that data and (iii) the risk of unlawful access to that data, rules which would serve, in particular, to govern the protection and security of the data in question in a clear and strict manner in order to ensure their full integrity and confidentiality. Furthermore, a specific obligation on Member States to establish such rules has also not been laid down.
  • 60      Secondly, not only is there a general absence of limits in Directive 2006/24 but Directive 2006/24 also fails to lay down any objective criterion by which to determine the limits of the access of the competent national authorities to the data and their subsequent use for the purposes of prevention, detection or criminal prosecutions concerning offences that, in view of the extent and seriousness of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, may be considered to be sufficiently serious to justify such an interference. On the contrary, Directive 2006/24 simply refers, in Article 1(1), in a general manner to serious crime, as defined by each Member State in its national law.61      Furthermore, Directive 2006/24 does not contain substantive and procedural conditions relating to the access of the competent national authorities to the data and to their subsequent use. Article 4 of the directive, which governs the access of those authorities to the data retained, does not expressly provide that that access and the subsequent use of the data in question must be strictly restricted to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating thereto; it merely provides that each Member State is to define the procedures to be followed and the conditions to be fulfilled in order to gain access to the retained data in accordance with necessity and proportionality requirements.
  • 55      The need for such safeguards is all the greater where, as laid down in Directive 2006/24, personal data are subjected to automatic processing and where there is a significant risk of unlawful access to those data (see, by analogy, as regards Article 8 of the ECHR, S. and Marper v. the United Kingdom, § 103, and M. K. v. France, 18 April 2013, no. 19522/09, § 35).56      As for the question of whether the interference caused by Directive 2006/24 is limited to what is strictly necessary, it should be observed that, in accordance with Article 3 read in conjunction with Article 5(1) of that directive, the directive requires the retention of all traffic data concerning fixed telephony, mobile telephony, Internet access, Internet e-mail and Internet telephony. It therefore applies to all means of electronic communication, the use of which is very widespread and of growing importance in people’s everyday lives. Furthermore, in accordance with Article 3 of Directive 2006/24, the directive covers all subscribers and registered users. It therefore entails an interference with the fundamental rights of practically the entire European population. 57      In this respect, it must be noted, first, that Directive 2006/24 covers, in a generalised manner, all persons and all means of electronic communication as well as all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime.
  • 62      In particular, Directive 2006/24 does not lay down any objective criterion by which the number of persons authorised to access and subsequently use the data retained is limited to what is strictly necessary in the light of the objective pursued. Above all, the access by the competent national authorities to the data retained is not made dependent on a prior review carried out by a court or by an independent administrative body whose decision seeks to limit access to the data and their use to what is strictly necessary for the purpose of attaining the objective pursued and which intervenes following a reasoned request of those authorities submitted within the framework of procedures of prevention, detection or criminal prosecutions. Nor does it lay down a specific obligation on Member States designed to establish such limits. 63      Thirdly, so far as concerns the data retention period, Article 6 of Directive 2006/24 requires that those data be retained for a period of at least six months, without any distinction being made between the categories of data set out in Article 5 of that directive on the basis of their possible usefulness for the purposes of the objective pursued or according to the persons concerned.64      Furthermore, that period is set at between a minimum of 6 months and a maximum of 24 months, but it is not stated that the determination of the period of retention must be based on objective criteria in order to ensure that it is limited to what is strictly necessary.
  • 52      So far as concerns the right to respect for private life, the protection of that fundamental right requires, according to the Court’s settled case-law, in any event, that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary (Case C‑473/12 IPI EU:C:2013:715, paragraph 39 and the case-law cited).53      In that regard, it should be noted that the protection of personal data resulting from the explicit obligation laid down in Article 8(1) of the Charter is especially important for the right to respect for private life enshrined in Article 7 of the Charter.54      Consequently, the EU legislation in question must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards so that the persons whose data have been retained have sufficient guarantees to effectively protect their personal data against the risk of abuse and against any unlawful access and use of that data (see, by analogy, as regards Article 8 of the ECHR, Eur. Court H.R., Liberty and Others v. the United Kingdom, 1 July 2008, no. 58243/00, § 62 and 63; Rotaru v. Romania, § 57 to 59, and S. and Marper v. the United Kingdom, § 99).
  • 26      In that regard, it should be observed that the data which providers of publicly available electronic communications services or of public communications networks must retain, pursuant to Articles 3 and 5 of Directive 2006/24, include data necessary to trace and identify the source of a communication and its destination, to identify the date, time, duration and type of a communication, to identify users’ communication equipment, and to identify the location of mobile communication equipment, data which consist, inter alia, of the name and address of the subscriber or registered user, the calling telephone number, the number called and an IP address for Internet services. Those data make it possible, in particular, to know the identity of the person with whom a subscriber or registered user has communicated and by what means, and to identify the time of the communication as well as the place from which that communication took place. They also make it possible to know the frequency of the communications of the subscriber or registered user with certain persons during a given period. 27      Those data, taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.
  • 32      By requiring the retention of the data listed in Article 5(1) of Directive 2006/24 and by allowing the competent national authorities to access those data, Directive 2006/24, as the Advocate General has pointed out, in particular, in paragraphs 39 and 40 of his Opinion, derogates from the system of protection of the right to privacy established by Directives 95/46 and 2002/58 with regard to the processing of personal data in the electronic communications sector, directives which provided for the confidentiality of communications and of traffic data as well as the obligation to erase or make those data anonymous where they are no longer needed for the purpose of the transmission of a communication, unless they are necessary for billing purposes and only for as long as so necessary.
  • On those grounds, the Court (Grand Chamber) hereby rules:Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC is invalid.
  • Paul Merrell on 19 Jul 14
     
    EU Court of Justice decision in regard to a Directive that required communications data retention by telcos/ISPs, finding the Directive invalid as a violation of the right of privacy in communications. Fairly read, paragraph 59 outlaws bulk collection of such records, i.e., it requires the equivalent of a judge-issued search warrant in the U.S. based on probable cause to believe that the particular individual's communications are a legitimate object of a search.  Note also that paragraph 67 effectively forbids transfer of any retained data outside the E.U. So a barrier for NSA sharing of data with GCHQ derived from communications NSA collects from EU communications traffic. Bye-bye, Big Data for GCHQ in the E.U. 
Paul Merrell

Courthouse News Service - 0 views

www.courthousenews.com/...51004.htm

security state liberties 4th Amendment internet cloud privacy

shared by Paul Merrell on 08 Oct 12 - No Cached
  •      Her 45-page motion argues that her client's subpoena has fateful repercussions in the age of cloud computing, an umbrella term describing the use of remote databases to store users' private information.     "Personal communications, daily schedules and travel itineraries that you once stored in a desk drawer or dedicated directory on a home computer are now stored for you by your ISP or social-networking site, somewhere in the cloud," the motion states. "The information is still yours. You still have control over it, but both technically and technologically someone else is now its custodian.     "The question this case poses to the court is: What, if anything, does the change in architecture and protocols of the Internet mean for the relationship between the individual and the state?
  •      "From Harris' perspective, not much has changed - only the address of your e-storage locker. Law enforcement is still seeking your information, still has to go to you for it, and still has to get your consent or obtain the information via discovery.     "From the [District Attorney of New York]'s perspective, the rise of e-storage has changed everything. The advent of cloud computing releases the DANY from any obligation to ask you for the information or obtain it from you through discovery. From its perspective, it can deal with the owner of the e-storage locker as though that person were the principal, rather than your agent. Since the owner of the storage locker does not have a proprietary interest or expectation of privacy in the stored information, however, that means there are no meaningful constitutional constraints on law enforcement, and your First and Fourth Amendment rights have vanished."
Paul Merrell

Federal Judge Finds National Security Letters Unconstitutional, Bans Them | Threat Leve... - 0 views

www.wired.com/...nsl-found-unconstitutional

surveillance state NLS gag orders 1st Amendment constitutional law

shared by Paul Merrell on 16 Mar 13 - No Cached
  • Ultra-secret national security letters that come with a gag order on the recipient are an unconstitutional impingement on free speech, a federal judge in California ruled in a decision released Friday. U.S. District Judge Susan Illston ordered the government to stop issuing so-called NSLs across the board, in a stunning defeat for the Obama administration’s surveillance practices. She also ordered the government to cease enforcing the gag provision in any other cases. However, she stayed her order for 90 days to give the government a chance to appeal to the Ninth Circuit Court of Appeals.
  • “We are very pleased that the Court recognized the fatal constitutional shortcomings of the NSL statute,” said Matt Zimmerman, senior staff attorney for the Electronic Frontier Foundation, which filed a challenge to NSLs on behalf of an unknown telecom that received an NSL in 2011. “The government’s gags have truncated the public debate on these controversial surveillance tools. Our client looks forward to the day when it can publicly discuss its experience.” The telecommunications company received the ultra-secret demand letter in 2011 from the FBI seeking information about a customer or customers. The company took the extraordinary and rare step of challenging the underlying authority of the National Security Letter, as well as the legitimacy of the gag order that came with it.
  • Illston found that although the government made a strong argument for prohibiting the recipients of NSLs from disclosing to the target of an investigation or the public the specific information being sought by an NSL, the government did not provide compelling argument that the mere fact of disclosing that an NSL was received harmed national security interests. A blanket prohibition on disclosure, she found, was overly broad and “creates too large a danger that speech is being unnecessarily restricted.” She noted that 97 percent of the more than 200,000 NSLs that have been issued by the government were issued with nondisclosure orders.
  • ...2 more annotations...
  • Both challenges are allowed under a federal law that governs NSLs, a power greatly expanded under the Patriot Act that allows the government to get detailed information on Americans’ finances and communications without oversight from a judge. The FBI has issued hundreds of thousands of NSLs over the years and has been reprimanded for abusing them — though almost none of the requests have been challenged by the recipients. After the telecom challenged the NSL, the Justice Department took its own extraordinary measure and sued the company, arguing in court documents that the company was violating the law by challenging its authority. The move stunned EFF at the time.
  • NSLs are written demands from the FBI that compel internet service providers, credit companies, financial institutions and others to hand over confidential records about their customers, such as subscriber information, phone numbers and e-mail addresses, websites visited and more. NSLs are a powerful tool because they do not require court approval, and they come with a built-in gag order, preventing recipients from disclosing to anyone that they have even received an NSL. An FBI agent looking into a possible anti-terrorism case can self-issue an NSL to a credit bureau, ISP or phone company with only the sign-off of the Special Agent in Charge of their office. The FBI has to merely assert that the information is “relevant” to an investigation into international terrorism or clandestine intelligence activities.
Gary Edwards

THE TRUTH ABOUT SPYING: The Feds Are Intercepting Your Internet Data And Tech Giants Kn... - 0 views

www.businessinsider.com/he-nsas-data-collection-2013-6

Prism NSA-Patriot-Act-NDAA Edward-Snowden

shared by Gary Edwards on 12 Jun 13 - No Cached
  • Last year James Bamford of Wired — who wrote the book "The Shadow Factory: The NSA from 9/11 to the Eavesdropping on America" — reported that the NSA hired secretive companies linked to Israeli intelligence to establish 10 to 20 wiretapping rooms at key Internet Service Provider (ISP) telecommunication points throughout the country.
  • In 2004 AT&T engineer Mark Klein discovered that a special NSA network actively "vacuumed up Internet and phone-call data from ordinary Americans with the cooperation of AT&T," emphasizing that "much of the data sent through AT&T to the NSA was purely domestic."
  • Glenn Greenwald revealed that the National Security Agency (NSA) is secretly using the so-called "business records" provision of the Patriot Act to collect telephone records of millions of Americans from Verizon. Greenwald noted that "previous reporting has suggested the NSA has collected cell records from all major mobile networks," which was best illustrated by this ACLU infographic graphic illustrating how the NSA intercepts more than a billion electronic records and communications every day.
  • ...4 more annotations...
  • NSA whistleblowers William Binney and Thomas Drake corroborated Klein's assertions: Binney contends that the NSA analyzes the information "to be able to monitor what people are doing" and who they are doing it with while Drake maintains that the NSA is using Israeli-made NARUS hardware to "seize and save all personal electronic communications."
  • Eric Lichtblau and James Risen of the New York Times won a Pulitzer-Prize for this 2005 story: As part of the program approved by President Bush for domestic surveillance without warrants, the N.S.A. has gained the cooperation of American telecommunications companies to obtain backdoor access to streams of domestic and international communications, the officials said.
  • in January Google released a transparency report detailing the government's use of controversial legislation that bypasses judicial approval to access the online information of private citizens.
  • Given the fact that the CIA's recently visited tech conference to detail the Agency's vision for collecting and analyzing all of the information people put on the Internet, it would be naïve to think that American tech giants hasn't know that all their data belongs to NSA.
  • Gary Edwards on 12 Jun 13
     
    Timeline for reports and whistleblower information going public about NSA world wide dragnet of information and communications.  Note that the official timeline the NSA slides depict the start of the Internet dragnet as late 2007, when the Bush Administration wrangled Microsoft as a source.  The whistleblower timeline starts in 2001 and is rolling worldwide by 2004.
Paul Merrell

U.S. gives big, secret push to Internet surveillance - CNET - 0 views

www.cnet.com/...-push-to-internet-surveillance

surveillance state ISP-wiretap-immunity DHS NSA DoJ

shared by Paul Merrell on 03 Apr 14 - No Cached
  • Senior Obama administration officials have secretly authorized the interception of communications carried on portions of networks operated by AT&T and other Internet service providers, a practice that might otherwise be illegal under federal wiretapping laws. The secret legal authorization from the Justice Department originally applied to a cybersecurity pilot project in which the military monitored defense contractors' Internet links. Since then, however, the program has been expanded by President Obama to cover all critical infrastructure sectors including energy, healthcare, and finance starting June 12. "The Justice Department is helping private companies evade federal wiretap laws," said Marc Rotenberg, executive director of the Electronic Privacy Information Center, which obtained over 1,000 pages of internal government documents and provided them to CNET this week. "Alarm bells should be going off." Those documents show the National Security Agency and the Defense Department were deeply involved in pressing for the secret legal authorization, with NSA director Keith Alexander participating in some of the discussions personally. Despite initial reservations, including from industry participants, Justice Department attorneys eventually signed off on the project.
  • The Justice Department agreed to grant legal immunity to the participating network providers in the form of what participants in the confidential discussions refer to as "2511 letters," a reference to the Wiretap Act codified at 18 USC 2511 in the federal statute books. The Wiretap Act limits the ability of Internet providers to eavesdrop on network traffic except when monitoring is a "necessary incident" to providing the service or it takes place with a user's "lawful consent." An industry representative told CNET the 2511 letters provided legal immunity to the providers by agreeing not to prosecute for criminal violations of the Wiretap Act. It's not clear how many 2511 letters were issued by the Justice Department. In 2011, Deputy Secretary of Defense William Lynn publicly disclosed the existence of the original project, called the DIB Cyber Pilot, which used login banners to inform network users that monitoring was taking place. In May 2012, the pilot was turned into an ongoing program -- broader but still voluntary -- by the name of Joint Cybersecurity Services Pilot, with the Department of Homeland Security becoming involved for the first time. It was renamed again to Enhanced Cybersecurity Services program in January, and is currently being expanded to all types of companies operating critical infrastructure.
  • Another e-mail message from a Justice Department attorney wondered: "Will the program cover all parts of the company network -- including say day care centers (as mentioned as a question in a [deputies committee meeting]) and what are the policy implications of this?" The deputies committee includes the deputy secretary of defense, the deputy director of national intelligence, the deputy attorney general, and the vice chairman of the Joint Chiefs of Staff. "These agencies are clearly seeking authority to receive a large amount of information, including personal information, from private Internet networks," says EPIC staff attorney Amie Stepanovich, who filed a lawsuit against Homeland Security in March 2012 seeking documents relating to the program under the Freedom of Information Act. "If this program was broadly deployed, it would raise serious questions about government cybersecurity practices." In January, the Department of Homeland Security's privacy office published a privacy analysis (PDF) of the program saying that users of the networks of companies participating in the program will see "an electronic login banner [saying] information and data on the network may be monitored or disclosed to third parties, and/or that the network users' communications on the network are not private."
  • ...2 more annotations...
  • Paul Rosenzweig, a former Homeland Security official and founder of Red Branch Consulting, compared the NSA and DOD asking the Justice Department for 2511 letters to the CIA asking the Justice Department for the so-called torture memos a decade ago. (They were written by Justice Department official John Yoo, who reached the controversial conclusion that waterboarding was not torture.) "If you think of it poorly, it's a CYA function," Rosenzweig says. "If you think well of it, it's an effort to secure advance authorization for an action that may not be clearly legal." A report (PDF) published last month by the Congressional Research Service, a non-partisan arm of Congress, says the executive branch likely does not have the legal authority to authorize more widespread monitoring of communications unless Congress rewrites the law. "Such an executive action would contravene current federal laws protecting electronic communications," the report says.
  • An internal Defense Department presentation cites as possible legal authority a classified presidential directive called NSPD 54 that President Bush signed in January 2008. Obama's own executive order , signed in February 2013, says Homeland Security must establish procedures to expand the data-sharing program "to all critical infrastructure sectors" by mid-June. Those are defined as any companies providing services that, if disrupted, would harm national economic security or "national public health or safety."
  • Paul Merrell on 03 Apr 14
     
    Article is from April 2013, before the Snowden disclosures. 
Paul Merrell

European ISPs Can Stop Logging User Data, Court Rules | TorrentFreak - 0 views

torrentfreak.com/ata-retention-directive-140408

surveillance state EU litigation data-retention

shared by Paul Merrell on 06 May 14 - No Cached
  • The European Court of Justice has overturned Europe's data retention directive, arguing that it's disproportionate and a violation of people's privacy. The decision has far-reaching consequences for the collection of data from European internet users, including their IP-addresses.
  • In a landmark ruling, the European Court of Justice has declared Europe’s Data Retention directive to be a violation of Internet users’ privacy. Under the Directive Internet providers and other telecom companies were required to log and store vast amounts of information, including who their subscribers communicate with, and what IP-addresses they use. The local authorities could then use this information to fight serious crimes, but it was also been frequently used by third parties, in online piracy cases for example. Today the Court ruled that the data collection requirements are disproportionate. In a case started by Digital Rights Ireland the Court effectively annulled the directive, and it’s now up to the individual member states to change local laws accordingly.
  • “The Court is of the opinion that, by adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality,” the Court states. “By requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data,” it adds. The judgement has far-reaching implications for large telecom companies, but also for smaller businesses including many VPN providers. With the new ruling these companies are no longer required to log extensive amount of user data as was required under the EU Directive.
  • ...1 more annotation...
  • The European Court of Justice judgement is a clear victory for privacy activists, but mostly for the public who will regain some of their online privacy. While the ruling specified that some data retention may be needed, broad and mandatory retention laws and NSA-style data dragnets are no longer the standard.
Paul Merrell

ExposeFacts - For Whistleblowers, Journalism and Democracy - 0 views

exposefacts.org

transparency whistle-blowers resources Wikileaks Tail

shared by Paul Merrell on 06 Jun 14 - No Cached
  • Launched by the Institute for Public Accuracy in June 2014, ExposeFacts.org represents a new approach for encouraging whistleblowers to disclose information that citizens need to make truly informed decisions in a democracy. From the outset, our message is clear: “Whistleblowers Welcome at ExposeFacts.org.” ExposeFacts aims to shed light on concealed activities that are relevant to human rights, corporate malfeasance, the environment, civil liberties and war. At a time when key provisions of the First, Fourth and Fifth Amendments are under assault, we are standing up for a free press, privacy, transparency and due process as we seek to reveal official information—whether governmental or corporate—that the public has a right to know. While no software can provide an ironclad guarantee of confidentiality, ExposeFacts—assisted by the Freedom of the Press Foundation and its “SecureDrop” whistleblower submission system—is utilizing the latest technology on behalf of anonymity for anyone submitting materials via the ExposeFacts.org website. As journalists we are committed to the goal of protecting the identity of every source who wishes to remain anonymous.
  • The seasoned editorial board of ExposeFacts will be assessing all the submitted material and, when deemed appropriate, will arrange for journalistic release of information. In exercising its judgment, the editorial board is able to call on the expertise of the ExposeFacts advisory board, which includes more than 40 journalists, whistleblowers, former U.S. government officials and others with wide-ranging expertise. We are proud that Pentagon Papers whistleblower Daniel Ellsberg was the first person to become a member of the ExposeFacts advisory board. The icon below links to a SecureDrop implementation for ExposeFacts overseen by the Freedom of the Press Foundation and is only accessible using the Tor browser. As the Freedom of the Press Foundation notes, no one can guarantee 100 percent security, but this provides a “significantly more secure environment for sources to get information than exists through normal digital channels, but there are always risks.” ExposeFacts follows all guidelines as recommended by Freedom of the Press Foundation, and whistleblowers should too; the SecureDrop onion URL should only be accessed with the Tor browser — and, for added security, be running the Tails operating system. Whistleblowers should not log-in to SecureDrop from a home or office Internet connection, but rather from public wifi, preferably one you do not frequent. Whistleblowers should keep to a minimum interacting with whistleblowing-related websites unless they are using such secure software.
    • Gary Edwards
      Gary Edwards on 07 Jun 14
       
      Thanks Paul! Great article and I agree with you about switching. Rather than a USB, I would rather look into a SSD and try to isolate performance to an ISP bandwidth issue. FYI, I read your Diigo posts daily at this Web site: https://groups.diigo.com/group/socialism-and-the-end-of-the-american-dream/content/user/marbux Seems to be the best visual presentation of your research. I do however think Diigo could improve their hosting of this research by enabling more extensive comments. Notice that your comments are often clipped :( Still, I really do appreciate your sharing both your research and your commentary. Priceless stuff! Many thanks! ~ge~
  • Paul Merrell on 06 Jun 14
     
    A new resource site for whistle-blowers. somewhat in the tradition of Wikileaks, but designed for encrypted communications between whistleblowers and journalists.  This one has an impressive board of advisors that includes several names I know and tend to trust, among them former whistle-blowers Daniel Ellsberg, Ray McGovern, Thomas Drake, William Binney, and Ann Wright. Leaked records can only be dropped from a web browser running the Tor anonymizer software and uses the SecureDrop system originally developed by Aaron Schwartz. They strongly recommend using the Tails secure operating system that can be installed to a thumb drive and leaves no tracks on the host machine. https://tails.boum.org/index.en.html Curious, I downloaded Tails and installed it to a virtual machine. It's a heavily customized version of Debian. It has a very nice Gnome desktop and blocks any attempt to connect to an external network by means other than installed software that demands encrypted communications. For example, web sites can only be viewed via the Tor anonymizing proxy network. It does take longer for web pages to load because they are moving over a chain of proxies, but even so it's faster than pages loaded in the dial-up modem days, even for web pages that are loaded with graphics, javascript, and other cruft. E.g., about 2 seconds for New York Times pages. All cookies are treated by default as session cookies so disappear when you close the page or the browser. I love my Linux Mint desktop, but I am thinking hard about switching that box to Tails. I've been looking for methods to send a lot more encrypted stuff down the pipe for NSA to store. Tails looks to make that not only easy, but unavoidable. From what I've gathered so far, if you want to install more software on Tails, it takes about an hour to create a customized version and then update your Tails installation from a new ISO file. Tails has a wonderful odor of having been designed for secure computing. Current
Paul Merrell

A Short Guide to the Internet's Biggest Enemies | Electronic Frontier Foundation - 0 views

www.eff.org/...uide-internets-biggest-enemies

surveillance state enemies of the internet

shared by Paul Merrell on 22 Mar 14 - No Cached
  • Reporters Without Borders (RSF) released its annual “Enemies of the Internet” index this week—a ranking first launched in 2006 intended to track countries that repress online speech, intimidate and arrest bloggers, and conduct surveillance of their citizens.  Some countries have been mainstays on the annual index, while others have been able to work their way off the list.  Two countries particularly deserving of praise in this area are Tunisia and Myanmar (Burma), both of which have stopped censoring the Internet in recent years and are headed in the right direction toward Internet freedom. In the former category are some of the world’s worst offenders: Cuba, North Korea, China, Iran, Saudi Arabia, Vietnam, Belarus, Bahrain, Turkmenistan, Syria.  Nearly every one of these countries has amped up their online repression in recent years, from implementing sophisticated surveillance (Syria) to utilizing targeted surveillance tools (Vietnam) to increasing crackdowns on online speech (Saudi Arabia).  These are countries where, despite advocacy efforts by local and international groups, no progress has been made. The newcomers  A third, perhaps even more disheartening category, is the list of countries new to this year's index.  A motley crew, these nations have all taken new, harsh approaches to restricting speech or monitoring citizens:
  • United States: This is the first time the US has made it onto RSF’s list.  While the US government doesn’t censor online content, and pours money into promoting Internet freedom worldwide, the National Security Agency’s unapologetic dragnet surveillance and the government’s treatment of whistleblowers have earned it a spot on the index. United Kingdom: The European nation has been dubbed by RSF as the “world champion of surveillance” for its recently-revealed depraved strategies for spying on individuals worldwide.  The UK also joins countries like Ethiopia and Morocco in using terrorism laws to go after journalists.  Not noted by RSF, but also important, is the fact that the UK is also cracking down on legal pornography, forcing Internet users to opt-in with their ISP if they wish to view it and creating a slippery slope toward overblocking.  This is in addition to the government’s use of an opaque, shadowy NGO to identify child sexual abuse images, sometimes resulting instead in censorship of legitimate speech.
Paul Merrell

U.S. Says It Spied on 89,000 Targets Last Year, But the Number Is Deceptive | Threat Le... - 0 views

www.wired.com/...foreigners-targeted-for-spying

surveillance-state NSA FBI stats 2013

shared by Paul Merrell on 29 Jun 14 - No Cached
  • About 89,000 foreigners or organizations were targeted for spying under a U.S. surveillance order last year, according to a new transparency report. The report was released for the first time Friday by the Office of the Director of Intelligence, upon order of the president, in the wake of surveillance leaks by NSA whistleblower Edward Snowden. But the report, which covers only surveillance orders issued in 2013, doesn’t tell the whole story about how many individuals the spying targeted or how many Americans were caught in the surveillance that targeted foreigners. Civil liberties groups say the real number is likely “orders of magnitude” larger than this. “Even if it was an honest definition of ‘target’—that is, an individual instead of a group—that also is not encompassing those who are ancillary to a target and are caught up in the dragnet,” says Kurt Opsahl, deputy general counsel of the Electronic Frontier Foundation.
  • In its report, the government indicated that the 423 selectors involved just 248 “known or presumed” Americans whose information was collected by the agency in the database. But Opsahl says that both of these numbers are deceptive given what we know about the database and how it’s been used. “We know it’s affecting millions of people,” he points out. But “then we have estimated numbers of affected people [that are just] in the three digits. That requires some effort [on the government's part] to find a way to do the definition of the number [in such a way] to make it as small as possible.”
  • “If you’re actually trying to get a sense of the number of human beings affected or the number of Americans affected, the number of people affected is vastly, vastly larger,” says Julian Sanchez, senior fellow at the Cato Institute. “And how many of those are Americans is impossible to say. But [although] you may not think you are routinely communicating with foreign persons, [this] is not any kind of assurance that your communications are not part of the traffic subject to interception.” Sanchez points out that each individual targeted is likely communicating with dozens or hundred of others, whose communications will be picked up in the surveillance. “And probably a lot of these targets are not individuals but entire web sites or companies. While [a company like the Chinese firm] Huawei might be a target, thousands of emails used by thousands of employees will be swept up.” How many of those employees might be American or communicating with Americans is unknown.
  • ...5 more annotations...
  • Also revealed in today’s report is the number of times the government has queried the controversial phone records database it created by collecting the phone records of every subscriber from U.S. providers. According to the report, the government used 423 “selectors” to search its massive phone records database, which includes records going back to at least 2006 when the program began. A search involves querying a specific phone number or device ID that appears in the database. The government has long maintained that its collection of phone records isn’t a violation of its authority, since it only views the records of specific individuals targeted in an investigation. But such searches, even if targeted at phone numbers used by foreigners, would include calls made to and from Americans as well as calls exchanged with people two or three hops out from the targeted number.
  • The report, remarkably, shows that the government obtained just one order last year under Section 702 of FISA—which allows for bulk collection of data on foreigners—and that this one order covered 89,138 targets. But, as the report notes, “target” can refer to “an individual person, a group, an organization composed of multiple individuals or a foreign power that possesses or is likely to communicate foreign intelligence information.” Furthermore, Section 702 orders are actually certificates issued by the FISA Court that can cover surveillance of an entire facility. And since, as the government points out in its report, the government cannot know how many people use a facility, the figure only “reflects an estimate of the number of known users of particular facilities (sometimes referred to as selectors) subject to intelligence collection under those Certifications,” the report notes.
  • One additional figure today’s report covers is the number of National Security Letters the government issued last year to businesses to obtain data on accountholders and users—19,212. NSLs are written demands from the FBI that compel internet service providers, credit companies, financial institutions and others to hand over confidential records about their customers, such as subscriber information, phone numbers and e-mail addresses, websites visited, and more. These letters are a powerful tool because they do not require court approval, and they come with a built-in gag order, preventing recipients from disclosing to anyone that they have received an NSL. An FBI agent looking into a possible anti-terrorism case can self-issue an NSL to a credit bureau, ISP, or phone company with only the sign-off of the Special Agent in Charge of their office. The FBI has merely to assert that the information is “relevant” to an investigation into international terrorism or clandestine intelligence activities.
  • The FBI has issued hundreds of thousands of NSLs over the years and has been reprimanded for abusing them. Last year a federal judge ruled that the use of NSLs is unconstitutional, due to the gag order that accompanies them, and ordered the government to stop using them. Her ruling, however, was stayed pending the government’s appeal.
  • According to the government’s report today, the 19,000 NSLs issued last year involved more than 38,000 requests for information.
Paul Merrell

Leaked docs show spyware used to snoop on US computers | Ars Technica - 0 views

arstechnica.com/...-used-to-snoop-on-us-computers

surveillance state Gamma-Group FinFisher zero-day-exploits Vupen-Security MSOffice MSIE Acrobat

shared by Paul Merrell on 10 Aug 14 - No Cached
  • Software created by the controversial UK-based Gamma Group International was used to spy on computers that appear to be located in the United States, the UK, Germany, Russia, Iran, and Bahrain, according to a leaked trove of documents analyzed by ProPublica. It's not clear whether the surveillance was conducted by governments or private entities. Customer e-mail addresses in the collection appeared to belong to a German surveillance company, an independent consultant in Dubai, the Bosnian and Hungarian Intelligence services, a Dutch law enforcement officer, and the Qatari government.
  • The leaked files—which were posted online by hackers—are the latest in a series of revelations about how state actors including repressive regimes have used Gamma's software to spy on dissidents, journalists, and activist groups. The documents, leaked last Saturday, could not be readily verified, but experts told ProPublica they believed them to be genuine. "I think it's highly unlikely that it's a fake," said Morgan Marquis-Bore, a security researcher who while at The Citizen Lab at the University of Toronto had analyzed Gamma Group's software and who authored an article about the leak on Thursday. The documents confirm many details that have already been reported about Gamma, such as that its tools were used to spy on Bahraini activists. Some documents in the trove contain metadata tied to e-mail addresses of several Gamma employees. Bill Marczak, another Gamma Group expert at the Citizen Lab, said that several dates in the documents correspond to publicly known events—such as the day that a particular Bahraini activist was hacked.
  • The leaked files contain more than 40 gigabytes of confidential technical material, including software code, internal memos, strategy reports, and user guides on how to use Gamma Group software suite called FinFisher. FinFisher enables customers to monitor secure Web traffic, Skype calls, webcams, and personal files. It is installed as malware on targets' computers and cell phones. A price list included in the trove lists a license of the software at almost $4 million. The documents reveal that Gamma uses technology from a French company called Vupen Security that sells so-called computer "exploits." Exploits include techniques called "zero days" for "popular software like Microsoft Office, Internet Explorer, Adobe Acrobat Reader, and many more." Zero days are exploits that have not yet been detected by the software maker and therefore are not blocked.
  • ...2 more annotations...
  • Many of Gamma's product brochures have previously been published by the Wall Street Journal and Wikileaks, but the latest trove shows how the products are getting more sophisticated. In one document, engineers at Gamma tested a product called FinSpy, which inserts malware onto a user's machine, and found that it could not be blocked by most antivirus software. Documents also reveal that Gamma had been working to bypass encryption tools including a mobile phone encryption app, Silent Circle, and were able to bypass the protection given by hard-drive encryption products TrueCrypt and Microsoft's Bitlocker.
  • The documents also describe a "country-wide" surveillance product called FinFly ISP which promises customers the ability to intercept Internet traffic and masquerade as ordinary websites in order to install malware on a target's computer. The most recent date-stamp found in the documents is August 2, coincidung with the first tweet by a parody Twitter account, @GammaGroupPR, which first announced the hack and may be run by the hacker or hackers responsible for the leak. On Reddit, a user called PhineasFisher claimed responsibility for the leak. "Two years ago their software was found being widely used by governments in the middle east, especially Bahrain, to hack and spy on the computers and phones of journalists and dissidents," the user wrote. The name on the @GammaGroupPR Twitter account is also "Phineas Fisher." GammaGroup, the surveillance company whose documents were released, is no stranger to the spotlight. The security firm F-Secure first reported the purchase of FinFisher software by the Egyptian State Security agency in 2011. In 2012, Bloomberg News and The Citizen Lab showed how the company's malware was used to target activists in Bahrain. In 2013, the software company Mozilla sent a cease-and-desist letter to the company after a report by The Citizen Lab showed that a spyware-infected version of the Firefox browser manufactured by Gamma was being used to spy on Malaysian activists.
Paul Merrell

Federal Chief Information Officers (CIO) Council Wins Rosemary Award - 0 views

www2.gwu.edu/...20150318

Hillary Auction 2016 email-scandal State-Dept. gov't.-CIOs

shared by Paul Merrell on 19 Mar 15 - No Cached
  • Hillary Clinton E-Mail Controversy Illuminates Government-Wide Failure National Security Archive Lawsuit Established E-Mails as Records in 1993 CIO Council Repeats as Rosemary "Winner" for Doubling Down On "Lifetime Failure" Only White House Saves Its E-Mail Electronically, Agencies No Deadline Until 2016
  • The Federal Chief Information Officers (CIO) Council has won the infamous Rosemary Award for worst open government performance of 2014, according to the citation published today by the National Security Archive at www.nsarchive.org. The National Security Archive had hoped that awarding the 2010 Rosemary Award to the Federal Chief Information Officers Council for never addressing the government's "lifetime failure" of saving its e-mail electronically would serve as a government-wide wakeup call that saving e-mails was a priority. Fallout from the Hillary Clinton e-mail debacle shows, however, that rather than "waking up," the top officials have opted to hit the "snooze" button. The Archive established the not-so-coveted Rosemary Award in 2005, named after President Nixon's secretary, Rose Mary Woods, who testified she had erased 18-and-a-half minutes of a crucial Watergate tape — stretching, as she showed photographers, to answer the phone with her foot still on the transcription pedal. Bestowed annually to highlight the lowlights of government secrecy, the Rosemary Award has recognized a rogue's gallery of open government scofflaws, including the CIA, the Treasury Department, the Air Force, the FBI, the Justice Department, and Director of National Intelligence James Clapper.
  • Chief Information Officer of the United States Tony Scott was appointed to lead the Federal CIO Council on February 5, 2015, and his brief tenure has already seen more references in the news media to the importance of maintaining electronic government records, including e-mail, and the requirements of the Federal Records Act, than the past five years. Hopefully Mr. Scott, along with Office of Management & Budget Deputy Director for Management Ms. Beth Cobert will embrace the challenge of their Council being named a repeat Rosemary Award winner and use it as a baton to spur change rather than a cross to bear.
  • ...9 more annotations...
  • Many on the Federal CIO Council could use some motivation, including the beleaguered State Department CIO, Steven Taylor. In office since April 3, 2013, Mr. Taylor is in charge of the Department's information resources and IT initiatives and services. He "is directly responsible for the Information Resource Management (IRM) Bureau's budget of $750 million, and oversees State's total IT/ knowledge management budget of approximately one billion dollars." Prior to his current position, Taylor served as Acting CIO from August 1, 2012, as the Department's Deputy Chief Information Officer (DCIO) and Chief Technology Officer of Operations from June 2011, and was the Program Director for the State Messaging and Archival Retrieval Toolset (SMART). While Hillary Clinton repeatedly claimed that because she sent her official e-mail to "government officials on their State or other .gov accounts ... the emails were immediately captured and preserved," a recent State Department Office of Inspector General report contradicts claims that DOS' e-mail archiving system, ironically named SMART, did so.
  • The report found that State Department "employees have not received adequate training or guidance on their responsibilities for using those systems to preserve 'record emails.'" In 2011, while Taylor was State's Chief Technology Officer of Operations, State Department employees only created 61,156 record e-mails out of more than a billion e-mails sent. In other words, roughly .006% of DOS e-mails were captured electronically. And in 2013, while Taylor was State's CIO, a paltry seven e-mails were preserved from the Office of the Secretary, compared to the 4,922 preserved by the Lagos Consulate in Nigeria. Even though the report notes that its assessments "do not apply to the system used by the Department's high-level principals, the Secretary, the Deputy Secretaries, the Under Secretaries, and their immediate staffs, which maintain separate systems," the State Department has not provided any estimation of the number of Clinton's e-mails that were preserved by recipients through the Department's anachronistic "print and file" system, or any other procedure.
  • The unfortunate silver lining of Hillary Clinton inappropriately appropriating public records as her own is that she likely preserved her records much more comprehensively than her State Department colleagues, most of whose e-mails have probably been lost under Taylor's IT leadership. 2008 reports by CREW, right, and the GAO, left, highlighted problems preserving e-mails. Click to enlarge. The bigger issue is that Federal IT gurus have known about this problem for years, and the State Department is not alone in not having done anything to fix it. A 2008 survey by Citizens for Responsibility and Ethics in Washington (CREW) and OpenTheGovernment.org did not find a single federal agency policy that mandates an electronic record keeping system agency-wide. Congressional testimony in 2008 by the Government Accountability Office indicted the standard "print and file" approach by pointing out:
  • 2011- the Justice Department (for doing more than any other agency to eviscerate President Obama's Day One transparency pledge through pit-bull whistleblower prosecutions, recycled secrecy arguments in court cases, retrograde FOIA regulations, and mixed FOIA responsiveness) 2010 - the Federal Chief Information Officers' Council (for "lifetime failure" to address the crisis in government e-mail preservation) 2009 - the FBI (for having a record-setting rate of "no records" responses to FOIA requests) 2008 - the Treasury Department (for shredding FOIA requests and delaying responses for decades) 2007 - the Air Force (for disappearing its FOIA requests and having "failed miserably" to meet its FOIA obligations, according to a federal court ruling) 2006 - the Central Intelligence Agency (for the biggest one-year drop-off in responsiveness to FOIA requests yet recorded).
  • Troublingly, current Office of Management and Budget guidance does not require federal agencies to manage "all email records in an electronic format" until December 31, 2016. The only part of the federal government that seems to be facing up to the e-mail preservation challenge with any kind of "best practice" is the White House, where the Obama administration installed on day one an e-mail archiving system that preserves and manages even the President's own Blackberry messages. The National Security Archive brought the original White House e-mail lawsuit against President Reagan in early 1989, and continued the litigation against Presidents George H.W. Bush and Bill Clinton, until court orders compelled the White House to install the "ARMS" system to archive e-mail. The Archive sued the George W. Bush administration in 2007 after discovering that the Bush White House had junked the Clinton system without replacing its systematic archiving functions. CREW subsequently joined this suit and with the Archive negotiated a settlement with the Obama administration that included the recovery of as many as 22 million e-mails that were previously missing or misfiled.
  • s a result of two decades of the Archive's White House e-mail litigation, several hundred thousand e-mails survive from the Reagan White House, nearly a half million from the George H.W. Bush White House, 32 million from the Clinton White House, and an estimated 220 million from the George W. Bush White House. Previous recipients of the Rosemary Award include: 2013 - Director of National Intelligence James Clapper (for his "No, sir" lie to Senator Ron Wyden's question: "Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?") 2012 - the Justice Department (in a repeat performance, for failing to update FOIA regulations to comply with the law, undermining congressional intent, and hyping its open government statistics)
  • Rogue Band of Federal E-mail Users and Abusers Compounds Systemic Problems Former Secretary of State Hillary Clinton and other federal officials who skirt or even violate federal laws designed to preserve electronic federal records compound e-mail management problems. Top government officials who use personal e-mail for official business include: Clinton; former U.S. Ambassador to Kenya Scott Gration; chairman of the U.S. Chemical Safety Board Rafael Moure-Eraso; and former Secretary of State Colin Powell, who told ABC's This Week "I don't have any to turn over. I did not keep a cache of them. I did not print them off. I do not have thousands of pages somewhere in my personal files." Others who did not properly save electronic federal records include Environmental Protection Agency former administrator Lisa Jackson who used the pseudonym Richard Windsor to receive email; current EPA administrator Gina McCarthy, who improperly deleted thousands of text messages (which also are federal records) from her official agency cell phone; and former Internal Revenue Service official Lois Lerner, whose emails regarding Obama's political opponents "went missing or became destroyed."
  • "agencies recognize that devoting significant resources to creating paper records from electronic sources is not a viable long-term strategy;" yet GAO concluded even the "print and file" system was failing to capture historic records "for about half of the senior officials."
  • The destruction of other federal records was even more blatant. Jose Rodriguez, the former CIA official in charge of the agency's defunct torture program ordered the destruction of key videos documenting it in 2005, claiming that "the heat from destroying [the torture videos] is nothing compared to what it would be if the tapes ever got into the public domain;" Admiral William McRaven, ordered the immediate destruction of any emails about Operation Neptune Spear, including any photos of the death of Osama bin Laden ("destroy them immediately"), telling subordinates that any photos should have already been turned over to the CIA — presumably so they could be placed in operational files out of reach of the FOIA. These rogues make it harder — if not impossible — for agencies to streamline their records management, and for FOIA requesters and others to obtain official records, especially those not exchanged with other government employees. The US National Archives currently trusts agencies to determine and preserve e-mails which agencies have "deemed appropriate for preservation" on their own, often by employing a "print and file" physical archiving process for digital records. Any future reforms to e-mail management must address the problems of outdated preservation technology, Federal Records Act violators, and the scary fact that only one per cent of government e-mail addresses are saved digitally by the National Archive's recently-initiated "Capstone" program.
  • Paul Merrell on 19 Mar 15
     
    Complete with photos, names, titles, of the 41 federal department and independent agency CIOs. The March 2015 Insopector General report linked from the article belies Hillary Clinton's claim that all emails she sent to State Department staff had been preserved by the Department.   
Paul Merrell

New Security Bill will force online service providers to keep log of users' activity - ... - 0 views

www.independent.co.uk/...of-users-activity-9877902.html

surveillance state UK legislation ISP-records

shared by Paul Merrell on 26 Nov 14 - No Cached
  • Terrorists and child sex rings could be uncovered through their internet discussions as part of a tough set of security measures to be unveiled by Home Secretary Theresa May this week. Major online service providers, such as Google, will be legally obliged to retain a log of users and the mobile phones or computers they have accessed in case police and security agencies later need the information to help them locate criminals. This measure will be included in the Counter-terrorism and Security Bill that is being introduced in the wake of Isis’s beheadings of prisoners, including British aid workers David Haines and Alan Henning, this year
Paul Merrell

President Obama's Statement on Keeping the Internet Open and Free - YouTube - 0 views

www.youtube.com/watch

net-neutrality Obama

shared by Paul Merrell on 10 Nov 14 - No Cached
  • President Obama today urged the Federal Communications Commission (FCC) to take up the strongest possible rules to protect net neutrality, the principle that says Internet service providers (ISPs) should treat all internet traffic equally.
  • Paul Merrell on 10 Nov 14
     
    Obama statement today coming out for net neutrality in a big way. He asked FCC to reclassify all internet traffic under Title II. This follows by only a few days statements by Comcast and AT&T to the FCC that they have no plans to offer fast-lane service for a price. The only question left seems to be whether the FCC will do it.
1 - 19 of 19
Showing 20 items per page