Group items tagged

At a recent hearing of the Privacy and Civil Liberties Oversight Board, administration lawyers defended their latitude to perform such searches. The board is scheduled to deliver a report on the legal authority under which the communications are collected, Section 702 of the Foreign Intelligence Surveillance Act (Fisa), passed in 2008. Wyden and Colorado Democrat Mark Udall failed in 2012 to persuade their fellow Senate intelligence committee members to prevent such warrantless searches during the re-authorisation of the 2008 Fisa Amendments Act, which wrote Section 702 into law. Dianne Feinstein, the California Democrat who chairs the committee, defended the practice, and argued that it did not violate the act’s “reverse targeting” prohibition on using NSA’s vast powers to collect content on Americans.

Much of the NSA's bulk data collection is covered by section 702 of the Fisa Amendments Act. This allows for the collection of communications – content and metadata alike – without individual warrants, so long as there is a reasonable belief the communications are both foreign and overseas.The communications of Americans in direct contact with foreign targets can also be collected without a warrant, and the intelligence agencies acknowledge that purely domestic communications can also be inadvertently swept into its databases. That process is known as "incidental collection".Initially, NSA rules on such data prevented the databases being searched for any details relating to "US persons" – that is, citizens or residents of the US. However, in October 2011 the Fisa court approved new procedures which allowed the agency to search for US person data, a revelation contained in documents revealed by Snowden.

The ruling appears to give the agency free access to search for information relating to US people within its vast databases, though not to specifically collect information against US citizens in the first place. However, until the DNI's disclosure to Wyden, it was not clear whether the NSA had ever actually used these powers.On Tuesday, Wyden and Udall said the NSA’s warrantless searches of Americans’ emails and phone calls “should be concerning to all.” “This is unacceptable. It raises serious constitutional questions, and poses a real threat to the privacy rights of law-abiding Americans. If a government agency thinks that a particular American is engaged in terrorism or espionage, the fourth amendment requires that the government secure a warrant or emergency authorisation before monitoring his or her communications. This fact should be beyond dispute,” the two senators said in a joint statement.

They continued: “Today’s admission by the Director of National Intelligence is further proof that meaningful surveillance reform must include closing the back-door searches loophole and requiring the intelligence community to show probable cause before deliberately searching through data collected under section 702 to find the communications of individual Americans."

Rousseff says she intends to push for international rules on privacy and security in hardware and software during the U.N. General Assembly meeting later this month. Among Snowden revelations: the NSA has created backdoors in software and Web-based services. Brazil is now pushing more aggressively than any other nation to end U.S. commercial hegemony on the Internet. More than 80 percent of online search, for example, is controlled by U.S.-based companies. Most of Brazil’s global Internet traffic passes through the United States, so Rousseff’s government plans to lay underwater fiber optic cable directly to Europe and also link to all South American nations to create what it hopes will be a network free of U.S. eavesdropping.

More communications integrity protection is expected when Telebras, the state-run telecom company, works with partners to oversee the launch in 2016 of Brazil’s first communications satellite, for military and public Internet traffic. Brazil’s military currently relies on a satellite run by Embratel, which Mexican billionaire Carlos Slim controls. Rousseff is urging Brazil’s Congress to compel Facebook, Google and all companies to store data generated by Brazilians on servers physically located inside Brazil in order to shield it from the NSA. If that happens, and other nations follow suit, Silicon Valley’s bottom line could be hit by lost business and higher operating costs: Brazilians rank No. 3 on Facebook and No. 2 on Twitter and YouTube. An August study by a respected U.S. technology policy nonprofit estimated the fallout from the NSA spying scandal could cost the U.S. cloud computing industry, which stores data remotely to give users easy access from any device, as much as $35 billion by 2016 in lost business.

Brazil also plans to build more Internet exchange points, places where vast amounts of data are relayed, in order to route Brazilians’ traffic away from potential interception. And its postal service plans by next year to create an encrypted email service that could serve as an alternative to Gmail and Yahoo!, which according to Snowden-leaked documents are among U.S. tech giants that have collaborated closely with the NSA. “Brazil intends to increase its independent Internet connections with other countries,” Rousseff’s office said in an emailed response to questions from The Associated Press on its plans. It cited a “common understanding” between Brazil and the European Union on data privacy, and said “negotiations are underway in South America for the deployment of land connections between all nations.” It said Brazil plans to boost investment in home-grown technology and buy only software and hardware that meet government data privacy specifications.

While the plans’ technical details are pending, experts say they will be costly for Brazil and ultimately can be circumvented. Just as people in China and Iran defeat government censors with tools such as “proxy servers,” so could Brazilians bypass their government’s controls. International spies, not just from the United States, also will adjust, experts said. Laying cable to Europe won’t make Brazil safer, they say. The NSA has reportedly tapped into undersea telecoms cables for decades. Meinrath and others argue that what’s needed instead are strong international laws that hold nations accountable for guaranteeing online privacy.

“There’s nothing viable that Brazil can really do to protect its citizenry without changing what the U.S. is doing,” he said. Matthew Green, a Johns Hopkins computer security expert, said Brazil won’t protect itself from intrusion by isolating itself digitally. It will also be discouraging technological innovation, he said, by encouraging the entire nation to use a state-sponsored encrypted email service. “It’s sort of like a Soviet socialism of computing,” he said, adding that the U.S. “free-for-all model works better.”

That language could allow for surveillance of academics, journalists and human rights researchers. A Swiss academic who has information on the German government’s position in the run-up to an international trade negotiation, for instance, could be targeted if the government has determined there is a foreign-intelligence need for that information. If a U.S. college professor e-mails the Swiss professor’s e-mail address or phone number to a colleague, the American’s e-mail could be collected as well, under the program’s court-approved rules

Still, some lawmakers are concerned that the potential for intrusions on Americans’ privacy has grown under the 2008 law because the government is intercepting not just communications of its targets but communications about its targets as well. The expansiveness of the foreign-powers certification increases that concern.

In a 2011 FISA court opinion, a judge using an NSA-provided sample estimated that the agency could be collecting as many as 46,000 wholly domestic e-mails a year that mentioned a particular target’s e-mail address or phone number, in what is referred to as “about” collection. “When Congress passed Section 702 back in 2008, most members of Congress had no idea that the government was collecting Americans’ communications simply because they contained a particular individual’s contact information,” Sen. Ron Wyden (D-Ore.), who has co-sponsored ­legislation to narrow “about” collection authority, said in an e-mail to The Washington Post. “If ‘about the target’ collection were limited to genuine national security threats, there would be very little privacy impact. In fact, this collection is much broader than that, and it is scooping up huge amounts of Americans’ wholly domestic communications.”

The only reason the court has oversight of the NSA program is that Congress in 2008 gave the government a new authority to gather intelligence from U.S. companies that own the Internet cables running through the United States, former officials noted. Edgar, the former privacy officer at the Office of the Director of National Intelligence, said ultimately he believes the authority should be narrowed. “There are valid privacy concerns with leaving these collection decisions entirely in the executive branch,” he said. “There shouldn’t be broad collection, using this authority, of foreign government information without any meaningful judicial role that defines the limits of what can be collected.”

In addition to the tech coalition’s protest, the Computer & Communications Industry Association – whose members include Pandora, Samsung, Sprint, and others – said Wednesday it would “not support consideration or passage of the USA Freedom Act in its current form." The Obama administration publicly threw its support behind the amended USA Freedom Act, saying the bill would “provide the public greater confidence in our programs and the checks and balances in the system.” “The bill ensures our intelligence and law enforcement professionals have the authorities they need to protect the nation, while further ensuring that individuals’ privacy is appropriately protected when these authorities are employed,” the White House included.

Lawmakers opposed to the secretive negotiations attempted on Tuesday to counter the weakened surveillance reform bill by offering an amendment to the National Defense Authorization Act (NDAA) that is “materially identical” to the version of the USA Freedom Act that was advanced by the House Judiciary and Intelligence Committees earlier this month. Yet the amendment was denied by the House Rules Committee late Tuesday. The House is now scheduled to vote on the USA Freedom Act on Thursday under closed rules, which forbids adding amendments before the final vote.

Senator Leahy, they don’t. The minimization procedures call for the deletion of innocent Americans’ information upon discovery to determine whether it has any foreign intelligence value. But what the board’s report found is that in fact information is never deleted. It sits in the databases for 5 years, or sometimes longer. And so the minimization doesn’t really address the privacy concerns of incidentally collected communications—again, where there’s been no warrant at all in the process… In the United States, we simply can’t read people’s emails and listen to their phone calls without court approval, and the same should be true when the government shifts its attention to Americans under this program. One of the most startling exchanges from the hearing today came toward the end of the session, when Senator Dianne Feinstein—who also sits on the Intelligence Committee—seemed taken aback by Ms. Goitein’s mention of “backdoor searches.” 

Feinstein: Wow, wow. What do you call it? What’s a backdoor search? Goitein: Backdoor search is when the FBI or any other agency targets a U.S. person for a search of data that was collected under Section 702, which is supposed to be targeted against foreigners overseas. Feinstein: Regardless of the minimization that was properly carried out. Goitein: Well the data is searched in its unminimized form. So the FBI gets raw data, the NSA, the CIA get raw data. And they search that raw data using U.S. person identifiers. That’s what I’m referring to as backdoor searches. It’s deeply concerning that any member of Congress, much less a member of the Senate Judiciary Committee and the Senate Intelligence Committee, might not be aware of the problem surrounding backdoor searches. In April 2014, the Director of National Intelligence acknowledged the searches of this data, which Senators Ron Wyden and Mark Udall termed “the ‘back-door search’ loophole in section 702.” The public was so incensed that the House of Representatives passed an amendment to that year's defense appropriations bill effectively banning the warrantless backdoor searches. Nonetheless, in the hearing today it seemed like Senator Feinstein might not recognize or appreciate the serious implications of allowing U.S. law enforcement agencies to query the raw data collected through these Internet surveillance programs. Hopefully today’s testimony helped convince the Senator that there is more to this topic than what she’s hearing in jargon-filled classified security briefings.

Feinstein’s bill “seems to imply there is currently some authority for law enforcement to query the database, which [intelligence community] officials have not mentioned in any of their remarks on Section 702,” said Alan Butler, an attorney with the Electronic Privacy Information Center. The provision is also unclear about whether law enforcement agencies can search through the foreign communications databases for information on US persons. Feinstein’s office did not respond to a request for clarification by deadline. The ambiguity concerns civil libertarians, as it opens a door for law enforcement agencies to sidestep warrant requirements. “If Senator Feinstein or other congressional supporters of this bill believe that it would in fact expand law enforcement access to the database, that would be an unjustified expansion of surveillance over Americans,” Butler said.

The issue with balancing privacy and surveillance is that the wireless carriers are not interested in privacy, he said. "They've been providing wiretapping for 100 years. Apple may in the next year protect voice calls," he said, and said that the best hope for ending widespread government surveillance will be the makers of mobile operating systems like Apple and Google. Not all upcoming security innovation will be focused on that kind of privacy protection. Security researcher Brandon Wiley showed off at Defcon a protocol he calls Dust that can obfuscate different kinds of network traffic, with the end goal of preventing censorship. "I only make products about letting you say what you want to say anywhere in the world," such as content critical of governments, he said. Encryption can hide the specifics of the traffic, but some governments have figured out that they can simply block all encrypted traffic, he said. The Dust protocol would change that, he said, making it hard to tell the difference between encrypted and unencrypted traffic. It's hard to build encryption into pre-existing products, Wiley said. "I think people are going to make easy-to-use, encrypted apps, and that's going to be the future."

Companies could face severe consequences from their security experts, said Stamos, if the in-house experts find out that they've been lied to about providing government access to customer data. You could see "lots of resignations and maybe publicly," he said. "It wouldn't hurt their reputations to go out in a blaze of glory." Perhaps not surprisingly, Marlinspike sounded a hopeful call for non-destructive activism on Defcon's 21st anniversary. "As hackers, we don't have a lot of influence on policy. I hope that's something that we can focus our energy on," he said.

The second would be to have a third-party company hold all user data, with some sort of agreement to disclose information to the government, Lofgren said.“I think actually the trend line is in a different direction, which is encryption that is not accessible to the companies that provide it, either,” she added.  Major tech companies like Apple have done exactly that, claiming that even they can’t unlock data on newer devices.

But we have a collision going on in this country that’s getting closer and closer to an actual head-on, which is our important interest in privacy — which I am passionate about — and our important interest in public safety. The logic of universal encryption is inexorable that our authority under the Fourth Amendment — an amendment that I think is critical to ordered liberty — with the right predication and the right oversight to obtain information is going to become increasingly irrelevant. As all of our lives become digital, the logic of encryption is that all of our lives will be covered by strong encryption, therefore all of our lives — I know there are no criminals here, but including the lives of criminals and terrorists and spies — will be in a place that is utterly unavailable to court ordered process. And that, I think, to a democracy should be very, very concerning. I think we need to have a conversation about it. Again, how do we strike the right balance? Privacy matters tremendously. Public safety, I think, matters tremendously to everybody. I think fair-minded people have to recognize that there are tremendous benefits to a society from encryption. There are tremendous costs to a society from universal strong encryption. And how do we think about that?

We’ve got to have a conversation long before the logic of strong encryption takes us to that place. And smart people, reasonable people will disagree mightily. Technical people will say it’s too hard. My reaction to that is: Really? Too hard? Too hard for the people we have in this country to figure something out? I’m not that pessimistic. I think we ought to have a conversation.

Hogan also admitted that the PRISM programme of surveillance was wrong by the letter of Irish law, which protects people’s data and the inviolability of their homes.“It is very difficult to see how the mass and undifferentiated accessing by state authorities of personal data generated perhaps especially with the home… could survive constitutional scrutiny,” he said.“The potential for abuse in such cases would be enormous and might even give rise to the possibility that no facet of private or domestic life with the home would be immune from potential state scrutiny.“Such a state of affairs – with its gloomy echoes of the mass state surveillance programmes conducted in totalitarian states such as the German Democratic Republic of Ulbricht and Honecker – would be totally at odds with the basic premises and fundamental values of the Constitution.”

However, he said that Irish law is pre-empted by EU law in this case and the Court of Justice needed to assess whether the interpretation of the Safe Harbour Regime needed to be re-evaluated.Any verdict from the European court will likely apply to all US companies that have participated in PRISM and operate in the region, Schrems said of the ruling.“We did not prepare for a direct reference to the ECJ, but this is the best outcome we could have wished for,” he said. “We will study the judgment in detail and will take the next steps as soon as possible.” ®

In the weeks since the documents detailing the NSA’s cryptographic capabilities emerged, further details about exactly which protocols the agency can attack successfully and which standards it may have influenced have been scarce. NIST, the U.S. agency that develops technical standards for cryptography, among other things, as denied accusations that the NSA was able to weaken some of the NIST standards. However, at the same time, NIST officials have issued a recommendation that people no longer use one of the encryption standards it previously published.

One recommendation urged the N.S.A. to get out of the business of weakening commercial encryption systems or trying to build in “back doors” that would make it far easier for the agency to crack the communications of America’s adversaries. Tempting as it was to create easy ways to break codes — the reason the N.S.A. was established by Harry S. Truman 62 years ago — the committee concluded that the practice would undercut trust in American software and hardware products. In recent months, Silicon Valley companies have urged the United States to abandon such practices, while Germany and Brazil, among other nations, have said they were considering shunning American-made equipment and software. Their motives were hardly pure: Foreign companies see the N.S.A. disclosures as a way to bar American competitors.Continue reading the main story Continue reading the main story AdvertisementAnother recommendation urged the government to make only the most limited, temporary use of what hackers call “zero days,” the coding flaws in software like Microsoft Windows that can give an attacker access to a computer — and to any business, government agency or network connected to it. The flaws get their name from the fact that, when identified, the computer user has “zero days” to fix them before hackers can exploit the accidental vulnerability.

But documents released by Edward J. Snowden, the former N.S.A. contractor, make it clear that two years before Heartbleed became known, the N.S.A. was looking at ways to accomplish exactly what the flaw did by accident. A program code-named Bullrun, apparently named for the site of two Civil War battles just outside Washington, was part of a decade-long effort to crack or circumvent encryption on the web. The documents do not make clear how well it succeeded, but it may well have been more effective than exploiting Heartbleed would be at enabling access to secret data.The government has become one of the biggest developers and purchasers of information identifying “zero days,” officials acknowledge. Those flaws are big business — Microsoft pays up to $150,000 to those who find them and bring them to the company to fix — and other countries are gathering them so avidly that something of a modern-day arms race has broken out. Chief among the nations seeking them are China and Russia, though Iran and North Korea are in the market as well.