Group items tagged

The dispute came to a head in mid-January when Mr. Brennan told members of the committee that the agency had carried out a search of computers used by committee investigators at a C.I.A. facility in Northern Virginia, where the committee was examining documents the agency had made available for its report. Ms. Feinstein said on Tuesday that during the meeting, Mr. Brennan told her that the C.I.A. had searched a “walled-off committee network drive containing the committee’s own internal work product and communications” and that he was going to “order further forensic evidence of the committee network to learn more about activities of the committee’s oversight staff.”

The C.I.A. had carried out the search to determine whether committee investigators may have gained unauthorized access to the internal review of the detention program that the agency had carried out without informing the committee. Ms. Feinstein on Tuesday vigorously disputed this allegation, saying the document had been included — intentionally or not — as part of a dump of millions of pages the C.I.A. had provided for the Intelligence Committee.

Mr. Brennan, in a January letter to Ms. Feinstein that a government official who did not want to be identified released on Tuesday, said the committee had not been entitled to the internal review because it contained “sensitive, deliberative, pre-decisional C.I.A. material”— and therefore was protected under executive privilege considerations. The letter, attached to a statement that Mr. Brennan issued to the agency’s employees on Tuesday, raised questions about Ms. Feinstein’s statements earlier in the day concerning at what point the committee came into possession of the internal review. The C.I.A.’s acting general counsel has referred the matter to the Justice Department as a possible criminal offense, a move Ms. Feinstein called a strong-arm tactic by someone with a conflict of interest in the case. She said that that official had previously been a lawyer in the C.I.A.’s Counterterrorism Center — the section of the spy agency that was running the detention and interrogation program — and that his name is mentioned more than 1,600 times in the committee’s report. Ms. Feinstein did not name the lawyer, but she appeared to be referring to Robert Eatinger, the C.I.A.’s senior deputy general counsel. In 2007, The New York Times reported that when a top C.I.A. official in 2005 destroyed videotapes of brutal interrogations of Al Qaeda detainees, Mr. Eatinger had been one of two lawyers to approve their destruction.

Ms. Feinstein said that on two occasions in 2010, the C.I.A. had removed documents totaling hundreds of pages from the computer server used by her staff at the Northern Virginia facility. She did not provide any details about the documents, but said that when committee investigators confronted the C.I.A. they received a number of answers — first a denial that the documents had been removed, then an explanation that they had been removed by contractors working at the facility, then an explanation that the removal of documents was ordered by the White House. When the committee approached the White House, she said, it denied giving such an order.Ms. Feinstein’s broadside rallied Senate Democrats, but divided Republicans.

Chinese retaliation, when it comes, and it surely must, may not centre specifically on the Spratlys. There are plenty of other potential troublespots and flashpoints where Beijing might seek to give the Americans pause. In prospect is a sort of geopolitical chain reaction. A spokesman, Lu Kang, hinted at this on Tuesday: “China hopes to use peaceful means to resolve all the disputes, but if China has to make a response then the timing, method and tempo of the response will be made in accordance with China’s wishes and needs.”

Reacting to the perceived China threat, Abe is extending Okinawa’s defences and getting involved in South China Sea patrols in support of Washington. Japan also strengthened defence and security ties with Britain – a development that now makes David Cameron’s courtship of Beijing seem all the more incongruous. Taiwan is another powder keg that could be ignited by widening US-China confrontation. While Beijing regards Taiwan as a renegade province and seeks its return, the present-day status quo is underwritten by US military might.

US-China naval and aerial rivalry could expand even further afield. China is busy building a blue water fleet (a maritime force capable of operating across the deep waters of open oceans) including aircraft carriers, with the aim of challenging US dominance in the eastern Pacific. Chinese naval ships recently showed up off the Aleutian islands during an Obama visit to Alaska, the mineral-rich Arctic being another possible theatre. Meanwhile, regional western allies such as Australia have serious cause for concern that escalating superpower friction could draw them in.

The new paper is the first in-depth technical analysis of government proposals by leading cryptographers and security thinkers, including Whitfield Diffie, a pioneer of public key cryptography, and Ronald L. Rivest, the “R” in the widely used RSA public cryptography algorithm. In the report, the group said any effort to give the government “exceptional access” to encrypted communications was technically unfeasible and would leave confidential data and critical infrastructure like banks and the power grid at risk. Handing governments a key to encrypted communications would also require an extraordinary degree of trust. With government agency breaches now the norm — most recently at the United States Office of Personnel Management, the State Department and the White House — the security specialists said authorities could not be trusted to keep such keys safe from hackers and criminals. They added that if the United States and Britain mandated backdoor keys to communications, China and other governments in foreign markets would be spurred to do the same.

“Such access will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend,” the report said. “The costs would be substantial, the damage to innovation severe and the consequences to economic growth hard to predict. The costs to the developed countries’ soft power and to our moral authority would also be considerable.”

In reality, numerous telecoms companies were doing much more than that, as disclosed in a secret document prepared in 2009 by a joint working group of GCHQ, MI5 and MI6.Their report contended that allowing intercepts as evidence could damage relationships with "Communications Service Providers" (CSPs).In an extended excerpt of "the classified version" of a review prepared for the Privy Council, a formal body of advisers made up of current and former cabinet ministers, the document sets out the real nature of the relationship between telecoms firms and the UK government."Under RIPA [the Regulation of Investigatory Powers Act 2000], CSPs in the UK may be required to provide, at public expense, an adequate interception capability on their networks," it states. "In practice all significant providers do provide such a capability. But in many cases their assistance – while in conformity with the law – goes well beyond what it requires."

GCHQ's internet surveillance programme is the subject of a challenge in the European court of human rights, mounted by three privacy advocacy groups. The Open Rights Group, English PEN and Big Brother Watch argue the "unchecked surveillance" of Tempora is a challenge to the right to privacy, as set out in the European convention on human rights.That the Tempora programme appears to rely at least in part on voluntary co-operation of telecoms firms could become a major factor in that ongoing case. The revelation could also reignite the long-running debate over allowing intercept evidence in court.GCHQ's submission goes on to set out why its relationships with telecoms companies go further than what can be legally compelled under current law. It says that in the internet era, companies wishing to avoid being legally mandated to assist UK intelligence agencies would often be able to do so "at little cost or risk to their operations" by moving "some or all" of their communications services overseas.

As a result, "it has been necessary to enter into agreements with both UK-based and offshore providers for them to afford the UK agencies access, with appropriate legal authorisation, to the communications they carry outside the UK".The submission to ministers does not set out which overseas firms have entered into voluntary relationships with the UK, or even in which countries they operate, though documents detailing the Tempora programme made it clear the UK's interception capabilities relied on taps located both on UK soil and overseas.There is no indication as to whether the governments of the countries in which deals with companies have been struck would be aware of the GCHQ cable taps.

Evidence that telecoms firms and GCHQ are engaging in mass interception overseas could stoke an ongoing diplomatic row over surveillance ignited this week after the German chancellor, Angela Merkel, accused the NSA of monitoring her phone calls, and the subsequent revelation that the agency monitored communications of at least 35 other world leaders.On Friday, Merkel and the French president, François Hollande, agreed to spearhead efforts to make the NSA sign a new code of conduct on how it carried out intelligence operations within the European Union, after EU leaders warned that the international fight against terrorism was being jeopardised by the perception that mass US surveillance was out of control.Fear of diplomatic repercussions were one of the prime reasons given for GCHQ's insistence that its relationships with telecoms firms must be kept private .

Telecoms companies "feared damage to their brands internationally, if the extent of their co-operation with HMG [Her Majesty's government] became apparent", the GCHQ document warned. It added that if intercepts became admissible as evidence in UK courts "many CSPs asserted that they would withdraw their voluntary support".The report stressed that while companies are going beyond what they are required to do under UK law, they are not being asked to violate it.Shami Chakrabarti, Director of Liberty and Anthony Romero Executive Director of the American Civil Liberties Union issued a joint statement stating:"The Guardian's publication of information from Edward Snowden has uncovered a breach of trust by the US and UK Governments on the grandest scale. The newspaper's principled and selective revelations demonstrate our rulers' contempt for personal rights, freedoms and the rule of law.

"Across the globe, these disclosures continue to raise fundamental questions about the lack of effective legal protection against the interception of all our communications."Yet in Britain, that conversation is in danger of being lost beneath self-serving spin and scaremongering, with journalists who dare to question the secret state accused of aiding the enemy."A balance must of course be struck between security and transparency, but that cannot be achieved whilst the intelligence services and their political masters seek to avoid any scrutiny of, or debate about, their actions."The Guardian's decision to expose the extent to which our privacy is being violated should be applauded and not condemned."

But in a provision likely to raise concerns from privacy advocates, the administration wants to require DHS to share that information “in as near real time as possible” with other government agencies that have a cybersecurity mission, the official said. Those include the National Security Agency, the Pentagon’s ­Cyber Command, the FBI and the Secret Service. “DHS needs to take an active lead role in ensuring that unnecessary personal information is not shared with intelligence authorities,” Jaycox said. The debates over government surveillance prompted by disclosures from former NSA contractor Edward Snowden have shown that “the agencies already have a tremendous amount of unnecessary information,” he said.

The administration official stressed that the legislation will require companies to remove unnecessary personal information before furnishing it to the government in order to qualify for liability protection. It also will impose limits on the use of the data for cybersecurity crimes and instances in which there is a threat of death or bodily harm, such as kidnapping, the official said. And it will require DHS and the attorney general to develop guidelines for the federal government’s use and retention of the data. It will not authorize a company to take offensive cyber-measures to defend itself, such as “hacking back” into a server or computer outside its own network to track a breach. The bill also will provide liability protection to companies that share data with private-sector-developed organizations set up specifically for that purpose. Called information sharing and analysis organizations, these groups often are set up by particular industries, such as banking, to facilitate the exchange of data and best practices.

Efforts to pass information-sharing legislation have stalled in the past five years, blocked primarily by privacy concerns. The package also contains provisions that would allow prosecution for the sale of botnets or access to armies of compromised computers that can be used to spread malware, would criminalize the overseas sale of stolen U.S. credit card and bank account numbers, would expand federal law enforcement authority to deter the sale of spyware used to stalk people or commit identity theft, and would give courts the authority to shut down botnets being used for criminal activity, such as denial-of-service attacks.

It would reaffirm that federal racketeering law applies to cybercrimes and amends the Computer Fraud and Abuse Act by ensuring that “insignificant conduct” does not fall within the scope of the statute. A third element of the package is legislation Obama proposed Monday to help protect consumers and students against cyberattacks. The theft of personal financial information “is a direct threat to the economic security of American families, and we’ve got to stop it,” Obama said. The plan, unveiled in a speech at the Federal Trade Commission, would require companies to notify customers within 30 days after the theft of personal information is discovered. Right now, data breaches are handled under a patchwork of state laws that the president said are confusing and costly to enforce. Obama’s plan would streamline those into one clear federal standard and bolster requirements for companies to notify customers. Obama is proposing closing loopholes to make it easier to track down cybercriminals overseas who steal and sell identities. “The more we do to protect consumer information and privacy, the harder it is for hackers to damage our businesses and hurt our economy,” he said.

In October, Obama signed an order to protect consumers from identity theft by strengthening security features in credit cards and the terminals that process them. Marc Rotenberg, executive director of the Electronic Privacy Information Center, said there is concern that a federal standard would “preempt stronger state laws” about how and when companies have to notify consumers. The Student Digital Privacy Act would ensure that data entered would be used only for educational purposes. It would prohibit companies from selling student data to third-party companies for purposes other than education. Obama also plans to introduce a Consumer Privacy Bill of Rights. And the White House will host a summit on cybersecurity and consumer protection on Feb. 13 at Stanford University.

Last year, the European Court of Justice set limits on telecommunication data retention. By invalidating a European Union directive for its unnecessary “wide-ranging and particularly serious interference with the fundamental right to respect for private life” and personal data, this court reaffirmed the outstanding place privacy holds in Europe. This judgment echoed a 2006 German Constitutional Court ruling that the German police had breached the individual right to self-determination and human dignity after they conducted a computerized search of suspected terrorists. Regrettably, these judgments are often ignored by key decision-makers. Many of the surveillance policies that have recently been adopted in Europe fail to abide by these legal standards. Worse, many of the new intrusive measures would be applied without any prior judicial review establishing their legality, proportionality or necessity. This gives excessive power to governments and creates a clear risk of arbitrary application and abuse.

Documents published with this article: LOVELY HORSE – GCHQ Wiki Overview INTOLERANT – Who Else Is Targeting Your Target? Collecting Data Stolen by Hackers – SIDtoday  HAPPY TRIGGER/LOVELY HORSE/Zool/TWO FACE – Open Source for Cyber Defence/Progress NATO Civilian Intelligence Council – Cyber Panel – US Talking Points

These accounts represent a cross section of the hacker community and security scene. In addition to monitoring multiple accounts affiliated with Anonymous, GCHQ monitored the tweets of Kevin Mitnick, who was sent to prison in 1999 for various computer and fraud related offenses. The U.S. Government once characterized Mitnick as one of the world’s most villainous hackers, but he has since turned security consultant and exploit broker. Among others, GCHQ monitored the tweets of reverse-engineer and Google employee, Thomas Dullien. Fellow Googler Tavis Ormandy, from Google’s vulnerability research team Project Zero, is featured on the list, along with other well known offensive security researchers, including Metasploit’s HD Moore and James Lee (aka Egypt) together with Dino Dai Zovi and Alexander Sotirov, who at the time both worked for New York-based offensive security company, Trail of Bits (Dai Zovi has since taken up a position at payment company, Square). The list also includes notable anti-forensics and operational security expert “The Grugq.” GCHQ monitored the tweets of former NSA agents Dave Aitel and Charlie Miller, and former Air Force intelligence officer Richard Bejtlich as well as French exploit vendor, VUPEN (who sold a one year subscription for its binary analysis and exploits service to the NSA in 2012).

The U.S., U.K. and Canadian governments characterize hackers as a criminal menace, warn of the threats they allegedly pose to critical infrastructure, and aggressively prosecute them, but they are also secretly exploiting their information and expertise, according to top secret documents. In some cases, the surveillance agencies are obtaining the content of emails by monitoring hackers as they breach email accounts, often without notifying the hacking victims of these breaches. “Hackers are stealing the emails of some of our targets… by collecting the hackers’ ‘take,’ we . . .  get access to the emails themselves,” reads one top secret 2010 National Security Agency document. These and other revelations about the intelligence agencies’ reliance on hackers are contained in documents provided by whistleblower Edward Snowden. The documents—which come from the U.K. Government Communications Headquarters agency and NSA—shed new light on the various means used by intelligence agencies to exploit hackers’ successes and learn from their skills, while also raising questions about whether governments have overstated the threat posed by some hackers.

The adjudication process had a broad scope, taking into account the SF86 questionnaire, reports from background investigations, interviews with the applicant's family members and associates, his or her employment history, and for people seeking high-level clearances, the results of polygraph investigations.Seymour said such records “span an employee’s career” and could stretch back as far as 30 years. Officials have said that as many as 18 million people may have been affected by the breach. Asked specifically what information the hackers had obtained, Seymour told lawmakers that she preferred to answer later in a “classified session.” Seymour didn’t specify how many people’s information was stolen. But the OPM oversees background investigations, which comprise a key part of the adjudication process, for more than 90 percent of security clearance applicants, according to the Congressional Research Service. An OPM spokesman didn’t respond to a request for comment in time for publication.

A former senior U.S. intelligence official, who asked to remain anonymous, said the OPM breach would cause more damage to national security operations and personnel than the leaks by Edward Snowden about classified surveillance by the National Security Agency.“This is worse than Snowden, because at least programs that were running before the leaks could be replaced or rebuilt,” the former official said. “But OPM, that’s the gift that keeps on giving. You can’t rebuild people.”Adjudicators are in a powerful position because in deciding whether to recommend granting a security clearance, they have access to the entire scope of an applicant’s file and are told to make a subjective analysis.“The adjudication process is the careful weighing of a number of variables known as the whole-person concept,” according to official guidelines. “Available, reliable information about the person, past and present, favorable and unfavorable, should be considered in reaching a determination.”

By design, adjudication is an invasive process, meant to unearth risk factors including drug and alcohol abuse, extramarital affairs, a history of violence, and other events that speak to a person’s “trustworthiness” and their susceptibility to blackmail or being recruited to spy for a foreign government.For instance, “compulsive gambling is a concern, as it may lead to financial crimes including espionage,” the guidelines say. Adjudicators are told to note “a pattern of compulsive, self-destructive, or high risk sexual behavior,” “relapse after diagnosis of alcohol abuse,” and “emotionally unstable, irresponsible, dysfunctional, violent, paranoid, or bizarre behavior,” among other warning signs in 13 categories. Some of the embarrassing personal details found in some adjudications have been made public. That’s what happens after an applicant who was denied a security clearance launched an appeal.

Armed with such intimate details of a person’s worst moments, foreign spies would have unprecedented advantage against their U.S. adversaries. And the news is especially bad for people who hold the highest levels of clearance, which require more rigorous background checks, noted Adams, the computer security expert. “The higher up you go in your sensitivity levels, the more data that’s in your adjudication file,” he said.

In a 32-page opinion, the leading public law barrister Jemima Stratford QC raises a series of concerns about the legality and proportionality of GCHQ's work, and the lack of safeguards for protecting privacy.

The opinion notes that the UK has not adopted the doctrine of "anticipatory self-defence" in the same way as the US to provide legal cover for drone strikes in countries where it is not involved in an international armed conflict."Accordingly, in our view, if GCHQ transferred data to the NSA in the knowledge that it would or might be used for targeting drone strikes, that transfer is probably unlawful," the advice states."The transferor would be an accessory to murder for the purposes of domestic law … We consider that, pursuant to the transfer, the agent is likely to become an accessory to murder."Watson said he would be submitting the legal opinion to the parliamentary intelligence and security committee, which is undertaking an inquiry into mass surveillance."MPs now have strong independent advice questioning the legality of major UK intelligence programmes," he said.

The advice concludes: "In short, the rules concerning communications data are too uncertain and do not provide sufficient clarity to be in accordance with the law … we consider the mass interception of communications via a transatlantic cable to be unlawful, and that these conclusions would apply even if some or all of the interception is taking place outside UK territorial waters."Leaving decisions about whether data can be shared with agencies abroad to the "unfettered discretion" of ministers is also a probable breach of the convention, the advice warns.

"First, the transfer of private data is a significant interference with an individual's article 8 rights. That interference will only be lawful when proportionate."Secondly, the ECHR has held on more than one occasion that surveillance, and the use of surveillance data, is an area in which governments must conduct themselves in a transparent and 'predictable' manner. The current framework is uncertain: it relies on the discretion of one individual."Thirdly, on a pragmatic level,there is a real possibility that the NSA might function as GCHQ's unofficial 'backup' service. If GCHQ is not entitled to hold onto data itself, it might transfer it to the NSA. In time, and if relevant, that data might be transferred back to GCHQ. Without strong guidelines and scrutiny, the two services might support each other to (in effect) circumvent the requirements of their domestic legislation."The opinion adds: "If GCHQ transfers communications data to other governments it does so without any statutory restrictions. Such transfers are a disproportionate interference with the article 8 rights of the individuals concerned. There are no restrictions, checks or restraints on the transfer of that data."

At its most extreme, the advice raises issues about the possible vulnerability of staff at GCHQ if it could be proved that intelligence used for US drone strikes against "non-combatants" had been passed on or supplied by the British before being used in a missile attack."An individual involved in passing that information is likely to be an accessory to murder. It is well arguable, on a variety of different bases, that the government is obliged to take reasonable steps to investigate that possibility," the advice says.

"If ministers are prepared to allow GCHQ staff to be potential accessories to murder, they must be very clear that they are responsible for allowing it. We have seen a step change in mass covert surveillance and intelligence gathering, underpinned on dubious legal grounds and with virtually no parliamentary oversight. "The leadership of all the main parties should stop turning a blind eye to a programme that has far-reaching consequences around the globe."

For example, the source noted, none of the sensitive files in the data dump, from employees passports to list of customers, appear to be encrypted. “How can you give all the keys to your infrastructure to a 20-something who just joined the company?” he added, referring to Pozzi, whose LinkedIn shows he’s been at Hacking Team for just over a year. “Nobody noticed that someone stole a terabyte of data? You gotta be a fuckwad,” the source said. “It means nobody was taking care of security.”

The future of the company, at this point, it’s uncertain. Employees fear this might be the beginning of the end, according to sources. One current employee, for example, started working on his resume, a source told Motherboard. It’s also unclear how customers will react to this, but a source said that it’s likely that customers from countries such as the US will pull the plug on their contracts. Hacking Team asked its customers to shut down operations, but according to one of the leaked files, as part of Hacking Team’s “crisis procedure,” it could have killed their operations remotely. The company, in fact, has “a backdoor” into every customer’s software, giving it ability to suspend it or shut it down—something that even customers aren’t told about. To make matters worse, every copy of Hacking Team’s Galileo software is watermarked, according to the source, which means Hacking Team, and now everyone with access to this data dump, can find out who operates it and who they’re targeting with it.

In addition to his weak reasoning for why it would be feasible to create backdoors to encrypted devices without creating undue security risks or harming privacy, Vance makes several flawed policy-based arguments in favor of his proposal. He argues that criminals benefit from devices that are protected by strong encryption. That may be true, but strong encryption is also a critical tool used by billions of average people around the world every day to protect their transactions, communications, and private information. Lawyers, doctors, and journalists rely on encryption to protect their clients, patients, and sources. Government officials, from the President to the directors of the NSA and FBI, and members of Congress, depend on strong encryption for cybersecurity and data security. There are far more innocent Americans who benefit from strong encryption than there are criminals who exploit it. Encryption is also essential to our economy. Device manufacturers could suffer major economic losses if they are prohibited from competing with foreign manufacturers who offer more secure devices. Encryption also protects major companies from corporate and nation-state espionage. As more daily business activities are done on smartphones and other devices, they may now hold highly proprietary or sensitive information. Those devices could be targeted even more than they are now if all that has to be done to access that information is to steal an employee’s smartphone and exploit a vulnerability the manufacturer was required to create.

Privacy is another concern that Vance dismisses too easily. Despite Vance’s arguments otherwise, building backdoors into device encryption undermines privacy. Our government does not impose a similar requirement in any other context. Police can enter homes with warrants, but there is no requirement that people record their conversations and interactions just in case they someday become useful in an investigation. The conversations that we once had through disposable letters and in-person conversations now happen over the Internet and on phones. Just because the medium has changed does not mean our right to privacy has.

Vance attempts to downplay this serious risk by asserting that anyone can use the “Find My Phone” or Android Device Manager services that allow owners to delete the data on their phones if stolen. However, this does not stand up to scrutiny. These services are effective only when an owner realizes their phone is missing and can take swift action on another computer or device. This delay ensures some period of vulnerability. Encryption, on the other hand, protects everyone immediately and always. Additionally, Vance argues that it is safer to build backdoors into encrypted devices than it is to do so for encrypted communications in transit. It is true that there is a difference in the threats posed by the two types of encryption backdoors that are being debated. However, some manner of widespread vulnerability will inevitably result from a backdoor to encrypted devices. Indeed, the NSA and GCHQ reportedly hacked into a database to obtain cell phone SIM card encryption keys in order defeat the security protecting users’ communications and activities and to conduct surveillance. Clearly, the reality is that the threat of such a breach, whether from a hacker or a nation state actor, is very real. Even if companies go the extra mile and create a different means of access for every phone, such as a separate access key for each phone, significant vulnerabilities will be created. It would still be possible for a malicious actor to gain access to the database containing those keys, which would enable them to defeat the encryption on any smartphone they took possession of. Additionally, the cost of implementation and maintenance of such a complex system could be high.

Vance also suggests that the US would be justified in creating such a requirement since other Western nations are contemplating requiring encryption backdoors as well. Regardless of whether other countries are debating similar proposals, we cannot afford a race to the bottom on cybersecurity. Heads of the intelligence community regularly warn that cybersecurity is the top threat to our national security. Strong encryption is our best defense against cyber threats, and following in the footsteps of other countries by weakening that critical tool would do incalculable harm. Furthermore, even if the US or other countries did implement such a proposal, criminals could gain access to devices with strong encryption through the black market. Thus, only innocent people would be negatively affected, and some of those innocent people might even become criminals simply by trying to protect their privacy by securing their data and devices. Finally, Vance argues that David Kaye, UN Special Rapporteur for Freedom of Expression and Opinion, supported the idea that court-ordered decryption doesn’t violate human rights, provided certain criteria are met, in his report on the topic. However, in the context of Vance’s proposal, this seems to conflate the concepts of court-ordered decryption and of government-mandated encryption backdoors. The Kaye report was unequivocal about the importance of encryption for free speech and human rights. The report concluded that:

States should promote strong encryption and anonymity. National laws should recognize that individuals are free to protect the privacy of their digital communications by using encryption technology and tools that allow anonymity online. … States should not restrict encryption and anonymity, which facilitate and often enable the rights to freedom of opinion and expression. Blanket prohibitions fail to be necessary and proportionate. States should avoid all measures that weaken the security that individuals may enjoy online, such as backdoors, weak encryption standards and key escrows. Additionally, the group of intelligence experts that was hand-picked by the President to issue a report and recommendations on surveillance and technology, concluded that: [R]egarding encryption, the U.S. Government should: (1) fully support and not undermine efforts to create encryption standards; (2) not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and (3) increase the use of encryption and urge US companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage.

The clear consensus among human rights experts and several high-ranking intelligence experts, including the former directors of the NSA, Office of the Director of National Intelligence, and DHS, is that mandating encryption backdoors is dangerous. Unaddressed Concerns: Preventing Encrypted Devices from Entering the US and the Slippery Slope In addition to the significant faults in Vance’s arguments in favor of his proposal, he fails to address the question of how such a restriction would be effectively implemented. There is no effective mechanism for preventing code from becoming available for download online, even if it is illegal. One critical issue the Vance proposal fails to address is how the government would prevent, or even identify, encrypted smartphones when individuals bring them into the United States. DHS would have to train customs agents to search the contents of every person’s phone in order to identify whether it is encrypted, and then confiscate the phones that are. Legal and policy considerations aside, this kind of policy is, at the very least, impractical. Preventing strong encryption from entering the US is not like preventing guns or drugs from entering the country — encrypted phones aren’t immediately obvious as is contraband. Millions of people use encrypted devices, and tens of millions more devices are shipped to and sold in the US each year.

Finally, there is a real concern that if Vance’s proposal were accepted, it would be the first step down a slippery slope. Right now, his proposal only calls for access to smartphones and devices running mobile operating systems. While this policy in and of itself would cover a number of commonplace devices, it may eventually be expanded to cover laptop and desktop computers, as well as communications in transit. The expansion of this kind of policy is even more worrisome when taking into account the speed at which technology evolves and becomes widely adopted. Ten years ago, the iPhone did not even exist. Who is to say what technology will be commonplace in 10 or 20 years that is not even around today. There is a very real question about how far law enforcement will go to gain access to information. Things that once seemed like merely science fiction, such as wearable technology and artificial intelligence that could be implanted in and work with the human nervous system, are now available. If and when there comes a time when our “smart phone” is not really a device at all, but is rather an implant, surely we would not grant law enforcement access to our minds.

Policymakers should dismiss Vance’s proposal to prohibit the use of strong encryption to protect our smartphones and devices in order to ensure law enforcement access. Undermining encryption, regardless of whether it is protecting data in transit or at rest, would take us down a dangerous and harmful path. Instead, law enforcement and the intelligence community should be working to alter their skills and tactics in a fast-evolving technological world so that they are not so dependent on information that will increasingly be protected by encryption.

While Gemalto was indeed another casualty in Western governments’ sweeping effort to gather as much global intelligence advantage as possible, the leaked documents make clear that the company was specifically targeted. According to the materials published Thursday, GCHQ used a specific codename — DAPINO GAMMA — to refer to the operations against Gemalto. The spies also actively penetrated the email and social media accounts of Gemalto employees across the world in an effort to steal the company’s encryption keys. Evidence of the Gemalto breach rattled the digital security community. “Almost everyone in the world carries cell phones and this is an unprecedented mass attack on the privacy of citizens worldwide,” said Greg Nojeim, senior counsel at the Center for Democracy & Technology, a non-profit that advocates for digital privacy and free online expression. “While there is certainly value in targeted surveillance of cell phone communications, this coordinated subversion of the trusted technical security infrastructure of cell phones means the US and British governments now have easy access to our mobile communications.”

For Gemalto, evidence that their vaunted security systems and the privacy of customers had been compromised by the world’s top spy agencies made an immediate financial impact. The company’s shares took a dive on the Paris bourse Friday, falling $500 million. In the U.S., Gemalto’s shares fell as much 10 percent Friday morning. They had recovered somewhat — down 4 percent — by the close of trading on the Euronext stock exchange. Analysts at Dutch financial services company Rabobank speculated in a research note that Gemalto could be forced to recall “a large number” of SIM cards. The French daily L’Express noted today that Gemalto board member Alex Mandl was a founding trustee of the CIA-funded venture capital firm In-Q-Tel. Mandl resigned from In-Q-Tel’s board in 2002, when he was appointed CEO of Gemplus, which later merged with another company to become Gemalto. But the CIA connection still dogged Mandl, with the French press regularly insinuating that American spies could infiltrate the company. In 2003, a group of French lawmakers tried unsuccessfully to create a commission to investigate Gemplus’s ties to the CIA and its implications for the security of SIM cards. Mandl, an Austrian-American businessman who was once a top executive at AT&T, has denied that he had any relationship with the CIA beyond In-Q-Tel. In 2002, he said he did not even have a security clearance.

AT&T, T-Mobile and Verizon could not be reached for comment Friday. Sprint declined to comment. Vodafone, the world’s second largest telecom provider by subscribers and a customer of Gemalto, said in a statement, “[W]e have no further details of these allegations which are industrywide in nature and are not focused on any one mobile operator. We will support industry bodies and Gemalto in their investigations.” Deutsche Telekom AG, a German company, said it has changed encryption algorithms in its Gemalto SIM cards. “We currently have no knowledge that this additional protection mechanism has been compromised,” the company said in a statement. “However, we cannot rule out this completely.”

Update: Asked about the SIM card heist, White House press secretary Josh Earnest said he did not expect the news would hurt relations with the tech industry: “It’s hard for me to imagine that there are a lot of technology executives that are out there that are in a position of saying that they hope that people who wish harm to this country will be able to use their technology to do so. So, I do think in fact that there are opportunities for the private sector and the federal government to coordinate and to cooperate on these efforts, both to keep the country safe, but also to protect our civil liberties.”

The new license plate reader contract comes after years of internal lobbying by the agency. ICE first tested Vigilant’s system in 2012, gauging how effective it was at locating undocumented immigrants. Two years later, the agency issued an open solicitation for the technology, sparking an outcry from civil liberties group. Homeland Security secretary Jeh Johnson canceled the solicitation shortly afterward, citing privacy concerns, although two field offices subsequently formed rogue contracts with Vigilant in apparent violation of Johnson’s policy. In 2015, Homeland Security issued another call for bids, although an ICE representative said no contract resulted from that solicitation. As a result, this new contract is the first agency-wide contract ICE has completed with the company, a fact that is reflected in accompanying documents. On December 27th, 2017, Homeland Security issued an updated privacy assessment of license plate reader technology, a move it explained was necessary because “ICE has now entered into a contract with a vendor.” The new system places some limits on ICE surveillance, but not enough to quiet privacy concerns. Unlike many agencies, ICE won’t upload new data to Vigilant’s system but simply scan through the data that’s already there. In practical terms, that means driving past a Vigilant-linked camera might flag a car to ICE, but driving past an ICE camera won’t flag a car to everyone else using the system. License plates on the hot list will also expire after one year, and the system retains extensive audit logs to help supervisors trace back any abuse of the system. Still, the biggest concern for critics is the sheer scale of Vigilant’s network, assembled almost entirely outside of public accountability. “If ICE were to propose a system that would do what Vigilant does, there would be a huge privacy uproar and I don’t think Congress would approve it,” Stanley says. “But because it’s a private contract, they can sidestep that process.”

The challenges were brought by Liberty, Privacy International and other civil liberties groups who claimed that GCHQ’s receipt of private communications intercepted by the NSA through its “mass surveillance” programmes Prism and Upstream was illegal.

The legal challenge was the first of dozens of GCHQ-related claims to be examined in detail by the IPT, which hears complaints against British intelligence agencies and government bodies that carry out surveillance under Ripa. Some of the most sensitive evidence about interceptions was heard in private sessions from which the rights groups were excluded.