Skip to main content

Home/ Socialism and the End of the American Dream/ Group items tagged digital-privacy

Rss Feed Group items tagged

Filter: All | Bookmarks | Topics Simple Middle
Paul Merrell

The Use of FBI's Facial Recognition Is Growing, Despite Rampant Inaccuracy and Privacy ... - 0 views

theintercept.com/...r-privacy-protections-accuracy

surveillance state FBI facial-recognition

shared by Paul Merrell on 18 Jun 16 - No Cached
  • The FBI’s use of facial recognition technology is exploding, according to a new report from the Government Accountability Office — and its growth is largely unchecked, unaudited, and possibly flawed. “FBI should better ensure privacy and accuracy” of its facial recognition technology and the databases that photographs are stored in, urged the GAO. According to the report, the FBI has never reviewed its facial recognition searches for misuse — on either state databases or its own massive biometric database, known as the Next Generation Identification system. The FBI has access to 16 different state databases of driver’s license photos – almost 173 million people — not just criminal mug shots.
  • The FBI also hasn’t run any tests on how accurate the facial recognition technology is when searching state databases, and whether those searches come back with false positives, which could lead to misidentifying an innocent person as a criminal suspect. According to a National Institute of Standards and Technology report on facial recognition, error rates of technology surveyed can range between a few percent to more than 50. And the bureau has repeatedly dragged its feet when assessing the privacy impact of its facial recognition technology — information that would “improve the public’s understanding” of the FBI’s efforts to protect privacy, according to the GAO. “When people go to the DMV to take their driver’s license photos, they don’t expect that their faces will be scanned and searched tens of thousands of times by the FBI. They don’t expect that their faces will become part of a permanent, digital line-up. What the FBI is doing may be legal, but it isn’t right,” Alvaro Bedoya, the executive director of Georgetown Law School’s Center on Privacy and Technology, wrote in a statement.
  • In the meantime, the FBI has requested that its own biometric database be exempt from legal provisions in the Privacy Act that would require the agency to tell people their fingerprints, faces, and more have been collected so they can challenge the accuracy of the information.
Paul Merrell

No U.S. Action, So States Move on Privacy Law - NYTimes.com - 0 views

www.nytimes.com/...tates-move-on-privacy-law.html

surveillance state privacy-laws states digital-privacy

shared by Paul Merrell on 16 Apr 14 - No Cached
  • State legislatures around the country, facing growing public concern about the collection and trade of personal data, have rushed to propose a series of privacy laws, from limiting how schools can collect student data to deciding whether the police need a warrant to track cellphone locations.
  • Over two dozen privacy laws have passed this year in more than 10 states, in places as different as Oklahoma and California. Many lawmakers say that news reports of widespread surveillance by the National Security Agency have led to more support for the bills among constituents. And in some cases, the state lawmakers say, they have felt compelled to act because of the stalemate in Washington on legislation to strengthen privacy laws. “Congress is obviously not interested in updating those things or protecting privacy,” said Jonathan Stickland, a Republican state representative in Texas. “If they’re not going to do it, states have to do it.”
Paul Merrell

Transcript: Comey Says Authors of Encryption Letter Are Uninformed or Not Fair-Minded |... - 0 views

justsecurity.org/...-letter-uninformed-fair-minded

surveillance state FBI Comey encryption backdoors

shared by Paul Merrell on 21 May 15 - No Cached
  • Earlier today, FBI Director James Comey implied that a broad coalition of technology companies, trade associations, civil society groups, and security experts were either uninformed or were not “fair-minded” in a letter they sent to the President yesterday urging him to reject any legislative proposals that would undermine the adoption of strong encryption by US companies. The letter was signed by dozens of organizations and companies in the latest part of the debate over whether the government should be given built-in access to encrypted data (see, for example, here, here, here, and here for previous iterations). The comments were made at the Third Annual Cybersecurity Law Institute held at Georgetown University Law Center. The transcript of his encryption-related discussion is below (emphasis added).
  • Increasingly, communications at rest sitting on a device or in motion are encrypted. The device is encrypted or the communication is encrypted and therefore unavailable to us even with a court order. So I make a showing of probable cause to a judge in a criminal case or in an intelligence case to the Foreign Intelligence Surveillance Court judge that the content of a particular defense or a particular communication stream should be collected to our statutory authority, and the judge approves, increasingly we are finding ourselves unable to read what we find or we’re unable to open a device. And that is a serious concern. I am actually — I think encryption is a good thing. I think there are tremendous societal benefits to encryption. That’s one of the reasons the FBI tells people not only lock your cars, but you should encrypt things that are important to you to make it harder for thieves to take them.
  • A group of tech companies and some prominent folks wrote a letter to the President yesterday that I frankly found depressing. Because their letter contains no acknowledgment that there are societal costs to universal encryption. Look, I recognize the challenges facing our tech companies. Competitive challenges, regulatory challenges overseas, all kinds of challenges. I recognize the benefits of encryption, but I think fair-minded people also have to recognize the costs associated with that. And I read this letter and I think, “Either these folks don’t see what I see or they’re not fair-minded.” And either one of those things is depressing to me. So I’ve just got to continue to have the conversation. I don’t know the answer, but I don’t think a democracy should drift to a place where suddenly law enforcement people say, “Well, actually we — the Fourth Amendment is an awesome thing, but we actually can’t access any information.”
  • ...2 more annotations...
  • But we have a collision going on in this country that’s getting closer and closer to an actual head-on, which is our important interest in privacy — which I am passionate about — and our important interest in public safety. The logic of universal encryption is inexorable that our authority under the Fourth Amendment — an amendment that I think is critical to ordered liberty — with the right predication and the right oversight to obtain information is going to become increasingly irrelevant. As all of our lives become digital, the logic of encryption is that all of our lives will be covered by strong encryption, therefore all of our lives — I know there are no criminals here, but including the lives of criminals and terrorists and spies — will be in a place that is utterly unavailable to court ordered process. And that, I think, to a democracy should be very, very concerning. I think we need to have a conversation about it. Again, how do we strike the right balance? Privacy matters tremendously. Public safety, I think, matters tremendously to everybody. I think fair-minded people have to recognize that there are tremendous benefits to a society from encryption. There are tremendous costs to a society from universal strong encryption. And how do we think about that?
  • We’ve got to have a conversation long before the logic of strong encryption takes us to that place. And smart people, reasonable people will disagree mightily. Technical people will say it’s too hard. My reaction to that is: Really? Too hard? Too hard for the people we have in this country to figure something out? I’m not that pessimistic. I think we ought to have a conversation.
  • Paul Merrell on 21 May 15
     
    Considering that I'm over 10 times as likely to die from a police shoooting as I am from a terrorist attack, how about we begin this conversation, Mr. Comey, by you providing formal notice to everyone who's had the telephone metadata gathered or searched all dates on which such gatherings and searches were conducted so citizens can file suit for violation of their privacy rights? Note that the Second U.S. Circuit Court of Appeals held last week that the FBI exceeded statutory authority in gathering and searching that information. Because the gathering and searching was not authorized, that would bring the gathering and searching under the protections of the Privacy Act, including the FBI duty to account for the disclosures  and to pay at least the statutory minimum $1,500 in damges per incident.  Then I would like to have an itemization of all of the commercial software and hardware products that your agency and or your buddies at NSA built backdoors into.  Then your resignation for millions of violations of the Privacy Act would be deeply appreciated. Please feel free to delegate the above mentioned tasks to your successor. 
Gary Edwards

Great Privacy Essay: Fourth Amendment Doctrine in the Era of Total Surveillance | CIO - 0 views

www.cio.com/...era-of-total-surveillance.html

privacy the-Fourth-Amendment

shared by Gary Edwards on 04 Aug 14 - No Cached
  • Gary Edwards on 04 Aug 14
     
    "'Failing Expectations: Fourth Amendment Doctrine in the Era of Total Surveillance' is a thought-provoking essay written by a Fordham University law professor about how the reasonable expectation test for privacy is failing to protect us. Add into our networked world the third-party doctrine and we have little protection against unreasonable searches and seizures."
  • Paul Merrell on 05 Aug 14
     
    It doesn't detract substantially from the essay's central thesis, but an important part of the learned professor's heartfelt desires were delivered in a Supreme Court decision just decided, after the essay was published, Reilly v. California, http://www.supremecourt.gov/opinions/13pdf/13-132_8l9c.pdf The Court held in relevant part: "We also reject the United States' final suggestion that officers should always be able to search a phone's call log, as they did in Wurie's case. The Government relies on Smithv. Maryland, 442 U. S. 735 (1979), which held that no warrant was required to use a pen register at telephone company premises to identify numbers dialed by a particular caller. The Court in that case, however, concluded that the use of a pen register was not a "search" at all under the Fourth Amendment. See id., at 745-746. There is no dispute here that the officers engaged in a search of Wurie's cell phone. Moreover, call logs typically contain more than just phone numbers; they include any identifying information that an individual might add, such as the label "my house" in Wurie's case." The effect there was to confine Smith v. Maryland, the foundation of the third-party doctrine, to its particular facts. In other words, the third-party doctrine is now confined to connected telephone numbers, the connect time, and the duration of the call. If any other metadata is gathered, such as location data, the third-party doctrine no longer applies. When you read the rest of the Reilly decision, you see a unanimous Supreme Court shooting down one government defense after another that have been used in the NSA's defense to mass telecommunications surveillance. But most interestingly, the Court unmistakably has laid the groundwork for a later decision drastically cutting back on digital surveillance without a search warrant based on particularized probable cause to believe that evidence of a specific crime has occurred and that the requested sear
Paul Merrell

Supreme Court Says Phones Can't Be Searched Without a Warrant - NYTimes.com - 0 views

www.nytimes.com/...cellphones-search-privacy.html

digital-privacy litigation U.S. cellphone-privacy NSA-reform

shared by Paul Merrell on 26 Jun 14 - No Cached
  • In a sweeping victory for privacy rights in the digital age, the Supreme Court on Wednesday unanimously ruled that the police need warrants to search the cellphones of people they arrest.While the decision will offer protection to the 12 million people arrested every year, many for minor crimes, its impact will most likely be much broader. The ruling almost certainly also applies to searches of tablet and laptop computers, and its reasoning may apply to searches of homes and businesses and of information held by third parties like phone companies.“This is a bold opinion,” said Orin S. Kerr, a law professor at George Washington University. “It is the first computer-search case, and it says we are in a new digital age. You can’t apply the old rules anymore.”
  • Paul Merrell on 26 Jun 14
     
    It is now beyond doubt that the Supreme Court is declining to authorize an Orwellian government surveillance future for the U.S. This sweeping, unanimous ruling definitely has broad application beyond cellphones, in no small part because the court recognized that cellphones of today are more like desktop computers and a host of other computerized devices than they are like the telephones of yesteryear. Hence, almost everything the court said afterward about the privacy rights in cellphones applies equally to all personal use computers. 
Paul Merrell

It's Time to Rewrite the Internet to Give Us Better Privacy, and Security - The Daily B... - 0 views

www.thedailybeast.com/...tter-privacy-and-security.html

surveillance state lessig surveillance-blocking

shared by Paul Merrell on 22 Jun 13 - No Cached
  • Almost 15 years ago, as I was just finishing a book about the relationship between the Net (we called it “cyberspace” then) and civil liberties, a few ideas seemed so obvious as to be banal: First, life would move to the Net. Second, the Net would change as it did so. Gone would be simple privacy, the relatively anonymous default infrastructure for unmonitored communication; in its place would be a perpetually monitored, perfectly traceable system supporting both commerce and the government. That, at least, was the future that then seemed most likely, as business raced to make commerce possible and government scrambled to protect us (or our kids) from pornographers, and then pirates, and now terrorists. But another future was also possible, and this was my third, and only important point: Recognizing these obvious trends, we just might get smart about how code (my shorthand for the technology of the Internet) regulates us, and just possibly might begin thinking smartly about how we could embed in that code the protections that the Constitution guarantees us. Because—and here was the punchline, the single slogan that all 724 people who read that book remember—code is law. And if code is law, then we need to be as smart about how code regulates us as we are about how the law does so.
  • There is, after all, something hopeful about a future that was smart about encoding our civil liberties. It could, in theory at least, be better. Better at protecting us from future Nixons, better at securing privacy, and better at identifying those keen to commit crime.
  • But what astonishes me is that today, more than a decade into the 21st century, the world has remained mostly oblivious to these obvious points about the relationship between law and code. That’s the bit in the Edward Snowden interview that is, to me, the most shocking. As he explained to Glenn Greenwald: The NSA specially targets the communications of everyone. It ingests them by default. It collects them in its system, and it filters them and it analyzes them and it measures them and it stores them for periods of time simply because that’s the easiest and the most efficient and most valuable way to achieve these ends ... Not all analysts have the ability to target everything. But I sitting at my desk certainly had the authority to wiretap anyone—from you [the reporter, Glenn Greenwald], to your accountant, to a federal judge, to even the president if I had a personal email. We don’t know yet whether Snowden is telling the truth. Lots of people have denied specifics, and though his interview is compelling, just now, we literally don’t know. But what we do know are the questions that ought to be asked in response to his claims. And specifically, this: Is it really the case that the government has entrusted our privacy to the good judgment of private analysts? Are there really no code-based controls for assuring that specific surveillance is specifically justified? And what is the technology for assuring that rogues paid by our government can’t use data collected by our government for purposes that none within our government would openly and publicly defend?
  • ...1 more annotation...
  • Because the fact is that there is technology that could be deployed that would give many the confidence that none of us now have. “Trust us” does not compute. But trust and verify, with high-quality encryption, could. And there are companies, such as Palantir, developing technologies that could give us, and more importantly, reviewing courts, a very high level of confidence that data collected or surveilled was not collected or used in an improper way. Think of it as a massive audit log, recording how and who used what data for what purpose. We could code the Net in a string of obvious ways to give us even better privacy, while also enabling better security. But we don’t, or haven’t, obviously. Maybe because of stupidity. How many congressmen could even describe how encryption works? Maybe because of cupidity. Who within our system can resist large and lucrative contracts to private companies, especially when bundled with generous campaign funding packages? Or maybe because the “permanent war” that Obama told us we were not in has actually convinced all within government that old ideas are dead and we just need to “get over it”—ideas like privacy, and due process, and fundamental proportionality. These ideas may be dead, for now. And they will stay dead, in the future. At least until we finally learn how liberty can live in the digital age. And here’s the hint: not through law alone, but through law that demands code that even the Electronic Frontier Foundation could trust.
  • Paul Merrell on 22 Jun 13
     
    As the most prominent among law professors concerned with online civil liberties and now specializing in government corruption, if Lawrence Lessig says there are technical solutions for protecting us from online government snooping, I'm all years. He directs attention to technology being developed by Palantir, http://www.palantir.com/
Paul Merrell

Brazil Looks to Break from U.S.-Centric Internet | TIME.com - 0 views

world.time.com/...reak-from-u-s-centric-internet

surveillance state NSA NSA-blowback Brazil Internet-Balkanization

shared by Paul Merrell on 25 Sep 13 - No Cached
  • Brazil plans to divorce itself from the U.S.-centric Internet over Washington’s widespread online spying, a move that many experts fear will be a potentially dangerous first step toward fracturing a global network built with minimal interference by governments. President Dilma Rousseff ordered a series of measures aimed at greater Brazilian online independence and security following revelations that the U.S. National Security Agency intercepted her communications, hacked into the state-owned Petrobras oil company’s network and spied on Brazilians who entrusted their personal data to U.S. tech companies such as Facebook and Google. The leader is so angered by the espionage that on Tuesday she postponed next month’s scheduled trip to Washington, where she was to be honored with a state dinner. Internet security and policy experts say the Brazilian government’s reaction to information leaked by former NSA contractor Edward Snowden is understandable, but warn it could set the Internet on a course of Balkanization.
  • “The global backlash is only beginning and will get far more severe in coming months,” said Sascha Meinrath, director of the Open Technology Institute at the Washington-based New America Foundation think tank. “This notion of national privacy sovereignty is going to be an increasingly salient issue around the globe.” While Brazil isn’t proposing to bar its citizens from U.S.-based Web services, it wants their data to be stored locally as the nation assumes greater control over Brazilians’ Internet use to protect them from NSA snooping. The danger of mandating that kind of geographic isolation, Meinrath said, is that it could render inoperable popular software applications and services and endanger the Internet’s open, interconnected structure.
  • The effort by Latin America’s biggest economy to digitally isolate itself from U.S. spying not only could be costly and difficult, it could encourage repressive governments to seek greater technical control over the Internet to crush free expression at home, experts say. In December, countries advocating greater “cyber-sovereignty” pushed for such control at an International Telecommunications Union meeting in Dubai, with Western democracies led by the United States and the European Union in opposition.
  • ...5 more annotations...
  • Rousseff says she intends to push for international rules on privacy and security in hardware and software during the U.N. General Assembly meeting later this month. Among Snowden revelations: the NSA has created backdoors in software and Web-based services. Brazil is now pushing more aggressively than any other nation to end U.S. commercial hegemony on the Internet. More than 80 percent of online search, for example, is controlled by U.S.-based companies. Most of Brazil’s global Internet traffic passes through the United States, so Rousseff’s government plans to lay underwater fiber optic cable directly to Europe and also link to all South American nations to create what it hopes will be a network free of U.S. eavesdropping.
  • More communications integrity protection is expected when Telebras, the state-run telecom company, works with partners to oversee the launch in 2016 of Brazil’s first communications satellite, for military and public Internet traffic. Brazil’s military currently relies on a satellite run by Embratel, which Mexican billionaire Carlos Slim controls. Rousseff is urging Brazil’s Congress to compel Facebook, Google and all companies to store data generated by Brazilians on servers physically located inside Brazil in order to shield it from the NSA. If that happens, and other nations follow suit, Silicon Valley’s bottom line could be hit by lost business and higher operating costs: Brazilians rank No. 3 on Facebook and No. 2 on Twitter and YouTube. An August study by a respected U.S. technology policy nonprofit estimated the fallout from the NSA spying scandal could cost the U.S. cloud computing industry, which stores data remotely to give users easy access from any device, as much as $35 billion by 2016 in lost business.
  • Brazil also plans to build more Internet exchange points, places where vast amounts of data are relayed, in order to route Brazilians’ traffic away from potential interception. And its postal service plans by next year to create an encrypted email service that could serve as an alternative to Gmail and Yahoo!, which according to Snowden-leaked documents are among U.S. tech giants that have collaborated closely with the NSA. “Brazil intends to increase its independent Internet connections with other countries,” Rousseff’s office said in an emailed response to questions from The Associated Press on its plans. It cited a “common understanding” between Brazil and the European Union on data privacy, and said “negotiations are underway in South America for the deployment of land connections between all nations.” It said Brazil plans to boost investment in home-grown technology and buy only software and hardware that meet government data privacy specifications.
  • While the plans’ technical details are pending, experts say they will be costly for Brazil and ultimately can be circumvented. Just as people in China and Iran defeat government censors with tools such as “proxy servers,” so could Brazilians bypass their government’s controls. International spies, not just from the United States, also will adjust, experts said. Laying cable to Europe won’t make Brazil safer, they say. The NSA has reportedly tapped into undersea telecoms cables for decades. Meinrath and others argue that what’s needed instead are strong international laws that hold nations accountable for guaranteeing online privacy.
  • “There’s nothing viable that Brazil can really do to protect its citizenry without changing what the U.S. is doing,” he said. Matthew Green, a Johns Hopkins computer security expert, said Brazil won’t protect itself from intrusion by isolating itself digitally. It will also be discouraging technological innovation, he said, by encouraging the entire nation to use a state-sponsored encrypted email service. “It’s sort of like a Soviet socialism of computing,” he said, adding that the U.S. “free-for-all model works better.”
  • Paul Merrell on 25 Sep 13
     
    So both Brazil and the European Union are planning to boycott the U.S.-based cloud industry, seizing on the NSA's activities as legal grounds. Under the various GATT series of trade agreements, otherwise forbidden discriminatory actions taken that restrict trade in aid of national security are exempt from redress through the World Trade Organization Dispute Resolution Process. So the NSA voyeurs can add legalizing economic digital discrimination against the U.S. to its score card.
Paul Merrell

In Hearing on Internet Surveillance, Nobody Knows How Many Americans Impacted in Data C... - 0 views

www.eff.org/...w-many-americans-impacted-data

surveillance state NSA 702 FISA legislation backdoor-serches stats

shared by Paul Merrell on 29 May 16 - No Cached
  • The Senate Judiciary Committee held an open hearing today on the FISA Amendments Act, the law that ostensibly authorizes the digital surveillance of hundreds of millions of people both in the United States and around the world. Section 702 of the law, scheduled to expire next year, is designed to allow U.S. intelligence services to collect signals intelligence on foreign targets related to our national security interests. However—thanks to the leaks of many whistleblowers including Edward Snowden, the work of investigative journalists, and statements by public officials—we now know that the FISA Amendments Act has been used to sweep up data on hundreds of millions of people who have no connection to a terrorist investigation, including countless Americans. What do we mean by “countless”? As became increasingly clear in the hearing today, the exact number of Americans impacted by this surveillance is unknown. Senator Franken asked the panel of witnesses, “Is it possible for the government to provide an exact count of how many United States persons have been swept up in Section 702 surveillance? And if not the exact count, then what about an estimate?”
  • Elizabeth Goitein, the Brennan Center director whose articulate and thought-provoking testimony was the highlight of the hearing, noted that at this time an exact number would be difficult to provide. However, she asserted that an estimate should be possible for most if not all of the government’s surveillance programs. None of the other panel participants—which included David Medine and Rachel Brand of the Privacy and Civil Liberties Oversight Board as well as Matthew Olsen of IronNet Cybersecurity and attorney Kenneth Wainstein—offered an estimate. Today’s hearing reaffirmed that it is not only the American people who are left in the dark about how many people or accounts are impacted by the NSA’s dragnet surveillance of the Internet. Even vital oversight committees in Congress like the Senate Judiciary Committee are left to speculate about just how far-reaching this surveillance is. It's part of the reason why we urged the House Judiciary Committee to demand that the Intelligence Community provide the public with a number. 
  • The lack of information makes rigorous oversight of the programs all but impossible. As Senator Franken put it in the hearing today, “When the public lacks even a rough sense of the scope of the government’s surveillance program, they have no way of knowing if the government is striking the right balance, whether we are safeguarding our national security without trampling on our citizens’ fundamental privacy rights. But the public can’t know if we succeed in striking that balance if they don’t even have the most basic information about our major surveillance programs."  Senator Patrick Leahy also questioned the panel about the “minimization procedures” associated with this type of surveillance, the privacy safeguard that is intended to ensure that irrelevant data and data on American citizens is swiftly deleted. Senator Leahy asked the panel: “Do you believe the current minimization procedures ensure that data about innocent Americans is deleted? Is that enough?”  David Medine, who recently announced his pending retirement from the Privacy and Civil Liberties Oversight Board, answered unequivocally:
  • ...2 more annotations...
  • Senator Leahy, they don’t. The minimization procedures call for the deletion of innocent Americans’ information upon discovery to determine whether it has any foreign intelligence value. But what the board’s report found is that in fact information is never deleted. It sits in the databases for 5 years, or sometimes longer. And so the minimization doesn’t really address the privacy concerns of incidentally collected communications—again, where there’s been no warrant at all in the process… In the United States, we simply can’t read people’s emails and listen to their phone calls without court approval, and the same should be true when the government shifts its attention to Americans under this program. One of the most startling exchanges from the hearing today came toward the end of the session, when Senator Dianne Feinstein—who also sits on the Intelligence Committee—seemed taken aback by Ms. Goitein’s mention of “backdoor searches.” 
  • Feinstein: Wow, wow. What do you call it? What’s a backdoor search? Goitein: Backdoor search is when the FBI or any other agency targets a U.S. person for a search of data that was collected under Section 702, which is supposed to be targeted against foreigners overseas. Feinstein: Regardless of the minimization that was properly carried out. Goitein: Well the data is searched in its unminimized form. So the FBI gets raw data, the NSA, the CIA get raw data. And they search that raw data using U.S. person identifiers. That’s what I’m referring to as backdoor searches. It’s deeply concerning that any member of Congress, much less a member of the Senate Judiciary Committee and the Senate Intelligence Committee, might not be aware of the problem surrounding backdoor searches. In April 2014, the Director of National Intelligence acknowledged the searches of this data, which Senators Ron Wyden and Mark Udall termed “the ‘back-door search’ loophole in section 702.” The public was so incensed that the House of Representatives passed an amendment to that year's defense appropriations bill effectively banning the warrantless backdoor searches. Nonetheless, in the hearing today it seemed like Senator Feinstein might not recognize or appreciate the serious implications of allowing U.S. law enforcement agencies to query the raw data collected through these Internet surveillance programs. Hopefully today’s testimony helped convince the Senator that there is more to this topic than what she’s hearing in jargon-filled classified security briefings.
  • Paul Merrell on 29 May 16
     
    The 4th Amendment: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and *particularly describing the place to be searched, and the* persons or *things to be seized."* So much for the particularized description of the place to be searched and the thngs to be seized.  Fah! Who needs a Constitution, anyway .... 
Paul Merrell

NSA 'not interested in' Americans, privacy officer claims | TheHill - 0 views

thehill.com/...ericans-privacy-officer-claims

surveillance state NSA not-interested Richards

shared by Paul Merrell on 18 Mar 16 - No Cached
  • The National Security Agency’s internal civil liberties watchdog insisted on Thursday that the agency has no interest in spying on Americans under its controversial spying tools. “Our employees are trained to not look for U.S. persons,” NSA privacy and civil liberties officer Rebecca Richards said on Thursday.
  • “We’re not interested in those U.S. persons. We’re trying to look away from those,” she added. “Instead, we’re looking for where are our targets?”Richards’s comments came up during a Capitol Hill panel discussion about a new report on U.S. spying from the Brennan Center for Justice.The analysis looks at aspects of a presidential order that dates back to Ronald Reagan and was updated by then-President George W. Bush, called Executive Order 12333.
  • Programs under the order, which is meant to guide foreign surveillance, “have implications for Americans’ privacy that could well be greater than those of their domestic counterparts,” the organization wrote in its analysis. “The vast majority of Americans — whether wittingly or not — engage in communication that is transmitted or stored overseas.”“This reality of the digital age renders Americans’ communications and data highly vulnerable to NSA surveillance abroad.”
  • ...2 more annotations...
  • NSA surveillance under Executive Order 12333 is separate from the agency’s higher profile bulk collection of Americans’ phone records, which ended last year. It also occurs under separate legal powers than a controversial provision of the 2008 update to the Foreign Intelligence Surveillance Act, which comes up for renewal at the end of 2017.The executive order targets foreigners, but can “incidentally” pick up data about Americans if their activity on the Internet crosses international borders, Richards acknowledged.“Our procedures are designed to say: There are occasions when you are going to get U.S. persons,” she said, “and when you get those U.S. persons, here’s the rules.”
  • Richards is the agency’s first ever civil liberties officer. She was hired in early 2014, on the heels of fallout from Edward Snowden’s leaks about the spy agency. 
  • Paul Merrell on 18 Mar 16
     
    Not interested. Apparently that's why NSA was turning over raw search results to Israel without filtering out "U.S. persons" data. And why they just decided to give other agencies including law enforcement access to raw search results. And why Gen. Keith Alexander personally put together a program to ruin people's reputations including a "U.S. person." And why Russell Tice said that he personally had Obama's NSA dossier in his hands when Obama was running for the U.S. Senate. And why Tice says NSA had similar dossiers on members of Congress and the justices of the U.S. Supreme Court and targeted "lots of lawyers." On and on.  Ms. Richards appears to have become a quick study in NSA's hallmark skill of lying to the public. 
Paul Merrell

Court Rules Feds Need Warrant to Access Drug Prescriptions Database | American Civil Li... - 0 views

www.aclu.org/...-feds-need-warrant-access-drug

surveillance state DEA prescriptions patient-records 4th Amendment warrant

shared by Paul Merrell on 14 Feb 14 - No Cached
  • In a significant win for the privacy rights of anyone who has ever gotten a drug prescription, a federal judge in Oregon ruled yesterday that the DEA needs a warrant to search confidential prescription records. Oregon, like 48 other states, has a Prescription Drug Monitoring Program (PDMP), which tracks patients’ prescriptions for medications used to treat a long list of sensitive medical conditions. Although Oregon law requires police to get a warrant from a judge before searching prescription records in the database, the DEA has been requesting records using administrative subpoenas, which do not involve judicial authorization or probable cause. After the State of Oregon sued the DEA over this practice, the ACLU and ACLU of Oregon joined the suit on behalf of four patients and a doctor in the state. Last month, we argued in court that the DEA is violating the Fourth Amendment by bypassing the Constitution’s warrant requirement when seeking private prescription records. Yesterday, the court agreed. The court’s ruling is the first time a judge has held that law enforcement must get a probable cause warrant to access confidential prescription records from a state database in a criminal investigation. The opinion is significant for several reasons.
  • First, the court soundly rejected the DEA’s extreme argument that people lose their Fourth Amendment privacy rights in their medical information when they engage in confidential discussions with their doctor and pharmacist about their illnesses and treatment decisions. The federal government had argued that the “third party doctrine” applied, comparing confidential prescription records to electricity consumption records, bank records, and other categories of information held by third-party companies, for which courts have said police don’t need a warrant. The judge batted this argument aside, explaining that prescription records are “more inherently personal or private than bank records, and are entitled to and treated with a heightened expectation of privacy.” As the court held: “Although there is not an absolute right to privacy in prescription information, as patients must expect that physicians, pharmacists, and other medical personnel can and must access their records, it is more than reasonable for patients to believe that law enforcement agencies will not have unfettered access to their records.” More importantly, this ruling fits into a series of recent opinions calling into question the continuing vitality of the third party doctrine in modern society. As Justice Sotomayor wrote in United States v. Jonestwo years ago, “it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.” This sentiment was echoed by the federal judge who ruled last year that the NSA’s bulk telephone metadata program violates the Fourth Amendment. The Oregon case is another blow to the third party doctrine’s shaky foundation.
  • In addition, although yesterday’s ruling is only binding within Oregon, it will be persuasive precedent for courts evaluating law enforcement’s use of subpoenas to obtain private prescription records—and similar information—around the country. The case is a reminder to the DEA and other law enforcement agencies that they are not above the law, and that they must comply with the Fourth Amendment’s warrant requirement when seeking sensitive information in criminal investigations. Finally, the case should add momentum to a movement within state legislatures to amend PDMP statutes to require police to get a warrant for prescription records. Ten states currently require a warrant as a matter of state law (Rhode Island was the most recent state to add this requirement, last year). The Pennsylvania House has passed legislation creating a warrant requirement for that state’s PDMP, and is waiting for the state senate to act. The Florida legislature may update the privacy protections for its PDMP this year. Action by state legislatures will send a strong message to the DEA that it should be getting warrants everywhere, not just in Oregon.
  • Paul Merrell on 14 Feb 14
     
    A case to watch as it wends it way through the appellate process. A very big win for the ACLU, with major implications for federal intelligence gathering in general. 
Paul Merrell

NSA shares raw intelligence including Americans' data with Israel | World news | The Gu... - 0 views

www.theguardian.com/...personal-data-israel-documents

security state NSA FISA Court Israel Unit-8200 NSA-records Obama lies

shared by Paul Merrell on 19 Sep 13 - No Cached
  • The National Security Agency routinely shares raw intelligence data with Israel without first sifting it to remove information about US citizens, a top-secret document provided to the Guardian by whistleblower Edward Snowden reveals.Details of the intelligence-sharing agreement are laid out in a memorandum of understanding between the NSA and its Israeli counterpart that shows the US government handed over intercepted communications likely to contain phone calls and emails of American citizens. The agreement places no legally binding limits on the use of the data by the Israelis.The disclosure that the NSA agreed to provide raw intelligence data to a foreign country contrasts with assurances from the Obama administration that there are rigorous safeguards to protect the privacy of US citizens caught in the dragnet. The intelligence community calls this process "minimization", but the memorandum makes clear that the information shared with the Israelis would be in its pre-minimized state.
  • The deal was reached in principle in March 2009, according to the undated memorandum, which lays out the ground rules for the intelligence sharing.The five-page memorandum, termed an agreement between the US and Israeli intelligence agencies "pertaining to the protection of US persons", repeatedly stresses the constitutional rights of Americans to privacy and the need for Israeli intelligence staff to respect these rights.But this is undermined by the disclosure that Israel is allowed to receive "raw Sigint" – signal intelligence. The memorandum says: "Raw Sigint includes, but is not limited to, unevaluated and unminimized transcripts, gists, facsimiles, telex, voice and Digital Network Intelligence metadata and content."According to the agreement, the intelligence being shared would not be filtered in advance by NSA analysts to remove US communications. "NSA routinely sends ISNU [the Israeli Sigint National Unit] minimized and unminimized raw collection", it says.
  • In a statement to the Guardian, an NSA spokesperson did not deny that personal data about Americans was included in raw intelligence data shared with the Israelis. But the agency insisted that the shared intelligence complied with all rules governing privacy."Any US person information that is acquired as a result of NSA's surveillance activities is handled under procedures that are designed to protect privacy rights," the spokesperson said.The NSA declined to answer specific questions about the agreement, including whether permission had been sought from the Foreign Intelligence Surveillance (Fisa) court for handing over such material.
  • ...3 more annotations...
  • While NSA documents tout the mutually beneficial relationship of Sigint sharing, another report, marked top secret and dated September 2007, states that the relationship, while central to US strategy, has become overwhelmingly one-sided in favor of Israel."Balancing the Sigint exchange equally between US and Israeli needs has been a constant challenge," states the report, titled 'History of the US – Israel Sigint Relationship, Post-1992'. "In the last decade, it arguably tilted heavily in favor of Israeli security concerns. 9/11 came, and went, with NSA's only true Third Party [counter-terrorism] relationship being driven almost totally by the needs of the partner."
  • In another top-secret document seen by the Guardian, dated 2008, a senior NSA official points out that Israel aggressively spies on the US. "On the one hand, the Israelis are extraordinarily good Sigint partners for us, but on the other, they target us to learn our positions on Middle East problems," the official says. "A NIE [National Intelligence Estimate] ranked them as the third most aggressive intelligence service against the US."Later in the document, the official is quoted as saying: "One of NSA's biggest threats is actually from friendly intelligence services, like Israel. There are parameters on what NSA shares with them, but the exchange is so robust, we sometimes share more than we intended."
  • The Guardian asked the Obama administration how many times US data had been found in the raw intelligence, either by the Israelis or when the NSA reviewed a sample of the files, but officials declined to provide this information. Nor would they disclose how many other countries the NSA shared raw data with, or whether the Fisa court, which is meant to oversee NSA surveillance programs and the procedures to handle US information, had signed off the agreement with Israel.In its statement, the NSA said: "We are not going to comment on any specific information sharing arrangements, or the authority under which any such information is collected. The fact that intelligence services work together under specific and regulated conditions mutually strengthens the security of both nations."NSA cannot, however, use these relationships to circumvent US legal restrictions. Whenever we share intelligence information, we comply with all applicable rules, including the rules to protect US person information."
Paul Merrell

Google Chrome Listening In To Your Room Shows The Importance Of Privacy Defense In Depth - 0 views

www.privateinternetaccess.com/...ce-of-privacy-defense-in-depth

surveillance state Google-Chrome Chromium audio-surveillance digital-surveillance

shared by Paul Merrell on 23 Jun 15 - No Cached
  • Yesterday, news broke that Google has been stealth downloading audio listeners onto every computer that runs Chrome, and transmits audio data back to Google. Effectively, this means that Google had taken itself the right to listen to every conversation in every room that runs Chrome somewhere, without any kind of consent from the people eavesdropped on. In official statements, Google shrugged off the practice with what amounts to “we can do that”.It looked like just another bug report. "When I start Chromium, it downloads something." Followed by strange status information that notably included the lines "Microphone: Yes" and "Audio Capture Allowed: Yes".
  • Without consent, Google’s code had downloaded a black box of code that – according to itself – had turned on the microphone and was actively listening to your room.A brief explanation of the Open-source / Free-software philosophy is needed here. When you’re installing a version of GNU/Linux like Debian or Ubuntu onto a fresh computer, thousands of really smart people have analyzed every line of human-readable source code before that operating system was built into computer-executable binary code, to make it common and open knowledge what the machine actually does instead of trusting corporate statements on what it’s supposed to be doing. Therefore, you don’t install black boxes onto a Debian or Ubuntu system; you use software repositories that have gone through this source-code audit-then-build process. Maintainers of operating systems like Debian and Ubuntu use many so-called “upstreams” of source code to build the final product.Chromium, the open-source version of Google Chrome, had abused its position as trusted upstream to insert lines of source code that bypassed this audit-then-build process, and which downloaded and installed a black box of unverifiable executable code directly onto computers, essentially rendering them compromised. We don’t know and can’t know what this black box does. But we see reports that the microphone has been activated, and that Chromium considers audio capture permitted.
  • This was supposedly to enable the “Ok, Google” behavior – that when you say certain words, a search function is activated. Certainly a useful feature. Certainly something that enables eavesdropping of every conversation in the entire room, too.Obviously, your own computer isn’t the one to analyze the actual search command. Google’s servers do. Which means that your computer had been stealth configured to send what was being said in your room to somebody else, to a private company in another country, without your consent or knowledge, an audio transmission triggered by… an unknown and unverifiable set of conditions.Google had two responses to this. The first was to introduce a practically-undocumented switch to opt out of this behavior, which is not a fix: the default install will still wiretap your room without your consent, unless you opt out, and more importantly, know that you need to opt out, which is nowhere a reasonable requirement. But the second was more of an official statement following technical discussions on Hacker News and other places. That official statement amounted to three parts (paraphrased, of course):
  • ...4 more annotations...
  • 1) Yes, we’re downloading and installing a wiretapping black-box to your computer. But we’re not actually activating it. We did take advantage of our position as trusted upstream to stealth-insert code into open-source software that installed this black box onto millions of computers, but we would never abuse the same trust in the same way to insert code that activates the eavesdropping-blackbox we already downloaded and installed onto your computer without your consent or knowledge. You can look at the code as it looks right now to see that the code doesn’t do this right now.2) Yes, Chromium is bypassing the entire source code auditing process by downloading a pre-built black box onto people’s computers. But that’s not something we care about, really. We’re concerned with building Google Chrome, the product from Google. As part of that, we provide the source code for others to package if they like. Anybody who uses our code for their own purpose takes responsibility for it. When this happens in a Debian installation, it is not Google Chrome’s behavior, this is Debian Chromium’s behavior. It’s Debian’s responsibility entirely.3) Yes, we deliberately hid this listening module from the users, but that’s because we consider this behavior to be part of the basic Google Chrome experience. We don’t want to show all modules that we install ourselves.
  • If you think this is an excusable and responsible statement, raise your hand now.Now, it should be noted that this was Chromium, the open-source version of Chrome. If somebody downloads the Google product Google Chrome, as in the prepackaged binary, you don’t even get a theoretical choice. You’re already downloading a black box from a vendor. In Google Chrome, this is all included from the start.This episode highlights the need for hard, not soft, switches to all devices – webcams, microphones – that can be used for surveillance. A software on/off switch for a webcam is no longer enough, a hard shield in front of the lens is required. A software on/off switch for a microphone is no longer enough, a physical switch that breaks its electrical connection is required. That’s how you defend against this in depth.
  • Of course, people were quick to downplay the alarm. “It only listens when you say ‘Ok, Google’.” (Ok, so how does it know to start listening just before I’m about to say ‘Ok, Google?’) “It’s no big deal.” (A company stealth installs an audio listener that listens to every room in the world it can, and transmits audio data to the mothership when it encounters an unknown, possibly individually tailored, list of keywords – and it’s no big deal!?) “You can opt out. It’s in the Terms of Service.” (No. Just no. This is not something that is the slightest amount of permissible just because it’s hidden in legalese.) “It’s opt-in. It won’t really listen unless you check that box.” (Perhaps. We don’t know, Google just downloaded a black box onto my computer. And it may not be the same black box as was downloaded onto yours. )Early last decade, privacy activists practically yelled and screamed that the NSA’s taps of various points of the Internet and telecom networks had the technical potential for enormous abuse against privacy. Everybody else dismissed those points as basically tinfoilhattery – until the Snowden files came out, and it was revealed that precisely everybody involved had abused their technical capability for invasion of privacy as far as was possible.Perhaps it would be wise to not repeat that exact mistake. Nobody, and I really mean nobody, is to be trusted with a technical capability to listen to every room in the world, with listening profiles customizable at the identified-individual level, on the mere basis of “trust us”.
  • Privacy remains your own responsibility.
  • Paul Merrell on 23 Jun 15
     
    And of course, Google would never succumb to a subpoena requiring it to turn over the audio stream to the NSA. The Tor Browser just keeps looking better and better. https://www.torproject.org/projects/torbrowser.html.en
Paul Merrell

NSA phone surveillance program likely unconstitutional, federal judge rules | World new... - 0 views

www.theguardian.com/...-likely-unconstitutional-judge

surveillance state NSA call-metadata litigation 4th Amendment constitutional law NSA-blowback

shared by Paul Merrell on 17 Dec 13 - No Cached
  • A federal judge in Washington ruled on Monday that the bulk collection of Americans’ telephone records by the National Security Agency is likely to violate the US constitution, in the most significant legal setback for the agency since the publication of the first surveillance disclosures by the whistleblower Edward Snowden. Judge Richard Leon declared that the mass collection of metadata probably violates the fourth amendment, which prohibits unreasonable searches and seizures, and was "almost Orwellian" in its scope. In a judgment replete with literary swipes against the NSA, he said James Madison, the architect of the US constitution, would be "aghast" at the scope of the agency’s collection of Americans' communications data. The ruling, by the US district court for the District of Columbia, is a blow to the Obama administration, and sets up a legal battle that will drag on for months, almost certainly destined to end up in the supreme court. It was welcomed by campaigners pressing to rein in the NSA, and by Snowden, who issued a rare public statement saying it had vindicated his disclosures. It is also likely to influence other legal challenges to the NSA, currently working their way through federal courts.
  • In Monday’s ruling, the judge concluded that the pair's constitutional challenge was likely to be successful. In what was the only comfort to the NSA in a stinging judgment, Leon put the ruling on hold, pending an appeal by the government. Leon expressed doubt about the central rationale for the program cited by the NSA: that it is necessary for preventing terrorist attacks. “The government does not cite a single case in which analysis of the NSA’s bulk metadata collection actually stopped an imminent terrorist attack,” he wrote.
  • Leon’s opinion contained stern and repeated warnings that he was inclined to rule that the metadata collection performed by the NSA – and defended vigorously by the NSA director Keith Alexander on CBS on Sunday night – was unconstitutional. “Plaintiffs have a substantial likelihood of showing that their privacy interests outweigh the government’s interest in collecting and analysing bulk telephony metadata and therefore the NSA’s bulk collection program is indeed an unreasonable search under the fourth amendment,” he wrote. Leon said that the mass collection of phone metadata, revealed by the Guardian in June, was "indiscriminatory" and "arbitrary" in its scope. "The almost-Orwellian technology that enables the government to store and analyze the phone metadata of every telephone user in the United States is unlike anything that could have been conceived in 1979," he wrote, referring to the year in which the US supreme court ruled on a fourth amendment case upon which the NSA now relies to justify the bulk records program.
  • ...5 more annotations...
  • In a statement, Snowden said the ruling justified his disclosures. “I acted on my belief that the NSA's mass surveillance programs would not withstand a constitutional challenge, and that the American public deserved a chance to see these issues determined by open courts," he said in comments released through Glenn Greenwald, the former Guardian journalist who received leaked documents from Snowden. "Today, a secret program authorised by a secret court was, when exposed to the light of day, found to violate Americans’ rights. It is the first of many.”
  • In his ruling, Judge Leon expressly rejected the government’s claim that the 1979 supreme court case, Smith v Maryland, which the NSA and the Obama administration often cite to argue that there is no reasonable expectation of privacy over metadata, applies in the NSA’s bulk-metadata collection. The mass surveillance program differs so much from the one-time request dealt with by the 1979 case that it was of “little value” in assessing whether the metadata dragnet constitutes a fourth amendment search.
  • In a decision likely to influence other federal courts hearing similar arguments from the ACLU, Leon wrote that the Guardian’s disclosure of the NSA’s bulk telephone records collection means that citizens now have standing to challenge it in court, since they can demonstrate for the first time that the government is collecting their phone data.
  • Leon also struck a blow for judicial review of government surveillance practices even when Congress explicitly restricts the ability of citizens to sue for relief. “While Congress has great latitude to create statutory schemes like Fisa,” he wrote, referring to the seminal 1978 surveillance law, “it may not hang a cloak of secrecy over the constitution.”
  • In his ruling on Monday, Judge Leon predicted the process would take six months. He urged the government to take that time to prepare for an eventual defeat. “I fully expect that during the appellate process, which will consume at least the next six months, the government will take whatever steps necessary to prepare itself to comply with this order when, and if, it is upheld,” wrote Leon in his opinion. “Suffice it to say, requesting further time to comply with this order months from now will not be well received and could result in collateral sanctions.”
  • Paul Merrell on 17 Dec 13
     
    This is the case I thought was the weakest because of poor drafting in the complaint. The judge noted those issues in dismissing the plaintiffs' claims under the Administrative Procedures Act, but picked his way through what remained to find sufficient allegations to support the 4th Amendment challenge. Because he ruled for the plaintiffs on the 4th Amendment count, the judge did not reach the plaintiffs' arguments under the First and Fifth Amendments. This case is about cellphone call metadata, which the FISA Court has been ordering cell phone companies to provide every day, with the orders updated every 90 days. The judge's 68-page opinion is at https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2013cv0881-40 (cleaner copy than the Guardian's, which was apparently faxed). Notably, the judge, Richard Leon, is a Bush II appointee and one of the plaintiffs is a prominent conservative civil libertarian lawyer. The other plaintiff is the father of an NSA cryptologist who worked closely with SEAL Team 6 and was killed along with members of that team when their helicopter crashed in Afghanistan. I'll add some more in a comment. But digital privacy is not yet dead.
  • Paul Merrell on 17 Dec 13
     
    Unfortunately, DRM is not dead yet either and the court's PDF file is locked. No easy copying of its content. If you want to jump directly to the discussion of 4th Amendment issues, go to page 35. That way, you can skip past all the dreary discussion of the Administrative Procedures Act claim and you won't miss much that's memorable. In ruling on the plaintiffs' standing to raise the 4th Amendment claim, Judge Leon postulated two possible search issues: [i] the bulk daily collection of metadata and its retention in the database for five years; and [ii] the analysis of that data through the NSA's querying process. The judge had no difficulty with the first issue; it definitely qualifies as a search. But the judge rejected the plaintiffs' argument on the second type (which was lame), demonstrating that at least one federal judge understands how computers work. The government's filings indicated that a "seed" telephone number or other identifier is used as the query string. Judge Leon figured out for himself from this fact that the NSA of necessity had to compare that number or identifier to every number or identifier in its database looking for a match. The judge concluded that the plaintiffs' metadata --- indeed everyone's metadata --- had to be searched for comparison purposes *every* time the NSA analysts ran any query against the database. See his incisive discussion at pp. 39-41. So having established that two searches were involved, one every time the NSA queried the database, the judge moved on to the next question, whether "the plaintiffs had a reasonable expectation of privacy that is violated when the Government indiscriminately collects their telephony metadata along with the metadata of hundreds of millions of other citizens without any particularized suspicion of wrongdoing, retains that metadata for five years, and then queries, analyzes, and investigates that data without prior judicial approval of the investigative targets." pg. 43. More later
Paul Merrell

Between the Lines of the Cellphone Privacy Ruling - NYTimes.com - 0 views

www.nytimes.com/...ellphone-privacy-decision.html

digital-privacy litigation U.S. cellphone-privacy NSA-reform

shared by Paul Merrell on 26 Jun 14 - No Cached
  • In a pathbreaking case on Fourth Amendment privacy rights and modern technology, the Supreme Court unanimously ruled that the police must obtain warrants before searching the digital contents of cellphones taken from people who are placed under arrest. Here are some key points in the opinion by Chief Justice John G. Roberts Jr. and a concurrence by Justice Samuel Alito.
Paul Merrell

European Lawmakers Demand Answers on Phone Key Theft - The Intercept - 0 views

firstlook.org/...gemalto-heist-shocks-europe

surveillance state Gemalto SIM-card-keys

shared by Paul Merrell on 24 Feb 15 - No Cached
  • European officials are demanding answers and investigations into a joint U.S. and U.K. hack of the world’s largest manufacturer of mobile SIM cards, following a report published by The Intercept Thursday. The report, based on leaked documents provided by NSA whistleblower Edward Snowden, revealed the U.S. spy agency and its British counterpart Government Communications Headquarters, GCHQ, hacked the Franco-Dutch digital security giant Gemalto in a sophisticated heist of encrypted cell-phone keys. The European Parliament’s chief negotiator on the European Union’s data protection law, Jan Philipp Albrecht, said the hack was “obviously based on some illegal activities.” “Member states like the U.K. are frankly not respecting the [law of the] Netherlands and partner states,” Albrecht told the Wall Street Journal. Sophie in ’t Veld, an EU parliamentarian with D66, the Netherlands’ largest opposition party, added, “Year after year we have heard about cowboy practices of secret services, but governments did nothing and kept quiet […] In fact, those very same governments push for ever-more surveillance capabilities, while it remains unclear how effective these practices are.”
  • “If the average IT whizzkid breaks into a company system, he’ll end up behind bars,” In ’t Veld added in a tweet Friday. The EU itself is barred from undertaking such investigations, leaving individual countries responsible for looking into cases that impact their national security matters. “We even get letters from the U.K. government saying we shouldn’t deal with these issues because it’s their own issue of national security,” Albrecht said. Still, lawmakers in the Netherlands are seeking investigations. Gerard Schouw, a Dutch member of parliament, also with the D66 party, has called on Ronald Plasterk, the Dutch minister of the interior, to answer questions before parliament. On Tuesday, the Dutch parliament will debate Schouw’s request. Additionally, European legal experts tell The Intercept, public prosecutors in EU member states that are both party to the Cybercrime Convention, which prohibits computer hacking, and home to Gemalto subsidiaries could pursue investigations into the breach of the company’s systems.
  • According to secret documents from 2010 and 2011, a joint NSA-GCHQ unit penetrated Gemalto’s internal networks and infiltrated the private communications of its employees in order to steal encryption keys, embedded on tiny SIM cards, which are used to protect the privacy of cellphone communications across the world. Gemalto produces some 2 billion SIM cards a year. The company’s clients include AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers. “[We] believe we have their entire network,” GCHQ boasted in a leaked slide, referring to the Gemalto heist.
  • ...4 more annotations...
  • While Gemalto was indeed another casualty in Western governments’ sweeping effort to gather as much global intelligence advantage as possible, the leaked documents make clear that the company was specifically targeted. According to the materials published Thursday, GCHQ used a specific codename — DAPINO GAMMA — to refer to the operations against Gemalto. The spies also actively penetrated the email and social media accounts of Gemalto employees across the world in an effort to steal the company’s encryption keys. Evidence of the Gemalto breach rattled the digital security community. “Almost everyone in the world carries cell phones and this is an unprecedented mass attack on the privacy of citizens worldwide,” said Greg Nojeim, senior counsel at the Center for Democracy & Technology, a non-profit that advocates for digital privacy and free online expression. “While there is certainly value in targeted surveillance of cell phone communications, this coordinated subversion of the trusted technical security infrastructure of cell phones means the US and British governments now have easy access to our mobile communications.”
  • For Gemalto, evidence that their vaunted security systems and the privacy of customers had been compromised by the world’s top spy agencies made an immediate financial impact. The company’s shares took a dive on the Paris bourse Friday, falling $500 million. In the U.S., Gemalto’s shares fell as much 10 percent Friday morning. They had recovered somewhat — down 4 percent — by the close of trading on the Euronext stock exchange. Analysts at Dutch financial services company Rabobank speculated in a research note that Gemalto could be forced to recall “a large number” of SIM cards. The French daily L’Express noted today that Gemalto board member Alex Mandl was a founding trustee of the CIA-funded venture capital firm In-Q-Tel. Mandl resigned from In-Q-Tel’s board in 2002, when he was appointed CEO of Gemplus, which later merged with another company to become Gemalto. But the CIA connection still dogged Mandl, with the French press regularly insinuating that American spies could infiltrate the company. In 2003, a group of French lawmakers tried unsuccessfully to create a commission to investigate Gemplus’s ties to the CIA and its implications for the security of SIM cards. Mandl, an Austrian-American businessman who was once a top executive at AT&T, has denied that he had any relationship with the CIA beyond In-Q-Tel. In 2002, he said he did not even have a security clearance.
  • AT&T, T-Mobile and Verizon could not be reached for comment Friday. Sprint declined to comment. Vodafone, the world’s second largest telecom provider by subscribers and a customer of Gemalto, said in a statement, “[W]e have no further details of these allegations which are industrywide in nature and are not focused on any one mobile operator. We will support industry bodies and Gemalto in their investigations.” Deutsche Telekom AG, a German company, said it has changed encryption algorithms in its Gemalto SIM cards. “We currently have no knowledge that this additional protection mechanism has been compromised,” the company said in a statement. “However, we cannot rule out this completely.”
  • Update: Asked about the SIM card heist, White House press secretary Josh Earnest said he did not expect the news would hurt relations with the tech industry: “It’s hard for me to imagine that there are a lot of technology executives that are out there that are in a position of saying that they hope that people who wish harm to this country will be able to use their technology to do so. So, I do think in fact that there are opportunities for the private sector and the federal government to coordinate and to cooperate on these efforts, both to keep the country safe, but also to protect our civil liberties.”
  • Paul Merrell on 24 Feb 15
     
    Watch for massive class action product defect litigation to be filed against the phone companies.and mobile device manufacturers.  In most U.S. jurisdictions, proof that the vendors/manufacturers  knew of the product defect is not required, only proof of the defect. Also, this is a golden opportunity for anyone who wants to get out of a pricey cellphone contract, since providing a compromised cellphone is a material breach of warranty, whether explicit or implied..   
Paul Merrell

Senate committee adopts cybersecurity bill opposed by NSA critics | World news | thegua... - 0 views

www.theguardian.com/...ty-bill-opposed-by-nsa-critics

surveillance state NSA legislation cyberwar vulnerabilities

shared by Paul Merrell on 10 Jul 14 - No Cached
  • The Senate intelligence committee voted Tuesday to adopt a major cybersecurity bill that critics fear will give the National Security Agency even wider access to American data than it already has.Observers said the bill, approved by a 12 to 3 vote in a meeting closed to the public, would face a difficult time passing the full Senate, considering both the shortened legislative calendar in an election year and the controversy surrounding surveillance.But the bill is a priority of current and former NSA directors, who warn that private companies’ vulnerability to digital sabotage and economic data exfiltration will get worse without it.Pushed by Dianne Feinstein and Saxby Chambliss, the California Democrat and Georgia Republican who lead the committee, the bill would remove legal obstacles that block firms from sharing information "in real time" about cyber-attacks and prevention or mitigation measures with one another and with the US government.
  • Worrying civil libertarians is that the NSA and its twin military command, US Cyber Command, would receive access to vast amounts of data, and privacy guidelines for the handling of that data are yet to be developed.A draft of the bill released in mid-June would permit government agencies to share, retain and use the information for "a cybersecurity purpose" – defined as "the purpose of protecting an information system or information that is stored on, processed by or transiting an information system from a cybersecurity threat or security vulnerability" – raising the prospect of the NSA stockpiling a catalogue of weaknesses in digital security, as a recent White House data-assurance policy permits.It would also prevent participating companies from being sued for sharing data with each other and the government, even though many companies offer contract terms of service prohibiting the sharing of client or customer information without explicit consent.
  • But digital rights advocates warn that the measure will give the government, including the NSA, access to more information than just that relating to cyberthreats, potentially creating a new avenue for broad governmental access to US data even as Congress and the Obama administration contemplate restricting the NSA's domestic collection.The bill contains "catch-all provisions that would allow for the inclusion of a lot more than malicious code. It could include the content of communications. That's one of the biggest concerns," said Gabriel Rottman, an attorney with the American Civil Liberties Union.Provisions in the bill are intended to protect American privacy on the front end by having participating companies strike "indicators … known to be personal information of or identifying a United States person" before the government sees it, but the draft version leaves specific guidelines for privacy protection up to the attorney general."Nobody knows whether the flow from the private sector will be a trickle or a river or an ocean. The bill contemplates an ocean, and that's what worries us," said Greg Nojeim of the Center for Democracy and Technology.
Paul Merrell

France Threatens Google With Privacy Fines - ABC News - 0 views

abcnews.go.com/...-google-privacy-fines-19443670

digital-privacy regulatory-action Google

shared by Paul Merrell on 20 Jun 13 - No Cached
  • France is giving Google three months to be more upfront about the data it collects from users — or be fined. Other European countries aren't far behind.
  • The French agency that regulates information technology says that five other European countries are taking similar steps in a staggered offensive against Google's privacy policy between now and the end of July. It says Google largely ignored earlier recommendations from European regulators.
  • Paris' formal warning gives the company three months to make changes to its privacy practices. They include specifying to users what it is using personal data for, and how long it's held. Regulators also want Google to let users opt out of having their data centralized — for example, when data from online searches, Gmail and YouTube are crunched into a single location.
  • Paul Merrell on 20 Jun 13
     
    Note that we have yet to hear from European regulatory entities with power to inflict far bigger hurt on cloud companies like Google, e.g., the EC's DG Competition, national security forces, E.U. Parliament, etc. 
Paul Merrell

Court to rule on cellphone privacy : SCOTUSblog - 0 views

www.scotusblog.com/...t-to-rule-on-cellphone-privacy

surveillance state constitutional law 4th Amendment cellphone privacy

shared by Paul Merrell on 18 Jan 14 - No Cached
  • Moving into another conflict between technology and privacy, the Supreme Court agreed on Friday afternoon to rule on police authority to search the contents of a cellphone they take from an individual they have arrested.  The Court accepted for review a state case and a federal case, involving differing versions of hand-held telephone capacity.
  • Both of the new cases on cellphone privacy involve the authority of police, who do not have a search warrant, to examine the data that is stored on a cellphone taken from a suspect at the time of arrest.  The two cases span the advance in technology of cellphones:  the government case, Wurie, involves the kind of device that is now considered old-fashioned — the simple flip phone.  The Riley case involves the more sophisticated type of device, which functions literally as a hand-held computer, capable of containing a great deal more personal information. The state case involves a San Diego man, David Leon Riley, convicted of shooting at an occupied vehicle, attempted murder, and assault with a semi-automatic weapon.  Riley was not arrested at the time of the shooting incident in August 2009; instead, he was arrested later, after he was stopped for driving with expired license plates.   Police seized the cellphone he was carrying at the time of his arrest, and twice examined its contents, without a warrant. The data turned up evidence identifying him as a gang member out to kill members of a rival gang.  Other contents included a photo of him with a red car seen at the shooting site.  Police were then able to trace calls, leading to a trail of evidence pointing to Riley as a participant in the shooting.  No one positively identified him, but the data from the cellphone search was put before the jury, which convicted him of all three counts.  He has been sentenced to fifteen years to life in prison.
  • Riley’s petition had posed a general question about whether the Fourth Amendment allowed police without a warrant to search “the digital contents of an individual’s cellphone seized from the person at the time of arrest.”  In granting review, the Court said it would only rule on this issue: “Whether evidence admitted at [his] trial was obtained in a search of [his] cellphone that violated [his] Fourth Amendment rights.” The government case involves a South Boston man, Brima Wurie.  In 2007, a police officer saw him make an apparent drug sale out of his car.  The officer confronted the buyer, turning up two bags of crack cocaine. He partially identified his drug source. Officers followed Wurie from the scene, and arrested him.  He was then taken to a police station, where the officers retrieved two cellphones.   One of the phones was receiving repeated calls from a number identified as Wurie’s home.  The officers checked the phone’s call log.  They traced him to his house.  The officers deemed the fact that he had cellphones with him as an indication that he carried out drug dealing with the use of such a device. He was convicted of being a felon who had a gun and ammunition, distributing crack cocaine, and possessing the crack with intent to distribute it  He sought to block the use of the evidence taken from his cellphone, but that failed.  He was convicted on all charges, and has been sentenced to 262 months in prison.
  • ...1 more annotation...
  • Although the two cases raise the same constitutional issue, the Court did not consolidate them for review, so presumably there will be separate briefing and argument on each.  They probably would be argued one after the other, however.  The Court did not expedite the briefing schedule, but they still are expected to be heard in April.
Paul Merrell

N.S.A. Able to Foil Basic Safeguards of Privacy on Web - NYTimes.com - 1 views

www.nytimes.com/...-much-internet-encryption.html

surveillance state NSA GCHQ NSA-capabilities

shared by Paul Merrell on 06 Sep 13 - No Cached
Gary Edwards liked it
  • The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.
  • The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.
  • The N.S.A. hacked into target computers to snare messages before they were encrypted. In some cases, companies say they were coerced by the government into handing over their master encryption keys or building in a back door. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.
  • ...11 more annotations...
  • “For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies,” said a 2010 memo describing a briefing about N.S.A. accomplishments for employees of its British counterpart, Government Communications Headquarters, or GCHQ. “Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.”
  • Some of the agency’s most intensive efforts have focused on the encryption in universal use in the United States, including Secure Sockets Layer, or SSL; virtual private networks, or VPNs; and the protection used on fourth-generation, or 4G, smartphones. Many Americans, often without realizing it, rely on such protection every time they send an e-mail, buy something online, consult with colleagues via their company’s computer network, or use a phone or a tablet on a 4G network.
  • For at least three years, one document says, GCHQ, almost certainly in collaboration with the N.S.A., has been looking for ways into protected traffic of popular Internet companies: Google, Yahoo, Facebook and Microsoft’s Hotmail. By 2012, GCHQ had developed “new access opportunities” into Google’s systems, according to the document. (Google denied giving any government access and said it had no evidence its systems had been breached).
  • Paul Kocher, a leading cryptographer who helped design the SSL protocol, recalled how the N.S.A. lost the heated national debate in the 1990s about inserting into all encryption a government back door called the Clipper Chip. “And they went and did it anyway, without telling anyone,” Mr. Kocher said. He said he understood the agency’s mission but was concerned about the danger of allowing it unbridled access to private information.
  • The documents are among more than 50,000 shared by The Guardian with The New York Times and ProPublica, the nonprofit news organization. They focus on GCHQ but include thousands from or about the N.S.A. Intelligence officials asked The Times and ProPublica not to publish this article, saying it might prompt foreign targets to switch to new forms of encryption or communications that would be harder to collect or read. The news organizations removed some specific facts but decided to publish the article because of the value of a public debate about government actions that weaken the most powerful privacy tools.
  • The files show that the agency is still stymied by some encryption, as Mr. Snowden suggested in a question-and-answer session on The Guardian’s Web site in June. “Properly implemented strong crypto systems are one of the few things that you can rely on,” he said, though cautioning that the N.S.A. often bypasses the encryption altogether by targeting the computers at one end or the other and grabbing text before it is encrypted or after it is decrypted.
  • Because strong encryption can be so effective, classified N.S.A. documents make clear, the agency’s success depends on working with Internet companies — by getting their voluntary collaboration, forcing their cooperation with court orders or surreptitiously stealing their encryption keys or altering their software or hardware.
  • At Microsoft, as The Guardian has reported, the N.S.A. worked with company officials to get pre-encryption access to Microsoft’s most popular services, including Outlook e-mail, Skype Internet phone calls and chats, and SkyDrive, the company’s cloud storage service.
  • Simultaneously, the N.S.A. has been deliberately weakening the international encryption standards adopted by developers. One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,” the most common encryption method. Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology and later by the International Organization for Standardization, which has 163 countries as members. Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.” “Eventually, N.S.A. became the sole editor,” the memo says.
  • But the agencies’ goal was to move away from decrypting targets’ tools one by one and instead decode, in real time, all of the information flying over the world’s fiber optic cables and through its Internet hubs, only afterward searching the decrypted material for valuable intelligence. A 2010 document calls for “a new approach for opportunistic decryption, rather than targeted.” By that year, a Bullrun briefing document claims that the agency had developed “groundbreaking capabilities” against encrypted Web chats and phone calls. Its successes against Secure Sockets Layer and virtual private networks were gaining momentum.
  • Ladar Levison, the founder of Lavabit, wrote a public letter to his disappointed customers, offering an ominous warning. “Without Congressional action or a strong judicial precedent,” he wrote, “I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.”
  • Paul Merrell on 06 Sep 13
     
    Lengthy article, lots of new information on NSA decryption capabilities, none of it good for those who value their data privacy.
  • Gary Edwards on 06 Sep 13
     
    Thanks Paul - nice job cutting this monster down to size :)
Paul Merrell

The NSA is turning the internet into a total surveillance system | Alexander Abdo and P... - 0 views

www.theguardian.com/...sa-internet-surveillance-email

surveillance state NSA email lies

shared by Paul Merrell on 16 Aug 13 - No Cached
  • Another burst of sunlight permeated the National Security Agency's black box of domestic surveillance last week.According to the New York Times, the NSA is searching the content of virtually every email that comes into or goes out of the United States without a warrant. To accomplish this astonishing invasion of Americans' privacy, the NSA reportedly is making a copy of nearly every international email. It then searches that cloned data, keeping all of the emails containing certain keywords and deleting the rest – all in a matter of seconds.
  • The NSA appears to believe this general monitoring of our electronic communications is justified because the entire process takes, in one official's words, "a small number of seconds". Translation: the NSA thinks it can intercept and then read Americans' emails so long as the intrusion is swift, efficient and silent.That is not how the fourth amendment works.Whether the NSA inspects and retains these messages for years, or only searches through them once before moving on, the invasion of Americans' privacy is real and immediate. There is no "five-second rule" for fourth amendment violations: the US constitution does not excuse these bulk searches simply because they happen in the blink of an eye.The government claims that this program is authorized by a surveillance statute passed in 2008 that allows the government to target foreigners for surveillance. Although the government has frequently defended that law as a necessary tool in gathering foreign intelligence, the government has repeatedly misled the public about the extent to which the statute implicates Americans' communications.
  • There should no longer be any doubt: the US government has for years relied upon its authority to collect foreigners' communications as a useful cover for its sweeping surveillance of Americans' communications. The surveillance program revealed last week confirms that the interception of American communications under this law is neither "targeted" at foreigners (in any ordinary sense of that word) nor "inadvertent", as officials have repeatedly claimed.Last week's revelations are a disturbing harbinger of future surveillance. Two months ago, this newspaper reported that the US government has been forcing American telecommunications companies to turn over the call records of every one of their customers "on an ongoing daily basis", to allow the NSA to later search those records when it has a reason to do so. The government has since defended the program, in part on the theory that Americans' right to privacy is not implicated by the initial acquisition of their phone records, only by their later searching.That legal theory is extraordinarily dangerous because it would allow the NSA to acquire virtually all digital information today simply because it might possibly become relevant tomorrow. The surveillance program revealed by the New York Times report goes one step further still. No longer is the government simply collecting information now so that the data is available to search, should a reasonable suspicion arise at some point in the future; the NSA is searching everything now – in real time and without suspicion – merely on the chance that it finds something of interest.
  • ...1 more annotation...
  • That principle of pre-emptive surveillance threatens to subvert the most basic protections of the fourth amendment, which generally prohibit the government from conducting suspicion-less fishing expeditions through our private affairs. If the government is correct that it can search our every communication in case we say or type something suspicious, there is little to prevent the NSA from converting the internet into a tool of pervasive surveillance.
  • Paul Merrell on 16 Aug 13
     
    Obama was apparently technically accurate but materially misleading when he he said that no one is reading your email. But government computers are reading every email. "Although conduct by law enforcement officials prior to trial may ultimately impair that right, a constitutional violation occurs only at trial. Kastigar v. United States, 406 U. S. 441, 453 (1972). The Fourth Amendment functions differently. It prohibits 'unreasonable searches and seizures' whether or not the evidence is sought to be used in a criminal trial, and a violation of the Amendment is 'fully accomplished' at the time of an unreasonable governmental intrusion. United States v. Calandra, 414 U. S. 338, 354 (1974); United States v. Leon, 468 U. S. 897, 906 (1984)." United States v. Verdugo-Urquidez, 494 US 259, 265 (1990), http://scholar.google.com/scholar_case?case=10167007390100843851  
‹ Previous 21 - 40 of 116 Next › Last »
Showing 20 items per page