Skip to main content

Home/ Socialism and the End of the American Dream/ Group items tagged privacy-shield

Rss Feed Group items tagged

Filter: All | Bookmarks | Topics Simple Middle
Paul Merrell

Distrust of US surveillance threatens data deal | TheHill - 0 views

thehill.com/...rveillance-threatens-data-deal

surveillance state EU NSA safe-harbor negotiations Congress

shared by Paul Merrell on 08 Feb 16 - No Cached
  • European privacy regulators are putting U.S. surveillance practices under the microscope, this time with a crucial transatlantic data deal hanging in the balance.Legal and privacy advocates say European nations are poised to strike down the deal if they decide the U.S. hasn't done enough to reform its spying programs.The new test comes after the European Commission and the Commerce Department — after months of tense negotiations — reached a deal this week permitting Facebook, Google and thousands of other companies to continue legally handling Europeans’ personal data.ADVERTISEMENTCritics though have long warned that unless the U.S. overhauls its privacy and national security laws, there is no legal framework that can stand up in European court, where privacy is considered a fundamental right under the EU Charter.A working group of 28 EU nations’ data protection authorities — domestic entities separate from the Commission that will be in charge of enforcing the new agreement — may now cast the deciding vote.The group is spending the next few months picking through the so-called Privacy Shield agreement to determine if it adequately protects the personal data of European citizens.
  • “The Commission has said, ‘We’re satisfied. We believe them. We believe the U.S. has substantially changed its practices,’ and they are no longer going off the [Edward] Snowden revelations in the media,” said Susan Foster, a privacy attorney at Mintz Levin who works in both the EU and the U.S.“Whether the working group will go along with it is another question.”The privacy advocate whose complaint against Facebook brought down the Privacy Shield’s 15-year-old predecessor agreement is already questioning the new deal’s validity.“With all due respect ... a couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million European users in the long run, when there is explicit U.S. law allowing mass surveillance,” Max Schrems of Austria said in a statement Tuesday.The United States has been fighting against the perception that it tramples on civil liberties after ex-National Security Agency contractor Edward Snowden revealed the breadth of the agency’s snooping.One sticking point in the Privacy Shield negotiations was over the scope of an exception allowing surveillance for national security purposes.
  • In announcing the deal, Commission officials insisted that the U.S. had provided “detailed written assurances” that surveillance of Europeans’ data by intelligence agencies would be subject to appropriate limitations.“The U.S. has clarified that they do not carry out indiscriminate surveillance of Europeans,” Andrus Ansip, Vice President for the Digital Single Market on the European Commission, said Tuesday.The U.S. has also agreed to create an office in the State Department, to address complaints from EU citizens who feel their data has been inappropriately accessed by intelligence authorities.Complicating the working group’s approval of the deal is the hodgepodge of competing regulators in Europe. Each nation has an agency in charge of its own country’s regulation. Some countries — such as Germany — are seen as tougher on privacy than others, like France or the U.K.While some countries consider U.S. privacy protections to be satisfactory, in others they are seen as woefully inadequate.
  • ...2 more annotations...
  • Defenders of U.S. intelligence practices often point to France and the U.K., arguing they are equally intrusive with their citizens' data.A recent public report “pretty clearly documented that the protections are patchy, vary hugely and are nonexistent in some of the countries,” Foster noted.Privacy advocates dismiss those arguments.“You cannot pick the worst member state, like the U.K., and claim you are ‘equivalent’ to that,” Schrems said Tuesday. “First, this is not a price [sic] you want to win, secondly you have to meet the standards of the European Court of Justice, EU law and the EU Charter of Fundamental Rights — not the standard of the worst member state.”The U.S. has made significant reforms to federal spying powers under the Obama administration.The Privacy and Civil Liberties Oversight Board — a small bipartisan watchdog — on Friday said the government has begun addressing each of the nearly two-dozen recommendations it made following Snowden's revelations.“[I]mportant measures have been taken to enhance the protection of Americans’ privacy and civil liberties and to strengthen the transparency of the government’s surveillance efforts, without jeopardizing our counterterrorism efforts,” the five-member board said.
  • But whether European countries believe those changes are sufficient to sign off on the Privacy Shield is uncertain. Each of the EU’s 28 member states must approve the deal before it can be finalized.“A lot of this is going to come down to whether the data protection authorities are persuaded by the U.S.’s portrayal of the cumulative protections given to European citizens and the cumulative carving back on the NSA surveillance programs,” Foster said.If the European working group is not satisfied with the assurances from the Commerce Department, the consequences could be dire. Businesses fear a chilling of transatlantic trade, valued at $1 trillion in 2014.The most likely outcome, experts say, would be a patchwork of country-to-country regulations that would make it extremely expensive for companies to comply.Legislative changes in the U.S. seem unlikely. Congress is close to passing a privacy law considered crucial to getting seeing the Privacy Shield approved. But the bill — which gives EU citizens the right to sue in U.S. courts over the misuse of personal data — has sparked controversy on Capitol Hill.Some lawmakers are expressing frustration that the EU has used the threat of enforcement action against U.S. companies to push Congress to make more concessions.“It’s been hard enough to get the Judicial Redress Act passed — if they’re going to make more demands on Congress, there won’t be a lot of willing listeners here,” Sen. Chris Murphy (D-Conn.) told The Hill on Thursday.
Paul Merrell

EU-US Personal Data Privacy Deal 'Cracked Beyond Repair' - 0 views

www.mintpressnews.com/...218358

surveillance state EU safe-harbor privacy-shield litigation

shared by Paul Merrell on 12 Jul 16 - No Cached
  • Privacy Shield is the proposed new deal between the EU and the US that is supposed to safeguard all personal data on EU citizens held on computer systems in the US from being subject to mass surveillance by the US National Security Agency. The data can refer to any transaction — web purchases, cars or clothing — involving an EU citizen whose data is held on US servers. Privacy groups say Privacy Shield — which replaces the Safe Harbor agreement ruled unlawful in October 2015 — does not meet strict EU standard on the use of personal data. Monique Goyens, Director General of the European Consumer Organization (BEUC) told Sputnik: “We consider that the shield is cracked beyond repair and is unlikely to stand scrutiny by the European Court of Justice. A fundamental problem remains that the US side of the shield is made of clay, not iron.”
  • The agreement has been under negotiation for months ever since the because the European Court of Justice ruled in October 2015 that the previous EU-US data agreement — Safe Harbor — was invalid. The issue arises from the strict EU laws — enshrined in the Charter of Fundamental Rights of the European Union — to the privacy of their personal data.
  • The Safe Harbor agreement was a quasi-judicial understanding that the US undertook to agree that it would ensure that EU citizens’ data on US servers would be held and protected under the same restrictions as it would be under EU law and directives. The data covers a huge array of information — from Internet and communications usage, to sales transactions, import and exports.
  • ...1 more annotation...
  • The case arose when Maximillian Schrems, a Facebook user, lodged a complaint with the Irish Data Protection Commissioner, arguing that — in the light of the revelations by ex-CIA contractor Edward Snowden of mass surveillance by the US National Security Agency (NSA) — the transfer of data from Facebook’s Irish subsidiary onto the company’s servers in the US does not provide sufficient protection of his personal data. The court ruled that: “the Safe Harbor Decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals.”
  • Paul Merrell on 12 Jul 16
     
    Off we go for another trip to the European Court of Justice.
Paul Merrell

Obama to propose legislation to protect firms that share cyberthreat data - The Washing... - 0 views

www.washingtonpost.com/...4-bcfb-059ec7a93ddc_story.html

surveillance state U.S. digital-privacy legislation

shared by Paul Merrell on 19 Jan 15 - No Cached
  • President Obama plans to announce legislation Tuesday that would shield companies from lawsuits for sharing computer threat data with the government in an effort to prevent cyber­attacks. On the heels of a destructive attack at Sony Pictures Entertainment and major breaches at JPMorgan Chase and retail chains, Obama is intent on capitalizing on the heightened sense of urgency to improve the security of the nation’s networks, officials said. “He’s been doing everything he can within his executive authority to move the ball on this,” said a senior administration official who spoke on the condition of anonymity to discuss legislation that has not yet been released. “We’ve got to get something in place that allows both industry and government to work more closely together.”
  • The legislation is part of a broader package, to be sent to Capitol Hill on Tuesday, that includes measures to help protect consumers and students against ­cyberattacks and to give law enforcement greater authority to combat cybercrime. The provision’s goal is to “enshrine in law liability protection for the private sector for them to share specific information — cyberthreat indicators — with the government,” the official said. Some analysts questioned the need for such legislation, saying there are adequate measures in place to enable sharing between companies and the government and among companies.
  • “We think the current information-sharing regime is adequate,” said Mark Jaycox, legislative analyst at the Electronic Frontier Foundation, a privacy group. “More companies need to use it, but the idea of broad legal immunity isn’t needed right now.” The administration official disagreed. The lack of such immunity is what prevents many companies from greater sharing of data with the government, the official said. “We have heard that time and time again,” the official said. The proposal, which builds on a 2011 administration bill, grants liability protection to companies that provide indicators of cyberattacks and threats to the Department of Homeland Security.
  • ...5 more annotations...
  • But in a provision likely to raise concerns from privacy advocates, the administration wants to require DHS to share that information “in as near real time as possible” with other government agencies that have a cybersecurity mission, the official said. Those include the National Security Agency, the Pentagon’s ­Cyber Command, the FBI and the Secret Service. “DHS needs to take an active lead role in ensuring that unnecessary personal information is not shared with intelligence authorities,” Jaycox said. The debates over government surveillance prompted by disclosures from former NSA contractor Edward Snowden have shown that “the agencies already have a tremendous amount of unnecessary information,” he said.
  • The administration official stressed that the legislation will require companies to remove unnecessary personal information before furnishing it to the government in order to qualify for liability protection. It also will impose limits on the use of the data for cybersecurity crimes and instances in which there is a threat of death or bodily harm, such as kidnapping, the official said. And it will require DHS and the attorney general to develop guidelines for the federal government’s use and retention of the data. It will not authorize a company to take offensive cyber-measures to defend itself, such as “hacking back” into a server or computer outside its own network to track a breach. The bill also will provide liability protection to companies that share data with private-sector-developed organizations set up specifically for that purpose. Called information sharing and analysis organizations, these groups often are set up by particular industries, such as banking, to facilitate the exchange of data and best practices.
  • Efforts to pass information-sharing legislation have stalled in the past five years, blocked primarily by privacy concerns. The package also contains provisions that would allow prosecution for the sale of botnets or access to armies of compromised computers that can be used to spread malware, would criminalize the overseas sale of stolen U.S. credit card and bank account numbers, would expand federal law enforcement authority to deter the sale of spyware used to stalk people or commit identity theft, and would give courts the authority to shut down botnets being used for criminal activity, such as denial-of-service attacks.
  • It would reaffirm that federal racketeering law applies to cybercrimes and amends the Computer Fraud and Abuse Act by ensuring that “insignificant conduct” does not fall within the scope of the statute. A third element of the package is legislation Obama proposed Monday to help protect consumers and students against cyberattacks. The theft of personal financial information “is a direct threat to the economic security of American families, and we’ve got to stop it,” Obama said. The plan, unveiled in a speech at the Federal Trade Commission, would require companies to notify customers within 30 days after the theft of personal information is discovered. Right now, data breaches are handled under a patchwork of state laws that the president said are confusing and costly to enforce. Obama’s plan would streamline those into one clear federal standard and bolster requirements for companies to notify customers. Obama is proposing closing loopholes to make it easier to track down cybercriminals overseas who steal and sell identities. “The more we do to protect consumer information and privacy, the harder it is for hackers to damage our businesses and hurt our economy,” he said.
  • In October, Obama signed an order to protect consumers from identity theft by strengthening security features in credit cards and the terminals that process them. Marc Rotenberg, executive director of the Electronic Privacy Information Center, said there is concern that a federal standard would “preempt stronger state laws” about how and when companies have to notify consumers. The Student Digital Privacy Act would ensure that data entered would be used only for educational purposes. It would prohibit companies from selling student data to third-party companies for purposes other than education. Obama also plans to introduce a Consumer Privacy Bill of Rights. And the White House will host a summit on cybersecurity and consumer protection on Feb. 13 at Stanford University.
Paul Merrell

Microsoft to host data in Germany to evade US spying | Naked Security - 0 views

nakedsecurity.sophos.com/...-in-germany-to-evade-us-spying

surveillance state NSA FBI EU data-centers privacy

shared by Paul Merrell on 14 Nov 15 - No Cached
  • Microsoft's new plan to keep the US government's hands off its customers' data: Germany will be a safe harbor in the digital privacy storm. Microsoft on Wednesday announced that beginning in the second half of 2016, it will give foreign customers the option of keeping data in new European facilities that, at least in theory, should shield customers from US government surveillance. It will cost more, according to the Financial Times, though pricing details weren't forthcoming. Microsoft Cloud - including Azure, Office 365 and Dynamics CRM Online - will be hosted from new datacenters in the German regions of Magdeburg and Frankfurt am Main. Access to data will be controlled by what the company called a German data trustee: T-Systems, a subsidiary of the independent German company Deutsche Telekom. Without the permission of Deutsche Telekom or customers, Microsoft won't be able to get its hands on the data. If it does get permission, the trustee will still control and oversee Microsoft's access.
  • Microsoft CEO Satya Nadella dropped the word "trust" into the company's statement: Microsoft’s mission is to empower every person and every individual on the planet to achieve more. Our new datacenter regions in Germany, operated in partnership with Deutsche Telekom, will not only spur local innovation and growth, but offer customers choice and trust in how their data is handled and where it is stored.
  • On Tuesday, at the Future Decoded conference in London, Nadella also announced that Microsoft would, for the first time, be opening two UK datacenters next year. The company's also expanding its existing operations in Ireland and the Netherlands. Officially, none of this has anything to do with the long-drawn-out squabbling over the transatlantic Safe Harbor agreement, which the EU's highest court struck down last month, calling the agreement "invalid" because it didn't protect data from US surveillance. No, Nadella said, the new datacenters and expansions are all about giving local businesses and organizations "transformative technology they need to seize new global growth." But as Diginomica reports, Microsoft EVP of Cloud and Enterprise Scott Guthrie followed up his boss’s comments by saying that yes, the driver behind the new datacenters is to let customers keep data close: We can guarantee customers that their data will always stay in the UK. Being able to very concretely tell that story is something that I think will accelerate cloud adoption further in the UK.
  • ...2 more annotations...
  • Microsoft and T-Systems' lawyers may well think that storing customer data in a German trustee data center will protect it from the reach of US law, but for all we know, that could be wishful thinking. Forrester cloud computing analyst Paul Miller: To be sure, we must wait for the first legal challenge. And the appeal. And the counter-appeal. As with all new legal approaches, we don’t know it is watertight until it is challenged in court. Microsoft and T-Systems’ lawyers are very good and say it's watertight. But we can be sure opposition lawyers will look for all the holes. By keeping data offshore - particularly in Germany, which has strong data privacy laws - Microsoft could avoid the situation it's now facing with the US demanding access to customer emails stored on a Microsoft server in Dublin. The US has argued that Microsoft, as a US company, comes under US jurisdiction, regardless of where it keeps its data.
  • Running away to Germany isn't a groundbreaking move; other US cloud services providers have already pledged expansion of their EU presences, including Amazon's plan to open a UK datacenter in late 2016 that will offer what CTO Werner Vogels calls "strong data sovereignty to local users." Other big data operators that have followed suit: Salesforce, which has already opened datacenters in the UK and Germany and plans to open one in France next year, as well as new EU operations pledged for the new year by NetSuite and Box. Can Germany keep the US out of its datacenters? Can Ireland? Time, and court cases, will tell.
  • Paul Merrell on 14 Nov 15
     
    The European Community's Court of Justice decision in the Safe Harbor case --- and Edward Snowden --- are now officially downgrading the U.S. as a cloud data center location. NSA is good business for Europeans looking to displace American cloud service providers, as evidenced by Microsoft's decision. The legal test is whether Microsoft has "possession, custody, or control" of the data. From the info given in the article, it seems that Microsoft has done its best to dodge that bullet by moving data centers to Germany and placing their data under the control of a European company. Do ownership of the hardware and profits from their rent mean that Microsoft still has "possession, custody, or control" of the data? The fine print of the agreement with Deutsche Telekom and the customer EULAs will get a thorough going over by the Dept. of Justice for evidence of Microsoft "control" of the data. That will be the crucial legal issue. The data centers in Germany may pass the test. But the notion that data centers in the UK can offer privacy is laughable; the UK's legal authority for GCHQ makes it even easier to get the data than the NSA can in the U.S.  It doesn't even require a court order. 
Paul Merrell

FBI demands new powers to hack into computers and carry out surveillance | US news | Th... - 0 views

www.theguardian.com/...hacking-computers-surveillance

surveillance state FBI Fed.R.Crim.P.-41 roving-warrants

shared by Paul Merrell on 01 Nov 14 - No Cached
  • The FBI is attempting to persuade an obscure regulatory body in Washington to change its rules of engagement in order to seize significant new powers to hack into and carry out surveillance of computers throughout the US and around the world. Civil liberties groups warn that the proposed rule change amounts to a power grab by the agency that would ride roughshod over strict limits to searches and seizures laid out under the fourth amendment of the US constitution, as well as violate first amendment privacy rights. They have protested that the FBI is seeking to transform its cyber capabilities with minimal public debate and with no congressional oversight. The regulatory body to which the Department of Justice has applied to make the rule change, the advisory committee on criminal rules, will meet for the first time on November 5 to discuss the issue. The panel will be addressed by a slew of technology experts and privacy advocates concerned about the possible ramifications were the proposals allowed to go into effect next year.
  • “This is a giant step forward for the FBI’s operational capabilities, without any consideration of the policy implications. To be seeking these powers at a time of heightened international concern about US surveillance is an especially brazen and potentially dangerous move,” said Ahmed Ghappour, an expert in computer law at University of California, Hastings college of the law, who will be addressing next week’s hearing. The proposed operating changes related to rule 41 of the federal rules of criminal procedure, the terms under which the FBI is allowed to conduct searches under court-approved warrants. Under existing wording, warrants have to be highly focused on specific locations where suspected criminal activity is occurring and approved by judges located in that same district. But under the proposed amendment, a judge can issue a warrant that would allow the FBI to hack into any computer, no matter where it is located. The change is designed specifically to help federal investigators carry out surveillance on computers that have been “anonymized” – that is, their location has been hidden using tools such as Tor.
  • Were the amendment to be granted by the regulatory committee, the FBI would have the green light to unleash its capabilities – known as “network investigative techniques” – on computers across America and beyond. The techniques involve clandestinely installing malicious software, or malware, onto a computer that in turn allows federal agents effectively to control the machine, downloading all its digital contents, switching its camera or microphone on or off, and even taking over other computers in its network.
  • ...2 more annotations...
  • Civil liberties and privacy groups are particularly alarmed that the FBI is seeking such a huge step up in its capabilities through such an apparently backdoor route. Soghoian said of next week’s meeting: “This should not be the first public forum for discussion of an issue of this magnitude.” Jennifer Granick, director of civil liberties at the Stanford center for internet and society, said that “this is an investigative technique that we haven’t seen before and we haven’t thrashed out the implications. It absolutely should not be done through a rule change – it has to be fully debated publicly, and Congress must be involved.” Ghappour has also highlighted the potential fall-out internationally were the amendment to be approved. Under current rules, there are no fourth amendment restrictions to US government surveillance activities in other countries as the US constitution only applies to domestic territory.
  • Another insight into the expansive thrust of US government thinking in terms of its cyber ambitions was gleaned recently in the prosecution of Ross Ulbricht, the alleged founder of the billion-dollar drug site the Silk Road. Experts suspect that the FBI hacked into the Silk Road server, that was located in Reykjavik, Iceland, though the agency denies that. In recent legal argument, US prosecutors claimed that even if they had hacked into the server without a warrant, it would have been justified as “a search of foreign property known to contain criminal evidence, for which a warrant was not necessary”.
  • Paul Merrell on 01 Nov 14
     
    This rule change has been in the works during the last year.  "The change is designed specifically to help federal investigators carry out surveillance on computers that have been "anonymized" - that is, their location has been hidden using tools such as Tor."  Are we dizzy yet? The State Department is pushing the use of TOR by dissidents in nations whose governments State and the CIA intends to overthrow. Meanwhile, Feed Bag, Inc. wants use of TOR to be sufficient grounds for installing malware on anyone using it to make their systems and all their systems can see or hear be an open book. Let's see. There's the First Amendment right to anonymous speech just to begin with. McIntyre v. Ohio Elections Comm'n, 514 US 334 (1995). ("Under our Constitution, anonymous pamphleteering is not a pernicious, fraudulent practice, but an honorable tradition of advocacy and of dissent. Anonymity is a shield from the tyranny of the majority. It thus exemplifies the purpose behind the Bill of Rights, and of the First Amendment in particular: to protect unpopular individuals from retaliation-and their ideas from suppression-at the hand of an intolerant society. The right to remain anonymous may be abused when it shields fraudulent conduct. But political speech by its nature will sometimes have unpalatable consequences, and, in general, our society accords greater weight to the value of free speech than to the dangers of its misuse.") (Internal citation omitted.) And of course there's the Natural Law liberty to whisper, to utter words in a way that none but the intended recipient can hear. So throw on the violation of the Fifth Amendment's Liberty clause. Then there's the plain language of the Fourth Amendment warrant clause, "particularly describing the *place* to be searched." Not to mention the major reason for the Fourth Amendment, to abolish the "general warrant" that had enabled the Crown to search wherever the warrant's executor's little heart desired.  And th
Paul Merrell

United States v. United States Dist. Court for Eastern Dist. of Mich., 407 US 297 - Sup... - 0 views

scholar.google.com/scholar_case

surveillance state 4th Amendment constitutional law

shared by Paul Merrell on 27 Dec 13 - No Cached
  • But a recognition of these elementary truths does not make the employment by Government of electronic surveillance a welcome development—even when employed with restraint and under judicial supervision. There is, understandably, a deep-seated uneasiness and apprehension that this capability will be used to intrude upon cherished privacy of law-abiding citizens.[13] We 313*313 look to the Bill of Rights to safeguard this privacy. Though physical entry of the home is the chief evil against which the wording of the Fourth Amendment is directed, its broader spirit now shields private speech from unreasonable surveillance. Katz v. United States, supra; Berger v. New York, supra; Silverman v. United States, 365 U. S. 505 (1961). Our decision in Katz refused to lock the Fourth Amendment into instances of actual physical trespass. Rather, the Amendment governs "not only the seizure of tangible items, but extends as well to the recording of oral statements . . . without any `technical trespass under . . . local property law.'" Katz, supra, at 353. That decision implicitly recognized that the broad and unsuspected governmental incursions into conversational privacy which electronic surveillance entails[14] necessitate the application of Fourth Amendment safeguards.
  • National security cases, moreover, often reflect a convergence of First and Fourth Amendment values not present in cases of "ordinary" crime. Though the investigative duty of the executive may be stronger in such cases, so also is there greater jeopardy to constitutionally protected speech. "Historically the struggle for freedom of speech and press in England was bound up with the issue of the scope of the search and seizure 314*314 power," Marcus v. Search Warrant, 367 U. S. 717, 724 (1961). History abundantly documents the tendency of Government—however benevolent and benign its motives —to view with suspicion those who most fervently dispute its policies. Fourth Amendment protections become the more necessary when the targets of official surveillance may be those suspected of unorthodoxy in their political beliefs. The danger to political dissent is acute where the Government attempts to act under so vague a concept as the power to protect "domestic security." Given the difficulty of defining the domestic security interest, the danger of abuse in acting to protect that interest becomes apparent. Senator Hart addressed this dilemma in the floor debate on § 2511 (3):
  • "As I read it—and this is my fear—we are saying that the President, on his motion, could declare— name your favorite poison—draft dodgers, Black Muslims, the Ku Klux Klan, or civil rights activists to be a clear and present danger to the structure or existence of the Government."[15] The price of lawful public dissent must not be a dread of subjection to an unchecked surveillance power. Nor must the fear of unauthorized official eavesdropping deter vigorous citizen dissent and discussion of Government action in private conversation. For private dissent, no less than open public discourse, is essential to our free society.
  • ...8 more annotations...
  • As the Fourth Amendment is not absolute in its terms, our task is to examine and balance the basic values at stake in this case: the duty of Government 315*315 to protect the domestic security, and the potential danger posed by unreasonable surveillance to individual privacy and free expression. If the legitimate need of Government to safeguard domestic security requires the use of electronic surveillance, the question is whether the needs of citizens for privacy and free expression may not be better protected by requiring a warrant before such surveillance is undertaken. We must also ask whether a warrant requirement would unduly frustrate the efforts of Government to protect itself from acts of subversion and overthrow directed against it. Though the Fourth Amendment speaks broadly of "unreasonable searches and seizures," the definition of "reasonableness" turns, at least in part, on the more specific commands of the warrant clause. Some have argued that "[t]he relevant test is not whether it is reasonable to procure a search warrant, but whether the search was reasonable," United States v. Rabinowitz, 339 U. S. 56, 66 (1950).[16] This view, however, overlooks the second clause of the Amendment. The warrant clause of the Fourth Amendment is not dead language. Rather, it has been
  • "a valued part of our constitutional law for decades, and it has determined the result in scores and scores of cases in courts all over this country. It is not an inconvenience to be somehow `weighed' against the claims of police efficiency. It is, or should 316*316 be, an important working part of our machinery of government, operating as a matter of course to check the `well-intentioned but mistakenly overzealous executive officers' who are a part of any system of law enforcement." Coolidge v. New Hampshire, 403 U. S., at 481. See also United States v. Rabinowitz, supra, at 68 (Frankfurter, J., dissenting); Davis v. United States, 328 U. S. 582, 604 (1946) (Frankfurter, J., dissenting). Over two centuries ago, Lord Mansfield held that common-law principles prohibited warrants that ordered the arrest of unnamed individuals who the officer might conclude were guilty of seditious libel. "It is not fit," said Mansfield, "that the receiving or judging of the information should be left to the discretion of the officer. The magistrate ought to judge; and should give certain directions to the officer." Leach v. Three of the King's Messengers, 19 How. St. Tr. 1001, 1027 (1765).
  • Lord Mansfield's formulation touches the very heart of the Fourth Amendment directive: that, where practical, a governmental search and seizure should represent both the efforts of the officer to gather evidence of wrongful acts and the judgment of the magistrate that the collected evidence is sufficient to justify invasion of a citizen's private premises or conversation. Inherent in the concept of a warrant is its issuance by a "neutral and detached magistrate." Coolidge v. New Hampshire, supra, at 453; Katz v. United States, supra, at 356. The further requirement of "probable cause" instructs the magistrate that baseless searches shall not proceed. These Fourth Amendment freedoms cannot properly be guaranteed if domestic security surveillances may be conducted solely within the discretion of the Executive 317*317 Branch. The Fourth Amendment does not contemplate the executive officers of Government as neutral and disinterested magistrates. Their duty and responsibility are to enforce the laws, to investigate, and to prosecute. Katz v. United States, supra, at 359-360 (DOUGLAS, J., concurring). But those charged with this investigative and prosecutorial duty should not be the sole judges of when to utilize constitutionally sensitive means in pursuing their tasks. The historical judgment, which the Fourth Amendment accepts, is that unreviewed executive discretion may yield too readily to pressures to obtain incriminating evidence and overlook potential invasions of privacy and protected speech.[17]
  • It may well be that, in the instant case, the Government's surveillance of Plamondon's conversations was a reasonable one which readily would have gained prior judicial approval. But this Court "has never sustained a search upon the sole ground that officers reasonably expected to find evidence of a particular crime and voluntarily confined their activities to the least intrusive means consistent with that end." Katz, supra, at 356-357. The Fourth Amendment contemplates a prior judicial judgment,[18] not the risk that executive discretion may be reasonably exercised. This judicial role accords with our basic constitutional doctrine that individual freedoms will best be preserved through a separation of powers and division of functions among the different branches and levels of Government. Harlan, Thoughts at a Dedication: Keeping the Judicial Function in Balance, 49 A. B. A. J. 943-944 (1963). The independent check upon executive discretion is not 318*318 satisfied, as the Government argues, by "extremely limited" post-surveillance judicial review.[19] Indeed, post-surveillance review would never reach the surveillances which failed to result in prosecutions. Prior review by a neutral and detached magistrate is the time-tested means of effectuating Fourth Amendment rights. Beck v. Ohio, 379 U. S. 89, 96 (1964).
  • But we do not think a case has been made for the requested departure from Fourth Amendment standards. The circumstances described do not justify complete exemption of domestic security surveillance from prior judicial scrutiny. Official surveillance, whether its purpose be criminal investigation or ongoing intelligence gathering, risks infringement of constitutionally protected privacy of speech. Security surveillances are especially sensitive because of the inherent vagueness of the domestic security concept, the necessarily broad and continuing nature of intelligence gathering, and the temptation to utilize such surveillances to oversee political dissent. We recognize, as we have before, the constitutional basis of the President's domestic security role, but we think it must be exercised in a manner compatible with the Fourth Amendment. In this case we hold that this requires an appropriate prior warrant procedure. We cannot accept the Government's argument that internal security matters are too subtle and complex for judicial evaluation. Courts regularly deal with the most difficult issues of our society. There is no reason to believe that federal judges will be insensitive to or uncomprehending of the issues involved in domestic security cases. Certainly courts can recognize that domestic security surveillance involves different considerations from the surveillance of "ordinary crime." If the threat is too subtle or complex for our senior law enforcement officers to convey its significance to a court, one may question whether there is probable cause for surveillance.
  • Nor do we believe prior judicial approval will fracture the secrecy essential to official intelligence gathering. The investigation of criminal activity has long 321*321 involved imparting sensitive information to judicial officers who have respected the confidentialities involved. Judges may be counted upon to be especially conscious of security requirements in national security cases. Title III of the Omnibus Crime Control and Safe Streets Act already has imposed this responsibility on the judiciary in connection with such crimes as espionage, sabotage, and treason, §§ 2516 (1) (a) and (c), each of which may involve domestic as well as foreign security threats. Moreover, a warrant application involves no public or adversary proceedings: it is an ex parte request before a magistrate or judge. Whatever security dangers clerical and secretarial personnel may pose can be minimized by proper administrative measures, possibly to the point of allowing the Government itself to provide the necessary clerical assistance.
  • Thus, we conclude that the Government's concerns do not justify departure in this case from the customary Fourth Amendment requirement of judicial approval prior to initiation of a search or surveillance. Although some added burden will be imposed upon the Attorney General, this inconvenience is justified in a free society to protect constitutional values. Nor do we think the Government's domestic surveillance powers will be impaired to any significant degree. A prior warrant establishes presumptive validity of the surveillance and will minimize the burden of justification in post-surveillance judicial review. By no means of least importance will be the reassurance of the public generally that indiscriminate wiretapping and bugging of law-abiding citizens cannot occur.
  • As the surveillance of Plamondon's conversations was unlawful, because conducted without prior judicial approval, the courts below correctly held that Alderman v. United States, 394 U. S. 165 (1969), is controlling and that it requires disclosure to the accused of his own impermissibly intercepted conversations. As stated in Alderman, "the trial court can and should, where appropriate, place a defendant and his counsel under enforceable orders against unwarranted disclosure of the materials which they may be entitled to inspect." 394 U. S., at 185.[21]
Paul Merrell

Google Chrome Listening In To Your Room Shows The Importance Of Privacy Defense In Depth - 0 views

www.privateinternetaccess.com/...ce-of-privacy-defense-in-depth

surveillance state Google-Chrome Chromium audio-surveillance digital-surveillance

shared by Paul Merrell on 23 Jun 15 - No Cached
  • Yesterday, news broke that Google has been stealth downloading audio listeners onto every computer that runs Chrome, and transmits audio data back to Google. Effectively, this means that Google had taken itself the right to listen to every conversation in every room that runs Chrome somewhere, without any kind of consent from the people eavesdropped on. In official statements, Google shrugged off the practice with what amounts to “we can do that”.It looked like just another bug report. "When I start Chromium, it downloads something." Followed by strange status information that notably included the lines "Microphone: Yes" and "Audio Capture Allowed: Yes".
  • Without consent, Google’s code had downloaded a black box of code that – according to itself – had turned on the microphone and was actively listening to your room.A brief explanation of the Open-source / Free-software philosophy is needed here. When you’re installing a version of GNU/Linux like Debian or Ubuntu onto a fresh computer, thousands of really smart people have analyzed every line of human-readable source code before that operating system was built into computer-executable binary code, to make it common and open knowledge what the machine actually does instead of trusting corporate statements on what it’s supposed to be doing. Therefore, you don’t install black boxes onto a Debian or Ubuntu system; you use software repositories that have gone through this source-code audit-then-build process. Maintainers of operating systems like Debian and Ubuntu use many so-called “upstreams” of source code to build the final product.Chromium, the open-source version of Google Chrome, had abused its position as trusted upstream to insert lines of source code that bypassed this audit-then-build process, and which downloaded and installed a black box of unverifiable executable code directly onto computers, essentially rendering them compromised. We don’t know and can’t know what this black box does. But we see reports that the microphone has been activated, and that Chromium considers audio capture permitted.
  • This was supposedly to enable the “Ok, Google” behavior – that when you say certain words, a search function is activated. Certainly a useful feature. Certainly something that enables eavesdropping of every conversation in the entire room, too.Obviously, your own computer isn’t the one to analyze the actual search command. Google’s servers do. Which means that your computer had been stealth configured to send what was being said in your room to somebody else, to a private company in another country, without your consent or knowledge, an audio transmission triggered by… an unknown and unverifiable set of conditions.Google had two responses to this. The first was to introduce a practically-undocumented switch to opt out of this behavior, which is not a fix: the default install will still wiretap your room without your consent, unless you opt out, and more importantly, know that you need to opt out, which is nowhere a reasonable requirement. But the second was more of an official statement following technical discussions on Hacker News and other places. That official statement amounted to three parts (paraphrased, of course):
  • ...4 more annotations...
  • 1) Yes, we’re downloading and installing a wiretapping black-box to your computer. But we’re not actually activating it. We did take advantage of our position as trusted upstream to stealth-insert code into open-source software that installed this black box onto millions of computers, but we would never abuse the same trust in the same way to insert code that activates the eavesdropping-blackbox we already downloaded and installed onto your computer without your consent or knowledge. You can look at the code as it looks right now to see that the code doesn’t do this right now.2) Yes, Chromium is bypassing the entire source code auditing process by downloading a pre-built black box onto people’s computers. But that’s not something we care about, really. We’re concerned with building Google Chrome, the product from Google. As part of that, we provide the source code for others to package if they like. Anybody who uses our code for their own purpose takes responsibility for it. When this happens in a Debian installation, it is not Google Chrome’s behavior, this is Debian Chromium’s behavior. It’s Debian’s responsibility entirely.3) Yes, we deliberately hid this listening module from the users, but that’s because we consider this behavior to be part of the basic Google Chrome experience. We don’t want to show all modules that we install ourselves.
  • If you think this is an excusable and responsible statement, raise your hand now.Now, it should be noted that this was Chromium, the open-source version of Chrome. If somebody downloads the Google product Google Chrome, as in the prepackaged binary, you don’t even get a theoretical choice. You’re already downloading a black box from a vendor. In Google Chrome, this is all included from the start.This episode highlights the need for hard, not soft, switches to all devices – webcams, microphones – that can be used for surveillance. A software on/off switch for a webcam is no longer enough, a hard shield in front of the lens is required. A software on/off switch for a microphone is no longer enough, a physical switch that breaks its electrical connection is required. That’s how you defend against this in depth.
  • Of course, people were quick to downplay the alarm. “It only listens when you say ‘Ok, Google’.” (Ok, so how does it know to start listening just before I’m about to say ‘Ok, Google?’) “It’s no big deal.” (A company stealth installs an audio listener that listens to every room in the world it can, and transmits audio data to the mothership when it encounters an unknown, possibly individually tailored, list of keywords – and it’s no big deal!?) “You can opt out. It’s in the Terms of Service.” (No. Just no. This is not something that is the slightest amount of permissible just because it’s hidden in legalese.) “It’s opt-in. It won’t really listen unless you check that box.” (Perhaps. We don’t know, Google just downloaded a black box onto my computer. And it may not be the same black box as was downloaded onto yours. )Early last decade, privacy activists practically yelled and screamed that the NSA’s taps of various points of the Internet and telecom networks had the technical potential for enormous abuse against privacy. Everybody else dismissed those points as basically tinfoilhattery – until the Snowden files came out, and it was revealed that precisely everybody involved had abused their technical capability for invasion of privacy as far as was possible.Perhaps it would be wise to not repeat that exact mistake. Nobody, and I really mean nobody, is to be trusted with a technical capability to listen to every room in the world, with listening profiles customizable at the identified-individual level, on the mere basis of “trust us”.
  • Privacy remains your own responsibility.
  • Paul Merrell on 23 Jun 15
     
    And of course, Google would never succumb to a subpoena requiring it to turn over the audio stream to the NSA. The Tor Browser just keeps looking better and better. https://www.torproject.org/projects/torbrowser.html.en
Paul Merrell

Brazil Looks to Break from U.S.-Centric Internet | TIME.com - 0 views

world.time.com/...reak-from-u-s-centric-internet

surveillance state NSA NSA-blowback Brazil Internet-Balkanization

shared by Paul Merrell on 25 Sep 13 - No Cached
  • Brazil plans to divorce itself from the U.S.-centric Internet over Washington’s widespread online spying, a move that many experts fear will be a potentially dangerous first step toward fracturing a global network built with minimal interference by governments. President Dilma Rousseff ordered a series of measures aimed at greater Brazilian online independence and security following revelations that the U.S. National Security Agency intercepted her communications, hacked into the state-owned Petrobras oil company’s network and spied on Brazilians who entrusted their personal data to U.S. tech companies such as Facebook and Google. The leader is so angered by the espionage that on Tuesday she postponed next month’s scheduled trip to Washington, where she was to be honored with a state dinner. Internet security and policy experts say the Brazilian government’s reaction to information leaked by former NSA contractor Edward Snowden is understandable, but warn it could set the Internet on a course of Balkanization.
  • “The global backlash is only beginning and will get far more severe in coming months,” said Sascha Meinrath, director of the Open Technology Institute at the Washington-based New America Foundation think tank. “This notion of national privacy sovereignty is going to be an increasingly salient issue around the globe.” While Brazil isn’t proposing to bar its citizens from U.S.-based Web services, it wants their data to be stored locally as the nation assumes greater control over Brazilians’ Internet use to protect them from NSA snooping. The danger of mandating that kind of geographic isolation, Meinrath said, is that it could render inoperable popular software applications and services and endanger the Internet’s open, interconnected structure.
  • The effort by Latin America’s biggest economy to digitally isolate itself from U.S. spying not only could be costly and difficult, it could encourage repressive governments to seek greater technical control over the Internet to crush free expression at home, experts say. In December, countries advocating greater “cyber-sovereignty” pushed for such control at an International Telecommunications Union meeting in Dubai, with Western democracies led by the United States and the European Union in opposition.
  • ...5 more annotations...
  • Rousseff says she intends to push for international rules on privacy and security in hardware and software during the U.N. General Assembly meeting later this month. Among Snowden revelations: the NSA has created backdoors in software and Web-based services. Brazil is now pushing more aggressively than any other nation to end U.S. commercial hegemony on the Internet. More than 80 percent of online search, for example, is controlled by U.S.-based companies. Most of Brazil’s global Internet traffic passes through the United States, so Rousseff’s government plans to lay underwater fiber optic cable directly to Europe and also link to all South American nations to create what it hopes will be a network free of U.S. eavesdropping.
  • More communications integrity protection is expected when Telebras, the state-run telecom company, works with partners to oversee the launch in 2016 of Brazil’s first communications satellite, for military and public Internet traffic. Brazil’s military currently relies on a satellite run by Embratel, which Mexican billionaire Carlos Slim controls. Rousseff is urging Brazil’s Congress to compel Facebook, Google and all companies to store data generated by Brazilians on servers physically located inside Brazil in order to shield it from the NSA. If that happens, and other nations follow suit, Silicon Valley’s bottom line could be hit by lost business and higher operating costs: Brazilians rank No. 3 on Facebook and No. 2 on Twitter and YouTube. An August study by a respected U.S. technology policy nonprofit estimated the fallout from the NSA spying scandal could cost the U.S. cloud computing industry, which stores data remotely to give users easy access from any device, as much as $35 billion by 2016 in lost business.
  • Brazil also plans to build more Internet exchange points, places where vast amounts of data are relayed, in order to route Brazilians’ traffic away from potential interception. And its postal service plans by next year to create an encrypted email service that could serve as an alternative to Gmail and Yahoo!, which according to Snowden-leaked documents are among U.S. tech giants that have collaborated closely with the NSA. “Brazil intends to increase its independent Internet connections with other countries,” Rousseff’s office said in an emailed response to questions from The Associated Press on its plans. It cited a “common understanding” between Brazil and the European Union on data privacy, and said “negotiations are underway in South America for the deployment of land connections between all nations.” It said Brazil plans to boost investment in home-grown technology and buy only software and hardware that meet government data privacy specifications.
  • While the plans’ technical details are pending, experts say they will be costly for Brazil and ultimately can be circumvented. Just as people in China and Iran defeat government censors with tools such as “proxy servers,” so could Brazilians bypass their government’s controls. International spies, not just from the United States, also will adjust, experts said. Laying cable to Europe won’t make Brazil safer, they say. The NSA has reportedly tapped into undersea telecoms cables for decades. Meinrath and others argue that what’s needed instead are strong international laws that hold nations accountable for guaranteeing online privacy.
  • “There’s nothing viable that Brazil can really do to protect its citizenry without changing what the U.S. is doing,” he said. Matthew Green, a Johns Hopkins computer security expert, said Brazil won’t protect itself from intrusion by isolating itself digitally. It will also be discouraging technological innovation, he said, by encouraging the entire nation to use a state-sponsored encrypted email service. “It’s sort of like a Soviet socialism of computing,” he said, adding that the U.S. “free-for-all model works better.”
  • Paul Merrell on 25 Sep 13
     
    So both Brazil and the European Union are planning to boycott the U.S.-based cloud industry, seizing on the NSA's activities as legal grounds. Under the various GATT series of trade agreements, otherwise forbidden discriminatory actions taken that restrict trade in aid of national security are exempt from redress through the World Trade Organization Dispute Resolution Process. So the NSA voyeurs can add legalizing economic digital discrimination against the U.S. to its score card.
Paul Merrell

US looks at ways to prevent spying on its spying - 0 views

bigstory.ap.org/...king-prevent-spying-its-spying

surveillance state NSA call-metadata dispersed-call-metadata research

shared by Paul Merrell on 29 Jan 14 - No Cached
  • (AP) — The U.S. government is looking at ways to prevent anyone from spying on its own surveillance of Americans' phone records. As the Obama administration considers shifting the collection of those records from the National Security Agency to requiring that they be stored at phone companies or elsewhere, it's quietly funding research to prevent phone company employees or eavesdroppers from seeing whom the U.S. is spying on, The Associated Press has learned. The Office of the Director of National Intelligence has paid at least five research teams across the country to develop a system for high-volume, encrypted searches of electronic records kept outside the government's possession. The project is among several ideas that would allow the government to discontinue storing Americans' phone records, but still search them as needed.
  • Under the research, U.S. data mining would be shielded by secret coding that could conceal identifying details from outsiders and even the owners of the targeted databases, according to public documents obtained by The Associated Press and AP interviews with researchers, corporate executives and government officials.
  • Internal documents describing the Security and Privacy Assurance Research project do not cite the NSA or its phone surveillance program. But if the project were to prove successful, its encrypted search technology could pave the way for the government to shift storage of the records from NSA computers to either phone companies or a third-party organization. A DNI spokesman, Michael Birmingham, confirmed that the research was relevant to the NSA's phone records program. He cited "interest throughout the intelligence community" but cautioned that it may be some time before the technology is used. The intelligence director's office is by law exempt from disclosing detailed budget figures, so it's unclear how much money the government has spent on the SPAR project, which is overseen by the DNI's Intelligence Advanced Research Projects Activity office. Birmingham said the research is aimed for use in a "situation where a large sensitive data set is held by one party which another seeks to query, preserving privacy and enforcing access policies."
  • ...3 more annotations...
  • A Columbia University computer sciences expert who heads one of the DNI-funded teams, Steven M. Bellovin, estimates the government could start conducting encrypted searches within the next year or two. "If the NSA wanted to deploy something like this it would take one to two years to get the hardware and software in place to start collecting data this way either from phone companies or whatever other entity they decide on," said Bellovin, who is also a former chief technologist for the Federal Trade Commission.
  • An encrypted search system would permit the NSA to shift storage of phone records to either phone providers or a third party, and conduct secure searches remotely through their databases. The coding could shield both the extracted metadata and identities of those conducting the searches, Bellovin said. The government could use encrypted searches to ensure its analysts were not leaking information or abusing anyone's privacy during their data searches. And the technique could also be used by the NSA to securely search out and retrieve Internet metadata, such as emails and other electronic records. Some computer science experts are less sanguine about the prospects for encrypted search techniques. Searches could bog down because of the encryption computations needed, said Daniel Weitzner, principal research scientist at MIT's Computer Science and Artificial Intelligence Laboratory and former deputy U.S. chief technology officer for the Obama administration. "There's no silver bullet that guarantees the intelligence community will only have access to the records they're supposed to have access to," Weitzner said. "We also need oversight of the actual use of the data."
  • The encrypted search techniques could make it more difficult for hackers to access the phone records and could prevent phone companies from knowing which records the government was searching. "It would remove one of the big objections to having the phone companies hold the data," Bellovin said. Similar research is underway by researchers at University of California at Irvine; a group from the University of Wisconsin-Madison and the University of Texas at Austin; another group from MIT, Yale and Rensselaer Polytechnic Institute; and a fourth from Stealth Software Technologies, a Los Angeles-based technology company.
Paul Merrell

Encouraging Words of Regret From Dean Baquet and Weasel Words From James Clapper - The ... - 0 views

firstlook.org/...uet-weasel-words-james-clapper

surveillance-state NSA-reform encryption Clapper lies

shared by Paul Merrell on 10 Jun 14 - No Cached
  • One should not expect any change to come from the U.S. government itself (which includes Congress), whose strategy in such cases is to enact the pretext of “reform” so as to placate public anger, protect the system from any serious weakening, and allow President Obama to go before the country and the world and give a pretty speech about how the U.S. heard their anger and re-calibrated the balance between privacy and security. Any new law that comes from the radically corrupted political class in DC will either be largely empty, or worse. The purpose will be to shield the NSA from real reform. There are, though, numerous other avenues with the real potential to engender serious limits on the NSA’s surveillance powers, including the self-interested though genuine panic of the U.S. tech industry over how surveillance will impede their future business prospects, the efforts of other countries to undermine U.S. hegemony over the internet, the newfound emphasis on privacy protections from internet companies worldwide, and, most of all, the increasing use of encryption technology by users around the world that poses genuine obstacles to state surveillance. Those are all far, far more promising avenues than any bill Barack Obama, Dianne Feinstein and Saxby Chambliss will let Congress cough up.
  • That national security state officials routinely mislead and deceive the public should never have even been in serious doubt in the first place – certainly not for journalists, and especially now after the experience of the Iraq War. That fact — that official pronouncements merit great skepticism rather than reverence — should be (but plainly is not) fundamental to how journalists view the world. More evidence for that is provided by a Washington Post column today by one of the national security state’s favorite outlets, David Ignatius. Ignatius interviewed the chronic deceiver, Director of National Intelligence James Clapper, who now “says it appears the impact [of Snowden's leaking] may be less than once feared because ‘it doesn’t look like he [Snowden] took as much’ as first thought.” Clapper specifically casts serious doubt on the U.S. government’s prior claim that Snowden ”had compromised the communications networks that make up the military’s command and control system”; instead, “officials now think that dire forecast may have been too extreme.” Ignatius — citing an anonymous “senior intelligence official” (who may or may not be Clapper) — also announces that the government has yet again revised its rank speculation about how many documents Snowden took: “This batch of probably downloaded material is about 1.5 million documents, the senior official said. That’s below an earlier estimate of 1.77 million documents.”
  • Most notable is Ignatius’ summary of the government’s attempt to claim Snowden seriously compromised the security of the U.S.: Pressed to explain what damage Snowden’s revelations had done, the official was guarded, saying that there was “damage in foreign relations” and that the leaks had “poisoned [NSA’s] relations with commercial providers.” He also said that terrorist groups had carefully studied the disclosures, turning more to anonymizers, encryption and use of couriers to shield communications. The senior official wouldn’t respond to repeated questions about whether the intelligence community has noted any changes in behavior by either the Russian or Chinese governments, in possible response to information they may have gleaned from Snowden’s revelations. In other words, the only specific damage they can point to is from the anger that other people around the world have about what the U.S. government has done and the fact that people will not want to buy U.S. tech products if they fear (for good reason) that those companies collaborate with the NSA. But, as usual, there is zero evidence provided (as opposed to bald, self-serving assertions) of any harm to genuine national security concerns (i.e., the ability to monitor anyone planning actual violent attacks).
  • ...1 more annotation...
  • As is always the case, the stream of fear-mongering and alarmist warnings issued by the government to demonize a whistleblower proves to be false and without any basis, and the same is true for accusations made about the revelations themselves (“In January, [Mike] Rogers said that the report concluded that most of the documents Snowden had access to concerned ‘vital operations of the U.S. Army, Navy, Marine Corps and Air Force’” – AP: Lawmakers: Snowden’s Leaks May Endanger US Troops“). But none of that has stopped countless U.S. journalists from mindlessly citing each one of the latest evidence-free official claims as sacred fact.
Paul Merrell

Court Grants Secrecy for Memo on Phone Data - NYTimes.com - 0 views

www.nytimes.com/...gal-memo-on-phone-records.html

surveillance state FBI secret-law domestic-telephone-records

shared by Paul Merrell on 18 Jan 14 - No Cached
  • A federal appeals court on Friday ruled that the Obama administration may continue to withhold a Justice Department memo that apparently opened a loophole in laws protecting the privacy of consumer data.The memo establishes the legal basis for telephone companies to hand over customers’ calling records to the government without a subpoena or court order, even when there is no emergency, according to a 2010 report by the Justice Department’s inspector general. The details of the legal theory, and the circumstances in which it could be invoked, remain unclear. Related Coverage F.B.I. Made ‘Blanket’ Demands for Phone RecordsMARCH 13, 2008 F.B.I. Violated Rules in Obtaining Phone Records, Report SaysJAN. 20, 2010 C.I.A. Is Said to Pay AT&T for Call DataNOV. 7, 2013 The ruling, by the United States Court of Appeals for the District of Columbia Circuit, came down on the side of a broad conception of the executive branch’s power to keep secret its interpretation of what the law permits it to do. The ruling may make it easier for the government to shield other memos by the Justice Department’s powerful Office of Legal Counsel from disclosure under the Freedom of Information Act.
  • The document at issue is a classified memo issued by the Office of Legal Counsel on Jan. 8, 2010. A report later that year by the Justice Department’s inspector general at the time, Glenn A. Fine, disclosed the memo’s existence and its broad conclusion that telephone companies may voluntarily provide records to the government “without legal process or a qualifying emergency,” notwithstanding the Electronic Communications Privacy Act.
  • The F.B.I. had asked for the memo as part of an investigation by Mr. Fine into problems with the bureau’s use of so-called exigent letters to obtain telephone and financial records without following any legal procedures.
Paul Merrell

From Radio to Porn, British Spies Track Web Users' Online Identities - 0 views

theintercept.com/...ck-web-users-online-identities

surveillance state GCHQ Black-Hole

shared by Paul Merrell on 27 Sep 15 - No Cached
  • HERE WAS A SIMPLE AIM at the heart of the top-secret program: Record the website browsing habits of “every visible user on the Internet.” Before long, billions of digital records about ordinary people’s online activities were being stored every day. Among them were details cataloging visits to porn, social media and news websites, search engines, chat forums, and blogs. The mass surveillance operation — code-named KARMA POLICE — was launched by British spies about seven years ago without any public debate or scrutiny. It was just one part of a giant global Internet spying apparatus built by the United Kingdom’s electronic eavesdropping agency, Government Communications Headquarters, or GCHQ. The revelations about the scope of the British agency’s surveillance are contained in documents obtained by The Intercept from National Security Agency whistleblower Edward Snowden. Previous reports based on the leaked files have exposed how GCHQ taps into Internet cables to monitor communications on a vast scale, but many details about what happens to the data after it has been vacuumed up have remained unclear.
  • Amid a renewed push from the U.K. government for more surveillance powers, more than two dozen documents being disclosed today by The Intercept reveal for the first time several major strands of GCHQ’s existing electronic eavesdropping capabilities.
  • The surveillance is underpinned by an opaque legal regime that has authorized GCHQ to sift through huge archives of metadata about the private phone calls, emails and Internet browsing logs of Brits, Americans, and any other citizens — all without a court order or judicial warrant
  • ...17 more annotations...
  • A huge volume of the Internet data GCHQ collects flows directly into a massive repository named Black Hole, which is at the core of the agency’s online spying operations, storing raw logs of intercepted material before it has been subject to analysis. Black Hole contains data collected by GCHQ as part of bulk “unselected” surveillance, meaning it is not focused on particular “selected” targets and instead includes troves of data indiscriminately swept up about ordinary people’s online activities. Between August 2007 and March 2009, GCHQ documents say that Black Hole was used to store more than 1.1 trillion “events” — a term the agency uses to refer to metadata records — with about 10 billion new entries added every day. As of March 2009, the largest slice of data Black Hole held — 41 percent — was about people’s Internet browsing histories. The rest included a combination of email and instant messenger records, details about search engine queries, information about social media activity, logs related to hacking operations, and data on people’s use of tools to browse the Internet anonymously.
  • Throughout this period, as smartphone sales started to boom, the frequency of people’s Internet use was steadily increasing. In tandem, British spies were working frantically to bolster their spying capabilities, with plans afoot to expand the size of Black Hole and other repositories to handle an avalanche of new data. By 2010, according to the documents, GCHQ was logging 30 billion metadata records per day. By 2012, collection had increased to 50 billion per day, and work was underway to double capacity to 100 billion. The agency was developing “unprecedented” techniques to perform what it called “population-scale” data mining, monitoring all communications across entire countries in an effort to detect patterns or behaviors deemed suspicious. It was creating what it said would be, by 2013, “the world’s biggest” surveillance engine “to run cyber operations and to access better, more valued data for customers to make a real world difference.”
  • A document from the GCHQ target analysis center (GTAC) shows the Black Hole repository’s structure.
  • The data is searched by GCHQ analysts in a hunt for behavior online that could be connected to terrorism or other criminal activity. But it has also served a broader and more controversial purpose — helping the agency hack into European companies’ computer networks. In the lead up to its secret mission targeting Netherlands-based Gemalto, the largest SIM card manufacturer in the world, GCHQ used MUTANT BROTH in an effort to identify the company’s employees so it could hack into their computers. The system helped the agency analyze intercepted Facebook cookies it believed were associated with Gemalto staff located at offices in France and Poland. GCHQ later successfully infiltrated Gemalto’s internal networks, stealing encryption keys produced by the company that protect the privacy of cell phone communications.
  • Similarly, MUTANT BROTH proved integral to GCHQ’s hack of Belgian telecommunications provider Belgacom. The agency entered IP addresses associated with Belgacom into MUTANT BROTH to uncover information about the company’s employees. Cookies associated with the IPs revealed the Google, Yahoo, and LinkedIn accounts of three Belgacom engineers, whose computers were then targeted by the agency and infected with malware. The hacking operation resulted in GCHQ gaining deep access into the most sensitive parts of Belgacom’s internal systems, granting British spies the ability to intercept communications passing through the company’s networks.
  • In March, a U.K. parliamentary committee published the findings of an 18-month review of GCHQ’s operations and called for an overhaul of the laws that regulate the spying. The committee raised concerns about the agency gathering what it described as “bulk personal datasets” being held about “a wide range of people.” However, it censored the section of the report describing what these “datasets” contained, despite acknowledging that they “may be highly intrusive.” The Snowden documents shine light on some of the core GCHQ bulk data-gathering programs that the committee was likely referring to — pulling back the veil of secrecy that has shielded some of the agency’s most controversial surveillance operations from public scrutiny. KARMA POLICE and MUTANT BROTH are among the key bulk collection systems. But they do not operate in isolation — and the scope of GCHQ’s spying extends far beyond them.
  • The agency operates a bewildering array of other eavesdropping systems, each serving its own specific purpose and designated a unique code name, such as: SOCIAL ANTHROPOID, which is used to analyze metadata on emails, instant messenger chats, social media connections and conversations, plus “telephony” metadata about phone calls, cell phone locations, text and multimedia messages; MEMORY HOLE, which logs queries entered into search engines and associates each search with an IP address; MARBLED GECKO, which sifts through details about searches people have entered into Google Maps and Google Earth; and INFINITE MONKEYS, which analyzes data about the usage of online bulletin boards and forums. GCHQ has other programs that it uses to analyze the content of intercepted communications, such as the full written body of emails and the audio of phone calls. One of the most important content collection capabilities is TEMPORA, which mines vast amounts of emails, instant messages, voice calls and other communications and makes them accessible through a Google-style search tool named XKEYSCORE.
  • As of September 2012, TEMPORA was collecting “more than 40 billion pieces of content a day” and it was being used to spy on people across Europe, the Middle East, and North Africa, according to a top-secret memo outlining the scope of the program. The existence of TEMPORA was first revealed by The Guardian in June 2013. To analyze all of the communications it intercepts and to build a profile of the individuals it is monitoring, GCHQ uses a variety of different tools that can pull together all of the relevant information and make it accessible through a single interface. SAMUEL PEPYS is one such tool, built by the British spies to analyze both the content and metadata of emails, browsing sessions, and instant messages as they are being intercepted in real time. One screenshot of SAMUEL PEPYS in action shows the agency using it to monitor an individual in Sweden who visited a page about GCHQ on the U.S.-based anti-secrecy website Cryptome.
  • Partly due to the U.K.’s geographic location — situated between the United States and the western edge of continental Europe — a large amount of the world’s Internet traffic passes through its territory across international data cables. In 2010, GCHQ noted that what amounted to “25 percent of all Internet traffic” was transiting the U.K. through some 1,600 different cables. The agency said that it could “survey the majority of the 1,600” and “select the most valuable to switch into our processing systems.”
  • According to Joss Wright, a research fellow at the University of Oxford’s Internet Institute, tapping into the cables allows GCHQ to monitor a large portion of foreign communications. But the cables also transport masses of wholly domestic British emails and online chats, because when anyone in the U.K. sends an email or visits a website, their computer will routinely send and receive data from servers that are located overseas. “I could send a message from my computer here [in England] to my wife’s computer in the next room and on its way it could go through the U.S., France, and other countries,” Wright says. “That’s just the way the Internet is designed.” In other words, Wright adds, that means “a lot” of British data and communications transit across international cables daily, and are liable to be swept into GCHQ’s databases.
  • A map from a classified GCHQ presentation about intercepting communications from undersea cables. GCHQ is authorized to conduct dragnet surveillance of the international data cables through so-called external warrants that are signed off by a government minister. The external warrants permit the agency to monitor communications in foreign countries as well as British citizens’ international calls and emails — for example, a call from Islamabad to London. They prohibit GCHQ from reading or listening to the content of “internal” U.K. to U.K. emails and phone calls, which are supposed to be filtered out from GCHQ’s systems if they are inadvertently intercepted unless additional authorization is granted to scrutinize them. However, the same rules do not apply to metadata. A little-known loophole in the law allows GCHQ to use external warrants to collect and analyze bulk metadata about the emails, phone calls, and Internet browsing activities of British people, citizens of closely allied countries, and others, regardless of whether the data is derived from domestic U.K. to U.K. communications and browsing sessions or otherwise. In March, the existence of this loophole was quietly acknowledged by the U.K. parliamentary committee’s surveillance review, which stated in a section of its report that “special protection and additional safeguards” did not apply to metadata swept up using external warrants and that domestic British metadata could therefore be lawfully “returned as a result of searches” conducted by GCHQ.
  • Perhaps unsurprisingly, GCHQ appears to have readily exploited this obscure legal technicality. Secret policy guidance papers issued to the agency’s analysts instruct them that they can sift through huge troves of indiscriminately collected metadata records to spy on anyone regardless of their nationality. The guidance makes clear that there is no exemption or extra privacy protection for British people or citizens from countries that are members of the Five Eyes, a surveillance alliance that the U.K. is part of alongside the U.S., Canada, Australia, and New Zealand. “If you are searching a purely Events only database such as MUTANT BROTH, the issue of location does not occur,” states one internal GCHQ policy document, which is marked with a “last modified” date of July 2012. The document adds that analysts are free to search the databases for British metadata “without further authorization” by inputing a U.K. “selector,” meaning a unique identifier such as a person’s email or IP address, username, or phone number. Authorization is “not needed for individuals in the U.K.,” another GCHQ document explains, because metadata has been judged “less intrusive than communications content.” All the spies are required to do to mine the metadata troves is write a short “justification” or “reason” for each search they conduct and then click a button on their computer screen.
  • Intelligence GCHQ collects on British persons of interest is shared with domestic security agency MI5, which usually takes the lead on spying operations within the U.K. MI5 conducts its own extensive domestic surveillance as part of a program called DIGINT (digital intelligence).
  • GCHQ’s documents suggest that it typically retains metadata for periods of between 30 days to six months. It stores the content of communications for a shorter period of time, varying between three to 30 days. The retention periods can be extended if deemed necessary for “cyber defense.” One secret policy paper dated from January 2010 lists the wide range of information the agency classes as metadata — including location data that could be used to track your movements, your email, instant messenger, and social networking “buddy lists,” logs showing who you have communicated with by phone or email, the passwords you use to access “communications services” (such as an email account), and information about websites you have viewed.
  • Records showing the full website addresses you have visited — for instance, www.gchq.gov.uk/what_we_do — are treated as content. But the first part of an address you have visited — for instance, www.gchq.gov.uk — is treated as metadata. In isolation, a single metadata record of a phone call, email, or website visit may not reveal much about a person’s private life, according to Ethan Zuckerman, director of Massachusetts Institute of Technology’s Center for Civic Media. But if accumulated and analyzed over a period of weeks or months, these details would be “extremely personal,” he told The Intercept, because they could reveal a person’s movements, habits, religious beliefs, political views, relationships, and even sexual preferences. For Zuckerman, who has studied the social and political ramifications of surveillance, the most concerning aspect of large-scale government data collection is that it can be “corrosive towards democracy” — leading to a chilling effect on freedom of expression and communication. “Once we know there’s a reasonable chance that we are being watched in one fashion or another it’s hard for that not to have a ‘panopticon effect,’” he said, “where we think and behave differently based on the assumption that people may be watching and paying attention to what we are doing.”
  • When compared to surveillance rules in place in the U.S., GCHQ notes in one document that the U.K. has “a light oversight regime.” The more lax British spying regulations are reflected in secret internal rules that highlight greater restrictions on how NSA databases can be accessed. The NSA’s troves can be searched for data on British citizens, one document states, but they cannot be mined for information about Americans or other citizens from countries in the Five Eyes alliance. No such constraints are placed on GCHQ’s own databases, which can be sifted for records on the phone calls, emails, and Internet usage of Brits, Americans, and citizens from any other country. The scope of GCHQ’s surveillance powers explain in part why Snowden told The Guardian in June 2013 that U.K. surveillance is “worse than the U.S.” In an interview with Der Spiegel in July 2013, Snowden added that British Internet cables were “radioactive” and joked: “Even the Queen’s selfies to the pool boy get logged.”
  • In recent years, the biggest barrier to GCHQ’s mass collection of data does not appear to have come in the form of legal or policy restrictions. Rather, it is the increased use of encryption technology that protects the privacy of communications that has posed the biggest potential hindrance to the agency’s activities. “The spread of encryption … threatens our ability to do effective target discovery/development,” says a top-secret report co-authored by an official from the British agency and an NSA employee in 2011. “Pertinent metadata events will be locked within the encrypted channels and difficult, if not impossible, to prise out,” the report says, adding that the agencies were working on a plan that would “(hopefully) allow our Internet Exploitation strategy to prevail.”
Paul Merrell

Spy Chief James Clapper Wins Rosemary Award - 0 views

www2.gwu.edu/...20140324

surveillance state NSA Rosemary-Award Obama Clapper Alexander

shared by Paul Merrell on 24 Mar 14 - No Cached
  • Director of National Intelligence James Clapper has won the infamous Rosemary Award for worst open government performance in 2013, according to the citation published today by the National Security Archive at www.nsarchive.org. Despite heavy competition, Clapper's "No, sir" lie to Senator Ron Wyden's question: "Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?" sealed his receipt of the dubious achievement award, which cites the vastly excessive secrecy of the entire U.S. surveillance establishment. The Rosemary Award citation leads with what Clapper later called the "least untruthful" answer possible to congressional questions about the secret bulk collection of Americans' phone call data. It further cites other Clapper claims later proved false, such as his 2012 statement that "we don't hold data on U.S. citizens." But the Award also recognizes Clapper's fellow secrecy fetishists and enablers, including:
  • Gen. Keith Alexander, director of the NSA, for multiple Rose Mary Woods-type stretches, such as (1) claiming that the secret bulk collection prevented 54 terrorist plots against the U.S. when the actual number, according to the congressionally-established Privacy and Civil Liberties Oversight Board (PCLOB) investigation (pp. 145-153), is zero; (2) his 2009 declaration to the wiretap court that multiple NSA violations of the court's orders arose from differences over "terminology," an explanation which the chief judge said "strains credulity;" and (3) public statements by the NSA about its programs that had to be taken down from its website for inaccuracies (see Documents 78, 85, 87 in The Snowden Affair), along with public statements by other top NSA officials now known to be untrue (see "Remarks of Rajesh De," NSA General Counsel, Document 53 in The Snowden Affair).
  • Robert Mueller, former FBI director, for suggesting (as have Gen. Alexander and many others) that the secret bulk collection program might have been able to prevent the 9/11 attacks, when the 9/11 Commission found explicitly the problem was not lack of data points, but failing to connect the many dots the intelligence community already had about the would-be hijackers living in San Diego. The National Security Division lawyers at the Justice Department, for misleading their own Solicitor General (Donald Verrilli) who then misled (inadvertently) the U.S. Supreme Court over whether Justice let defendants know that bulk collection had contributed to their prosecutions. The same National Security Division lawyers who swore under oath in the Electronic Frontier Foundation's Freedom of Information Act lawsuit for a key wiretap court opinion that the entire text of the opinion was appropriately classified Top Secret/Sensitive Compartmented Information (release of which would cause "exceptionally grave damage" to U.S. national security). Only after the Edward Snowden leaks and the embarrassed governmental declassification of the opinion did we find that one key part of the opinion's text simply reproduced the actual language of the 4th Amendment to the U.S. Constitution, and the only "grave damage" was to the government's false claims.
  • ...9 more annotations...
  • President Obama for his repeated misrepresentations about the bulk collection program (calling the wiretap court "transparent" and saying "all of Congress" knew "exactly how this program works") while in effect acknowledging the public value of the Edward Snowden leaks by ordering the long-overdue declassification of key documents about the NSA's activities, and investigations both by a special panel and by the Privacy and Civil Liberties Oversight Board. The PCLOB directly contradicted the President, pointing out that "when the only means through which legislators can try to understand a prior interpretation of the law is to read a short description of an operational program, prepared by executive branch officials, made available only at certain times and locations, which cannot be discussed with others except in classified briefings conducted by those same executive branch officials, legislators are denied a meaningful opportunity to gauge the legitimacy and implications of the legal interpretation in question. Under such circumstances, it is not a legitimate method of statutory construction to presume that these legislators, when reenacting the statute, intended to adopt a prior interpretation that they had no fair means of evaluating." (p. 101)
  • Even an author of the Patriot Act, Rep. Jim Sensenbrenner (R-WI), was broadsided by the revelation of the telephone metadata dragnet. After learning of the extent of spying on Americans that his Act unleashed, he wrote that the National Security Agency "ignored restrictions painstakingly crafted by lawmakers and assumed plenary authority never imagined by Congress" by cloaking its actions behind the "thick cloud of secrecy" that even our elected representatives could not breech. Clapper recently conceded to the Daily Beast, "I probably shouldn't say this, but I will. Had we been transparent about this [phone metadata collection] from the outset … we wouldn't have had the problem we had." The NSA's former deputy director, John "Chris" Inglis, said the same when NPR asked him if he thought the metadata dragnet should have been disclosed before Snowden. "In hindsight, yes. In hindsight, yes." Speaking about potential (relatively minimal) changes to the National Security Agency even the president acknowledged, "And all too often new authorities were instituted without adequate public debate," and "Given the unique power of the state, it is not enough for leaders to say: Trust us. We won't abuse the data we collect. For history has too many examples when that trust has been breached." (Exhibit A, of course, is the NSA "watchlist" in the 1960's and 1970's that targeted not only antiwar and civil rights activists, but also journalists and even members of Congress.)
  • The Archive established the not-so-coveted Rosemary Award in 2005, named after President Nixon's secretary, Rose Mary Woods, who testified she had erased 18-and-a-half minutes of a crucial Watergate tape — stretching, as she showed photographers, to answer the phone with her foot still on the transcription pedal. Bestowed annually to highlight the lowlights of government secrecy, the Rosemary Award has recognized a rogue's gallery of open government scofflaws, including the CIA, the Treasury Department, the Air Force, the FBI, the Federal Chief Information Officers' Council, and the career Rosemary leader — the Justice Department — for the last two years. Rosemary-winner James Clapper has offered several explanations for his untruthful disavowal of the National Security Agency's phone metadata dragnet. After his lie was exposed by the Edward Snowden revelations, Clapper first complained to NBC's Andrea Mitchell that the question about the NSA's surveillance of Americans was unfair, a — in his words — "When are you going to stop beating your wife kind of question." So, he responded "in what I thought was the most truthful, or least untruthful, manner by saying 'no.'"
  • The Emmy and George Polk Award-winning National Security Archive, based at the George Washington University, has carried out thirteen government-wide audits of FOIA performance, filed more than 50,000 Freedom of Information Act requests over the past 28 years, opened historic government secrets ranging from the CIA's "Family Jewels" to documents about the testing of stealth aircraft at Area 51, and won a series of historic lawsuits that saved hundreds of millions of White House e-mails from the Reagan through Obama presidencies, among many other achievements.
  • After continuing criticism for his lie, Clapper wrote a letter to Chairman of the Senate Select Committee on Intelligence Dianne Feinstein, now explaining that he misunderstood Wyden's question and thought it was about the PRISM program (under Section 702 of the Foreign Intelligence Surveillance Act) rather than the telephone metadata collection program (under Section 215 of the Patriot Act). Clapper wrote that his staff "acknowledged the error" to Senator Wyden soon after — yet he chose to reject Wyden's offer to amend his answer. Former NSA senior counsel Joel Brenner blamed Congress for even asking the question, claiming that Wyden "sandbagged" Clapper by the "vicious tactic" of asking "Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?" Meanwhile, Steve Aftergood of the Federation of American Scientists countered that "it is of course wrong for officials to make false statements, as DNI Clapper did," and that in fact the Senate Intelligence Committee "became complicit in public deception" for failing to rebut or correct Clapper's statement, which they knew to be untruthful. Clapper described his unclassified testimony as a game of "stump the chump." But when it came to oversight of the National Security Agency, it appears that senators and representatives were the chumps being stumped. According to Representative Justin Amash (R-Mich), the House Intelligence Committee "decided it wasn't worthwhile to share this information" about telephone metadata surveillance with other members of Congress. Classified briefings open to the whole House were a "farce," Amash contended, often consisting of information found in newspapers and public statutes.
  • Director Clapper joins an undistinguished list of previous Rosemary Award winners: 2012 - the Justice Department (in a repeat performance, for failure to update FOIA regulations for compliance with the law, undermining congressional intent, and hyping its open government statistics) 2011- the Justice Department (for doing more than any other agency to eviscerate President Obama's Day One transparency pledge, through pit-bull whistleblower prosecutions, recycled secrecy arguments in court cases, retrograde FOIA regulations, and mixed FOIA responsiveness) 2010 - the Federal Chief Information Officers' Council (for "lifetime failure" to address the crisis in government e-mail preservation) 2009 - the FBI (for having a record-setting rate of "no records" responses to FOIA requests) 2008 - the Treasury Department (for shredding FOIA requests and delaying responses for decades) 2007 - the Air Force (for disappearing its FOIA requests and having "failed miserably" to meet its FOIA obligations, according to a federal court ruling) 2006 - the Central Intelligence Agency (for the biggest one-year drop-off in responsiveness to FOIA requests yet recorded).   ALSO-RANS The Rosemary Award competition in 2013 was fierce, with a host of government contenders threatening to surpass the Clapper "least untruthful" standard. These secrecy over-achievers included the following FOI delinquents:
  • Admiral William McRaven, head of the Special Operations Command for the raid that killed Osama Bin Laden, who purged his command's computers and file cabinets of all records on the raid, sent any remaining copies over to CIA where they would be effectively immune from the FOIA, and then masterminded a "no records" response to the Associated Press when the AP reporters filed FOIA requests for raid-related materials and photos. If not for a one-sentence mention in a leaked draft inspector general report — which the IG deleted for the final version — no one would have been the wiser about McRaven's shell game. Subsequently, a FOIA lawsuit by Judicial Watch uncovered the sole remaining e-mail from McRaven ordering the evidence destruction, in apparent violation of federal records laws, a felony for which the Admiral seems to have paid no price. Department of Defense classification reviewers who censored from a 1962 document on the Cuban Missile Crisis direct quotes from public statements by Soviet Premier Nikita Khrushchev. The quotes referred to the U.S. Jupiter missiles in Turkey that would ultimately (and secretly) be pulled out in exchange for Soviet withdrawal of its missiles in Cuba. The denials even occurred after an appeal by the National Security Archive, which provided as supporting material the text of the Khrushchev statements and multiple other officially declassified documents (and photographs!) describing the Jupiters in Turkey. Such absurd classification decisions call into question all of the standards used by the Pentagon and the National Declassification Center to review historical documents.
  • Admiral William McRaven memo from May 13, 2011, ordering the destruction of evidence relating to the Osama bin Laden raid. (From Judicial Watch)
  • The Department of Justice Office of Information Policy, which continues to misrepresent to Congress the government's FOIA performance, while enabling dramatic increases in the number of times government agencies invoke the purely discretionary "deliberative process" exemption. Five years after President Obama declared a "presumption of openness" for FOIA requests, Justice lawyers still cannot show a single case of FOIA litigation in which the purported new standards (including orders from their own boss, Attorney General Eric Holder) have caused the Department to change its position in favor of disclosure.
Paul Merrell

Operation AURORAGOLD: How the NSA Hacks Cellphone Networks Worldwide - 0 views

firstlook.org/...nsa-auroragold-hack-cellphones

surveillance state NSA NSA-methods cell-network-penetration AURORAGOLD

shared by Paul Merrell on 06 Dec 14 - No Cached
  • In March 2011, two weeks before the Western intervention in Libya, a secret message was delivered to the National Security Agency. An intelligence unit within the U.S. military’s Africa Command needed help to hack into Libya’s cellphone networks and monitor text messages. For the NSA, the task was easy. The agency had already obtained technical information about the cellphone carriers’ internal systems by spying on documents sent among company employees, and these details would provide the perfect blueprint to help the military break into the networks. The NSA’s assistance in the Libya operation, however, was not an isolated case. It was part of a much larger surveillance program—global in its scope and ramifications—targeted not just at hostile countries.
  • According to documents contained in the archive of material provided to The Intercept by whistleblower Edward Snowden, the NSA has spied on hundreds of companies and organizations internationally, including in countries closely allied to the United States, in an effort to find security weaknesses in cellphone technology that it can exploit for surveillance. The documents also reveal how the NSA plans to secretly introduce new flaws into communication systems so that they can be tapped into—a controversial tactic that security experts say could be exposing the general population to criminal hackers. Codenamed AURORAGOLD, the covert operation has monitored the content of messages sent and received by more than 1,200 email accounts associated with major cellphone network operators, intercepting confidential company planning papers that help the NSA hack into phone networks.
  • Karsten Nohl, a leading cellphone security expert and cryptographer who was consulted by The Intercept about details contained in the AURORAGOLD documents, said that the broad scope of information swept up in the operation appears aimed at ensuring virtually every cellphone network in the world is NSA accessible.
  • ...11 more annotations...
  • “Collecting an inventory [like this] on world networks has big ramifications,” Nohl said, because it allows the NSA to track and circumvent upgrades in encryption technology used by cellphone companies to shield calls and texts from eavesdropping. Evidence that the agency has deliberately plotted to weaken the security of communication infrastructure, he added, was particularly alarming. “Even if you love the NSA and you say you have nothing to hide, you should be against a policy that introduces security vulnerabilities,” Nohl said, “because once NSA introduces a weakness, a vulnerability, it’s not only the NSA that can exploit it.”
  • The AURORAGOLD operation is carried out by specialist NSA surveillance units whose existence has not been publicly disclosed: the Wireless Portfolio Management Office, which defines and carries out the NSA’s strategy for exploiting wireless communications, and the Target Technology Trends Center, which monitors the development of new communication technology to ensure that the NSA isn’t blindsided by innovations that could evade its surveillance reach. The center’s logo is a picture of the Earth overshadowed by a large telescope; its motto is “Predict – Plan – Prevent.”
  • The NSA documents reveal that, as of May 2012, the agency had collected technical information on about 70 percent of cellphone networks worldwide—701 of an estimated 985—and was maintaining a list of 1,201 email “selectors” used to intercept internal company details from employees. (“Selector” is an agency term for a unique identifier like an email address or phone number.) From November 2011 to April 2012, between 363 and 1,354 selectors were “tasked” by the NSA for surveillance each month as part of AURORAGOLD, according to the documents. The secret operation appears to have been active since at least 2010.
  • By covertly monitoring GSMA working groups in a bid to identify and exploit security vulnerabilities, the NSA has placed itself into direct conflict with the mission of the National Institute for Standards and Technology, or NIST, the U.S. government agency responsible for recommending cybersecurity standards in the United States. NIST recently handed out a grant of more than $800,000 to GSMA so that the organization could research ways to address “security and privacy challenges” faced by users of mobile devices. The revelation that the trade group has been targeted for surveillance may reignite deep-seated tensions between NIST and NSA that came to the fore following earlier Snowden disclosures. Last year, NIST was forced to urge people not to use an encryption standard it had previously approved after it emerged NSA had apparently covertly worked to deliberately weaken it.
  • One of the prime targets monitored under the AURORAGOLD program is the London-headquartered trade group, the GSM Association, or the GSMA, which represents the interests of more than 800 major cellphone, software, and internet companies from 220 countries. The GSMA’s members include U.S.-based companies such as Verizon, AT&T, Sprint, Microsoft, Facebook, Intel, Cisco, and Oracle, as well as large international firms including Sony, Nokia, Samsung, Ericsson, and Vodafone. The trade organization brings together its members for regular meetings at which new technologies and policies are discussed among various “working groups.” The Snowden files reveal that the NSA specifically targeted the GSMA’s working groups for surveillance.
  • The NSA focuses on intercepting obscure but important technical documents circulated among the GSMA’s members known as “IR.21s.” Most cellphone network operators share IR.21 documents among each other as part of agreements that allow their customers to connect to foreign networks when they are “roaming” overseas on a vacation or a business trip. An IR.21, according to the NSA documents, contains information “necessary for targeting and exploitation.” The details in the IR.21s serve as a “warning mechanism” that flag new technology used by network operators, the NSA’s documents state. This allows the agency to identify security vulnerabilities in the latest communication systems that can be exploited, and helps efforts to introduce new vulnerabilities “where they do not yet exist.” The IR.21s also contain details about the encryption used by cellphone companies to protect the privacy of their customers’ communications as they are transmitted across networks. These details are highly sought after by the NSA, as they can aid its efforts to crack the encryption and eavesdrop on conversations.
  • Last year, the Washington Post reported that the NSA had already managed to break the most commonly used cellphone encryption algorithm in the world, known as A5/1. But the information collected under AURORAGOLD allows the agency to focus on circumventing newer and stronger versions of A5 cellphone encryption, such as A5/3. The documents note that the agency intercepts information from cellphone operators about “the type of A5 cipher algorithm version” they use, and monitors the development of new algorithms in order to find ways to bypass the encryption. In 2009, the British surveillance agency Government Communications Headquarters conducted a similar effort to subvert phone encryption under a project called OPULENT PUP, using powerful computers to perform a “crypt attack” to penetrate the A5/3 algorithm, secret memos reveal. By 2011, GCHQ was collaborating with the NSA on another operation, called WOLFRAMITE, to attack A5/3 encryption. (GCHQ declined to comment for this story, other than to say that it operates within legal parameters.)
  • The extensive attempts to attack cellphone encryption have been replicated across the Five Eyes surveillance alliance. Australia’s top spy agency, for instance, infiltrated an Indonesian cellphone company and stole nearly 1.8 million encryption keys used to protect communications, the New York Times reported in February.
  • The NSA’s documents show that it focuses on collecting details about virtually all technical standards used by cellphone operators, and the agency’s efforts to stay ahead of the technology curve occasionally yield significant results. In early 2010, for instance, its operatives had already found ways to penetrate a variant of the newest “fourth generation” smartphone-era technology for surveillance, years before it became widely adopted by millions of people in dozens of countries. The NSA says that its efforts are targeted at terrorists, weapons proliferators, and other foreign targets, not “ordinary people.” But the methods used by the agency and its partners to gain access to cellphone communications risk significant blowback. According to Mikko Hypponen, a security expert at Finland-based F-Secure, criminal hackers and foreign government adversaries could be among the inadvertent beneficiaries of any security vulnerabilities or encryption weaknesses inserted by the NSA into communication systems using data collected by the AURORAGOLD project.
  • Vines, the NSA spokeswoman, told The Intercept that the agency was committed to ensuring an “open, interoperable, and secure global internet.” “NSA deeply values these principles and takes great care to honor them in the performance of its lawful foreign-intelligence mission,” Vines said.
  • Documents published with this article: AURORAGOLD – Project Overview AURORAGOLD Working Group IR.21 – A Technology Warning Mechanism AURORAGOLD – Target Technology Trends Center support to WPMO NSA First-Ever Collect of High-Interest 4G Cellular Signal AURORAGOLD Working Aid WOLFRAMITE Encryption Attack OPULENT PUP Encryption Attack NSA/GCHQ/CSEC Network Tradecraft Advancement Team
  • Paul Merrell on 06 Dec 14
     
    Notice that they've cracked even 4G.
Paul Merrell

Details Of Assassination Plot On Occupy Movement Leaders Withheld From Public At FBI's ... - 0 views

www.mintpressnews.com/...202064

surveillance state Occupy-Houston FOIA litigation assassination-plot FBI

shared by Paul Merrell on 14 Feb 15 - No Cached
  • The FBI was right to withhold records about an alleged murder plot targeting the leaders of Occupy Houston, to protect its informants, a federal judge ruled. Plaintiff Ryan Noah Shapiro is a doctoral student at the Massachusetts Institute of Technology. His research includes “the policing of dissent … especially in the name of national security” and “examining FBI and other intelligence agency efforts to preserve domestic surveillance capabilities while simultaneously subverting the Freedom of Information Act,” according to his MIT profile. Shapiro sent the FBI three Freedom of Information Act requests in early 2013, asking for records about “a potential plan to gather intelligence against the leaders of [Occupy Wall Street-related protests in Houston] and obtain photographs, then formulate a plan to kill the leadership [of the protests] via suppressed sniper rifles.” Shapiro told Courthouse News he learned of the alleged plot from FBI documents obtained by investigative reporter Jason Leopold.
  • The FBI had refused to give Shapiro any documents until he filed an April 2013 federal complaint in Washington, D.C., after which the agency gave him 17 pages. U.S. District Judge Rosemary Collyer found last year that the FBI had properly withheld some records, but took issue with its use of Exemption 7 under the FOIA, which protects from disclosure “records or information compiled for law enforcement purposes.” Collyer dismissed the lawsuit this week after reviewing the documents in her chambers. Shapiro challenged the FBI’s withholding of the names of its murder plot sources, claiming there is no privacy expectation for people who could be called to testify as trial witnesses. But Collyer found Monday that the FBI correctly invoked FOIA exemption 7(c), which shields law enforcement records from disclosure if they could constitute an invasion of personal privacy. The judge also agreed with the FBI that exemption 7(d) applied to the case. It allows records to be withheld if they “could reasonably be expected to disclose the identity of a confidential source.”
  • Citing a declaration from FBI agent David Hardy that said the confidential sources are “individuals who are members of organized violent groups,” Collyer said the likelihood of retaliation justified keeping the sources’ identities under wraps. Shapiro vowed to keep fighting for the records. “I’m of course disappointed in, and disagree with, the judge’s ruling. I’m now conferring with my attorney to determine next steps,” Shapiro said in an email. He said he is concerned that the FBI collected dossiers on Occupy protestors while publicly denying it. “The FBI even flatly asserted in a separate FOIA lawsuit of mine that, ‘(T)he FBI determined that it had never opened an investigation on the Occupy movement,'” Shapiro wrote. “Yet, in the course of my FOIA lawsuit against the FBI for records about the sniper plot against Occupy Houston, the FBI contradicted its own position.” Shapiro said that with recently released FBI documents about Occupy Chicago, “We are coming ever closer to finally forcing the FBI to concede it actually possesses a large volume of documents about this FBI-coordinated nationwide investigation of political protesters as supposed terroristic threats to national security.”
Paul Merrell

Court Rebukes White House Over "Secret Law" - Secrecy News - 1 views

blogs.fas.org/...ppd-secret-law

Obama Obama-administration transparency government secrecy FOIA litigation

shared by Paul Merrell on 18 Dec 13 - No Cached
  • DC District Judge Ellen Segal Huvelle yesterday ordered the Obama Administration to release a copy of an unclassified presidential directive, and she said the attempt to withhold it represented an improper exercise of “secret law.” The Obama White House has a “limitless” view of its authority to withhold presidential communications from the public, she wrote, but that view is wrong. “The government appears to adopt the cavalier attitude that the President should be permitted to convey orders throughout the Executive Branch without public oversight– to engage in what is in effect governance by ‘secret law’,” Judge Huvelle wrote in her December 17 opinion. “The Court finds equally troubling the government’s complementary suggestion that ‘effective’ governance requires that a President’s substantive and non-classified directives to Executive Branch agencies remain concealed from public scrutiny,” she wrote.
  • The directive in question, Presidential Policy Directive (PPD) 6, “is a widely-publicized, non-classified Presidential Policy Directive on issues of foreign aid and development that has been distributed broadly within the Executive Branch and used by recipient agencies to guide decision-making,” the Judge noted. “Even though issued as a directive, the PPD-6 carries the force of law as policy guidance to be implemented by recipient agencies, and it is the functional equivalent of an Executive Order.” “Never before has a court had to consider whether the [presidential communications] privilege protects from disclosure under FOIA a final, non-classified, presidential directive.”
  • Several significant points emerge from this episode. First, President Obama’s declared commitment to “creating an unprecedented level of openness in Government” has not been internalized even by the President’s own staff. This latest case of “unbounded” secrecy cannot be blamed on the CIA or an overzealous Justice Department attorney. It is entirely an Obama White House production, based on a White House policy choice. Second, and relatedly, it has proved to be an error to expect the executive branch to unilaterally impose transparency on itself. To do so is to ignore, or to wish away, the Administration’s own conflicting interests in secrecy and disclosure.  Instead, it is the role of the other branches of government to check the executive and to compel appropriate disclosure.
  • ...3 more annotations...
  • Significantly, Judge Huvelle insisted on examining the document herself in camera instead of simply relying on the Administration’s characterization of the document.  Having done so, she found that it “is not ‘revelatory of the President’s deliberations’ such that its public disclosure would undermine future decision-making.” She criticized the government for “the unbounded nature” of its claim. “In the government’s view, it can shield from disclosure under FOIA any presidential communication, even those — like the PPD-6 — that carry the force of law, simply because the communication originated with the President…. The Court rejects the government’s limitless approach….”
  • An official Fact Sheet on PPD-6 (which has not yet been released) is available here. The Electronic Privacy Information Center is currently pursuing release of another presidential directive, the Bush Administration’s NSPD-54 on cyber security. In October, Judge Beryl Howell unexpectedly ruled that that directive was exempt from disclosure because, she said, it was not an “agency record” that would be subject to the FOIA.  Her opinion came as a surprise and was not persuasive to everyone. In a footnote in yesterday’s ruling, Judge Huvelle said that the arguments over the two directives were sufficiently distinguishable that “this Court need not decide if it will follow Judge Howell’s rationale”– suggesting that if pressed, she might not have done so.  Yesterday, EPIC filed a notice of its intent to appeal the decision.
  • DC District Judge Ellen Segal Huvelle yesterday ordered the Obama Administration to release a copy of an unclassified presidential directive, and she said the attempt to withhold it represented an improper exercise of “secret law.” The Obama White House has a “limitless” view of its authority to withhold presidential communications from the public, she wrote, but that view is wrong. “The government appears to adopt the cavalier attitude that the President should be permitted to convey orders throughout the Executive Branch without public oversight– to engage in what is in effect governance by ‘secret law’,” Judge Huvelle wrote in her December 17 opinion. “The Court finds equally troubling the government’s complementary suggestion that ‘effective’ governance requires that a President’s substantive and non-classified directives to Executive Branch agencies remain concealed from public scrutiny,” she wrote.
  • Paul Merrell on 18 Dec 13
     
    Outrageous. I read the court's opinion. This happened only because: [i] federal judges are reluctant to impose sanctions on government attorneys; and [ii] government attorneys know that. In all my years of legal practice, I read only one court opinion where an assistant U.S. attorney was sanctioned and instead of the normal sanction of paying the other side's attorney fees and expenses of litigation, the judge just awarded a $500 sanction. That is also why litigating against the Feds is such a chore; you spend half your time shooting down blatantly implausible arguments. That's far less of a problem when facing attorneys who are in private practice. But so much for Obama's "transparency" platform; this was the result of the Obama Administration itself asserting a preposterous privilege claim supported only by ridiculous arguments, no more than a delaying action.  
Paul Merrell

US sets new record for denying federal files under Freedom of Information Act | US news... - 0 views

www.theguardian.com/...es-freedom-of-information-foia

transparency FOIA U.S. records

shared by Paul Merrell on 20 Mar 15 - No Cached
  • The US has set a new record for denying and censoring federal files under the Freedom of Information Act, analysis by the Associated Press reveals. For the second consecutive year, the Obama administration more often than ever censored government files or outright denied access to them under the open-government legislation. The government took longer to turn over files when it provided any, said more regularly that it couldn’t find documents, and refused a record number of times to turn over files quickly that might be especially newsworthy.
  • It also acknowledged in nearly one in three cases that its initial decisions to withhold or censor records were improper under the law – but only when it was challenged. Its backlog of unanswered requests at year’s end grew remarkably by 55% to more than 200,000. The government’s new figures, published Tuesday, covered all requests to 100 federal agencies during fiscal 2014 under the Freedom of Information law, which is heralded globally as a model for transparent government. They showed that despite disappointments and failed promises by the White House to make meaningful improvements in the way it releases records, the law was more popular than ever. Citizens, journalists, businesses and others made a record 714,231 requests for information. The US spent a record $434m trying to keep up.
  • The government responded to 647,142 requests, a 4% decrease over the previous year. The government more than ever censored materials it turned over or fully denied access to them, in 250,581 cases or 39% of all requests. Sometimes, the government censored only a few words or an employee’s phone number, but other times it completely marked out nearly every paragraph on pages. On 215,584 other occasions, the government said it couldn’t find records, a person refused to pay for copies or the government determined the request to be unreasonable or improper. The White House touted its success under its own analysis. It routinely excludes from its assessment instances when it couldn’t find records, a person refused to pay for copies or the request was determined to be improper under the law, and said under this calculation it released all or parts of records in 91% of requests – still a record low since Barack Obama took office using the White House’s own math.
  • ...4 more annotations...
  • “We actually do have a lot to brag about,” White House spokesman Josh Earnest said. The government’s responsiveness under the open records law is an important measure of its transparency. Under the law, citizens and foreigners can compel the government to turn over copies of federal records for zero or little cost. Anyone who seeks information through the law is generally supposed to get it unless disclosure would hurt national security, violate personal privacy or expose business secrets or confidential decision-making in certain areas. It cited such exceptions a record 554,969 times last year. Under the president’s instructions, the US should not withhold or censor government files merely because they might be embarrassing, but federal employees last year regularly misapplied the law. In emails that AP obtained from the National Archives and Records Administration about who pays for Michelle Obama’s expensive dresses, the agency blacked-out a sentence under part of the law intended to shield personal, private information, such as Social Security numbers, phone numbers or home addresses. But it failed to censor the same passage on a subsequent page.
  • The sentence: “We live in constant fear of upsetting the WH [White House].” In nearly one in three cases, when someone challenged under appeal the administration’s initial decision to censor or withhold files, the government reconsidered and acknowledged it was at least partly wrong. That was the highest reversal rate in at least five years. The AP’s chief executive, Gary Pruitt, said the news organization filed hundreds of requests for government files. Records the AP obtained revealed police efforts to restrict airspace to keep away news helicopters during violent street protests in Ferguson, Missouri. In another case, the records showed Veterans Affairs doctors concluding that a gunman who later killed 12 people had no mental health issues despite serious problems and encounters with police during the same period. They also showed the FBI pressuring local police agencies to keep details secret about a telephone surveillance device called Stingray.
  • “What we discovered reaffirmed what we have seen all too frequently in recent years,” Pruitt wrote in a column published this week. “The systems created to give citizens information about their government are badly broken and getting worse all the time.” The US released its new figures during Sunshine Week, when news organizations promote open government and freedom of information. The AP earlier this month sued the State Department under the law to force the release of email correspondence and government documents from Hillary Clinton’s tenure as secretary of state. The government had failed to turn over the files under repeated requests, including one made five years ago and others pending since the summer of 2013.
  • The government said the average time it took to answer each records request ranged from one day to more than 2.5 years. More than half of federal agencies took longer to answer requests last year than the previous year. Journalists and others who need information quickly to report breaking news fared worse than ever. Under the law, the US is required to move urgent requests from journalists to the front of the line for a speedy answer if records will inform the public concerning an actual or alleged government activity. But the government now routinely denies such requests: Over six years, the number of requests granted speedy processing status fell from nearly half to fewer than one in eight. The CIA, at the center of so many headlines, has denied every such request over the last two years.
  • Paul Merrell on 20 Mar 15
     
    I did a fair bit of FOIA litigation during my years as a citizen activist and later as a lawyer. The response situation never was good and it's gotten far worse. I have an outstanding FOIA request to the Dept. of Health & Human Services for copies of particular documents submitted as public comments by other agencies including the CIA in a rulemaking proceeding. I submitted electronically over a year ago, got an authresponder telling me to expect a postcard acknowledging receipt within ten working days as required by FOIA. Didn't hear back from them, so resubmitted with copies of the original request and the autoresponse and got the same autoresponse. Still haven't got either of my postcards or the records, so it looks like I'm about to come out of retirement and file a FOIA lawsuit. It's an area where the squeakiest wheel gets the grease.  The bureaucracy does not like public records requests.   
1 - 17 of 17
Showing 20 items per page