Skip to main content

Home/ Socialism and the End of the American Dream/ Group items tagged surveillance-criteria

Rss Feed Group items tagged

Filter: All | Bookmarks | Topics Simple Middle
Paul Merrell

Fresno Police Roll Out Dystopian 'Threat Ranking' System - 0 views

www.mintpressnews.com/...212684

surveillance state Fresno citizen-threat-ranking Intrado Beware trade-secrets

shared by Paul Merrell on 12 Jan 16 - No Cached
  • “On 57 monitors that cover the walls of the center, operators zoomed and panned an array of roughly 200 police cameras perched across the city. They could dial up 800 more feeds from the city’s schools and traffic cameras, and they soon hope to add 400 more streams from cameras worn on officers’ bodies and from thousands from local businesses that have surveillance systems.” Though the intricate surveillance apparatus described above seems straight from a dystopic novel, it is actually the Washington Post’s recent description of the the visual data collection system employed by a local California police department. The police department in Fresno, California, has taken extreme measures to combat high rates of crime in the city. As the Post reports, Fresno’s Real Time Crime Center, buried deep in the police station’s headquarters, has developed as a response to what many police call increasing threats. The system, according to police officials, can “provide critical information that can help uncover terrorists or thwart mass shootings, ensure the safety of officers and the public, find suspects, and crack open cases” — a feature they say is increasingly important in the wake of events like the November terror attack in Paris and the San Bernardino shooting last month.
  • “Our officers are expected to know the unknown and see the unseen,” Fresno Chief of Police Jerry Dyer said. “They are making split-second decisions based on limited facts. The more you can provide in terms of intelligence and video, the more safely you can respond to calls.” Programs similar to the Real Time Crime Center have launched in New York, Houston, and Seattle over the course of the last decade. Nationwide, the use of Stingrays, data fusion centers, and aerial drone surveillance have broadened the access local police have to private information. In another example, the FBI is continually developing a comprehensive biometric database that local police access every day. “This is something that’s been building since September 11,” says Jennifer Lynch, a senior attorney at the Electronic Frontier Foundation. Like the problem of police militarization, Lynch traces the trend back to the Pentagon: “First funding went to the military to develop this technology, and now it has come back to domestic law enforcement. It’s the perfect storm of cheaper and easier-to-use technologies and money from state and federal governments to purchase it.”
  • While many of these programs may fail to shock Americans, one new software program takes police scrutiny of private citizens to a new level. Beware, a software tool produced by tech firm Intrado, not only surveils the data of the citizens of Fresno, the first city to test it — it calculates threat levels based on what it discovers. The software scours arrest records, property records, Deep Web searches, commercial databases, and social media postings. By this method, it was able to designate a man with a firearm and gang convictions involved in a real-time domestic violence dispute as the highest of three threat levels: a bright red ranking. Fresno police say the intelligence from Beware aided them, as the man eventually surrendered and officers found he was armed with a gun. Beware scours billions of data points to develop rankings for citizens, and though few recoil at the thought of catching criminals and miscreants, the program provides particular cause for concern because of both its invasiveness and its fallibility.
  • ...3 more annotations...
  • These shortcomings have sparked concern among Fresno’s city council members, who discussed the issue at a meeting in November. At that meeting, one council member cited an incident where a girl who posted on social media about a card game called “Rage” was consequently given an elevated threat ranking — all because “rage” could be a triggering keyword for Beware. At that same meeting, libertarian-leaning Republican councilman Clinton J. Olivier asked Chief Dyer to use the technology to calculate his threat level. In real-time, Olivier was given a green, or non-threatening ranking, but his home received a yellow, or medium, threat ranking. It was likely due to the record of his home’s prior occupant. “Even though it’s not me that’s the yellow guy, your officers are going to treat whoever comes out of that house in his boxer shorts as the yellow guy,” Olivier told Dyer. “That may not be fair to me.” He added later, “[Beware] has failed right here with a council member as the example.” “It’s a very unrefined, gross technique,” Fresno civil rights attorney, Rob Nabarro, has said of Beware’s color-coded levels. “A police call is something that can be very dangerous for a citizen,” he noted, echoing Olivier’s worries.
  • Further, though Fresno police use Beware, they are left in the dark about how it determines rankings. Intrado designates the method a “trade secret,” and as such, will not share it with the officers who use it. This element of the software’s implementation has concerned civil rights advocates like Nabarro. He believes the secrecy surrounding the technology may result in unfair, unchecked threat rankings. Nabarro cautioned that between the software’s secrecy and room for error, Beware could accidentally rank a citizen as dangerous based on, for example, posts on social media criticizing police. This potential carries with it the ability for citizens to be punished not for actual crimes, but for exercising basic constitutional rights. Further, it compromises the rights of individuals who have been previously convicted of crimes, potentially using past behavior to assume guilt in unrelated future incidents. Chief Dyer insists concerns are exaggerated and that a particular score does not guarantee a particular police response. Police maintain the tools are necessary to fight crime. Nevertheless, following the heated November meeting, Dyer suggested he would work to turn off the color-coded threat ranking due to citizens’ concerns. “It’s a balancing act,” he admitted.
  • It remains to be seen if Fresno police and residents will move forward with the technology or shut it down over privacy concerns. City officials in Oakland, California, for example, recently scaled back plans to establish a Real Time Crime Center after outraged citizens protested. At the very least, as Northern California ACLU attorney Matt Cagle said, “[W]henever these surveillance technologies are on the table, there needs to be a meaningful debate. There needs to be safeguards and oversight.”
  • Paul Merrell on 12 Jan 16
     
    Claiming trade secrecy for the software's selection criteria for threat ranking actually constitutes policy policy, the trade secrecy claim would probably not survive judical review. It's at least arguably an unconstitutional delegation of a government function (ranking citizens as threats) to a private company. Police departments in Florida were sued to produce records of how a related surveillance device, the Stingray IMSI device that intercepts cell phone calls by mimicking a cell-phone tower, and only averted court-ordered disclosure of its trade secret workings by the FBI swooping in just before decision to remove all the software documentation from local police possession, custody, and control.    There is a long chain of case law holding that information that is legitimately trade secret and proprietary loses that protection if adopted by local or federal government as law. With a software program that classifies citizens as threats for governmental purposes if they meet the program's selection criteria, the software is performing a strictly governmental function that is in reality law. 
Paul Merrell

GCHQ taps fibre-optic cables for secret access to world's communications | UK news | gu... - 0 views

www.guardian.co.uk/...ecret-world-communications-nsa

surveillance state NSA GCHQ UK Snowden must-read

shared by Paul Merrell on 22 Jun 13 - No Cached
  • Britain's spy agency GCHQ has secretly gained access to the network of cables which carry the world's phone calls and internet traffic and has started to process vast streams of sensitive personal information which it is sharing with its American partner, the National Security Agency (NSA).The sheer scale of the agency's ambition is reflected in the titles of its two principal components: Mastering the Internet and Global Telecoms Exploitation, aimed at scooping up as much online and telephone traffic as possible. This is all being carried out without any form of public acknowledgement or debate.One key innovation has been GCHQ's ability to tap into and store huge volumes of data drawn from fibre-optic cables for up to 30 days so that it can be sifted and analysed. That operation, codenamed Tempora, has been running for some 18 months.
  • GCHQ and the NSA are consequently able to access and process vast quantities of communications between entirely innocent people, as well as targeted suspects.This includes recordings of phone calls, the content of email messages, entries on Facebook and the history of any internet user's access to websites – all of which is deemed legal, even though the warrant system was supposed to limit interception to a specified range of targets.The existence of the programme has been disclosed in documents shown to the Guardian by the NSA whistleblower Edward Snowden as part of his attempt to expose what he has called "the largest programme of suspicionless surveillance in human history"."It's not just a US problem. The UK has a huge dog in this fight," Snowden told the Guardian. "They [GCHQ] are worse than the US."
  • However, on Friday a source with knowledge of intelligence argued that the data was collected legally under a system of safeguards, and had provided material that had led to significant breakthroughs in detecting and preventing serious crime.Britain's technical capacity to tap into the cables that carry the world's communications – referred to in the documents as special source exploitation – has made GCHQ an intelligence superpower.By 2010, two years after the project was first trialled, it was able to boast it had the "biggest internet access" of any member of the Five Eyes electronic eavesdropping alliance, comprising the US, UK, Canada, Australia and New Zealand.UK officials could also claim GCHQ "produces larger amounts of metadata than NSA". (Metadata describes basic information on who has been contacting whom, without detailing the content.)By May last year 300 analysts from GCHQ, and 250 from the NSA, had been assigned to sift through the flood of data.The Americans were given guidelines for its use, but were told in legal briefings by GCHQ lawyers: "We have a light oversight regime compared with the US".
  • ...8 more annotations...
  • When it came to judging the necessity and proportionality of what they were allowed to look for, would-be American users were told it was "your call".The Guardian understands that a total of 850,000 NSA employees and US private contractors with top secret clearance had access to GCHQ databases.
  • For the 2 billion users of the world wide web, Tempora represents a window on to their everyday lives, sucking up every form of communication from the fibre-optic cables that ring the world.The NSA has meanwhile opened a second window, in the form of the Prism operation, revealed earlier this month by the Guardian, from which it secured access to the internal systems of global companies that service the internet.The GCHQ mass tapping operation has been built up over five years by attaching intercept probes to transatlantic fibre-optic cables where they land on British shores carrying data to western Europe from telephone exchanges and internet servers in north America.This was done under secret agreements with commercial companies, described in one document as "intercept partners".The papers seen by the Guardian suggest some companies have been paid for the cost of their co-operation and GCHQ went to great lengths to keep their names secret. They were assigned "sensitive relationship teams" and staff were urged in one internal guidance paper to disguise the origin of "special source" material in their reports for fear that the role of the companies as intercept partners would cause "high-level political fallout".
  • The GCHQ documents that the Guardian has seen illustrate a constant effort to build up storage capacity at the stations at Cheltenham, Bude and at one overseas location, as well a search for ways to maintain the agency's comparative advantage as the world's leading communications companies increasingly route their cables through Asia to cut costs. Meanwhile, technical work is ongoing to expand GCHQ's capacity to ingest data from new super cables carrying data at 100 gigabits a second. As one training slide told new users: "You are in an enviable position – have fun and make the most of it."
  • The categories of material have included fraud, drug trafficking and terrorism, but the criteria at any one time are secret and are not subject to any public debate. GCHQ's compliance with the certificates is audited by the agency itself, but the results of those audits are also secret.An indication of how broad the dragnet can be was laid bare in advice from GCHQ's lawyers, who said it would be impossible to list the total number of people targeted because "this would be an infinite list which we couldn't manage".There is an investigatory powers tribunal to look into complaints that the data gathered by GCHQ has been improperly used, but the agency reassured NSA analysts in the early days of the programme, in 2009: "So far they have always found in our favour".
  • Historically, the spy agencies have intercepted international communications by focusing on microwave towers and satellites. The NSA's intercept station at Menwith Hill in North Yorkshire played a leading role in this. One internal document quotes the head of the NSA, Lieutenant General Keith Alexander, on a visit to Menwith Hill in June 2008, asking: "Why can't we collect all the signals all the time? Sounds like a good summer project for Menwith."By then, however, satellite interception accounted for only a small part of the network traffic. Most of it now travels on fibre-optic cables, and the UK's position on the western edge of Europe gave it natural access to cables emerging from the Atlantic.
  • The processing centres apply a series of sophisticated computer programmes in order to filter the material through what is known as MVR – massive volume reduction. The first filter immediately rejects high-volume, low-value traffic, such as peer-to-peer downloads, which reduces the volume by about 30%. Others pull out packets of information relating to "selectors" – search terms including subjects, phone numbers and email addresses of interest. Some 40,000 of these were chosen by GCHQ and 31,000 by the NSA. Most of the information extracted is "content", such as recordings of phone calls or the substance of email messages. The rest is metadata.
  • "The criteria are security, terror, organised crime. And economic well-being. There's an auditing process to go back through the logs and see if it was justified or not. The vast majority of the data is discarded without being looked at … we simply don't have the resources."However, the legitimacy of the operation is in doubt. According to GCHQ's legal advice, it was given the go-ahead by applying old law to new technology. The 2000 Regulation of Investigatory Powers Act (Ripa) requires the tapping of defined targets to be authorised by a warrant signed by the home secretary or foreign secretary.However, an obscure clause allows the foreign secretary to sign a certificate for the interception of broad categories of material, as long as one end of the monitored communications is abroad. But the nature of modern fibre-optic communications means that a proportion of internal UK traffic is relayed abroad and then returns through the cables.
  • British spy agency collects and stores vast quantities of global email messages, Facebook posts, internet histories and calls, and shares them with NSA, latest documents from Edward Snowden reveal
  • Paul Merrell on 22 Jun 13
     
    Note particularly that the Brit criteria adds economic data to the list of categories categories the NSA trawls for and shares its data with the U.S. NSA. Both agencies claim to be targeting foreigners, so now we're into the "we surveil your citizens; you surveil our citizens, then we'll share the results" scenario that leaves both sides of the pond with a superficial excuse to say "we don't surveil our own citizens, just foreigners." But it's just ring-around-the-rosy. 850,000 NSA employees and U.S. private contractors with access to GCHQ surveillance databases.  Lots more in the article that I didn't highlight.
Paul Merrell

How the NSA's Surveillance Procedures Threaten Americans' Privacy | American Civil Libe... - 0 views

www.aclu.org/...res-threaten-americans-privacy

surveillance state NSA surveillance-criteria

shared by Paul Merrell on 22 Jun 13 - No Cached
  • Newly released documents confirm what critics have long suspected—that the National Security Agency, a component of the Defense Department, is engaged in unconstitutional surveillance of Americans' communications, including their telephone calls and emails. The documents show that the NSA is conducting sweeping surveillance of Americans' international communications, that it is acquiring many purely domestic communications as well, and that the rules that supposedly protect Americans' privacy are weak and riddled with exceptions.
  • 3. The Procedures permit the government to conduct surveillance that has no real connection to the government's foreign intelligence interests. One of the fundamental problems with the Act is that it permits the government to conduct surveillance without probable cause or individualized suspicion. It permits the government to monitor people who aren't even thought to be doing anything wrong, and to do so without particularized warrants or meaningful review by impartial judges. Government officials have placed heavy emphasis on the fact that the Act allows the government to conduct surveillance only if one of its purposes is to gather "foreign intelligence information." That term, though, is defined very broadly to include not only information about terrorism but also information about intelligence activities, the national defense, and even "the foreign affairs of the United States." The Procedures weaken the limitation further. Among the things the NSA examines to determine whether a particular email address or phone number will be used to exchange foreign intelligence information is whether it has been used in the past to communicate with foreigners. Another is whether it is listed in a foreigner's address book. In other words, the NSA seems to equate a propensity to communicate with foreigners with a propensity to communicate foreign intelligence information. The effect is to bring virtually every international communication within the reach of the NSA's surveillance.
  • Paul Merrell on 22 Jun 13
     
    "Among the things the NSA examines to determine whether a particular email address or phone number will be used to exchange foreign intelligence information is *whether it has been used in the past to communicate with foreigners."* Let that sink into your mind, please. Have you ever communicated with a foreigner? Have any of your communications ever been routed through servers in a foreign country? (The way the Internet works, it is an everyday event for just about anyone.) Does that constitute communication with a foreigner?  One of the many giant loopholes in the NSA's leaked procedures document for "minimizing" the collection of data on U.S. citizens.  
Paul Merrell

Private firms selling mass surveillance systems around world, documents show | World ne... - 0 views

www.theguardian.com/...mass-surveillance-technologies

surveillance state surveillance-industry capabilities

shared by Paul Merrell on 20 Nov 13 - No Cached
  • Private firms are selling spying tools and mass surveillance technologies to developing countries with promises that "off the shelf" equipment will allow them to snoop on millions of emails, text messages and phone calls, according to a cache of documents published on Monday.The papers show how firms, including dozens from Britain, tout the capabilities at private trade fairs aimed at offering nations in Africa, Asia and the Middle East the kind of powerful capabilities that are usually associated with government agencies such as GCHQ and its US counterpart, the National Security Agency.The market has raised concerns among human rights groups and ministers, who are poised to announce new rules about the sale of such equipment from Britain.
  • The documents are included in an online database compiled by the research watchdog Privacy International, which has spent four years gathering 1,203 brochures and sales pitches used at conventions in Dubai, Prague, Brasilia, Washington, Kuala Lumpur, Paris and London. Analysts posed as potential buyers to gain access to the private fairs.The database, called the Surveillance Industry Index, shows how firms from the UK, Israel, Germany, France and the US offer governments a range of systems that allow them to secretly hack into internet cables carrying email and phone traffic.The index has details from 338 companies, including 77 from the UK, offering a total of 97 different technologies.
  • The documents include a brochure from a company called Advanced Middle East Systems (AMES), based in Dubai. It has been offering a device called Cerebro – a DIY system similar to the Tempora programme run by GCHQ – that taps information from fibre-optic cables carrying internet traffic.AMES describes Cerebro as a "core technology designed to monitor and analyse in real time communications … including SMS (texting), GSM (mobile calls), billing data, emails, conversations, webmail, chat sessions and social networks."The company brochure makes clear this is done by attaching probes to internet cables. "No co-operation with the providers is required," it adds."Cerebro is designed to store several billions of records – metadata and/or communication contents. At any time the investigators can follow the live activity of their target with advanced targeting criteria (email addresses, phone numbers, key words)," says the brochure.
  • ...2 more annotations...
  • Another firm selling similar equipment is VASTech, based in South Africa, which has a system called Zebra. Potential buyers are told it has been designed to help "government security agencies face huge challenges in their combat against crime and terrorism".VASTech says Zebra offers "access to high volumes of information generated via telecommunication services for the purposes of analysis and investigation".It has been designed to "intercept all content and metadata of voice, SMS, email and fax communications on the connected network, creating a rich repository of information".
  • It is now possible, from a single laptop computer, to locate where a mobile phone is calling from anywhere in the world, with an accuracy of between 200 metres and a mile. This is not done by attaching probes, and it is not limited to the area where the laptop is working from. The "cross border" system means it is now theoretically possible to locate a mobile phone call from a town abroad from a laptop in London.
  • Paul Merrell on 20 Nov 13
Paul Merrell

A Year After Reform Push, NSA Still Collects Bulk Domestic Data, Still Lacks Way to Ass... - 0 views

firstlook.org/...lueless-much-good-surveillance

surveillance state NSA-reform PCLOB implementations

shared by Paul Merrell on 02 Feb 15 - No Cached
  • The presidential advisory board on privacy that recommended a slew of domestic surveillance reforms in the wake of the Edward Snowden revelations reported today that many of its suggestions have been agreed to “in principle” by the Obama administration, but in practice, very little has changed. Most notably, the Privacy and Civil Liberties Oversight Board called attention to the obvious fact that one full year after it concluded that the government’s bulk collection of metadata on domestic telephone calls is illegal and unproductive, the program continues apace. “The Administration accepted our recommendation in principle. However, it has not ended the bulk telephone records program on its own, opting instead to seek legislation to create an alternative to the existing program,” the report notes.
  • And while Congress has variously debated, proposed, neutered, and failed to agree on any action, the report’s authors point the finger of blame squarely at President Obama. “It should be noted that the Administration can end the bulk telephone records program at any time, without congressional involvement,” the report says. Obama said a year ago that he favored an end to the government collection of those records if an alternative — such as keeping the records at the telephone companies, or with a third party — still allowed them to be searchable by the government. The White House was recently said to be “still considering” the matter. The board noted that Obama has accepted some, but not all, of the privacy safeguards it recommended — somewhat reducing the ease and depth with which National Security Agency agents can dig through the domestic data, but not, for instance, agreeing to delete the data after three years, instead of five.
  • A year ago, the board also recommended that Congress enact legislation enabling the secretive Foreign Intelligence Surveillance Court, which currently approves both specific and blanket warrant applications without allowing anyone to argue otherwise, to hear independent views. It recommended more appellate reviews of that court’s rulings. There’s been no progress on either front. A year ago, the board recommended that “the scope of surveillance authorities affecting Americans should be public,” and that the intelligence community should “develop principles and criteria for the public articulation of the legal authorities under which it conducts surveillance affecting Americans.” Something is apparently brewing in that area, but it’s not entirely clear what. “Intelligence Community representatives have advised us that they are committed to implementing this recommendation,” with principles “that they will soon be releasing,” the report says.
  • ...2 more annotations...
  • But one recommendation in particular – that the intelligence community develop some sort of methodology to assess whether any of this stuff is actually doing any good — has been notably “not implemented.” “Determining the efficacy and value of particular counterterrorism programs is critical,” the board says. “Without such determinations, policymakers and courts cannot effectively weigh the interests of the government in conducting a program against the intrusions on privacy and civil liberties that it may cause.”
  • The presidential advisory board on privacy that recommended a slew of domestic surveillance reforms in the wake of the Edward Snowden revelations reported today that many of its suggestions have been agreed to “in principle” by the Obama administration, but in practice, very little has changed. Most notably, the Privacy and Civil Liberties Oversight Board called attention to the obvious fact that one full year after it concluded that the government’s bulk collection of metadata on domestic telephone calls is illegal and unproductive, the program continues apace. “The Administration accepted our recommendation in principle. However, it has not ended the bulk telephone records program on its own, opting instead to seek legislation to create an alternative to the existing program,” the report notes.
Paul Merrell

Germany's Spies Store 11 Billion Pieces Of Phone Metadata A Year -- And Pass On 6 Billi... - 0 views

www.techdirt.com/...ar-pass-6-billion-to-nsa.shtml

surveillance state NSA Germany BND phone-metadata

shared by Paul Merrell on 07 Feb 15 - No Cached
  • Given Germany's high-profile attachment to privacy, it's always interesting to hear about ways in which its spies have been ignoring that tradition. Here, for example, is a story in the German newspaper Die Zeit about the country's foreign intelligence agency BND gathering metadata from millions of phone records every day: Zeit Online has learned from secret BND documents that five agency locations are involved in gathering huge amounts of metadata. Metadata vacuumed up across the world -- 220 million pieces of it every single day -- flows into BND branch offices in the German towns of Schöningen, Reinhausen, Bad Aibling and Gablingen. There, they are stored for between a week and six months and sorted according to still-unknown criteria. Exactly where the BND obtains the data remains unclear. The Bundestag [German parliament] committee investigating the NSA spying scandal has uncovered that the German intelligence agency intercepts communications traveling via both satellites and Internet cables. The 220 million metadata are only one part of what is amassed from these eavesdropping activities. It is certain that the metadata only come from "foreign dialed traffic," in other words, from telephone conversations and text messages that are held and sent via mobile telephony and satellites.
  • As in the US and UK, the German spies attempt to pull the "it's only metadata, so it's not surveillance" trick: Many people don't realize how much information can be derived from metadata -- and the BND is working hard to keep it that way. For example, during hearings before the Bundestag committee investigating the NSA affair, intelligence officials have consistently spoken about "routine traffic" whenever they have actually meant metadata. Given that the German word for "traffic" is the same as that for "intercourse," this has sounded more like bad sex and has aimed to obscure the fact that hidden behind it was comprehensive, groundless and massive surveillance. What's more, the officials have argued that they are permitted to vacuum up this kind of routine traffic all over the world without any restrictions and to use it as they see fit. However, Peter Schaar doesn't share this view at all. Instead, the German government's former commissioner for data protection and freedom of information believes that metadata should also be protected by the basic right of privacy of correspondence, posts and telecommunications guaranteed by Article 10 of Germany’s Basic Law.
  • This long and interesting report is important for the insight it gives us about what the BND is up to -- despite Germany's stringent laws -- as well as the news that the German intelligence service passes 500 million pieces of metadata to the NSA every month. General Michael Hayden, former director of the NSA and the CIA, famously said: "We kill people based on metadata." That means privacy-loving Germany could be implicated in some of those deaths. And there's another aspect to the story worth noting. Nowhere does Die Zeit say that this information comes from Edward Snowden. Once again, it looks as if his example is inspiring others to shine a little light on the murky world of surveillance.
Paul Merrell

Tomgram: Shamsi and Harwood, An Electronic Archipelago of Domestic Surveillance | TomDi... - 0 views

www.tomdispatch.com/...elago_of_domestic_surveillance

surveillance state civil-liberties shadow-ID watchlists

shared by Paul Merrell on 07 Nov 14 - No Cached
  • Uncle Sam’s Databases of Suspicion A Shadow Form of National ID
  • We do know that the nation’s domestic-intelligence network is massive, including at least 59 federal agencies, over 300 Defense Department units, and approximately 78 state-based fusion centers, as well as the multitude of law enforcement agencies they serve. We also know that local law enforcement agencies have themselves raised concerns about the system’s lack of privacy protections.
  • The SAR database is part of an ever-expanding domestic surveillance system established after 9/11 to gather intelligence on potential terrorism threats. At an abstract level, such a system may seem sensible: far better to prevent terrorism before it happens than to investigate and prosecute after a tragedy. Based on that reasoning, the government exhorts Americans to “see something, say something” -- the SAR program’s slogan. Indeed, just this week at a conference in New York City, FBI Director James Comey asked the public to report any suspicions they have to authorities. “When the hair on the back of your neck stands, listen to that instinct and just tell somebody,” said Comey. And seeking to reassure those who do not want to get their fellow Americans in trouble based on instinct alone, the FBI director added, “We investigate in secret for a very good reason, we don't want to smear innocent people.”
  • ...15 more annotations...
  • There are any number of problems with this approach, starting with its premise.  Predicting who exactly is a future threat before a person has done anything wrong is a perilous undertaking. That’s especially the case if the public is encouraged to report suspicions of neighbors, colleagues, and community members based on a “hair-on-the-back-of-your-neck” threshold. Nor is it any comfort that the FBI promises to protect the innocent by investigating “suspicious” people in secret. The civil liberties and privacy implications are, in fact, truly hair-raising, particularly when the Bureau engages in abusive and discriminatory sting operations and other rights violations.
  • At a fundamental level, suspicious activity reporting, as well as the digital and physical infrastructure of networked computer servers and fusion centers built around it, depends on what the government defines as suspicious.  As it happens, this turns out to include innocuous, First Amendment-protected behavior. As a start, a little history: the Nationwide Suspicious Activity Reporting Initiative was established in 2008 as a way for federal agencies, law enforcement, and the public to report and share potential terrorism-related information. The federal government then developed a list of 16 behaviors that it considered “reasonably indicative of criminal activity associated with terrorism.” Nine of those 16 behaviors, as the government acknowledges, could have nothing to do with criminal activity and are constitutionally protected, including snapping photographs, taking notes, and “observation through binoculars.”
  • Under federal regulations, the government can only collect and maintain criminal intelligence information on an individual if there is a “reasonable suspicion” that he or she is “involved in criminal conduct or activity and the information is relevant to that criminal conduct or activity.” The SAR program officially lowered that bar significantly, violating the federal government’s own guidelines for maintaining a “criminal intelligence system.” There’s good reason for, at a minimum, using a reasonable suspicion standard. Anything less and it’s garbage in, garbage out, meaning counterterrorism “intelligence” databases become anything but intelligent.
  • Law enforcement officials, including the Los Angeles Police Department’s top counterterrorism officer, have themselves exhibited skepticism about suspicious activity reporting (out of concern with the possibility of overloading the system). In 2012, George Washington University’s Homeland Security Policy Institute surveyed counterterrorism personnel working in fusion centers and in a report generally accepting of SARs noted that the program had “flooded fusion centers, law enforcement, and other security outfits with white noise,” complicating “the intelligence process” and distorting “resource allocation and deployment decisions.” In other words, it was wasting time and sending personnel off on wild goose chases.
  • A few months later, a scathing report from the Senate subcommittee on homeland security described similar intelligence problems in state-based fusion centers. It found that Department of Homeland Security (DHS) personnel assigned to the centers “forwarded ‘intelligence’ of uneven quality -- oftentimes shoddy, rarely timely, sometimes endangering citizens’ civil liberties and Privacy Act protections... and more often than not unrelated to terrorism.”
  • yet another burgeoning secret database that the federal government calls its “consolidated terrorism watchlist.” Inclusion in this database -- and on government blacklists that are generated from it -- can bring more severe repercussions than unwarranted law enforcement attention. It can devastate lives.
  • As of August 2013, there were approximately 47,000 people, including 800 U.S. citizens and legal permanent residents like Mashal, on that secretive no-fly list, all branded as “known or suspected terrorists.” All were barred from flying to, from, or over the United States without ever being given a reason why. On 9/11, just 16 names had been on the predecessor “no transport” list. The resulting increase of 293,650% -- perhaps more since 2013 -- isn’t an accurate gauge of danger, especially given that names are added to the list based on vague, broad, and error-prone standards.
  • There is hope, however. In August, four years after the ACLU filed a lawsuit on behalf of 13 people on the no-fly list, a judge ruled that the government’s redress system is unconstitutional. In early October, the government notified Mashal and six others that they were no longer on the list. Six of the ACLU’s clients remain unable to fly, but at least the government now has to disclose just why they have been put in that category, so that they can contest their blacklisting. Soon, others should have the same opportunity.
  • The No Fly List is only the best known of the government’s web of terrorism watchlists. Many more exist, derived from the same master list.  Currently, there are more than one million names in the Terrorist Identities Datamart Environment, a database maintained by the National Counterterrorism Center. This classified source feeds the Terrorist Screening Database (TSDB), operated by the FBI’s Terrorist Screening Center. The TSDB is an unclassified but still secret list known as the “master watchlist.” containing what the government describes as “known or suspected terrorists,” or KSTs.
  • Nothing encapsulates the post-9/11, Alice-in-Wonderland inversion of American notions of due process more strikingly than this “blacklist first, innocence later... maybe” mindset. The Terrorist Screening Database is then used to fill other lists. In the context of aviation, this means the no-fly list, as well as the selectee and expanded selectee lists. Transportation security agents subject travelers on the latter two lists to extra screenings, which can include prolonged and invasive interrogation and searches of laptops, phones, and other electronic devices. Around the border, there’s the State Department’s Consular Lookout and Support System, which it uses to flag people it thinks shouldn’t get a visa, and the TECS System, which Customs and Border Protection uses to determine whether someone can enter the country.
  • According to documents recently leaked to the Intercept, as of August 2013 that master watchlist contained 680,000 people, including 5,000 U.S. citizens and legal permanent residents. The government can add people’s names to it according to a shaky “reasonable suspicion” standard. There is, however, growing evidence that what’s “reasonable” to the government may only remotely resemble what that word means in everyday usage. Information from a single source, even an uncorroborated Facebook post, can allow a government agent to watchlist an individual with virtually no outside scrutiny. Perhaps that’s why 40% of those on the master watchlist have “no recognized terrorist group affiliation,” according to the government’s own records.
  • Inside the United States, no watchlist may be as consequential as the one that goes by the moniker of the Known or Appropriately Suspected Terrorist File. The names on this blacklist are shared with more than 17,000 state, local, and tribal police departments nationwide through the FBI’s National Crime Information Center (NCIC). Unlike any other information disseminated through the NCIC, the KST File reflects mere suspicion of involvement with criminal activity, so law enforcement personnel across the country are given access to a database of people who have secretly been labeled terrorism suspects with little or no actual evidence, based on virtually meaningless criteria.
  • This opens up the possibility of increased surveillance and tense encounters with the police, not to speak of outright harassment, for a large but undivulged number of people. When a police officer stops a person for a driving infraction, for instance, information about his or her KST status will pop up as soon a driver’s license is checked.  According to FBI documents, police officers who get a KST hit are warned to “approach with caution” and “ask probing questions.” When officers believe they’re about to go face to face with a terrorist, bad things can happen. It’s hardly a stretch of the imagination, particularly after a summer of police shootings of unarmed men, to suspect that an officer approaching a driver whom he believes to be a terrorist will be quicker to go for his gun. Meanwhile, the watchlisted person may never even know why his encounters with police have taken such a peculiar and menacing turn. According to the FBI's instructions, under no circumstances is a cop to tell a suspect that he or she is on a watchlist.
  • And once someone is on this watchlist, good luck getting off it. According to the government’s watchlist rulebook, even a jury can’t help you. “An individual who is acquitted or against whom charges are dismissed for a crime related to terrorism,” it reads, “may nevertheless meet the reasonable standard and appropriately remain on, or be nominated to, the Terrorist Watchlist.” No matter the verdict, suspicion lasts forever.
  • The SARs program and the consolidated terrorism watchlist are just two domestic government databases of suspicion. Many more exist. Taken together, they should be seen as a new form of national ID for a growing group of people accused of no crime, who may have done nothing wrong, but are nevertheless secretly labeled by the government as suspicious or worse. Innocent until proven guilty has been replaced with suspicious until determined otherwise. Think of it as a new shadow system of national identification for a shadow government that is increasingly averse to operating in the light. It’s an ID its “owners” don’t carry around with them, yet it’s imposed on them whenever they interact with government agents or agencies. It can alter their lives in disastrous ways, often without their knowledge. And they could be you. If this sounds dystopian, that’s because it is.
Paul Merrell

Cy Vance's Proposal to Backdoor Encrypted Devices Is Riddled With Vulnerabilities | Jus... - 0 views

www.justsecurity.org/...evices-riddled-vulnerabilities

surveillance state encryption-backdoors Vance tyranny right-to-whisper

shared by Paul Merrell on 11 Dec 15 - No Cached
  • Less than a week after the attacks in Paris — while the public and policymakers were still reeling, and the investigation had barely gotten off the ground — Cy Vance, Manhattan’s District Attorney, released a policy paper calling for legislation requiring companies to provide the government with backdoor access to their smartphones and other mobile devices. This is the first concrete proposal of this type since September 2014, when FBI Director James Comey reignited the “Crypto Wars” in response to Apple’s and Google’s decisions to use default encryption on their smartphones. Though Comey seized on Apple’s and Google’s decisions to encrypt their devices by default, his concerns are primarily related to end-to-end encryption, which protects communications that are in transit. Vance’s proposal, on the other hand, is only concerned with device encryption, which protects data stored on phones. It is still unclear whether encryption played any role in the Paris attacks, though we do know that the attackers were using unencrypted SMS text messages on the night of the attack, and that some of them were even known to intelligence agencies and had previously been under surveillance. But regardless of whether encryption was used at some point during the planning of the attacks, as I lay out below, prohibiting companies from selling encrypted devices would not prevent criminals or terrorists from being able to access unbreakable encryption. Vance’s primary complaint is that Apple’s and Google’s decisions to provide their customers with more secure devices through encryption interferes with criminal investigations. He claims encryption prevents law enforcement from accessing stored data like iMessages, photos and videos, Internet search histories, and third party app data. He makes several arguments to justify his proposal to build backdoors into encrypted smartphones, but none of them hold water.
  • Before addressing the major privacy, security, and implementation concerns that his proposal raises, it is worth noting that while an increase in use of fully encrypted devices could interfere with some law enforcement investigations, it will help prevent far more crimes — especially smartphone theft, and the consequent potential for identity theft. According to Consumer Reports, in 2014 there were more than two million victims of smartphone theft, and nearly two-thirds of all smartphone users either took no steps to secure their phones or their data or failed to implement passcode access for their phones. Default encryption could reduce instances of theft because perpetrators would no longer be able to break into the phone to steal the data.
  • Vance argues that creating a weakness in encryption to allow law enforcement to access data stored on devices does not raise serious concerns for security and privacy, since in order to exploit the vulnerability one would need access to the actual device. He considers this an acceptable risk, claiming it would not be the same as creating a widespread vulnerability in encryption protecting communications in transit (like emails), and that it would be cheap and easy for companies to implement. But Vance seems to be underestimating the risks involved with his plan. It is increasingly important that smartphones and other devices are protected by the strongest encryption possible. Our devices and the apps on them contain astonishing amounts of personal information, so much that an unprecedented level of harm could be caused if a smartphone or device with an exploitable vulnerability is stolen, not least in the forms of identity fraud and credit card theft. We bank on our phones, and have access to credit card payments with services like Apple Pay. Our contact lists are stored on our phones, including phone numbers, emails, social media accounts, and addresses. Passwords are often stored on people’s phones. And phones and apps are often full of personal details about their lives, from food diaries to logs of favorite places to personal photographs. Symantec conducted a study, where the company spread 50 “lost” phones in public to see what people who picked up the phones would do with them. The company found that 95 percent of those people tried to access the phone, and while nearly 90 percent tried to access private information stored on the phone or in other private accounts such as banking services and email, only 50 percent attempted contacting the owner.
  • ...8 more annotations...
  • In addition to his weak reasoning for why it would be feasible to create backdoors to encrypted devices without creating undue security risks or harming privacy, Vance makes several flawed policy-based arguments in favor of his proposal. He argues that criminals benefit from devices that are protected by strong encryption. That may be true, but strong encryption is also a critical tool used by billions of average people around the world every day to protect their transactions, communications, and private information. Lawyers, doctors, and journalists rely on encryption to protect their clients, patients, and sources. Government officials, from the President to the directors of the NSA and FBI, and members of Congress, depend on strong encryption for cybersecurity and data security. There are far more innocent Americans who benefit from strong encryption than there are criminals who exploit it. Encryption is also essential to our economy. Device manufacturers could suffer major economic losses if they are prohibited from competing with foreign manufacturers who offer more secure devices. Encryption also protects major companies from corporate and nation-state espionage. As more daily business activities are done on smartphones and other devices, they may now hold highly proprietary or sensitive information. Those devices could be targeted even more than they are now if all that has to be done to access that information is to steal an employee’s smartphone and exploit a vulnerability the manufacturer was required to create.
  • Privacy is another concern that Vance dismisses too easily. Despite Vance’s arguments otherwise, building backdoors into device encryption undermines privacy. Our government does not impose a similar requirement in any other context. Police can enter homes with warrants, but there is no requirement that people record their conversations and interactions just in case they someday become useful in an investigation. The conversations that we once had through disposable letters and in-person conversations now happen over the Internet and on phones. Just because the medium has changed does not mean our right to privacy has.
  • Vance attempts to downplay this serious risk by asserting that anyone can use the “Find My Phone” or Android Device Manager services that allow owners to delete the data on their phones if stolen. However, this does not stand up to scrutiny. These services are effective only when an owner realizes their phone is missing and can take swift action on another computer or device. This delay ensures some period of vulnerability. Encryption, on the other hand, protects everyone immediately and always. Additionally, Vance argues that it is safer to build backdoors into encrypted devices than it is to do so for encrypted communications in transit. It is true that there is a difference in the threats posed by the two types of encryption backdoors that are being debated. However, some manner of widespread vulnerability will inevitably result from a backdoor to encrypted devices. Indeed, the NSA and GCHQ reportedly hacked into a database to obtain cell phone SIM card encryption keys in order defeat the security protecting users’ communications and activities and to conduct surveillance. Clearly, the reality is that the threat of such a breach, whether from a hacker or a nation state actor, is very real. Even if companies go the extra mile and create a different means of access for every phone, such as a separate access key for each phone, significant vulnerabilities will be created. It would still be possible for a malicious actor to gain access to the database containing those keys, which would enable them to defeat the encryption on any smartphone they took possession of. Additionally, the cost of implementation and maintenance of such a complex system could be high.
  • Vance also suggests that the US would be justified in creating such a requirement since other Western nations are contemplating requiring encryption backdoors as well. Regardless of whether other countries are debating similar proposals, we cannot afford a race to the bottom on cybersecurity. Heads of the intelligence community regularly warn that cybersecurity is the top threat to our national security. Strong encryption is our best defense against cyber threats, and following in the footsteps of other countries by weakening that critical tool would do incalculable harm. Furthermore, even if the US or other countries did implement such a proposal, criminals could gain access to devices with strong encryption through the black market. Thus, only innocent people would be negatively affected, and some of those innocent people might even become criminals simply by trying to protect their privacy by securing their data and devices. Finally, Vance argues that David Kaye, UN Special Rapporteur for Freedom of Expression and Opinion, supported the idea that court-ordered decryption doesn’t violate human rights, provided certain criteria are met, in his report on the topic. However, in the context of Vance’s proposal, this seems to conflate the concepts of court-ordered decryption and of government-mandated encryption backdoors. The Kaye report was unequivocal about the importance of encryption for free speech and human rights. The report concluded that:
  • States should promote strong encryption and anonymity. National laws should recognize that individuals are free to protect the privacy of their digital communications by using encryption technology and tools that allow anonymity online. … States should not restrict encryption and anonymity, which facilitate and often enable the rights to freedom of opinion and expression. Blanket prohibitions fail to be necessary and proportionate. States should avoid all measures that weaken the security that individuals may enjoy online, such as backdoors, weak encryption standards and key escrows. Additionally, the group of intelligence experts that was hand-picked by the President to issue a report and recommendations on surveillance and technology, concluded that: [R]egarding encryption, the U.S. Government should: (1) fully support and not undermine efforts to create encryption standards; (2) not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and (3) increase the use of encryption and urge US companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage.
  • The clear consensus among human rights experts and several high-ranking intelligence experts, including the former directors of the NSA, Office of the Director of National Intelligence, and DHS, is that mandating encryption backdoors is dangerous. Unaddressed Concerns: Preventing Encrypted Devices from Entering the US and the Slippery Slope In addition to the significant faults in Vance’s arguments in favor of his proposal, he fails to address the question of how such a restriction would be effectively implemented. There is no effective mechanism for preventing code from becoming available for download online, even if it is illegal. One critical issue the Vance proposal fails to address is how the government would prevent, or even identify, encrypted smartphones when individuals bring them into the United States. DHS would have to train customs agents to search the contents of every person’s phone in order to identify whether it is encrypted, and then confiscate the phones that are. Legal and policy considerations aside, this kind of policy is, at the very least, impractical. Preventing strong encryption from entering the US is not like preventing guns or drugs from entering the country — encrypted phones aren’t immediately obvious as is contraband. Millions of people use encrypted devices, and tens of millions more devices are shipped to and sold in the US each year.
  • Finally, there is a real concern that if Vance’s proposal were accepted, it would be the first step down a slippery slope. Right now, his proposal only calls for access to smartphones and devices running mobile operating systems. While this policy in and of itself would cover a number of commonplace devices, it may eventually be expanded to cover laptop and desktop computers, as well as communications in transit. The expansion of this kind of policy is even more worrisome when taking into account the speed at which technology evolves and becomes widely adopted. Ten years ago, the iPhone did not even exist. Who is to say what technology will be commonplace in 10 or 20 years that is not even around today. There is a very real question about how far law enforcement will go to gain access to information. Things that once seemed like merely science fiction, such as wearable technology and artificial intelligence that could be implanted in and work with the human nervous system, are now available. If and when there comes a time when our “smart phone” is not really a device at all, but is rather an implant, surely we would not grant law enforcement access to our minds.
  • Policymakers should dismiss Vance’s proposal to prohibit the use of strong encryption to protect our smartphones and devices in order to ensure law enforcement access. Undermining encryption, regardless of whether it is protecting data in transit or at rest, would take us down a dangerous and harmful path. Instead, law enforcement and the intelligence community should be working to alter their skills and tactics in a fast-evolving technological world so that they are not so dependent on information that will increasingly be protected by encryption.
Paul Merrell

How Many Americans Does The N.S.A. Spy On? A Lot of Them : The New Yorker - 0 views

www.newyorker.com/...-nsa-spy-on-a-lot-of-them.html

surveillance state NSA Obama lies

shared by Paul Merrell on 06 Sep 13 - No Cached
  • but reading the new documents, which include a secret FISA court order that amounts to a gift certificate for one year of warrant-free spying, it becomes clear that many more “United States persons” have their communications monitored, and on much vaguer grounds, than the Obama Administration has acknowledged. “What I can say unequivocally is that, if you are a U.S. person, the N.S.A. cannot listen to your telephone calls, and the N.S.A. cannot target your e-mails,” the President said earlier this week. A 2009 memorandum signed by Eric Holder establishes a broader criteria, referring to people “reasonably believed” to be located abroad. That reasonable belief, as it turns out, can be quite shaky. Among the information that the N.S.A. is told to use includes having had a phone or e-mail connection with a person “associated with a foreign power or foreign territory,” or being in the “‘buddy list’ or address book” of such a person. It won’t be lost on anyone that Americans whose families include recent immigrants will be disproportionately vulnerable to such intrusions. (So, incidentally, will journalists.) The defaults in the analysis are telling: a person
  • whose location is unknown, will not be treated as a United States person unless such person can be positively identified as such, or the nature or circumstances of the person’s give rise to a reasonable belief that such person is a United States person. (The extent to which the N.S.A. can spy on a wide range of foreigners is its own, important discussion.) The criteria also show the interaction of various N.S.A. programs: the Administration has defended the collection of telephony metadata by saying that if it ever produces an interesting match, investigators would have to go to court to get a proper warrant to look more closely. But metadata is mentioned in these documents as a basis for picking a target for the surveillance under what appears to be a blanket FISA order—not an individualized one.
  • And what happens when the N.S.A. realizes that it is reading and listening to an American’s communications? It is supposed to stop, at least until it gets a different kind of FISA order—which, based on what it has already heard, may be all the easier. And if it finds something that is interesting in any one of a half-dozen ways, it can analyze the communications further, and hold on to them for five years. Maybe an American’s e-mails contain “significant foreign intelligence information”; or maybe they don’t, but are “reasonably believed” to contain evidence of a crime. There are a lot of crimes on the books, and the N.S.A. is also allowed to count one it thinks might be “about to be committed.” It can also “disseminate” the information to other agencies, and find out more about the American if it seems that the person might have access to secrets, or be a target of foreigners, or just do business with them. This includes communications between someone under indictment and his or her lawyer—the words can’t be used in a prosecution, but can be to gather intelligence. And what the N.S.A. happens to see can also be used in leak investigations. Does this still seem too narrow, not enough to keep us all safe? The documents note that the private data of Americans that the N.S.A. can hold on to “include electronic communications acquired because of limitations on NSA’S ability to filter communications.” In other words, if it fails to fine-tune its targeting, it can keep what it sweeps up anyway. Also, if the N.S.A. decides on its own that there is an “immediate threat,” it can temporarily put all these minimization procedures aside and figure it out later.
  • ...1 more annotation...
  • These documents were classified: they shouldn’t have been. The N.S.A. can look for certain secrets and keep them. But Americans shouldn’t have to listen to the President with an ear for what words like “targeted” really mean. (Even by that standard, the Administration has not been forthright.) We get to know what the rules are—so we, and not just a secret court, can tell when they are being broken.
Paul Merrell

ACLU files new lawsuit over Obama administration drone 'kill list' | World news | The G... - 0 views

www.theguardian.com/...administration-drone-kill-list

war & peace U.S.-foreign-policy drone attacks Obama criteria FOIA litigation ACLU

shared by Paul Merrell on 17 Mar 15 - No Cached
  • As the US debates expanding its campaign against the Islamic State beyond Iraq and Syria, the leading US civil liberties group is intensifying its efforts to force transparency about lethal US counterterrorism strikes and authorities. On Monday, the American Civil Liberties Union (ACLU) will file a disclosure lawsuit for secret Obama administration documents specifying, among other things, the criteria for placement on the so-called “kill list” for drone strikes and other deadly force. Information sought by the ACLU includes long-secret analyses establishing the legal basis for what the administration terms its “targeted killing program” and the process by which the administration determines that civilians are unlikely to be killed before launching a strike, as well as verification mechanisms afterward to establish if the strike in fact has caused civilian deaths.
  • “Over the last few years, the US government has used armed drones to kill thousands of people, including hundreds of civilians. The public should know who the government is killing, and why it’s killing them,” Jameel Jaffer, deputy legal director for the ACLU, told the Guardian.
  • The ACLU suit proceeds after the Obama administration disclosed none of the lethal counterterrorism documentation through a Freedom of Information Act request the civil liberties group launched in October 2013. According to the new lawsuit, the departments of state, justice and defense, as well as the CIA, have stonewalled the ACLU’s requests for nearly 18 months. Recent legal history suggests the ACLU is in for an uphill court struggle. The Obama administration, which has called itself the most transparent in history, has thus far repelled or delayed ACLU lawsuits for disclosure around drone strikes and the 2011 assassination of Anwar al-Awlaki, a US citizen and al-Qaida propagandist. Additionally, the administration is fighting the ACLU on the legality of its bulk surveillance activities and to prevent the release of thousands of graphic photographs detailing Bush-era torture by the CIA and military. Yet the administration has seen the courts chip away at its blanket denials of documents sought by the ACLU. Most of the intelligence community’s disclosures of surveillance memos since Edward Snowden’s revelations have followed the administration’s courtroom losses to the ACLU and other civil-liberties groups. In June, the second circuit court of appeals forced the Department of Justice to release much of a critical 2010 memo blessing the killing of Awlaki. (The ACLU is seeking the release of 10 more major intelligence memos related to targeted killing.)
Gary Edwards

Is The US Using Prism To Engage In Commercial Espionage Against Germany And Others? | T... - 1 views

www.techdirt.com/...e-against-germany-others.shtml

NSA-Patriot-Act-NDAA

shared by Gary Edwards on 07 Aug 13 - No Cached
  • Gary Edwards on 07 Aug 13
     
    Meanwhile, illegal NSA spying is expected to cost USA Cloud Computing companies $35 Billion in lost sales and services. "whistleblower Edward Snowden worked for the CIA, rather than the NSA. Here's the original text in the Guardian: By 2007, the CIA stationed him with diplomatic cover in Geneva, Switzerland. His responsibility for maintaining computer network security meant he had clearance to access a wide array of classified documents. That access, along with the almost three years he spent around CIA officers, led him to begin seriously questioning the rightness of what he saw. He described as formative an incident in which he claimed CIA operatives were attempting to recruit a Swiss banker to obtain secret banking information. Snowden said they achieved this by purposely getting the banker drunk and encouraging him to drive home in his car. When the banker was arrested for drunk driving, the undercover agent seeking to befriend him offered to help, and a bond was formed that led to successful recruitment. In that quotation, there's the nugget of information that the CIA was not targeting terrorists on this occasion, at least not directly, but "attempting to recruit a Swiss banker to obtain secret banking information". That raises an interesting possibility for the heightened interest in Germany, as revealed by Boundless Informant. Given that the NSA is gathering information on a large scale -- even though we don't know exactly how large -- it's inevitable that some of that data will include sensitive information about business activities in foreign countries. That could be very handy for US companies seeking to gain a competitive advantage, and it's not hard to imagine the NSA passing it on in a suitably discreet way. Germany is known as the industrial and economic powerhouse of Europe, so it would make sense to keep a particularly close eye on what people are doing there -- especially if those people happen to work in companies that compete with US firms.
  • Paul Merrell on 08 Aug 13
     
    Closely related: see http://www.theguardian.com/business/2013/aug/02/telecoms-bt-vodafone-cables-gchq (,) an article on British telecom's collaboration with wiretapping by the UK's counterpart to the NSA, GCHQ. According to an inside source: "The source said analysts used four criteria for determining what was examined: security, terror, organised crime and Britain's economic wellbeing." I also recall that years ago during the furor over the Echelon system, an EU Parliament investigation had concluded that there were concrete instances of commercial intelligence being passed on by NSA to American companies. Specifically, I recall a finding that during development of the AirBus, details of its design had been intercepted by NSA and passed on to Boeing. There was testimony received that more generically discussed the types of economic surveillance conducted. http://cryptome.org/echelon-nh.htm (page search for "economic"). The same researcher stressed that in public statements: "Those targets like terrorism and weapons transport are used as a cover for the traditional areas of spying, the predominant areas of spying, which are political, diplomatic, economic and military."
Paul Merrell

Privacy Board Urges New Criteria for Secrecy - Secrecy News - 0 views

blogs.fas.org/...pclob-secrecy

surveillance state NSA Privacy-Oversight-Board 215 unlawful

shared by Paul Merrell on 24 Jan 14 - No Cached
  • The public controversy that erupted over NSA bulk collection of Americans’ telephone records was a clear sign, if one were needed, that the boundaries of government secrecy had been drawn incorrectly, and that the public had been wrongly denied an opportunity to grant or withhold its consent in such cases. To remedy this systemic problem, the Privacy and Civil Liberties Oversight Board said in a new report yesterday that the government needs to develop new criteria for secrecy and openness.
  • “The Board concludes that Section 215 [of the USA Patriot Act] does not provide an adequate legal basis to support this [bulk collection] program. Because the program is not statutorily authorized, it must be ended,” the report said. Even in the absence of overt abuse, it was argued, the mere collection of American telephone records in bulk is an infringement on privacy and other civil liberties. “Permitting the government to routinely collect the calling records of the entire nation fundamentally shifts the balance of power between the state and its citizens.” While there are procedures in place to limit the official use of such records, “in our view they cannot fully ameliorate the implications for privacy, speech, and association that follow from the government’s ongoing collection of virtually all telephone records of every American. Any governmental program that entails such costs requires a strong showing of efficacy. We do not believe the NSA’s telephone records program conducted under Section 215 meets that standard.”
  • If the bulk collection program were demonstrably effective in saving lives, the report implied, then certain infringements on privacy might well be warranted. But that is not the case, the Board majority concluded. “Given the limited value this [bulk collection] program has demonstrated to date… we find little reason to expect that it is likely to provide significant value, much less essential value, in safeguarding the nation in the future,” the Board report said.
Paul Merrell

Blacklisted: The Secret Government Rulebook For Labeling You a TerroristThe Intercept - 0 views

firstlook.org/...blacklisted

surveillance state U.S. terrorist-watch-lists rulebook

shared by Paul Merrell on 26 Jul 14 - No Cached
  • The Obama administration has quietly approved a substantial expansion of the terrorist watchlist system, authorizing a secret process that requires neither “concrete facts” nor “irrefutable evidence” to designate an American or foreigner as a terrorist, according to a key government document obtained by The Intercept. The “March 2013 Watchlisting Guidance,” a 166-page document issued last year by the National Counterterrorism Center, spells out the government’s secret rules for putting individuals on its main terrorist database, as well as the no fly list and the selectee list, which triggers enhanced screening at airports and border crossings. The new guidelines allow individuals to be designated as representatives of terror organizations without any evidence they are actually connected to such organizations, and it gives a single White House official the unilateral authority to place entire “categories” of people the government is tracking onto the no fly and selectee lists. It broadens the authority of government officials to “nominate” people to the watchlists based on what is vaguely described as “fragmentary information.” It also allows for dead people to be watchlisted. Over the years, the Obama and Bush Administrations have fiercely resisted disclosing the criteria for placing names on the databases—though the guidelines are officially labeled as unclassified. In May, Attorney General Eric Holder even invoked the state secrets privilege to prevent watchlisting guidelines from being disclosed in litigation launched by an American who was on the no fly list. In an affidavit, Holder called them a “clear roadmap” to the government’s terrorist-tracking apparatus, adding: “The Watchlisting Guidance, although unclassified, contains national security information that, if disclosed … could cause significant harm to national security.”
  • The rulebook, which The Intercept is publishing in full, was developed behind closed doors by representatives of the nation’s intelligence, military, and law-enforcement establishment, including the Pentagon, CIA, NSA, and FBI. Emblazoned with the crests of 19 agencies, it offers the most complete and revealing look into the secret history of the government’s terror list policies to date. It reveals a confounding and convoluted system filled with exceptions to its own rules, and it relies on the elastic concept of “reasonable suspicion” as a standard for determining whether someone is a possible threat. Because the government tracks “suspected terrorists” as well as “known terrorists,” individuals can be watchlisted if they are suspected of being a suspected terrorist, or if they are suspected of associating with people who are suspected of terrorism activity. “Instead of a watchlist limited to actual, known terrorists, the government has built a vast system based on the unproven and flawed premise that it can predict if a person will commit a terrorist act in the future,” says Hina Shamsi, the head of the ACLU’s National Security Project. “On that dangerous theory, the government is secretly blacklisting people as suspected terrorists and giving them the impossible task of proving themselves innocent of a threat they haven’t carried out.” Shamsi, who reviewed the document, added, “These criteria should never have been kept secret.”
Paul Merrell

Who Is Watching the Watch Lists? - NYTimes.com - 0 views

www.nytimes.com/...-watching-the-watch-lists.html

surveillance state terrorist-watch-lists litigation

shared by Paul Merrell on 02 Dec 13 - No Cached
  • GOVERNMENTS wade into treacherous waters when they compile lists of people who might cause their countries harm. As fears about Japanese-Americans and Communists have demonstrated in the past, predictions about individual behavior are often inaccurate, the motivations for list-making aren’t always noble and concerns about threats are frequently overblown.
  • So it might seem that current efforts to identify and track potential terrorists would be approached with caution. Yet the federal government’s main terrorist watch list has grown to at least 700,000 people, with little scrutiny over how the determinations are made or the impact on those marked with the terrorist label.
  • What’s more, the government refuses to confirm or deny whether someone is on the list, officially called the Terrorist Screening Database, or divulge the criteria used to make the decisions — other than to say the database includes “individuals known or suspected to be or have been engaged in conduct constituting, in preparation for, in aid of, or related to terrorism and terrorist activities.” Even less is known about the secondary watch lists that are derived from the main one, including the no-fly list (used to prevent people from boarding aircraft), the selectee and expanded selectee lists (used to flag travelers for extra screening at airport checkpoints), the TECS database (used to vet people entering or leaving the United States), the Consular Lookout and Support System (used to screen visa applications) and the known or suspected terrorists list (used by law enforcement in routine police encounters). For people who have landed on these lists, the terrorist designation has been difficult to challenge legally — although that may be about to change. On Monday, a lawsuit brought by a traveler seeking removal of her name from the no-fly list, or at least due process to challenge that list, is going to trial in Federal District Court in San Francisco, after almost eight years of legal wrangling.
  • ...1 more annotation...
  • “We’ve tried to get discovery into whether our client has been surveilled and have been shut down on that,” said Elizabeth Pipkin, a lawyer with McManis Faulkner, the firm representing Ms. Ibrahim pro bono. “They won’t answer that question for us.” The government says that revealing this type of information would jeopardize national security. In April, Attorney General Eric H. Holder Jr. asserted to the court “a formal claim of the state secrets privilege” in the case. In another case, Latif v. Holder, 13 American citizens who have been denied boarding on flights are seeking removal of their names from any watch list, as well as the reasons they have been banned and an opportunity to rebut any derogatory information.
Paul Merrell

CURIA - Documents - 0 views

curia.europa.eu/...document.jsf

surveillance state EU Court-of-Justice data-retention data privacy

shared by Paul Merrell on 19 Jul 14 - No Cached
  • 37      It must be stated that the interference caused by Directive 2006/24 with the fundamental rights laid down in Articles 7 and 8 of the Charter is, as the Advocate General has also pointed out, in particular, in paragraphs 77 and 80 of his Opinion, wide-ranging, and it must be considered to be particularly serious. Furthermore, as the Advocate General has pointed out in paragraphs 52 and 72 of his Opinion, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance.
  • 43      In this respect, it is apparent from recital 7 in the preamble to Directive 2006/24 that, because of the significant growth in the possibilities afforded by electronic communications, the Justice and Home Affairs Council of 19 December 2002 concluded that data relating to the use of electronic communications are particularly important and therefore a valuable tool in the prevention of offences and the fight against crime, in particular organised crime. 44      It must therefore be held that the retention of data for the purpose of allowing the competent national authorities to have possible access to those data, as required by Directive 2006/24, genuinely satisfies an objective of general interest.45      In those circumstances, it is necessary to verify the proportionality of the interference found to exist.46      In that regard, according to the settled case-law of the Court, the principle of proportionality requires that acts of the EU institutions be appropriate for attaining the legitimate objectives pursued by the legislation at issue and do not exceed the limits of what is appropriate and necessary in order to achieve those objectives (see, to that effect, Case C‑343/09 Afton Chemical EU:C:2010:419, paragraph 45; Volker und Markus Schecke and Eifert EU:C:2010:662, paragraph 74; Cases C‑581/10 and C‑629/10 Nelson and Others EU:C:2012:657, paragraph 71; Case C‑283/11 Sky Österreich EU:C:2013:28, paragraph 50; and Case C‑101/12 Schaible EU:C:2013:661, paragraph 29).
  • 67      Article 7 of Directive 2006/24, read in conjunction with Article 4(1) of Directive 2002/58 and the second subparagraph of Article 17(1) of Directive 95/46, does not ensure that a particularly high level of protection and security is applied by those providers by means of technical and organisational measures, but permits those providers in particular to have regard to economic considerations when determining the level of security which they apply, as regards the costs of implementing security measures. In particular, Directive 2006/24 does not ensure the irreversible destruction of the data at the end of the data retention period.68      In the second place, it should be added that that directive does not require the data in question to be retained within the European Union, with the result that it cannot be held that the control, explicitly required by Article 8(3) of the Charter, by an independent authority of compliance with the requirements of protection and security, as referred to in the two previous paragraphs, is fully ensured. Such a control, carried out on the basis of EU law, is an essential component of the protection of individuals with regard to the processing of personal data (see, to that effect, Case C‑614/10 Commission v Austria EU:C:2012:631, paragraph 37).69      Having regard to all the foregoing considerations, it must be held that, by adopting Directive 2006/24, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter.
  • ...13 more annotations...
  • 58      Directive 2006/24 affects, in a comprehensive manner, all persons using electronic communications services, but without the persons whose data are retained being, even indirectly, in a situation which is liable to give rise to criminal prosecutions. It therefore applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime. Furthermore, it does not provide for any exception, with the result that it applies even to persons whose communications are subject, according to rules of national law, to the obligation of professional secrecy. 59      Moreover, whilst seeking to contribute to the fight against serious crime, Directive 2006/24 does not require any relationship between the data whose retention is provided for and a threat to public security and, in particular, it is not restricted to a retention in relation (i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved, in one way or another, in a serious crime, or (ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offences.
  • 1        These requests for a preliminary ruling concern the validity of Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ 2006 L 105, p. 54).
  • Digital Rights Ireland Ltd (C‑293/12)vMinister for Communications, Marine and Natural Resources,Minister for Justice, Equality and Law Reform,Commissioner of the Garda Síochána,Ireland,The Attorney General,intervener:Irish Human Rights Commission, andKärntner Landesregierung (C‑594/12),Michael Seitlinger,Christof Tschohl and others,
  • JUDGMENT OF THE COURT (Grand Chamber)8 April 2014 (*)(Electronic communications — Directive 2006/24/EC — Publicly available electronic communications services or public communications networks services — Retention of data generated or processed in connection with the provision of such services — Validity — Articles 7, 8 and 11 of the Charter of Fundamental Rights of the European Union)In Joined Cases C‑293/12 and C‑594/12,
  • 34      As a result, the obligation imposed by Articles 3 and 6 of Directive 2006/24 on providers of publicly available electronic communications services or of public communications networks to retain, for a certain period, data relating to a person’s private life and to his communications, such as those referred to in Article 5 of the directive, constitutes in itself an interference with the rights guaranteed by Article 7 of the Charter. 35      Furthermore, the access of the competent national authorities to the data constitutes a further interference with that fundamental right (see, as regards Article 8 of the ECHR, Eur. Court H.R., Leander v. Sweden, 26 March 1987, § 48, Series A no 116; Rotaru v. Romania [GC], no. 28341/95, § 46, ECHR 2000-V; and Weber and Saravia v. Germany (dec.), no. 54934/00, § 79, ECHR 2006-XI). Accordingly, Articles 4 and 8 of Directive 2006/24 laying down rules relating to the access of the competent national authorities to the data also constitute an interference with the rights guaranteed by Article 7 of the Charter. 36      Likewise, Directive 2006/24 constitutes an interference with the fundamental right to the protection of personal data guaranteed by Article 8 of the Charter because it provides for the processing of personal data.
  • 65      It follows from the above that Directive 2006/24 does not lay down clear and precise rules governing the extent of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter. It must therefore be held that Directive 2006/24 entails a wide-ranging and particularly serious interference with those fundamental rights in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary.66      Moreover, as far as concerns the rules relating to the security and protection of data retained by providers of publicly available electronic communications services or of public communications networks, it must be held that Directive 2006/24 does not provide for sufficient safeguards, as required by Article 8 of the Charter, to ensure effective protection of the data retained against the risk of abuse and against any unlawful access and use of that data. In the first place, Article 7 of Directive 2006/24 does not lay down rules which are specific and adapted to (i) the vast quantity of data whose retention is required by that directive, (ii) the sensitive nature of that data and (iii) the risk of unlawful access to that data, rules which would serve, in particular, to govern the protection and security of the data in question in a clear and strict manner in order to ensure their full integrity and confidentiality. Furthermore, a specific obligation on Member States to establish such rules has also not been laid down.
  • 60      Secondly, not only is there a general absence of limits in Directive 2006/24 but Directive 2006/24 also fails to lay down any objective criterion by which to determine the limits of the access of the competent national authorities to the data and their subsequent use for the purposes of prevention, detection or criminal prosecutions concerning offences that, in view of the extent and seriousness of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, may be considered to be sufficiently serious to justify such an interference. On the contrary, Directive 2006/24 simply refers, in Article 1(1), in a general manner to serious crime, as defined by each Member State in its national law.61      Furthermore, Directive 2006/24 does not contain substantive and procedural conditions relating to the access of the competent national authorities to the data and to their subsequent use. Article 4 of the directive, which governs the access of those authorities to the data retained, does not expressly provide that that access and the subsequent use of the data in question must be strictly restricted to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating thereto; it merely provides that each Member State is to define the procedures to be followed and the conditions to be fulfilled in order to gain access to the retained data in accordance with necessity and proportionality requirements.
  • 55      The need for such safeguards is all the greater where, as laid down in Directive 2006/24, personal data are subjected to automatic processing and where there is a significant risk of unlawful access to those data (see, by analogy, as regards Article 8 of the ECHR, S. and Marper v. the United Kingdom, § 103, and M. K. v. France, 18 April 2013, no. 19522/09, § 35).56      As for the question of whether the interference caused by Directive 2006/24 is limited to what is strictly necessary, it should be observed that, in accordance with Article 3 read in conjunction with Article 5(1) of that directive, the directive requires the retention of all traffic data concerning fixed telephony, mobile telephony, Internet access, Internet e-mail and Internet telephony. It therefore applies to all means of electronic communication, the use of which is very widespread and of growing importance in people’s everyday lives. Furthermore, in accordance with Article 3 of Directive 2006/24, the directive covers all subscribers and registered users. It therefore entails an interference with the fundamental rights of practically the entire European population. 57      In this respect, it must be noted, first, that Directive 2006/24 covers, in a generalised manner, all persons and all means of electronic communication as well as all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime.
  • 62      In particular, Directive 2006/24 does not lay down any objective criterion by which the number of persons authorised to access and subsequently use the data retained is limited to what is strictly necessary in the light of the objective pursued. Above all, the access by the competent national authorities to the data retained is not made dependent on a prior review carried out by a court or by an independent administrative body whose decision seeks to limit access to the data and their use to what is strictly necessary for the purpose of attaining the objective pursued and which intervenes following a reasoned request of those authorities submitted within the framework of procedures of prevention, detection or criminal prosecutions. Nor does it lay down a specific obligation on Member States designed to establish such limits. 63      Thirdly, so far as concerns the data retention period, Article 6 of Directive 2006/24 requires that those data be retained for a period of at least six months, without any distinction being made between the categories of data set out in Article 5 of that directive on the basis of their possible usefulness for the purposes of the objective pursued or according to the persons concerned.64      Furthermore, that period is set at between a minimum of 6 months and a maximum of 24 months, but it is not stated that the determination of the period of retention must be based on objective criteria in order to ensure that it is limited to what is strictly necessary.
  • 52      So far as concerns the right to respect for private life, the protection of that fundamental right requires, according to the Court’s settled case-law, in any event, that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary (Case C‑473/12 IPI EU:C:2013:715, paragraph 39 and the case-law cited).53      In that regard, it should be noted that the protection of personal data resulting from the explicit obligation laid down in Article 8(1) of the Charter is especially important for the right to respect for private life enshrined in Article 7 of the Charter.54      Consequently, the EU legislation in question must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards so that the persons whose data have been retained have sufficient guarantees to effectively protect their personal data against the risk of abuse and against any unlawful access and use of that data (see, by analogy, as regards Article 8 of the ECHR, Eur. Court H.R., Liberty and Others v. the United Kingdom, 1 July 2008, no. 58243/00, § 62 and 63; Rotaru v. Romania, § 57 to 59, and S. and Marper v. the United Kingdom, § 99).
  • 26      In that regard, it should be observed that the data which providers of publicly available electronic communications services or of public communications networks must retain, pursuant to Articles 3 and 5 of Directive 2006/24, include data necessary to trace and identify the source of a communication and its destination, to identify the date, time, duration and type of a communication, to identify users’ communication equipment, and to identify the location of mobile communication equipment, data which consist, inter alia, of the name and address of the subscriber or registered user, the calling telephone number, the number called and an IP address for Internet services. Those data make it possible, in particular, to know the identity of the person with whom a subscriber or registered user has communicated and by what means, and to identify the time of the communication as well as the place from which that communication took place. They also make it possible to know the frequency of the communications of the subscriber or registered user with certain persons during a given period. 27      Those data, taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.
  • 32      By requiring the retention of the data listed in Article 5(1) of Directive 2006/24 and by allowing the competent national authorities to access those data, Directive 2006/24, as the Advocate General has pointed out, in particular, in paragraphs 39 and 40 of his Opinion, derogates from the system of protection of the right to privacy established by Directives 95/46 and 2002/58 with regard to the processing of personal data in the electronic communications sector, directives which provided for the confidentiality of communications and of traffic data as well as the obligation to erase or make those data anonymous where they are no longer needed for the purpose of the transmission of a communication, unless they are necessary for billing purposes and only for as long as so necessary.
  • On those grounds, the Court (Grand Chamber) hereby rules:Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC is invalid.
  • Paul Merrell on 19 Jul 14
     
    EU Court of Justice decision in regard to a Directive that required communications data retention by telcos/ISPs, finding the Directive invalid as a violation of the right of privacy in communications. Fairly read, paragraph 59 outlaws bulk collection of such records, i.e., it requires the equivalent of a judge-issued search warrant in the U.S. based on probable cause to believe that the particular individual's communications are a legitimate object of a search.  Note also that paragraph 67 effectively forbids transfer of any retained data outside the E.U. So a barrier for NSA sharing of data with GCHQ derived from communications NSA collects from EU communications traffic. Bye-bye, Big Data for GCHQ in the E.U. 
1 - 15 of 15
Showing 20 items per page