Group items tagged

Regardless of these individual defenses of encryption, the Intercept explained why these statements may be irrelevant: “Left unsaid is the fact that the FBI and NSA have the ability to circumvent encryption and get to the content too — by hacking. Hacking allows law enforcement to plant malicious code on someone’s computer in order to gain access to the photos, messages, and text before they were ever encrypted in the first place, and after they’ve been decrypted. The NSA has an entire team of advanced hackers, possibly as many as 600, camped out at Fort Meade.”

Rogers statements, of course, are not a full-fledged endorsement of privacy, nor can the NSA be expected to make it a priority. Even so, his new stance denotes a growing awareness within the government that Americans are not comfortable with the State’s grip on their data. “So spending time arguing about ‘hey, encryption is bad and we ought to do away with it’ … that’s a waste of time to me,” Rogers said Thursday. “So what we’ve got to ask ourselves is, with that foundation, what’s the best way for us to deal with it? And how do we meet those very legitimate concerns from multiple perspectives?”

The Nation: Explain the technical reform you mentioned. Snowden: We already see this happening. The issue I brought forward most clearly was that of mass surveillance, not of surveillance in general. It’s OK if we wiretap Osama bin Laden. I want to know what he’s planning—obviously not him nowadays, but that kind of thing. I don’t care if it’s a pope or a bin Laden. As long as investigators must go to a judge—an independent judge, a real judge, not a secret judge—and make a showing that there’s probable cause to issue a warrant, then they can do that. And that’s how it should be done. The problem is when they monitor all of us, en masse, all of the time, without any specific justification for intercepting in the first place, without any specific judicial showing that there’s a probable cause for that infringement of our rights.

Since the revelations, we have seen a massive sea change in the technological basis and makeup of the Internet. One story revealed that the NSA was unlawfully collecting data from the data centers of Google and Yahoo. They were intercepting the transactions of data centers of American companies, which should not be allowed in the first place because American companies are considered US persons, sort of, under our surveillance authorities. They say, “Well, we were doing it overseas,” but that falls under a different Reagan-era authority: EO 12333, an executive order for foreign-intelligence collection, as opposed to the ones we now use domestically. So this one isn’t even authorized by law. It’s just an old-ass piece of paper with Reagan’s signature on it, which has been updated a couple times since then. So what happened was that all of a sudden these massive, behemoth companies realized their data centers—sending hundreds of millions of people’s communications back and forth every day—were completely unprotected, electronically naked. GCHQ, the British spy agency, was listening in, and the NSA was getting the data and everything like that, because they could dodge the encryption that was typically used. Basically, the way it worked technically, you go from your phone to Facebook.com, let’s say—that link is encrypted. So if the NSA is trying to watch it here, they can’t understand it. But what these agencies discovered was, the Facebook site that your phone is connected to is just the front end of a larger corporate network—that’s not actually where the data comes from. When you ask for your Facebook page, you hit this part and it’s protected, but it has to go on this long bounce around the world to actually get what you’re asking for and go back. So what they did was just get out of the protected part and they went onto the back network. They went into the private network of these companies.

The Nation: The companies knew this? Snowden: Companies did not know it. They said, “Well, we gave the NSA the front door; we gave you the PRISM program. You could get anything you wanted from our companies anyway—all you had to do was ask us and we’re gonna give it to you.” So the companies couldn’t have imagined that the intelligence communities would break in the back door, too—but they did, because they didn’t have to deal with the same legal process as when they went through the front door. When this was published by Barton Gellman in The Washington Post and the companies were exposed, Gellman printed a great anecdote: he showed two Google engineers a slide that showed how the NSA was doing this, and the engineers “exploded in profanity.” Another example—one document I revealed was the classified inspector general’s report on a Bush surveillance operation, Stellar Wind, which basically showed that the authorities knew it was unlawful at the time. There was no statutory basis; it was happening basically on the president’s say-so and a secret authorization that no one was allowed to see. When the DOJ said, “We’re not gonna reauthorize this because it is not lawful,” Cheney—or one of Cheney’s advisers—went to Michael Hayden, director of the NSA, and said, “There is no lawful basis for this program. DOJ is not going to reauthorize it, and we don’t know what we’re going to do. Will you continue it anyway on the president’s say-so?” Hayden said yes, even though he knew it was unlawful and the DOJ was against it. Nobody has read this document because it’s like twenty-eight pages long, even though it’s incredibly important.

The big tech companies understood that the government had not only damaged American principles, it had hurt their businesses. They thought, “No one trusts our products anymore.” So they decided to fix these security flaws to secure their phones. The new iPhone has encryption that protects the contents of the phone. This means if someone steals your phone—if a hacker or something images your phone—they can’t read what’s on the phone itself, they can’t look at your pictures, they can’t see the text messages you send, and so forth. But it does not stop law enforcement from tracking your movements via geolocation on the phone if they think you are involved in a kidnapping case, for example. It does not stop law enforcement from requesting copies of your texts from the providers via warrant. It does not stop them from accessing copies of your pictures or whatever that are uploaded to, for example, Apple’s cloud service, which are still legally accessible because those are not encrypted. It only protects what’s physically on the phone. This is purely a security feature that protects against the kind of abuse that can happen with all these things being out there undetected. In response, the attorney general and the FBI director jumped on a soap box and said, “You are putting our children at risk.”

The Nation: Is there a potential conflict between massive encryption and the lawful investigation of crimes? Snowden: This is the controversy that the attorney general and the FBI director were trying to create. They were suggesting, “We have to be able to have lawful access to these devices with a warrant, but that is technically not possible on a secure device. The only way that is possible is if you compromise the security of the device by leaving a back door.” We’ve known that these back doors are not secure. I talk to cryptographers, some of the leading technologists in the world, all the time about how we can deal with these issues. It is not possible to create a back door that is only accessible, for example, to the FBI. And even if it were, you run into the same problem with international commerce: if you create a device that is famous for compromised security and it has an American back door, nobody is gonna buy it. Anyway, it’s not true that the authorities cannot access the content of the phone even if there is no back door. When I was at the NSA, we did this every single day, even on Sundays. I believe that encryption is a civic responsibility, a civic duty.

The Nation: Some years ago, The Nation did a special issue on patriotism. We asked about a hundred people how they define it. How do you define patriotism? And related to that, you’re probably the world’s most famous whistleblower, though you don’t like that term. What characterization of your role do you prefer? Snowden: What defines patriotism, for me, is the idea that one rises to act on behalf of one’s country. As I said before, that’s distinct from acting to benefit the government—a distinction that’s increasingly lost today. You’re not patriotic just because you back whoever’s in power today or their policies. You’re patriotic when you work to improve the lives of the people of your country, your community and your family. Sometimes that means making hard choices, choices that go against your personal interest. People sometimes say I broke an oath of secrecy—one of the early charges leveled against me. But it’s a fundamental misunderstanding, because there is no oath of secrecy for people who work in the intelligence community. You are asked to sign a civil agreement, called a Standard Form 312, which basically says if you disclose classified information, they can sue you; they can do this, that and the other. And you risk going to jail. But you are also asked to take an oath, and that’s the oath of service. The oath of service is not to secrecy, but to the Constitution—to protect it against all enemies, foreign and domestic. That’s the oath that I kept, that James Clapper and former NSA director Keith Alexander did not. You raise your hand and you take the oath in your class when you are on board. All government officials are made to do it who work for the intelligence agencies—at least, that’s where I took the oath.

The Nation: Creating a new system may be your transition, but it’s also a political act. Snowden: In case you haven’t noticed, I have a somewhat sneaky way of effecting political change. I don’t want to directly confront great powers, which we cannot defeat on their terms. They have more money, more clout, more airtime. We cannot be effective without a mass movement, and the American people today are too comfortable to adapt to a mass movement. But as inequality grows, the basic bonds of social fraternity are fraying—as we discussed in regard to Occupy Wall Street. As tensions increase, people will become more willing to engage in protest. But that moment is not now.

The Nation: You really think that if you could go home tomorrow with complete immunity, there wouldn’t be irresistible pressure on you to become a spokesperson, even an activist, on behalf of our rights and liberties? Indeed, wouldn’t that now be your duty? Snowden: But the idea for me now—because I’m not a politician, and I do not think I am as effective in this way as people who actually prepare for it—is to focus on technical reform, because I speak the language of technology. I spoke with Tim Berners-Lee, the guy who invented the World Wide Web. We agree on the necessity for this generation to create what he calls the Magna Carta for the Internet. We want to say what “digital rights” should be. What values should we be protecting, and how do we assert them? What I can do—because I am a technologist, and because I actually understand how this stuff works under the hood—is to help create the new systems that reflect our values. Of course I want to see political reform in the United States. But we could pass the best surveillance reforms, the best privacy protections in the history of the world, in the United States, and it would have zero impact internationally. Zero impact in China and in every other country, because of their national laws—they won’t recognize our reforms; they’ll continue doing their own thing. But if someone creates a reformed technical system today—technical standards must be identical around the world for them to function together.

As for labeling someone a whistleblower, I think it does them—it does all of us—a disservice, because it “otherizes” us. Using the language of heroism, calling Daniel Ellsberg a hero, and calling the other people who made great sacrifices heroes—even though what they have done is heroic—is to distinguish them from the civic duty they performed, and excuses the rest of us from the same civic duty to speak out when we see something wrong, when we witness our government engaging in serious crimes, abusing power, engaging in massive historic violations of the Constitution of the United States. We have to speak out or we are party to that bad action.

The Nation: Considering your personal experience—the risks you took, and now your fate here in Moscow—do you think other young men or women will be inspired or discouraged from doing what you did? Snowden: Chelsea Manning got thirty-five years in prison, while I’m still free. I talk to people in the ACLU office in New York all the time. I’m able to participate in the debate and to campaign for reform. I’m just the first to come forward in the manner that I did and succeed. When governments go too far to punish people for actions that are dissent rather than a real threat to the nation, they risk delegitimizing not just their systems of justice, but the legitimacy of the government itself. Because when they bring political charges against people for acts that were clearly at least intended to work in the public interest, they deny them the opportunity to mount a public-interest defense. The charges they brought against me, for example, explicitly denied my ability to make a public-interest defense. There were no whistleblower protections that would’ve protected me—and that’s known to everybody in the intelligence community. There are no proper channels for making this information available when the system fails comprehensively.

The government would assert that individuals who are aware of serious wrongdoing in the intelligence community should bring their concerns to the people most responsible for that wrongdoing, and rely on those people to correct the problems that those people themselves authorized. Going all the way back to Daniel Ellsberg, it is clear that the government is not concerned with damage to national security, because in none of these cases was there damage. At the trial of Chelsea Manning, the government could point to no case of specific damage that had been caused by the massive revelation of classified information. The charges are a reaction to the government’s embarrassment more than genuine concern about these activities, or they would substantiate what harms were done. We’re now more than a year since my NSA revelations, and despite numerous hours of testimony before Congress, despite tons of off-the-record quotes from anonymous officials who have an ax to grind, not a single US official, not a single representative of the United States government, has ever pointed to a single case of individualized harm caused by these revelations. This, despite the fact that former NSA director Keith Alexander said this would cause grave and irrevocable harm to the nation. Some months after he made that statement, the new director of the NSA, Michael Rogers, said that, in fact, he doesn’t see the sky falling. It’s not so serious after all.

The Nation: You also remind us of [Manhattan Project physicist] Robert Oppenheimer—what he created and then worried about. Snowden: Someone recently talked about mass surveillance and the NSA revelations as being the atomic moment for computer scientists. The atomic bomb was the moral moment for physicists. Mass surveillance is the same moment for computer scientists, when they realize that the things they produce can be used to harm a tremendous number of people. It is interesting that so many people who become disenchanted, who protest against their own organizations, are people who contributed something to them and then saw how it was misused. When I was working in Japan, I created a system for ensuring that intelligence data was globally recoverable in the event of a disaster. I was not aware of the scope of mass surveillance. I came across some legal questions when I was creating it. My superiors pushed back and were like, “Well, how are we going to deal with this data?” And I was like, “I didn’t even know it existed.” Later, when I found out that we were collecting more information on American communications than we were on Russian communications, for example, I was like, “Holy shit.” Being confronted with the realization that work you intended to benefit people is being used against them has a radicalizing effect.

The Nation: We have a sense, or certainly the hope, we’ll be seeing you in America soon—perhaps sometime after this Ukrainian crisis ends. Snowden: I would love to think that, but we’ve gone all the way up the chain at all the levels, and things like that. A political decision has been made not to irritate the intelligence community. The spy agencies are really embarrassed, they’re really sore—the revelations really hurt their mystique. The last ten years, they were getting the Zero Dark Thirty treatment—they’re the heroes. The surveillance revelations bring them back to Big Brother kind of narratives, and they don’t like that at all. The Obama administration almost appears as though it is afraid of the intelligence community. They’re afraid of death by a thousand cuts—you know, leaks and things like that.

The Nation: You’ve given us a lot of time, and we are very grateful, as will be The Nation’s and other readers. But before we end, any more thoughts about your future? Snowden: If I had to guess what the future’s going to look like for me—assuming it’s not an orange jumpsuit in a hole—I think I’m going to alternate between tech and policy. I think we need that. I think that’s actually what’s missing from government, for the most part. We’ve got a lot of policy people, but we have no technologists, even though technology is such a big part of our lives. It’s just amazing, because even these big Silicon Valley companies, the masters of the universe or whatever, haven’t engaged with Washington until recently. They’re still playing catch-up. As for my personal politics, some people seem to think I’m some kind of archlibertarian, a hyper-conservative. But when it comes to social policies, I believe women have the right to make their own choices, and inequality is a really important issue. As a technologist, I see the trends, and I see that automation inevitably is going to mean fewer and fewer jobs. And if we do not find a way to provide a basic income for people who have no work, or no meaningful work, we’re going to have social unrest that could get people killed. When we have increasing production—year after year after year—some of that needs to be reinvested in society. It doesn’t need to be consistently concentrated in these venture-capital funds and things like that. I’m not a communist, a socialist or a radical. But these issues have to be 
addressed.

Among a slew of American companies who contributed to the NSA’s “mainstreaming” efforts: Red Hat. And IBM? Like just about all of our American tech heroes, it looks at the NSA and other agencies in the Intelligence Community as “the Customer” with deep pockets, ever increasing budgets, and a thirst for technology and data. Which brings us back to Windows 8 and TPM. A decade ago, a group was established to develop and promote Trusted Computing that governs how operating systems and the “special surveillance chip” TPM work together. And it too has been cooperating with the NSA. The founding members of this Trusted Computing Group, as it’s called facetiously: AMD, Cisco, Hewlett-Packard, Intel, Microsoft, and Wave Systems. Oh, I almost forgot ... and IBM. And so IBM might not escape, despite its protestations and slick sales presentations, the suspicion by foreign companies and governments alike that its Linux servers too have been compromised – like the cloud products of other American tech companies. And now, they’re going to pay a steep price for their cooperation with the NSA. Read...  NSA Pricked The “Cloud” Bubble For US Tech Companies

“I’ve never seen that fast a move in emerging markets,” Chambers said. His industry peers were seeing the same thing. “Most of my CEO counterparts can almost finish my sentences in terms of what’s occurring,” he said. He even mentioned IBM. It’s “an industry phenomenon.” The collapse in the emerging markets – “We believe that more than half the world’s GDP occurs there,” he said – was “very consistent across the board.” And that consistency is what he was fretting about. “We usually, unfortunately, see things a couple of quarters ahead of our peers. This time we were a little bit surprised.” In the top five emerging markets, the “softening” started in Q4, “when we said they went from 13% growth the quarter before to flat in Q4. The other 15 countries continued to grow in the low teens. This time, all of them came down, and so out of our top 10, it was pretty brutal on that.” The NSA’s reckless all-encompassing spying, and its hand-in-glove multi-billion-dollar collusion with US tech companies to accomplish it, is now wreaking havoc on these same tech companies. Revenues are getting crushed overseas. Emerging market governments and companies are looking at other options. Trust that has taken decades to build has evaporated. A study in early August estimated that the spying scandal would cost US tech companies $35 billion. Which might not even be enough for a down-payment: alone that 11% drop in Cisco’s stock today cost shareholders $16 billion. 

It’s not a temporary issue. New revelations bubble to the surface all the time to complete the picture of a seamless, borderless, nearly perfect surveillance society. One dimension: the NSA and British GCHQ secretly break into the “clouds” of US companies to syphon off user data on a large scale. Illegal in the US. But the cloud is worldwide. Read..... NSA Secretly Breaks Into The Cloud Of US Tech Companies, Siphons Off Data, Fouls Up Revenues Overseas And here is my whole series on the spreading NSA spying scandal and its implications.

In addition to his weak reasoning for why it would be feasible to create backdoors to encrypted devices without creating undue security risks or harming privacy, Vance makes several flawed policy-based arguments in favor of his proposal. He argues that criminals benefit from devices that are protected by strong encryption. That may be true, but strong encryption is also a critical tool used by billions of average people around the world every day to protect their transactions, communications, and private information. Lawyers, doctors, and journalists rely on encryption to protect their clients, patients, and sources. Government officials, from the President to the directors of the NSA and FBI, and members of Congress, depend on strong encryption for cybersecurity and data security. There are far more innocent Americans who benefit from strong encryption than there are criminals who exploit it. Encryption is also essential to our economy. Device manufacturers could suffer major economic losses if they are prohibited from competing with foreign manufacturers who offer more secure devices. Encryption also protects major companies from corporate and nation-state espionage. As more daily business activities are done on smartphones and other devices, they may now hold highly proprietary or sensitive information. Those devices could be targeted even more than they are now if all that has to be done to access that information is to steal an employee’s smartphone and exploit a vulnerability the manufacturer was required to create.

Privacy is another concern that Vance dismisses too easily. Despite Vance’s arguments otherwise, building backdoors into device encryption undermines privacy. Our government does not impose a similar requirement in any other context. Police can enter homes with warrants, but there is no requirement that people record their conversations and interactions just in case they someday become useful in an investigation. The conversations that we once had through disposable letters and in-person conversations now happen over the Internet and on phones. Just because the medium has changed does not mean our right to privacy has.

Vance attempts to downplay this serious risk by asserting that anyone can use the “Find My Phone” or Android Device Manager services that allow owners to delete the data on their phones if stolen. However, this does not stand up to scrutiny. These services are effective only when an owner realizes their phone is missing and can take swift action on another computer or device. This delay ensures some period of vulnerability. Encryption, on the other hand, protects everyone immediately and always. Additionally, Vance argues that it is safer to build backdoors into encrypted devices than it is to do so for encrypted communications in transit. It is true that there is a difference in the threats posed by the two types of encryption backdoors that are being debated. However, some manner of widespread vulnerability will inevitably result from a backdoor to encrypted devices. Indeed, the NSA and GCHQ reportedly hacked into a database to obtain cell phone SIM card encryption keys in order defeat the security protecting users’ communications and activities and to conduct surveillance. Clearly, the reality is that the threat of such a breach, whether from a hacker or a nation state actor, is very real. Even if companies go the extra mile and create a different means of access for every phone, such as a separate access key for each phone, significant vulnerabilities will be created. It would still be possible for a malicious actor to gain access to the database containing those keys, which would enable them to defeat the encryption on any smartphone they took possession of. Additionally, the cost of implementation and maintenance of such a complex system could be high.

Vance also suggests that the US would be justified in creating such a requirement since other Western nations are contemplating requiring encryption backdoors as well. Regardless of whether other countries are debating similar proposals, we cannot afford a race to the bottom on cybersecurity. Heads of the intelligence community regularly warn that cybersecurity is the top threat to our national security. Strong encryption is our best defense against cyber threats, and following in the footsteps of other countries by weakening that critical tool would do incalculable harm. Furthermore, even if the US or other countries did implement such a proposal, criminals could gain access to devices with strong encryption through the black market. Thus, only innocent people would be negatively affected, and some of those innocent people might even become criminals simply by trying to protect their privacy by securing their data and devices. Finally, Vance argues that David Kaye, UN Special Rapporteur for Freedom of Expression and Opinion, supported the idea that court-ordered decryption doesn’t violate human rights, provided certain criteria are met, in his report on the topic. However, in the context of Vance’s proposal, this seems to conflate the concepts of court-ordered decryption and of government-mandated encryption backdoors. The Kaye report was unequivocal about the importance of encryption for free speech and human rights. The report concluded that:

States should promote strong encryption and anonymity. National laws should recognize that individuals are free to protect the privacy of their digital communications by using encryption technology and tools that allow anonymity online. … States should not restrict encryption and anonymity, which facilitate and often enable the rights to freedom of opinion and expression. Blanket prohibitions fail to be necessary and proportionate. States should avoid all measures that weaken the security that individuals may enjoy online, such as backdoors, weak encryption standards and key escrows. Additionally, the group of intelligence experts that was hand-picked by the President to issue a report and recommendations on surveillance and technology, concluded that: [R]egarding encryption, the U.S. Government should: (1) fully support and not undermine efforts to create encryption standards; (2) not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and (3) increase the use of encryption and urge US companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage.

The clear consensus among human rights experts and several high-ranking intelligence experts, including the former directors of the NSA, Office of the Director of National Intelligence, and DHS, is that mandating encryption backdoors is dangerous. Unaddressed Concerns: Preventing Encrypted Devices from Entering the US and the Slippery Slope In addition to the significant faults in Vance’s arguments in favor of his proposal, he fails to address the question of how such a restriction would be effectively implemented. There is no effective mechanism for preventing code from becoming available for download online, even if it is illegal. One critical issue the Vance proposal fails to address is how the government would prevent, or even identify, encrypted smartphones when individuals bring them into the United States. DHS would have to train customs agents to search the contents of every person’s phone in order to identify whether it is encrypted, and then confiscate the phones that are. Legal and policy considerations aside, this kind of policy is, at the very least, impractical. Preventing strong encryption from entering the US is not like preventing guns or drugs from entering the country — encrypted phones aren’t immediately obvious as is contraband. Millions of people use encrypted devices, and tens of millions more devices are shipped to and sold in the US each year.

Finally, there is a real concern that if Vance’s proposal were accepted, it would be the first step down a slippery slope. Right now, his proposal only calls for access to smartphones and devices running mobile operating systems. While this policy in and of itself would cover a number of commonplace devices, it may eventually be expanded to cover laptop and desktop computers, as well as communications in transit. The expansion of this kind of policy is even more worrisome when taking into account the speed at which technology evolves and becomes widely adopted. Ten years ago, the iPhone did not even exist. Who is to say what technology will be commonplace in 10 or 20 years that is not even around today. There is a very real question about how far law enforcement will go to gain access to information. Things that once seemed like merely science fiction, such as wearable technology and artificial intelligence that could be implanted in and work with the human nervous system, are now available. If and when there comes a time when our “smart phone” is not really a device at all, but is rather an implant, surely we would not grant law enforcement access to our minds.

Policymakers should dismiss Vance’s proposal to prohibit the use of strong encryption to protect our smartphones and devices in order to ensure law enforcement access. Undermining encryption, regardless of whether it is protecting data in transit or at rest, would take us down a dangerous and harmful path. Instead, law enforcement and the intelligence community should be working to alter their skills and tactics in a fast-evolving technological world so that they are not so dependent on information that will increasingly be protected by encryption.

“It’s clear the global community of Internet users doesn’t like to be caught up in the American surveillance dragnet,” Senator Ron Wyden said last month. At the same event, Google chairman Eric Schmidt agreed with him. “What occurred was a loss of trust between America and other countries,” he said, according to the Los Angeles Times. “It's making it very difficult for American firms to do business.” But never mind the world. Americans don’t trust American social networks. More than half of the poll’s respondents said that social networks were “not at all secure. Only 40 percent of Americans believe email or texting is at least “somewhat” secure. Indeed, Americans trusted most of all communication technologies where some protections has been enshrined into the law (though the report didn’t ask about snail mail). That is: Talking on the telephone, whether on a landline or cell phone, is the only kind of communication that a majority of adults believe to be “very secure” or “somewhat secure.”

According to the study, 70 percent of Americans are “at least somewhat concerned” with the government secretly obtaining information they post to social networking sites. Eighty percent of respondents agreed that “Americans should be concerned” with government surveillance of telephones and the web. They are also uncomfortable with how private corporations use their data: Ninety-one percent of Americans believe that “consumers have lost control over how personal information is collected and used by companies,” according to the study. Eighty percent of Americans who use social networks “say they are concerned about third parties like advertisers or businesses accessing the data they share on these sites.” And even though they’re squeamish about the government’s use of data, they want it to regulate tech companies and data brokers more strictly: 64 percent wanted the government to do more to regulate private data collection. Since June 2013, American politicians and corporate leaders have fretted over how much the leaks would cost U.S. businesses abroad.

(That may seem a bit incongruous, because making a telephone call is one area where you can be almost sure you are being surveilled: The government has requisitioned mass call records from phone companies since 2001. But Americans appear, when discussing security, to differentiate between the contents of the call and data about it.) Last month, Ramsey Homsany, the general counsel of Dropbox, said that one big thing could take down the California tech scene. “We have built this incredible economic engine in this region of the country,” said Homsany in the Los Angeles Times, “and [mistrust] is the one thing that starts to rot it from the inside out.” According to this poll, the mistrust has already begun corroding—and is already, in fact, well advanced. We’ve always assumed that the great hurt to American business will come globally—that citizens of other nations will stop using tech companies’s services. But the new Pew data shows that Americans suspect American businesses just as much. And while, unlike citizens of other nations, they may not have other places to turn, they may stop putting sensitive or delicate information online.

In a December 2014 opinion in the Hassanshahi case, US District Judge Rudolph Contreras allowed the evidence, but also required that the government provide a "declaration summarizing the contours of the law enforcement database used by Homeland Security Investigations to discover Hassanshahi’s phone number, including any limitations on how and when the database may be used." To comply with the judge’s order, Robert Patterson, the assistant special agent in charge of the DEA, wrote in the Thursday filing: As noted, this database was a federal law enforcement database. It could be used to query a telephone number where federal law enforcement officials had a reasonable articulable suspicion that the telephone number at issue was related to an ongoing federal criminal investigation. The Iranian number was determined to meet this standard based on specific information indicating that the Iranian number was being used for the purpose of importing technological goods to Iran in violation of United States law. Previously, the government had not revealed exactly how it began its investigation of Hassanshahi, and only referred cryptically to "[DHS]-accessible law enforcement databases," in Akronowitz’ 2013 and  2014 affidavits.

Similarly, other privacy-minded legal experts questioned the government’s tactics in this new revelation. "We just don’t know about the scope of these things, and that’s what’s disturbing," Andrew Crocker, a legal fellow at the Electronic Frontier Foundation, told Ars. His colleague, Hanni Fakhoury, an EFF attorney who used to be a federal public defender, added that he was "not surprised." "Bulk surveillance technologies and the dangerous legal theories that are used to support them trickle down, and here's a prime example of that," he wrote by e-mail. "The DEA's mandate is of course important but not at the level of national security where as you know there are serious legal questions about the propriety of this collection of phone metadata. And if the DEA has a program like this, it wouldn't surprise me if other agencies do too for other sorts of records the government has claimed it can collect with a subpoena (like bank records)."

Patrick Toomey, an attorney with the American Civil Liberties Union, chimed in to say that this indeed was a clear example of government overreach. "This disclosure underscores how the government has expanded its use of bulk collection far beyond the NSA and the national-security context, to rely on mass surveillance in ordinary criminal investigations," he said by e-mail. "It’s now clear that multiple government agencies have tracked the calls that Americans make to their parents and relatives, friends, and business associates overseas, all without any suspicion of wrongdoing," Toomey continued. "The DEA program shows yet again how strained and untenable legal theories have been used to secretly justify the surveillance of millions of innocent Americans using laws that were never written for that purpose."

Despite the use of the word “now” in that first sentence, however, the FBI has yet to do any such thing. It has not announced any such change, nor explained how it will implement it, or when. Media inquiries were greeted with stalling and, finally, a no comment — ostensibly on advice of legal counsel. “There is pending litigation that deals with a lot of the same questions you’re asking, out of the Ninth Circuit,” FBI spokesman Chris Allen told me. “So for now, we’ll just have to decline to comment.” FBI lawyers are working on a court filing for that case, and “it will address” the new policy, he said. He would not say when to expect it.

There is indeed a significant case currently before the federal appeals court in San Francisco. Oral arguments were in October. A decision could come any time. But in that case, the Electronic Frontier Foundation (EFF), which is representing two unnamed communications companies that received NSLs, is calling for the entire NSL statute to be thrown out as unconstitutional — not for a tweak to the gag. And it has a March 2013 district court ruling in its favor. “The gag is a prior restraint under the First Amendment, and prior restraints have to meet an extremely high burden,” said Andrew Crocker, a legal fellow at EFF. That means going to court and meeting the burden of proof — not just signing a letter. Or as the Cato Institute’s Julian Sanchez put it, “To have such a low bar for denying persons or companies the right to speak about government orders they have been served with is anathema. And it is not very good for accountability.”

In a separate case, a wide range of media companies (including First Look Media, the non-profit digital media venture that produces The Intercept) are supporting a lawsuit filed by Twitter, demanding the right to say specifically how many NSLs it has received. But simply releasing companies from a gag doesn’t assure the kind of accountability that privacy advocates are saying is required by the Constitution. “What the public has to remember is a NSL is asking for your information, but it’s not asking it from you,” said Michael German, a former FBI agent who is now a fellow with the Brennan Center for Justice. “The vast majority of these things go to the very large telecommunications and financial companies who have a large stake in maintaining a good relationship with the government because they’re heavily regulated entities.”

So, German said, “the number of NSLs that would be exposed as a result of the release of the gag order is probably very few. The person whose records are being obtained is the one who should receive some notification.” A time limit on gags going forward also raises the question of whether past gag orders will now be withdrawn. “Obviously there are at this point literally hundreds of thousands of National Security Letters that are more than three years old,” said Sanchez. Individual review is therefore unlikely, but there ought to be some recourse, he said. And the further back you go, “it becomes increasingly implausible that a significant percentage of those are going to entail some dire national security risk.” The NSL program has a troubled history. The absolute secrecy of the program and resulting lack of accountability led to systemic abuse as documented by repeated inspector-general investigations, including improperly authorized NSLs, factual misstatements in the NSLs, improper requests under NSL statutes, requests for information based on First Amendment protected activity, “after-the-fact” blanket NSLs to “cover” illegal requests, and hundreds of NSLs for “community of interest” or “calling circle” information without any determination that the telephone numbers were relevant to authorized national security investigations.

Obama’s own hand-selected “Review Group on Intelligence and Communications Technologies” recommended in December 2013 that NSLs should only be issued after judicial review — just like warrants — and that any gag should end within 180 days barring judicial re-approval. But FBI director James Comey objected to the idea, calling NSLs “a very important tool that is essential to the work we do.” His argument evidently prevailed with Obama.

NSLs have managed to stay largely under the American public’s radar. But, Crocker says, “pretty much every time I bring it up and give the thumbnail, people are shocked. Then you go into how many are issued every year, and they go crazy.” Want to send me your old NSL and see if we can set a new precedent? Here’s how to reach me. And here’s how to leak to me.

The first shot was fired on Monday. Teradata, which sells analytics tools for Big Data, warned that quarterly revenues plunged 21% in Asia and 19% in the Middle East and Africa. Wednesday evening, it was IBM’s turn to confess that its hardware sales in China had simply collapsed. Every word was colored by Edward Snowden’s revelations about the NSA’s hand-in-glove collaboration with American tech companies, from startups to mastodons like IBM.

As is always the case, the stream of fear-mongering and alarmist warnings issued by the government to demonize a whistleblower proves to be false and without any basis, and the same is true for accusations made about the revelations themselves (“In January, [Mike] Rogers said that the report concluded that most of the documents Snowden had access to concerned ‘vital operations of the U.S. Army, Navy, Marine Corps and Air Force’” – AP: Lawmakers: Snowden’s Leaks May Endanger US Troops“). But none of that has stopped countless U.S. journalists from mindlessly citing each one of the latest evidence-free official claims as sacred fact.

Other companies have designed their encryption in this way, including AT&T, which offers encrypted phone service for business customers. Apple and Android recently began protecting content stored on users's phones in a way that would keep the tech companies from being able to comply with requests from law enforcement. The move drew public criticism from FBI Director James Comey, and some security experts expect that a renewed effort to stir passage of legislation banning such encryption will accompany Silicon Valley's increased interest in developing these services. Verizon believes major demand for its new encryption service will come from governmental agencies conveying sensitive but unclassified information over the phone, says Tim Petsky, a senior product manager for Verizon Wireless. Corporate customers who are concerned about corporate espionage are also itching for answers. "You read about breaches in security almost every week in the press," says Petsky. "Enterprise customers have been asking about ways to secure their communications and up until this point, we didn't have a solution." 

Many people in the security industry believe that a designed access point creates a vulnerability for criminals or spies to exploit. Last year reports surfaced that the FBI was pushing legislation that would require many forms of Internet communication to be wiretap-ready. A group of prominent security experts responded strongly: "Requiring software vendors to build intercept functionality into their products is unwise and will be ineffective, with the result being serious consequences (PDF) for the economic well-being and national security of the United States," they wrote in a report issued in May. 

While Gemalto was indeed another casualty in Western governments’ sweeping effort to gather as much global intelligence advantage as possible, the leaked documents make clear that the company was specifically targeted. According to the materials published Thursday, GCHQ used a specific codename — DAPINO GAMMA — to refer to the operations against Gemalto. The spies also actively penetrated the email and social media accounts of Gemalto employees across the world in an effort to steal the company’s encryption keys. Evidence of the Gemalto breach rattled the digital security community. “Almost everyone in the world carries cell phones and this is an unprecedented mass attack on the privacy of citizens worldwide,” said Greg Nojeim, senior counsel at the Center for Democracy & Technology, a non-profit that advocates for digital privacy and free online expression. “While there is certainly value in targeted surveillance of cell phone communications, this coordinated subversion of the trusted technical security infrastructure of cell phones means the US and British governments now have easy access to our mobile communications.”

For Gemalto, evidence that their vaunted security systems and the privacy of customers had been compromised by the world’s top spy agencies made an immediate financial impact. The company’s shares took a dive on the Paris bourse Friday, falling $500 million. In the U.S., Gemalto’s shares fell as much 10 percent Friday morning. They had recovered somewhat — down 4 percent — by the close of trading on the Euronext stock exchange. Analysts at Dutch financial services company Rabobank speculated in a research note that Gemalto could be forced to recall “a large number” of SIM cards. The French daily L’Express noted today that Gemalto board member Alex Mandl was a founding trustee of the CIA-funded venture capital firm In-Q-Tel. Mandl resigned from In-Q-Tel’s board in 2002, when he was appointed CEO of Gemplus, which later merged with another company to become Gemalto. But the CIA connection still dogged Mandl, with the French press regularly insinuating that American spies could infiltrate the company. In 2003, a group of French lawmakers tried unsuccessfully to create a commission to investigate Gemplus’s ties to the CIA and its implications for the security of SIM cards. Mandl, an Austrian-American businessman who was once a top executive at AT&T, has denied that he had any relationship with the CIA beyond In-Q-Tel. In 2002, he said he did not even have a security clearance.

AT&T, T-Mobile and Verizon could not be reached for comment Friday. Sprint declined to comment. Vodafone, the world’s second largest telecom provider by subscribers and a customer of Gemalto, said in a statement, “[W]e have no further details of these allegations which are industrywide in nature and are not focused on any one mobile operator. We will support industry bodies and Gemalto in their investigations.” Deutsche Telekom AG, a German company, said it has changed encryption algorithms in its Gemalto SIM cards. “We currently have no knowledge that this additional protection mechanism has been compromised,” the company said in a statement. “However, we cannot rule out this completely.”

Update: Asked about the SIM card heist, White House press secretary Josh Earnest said he did not expect the news would hurt relations with the tech industry: “It’s hard for me to imagine that there are a lot of technology executives that are out there that are in a position of saying that they hope that people who wish harm to this country will be able to use their technology to do so. So, I do think in fact that there are opportunities for the private sector and the federal government to coordinate and to cooperate on these efforts, both to keep the country safe, but also to protect our civil liberties.”

Hanni Fakhoury, an attorney for the Electronic Frontier Foundation, said some states and judges are pushing back against stingrays. "In Tacoma, judges now require police (to) specifically note they plan to use an IMSI catcher and promise not to store data collected from people who are not investigation targets," he said. "The Florida and Massachusetts state supreme courts ruled warrants were necessary for real-time cell phone tracking. Nine states—Colorado, Illinois, Indiana, Maryland, Minnesota, Tennessee, Utah, Virginia, and Wisconsin—passed laws specifically requiring police to use a warrant to track a cell phone in real time."

To Amie Stepanovich, the U.S. policy manager for Access, one of the groups signing the petition, the status quo isn’t good enough. “It’s really crucial that even if the government is not pursuing legislation, it’s also not pursuing policies that will weaken security through other methods,” she said. The FBI and Justice Department have been talking with tech companies for months. On Thursday, Comey said the conversations have been “increasingly productive.” He added: “People have stripped out a lot of the venom.” He said the tech executives “are all people who care about the safety of America and also care about privacy and civil liberties.” Comey said the issue afflicts not just federal law enforcement but also state and local agencies investigating child kidnappings and car crashes — “cops and sheriffs . . . [who are] increasingly encountering devices they can’t open with a search warrant.”

One senior administration official said the administration thinks it’s making enough progress with companies that seeking legislation now is unnecessary. “We feel optimistic,” said the official, who spoke on the condition of anonymity to describe internal discussions. “We don’t think it’s a lost cause at this point.” Legislation, said Rep. Adam Schiff (D-Calif.), is not a realistic option given the current political climate. He said he made a recent trip to Silicon Valley to talk to Twitter, Facebook and Google. “They quite uniformly are opposed to any mandate or pressure — and more than that, they don’t want to be asked to come up with a solution,” Schiff said. Law enforcement officials know that legislation is a tough sell now. But, one senior official stressed, “it’s still going to be in the mix.” On the other side of the debate, technology, diplomatic and commerce agencies were pressing for an outright statement by Obama to disavow a legislative mandate on companies. But their position did not prevail.

Daniel Castro, vice president of the Information Technology & Innovation Foundation, said absent any new laws, either in the United States or abroad, “companies are in the driver’s seat.” He said that if another country tried to require companies to retain an ability to decrypt communications, “I suspect many tech companies would try to pull out.”