Skip to main content

Home/ Socialism and the End of the American Dream/ Group items tagged telcos

Rss Feed Group items tagged

Paul Merrell

Feds May Have To Reveal FISA Phone Records In Murder Case | Techdirt - 0 views

  • There's been a lot of focus elsewhere concerning the FISA rulings that were leaked, showing that the government is scooping up the details of pretty much every phone call. However, a case concerning some guys who were trying to rob an armored truck may lead to some interesting revelations related to what the government collects. Daryl Davis, Hasam Williams, Terrance Brown, Toriano Johnson, and Joseph K. Simmons were charged with trying to rob a bunch of armored Brink's trucks, in which one of the robberies went wrong and a Brink's employee was shot and killed. As part of the case against the group, the DOJ obtained call records. However, during discovery, the government refused to hand over call records for July of 2010, claiming that when they sought them from the telco, the DOJ was told that those records had been purged. Terrance Brown's lawyer is now claiming that since it appears the NSA has sucked up all of this data for quite some time, it would appear that the government should, in fact, already have the phone records from July 2010, which he argues would show that he was nowhere near the robbery when it happened. Defendant Brown urges that the records are important to his defense because cell-site records could be used to show that Brown was not in the vicinity of the attempted robbery that allegedly occurred in July 2010. And, relying on a June 5, 2013, Guardian newspaper article that published a FISA Court order relating to cellular telephone data collected by Verizon,1 Defendant Brown now suggests that the Government likely actually does possess the metadata relating to telephone calls made in July 2010 from the two numbers attributed to Defendant Brown.
  • The court agrees that, under the law, the government may need to produce those records. Here, Defendant asserts that, under Brady v. Maryland, 373 U.S. 83 (1963), due process requires the production of the July 2010 telephone records because they are anticipated to be exculpatory in that they are expected to show that Defendant Brown was not physically located at the scene of the alleged attempted Brink’s truck robbery in July 2010. In view of Defendant Brown’s Motion and the requirements of FISA, it is hereby ORDERED and ADJUDGED that the Government shall respond to Defendant Brown’s Motion and, if desired, shall file an affidavit of the Attorney General of the United States. That order was actually issued Monday, only giving the government until yesterday to comply. At the time of posting, the government's reply has not yet shown up in PACER, though it may pop up soon. I'm guessing that they'll try to either get some sort of extension or explain why those records are somehow inaccessible -- but it could get interesting.
  •  
    This is definitely one to watch. The Court's order is short but definitely enlightening. The defendant's trial is already under way, so the Court set a very short response time, and required the Feds to concurrently file the affidavit of the Attorney General if the Feds want to claim that disclosure would harm national security. She has also ordered that the Feds concurrently explain any belief that thre information was lawfully gathered, citing some specific portions of the FISA Act that are at the heart of the government's claim of right to compel telcos to disclose the information to the Feds.    Then the court decides whether the Feds must produce the records anyway. Tough position for the government because it would be extremely difficult to argue that the phone call metadata itself is classified, since they are by law "business records" of a private party, the telco.  And this sets the stage for a flood of habeas corpus petitions by persons already convicted seeking new trials with NSA surveillance records disclosed. Easiest way out for the Feds is to claim that the records do not exist, but someone will have to sign a statement under penalty of perjury file to that effect.  If the Court orders disclosure, the Feds have a right of immediate appeal. So this one could win up in the Supreme Court very quickly (days, not months). Reading the Court's order, the judge seems predisposed to order production of the records. So stay tuned to this channel. I'm reminded that about a week ago, an MSNBC reporter blogged that he didn't think that the PRISM story "has legs" that will keep it in the news very long. He was wrong. 
Paul Merrell

How The FBI Actually Does Much Of The NSA's Spying, But Is Keeping That Quiet | Techdirt - 0 views

  • For all the focus on the NSA of late, a few folks have been trying to remind everyone that the FBI is heavily involved in all of this and, in many ways, has an equally bad if not worse record in abusing the rights of Americans. Many of the programs discussed were to retrieve information by the FBI or the NSA, and it turns out that the FBI often does much of the dirty work for the NSA, including interfacing with various companies to get access to data. We'd mentioned recently how the FBI was pushing tech companies to install "port readers" at both telco and tech companies (though, many tech firms were resisting), and also that the FBI had been ramping up their use of malware. Shane Harris, over at Foreign Policy has a nice profile on the FBI's Data Intercept Technology Unit, or DITU, who handles most of this work. It repeats the story of the port readers, but adds how the DITU is often the unit that works with tech companies and then passes info along to the NSA -- so some companies don't even realize they're dealing with the NSA, believing it's just via the FBI (not that this would make things any better). It also notes that the DITU tends to be made up of a lot of ex-telco guys who know very specifically how the telco networks work, something that at least some people at the telcos may be uncomfortable with the government knowing (though, again, the telcos seem much more willing to open up to the government than the tech companies).
  • It's an interesting profile all around, but at the end it gets even more interesting, as an ex-law enforcement source that Harris talks to highlights that without investigating what the DITU is up to, Congress' exploration of what's going on will be very incomplete. The former law enforcement official said Holder and Mueller should have offered testimony and explained how the FBI works with the NSA. He was concerned by reports that the NSA had not been adhering to its own minimization procedures, which the Justice Department and the FBI review and vouch for when submitting requests to the Foreign Intelligence Surveillance Court. "Where they hadn't done what was represented to the court, that's unforgivable. That's where I got sick to my stomach," the former law enforcement official said. "The government's position is, we go to the court, apply the law -- it's all approved. That makes for a good story until you find out what was approved wasn't actually what was done." That makes it sound like even more bad behavior is going to be revealed eventually...
  •  
    Yes, indeedy. 
Paul Merrell

What was the Israeli involvement in collecting U.S. communications intel for NSA? - Dip... - 0 views

  • Were Israeli companies Verint and Narus the ones that collected information from the U.S. communications network for the National Security Agency? The question arises amid controversy over revelations that the NSA has been collecting the phone records of hundreds of millions of Americans every day, creating a database through which it can learn whether terror suspects have been in contact with people in the United States. It also was disclosed this week that the NSA has been gathering all Internet usage - audio, video, photographs, emails and searches - from nine major U.S. Internet providers, including Microsoft and Google, in hopes of detecting suspicious behavior that begins overseas.
  • According to an article in the American technology magazine "Wired" from April 2012, two Israeli companies – which the magazine describes as having close connections to the Israeli security community – conduct bugging and wiretapping for the NSA. Verint, which took over its parent company Comverse Technology earlier this year, is responsible for tapping the communication lines of the American telephone giant Verizon, according to a past Verizon employee sited by James Bamford in Wired. Neither Verint nor Verizon commented on the matter.
  • Natus, which was acquired in 2010 by the American company Boeing, supplied the software and hardware used at AT&T wiretapping rooms, according to whistleblower Mark Klein, who revealed the information in 2004. Klein, a past technician at AT&T who filed a suit against the company for spying on its customers, revealed a "secret room" in the company's San Fransisco office, where the NSA collected data on American citizens' telephone calls and Internet surfing. Klein's claims were reinforced by former NSA employee Thomas Drake who testified that the agency uses a program produced by Narus to save the personal electrical communications of AT&T customers.  Both Verint and Narus have ties to the Israeli intelligence agency and the Israel Defense Forces intelligence-gathering unit 8200. Hanan Gefen, a former commander of the 8200 unit, told Forbes magazine in 2007 that Comverse's technology, which was formerly the parent company of Verint and merged with it this year, was directly influenced by the technology of 8200. Ori Cohen, one of the founders of Narus, told Fortune magazine in 2001 that his partners had done technology work for the Israeli intelligence.
  • ...2 more annotations...
  • "Nobody is listening to your telephone calls," Obama assured the nation after two days of reports that many found unsettling. What the government is doing, he said, is digesting phone numbers and the durations of calls, seeking links that might "identify potential leads with respect to folks who might engage in terrorism." If there's a hit, he said, "if the intelligence community then actually wants to listen to a phone call, they've got to go back to a federal judge, just like they would in a criminal investigation."
  • Obama said U.S. intelligence officials are looking at phone numbers and lengths of calls - not at people's names - and not listening in.
  •  
    It figures that the Israeli creators of the Stuxnet worm would be involved. And here we also get our reminder why Obama is lying. We hearken back to the days when several ISPs and Telcos were being sued in class actions for providing NSA with access to their subscriber's phone calls and internet traffic.  Those suits ended only after Congress passed legislation immunizing the companies from suit for collaboration with NSA. The net effect was to allow the NSA to continue eavesdropping. So it matters not that Prism allegedly only gets the communications metadata. NSA need only correlate the metadata with the actual communications obtained from the Telcos and ISPs.   
Paul Merrell

Obama concedes NSA bulk collection of phone data may be unnecessary | World news | theg... - 0 views

  • President Barack Obama has conceded that mass collection of private data by the US government may be unnecessary and said there were different ways of “skinning the cat”, which could allow intelligence agencies to keep the country safe without compromising privacy. In an apparent endorsement of a recommendation by a review panel to shift responsibility for the bulk collection of telephone records away from the National Security Agency and on to the phone companies, the president said change was necessary to restore public confidence. “In light of the disclosures, it is clear that whatever benefits the configuration of this particular programme may have, may be outweighed by the concerns that people have on its potential abuse,” Obama told an end-of-year White House press conference. “If it that’s the case, there may be a better way of skinning the cat.”
  • Though insisting he will not make a final decision until January, this is the furthest the president has gone in backing calls to dismantle the programme to collect telephone data, a practice the NSA claims has legal foundation under section 215 of the Patriot Act. This week, a federal judge said the program “very likely” violates the US constitution. “There are ways we can do this potentially that give people greater assurance that there are checks and balances, sufficient oversight and transparency,” Obama added. “Programmes like 215 could be redesigned in ways that give you the same information when you need it without creating these potentials for abuse. That’s exactly what we should be doing: to evaluate things in a very clear specific way and moving forward on changes. And that’s what I intend to do.”
  • The president would not comment on a suggestion last weekend by Richard Ledgett, the NSA official investigating the Snowden leaks, that an amnesty might be appropriate in exchange for the return of the data Snowden took from the agency. Obama said he could not comment specifically because Snowden was “under indictment”, something not previously disclosed. While the Justice Department filed a criminal complaint against Snowden on espionage-related charges in June, there has been no public subsequent indictment, although it is possible one exists under gag order. The Justice Department referred comment on a Snowden indictment to the White House. Caitlin Hayden, the chief spokeswoman for the White House National Security Council, clarified that Obama was referring to the criminal complaint against Snowden. It remains unclear if there is an indictment under seal. 
  • ...4 more annotations...
  • The president also went further than his review panel in suggesting the US needed to rein in its overseas surveillance activities. “We have got to provide more confidence to the international community. In a virtual world, some of these boundaries don’t matter any more,” he said. “The values that we have got as Americans are ones that we have to be willing to apply beyond our borders, perhaps more systematically than we have done in the past.”
  • Conspicuously, Obama declined to rebut one assessment from his surveillance review group – that the bulk collection of US call data was not essential to stopping a terrorist attack. Instead, he contended that there had been “no abuse” of the bulk phone data collection. But in 2009, a judge on the secret surveillance court prevented the NSA from searching through its databases of US phone information after discovering “daily violations” resulting from NSA searches of Americans’ phone records without reasonable suspicion of connections to terrorism. That data was inaccessible to the NSA for almost all of 2009, before the Fisa court was convinced the NSA had sufficient safeguards in place for preventing similar violations
  • In another indication of the shifting landscape on surveillance, the telecoms giant AT&T announced on Friday that it will begin publishing a semi-annual report about its complicity with government surveillance requests. AT&T followed its competitor Verizon, which announced a similar move on Thursday.
  • The first such report is expected for early 2014, Watts said. While technology firms like Yahoo and Google have pushed for greater transparency about providing their customer data to the government, the telecommunications firms – which have cooperated with the NSA since the agency’s 1952 inception – did not join them before the events of the past week.
  •  
    Movement on the NSA. Obama hints that the NSA's section 215 metadata collection will end, fesses up that Snowden has been criminally indicted, but declines to discuss whether Snowden might be pardoned in exchange for turning over his NSA document collection, notably not ruling it out. And finally, two of the giant telcos, AT&T and Verizon, have announced intent to do semi-annual public reports on their collaboration with government spy agencies. Amazing what a federal court decision can do, particularly when immediately followed by the president's own blue-ribbon panel report, both holding that the section 215 program has resulted in no terrorist attacks being prevented and that the program in unconstitutional. Obama finally reaches his tipping point. A good week for civil libertarians.   
Paul Merrell

CURIA - Documents - 0 views

  • 37      It must be stated that the interference caused by Directive 2006/24 with the fundamental rights laid down in Articles 7 and 8 of the Charter is, as the Advocate General has also pointed out, in particular, in paragraphs 77 and 80 of his Opinion, wide-ranging, and it must be considered to be particularly serious. Furthermore, as the Advocate General has pointed out in paragraphs 52 and 72 of his Opinion, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance.
  • 43      In this respect, it is apparent from recital 7 in the preamble to Directive 2006/24 that, because of the significant growth in the possibilities afforded by electronic communications, the Justice and Home Affairs Council of 19 December 2002 concluded that data relating to the use of electronic communications are particularly important and therefore a valuable tool in the prevention of offences and the fight against crime, in particular organised crime. 44      It must therefore be held that the retention of data for the purpose of allowing the competent national authorities to have possible access to those data, as required by Directive 2006/24, genuinely satisfies an objective of general interest.45      In those circumstances, it is necessary to verify the proportionality of the interference found to exist.46      In that regard, according to the settled case-law of the Court, the principle of proportionality requires that acts of the EU institutions be appropriate for attaining the legitimate objectives pursued by the legislation at issue and do not exceed the limits of what is appropriate and necessary in order to achieve those objectives (see, to that effect, Case C‑343/09 Afton Chemical EU:C:2010:419, paragraph 45; Volker und Markus Schecke and Eifert EU:C:2010:662, paragraph 74; Cases C‑581/10 and C‑629/10 Nelson and Others EU:C:2012:657, paragraph 71; Case C‑283/11 Sky Österreich EU:C:2013:28, paragraph 50; and Case C‑101/12 Schaible EU:C:2013:661, paragraph 29).
  • 67      Article 7 of Directive 2006/24, read in conjunction with Article 4(1) of Directive 2002/58 and the second subparagraph of Article 17(1) of Directive 95/46, does not ensure that a particularly high level of protection and security is applied by those providers by means of technical and organisational measures, but permits those providers in particular to have regard to economic considerations when determining the level of security which they apply, as regards the costs of implementing security measures. In particular, Directive 2006/24 does not ensure the irreversible destruction of the data at the end of the data retention period.68      In the second place, it should be added that that directive does not require the data in question to be retained within the European Union, with the result that it cannot be held that the control, explicitly required by Article 8(3) of the Charter, by an independent authority of compliance with the requirements of protection and security, as referred to in the two previous paragraphs, is fully ensured. Such a control, carried out on the basis of EU law, is an essential component of the protection of individuals with regard to the processing of personal data (see, to that effect, Case C‑614/10 Commission v Austria EU:C:2012:631, paragraph 37).69      Having regard to all the foregoing considerations, it must be held that, by adopting Directive 2006/24, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter.
  • ...13 more annotations...
  • 58      Directive 2006/24 affects, in a comprehensive manner, all persons using electronic communications services, but without the persons whose data are retained being, even indirectly, in a situation which is liable to give rise to criminal prosecutions. It therefore applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime. Furthermore, it does not provide for any exception, with the result that it applies even to persons whose communications are subject, according to rules of national law, to the obligation of professional secrecy. 59      Moreover, whilst seeking to contribute to the fight against serious crime, Directive 2006/24 does not require any relationship between the data whose retention is provided for and a threat to public security and, in particular, it is not restricted to a retention in relation (i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved, in one way or another, in a serious crime, or (ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offences.
  • 1        These requests for a preliminary ruling concern the validity of Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ 2006 L 105, p. 54).
  • Digital Rights Ireland Ltd (C‑293/12)vMinister for Communications, Marine and Natural Resources,Minister for Justice, Equality and Law Reform,Commissioner of the Garda Síochána,Ireland,The Attorney General,intervener:Irish Human Rights Commission, andKärntner Landesregierung (C‑594/12),Michael Seitlinger,Christof Tschohl and others,
  • JUDGMENT OF THE COURT (Grand Chamber)8 April 2014 (*)(Electronic communications — Directive 2006/24/EC — Publicly available electronic communications services or public communications networks services — Retention of data generated or processed in connection with the provision of such services — Validity — Articles 7, 8 and 11 of the Charter of Fundamental Rights of the European Union)In Joined Cases C‑293/12 and C‑594/12,
  • 34      As a result, the obligation imposed by Articles 3 and 6 of Directive 2006/24 on providers of publicly available electronic communications services or of public communications networks to retain, for a certain period, data relating to a person’s private life and to his communications, such as those referred to in Article 5 of the directive, constitutes in itself an interference with the rights guaranteed by Article 7 of the Charter. 35      Furthermore, the access of the competent national authorities to the data constitutes a further interference with that fundamental right (see, as regards Article 8 of the ECHR, Eur. Court H.R., Leander v. Sweden, 26 March 1987, § 48, Series A no 116; Rotaru v. Romania [GC], no. 28341/95, § 46, ECHR 2000-V; and Weber and Saravia v. Germany (dec.), no. 54934/00, § 79, ECHR 2006-XI). Accordingly, Articles 4 and 8 of Directive 2006/24 laying down rules relating to the access of the competent national authorities to the data also constitute an interference with the rights guaranteed by Article 7 of the Charter. 36      Likewise, Directive 2006/24 constitutes an interference with the fundamental right to the protection of personal data guaranteed by Article 8 of the Charter because it provides for the processing of personal data.
  • 65      It follows from the above that Directive 2006/24 does not lay down clear and precise rules governing the extent of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter. It must therefore be held that Directive 2006/24 entails a wide-ranging and particularly serious interference with those fundamental rights in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary.66      Moreover, as far as concerns the rules relating to the security and protection of data retained by providers of publicly available electronic communications services or of public communications networks, it must be held that Directive 2006/24 does not provide for sufficient safeguards, as required by Article 8 of the Charter, to ensure effective protection of the data retained against the risk of abuse and against any unlawful access and use of that data. In the first place, Article 7 of Directive 2006/24 does not lay down rules which are specific and adapted to (i) the vast quantity of data whose retention is required by that directive, (ii) the sensitive nature of that data and (iii) the risk of unlawful access to that data, rules which would serve, in particular, to govern the protection and security of the data in question in a clear and strict manner in order to ensure their full integrity and confidentiality. Furthermore, a specific obligation on Member States to establish such rules has also not been laid down.
  • 60      Secondly, not only is there a general absence of limits in Directive 2006/24 but Directive 2006/24 also fails to lay down any objective criterion by which to determine the limits of the access of the competent national authorities to the data and their subsequent use for the purposes of prevention, detection or criminal prosecutions concerning offences that, in view of the extent and seriousness of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, may be considered to be sufficiently serious to justify such an interference. On the contrary, Directive 2006/24 simply refers, in Article 1(1), in a general manner to serious crime, as defined by each Member State in its national law.61      Furthermore, Directive 2006/24 does not contain substantive and procedural conditions relating to the access of the competent national authorities to the data and to their subsequent use. Article 4 of the directive, which governs the access of those authorities to the data retained, does not expressly provide that that access and the subsequent use of the data in question must be strictly restricted to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating thereto; it merely provides that each Member State is to define the procedures to be followed and the conditions to be fulfilled in order to gain access to the retained data in accordance with necessity and proportionality requirements.
  • 55      The need for such safeguards is all the greater where, as laid down in Directive 2006/24, personal data are subjected to automatic processing and where there is a significant risk of unlawful access to those data (see, by analogy, as regards Article 8 of the ECHR, S. and Marper v. the United Kingdom, § 103, and M. K. v. France, 18 April 2013, no. 19522/09, § 35).56      As for the question of whether the interference caused by Directive 2006/24 is limited to what is strictly necessary, it should be observed that, in accordance with Article 3 read in conjunction with Article 5(1) of that directive, the directive requires the retention of all traffic data concerning fixed telephony, mobile telephony, Internet access, Internet e-mail and Internet telephony. It therefore applies to all means of electronic communication, the use of which is very widespread and of growing importance in people’s everyday lives. Furthermore, in accordance with Article 3 of Directive 2006/24, the directive covers all subscribers and registered users. It therefore entails an interference with the fundamental rights of practically the entire European population. 57      In this respect, it must be noted, first, that Directive 2006/24 covers, in a generalised manner, all persons and all means of electronic communication as well as all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime.
  • 62      In particular, Directive 2006/24 does not lay down any objective criterion by which the number of persons authorised to access and subsequently use the data retained is limited to what is strictly necessary in the light of the objective pursued. Above all, the access by the competent national authorities to the data retained is not made dependent on a prior review carried out by a court or by an independent administrative body whose decision seeks to limit access to the data and their use to what is strictly necessary for the purpose of attaining the objective pursued and which intervenes following a reasoned request of those authorities submitted within the framework of procedures of prevention, detection or criminal prosecutions. Nor does it lay down a specific obligation on Member States designed to establish such limits. 63      Thirdly, so far as concerns the data retention period, Article 6 of Directive 2006/24 requires that those data be retained for a period of at least six months, without any distinction being made between the categories of data set out in Article 5 of that directive on the basis of their possible usefulness for the purposes of the objective pursued or according to the persons concerned.64      Furthermore, that period is set at between a minimum of 6 months and a maximum of 24 months, but it is not stated that the determination of the period of retention must be based on objective criteria in order to ensure that it is limited to what is strictly necessary.
  • 52      So far as concerns the right to respect for private life, the protection of that fundamental right requires, according to the Court’s settled case-law, in any event, that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary (Case C‑473/12 IPI EU:C:2013:715, paragraph 39 and the case-law cited).53      In that regard, it should be noted that the protection of personal data resulting from the explicit obligation laid down in Article 8(1) of the Charter is especially important for the right to respect for private life enshrined in Article 7 of the Charter.54      Consequently, the EU legislation in question must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards so that the persons whose data have been retained have sufficient guarantees to effectively protect their personal data against the risk of abuse and against any unlawful access and use of that data (see, by analogy, as regards Article 8 of the ECHR, Eur. Court H.R., Liberty and Others v. the United Kingdom, 1 July 2008, no. 58243/00, § 62 and 63; Rotaru v. Romania, § 57 to 59, and S. and Marper v. the United Kingdom, § 99).
  • 26      In that regard, it should be observed that the data which providers of publicly available electronic communications services or of public communications networks must retain, pursuant to Articles 3 and 5 of Directive 2006/24, include data necessary to trace and identify the source of a communication and its destination, to identify the date, time, duration and type of a communication, to identify users’ communication equipment, and to identify the location of mobile communication equipment, data which consist, inter alia, of the name and address of the subscriber or registered user, the calling telephone number, the number called and an IP address for Internet services. Those data make it possible, in particular, to know the identity of the person with whom a subscriber or registered user has communicated and by what means, and to identify the time of the communication as well as the place from which that communication took place. They also make it possible to know the frequency of the communications of the subscriber or registered user with certain persons during a given period. 27      Those data, taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.
  • 32      By requiring the retention of the data listed in Article 5(1) of Directive 2006/24 and by allowing the competent national authorities to access those data, Directive 2006/24, as the Advocate General has pointed out, in particular, in paragraphs 39 and 40 of his Opinion, derogates from the system of protection of the right to privacy established by Directives 95/46 and 2002/58 with regard to the processing of personal data in the electronic communications sector, directives which provided for the confidentiality of communications and of traffic data as well as the obligation to erase or make those data anonymous where they are no longer needed for the purpose of the transmission of a communication, unless they are necessary for billing purposes and only for as long as so necessary.
  • On those grounds, the Court (Grand Chamber) hereby rules:Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC is invalid.
  •  
    EU Court of Justice decision in regard to a Directive that required communications data retention by telcos/ISPs, finding the Directive invalid as a violation of the right of privacy in communications. Fairly read, paragraph 59 outlaws bulk collection of such records, i.e., it requires the equivalent of a judge-issued search warrant in the U.S. based on probable cause to believe that the particular individual's communications are a legitimate object of a search.  Note also that paragraph 67 effectively forbids transfer of any retained data outside the E.U. So a barrier for NSA sharing of data with GCHQ derived from communications NSA collects from EU communications traffic. Bye-bye, Big Data for GCHQ in the E.U. 
Paul Merrell

REVEALED: GCHQ's BEYOND TOP SECRET Middle Eastern INTERNET SPY BASE * The Register - 0 views

  • Exclusive Above-top-secret details of Britain’s covert surveillance programme - including the location of a clandestine British base tapping undersea cables in the Middle East - have so far remained secret, despite being leaked by fugitive NSA sysadmin Edward Snowden. Government pressure has meant that some media organisations, despite being in possession of these facts, have declined to reveal them. Today, however, the Register publishes them in full.The secret British spy base is part of a programme codenamed “CIRCUIT” and also referred to as Overseas Processing Centre 1 (OPC-1). It is located at Seeb, on the northern coast of Oman, where it taps in to various undersea cables passing through the Strait of Hormuz into the Persian/Arabian Gulf. Seeb is one of a three site GCHQ network in Oman, at locations codenamed “TIMPANI”, “GUITAR” and “CLARINET”. TIMPANI, near the Strait of Hormuz, can monitor Iraqi communications. CLARINET, in the south of Oman, is strategically close to Yemen. British national telco BT, referred to within GCHQ and the American NSA under the ultra-classified codename “REMEDY”, and Vodafone Cable (which owns the former Cable & Wireless company, aka “GERONTIC”) are the two top earners of secret GCHQ payments running into tens of millions of pounds annually.
  • The actual locations of such codenamed “access points” into the worldwide cable backbone are classified 3 levels above Top Secret and labelled “Strap 3”. The true identities of the companies hidden behind codenames such as “REMEDY”, “GERONTIC”, “STREETCAR” or “PINNAGE” are classified one level below this, at “Strap 2”.After these details were withheld, the government opted not to move against the Guardian newspaper last year for publishing above-top-secret information at the lower level designated “Strap 1”. This included details of the billion-pound interception storage system, Project TEMPORA, which were revealed in 2013 and which have triggered Parliamentary enquiries in Britain and Europe, and cases at the European Court of Human Rights. The Guardian was forced to destroy hard drives of leaked information to prevent political embarrassment over extensive commercial arrangements with these and other telecommunications companies who have secretly agreed to tap their own and their customers’ or partners’ overseas cables for the intelligence agency GCHQ. Intelligence chiefs also wished to conceal the identities of countries helping GCHQ and its US partner the NSA by sharing information or providing facilities
  • According to documents revealed by Edward Snowden to journalists including Glenn Greenwald among others, the intelligence agency annually pays selected companies tens of millions of pounds to run secret teams which install hidden connections which copy customers' data and messages to the spooks’ processing centres. The GCHQ-contracted companies also install optical fibre taps or “probes” into equipment belonging to other companies without their knowledge or consent. Within GCHQ, each company has a special section called a “Sensitive Relationship Team” or SRT.BT and Vodafone/C&W also operate extensive long distance optical fibre communications networks throughout the UK, installed and paid for by GCHQ, NSA, or by a third and little known UK intelligence support organization called the National Technical Assistance Centre (NTAC).
  •  
    Report on GCHQ documents that The Guardian had agreed not to write about. Nice picture of the secret Seeb base.
Paul Merrell

Vodafone reveals existence of secret wires that allow state surveillance | Business | T... - 0 views

  • Vodafone, one of the world's largest mobile phone groups, has revealed the existence of secret wires that allow government agencies to listen to all conversations on its networks, saying they are widely used in some of the 29 countries in which it operates in Europe and beyond.The company has broken its silence on government surveillance in order to push back against the increasingly widespread use of phone and broadband networks to spy on citizens, and will publish its first Law Enforcement Disclosure Report on Friday. At 40,000 words, it is the most comprehensive survey yet of how governments monitor the conversations and whereabouts of their people.The company said wires had been connected directly to its network and those of other telecoms groups, allowing agencies to listen to or record live conversations and, in certain cases, track the whereabouts of a customer. Privacy campaigners said the revelations were a "nightmare scenario" that confirmed their worst fears on the extent of snooping.
  • Vodafone's group privacy officer, Stephen Deadman, said: "These pipes exist, the direct access model exists."We are making a call to end direct access as a means of government agencies obtaining people's communication data. Without an official warrant, there is no external visibility. If we receive a demand we can push back against the agency. The fact that a government has to issue a piece of paper is an important constraint on how powers are used."Vodafone is calling for all direct-access pipes to be disconnected, and for the laws that make them legal to be amended. It says governments should "discourage agencies and authorities from seeking direct access to an operator's communications infrastructure without a lawful mandate".
  • Peter Micek, policy counsel at the campaign group Access, said: "In a sector that has historically been quiet about how it facilitates government access to user data, Vodafone has for the first time shone a bright light on the challenges of a global telecom giant, giving users a greater understanding of the demands governments make of telcos. Vodafone's report also highlights how few governments issue any transparency reports, with little to no information about the number of wiretaps, cell site tower dumps, and other invasive surveillance practices."
  • ...2 more annotations...
  • In America, Verizon and AT&T have published data, but only on their domestic operations. Deutsche Telekom in Germany and Telstra in Australia have also broken ground at home. Vodafone is the first to produce a global survey.
  • Snowden, the National Security Agency whistleblower, joined Google, Reddit, Mozilla and other tech firms and privacy groups on Thursday to call for a strengthening of privacy rights online in a "Reset the net" campaign.Twelve months after revelations about the scale of the US government's surveillance programs were first published in the Guardian and the Washington Post, Snowden said: "One year ago, we learned that the internet is under surveillance, and our activities are being monitored to create permanent records of our private lives – no matter how innocent or ordinary those lives might be. Today, we can begin the work of effectively shutting down the collection of our online communications, even if the US Congress fails to do the same."
  •  
    The Vodafone disclosures will undoubtedly have a very large ripple effect. Note carefully that this is the first major telephone service in the world to break ranks with the others and come out swinging at secret government voyeur agencies. Will others follow. If you follow the links to the Vodafone report, you'll find a very handy big PDF providing an overview of the relevant laws in each of the customer nations. There's a cute Guardian table that shows the aggregate number of warrants for interception of content via Vodafone for each of those nations, broken down by content type. That table has white-on-black cells noting where disclosure of those types of surveillance statistics are prohibited by law. So it is far from a complete picture, but it's a heck of a good start.  But several of those customer nations are members of the E.U., where digital privacy rights are enshrined as human rights under an EU-wide treaty. So expect some heat to roll downhill on those nations from the European treaty organizations, particularly the European Court of Human Rights, staffed with civil libertarian judges, from which there is no appeal.     
Paul Merrell

Operation Socialist: How GCHQ Spies Hacked Belgium's Largest Telco - 0 views

  • When the incoming emails stopped arriving, it seemed innocuous at first. But it would eventually become clear that this was no routine technical problem. Inside a row of gray office buildings in Brussels, a major hacking attack was in progress. And the perpetrators were British government spies. It was in the summer of 2012 that the anomalies were initially detected by employees at Belgium’s largest telecommunications provider, Belgacom. But it wasn’t until a year later, in June 2013, that the company’s security experts were able to figure out what was going on. The computer systems of Belgacom had been infected with a highly sophisticated malware, and it was disguising itself as legitimate Microsoft software while quietly stealing data. Last year, documents from National Security Agency whistleblower Edward Snowden confirmed that British surveillance agency Government Communications Headquarters was behind the attack, codenamed Operation Socialist. And in November, The Intercept revealed that the malware found on Belgacom’s systems was one of the most advanced spy tools ever identified by security researchers, who named it “Regin.”
  • The full story about GCHQ’s infiltration of Belgacom, however, has never been told. Key details about the attack have remained shrouded in mystery—and the scope of the attack unclear. Now, in partnership with Dutch and Belgian newspapers NRC Handelsblad and De Standaard, The Intercept has pieced together the first full reconstruction of events that took place before, during, and after the secret GCHQ hacking operation. Based on new documents from the Snowden archive and interviews with sources familiar with the malware investigation at Belgacom, The Intercept and its partners have established that the attack on Belgacom was more aggressive and far-reaching than previously thought. It occurred in stages between 2010 and 2011, each time penetrating deeper into Belgacom’s systems, eventually compromising the very core of the company’s networks.
  • When the incoming emails stopped arriving, it seemed innocuous at first. But it would eventually become clear that this was no routine technical problem. Inside a row of gray office buildings in Brussels, a major hacking attack was in progress. And the perpetrators were British government spies. It was in the summer of 2012 that the anomalies were initially detected by employees at Belgium’s largest telecommunications provider, Belgacom. But it wasn’t until a year later, in June 2013, that the company’s security experts were able to figure out what was going on. The computer systems of Belgacom had been infected with a highly sophisticated malware, and it was disguising itself as legitimate Microsoft software while quietly stealing data. Last year, documents from National Security Agency whistleblower Edward Snowden confirmed that British surveillance agency Government Communications Headquarters was behind the attack, codenamed Operation Socialist. And in November, The Intercept revealed that the malware found on Belgacom’s systems was one of the most advanced spy tools ever identified by security researchers, who named it “Regin.”
  • ...7 more annotations...
  • Snowden told The Intercept that the latest revelations amounted to unprecedented “smoking-gun attribution for a governmental cyber attack against critical infrastructure.” The Belgacom hack, he said, is the “first documented example to show one EU member state mounting a cyber attack on another…a breathtaking example of the scale of the state-sponsored hacking problem.”
  • Publicly, Belgacom has played down the extent of the compromise, insisting that only its internal systems were breached and that customers’ data was never found to have been at risk. But secret GCHQ documents show the agency gained access far beyond Belgacom’s internal employee computers and was able to grab encrypted and unencrypted streams of private communications handled by the company. Belgacom invested several million dollars in its efforts to clean-up its systems and beef-up its security after the attack. However, The Intercept has learned that sources familiar with the malware investigation at the company are uncomfortable with how the clean-up operation was handled—and they believe parts of the GCHQ malware were never fully removed.
  • The revelations about the scope of the hacking operation will likely alarm Belgacom’s customers across the world. The company operates a large number of data links internationally (see interactive map below), and it serves millions of people across Europe as well as officials from top institutions including the European Commission, the European Parliament, and the European Council. The new details will also be closely scrutinized by a federal prosecutor in Belgium, who is currently carrying out a criminal investigation into the attack on the company. Sophia in ’t Veld, a Dutch politician who chaired the European Parliament’s recent inquiry into mass surveillance exposed by Snowden, told The Intercept that she believes the British government should face sanctions if the latest disclosures are proven.
  • What sets the secret British infiltration of Belgacom apart is that it was perpetrated against a close ally—and is backed up by a series of top-secret documents, which The Intercept is now publishing.
  • Between 2009 and 2011, GCHQ worked with its allies to develop sophisticated new tools and technologies it could use to scan global networks for weaknesses and then penetrate them. According to top-secret GCHQ documents, the agency wanted to adopt the aggressive new methods in part to counter the use of privacy-protecting encryption—what it described as the “encryption problem.” When communications are sent across networks in encrypted format, it makes it much harder for the spies to intercept and make sense of emails, phone calls, text messages, internet chats, and browsing sessions. For GCHQ, there was a simple solution. The agency decided that, where possible, it would find ways to hack into communication networks to grab traffic before it’s encrypted.
  • The Snowden documents show that GCHQ wanted to gain access to Belgacom so that it could spy on phones used by surveillance targets travelling in Europe. But the agency also had an ulterior motive. Once it had hacked into Belgacom’s systems, GCHQ planned to break into data links connecting Belgacom and its international partners, monitoring communications transmitted between Europe and the rest of the world. A map in the GCHQ documents, named “Belgacom_connections,” highlights the company’s reach across Europe, the Middle East, and North Africa, illustrating why British spies deemed it of such high value.
  • Documents published with this article: Automated NOC detection Mobile Networks in My NOC World Making network sense of the encryption problem Stargate CNE requirements NAC review – October to December 2011 GCHQ NAC review – January to March 2011 GCHQ NAC review – April to June 2011 GCHQ NAC review – July to September 2011 GCHQ NAC review – January to March 2012 GCHQ Hopscotch Belgacom connections
Paul Merrell

Wikimedia v. NSA: Another Court Blinds Itself to Mass NSA Surveillance | Electronic Fro... - 0 views

  • We all know justice is blind. But that is supposed to mean that everyone before it is treated equally, not that the justice system must close its eyes and refuse to look at important legal issues facing Americans.  Yet the government continues to convince courts that they cannot consider the constitutionality of its behavior in national security cases and, last week, in an important case for anyone who has ever used Wikipedia, another judge agreed with that position.  A federal district judge in Maryland dismissed Wikimedia v. NSA, a case challenging the legality of the NSA’s “upstream” surveillance—mass surveillance of Internet communications as they flow through the Internet backbone. The case was brought by our friends at the ACLU on behalf of nine plaintiffs, including human rights organizations, members of the media, and the Wikimedia Foundation.1 We filed a brief in the case, too, in support of Wikimedia and the other plaintiffs. The judge dismissed the case based on a legal principle called standing. Standing is supposed to ensure, among other things, that the party bringing the lawsuit has suffered a concrete harm, caused by the party being sued, and that the court can resolve the harm with a favorable ruling.
  • But the U.S. government has taken this doctrine, which was intended to limit the cases federal courts hear to actual live controversies, and turned it into a perverse shell game in surveillance cases—essentially arguing that because aspects of the surveillance program are secret, plaintiffs cannot prove that their communications were actually, in fact, intercepted and surveilled. And without that proof, the government argues, there’s no standing, because plaintiffs can’t show that they’ve suffered harm. Sadly, like several other courts before it, the judge agreed to this shell game and decided that it couldn’t decide whether the constitutional rights of Wikimedia and the other plaintiffs were violated.  This game is mighty familiar to us at EFF, but that doesn’t make it any less troubling. In our system, the courts have a fundamental obligation to conclusively determine the legality of government action that affects individuals’ constitutional rights. For years now, plaintiffs have tried to get the courts to simply issue a ruling on the merits of NSA surveillance programs. And for years, the government has successfully persuaded the courts to rely on standing and related doctrines to avoid doing so. That is essentially what happened here. The court labeled as “speculative” Wikimedia’s claim that, at a minimum, even one of its approximately one trillion Internet communications had been swept up in the NSA’s upstream surveillance program. Remember, this is a program that, by the government’s own admission, involves the searching and scanning of vast amounts of Internet traffic at key Internet junctures on the Internet’s backbone. Yet in court’s view, Wikimedia’s allegations describing upstream—based on concrete facts, taken from government documents— coupled with a plaintiff that engages in a large volume of internet communications were not enough to state a “plausible” claim that Wikimedia had been surveilled.
  • On the way to reaching that conclusion, and putting on its blindfold, the court made a number of mistakes. The Government’s Automated Eyes Are Still Government Eyes First, it appears the court fundamentally misunderstood Wikimedia’s claim about upstream surveillance and, in particular, “about surveillance.” As Wikimedia alleged, “about surveillance” (a specific aspect of upstream surveillance that searches the content of communications for references to particular email addresses or other identifiers) amounts to “the digital analogue of having a government agent open every piece of mail that comes through the post to determine whether it mentions a particular word or phrase.” The court held, however, that this type of “about” surveillance was “targeted insofar as it makes use of only those communications that contain information matching the tasked selectors,” like email addresses. But what the government "makes use of" is entirely beside the point—it is the scanning of the communications for the tasked selectors in the first place that is the problem.  To put it into a different context, the government conducts a search when it enters into your house and starts rifling through your files—not just when it finds something it wants to keep. The government's ultimate decision to “make use of” the communications it finds interesting is irrelevant. It is the search of the communications that matters.
  • ...2 more annotations...
  • Back of the Envelope Gymnastics Another troubling aspect of the court’s decision was its attack on the probabilities Wikimedia assigned to the likelihood of its communications being intercepted. Given that Wikimedia engages in a large volume of Internet communications, Wikimedia alleged that—even assuming a .00000001% chance that any one particular communication is intercepted—it would still have a 99.9999999999% of having one of its communications intercepted. The statistic was used to illustrate that, even assuming very low probabilities for interception, there was still a near-certainty that Wikipedia’s traffic was collected. But the court attacked Wikimedia’s simple statistical analysis (and the attack tracked, to a great degree, arguments made in the government’s declarations that the court purportedly did not consider). The court seemed to believe it had seized upon a great flaw in Wikimedia’s case by observing that, if the probability of any given communication being intercepted were decreased 100% or 1000%, the probability of one of Wikimedia’s communications being intercepted would similarly drop. The “mathematical gymnastics” the court believed it had unearthed were nothing more than Wikimedia using an intentionally small (and admittedly arbitrary) probability to illustrate the high likelihood that its communications had been swept up. But even if the court disagreed with the probabilities Wikimedia relied on, it’s not at all clear why that would justify dismissing the case at the outset. If it turned out, after development of the record, that the probabilities were off, then dismissal might be appropriate. But the court cut the case off before Wikimedia had the opportunity to introduce evidence or other facts that might support the probability they assigned.
  • Someone Else Probably Has Standing, Right? Perhaps most troubling was the court’s mistaken belief that the legality of upstream surveillance could be challenged in other ways, beyond civil cases like Wikimedia or our ongoing case, Jewel v. NSA. The court asserted its decision would not insulate upstream from judicial review, which—according to the court—could still receive judicial scrutiny through (1) review from the Foreign Intelligence Surveillance Court (FISC), (2) a challenge by a criminal defendant, or (3) a challenge from an electronic service provider. None of these options is truly a viable alternative, however. First, the FISC (until very recently) did not have adversarial proceedings—it only heard from the government, and its proceedings remain both far more limited and more secretive than a regular court’s. Second, a challenge from a criminal defendant won’t work either, because, to date, the government has explicitly refused to disclose—even where defendants are notified of the use of FISA surveillance—whether their communications were obtained using upstream surveillance. And, finally, in the nearly 15 years (or more) the government has conducted upstream surveillance, we’re not aware of any service provider that has challenged the legality of the practice. Indeed, given that upstream is done with the cooperation of telecoms like AT&T and Verizon—the same telcos that did not challenge the NSA’s bulk collection of Americans’ call records for over a decade—we're not holding our breath for a challenge anytime soon. Instead, we need the courts to tackle these cases. Upstream surveillance presents unique constitutional issues that no federal court has seriously addressed. It's time the federal courts stepped up to the challenge.
  •  
    The notion that the government can intentionally violate the privacy rights of its citizens yet a court find that those citizens have no right to seek redress announces a view that privacy rights are hollow --- that those wronged by government malfeasance have no remedy in the courts of our nation. That is a view that must be thrown in the dustbins of history if freedom is to be preserved. 
1 - 10 of 10
Showing 20 items per page