Techdirt. Stories filed under "spying"

Saudi Arabian Telco Asks Pro-Privacy Researcher To Help Them Spy On Citizens, Hilarity & Then Seriousness Ensues

Mike Masnick — Tue, 14 May 2013 11:56:19 PDT

Via Chris Soghoian, we learn that a Saudi Arabian telecom company (one of just two) contacted well-known pro-privacy researcher Moxie Marlinspike recently to see if he might help them intercept communications from a variety of popular communications apps, including Twitter, Viber, Line and WhatsApp. Curious about what they wanted, Marlinspike emailed with them a bit, and then published what he was told -- including the fact that they later told him they very quickly and easily figured out how to intercept WhatsApp communications. Eventually, he told them that he wouldn't work with them, and the guy he was communicating with told him by not helping the Saudi government intercept communications, he was helping the terrorists:

I know that already and I have same thoughts like you freedom and respecting privacy, actually Saudi has a big terrorist problem and they are misusing these services for spreading terrorism and contacting and spreading their cause that’s why I took this and I seek your help. If you are not interested than maybe you are on indirectly helping those who curb the freedom with their brutal activities.

From there, however, Marlinspike goes on into a very interesting discussion, well worth reading, about changes in the hacker/security community lately and the lucrative business of selling 0day exploits (often to governments) rather than publishing them and getting things fixed.

Forgetting the question of legality, I hope that we can collectively look at this changing dynamic and perhaps re-evaluate what we culturally reward. I’d much rather think about the question of exploit sales in terms of who we welcome to our conferences, who we choose to associate with, and who we choose to exclude, than in terms of legal regulations. I think the contextual shift we’ve seen over the past few years requires that we think critically about what’s still cool and what’s not.

Maybe this is an unpopular opinion and the bulk of the community is totally fine with how things have gone (after all, it is profitable). There are even explicitly patriotic hackers who suggest that their exploit sales are necessary for the good of the nation, seeing themselves as protagonists in a global struggle for the defense of freedom, but having nothing to do with these ugly situations in Saudi Arabia. Once exploits are sold to US defense contractors, however, it’s very possible they could end up delivered directly to the Saudis (eg, eg, eg), where it would take some even more substantial handwaving to think that they’ll serve in some liberatory way.

Exploits will be exploited. Helping anyone to make use of them means that eventually they're going to get exploited by others in ways you might not agree with.

Permalink | Comments | Email This Story

Did FBI Counterterrorism Agent Reveal That Feds Now Record All Phone Calls?

Mike Masnick — Tue, 7 May 2013 13:24:42 PDT

It's long been assumed (or hinted at very strongly by a variety of evidence) that the feds have been making and collecting copies of pretty much every digital communication available. A whistleblower from AT&T more or less revealed the details on that. The NSA's ability to collect all this data is well documented, and people are just now coming to terms with the legal loopholes used to justify this mass sweeping up of communications.

However, for the most part, it was believed that the content of phone calls was not included in this broad sweep. While it's well known that law enforcement can get a wiretap on your phone if they suspect something, there was little indication that other calls are being recorded. Similarly, information about who you called and when you spoke to them tends to be easy for law enforcement to get. However, Glenn Greenwald is noting that a former FBI counterterrorism agent, Tim Clemente, went on TV, and in discussing the investigation of Katherine Russell (the wife of deceased accused Boston bomber Tamerlan Tsarnaev) has clearly said that the contents of historical phone calls are also available to the feds.

BURNETT: Tim, is there any way, obviously, there is a voice mail they can try to get the phone companies to give that up at this point. It's not a voice mail. It's just a conversation. There's no way they actually can find out what happened, right, unless she tells them?
CLEMENTE: "No, there is a way. We certainly have ways in national security investigations to find out exactly what was said in that conversation. It's not necessarily something that the FBI is going to want to present in court, but it may help lead the investigation and/or lead to questioning of her. We certainly can find that out.

BURNETT: "So they can actually get that? People are saying, look, that is incredible.

CLEMENTE: "No, welcome to America. All of that stuff is being captured as we speak whether we know it or like it or not."

It's possible this was an exaggeration, but when questioned about this particular point later, Clemente again insisted that it was the case and specifically added that "all digital communications in the past" are recorded and stored. Of course, again, he may have misspoken. Or he may be exaggerating for effect. There's also the possibility that Tamerlan's phone calls were actually being tapped given the earlier investigation of him for possible terrorist connections.

So there are numerous possibilities here, but it is still a case of an FBI counterterrorism agent claiming, multiple times, that the contents of all phone calls are being recorded, which, if true, would be quite a revelation (and probably not something Clemente is supposed to be revealing via an interview with the media). At the very least, it would be good for there to be some serious follow up on this to find out how true Clemente's claims really are.

Permalink | Comments | Email This Story

New Zealand Wants New Spying Powers To Legalize Illegal Spying On Kim Dotcom And Others

Mike Masnick — Mon, 6 May 2013 11:04:26 PDT

You may recall that in the course of the case against Kim Dotcom in New Zealand, it was revealed that the New Zealand intelligence service, the Government Communications Security Bureau (GCSB), illegally wiretapped and spied on Kim Dotcom. The GCSB's mandate is that it can only spy on foreign communications, but used its powers illegally domestically. While NZ prime minister John Key apologized for the episode, it has raised lots of questions about his role in the whole matter -- and when he knew the law was being broken. Other info has come out as well, including attempts to cover up the illegal surveillance, and the fact that the GCSB illegally spied on nearly 100 people. Dotcom is now suing the government over this whole mess.

Given all that, you might think that PM Key would be focused on putting in place safeguards to stop the system from being so abused in the future. Not so. Instead, as reader aster points out, Key is now trying to change the law to make it easier to spy on citizens and others in the country. In other words, he's seeking to legalize domestic spying for the intelligence agency. The new proposal would allow for domestic spying on citizens and residents if approved by PM Key. As if he didn't already appear untrustworthy in the matter, he's now suggesting that because it has to go through him, it'll somehow avoid abuses? Opposition politicians are pointing out how laughable it is that Key is now asking people to trust him personally that such spying powers won't be abused.

Permalink | Comments | Email This Story

Investigation Into Illegal Spying On Kim Doctom Reveals NZ Intelligence Illegally Spied On 85 People

Mike Masnick — Tue, 9 Apr 2013 14:56:11 PDT

Remember how the New Zealand intelligence organization GCSB (Government Communications Security Bureau) had to admit that it had illegally spied on Kim Dotcom? That kicked off an investigation that has now revealed that the GCSB illegally spied on somewhere around 85 people.

GCSB director Ian Fletcher said in February that his agency did not illegally spy on anyone else on behalf of law enforcement agencies.

But the Kitteridge report contradicts this - questioning the lawfulness of GCSB surveillance involving 85 New Zealanders. The agency is forbidden from spying on anyone with citizenship or permanent residence here.

The illegal spying was conducted between April 2003 and September last year and done on behalf of the Security Intelligence Service, the domestic spy agency.

But wait... there's more. The report also found that it's likely GCSB violated other laws as well, including the Privacy Act and the Defence Act. Not surprisingly, the report also finds a mess of an agency with terrible management, poor record-keeping and little oversight. Shocking, isn't it, that such conditions would lead to abuse of power and illegal surveillance, huh?

Permalink | Comments | Email This Story

DOJ Trying To Hide Secret Interpretations Of The Law Because You'd All DIE!!!!

Mike Masnick — Thu, 4 Apr 2013 12:05:54 PDT

It's kind of sad that anyone could possibly think that it's okay for the government to have secret interpretations of the law in a free and open society. "The law" is more than just the legislation itself, but the collection of caselaw and interpretations, combined with the legislation, that make up the overall "law." If some of those interpretations are kept secret, then how can the public obey the law? The answer is that they can't -- which is why secret interpretations shouldn't be allowed. The Justice Department, however, prefers to keep some things secret, and it's asking the court to dismiss a lawsuit filed by the EFF seeking to find out how the Foreign Intelligence Surveillance Court is interpreting parts of the FISA Amendments Act, after it was revealed (late on a Friday) that the court found at least one situation in which the feds collected info in violation of the 4th Amendment.

The EFF figured the public should know the details. The DOJ on the other hand... would rather the public stay in the dark. The DOJ actually suggests that merely revealing the fact that they got slapped down by the FISC provides enough "balance."

Last summer, in an effort to strike the right balance between government transparency and the protection of critical intelligence activities, the government declassified four statements concerning its activities pursuant to Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) Amendments Act of 2008. Not content with that disclosure, Electronic Frontier Foundation (“EFF” or “Plaintiff”) submitted a Freedom of Information Act (“FOIA”) request seeking additional information related to two of the declassified statements, specifically, that on at least one occasion the Foreign Intelligence Surveillance Court (“FISC”) “held that some collection carried out pursuant to the Section 702 minimization procedures used by the government was unreasonable under the Fourth Amendment” and that “on at least one occasion the FISA Court has reached th[e ] conclusion” that “the government’s implementation of Section 702 of FISA has sometimes circumvented the spirit of the law.”

And thus, we should be satisfied with that and want no more. Also, you don't want to know what kind of hell would break loose if the DOJ had to reveal how the law was actually interpreted. I mean, we'd all die or something very close to it, judging by the DOJ's language.

The government has determined that disclosure of the information withheld from Plaintiff could result in exceptionally grave and serious damage to the national security. Plaintiff obviously cannot contend otherwise. The Court accordingly should defer to the government’s determination in this case, uphold the Department’s withholdings, and grant this motion.

Basically, we've determined that you're all better off not knowing this information, and you should trust us because it's not like we have any incentives to lie (though, of course, we do). Also: boo!

Thankfully, more people are realizing just how ridiculous this is. The Washington Post has put out an editorial slamming the DOJ for its position:

Yet, as the amicus brief points out, the OLC’s opinions aren’t some intermediary step toward establishing the final legal interpretations for the executive branch. In general, they are the final legal interpretations for the executive branch. The FBI could choose to exercise the authority that the OLC said it had — or not — but Congress, the judiciary and the public at large all deserve to know what the executive branch thinks it can do, once it issues a conclusive opinion.

In other words, it's not right that the government can determine its own secret interpretations of the law, and it's time for the courts to put a stop to this.

Permalink | Comments | Email This Story

Homeland Security 'Fusion' Center Director: We're Not Spying On Americans... Just Anti-Government Americans

Mike Masnick — Wed, 3 Apr 2013 04:51:17 PDT

You may recall that, last fall, a Congressional investigation completely slammed Homeland Security's "Fusion Centers" -- noting that despite DHS insisting that they were critical to "fighting terrorism," the actual evidence showed that they had done nothing helpful in the fight against terrorism, but were instead chock full of wasteful (possibly fraudulent) spending... and with an added dose of civil liberties violations (just for fun).

Apparently, the Fusion Centers are trying to rehabilitate their own image, but they might want to send their officials to press training a bit more before sending them out into the wild. Reason alerts us to an interview that the director of the Arkansas State Fusion Center did with some local TV stations in which he appears to completely contradict himself -- first arguing that the Fusion Centers don't spy on Americans... and then saying they spy on "anti-government" Americans. First, there was this:

"There's misconceptions on what fusion centers are," he says. "The misconceptions are that we are conducting spying operations on US citizens, which is of course not the fact. That is absolutely not what we do."

Okay then. We've established won't you don't do. So, tell us, what do you do?

Davis says Arkansas hasn't collected much information about international plots, but they do focus on groups closer to home.

"We focus a little more on that, domestic terrorism and certain groups that are anti-government," he says. "We want to kind of take a look at that and receive that information."

Okay, hold on a second here. It would seem that his first statement is completely proven untrue by that second statement. Unless he's arguing that if someone classifies you as "anti-government" then you're no longer a US citizen, which would be a rather unique (and wrong) interpretation of the Constitution.

Elsewhere in the article, Davis defends what he does by playing the patriotism card, in which he can't actually explain what good he's doing, but just the fact that he's "doing something" after 9/11 is important.

"I do what I do because of what happened on 9/11," Davis says. "There's this urge and this feeling inside that you want to do something, and this is a perfect opportunity for me."

This line of argument is such ridiculously lazy and dangerous thinking. People who feel they need to "do something!" without caring as to what that something is or (more importantly) if it actually helps (or hurts) are not doing anyone any favors. They're just bound to cause more trouble.

Permalink | Comments | Email This Story

Justice Department 'Complies' With FOIA Request For GPS Tracking Memos; Hands ACLU 111 Fully Redacted Pages

Tim Cushing — Thu, 17 Jan 2013 13:16:00 PST

Just recently, we learned that the EFF had been handed what appeared to be several pages of severe formatting errors and faulty Morse code in response to its FOIA request for the secret interpretation of the FISA spying law. There were also the "sobering findings" faux-released by the NSA, which left in only enough unredacted wording to open speculation on these "sobering findings," as well as to publicly lament the surely misguided public debate on the super-secret agency's actions. Now, the news comes to us that the FBI has handed the ACLU a stack of papers that would make any toner supplier very happy.

The ACLU filed a FOIA request last July in hopes of receiving some insight into the FBI's tracking of US citizens via GPS devices. Two months later, it filed a lawsuit against the FBI, forcing the issue. At long last, the FBI has responded... with 111 pages of black ink.

Two key memos outlining the Justice Department's views about when Americans can be surreptitiously tracked with GPS technology are being kept secret by the department despite a Freedom of Information Act lawsuit filed by the ACLU to force their release. The FBI’s general counsel discussed the existence of the two memos publicly last year, yet the Justice Department is refusing to release them without huge redactions.

The word "see" is obviously some sort of joke because there's absolutely nothing to "see" here, unless you consider To, From and Subject fields to be the "smoking gun." Oh, and this one paragraph that leads into 56 straight pages of black ink.

In United States v. Jones, 132 S. Ct. 945 (2012), the Supreme Court affirmed the suppression of location data generated by a GPS tracking device surreptitiously affixed to a car without court authorization and monitored continuously over a 28-day period.

Yep, that's the power of the FOIA. All the black ink (or blank pages) you could possibly want, delivered months after they're requested. The redactions on these two documents obviously goes far beyond simply protecting sensitive information that might jeopardize ongoing investigations. This is nothing more than the DOJ covering up unconstitutional practices.

The Justice Department's unfortunate decision leaves Americans with no clear understanding of when we will be subjected to tracking — possibly for months at a time — or whether the government will first get a warrant. This is yet another example of secret surveillance policies — like the Justice Department's secret opinions about the Patriot Act's Section 215 — that simply should not exist in a democratic society.

The ACLU is asking the court to order the DOJ to release these memos in full. The Fourth Amendment's reasonable expectation of privacy is undermined by these secret memos, which limit knowledge of law enforcement tracking efforts solely to the executive branch.

The implications of these withheld documents go even further than discussing GPS tracking. FBI General Counsel Andrew Weissman's explanation of the second memo ("Guidance Regarding the Application of United States v. Jones to Additional Investigative Techniques") leaves the door open for tracking via other technology.

[The] second memoranda [sic] is going to be about guidance about what this means for other types of techniques, beyond GPS, because there's no reason to think that this is going to just end with GPS and some of that is going to be very much a judgment call.

It's already common knowledge that law enforcement agencies are using cell phone tracking. As the ACLU points out, wireless carriers already receive 1.5 million requests for data every year, most of which is used for location tracking. Additional technology, such as drones or license plate readers, make endless surveillance a logistic reality, and all without a warrant.

A fully-redacted document doesn't seem to indicate that the FBI is operating within the constraints of United States v. Jones. It signals the very opposite and provides us with another example of how government agencies, when faced with constitutional limitations, are more than happy to simply "interpret" their way around them -- and keep these interpretations out of public view, perhaps indefinitely. It's extremely hypocritical for the FBI and DOJ to sit in a position of law enforcement when they clearly believe abiding by the law is optional.

Doj Gps Tracking memo1 (PDF)Doj Gps Tracking memo1 (Text)

Doj Post Jones Tracking memo1 (PDF)Doj Post Jones Tracking memo1 (Text)

Permalink | Comments | Email This Story

EPIC Sues CIA For Release Of Documents Concerning Domestic Spying It Swears It's Not Doing

Tim Cushing — Fri, 28 Dec 2012 12:24:00 PST

We've written several times before about domestic spying being performed by the government agencies, most of which is performed under the protective guise of "national security" as part of the "War on Terror." The end result tends to be diminished rights rather than something more positive, like "terrorists caught."

The Electronic Privacy Information Center (EPIC) has been looking into the CIA's involvement in domestic surveillance, something the CIA is definitely not supposed to be doing.

Beginning in 2011, a series of investigative articles by the Associated Press ("AP") revealed that the New York Police Department ("NYPD") conducted extensive surveillance of Muslims and persons of Arab descent in New York, New Jersey, and elsewhere. The NYPD’s activities included photographing members of the Muslim community as they entered mosques, infiltrating Muslim student groups, and monitoring Muslim stores and businesses. According to the AP, the “police subjected entire neighborhoods to surveillance and scrutiny, often because of the ethnicity of the residents, not because of any accusations of crimes.” The AP also reported, “many of these operations were built with help from the CIA [Central Intelligence Agency], which is prohibited from spying on Americans but was instrumental in transforming the NYPD's intelligence unit after 9/11.”

This looks like the CIA is at the very least heavily involved with domestic surveillance, if not actually doing the surveillance itself. The "investigations" themselves are questionable enough even without the possibility of a departmental "misstep" by the CIA, generally consisting of paid informants infiltrating the Muslim community and amassing as much information as possible when not attempting to bait community members into saying something inflammatory.

This new "elite" NYPD agency has been given leeway to assemble a massive database on the Muslim community and its activities and, to date, has produced nothing in the way of useful leads. Despite this fact, the operations continue undeterred and everyone from the NYC police commissioner to various CIA spokespersons have acknowledged the CIA's ongoing "collaborative relationship" with the NYPD domestic spying program.

According to the CIA, the agency isn't performing the surveillance itself and is, therefore, staying within its legal boundaries.

In December 2011 the Associated Press described an investigation by the CIA Inspector General regarding the agency’s collaboration with NYPD. CIA spokesman Preston Golson acknowledged the existence of this investigation and stated that the agency's Inspector General concluded that no laws were broken and there was “no evidence that any part of the agency's support to the NYPD constituted 'domestic spying.”

In essence, the CIA aids with the spying, but doesn't actually perform the spying. Golson's statement in reference to the internal investigation is obviously meant to be the final word on the matter, but relies heavily on the public's credulity in regards to secretive agencies conducting in-house investigations whose results remain hidden from view. In that respect, Golson's statement failed miserably.

According to USA Today, “The revelations troubled some members of Congress and even prompted the director of national intelligence, James Clapper, to remark that it did not look good for the CIA to be involved in any city police department. Thirty-four lawmakers have asked for the Justice Department to investigate but so far that request has gone nowhere.” At a March 2012 hearing, Attorney General Holder told Congress “he's disturbed by what he's read about the New York Police Department conducting surveillance of mosques and Islamic student organizations in New Jersey.”

You know something has gone wrong when Eric Holder thinks you've gone too far. Golson's "everything's cool" statement notwithstanding, EPIC decided to look into the CIA's involvement with the NYPD's surveillance programs.

On March 28, 2012, EPIC submitted a FOIA request to CIA asking for:

All documents related to the CIA Inspector General’s investigation regarding the agency’s collaboration with NYPD;

All legal analyses conducted by the CIA Inspector General’s office regarding the CIA’s collaboration with the NYPD;

All final reports issued as a result of the CIA Inspector General’s investigation;

Any communications between the CIA Inspector General’s office and the NYPD regarding the agency’s collaboration with the NYPD.

Unsurprisingly, the CIA has been rather reluctant to hand over any of the requested information. So reluctant, in fact, that it now finds itself on the receiving end of a lawsuit filed by EPIC after "failing to disclose a single record." EPIC's complaint quotes the CIA as stating it was too busy to fulfill the requests because of a "substantial backlog." While that could very well be true, this is also information that the CIA would very likely prefer to not make public. It's also an excuse many other government agencies have used -- a built-in stalling tactic greatly aided by these agencies' preference towards only giving up information when forced to do so.

Obviously, it will be a long time before any information shakes loose from this internal investigation. EPIC still has to win the lawsuit before any "compelled" release of documents begins. There's also bound to be an appeal or two, along with the usual bureaucratic delays built into the process. And there's also the "state secret" wildcard, one that permanently removes documents from the public eye. Still, it's a worthwhile effort EPIC is making, one that will shed light on a very shady collaboration between the CIA and the NYPD, whether or not the results of this internal investigation are ever made public.

EPIC v CIA Complaint (PDF)EPIC v CIA Complaint (Text)

Permalink | Comments | Email This Story

Smart TV Exploit Means Hackers Can Watch You Watch TV

Timothy Geigner — Wed, 12 Dec 2012 15:02:00 PST

Remember all the hubbub (now there's a word I never thought I'd use; thanks a lot, aging process) over Comcast's kind of, maybe plan to spy on subscribers through their cable box as they watch TV, fold their laundry, or engage in coitus? There was quite an outcry at the time, even as Comcast said that the plan was only to have the cameras be able to recognize when different types or numbers of people were watching the tube. People just didn't feel comfortable with corporations being able to spy on them. As a result, Comcast backed away from the plan -- the people had defeated the corporation.

All, apparently, so that hackers could spy on them instead. At least, that's what some reports are saying about Samsung Smart TVs and an exploit that would allow hackers to snatch social media credentials, access any files or devices connected to the smart TV...oh, and to use the built in cameras to spy the hell out of people as they do whatever they do while watching television.

In an e-mail exchange with Security Ledger, the Malta-based firm said that the previously unknown ("zero day") hole affects Samsung Smart TVs running the latest version of the company's Linux-based firmware. It could give an attacker the ability to access any file available on the remote device, as well as external devices (such as USB drives) connected to the TV. And, in a Orwellian twist, the hole could be used to access cameras and microphones attached to the Smart TVs, giving remote attacker the ability to spy on those viewing a compromised set.

The group that reportedly discovered the vulnerability, ReVuln, proudly stated that they would not publish any information about what they'd uncovered except to paying subscribers because screw everyone else (not an actual quote). They also have a company policy, apparently, that would prevent them from working with Samsung directly on a fix or even to disclose the hole, leading me to reach the logical conclusion that Dr. Evil is apparently running that company.

Even more fun, thanks to how Samsung designed the product, chances are any fix that could be produced would be difficult to implement.

Currently, the Smart TVs offer no native security features, such as a firewall, user authentication or application whitelisting. More critically: there is no independent software update capability, meaning that, barring a firmware update from Samsung, the exploitable hole can't be patched without "voiding the device's warranty and using other exploits," ReVuln said.

The company posted a video of an attack on a Samsung TV LED 3D Smart TV online. It shows an attacker gaining shell access to the TV, copying the contents of its hard drive to an external device and mounting them on a local drive, providing access to photos, documents and other content. ReVuln said an attacker would also be able to lift credentials from any social networks or other online services accessed from the device.

In other words, customers get to wait around until Samsung can figure this thing out on their own, since ReVuln won't help them out by company policy, or risk voiding their warranty on their smart TV that has a complete lack of security features. Nicely done, everyone involved.

Permalink | Comments | Email This Story

Justice Department Uses Red Tape To Delay Release Of Required Information On Domestic Spying Until Well After It Matters

Mike Masnick — Thu, 29 Nov 2012 12:02:00 PST

A couple of months ago, Julian Sanchez wrote about the ridiculous situation in which he filed a FOIA (Freedom of Information Act) request to reveal the latest semi-annual report from the Justice Department concerning how it was implementing the FISA Amendments Act of 2008. As we've been discussing, for a while, how the FISA Amendments Act broadly expanded the ability of federal law enforcement, in particular the NSA, to spy on everyone. While there is some language that suggests it's only supposed to be used on foreigners, it's been revealed that there is a secret interpretation of the bill, that likely allows them to use a loophole (plus the secret interpretation) to collect and review tons of data on Americans. The FAA is up for renewal, and it's likely that Congress will rush through a five year extension -- despite overwhelming evidence that many in Congress don't know how the NSA is interpreting the bill (and even making statements that directly contradict the evidence of how the bill is being used).

The law does require the "semi-annual" report mentioned above, and thanks to a lawsuit by the ACLU, the courts have said that the government is required to release redacted versions of those documents. Which is why it was crazy when Sanchez initially filed his FOIA request to see the most recent versions, arguing (quite reasonably) that such documents were inherently important in the debate over the FAA's renewal, that the DOJ initially told him that it had to deny his request because it could "neither confirm nor deny the existence of records in these files responsive to your request." That was obviously bullshit. Once again: the report is required by law, and the courts have already said that the content is subject to FOIA requests. Thankfully, after Sanchez went public with the ridiculousness of the situation, the DOJ quickly admitted the original response was a mistake, and promised they'd get right on finding the documents.

Sanchez now has an update of the situation, which is almost as ridiculous as the original story.

By mid-September, just under three months after my initial request went in, I was informed that they’d identified the reports I was looking for and forwarded them to the Office of the Director of National Intelligence (ODNI) for a declassification review, which they expected would be completed by early November. Joy! Would we actually get information about an intelligence program out of the government without a lawsuit? Maybe even in time to have a semi-informed public debate?

Well, no. ODNI informed me earlier this month that they were wrapping up their review and redaction Any Day Now, at which point… their redacted version would be forwarded, one at a time, to every other intelligence agency whose activities were referenced in the report. At each agency, it would go to the back of the line of FOIA requests, exactly as though it had just been submitted for the first time. Estimated time before a heavily censored version of these reports see the light of day: Another six months. At least. By which time, it won’t matter much what these reports say about NSA’s use of its sweeping powers, because Congress will have already given them another five years of spying authority.

Notice what this means in practice: Even though a court has already established, thanks to an ACLU lawsuit, that they are legally required to release redacted versions of these reports to the public on request, a cumbersome bureaucratic process effectively guarantees that it takes a solid year to get this information out, which means at best you’re working with what the assessment found two reports ago, allowing the government to assert that they’ve fixed whatever problems were found. In this case, the timing of the review process conveniently guarantees that whatever we learn will come far too late to influence this year’s vote on FAA powers, but be old news by the time Congress takes up the question again. It’s a little hard to swallow the claim that all this delay is remotely necessary: Are we really supposed to believe that the Office of the Director of National Intelligence will be so slipshod about letting sensitive classified information through that their work has to be independently double checked by every other intelligence agency? And that this process has to take six months or longer, even after ODNI has done their initial review and redaction? Of course it doesn’t: This is a bureaucratic procedure designed, not to protect national security, but to allow stalling on the release of politically inconvenient information that the courts won’t allow to be completely hidden from the public.

Once again, this seems to raise questions about the process here -- and how much of it really has to do with law enforcement officials being careful... and how much of it is purely political, seeking to hide damaging information that might impact the FAA renewal.

Furthermore, as Sanchez notes, the very idea that he had to file a FOIA for this information is troubling by itself:

What we should really be asking is why I had to submit this request at all. In his first days in office, after all, President Obama issued a directive not only urging agencies to err on the side of disclosure, but to adopt a policy of proactive release of documents likely to be of public interest. Surely if there were any doubt about the public interest in the use of sweeping surveillance powers, it should have been put to rest after the ACLU won release of the earliest compliance reports. So why didn’t the Justice Department follow President Obama’s directive and draft these reports with an eye toward preparing a declassified public version, knowing full well that civil liberties groups would come asking? Well, because then they wouldn’t be able to obfuscate and delay for months and months. Because then the public might be able to have an informed discussion about the secret surveillance powers we’ve given our spy agencies before we vote to extend them. Heaven forfend.

Permalink | Comments | Email This Story

Electronic Versions Of Textbooks Spy On Students As They Read Them

Glyn Moody — Fri, 16 Nov 2012 05:27:56 PST

The rapid uptake of ebooks by the public shows that there is a widespread recognition of their advantages. This would be good news for the publishing industry as it faces the transition from analog to digital formats, were it not for the fact that some publishers keep finding new ways of making ebooks less attractive than physical versions.

Here's the latest idea: electronic versions of textbooks that spy on students as they read them:

Say a student uses an introductory psychology e-textbook. The book will be integrated into the college’s course-management system. It will track students' behavior: how much time they spend reading, how many pages they view, and how many notes and highlights they make. That data will get crunched into an engagement score for each student.

The idea is that faculty members can reach out to students showing low engagement, says Sean Devine, chief executive of CourseSmart. And colleges can evaluate the return they are getting on investments in digital materials.

Well, the idea might be that it will help students will low engagement, but you can bet that it won't stop there. It will also be used to spy on whether students are cheating, as indicated by an implausibly small number of hours spent reading texts; or it might be used to check on whether books are being lent out to friends who aren't "authorized" to read that copy, as evidenced by unusual reading patterns.

Similarly, it's easy to imagine colleges starting to put pressure on students to read in certain rigidly-defined ways in order to "maximize" the return on that investment in digital materials -- hardly what education and learning to think for yourself are all about. Maximizing return will doubtless also lead to this reporting feature becoming mandatory -- at the moment students can opt out if they wish -- purely in the name of efficiency, you understand.

What's really tragic is that digital textbooks have the potential to be used in all kinds of truly innovative ways -- for example, allowing a class to share annotations in real time, making the whole reading experience more social; or perhaps editing and combining texts to produce exciting re-workings and re-imaginings. Instead, publishers are obsessed with tracking users and controlling how they use ebooks, largely out of an absurd, underlying fear that somewhere along the line somebody might be doing something without paying for it.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Permalink | Comments | Email This Story

Washington Post: Yes, We Need To Give Up Liberty For Security

Mike Masnick — Mon, 29 Oct 2012 10:29:56 PDT

By now you've probably seen the paraphrase of a Ben Franklin quote that those who give up liberty for security, deserve neither (he said similar things a few different ways, but the standard actual quote is: "Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety.") Whatever the actual quote is, there is quite a lot of truth to it. Giving up liberty for the sake of security rarely works out as planned. Either way, it appears that the editorial board of the Washington Post is either wholly unfamiliar with the quote, or believes it to be untrue. It has come out with an editorial arguing in favor of extending the FISA Amendments Act (and against an ACLU/EFF challenge to the law, to be heard today at the Supreme Court, even with the crazy weather) saying that it is perfectly fine to "give up liberty" for security:

Discomfort with the government’s capacity, technical or legal, to collect and retain massive amounts of personal information is understandable. But the 2008 FISA amendments sought a compromise between two essential goals: preserving American liberty and robustly defending Americans’ lives and property. We favored the law and believe that it should be extended.

That's somewhat ridiculous. After all, as we've noted over and over again, almost no one seems to understand what's actually in the FISA Amendments Act, in part because there's a secret interpretation of it that only the government knows. This means that many, many people, including those in Congress, are clearly misrepresenting what's in the law. The fact that the NSA refuses to say how often it has used this secret interpretation to spy on Americans should be a pretty big warning sign -- especially as politicians who are either clueless or ignorant claim that it can't be used to spy on Americans.

And really, this is the root of the "don't give up liberty for security" quote. Once you do that, you're cooked, because it's a situation that only expands in one direction. Those who seek to hold back liberty will always make use of scare stories and FUD to seek to be able to spy further. You would think that the editorial board of the Washington Post, which has been covering this kind of mess for quite some time, would actually have some sort of ability to look back at history. Apparently its historical knowledge is close to nil.

Permalink | Comments | Email This Story

Leaked White House Report Finds No Evidence Of Huawei Spying

Mike Masnick — Wed, 17 Oct 2012 16:13:39 PDT

Remember that Congressional report from last week that warned everyone to fear Huawei, the Chinese telco equipment maker? Much of the fearmongering was around Huawei's close ties to the Chinese government (and military specifically) with no actual allegations, but plenty of speculation that there could be espionage issues. Of course, now, details of a White House report have leaked, claiming that they found no evidence of Huawei spying. They do point out that there are problems with Huawei equipment that could lead to exploitable security flaws -- which is certainly an issue. Of course, that seems like an issue that security experts to deal with, rather than politicians...

Permalink | Comments | Email This Story

German Gov't Inadvertently Reveals Police Monitor Gmail, Skype, Facebook & Use Snooping Malware

Glyn Moody — Wed, 10 Oct 2012 03:02:05 PDT

Transparency is worth having for itself, since governments often tend to behave a little better when they know that someone is watching. But occasionally, requests for data turn up something big and totally unexpected because someone failed to notice quite what the information provided implies.

Here's a great example spotted by the annalist blog, which reports on a parliamentary enquiry about expenditures by the German Federal Ministry of the Interior, responsible for internal security. What was probably thought to be no more than a few dozen pages of boring and thus safe figures turned out to reveal something quite shocking:

The German ministry for home affairs and thus the German police clearly state that they are monitoring Skype, Google Mail, MSN Hotmail, Yahoo Mail and Facebook chat if deemed necessary. Money is spent on trojan viruses and we can be quite certain which company produces the IMSI catchers [used for "man-in-the-middle" attacks on mobile phones] used by German police.

It's been known for a year that the German police forces have been using malware to spy on citizens via their computers, but the latest revelations about surveillance activity go far beyond that. It confirms that even in countries where people are very sensitive about privacy, Internet snooping by the police is routine. It also emphasizes, once more, the importance of encrypting your communication channels where possible, and avoiding those where it isn't.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Permalink | Comments | Email This Story

New Data Dump Shows Feds Massively Increased Spying On Who You're Talking To

Mike Masnick — Fri, 28 Sep 2012 03:16:06 PDT

While the feds absolutely hate to reveal this kind of info, due to successful legal action by the ACLU, the Justice Department was forced to reveal information on how often they monitor electronic communications of Americans without a warrant -- using what's known as "pen register" and "trap and trace." This kind of surveillance isn't over the actual communications (that's left up to the NSA, apparently), but rather just the info on who contacted whom. For various reasons, such information is considered obtainable without needing a warrant. Not surprisingly, the data shows a rather massive increase in such surveillance by the Justice Department. The numbers are quite incredible:

In fact, more people were subjected to pen register and trap and trace surveillance in the past two years than in the entire previous decade.

And yet, whenever anyone suggests that maybe, just maybe, there should be a little bit of oversight on these kinds of things to prevent abuse, law enforcement freaks out. Perhaps that's really because they know they're widely abusing the ability to spy on communications, and they don't want to have to admit it. The fact that it took a lawsuit just to get this information (which is required by law) to be released really says something about the state of surveillance by the federal government. And what it says is not good at all.

Permalink | Comments | Email This Story

PC Rental Companies Agree To Not Watch You Have Sex

Timothy Geigner — Thu, 27 Sep 2012 09:07:03 PDT

People are spying on you. All kinds of people. Law encorcement does it. The NSA does it. Schools are monitoring our children. But I'll tell you who is not spying on you: PC rental companies. Well, at least not anymore.

But they were spying on you before federal charges were brought against them. It turns out that seven rent to own PC companies were employing software that logged your keystrokes, retained your social media passwords, recorded your social security passwords, snapped photos of people having sex with web cams, and even allowed rental company employees to deploy a French tickler through the screen to rub people's naughty bits (fine, fine, I made that last one up).

The companies captured screenshots of confidential and personal information, logged keystrokes and took webcam pictures of people in their homes. Their aim was to track the computers belonging to costomers who were behind with their payments.

"An agreement to rent a computer doesn’t give a company license to access consumers’ private emails, bank account information, and medical records, or, even worse, webcam photos of people in the privacy of their own homes," says FTC chairman Jon Leibowitz. "The FTC orders today will put an end to their cyber spying."

Yes, thank God for the FTC, because if anyone is going to watch me have sex, it's going to be the neighbors (no, I will not close the window and draw the shades, damn it, I like the breeze!). My question is why the hell anyone, especially the company that made the spying software used, DesignerWare, thought this kind of intrusion was necessary to begin with. Hell, this isn't even the first time a rental company using this software has gotten into trouble over it. The rental companies said they needed the software to remotely shut down and wipe stolen machines, as well as to initiate a kill switch on customer's machines when they were behind in payments. Those both make sense to me. Where do we get the explanation for logging keystrokes and in any way using the web cam?

At least the FTC must have brought the hammer down for such a gross violation of privacy, right?

The rent-to-own companies are Aspen Way Enterprises, Watershed Development, Showplace, JAG Rents, Red Zone, B Stamper Enterprises and CALM Ventures. They've got off lightly, agreeing to stop using the data-collection software and to stop deceiving customers.

I'll have to keep this in mind the next time I break the law. Just agree not to do it again and everything is okay, apparently. In the meantime, anyone who is renting computers can avoid these companies.

Permalink | Comments | Email This Story

NZ Prime Minister Admits That The Government Illegally Wiretapped Megaupload Employees

Mike Masnick — Mon, 24 Sep 2012 07:29:00 PDT

Since the January raid of Megaupload, not a month seems to go by in which another massive error in procedures isn't revealed concerning how US and New Zealand law enforcement handled the whole process. And each time, the mistakes seem to get bigger and bigger. They had the wrong warrants. They mishandled evidence. They mishandled the extradition request. And today comes the big news. New Zealand's Prime Minister, John Key, revealed that the Government Communications Security Bureau (GCSB), the equivalent of the NSA in New Zealand, illegally intercepted communications regarding individuals in the Megaupload case and provided those details to law enforcement. Like the NSA, the GCSB is in charge of monitoring electric communications, but is not allowed to use those tools domestically, only on foreign communications. Key has now ordered an investigation.

Mr Key says the Crown has filed a memorandum in the High Court in the Megaupload case advising the Court and affected parties that the GCSB had acted unlawfully while assisting the Police to locate certain individuals subject to arrest warrants issued in the case. The Bureau had acquired communications in some instances without statutory authority.

After being informed about the matter by the Director of the GCSB on September 17, the Prime Minister referred the Bureau’s actions to the Inspector-General, Hon Paul Neazor. The Inspector-General is an independent statutory officer with the power to enquire into any matter related to a government intelligence agency’s compliance with the law.

Once again, like pretty much all of these "mishaps," this seems to suggest a rather cavalier attitude towards actually following proper procedures under the law to go after Dotcom and Megaupload. Throughout this whole process, it really does appear that law enforcement, under pressure from Hollywood, believed that Dotcom was such a criminal mastermind that they could skirt the law in all sorts of ways to try to shut him down. And each time these mishaps come to light, it just raises more and more questions about whether or not law enforcement really had any legitimate evidence or reasons to do what they did.

Permalink | Comments | Email This Story

House To Vote On FISA Amendments Act, Despite Not Even Knowing How It's Being Interpreted

Mike Masnick — Tue, 11 Sep 2012 11:25:00 PDT

This is getting more ridiculous by the day. We've been covering how the NSA refuses to admit how many Americans are being spied upon via a secret interpretation of the FISA Amendments Act -- and how Congress' response is to pretend that as long as they stick their head in the sand, the NSA couldn't possibly be abusing the law. Rep. Dan Lungren literally said that he sees no reason to be worried because he hasn't seen any evidence that it's being used to spy on Americans. But that's only true if you are being willfully blind. The NSA has refused basic requests to reveal non-confidential info, ridiculously claiming it would violate the privacy of Americans to admit how many Americans were being spied upon. Meanwhile, Julian Sanchez's attempt to reveal some info via a Freedom of Information Act request is being stonewalled by the feds.

And yet Congress still wants to move forward. The House is planning to vote on extending the FISA Amendments Act in the next day or two, despite the fact that the vast majority of elected officials do not have the information on how the law is being interpreted and those who are in the know have hinted very, very, very strongly that it is being widely abused. Now, if Congress actually represented the public, it might try to stop this process and ask for some of the details. Instead, it seems to be focused on just re-upping support for this tool that has more or less enabled domestic spying on Americans.

After four years, you’d hope that some basic information or parameters of such a massive spying program would be divulged to the public, or at least your rank-and-file member of Congress, but they haven’t. Only a small handful of members have either personally attended classified briefings or have staff with high enough clearances to attend for them. Sen. Ron Wyden—who has been on the Senate Intelligence Committee for years—has even been stonewalled by the Obama administration for a year and a half in his attempts to learn basic information about the program, such as the number of Americans who have had their communications intercepted under the FAA.

Yet the House ambles on, ready to rubber stamp another five years of expansive surveillance that can pick up American communications without meaningful judicial oversight and without probable cause or any finding of wrongdoing. Instead of blind faith in the executive branch, every member of the House should demand that the administration publicly disclose the following before proceeding with reauthorization:

Copies of FISA court opinions interpreting our Fourth Amendment rights under the FAA, with redactions to protect sensitive information (the Department of Justice can write summaries of law if necessary);

A rough estimate of how many Americans are surveilled under the FAA every year;

A description of the rules that govern how American information picked up by FAA surveillance is protected.

Can you believe that 435 members of Congress who have sworn to uphold the Constitution are about to vote on a sweeping intelligence gathering law without this basic information?

If you find this worrisome (and you should), the ACLU has set up an an action page to contact your elected officials and ask them to do their jobs and find out the details before just rubber-stamping the extension of the FISA Amendments Act.

Permalink | Comments | Email This Story

NSA Whistleblower Explains How The NSA Is Collecting Data On All Of You (And He's Sorry About It)

Mike Masnick — Tue, 28 Aug 2012 13:59:00 PDT

Last year, in writing about the US government's vindictive lawsuit against whistleblower and former NSA employee Thomas Drake, we also talked about William Binney -- another ex-NSA employee and whistleblower (who was also raided by the feds, though they failed to find anything they could pin on him in a lawsuit). Binney is the mathematical genius behind one of the key algorithms the NSA is using to track everyone. Here's what the New Yorker said about Binner over a year ago:

Binney expressed terrible remorse over the way some of his algorithms were used after 9/11. ThinThread, the "little program" that he invented to track enemies outside the U.S., "got twisted," and was used for both foreign and domestic spying: "I should apologize to the American people. It's violated everyone's rights. It can be used to eavesdrop on the whole world."

Now, the NY Times has something of a following, including a short documentary feature about Binney and his whistleblowing over the NSA's domestic spying. It's really worth watching as it very simply highlights how vast the domestic spying effort is, however powerful it can be -- and also how the NSA dances around the fact that it's not allowed to spy on Americans. They claim that as long as they're not actually looking at the content they record and store directly, it's just collecting the info and not actually spying on people. That is, they think that acquiring all this data is fine, so long as they don't directly query the info. But... as Binney explains, his algorithms (which have likely been updated quite a bit) can still go through all this info and build basic "profiles" of just about anyone. It's really worth watching, if only to wonder how anyone thinks this is acceptable.

I'd embed the video here, except the geniuses over at the NY Times seem to have not figured out how to allow embeds with their video player.

The documentary was put together by Laura Poitras, who notes that thanks to some over-aggressive surveillance she, too, is on a "watch-list," thanks to a documentary she did about Iraq.

I have been detained at the border more than 40 times. Once, in 2011, when I was stopped at John F. Kennedy International Airport in New York and asserted my First Amendment right not to answer questions about my work, the border agent replied, “If you don’t answer our questions, we’ll find our answers on your electronics.”’ As a filmmaker and journalist entrusted to protect the people who share information with me, it is becoming increasingly difficult for me to work in the United States. Although I take every effort to secure my material, I know the N.S.A. has technical abilities that are nearly impossible to defend against if you are targeted.

All of this attention, by the way, is to question why Congress is so intent on re-authorizing the FISA Amendments Act (FAA) which is what gives the NSA a pass on much of this spying, thanks to a "secret interpretation" of the law, which the public is not allowed to even know about. If this sounds like the sort of thing that shouldn't be allowed in a free and open society, you're just beginning to grasp the problem.

Permalink | Comments | Email This Story

NSA Put A Premium On Collecting Info, But Not Making Sense Of It

Mike Masnick — Thu, 23 Aug 2012 16:08:08 PDT

You may remember that almost exactly a decade ago, the news leaked that key Iran-Contra political operative John Poindexter, still working for the US government, had been working with the NSA to create a system called Total Information Awareness or TIA. The news quickly went viral, with people (quite reasonably) worried about the government snooping on their private data. Suddenly everyone was against this program, Poindexter was soon out of a job, and the TIA was officially put on the shelf. Except... that's not quite what happened. As you should be aware by now, the NSA has been Hoovering up pretty much every bit of data it can, sometimes using confusing loopholes or legal changes to make it possible.

As a writeup at the NY Times notes, the NSA is basically doing everything that was promised in the TIA program... but without the basic safeguards that were included with TIA:

What’s missing, however, is a reliable way of keeping track of who sees what, and who watches whom. After T.I.A. was officially shut down in 2003, the N.S.A. adopted many of Mr. Poindexter’s ideas except for two: an application that would “anonymize” data, so that information could be linked to a person only through a court order; and a set of audit logs, which would keep track of whether innocent Americans’ communications were getting caught in a digital net.

And let's not even waste time discussing how the NSA actually had a much cheaper program that actually did have safeguards, because the guy who exposed the world to that almost end up in jail for a few decades.

Of course, the bigger issue here is that in gathering pretty much everything they can, actually making sense of the data is becoming more and more difficult:

The N.S.A. came up with more dead ends than viable leads and put a premium on collecting information rather than making sense of it.

Of course, that doesn't mean people's privacy isn't being violated (something even the NSA itself will admit when forced -- though it still refuses to say how many Americans are having their privacy violated). So the end result is that the NSA is collecting all of this data, violating people's privacy (and, most likely, the 4th Amendment). And, out of that they're turning up very little in the way of useful leads.

That's not exactly a compelling pitch.

But, as the NYT piece notes, even though the NSA built a system more powerful and privacy invading, and less effective (and probably more costly) than the original, much decried, Total Information Awareness program, very few people seem to be raising the alarm or particularly concerned about it. Apparently, the NSA has learned the best secret of all. If you don't actually name the program something creepy and Big Brotherish, and don't have a conspiracy-theory-inspired logo to go with it, you can get away with all sorts of stuff. There. Now don't you feel safer knowing that your tax dollars are funding this kind of thing?

Permalink | Comments | Email This Story

How A Random Lawsuit About Telco Policy Probably Resulted In Broad, Secret Law Enabling NSA To Spy On You

Mike Masnick — Wed, 22 Aug 2012 10:38:32 PDT

We've written many times about the FISA Amendments Act (FAA), of which there is a secret interpretation that certainly appears to allow the NSA to spy on all sorts of email communications without a warrant -- something that is not at all obvious upfront (and, in fact, which many in Congress apparently do not know about). While Senators Wyden and Udall have been working hard to try to force the government to reveal either the secret interpretation or how many Americans have been spied on, the rest of Congress appears to not want to know, while rubber stamping the renewals to let the effort continue.

There have been some questions about how all of this came about, and just why law enforcement officials keep insisting the FAA is so vital. Julian Sanchez may have worked out some key details, and provides a very compelling explanation. Seven years ago, the Supreme Court ruled in the Brand X case (the same day the Grokster ruling came out), basically saying that cable networks did not qualify for "common carrier" status, because they were "information services" rather than telco services. The direct end result was that broadband providers no longer had to share lines with service providers. But, as Sanchez notes, there may have been an unrelated indirect impact: by removing the common carrier designation, the NSA may have lost its legal authority to "tap" live communications on such networks without a warrant. Sanchez explains the nitty gritty:

“If FISA’s reference to ‘common carrier’ were interpreted in accord with the Communications Act,” Kris and Wilson explain, explicitly citing the Brand X decision, “information (such as e-mail) being carried on a cable owned and offered by a cable modem service provider would not be a ‘wire communication’ under FISA, and acquisition of such information would not be ‘electronic surveillance’ under” the definition that applies to traditional phone calls.

Sanchez provides a lot more detail, which is worth reading in full, because it's quite complex. However, it suggests that the Bush administration's focus on "deregulating" cable may have undercut the NSA's "spy on everyone" program through a simple definition change. The FAA, then, was put in place (partly) to once again enable the NSA to get access to a bunch of live communications legally, whereas it's quite possible that the FISA court had found, in light of Brand X, that the efforts had been against the law. Now, you can argue that the change due to the Brand X decision is no big deal, because it was just clarifying some rules, and dealing with antiquated language in the statute. But, again, since so much of this happened in secret, if Sanchez's story is accurate, it more or less allowed the government to write very broad rules, such as those now allowing such broad surveillance.

So the FISA Amendments Act allows the government to target foreigners and capture conversations with Americans — with no warrant required, so long as they aren’t actually trying to wiretap the American via a technical loophole.

But if the government’s problem is an inability to reliably determine the location of parties to a communication, it’s not clear why we should be confident that interception under this broad new authority can reliably avoid acquiring many purely domestic communications. Even if it can, blanket authority to acquire the international communications of Americans — with no requirement that the foreign side of the conversation be suspected of any connection to terrorism or espionage‹seems like an incredibly broad way of addressing the issue.

Perhaps Kris and Wilson are correct that a narrower solution to the problem would have been unworkable. On the other hand, perhaps legislators would have tried a bit harder to craft a viable narrow solution if they, and the general public, had clearly understood exactly what the problem was.

Sanchez goes on to point out that if this story is accurate, and if the FISA court had basically upended the feds' spying program becuase of some definitional issues, a more reasonable and transparent approach would simply be to work together with lawmakers and civil liberties experts to actually focus in on the specific problem. Instead, it appears they may have used this loophole to massively expand spying capabilities, with no public oversight at all.

Permalink | Comments | Email This Story

NYPD Spent Years Spying On Muslims, Generated Exactly Zero Leads

Mike Masnick — Tue, 21 Aug 2012 12:33:52 PDT

We just wrote about yet another (in a long line) of manufactured terrorist plots, in which the FBI creates its own terrorist plot to arrest anyone who can be coaxed into going along for the ride, even if they had no interest or ability to push the plot forward on their own. In that case, it was even more ridiculous, because they couldn't even find anyone willing to go along with the plot -- and the main "suspect" actually alerted the FBI to the informant who was trying to coax him into taking part in a plot (which didn't stop him from being arrested, even if the case was eventually dropped).

Of course, the FBI is not alone in its incredibly ham-fisted anti-terrorism efforts in which the focus seems to be much more about someone's religious leanings, rather than any actual interest in creating terror. The NY Police Department got plenty of attention for deciding to build their own local versions of the FBI and CIA to try to catch terrorists. That link describes the NYPD as a sort of new "elite" intelligence agency, hiring people out of other intelligence agencies and then placing agents around the globe to try to beat the FBI and CIA at their own game.

Back at home, apparently this included following on the FBI's tactic of assuming that "brown skin = terrorist." As such, they've spent the past few years spying on "Muslim neighbrhoods" throughout New York (with help from the CIA), sending undercover agents and informants into Muslim groups and organizations:

The Demographics Unit is at the heart of a police spying program, built with help from the CIA, which assembled databases on where Muslims lived, shopped, worked and prayed. Police infiltrated Muslim student groups, put informants in mosques, monitored sermons and catalogued every Muslim in New York who adopted new, Americanized surnames.

Police hoped the Demographics Unit would serve as an early warning system for terrorism. And if police ever got a tip about, say, an Afghan terrorist in the city, they'd know where he was likely to rent a room, buy groceries and watch sports.

How useful has it been? Apparently not at all. Not a single lead has come out of the program. Not one.

I know this is a crazy thought, but perhaps violating the privacy of tons of people just because of the color of their skin or their religion, isn't the best (or even "a") way to stop terrorists.

Permalink | Comments | Email This Story

Senate Not Concerned About How Often NSA Spies On Americans, But Very Concerned That It Built Open Source Software To Do So

Mike Masnick — Wed, 18 Jul 2012 12:17:23 PDT

Wired has a troubling story of how the Senate Armed Services Committee is pushing a bill that would likely kill off an open source NoSQL project that came out of the NSA called Accumulo. Like many other such NoSQL efforts, the NSA basically took some Google white papers about its BigTable distributed database setup, and built its own open source version, with a few improvements... and then open sourced the whole thing and put it under the Apache Foundation. It's kind of rare to see such a secretive agency like the NSA open source anything, but it does seem like the kind of thing that ought to be encouraged.

Unfortunately, the Senate Armed Services Committee sees things very differently. As part of a 600-page bill that's being floated, it actually calls out Accumulo by name, and suggests that it violates a policy that says the government shouldn't build its own software when there are other competing commercial offerings on the market. The reasoning is basically that the government shouldn't spend resources reinventing the wheel if it can spend fewer resources using existing code. You can see the basic reasoning behind that, but applying it here makes little sense. As the article notes, here we're talking about software that's already been developed and released -- not a new effort to rebuild existing software. In fact, those who follow this stuff closely note that Accumulo did "break new ground" with some of its features when it was being built. To then kill it afterwards seems not just counterproductive, but could also create a chilling effect for government open source efforts, which seem like something we should be encouraging, not killing.

What's really odd is the close interest that the Senate seems to be paying to this. The discussion is very specific, naming Accumulo and some of the competing offerings on the market. They're specifically calling out this one product. Of course, as Julian Sanchez notes, there's a bit of irony in the fact that the very same Senate appears to have absolutely no interest in finding out how often the NSA spies on Americans... but sure is concerned about what database it uses to store all of the information it's getting.

Of course... all of this raises a separate issue in my mind: can the NSA even open source Accumulo? I though that creations of the federal government were automatically public domain, rather than under copyright. And, thus, putting it under a specific license might, in fact, present limitations that the government can't actually impose on the software.... Thus, shouldn't the software code actually be completely open as a public domain project? The government should be able set up an Apache-like setup, but one without any restrictions on the code.

Permalink | Comments | Email This Story

NSA Chief Says NSA Doesn't Need Access To Your Info... As Whistleblowers Say They're Already Getting It

Mike Masnick — Wed, 11 Jul 2012 09:25:00 PDT

The American Enterprise Institute (AEI) recently held an event about cybersecurity and cybersecurity legislation. The keynote speech was from NSA boss General Keith Alexander. He of course talked about why he supports cybersecurity legislation, such as CISPA and other proposals that will make it easier for the NSA access private content from service providers -- much of which, reports claim, they're already capturing and storing. Alexander has claimed that the NSA doesn't have "the ability" to spy on American emails and such, and reiterates that claim during the Q&A in this session, insisting that the Utah data center doesn't hold data on Americans' emails (and makes a joke about just how many emails that would be to read). That's nice for him to say, but so many people with knowledge of the situation claim the opposite.

In fact, in a story that has received almost no attention, the EFF was able to get three whistleblowers to speak out on the NSA's massive spying infrastructure:

In a motion filed today, the three former intelligence analysts confirm that the NSA has, or is in the process of obtaining, the capability to seize and store most electronic communications passing through its U.S. intercept centers, such as the "secret room" at the AT&T facility in San Francisco first disclosed by retired AT&T technician Mark Klein in early 2006.

So it's interesting to pay attention to what Alexander has to say in pushing for cybersecurity legislation. You can watch the full video below, if you'd like: Much of what he talks about online involves basic malware and hack attacks. These are definitely issues -- but are they issues that we need the military (which the NSA is a part of) to step in on? His "quote" line is that these attacks represent the "greatest transfer of wealth in history." That is a pretty broad statement, and there's almost no evidence to support it. He points to studies from Symantec and McAfee on the "costs" of dealing with security issues -- but remember, those are two of the biggest sellers of security software, and have every incentive in the world to inflate the so-called "costs." Also, seriously? The "greatest transfer of wealth in history"? Has he paid absolutely no attention to what's happened on Wall Street and the financial world over the past decade? Does anyone honestly believe that the amount of money "transferred" due to hack attacks is greater than the amount of money transferred due to dodgy financial deals and the mortgage/CDO mess? That doesn't pass the laugh test.

He does insist that worse attacks are coming, but provides no basis for that (or, again, why the NSA needs your info). In fact, according to a much more believable study, the real risks are not outside threats and hackers, but internal security screwups and disgruntled inside employees. None of that requires NSA help. At all.

But it sure makes for a convenient bogeyman to get new laws that take away privacy rights.

Alexander, recognizing the civil liberties audience he was talking to, admits that the NSA neither needs nor wants most personal info, such as emails, and repeatedly states that they need to protect civil liberties (though, in the section quoted below, you can also interpret his words to actually mean they don't care about civil liberties -- but that's almost certainly a misstatement on his part):

One of the things that we have to have then [in cybersecurity legislation], is if the critical infrastructure community is being attacked by something, we need them to tell us... at network speed. It doesn't require the government to read their mail -- or your mail -- to do that. It requires them -- the internet service provider or that company -- to tell us that that type of event is going on at this time. And it has to be at network speed if you're going to stop it.

It's like a missile, coming in to the United States.... there are two things you can do. We can take the "snail mail" approach and say "I saw a missile going overhead, looks like it's headed your way" and put a letter in the mail and say, "how'd that turn out?" Now, cyber is at the speed of light. I'm just saying that perhaps we ought to go a little faster. We probably don't want to use snail mail. Maybe we could do this in real time. And come up with a construct that you and the American people know that we're not looking at civil liberties and privacy, but we're actually trying to figure out when the nation is under attack and what we need to do about it.

Nice thing about cyber is that everything you do in cyber, you can audit. With 100% reliability. Seems to be there's a great approach there.

Now all that's interesting, because if that's true, then why is he supporting legislation that would override any privacy rules that protect such info? If he really only needs limited information sharing, then why isn't he in favor of more limited legislation that includes specific privacy protections for that kind of information? He goes back to insisting they don't care about this info later on in the talk, but never explains why he doesn't support legislation that continues to protect the privacy of such things:

The key thing in information sharing that gets, I think, misunderstood, is that when we talk about information sharing, we're not talking about taking our personal emails and giving those to the government.

So make that explicit. Rather than supporting cybersecurity legislation that wipes out all privacy protections why not highlight what kind of information sharing is blocked right now and why it's blocked? Is it because of ECPA regulations? Something else? What's the specific problem? Talking about bogeymen hackers and malicious actors makes for a good Hollywood script, but there's little evidence to support the idea that it's a real threat here -- and in response, Alexander is asking us all to basically wipe out all such privacy protections... because he insists that the NSA doesn't want that kind of info. And, oh yeah, this comes at the same time that three separate whistleblowers -- former NSA employees -- claim that the NSA is getting exactly that info already.

So, this speech is difficult to square up with that reality. If he really believes what he's saying, then why not (1) clearly identify the current regulatory hurdles to information sharing, (2) support legislation that merely amends those regulations and is limited to just those regulations and (3) support much broader privacy protections for the personal info that he insists isn't needed? It seems like a pretty straightforward question... though one I doubt we'll get an answer to. Ever. At least not before cybersecurity legislation gets passed.

Permalink | Comments | Email This Story

Congress Plays See-No-Evil, Pretend-There's-No-Evil, Let-The-Evil-Continue With NSA Domestic Spying

Mike Masnick — Mon, 2 Jul 2012 12:31:15 PDT

We're still completely perplexed at how anyone in Congress could recognize that the NSA has refused to tell Congress how often it's violated the privacy of Americans without a warrant under the FISA Amendments Act (FAA) -- and then still vote to renew it. What kind of "oversight" is that? As Julian Sanchez recently wrote, it's no oversight at all. As he notes, the law requires the NSA to "prevent" the spying on folks when both parties in communication are in the US -- but here, the NSA is admitting that it has no mechanism to actually do that. Either (a) it's lying or (b) it's admitting that it cannot do what the law requires.

If we care about the spirit as well as the letter of that constraint being respected, it ought to be a little disturbing that the NSA has admitted it doesn’t have any systematic mechanism for identifying communications with U.S. endpoints. Similar considerations apply to the “minimization procedures” which are supposed to limit the retention and dissemination of information about U.S. persons: How meaningfully can these be applied if there’s no systematic effort to detect when a U.S. person is party to a communication?

Normally, this should be the point at which Congress steps in and says "no more" to the NSA. Instead, it shuns those who even ask the basic questions -- and as in the case of Rep. Dan Lungren, pretends that as long as no one proves to them that the NSA is abusing its power, there's simply no reason to demand evidence. That's not oversight. That's willful ignorance.

And... given that they're choosing to ignore their own oversight obligations over the NSA's spying on Americans, it should come as no surprise that the House Intelligence Committee unanimously voted to extend the FAA for five more years. Why not? It's not like Congress is actually going to make sure that the NSA is playing by the rules. The NSA apparently just needs to say that it would be too much work to do what the law requires and Congress says, "here, have a gift of five more years to spy on Americans against the specifics of the law." And, once again, as Sanchez points out, there are plenty of ways that the NSA could at least estimate how many Americans they're spying on.

But why would it do that? As Sanchez also points out, the NSA seems to redact anything even remotely embarrassing from its reports... including data on how often it failed to follow the law:

More generally, these reports contain a good deal of redacted statistical information that there is simply no plausible excuse for keeping secret. A table of “statistical data relating to compliance incidents,” for example, is included—but entirely blacked out. Are we to believe that the national security of the United States would be imperiled if the public knew the number of times the NSA had difficulty following the law? The reviewers conclude that the “number of compliance incidents remains small, particularly when compared with the total amount of activity”—but is there any legitimate reason for barring the public from knowing what counts as a “small” number, or just how massive the “total amount of activity” truly is?

How do folks in Congress who vote for this kind of thing defend such actions? They can't say that it's to protect Americans, when they refuse to even seek to get the data on whether or not Americans are being illegally spied upon.

Permalink | Comments | Email This Story