Follow me @glynmoody on Twitter or identi.ca, and on Google+

A federal appeals court is refusing to reconsider its August ruling in which it said the federal government may spy on Americans’ communications without warrants and without fear of being sued.

The original decision by a three-judge panel of the 9th U.S. Circuit Court of Appeals this summer reversed the first and only case that successfully challenged President George W. Bush’s once-secret Terrorist Surveillance Program.

Without comment, the San Francisco-based appeals court announced Wednesday that it would not rehear (.pdf) the case again with a larger panel of 11 judges, effectively setting the stage for a Supreme Court showdown. The appeals court Wednesday also made some minor amendments (.pdf) to its August ruling, but the thrust of it was the same as before.

The San Francisco-based appeals court had ruled that when Congress wrote the law regulating eavesdropping on Americans and spies, it never waived sovereign immunity in the section prohibiting targeting Americans without warrants. That means Congress did not allow for aggrieved Americans to sue the government, even if their constitutional rights were violated by the United States breaching its own wiretapping laws...

A lower court judge found in 2010 that two American lawyers’ telephone conversations with their clients in Saudi Arabia were siphoned to the National Security Agency without warrants. The allegations were initially based on a classified document the government accidentally mailed to the former al-Haramain Islamic Foundation lawyers Wendell Belew and Asim Ghafoor.

The document was later declared a state secret, removed from the long-running lawsuit and has never been made public.

Asked about the recordings at an unrelated news conference Monday, Mayor Rahm Emanuel said the issue was “much ado about nothing.”

“My view is, like all, we have a press conference here, I expect my staff to have a record of it,” he said. “And if I have a phone conversation, an interview, I expect to have a record of it as well.”

So remember when Chicago police were arresting people for recording them, and charging them with crimes punishable by 10 or more years in prison? Remember the woman who was arrested and charged because she attempted to record Chicago PD internal affairs police browbeating her when she tried to report a sexual assault by a Chicago cop? Remember all that stuff we heard from Chicago PD and Cook County DA Anita Alvarez’s office about protecting privacy?

The issue reached a public forum last week when a court filing in a wrongful death lawsuit against the city raised questions about whether a city spokeswoman had recorded Tribune reporters without their consent as they conducted a phone interview with Chicago police Superintendent Garry McCarthy in October 2011.

And in separate incidents this past September, city spokespeople twice recorded a Tribune reporter as he conducted phone interviews with a top city official involved in Emanuel's controversial speed camera program. The spokespeople acknowledged that they independently recorded the interviews without asking the reporter for consent.

Last month, the city turned over to the plaintiff's lawyers an audio recording and transcript of the conference call showing no evidence that McCarthy or Hamilton sought consent to record the Tribune reporters.

"Absent from the audio and the transcript was evidence of the parties' consent," according to a court filing last week by the plaintiff's attorney, Craig Sandberg.

Gerould Kern, senior vice president and editor of the Tribune, declined to comment Friday about the recordings. Instead, he cited the letter sent by Tribune Co. attorney Karen Flax to Patton, demanding that city officials cease recording Tribune reporters without consent. The letter also asked that the city preserve copies of all recorded conversations and turn them over to the Tribune.

In its response Saturday, the city said it was unclear whether there would be any tapes to turn over.

the Government is directed to conduct a further review of the materials previously withheld as non-responsive. In conducting such review, the presumption should be that information located on the same page, or in close proximity to undisputedly responsive material is likely to qualify as information that in “any sense sheds light on, amplifies, or enlarges upon” the plainly responsive material, and that it should therefore be produced, absent an applicable exemption.

As plaintiff points out, however, the large number of different types of documents included in each summary entry in the index, and the fact that multiple exemptions are claimed, makes analysis difficult, despite the veneer of detail. The supporting declaration covers 171 pages (with a great deal of repetition) purportedly explaining the justification for all of the exemptions claims, but does not identify documents by bates numbers or otherwise, further exacerbating the problem.

the existing index is insufficient to provide an adequate foundation for review of the soundness of the exemption claims. Accordingly, the FBI is directed to provide a revised index as promptly as practical, making a good faith effort to address the issues raised by EFF.

Mr Key says the Crown has filed a memorandum in the High Court in the Megaupload case advising the Court and affected parties that the GCSB had acted unlawfully while assisting the Police to locate certain individuals subject to arrest warrants issued in the case. The Bureau had acquired communications in some instances without statutory authority.

After being informed about the matter by the Director of the GCSB on September 17, the Prime Minister referred the Bureau’s actions to the Inspector-General, Hon Paul Neazor. The Inspector-General is an independent statutory officer with the power to enquire into any matter related to a government intelligence agency’s compliance with the law.

... upon examination, the proposition that Wi-Fi communications are accessible only with sophisticated technology breaks down. As mentioned above, Innovatio is intercepting Wi-Fi communications with a Riverbed AirPcap Nx packet capture adapter, which is available to the public for purchase for $698.00. See Riverbed Technology Product Catalog, http://www.cacetech.com/products/catalog/ (last visited Aug. 21, 2012). A more basic packet capture adapter is available for only $198.00. Id. The software necessary to analyze the data that the packet capture adapters collect is available for down load for free. See Wireshark Frequently Asked Questions, http://www.wireshark.org/faq.html#sec1 (last visited Aug. 21, 2012) ("Wireshark is a network protocol analyzer. . . . It is freely available as open source. . . ."). With a packet capture adapter and the software, along with a basic laptop computer, any member of the general public within range of an unencrypted Wi-Fi network can begin intercepting communications sent on that network. Many Wi-Fi networks provided by commercial establishments (such as coffee shops and restaurants) are unencrypted, and open to such interference from anyone with the right equipment. In light of the ease of "sniffing" Wi-Fi networks, the court concludes that the communications sent on an unencrypted Wi-Fi network are readily available to the general public.

The mere threat of regulation is driving innovation in the direction of backdoors and surveillance compliance. And US law doesn’t require that, yet.

The move to in-house hosting of "supernodes" does not provide for monitoring or recording of calls. "Supernodes" help Skype clients to locate each other so that Skype calls can be made. Simply put, supernodes act as a distributed directory of Skype users. Skype to Skype calls do not flow through our data centres and the "supernodes" are not involved in passing media (audio or video) between Skype clients.

These calls continue to be established directly between participating Skype nodes (clients). In some cases, Skype has added servers to assist in the establishment, management or maintenance of calls; for example, a server is used to notify a client that a new call is being initiated to it and where the full Skype application is not running (e.g. the device is suspended, sleeping or requires notification of the incoming call), or in a group video call, where a server aggregates the media streams (video) from multiple clients and routes this to clients that might not otherwise have enough bandwidth to establish connections to all of the participants.

[....] Skype software autonomously applies encryption to Skype to Skype calls between computers, smartphones and other mobile devices with the capacity to carry a full version of Skype software as it always has done. This has not changed.

Ok, so Skype has access to users' communications encryption keys (or can enable others to impersonate as Skype users). What does this mean for the confidentiality of Skype calls? Skype may in fact be telling the truth when it tells journalists that it does not provide CALEA-style wiretap capabilities to governments. It may not need to. If governments can intercept and record the encrypted communications of users (via assistance provided by Internet Service Providers), and have the encryption keys used by both ends of the conversation -- or can impersonate Skype users and perform man in the middle attacks on their conversations, then they can decrypt the voice communications without any further assistance from Skype.

• Skype did make some infrastructure changes recently, which did increase the number of self-hosted supernodes, but those changes likely were to increase the quality of the product, and had little to do with law enforcement/surveillance.
• Skype has always had a program to provide available information to law enforcement if legally required to do so, but appears not to have made any major change to that program in quite some time. That program does not appear to include the ability to listen to calls.
• Skype to phone (or phone to Skype) calls have always been tappable, because they touch the public telephone network, where they can be intercepted.
• Skype to Skype calls remain encrypted, making it more difficult to "tap" them. However, because of the way Skype likely handles encryption keys, this does not mean that governments can't intercept the calls (or impersonate certain parties via Skype).
• In the end, then, it appears that much of this discussion is a whole lot of fuss about nothing particularly new -- but it is worth noting that your Skype calls probably were never quite as secure as you thought they were, even if they're somewhat more secure than some other offerings with little or no encryption and a central server. But if you're looking for 100% secure communications, Skype isn't it -- but that's not because of any change. It's likely always been that way.

As Falkvinge explains, things began with what seemed at the time a very minor matter:

the FRA [a Swedish security agency] had used a loophole in the law since 1976 that allowed it (maybe) to wiretap all phonecalls that were routed over satellites, by erecting their own receiver dishes next to the telco ones. This allowed them to receive all the satellite signals, in identical copies to what the intended receiver dish did. The law they used to justify this behavior was one that said that privacy cannot be expected over radio waves, and that anybody may listen to anything sent over radio -- which makes sense with shortwave-type radio amateur equipment, but not necessarily with satellite links: when you pick up the phone, you expect privacy, regardless of the technical route of the phonecall.

Significantly, this is exactly the same argument that the UK government is making with what it calls its "Communications Capabilities Development Programme" (pdf):

Communications data -- information such as who called whom and at what time -- is vital to law enforcement, especially when dealing with organised crime gangs, paedophile rings and terrorist groups. It has played a role in every major Security Service counter-terrorism operation and in 95 per cent of all serious organised crime investigations. Communications data can and is regularly used by the Crown Prosecution Service as evidence in court.

But communications technology is changing fast, and criminals and terrorists are increasingly moving away from landline and mobile telephones to communications on the internet, including voice over internet services, like Skype, and instant messaging services. Data from these technologies is not as accessible as data from older communications systems which means the police and Security Service are finding it increasingly hard to investigate very serious criminality and terrorism. We estimate that we are now only able to access some 75% of the total communications data generated in this country, compared with 90% in 2006. Given the pace of technological change, the rate of degradation could increase, making our future capability very uncertain.

That is why, in the Government’s Strategic Defense and Security Review, published in 2010, we said we would "introduce a programme to preserve the ability of the security, intelligence and law enforcement agencies to obtain data and to intercept communications within the appropriate legal framework."

The UK government, like the Swedish government before it, is trying to set up a false equivalence between monitoring communications before the Internet became a mass medium, and after. But the intrusiveness of such surveillance before the Internet, and before computing power was available to analyze the data gathered, was limited. Back then, working out the network of contacts of a person of interest could be done, but with effort, and at some cost. This ensured that only the potentially most serious threats were investigated.

But once again, Moore's Law has changed everything. What the UK government wishes to gather would allow the entire social graph of everyone in the UK to be calculated in near real-time. It would mean that their every move online could be watched as it happened, and cross-referenced with their past communications history. As Falkvinge points out in another recent post, what has really changed is not so much the ability to spy, but the cost of doing so.

Today, thanks to our networked lives and the plummeting cost of hardware, national governments can monitor everything we do online for the same outlay as the much more limited surveillance of yesteryear. So what is really being preserved is not some supposedly circumscribed spying capability, but the orders-of-magnitude cost. By keeping that cost constant, governments can increase the scope of their spying hugely.

But just because the technology makes it possible, and the economics makes it feasible, doesn't mean governments ought to go ahead and do it. They may claim that they are simply "compensating for technical developments", but really they are trying to exploit those developments to go way beyond what was agreed before as socially acceptable, and to do so without any consultation on how much online surveillance should be permitted in a free society.

And as to the UK government's argument that "we are now only able to access some 75% of the total communications data generated in this country, compared with 90% in 2006", this conveniently skates over the fact that the quantity of such communications data has probably doubled in that time, since IP traffic is currently growing at around 32% annually: in absolute terms, more data is available than ever. This is not about preserving capabilities in order to stand still, it's about running ever faster into a world of total surveillance.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

"We don’t have the technical insights in the United States. In other words, you have to have something to intercept, or some way of doing that either by going to a service provider with a warrant or you have to be collecting in that area. We’re not authorized to do that, nor do we have the equipment in the United States to collect that kind of information."

It’s hard to tell here whether Alexander is parsing the questions closely, misspeaking or telling the truth. The heads of the intelligence service have a long tradition of misspeaking or telling untruths that advance their agenda. President George Bush himself on the re-election campaign trail said that no American had been wiretapped without a warrant, which was plainly false, according to numerous news stories and the government’s own admissions of the program.

In the aftermath of those half-truths, the Congress passed, and Bush signed into law, the FISA Amendments Act, which re-wrote the nation’s surveillance laws to give the NSA a much freer hand to wiretap American infrastructure wholesale.

The analysis concludes, that the trojan's developers never even tried to put in technical safeguards to make sure the malware can exclusively be used for wiretapping internet telephony, as set forth by the constitution court. On the contrary, the design included functionality to clandestinely add more components over the network right from the start, making it a bridge-head to further infiltrate the computer.

"This refutes the claim that an effective separation of just wiretapping internet telephony and a full-blown trojan is possible in practice – or even desired," commented a CCC speaker. "Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully. In this case functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system."

The government malware can, unchecked by a judge, load extensions by remote control, to use the trojan for other functions, including but not limited to eavesdropping. This complete control over the infected PC – owing to the poor craftsmanship that went into this trojan – is open not just to the agency that put it there, but to everyone. It could even be used to upload falsified "evidence" against the PC's owner, or to delete files, which puts the whole rationale for this method of investigation into question.

[....]

The analysis also revealed serious security holes that the trojan is tearing into infected systems. The screenshots and audio files it sends out are encrypted in an incompetent way, the commands from the control software to the trojan are even completely unencrypted. Neither the commands to the trojan nor its replies are authenticated or have their integrity protected. Not only can unauthorized third parties assume control of the infected system, but even attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the trojan, and upload fake data. It is even conceivable that the law enforcement agencies's IT infrastructure could be attacked through this channel. The CCC has not yet performed a penetration test on the server side of the trojan infrastructure.

"We were surprised and shocked by the lack of even elementary security in the code. Any attacker could assume control of a computer infiltrated by the German law enforcement authorities", commented a speaker of the CCC. "The security level this trojan leaves the infected systems in is comparable to it setting all passwords to '1234'".

"If you permit the audio recordings, they'll be a lot more eavesdropping.…There's going to be a lot of this snooping around by reporters and bloggers," U.S. 7th Circuit Judge Richard Posner said. "Yes, it's a bad thing. There is such a thing as privacy."

“'A statute intended to prevent unwarranted intrusions into a citizen's privacy cannot be used as a shield for public officials who cannot assert a comparable right of privacy in their public duties,' the judge wrote in his decision dismissing the five counts of eavesdropping charges against defendant Michael Allison."

Thus, in light of the novelty of the issues presented, the court finds that its June 29 order involves a controlling question of law as to which there is a credible basis for a difference of opinion, and also finds that certification of the June 29 order for appeal would materially advance the litigation

It shall not be unlawful under this chapter or chapter 121 of this title for any person... to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public

The government has shown how its zeal leads to carelessness in its unprecedented efforts to widely seize domain names for IP enforcement, which ICE undertook this year. Sites were wrongfully shut down based on allegations the user was engaged in criminal conduct deemed lawful by their courts. We are concerned the same low threshold will be used in making decisions to spy on U.S. citizens.

Some in Congress and the White House have apparently decided that no price is too high to pay to kowtow to Big Content's every desire, including curtailing civil liberties by expanding wiretapping of electronic communications. Even the controversial USA PATRIOT Act exists because of extraordinary national security circumstances involving an attack on our country. Does Hollywood deserve its own PATRIOT Act?

The legitimate desire to address some serious counterfeiting abuses -- such as medications or industrial components used in defense products -- has been hijacked to create draconian proposals to alleviate the content industry of the burden of protecting its own interest using its own extensive resources. The government's role in protecting the public's right to safe medicine and component parts should not be allowed to morph into supplanting the responsibility of private companies to use existing legal remedies to remove possibly infringing content online and bring legal action against those involved.

"The sweeping changes the government is proposing, to require 'back doors' into all private communications technologies, would have enormous privacy and security ramifications for American Internet users," said EFF Staff Attorney Jennifer Lynch. "Any meaningful debate must be based on the information we're seeking in the FOIA requests, so the government's failure to comply in a timely manner is troubling."

"Those of us who are public officials and are entrusted with the power of the state are ultimately accountable to the public," the judge wrote. "When we exercise that power in public fora, we should not expect our actions to be shielded from public observation."