by Mike Masnick
Thu, Jun 5th 2014 7:06pm
by Tim Cushing
Tue, May 20th 2014 3:48am
DC District Court Overrides Judge John Facciola's Orders, Grants DOJ Request For Gag Order On Subpoenaed Companies
from the throwing-a-shoulder-into-the-government dept
It appears Washington, DC magistrate judge John Facciola is still making the government earn everything it asks for. Facciola is the judge who has been sending the government back to its desk to rewrite overly broad warrants seeking electronic data. In one of these cases, the government decided that it would rather go "judge shopping" all the way across the country rather than narrow its request, but was shot down by a California district court judge.
Facciola's orders are the basis for two memorandums recently issued by DC District Court Judge Richard Roberts concerning a case still mostly under seal as part of federal grand jury investigation. (The government also asked for these to be filed under seal, but that has obviously been declined.)
The government challenges two orders issued by Magistrate Judge John Facciola regarding the government's application for an order under 18 U.S.C. The first order invited Twitter, Inc. to intervene as a respondent and file a notice with the court on whether Twitter intended to be heard on the merits of the government's application. The second order instructed the government to file a public, redacted copy of its application and draft order.
Facciola also issued a similar order for Yahoo, the other company being subpoenaed. Both sets of orders invited the companies to challenge the gag order preventing them from informing their customer(s) of the government's interest in their data. The government understandably wasn't thrilled with these orders and filed an appeal (of sorts) seeking to have Facciola's orders vacated. The District Court notes that the judicial system -- at this level -- doesn't exactly work this way.
On March 27, 2014, the government filed what it styled as an appeal from the magistrate judge's two orders regarding the government's application for an order under 18 U.S.C. The government moved to vacate the orders issued by the magistrate judge and moved for the district court to grant its application for a nondisclosure order. In addition, the government moved to seal the appeal and resulting order.
This faux pas by the government is explained a bit further in a footnote, as is the judge's rationale for treating this as an "objection," rather than an "appeal."
The government styles its challenge as an appeal, but the reference is a misnomer. With the exception of authority granted by Federal Rule of Criminal Procedure 58 concerning misdemeanor proceedings handled by a magistrate judge under 18 U.S.C. 3401, the district court does not exercise appellate power. See United States v. Choi, 818 F. Supp. 2d 79, 85 (D.D.C. 2011) ("The magistrate judge is not an inferior court, and the district court does not stand in an appellate capacity over the magistrate.") For the reasons explained below, the government's appeal will be considered as an objection to the magistrate judge's two orders.
Several more pages of judicial rationale follow, pointing out that grand jury deliberations are not subject to transparency and that Facciola erred by suggesting Twitter and Yahoo could either challenge the gag order or inform their customers. Judge Roberts points out that there's very little either company can offer in terms of judging the "merit" of the government's gag order, or the subpoena itself. Further discussion also defers to a "government knows best" mentality, suggesting that any notification would "jeopardize" ongoing investigations. That this investigation is tied to a grand jury slams the door shut on any appeal of the gag order.
Because the express terms of 18 U.S.C. 2705(b) and applicable legal precedent governing public access to grand jury proceedings and materials do not support the first order inviting Twitter [and Yahoo] to intervene or the second order instructing the government to file a public, redacted copy of the non-disclosure application, the orders will be vacated.
So, the government gets its win, but it had to put in a little extra paperwork. It hoped these documents would be sealed as well, but you can't win them all, especially when the memos in question contain only one redactable sentence each. If this is how the last few months have gone in Facciola's court, it's little wonder the government has been making road trips to other venues.
by Mike Masnick
Thu, May 8th 2014 12:35am
from the don't-fail-us-fcc dept
Along those lines, one FCC commissioner, Jessica Rosenworcel, has suggested that the FCC should put the brakes on its net neutrality plans to think things through a bit more carefully -- though apparently FCC boss Tom Wheeler has rejected that idea and plans to move forward with his rule-making proposal next week.
by Mike Masnick
Fri, May 2nd 2014 3:33am
from the good-for-them dept
Google already routinely notified users of government data requests but adopted an updated policy this week detailing the few situations in which notification is withheld, such as when there is imminent risk of physical harm to a potential crime victim. “We notify users about legal demands when appropriate, unless prohibited by law or court order,” the company said in a statement.
If you're looking for who to thank about this turn of events, there are two places to point. First: the good folks at EFF. For the past few years, it's been publishing its Who Has Your Back? chart looking at how companies respond to government requests for data. Each year, this list has convinced more and more companies to improve how they protect their users, and how they push back on government requests. And the reason why so many companies are rushing to change their policies is that the EFF is about to release its latest version. Yet another reason to be happy the EFF exists.
Lawyers at Apple, Facebook and Microsoft are working on their own revisions, company officials said, although the details have not been released. All are moving toward more routinely notifying users, said the companies, which had not previously disclosed these changes.
“Later this month, Apple will update its policies so that in most cases when law enforcement requests personal information about a customer, the customer will receive a notification from Apple,” company spokeswoman Kristin Huguet said.
Second, of course, is Ed Snowden. While not entirely directly at issue here -- since things like FISA Court Orders and National Security Letters are subject to gag orders barring companies from telling their users -- the generally heightened interest in government access to information provided to internet services has certainly created a culture where these companies can't get away with just rolling over for the government any more.
Of course, you could argue that it's taken these companies too long to get here -- and that's absolutely true -- but better late than never.
Oh yeah. Guess who's really upset about all of this:
The Justice Department disagrees, saying in a statement that new industry policies threaten investigations and put potential crime victims in greater peril.
Once again, it seems like the DOJ and others think that anything that makes their job harder is somehow wrong. But that's incorrect. The whole point of protecting freedom is that it's supposed to be hard for law enforcement to spy on people and arrest them. That's how it's supposed to work.
“These risks of endangering life, risking destruction of evidence, or allowing suspects to flee or intimidate witnesses are not merely hypothetical, but unfortunately routine,” department spokesman Peter Carr said, citing a case in which early disclosure put at risk a cooperative witness in a case. He declined to offer details because the case was under seal.
by Mike Masnick
Wed, Apr 23rd 2014 9:05am
from the please-explain dept
It's good to see at least some pushback on the feds' attempt to get information and to silence companies from saying anything about it. But it's still quite troubling that they seem to assume they have near free rein to do so in the first place. Kudos to the ACLU for stepping in as well, and representing the public interest.
The ACLU filed a motion last night seeking to represent the public's interest in open court proceedings when the government seeks gag orders on Internet companies. We know about the three cases only because the magistrate judge pushed back on the government, inviting Yahoo and Twitter to weigh in and ordering the government to make its legal arguments public. The government appealed those orders to a district court, where the judge ordered the appeals sealed. The ACLU is now moving to intervene in the district court for the purpose of opening these gag order proceedings to public scrutiny. In a democracy, if your government is going to gag someone from speaking, it should publicly explain why.
The federal government has an awesome array of tools and technologies in its investigative arsenal, and it often goes to great lengths to shield its tactics from outside scrutiny. Not only does this secrecy prevent people from challenging surveillance used against them, but it also means that elected officials can't openly debate the underlying policies, and communities can't discuss their government's actions.
Traditionally, gag order applications are considered ex parte – meaning with only the government's argument on the record before the court. However, Magistrate Judge Facciola noted that the government's request in this case raised controversial legal questions, and so invited Twitter and Yahoo to respond. (In one case, the government withdrew its gag order application after Judge Facciola invited Twitter's participation.) He also ordered the government file public copies of its gag order applications with limited redactions.
by Tim Cushing
Mon, Mar 24th 2014 5:42am
from the won't-someone-think-of-the-data-harvesters? dept
Yahoo discovered, as many tech companies did last year, that they had been opted-in to broad surveillance programs operated by the NSA and GCHQ. While these companies had always responded to official requests coming through official channels (the sort of thing detailed in their transparency reports), they were unaware that these agencies were also pulling data and communications right off the internet backbone and tech company servers.
This left most companies with no way to opt out of these collections. With the global reach of these two agencies, along with the others in the "Five Eyes" surveillance network, there are very few ways to avoid becoming another tool in the surveillance state toolchest.
Yahoo is exploring one option, which would limit its exposure to surveillance efforts. In the wake of revelations showing GCHQ collected tons of Yahoo webcam chats, it announced its plan to move its center of European operations to Ireland and out of Scotland Yard's reach.
Following the Guardian's disclosures about snooping on Yahoo webcams, the company said it was "committed to preserving our users' trust and security and continue our efforts to expand encryption across all of our services." It said GCHQ's activity was "completely unacceptable... we strongly call on the world's governments to reform surveillance law."
Explaining the move to Dublin, the company said: "The principal change is that Yahoo EMEA, as the new provider of services to our European users, will replace Yahoo UK Ltd as the data controller responsible for handling your personal information. Yahoo EMEA will be responsible for complying with Irish privacy and data protection laws, which are based on the European data protection directive."
Under the Regulation of Investigatory Powers Act (RIPA), the UK government can force UK-based service providers to turn over data from their servers. Ireland, however, operates under European data privacy laws, not the UK's, which would theoretically help Yahoo hold onto its customers' data.
The potential loss of a large data source seems to have touched off a mini-panic within the intelligence community, which strongly suggested UK Home Secretary Theresa May take the internet company aside and discuss "security concerns."
[C]harles Farr, the head of the office for security and counter-terrorism (OSCT) within the Home Office, has been pressing May to talk to Yahoo because of anxiety in Scotland Yard's counter-terrorism command about the effect the move to Dublin could have on their inquiries...
Well, chances are RIPA won't apply, which would be the only reason these agencies are "concerned." They may have to go elsewhere to collect thousands of potentially naked webcam photos and videos. I'm sure the argument that terrorists will shift to Yahoo services as a result of the company's move is right around the corner. But the reality is that UK agencies will be forced to clear one additional minor hurdle before gaining access to the info they feel serves national security interests.
"There are concerns in the Home Office about how Ripa will apply to Yahoo once it has moved its headquarters to Dublin," said a Whitehall source. "The home secretary asked to see officials from Yahoo because in Dublin they don't have equivalent laws to Ripa. This could particularly affect investigations led by Scotland Yard and the national crime agency. They regard this as a very serious issue."
From Friday, investigators may have to seek information by using a more drawn out process of approaching Yahoo through a Mutual Legal Assistance Treaty between Ireland and the UK.
And how difficult can a "mutual assistance" process actually be? As we've seen detailed repeatedly since the leaks began, the world's intelligence communities enjoy relationships that range from "symbiotic" to "incestuous." That agency heads would feel the need to send a top government figure out to persuade Yahoo to stay within the easy reach of surveillance tentacles shows that these agencies love having tons of data, but really hate having to make the slightest amount of effort.
by Mike Masnick
Mon, Feb 3rd 2014 1:00pm
NSA/FBI Got Access To Content Of Around 40,000 Yahoo/Google User Accounts In First Six Months Of 2013
from the it's-a-lot dept
Concerning the Google data, you can see that there's been a pretty big increase in the number of users impacted over the past few years, peaking at the end of 2012, but that drop in the beginning of 2013 may be just seasonal. Meanwhile, it's interesting to see that a much larger number of Yahoo accounts have been impacted. Of course, for all we know, there could have been one FISA order to Google and three to Yahoo and then the number of accounts impacted would be around 10,000 per order. But, without more granularity, it's impossible to tell.
What does seem clear is that there are about 40,000 accounts on Yahoo or Google to which the NSA/FBI and others in the intelligence community have access.
Update: Facebook and Microsoft have updated their info as well and it's more of the same:
Microsoft, a major surveillance partner for the US government, received fewer than 1,000 orders from the Fisa court for communications content during the same period, related to between 15,000 and 15,999 “accounts or individual identifiers”.
The company, which owns the internet video calling service Skype, also disclosed that it received fewer than 1,000 orders for metadata – which reveals communications patterns rather than individual message content – related to fewer than 1,000 accounts or identifiers.
[....] Facebook disclosed that during the first half of 2013, it turned over content data from between 5000 and 5999 accounts – a rise of about 1000 from the previous six month period – and customer metadata associated with up to 999 accounts.
by Mike Masnick
Mon, Jan 27th 2014 11:55pm
Feds Reach Settlement With Internet Companies Allowing Them To Report Not Nearly Enough Details On Surveillance Efforts
from the too-bad dept
Not too long ago, the government had started allowing companies to reveal, for the first time, how many national security letter (NSL) requests they get, but said they had to reveal that number in ranges of 1,000 starting with 0 to 999. However, they did not allow any such reporting on FISA Court (FISC) orders, which covered things like the now infamous PRISM program under Section 702 of the FISA Amendments Act. It appears that the settlement more or less follows the outline of what the government allowed with NSLs. Companies are given two options. One is to basically report FISC requests like NSL requests, in bands of 1,000, and to similarly report "number of customer accounts affected" for NSLs, "FISA orders for content," "number of customer selectors targeted under FISA content orders," "FISA orders for non-content," and "number of customer selectors targeted under FISA non-content orders." All of those can be revealed separately, but always in bands of 1,000, starting with 0 to 999.
Alternatively, if companies are willing to lump these various programs together, they are allowed somewhat more granularity. So, if they lump together NSLs and FISA orders into a single number, they can reveal the details in bands of 250, starting with 0 to 249. Similarly, they can list the lumped together "customer selectors targeted" under combined NSLs and FISA orders in bands of 250.
This is a step forward, but it's not nearly far enough. As Kevin Bankston notes:
"Asking the public and policymakers to try to judge the appropriateness of the government’s surveillance practices based on a single, combined, rounded number is like asking a doctor to diagnose a patient’s shadow: only the grossest and most obvious problem, if even that, will ever be evident."
Among the problems here is that while they can reveal the number of customer accounts impacted for NSLs, that's not what they can do with FISC orders. Instead, they can only reveal "customer selectors targeted." That can be very different. You can imagine a "customer selector" that impacts many, many user accounts. And that's what many people are worried about -- and with this agreement, we won't actually know.
Furthermore, the agreement has a ridiculous clause that says if a FISA court order covers a "new capability" (i.e., getting access to a service that previously was not being tapped by the NSA/FBI), the companies cannot share that information for two years. The thinking here is rather obvious. Say, for example, a company launches a new voice communications service, like Skype -- and then gets hit with a FISA court order demanding that the NSA be able to listen in. The companies would be blocked from revealing that for two years. Clearly, the idea is to keep people from knowing how quickly the NSA is able to tap into any new form of communication, but that also opens up plenty of opportunities for the NSA to abuse its powers.
There is still some indication that Congress may require greater transparency here. I can understand why the tech companies agreed to settle, but it's a bit disappointing that they threw in the towel so quickly.
Apple has already updated its transparency report to note 0 - 249 "national security orders" and 0 - 249 "total accounts affected."
by Mike Masnick
Thu, Jan 9th 2014 3:43am
from the bitcoin-mining-scams-on-the-rise dept
Just recently, we noted that Yahoo users in Europe were exposed to malicious ads that were downloading malware. It's now come out that the malware was... Bitcoin mining software, which sought to use some of everyone's excess computing resources to hunt for more Bitcoin. As "malware" goes, this is actually a lot less damaging than some other stuff out there (keyloggers designed to steal bank info, for example). It likely would bump up electricity bills slightly for some users, and basic PC mining is pretty ineffective, but it's interesting to see that malware folks are taking such extreme steps to try to build secret Bitcoin mining networks.
Of course, it still seems like doing this kind of thing in an upfront way might be an interesting business model: offer some useful software for free, telling folks very clearly that the "payment" is that they'll be using some of your spare cycles for mining. Of course, it might be better if this was done for cryptocurrencies that weren't so damn inefficient with electricity -- something like Peercoin instead of Bitcoin, for example. I imagine it's really only a matter of time. Imagine a Netflix/Hulu competitor that offered you the content for free, in exchange for distributed computing power, paying the licenses out of the proceeds from the mining. It's not that crazy when you think about it...
by Mike Masnick
Tue, Jan 7th 2014 2:18pm
from the it's-not-almost dept
- Google doesn't charge the government for requests for information:
FISA requires the government to reimburse companies for the cost of retrieving information. Google says it doesn’t bother to charge the government. But one company says it uses that clause, hoping to limit the extent of the requests. “At first, we thought we shouldn’t charge for it,” says an executive of that company. “Then we realized, it’s good—it forces them to stop and think.”
This is kind of a "damned if you do/damned if you don't" situation. I know plenty of folks in the civil liberties community go back and forth on it. When companies do charge, then you see articles about how companies are "making a profit" off of violating our privacy. If they don't charge, then you see arguments about how they're making it too easy for the government to get info. Either way, the standard has been to charge basic costs, so it's interesting to see that Google doesn't charge at all, probably betting on the fact that if they did, it would be misrepresented. Of course, the fact that they don't might be misrepresented as well.
- The NSA has no response to fear of future abuse of programs beyond "we'd never do that." Seriously.
Critics charge that while there is not yet any evidence of massive abuse of the NSA’s collected data, there is also no guarantee that a future regime won’t ignore these touted protections. These officials discounted that possibility, saying that the majority of NSA employees wouldn’t stand for such a policy. “If that happened, there would be lines at the Inspector General’s office here, and at Congress as well—longer than a Disneyland line,” Ledgett says. (The fates of several NSA employees-turned-whistleblowers indicate that anyone in that hypothetical queue would be in for a ride far wilder than anything in Anaheim.)
Sure, except there's a very long history of the NSA and the FBI doing exactly the opposite (the claim of no evidence of massive abuse is not actually true). And, as Levy notes in that final parenthetical, the way whistleblowers are treated these days would probably shorten that line quite a bit.
- Keith Alexander admits that companies were compelled to comply and admits that we should stand up for the companies not to be harmed by all of this:
“This isn’t the companies’ fault. They were compelled to do it. As a nation, we have a responsibility to stand up for the companies, both domestically and internationally. That is our nation’s best interest. We don’t want our companies to lose their economic capability and advantage. It’s for the future of our country.”
This is just bizarre. If he doesn't want the companies to lose their economic capability and advantage, maybe he shouldn't have undermined a large portion of it.
Those words could have come from a policy spokesperson for Google, Facebook, Microsoft, or Yahoo. Or one of the legislators criticizing the NSA’s tactics. Or even a civil liberties group opposing the NSA. But the source is US Army general Keith Alexander, director of the NSA. Still, even as he acknowledges that tech companies have been forced into a tough position, he insists that his programs are legal, necessary, and respectful of privacy.
- Companies were given about 90 minutes to respond to the (misleading) claims in the original PRISM article that they had given the NSA direct access to their servers.
“We had 90 minutes to respond,” says Facebook’s head of security, Joe Sullivan. No one at the company had ever heard of a program called Prism. And the most damning implication—that Facebook and the other companies granted the NSA direct access to their servers in order to suck up vast quantities of information—seemed outright wrong. CEO Mark Zuckerberg was taken aback by the charge and asked his executives whether it was true. Their answer: no.
This remains one of the most unfortunate bits about the Snowden leaks. While I think that Barton Gellman, Glenn Greenwald and Laura Poitras have done an incredible job with most of their reporting, the original PRISM stories that appeared in the Washington Post and Guardian both came out rushed and were misleading, which is still impacting how people are reporting on these things today. The PRISM program and Section 702 of the FISA Amendments Act have serious issues that need exploring, but it's all been distorted by the misleading initial claims, which implied things that just weren't true.
Similar panicked conversations were taking place at Google, Apple, and Microsoft. “We asked around: Are there any surreptitious ways of getting information?” says Kent Walker, Google’s general counsel. “No.”
- The NSA claims it uses the very same encryption that it tries to push everyone else to use. Yes, the same encryption that Snowden docs have revealed was compromised by the NSA.
And the NSA insists that, despite the implications of those Snowden-leaked documents, it does not engage in weakening encryption standards. “The same standards we recommend are the standards we use,” Ledgett says. “We would not use standards we thought were vulnerable. That would be insane.”
Sorry, but no one believes that one at all. The clear takeover by the NSA of NIST standards shows that's clearly not true.
- The NSA still doesn't realize how serious all of this is. They still think it's just been blown out of proportion.
They understand that journalism conferences routinely host sessions on protecting information from government snoops, as if we were living in some Soviet society. And they are aware that multiple security specialists in the nation’s top tech corporations now consider the US government their prime adversary.
But they do not see any of those points as a reason to stop gathering data. They chalk all of that negativity up to monumental misunderstandings triggered by a lone leaker and a hostile press.
- Patent troll Nathan Myhrvold is also completely clueless about national security:
Former Microsoft research head Nathan Myhrvold recently wrote a hair-raising treatise arguing that, considering the threat of terrorists with biology degrees who could wipe out a good portion of humanity, tough surveillance measures might not be so bad. Myhrvold calls out the tech companies for hypocrisy. They argue that the NSA should stop exploiting information in the name of national security, he says, but they are more than happy to do the same thing in pursuit of their bottom lines. “The cost is going to be lower efficiency in finding terrorist plots—and that cost means blood,” he says.
This is stupid on so many levels. First, the old argument that it's somehow equivalent for tech companies and the NSA to make use of information -- a claim that Levy ridiculously repeats multiple times in his article -- is a line that has been debunked so many times it's really beneath Levy to give it any life at all, let alone refuse to point out how stupid it is. Companies provide a direct service to users, and the users make a decision: if I give this information, I get this service in return. It's a decision made by the consumer, and a trade-off where they decide if it's worth it. We can argue that people should have more information about the costs and benefits, but it's still a trade-off where the final decision is their own. The NSA, on the other hand, is not providing a choice or a trade-off. They're just taking everything in exchange for nothing. And, oh yeah, they have guns and can put you in jail -- something no company can do.
Second, Myhrvold incorrectly buys completely the line that all this data collection has been helpful in stopping terrorists. There's just one problem: there is no evidence to support that. Besides, based on his idiotic reasoning, we might as well just do away with pretty much all our rights. For example, I'm pretty sure that we could all have protected Myhrvold more completely if there were video cameras streaming video of everything he did within the privacy of his own home, cars, office or just walking around, right? We could certainly make sure that no one was attacking him or, better yet, that he wasn't about to attack anyone. The cost of not spying on every moment of Nathan Myhrvold might mean "blood." So, based on his own logic, we should violate his privacy, right?