Yesterday, we mentioned the reports kicked off by Nate Hoffelder's research that Adobe was spying on your ebook reading efforts and (even worse) sending the details as unencrypted plaintext. Adobe took its sweet time, but finally responded late last night (obnoxiously, Adobe refused to respond directly to Hoffelder at all, despite the fact that he broke the story). Here's Adobe's mealy-mouthed response that was clearly worked over by a (poorly trained) crisis PR team:
While Adobe has told some that it is working on an update to "address" the issue of transmitting the data in plaintext, it's a bit late in the process to be recognizing that's an issue. The Ars Technica article notes that this may, in fact, violate New Jersey's Reader Privacy Act. EFF wonders about the similar California Reader Privacy Act and whether or not Adobe's efforts here completely undermine that law.
Since Adobe's Digital Editions are commonly used by libraries (my local library uses it, which I've used to take out ebooks), it really raises some serious questions for those libraries. Librarians have a history of strongly standing up for the protection of reader privacy. In fact, for all the talk we've had recently about Section 215 of the PATRIOT Act and how the NSA abuses it, when it was first passed, the people who protested the loudest were the librarians, who feared that it would be used to collect records on what books people were reading! Some people even referred to it as the "library records" provision (even though it was eventually twisted into much more).
And yet, here we are, a decade or so later, and Adobe has completely undermined this kind of trust and privacy which libraries pride themselves on. And, even worse, it's all in the name of some crappy DRM that publishers demand. Librarians and readers should be up in arms over this, and looking for alternatives. Adobe should stop with the bullshit crisis PR response and admit that they screwed up and that the product needs to change to better protect the privacy of individuals and their reading habits.
Police used anti-terrorism powers to secretly spy on The Mail on Sunday after shamed Cabinet Minister Chris Huhne falsely accused journalists of conspiring to bring him down.
Detectives sidestepped a judge’s agreement to protect the source for our stories exposing how Huhne illegally conspired to have his speeding points put on to his wife's licence. Instead they used far-reaching powers under the controversial Regulation of Investigatory Powers Act (RIPA) -- originally intended to safeguard national security -- to hack MoS phone records and identify the source.
They trawled through thousands of confidential numbers called by journalists from a landline at the busy newsdesk going back an entire year, covering hundreds of stories unrelated to the Huhne case.
Every police force in the UK is to be asked by a parliamentary committee to reveal how many times they have secretly snooped on journalists by obtaining their telephone and email records without their consent.
Keith Vaz, chairman of the home affairs select committee, said he wanted a detailed breakdown of police use of the Regulation of Investigatory Powers Act (Ripa) to force telecoms companies to hand over phone records without customers' knowledge.
Today I have written to all Chief Constables and directed them under Section 58(1) of RIPA to provide me with full details of all investigations that have used Part I Chapter 2 RIPA powers to acquire communications data to identify journalistic sources. My office will undertake a full inquiry into these matters and report our findings to the Prime Minister and publicly so as to develop clarity in relation to the scope and compliance of this activity.
This double-pronged attack should force the UK's top police officers to own up to what they have been doing secretly with RIPA. If it turns out that its powers have been routinely abused, the pressure for reforming the outdated RIPA will be greatly increased. Already, the Liberal Democrats, the junior partner in the UK's coalition government, have called for changes to RIPA that would protect journalists and whistleblowers from state snooping, while Keith Vaz wishes to go even further, as the Guardian reports:
Vaz said Ripa was not fit for purpose and needed "total refurbishment". He said: "It is important that the public and parliamentarians get statistics on the number of times it is being used and how it is being used without journalists having to submit freedom of information requests. All kinds of mistake are being made. Anecdotally we've heard of local authorities using it to check people's addresses when parents make applications for schools."
It's rather rich that at precisely the moment we find out how the UK police have been abusing RIPA's anti-terrorism surveillance capabilities to investigate minor offenses, the head of the UK's National Crime Agency has the gall to ask for even more powers.
The Bureau of Investigative Journalism is asking a European court to rule on whether UK legislation properly protects journalists' sources and communications from government scrutiny and mass surveillance.
No one knows anything about what GCHQ does with the journalistic information it pulls in. This is because, startlingly, neither the legislation nor government guidance about its use says anything at all about this.
But it is inevitable that some of GCHQ's minute analysis of the data will be giving it selective access to confidential journalistic material and identifying sources. There is already much evidence that law enforcement agencies increasingly seek to access such information for their own purposes. It is an easy way of advancing their investigations. It can help to identify and deal with embarrassing whistleblowers and can forewarn of awkward stories in the offing. The same is true for the security and intelligence agencies.
Fortunately, Articles 8 and 10 of the European Convention on Human Rights give strong protection to the right to privacy and to freedom of expression. As Millar explains, in earlier judgments the European Court of Human Rights (ECHR) has made it clear that:
this Article 10 right can only be overridden by an order of a judge. And the journalist must first have the opportunity to argue before the court that there is no competing public interest which makes such an order necessary. The law under the Convention is quite clear. Covert state surveillance and accessing of journalistic information cannot be used to circumvent these important rights.
Other journalistic information and activity can only be the subject of such covert surveillance in certain circumstances. Most importantly it must be carried out under laws which are clear, accessible and foreseeable in their effects. These laws must give journalists an adequate indication of how these discretionary surveillance powers might be used against them. They also have to provide protection against arbitrary or disproportionate surveillance measures.
However, the UK law that governs this area, the Regulation of Investigatory Powers Act 2000 (RIPA), is outdated, and does not comply with those rules, Millar believes. So this latest attack on GCHQ's mass surveillance is not just an empty gesture to express annoyance: if the ECHR rules in favor of The Bureau of Investigative Journalism, the British government will be required to review the regulations around the mass collection of communications data -- to update the anachronistic RIPA, in other words.
The good news is that the ECHR has already indicated that it will accept this new case. That offers the hope that the court may be preparing to put it in the fast track along with a similar one that calls into question the UK's compliance with Article 8 of the European Convention on Human Rights. Even if the pace of Snowden's revelations has slowed somewhat in recent months, the impact of earlier leaks continues to grow.
Now, we were disappointed in those comments as well, but mainly because they were mostly meaningless trifles, designed to appease the public with promises of more transparency, rather than an actual promise to cut back on spying on every single person in the US. Apparently King is upset on the other side of things, believing that even the tiniest amount of increased transparency means that Al Qaeda will win:
The President’s announcement today that he will pursue “reforms” to National Security Agency counterterrorism programs is a monumental failure in presidential wartime leadership and responsibility. These programs are legal, transparent and contain the appropriate checks and balances among the executive, legislative and judicial branches of our government. These intelligence tools keep Americans safe every single day.
America is at war with Islamist terror groups that kill and maim innocent civilians. The current threat to the Homeland is just as high as it was before 9/11. It is difficult to imagine past war leaders such as Franklin Roosevelt or Winston Churchill willingly surrendering signals intelligence tools that are needed to fight our enemies. We need a president who defends our intelligence programs, explains them appropriately to the American people, and uses every legal capability in his arsenal to defeat al Qaeda.
The second paragraph is just pure fearmongering based on nothing -- especially the claims about the threats being just as high today as they were before 9/11. Of course, what's even more ridiculous here is that King was a longtime supporter of a foreign terrorist organization, the IRA, including supposedly endorsing an attack on a police station that killed nine people. I wonder if he felt that the UK government should have used the same secret surveillance techniques against the IRA?
King wasn't done there, apparently. Following that statement, he went on Face the Nation and apparently said with a straight face that the public referring to the NSA's activity as "spying" or "snooping" was slandering the NSA and somehow diminishes their patriotism. Really. The man is apparently serious.
“These people in the NSA are patriots,” King said. “Probably what’s annoyed me the most over the last several months is people casually using words like ‘spying,’ ‘snooping,’ ‘what is the NSA up to now?’ Does anybody think General Alexander wants to snoop on America? I think that demeans the whole political dialogue, and that’s why I wish the president would be more outgoing and defend the NSA a lot more than he did.”
“This has really been a slander on the thousands of good men and women who every day dedicate their lives to our country, and particularly General Alexander, who is as patriotic as anyone I have ever met in government or anywhere,” King said. “There is too much loose talk here. Every time I hear ‘snooping’ and ‘spying’, it just drives me crazy. We know what these men and women are doing, and they’re absolutely dedicated patriots.”
Meanwhile, King is not the only one in Congress who is upset that the President even hinted at reforms and transparency. House Speaker John Boehner issued a slightly less inflammatory statement arguing that the President must not back down on keeping the program intact, despite the fact that (again) there is no evidence that it has been necessary in stopping a single terrorist attack.
Transparency is important, but we expect the White House to insist that no reform will compromise the operational integrity of the program. That must be the president’s red line, and he must enforce it. Our priority should continue to be saving American lives, not saving face.
Actually, I thought our priority should be protecting the Constitution -- including the 4th Amendment -- but it appears that many members of Congress have forgotten that little requirement.
Last year, we reported on Australia's plans to bring in comprehensive snooping on its citizens, and more recently how its spies had realized that encrypted services offered an easy way to avoid much of that surveillance. Reuters is now reporting that Australia has put its spying plans on hold -- for the moment:
Australia's government on Monday shelved plans to force phone and Internet companies to hold two years of phone call and email data following concerns raised by a parliamentary inquiry into telecommunications interception laws.
[Lawmakers on the telecommunications inquiry] said Internet browsing data should be excluded from the plans, and called for greater oversight of government agency access to telecommunications data by the ombudsmen and the Inspector-General of Intelligence and Security.
However, this seems to be only a temporary reprieve: as the article above notes, Australia will be holding elections in September, and it is expected that the center-right Coalition, currently in opposition, will win power, and probably bring back the proposals. Of course, the current round of leaks about spying on a massive scale by the NSA and GCHQ may well have some impact on the debate, as will any future leaks of information, especially if they concern Australia directly.
One unfortunate knock-on effect of the revelations about the extent of NSA information gathering seems to be that the spies in other countries are starting to feel under-informed by comparison. Of course, many of them already knew about what was going on: in addition to the British and the Dutch, there are now reports that Germany was also kept informed at the highest levels (original in German). That would probably explain the revelation by the news magazine Der Spiegel that Germany has been trying to beef up its own snooping capabilities for a while:
Last year, [Germany's foreign intelligence agency] BND head Gerhard Schindler told the Confidential Committee of the German parliament, the Bundestag, about a secret program that, in his opinion, would make his agency a major international player. Schindler said the BND wanted to invest €100 million ($133 million) over the coming five years. The money is to finance up to 100 new jobs in the technical surveillance department, along with enhanced computing capacities.
Small beer compared to the NSA, but it's a start. Der Spiegel's article provides some details on how they do it in Germany:
The largest traffic control takes place in Frankfurt, in a data processing center owned by the Association of the German Internet Industry. Via this hub, the largest in Europe, e-mails, phone calls, Skype conversations and text messages flow from regions that interest the BND like Russia and Eastern Europe, along with crisis areas like Somalia, countries in the Middle East, and states like Pakistan and Afghanistan.
But the BND still has a long way to go before it attains NSA-like levels of snooping:
In contrast to the NSA, though, the German intelligence agency has been overwhelmed by this daunting wealth of information. Last year, it monitored just under 5 percent, roughly every 20th phone call, every 20th e-mail and every 20th Facebook exchange. In the year 2011, the BND used over 16,000 search words to fish in this data stream.
As in the US, the idea is that this targets foreigners:
German law allows the BND to monitor any form of communication that has a foreign element, be it a mobile phone conversation, a Facebook chat or an exchange via AOL Messenger. For the purposes of "strategic communications surveillance," the foreign intelligence agency is allowed to copy and review 20 percent of this data traffic. There is even a regulation requiring German providers "to maintain a complete copy of the telecommunications."
Here's how the BND tries to achieve that:
If e-mail addresses surface that end in ".de" (for Germany), they have to be erased. The international dialing code for Germany, 0049, and IP addresses that were apparently given to customers in Germany also pass through the net.
Of course, as in the US, it doesn't quite work out like that:
At first glance, it's not evident where users live whose information is saved by Yahoo, Google or Apple. And how are the agencies supposed to spot a Taliban commander who has acquired an email address with German provider GMX? Meanwhile, the status of Facebook chats and conversations on Skype remains completely unclear.
Given this evident desire to create its own snooping apparatus, coupled with the fact that Germany has doubtless benefited from NSA spying, perhaps it's no surprise the German government's protests about its citizens being subject to extensive NSA surveillance have been muted. Maybe a little too muted: Der Spiegel quotes the question posed by Cornelia Rogall-Grothe, a state secretary in the German Interior Ministry, to the US Embassy in Berlin, in the wake of the revelations about NSA spying:
"Are US agencies running a program or computer system with the name Prism?," the Interior Ministry official asked.
Although New Zealand's decision not to allow patents for programs "as such" was welcome, other moves there have been more problematic. For example, after it became clear that the New Zealand intelligence service, the Government Communications Security Bureau (GCSB), illegally wiretapped and spied on Kim Dotcom, the New Zealand government announced that it would change the law so as to make it legal in the future to snoop on New Zealanders as well as on foreigners. Judging by a major new bill that has been unveiled, that was just the start of a thoroughgoing plan to put in place the capability to spy on every New Zealander's Internet activity at any moment.
Here's an excellent analysis of what the bill proposes, from Thomas Beagle, co-founder of the New Zealand digital rights organization Tech Liberty:
The TICS [Telecommunications (Interception Capability and Security)] Bill is a replacement for the Telecommunications (Interception Capability) Act 2004. This law forced communications providers (ISPs, telcos, data networks, etc) to provide "lawful intercept" capabilities so that the Police, SIS and GCSB could access communications once they had a suitable warrant. The new bill expands and clarifies these requirements.
However, the addition of the word "security" is the key to what has changed. The new bill now gives the GCSB sweeping powers of oversight and control over the design, deployment and operation of all data and telecommunications networks run by network providers in New Zealand. The stated reasons are to both protect New Zealand's infrastructure and to ensure that surveillance agencies can spy on traffic when required. As part of this, the GCSB will have the power to stop network providers from reselling overseas services that do not provide these capabilities.
As Beagle goes on to explain, this will have a number of implications, including a requirement to build backdoors into all telecoms networks:
From the Bill:
A network operator must ensure that every public telecommunications network that the operator owns, controls, or operates, and every telecommunications service that the operator provides in New Zealand, has full interception capability.
Note that the surveillance agencies still need to have a legally issued warrant (under the Search & Surveillance Act, NZ SIS Act, or GCSB Act) to actually intercept any communications and there are obligations to avoid capturing communications that are not covered by the warrant.
Here's one way that could dramatically impact Internet users in New Zealand:
It then goes on to give the Minister the power to ban the resale of an off-shore telecommunications service in New Zealand if it does not provide interception capabilities. This could stop the resale of foreign-hosted VPNs, instant message services, email, etc.
Another clause could have major implications for Megaupload:
Network operators must decrypt the intercepted communications if they have provided the encryption, but there is no obligation to do so if the encryption is provided by others.
What does this mean for providers such as Mega (file locker) or LastPass (password storage) who have a business model based on the fact that they supply a cloud product that uses encryption but have deliberately designed it so that they can not decrypt the files themselves? This gives users the assurance that they can trust them with their data. Will the government close them down unless they provide a backdoor into the system?
One deeply troubling aspect is the following:
There is also a provision that allows the courts to receive classified information in a court case in the absence of the defendant or the defendant's lawyer. This applies to information that might reveal details of the interception methods used by the surveillance agency or is about particular operations in relation to any of the functions of the surveillance agency, or is provided as secret information from the surveillance agencies of another country. It can also be used if that disclosure would prejudice security of NZ, prejudice the maintenance of law, or endanger the safety of any person.
As Beagle notes:
particularly offensive to civil liberties are the provisions for convicting people based on secret evidence. How can you defend yourself fairly when you can't even find out the evidence presented against you?
He concludes with an important point:
One must ask where the justification for this expansion of power is coming from. Has New Zealand already been materially affected by attacks on our communications infrastructure? It seems clear that while the GCSB may not be that competent at exercising the powers they already have, they have done a fine job of convincing the government that they can handle a lot more.
That's a question that needs to be put to the governments of other countries, like the US and UK, that are also seeking to extend massively their ability to spy on their own citizens. What evidence do they have that such extreme, liberty-threatening powers are actually necessary, and will make the public safer, rather than simply being a convenient way for governments to identify whistleblowers who expose their incompetence and corruption, say, or to spy on those who dare to oppose them?
My goodness. Yesterday we posted about Rep. Louis Gohmert's incredible, head-shakingly ignorant exchange with lawyer Orin Kerr during a Congressional hearing concerning "hacking" and the CFAA. In that discussion, Gohmert spoke out in favor of being able to "hack back" and destroy the computers of hackers -- and grew indignant at the mere suggestion that this might have unintended consequences or lead people to attack the wrong targets. Gohmert thought that such talk was just Kerr trying to protect hackers.
I thought perhaps Rep. Gohmert was just having a bad day. Maybe he's having a bad month. In a different hearing, held yesterday concerning ECPA reform, Gohmert opened his mouth again, and it was even worse. Much, much worse. Cringe-inducingly clueless. Yell at your screen clueless. Watch for yourself, but be prepared to want to yell.
The short version of this is that he seems to think that when Google has advertisements on Gmail, that's the same thing as selling all of the information in your email to advertisers. And no matter how many times Google's lawyer politely tries to explain the difference, Gohmert doesn't get it. He thinks he's making a point -- smirking the whole time -- that what Google does is somehow the equivalent of government snooping, in that he keeps asking if Google can just "sell" access to everyone's email to the government. I'm going to post a transcript below, and because I simply cannot not interject how ridiculously uninformed Gohmert's line of questioning is, I'm going to interject in the transcript as appropriate.
Rep. Gohmert: I was curious. Doesn't Google sell information acquired from emails to different vendors so that they can target certain individuals with their promotions?
Google lawyer whose name I didn't catch: Uh, no, we don't sell email content. We do have a system -- similar to the system we have for scanning for spam and malware -- that can identify what type of ads are most relevant to serve on email messages. It's an automated process. There's no human interaction. Certainly, the email is not sold to anybody or disclosed.
Gohmert: So how do these other vendors get our emails and think that we may be interested in the products they're selling.
Okay, already we're off to a great start in monumental ignorance. The initial question was based on a complete falsehood -- that Google sells such information -- and after the lawyer told him that this is not true, Gohmert completely ignores that and still asks how they get the emails. It never seems to occur to him that they don't get the emails.
Google lawyer: They don't actually get your email. What they're able to do is through our advertising business be able to identify keywords that they would like to trigger the display of one of their ads, but they don't get information about who the user is or any...
Gohmert: Well that brings me back. So they get information about keywords in our emails that they use to decide who to send promotions to, albeit automatically done. Correct?
NO. Not correct. In fact, that's the exact opposite of what the lawyer just said. Gohmert can't seem to comprehend that Google placing targeted ads next to emails has NOTHING to do with sending any information back to the advertiser. I wonder, when Rep. Gohmert turns on his television to watch the evening news, does he think that the TV station is sending his name, address, channel watching info, etc. back to advertisers? That's not how it works. At all. The advertisers state where they want their ads to appear, and Google's system figures out where to place the ads. At no point does any information from email accounts go back to anyone. And yet Gohmert keeps asking.
And not understanding the rather basic answers. Unfortunately, the lawyer tries to actually explain reality to Gohmert in a professional and detailed manner, when it seems clear that the proper way to answer his questions is in shorter, simpler sentences such as: "No, that's 100% incorrect."
Lawyer: The email context is used to identify what ads are most relevant to the user...
Gohmert: And do they pay for the right or the contractual ability to target those individuals who use those keywords?
Lawyer: I might phrase that slightly differently, but the gist is correct, that advertisers are able to bid for the placement of advertisements to users, where our system has detected might be interested in the advertisement.
Gohmert: Okay, so what would prevent the federal government from making a deal with Google, so they could also "Scroogle" people, and say "I want to know everyone who has ever used the term 'Benghazi'" or "I want everyone who's ever used... a certain term." Would you discriminate against the government, or would you allow the government to know about all emails that included those words?
Okay, try not to hit your head on your desk after that exchange. He (perhaps accidentally) gets a statement more or less correct, that advertisers pay to have their ads show up, but immediately follows that up with something completely unrelated to that. First, he tosses in "Scroogled" -- a term that Microsoft uses in its advertising against Gmail and in favor of Outlook.com -- suggesting exactly where this "line" of questioning may have originated. Tip to Microsoft lobbyists, by the way: if you want to put Google on the hot seat, it might help to try a line of questioning that actually makes sense.
Then, the second part, you just have to say huh? The lawyer already explained, repeatedly, that Google doesn't send any information back to the advertiser, and yet he's trying to suggest that the government snooping through your email is the same thing... and Google somehow not giving the government that info is Google "discriminating" against the government? What? Really?
Lawyer: [confounded look] Uh... sir, I think those are apples and oranges. I think the disclosure of the identity...
Gohmert: I'm not asking for a fruit comparison. I'm just asking would you be willing to make that deal with the government? The same one you do with private advertisers, so that the government would know which emails are using which words.
Seriously? I recognize that there are no requirements on intelligence to get elected to Congress, but is there anyone who honestly could not comprehend what he meant by saying it's "apples and oranges"? But, clearly he does not understand that because not only does he mock the analogy, he then repeats the same question in which he insists -- despite the multiple explanations that state the exact opposite -- that advertisers get access to emails and information about email users, and that the government should be able to do the same thing.
Lawyer: Thank you, sir. I meant by that, that it isn't the same deal that's being suggested there.
Gohmert: But I'm asking specifically if the same type of deal could be made by the federal government? [some pointless rant about US government videos aired overseas that is completely irrelevant and which it wasn't worth transcribing] But if that same government will spend tens of thousands to do a commercial, they might, under some hare-brained idea like to do a deal to get all the email addresses that use certain words. Couldn't they make that same kind of deal that private advertisers do?
Holy crap. Gohmert, for the fourth time already, nobody gets email addresses. No private business gets the email addresses. No private business gets to see inside of anyone's email. Seeing inside someone's email has nothing to do with buying ads in email. If the government wants to "do the same deal as private advertisers" then yes it can advertise on Gmail... and it still won't get the email addresses or any other information about emailers, because at no point does Google advertising work that way.
Lawyer: We would not honor a request from the government for such a...
Gohmert: So you would discriminate against the government if they tried to do what your private advertisers do?
No. No. No. No. No. The lawyer already told you half a dozen times, no. The government can do exactly what private advertisers do, which is buy ads. And, just like private advertisers, they would get back no email addresses or any such information.
Lawyer: I don't think that describes what private advertisers...
Gohmert: Okay, does anybody here have any -- obviously, you're doing a good job protecting your employer -- but does anybody have any proposed legislation that would assist us in what we're doing?
What are we doing, here? Because it certainly seems like you're making one of the most ignorant arguments ever to come out of an elected official's mouth, and that's saying quite a bit. You keep saying "private advertisers get A" when the reality is that private advertisers get nothing of the sort -- and then you ignore that (over and over and over and over again) and then say "well if private advertisers get A, why can't the government get A." The answer is because neither of them get A and never have.
Gohmert: I would be very interested in any phrase, any clauses, any items that we might add to legislation, or take from existing legislation, to help us deal with this problem. Because I am very interested and very concerned about our privacy and our email.
If you were either interested or concerned then you would know that no such information goes back to advertisers before you stepped into the room (hell, before you got elected, really). But, even if you were ignorant of that fact before the hearing, the fact that the lawyer tried half a dozen times, in a half a dozen different ways to tell you that the information is not shared should have educated you on that fact. So I'm "very interested" in what sort of "language" Gohmert is going to try to add to legislation that deals with a non-existent problem that he insists is real.
Gohmert: And just so the simpletons that sometimes write for the Huffington Post understand, I don't want the government to have all that information.
Rep. Sensenbrenner: For the point of personal privilege, my son writes for the Huffington Post.
Gohmert: Well then maybe he's not one of the simpletons I was referring to.
Sensenbrenner: He does have a PhD.
Gohmert: Well, you can still be a PHUL.
Har, har, har... wait, what? So much insanity to unpack. First of all, Gohmert seems to think that people will be making fun of him for suggesting that the government should "buy" access to your email on Google. And, yes, we will make fun of that, but not for the reasons that he thinks we will. No one thinks that Gohmert seriously wants the government to buy access to information on Google. What everyone's laughing (or cringing) at is the idea that anyone could buy that info, because you can't. No private advertiser. No government. It's just not possible.
But, I guess we're all just "simpletons."
Seriously, however, we as citizens deserve better politicians. No one expects politicians to necessarily understand every aspect of technology, but there are some simple concepts that you should at least be able to grasp when explained to you repeatedly by experts. When a politician repeatedly demonstrates no ability to comprehend a rather basic concept -- and then grandstands on their own ignorance -- it's time to find better politicians. Quickly.
As you're probably aware since it's "the big story" right now, General David Petraeus stepped down last week after an FBI investigation turned up an affair he'd been having. It seems that every few hours more news "breaks" on the story, and it keeps getting more involved, with a growing number of players (and with each new revelation the story gets more and more bizarre). However, some have started wondering how and why the FBI was snooping on various emails. The original story was that it came about after Petraeus' mistress allegedly sent threatening (anonymous) emails to another woman, who reported them to the FBI. From that came a wider investigation, which supposedly may involve another General and a variety of other players. But some are realizing that this seems to show how the FBI has pretty free rein in terms of snooping on email accounts hosted online:
Under the 1986 Electronic Communications Privacy Act, federal authorities need only a subpoena approved by a federal prosecutor — not a judge — to obtain electronic messages that are six months old or older. To get more recent communications, a warrant from a judge is required. This is a higher standard that requires proof of probable cause that a crime is being committed.
But even that isn't entirely clear. Folks like Julian Sanchez have been puzzling through the timeline of events and wondering how a simple investigation into a small number of "rude" (but not illegal) emails then uncovered thousands of questionable emails involving a different general as alleged in the news that broke last night. It feels like the FBI may have taken a simple report of misconduct (which may have been driven by another love triangle issue involving an FBI agent who seemed to take the whole thing a lot more personally than makes sense) and turned it into a massive fishing expedition.
Given how fast new parts of this story keep breaking, I'm sure there are still a number of other dominoes to fall, but hopefully this actually gets people to pay attention to just how easy it is for law enforcement to snoop on people's emails these days based on next to nothing.
The draft bill of the UK's "Snooper's Charter", which would require ISPs to record key information about every email sent and Web site visited by UK citizens, and mobile phone companies to log all their calls, was published back in July. Before it is debated by politicians, a Joint Committee from both the House of Commons and House of Lords is conducting "pre-legislative scrutiny."
Jimmy Wales, the founder of Wikipedia, has sharply criticised the government's "snooper's charter", designed to track internet, text and email use of all British citizens, as "technologically incompetent".
He said Wikipedia would move to encrypt all its connections with Britain if UK internet companies, such as Vodafone and Virgin Media, were mandated by the government to keep track of every single page accessed by UK citizens.
He went on to suggest that other Internet companies would do the same, forcing the UK authorities to resort to what he called "black arts" to break the encryption. As he pointed out: "It is not the sort of thing I'd expect from a western democracy. It is the kind of thing I would expect from the Iranians or the Chinese."
To a certain extent, this is just bluster: Wales has no formal power to instruct Wikipedia to encrypt its connections, and even assuming that happened, it's not certain that companies like Google and Facebook would risk fines or imprisonment for their staff by refusing to hand over encryption keys. But Wales' intervention had a big symbolic importance: he's not only the co-founder of Wikipedia -- which even politicians have heard of and probably use -- he's also one of the UK government's own special tech advisers, appointed back in March.
His comments are, therefore, a real slap in the face, and a useful reminder that by pushing for this kind of total surveillance the UK government is not only making itself look oppressive, but stupid too.