WebProNews

Tag: Surveillance

  • NIST Says It Never Worked With The NSA To Weaken Encryption Standards

    Last week, it was revealed that the NSA works tirelessly to break through all forms of encryption. One of the more worrisome revelations from the leak was that the agency worked with the National Institute of Standards and Technology to introduce intentionally weak encryption standards. Now NIST is saying that never happened.

    In a statement today, NIST denies ever helping the NSA to weaken encryption standards. The organization adds that it would never “deliberately weaken a cryptographic standard.” Here’s the relevant part of the statement:

    NIST would not deliberately weaken a cryptographic standard. We will continue in our mission to work with the cryptographic community to create the strongest possible encryption standards for the U.S. government and industry at large.

    There has been some confusion about the standards development process and the role of different organizations in it. NIST’s mandate is to develop standards and guidelines to protect federal information and information systems. Because of the high degree of confidence in NIST standards, many private industry groups also voluntarily adopt these standards.

    While NIST denies ever helping the NSA to weaken standards, it does admit that it works with the agency on encryption standards. In fact, the group is “required by statute to consult” with the agency during its “cryptography development process because of [the NSA’s] recognized expertise.”

    In other words, NIST has to work with the NSA on encryption standards, but it doesn’t actively weaken said standards at the agency’s behest. Conspiracy theorists might say that the NSA inserted the vulnerabilities in NIST’s standards without the group noticing. It’s not exactly a far-out theory considering everything else we’ve learned about the agency thus far.

    To help remove some of the skepticism it’s facing, NIST has also announced that it’s reopened the public comment period for its latest standards publication. This will give the public another chance to look through the latest encryption standards to see if they find anything out of the ordinary.

    [Image: Wikimedia Commons]
    [h/t: The Hill]

  • Google Once Again Pushes For Transparency When Dealing With Federal Data Requests

    Does Google hand over your private information to the feds? The company says it doesn’t, but it can’t prove this because of gag orders placed on it by the federal government. That’s why Google, along with Microsoft, has petitioned the government to allow it to be more transparent in reporting the number of federal data requests it receives.

    Google submitted its original petition to the FISA court back in June when it argued that it had a First Amendment right to publish an aggregate figure of all the federal data requests it receives. Now that same petition has been resubmitted with a new request. Google wants the FISA court to hold the debate on whether or not tech companies can publish federal data request numbers in the open.

    The public is not allowed to listen in on any hearings that go on in the FISA court. What’s worse is that there’s no representative of the public in said hearings. The court only hears from the government and then approves or denies the request. Google doesn’t outright say that needs to change, but it does call for greater transparency in the FISA court. The company says it’s only natural given the “important public policy issues at stake.”

    Besides resubmitting its petition, Google notes that it will be meeting with the President’s Group on Intelligence and Communications Technology today. The company says that it will present the same petition at this meeting demanding the government let it be more transparent regarding data requests.

    While Google is resubmitting its petition, Microsoft last month said it would be getting a little more aggressive in its quest for transparency. The company announced that it would be filing a lawsuit against the government in the hope that it can force transparency with the help of the court.

    [Image: Google]

  • NSA Can Break Internet Encryption Technologies

    The NSA can see pretty much everything you do online as long as it’s not encrypted. That’s at least what a Snowden leak from last month claimed. The news spurred more people and businesses to sign up for more encryption services, but a new leak suggests that their efforts may have been all for naught.

    The Guardian, in collaboration with The New York Times and ProPublica, reports that the NSA employs a number of programs to break through the encryption software used every day to protect the privacy of Internet users. These programs range from the use of supercomputers in decrypting files to outright paying companies to insert vulnerabilities into their own software.

    It should be noted before going any further that the NSA sees encryption and those who use it as adversaries to its mission. In one of the documents provided by Snowden, the NSA says that it’s able to use exploits in encryption software to access what “consumers and other adversaries” think is secure data.

    Let that sink in for a moment.

    The NSA, an agency that’s charged with protecting the American people, refers to those it’s sworn to protect as adversaries. If the document had read “consumers and adversaries,” it would have been questionable, but fine. The addition of the “other” confirms a previous leak that revealed the NSA automatically assumes any encrypted data is up to no good.

    So, how does the NSA gain access to encrypted data? The most prominent method is the one used by pretty much every other hacker on the planet – brute force alongside new decryption techniques. It appears that the NSA worked alongside their British counterparts at the GCHQ on two programs – Bullrun and Edgehill respectively – to break through the encryption used in major communication systems, including Gmail.

    More worrisome, however, are the back room deals negotiated by the NSA to ensure that it doesn’t even have to break through the encryption in the first place. The documents point to a top secret program, which costs $250 million a year, where the NSA works with “US and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs.” In other words, the NSA pays companies to insert backdoors into their own software. Some of the participants are even encryption companies that knowingly insert exploits into their own software so the NSA can access data sent via their services.

    The NSA also has a hand in influencing global encryption standards. The documents state that the agency secretly had its draft of encryption standards accepted by the US National Institute of Standards and Technology. These are the bare minimum security standards that any Internet company worth their salt abides by, and the NSA can just blow right through said standards on account of it writing them.

    So, is there anything that the NSA can’t peer into? Well, there are new encryption tools being developed every day. The NSA makes a note of this by saying that it can’t break through every encryption technology just yet. We don’t know what those encryption technologies are, but it’s safe to assume that LavaBit may have been one of them.

    Even more worrisome than the NSA having access to encrypted information is the existence of these backdoors in the first place. Any security researcher will tell you that backdoors are an incredibly bad idea that do more harm than good. What happens when malicious hackers find their way into the backdoors intended for government officials? Nothing good, that’s what.

    President Obama and defenders of the NSA claim that the agency is needed to protect us from the bad guys. Those bad guys are increasingly turning to cyberwarfare where such back doors are rather convenient for those who would launch cyber attacks that can cause real harm to people who use the Internet for everything from banking to sharing personal information. The NSA may be trying to secure America from foreign threats, but in doing so is making the Internet less secure. That’s a problem and one that needs to be addressed by Obama’s “independent” panel of experts that will examine the NSA’s practices over the coming months.

    [Image: The Guardian]

  • NRA Joins Lawsuit Against NSA’s Phone Metadata Collection

    The NRA is not the first organization that comes to mind when I think of civil liberty organizations. Sure, they fight for Second Amendment rights, but they don’t really get involved with matters concerning the First or Fourth Amendment unless it directly affects gun owners. Well, they now feel that the NSA has crossed a line in that respect.

    The Hill reports that the NRA has joined the ACLU’s lawsuit against the federal government concerning the NSA’s phone metadata collection program. If you recall, the metadata collection program was the first revealed by the Snowden leaks, and showed that the government was collecting phone data from every call made on Verizon’s network.

    So, why does the NRA have a stake in this? Are they suddenly concerned about the privacy of every American? Well, not really – they’re concerned about the privacy of gun owners as they feel the NSA collecting phone metadata is the same thing as building a national gun registry.

    In its filing, the NRA says that Congress, in authorizing metadata collection, has authorized the creation of a gun registry program:

    “It would be absurd to think that the Congress would adopt and maintain a web of statutes intended to protect against the creation of a national gun registry, while simultaneously authorizing the FBI and the NSA to gather records that could effectively create just such a registry.”

    So, how would the NSA compile a gun registry with the metadata it collects under section 215 of the Patriot Act? Well, metadata tells the agency who a person calls and for how long. The NRA feels that the agency could use this information and point out who owns a gun based upon calls being made to gun shops and firing ranges.

    While I think it’s a little absurd to think the NSA wants to create a gun registry, I do agree with the spirit of the NRA’s concern. President Obama and other defenders of the NSA say that metadata doesn’t divulge any personal information and is therefore not a violation of the Fourth Amendment. As the NRA points out, that’s not entirely the case as the NSA could use that metadata to find out which Americans make calls to gun shops. That same technique could be used to find out which Americans make calls to any number of groups and organizations. From there, you spiral into the not-so-silly conspiracy theories of the government looking for signs of dissent based upon calls being made to protest organizations and anti-government groups.

    With the NRA’s backing, the ACLU has a lot more power behind its attempt to stall the government’s collection of phone records. Now we can only hope the judge in the matter understands the NRA’s example to be just that – an example of how telling metadata really is.

    [h/t: Bjoertvedt/Wikimedia Commons]

  • Microsoft Says The Government Isn’t Doing Enough To Promote Transparency

    In late June, Google and Microsoft both filed suit with the FISA court demanding that the government let them publish the number of federal data requests they receive. The companies had hoped to work out a deal with the government that would allow them to publish the figures, but the government decided to take things into its own hands.

    Microsoft is the first of the big tech companies to respond to the Department of National Intelligence’s decision to publish aggregate numbers of people that the NSA has spied on over the last 12 months. The company’s general counsel, Brad Smith, says that it’s a good first step, but that it’s lacking what Microsoft and Google are fighting for.

    For example, we believe it is vital to publish information that clearly shows the number of national security demands for user content, such as the text of an email. These figures should be published in a form that is distinct from the number of demands that capture only metadata such as the subscriber information associated with a particular email address. We believe it’s possible to publish these figures in a manner that avoids putting security at risk. And unless this type of information is made public, any discussion of government practices and service provider obligations will remain incomplete.

    Smith also notes that Google and Microsoft had been negotiating with the government over the last two months to see if they could work out a deal. They even allowed the government to postpone having to respond to their lawsuits in the interest of working out a settlement. Those negotiations have failed, and Smith says that they have no choice now but to push forward with their lawsuits:

    Over the past several weeks Microsoft and Google have pursued these talks in consultation with others across the technology sector. With the failure of our recent negotiations, we will move forward with litigation in the hope that the courts will uphold our right to speak more freely. And with a growing discussion on Capitol Hill, we hope Congress will continue to press for the right of technology companies to disclose relevant information in an appropriate way.

    Aside from the above example, Microsoft has a vested interest in publishing data request information to protect its own hide. It’s been implicated far too many times in the recent leaks as a lapdog for the government that’s more than willing to hand over data or install backdoors in Skype. Microsoft vehemently denies the allegations made in the leaks, but the gag orders pertaining to federal data requests prevent the company from mounting a better defense.

    As we saw earlier this month, the existence of the NSA’s spy programs could have an enormous impact on the cloud storage industry. Microsoft’s SkyDrive is one of the biggest cloud providers, and it has a lot to lose if people start to distrust American tech companies. It needs to publish these numbers to regain the public’s trust, and the government is the only thing standing in its way. You would think that the Obama administration would be more supportive of the tech industry, but its current culture of secrecy will do nothing but hurt it.

    [Image: Microsoft]

  • Government To Declassify How Many People Were Targeted By The NSA In 2012

    Earlier this month, President Obama outlined four ways that he would like to reform the NSA and FISA court. A big part of those reforms was increased transparency, and it looks like we’ll finally be getting a little more transparency.

    On the new (and hilarious) NSA tumblr blog, Director of National Intelligence James Clapper announced a plan to annually release data pertaining to the number of people and businesses targeted by the NSA. Of course, we won’t get actual numbers as the government will only be publishing aggregate figures, much like what Facebook published earlier this week.

    Unlike Facebook and other tech companies, however, the government’s list of published figures will be much broader in scope. Here’s everything you can expect to see in the upcoming report:

    • FISA orders based on probable cause (Titles I and III of FISA, and sections 703 and 704).
    • Section 702 of FISA
    • FISA Business Records (Title V of FISA).
    • FISA Pen Register/Trap and Trace (Title IV of FISA)
    • National Security Letters issued pursuant to 12 U.S.C. § 3414(a)(5), 15 U.S.C. §§ 1681u(a) and (b), 15 U.S.C. § 1681v, and 18 U.S.C. § 2709.

    You might be disappointed that the government will only be publishing aggregate figures, but Clapper argues that it’s for the good of the nation:

    FISA and national security letters are an important part of our effort to keep the nation and its citizens safe, and disclosing more detailed information about how they are used and to whom they are directed can obviously help our enemies avoid detection.

    Everything that has been leaked by Snowden thus far was kept secret for the good of the nation, but said leaks seem to have had no impact yet. The real bad guys – the ones who would actually do the nation harm – aren’t using Facebook or Google+ to plan out attacks. Sure, the NSA might catch wind of a plot from a really stupid terrorist, but recent leaks suggest that they’re just scooping up data indiscriminately without a lot of oversight.

    Of course, the government should be commended for being even a little more transparent. It’s just unfortunate that transparency was only ever discussed once the Snowden leaks thoroughly embarrassed the government.

    Once the document is published, we’ll be sure to bring you all the information it contains. Just don’t expect a lot of startling revelations. After all, the NSA’s “ability to discuss these activities is limited by [its] need to protect intelligence sources and methods.”

    [Image: IC On The Record]

  • That NSA Review Panel Gets One More Member

    Last week, an unconfirmed report emerged saying that President Obama had chosen the members for his proposed NSA review panel. Many were disappointed to learn that the four members chosen all had a connection to the White House and three are close to the intelligence community. Well, we now have official confirmation of who’s joining the NSA review panel and it’s a little less disappointing.

    The Hill reports that President Obama held his first meeting with members of the NSA review panel on Tuesday. The members of the panel include the previously announced Michael Morell, Richard Clarke, Cass Sunstein and Peter Swire. There’s a fifth member – Geoffrey Stone – and he may bring a little independent thought to the panel.

    So, who is Stone? According to Wikipedia, he’s an American law professor currently teaching at the University of Chicago Law School. He’s also the author of two very topical books – Top Secret: When Our Government Keeps Us In The Dark and War And Liberty: An American Dilemma. He has no known connection to the White House or the intelligence community, and it seems that he’s very critical of both. In short, he’s a fantastic addition to a panel that was starting to look a little one-sided.

    In an official statement, White House Press Secretary Jay Carney said that the review group will advise the President on how to move forward with the NSA’s data collection programs:

    “These individuals bring to the task immense experience in national security, intelligence, oversight, privacy and civil liberties. The Review Group will bring a range of experience and perspectives to bear to advise the President on how, in light of advancements in technology, the United States can employ its technical collection capabilities in a way that optimally protects our national security and advances our foreign policy while respecting our commitment to privacy and civil liberties, recognizing our need to maintain the public trust, and reducing the risk of unauthorized disclosure.”

    When President Obama first announced the review panel, he said that it would deliver an interim report to Intelligence Director James Clapper within 60 days and then deliver a final report to the president before the end of the year. That still seems to be the plan, but there’s no word yet on whether or not the president will publish the final report for the public’s consumption. We can only hope that the results of this review are as transparent as possible.

    [Image: UCTV/YouTube]

  • Facebook Releases Transparency Report, U.S. Government Made 12,000 Requests For Data

    When PRISM was leaked in early June, Facebook was one of the first companies cited in the report to deny any involvement with the program. The revelation did, however, push Facebook into asking the U.S. government for permission to publish government data request numbers. That wish was granted in mid-June, and now Facebook has published its very first transparency report.

    Facebook today published what it calls the “Global Government Requests Report.” In short, it’s a report detailing government requests for user data from all over the world. It lists the total requests for data by country as well as how many user accounts were requested in said country. It also reveals the percentage of requests where Facebook was required by law to hand over data.

    Before we get to the actual numbers, Facebook’s General Counsel, Colin Stretch, reiterates once again that the social network does not provide a back door into its network for the NSA or any other governmental body. Instead, it makes any government requesting data jump through as many hoops as possible:

    As we have made clear in recent weeks, we have stringent processes in place to handle all government data requests. We believe this process protects the data of the people who use our service, and requires governments to meet a very high legal bar with each individual request in order to receive any information about any of our users. We scrutinize each request for legal sufficiency under our terms and the strict letter of the law, and require a detailed description of the legal and factual bases for each request. We fight many of these requests, pushing back when we find legal deficiencies and narrowing the scope of overly broad or vague requests. When we are required to comply with a particular request, we frequently share only basic user information, such as name.

    So, let’s check out the numbers, shall we? They cover the first six months of 2013, and cover pretty much every nation that Facebook operates in. As expected, the United States is number one with 11,000 to 12,000 data requests that impact 20,000 to 21,000 user accounts. Additionally, 79 percent of these requests end up with Facebook handing over some user data.

    What may be surprising to some, however, is that India came in second place with 3,245 requests for data impacting 4,144 user accounts. Only 50 percent of those requests ended up with Facebook handing over data though.

    Rounding out the top five are the United Kingdom in third place, Germany in fourth and Italy in fifth. Only one other country, France, sent over 1,000 data requests in the first six months of this year. The rest of the countries in the report, mostly eastern Europe and Southeast Asia, sent fewer than 100 requests.

    One thing you may have noticed is that only the United States data requests are published in aggregate form without a hard number to accompany it. Unfortunately, that’s the only way Facebook can publish the numbers for U.S. data requests as the government makes Facebook combine federal and local data requests in an aggregate number so that the public can’t see how many federal requests for data are actually being sent.

    You may recall that this aggregate requirement rubbed Google the wrong way in late June when it filed a complaint with the FISA court regarding its inability to publish more accurate data request numbers. In its filing, Google argued that it should be able to publish an aggregate figure of federal requests without having to lump in local law enforcement requests. Publishing aggregate figures of just federal requests wouldn’t have any impact on national security, but Google hasn’t made any progress with its complaint even after Microsoft filed its own complaint as well.

    Regardless, Facebook feels that publishing these numbers, even if they’re disingenuous, plays an important role in the public debate concerning the NSA:

    We hope this report will be useful to our users in the ongoing debate about the proper standards for government requests for user information in official investigations. And while we view this compilation as an important first report – it will not be our last. In coming reports, we hope to be able to provide even more information about the requests we receive from law enforcement authorities.

    As we have said many times, we believe that while governments have an important responsibility to keep people safe, it is possible to do so while also being transparent. Government transparency and public safety are not mutually exclusive ideals. Each can exist simultaneously in free and open societies, and they help make us stronger. We strongly encourage all governments to provide greater transparency about their efforts aimed at keeping the public safe, and we will continue to be aggressive advocates for greater disclosure.

    That last paragraph is the most important point Stretch makes, and it’s something that we can only hope the U.S. government takes to heart in the coming months. Obama’s proposed NSA reforms promised transparency, but almost everything out of his administration thus far looks to sustain the status quo under a facade of transparency.

    [Image: Wikimedia Commons]

  • Obama Says Declassified FISA Court Order Proves NSA Oversight Works

    Is the NSA subject to enough oversight? Its supporters would continue to have you believe that to be the case, including President Obama.

    In a recent interview with CNN, the president addresses the recent declassified court order that said the NSA collected thousands of “wholly domestic” emails in 2011. He said that this particular case is proof that the safeguards put into place work:

    “This latest revelation that was made, what was learned was that NSA had inadvertently, accidentally pulled the emails of some Americans in violation of their own rules because of technical problems that they didn’t realize. They presented those problems to the court. The court said, ‘This isn’t going to cut it. You’re going to have to improve the safeguards, given these technical problems.’ That’s exactly what happened. So the point is, is that all these safeguards, checks, audits, oversight worked.”

    Of course, the president neglects to mention the two other very important aspects pertaining to this particular court order. The first is that the NSA had been collecting these “wholly domestic” emails for a few months before they brought it to the attention of the FISA court. He can talk all he wants about congressional and judicial oversight, but the NSA is still its own master at the end of the day. Even the FISA court said that it “does not have the capacity to investigate issues of noncompliance.”

    The second is that the court order to which Obama alludes includes a footnote where the judge says that the agency’s violation in 2011 “mark[s] the third instance in less than three years in which the government has disclosed a substantial misrepresentation regarding the scope of a major collection program.” In other words, the judge says that the NSA has lied to the court three times in the past regarding its collection programs. That’s not oversight – that’s an agency getting to choose when it tells the court it violated the law.

    Even with all the bad, some good came out of the interview with CNN. The President said that the NSA could do better and that he hopes future technology allows the agency to better filter out Americans’ communications. On the flip side, this new technology could make it easier for the NSA and other intelligence agencies around the world to spy on their citizens. We can only hope that the former is the case.

    [Image: White House/flickr]
    [h/t: The Hill]

  • Obama Appoints Four White House Insiders To NSA Review Panel

    Two weeks ago today, President Obama proposed a number of reforms to the NSA and FISA court in response to the Snowden leak. The reforms were largely cosmetic changes meant to give the illusion of real change, but there was one proposal that could actually do some good. He proposed the creation of an independent review board that would determine if the NSA ever overstepped its boundaries.

    ABC News reports that the Obama administration has chosen four members of the Intelligence community to head up the NSA review panel. These four members will be Michael Morell, Richard Clarke, Cass Sunstein and Peter Swire. The panel will deliver a report on the NSA in 60 days to Intelligence Director James Clapper, and then will deliver a final report and recommendations to President Obama before the end of the year.

    So, who are these people, and can they be trusted to independently review the NSA? Morell is by far the most well-known member as he served with the CIA since 1980 and was acting director in 2012. Clarke served in various counter-terrorism roles under both former Presidents George H. W. Bush and Bill Clinton. Sunstein was the former Administrator of the White House Office of Information and Regulatory Affairs under President Obama. Finally, Peter Swire is an expert in privacy law and served as an economic advisor to Obama during the beginning of his first term.

    As you can see, Swire is the only independent voice on the panel, and even he has previous ties to the administration. The other three members have close ties to the intelligence community. I don’t want to say that they will bring any pre-existing biases into the discussion, but it’s hard to believe that they won’t. The NSA already gets free rein to rule itself with very little oversight, and this oversight panel will likely not change any of that.

    Privacy advocates aren’t exactly happy about the appointees. The EFF told The Guardian that “having executive branch insiders continually placed in charge of reviewing the executive branch … is more of a fox guarding the henhouse operation.”

    Lawmakers aren’t happy either with Rep. Zoe Lofgren saying that the review panel “doesn’t give the appearance of independence that was anticipated.” She also cautioned that the review panel might not even work:

    “The apparent goal of sorting through the issues, and getting a credible report out there that was reassuring, will not be achieved. And therefore, he [Obama] is going to have to do something else.”

    Even if the public is largely pessimistic about the choices, they won’t get to see the results of the investigation until later this year or early next. Even then, the Obama administration might just give us a summary of the report claiming that the full report threatens national security. We can only hope that’s not the case.

    [Image: Wikimedia Commons]

  • Government Declassifies Court Opinion That Says NSA Violated The Fourth Amendment

    One of the big talking points from NSA proponents is how the agency’s spy programs are constitutional. That’s debatable and many in Congress feel that the agency has largely overstepped its bounds in the collection of Americans’ cellphone metadata. Even so, the FISA court that oversees these requests for data largely supports the NSA’s activities. There was one brief moment in 2011, however, when the court threw the book at the agency.

    In a recently declassified FISA court opinion from May 2011, the government revealed that the NSA was found to be in violation of the Fourth Amendment by collecting tens of thousands of “wholly domestic” emails. The agency had obtained the emails as part of its Upstream data collection program that taps into the fiber cables that bring data into and out of the U.S.

    The NSA defended itself by saying that the collection of domestic emails was an accident as it had no way to filter out domestic from foreign emails with Upstream. Still, the court was unhappy as the NSA had not disclosed its gathering of Americans’ emails until long after its capability to do so was approved.

    In his opinion, FISA judge John D. Bates said that “the government has now advised the court that the volume and nature of the information it has been collecting is fundamentally different from what the court has been led to believe.” In other words, Bates called the NSA out for misleading the court in regards to its activities.

    It was with the revelation that the NSA overstepped its bounds in email collection that the court ordered the Upstream program to be halted immediately until the agency could ensure that its collection of incidental data was within an acceptable range. In November, the court gave Upstream the go-ahead after the NSA demonstrated its new filtering software that kept the collection of Americans’ emails to a minimum.

    It’s worrisome that the NSA is still being allowed to collect emails, but it’s a little better knowing that the FISA court has at least once slapped down a spy program until it had worked in sufficient safeguards. Some, including those in Congress, may argue that it’s not enough, but we’ll leave that debate for another time.

    For now, let’s focus on the most worrisome part of the declassified court opinion. In a footnote, Bates says the collection of “wholly domestic” emails as described above was actually the third time in three years that the NSA had overstepped its bounds:

    “The Court is troubled that the government’s revelations regarding NSA’s acquisition of Internet transactions mark the third instance in less than three years in which the government has disclosed a substantial misrepresentation regarding the scope of a major collection program.

    In March, 2009, the Court concluded that its authorization of NSA’s bulk acquisition of telephone call detail records from [redacted] in the so-called “big business records” matter “ha[d] been premised on a flawed depiction of how the NSA uses [the acquired] metadata” and that “[t]his misperception by the FISC existed from the inception of its authorized collection in May 2006, buttressed by repeated inaccurate statements made in the government’s submissions, and despite a government-devised and Court mandated oversight regime.”

    Contrary to the government’s repeated assurances, NSA has been routinely running queries of the metadata using querying terms that did not meet the required standard for querying. The Court concluded that this requirement had been “so frequently and systemically violated that it can be fairly said that this critical element of the overall … regime has never functioned effectively.”

    All of this may sound familiar if you were paying attention last week when it was revealed that the NSA had violated its own privacy rules over 2,000 times in 2012. In response to that leak, Reggie B. Walton, chief judge on the FISA court, said that the court’s hands were essentially tied when it came to investigating issues of noncompliance. In other words, the FISA court has to rely on the NSA to report its own wrongdoings, and the above declassified opinion shows that the agency isn’t too keen on reporting its own violations until well after the fact.

    It’s a problem that needs to be addressed, but the president seems to think that making the NSA more transparent (i.e. declassifying two-year-old court opinions) will somehow make the agency more accountable. The government’s own piss poor attempts at transparency should make it clear that timely accountability isn’t coming anytime soon.

    [h/t: Washington Post]

  • Former Rep. Dennis Kucinich Calls For The NSA To Be Abolished

    The NSA has become quite the touchy subject in Washington these past few months after leaks from former NSA contractor Edward Snowden revealed the agency’s spy programs. The president and those who support the NSA have been on the defensive claiming that the agency doesn’t abuse its powers (it does), while those against the agency have been calling for it to be reined in. Now one former lawmaker has called for the agency to be flat out abolished.

    At the Washington D.C. premiere of “Terms and Conditions May Apply,” former Rep. Dennis Kucinich spoke briefly on how he feels about the NSA. TechDirt reports that he had some strong words for Sen. Dianne Feinstein’s favorite spy agency:

    We have the CIA, the FBI, a dozen other intelligence infrastructures. Frankly — and I’m saying this with a lifetime’s experience in government here — it’s time to punch the NSA’s ticket here. They’ve ruined the brand. They’ve destroyed the idea of privacy. We need some kind of symbolic and profound approach here, that says, ‘look, you’ve violated something that’s very dear to the American people — you don’t get to do that.’ We talk about the death penalty for individuals, which I oppose, but I think there needs to be for government agencies that so broadly betray the public interest, there needs to be a measure of responsibility. And if they go beyond the pale, which the NSA has, they just ought to be abolished. We don’t need the spying.

    You can watch the whole statement below where he also touches upon Intelligence Director James Clapper lying to Congress and what he thinks of Edward Snowden:

    So, what does Kucinich recommend the American public do about the NSA? He says that he believes in the Constitution and he believes in the vote. He says that Americans will have to vote people that respect privacy into Congress and into the presidency. He also says that people need to keep petitioning their lawmakers to stand up to the intelligence community and repeal Section 215 of the Patriot Act.

    As the former lawmaker notes, however, this is all just a pipe dream for now. The best hope anybody has right now of reining in the NSA is a few pieces of legislation making their way through Congress. The President has also suggested some reforms to the NSA and FISA court, but they were largely cosmetic.

  • Lavabit Shuts Down, Email Service Says It Won’t Be “Complicit In Crimes Against The American People”

    In early July, it was suggested that former NSA contractor Edward Snowden used Lavabit. For those unaware, it’s a small email provider based out of Texas that promises the utmost privacy through encryption. The service had a small following, but now it’s gone.

    In a post on the Lavabit home page, owner Ladar Levison said that he’s shutting down Lavabit to avoid becoming “complicit in crimes against the American people.” What exactly does that mean? He can’t say due to gag laws, but it probably means that he started to receive requests for user data from the U.S. government. Instead of handing over the keys to the feds, he has decided to shut everything down.

    Here’s the letter in full:

    My Fellow Users,

    I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on–the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

    What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me resurrect Lavabit as an American company.

    This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.

    Sincerely,
    Ladar Levison
    Owner and Operator, Lavabit LLC

    In early June, it was revealed that the NSA has access to emails and other communications from the major American tech firms. Another program revealed last month – XKeyscore – allows the agency to sift through emails using only a keyword or other variables.

    Lavabit would be an especially desirable target as the company offered encrypted email services to anybody who wanted them. Even if intercepted, it would take a lot of work to break open the encrypted emails. The federal government probably requested that Lavabit give them unfettered access to all emails being sent to and from the service.

    It’s nice to see Lavabit’s founder stick to his morals, but the circumstances surrounding its closure don’t exactly make one feel any better about other email services. Google and others have claimed that the government doesn’t have direct access to Americans’ emails and are even fighting in court to remove the gag orders to prove it. Even so, leaks from over the past few months have shown that the NSA has unprecedented access to email communications, and the closure of Lavabit only adds more evidence to the claims that the NSA, and the federal government, aren’t being forthright with the American people.

    [h/t: Reddit via crshbndct]

  • NSA Violated Its Own Privacy Rules Over 2,000 Times

    Since the NSA’s spy programs were revealed in early June, its proponents have argued that there are a number of safeguards in place to make sure the agency’s surveillance is under the utmost oversight. A recent report finds that not to be the case.

    The Washington Post reports that it has obtained an internal audit of the NSA’s surveillance program from Edward Snowden that shows the agency has violated rules or court orders. The violations aren’t much of a surprise, but the sheer number of violations definitely is. The audit found that there have been 2,776 rule violations over the past few years.

    So, what does a violation mean in terms of the NSA? A document, humorously titled, “So you got U.S. Person Information?,” points out what analysts must do when collecting information on a U.S. person through incidental data. The slide says to immediately apply “minimization procedures” and to “focus your report on the foreign end of the communication.” That’s all well and good except that the document also says that incidental data collection doesn’t constitute a violation so it “does not have to be reported.”

    What’s more worrisome about this slide is that it says the NSA can keep the incidental data stored on its servers. It has to mask the identities of the U.S. person whose data was collected, but it’s still there. The slide also notes that the analyst can obtain permission from a supervisor, not a judge, to unmask the U.S. person if the investigation requires it.

    Besides the retention of incidental data, the leaks also show that the NSA is taught to give as little data as possible when requesting surveillance permission from the FISA court. In a perfect world, the government would hand over all the details of its request so the FISA court could make an informed decision on whether or not it should grant the surveillance request. Instead, the NSA is told to not provide the court with any “extraneous information.” According to the slide, extraneous information includes “probable cause-like information (i.e. proof of your analytic judgment), how you came to your analytic conclusions, any RAGTIME information, classification marking, or selector information.”

    As TechDirt points out, these surveillance requests are meant to provide only the bare minimum information necessary to initiate surveillance while the surveillance itself can be used to scoop up all kinds of incidental data. In other words, the NSA is subject to very little oversight by its own design.

    In fact, the chief judge for the FISA court, Reggie B. Walton, told The Washington Post that their hands are essentially tied when it comes to granting surveillance orders. He said the FISA court “does not have the capacity to investigate issues of noncompliance, and in that respect the FISC is in the same position as any other court when it comes to enforcing compliance with its orders.”

    Walton’s statement is a little worrisome because it pretty much says that the court knows it’s being duped, but they can’t do anything about it. The government has stacked the cards against the FISA court system to make sure that the NSA can get away with anything. It appears that President Obama’s proposal to add a privacy proponent to the court would do very little in a system where the NSA holds the power.

  • President Obama’s Oversight Panel To Investigate NSA’s Spy Programs

    On Friday, President Obama announced four measures that he would take to inject more oversight and transparency into the NSA after Edward Snowden leaked details of the agency’s spy programs in early June. One of those measures was to create an independent oversight panel that would look into the NSA.

    The Hill reports that the president has now formally announced the creation of the oversight panel. He believes that “it is important to take stock of how these technological advances alter the environment in which we conduct our intelligence mission.” The president is undoubtedly referring to programs like PRISM and XKeyscore that allow the NSA to tap directly into the Internet and service providers to collect data pertaining to terroristic threats.

    Of course, the revelation of these programs has caused some to fear that the NSA is collecting data not just on foreign threats, but all Americans. The president insists that the NSA does not spy on American citizens, but reports from leaks, and intelligence community sources, have called that claim into question. As such, the independent White House oversight panel will investigate if the NSA’s ability to collect phone calls or Internet data has ever been abused.

    So, when will we hear from this oversight panel? The initial findings will be presented to National Intelligence Director James Clapper by November, and then they will be given to the president by the end of the year. At that time, one might expect the president to reveal the results of the investigation, but that’s not likely. Instead, he’s likely to say the report came back all clear without offering any specifics, and that we shouldn’t worry.

    That’s pretty much what the president said on Friday when he revealed his four-step process to inject more transparency into the NSA without scaling back any of the programs. After all, the NSA analysts who conduct surveillance with little to no oversight are the real patriots here, not the man whose efforts are the only reason we’re having this conversation in the first place.

  • President Obama Proposes Reforms To The NSA And FISA Court

    When the NSA’s spy programs were first revealed in early June by Edward Snowden, President Obama was one of the first in Washington to jump to the agency’s defense. He did, however, say that he would welcome a debate from privacy proponents on how to properly balance the need for security and privacy in the digital era. It’s been two months since the initial leaks, and now the President is finally ready to start that debate.

    In a press conference today at the White House, President Obama directly addressed the NSA’s spy programs that were revealed in June. He continued to defend the programs and said that he feels they have struck the right balance between protecting Americans’ security and their civil liberties. That being said, he proposed four specific reforms that he feels will bring transparency and public trust back to its spy programs.

    The President’s first proposal is that Congress work on reforms to the Patriot Act, specifically Section 215. This is the section that allows the government to collect phone records. The president reiterated that the NSA does not have the ability to listen to phone calls. He said that his idea for reform would implement greater oversight and transparency into the program. He didn’t go as far as suggesting that Congress dismantle the program, and even threatened to veto a House bill that would have done just that.

    The second proposal called for Congress to work on reforming the FISA court – the court that approves surveillance requests from the government. He addressed the criticism that the court rubber stamps all requests without hearing any other arguments. He proposes that there be somebody present in the FISA court to argue on behalf of civil liberties. The Senate is currently pushing legislation that would reform the court so here’s hoping that the President doesn’t stand in their way.

    The third proposal calls for greater transparency for the NSA and the Department of Justice. One particular reform mentioned is that he will direct the Justice Department to publish its legal rationale behind collecting phone records under section 215 of the Patriot Act. He also will establish a full-time privacy officer at the NSA, and direct the creation of a Web site that details what the NSA does and how they do it.

    The fourth and final proposal would create a group of outside experts to review the NSA and its technologies. The group would recommend ways to maintain the public’s trust in the agency and prevent abuse. He also said that the group would provide an interim report on the NSA’s programs in 60 days and then a full report at the end of the year.

    The president ended his statement by saying that the American government is not interested in spying on ordinary people domestically and abroad. He says that the government is solely focused on stopping terrorism with these programs. A recent report from Reuters calls that claim into question, but it’s nice to see the president propose greater transparency. Unfortunately, transparency only does so much, and he didn’t really propose any actual reforms to how the NSA operates as revealed by the Snowden leaks.

  • Sen. Dick Durbin Wants The NSA To Reveal The Scope Of Its Phone Surveillance Program

    In late July, Rep. Justin Amash proposed an amendment to the annual Defense spending bill that would prevent the NSA from targeting anybody not currently under an investigation. Unsurprisingly, the amendment was voted down. Now one Senator is trying the same thing in the Senate, but his attempt might be more successful.

    The Hill reports that Sen. Dick Durbin, chairman of the Senate Appropriations Defense Subcommittee, has introduced a provision into the Senate’s Defense spending bill that would require the NSA to reveal the number of phone records it collects. It would require the agency to also reveal when it started to collect phone records, how much it cost to collect said records and the kind of records it collects.

    Durbin’s provision would also require the NSA to disclose how many phone records were seen by agency officials as well as how many terrorist attacks were thwarted by the collection of these records. If you recall, the NSA’s two favorite talking points are how only a select few have access to phone records, and that their data collection has thwarted a number of terrorist attacks. Recent leaks have cast doubt on the former claim, and some senators remain skeptical about the latter.

    Echoing other lawmakers critical of the NSA, Durbin says that there’s no need for the agency to collect everybody’s phone records in the name of fighting terrorism:

    “I believe the government can obtain the information it needs to combat terrorism in a far more targeted manner, rather than casting a dragnet for information about millions of innocent Americans. In the end, Congress permitted this type of intrusion because too few demanded a balance between security and our constitutionally protected freedoms. I hope this provision will help reopen the debate.”

    So, will this provision be approved when the Defense spending bill goes up for a vote? It definitely has a better chance than the Amash amendment as Durbin is only seeking to inject some transparency into the NSA. He would have a much tougher time of it if he tried to defund the agency. He also has the support of at least 25 senators.

    Of course, we could end up with a close vote again that rids the spending bill of Durbin’s provision. In that case, we can at least see who in the Senate is pro-NSA. With that knowledge, privacy advocacy groups and citizens can better target those senators who are pro-surveillance.

  • New Leak Suggests NSA Can See Everything You Do Online

    In early June, former NSA contractor Edward Snowden revealed PRISM to the world. The secret NSA program allows the agency to collect communications from major tech companies. Various programs revealed since then have all been about streamlining that data collection. The latest leak, however, shows that the NSA has far more power than previously thought.

    The Guardian reports today that it has obtained slides that detail an NSA program called XKeyscore. The program, much like PRISM, allows the agency to collect the Internet communications of foreign and domestic targets. What makes this latest leak so worrisome, however, is that it seems to be held to even less oversight than the other surveillance programs.

    Before we get into that, let’s take a look at what XKeyscore is. According to training documents obtained by The Guardian, the NSA says XKeyscore can snoop on “nearly everything a typical user does on the Internet.” It does this through a collection of 700 servers around the world that pick up pretty much everything anybody does online. Analysts can then enter something as simple as an email address or an IP address, and be looking through everything the NSA has on that person.

    So, what kind of information can XKeyscore pick up? Through the use of plug-ins, NSA analysts can obtain the following information:

    [Slide image: New Leaks Suggest The NSA Can See Everything You Do Online]

    In the above document, you see that XKeyscore really can see everything you do online. It picks up every email address, every file, every Web site and even every online chat a target engages in during an online session. The analyst can then go through these files one by one looking for specific information. In fact, the documents show that it’s as simple as looking through emails for a subject line.

    Another tool revealed in the leak is called the DNI Presenter. It allows an analyst to read through Facebook chats or private messages using XKeyscore. All they have to do is enter the Facebook user name and a date range to see every message and chat during that time.

    The NSA can also search for people based on search terms entered into specific Web sites. The example shows how an analyst could search for anybody looking for “Musharraf” on BBC. It’s pretty obvious that it can also be used to look for those searching for specific keywords on Google, Bing or any other search engine.

    All of this data collection has led to the NSA storing billions of “call events” in its database. An NSA report from 2007 said it had stored 850 billion “call events” and 150 billion Internet records, with one to two billion more records being added each day. The NSA can’t hold all that data in one database so it separates the interesting data from the incidental data, and stores it in a separate server that can hold on to it for up to five years.

    So, what kind of oversight is this program subject to? Well, the NSA isn’t required to obtain a warrant from the FISA court to do searches of its database. In fact, the analyst can conduct searches on anybody as long as they know some identifying information.

    In its defense, the NSA told The Guardian that its “activities are focused and specifically deployed against – and only against – legitimate foreign intelligence targets in response to requirements that our leaders need for information necessary to protect our nation and its interests.” The agency also said that “allegations of widespread, unchecked analyst access to NSA collection data are simply not true. … In addition, there are multiple technical, manual and supervisory checks and balances within the system to prevent deliberate misuse from occurring.”

    That all sounds well and good, but is XKeyscore actually effective? The NSA certainly seems to think so:

    [Slide image: New Leak Suggests NSA Can See Everything You Do Online]

    Others might not be as easily convinced.

  • Senate To Grill NSA Over Surveillance Programs This Week

    It’s been almost two months since Edward Snowden revealed the existence of the NSA’s spy programs to the world. Any other issue would have been swept under the rug by now, but Congress is still pursuing changes to the agency. The House had their chance last week, and now it’s the Senate’s turn.

    The Hill reports that the Senate Judiciary Committee will be holding a hearing this week in which its members will be looking into the NSA’s spy programs. Both supporters and opponents of the agency will be present to make their case. In particular, James Cole, deputy attorney general at the Justice Department, and Jameel Jaffer, deputy legal director at the American Civil Liberties Union, will be making their case for or against the spy programs revealed last month.

    What makes this hearing especially interesting is that it’s being headed by the Judiciary Committee Chairman Patrick Leahy. He has already introduced legislation that would curtail the NSA’s ability to collect phone records, and it sounds like he’s going to use this hearing to further pursue his legislation:

    “I remain deeply concerned about the expansive use of government surveillance under [the Foreign Intelligence Surveillance Act]. The authorities under this law, and the government’s interpretation of them, must be carefully scrutinized by Congress. As I have said, just because we have the ability to collect huge amounts of data, it does not mean that we should be doing so.”

    Leahy’s comments regarding the NSA leave one hopeful, but the House’s prior performance doesn’t inspire much confidence. Last week, an amendment from Reps. Justin Amash and John Conyers that would have severely limited the NSA’s spying powers tried to piggyback on the 2014 Defense spending bill. Unfortunately, the amendment was defeated in a narrow vote.

    The narrow vote has some confident that a similar push in the Senate may yield more positive results, but you have to also remember that some of the most hardcore NSA supporters are in the Senate. This is largely the same Senate that refused to divulge details on how many Americans had been targeted by the NSA because some members said such details must be kept secret.

    Even if I’m not particularly hopeful, the Senate does also house quite a few NSA opponents. Sens. Ron Wyden, Rand Paul and others could combine their powers with Leahy to push his legislation forward. We can only hope, right?

  • House Proves Yet Again That It Cares Not For Your Privacy

    The House proved earlier this year that it doesn’t care about your privacy when it voted in favor of CISPA yet again. Now the House has cemented the fact that it cares not for your civil liberties.

    The Hill reports that the House voted 205-217 against an amendment from Rep. Justin Amash that would have stopped the NSA from collecting Americans’ phone records. The amendment was proposed as an addition to the annual Defense Department spending bill. If it had passed, it would have prevented the NSA from targeting anybody not currently under investigation.

    As expected, the Obama administration, pro-NSA members of Congress and the intelligence community would have none of it. They lobbied furiously at the beginning of the week to shoot down the amendment when it became clear that it was headed to the floor for a vote. In short, they argued that a vote for Amash’s amendment would be a vote for terrorism.

    Rep. Amash’s amendment wasn’t the only NSA-related amendment being voted on last night though. The House, in a 409-12 vote, approved an amendment from Rep. Mike Pompeo that would prevent the NSA from intentionally targeting Americans. It’s a nice gesture, but the amendment does absolutely nothing as the laws currently in place prevent the same thing. Amash’s amendment would have actually put a stop to the wholesale collection of Americans’ phone records.

    Despite the House rejecting Amash’s amendment, the vote was still an important one. It’s the first time Congress has directly voted on the NSA’s spy programs since they were leaked last month by Edward Snowden. It also sets up the next battle against the NSA brewing in both the Senate and the House as lawmakers write up legislation that would either curtail the agency’s actions or make it more transparent. With the knowledge of this vote, opponents of the NSA can now more accurately target those lawmakers who voted in favor of the spy agency.

  • License Plate Scanners: You’re Being Tracked

    These days, most people are aware that because of smartphones and surveillance cameras, very little public activity goes unrecorded. If you’re outside your home and live close to a decent-sized city, chances are good that you’re on camera somewhere, whether it’s at the ATM, in the grocery store, or even just walking down the street. But the American Civil Liberties Union says that a new camera system that has been implemented in many states is recording the information of innocent people, and most aren’t even aware it’s there.

    The cameras are mounted on patrol cars, on overpasses, and several other places in order to record passing cars and their license plates, and the information is sometimes stored indefinitely, depending on the state. Law officials say the cameras are used to track criminals and have aided in the capture of several guilty people…but what about the rest of us?

    “Trips to places of worship, political protests, or gun ranges can be powerful indicators of people’s beliefs,” writes the ACLU’s Catherine Crump. “Is it really the government’s business how often you go to the drug store or liquor store, what doctors you visit, and the identities of your friends? Should the government be logging for months, years, or indefinitely the movements of the other 99 percent of people, who are innocent? The answer to this question is no. License plate reader information can be very revealing. While one snapshot at one point might not seem sensitive, as blankets of plate readers cover our streets, and as the government stores data for longer and longer, the technology quickly morphs into a powerful tracking tool.”

    Crump says that while there are definite benefits to the camera system, the number of criminals who have been caught just isn’t enough to justify surveillance on 99% of the innocent population. And although some states delete the stored info after a matter of months, others keep it on file forever.