Aletho News

ΑΛΗΘΩΣ

Six Key Questions for the Obama Administration and Companies About Yahoo’s Cooperation With the NSA

By Neema Singh Guliani | ACLU | October 7, 2016

Since the Snowden disclosures, it has been clear that the NSA conducts unconstitutional, dragnet surveillance of Americans’ international communications. However, it now appears that the NSA is using surveillance authorities to conduct an entirely new type of surveillance: requiring major companies to conduct mass e-mail wiretaps, which involve searching the content of all incoming traffic.

If the news stories that broke earlier this week are accurate, here’s what we know:

Last year, Yahoo, in response to a classified government order, scanned hundreds of millions of mail accounts for a “set of characters” or digital “signature” of a communications method purportedly used by a state-sponsored terrorist organization. The search was apparently performed on all messages as they arrived at Yahoo’s servers. All of this was done without input from Yahoo’s security team, potentially placing users’ security at risk and ultimately prompting the resignation of the company’s chief security information officer.

It appears that a secret court, the Foreign Intelligence Surveillance Court (FISC), approved the surveillance—or at least approved the general procedures the government used to identify its targets. There are conflicting reports on what authority the government relied on.

Unfortunately, the news stories and Yahoo’s cryptic response leave more questions than answers. Yahoo’s ability to disclose information about this classified government program may be limited. But the Obama Administration owes the public far more information about this spying program, especially if it is going to fulfill its promise of increased transparency. As a start, the Obama Administration and other major tech companies should publicly answer the following questions:

1. What authority did the government rely on in compelling Yahoo to search its customers’ emails?

The million-dollar question – which remains unanswered – is what legal authority the government relied on for its demand to Yahoo. Initial reports suggested that the government may have relied on Section 702 of the Foreign Intelligence Surveillance Act (FISA), a highly controversial provision enacted as an amendment to FISA in 2008. More recently, however, news reports have stated that the government obtained what is known as a “traditional” FISA order under Title I of the statute. In either scenario, the surveillance would reflect a dramatic shift in the public understanding of how these authorities are used. Title I authorizes the government to search the communications of a particular person or entity. But, if news reports are accurate, it would mean that the government is now using this law to require that companies scan the content of all users’ incoming emails.

2. What is the program’s legal justification and has it been reviewed?

Whether the government is relying on Section 702 or Title I, it seems to have strayed far from the original congressional intent. What is the government’s legal justification for this type of surveillance? And, if the surveillance was authorized by the FISC, was the court aware that its order required Yahoo to search the emails of hundreds of millions of innocent users?

In the past, the government and FISC have engaged in legal gymnastics to justify mass surveillance. The public and Congress have the right to know if this is happening yet again. The Obama Administration should release all legal memoranda it relied on in conducting the Yahoo surveillance, and it should disclose any relevant FISC opinions regarding the surveillance. If no such FISC opinions exist then the public deserves to know, as that itself is cause for concern.

3. What types of content searches does the government believe it has the authority to conduct under Title I and Section 702, and are past statements about these authorities still accurate?

Intelligence officials have argued that surveillance programs conducted on U.S. soil are narrowly targeted because the government searches only for specific communication identifiers (like an email address) and not for keywords (like “bomb”). But the Yahoo story suggests that even this limitation may be falling to the wayside. If Yahoo conducted a broad search of its users’ incoming email for a “set of characters” or digital “signature,” that information may have been found in the content of communications. In other words, individuals may have been targeted not based on any preexisting suspicion about who they are or who they communicate with, but based solely on what they were communicating. Moreover, it is unclear whether this “signature” was used only by the target organization, or also by other wholly unaffiliated individuals. If the intelligence community is now engaging in this type of content-based surveillance, then the Obama Administration has a responsibility to set the record straight.

4. If the government relied on Section 702, did Yahoo attempt to filter out purely domestic communications?

Section 702 does not authorize the government to collect or search purely domestic communications. However, the stories contain no details about whether Yahoo made efforts to filter out purely domestic communications, and if so, how successful those efforts were. If such efforts were not made and the surveillance occurred under Section 702, then the Obama Administration should immediately disclose the number of purely domestic communications that were collected and searched under the order so that the public can fully assess the privacy implications.

5. If the government relied on Section 702, did the Privacy and Civil Liberties Board (PCLOB) know about this type of surveillance when they conducted their examination?

In 2014, the Privacy and Civil Liberties Board issued a report on Section 702. While we disagreed with many of the report’s conclusions, there is no doubt that the PCLOB declassified important information about Section 702 to facilitate a more robust debate. However, the PCLOB’s public report makes no mention of the types of demands that were purportedly received by Yahoo. If the PCLOB was unaware that this surveillance was occurring under Section 702, why were they not informed? If they knew, why was this information withheld from the public? Either way, this further calls into question the conclusions in the PCLOB report and the adequacy of existing oversight mechanisms.

6. How are other major companies interpreting their obligations under Section 702 and Title I?

Major companies like Google have issued statements saying they have never received the types of demands described in the Yahoo stories and reaffirming that they would challenge such a demand. While we applaud these companies for their statements, more information is needed to fully understand how the government is using its surveillance authorities. Specifically, we urge major technology companies to make publicly available information on how they interpret Section 702 and Title I, and to describe the types of demands that they believe clearly fall outside the statutes’ purview. In this way, companies can help to fill the information abyss left by the Yahoo story and the intelligence community’s lack of transparency.

Posted October 7, 2016 | Civil Liberties, Full Spectrum Dominance, Progressive Hypocrite

Court Chooses to Ignore Overwhelming Evidence of NSA’s Mass Internet Spying

Big Brother is watching you.

By Ashley Gorski | ACLU | October 24, 2015

A federal district court yesterday dismissed Wikimedia v. NSA, a lawsuit brought by the ACLU on behalf of a broad group of educational, legal, human rights, and media organizations whose communications are swept up by the NSA’s unprecedented Internet dragnet.

Our lawsuit concerns the NSA’s “upstream” surveillance, which involves the mass interception and searching of Americans’ international Internet communications. The court held that our clients lacked “standing” to bring suit, because they had not plausibly alleged that their communications were being monitored by the NSA. That’s just plain wrong.

The court’s opinion relies heavily on the Supreme Court’s decision in a previous ACLU lawsuit, Amnesty v. Clapper, a challenge to warrantless surveillance under the FISA Amendments Act of 2008. In February 2013, the Supreme Court dismissed that case on the grounds that the plaintiffs could not prove that they had communicated with the NSA’s targets.

But as we explained in court, our current challenge to the NSA’s warrantless spying is very different than the last one. Among other reasons, Clapper was decided prior to the Snowden revelations and extensive government disclosures about upstream surveillance. These revelations fundamentally changed the equation. Since Clapper, the public has learned that the NSA is not surveilling only its targets — it is instead surveilling virtually everyone, looking for information about those targets.

Some early takeaways from the district court’s opinion:

1. The court misunderstands how upstream surveillance is fundamentally different from and much more intrusive than the surveillance considered by the Supreme Court in Clapper.

Upstream surveillance is accomplished through the installation of devices directly on the Internet “backbone” — the network of high-capacity cables, switches, and routers across which Internet traffic travels. One particularly disturbing feature of upstream spying is known as “about” surveillance. Through this surveillance, the NSA is not simply plucking the communications to or from terrorists, spies, or other targets. Instead, it’s copying and searching through the contents of nearly everyone’s international communications, looking for information about its many targets. When the Supreme Court considered warrantless surveillance in Clapper, it was focused on whether the plaintiffs communicated with targets. At that time, the public had no idea that the NSA was essentially opening everyone’s international emails. Indeed, contrary to the district court’s understanding, “about” surveillance is in no way targeted:

[Excerpt from the PCLOB Report]

2. The court ignores how Internet communications are structured — and why that requires the government to intercept at least some of our clients’ trillion-plus international communications.

Collectively, our clients engage in more than one trillion international Internet communications each year, with individuals in virtually every country on Earth. As we explained in our complaint, given the structure of the Internet, it is virtually impossible for the NSA to conduct upstream surveillance without intercepting at least some of plaintiffs’ communications. Yet the court dismissed these allegations, characterizing them as having “no basis in fact.”

[Excerpt from the complaint]

3. Given how much is in the public record about upstream surveillance, our clients’ allegations are not “speculative” or “hypothetical.”

As the court acknowledged, at this early stage of the litigation, plaintiffs have to satisfy only a very low threshold: plausibility. Especially considering what’s publicly known about how upstream surveillance works, and the volume and distribution of our clients’ communications, their allegations are more than plausible.

4. The court’s opinion would insulate government surveillance from any legal challenge, except in cases where the government has already admitted its reliance on a particular program.

Although the court recognized that “no government surveillance program should be immunized from judicial scrutiny,” its analysis would do precisely that in the overwhelming majority of cases. If the court’s reasoning were correct, then the only people who could challenge NSA surveillance would be those told by the government they were spied on — a result at odds with well-established precedent and our system of checks and balances:

[Excerpt on upstream surveillance]

Our clients’ standing doesn’t depend on a supposition. There’s no question that the NSA is capturing and searching through their communications. That’s something the court — and everyone else — should find extremely disconcerting.

Posted October 24, 2015 | Civil Liberties, Full Spectrum Dominance

‘No customer oversight’: Dreaded cybersecurity bill CISA is back

RT | October 21, 2015

After a delay, cybersecurity legislation dreaded by privacy advocates and relentlessly pursued by national security officials, known as CISA, will get a vote on the Senate floor “in a couple of days,” a top sponsoring senator anticipates.

The Cybersecurity Information Sharing Act of 2015, also known as CISA, is as polarizing as it is close to a vote. It finally hit the Senate floor for debate on Tuesday, with top sponsor Senator Richard Burr (R-North Carolina) highlighting its necessity because “actors around the world continue to attack US systems, and in many cases penetrate it.”

Under the bill, private companies would have increased liability protection with respect to collecting Americans’ personal data that could potentially be related to security threats. It would also make it easier for them to share such data with the government, including departments like the National Security Agency.

Prominent CISA opponent and privacy advocate, Senator Ron Wyden (D-Oregon), challenged Burr, who chairs the Select Committee on Intelligence, on one argument in particular.

“He said that the most important feature of the legislation is that it’s voluntary. The fact is, it is voluntary for companies. It will be mandatory for their customers,” Wyden said, “and the fact is the companies can participate without the knowledge and consent of their customers, and they are immune from customer oversight and lawsuits if they do so.”

In many cases, customers have been able to nudge companies from a pro to a con position on CISA. In one instance last month, the Business Software Alliance (BSA) sent a letter to legislators, in part calling for “cyber threat information sharing legislation” granting them immunity so that they could “more easily share that information voluntarily.” However, after Fight for the Future, an internet freedom advocacy group, set up YouBetrayedUs.org to criticize the organizations, the BSA changed its tune.

The BSA, which includes Apple, IBM, and Microsoft, now opposes CISA, as does the Computer and Communications Industry Association, which includes Google, Facebook, and Amazon. Reddit, Wikimedia, Twitter, and Yelp have also released anti-CISA statements.

“Leading security experts argue that CISA actually won’t do much, if anything, to prevent future large-scale data breaches such as the federal government has already suffered, but many worry it could make things worse, by creating incentives for private companies and the government to widely share huge amounts of Americans’ personally identifiable information that will itself then be vulnerable to sophisticated hacking attacks,” added the American Library Association in a press release.

The discussion on CISA comes after a stall in the Senate’s schedule before its August recess. Lawmakers agreed to delay a vote on the bill when it became clear that senators had many amendments to submit, some of which included so-called “riders,” or unrelated issues, such as Senator Rand Paul’s (R-Kentucky) amendments to audit the Federal Reserve and defund “sanctuary cities.” At least 22 amendments will be given a chance to be added to CISA before a final passage vote.

Burr optimistically told The Hill that “a couple of days” was all that was needed to get to a final vote on CISA. He may have overshot, however, because there could be a scrimmage over amendments despite his efforts. Burr, with support of other Senate leaders, has managed to combine eight amendments into a legislative package he shares with CISA co-sponsor Senator Dianne Feinstein (D-California), but the grouping includes only one of Wyden’s two amendments.

Wyden told reporters that the one he feels “most strongly about” hadn’t been included. It would have provided a review system for deleting private info before data gets passed on to the government. The Wyden amendment that was included in the bill only requires that people be notified when their data is inappropriately shared.

Although no vote has been scheduled yet, Senate Majority Leader Mitch McConnell (R-Kentucky) is trying to end debate by Thursday. Beyond CISA, the Senate has an ambitious to-do list. It will decide whether to extend government spending beyond September 30, address the Iran nuclear deal, and fund highways and transportation systems in a comprehensive bill.

Posted October 22, 2015 | Civil Liberties, Full Spectrum Dominance

A Surveillance Bill by Any Other Name Smells Just As Foul

By Nathaniel J. Turner | ACLU | July 28, 2015

An impressive coalition has formed to oppose a new surveillance bill masquerading as cybersecurity legislation.

Privacy and civil liberties organizations, free market groups, and others from across the political spectrum are joining this week in a common chorus call: Stop CISA.

Proponents of CISA — the Cybersecurity Information Sharing Act — claim the Senate bill would help prevent cyber-crimes by improving information sharing between the government and the private sector. But in reality, CISA only succeeds in expanding government surveillance and weakening privacy while making Americans less secure online. The bill as drafted would have done nothing to stop the high-profile breaches at Sony, Anthem, and, most recently, the Office of Personnel Management, which holds terabytes of sensitive information about millions of government employees.

For several years, certain elements of the business community and national security hawks in Congress have pressed for legislation like CISA. In April, the House passed a package of similar cybersecurity information sharing bills, which were opposed by the ACLU and a bevy of other privacy and civil liberties groups, but were in some ways dramatically better than the bill now pending in the Senate.

CISA’s vague language and expansive definitions will give the government new ways to collect and use the personal information and communications of innocent Americans, all without a warrant or any review by an independent court or overseer. CISA would allow companies to share information with the government relating to a “cybersecurity threat,” a term defined so broadly in the bill that it could include huge swaths of emails and text messages.  The handover of user information under CISA would be permitted even if otherwise prohibited by existing data privacy laws, like the Electronic Communications Privacy Act. The law would also give companies broad legal protections even if they improperly share consumer data.

And, perhaps unsurprisingly, the information shared by companies would automatically be forwarded to numerous intelligence, military, and law enforcement agencies, including the NSA and FBI.

Once in the government’s hands, CISA allows for the shared information to be used in garden-variety law enforcement cases that have nothing to do with cybersecurity. For example, the government could use private emails and messages received from communications providers like Comcast, Facebook, Google, or Verizon to investigate and prosecute whistleblowers who report serious misconduct to the press. That’s a serious concern given that the Obama administration has already prosecuted more national security whistleblowers than all other administrations combined.

As an added bonus for government snoopers, CISA also includes a new exemption to the Freedom of Information Act, which will make it harder for groups like the ACLU to obtain documents from the government to determine how it is using — or misusing — the shared information.  That means, for example, that it could be nearly impossible for us to find out how much private information is flowing from companies to the government or how the government is using it.

And despite CISA’s promise to open the floodgates for private information to flow to the government without any privacy protections, it fails at actually delivering better cybersecurity. As we learned with the hack at the OPM, the government is not a reliable guarantor of data security. Hackers were able to access the personal information of millions of Americans — including Social Security numbers, birthdates, and records about citizens’ finances, health, associations, and even sexual orientation—that applicants for security clearances must disclose to the government. All that additional information would make the government an even more desirable target for cybersnoops and cybercrooks.

CISA is more than just a bad solution to a serious problem. It would actually make cybersecurity worse while compromising basic democratic protections for personal privacy. The Senate must reject this surveillance bill. But if it decides to send this travesty to the president, he should veto the bill, consistent with his past threats against similarly atrocious bills.

Do your part to Stop CISA.

Posted July 28, 2015 | Civil Liberties, Full Spectrum Dominance

Surveillance watchdog calls for ‘democratic control’ of spies

RT | July 14, 2015

Civil liberties NGO Privacy International (PI) has criticized a report on state surveillance, calling for improved regulatory oversight rather than self-reporting by spy agencies.

The civil liberties NGO was commenting on a Royal United Services Institute (RUSI) report published on Monday.

Titled ‘A Democratic License to Operate’, the study was conducted by the foreign policy think-tank as part of Britain’s Independent Surveillance Review.

PI agreed with some of RUSI’s findings but insisted that government-backed mass surveillance remains a deep concern.

“The RUSI report, from start to end, emphasizes how technological change has rendered the current legal system governing surveillance obsolete,” PI deputy director Eric King told RT on Tuesday.

“Every day, the highly technical GCHQ finds new ways to eavesdrop, while our oversight tries to cope with technical blind spots,” he added.

Privacy International warned that the current system relies on GCHQ to self-report errors. It called for a “better resourced, more technically equipped oversight body” with the power to take “GCHQ to task.”

It also called for “root and branch reform” to bring snoops and the agencies they work for “under democratic control.”

This surveillance versus privacy rights debate has long infiltrated British politics, as campaigners continue to criticize government spy base GCHQ’s invasive snooping practices.

Despite contentious leaks by ex-NSA computer analyst and whistleblower Edward Snowden, RUSI’s report said there is “no evidence that the British government knowingly acts illegally in intercepting private communications.”

It argued further that there is no proof that the British state’s ability to collect data in bulk is used by snoops as a perpetual window into the private lives of UK residents.

RUSI’s study makes a series of recommendations on how state surveillance should be conducted in the future, saying that the current legal framework for intercepting communications is unclear.

The think tank adds this legal framework “has not kept pace with developments in communications technology, and does not serve either the government or members of the public satisfactorily.”

The think tank is calling for “a new, comprehensive and clearer legal framework” to regulate state surveillance.

At a confidential intelligence conference held at Ditchley Park in Oxfordshire in June, the views of a number of high-ranking intelligence officials came to light.

Investigative journalist Duncan Campbell, who attended the conference, posted on his website, “Perhaps to many participants’ surprise, there was general agreement across broad divides of opinion that Snowden – love him or hate him – had changed the landscape.”

According to Campbell, a number of senior officials felt that a shift “towards transparency, or at least ‘translucency’” was long overdue and utterly necessary.

Posted July 14, 2015 | Civil Liberties, Full Spectrum Dominance

UK trade unionists, blacklisted activists demand police spying inquiry

RT | June 30, 2015

Trade unionists are demanding a full inquiry into ‘very troubling allegations’ of police spying on activists and blacklisted workers.

Home Secretary Theresa May has already set up an inquiry headed by Lord Justice Pitchford into allegations of police surveillance operations against activists, but its full remit is not yet known.

The inquiry has come about in response to allegations by police whistleblower Peter Francis, formerly of the Special Demonstration Squad, that during his four years working as an infiltrator of political groups he spied on members of five unions, including the Fire Brigades Union (FBU).

“Trade unions are the largest democratic, mass-membership organizations in the UK,” FBU General Secretary Matt Wrack told the Guardian.

“Trade unionists have legitimate concerns about police operations that may have undermined our decisions, interfered with industrial relations and led to the victimization of our elected officials.”

Wrack said an inquiry into allegations of police spying on causes such as environmentalism, the Stephen Lawrence murder case and trade unionism was “long overdue.”

Another group affected are those blacklisted by employers. Blacklist Support Group (BSG) secretary Dave Smith made an official submission to Pitchford last week regarding allegations of “collusion” between police and businesses.

“Trade unions are a perfectly legal part of civil society,” he told the Guardian.

“Why are we being infiltrated by undercover police units and why is the state sharing intelligence with big business?

“It is only because we were prepared to kick up a stink that the evidence about police collusion has slowly come to light.”

In March it was reported police spying had also been extended to Labour MPs. Francis revealed 10 Labour MPs were tailed and spied upon by British police. Those affected demanded the release of secret files kept on them.

The surveillance was carried out as recently as the 1990s when the politicians had been democratically elected to parliament.

Among the MPs targeted were prominent left-wingers and serving ministers Jeremy Corbyn, Diane Abbott and Dennis Skinner. The late Tony Benn, a lifelong socialist and anti-war campaigner, was also tailed by British police.

The highest-ranking MP to have been surveilled was Labour’s deputy leader Harriet Harman. Speaking to Penning, she said: “I would like you to assure me that you, the government, will let me see a full copy of my file.

“I was campaigning for the rights of women, for the rights of workers and the right to demonstrate — none of that was against the law, none of that was undermining our democracy.”

Posted June 30, 2015 | Civil Liberties, Corruption, Full Spectrum Dominance

New rule could prevent website owners from protecting their identity

RT | June 25, 2015

A new rule over domain registration would prevent people from using a third party to sign up for a commercial website. People often use proxies to protect their contact information from the public, particularly when their work is controversial.

Under the new rules, people registering websites for non-personal purposes would have to disclose their name, address and phone number, all of which could be easily searchable by anyone. The plan has privacy advocates like the Electronic Frontier Foundation (EFF) opposed to the idea and alarmed that website owners could “suffer a higher risk of harassment, intimidation and identity theft.”

“The ability to speak anonymously protects people with unpopular or marginalized opinions, allowing them to speak and be heard without fear of harm. It also protects whistleblowers who expose crime, waste, and corruption,” wrote EFF in a statement.

At first blush, the change would seem to only affect commercial website registration. But a personally created website that offers a community benefit, but also features ads to help defray the costs of running the site, could be judged as commercial, and has been in past domain name disputes.

It is not clear yet if the organization that oversees the bureaucratic process of naming online domains, the International Corporation for Assigned Names and Numbers (ICANN), will include the broader definition of commercial in the new rules.

ICANN has put up the rules for public comment until July 7. To date, thousands of people have logged comments.

One individual named Brad urged ICANN to “respect internet users’ rights to privacy and due process … Private information should be kept private.”

Another, Sarah Brown, told ICANN that her websites allow her to earn a living full-time online, but she has been stalked, harassed, and had content from her site stolen. She uses a third-party proxy to prevent people from finding her sites, her home address and phone number.

“I implore you to think through the consequences of removing our private WHOIS information. It serves as a buffer to protect us from the crazy people in this world,” wrote Brown. “We are living in unsafe times, where jealousy and greed overtake compassion and ethics. We are real people, with real lives, who can end up in real danger with our information in the wrong hands.”

ICANN said the rule change is being driven by discussions with law enforcement. EFF said it is also being driven by US entertainment companies and others who want new tools to discover the identities of website owners and then accuse them of copyright and trademark infringement, without a court order. US entertainment companies told Congress in March that privacy for domain registration should be allowed only in “limited circumstances”.

Posted June 25, 2015 | Full Spectrum Dominance

The House Just Passed a Major Expansion of Government Surveillance in the Guise of Cybersecurity

By Gabe Rottman | ACLU | April 23, 2015

And it must be stopped in the Senate.

In what can only be described as a travesty for responsible, transparent lawmaking, the House of Representatives just passed a Frankenstein monster of a “cybersecurity information sharing” bill that will massively expand government surveillance authorities if it’s not defeated in the Senate.

And, to rub salt in the wound, House leadership used arcane procedural tricks to block privacy-protective amendments and to privilege the version of the bill preferred by the House intelligence committee, which is more privacy invasive than the version passed by the Committee on Homeland Security. *

The bill that passed would, if adopted by the Senate, create a new and secretive cybersecurity spy agency, broadly authorize the sharing of personal information with the NSA, and allow its use in ways that look a lot like the surveillance programs revealed over the past two years.

The House’s draft will now go to the Senate, which has an even worse bill waiting in the wings. Just as the privacy and civil liberties community is engaged in a battle to reform the Patriot Act or allow it to expire, we are being forced to simultaneously jump start our efforts against a major new surveillance offensive—these so-called “cybersecurity” bills that will do little to better protect our computers, but will give the government vast new authority to spy on us without any reason to think we’ve done anything wrong.

Now, calling these bills “surveillance” authorities is a serious charge. To understand why it’s warranted takes a bit of explanation.

First, it’s important to understand what we mean by “information sharing.” Right now, private companies have broad authority to share cyber threat information both among themselves and with the government. They also have the authority to monitor their own computers for hacking or data theft. There are, however, important privacy protections in existing laws like the Electronic Communications Privacy Act (“ECPA”) that limit the sharing of sensitive, personally identifiable information absent an exception, of which there are several.

The House bill cuts through all of those existing privacy protections. It says “notwithstanding any law,” companies can share “cyber” information among themselves and with the government, and be virtually immune from lawsuit or criminal exposure in doing so. In other words, “information sharing” is a bit of a misnomer; it’s more accurate to call it a sweeping new exception to all existing privacy laws.

The House bill does require a company to review and remove anything that it reasonably believes at the time of sharing to be personal and not directly related to the cyber threat. But that’s weaker protection than it sounds because it doesn’t restrict sharing to only the information necessary to address the cyber threat. In other words, as long as the company has an argument that the information is plausibly “directly” related to the threat, it can share with impunity, even if there’s no reason for the government to have it.

But, the “surveillance” piece of the bill really happens at the next step: what the government can do with personal information shared by companies once it’s disseminated. The House Intelligence bill will require that, once all the information not stripped is shared with the government, it all flows automatically to the military, including the NSA and the Office of the Director of National Intelligence (which then can/will share with the CIA, presumably).

Once there, the information can be used for purposes far removed from cybersecurity. The House Intelligence bill would permit federal, state, and local law enforcement agencies to use the information for a wide array of non-cybercrimes, including violations of the Espionage Act, which has been deployed by the Obama administration to aggressively prosecute national security whistleblowers and investigate reporters like James Risen, who was almost forced to disclose his source for a story in which the CIA screwed up and gave Iran information that could lead to a nuclear weapon.

Our colleagues at the Open Technology Institute, the Center for Democracy and Technology, and the Electronic Frontier Foundation have exhaustively catalogued the serious civil liberties, privacy, and open government issues with the House bills that were voted on today. We’ve also signed a letter with transparency and media law groups in strong opposition to the House intelligence bill for, among other things, allowing use in Espionage Act cases.

Now the fight turns to the Senate. And, unless the privacy and civil liberties communities really go all out, things are bleak. This is, after all, where Majority Leader Mitch McConnell (R-KY), despite the two-year drumbeat of revelations of mass surveillance of individuals suspected of no wrongdoing, has introduced a bill to reauthorize the Patriot Act, without any privacy protections, until 2020. Unless the community hits the bricks—as we did over CISPA in 2013—we will lose.

There’s lots we can and should be doing to improve cybersecurity, including encouraging the use of encryption, facilitating information sharing among private sector entities, and safeguarding critical infrastructure. What we shouldn’t be doing, however, is passing a bill that gives even more personal information on innocent individuals to the NSA and allowing that information to be mined for purposes unrelated to protecting against hackers. That’s exactly what these bills do, and it’s entirely fair to call them what they are: new surveillance powers.


* There’s a bit of legislative arcana to unpack here. Today, the House passed the version of the bill proposed by the House Committee on Homeland Security. Yesterday, it passed the House Intelligence Committee draft, which is worse for privacy. Next comes “engrossment,” where the House clerk finalizes the draft that goes over for Senate consideration by mashing the two bills together without change to any of the substantive provisions. This means that, for instance, the broader use authorizations in the House Intelligence Committee bill will co-exist alongside the narrower authorizations in the Homeland Security bill.

Practically, and especially if the Senate passes a bill that looks more like the House intelligence committee bill, this gives the House intelligence committee bill a significant advantage in whatever process the two chambers decide on to reconcile differences between their respective bills. In other words, even though the House passed two competing bills, the House intelligence committee bill is more likely to survive intact in negotiations with the Senate. Most of the more privacy protective provisions in the other bill are likely to drop off.

This is particularly concerning given that the Homeland Security bill passed with broader support than the House intelligence committee bill (307 to 116 versus 355 to 63). While we oppose both bills, the fact that the House intelligence committee bill has effectively become the base bill to reconcile with the Senate is, indeed, salt in the wound.

April 23, 2015 Posted by | Civil Liberties, Corruption, Deception

Florida Laws Target Online Video Anonymity: State-Based Site Blocking?

By Sherwin Siy | Public Knowledge | March 24, 2015

As EFF has noted, a troubling bill has been making its way through the Florida state legislature. The bill, with versions in both the state House and Senate, would require anyone “dealing in…the electronic dissemination of commercial recordings or audiovisual works” to post their “true and correct name, physical address, and email or telephone number” on their site.

The bill defines “commercial recording or audiovisual work” broadly—it’s basically any video meant to be seen by the public (whether for profit or not). The only things it really excludes are short clips of existing works or completely private videos. So it encompasses both a posting of my own complete home lip-synch video as well as my posting of a movie trailer or campaign ad.

Apparently, the plan is to make sure that no one can post online video that’s viewable in Florida without the world knowing just where to find you. The privacy and free speech implications of this are staggering—making it illegal to post anonymous video would chill a massive amount of valuable speech.

But what’s the purpose of this bill? Surely the state of Florida isn’t just interested in removing online anonymity, and specifically for video, is it? Is this an attempt like those in Idaho and Utah to prevent the spread of films showing animal abuse? An attempt, like the one in Texas, to go after people posting videos of police activity?

Maybe not, although the bill, on its face, would seem to cover all those cases and strip anonymity from the people posting such videos. But a closer look at the bill indicates something else at work. Failing to put your name on your site doesn’t seem to give the government the right to arrest or sue you; it gives the right to sue to the private party who “owns” or “licenses” the video. In other words, copyright holders and their business partners.

The para-copyright nature of the bill becomes clearer when looking at the staff legislative analysis of the bill, which specifically discusses copyright law, including federal preemption, the DMCA, and its enforcement. Despite it being classified as a “consumer protection” bill, it doesn’t discuss harms to consumers from anonymous videos.

So the Florida bills seem to represent another attempt to target alleged copyright infringers (note that a suit can be brought against someone merely “likely to” share a video) outside of the scope of federal law. And although the bill says that intermediaries like hosts and ISPs can’t be held liable for someone’s video-sharing under this new law, nothing in it says that they won’t be enjoined for the actual video-sharer’s actions. Given the long and growing trend of rightsholders seeking to enjoin non-liable parties in courts, it’s hard not to see this as moving in the same direction.

With a very similar law passed last year in Tennessee, the proposed Florida law seems to be part of a multi-state effort to find new ways of targeting intermediaries in an attempt to work around SOPA’s defeat. The fact that the state law tries to avoid being directly about copyright just means that other forms of speech get targeted, too. What happens when someone depicted in an unflattering campaign video starts claiming that they’re an “owner” via rights of publicity?

In other words, speech and privacy—fundamental values of our society—are merely collateral damage in the pursuit of site blocking—one particularly problematic technique only loosely connected to the values it is supposed to protect.

March 25, 2015 Posted by | Civil Liberties, Full Spectrum Dominance

Five Important Questions About DEA’s Vehicle Surveillance Program

By Rachel Levinson-Waldman | Just Security | January 30, 2015

With each week, we seem to learn about a new government location tracking program. This time, it’s the expanded use of license plate readers. According to the Wall Street Journal, relying on interviews with officials and documents obtained by the ACLU through a FOIA request, the Drug Enforcement Administration has been collecting hundreds of millions of records about cars traveling on U.S. roads. The uses for the data sound compelling: combating drug and weapons trafficking and finding suspects in serious crimes. But as usual, the devil is in the details, and plenty of important questions remain about those details.

First, who approved the program, and under what circumstances? We don’t know. The DEA is an arm of the Department of Justice, so presumably the Attorney General’s office has been involved, but details aren’t yet available. Also unknown is whether there has been any judicial oversight.

Second, are there any limitations on how the data can be used? This is also unknown. The emails obtained by the ACLU indicate that the main purpose of the program was to assist in seizures of cars, money, and other assets, often from people not charged with any crime, a program that has come under withering criticism. But the history of data collection programs is that information collected for one purpose quickly becomes attractive for other purposes. And the more information available (even for proper purposes), the more is available for misuse as well. Indeed, license plate information has been abused in the past, with peaceful protestors’ data shared with the FBI.

Third, how long can it be kept? The article reports that the DEA holds the data for three months, a significant drop from its previous two-year retention period. Much of this data is coming from readers set up by state and local law enforcement, though, and the retention periods for those jurisdictions are an inconsistent patchwork, with deletion times ranging from immediate (Ohio state patrol) to 90 days (Boston) to two years (Los Angeles County) to five years (New York City) to never (New York State Police). This is especially alarming given that a vanishingly small percentage of the millions of license plates scanned are actually connected to any crime or wrongdoing. At the same time, data collected by DEA reportedly goes back to state and local jurisdictions as well, setting up an endless loop of information with inadequate oversight. 

Fourth, where else does the data go? Some of it is sent to fusion centers, which are state- or regional-based hubs that centralize information for sharing among the federal government, states, and private partners. Originally established in the wake of 9/11, fusion centers have largely abandoned their focus on terrorism for want of credible threats; they have instead transformed into an “all threats” model. In the process, they have been roundly criticized for wasting money, contributing little to counterterrorism efforts, and endangering both civil liberties and Privacy Act protections. Maryland and Vermont are known to feed their plate data to fusion centers, and the numbers are likely higher, given fusion centers’ voracity for data.

Finally, which other federal agencies are using license plate readers? We know that the Department of Homeland Security is using them as part of their border enforcement. As of early 2009, nearly 100% of cars crossing the border were scanned with a license plate reader. And both DEA and DHS license plate readers can be coupled with cameras that provide pictures of the occupants of vehicles being scanned.

Of course, the DEA database is only the latest in a string of disclosures that, taken together, reveal a web of powerful surveillance capabilities. Late last year, the Wall Street Journal revealed that the U.S. Marshals Service is using a secretive technology that sweeps up information about thousands of innocent Americans’ cell phones in the process of searching for suspects. As with the license plate reader scheme, little is known about the specifics of this program.

And just last week, USA Today revealed that at least 50 law enforcement agencies, including the FBI and the U.S. Marshals Service, have obtained radar devices that allow them to detect any human movements inside a house, even motion as minimal as breathing, from more than 50 feet away. In at least one case, the device was used without a warrant to case a home for the presence of a suspected parolee.

Senators Chuck Grassley (R-Iowa) and Patrick Leahy (D-Vt.) have already expressed concern about this technology, and it’s hard to see how its use without a warrant passes constitutional muster. As the Tenth Circuit observed in a recently published case weighing the use of the radar technology, the Supreme Court has already disapproved of the use of a thermal imaging device to capture details of life within a home. Perhaps even more salient, the Court earlier established that tracking technology (known as a beeper) cannot be used without a warrant to confirm a person’s presence inside a private home, if obtaining that information would otherwise require entry into the home. It’s a little mystifying that using a high-powered radar for the same purpose would be kosher.

Taken together, these stories suggest a zone of privacy that is narrowing so much as to be almost imperceptible. Separate from the question of how these technologies are actually being used, the breadth of surveillance capabilities they provide is staggering. You can be tracked on the streets; in your home; on your phone; and almost anywhere else. We seem to forever be caught in a kind of vicious cycle: it’s too early to criticize or critique technologies when they’ve just been introduced and there’s no record of misuse, but once they’ve been in place for even a year or two, they take on an air of inevitability. …

Rachel Levinson-Waldman serves as Counsel to the Brennan Center’s Liberty and National Security Program, which seeks to advance effective national security policies that respect constitutional values and the rule of law.

February 2, 2015 Posted by | Civil Liberties, Full Spectrum Dominance

Intelligence agencies have direct access to telecoms infrastructure, Vodafone reveals

RT | June 6, 2014

Government intelligence agencies have direct access to telecommunication companies’ infrastructure, which allows them to spy on and record phone calls while leaving no paper trail, the UK’s largest mobile phone company Vodafone has revealed.

The British operator said wires have been attached to its phone networks in some of the 29 countries in which it operates in Europe, as well as around the world, the Guardian reported. Governments similarly connect to other telecom groups, reportedly allowing them to listen to or record live conversations. In some cases, the surveillance agencies can also track the whereabouts of a customer.

“For governments to access phone calls at the flick of a switch is unprecedented and terrifying,” Liberty director Shami Chakrabarti told the Guardian. “Snowden revealed the internet was already treated as fair game. Bluster that all is well is wearing pretty thin – our analogue laws need a digital overhaul.”

But now Vodafone is pushing back against government surveillance through direct access to the pipes. On Friday, it will publish its first Law Enforcement Disclosure Report about how governments spy on people through the company’s infrastructure.

“These pipes exist, the direct access model exists,” the telecom giant’s group privacy officer, Stephen Deadman told the Guardian. “We are making a call to end direct access as a means of government agencies obtaining people’s communication data. Without an official warrant, there is no external visibility. If we receive a demand we can push back against the agency. The fact that a government has to issue a piece of paper is an important constraint on how powers are used.”

“We need to debate how we are balancing the needs of law enforcement with the fundamental rights and freedoms of the citizens,” Deadman said.

The problem with many of the laws on the books that governments use to receive the warrants is that “most of the legislation on privacy and surveillance predates the internet and needs to be updated,” the Guardian wrote, citing the report’s introduction.

Agencies do not have to identify the targeted customers to the telecom companies in any way, and the direct-access systems do not require warrants.

“These are the nightmare scenarios that we were imagining,” Gus Hosein, executive director of Privacy International, which has brought legal action against the British government over mass surveillance, told the Guardian.

“I never thought the telcos [telecommunications companies] would be so complicit,” he said. “It’s a brave step by Vodafone and hopefully the other telcos will become more brave with disclosure, but what we need is for them to be braver about fighting back against the illegal requests and the laws themselves.”

In its report, the company asks for the direct-access pipes to be disconnected, for countries to outlaw the practice and for governments to “discourage agencies and authorities from seeking direct access to an operator’s communications infrastructure without a lawful mandate.”

Vodafone began working on the report last autumn, in the wake of the first Snowden leaks about government spying. It insists that its comprehensive survey of government warrant applications is not because of consumer backlash, the Guardian reported, though analysts contend that losing customers’ trust could cost the company tens of millions of pounds.

But Vodafone isn’t opening up about everything. One of the first of the Snowden revelations last June was about Project Tempora, which allows the Government Communications Headquarters (GCHQ) spy agency to intercept and store for 30 days huge volumes of data, like emails, social network posts, phone calls and much more, culled from international fiber-optic cables. On the one-year anniversary of the first Snowden leak, the location of secret GCHQ bases in Oman tapping into underwater cables was revealed. The Vodafone report makes no mention of revelations about its participation in secret GCHQ operations.

June 6, 2014 Posted by | Civil Liberties, Corruption, Deception, Full Spectrum Dominance

U.S. Marshals Seize Local Cops’ Cell Phone Tracking Files in Extraordinary Attempt to Keep Information From Public

By Nathan Freed Wessler | ACLU | June 3, 2014

A run-of-the-mill public records request about cell phone surveillance submitted to a local police department in Florida has unearthed blatant violations of open government laws, including an incredible seizure of state records by the U.S. Marshals Service, which is part of the Justice Department. Today the ACLU and the ACLU of Florida filed an emergency motion in state court to preserve the public’s right of access to government records.

Over the past several months, the ACLU has filed dozens of public records requests with Florida law enforcement agencies seeking information about their use of controversial cell phone tracking devices known as “stingrays.” (The devices are also known as “cell site simulators” or “IMSI catchers.”) Stingrays track phones by mimicking service providers’ cell towers and sending out powerful signals that trick nearby phones — including phones of countless bystanders — into sending their locations and identifying information.

The Florida agencies’ responses to our requests have varied widely, with some stonewalling and others releasing records. The most recent request went to the Sarasota Police Department, and the fallout from that request has raised red flag after red flag.

RED FLAG #1: The Sarasota Police initially told us that they had responsive records, including applications filed by and orders issued to a local detective under the state “trap and trace” statute that he had relied on for authorization to conduct stingray surveillance. That raised the first red flag, since trap and trace orders are typically used to gather limited information about the phone numbers of incoming calls, not to track cell phones inside private spaces or conduct dragnet surveillance. And, such orders require a very low legal standard. As one federal magistrate judge has held, police should be permitted to use stingrays only after obtaining a probable cause warrant, if at all.

RED FLAG #2: The Sarasota Police set up an appointment for us to inspect the applications and orders, as required by Florida law. But a few hours before that appointment, an assistant city attorney sent an email cancelling the meeting on the basis that the U.S. Marshals Service was claiming the records as their own and instructing the local cops not to release them. Their explanation: the Marshals Service had deputized the local officer, and therefore the records were actually the property of the federal government.

We emphatically disagree, since the Sarasota detective created the applications, brought them to court, and retained the applications and orders in his files. Merely giving him a second title (“Special Deputy U.S. Marshal”) does not change these facts. But regardless, once the Sarasota Police Department received our records request, state law required them to hold onto the records for at least 30 days, to give us an opportunity to go to court and seek an order for release of the documents.

Instead of complying with that clear legal obligation, the local police allowed the records to disappear by letting the U.S. Marshals drive down from their office in Tampa, seize the physical files, and move them to an unknown location. We’ve seen our fair share of federal government attempts to keep records about stingrays secret, but we’ve never seen an actual physical raid on state records in order to conceal them from public view.

RED FLAG #3: Realizing we weren’t going to get hold of the Sarasota Police Department’s copies of the applications and orders anytime soon, we asked the county court if we could obtain copies from its files. Incredibly, the court said it had no copies. The court doesn’t even have docket entries indicating that applications were filed or orders issued. Apparently, the local detective came to court with a single paper copy of the application and proposed order, and then walked out with the same papers once signed by a judge.

Court rules — and the First Amendment — require judges to retain copies of judicial records and to make them available to the public, but the court (and the detective) completely flouted those requirements here.

The ACLU’s emergency motion seeks a temporary injunction preventing the Sarasota Police Department from transferring any more files to the U.S. Marshals, as well as a determination that the police violated state law by sending the stingray applications and orders to the Marshals Service in the first place and an order requiring the police to produce the records.

When the government obtains court authorization to use invasive surveillance equipment, the public should not be kept in the dark. We have open records laws for a reason, but they mean nothing if the government can violate their clear commands at its whim.

June 4, 2014 Posted by | Civil Liberties, Deception, Full Spectrum Dominance, Progressive Hypocrite