Yahoo Inc’s secret scanning of customer emails at the behest of a U.S. spy agency is part of a growing push by officials to loosen constitutional protections Americans have against arbitrary governmental searches, according to legal documents and people briefed on closed court hearings.
The order on Yahoo from the secret Foreign Intelligence Surveillance Court (FISC) last year resulted from the government’s drive to change decades of interpretation of the U.S. Constitution’s Fourth Amendment right of people to be secure against “unreasonable searches and seizures,” intelligence officials and others familiar with the strategy told Reuters.
The unifying idea, they said, is to move the focus of U.S. courts away from what makes something a distinct search and toward what is “reasonable” overall.
The basis of the argument for change is that people are making much more digital data available about themselves to businesses, and that data can contain clues that would lead to authorities disrupting attacks in the United States or on U.S. interests abroad.
While it might technically count as a search if an automated program trawls through all the data, the thinking goes, there is no unreasonable harm unless a human being looks at the result of that search and orders more intrusive measures or an arrest, which even then could be reasonable.
Civil liberties groups and some other legal experts said the attempt to expand the ability of law enforcement agencies and intelligence services to sift through vast amounts of online data, in some cases without a court order, was in conflict with the Fourth Amendment because many innocent messages are included in the initial sweep.
“A lot of it is unrecognizable from a Fourth Amendment perspective,” said Orin Kerr, a former federal prosecutor and George Washington University Law School expert on surveillance. “It’s not where the traditional Fourth Amendment law is.”
But the general counsel of the Office of the Director of National Intelligence (ODNI), Robert Litt, said in an interview with Reuters on Tuesday that the legal interpretation needed to be adjusted because of technological changes.
“Computerized scanning of communications in the same way that your email service provider scans looking for viruses – that should not be considered a search requiring a warrant for Fourth Amendment purposes,” said Litt. He said he is leaving his post on Dec. 31 as the end of President Barack Obama’s administration nears.
This is outrageous. And it does highlight how the Obama Administration has worked, and continues to work, against the privacy rights of US citizens.
Much more here.
Via The Intercept:
THE ACLU HAS identified 23 legal opinions that contain new or significant interpretations of surveillance law — affecting the government’s use of malware, its attempts to compel technology companies to circumvent encryption, and the CIA’s bulk collection of financial records under the Patriot Act — all of which remain secret to this day, despite an ostensible push for greater transparency following Edward Snowden’s disclosures.
The opinions were written by the Foreign Intelligence Surveillance Court. On Wednesday, the ACLU and the Yale Law School Media Freedom Clinic filed a motion with the court requesting that those opinions be released.
“The people of this country can’t hold the government accountable for its surveillance activities unless they know what our laws allow,” said Patrick Toomey, a staff attorney with the ACLU’s National Security Project. “These secret court opinions define the limits of the government’s spying powers. Their disclosure is essential for meaningful public oversight in our democracy.”
Some of the opinions identified by the ACLU offer interpretations of Section 702 of the Foreign Intelligence Surveillance Act, a controversial provision that allows the government to conduct mass surveillance on American’s transnational communications. The authority is set to expire in December 2017.
Disclosure of the opinions would shed light on how the government understands the boundaries of its spying power. Earlier this month, for example, after Reuters reported that Yahoo is secretly scanning every customer’s incoming email, anonymous officials told the New York Times that that action was based on an individualized order from the secret court. Disclosure of the order would offer insight into why the government thinks that is legal. Yahoo, for its part, on Wednesday urged the Director of National Intelligence to release and explain the court order in question.
The ACLU identified the 23 still-secret opinions by combing through press clippings and publicly released opinions. A report released Tuesday by the Brennan Center for Justice, which was based on documents obtained under the Freedom of Information Act, similarly found that the government has kept classified 25 to 30 significant court opinions and orders dating from 2003 to 2013.
Citizens should be entitled to read the law. Secret laws have no place in a civilized society.
Via The New York Times:
Edward J. Snowden, the American who has probably left the biggest mark on public policy debates during the Obama years, is today an outlaw. Mr. Snowden, a former National Security Agency contractor who disclosed to journalists secret documents detailing the United States’ mass surveillance programs, faces potential espionage charges, even though the president has acknowledged the important public debate his revelations provoked.
Mr. Snowden’s whistle-blowing prompted reactions across the government. Courts found the government wrong to use Section 215 of the Patriot Act to justify mass phone data collection. Congress replaced that law with the USA Freedom Act, improving transparency about government surveillance and limiting government power to collect certain records. The president appointed an independent review board, which produced important reform recommendations.
That’s just in the American government. Newspapers that published Mr. Snowden’s revelations won the Pulitzer Prize. The United Nations issued resolutions on protecting digital privacy and created a mandate to promote the right to privacy. Many technology companies, facing outrage at their apparent complicity in mass surveillance, began providing end-to-end encryption by default. Three years on, the news media still refer to Mr. Snowden and his revelations every day. His actions have brought about a dramatic increase in our awareness of the risks to our privacy in the digital age — and to the many rights that depend on privacy.
Yet President Obama and the candidates to succeed him have emphasized not Mr. Snowden’s public service but the importance of prosecuting him. Hillary Clinton has said Mr. Snowden shouldn’t be brought home “without facing the music.” Donald J. Trump has said, “I think he’s a total traitor and I would deal with him harshly.”
Eric H. Holder Jr. struck a more measured tone in May, upon leaving office as Mr. Obama’s attorney general. He recognized that while Mr. Snowden broke the law, “he actually performed a public service” by raising the national debate on surveillance practices.
The law the Obama administration wants to use to prosecute him takes no account of whether revealing this information was a public service. Under the antiquated Espionage Act of 1917, the only issue is whether “national defense” information was given to someone not authorized to receive it. It doesn’t matter if the secrets revealed wrongdoing or if they endangered the national defense, whether they were passed to an American journalist or to a foreign enemy.
The full essay is worth a careful read. Our privacy rights are always at risk when spying on average Americans is considered.
An amendment designed to allow the government warrantless access to internet browsing histories has been narrowly defeated in the Senate.
The amendment fell two votes short of the required 60 votes to advance.
But the effort is far from dead. Majority leader Sen. Mitch McConnell (R-KY), who switched his vote at the last minute, submitted a motion to reconsider the vote following the defeat.
Sen. John McCain (R-AZ) introduced the amendment as an add-on to the commerce, justice, and science appropriations bill earlier this week. McCain said in a statement on Monday that the amendment would “track lone wolves” in the wake of the Orlando massacre, in which Omar Mateen, who authorities say radicalized himself online, killed 49 people at a gay nightclub in the Florida city.
The amendment aims to broaden the rules governing national security letters, which don’t require court approval. These letters allow the FBI to demand records associated with Americans’ online communications.
If the amendment becomes law, federal agents won’t need a court order to access phone logs, email records, cell-site data used to pinpoint locations, as well as browsing histories of recently visited websites.
It is outrageous that mass surveillance of such user information without a warrant came so close to success. And it may still pass. How is it that warrants are viewed as unnecessary to breach the privacy of American citizens?
Here are some Twitter reactions:
Via The Intercept:
A PROVISION SNUCK INTO the still-secret text of the Senate’s annual intelligence authorization would give the FBI the ability to demand individuals’ email data and possibly web-surfing history from their service providers without a warrant and in complete secrecy.
If passed, the change would expand the reach of the FBI’s already highly controversial national security letters. The FBI is currently allowed to get certain types of information with NSLs — most commonly, information about the name, address, and call data associated with a phone number or details about a bank account.
Since a 2008 Justice Department legal opinion, the FBI has not been allowed to use NSLs to demand “electronic communication transactional records,” such as email subject lines and other metadata, or URLs visited.
The spy bill passed the Senate Intelligence Committee on Tuesday, with the provision in it. The lone no vote came from Sen. Ron Wyden, D-Ore., whowrote in a statement that one of the bill’s provisions “would allow any FBI field office to demand email records without a court order, a major expansion of federal surveillance powers.”
How is it that the FBI can drive through such proposals with only a single legislator voting no? Should this survive, the surveillance state will reach an all-time high.
The U.S. House of Representatives voted unanimously on Wednesday to require law enforcement authorities to get a search warrant before asking technology companies to hand over old emails.
The bill’s prospects in the Senate remain unclear, though the 419-0 vote in the House was likely to put pressure on the upper chamber to approve it.
Under the Email Privacy Act, which updates a decades-old law, authorities would have to get a warrant to access emails or other digital communications more than 180 days old. At present, agencies such as the U.S. Justice Department and the Securities and Exchange Commission only need a subpoena to seek such data from a service provider.
It is well past time. Now let’s see of the Senate can get on board.
Via The Wall Street Journal:
The Federal Bureau of Investigation doesn’t plan to tell Apple Inc. how it cracked a San Bernardino, Calif., terrorist’s phone, said people familiar with the matter, leaving the company in the dark on a security vulnerability on some iPhone models.
The FBI knows how to use the phone-hacking tool it bought to open the iPhone 5c but doesn’t specifically knows how it works, allowing the tool to avoid a White House review, the people said, The FBI plans to notify the White House of this conclusion in the coming days, they added.
Any decision to not share details of the vulnerability with Apple is likely to anger privacy advocates who contend the FBI’s approach to encryption weakens data security for many smartphone and computer owners in order to preserve options for federal investigators to open locked devices.
Generally, a White House review is required when a vulnerability in security is discovered by a Federal agency so it can be shared with the manufacturer. Apparently, at least for now, the FBI is trying to avoid such sharing. The agency continues to damage information security for all.
By the way, the FBI did share a vulnerability to Apple on April 24. However, this was no big deal as Apple had already fixed the issue months ago.
The FBI has been tying itself in knots with Apple, first by trying to force Apple to break its own encryption, and then acknowledging that the agency was able to access at least two iPhones without Apple’s help.
The Wall Street Journal claims that the FBI has travelled into the zone of farce:
If history repeats itself first as tragedy and then as farce, what does the FBI have in store next for its encryption war with Apple? After withdrawing its demands in San Bernardino and then reopening hostilities with a drug prosecution in Brooklyn, the G-men abruptly dumped the second case over the weekend too. Is anyone in charge at the Justice Department, or are junior prosecutors running the joint?
* * *
Yet while Justice argued in Brooklyn that Apple’s help was essential, it also argued the FBI had no obligation to pursue a non-Apple work-around. The remarkable claim was that prosecutors need not exhaust all possible alternatives before conscripting a private company, such as consulting with other U.S. agencies, hiring an outside digital forensics outfit or even interrogating Feng again.
Such assertions were as false in Brooklyn as in San Bernardino. Two hours and a half before a deadline on Friday night, the government withdrew the case after “an individual provided the passcode to the iPhone,” according to legal filings. This second immaculate conception in as many months further undermines the FBI’s credibility about its technological capabilities. Judges ought to exercise far more scrutiny in future decryption cases even as Mr. Comey continues to pose as helpless.
* * *
Meanwhile, the White House has taken the profile-in-courage stand of refusing to endorse or oppose any encryption bill that Congress may propose. If the Obama team won’t start adjusting to the technological realities of strong and legal encryption, they could at least exercise some adult supervision at Main Justice.
The FBI cannot be trusted to protect privacy and security for our citizens, especially given their keystone cops behavior.
The Electronic Frontier Foundation has announced it filed a suit against the Justice Department over whether the Department ever required private companies to decrypt consumer’s private information.
The Electronic Frontier Foundation (EFF) filed a Freedom of Information (FOIA) lawsuit today against the Justice Department to shed light on whether the government has ever used secret court orders to force technology companies to decrypt their customers’ private communications, a practice that could undermine the safety and security of devices used by millions of people.
The lawsuit argues that the DOJ must disclose if the government has ever sought or obtained an order from the Foreign Intelligence Surveillance Court (FISC) requiring third parties—like Apple or Google—to provide technical assistance to carry out surveillance.
The suit separately alleges that the agency has failed to turn over other significant FISC opinions that must be declassified as part of surveillance reforms that Congress enacted with the USA FREEDOM Act.
EFF filed its FOIA requests in October and March amid increasing government pressure on technology companies to provide access to customers’ devices and encrypted communications for investigations. Although the FBI has sought orders from public federal courts to create a backdoor to an iPhone, it is unclear to what extent the government has sought or obtained similar orders from the FISC. The FISC operates mostly in secret and grants nearly every government surveillance request it receives.
You can read the full complaint here.
The EFF is a terrific organization that deserves support. You can support their efforts on civil liberties by contributing here.
Microsoft is filing a challenge to the current rules that prohibit technology firms from notifying their customers when the government seeks users’ records and communications.
Via The New York Times:
The software giant is suing the Justice Department, challenging its frequent use of secrecy orders that prevent Microsoft from telling people when the government obtains a warrant to read their emails.
In its suit, filed Thursday morning in Federal District Court in Seattle, Microsoft’s home turf, the company asserts that the gag order statute in the Electronic Communications Privacy Act of 1986 — as employed today by federal prosecutors and the courts — is unconstitutional.
The statute, according to Microsoft, violates the Fourth Amendment right of its customers to know if the government searches or seizes their property, and it breaches the company’s First Amendment right to speak to its customers.
* * *
Seizing information from file drawers or personal computers used to require entering a building to examine paper or a hard drive. Typically, the target of an investigation knew about it.
Not so in the cloud computing era, when investigators can bypass an individual and go straight to the company that hosts that information. And when courts issue secrecy orders, often with no time limit, a target may never know that information was taken.
Microsoft, in its suit, contends that the government has “exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations.”
You can read the full lawsuit here.
Good on Microsoft.
Writing in TechDirt, Mike Masnick reviews the horrible and actually crazy, implications of the legislation.
The basics of the bill are exactly what you’d expect. It says that any “device manufacturer, software manufacturer, electronic communication service, remote computing service, provider of wire or electronic or any person who provides a product or method to facilitate communication or the processing or storage of data” must respond to legal orders demanding access to said information. First off, this actually covers a hell of a lot more than was originally expected. By my reading, anyone providing PGP email is breaking the law — because it’s not just about device encryption, but encryption of communications in transit as well. I wonder how they expect to put that genie back in the bottle.
* * *
The second this bill becomes law, the US loses a massive economic advantage. Basically all of our technology becomes suspect globally, and the entire cybersecurity industry moves off shore. It will devastate American businesses outside of the US. Burr and Feinstein are basically offering a bill that completely undermines the economic prosperity of the American tech industry. This is especially insane coming from Feinstein, given that she supposedly represents so many tech companies in California.
The article, as well as the bill itself, can be found here.
This is a great result. A “Stingray” is a cell site simulator that police can use to indiscriminately capture cellphone signals and data.
Via The Intercept, here is the substance of the court’s decision:
A Maryland appellate court on Wednesday explained its reasoning for its landmark decision earlier this month requiring police to establish probable cause and get a warrant before using a Stingray, or cell-site simulator.
The Maryland Court of Special Appeals rejected the state of Maryland’s argument that anyone turning on a phone was “voluntarily” sharing their whereabouts with the police. And the 73-page opinion also harshly rebuked Baltimore police for trying to conceal their use of Stingrays from the court.
“This is the first appellate opinion in the country to fully address the question of whether police must disclose their intent to use a cell site simulator to a judge and obtain a probable cause warrant,” said Nathan Wessler, a staff attorney with the ACLU’s Project on Speech, Privacy, and Technology.
The panel of judges stated that “cell phone users have an objectively reasonable expectation that their cell phones will not be used as real-time tracking devices, through the direct and active interference of law enforcement.”
In court testimony last April, a Baltimore detective revealed that the Baltimore Police Department had used Stingrays more than 4,300 times since 2007, repeatedly failing to notify courts of their use in criminal cases.
The full article is here.
The Wall Street Journal has published an editorial berating the actions of the FBI in connection with their claims about Apple’s encryption and the need for Apple help.
The Justice Department and FBI insist the encryption debate is critical to national security, and they’re right. The problem is that—amid another terror attack in the West—they continue to supply more reasons to doubt their credibility and even basic competence.
* * *
In a shock filing the night before, Justice reported that over the weekend, apparently, “an outside party demonstrated to the FBI a possible method for unlocking Farook’s iPhone.” The FBI “has continued to research methods to gain access to the data stored on it. The FBI did not cease its efforts after this litigation began.” The legal proceedings are now thrown into limbo while the deus ex machina technique is tested.
This twist with double somersault is especially notable because DOJ has insisted for months that “the undisputed evidence is that the FBI cannot unlock Farook’s phone without Apple’s assistance,” as the department put it in a March 10 brief. The source code for the operating system is designed to reject programs that are not electronically “signed” by Apple, and thus “Apple alone” and “only Apple” can be commandeered, Justice argued.
* * *
In a democracy, the questions raised by encryption should be resolved by Congress, not by free-lancing judges. Those questions won’t vanish because the Apple case is on hold. Legislators could start by appointing a panel of expert arbiters who are more trustworthy than the FBI and Justice Department.
The FBI clearly never needed Apple’s help, at least to access this particular phone, but pushed ahead in an effort to try to set some sort of precedent requiring technology companies to either breach their own security and install backdoors and fight in court. Shameful.
The FBI announced late yesterday that they would cancel the scheduled hearing with Apple because, as the FBI stated that an outside party had demonstrated a possible way for the FBI to breach the iPhone security. Therefore, the FBI said, they did not need the hearing.
Remember that the FBI has repeatedly said that there is no one other than Apple that could breach the targeted device. Now, apparently, some believes they can do it.
But sooner or later, it will become necessary for Apple and other tech giants to build totally unbreakable devices for the sake of the privacy of private data. And yesterday, speaking at the beginning of an Apple event in Cupertino, Tim Cook stated: