It is well past time

While a lot can happen before the expiration of the Patriot Act on June 1, it looks like Congress (or at least the House) is prepared for major reductions in US domestic spying and surveillance.

From the New York Times:

After more than a decade of wrenching national debate over the intrusiveness of government intelligence agencies, a bipartisan wave of support has gathered to sharply limit the federal government’s sweeps of phone and Internet records.

On Thursday, a bill that would overhaul the Patriot Act and curtail the so-called metadata surveillance exposed by Edward J. Snowden was overwhelmingly passed by the House Judiciary Committee and was heading to almost certain passage in that chamber this month.

An identical bill in the Senate — introduced with the support of five Republicans — is gaining support over the objection of Senator Mitch McConnell, Republican of Kentucky, who is facing the prospect of his first policy defeat since ascending this year to majority leader.

The push for reform is the strongest demonstration yet of a decade-long shift from a singular focus on national security at the expense of civil liberties to a new balance in the post-Snowden era.

Under the bipartisan bills in the House and Senate, the Patriot Act would be changed to prohibit bulk collection, and sweeps that had operated under the guise of so-called National Security Letters issued by the F.B.I. would end. The data would instead be stored by the phone companies themselves, and could be accessed by intelligence agencies only after approval of the secret Foreign Intelligence Surveillance Act court.

The legislation would also create a panel of experts to advise the FISA court on privacy, civil liberties, and technology matters, while requiring the declassification of all significant FISA court opinions.

More details from the Times here.

Decades of surveillance (updated)

USA Today is reporting that the government started collecting data on citizens’ international telephone calls a decade prior to 9/11.

For more than two decades, the Justice Department and the Drug Enforcement Administration amassed logs of virtually all telephone calls from the USA to as many as 116 countries linked to drug trafficking, current and former officials involved with the operation said. The targeted countries changed over time but included Canada, Mexico and most of Central and South America.

Federal investigators used the call records to track drug cartels’ distribution networks in the USA, allowing agents to detect previously unknown trafficking rings and money handlers. They also used the records to help rule out foreign ties to the bombing in 1995 of a federal building in Oklahoma City and to identify U.S. suspects in a wide range of other investigations.

The Justice Department revealed in January that the DEA had collected data about calls to “designated foreign countries.” But the history and vast scale of that operation have not been disclosed until now.

How Americans can ever trust the government to protect their privacy, and comply with the Constitution, is a real puzzle. Secret data collection by the government is apparently unstoppable in the current political environment. Shameful.

Update: The EFF has agreed to represent Human Rights Watch, a civil liberties group, in a lawsuit challenging the legality of the DEA’s massive data collection program.

Human Rights Watch, a nonpartisan organization that fights human rights abuses across the globe, filed suit against the U.S. Drug Enforcement Administration late Tuesday for illegally collecting records of its telephone calls to certain foreign countries as part of yet another government bulk surveillance program. The group is represented by the Electronic Frontier Foundation (EFF), which has launched a series of legal challenges against unconstitutional government surveillance.

“The DEA’s program of untargeted and suspicionless surveillance of Americans’ international telephone call records—information about the numbers people call, and the time, date, and duration of those calls—affects millions of innocent people, yet the DEA operated the program in secret for years,” said EFF Staff Attorney Nate Cardozo. “Both the First and Fourth Amendment protect Americans from this kind of overreaching surveillance. This lawsuit aims to vindicate HRW’s rights, and the rights of all Americans, to make calls overseas without being subject to government surveillance.”

The CIA seeks to break security of Apple devices

The Intercept is reporting that the CIA has conducted a multi-year campaign to break the security of Apple iPhones and iPads.

By targeting essential security keys used to encrypt data stored on Apple’s devices, the researchers have sought to thwart the company’s attempts to provide mobile security to hundreds of millions of Apple customers across the globe. Studying both “physical” and “non-invasive” techniques, U.S. government-sponsored research has been aimed at discovering ways to decrypt and ultimately penetrate Apple’s encrypted firmware. This could enable spies to plant malicious code on Apple devices and seek out potential vulnerabilities in other parts of the iPhone and iPad currently masked by encryption.

* * *

The security researchers also claimed they had created a modified version of Apple’s proprietary software development tool, Xcode, which could sneak surveillance backdoors into any apps or programs created using the tool. Xcode, which is distributed by Apple to hundreds of thousands of developers, is used to create apps that are sold through Apple’s App Store.

The modified version of Xcode, the researchers claimed, could enable spies to steal passwords and grab messages on infected devices. Researchers also claimed the modified Xcode could “force all iOS applications to send embedded data to a listening post.” It remains unclear how intelligence agencies would get developers to use the poisoned version of Xcode.

Researchers also claimed they had successfully modified the OS X updater, a program used to deliver updates to laptop and desktop computers, to install a “key logger.”

* * *

“Spies gonna spy,” says Steven Bellovin, a former chief technologist for the U.S. Federal Trade Commission and current professor at Columbia University. “I’m never surprised by what intelligence agencies do to get information. They’re going to go where the info is, and as it moves, they’ll adjust their tactics. Their attitude is basically amoral: whatever works is OK.”

Bellovin says he generally supports efforts by U.S. intelligence to “hack” devices — including Apple’s — used by terrorists and criminals, but expressed concern that such capabilities could be abused. “There are bad people out there, and it’s reasonable to seek information on them,” he says, cautioning that “inappropriate use — mass surveillance, targeting Americans without a warrant, probably spying on allies — is another matter entirely.”

Documents provided by Edward Snowden revealed the CIA attacks on Apple software and hardware. The documents also reveal that other tech companies were attacked. Tim Cook has repeatedly criticized the efforts of the CIA and the NSA, and he has called for privacy protection for all Apple customers.

“If I were Tim Cook, I’d be furious,” says the ACLU’s Soghoian. “If Apple is mad at the intelligence community, and they should be, they should put their lawyers to work. Lawsuits speak louder than words.”

* * *

“I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will,” Cook said last September in announcing Apple’s new privacy policy. More recently, Cook said, “None of us should accept that the government or a company or anybody should have access to all of our private information. This is a basic human right. We all have a right to privacy. We shouldn’t give it up. We shouldn’t give in to scare-mongering.”

* * *

As corporations increasingly integrate default encryption methods and companies like Apple incorporate their own indigenous encryption technologies into easy-to-use text, voice and video communication platforms, the U.S. and British governments are panicking. “Encryption threatens to lead all of us to a very dark place,” declared FBI Director James Comey in an October 2014 lecture at the Brookings Institution. Citing the recent moves by Apple to strengthen default encryption on its operating systems, and commitments by Google to incorporate such tools, Comey said, “This means the companies themselves won’t be able to unlock phones, laptops, and tablets to reveal photos, documents, e-mail, and recordings stored within.”

Under current U.S. regulations, law enforcement agencies can get a court order to access communications channeled through major tech companies and wireless providers. But if those communications are encrypted through a process not accessible by any involved company, the data is essentially meaningless, garbled gibberish. “In a world in which data is encrypted, and the providers don’t have the keys, suddenly, there is no one to go to when they have a warrant,” says Soghoian. “That is, even if they get a court order, it doesn’t help them. That is what is freaking them out.”

You can read the full, detailed and shocking article here.

Wikipedia sues NSA over mass surveillance

Wikipedia is suing the NSA over the spy agency’s so-called “upstream” surveillance, which collects information around the world by tapping into Internet cables.

The notion that the N.S.A. is monitoring Wikipedia’s users is not, unfortunately, a stretch of the imagination. One of the documents revealed by the whistle-blower Edward J. Snowden specifically identified Wikipedia as a target for surveillance, alongside several other major websites like CNN.com, Gmail and Facebook. The leaked slide from a classified PowerPoint presentation declared that monitoring these sites could allow N.S.A. analysts to learn “nearly everything a typical user does on the Internet.”

The harm to Wikimedia and the hundreds of millions of people who visit our websites is clear: Pervasive surveillance has a chilling effect. It stifles freedom of expression and the free exchange of knowledge that Wikimedia was designed to enable.

* * *

In the lawsuit we’re filing with the help of the American Civil Liberties Union, we’re joining as a fellow plaintiff a broad coalition of human rights, civil society, legal, media and information organizations. Their work, like ours, requires them to engage in sensitive Internet communications with people outside the United States.

That is why we’re asking the court to order an end to the N.S.A.’s dragnet surveillance of Internet traffic.

Privacy is an essential right. It makes freedom of expression possible, and sustains freedom of inquiry and association. It empowers us to read, write and communicate in confidence, without fear of persecution. Knowledge flourishes where privacy is protected.

This is an excellent, well-funded effort that might have a decent chance of limiting at least some of the “collect it all” operations of the NSA.

SIM card security breached by US and UK

The Intercept is reporting this morning that US and UK spies broke into the internal network of Gemalto, the largest SIM card manufacturer in the world and stole the encryption keys used by the manufacturer. SIM cards are designed to protect the privacy of cellphone conversations, among other things. The reporting is based on documents provided by Edward Snowden, and the breach was described in a document written in 2010.

So, as a beginning point, you can safely assume that your mobile phone privacy was breached over four years ago.

Here are more details:

Leading privacy advocates and security experts say that the theft of encryption keys from major wireless network providers is tantamount to a thief obtaining the master ring of a building superintendent who holds the keys to every apartment. “Once you have the keys, decrypting traffic is trivial,” says Christopher Soghoian, the principal technologist for the American Civil Liberties Union. “The news of this key theft will send a shock wave through the security community.”

* * *

The U.S. and British intelligence agencies pulled off the encryption key heist in great stealth, giving them the ability to intercept and decrypt communications without alerting the wireless network provider, the foreign government or the individual user that they have been targeted. “Gaining access to a database of keys is pretty much game over for cellular encryption,” says Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute. The massive key theft is “bad news for phone security. Really bad news.”

SIM cards were not primarily designed to protect privacy; they were designed by cell phone companies to limit fraudulent use of their networks.

SIM cards were not invented to protect individual communications — they were designed to do something much simpler: ensure proper billing and prevent fraud, which was pervasive in the early days of cellphones. Soghoian compares the use of encryption keys on SIM cards to the way Social Security numbers are used today. “Social security numbers were designed in the 1930s to track your contributions to your government pension,” he says. “Today they are used as a quasi national identity number, which was never their intended purpose.”

Because the SIM card wasn’t created with call confidentiality in mind, the manufacturers and wireless carriers don’t make a great effort to secure their supply chain. As a result, the SIM card is an extremely vulnerable component of a mobile phone. “I doubt anyone is treating those things very carefully,” says Green. “Cell companies probably don’t treat them as essential security tokens. They probably just care that nobody is defrauding their networks.” The ACLU’s Soghoian adds, “These keys are so valuable that it makes sense for intel agencies to go after them.”

Much more from The Intercept here.

Christmas Eve NSA data dump

If you head the NSA and, due to a court order, you are required to publicly release (heavily redacted) documents indicating that the NSA violated the law repeatedly over more than a decade, when would you choose to announce the release?

Well, the NSA chose to make the release around 1:30 pm, Christmas eve.

Bloomberg reports:

The NSA, responding to a Freedom of Information Act lawsuit from the American Civil Liberties Union, released a series of required quarterly and annual reports to the President’s Intelligence Oversight Board that cover the period from the fourth quarter of 2001 to the second quarter of 2013.

The heavily-redacted reports include examples of data on Americans being e-mailed to unauthorized recipients, stored in unsecured computers and retained after it was supposed to be destroyed, according to the documents. They were posted on the NSA’s website at around 1:30 p.m. on Christmas Eve.

In a 2012 case, for example, an NSA analyst “searched her spouse’s personal telephone directory without his knowledge to obtain names and telephone numbers for targeting,” according to one report. The analyst “has been advised to cease her activities,” it said.

Other unauthorized cases were a matter of human error, not intentional misconduct.

Last year, an analyst “mistakenly requested” surveillance “of his own personal identifier instead of the selector associated with a foreign intelligence target,” according to another report.


An excellent proposal

Senator Mark Udall (D-CO) lost his reelection bid on Tuesday. This is particularly important as Udall was one of the most forceful members of the Senate Intelligence Committee to call for more disclosure from the CIA and NSA regarding their operations.

Trevor Timm, writing in The Guardian, has interestingly suggested that Udall could legally read into the Congressional Record the text of the CIA Torture Report, prepared by the Intelligence Committee, which is still tied up by the CIA (and Obama Administration) refusals to allow publication of the report without massive and frustrating redactions.

America’s rising civil liberties movement lost one of its strongest advocates in the US Congress on Tuesday night, as Colorado’s Mark Udall lost his Senate seat to Republican Cory Gardner. While the election was not a referendum on Udall’s support for civil liberties (Gardner expressed support for surveillance reform, and Udall spent most of his campaign almost solely concentrating on reproductive issues), the loss is undoubtedly a blow for privacy and transparency advocates, as Udall was one of the NSA and CIA’s most outspoken and consistent critics. Most importantly, he sat on the intelligence committee, the Senate’s sole oversight board of the clandestine agencies, where he was one of just a few dissenting members.

But Udall’s loss doesn’t have to be all bad. The lame-duck transparency advocate now has a rare opportunity to truly show his principles in the final two months of his Senate career and finally expose, in great detail, the secret government wrongdoing he’s been criticizing for years. On his way out the door, Udall can use congressional immunity provided to him by the Constitution’s Speech and Debate clause to read the Senate’s still-classified 6,000-page CIA torture report into the Congressional record – on the floor, on TV, for the world to see.

There’s ample precedent for this. In 1971, former Senator Mike Gravel famously read the top-secret classified Pentagon Papers for three hours before almost collapsing and then entering thousands of pages more into the record after he couldn’t speak for any longer from exhaustion.

* * *

But now, Udall has nothing to lose. He can’t get kicked off any committee he won’t be a part of in two months. And he can’t be prosecuted for revealing classified information as a member of Congress.

This would be a terrific service to Americans, who need to know that torture was official US policy following 9/11, so as to ensure that the American government never commits such crimes again.


Second NSA whistleblower is “confirmed”

Michael Isikoff is reporting that federal agents have identified a suspected “second” whistleblower who has been providing details of the NSA surveillance programs to reporters.

Excerpt:

The FBI has identified an employee of a federal contracting firm suspected of being the so-called “second leaker” who turned over sensitive documents about the U.S. government’s terrorist watch list to a journalist closely associated with ex-NSA contractor Edward Snowden, according to law enforcement and intelligence sources who have been briefed on the case.

The FBI recently executed a search of the suspect’s home, and federal prosecutors in Northern Virginia have opened up a criminal investigation into the matter, the sources said.

But the case has also generated concerns among some within the U.S. intelligence community that top Justice Department officials — stung by criticism that they have been overzealous in pursuing leak cases — may now be more reluctant to bring criminal charges involving unauthorized disclosures to the news media, the sources said. One source, who asked not to be identified because of the sensitivity of the matter, said there was concern “there is no longer an appetite at Justice for these cases.”

I believe that the Justice Department should tread very carefully in dealing with any whistleblowers. And it should be especially careful in challenging reporters covering any additional disclosures in an attempt to reveal to Americans the overall breadth of the surveillance of American citizens. The people have a right to know.

Surveillance self-defense

The EFF has just released a compendium of products that can help you defend your computer systems and communications from the surveillance state. It is called Surveillance Self-Defense. It offers advice for people in differing scenarios. I am planning to implement the recommendations in the section entitled “Mac User?”.

Well worth a careful review.

Conflicts of interest at the NSA

Who could have possibly thought that NSA employees, at high levels in the agency, would be involved in obvious conflicts of interest? Well, BuzzFeed News is reporting that Teresa Shea, a high-level employee, is leaving the agency as a result of financial interests and conflicts between her and her husband and the NSA.

Excerpt:

Shea was the director of signals intelligence, or SIGINT, which involves intercepting and decoding electronic communications via phones, email, chat, Skype, and radio. It’s widely considered the most important mission of the NSA, and includes some of the most controversial programs disclosed by former contractor Edward Snowden, including the mass domestic surveillance program.

It couldn’t be determined why Shea is leaving her position or what new job she might take. Neither the Sheas nor the NSA responded immediately to requests for comment.

In September, BuzzFeed News reported that a SIGINT “contracting and consulting” company was registered at Shea’s house, even while she was the SIGINT director at NSA. The resident agent of the company, Telic Networks, was listed as James Shea, her husband.

Mr. Shea is also the vice president of a major SIGINT contractor that appears to do business with the NSA. The company, DRS Signals Solutions, is a subsidiary of DRS Technologies, which itself is a subsidiary of Italian-owned Finmeccanica SPA.

Last week Buzzfeed News also reported Shea herself had incorporated an “office and electronics” business at her house, and that the company owned a six-seat airplane and a condominium in the resort town of Hilton Head, South Carolina.


Grand Rapids ArtPrize entry highlights NSA surveillance activities

ArtPrize is an independently organized international art competition in Grand Rapids, Michigan. It is the world’s largest art competition based on daily attendance, prize amounts, number of artists and venues. ArtPrize 2014 takes place September 24-October 12. Voting number for “Just Listening” is 56367. ArtPrize officially opens Wednesday, September 24.

One of my friends, Ruth Tyszka, together with two other artists, created a piece that challenges the NSA surveillance programs and asks whether the concept of Lady Justice has continuing validity in a time of world-wide mass surveillance.

Here is their explanation of the piece:

Darcel Deneau, Joan Schwartz and Ruth Tyszka worked together for months to create their 11 foot high sculpture “Just Listening” for exhibition at the 2014 ArtPrize art competition in Grand Rapids, Michigan. The three accomplished artists deploy art and technology in this visual commentary on American ideals within the context of the National Security Agency’s (NSA) electronic data surveillance and collection programs.

The artists were honored and excited to be selected to show their sculpture “Just Listening” at the Fountain Street Church venue, which partnered with the American Civil Liberties Union to present the exhibit titled “Art To Change the World: Inspiring Social Justice.”

The artists drew from a broad range of experience in different mediums to carefully choose a variety of mixed media materials to construct a contemporary Lady Justice lifting the world above her head. Serving as a symbol of American ideals and morality within the justice system, the Lady Justice figure is initially intended to be beautiful and aesthetically pleasing, drawing to mind traditional representations of Lady Justice. Upon closer inspection, the viewer is invited to participate and question the NSA’s systematic use of technology to collect information on citizens of the United States and from around the world. Lady Justice wears an elaborate gown made from surveillance-related news articles and punctuated by a cascade of red and white glass mosaic stripes down the front. She stands on a platform of data servers and balances above her head a 30-inch diameter globe constructed of repurposed circuit boards and stained glass and lit from within. A tablet computer embedded in the globe streams Tweets that reference the NSA. Earbuds connect Lady Justice to the world’s data.

Throughout the sculpture, the artists use symbols like the slipping blindfold, the scales of justice, and the American eagle tattoo to metaphorically raise questions about the potential for compromise of Lady Justice’s representation of justice, fairness and equity.

[Photos: “Just Listening”, full view and upper detail. Photo credits: PD Rearick]

Deneau is a graduate of the College for Creative Studies (Detroit) and recently completed her term as the Board Chair at the Detroit Artists Market. Schwartz graduated from Wayne State University (Detroit), is a non-practicing pediatrics nurse and currently serves on the board of the Mosaic Artists of Michigan. Tyszka is a graduate of Oakland University and Wayne Law School (Detroit), currently splits her time between law and art, and is the Governance Chair on the Board of Trustees for the Society of American Mosaic Artists.
The Fountain Street Church is located at 24 Fountain St. NE, Grand Rapids, Michigan. If you make it to the show, be sure to take a look at this project. And be sure to vote in its favor.