Current Affairs Surveillance in the US reaches new levels

[BOF]

Credit to Yahoo! who tried to say no to Prism but ultimately failed when a judge ruled that asking for warrantless info on foreigners wasn't against the law and, by extension, refusal to hand it over was a break of the law itself. You gorra larf.

 

Secret Court Ruling Put Tech Companies in Data Bind

SAN FRANCISCO — In a secret court in Washington, Yahoo’s top lawyers made their case. The government had sought help in spying on certain foreign users, without a warrant, and Yahoo had refused, saying the broad requests were unconstitutional.

Related

So Yahoo became part of the National Security Agency’s secret Internet surveillance program, Prism, according to leaked N.S.A. documents, as did seven other Internet companies.

Like almost all the actions of the secret court, which operates under the Foreign Intelligence Surveillance Act, the details of its disagreement with Yahoo were never made public beyond a heavily redacted court order, one of the few public documents ever to emerge from the court. The name of the company had not been revealed until now. Yahoo’s involvement was confirmed by two people with knowledge of the proceedings. Yahoo declined to comment.

But the decision has had lasting repercussions for the dozens of companies that store troves of their users’ personal information and receive these national security requests — it puts them on notice that they need not even try to test their legality. And despite the murky details, the case offers a glimpse of the push and pull among tech companies and the intelligence and law enforcement agencies that try to tap into the reams of personal data stored on their servers.

It also highlights a paradox of Silicon Valley: while tech companies eagerly vacuum up user data to track their users and sell ever more targeted ads, many also have a libertarian streak ingrained in their corporate cultures that resists sharing that data with the government.

“Even though they have an awful reputation on consumer privacy issues, when it comes to government privacy, they generally tend to put their users first,” said Christopher Soghoian, a senior policy analyst studying technological surveillance at the American Civil Liberties Union. “There’s this libertarian, pro-civil liberties vein that runs through the tech companies.”

Lawyers who handle national security requests for tech companies say they rarely fight in court, but frequently push back privately by negotiating with the government, even if they ultimately have to comply. In addition to Yahoo, which fought disclosures under FISA, other companies, including Google, Twitter, smaller communications providers and a group of librarians, have fought in court elements of National Security Letters, which the F.B.I. uses to secretly collect information about Americans. Last year, the government issued more than 1,850 FISA requests and 15,000 National Security Letters.

“The tech companies try to pick their battles,” said Stephen I. Vladeck, a law professor at American University who has challenged government counterterrorism surveillance. “Behind the scenes, different tech companies show different degrees of cooperativeness or pugnaciousness.”

But Mr. Vladeck added that even if a company resisted, “that may not be enough, because any pushback is secret and at the end of the day, even the most well-intentioned companies are not going to be standing in the shoes of their customers.”

FISA requests can be as broad as seeking court approval to ask a company to turn over information about the online activities of people in a certain country. Between 2008 and 2012, only two of 8,591 applications were rejected, according to data gathered by the Electronic Privacy Information Center, a nonprofit research center in Washington. Without obtaining court approval, intelligence agents can then add more specific requests — like names of individuals and additional Internet services to track — every day for a year.

National Security Letters are limited to the name, address, length of service and toll billing records of a service’s subscribers.

Because national security requests ban recipients from even acknowledging their existence, it is difficult to know exactly how, and how often, the companies cooperate or resist. Small companies are more likely to take the government to court, lawyers said, because they have fewer government relationships and customers, and fewer disincentives to rock the boat. One of the few known challenges to a National Security Letter, for instance, came from a small Internet provider in New York, the Calyx Internet Access Corporation.

The Yahoo ruling, from 2008, shows the company argued that the order violated its users’ Fourth Amendment rights against unreasonable searches and seizures. The court called that worry “overblown.”

“Notwithstanding the parade of horribles trotted out by the petitioner, it has presented no evidence of any actual harm, any egregious risk of error, or any broad potential for abuse,” the court said, adding that the government’s “efforts to protect national security should not be frustrated by the courts.”

One of the most notable challenges to a National Security Letter came from an unidentified electronic communications service provider in San Francisco. In 2011, the company was presented with a letter from the F.B.I., asking for account information of a subscriber for an investigation into “international terrorism or clandestine intelligence activities.”

The company went to court. In March, a Federal District Court judge, Susan Illston, ruled the information request unconstitutional, along with the gag order. The case is under appeal, which is why the company cannot be named.

Google filed a challenge this year against 19 National Security Letters in the same federal court, and in May, Judge Illston ruled against the company. Google was not identified in the case, but its involvement was confirmed by a person briefed on the case.

In 2011, Twitter successfully challenged a silence order on a National Security Letter related to WikiLeaks members.

Other companies are asking for permission to talk about national security requests. Google negotiated with Justice officials to publish the number of letters they received, and were allowed to say they each received between zero and 999 last year, as did Microsoft. The companies, along with Facebook and Twitter, said Tuesday that the government should give them more freedom to disclose national security requests.

The companies comply with a vast majority of nonsecret requests, including subpoenas and search warrants, by providing at least some of the data.

For many of the requests to tech companies, the government relies on a 2008 amendment to FISA. Even though the FISA court requires so-called minimization procedures to limit incidental eavesdropping on people not in the original order, including Americans, the scale of electronic communication is so vast that such information — say, on an e-mail string — is often picked up, lawyers say.

Last year, the FISA court said the minimization rules were unconstitutional, and on Wednesday, ruled that it had no objection to sharing that opinion publicly. It is now up to a federal court.

[Davkaus]

And we thought "super injunctions" were bad.

[BOF]

Good Guy Sweden

Sweden’s data protection Authority bans Google cloud services over privacy concerns

In a landmark ruling, Sweden’s data protection authority (the Swedish Data Inspection Board) this week issued a decision that prohibits the nation’s public sector bodies from using the cloud service Google Apps.

The ruling – which bans Google cloud products such as calendar services, email and data processing functions – is based on inadequacies in the Google contract. A risk assessment by the Board determined that the contract gives Google too much covert discretion over how data can be used, and that public sector customers are unable to ensure that data protection rights are protected.

The assessment gives several examples of this deficiency, including uncertainty over how data may be mined or processed by Google and lack of knowledge about which subcontractors may be involved in the processing. The assessment also concluded that there was no certainty about if or when data would be deleted after expiration of the contract.

The decision comes at a critically important moment for Google. A group of EU data protection regulators is currently deciding how to respond to the company’s controversial new privacy policy which allows the company to amalgamate data across all its products and services for whatever purposes it sees fit. Regulators are concerned that this condition is perilous to data protection rights. The Swedish decision reflects many of these anxieties.

The decision may also trigger a disintegration of trust across Europe over the use by schools of such services. A recent survey revealed that schools are adopting cloud services at speed but that there is widespread concern over loss of control over the data.

The effect of the ruling against Salem will apply immediately across all Swedish municipal authorities, but will also by default extend to national government departments.

By way of background, in 2011 the Board criticized the Salem municipality for its use of the Google cloud service. That initial view focused on deficiencies in the agreement which meant that the contract did not comply with the rules in the Personal Data Act (PuL). The arrangement gave Google too much space to process personal data for its own purposes.

The Salem municipality was requested to produce a new agreement, but following a review of the new wording the Board concluded that the previous shortcomings remained.

Earlier this year the Norwegian data protection authority also demanded amendments to contract conditions for Cloud services, highlighting similar concerns

The decision runs headlong into Google’s “one size fits all” policy and throws out a challenge to the advertising giant to provide more specific terms and protections for its services. Other EU regulators will be closely monitoring the Swedish decision.

[Tegis]

My boss just marched into my office and said we need to build a hosted service for worried customers. Good thing I'm not fighting 54 other deadlines

[Davkaus]

Snowden had a Q&A on earlier today. Some interesting comments there.

Edited June 17, 2013 by Davkaus

[Xann]

Prism's situation is looking sticky on the surface: no longer secret, publicly exposed and denounced.

 

Also bad for them -  Going forward it probably won't just be the Chinese at the walls of the Prism cyber stockade.

 

If shifting the orbits of communication satellites had become tiresome, I know who I'd like to hack next.

 

Prism's existence could appear to be untenable

 

Will it front it out, be dissolved or perhaps be rebranded?

[islingtonclaret]

Think I might have to move to another e-mail address. With Google (legally, yes) not paying any sodding tax whilst take millions of pounds off people in this country and Google signed up to Prism I just can't bring myself to actively use their services anymore.

[BOF]

Xann if I had to guess, Prism is one of many such operations and they'll leave it out there as the poster child bad guy while doing something else secret in its place - if they aren't already. They're not just going to stop filtering the internet. I also read that the real scandal isn't Prism, the real scandal is that the laws have been rewritten so that Prism isn't even illegal. That the fact they're allowed to do it in law is the real problem here.

[tarjei]

GCHQ taps fibre-optic cables for secret access to world's communications

Exclusive: British spy agency collects and stores vast quantities of global email messages, Facebook posts, internet histories and calls, and shares them with NSA, latest documents from Edward Snowden reveal

Secret document detailing GCHQ's ambition to 'master the internet'

Britain's spy agency GCHQ has secretly gained access to the network of cables which carry the world's phone calls and internet traffic and has started to process vast streams of sensitive personal information which it is sharing with its American partner, the National Security Agency (NSA).

The sheer scale of the agency's ambition is reflected in the titles of its two principal components: Mastering the Internet and Global Telecoms Exploitation, aimed at scooping up as much online and telephone traffic as possible. This is all being carried out without any form of public acknowledgement or debate.

One key innovation has been GCHQ's ability to tap into and store huge volumes of data drawn from fibre-optic cables for up to 30 days so that it can be sifted and analysed. That operation, codenamed Tempora, has been running for some 18 months.

GCHQ and the NSA are consequently able to access and process vast quantities of communications between entirely innocent people, as well as targeted suspects.

This includes recordings of phone calls, the content of email messages, entries on Facebook and the history of any internet user's access to websites – all of which is deemed legal, even though the warrant system was supposed to limit interception to a specified range of targets.

The existence of the programme has been disclosed in documents shown to the Guardian by the NSA whistleblower Edward Snowden as part of his attempt to expose what he has called "the largest programme of suspicionless surveillance in human history".

"It's not just a US problem. The UK has a huge dog in this fight," Snowden told the Guardian. "They [GCHQ] are worse than the US."

However, on Friday a source with knowledge of intelligence argued that the data was collected legally under a system of safeguards, and had provided material that had led to significant breakthroughs in detecting and preventing serious crime.

Britain's technical capacity to tap into the cables that carry the world's communications – referred to in the documents as special source exploitation – has made GCHQ an intelligence superpower.

By 2010, two years after the project was first trialled, it was able to boast it had the "biggest internet access" of any member of the Five Eyes electronic eavesdropping alliance, comprising the US, UK, Canada, Australia and New Zealand.

UK officials could also claim GCHQ "produces larger amounts of metadata than NSA". (Metadata describes basic information on who has been contacting whom, without detailing the content.)

By May last year 300 analysts from GCHQ, and 250 from the NSA, had been assigned to sift through the flood of data.

The Americans were given guidelines for its use, but were told in legal briefings by GCHQ lawyers: "We have a light oversight regime compared with the US".

When it came to judging the necessity and proportionality of what they were allowed to look for, would-be American users were told it was "your call".

The Guardian understands that a total of 850,000 NSA employees and US private contractors with top secret clearance had access to GCHQ databases.

The documents reveal that by last year GCHQ was handling 600m "telephone events" each day, had tapped more than 200 fibre-optic cables and was able to process data from at least 46 of them at a time.

Document quoting Lt Gen Keith Alexander, head of the NSA, during a visit to Britain

Each of the cables carries data at a rate of 10 gigabits per second, so the tapped cables had the capacity, in theory, to deliver more than 21 petabytes a day – equivalent to sending all the information in all the books in the British Library 192 times every 24 hours.

And the scale of the programme is constantly increasing as more cables are tapped and GCHQ data storage facilities in the UK and abroad are expanded with the aim of processing terabits (thousands of gigabits) of data at a time.

For the 2 billion users of the world wide web, Tempora represents a window on to their everyday lives, sucking up every form of communication from the fibre-optic cables that ring the world.

The NSA has meanwhile opened a second window, in the form of the Prism operation, revealed earlier this month by the Guardian, from which it secured access to the internal systems of global companies that service the internet.

The GCHQ mass tapping operation has been built up over five years by attaching intercept probes to transatlantic fibre-optic cables where they land on British shores carrying data to western Europe from telephone exchanges and internet servers in north America.

This was done under secret agreements with commercial companies, described in one document as "intercept partners".

The papers seen by the Guardian suggest some companies have been paid for the cost of their co-operation and GCHQ went to great lengths to keep their names secret. They were assigned "sensitive relationship teams" and staff were urged in one internal guidance paper to disguise the origin of "special source" material in their reports for fear that the role of the companies as intercept partners would cause "high-level political fallout".

The source with knowledge of intelligence said on Friday the companies were obliged to co-operate in this operation. They are forbidden from revealing the existence of warrants compelling them to allow GCHQ access to the cables.

"There's an overarching condition of the licensing of the companies that they have to co-operate in this. Should they decline, we can compel them to do so. They have no choice."

The source said that although GCHQ was collecting a "vast haystack of data" what they were looking for was "needles".

"Essentially, we have a process that allows us to select a small number of needles in a haystack. We are not looking at every piece of straw. There are certain triggers that allow you to discard or not examine a lot of data so you are just looking at needles. If you had the impression we are reading millions of emails, we are not. There is no intention in this whole programme to use it for looking at UK domestic traffic – British people talking to each other," the source said.

He explained that when such "needles" were found a log was made and the interception commissioner could see that log.

"The criteria are security, terror, organised crime. And economic well-being. There's an auditing process to go back through the logs and see if it was justified or not. The vast majority of the data is discarded without being looked at … we simply don't have the resources."

However, the legitimacy of the operation is in doubt. According to GCHQ's legal advice, it was given the go-ahead by applying old law to new technology. The 2000 Regulation of Investigatory Powers Act (Ripa) requires the tapping of defined targets to be authorised by a warrant signed by the home secretary or foreign secretary.

However, an obscure clause allows the foreign secretary to sign a certificate for the interception of broad categories of material, as long as one end of the monitored communications is abroad. But the nature of modern fibre-optic communications means that a proportion of internal UK traffic is relayed abroad and then returns through the cables.

Parliament passed the Ripa law to allow GCHQ to trawl for information, but it did so 13 years ago with no inkling of the scale on which GCHQ would attempt to exploit the certificates, enabling it to gather and process data regardless of whether it belongs to identified targets.

The categories of material have included fraud, drug trafficking and terrorism, but the criteria at any one time are secret and are not subject to any public debate. GCHQ's compliance with the certificates is audited by the agency itself, but the results of those audits are also secret.

An indication of how broad the dragnet can be was laid bare in advice from GCHQ's lawyers, who said it would be impossible to list the total number of people targeted because "this would be an infinite list which we couldn't manage".

There is an investigatory powers tribunal to look into complaints that the data gathered by GCHQ has been improperly used, but the agency reassured NSA analysts in the early days of the programme, in 2009: "So far they have always found in our favour".

Historically, the spy agencies have intercepted international communications by focusing on microwave towers and satellites. The NSA's intercept station at Menwith Hill in North Yorkshire played a leading role in this. One internal document quotes the head of the NSA, Lieutenant General Keith Alexander, on a visit to Menwith Hill in June 2008, asking: "Why can't we collect all the signals all the time? Sounds like a good summer project for Menwith."

By then, however, satellite interception accounted for only a small part of the network traffic. Most of it now travels on fibre-optic cables, and the UK's position on the western edge of Europe gave it natural access to cables emerging from the Atlantic.

The data collected provides a powerful tool in the hands of the security agencies, enabling them to sift for evidence of serious crime. According to the source, it has allowed them to discover new techniques used by terrorists to avoid security checks and to identify terrorists planning atrocities. It has also been used against child exploitation networks and in the field of cyberdefence.

It was claimed on Friday that it directly led to the arrest and imprisonment of a cell in the Midlands who were planning co-ordinated attacks; to the arrest of five Luton-based individuals preparing acts of terror, and to the arrest of three London-based people planning attacks prior to the Olympics.

As the probes began to generate data, GCHQ set up a three-year trial at the GCHQ station in Bude, Cornwall. By the summer of 2011, GCHQ had probes attached to more than 200 internet links, each carrying data at 10 gigabits a second. "This is a massive amount of data!" as one internal slideshow put it. That summer, it brought NSA analysts into the Bude trials. In the autumn of 2011, it launched Tempora as a mainstream programme, shared with the Americans.

The intercept probes on the transatlantic cables gave GCHQ access to its special source exploitation. Tempora allowed the agency to set up internet buffers so it could not simply watch the data live but also store it – for three days in the case of content and 30 days for metadata.

"Internet buffers represent an exciting opportunity to get direct access to enormous amounts of GCHQ's special source data," one document explained.

The processing centres apply a series of sophisticated computer programmes in order to filter the material through what is known as MVR – massive volume reduction. The first filter immediately rejects high-volume, low-value traffic, such as peer-to-peer downloads, which reduces the volume by about 30%. Others pull out packets of information relating to "selectors" – search terms including subjects, phone numbers and email addresses of interest. Some 40,000 of these were chosen by GCHQ and 31,000 by the NSA. Most of the information extracted is "content", such as recordings of phone calls or the substance of email messages. The rest is metadata.

The GCHQ documents that the Guardian has seen illustrate a constant effort to build up storage capacity at the stations at Cheltenham, Bude and at one overseas location, as well a search for ways to maintain the agency's comparative advantage as the world's leading communications companies increasingly route their cables through Asia to cut costs. Meanwhile, technical work is ongoing to expand GCHQ's capacity to ingest data from new super cables carrying data at 100 gigabits a second. As one training slide told new users: "You are in an enviable position – have fun and make the most of it."

 

Link

Edited June 22, 2013 by tarjei

[peterms]

A few days ago, Michael Hastings died.  He worked for Rolling Stone.  He's the guy who wrote the story about General McChrystal which resulted in the General's forced resignation.

 

He was later threatened, with people saying if they didn't like what he wrote, they would kill him.  It wasn't the first death threat he'd had.

 

Shortly before his death, he emailed people to say he had a big story, if people came to interview them they should have legal representation present, and he was going off the radar.  He then contacted a Wikileaks lawyer to say the FBI were investigating him.  The FBI have since denied this.  His last article was on the NSA story.

 

Then he died.  His car crashed into a tree at (estimates vary) maybe 120mph, at 4.30 am, nothing else on the road.  An eye witness described seeing sparks and flames coming from the car before the crash.  The engine and transmission were found 100 feet from the car.

 

The police say there is no suspicion of foul play.

[maqroll]

Shades of Silkwood

[peterms]

Center for Automotive Embedded Systems Security

 

...Modern automobiles are becoming increasingly computerized — with many components controlled partially or entirely by computers and networked both internally and externally. This architecture is the basis for significant advances in safety (e.g., anti-lock brakes), fuel efficiency, and convenience. However, increasing computerization also creates new risks that must be addressed...

 

...Our research was aimed at comprehensively assessing — and learning from — how much resilience a conventional automobile has against a digital attack mounted against its internal components by an attacker with access to the car's internal network...

 

...In the paper "Comprehensive Experimental Analyses of Automotive Attack Surfaces," we step back and evaluate the external vulnerability surfaces of a modern automobile. We conceptually evaluate different potential vectors through which an attacker might be able to compromise computers within a car and, by transitivity, communicate over the car's internal computer network. Our conceptual analysis yields three key classes of remote attack vectors, or vectors that someone can leverage without ever being in physical contact with the vehicle. These three classes are: indirect physical, short-range wireless, and long-range wireless...

 

...We believe that car owners today should not be overly concerned at this time. It requires significant sophistication to develop the capabilities described in our papers and we are unaware of any attackers who are even targeting automobiles at this time...

 

...There are over 250 million registered passenger automobiles in the United States. The vast majority of these are computer controlled to a significant degree and virtually all new cars are now pervasively computerized. Computers (in the form of self-contained embedded systems) have been integrated into virtually every aspect of a car's functioning and diagnostics, including the throttle, transmission, brakes...

 

...the trends above — that modern automobiles are becoming increasingly computerized and networked — suggest that in the future, there may be increasing opportunities for unauthorized individuals (attackers) to access and tamper with a car's internal computers...

...We conducted our computer security analyses on two modern cars. These cars were introduced into the U.S. market in 2009 and are of the same make and model. We determined that someone with access to the internal network in the car could use his or her own computer equipment to take over a broad array of safety-critical computer systems.

 

For example, in live road tests, were able to forcibly and completely disengage the brakes while driving, making it difficult for the driver to stop. Conversely, we were able to forcibly activate the brakes, lurching the driver forward and causing the car to stop suddenly...

...the increasing use of externally facing wireless interfaces may increase the exposure for future vehicles and provide a way for someone to remotely access the car's wired network...

...Specially crafted CDs or a compromised mechanic's tool can install software on the car's computers which can perform any of the malicious behaviors we studied previously...

...The Bluetooth and cellular vectors allow total car compromise by exploiting flaws in the telematics unit. All of the wireless vectors enable controlling a previously compromised car by listening to their wireless channels and then sending a “trigger” message on the internal network...

...we observed automotive components that safely tolerate failures and disruptions in communications, but that were far more fragile with respect to tolerating attacks...

...against any small risk of "putting ideas" in the heads of future "bad guys," we believe there is a far greater benefit in putting these same ideas into the heads of "good guys" today. We do not want society to be taken by surprise for not having considered what new risks our future automotive designs may bring. If or when automotive attackers arrive on the scene, we believe defenses should already be in place. Research such as ours helps industry and government to stay a step ahead.

[Cliffy Biro]

The only thing that pisses me off about this snowden is a hero stuff is all the countries that are supporting him are probably doing the same thing, also china and russia trying to take the moral high ground is ridiculously amusing.

 

What would happen in china and russia if a civil servant leaked sensitive stuff like this? Not saying i agree with it by the way but if you break the law whatever your motives then you should deal with the consequences.

[CrackpotForeigner]

if you break the law whatever your motives then you should deal with the consequences.

 

I don't understand this thinking at all. The law was written by human beings with human faults and human failings. To follow it blindly and unquestioningly might keep you out of trouble, but it also makes YOU a bit LESS human at the same time.

[legov]

The only thing that pisses me off about this snowden is a hero stuff is all the countries that are supporting him are probably doing the same thing, also china and russia trying to take the moral high ground is ridiculously amusing.

 

What would happen in china and russia if a civil servant leaked sensitive stuff like this?

 

THIIIIIIIIS. (apart from the bit Crackpot mentioned)

[Cliffy Biro]

 

if you break the law whatever your motives then you should deal with the consequences.

 

I don't understand this thinking at all. The law was written by human beings with human faults and human failings. To follow it blindly and unquestioningly might keep you out of trouble, but it also makes YOU a bit LESS human at the same time.

 

Well im not saying to follow it blindly but we all know the basic laws and while you are free to break them if you choose you must surely realise that there are consequences? What are the alternatives?

[Davkaus]

What would happen in china and russia if a civil servant leaked sensitive stuff like this?

...Well...The American government would be up in arms about it.

They're all pretty much as bad as each other, the main difference with America is that their citizens have swallowed all of the 'land of the free' bullshit, whereas the Russians are more aware of what their government is up to.

Edited June 23, 2013 by Davkaus

[OutByEaster?]

Snowden brings home just how separated politics has become from reality - I wouldn't want him arrested and I don't know anyone that would, for me he's a whistleblower for an unscrupulous group and he's doing what he's doing for the greater good. Governments are describing him in the kind of language reserved for cold war traitors and it feels to me like that's what we're getting into - a cold war between governments (and their corporate and self interest) and the people. 

 

The idea of being able to vote for somebody that represents the electorate and has their interests at heart seems almost ridiculous. Party politics is dead. Something is happening and I don't know what it is, but I think we're reaching a tipping point. 

 

 

As for Prism and all that it represents, isn't it great that our governments are prepared to work so hard for our freedom that they're even prepared to sacrifice that freedom to get there?

[DanishVillan]

Prism, Bonesaw, Stuxnet. Say hi to General Keith Alexander.

[AVFCforever1991]