The Intercept reports: With only days until Donald Trump takes office, the Obama administration on Thursday announced new rules that will let the NSA share vast amounts of private data gathered without warrant, court orders or congressional authorization with 16 other agencies, including the FBI, the Drug Enforcement Agency, and the Department of Homeland Security.
The new rules allow employees doing intelligence work for those agencies to sift through raw data collected under a broad, Reagan-era executive order that gives the NSA virtually unlimited authority to intercept communications abroad. Previously, NSA analysts would filter out information they deemed irrelevant and mask the names of innocent Americans before passing it along.
The change was in the works long before there was any expectation that someone like Trump might become president. The last-minute adoption of the procedures is one of many examples of the Obama administration making new executive powers established by the Bush administration permanent, on the assumption that the executive branch could be trusted to police itself. [Continue reading…]
Obama opens NSA’s vast trove of warrantless data to entire Intelligence Community, just in time for Trump
Jim Killock writes: The Investigatory Powers Act will come into force at the start of 2017, and will cement ten years of illegal surveillance into law.
It includes state powers to intercept bulk communications and collect vast amounts of communications data and content. The security and law enforcement agencies – including government organisations such as HMRC (Her Majesty’s Revenue and Customs) – can hack into devices of people in the UK.
Under this law, the intelligence agencies can use bulk hacking powers to hack devices and networks outside the UK. They can also access and analyse entire databases, whether they are held by private companies or public organisations – even though they have admitted that most people on them will not be suspected of any crimes.
One of the new and most intrusive powers is that Internet Service Providers (ISPs) can be compelled to collect a record of our web browsing activity and this can be accessed by the police and 48 government departments, including the Food Standards Agency and the HMRC. [Continue reading…]
The Guardian reports: A bill giving the UK intelligence agencies and police the most sweeping surveillance powers in the western world has passed into law with barely a whimper, meeting only token resistance over the past 12 months from inside parliament and barely any from outside.
The Investigatory Powers Act, passed on Thursday, legalises a whole range of tools for snooping and hacking by the security services unmatched by any other country in western Europe or even the US.
The security agencies and police began the year braced for at least some opposition, rehearsing arguments for the debate. In the end, faced with public apathy and an opposition in disarray, the government did not have to make a single substantial concession to the privacy lobby.
US whistleblower Edward Snowden tweeted: “The UK has just legalised the most extreme surveillance in the history of western democracy. It goes further than many autocracies.” [Continue reading…]
The Guardian reports: British security agencies have secretly and unlawfully collected massive volumes of confidential personal data, including financial information, on citizens for more than a decade, senior judges have ruled.
The investigatory powers tribunal, which is the only court that hears complaints against MI5, MI6 and GCHQ, said the security services operated an illegal regime to collect vast amounts of communications data, tracking individual phone and web use and other confidential personal information, without adequate safeguards or supervision for 17 years.
Privacy campaigners described the ruling as “one of the most significant indictments of the secret use of the government’s mass surveillance powers” since Edward Snowden first began exposing the extent of British and American state digital surveillance of citizens in 2013.
The tribunal said the regime governing the collection of bulk communications data (BCD) – the who, where, when and what of personal phone and web communications – failed to comply with article 8 protecting the right to privacy of the European convention of human rights (ECHR) between 1998, when it started, and 4 November 2015, when it was made public. [Continue reading…]
Reuters reports: Yahoo Inc last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.
The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said three former employees and a fourth person apprised of the events.
Some surveillance experts said this represents the first case to surface of a U.S. Internet company agreeing to an intelligence agency’s request by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.
It is not known what information intelligence officials were looking for, only that they wanted Yahoo to search for a set of characters. That could mean a phrase in an email or an attachment, said the sources, who did not want to be identified.
Reuters was unable to determine what data Yahoo may have handed over, if any, and if intelligence officials had approached other email providers besides Yahoo with this kind of request.
According to two of the former employees, Yahoo Chief Executive Marissa Mayer’s decision to obey the directive roiled some senior executives and led to the June 2015 departure of Chief Information Security Officer Alex Stamos, who now holds the top security job at Facebook Inc. [Continue reading…]
The Wall Street Journal reports: Big technology companies, including Google, Microsoft Corp., Twitter Inc. and Facebook Inc. denied scanning incoming user emails on behalf of the U.S. government, following a report that Yahoo Inc. had built such a system. [Continue reading…]
Kenneth Roth and Salil Shetty write: Edward J. Snowden, the American who has probably left the biggest mark on public policy debates during the Obama years, is today an outlaw. Mr. Snowden, a former National Security Agency contractor who disclosed to journalists secret documents detailing the United States’ mass surveillance programs, faces potential espionage charges, even though the president has acknowledged the important public debate his revelations provoked.
Mr. Snowden’s whistle-blowing prompted reactions across the government. Courts found the government wrong to use Section 215 of the Patriot Act to justify mass phone data collection. Congress replaced that law with the USA Freedom Act, improving transparency about government surveillance and limiting government power to collect certain records. The president appointed an independent review board, which produced important reform recommendations.
That’s just in the American government. Newspapers that published Mr. Snowden’s revelations won the Pulitzer Prize. The United Nations issued resolutions on protecting digital privacy and created a mandate to promote the right to privacy. Many technology companies, facing outrage at their apparent complicity in mass surveillance, began providing end-to-end encryption by default. Three years on, the news media still refer to Mr. Snowden and his revelations every day. His actions have brought about a dramatic increase in our awareness of the risks to our privacy in the digital age — and to the many rights that depend on privacy.
Yet President Obama and the candidates to succeed him have emphasized not Mr. Snowden’s public service but the importance of prosecuting him. Hillary Clinton has said Mr. Snowden shouldn’t be brought home “without facing the music.” Donald J. Trump has said, “I think he’s a total traitor and I would deal with him harshly.”
Eric H. Holder Jr. struck a more measured tone in May, upon leaving office as Mr. Obama’s attorney general. He recognized that while Mr. Snowden broke the law, “he actually performed a public service” by raising the national debate on surveillance practices. [Continue reading…]
The New York Times reports: Want to invisibly spy on 10 iPhone owners without their knowledge? Gather their every keystroke, sound, message and location? That will cost you $650,000, plus a $500,000 setup fee with an Israeli outfit called the NSO Group. You can spy on more people if you would like — just check out the company’s price list.
The NSO Group is one of a number of companies that sell surveillance tools that can capture all the activity on a smartphone, like a user’s location and personal contacts. These tools can even turn the phone into a secret recording device.
Since its founding six years ago, the NSO Group has kept a low profile. But last month, security researchers caught its spyware trying to gain access to the iPhone of a human rights activist in the United Arab Emirates. They also discovered a second target, a Mexican journalist who wrote about corruption in the Mexican government.
Now, internal NSO Group emails, contracts and commercial proposals obtained by The New York Times offer insight into how companies in this secretive digital surveillance industry operate. The emails and documents were provided by two people who have had dealings with the NSO Group but would not be named for fear of reprisals.
The company is one of dozens of digital spying outfits that track everything a target does on a smartphone. They aggressively market their services to governments and law enforcement agencies around the world. The industry argues that this spying is necessary to track terrorists, kidnappers and drug lords. The NSO Group’s corporate mission statement is “Make the world a safe place.”
Ten people familiar with the company’s sales, who refused to be identified, said that the NSO Group has a strict internal vetting process to determine who it will sell to. An ethics committee made up of employees and external counsel vets potential customers based on human rights rankings set by the World Bank and other global bodies. And to date, these people all said, NSO has yet to be denied an export license.
But critics note that the company’s spyware has also been used to track journalists and human rights activists.
“There’s no check on this,” said Bill Marczak, a senior fellow at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. “Once NSO’s systems are sold, governments can essentially use them however they want. NSO can say they’re trying to make the world a safer place, but they are also making the world a more surveilled place.” [Continue reading…]
If you use a credit card, your daily activities are under continuous surveillance. Information gathered from each transaction is monitored and analysed, not by the NSA, but by the financial companies themselves.
Most cardholders who are aware of this are grateful for the fact. It means that if or when you get a phone call or text message from the company telling you they’ve noticed suspicious activity on your account, the chances are that the warning is warranted and some fraud can get snipped in the bud.
Suppose your online activity was being monitored in an analogous way — not to spot fraud but instead to spot symptoms of undiagnosed disease — would you welcome this kind of surveillance?
Right now, this is a hypothetical question, but it probably won’t be long before automated health-tracking systems emerge. Perhaps health insurance companies will offer a discount to individuals who opt-in for the service.
The hyperbole surrounding the issue of surveillance usually looks at it through the lens of the intelligence agencies and political oppression, but what may in the long run be much more significant, socially, is the kind of benign surveillance that caters to our needs — that makes life easier by anticipating our needs.
Needs easily met create an expanding field of things we take for granted, but with that comes a diminishing state of awareness. For some people, the fewer their cares, the more creative they become, but more often it seems like ease fuels a hunger for stimulation and distraction.
The surveillance state we are moving into is not one where we are at much risk of getting whisked away by the secret police, but rather it is one in which we are likely to submerge deeper and deeper into the oblivion of convenience.
The New York Times reports: Microsoft scientists have demonstrated that by analyzing large samples of search engine queries they may in some cases be able to identify internet users who are suffering from pancreatic cancer, even before they have received a diagnosis of the disease.
The scientists said they hoped their work could lead to early detection of cancer. Their study was published on Tuesday in The Journal of Oncology Practice by Dr. Eric Horvitz and Dr. Ryen White, the Microsoft researchers, and John Paparrizos, a Columbia University graduate student.
“We asked ourselves, ‘If we heard the whispers of people online, would it provide strong evidence or a clue that something’s going on?’” Dr. Horvitz said.
The researchers focused on searches conducted on Bing, Microsoft’s search engine, that indicated someone had been diagnosed with pancreatic cancer. From there, they worked backward, looking for earlier queries that could have shown that the Bing user was experiencing symptoms before the diagnosis. Those early searches, they believe, can be warning flags. [Continue reading…]
The Washington Post reports: The Obama administration is seeking to amend surveillance law to give the FBI explicit authority to access a person’s Internet browser history and other electronic data without a warrant in terrorism and spy cases.
The administration made a similar effort six years ago but dropped it after concerns were raised by privacy advocates and the tech industry.
FBI Director James B. Comey has characterized the legislation as a fix to “a typo” in the Electronic Communications Privacy Act, which he says has led some tech firms to refuse to provide data that Congress intended them to provide.
But tech firms and privacy advocates say the bureau is seeking an expansion of surveillance powers that infringes on Americans’ privacy. [Continue reading…]
Electronic Frontier Foundation: The U.S. House of Representatives passed the Email Privacy Act (H.R. 699) yesterday, which would require the government to get a probable cause warrant from a judge before obtaining private communications and documents stored online with companies such as Google, Facebook, and Dropbox.
The bill provides a long-overdue update to the Electronic Communications Privacy Act (ECPA), first passed in 1986. The bill also codifies the Sixth Circuit’s ruling in U.S. v. Warshak, which held that the Fourth Amendment demands that the government first obtain a warrant before accessing emails stored with cloud service providers.
The House vote is historic, given that H.R. 699 has an amazing 315 cosponsors, almost three quarters of the entire House. The House voted unanimously, following a unanimous vote by the House Judiciary Committee earlier this month. [Continue reading…]
The New York Times reports: The director of the F.B.I. suggested Thursday that his agency paid at least $1.3 million to an undisclosed group to help hack into the encrypted iPhone used by an attacker in the mass shooting in San Bernardino, Calif.
At a technology conference in London, a moderator asked James B. Comey Jr., the F.B.I. chief, how much bureau officials had to pay the undisclosed outside group to demonstrate how to bypass the phone’s encryption.
“A lot,” Mr. Comey said, as audience members at the Aspen Institute event laughed.
He continued: “Let’s see, more than I will make in the remainder of this job, which is seven years and four months, for sure.”
The F.B.I. had been unwilling to say anything at all until Thursday about how much it paid for what has become one of the world’s most publicized hacking jobs, so Mr. Comey’s cryptic comments about his own wages and the bounty quickly sent listeners scurrying in search of their calculators.
The F.B.I. director makes about $185,100 a year — so Mr. Comey stands to earn at least $1.35 million at that base rate of pay for the remainder of his 10-year term. [Continue reading…]
The Guardian reports: Britain’s intelligence agencies have been secretly collecting bulk personal data since the late 1990s and privately admit they have gathered information on people who are “unlikely to be of intelligence or security interest”.
Disclosure of internal MI5, MI6 and GCHQ documents reveals the agencies’ growing reliance on amassing data as a prime source of intelligence even as they concede that such “intrusive” practices can invade the privacy of individuals.
A cache of more than 100 memorandums, forms and policy papers, obtained by Privacy International during a legal challenge over the lawfulness of surveillance, demonstrates that collection of bulk data has been going on for longer than previously disclosed while public knowledge of the process was suppressed for more than 15 years.
The files show that GCHQ, the government’s electronic eavesdropping centre based in Cheltenham, was collecting and developing bulk data sets as early as 1998 under powers granted by section 94 of the 1984 Telecommunications Act.
The documents offer a unique insight into the way MI5, MI6, and GCHQ go about collecting and storing bulk data on individuals, as well as authorising discovery of journalists’ sources.
Bulk personal data includes information extracted from passports, travel records, financial data, telephone calls, emails and many other open or covert sources. Often they are “fused” together to help pinpoint suspects. [Continue reading…]
The New York Times reports: The F.B.I. defended its hiring of a third party to break into an iPhone used by a gunman in last year’s San Bernardino, Calif., mass shooting, telling some skeptical lawmakers on Tuesday that it needed to join with partners in the rarefied world of for-profit hackers as technology companies increasingly resist their demands for consumer information.
Amy Hess, the Federal Bureau of Investigation’s executive assistant director for science and technology, made the comments at a hearing by members of Congress who are debating potential legislation on encryption. The lawmakers gathered law enforcement authorities and Silicon Valley company executives to discuss the issue, which has divided technology companies and officials in recent months and spurred a debate over privacy and security.
The hearing follows a recent standoff between the F.B.I. and Apple over a court order to force the company to help unlock an iPhone used by one of the San Bernardino attackers. Apple opposed the order, citing harm to the privacy of its users. The F.B.I. later dropped its demand for Apple’s help when it found a third-party alternative to hack the device. [Continue reading…]
The New York Times reports: Google is a top target for European regulators and privacy watchdogs, who openly fear and distrust its dominance. The American tech giant’s search engine alone gobbles up roughly 90 percent of the European market.
But a landmark court ruling intended to rein in Google has instead put it at the forefront of Europe’s enforcement of Internet privacy. That has upended conventional wisdom about the company and raised questions about the role of commercial interests in protecting people’s privacy, often with little or no transparency.
In the almost two years since Europeans gained the “right to be forgotten” on the Internet, Google has passed judgment in over 418,000 cases — roughly 572 a day — from people wanting links of certain search results to be removed, according to the company’s records. It has approved fewer than half of those requests, all behind closed doors.
Google’s total number of privacy-related judgments is double those of most of Europe’s biggest individual national authorities over the same period, even though these public agencies address a wider range of data protection complaints.
Despite a history of animosity toward the company, national regulators have handed over the review powers to Google with few complaints, saying they are merely following Europe’s complex data protection rules. Other search companies, including Microsoft, have been given the same authority, though their number of judgments pales by comparison.
Some consumer groups and privacy experts are not satisfied with that arrangement. They have sounded alarm bells over a for-profit company — one that relies on tapping into people’s digital lives to make billions of dollars and that is the subject of multiple privacy and antitrust investigations — playing such a central role in protecting individuals’ data, and doing so in such a secretive manner. [Continue reading…]
Reuters reports: The company that helped the FBI unlock a San Bernardino shooter’s iPhone to get data has sole legal ownership of the method, making it highly unlikely the technique will be disclosed by the government to Apple or any other entity, Obama administration sources said this week.
The White House has a procedure for reviewing technology security flaws and deciding which ones should be made public. But it is not set up to handle or reveal flaws that are discovered and owned by private companies, the sources said, raising questions about the effectiveness of the so-called Vulnerabilities Equities Process.
The secretive process was created to let various government interests debate about what should be done with a given technology flaw, rather than leaving it to agencies like the National Security Agency, which generally prefers to keep vulnerabilities secret so they can use them. [Continue reading…]