Don’t let WikiLeaks scare you off of Signal and other encrypted chat apps

Wired reports: Of all the revelations to come out of the 9,000-page data dump of CIA hacking tools, one of the most explosive is the possibility that the spy agency can compromise Signal, WhatsApp, and other encrypted chat apps. If you use those apps, let’s be perfectly clear: Nothing in the WikiLeaks docs says the CIA can do that.

A close reading of the descriptions of mobile hacking outlined in the documents released by WikiLeaks shows that the CIA has not yet cracked those invaluable encryption tools. That has done little to prevent confusion on the matter, something WikiLeaks itself contributed to with a carelessly worded tweet:


The end-to-end encryption protocols underpinning these private messaging apps protect all communications as they pass between devices. No one, not even the companies providing the service, can read or see that data while it is in transit. Nothing in the CIA leak disputes that. The underlying software remains every bit as trustworthy now as it was before WikiLeaks released the documents. [Continue reading…]


It ain’t easy getting a FISA warrant: I was an FBI agent and should know

Asha Rangappa writes: In his latest round of twiplash, President Trump on Saturday leveled a very serious accusation: that President Obama had personally ordered the “tapping” of telephone lines in Trump Tower in the months leading up to the November 2016 election. His tweets (scarily) reveal more about what he believes the office of the President is capable of than the reality of what the law allows. As someone who obtained FISA warrants while conducting counterintelligence investigations for the FBI, I can attest to the fact that they not only don’t involve the White House, but the process includes too many layers of approval to be granted without strong evidence.

There are two ways to obtain a wiretap – also known as electronic surveillance – on U.S. persons (citizens and permanent residents), and both include the courts. For criminal investigations, the FBI can seek a warrant under Title III of the U.S. criminal code by showing a federal court that there is probable cause to believe the target has engaged, or is engaging in, criminal activity. This is a fairly high standard because of a strong presumption in favor of our Fourth Amendment right to privacy, and requires a showing that less intrusive means of obtaining the same information aren’t feasible.

The standard for electronic surveillance for foreign intelligence purposes, though, is a little lower. This is because when it comes to national security, as opposed to criminal prosecutions, our Fourth Amendment rights are balanced against the government’s interest in protecting the country. The Foreign Intelligence Surveillance Act (FISA) allows the FBI to get a warrant from a secret court, known as the Foreign Intelligence Surveillance Court (FISC), to conduct electronic surveillance on U.S. persons if they can show probable cause that the target is an “agent of a foreign power” who is “knowingly engag[ing]…in clandestine intelligence activities.” In other words, the government has to show that the target might be spying for a foreign government or organization. [Continue reading…]


Obama opens NSA’s vast trove of warrantless data to entire Intelligence Community, just in time for Trump

The Intercept reports: With only days until Donald Trump takes office, the Obama administration on Thursday announced new rules that will let the NSA share vast amounts of private data gathered without warrant, court orders or congressional authorization with 16 other agencies, including the FBI, the Drug Enforcement Agency, and the Department of Homeland Security.

The new rules allow employees doing intelligence work for those agencies to sift through raw data collected under a broad, Reagan-era executive order that gives the NSA virtually unlimited authority to intercept communications abroad. Previously, NSA analysts would filter out information they deemed irrelevant and mask the names of innocent Americans before passing it along.

The change was in the works long before there was any expectation that someone like Trump might become president. The last-minute adoption of the procedures is one of many examples of the Obama administration making new executive powers established by the Bush administration permanent, on the assumption that the executive branch could be trusted to police itself. [Continue reading…]


The IP Act: UK’s most extreme surveillance law

Jim Killock writes: The Investigatory Powers Act will come into force at the start of 2017, and will cement ten years of illegal surveillance into law.

It includes state powers to intercept bulk communications and collect vast amounts of communications data and content. The security and law enforcement agencies – including government organisations such as HMRC (Her Majesty’s Revenue and Customs) – can hack into devices of people in the UK.

Under this law, the intelligence agencies can use bulk hacking powers to hack devices and networks outside the UK. They can also access and analyse entire databases, whether they are held by private companies or public organisations – even though they have admitted that most people on them will not be suspected of any crimes.

One of the new and most intrusive powers is that Internet Service Providers (ISPs) can be compelled to collect a record of our web browsing activity and this can be accessed by the police and 48 government departments, including the Food Standards Agency and the HMRC. [Continue reading…]


‘Extreme surveillance’ becomes UK law with barely a whimper

The Guardian reports: A bill giving the UK intelligence agencies and police the most sweeping surveillance powers in the western world has passed into law with barely a whimper, meeting only token resistance over the past 12 months from inside parliament and barely any from outside.

The Investigatory Powers Act, passed on Thursday, legalises a whole range of tools for snooping and hacking by the security services unmatched by any other country in western Europe or even the US.

The security agencies and police began the year braced for at least some opposition, rehearsing arguments for the debate. In the end, faced with public apathy and an opposition in disarray, the government did not have to make a single substantial concession to the privacy lobby.

US whistleblower Edward Snowden tweeted: “The UK has just legalised the most extreme surveillance in the history of western democracy. It goes further than many autocracies.” [Continue reading…]


UK security agencies unlawfully collected data for 17 years, court rules

The Guardian reports: British security agencies have secretly and unlawfully collected massive volumes of confidential personal data, including financial information, on citizens for more than a decade, senior judges have ruled.

The investigatory powers tribunal, which is the only court that hears complaints against MI5, MI6 and GCHQ, said the security services operated an illegal regime to collect vast amounts of communications data, tracking individual phone and web use and other confidential personal information, without adequate safeguards or supervision for 17 years.

Privacy campaigners described the ruling as “one of the most significant indictments of the secret use of the government’s mass surveillance powers” since Edward Snowden first began exposing the extent of British and American state digital surveillance of citizens in 2013.

The tribunal said the regime governing the collection of bulk communications data (BCD) – the who, where, when and what of personal phone and web communications – failed to comply with article 8 protecting the right to privacy of the European convention of human rights (ECHR) between 1998, when it started, and 4 November 2015, when it was made public. [Continue reading…]


Yahoo secretly scanned customer emails for U.S. intelligence

Reuters reports: Yahoo Inc last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.

The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said three former employees and a fourth person apprised of the events.

Some surveillance experts said this represents the first case to surface of a U.S. Internet company agreeing to an intelligence agency’s request by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.

It is not known what information intelligence officials were looking for, only that they wanted Yahoo to search for a set of characters. That could mean a phrase in an email or an attachment, said the sources, who did not want to be identified.

Reuters was unable to determine what data Yahoo may have handed over, if any, and if intelligence officials had approached other email providers besides Yahoo with this kind of request.

According to two of the former employees, Yahoo Chief Executive Marissa Mayer’s decision to obey the directive roiled some senior executives and led to the June 2015 departure of Chief Information Security Officer Alex Stamos, who now holds the top security job at Facebook Inc. [Continue reading…]

The Wall Street Journal reports: Big technology companies, including Google, Microsoft Corp., Twitter Inc. and Facebook Inc. denied scanning incoming user emails on behalf of the U.S. government, following a report that Yahoo Inc. had built such a system. [Continue reading…]


Some British taxi drivers being trained to spy on passengers

Middle East Eye reports: Taxi drivers in the UK are being trained to become the “eyes and ears” of local authorities and police in the hunt for potential terrorists as part of safeguarding schemes being rolled out across the country.

Drivers in several British towns and cities are receiving Prevent counter-terrorism training as part of mandatory “knowledge” tests introduced by local councils.

One flagship scheme, run by Calderdale Council in West Yorkshire, northern England, was considered so successful that councillors discussed extending it to staff working in takeaway food outlets and bars.

Manchester City Council also incorporated Prevent awareness into a safeguarding handbook issued to taxi drivers last year, while Dartford Borough Council in Kent is among the latest to introduce Prevent training as part of its safeguarding requirements for taxi drivers.

But taxi industry organisations and trade unions have raised concerns about the training which they say is being introduced in a piecemeal and inconsistent way across the country and risks creating an “air of suspicion” within communities.

Critics of Prevent also questioned the legality of the training and accused the Government of seeking to turn the UK into a “counter-terrorism state” in which citizens were expected to spy on each other. [Continue reading…]


It’s time to pardon Edward Snowden

Kenneth Roth and Salil Shetty write: Edward J. Snowden, the American who has probably left the biggest mark on public policy debates during the Obama years, is today an outlaw. Mr. Snowden, a former National Security Agency contractor who disclosed to journalists secret documents detailing the United States’ mass surveillance programs, faces potential espionage charges, even though the president has acknowledged the important public debate his revelations provoked.

Mr. Snowden’s whistle-blowing prompted reactions across the government. Courts found the government wrong to use Section 215 of the Patriot Act to justify mass phone data collection. Congress replaced that law with the USA Freedom Act, improving transparency about government surveillance and limiting government power to collect certain records. The president appointed an independent review board, which produced important reform recommendations.

That’s just in the American government. Newspapers that published Mr. Snowden’s revelations won the Pulitzer Prize. The United Nations issued resolutions on protecting digital privacy and created a mandate to promote the right to privacy. Many technology companies, facing outrage at their apparent complicity in mass surveillance, began providing end-to-end encryption by default. Three years on, the news media still refer to Mr. Snowden and his revelations every day. His actions have brought about a dramatic increase in our awareness of the risks to our privacy in the digital age — and to the many rights that depend on privacy.

Yet President Obama and the candidates to succeed him have emphasized not Mr. Snowden’s public service but the importance of prosecuting him. Hillary Clinton has said Mr. Snowden shouldn’t be brought home “without facing the music.” Donald J. Trump has said, “I think he’s a total traitor and I would deal with him harshly.”

Eric H. Holder Jr. struck a more measured tone in May, upon leaving office as Mr. Obama’s attorney general. He recognized that while Mr. Snowden broke the law, “he actually performed a public service” by raising the national debate on surveillance practices. [Continue reading…]


How spy tech firms let governments see everything on a smartphone

The New York Times reports: Want to invisibly spy on 10 iPhone owners without their knowledge? Gather their every keystroke, sound, message and location? That will cost you $650,000, plus a $500,000 setup fee with an Israeli outfit called the NSO Group. You can spy on more people if you would like — just check out the company’s price list.

The NSO Group is one of a number of companies that sell surveillance tools that can capture all the activity on a smartphone, like a user’s location and personal contacts. These tools can even turn the phone into a secret recording device.

Since its founding six years ago, the NSO Group has kept a low profile. But last month, security researchers caught its spyware trying to gain access to the iPhone of a human rights activist in the United Arab Emirates. They also discovered a second target, a Mexican journalist who wrote about corruption in the Mexican government.

Now, internal NSO Group emails, contracts and commercial proposals obtained by The New York Times offer insight into how companies in this secretive digital surveillance industry operate. The emails and documents were provided by two people who have had dealings with the NSO Group but would not be named for fear of reprisals.

The company is one of dozens of digital spying outfits that track everything a target does on a smartphone. They aggressively market their services to governments and law enforcement agencies around the world. The industry argues that this spying is necessary to track terrorists, kidnappers and drug lords. The NSO Group’s corporate mission statement is “Make the world a safe place.”

Ten people familiar with the company’s sales, who refused to be identified, said that the NSO Group has a strict internal vetting process to determine who it will sell to. An ethics committee made up of employees and external counsel vets potential customers based on human rights rankings set by the World Bank and other global bodies. And to date, these people all said, NSO has yet to be denied an export license.

But critics note that the company’s spyware has also been used to track journalists and human rights activists.

“There’s no check on this,” said Bill Marczak, a senior fellow at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. “Once NSO’s systems are sold, governments can essentially use them however they want. NSO can say they’re trying to make the world a safer place, but they are also making the world a more surveilled place.” [Continue reading…]


Karen Greenberg on the making of the modern security state

Brian O’Neill writes: For people not intimately involved in national security debates, and who haven’t closely followed how we arrived at the modern security state, the decade-and-a-half following the surreal terror of September 11 have felt like an unmoored drift, a country floating aimlessly, if recklessly, down a river of indecision. The internet’s rising ubiquity, followed by the dominance of social media, allowed many of us to unwittingly shrug off privacy concerns, while simultaneously ignoring others’ indefinite detention, the torture of strangers, and sky-borne assassination overseas, until we looked around and the sky was speckled with revelations. It’s easy to feel like the new relationship we have with our government “only just happened.”

In Rogue Justice, Karen Greenberg, the director of the Center on National Security at Fordham University School of Law, puts that feeling of aimless drift mostly to rest. This detailed and meticulously researched book shows how the willingness to make every citizen a suspect, and to give the executive branch immense powers to surveil, detain, torture, and murder were not just a product of collective fear and indifference, but the deliberate actions of a surprisingly small group of people. I say “mostly” because the decisions were made by officials within the Bush and (to a lesser extent) Obama administrations, but they were also enabled by the assumed (and granted) complicity of many others.

This complicity came from careerists worried about rocking the boat, politicians in both parties worried about being painted as weak on terror (with notable and noble exceptions), and to an uncomfortable extent, the general public. The terrorist attacks in 2001 made everyone realize that anyone could be a target, but we didn’t see — or didn’t want to see — that in a very real way, we also became a target of the government. Many of the policies enacted in the wake of 9/11 made everyone a suspect as much as a target. Through official secrecy aided by general indifference, we allowed ourselves to be passively dragooned into being on both sides of a war. [Continue reading…]


‘Brave New World’: Russia’s new anti-terrorism legislation

Anna Borshchevskaya writes: On June 7, Russian president Vladimir Putin signed controversial anti-terrorism legislation known in Russia as the “Yarovaya law,” named after its leading co-author, prominent member of Putin’s United Russia party Irina Yarovaya.

The law is reminiscent of Soviet-era surveillance. It will also likely contribute to crippling the Russian economy. According to Russian and Western sources, it allows for jailing children as young as 14 for a variety of vaguely-worded reasons, and significantly raises the costs of internet and telecommunications. Russia’s human rights activists and opposition politicians described the law as “unconstitutional.” Russia’s Presidential Council on Civil Society and Human Rights urged Putin not to sign the law.

“Hello, brave new world with expensive Internet, with jails for children, with global surveillance and prison terms for non-snitching,” wrote politician Dmitry Gudkov in his Facebook page after Putin signed the law. Gudkov, one of Russia’s few real opposition parliamentarians, was outspoken in June and urged his colleagues to vote against the law last month. The Duma (lower house of parliament) began the discussion of the bill in May of this year and both the upper and lower houses of parliament approved the bill in late June without genuine debate on the issue.

Among other things, reportedly, the law requires Internet and telecom providers to store recordings of all of their customers’ data and communications for six months. In addition, the law requires them to store all metadata for three years. Russia’s Federal Security Services (FSB) would have access to this information and, as Gudkov pointed out in June, it may easily leak into the black market. This requirement, according to Russia’s cellphone providers, for example, will increase costs for consumers at least two- to three-fold.

The law also introduces criminal liability for “failure to report a crime” that someone “has been planning, is perpetrating, or has perpetrated.” Moreover, under the new law, children as young as 14 can face up to a year in prison for such a “failure” and for other reasons related to extremism, terrorism and participation in massive riots (all of which can be virtually anything in Russia, since the law is vague). As Tanya Lokshina, Human Rights Watch Russia program director, pointed out in June before Putin signed the law, “it’s not clear what ‘planning’ stands for or what level of knowledge needs to be proved to hold a person liable.” Such ambiguity is the hallmark of Russia’s laws in the last several years when Putin began a massive crackdown on Russia’s civil society when he returned to his third presidential term in 2012 amidst the largest protests since the break-up of the Soviet Union. [Continue reading…]


State of Surveillance: Edward Snowden and Shane Smith


The kinds of surveillance people want


If you use a credit card, your daily activities are under continuous surveillance. Information gathered from each transaction is monitored and analysed, not by the NSA, but by the financial companies themselves.

Most cardholders who are aware of this are grateful for the fact. It means that if or when you get a phone call or text message from the company telling you they’ve noticed suspicious activity on your account, the chances are that the warning is warranted and some fraud can get nipped in the bud.

Suppose your online activity was being monitored in an analogous way — not to spot fraud but instead to spot symptoms of undiagnosed disease — would you welcome this kind of surveillance?

Right now, this is a hypothetical question, but it probably won’t be long before automated health-tracking systems emerge. Perhaps health insurance companies will offer a discount to individuals who opt-in for the service.

The hyperbole surrounding the issue of surveillance usually looks at it through the lens of the intelligence agencies and political oppression, but what may in the long run be much more significant, socially, is the kind of benign surveillance that caters to our needs — that makes life easier by anticipating our needs.

Needs easily met create an expanding field of things we take for granted, but with that comes a diminishing state of awareness. For some people, the fewer their cares, the more creative they become, but more often it seems like ease fuels a hunger for stimulation and distraction.

The surveillance state we are moving into is not one where we are at much risk of getting whisked away by the secret police, but rather it is one in which we are likely to submerge deeper and deeper into the oblivion of convenience.

The New York Times reports: Microsoft scientists have demonstrated that by analyzing large samples of search engine queries they may in some cases be able to identify internet users who are suffering from pancreatic cancer, even before they have received a diagnosis of the disease.

The scientists said they hoped their work could lead to early detection of cancer. Their study was published on Tuesday in The Journal of Oncology Practice by Dr. Eric Horvitz and Dr. Ryen White, the Microsoft researchers, and John Paparrizos, a Columbia University graduate student.

“We asked ourselves, ‘If we heard the whispers of people online, would it provide strong evidence or a clue that something’s going on?’” Dr. Horvitz said.

The researchers focused on searches conducted on Bing, Microsoft’s search engine, that indicated someone had been diagnosed with pancreatic cancer. From there, they worked backward, looking for earlier queries that could have shown that the Bing user was experiencing symptoms before the diagnosis. Those early searches, they believe, can be warning flags. [Continue reading…]


FBI wants access to Internet browser history without a warrant in terrorism and spy cases

The Washington Post reports: The Obama administration is seeking to amend surveillance law to give the FBI explicit authority to access a person’s Internet browser history and other electronic data without a warrant in terrorism and spy cases.

The administration made a similar effort six years ago but dropped it after concerns were raised by privacy advocates and the tech industry.

FBI Director James B. Comey has characterized the legislation as a fix to “a typo” in the Electronic Communications Privacy Act, which he says has led some tech firms to refuse to provide data that Congress intended them to provide.

But tech firms and privacy advocates say the bureau is seeking an expansion of surveillance powers that infringes on Americans’ privacy. [Continue reading…]


David Vincenzetti: How the Italian mogul built a hacking empire

David Kushner reports: The Blackwater of surveillance, the Hacking Team is among the world’s few dozen private contractors feeding a clandestine, multibillion-dollar industry that arms the world’s law enforcement and intelligence agencies with spyware. Comprised of around 40 engineers and salespeople who peddle its goods to more than 40 nations, the Hacking Team epitomizes what Reporters Without Borders, the international anti-censorship group, dubs the “era of digital mercenaries.”

The Italian company’s tools — “the hacking suite for governmental interception,” its website claims — are marketed for fighting criminals and terrorists. But there, on Marquis-Boire’s computer screen, was chilling proof that the Hacking Team’s software was also being used against dissidents. It was just the latest example of what Marquis-Boire saw as a worrying trend: corrupt regimes using surveillance companies’ wares for anti-democratic purposes.

When Citizen Lab published its findings in the October 2012 report “Backdoors are Forever: Hacking Team and the Targeting of Dissent?” the group also documented traces of the company’s spyware in a document sent to Ahmed Mansoor, a pro-democracy activist in the United Arab Emirates. Privacy advocates and human rights organizations were alarmed. “By fueling and legitimizing this global trade, we are creating a Pandora’s box,” Christopher Soghoian, the principal technologist with the American Civil Liberties Union’s Speech, Privacy, and Technology Project, told Bloomberg.

The Hacking Team, however, showed no signs of standing down. “Frankly, the evidence that the Citizen Lab report presents in this case doesn’t suggest anything inappropriately done by us,” company spokesman Eric Rabe told the Globe and Mail.

As media and activists speculated about which countries the Italian firm served, the founder and CEO of the Hacking Team, David Vincenzetti — from his sleek, white office inside an unsuspecting residential building in Milan — took the bad press in stride. He joked with his colleagues in a private email that he was responsible for the “evilest technology” in the world.

A tall, lean 48-year-old Italian with a taste for expensive steak and designer suits, Vincenzetti has transformed himself over the past decade from an underground hacker working out of a windowless basement into a mogul worth millions. He is nothing if not militant about what he defines as justice: Julian Assange, the embattled founder of WikiLeaks, is “a criminal who by all means should be arrested, expatriated to the United States, and judged there”; whistleblower Chelsea Manning is “another lunatic”; Edward Snowden “should go to jail, absolutely.”

“Privacy is very important,” Vincenzetti says on a recent February morning in Milan, pausing to sip his espresso. “But national security is much more important.”

Vincenzetti’s position has come at a high cost. Disturbing incidents have been left in his wake: a spy’s suicide, dissidents’ arrests, and countless human rights abuses. “If I had known how crazy and dangerous he is,” Guido Landi, a former employee, says, “I would never have joined the Hacking Team.” [Continue reading…]
