Documents from the archive of whistleblower Edward Snowden indicate that Britain’s GCHQ intelligence service was behind a cyber attack against Belgacom, a partly state-owned Belgian telecoms company. A “top secret” Government Communications Headquarters (GCHQ) presentation seen by SPIEGEL indicates that the goal of the project, conducted under the codename “Operation Socialist,” was “to enable better exploitation of Belgacom” and to improve understanding of the provider’s infrastructure.
The presentation is undated, but another document indicates that access has been possible since 2010. The document shows that the Belgacom subsidiary Bics, a joint venture between Swisscom and South Africa’s MTN, was on the radar of the British spies.
Belgacom, whose major customers include institutions like the European Commission, the European Council and the European Parliament, ordered an internal investigation following the recent revelations about spying by the United States’ National Security Agency (NSA) and determined it had been the subject of an attack. The company then referred the incident to Belgian prosecutors. Last week, Belgian Prime Minister Elio di Rupo spoke of a “violation of the public firm’s integrity.”
When news first emerged of the cyber attack, suspicions in Belgium were initially directed at the NSA. But the presentation suggests that it was Belgium’s own European Union partner Britain that is behind “Operation Socialist,” even though the presentation indicates that the British used spying technology for the operation that the NSA had developed.
The files show that the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.
The agencies, the documents reveal, have adopted a battery of methods in their systematic and ongoing assault on what they see as one of the biggest threats to their ability to access huge swathes of internet traffic – “the use of ubiquitous encryption across the internet”.
Those methods include covert measures to ensure NSA control over setting of international encryption standards, the use of supercomputers to break encryption with “brute force”, and – the most closely guarded secret of all – collaboration with technology companies and internet service providers themselves.
Through these covert partnerships, the agencies have inserted secret vulnerabilities – known as backdoors or trapdoors – into commercial encryption software.
The National Security Agency paid millions of dollars to cover the costs of major internet companies involved in the Prism surveillance program after a court ruled that some of the agency’s activities were unconstitutional, according to top-secret material passed to the Guardian.
The technology companies, which the NSA says includes Google, Yahoo, Microsoft and Facebook, incurred the costs to meet new certification demands in the wake of the ruling from the Foreign Intelligence Surveillance (Fisa) court.
And in the article, you can find Google basically admitting as much:
Google did not answer any of the specific questions put to it, and provided only a general statement denying it had joined Prism or any other surveillance program. It added: “We await the US government’s response to our petition to publish more national security request data, which will show that our compliance with American national security laws falls far short of the wild claims still being made in the press today.”
Falling short of “wild claims” is very easy…
The saga of Lavabit founder Ladar Levison is getting even more ridiculous, as he explains that the government has threatened him with criminal charges for his decision to shut down the business, rather than agree to some mysterious court order. The feds are apparently arguing that the act of shutting down the business, itself, was a violation of the order:
… a source familiar with the matter told NBC News that James Trump, a senior litigation counsel in the U.S. attorney’s office in Alexandria, Va., sent an email to Levison’s lawyer last Thursday – the day Lavabit was shuttered — stating that Levison may have “violated the court order,” a statement that was interpreted as a possible threat to charge Levison with contempt of court.
That same article suggests that the decision to shut down Lavabit was over something much bigger than just looking at one individual’s information — since it appears that Lavabit has cooperated in the past on such cases. Instead, the suggestion now is that the government was seeking a tap on all accounts:
Levison stressed that he has complied with “upwards of two dozen court orders” for information in the past that were targeted at “specific users” and that “I never had a problem with that.” But without disclosing details, he suggested that the order he received more recently was markedly different, requiring him to cooperate in broadly based surveillance that would scoop up information about all the users of his service. He likened the demands to a requirement to install a tap on his telephone.
It sounds like the feds were asking for a full on backdoor on the system, not unlike some previous reports of ISPs who have received surprise visits from the NSA.
Now that consumers know that NSA spooks are reviewing their every click, online privacy has become a much bigger concern.
After seven weeks of steady media coverage, the percentage of Internet users worried about their online privacy jumped 19 percent, from 48 percent in June (when the story first appeared in The Guardian and Washington Post) to 57 percent in July, according to Annalect, Omnicom Media Group’s data and analytics company.
The findings have huge implications for the targeted advertising because the more concerned Internet users are about privacy, the more likely they are to change settings and block tracking.
“If these trends continue, and Mozilla implements its plan for its Firefox browser to block most third-party cookies by default later this year, the ad industry’s ability to effectively use third-party cookies for marketing purposes will decrease,” the study concluded.
Snowden, who told me today that he found Lavabit’s stand “inspiring”, added:
“Ladar Levison and his team suspended the operations of their 10 year old business rather than violate the Constitutional rights of their roughly 400,000 users. The President, Congress, and the Courts have forgotten that the costs of bad policy are always borne by ordinary citizens, and it is our job to remind them that there are limits to what we will pay.
“America cannot succeed as a country where individuals like Mr. Levison have to relocate their businesses abroad to be successful. Employees and leaders at Google, Facebook, Microsoft, Yahoo, Apple, and the rest of our internet titans must ask themselves why they aren’t fighting for our interests the same way small businesses are. The defense they have offered to this point is that they were compelled by laws they do not agree with, but one day of downtime for the coalition of their services could achieve what a hundred Lavabits could not.
“When Congress returns to session in September, let us take note of whether the internet industry’s statements and lobbyists – which were invisible in the lead-up to the Conyers-Amash vote – emerge on the side of the Free Internet or the NSA and its Intelligence Committees in Congress.”
U.S. President Barack Obama met with the CEOs of Apple Inc, AT&T Inc as well as other technology and privacy representatives on Thursday to discuss government surveillance in the wake of revelations about the programs, the White House confirmed on Friday.
Google Inc computer scientist Vint Cerf and civil liberties leaders also participated in the meeting, along with Apple’s Tim Cook and AT&T’s Randall Stephenson, the White House said in confirming a report by Politico, which broke the news of the meeting.
“The meeting was part of the ongoing dialogue the president has called for on how to respect privacy while protecting national security in a digital era,” a White House official said.
The session was not included on Obama’s daily public schedule for Thursday.
When you enter your POP / IMAP e-mail credentials into a Blackberry 10 phone they will be sent to Blackberry without your consent or knowledge. A server with the IP 188.8.131.52 which is in the Research In Motion (RIM) netblock in Canada will instantly connect to your mailserver and log in with your credentials. If you do not have forced SSL/TLS configured on your mail server, your credentials will be sent in the clear by Blackberry’s server for the connection. Blackberry thus has not only your e-mail credentials stored in its database, it makes them available to anyone sniffing in between – namely the NSA and GCHQ as documented by the recent Edward Snowden leaks. Canada is a member of the “Five Eyes”, the tight-knit cooperation between the interception agencies of USA, UK, Canada, Australia and New Zealand, so you need to assume that they have access to RIM’s databases. You should delete your e-mail accounts from any Blackberry 10 device immediately, change the e-mail password and resort to using an alternative mail program like K9Mail.
Contradicting a statement by ex-vice president Dick Cheney on Sunday that warrantless domestic surveillance might have prevented 9/11, 2007 court records indicate that the Bush-Cheney administration began such surveillance at least 7 months prior to 9/11.
To get a sense of what I mean, imagine that I could telepathically read all your conscious and unconscious thoughts and feelings — I could know about them in as much detail as you know about them yourself — and further, that you could not, in any way, control my access. You don’t, in other words, share your thoughts with me; I take them. The power I would have over you would of course be immense. Not only could you not hide from me, I would know instantly a great amount about how the outside world affects you, what scares you, what makes you act in the ways you do. And that means I could not only know what you think, I could to a large extent control what you do.
That is the political worry about the loss of privacy: it threatens a loss of freedom. And the worry, of course, is not merely theoretical. Targeted ad programs, like Google’s, which track your Internet searches for the purpose of sending you ads that reflect your interests can create deeply complex psychological profiles — especially when one conducts searches for emotional or personal advice information: Am I gay? What is terrorism? What is atheism? If the government or some entity should request the identity of the person making these searches for national security purposes, we’d be on the way to having a real-world version of our thought experiment.
But the loss of privacy doesn’t just threaten political freedom. Return for a moment to our thought experiment where I telepathically know all your thoughts whether you like it or not. From my perspective — the perspective of the knower — your existence as a distinct person would begin to shrink. Our relationship would be so lopsided that there might cease to be, at least to me, anything subjective about you. As I learn what reactions you will have to stimuli, why you do what you do, you will become like any other object to be manipulated. You would be, as we say, dehumanized.
The connection between a loss of privacy and dehumanization is, of course, a well-known and ancient fact, and one for which we don’t need to appeal to science fiction to illustrate. It is employed the world over in every prison and detention camp. It is at the root of interrogation techniques that begin by stripping a person literally and figuratively of everything they own. Our thought experiment merely shows us the logical endgame. Prisoners might hide their resentment, or bravely resist torture (at least for a time) but when we lose the very capacity to have privileged access to our psychological information — the capacity for self-knowledge, so to speak, we literally lose our selves.
There’s been plenty of commentary concerning the latest NSA leak concerning its FISA court-approved “rules” for when it can keep data, and when it needs to delete it. As many of you pointed out in the comments to that piece — and many others are now exploring — the rules seem to clearly say that if your data is encrypted, the NSA can keep it. Specifically, the minimization procedures say that the NSA has to destroy the communication it receives once it’s determined as domestic unless they can demonstrate a few facts about it. As part of this, the rules note:
In the context of a cryptanalytic effort, maintenance of technical data bases requires retention of all communications that are enciphered or reasonably believed to contain secret meaning, and sufficient duration may consist of any period of time during which encrypted material is subject to, or of use in, cryptanalysis.
If you licked your envelope shut, you might be evil, so we’ll keep the letter until we can find the right letter opener.
In other words, if your messages are encrypted, the NSA is keeping them until they can decrypt them. And, furthermore, as we noted earlier, the basic default is that if the NSA isn’t sure about anything, it can keep your data. And, if it discovers anything at all remotely potentially criminal about your data, it can keep it, even if it didn’t collect it for that purpose.
The federal surveillance programs revealed in media reports are just "the tip of the iceberg," a House Democrat said Wednesday.
Rep. Loretta Sanchez (D-Calif.) said lawmakers learned "significantly more" about the spy programs at the National Security Agency (NSA) during a briefing on Tuesday with counterterrorism officials.
"I think it’s just broader than most people even realize, and I think that’s, in one way, what astounded most of us, too," Sanchez said of the briefing.
Of course it may not be all that hard to astound Members of Congress, so that may not be saying much…
Legal and policy solutions focus too much on the problems under the Orwellian metaphor—those of surveillance—and aren’t adequately addressing the Kafkaesque problems—those of information processing. The difficulty is that commentators are trying to conceive of the problems caused by databases in terms of surveillance when, in fact, those problems are different.
Commentators often attempt to refute the nothing-to-hide argument by pointing to things people want to hide. But the problem with the nothing-to-hide argument is the underlying assumption that privacy is about hiding bad things. By accepting this assumption, we concede far too much ground and invite an unproductive discussion about information that people would very likely want to hide. As the computer-security specialist Schneier aptly notes, the nothing-to-hide argument stems from a faulty “premise that privacy is about hiding a wrong.” Surveillance, for example, can inhibit such lawful activities as free speech, free association, and other First Amendment rights essential for democracy.
The deeper problem with the nothing-to-hide argument is that it myopically views privacy as a form of secrecy. In contrast, understanding privacy as a plurality of related issues demonstrates that the disclosure of bad things is just one among many difficulties caused by government security measures. To return to my discussion of literary metaphors, the problems are not just Orwellian but Kafkaesque. Government information-gathering programs are problematic even if no information that people want to hide is uncovered. In The Trial, the problem is not inhibited behavior but rather a suffocating powerlessness and vulnerability created by the court system’s use of personal data and its denial to the protagonist of any knowledge of or participation in the process. The harms are bureaucratic ones—indifference, error, abuse, frustration, and lack of transparency and accountability.
- They know you rang a phone sex service at 2:24 am and spoke for 18 minutes. But they don’t know what you talked about.
- They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret.
- They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour. But they don’t know what was discussed.
- They know you received a call from the local NRA office while it was having a campaign against gun legislation, and then called your senators and congressional representatives immediately after. But the content of those calls remains safe from government intrusion.
- They know you called a gynecologist, spoke for a half hour, and then called the local Planned Parenthood’s number later that day. But nobody knows what you spoke about.
Today, Yahoo’s General Counsel posted a carefully worded denial regarding the company’s alleged participation in the NSA PRISM program. To the casual observer, it might seem like a categorical denial. I do not believe that Yahoo’s denial is as straightforward as it seems.
If it had, even if I couldn’t talk about it, in all likelihood I would no longer be working at Google: the fact that we do stand up for individual users’ privacy and protection, for their right to have a personal life which is not ever shared with other people without their consent, even when governments come knocking at our door with guns, is one of the two most important reasons that I am at this company: the other being a chance to build systems which fundamentally change and improve the lives of billions of people by turning the abstract power of computing into something which amplifies and expands their individual, mental life.
Strong statement. And here’s Google’s chief legal officer, David Drummond:
We cannot say this more clearly — the government does not have access to Google servers—not directly, or via a back door, or a so-called drop box. Nor have we received blanket orders of the kind being discussed in the media.
The government has cited the privilege in two active lawsuits being heard by a federal court in the northern district of California – Virginia v Barack Obama et al, and Carolyn Jewel v the National Security Agency. In both cases, the Obama administration has called for the cases to be dismissed on the grounds that the government’s secret activities must remain secret.
The claim comes amid a billowing furore over US surveillance on the mass communications of Americans following disclosures by the Guardian of a massive NSA monitoring programme of Verizon phone records and internet communications.
The director of national intelligence, James Clapper, has written in court filings that “after careful and actual personal consideration of the matter, based upon my own knowledge and information obtained in the course of my official duties, I have determined that the disclosure of certain information would cause exceptionally grave damage to the national security of the United States. Thus, as to this information, I formally assert the state secrets privilege.”
The use of the privilege has been personally approved by President Obama and several of the administration’s most senior officials: in addition to Clapper, they include the director of the NSA Keith Alexander and Eric Holder, the attorney general. “The attorney general has personally reviewed and approved the government’s privilege assertion in these cases,” legal documents state.
A British Defense Ministry press advisory committee, reacting to a flurry of revelations in the American press about massive warrantless US government electronic surveillance programs, quietly warned UK organizations Friday not to publish British national security information.
Defiance of the advisory could make British journalists vulnerable to prosecution under the Official Secrets Act.
Jameel Jaffer, deputy legal director of the American Civil Liberties Union, said: “I would just push back on the idea that the court has signed off on it, so why worry? This is a court that meets in secret, allows only the government to appear before it, and publishes almost none of its opinions. It has never been an effective check on government.”
Several companies contacted by The Post said they had no knowledge of the program, did not allow direct government access to their servers and asserted that they responded only to targeted requests for information.
“We do not provide any government organization with direct access to Facebook servers,” said Joe Sullivan, chief security officer for Facebook. “When Facebook is asked for data or information about specific individuals, we carefully scrutinize any such request for compliance with all applicable laws, and provide information only to the extent required by law.”
“We have never heard of PRISM,” said Steve Dowling, a spokesman for Apple. “We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order.”
It is possible that the conflict between the PRISM slides and the company spokesmen is the result of imprecision on the part of the NSA author. In another classified report obtained by The Post, the arrangement is described as allowing “collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,” rather than directly to company servers.
Government officials and the document itself made clear that the NSA regarded the identities of its private partners as PRISM’s most sensitive secret, fearing that the companies would withdraw from the program if exposed. “98 percent of PRISM production is based on Yahoo, Google and Microsoft; we need to make sure we don’t harm these sources,” the briefing’s author wrote in his speaker’s notes.
University of Washington computer scientists have developed gesture-recognition technology that brings this a step closer to reality. Researchers have shown it’s possible to leverage Wi-Fi signals around us to detect specific movements without needing sensors on the human body or cameras.
By using an adapted Wi-Fi router and a few wireless devices in the living room, users could control their electronics and household appliances from any room in the home with a simple gesture.
“This is repurposing wireless signals that already exist in new ways,” said lead researcher Shyam Gollakota, a UW assistant professor of computer science and engineering. “You can actually use wireless for gesture recognition without needing to deploy more sensors.”
Privacy issues, anyone?
One particularly clever use of social media was connecting a video called “The Life of Julia,” which depicted how the President’s policies would help a citizen throughout her life, to the viewer’s Facebook account. By the time the viewer finished watching the show, BarackObama.com had trawled through all of the viewer’s Facebook friends, associating their names and birthdates with voting records, gender, and state of residence.
Anyone who uses Skype has consented to the company reading everything they write. The H’s associates in Germany at heise Security have now discovered that the Microsoft subsidiary does in fact make use of this privilege in practice. Shortly after sending HTTPS URLs over the instant messaging service, those URLs receive an unannounced visit from Microsoft HQ in Redmond.
I don’t believe that the NSA could save every domestic phone call, not at this time. Possibly after the Utah data center is finished, but not now. They could be saving all the metadata now, but I’m skeptical about that too.
Posted for balance.
On Wednesday night, Burnett interviewed Tim Clemente, a former FBI counterterrorism agent, about whether the FBI would be able to discover the contents of past telephone conversations between the two. He quite clearly insisted that they could:
BURNETT: Tim, is there any way, obviously, there is a voice mail they can try to get the phone companies to give that up at this point. It’s not a voice mail. It’s just a conversation. There’s no way they actually can find out what happened, right, unless she tells them?
CLEMENTE: No, there is a way. We certainly have ways in national security investigations to find out exactly what was said in that conversation. It’s not necessarily something that the FBI is going to want to present in court, but it may help lead the investigation and/or lead to questioning of her. We certainly can find that out.
BURNETT: So they can actually get that? People are saying, look, that is incredible.
CLEMENTE: No, welcome to America. All of that stuff is being captured as we speak whether we know it or like it or not.
"All of that stuff" – meaning every telephone conversation Americans have with one another on US soil, with or without a search warrant – "is being captured as we speak".
However, since the bill hasn’t been challenged in the court of public opinion, others are now beginning to follow suit. Such is the case in Illinois, where the state House passed a bill this week, sponsored by Jim Durkin, that gives employers there the same rights. And, of course, it’s all done in the name of protecting the workplace.
The Illinois House passed a bill today that would allow employers to request access to employees’ personal web accounts used for business purposes, like Facebook and other social networking sites. As if people aren’t paranoid enough already. To be clear, the bill does not mandate that employees supply the information, and no one could be fired or penalized for noncompliance. The idea is to allow employers the opportunity to investigate employee misconduct, protect trade secrets, and prevent workplace violence by monitoring online activities. Even without it being mandatory to share your login and password, you could imagine a boss putting a subordinate under some uncomfortable pressure.
A challenge to everyone, if I may. If you were able to somehow catalog and characterize every single instance of employee misconduct, trade secret revealing, and workplace violence, exactly what percentage of them would you guess could have been prevented by proactive investigation of social media? Further, what percentage of such cases are such that the key evidence that would conclude any investigation into them would be only made available with a social media password? These are the kinds of answers with which I would expect proponents of such laws to be beating us over the head, yet you never seem to see any data in the reports. It all essentially comes down to, “We need to give employers the right to ask for social media passwords, because violence, scary internet, and children.”
The Internal Revenue Service doesn’t believe it needs a search warrant to read your e-mail.
Newly disclosed documents prepared by IRS lawyers say that Americans enjoy “generally no privacy” in their e-mail, Facebook chats, Twitter direct messages, and similar online communications — meaning that they can be perused without obtaining a search warrant signed by a judge.
That places the IRS at odds with a growing sentiment among many judges and legislators who believe that Americans’ e-mail messages should be protected from warrantless search and seizure. They say e-mail should be protected by the same Fourth Amendment privacy standards that require search warrants for hard drives in someone’s home, or a physical letter in a filing cabinet.
An IRS 2009 Search Warrant Handbook obtained by the American Civil Liberties Union argues that “emails and other transmissions generally lose their reasonable expectation of privacy and thus their Fourth Amendment protection once they have been sent from an individual’s computer.” The handbook was prepared by the Office of Chief Counsel for the Criminal Tax Division and obtained through the Freedom of Information Act.
A new proposal in California, supported by a diverse coalition including EFF and the ACLU of Northern California, is fighting to bring transparency and access to the seedy underbelly of digital data exchanges. The Right to Know Act (AB 1291) would require a company to give users access to the personal data the company has stored on them—as well as a list of all the other companies with whom that original company has shared the users’ personal data—when a user requests it. It would cover California residents and would apply to both offline and online companies.
Not enough – there’s no provision to force a company to correct or erase data.
Despite the pervasiveness of law enforcement surveillance of digital communication, the FBI still has a difficult time monitoring Gmail, Google Voice, and Dropbox in real time. But that may change soon, because the bureau says it has made gaining more powers to wiretap all forms of Internet conversation and cloud storage a “top priority” this year.
The Internet is a surveillance state. Whether we admit it to ourselves or not, and whether we like it or not, we’re being tracked all the time. Google tracks us, both on its pages and on other pages it has access to. Facebook does the same; it even tracks non-Facebook users. Apple tracks us on our iPhones and iPads. One reporter used a tool called Collusion to track who was tracking him; 105 companies tracked his Internet use during one 36-hour period.
Sure, we can take measures to prevent this. We can limit what we search on Google from our iPhones, and instead use computer web browsers that allow us to delete cookies. We can use an alias on Facebook. We can turn our cell phones off and spend cash. But increasingly, none of it matters.
There are simply too many ways to be tracked. The Internet, e-mail, cell phones, web browsers, social networking sites, search engines: these have become necessities, and it’s fanciful to expect people to simply refuse to use them just because they don’t like the spying, especially since the full extent of such spying is deliberately hidden from us and there are few alternatives being marketed by companies that don’t spy.
And 99.99% of tracking is done to custom tailor the ads we block.
An education technology conference this week in Austin, Texas, will clang with bells and whistles as startups eagerly show off their latest wares.
But the most influential new product may be the least flashy: a $100 million database built to chart the academic paths of public school students from kindergarten through high school.
In operation just three months, the database already holds files on millions of children identified by name, address and sometimes social security number. Learning disabilities are documented, test scores recorded, attendance noted. In some cases, the database tracks student hobbies, career goals, attitudes toward school – even homework completion.
The database is a joint project of the Bill & Melinda Gates Foundation, which provided most of the funding, the Carnegie Corporation of New York and school officials from several states.
Federal officials say the database project complies with privacy laws. Schools do not need parental consent to share student records with any “school official” who has a “legitimate educational interest,” according to the Department of Education. The department defines “school official” to include private companies hired by the school, so long as they use the data only for the purposes spelled out in their contracts.
The database also gives school administrators full control over student files, so they could choose to share test scores with a vendor but withhold social security numbers or disability records.
That’s hardly reassuring to many parents.
“Once this information gets out there, it’s going to be abused. There’s no doubt in my mind,” said Jason France, a father of two in Louisiana.
I liked it a lot better when Bill was trying to fight the mosquito.