Hacking Team Documentation

The Intercept has published the complete manuals for Hacking Team's attack software. This follows a detailed report on Hacking Team's products from August. Hacking Team sells computer and cell phone hacking capabilities to the governments of Azerbaijan, Colombia, Egypt, Ethiopia, Hungary, Italy, Kazakhstan, Korea, Malaysia, Mexico, Morocco, Nigeria, Oman, Panama, Poland, Saudi Arabia, Sudan, Thailand, Turkey, UAE, and Uzbekistan...and probably others as well.

This is important. The NSA's capabilities are not unique to the NSA. They're not even unique to countries like the US, UK, China, Russia, France, Germany, and Israel. They're available for purchase by any totalitarian country that wants to spy on foreign governments or its own citizens. By ensuring an insecure Internet for everyone, the NSA enables companies like Hacking Team to thrive.

Posted on October 31, 2014 at 8:38 AM • 68 Comments

Comments

Thoth • October 31, 2014 8:59 AM

And that is why the best option to regain confidence is to create community standards besides Government standards in my opinion.

The probable solution on the table is to dispense proper knowledge and awareness and to rework standards and basic designs and knowledge. Re-implementing and igniting passion into open hardware and software with community standards is the way to go forward.

vas pup • October 31, 2014 9:23 AM

Fighting terrorism in Germany (distant cousin of NSA)
http://www.dw.de/germanys-gtaz-ten-years-of-fighting-terror/a-18026349

These quotes caught my attention in particular:

"but incidents like the airport shooting also show how little power large institutions have, argues Ulla Jelpke, domestic policy spokeswoman for the Left party.[!] Although they collect a lot of data, they have few ways to interpret it[!]. Mostly, lone assailants make a decision to attack on the spot, says Jelpke."

"Germany's constitution provides for a strict division of the police and the intelligence services - as a lesson learned from the country's Nazi past under Adolf Hitler".

Second one should resonate with Anura for sure

JonKnowsNothing • October 31, 2014 12:12 PM

There is no lock on ideas. Even if we can patent them, anyone can come up with the same or similar idea. You cannot block knowledge or un-learn something. Once you know, you know. You can learn to modify a behavior but unless you undergo something like brain surgery or have a memory disease, you cannot un-know it.

With all the Out In The Open News about constraints to our privacy, our traceability, our intellectual curiosity, there is still no BIG OUTCRY from the very people who have the ability to change it. I think they make too much money from it all, and in the USA money counts.

As others have said:

  • Encryption does not create Privacy.
    I can put stuff in a safe or hide it in the floorboards but you can still follow me.
  • Anonymous does not mean Untraceable.
    If you have GPS on, you are traced. It's trivial to discover who you are if you are followed to your home.
  • Surveillance is not Security.
    You can watch the robber or you can lock the door.
  • The Internet is not Securable
    The Internet was built on "trust". There's no one left to trust.

  • The Internet house: door, walls, roof and floor are all a sham. There's only one thing you can do: Start Over. No one wants to Start Over, but that is exactly what needs to happen.

    The roof is leaking and the beams are rotten and the termites are everywhere.

    BrianM • October 31, 2014 12:48 PM

    @JonKnowsNothing:
    "If you have GPS on, you are traced."
    No, GPS is a receiver. If you have your phone on, you can be traced. But GPS by itself just means that your device is receiving signals from satellites, and nothing more than that.

    No, the NSA's capabilities are not unique. They have never been unique, they just have the funding of a major government behind them.

    @Bruce Schneier:
    "By ensuring an insecure Internet for everyone, the NSA enables companies like Hacking Team to thrive."

    The architecture of the Internet is what it is. Its primary design goal was to keep communications running in the event of extreme disruptions, i.e., nuclear attack. It was never meant as a means of ubiquitous, secure communications.

    The network known as the Internet is not going to be scrapped out. The thing is here to stay, in all its flawed "glory." In order for a government to be truly in the dark about the flow of communication, the information must be either so secret it doesn't exist, or as pervasive as sand on a beach. Either one works.

    Before the Internet, the governments employed large spy networks. The East German Stasi employed 1 agent for 166 people. Spying on a populace is always feasible, given sufficient government resources. And totalitarian regimes always make sure that those resources are at hand.

    Z.Lozinski • October 31, 2014 12:52 PM

    "The Internet house: door, walls, roof and floor are all a sham. There's only one thing you can do: Start Over. No one wants to Start Over, but that is exactly what needs to happen."

    I'd be very careful with this. Many of the initiatives for re-designing / re-inventing / re-loading the internet start with premises that are very different from the ones the internet has grown up with, and are likely to lead to a series of balkanized networks with pay-to-play walled gardens, limited interconnectivity and some "features":

    * Mandatory copyright enforcement (think back to the Secure Digital Music Initiative (SDMI) from the late 1990s).

    * Mandatory Government issued identity for internet usage (yes, this is already true in some countries).

    * Government control over policy and content.

    The IETF activities to strengthen the existing internet are probably the best hope we have. The alternative is a network controlled by the ITU-T, which has been limited up to now as a major source of innovation. (GSM didn't come out of the ITU-T machine, it came from some forward thinkers in London and Paris and other European capitals).

    Don't get me wrong, we need to improve the security of the internet for everyone, but I'm really not sure about starting over.

    Gerard van Vooren • October 31, 2014 12:53 PM

    @ JonKnowsNothing • October 31, 2014 12:12 PM

    If you are looking at "starting the internet over", that means getting rid of the broken by design OSI Model, then you could look at GnuNet. These guys have the proper ideas.

    Justin • October 31, 2014 2:19 PM

    The problem isn't solely the NSA. There are simply too many vested interests in knowing what Joe Public (or Jane Private) is doing on the internet. Spying goes on for many reasons. Besides law enforcement and intelligence (which are increasingly blurred together these days,) some big ones are:

    • targeted advertising;
    • criminals getting access to financial accounts; and
    • criminals getting access to other computer systems to enroll in botnets, send out spam, etc.
    There is already a whole ecosystem of spyware supported by shady hucksters and criminals, and the attitude of law enforcement isn't that "We should put a stop to this," but that "These are tools we can use, too."

    Most of this spying is "out of sight, out of mind" for most users who don't notice or care until advertisements are blatantly creepy, (like Target's advertisements for pregnant women,) money is stolen from their credit card or bank account, or some server they are managing starts to send out spam. Even then, they don't think that their own PC or smart phone may have been compromised.

    SoWhatDidYouExpect • October 31, 2014 2:23 PM

    @BrianM

    One spy for every 166 citizens...interesting.

    For the 320 million in the U.S. that means we have just under 200,000 in such a capacity in this country (just for our citizens).

    So, can someone come up with the estimated combined workforce size of the FBI, CIA, and NSA (plus any hidden compatriots)?

    Clive Robinson • October 31, 2014 2:42 PM

    With regards starting again with the Internet, it won't make any difference because of the duality of use or agnostic nature of the design of technology.

    As the old saw has it "for every saint there is a sinner", humans will use tools for good or bad or even both simultaneously depending on the observers view point.

    There is nothing that can be used for only good and likewise for only bad. Even nuclear bombs have an engineering use and potentially against fast moving rocks heading towards our home.

    Thus the reality in a world where we can not trust those with power, we as individuals or groups have to mitigate the abuse of power. To try to do anything else would not just be pointless it would be counter productive as those with power will only find other or new ways to use the new technology to their advantage, or more correctly our disadvantage.

    parrot • October 31, 2014 2:45 PM

    @SoWhatDidYouExpect

    Here are the open numbers for employees:

    FBI: 35,344

    https://en.wikipedia.org/wiki/Federal_Bureau_of_Investigation

    CIA: 21,575

    https://en.wikipedia.org/wiki/Central_Intelligence_Agency

    NSA: 35,000 (ish)

    https://en.wikipedia.org/wiki/National_Security_Agency

    That makes about 90,000. Of course that doesn't include contractors, DIA, NRO, DEA, ICE, and other intelligence wings of the DHS. These numbers include administrative staff, which may not be comparable to the Stasi statistic.

    (Stasi statistic. Stasi statistic. Stasi statistic. Hahahaha.... man.)

    QnJ1Y2U • October 31, 2014 3:23 PM

    @SoWhatDidYouExpect, @parrot

    Per research in the series Top Secret America by The Washington Post, the US intelligence apparatus consists of:

    • 10,000 locations across the United States
    • 1,271 government organizations
    • 1,931 private companies
    • 854,000 people who hold top-secret security clearances

    Alex • October 31, 2014 4:57 PM

    This Hacking Team leak is great but I'm having a hard time parsing these manuals.

    Can someone point out the places where they talk about how they are infecting peoples' computers and phones? I.e. do they need physical access to the machine or are we vulnerable to attacks even if our phone stays in our pocket or our computer in our possession?

    I noticed something about a "scout agent" (pag. 39 of the "Technician's Guide") that checks to see if antivirus software is installed. I assume that's the place they'll talk about how they infect people but I'm no good at interpreting this stuff.

    albert • October 31, 2014 5:35 PM

    @QnJ1Y2U, All
    .
    "..."The number of people who are cleared for access to classified information continued to rise in 2012 to more than 4.9 million, according to a new annual report from the Office of the Director of National Intelligence."..." - http://fas.org/blogs/secrecy/2013/04/2012_clearances/
    .
    Note: not all actually deal with classified information, but are "cleared" to do so; specific clearances are granted on a need-to-know basis. Still, it's a tremendous number.
    .
    I gotta go...

    Stephen Q • October 31, 2014 7:50 PM

    Instead of re-designing the internet, why not design a separate network specifically used for secure communications? I'd trust NSA more than the likes of Google, Yahoo, and Facebook for handling my personal information, but NSA is undoubtedly more interested in what we do on both networks. Unfortunately, NSA distrusts Americans more than the distrust we directed towards them.

    getthemathright • October 31, 2014 8:29 PM

    @sowhatdidyouexpect and others

    320 million citizens / 166 citizens per spy = 1.9 million spies

    So we are nowhere near East Germany ... Yet

    Bob S. • October 31, 2014 9:09 PM

    By looking at the control panel...

    https://prod01-cdn01.cdn.firstlook.org/wp-uploads/sites/1/2014/10/05-technician-guide-p71u.png

    ...this thing can do everything except fry an egg. I want to know how something like that can do it without tripping any defenses or triggering any alarms whatsoever.

    If indeed this one program can defeat the entire cyber defenses of the world, then we are all ....in big, big trouble.

    For one thing, if it hasn't happened already, cyber criminals will load up on this package to rape and rob the whole world besides the crooked governments.

    Really, is it truly undetectable by every defense system, tactic, procedure ever known? No AV company even knows about it let alone has a wooden stake for it?

    Frankly, I think it's a bit baffling and bordering on incredible.

    catnip • October 31, 2014 9:46 PM

    @Bob S.

    You don't think black hats have way more sophisticated technology at their disposal?

    Think of leased bot net dashboards?

    Think of any dashboard, any design, any layout, anything- it exists.

    Coyne Tibbets • October 31, 2014 11:26 PM

    @SoWhatDidYouExpect: "So, can someone come up with the estimated combined workforce size of the FBI, CIA, and NSA (plus any hidden compatriots)?"

    When DHS was started, based on their planned staffing, I estimated 1 per 1500 people or thereabouts.


    @getthemathright: "So we are nowhere near East Germany ... Yet"

    Except we're well beyond that. With all their flaws, computers hugely magnify the reach of a person. That is, after all, the whole point of computers.

    If we go by @QnJ1Y2U, 854,000 spooks, and assume 10:1 computational magnification, the current ratio is around 1 per 43; 100:1 computational, 1 per 4.3.

    Depends a lot on assumptions, but probably the effective saturation is between 1 per 1500 and 1 per 50. And yes, I realize that's 2 orders of magnitude, but the computational magnification assumptions probably account for at least 1 order of magnitude of that range.

    65535 • November 1, 2014 5:24 AM

    “ …the NSA enables companies like Hacking Team to thrive.” – Bruce S.

    I agree.

    I believe we are seeing an inflated or bubble market for Botnets/virus builders around the world. It is a coalescing of borderline criminals with law enforcement. This will end badly.

    For example, the Justice Department arrests a man for selling spyware saying:

    “Selling spyware is not just reprehensible, it’s a crime,” said Assistant Attorney General Caldwell. “Apps like StealthGenie are expressly designed for use by stalkers and domestic abusers who want to know every detail of a victim’s personal life – all without the victim’s knowledge. The Criminal Division is committed to cracking down on those who seek to profit from technology designed and used to commit brazen invasions of individual privacy.”

    http://www.justice.gov/opa/pr/pakistani-man-indicted-selling-stealthgenie-spyware-app

    Yet, the Justice Department allows its own FBI and other agencies to buy spyware from the likes of the Hacking Team and also creates in house spyware like “Magic Lantern.”

    The Justice Department is not only a hypocrite and trend-setter, but possibly a borderline criminal who mocks the US Constitution. This behavior is then reflected down the ladder to local police departments who do the same [secret use of the Stingray cell tower impersonator device]. That is a real travesty.

    @ Alex

    “…Can someone point out the places where they talk about how they are infecting peoples' computers and phones?” –Alex

    See Hacking Team documents:

    “Agent (OSX)
    “Support for INJECT-HTML-FLASH infection vector”

    “Agent (iOS)
    Support for installation without jailbreak on iphone 3GS"


    “Agent (Linux)
    Support for the top 5 distributions from DistroWatch.com [new distributions of Linux Operating Systems]
    Support for INJECT-HTML-FLASH infection vector..."

    https://s3.amazonaws.com/s3.documentcloud.org/documents/1347998/remote-control-system-9-0-changelog-final.pdf

    "Sub-action type description
    Available type of sub-actions are described below:"

    "...(Action ) Destroy, (Device) desktop, mobile, (Description) Renders the target device unusable."

    [See page 125 rcs 9 technical final pdf]

    https://s3.amazonaws.com/s3.documentcloud.org/documents/1348002/rcs-9-technician-final.pdf

    "Network Injector
    "Opera support
    "Improved YouTube attack
    "Improved Fake Access Point attack"

    "Console
    Brand new console for Galileo"

    https://s3.amazonaws.com/s3.documentcloud.org/documents/1347998/remote-control-system-9-0-changelog-final.pdf

    [Next to remote console from the sys admin final pdf]

    "Managing the Network Injector"

    "Purpose"

    'During installation, the function lets you create a new Network Injector “object” that create the logical connection between the RCS Console and the Single hardware device [This appears to be a device such as a switch, router, or server implanted on a major internet back bone or at Internet Service Provider’s location]'

    "Area Description
    "3 Network Injector Toolbar. Description are provided below:"

    [Icon of medical hypodermic needle]

    "Add a new Network Injector"

    [And other functions such as Edit Network Injector data. view log, Delete the selected Network Injector, Update appliance Control Center, Network Injector list, Injection rule list toolbar, List of selected network Injector rules… page 121 to 124]

    https://s3.amazonaws.com/s3.documentcloud.org/documents/1348001/rcs-9-sysadmin-final.pdf


    [Layman’s description of methods of injection of spyware by The Intercept]:

    Hacking Team manuals… 2013, provide step-by-step instructions for technicians, administrators, and analysts on how to infect a device and set up spying… software can be installed physically, via a USB stick, if the authorities have direct access to the computer (imagine a police stop or an airport search.) …infection can happen remotely. It could take the familiar form of a phishing attack or email scam – as a group of Moroccan reporters found out in 2012. A document promising them a secret scoop (it was titled “scandale,” in French) turned out to be a decoy for Hacking Team software … [or] legitimate, useful software that the victim is prompted to download."

    [Image of Control Center, Network rules console]

    "(Rule) TACTICAL, (Probability) 100% , (Attack) INJECT-HTML-JAVA, (Resource)
    Login.livel[dot]com

    "(Rule) TACTICAL, (Probability) 100%, (Attack) REPLACE, (Resource) *google.*/robots.txt [a web crawler from Google]

    "(Rule) TACTICAL, (Probability) 100%, (Attack) INJECT-HTML-FLASH, (Resource)
    youTube[dot]com/watch*

    "(Rule) TACTICAL, (Probability) 100%, (Attack) INJECT-EXE, (Resource) *.exe*"

    https://firstlook.org/theintercept/2014/10/30/hacking-team/

    [More troubling methods of attack include Code signing Certificate forgery/tampering from Large Trusted Certificate vendors, explained by The Intercept]

    “…Hacking Team manuals recommend that customers buy a code signing certificate from Verisign (now Symantec), Thawte, or GoDaddy– companies that offer a stamp of assurance that signals to operating systems and anti-virus scanners that the software is legitimate [Your antivirus software skips checking the “signed and certificated” virus code which has been injected into your computer]. – The Intercept”

    https://firstlook.org/theintercept/2014/10/30/hacking-team/

    I would suspect there would be some trickery involved to compromise the Symantec company to knowingly provide a certificate to a company known for spying – but I could be wrong.

    The real problem with Large Certificate providers having their certificates used for spying is the impact of the US financial system which is dependent upon secure SSL/TLS communications for transactions. I would guess that now Symantec has been named, a number of individuals and banks will be taking a close look at their Symantec Certificates for authenticity – or removing them altogether. This factor could be a significant cause of the high number of credit card skimming crimes in the USA.

    Interwoven into modern Antivirus security is the concept of “signed and secure” certificates to signal the AV software Not to check the code payload for malware – which probably is not a good practice! The certificate chain has cracks.

    The Hacking Team’s “invisibility report” lists four out of 18 AV products as “Cannot upgrade to elite” and the remaining 14 are “green” [I would guess the green means invisible to the AV software and upgradable – which is very alarming.]

    https://s3.amazonaws.com/s3.documentcloud.org/documents/1347999/invisibility-report-9-0-final.pdf

    This seems to cast a dark shadow on Anti-virus vendors. What happened with that survey of AV vendors and their answer as to their cooperation with the NSA?

    https://www.schneier.com/blog/archives/2013/12/how_antivirus_c.html

    If both AV vendors and Large Certificate vendors are in the spy game one would assume there would be huge distrust in American/Five Eyes vendors on many levels. This will cause customers to flee American products.

    A larger problem is the ever lowering of cost of Spyware around the globe [more competition brings lower price and the cycle repeats]. The Intercept notes:

    “The cost of a Hacking Team installation package, meanwhile, ranges from 200,000 to 1 million euros,.. Pricey, but not out of reach…”-The Intercept.

    https://firstlook.org/theintercept/2014/10/30/hacking-team/

    This could mean large entities such as drug cartels, large corporations and large political parties could buy such spyware to damage their competitors. This could be a vicious circle of wealthy entities vying for power with decreasing spyware costs.

    Worse, is the fact of many new “law enforcement” hacking companies are on the market. The Intercept links to the financial backers of the Hacking Team called INNOGEST SGR. I notice a similar company listed directly below the H.T. investment description which appears to be in the same business called Intelligence Focus located in Turin, Italy.

    [Investment description]

    “...Intelligence Focus core technology, known as Dynamic Intelligence Management System (DIMS®), allows the user to record live, structured and unstructured network flows and analyze them in real time, adding unprecedented layers of immediately usable intelligence to virtually any online operation...” – INNOGEST SGR

    See H.T. investment description 40% down page:
    http://www.innogest.it/page/8.html

    If this Italian venture capital firm can fund H.T. I would guess they also use their products – to ensure they get the best financial return. The same could hold true for any large investor such as a Drug Cartel, Large Corporation or Political PAC. The implications are nasty!
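
An added example (not part of the comment above, nor code from The Intercept or Hacking Team): a defender's audit that scans web-proxy logs for unencrypted HTTP requests matching the resource patterns in the rules quoted above. The log format, sample lines, function names and the substring-style glob matching are assumptions of this example, as is the premise that only cleartext HTTP responses can be altered in transit without breaking TLS.

```python
"""Flag cleartext HTTP requests whose URL matches the quoted rule resources."""
from collections import defaultdict
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# (attack label, resource pattern) pairs transcribed from the rules quoted in
# the comment, lower-cased and with "[dot]" written as ".".
QUOTED_RULES = [
    ("INJECT-HTML-JAVA", "login.livel.com"),
    ("REPLACE", "*google.*/robots.txt"),
    ("INJECT-HTML-FLASH", "youtube.com/watch*"),
    ("INJECT-EXE", "*.exe*"),
]

# Constructed sample log (assumed format: time client method url status).
SAMPLE_LOG = """\
2014-11-01T09:14:02Z 10.0.0.21 GET http://www.youtube.com/watch?v=abc123 200
2014-11-01T09:14:09Z 10.0.0.21 GET https://www.youtube.com/watch?v=abc123 200
2014-11-01T09:15:40Z 10.0.0.34 GET http://downloads.example.org/tools/setup.exe 200
2014-11-01T09:16:11Z 10.0.0.34 GET https://downloads.example.org/tools/setup.exe 200
2014-11-01T09:17:55Z 10.0.0.8 GET http://www.google.com/robots.txt 200
2014-11-01T09:18:20Z 10.0.0.8 GET http://news.example.net/index.html 200
malformed line here
"""


def parse_line(line):
    """Return a dict for a well-formed log line, or None if it cannot be parsed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    timestamp, client, _method, url, _status = parts
    try:
        u = urlsplit(url)
    except ValueError:
        return None
    if u.scheme not in ("http", "https") or not u.hostname:
        return None
    resource = u.hostname + u.path + ("?" + u.query if u.query else "")
    return {
        "time": timestamp,
        "client": client,
        "scheme": u.scheme,
        "host": u.hostname,
        "resource": resource.lower(),
    }


def matching_attacks(resource):
    """Attack labels whose pattern occurs anywhere in host+path+query.

    Wrapping each pattern in '*' makes the match deliberately over-inclusive,
    which is the safer direction for an exposure audit (assumed semantics;
    the page does not define the rule syntax).
    """
    return [attack for attack, pattern in QUOTED_RULES
            if fnmatchcase(resource, "*" + pattern + "*")]


def audit(log_text):
    """Return one finding per cleartext request that matches a quoted rule."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["scheme"] != "http":
            continue  # unparseable, or protected by TLS
        attacks = matching_attacks(entry["resource"])
        if attacks:
            findings.append({**entry, "attacks": attacks})
    return findings


def exposure_by_host(findings):
    """Group findings by host so HTTPS enforcement can be prioritised."""
    hosts = defaultdict(set)
    for finding in findings:
        hosts[finding["host"]].update(finding["attacks"])
    return {host: sorted(attacks) for host, attacks in hosts.items()}


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f["time"], f["client"], f["resource"], ",".join(f["attacks"]))
```

Hosts reported by `exposure_by_host` are candidates for HTTPS-only access at the proxy, and executables fetched from them for verification against a hash obtained over a separate channel.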

    Clive Robinson • November 1, 2014 6:31 AM

    @getthemathright,

    So we are nowhere near East Germany .. Yet

    Let me think, if people stand fingertip to fingertip they are about five foot three inches apart, or a thousand people to the mile. Now at the equator it's about 25000 miles around so the 4.9 million security cleared people quoted above at a stretch will go about one fifth of the way around the equator at a stretch. However at fifty one degrees north it will be a lot further, more than enough to have not only reached but passed East Germany.

    Whilst this is perhaps irrelevant, what is not is that East Germany fell a quarter of a century ago and it was technologically backward. In that quarter century we have had sixteen generations of COTS technology and about a 2^25 increase in storage density.

    Thus I think it fair to say that the US has long ago surpassed East Germany in capability, and whilst the US elite are not as obviously mad as Erich Honecker the current US President is very clearly just as much of a control freak as Honecker was.

    The only question really is just how good the "search systems" are of our every word spoken or typed over electronic communications...

    JonKnowsNothing • November 1, 2014 10:40 AM

    @BrianM / @SoWhatDidYouExpect / @parrot

    These employment estimates do not include contractors.

    iirc: There are approx. 80,000 contractors for the NSA alone. Edward Snowden was a contractor. He had previously been an employee of both the NSA/CIA.

    When the US voted out Big Government (Ronald Reagan) they also voted out oversight. Government employment fell, but someone still had to do the work. Those work contracts went to companies that have no oversight other than contract renewal.

    (http://en.wikipedia.org/wiki/Ronald_Reagan)

    As anyone who's been a contractor in the software engineering or in the accounting professions will know, contractors/temp employees fall in to a different line-item than employees on corporate financial reports. This allows corporations to show a different employee:profit ratio than their real worker:profit ratio. This is very much appreciated by Wall Street.

    JonKnowsNothing • November 1, 2014 11:04 AM

    @BrianM

    @BrianM • October 31, 2014 12:48 PM
    @JonKnowsNothing: "If you have GPS on, you are traced."

    No, GPS is a receiver. If you have your phone on, you can be traced. But GPS by itself just means that your device is receiving signals from satellites, and nothing more than that.

    I would suggest that you consider that any "receiver" that is "ON" will be doing a "handshake" and "validation" routine with the transmitter. Especially a satellite transmitter.

    Recent news about how something as simple as your Bluetooth receiver is being harvested by markets/stores to locate your precise position inside the building uses a similar handshake ping exchange.

    A receiver like these is going to beacon a "HELLO? ANYONE HOME?" message. Some respond to any "WHO ARE YOU?" message with details of your phone, location, MAC address and other details while they are attempting to negotiate the handshake/validation even if the other end is not the intended connection device (spoofed). This message is being harvested. If you have the GPS on and you get a hit on the satellite this information is harvested. It's also a reason you get requests to "turn on your GPS".


    Re: Not Starting Over

    The only reason to not start over is that it is painful to consider.

    However, for every hole you try to plug in the dike, there is another hole deeper in. You cannot even know if the code running in the CPU or your network adapter firmware hasn't had a Hacking Tool item inserted. The NSA already reflashes Cisco Routers with ease. They can reflash any firmware or mandate the installation of any device (eg pen register) they want on any network in the US. Their amigos in the 5E can do this even faster. They can tap the very fiber you are expecting to carry your encrypted data on. The data may be encrypted but the metadata is not. The design of how metadata works and even the way packets are defined was never intended to handle this current "understanding".

    It's time we picked up our huaraches and got moving.

    Jonas • November 1, 2014 11:09 AM

    Any of you who think living in the USA in 2014 is in any way comparable to living under communist rule in East Germany in terms of the threat to your privacy from government is an imbecile. I have lived under both systems. You insult me with your ignorance. I have also worked in the IC. I'm no fan of the current US administration, and I believe there are reforms needed in our domestic intelligence collection practices. But realize these practices have come about mostly due to well-meant efforts to provide the "security" that most Americans (who are now perpetually in fear of nearly everything) have expressed their desire for.

    Harrison Horseface • November 1, 2014 3:32 PM

    @Jonas Re: Stasi

    Assuming you are not a deconfliction unit sockpuppet (look it up)... I'll note that the presence of Stasi references in this debate is not so much about accusing the U.S./NSA of being as bad as the Stasi were. But of highlighting how very short a path it is from here to something like that. All the more so based on how vehemently NSA/FBI defenders assure us their well-intentioned surveillance apparatus could never be used for dark purposes.

    Obligatory Wikipedia MLK citation. These folks in government are not nice people. Some are, to greater and lesser degrees. As they say- "the line between good and evil is not a line drawn in the sand between peoples, but a line drawn down the heart of each and every one of us".

    The FBI distributed reports regarding such affairs to the executive branch, friendly reporters, potential coalition partners and funding sources of the SCLC, and King's family.[246] The Bureau also sent anonymous letters to King threatening to reveal information if he did not cease his civil rights work.[247] One anonymous letter sent to King just before he received the Nobel Peace Prize read, in part:
    The American public, the church organizations that have been helping—Protestants, Catholics and Jews will know you for what you are—an evil beast. So will others who have backed you. You are done. King, there is only one thing left for you to do. You know what it is. You have just 34 days in which to do (this exact number has been selected for a specific reason, it has definite practical significant [sic]). You are done. There is but one way out for you. You better take it before your filthy fraudulent self is bared to the nation.[248]

    A tape recording of several of King's extramarital liaisons, excerpted from FBI wiretaps, accompanied the letter.[249] King interpreted this package as an attempt to drive him to suicide,[250]


    Justin • November 1, 2014 4:03 PM

    @Jonas

    First of all, I think Benjamin Franklin put it rather well when he wrote:

    "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."

    I realize that communist rule in East Germany was highly invasive of privacy, but nowadays technology has made invasive surveillance much easier. Almost all of what we do in our day-to-day lives ends up in big computerized databases even in the hands of private industry, and the government taps into this. Phone calls, texts, e-mails, faxes, web browsing, credit card purchases, bank transactions, physical mail, cell phone location data, automobile location data, it's all being recorded and kept under surveillance by the government. The "total information awareness" initiative from the years shortly after 9/11/2001 never really went away. And as I already mentioned, the wall between intelligence and law enforcement has broken down---witness the rise of the "fusion centers" across the nation.

    Yes, the Stasi no doubt had far more spies and informants in relation to the population than we now have in the U.S., but they had to rely on low-tech means because they didn't have the technology at that time that is now being used to spy on us.

    Maybe you just haven't been targeted for intensive surveillance and harassment in the U.S., but believe me, there are mechanisms in place for this.

    Sancho_P • November 1, 2014 8:05 PM

    @ Jonas

    No one here questions it was “well-meant”.

    - You do not question it was “well-meant” in the GDR, do you?

    Dan • November 2, 2014 8:12 AM

    "Totalitarian" governments only? These technologies are available to (and used by) all governments, regardless of political organization.

    albert • November 2, 2014 11:54 AM

    @Jonas
    .
    ".... But realize these practices have come about mostly due to well-meant efforts to provide the "security" that most Americans (who are now perpetually in fear of nearly everything) have expressed their desire for...."
    .
    The 'fear' you refer to was created by the US Propaganda Machine for the expressed purpose of tightening control of our society. Americans' desire for the IC and Law Enforcement to DO THEIR JOBS is quite different from the draconian 'security' laws foisted upon them by the US Congress, and the illegal but widespread practices of the US IC.
    .
    Is the US a better place to live than the former East Germany? For sure. Will it always be? No, not with a complete rebuild. Read: http://www.huffingtonpost.com/naomi-wolf/ten-steps-to-close-down-a_b_46695.html
    .
    Wolf doesn't have special insight. It's Fascism 101. Take the course; our Fearless Leaders already have...
    .
    @Sancho_P
    No, it wasn't "well-meant", it was designed to _appear_ to be "well-meant". This should be clear to everyone by now.
    .
    What's most worrisome is the apparent extreme naivete of most Americans.
    .
    I gotta go...

    Bob • November 2, 2014 1:25 PM

    So given what we know about this program and given that Wikileaks has released a working copy of FinFisher, what practical measures could be taken to prevent infection by something like this? What about impractical measures other than air-gapping? Going even farther, if one were to, say, redesign Android or a Linux OS from the ground up, what changes would need to be made?

    Douglas McClendon • November 2, 2014 2:10 PM

    @Bob

    1) open source everything. Firmwares down to hardware. Any compromise on this is the FIRST place the spooks will hide their shit.

    2) the right to serve. So long as the ISPs have a free hand to arbitrarily shut down any customer's communication, we are at their mercy. PRISM only works because of the nature of centralized servers as chokepoints for spooks' convenience. The spooks know this. Google and Facebook know they are vulnerable to decentralized open source alternatives. This is why Google's behavior in my crusade is explainable, and despicable.

    1+2 (plus of course open source strong encryption used judiciously) yields a 3 of a world where ISPs and therefore the governments don't have de facto veto power control over the 'free speech' that goes on on the internet.

    I can't tell you how awesome it makes me feel to see even the Washington Post finally getting a clue even if it takes another decade or century before the FCC wises up.

    Sancho_P • November 2, 2014 6:27 PM

    @ albert

    Um, so you think ”it was designed to _appear_ to be ‘well-meant’”.
    Basically you say the purpose was hidden behind a nice looking cover?
    Seriously, I’ve never heard that argument before (nice cover, indeed).

    May I ask you to clarify how you think it [1] was really meant?

    Something along the lines of “ill-meant”?
    Like a conspiracy to destroy America, the land of the free and the home of the brave?
    If yes, who would be behind that? Congress? Racists? SCLC? Big business? The Mafia?

    Or is it again the “pöze Russe” (= Putin) pulling the strings?

    [1] “it” refers to:

    “well-meant efforts to provide the "security" that most Americans (…) have expressed their desire for.”

    Buck • November 2, 2014 7:01 PM

    @Bruce

    By ensuring an insecure Internet for everyone, the NSA enables companies like Hacking Team to thrive.
    How do you reconcile that statement with this supposed quote from a few weeks ago?
    The Daily Dot relayed one NSA employee's claim to Schneier, that the TTP was a means of injecting federally-funded research back into the U.S. economy.
    "Bullshit," he responded. "The NSA's not stimulating the economy. They just said that and it sounds good. They just made that up."
    Is the latter simply in the context of the TTP (while ignoring markets indeed propped up by the TLA's), is it more of a matter of opportunity costs, or was Clive correct in his suggestion that the journos just caught you "on a bad hair day"..?

    Harrington Horseface • November 2, 2014 10:22 PM

    @Sancho_P

    I can't speak for @albert, but here are my $0.02 straight answers to your seemingly sarcastic questions-

    "Basically you say the purpose was hidden behind a nice looking cover?
    Seriously, I’ve never heard that argument before (nice cover, indeed).

    May I ask you to clarify what you think how it [1] was really meant?

    Something along the lines of “ill-meant”?
    Like a conspiracy to destroy America, the land of the free and the home of the brave?
    If yes, who would be behind that? Congress? Racists? SCLC? Big business? The Mafia?

    Or is it again the “pöze Russe” (= Putin) pulling the strings?"

    I would hypothesize that the answer is "all of the above". (we'll set aside SCLC). Each and every one of the players you listed has the means and motive to cover up any aspect of the surveillance apparatus that does not play into the narrative of "this is a safe, well-meant apparatus that is not, and will not be abused".

    Let's take two obvious classes of abuse- LOVINT, and insider trading / espionage-for-profit. Both classes of abuse are all but as inevitable as prostitution and drug abuse, no matter how much a government or religion would like to wave its hands and pretend such things don't exist (in the populace, or the governance).

    From what I've seen of the universe, my mind would be blown to discover that Congress hasn't hushed up instances of abuse, because it would make them look bad, cost them votes, and shatter their narrative of scrupulous spies being above ordinary human frailties.

    Likewise, racists within government, that selectively wield the power of their office in ways tilted toward the race they favor, would also have the motive to cover up such abuses.

    Big Business doesn't like to invest in expensive security engineers' salaries, and expensive security practices. If their golfing and poker playing buddies with government connections give them a wink wink and a nudge nudge and suggestion there is no need to break a sweat implementing secure technologies that protect their privacy, I'm guessing those big businesses will also be more than willing to bend a bit to help hush up any known abuses of the surveillance apparatus. Everybody loves being able to afford to send their kids to college.

    Mafia, would love people to believe they are as technically inept as Tony Soprano. The more people believe in that narrative, the less they imagine that a few key bribes could turn what Snowden had access to into a magical machine that prints pure insider trading gold 24 hours a day.

    Putin, ... see Mafia. Though I'm sure finding the right journalists to throw off the right buildings is more his cup of tea after he gets over the 'having more money than God' thing.

    Look at how the LOVINT story was spun in the news immediately after Snowden's initial revelations. Then remember how the day before that airliner got SAMd in the Ukraine, that story went from "ahh, how sweet, LOVE intelligence", to "18-22 year old NSA agents were routinely passing around nude intercepts as trophies". To most recently, the CHP officer Harrison talking about whether or not a particular LOVINT nude photo was of a woman that was hiding her "Horse face".

    That LOVINT story was the kind of thing that a truly free press would have a giant orgiastic party over if they hadn't been toeing an authoritarian government's party line. But instead it got spun as "ahh, how sweet, people in LOVE are violating some people's privacy". I mean WOW.

    The cover up of abuse of the surveillance apparatus is blatant. This I believe is what albert was referring to with the snide comment about Naivete.

    Again, Skeptical would have you believe that the reason we haven't heard about insider trading scandals tied to the NSA surveillance apparatus is because the corruption hasn't happened. I'm more skeptical than that. I think they just got away with it. And continue to do their best to represent the apparatus as "well-intentioned", when they know damn well it has been, is being, and will continue to be abused more and more.


    JonKnowsNothing • November 3, 2014 1:19 AM

    @Bob

    In addition to every piece of software being Open Source, there has to be an equivalent version for every piece of firmware.

    Often Open Source is presumed to be higher applications but there are extreme vulnerabilities in the hardware too. So even if your Open Source Office works 100% OK, there is a lurking exploit in your USB system (already noted).

    Firmware includes all the software running on the chips themselves including all drivers. The chip mfg publish detailed manuals about KNOWN functions but nothing about the "hidden" functions. Intel/AMD aren't too disposed to let you know the full inner workings of their chips or the software on them and make sure that reverse engineering is not something a few people can do in their spare time. If someone does manage to reverse engineer what's there, a bevy of lawyers will swoop down on you.

    But without full disclosure, 100%, the entire system will eventually collapse from "no trust". Already the EU/Germany and other countries have embargos on US Tech. It's expected to cost $30+Billion in the next year. This is NOT an option.

    Additionally every piece of code has to have code signing. Good validations and the assumption that EVERYTHING coming into the system is compromised. We have to give up the idea we can validate once or twice and after that it's All Good To Go. We have to validate each and every time we do something. It's not the current practice and people need to re-think how they structure code to achieve this.

    It's not enough to have one routine that can be defeated and then opens up every subset that uses that one routine. There need to be N-routines that are part of these New Systems.

    Systems have to be re-designed to help eliminate Social Engineering as a method of gaining access. We likely cannot prevent all of this but we can reduce the incidence by re-tooling the software interfaces.

    The even bigger issue is what to do about Metadata. The NSA has been collecting Metadata legally without warrants for a long long time now. Metadata in the US has been declared to be public like the address on a piece of mail. Anyone can look at it and harvest it. Metadata needs to be "rethought" because there's no reason for most of it to be outside the envelope in plain text. It needs to be inside and encrypted. If we move the metadata we will need a new delivery mechanism.

    Until all of this is done.. Nothing will be "safe". Everything is compromisable. Even if you decide to dump all your computer stuff and go "dark", there's a person next to you with a cell phone or Google Glass or wearing an Apple Tech Wifi Watch. The License Plate readers and the Face Recognition programs will still harvest your image, your location and your associations and even your conversations.

    Andrew_K • November 3, 2014 2:39 AM

    On the interpretation of the Stasi employee numbers.

    The question is who has been added to this number. Intelligence is blurry by nature. Who "works" for Intelligence? You can either count everyone who has ever (been forced to) write something about his neighbors (informers). Or you count only those who are working directly for Intelligence (say, those who have a desk in an office).

    With today's Intel infrastructure I also think we need to be careful when interpreting these numbers. We cannot differentiate those really working "Intelligence" from those doing infrastructural work (cleaning staff, janitors, secretaries, guards, chiefs ... and especially in GDR they hired more than enough personnel to fulfill full employment).
    The same applies to contractors and -- as pointed out -- those with top secret clearance. Of course the cleaning lady for the administration office needs a top secret clearance. The house electrician, too. Basically, everyone who gets a glimpse behind the scenes. I wonder about the delivery guys from the surrounding pizza dealers. You will easily find similar constellations.

    Regarding the "new design internet"
    I almost instantly think of IPv6, which has been announced as the future of the internet. For over ten years by now.
    In my view, the current Internet is too big to fail. There is no way around it, it is as it is and it will stay that way. There is no chance to set it to "privacy mode".

    What can we do about it? Face it -- Nothing technical. Adding overlay networks and encryption is not curing the illness, it's treating the symptoms.

    My consequence: There are topics I discuss openly on the net when I'm sure I'm identifiable with minimal effort. There are topics I discuss (e.g. here) when I think it needs at least some work to separate me from a large group of other individuals who could have posted this (one of the advantages of working at a large IT Company or University is sharing a NAT among others who are similar to me in terms of interests). And there are topics which will never be discussed but only referenced online.

    Of course that poses restrictions.
    There are topics I would like to discuss with some of you here in the commentary section but there is no way to arrange a face-to-face meeting.

    ineiev • November 3, 2014 5:21 AM

    @ JonKnowsNothing

    "I would suggest that you consider that any "receiver" that is "ON" will be doing a "handshake" and "validation" routine with the transmitter. Especially a satellite transmitter."

    This is wrong: radio and TV broadcast receivers don't "handshake" in any way with the station, and GPS (OMEGA, Transit, LORAN) receivers just have no transmitter hardware.

    65535 • November 3, 2014 8:00 AM

    @JonKnowsNothing

    “…Additionally every piece of code has to have code signing. Good validations and the assumption that EVERYTHING coming into the system is compromised. We have to give up the idea we can validate once or twice and after that it's All Good To Go. We have to validate each and every time we do something…” –JonKnowsNothing

    I agree.

    With the companies like H.T. Co. there is too much of a temptation to manipulate trusted Certificates. If Moxie Marlinspike can game the Certificate infrastructure a multimillion dollar company like H.T. Co. can do so with ease.
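
JonKnowsNothing's point about validating on every use rather than once, which 65535 quotes above, can be shown with a small loader. This is an added example, not code from any commenter or from the post; HMAC-SHA256 stands in for a real code-signing signature, and the loader classes, key and file names are hypothetical.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed demo key. Real code signing would use an asymmetric signature
# (the verifier holds only a public key); HMAC-SHA256 is a stdlib stand-in.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def sign(data: bytes) -> bytes:
    """Publisher side: produce the tag shipped alongside the code."""
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()


def verify(data: bytes, tag: bytes) -> bool:
    """Constant-time check that `data` matches the shipped tag."""
    return hmac.compare_digest(sign(data), tag)


class ValidateOnceLoader:
    """Check at first use, then trust the path from then on."""

    def __init__(self):
        self._trusted_paths = set()

    def load(self, path: str, tag: bytes) -> bytes:
        with open(path, "rb") as fh:
            data = fh.read()
        if path not in self._trusted_paths:
            if not verify(data, tag):
                raise PermissionError(f"signature check failed: {path}")
            self._trusted_paths.add(path)
        return data  # later loads return whatever is on disk now


class ValidateEveryTimeLoader:
    """Verify the exact bytes about to be used, on every load."""

    def load(self, path: str, tag: bytes) -> bytes:
        with open(path, "rb") as fh:
            data = fh.read()          # read once ...
        if not verify(data, tag):     # ... verify those same bytes ...
            raise PermissionError(f"signature check failed: {path}")
        return data                   # ... and return only what was verified


def demo() -> dict:
    """Change a file between two loads and record what each loader does."""
    original = b"print('plugin v1')\n"            # constructed sample "code"
    tampered = b"print('plugin v1, modified')\n"  # constructed later change
    tag = sign(original)
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "plugin.py")
        for name, loader in (("once", ValidateOnceLoader()),
                             ("every_time", ValidateEveryTimeLoader())):
            with open(path, "wb") as fh:
                fh.write(original)
            first = loader.load(path, tag)
            with open(path, "wb") as fh:   # modification after the first check
                fh.write(tampered)
            try:
                second = loader.load(path, tag)
                accepted = second == tampered
            except PermissionError:
                accepted = False
            results[name] = {"first_ok": first == original,
                             "tampered_code_accepted": accepted}
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The every-time loader also verifies the bytes it has already read rather than re-opening the file, so the check and the use cannot see different content.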

    albert • November 3, 2014 12:16 PM

    @Sancho_P

    @Jonas said: "...But realize these [domestic intelligence collection] practices have come about mostly due to well-meant efforts to provide the "security" that most Americans (who are now perpetually in fear of nearly everything) have expressed their desire for...."
    .
    You said; "...No one here questions it was “well-meant”..."
    .
    So now you're speaking for everyone.
    .
    I agree with Jonas's statement, except for the 'well-meant' part.
    .
    You said: "...Basically you say the purpose was hidden behind a nice looking cover?"
    .
    The answer to that "question" is NO.
    .
    You said;
    .
    "...Something along the lines of “ill-meant”?
    Like a conspiracy to destroy America, the land of the free and the home of the brave?
    If yes, who would be behind that? Congress? Racists? SCLC? Big business? The Mafia?

    Or is it again the “pöze Russe” (= Putin) pulling the strings?..."
    .
    So we go from implying the opposite, to a conspiracy to destroy America.
    .
    No conspiracy is required, America has proven to be quite capable of destroying itself. The unconstitutional actions of the [well-meaning] NSA are proof, in deed.
    .
    .
    @Harrington Horseface (Thank you for not speaking for me, or trying to put words in my mouth)
    .
    I agree, insider trading still happens, but why bother, when folks can make more money _legally_, without it.
    .
    I gotta go...

    Yah Blocko • November 3, 2014 6:28 PM

    Thoth is straight up right. Unless we the public adopt our own standards, (integrity checks on all files, signing, encryption,...) we might as well just roll over and die like dead dogs.

    Anyone who wants to know, can your device be infected while you retain physical possession, YES!!! There are many vectors that can be exploited to get access to your system. Even a device that is not connected to any physical or wireless network I can hack without ever getting physical access to and I'm working with a limited budget. I do security for business and I haven't seen one business yet that has not been infiltrated. Infected discs through the mail or dropped outside, or some mug picks up a USB, and there are carrier backdoors on your phone and multiple other exploits too many to name. Any wireless network is vulnerable and any wired network is vulnerable also and so is any physical device. A powerless device (battery removed) is secure, until you turn it on.

    The amount of surveillance and government hacking now active is breaking the internet as we knew it. Free speech is in massive decline, huge internet black spots or dead zones now exist as data retention laws force ISPs to stop providing free data mirroring services on the backbone due to the cost of storing bulk data.

    In spite of increased surveillance and cops dumping data off mobile towers, more hacking, DDoS, NTP reflection and amplification attacks increase, banking fraud, etc etc etc.... The last year or so has seen a massively escalating online war zone and it just gets worse all the time. AngryAussie

    Sancho_P • November 3, 2014 6:59 PM

    @ Harrington Horseface, @ albert

    Thanks for your reply.
    Yes, my posting has been sarcastic because I wanted to wake people up.

    The whole thing started with someone (@Jonas) singing like:
    ‘don’t compare it to evil communist GDR, it’s much much better here in the U.S. - and realize, these practices have come from well-meant efforts to provide security that Americans desire’.

    This idea is a bit naive, as the intention in the communist GDR was “well-meant”, and as I think, it is in the U.S (let me clarify that below).
    Also the intention to secure someone by all means doesn’t allow to suffocate them.

    So my reply @Jonas was already provoking - but honest from my side.
    He didn’t reply but instead @albert piped up, challenging the “well-meant”.

    So this is the point now:
    If it (the surveillance, to put it simply) wasn’t well-meant then it must be “not well-meant” or ill-meant,
    and if so, there should be a plausible reason for that fact.

    @albert came with the “no, it was designed to appear to be well-meant”, which
    a) doesn’t touch / explain the initial intention ("no, not well-meant")
    b) is questionable because we never heard nice music from them, neither before nor after Snowden, just silence.
    c) is wrong, it wasn’t designed to appear in public but designed to remain secret, no need of any nice cover.

    Thus my reply was sarcastic, too.

    Now what @Harrington Horseface replied may be worth discussing / an extra reply, but it does not cover the very first intention why any kind of surveillance state was implemented, before the need of a cover up or the inevitable consequences (abuse).

    @ albert

    I apologize for the “No one here”, seems I was wrong.
    But I can’t follow your “America has proven to be quite capable of destroying itself”, there is still no hint who could be behind “not well-meaning”. Be it “America” is too abstract for me.

    I believe in the good intentions.
    Some intelligent, powerful and paranoid (likely white and old) Americans have the very best intentions to serve their country and to fill their pockets.
    That’s the beginning of every surveillance state.

    Skeptical • November 4, 2014 3:26 AM


    A brief rant:

    The comparisons of the NSA to the Stasi are execrable. They reveal either a stunning historical ignorance of the DDR or a stunning contemporary ignorance of the United States. Do you think Greenwald and Poitras could have traveled to East Germany to receive an award for publicizing leaks from the Stasi? Do you think The Guardian would transfer material stolen from the Stasi to a paper in East Germany in order to safeguard it? Do you see critics of the President being disappeared and tortured?

    There are lots of legitimate privacy concerns we need to address. The post raises some. But these ludicrous nutjob conspiracy theories that pop up in the comment threads are distractions - and quite frankly they are at times offensive distractions.

    Nor should Naomi Wolf's absolutely absurd theses regarding fascism and the US be cited as authority for anything. This is the same author who compared the events in Germany post 1933 to events in the US post 9/11. Anyone remotely familiar with the history of the 1930s in Germany would feel immediate regret for having wasted their time on her bullshit. I'm not sure I've ever seen more silly arguments than her own outside of the fevered idiocy of an Alex Jones show.

    Free speech and dissent are vibrant and well protected in the United States. Indeed they are better protected than in most of Europe by a slim margin. There are Tea Parties and Occupy Protests and cable news shows showing people arguing quite seriously that the President isn't an American citizen. And indeed, one of those people was invited to the White House Correspondents' Dinner. Many media outlets make their living from producing criticism of the government and government officials - the more outrageous and spectacular, the better.

    This is nothing, nothing, like East Germany, like contemporary Russia or the PRC, like any other truly closed society.

    Nor are we anywhere close to becoming like such societies. I can think of no firmer principle in American law than freedom of speech, nor one as well protected.

    So if we could dial back the bullshit tinfoil-hat conspiracy half-baked adolescent Hollywood-history "analysis" evident in this comment thread and far too many others, and address some actual legitimate privacy concerns - such as those raised in the post - that'd be great.

    Clive Robinson • November 4, 2014 4:48 AM

    @ JonKnowsNothing,

    When you talk about GPS, are you talking about a standalone unit or the GPS units in your mobile phone and some SatNavs that get updates via mobile phone etc?

    Because GPS is a "receive only system" but systems with GPS in them can and do transmit location details via other communications links.

    Oh by the way Bluetooth receivers don't need to read GPS data, it's actually shorter in range than the positional error on most GPS units with SA on thus simple trig direction finding would be more accurate.

    There are however some satellite systems such as EPIRB that do transmit back to satellites but, they would not work if more than one or two beacons were on in any one area at any time. They work by transmitting at 406MHz with a better than 2 parts per billion frequency stability at around 5 watts. The satellite gets a "Doppler shift track fix" on the beacon and requires a minimum of two different tracks to get a fix to around a 12Km search area (officially within a 5Km radius). Most such EPIRB PLB systems these days have either an inbuilt GPS or the VHF international distress "aeronautical beacon" on a frequency of 121.5MHz and around 10-100mW so that search aircraft can localise the PLB.

    There are a number of satellite PLB systems other than EPIRB such as SPOT that work in various ways but they are not as common or have similar coverage / reliability.

    Nick P • November 4, 2014 10:10 AM

    @ Jonas

    Forgot to put down that I agree with your assessment that directly comparing American surveillance state to the Stasi is nonsense. There's certainly comparisons, though, in certain specific activities the U.S. government is doing and what officials are saying to justify them. Many more comparison points than should exist in a republic. Yet, most of us are still free to say so without significant consequences and that's a key difference nobody should forget.

    Nick P • November 4, 2014 10:22 AM

    @ Skeptical

    U.S. TLA's vs Stasi: Valid points of comparison

    Well said except with certain caveats. The U.S. can and *does* kidnap/torture U.S. and foreign citizens under "extraordinary rendition." They can indefinitely detain people without charges. They spy on their citizens via electronic surveillance and DHS/FBI's pushes for people to rat on others' suspicious behavior. They also operate in secrecy under secret interpretations of law with criminal immunity for violations. Almost all the activity happens in one branch of government with riskiest programs in black boxes (SAP's/USAP's) other branches aren't cleared for. So, we have organizations with no checks and balances that can suspend any and all Constitutional rights of U.S. citizens arbitrarily, in secret, and with no punishment for wrongdoing.

    Our situation is not Stasi: it's better in some ways and terrifyingly worse in others. The worst part is that citizens of this country are brought up thinking they live in a republic with inalienable rights giving them presumption of innocence, protection from unlawful search, protection from cruel/unusual punishment, & right to a day in court over charges. The reality is that they live in a country where NSA/DHS presumes them guilty until its surveillance has enough data to say otherwise, their systems are hacked in secret without traditional warrants, they can be grabbed for no reason, they can be tortured in secret prisons, and they will have no way of rejecting these in any court. Much like in certain dictatorships or fascist regimes.

    The difference here is there's enough laws to push people in a direction the government is fine with (e.g. overall stability). There's also enough laws that everyone is guilty of something. FBI and courts can handle the vast majority of problems. Their use of both surveillance and police state power was kept secret to avoid backlash. The surveillance state use is *massive*. The use of police state power is very selective and compartmentalized, reducing the risk to the majority of the public & the risk of the public to their continued existence. Our system is therefore a hybrid where two forms of government, a large republic & a small police state, run side-by-side with certain interactions and rules.

    This post-9/11 development was a truly brilliant subversion of the republic. It's brilliant because it worked, it's still expanding, and it's one of the few models that might last as long as the country. People watching the TV will never see enough wrongdoing to justify a massive rebellion. This proved true after every leak of lies and abuses: they griped about it at worst. The secret organizations continue doing whatever they want with even Congress being in the dark absent leaks. These secret power structures are an existential threat to liberty on one hand and have provided virtually no benefit on the other. That's an unacceptable tradeoff in a republic: those organizations and laws supporting them have got to go.

    (Or get reformed with tons of accountability with criminal prosecutions for offenders.)

    Sancho_P • November 4, 2014 6:17 PM

    @ Nick P

    This article clearly summarizes our disaster, I didn’t know the site, thanks for the link!

    One should believe that those powers could rule the world much better than any democracy can. They have all information (+ think tanks) and are by far more intelligent than the masses [1].
    But they can’t.
    Imagine, they know it’s coming to a bitter end but can’t avoid it, for several reasons. The first is they are captured in their spider net.

    The only thing they can do is buy them (and us) some years.

    [1] They may have other deficits, though.

    Ashamed • November 4, 2014 11:36 PM

    @Skeptical


    "So if we could dial back the bullshit tinfoil-hat conspiracy half-baked adolescent Hollywood-history "analysis" evident in this comment thread and far too many others, and address some actual legitimate privacy concerns - such as those raised in the post - that'd be great."

    Beyond "I'm rubber, you're glue...", Let's get started. Please propose an alternative suggestion to-

    MySuggestion: Fire the NSA, Rehire a new NSA, with a new mission nearly the opposite of

    "ensuring an insecure Internet for everyone, the NSA enables companies like Hacking Team to thrive."

    And therefore leading places like China and the many others listed in the post, to have technology to make their citizens' lives clearly worse than that under the Stasi (or at least that subset interested in watching performance art consisting of nothing but watching someone paint a wall white that previously had the title of Taylor Swift album written on it).

    I mean seriously, OK, let's set aside Stasi/US comparisons, and focus on Stasi/China. There is some serious doubleplus ungood doublespeak about topics such as 1989, and the second coming of Jesus around those parts. And suicide nets put up around the Foxconn factories that make our iPads because marketers don't like the bummer that workforce reality exudes if they aren't protected from their own unpatrioticness.

    The NSA surveillance strategy is getting lots of blood on lots of hands. And perhaps many more tears of those prevented from choosing to end their own lives in one last desperate political statement.

    Clive Robinson • November 5, 2014 1:11 AM

    One thing is clear over this US-v-East Germany argument is that some people cannot tell the difference between a dog's bite and its bark.

    Just to make it clear the bark is the noise it makes to advertise itself, the bite is what does you the harm, not the bark.

    So the fact that a government barks or does not bark is irrelevant when considering if it bites or not.

    As some have pointed out the US government has done quite a bit of biting as did the East German government.

    The East German government eventually got euthanized and thoroughly disposed of by reunification by its citizenship.

    The question is thus, does the US citizenship wish to euthanize the US Government or just put a muzzle on it?

    I had the misfortune to see a series of brief interviews with members of the US citizenship yesterday over poor voter turn out, a significant number of which were advocating more war to show the world the power of the US... I can only assume that they have forgotten the wounded and body bags of the last decade or so... such is a "home fit for heroes" where those brought back on their shields are so quickly forgotten as last weeks news.

    Sancho_P • November 5, 2014 3:49 PM

    I didn’t catch @Clive Robinson’s “bark / bite” analogy, but regarding paranoia and surveillance in the U.S. versus GDR I can say:

    Both have, respectively had, both.
    The big difference from U.S to the GDR is that at the latter it was done in the open.
    Everybody knew about the (chilling) surveillance and that you couldn’t trust anybody.
    But there was no cowardly secrecy, no lying about it.
    (A non-German, I had the “opportunity” to work behind the wall for some months / years)

    ”The East German government eventually got euthanized …”
    Err, their spirit (and some persons) ended up in the German government?
    Why do you think they’re interested in Angie’s “secret” phone calls to her hair dresser?
    Speaking Russian fluently - OMG - red alert in W.D.C.!!!
    ;-)

    @Nick P’s paragraph regarding U.S laws and “everyone is guilty of something” I would like to add the absolute joke of plea bargaining in the U.S.
    This is not justice, it is bypassing the judge, making justice a trade in favor of a lazy prosecution.
    It reminds me of buying groceries at the suk in Damascus.

    Sorry for being off topic, I’ll try to unplug my keyboard now for a while.

    Skeptical • November 6, 2014 2:38 AM


    @Nick P: The U.S. can and *does* kidnap/torture U.S. and foreign citizens under "extraordinary rendition."

    The United States does neither. For a brief period following 9/11, the US did commit acts against a number of high-level AQ personnel that could well be considered torture. The US also rendered captured persons to foreign governments, even when it was clear that those foreign governments would torture the detainee.

    However even in that period following 9/11, these were rare acts, and were not committed against US citizens. The worst treatment - waterboarding - was used on three people in the period between 2002 and 2003, and not since.

    Outside of those rare circumstances then, and in all circumstances today, US citizens enjoy the full panoply of their legal rights, and foreign persons captured are treated in accordance with humane standards.

    "They can indefinitely detain people without charges."

    No they cannot.

    "They spy on their citizens via electronic surveillance"

    With a warrant, yes. Just as the federal government could open your mail in 1790 with a warrant.

    "and DHS/FBI's pushes for people to rat on others' suspicious behavior."

    Encourage people to report things like abandoned backpacks in trains, not to report things like "hey the guy next door doesn't like the government."

    "They also operate in secrecy under secret interpretations of law with criminal immunity for violations."

    They operate under a system of oversight that includes every branch of government and both political parties. Obviously legal decisions regarding classified programs are themselves classified to a necessary but highly limited extent.

    "Almost all the activity happens in one branch of government with riskiest programs in black boxes (SAP's/USAP's) other branches aren't cleared for."

    Legal disclosure requirements obviate any need for those members of Congress, or in some circumstances federal judges, to obtain a security clearance in the ordinary sense. They have clearance by virtue of their position.

    "So, we have organizations with no checks and balances that can suspend any and all Constitutional rights of U.S. citizens arbitrarily, in secret, and with no punishment for wrongdoing."

    Except that's horseshit. There is no organization that can suspend the rights of US citizens arbitrarily, nor is there any without checks and balances. Even detainees at Guantanamo have full legal representation - often from some of the best law firms in the US - and a legal process that has been subject to multiple review by multiple courts.

    "Our situation is not Stasi: it's better in some ways and terrifyingly worse in others."

    No, our situation is not remotely similar to that of the DDR under the Stasi. It's not "terrifyingly worse" in any respect at all.

    "The worst part is that citizens of this country are brought up thinking they live in a republic with inalienable rights giving them presumption of innocence, protection from unlawful search, protection from cruel/unusual punishment, & right to a day in court over charges. The reality is that they live in a country where NSA/DHS presumes them guilty until its surveillance has enough data to say otherwise, their systems are hacked in secret without traditional warrants, they can be grabbed for no reason, they can be tortured in secret prisons, and they will have no way of rejecting these in any court. Much like in certain dictatorships or fascist regimes."

    Bullshit. As a US citizen you cannot legally be disappeared, tortured in secret prisons, and held without the ability to challenge the legality of your detention in court. Those are facts.

    "The difference here is there's enough laws to push people in a direction the government is fine with (e.g. overall stability). There's also enough laws that everyone is guilty of something."

    With all respect, more bullshit. Not everyone is guilty of something.

    "This post-9/11 development was a truly brilliant subversion of the republic. It's brilliant because it worked, it's still expanding, and it's one of the few models that might last as long as the country. People watching the TV will never see enough wrongdoing to justify a massive rebellion. This proved true after every leak of lies and abuses: they griped about it at worst."

    Bullshit. After treatment of detainees was disclosed, including that of the three persons waterboarded, the practice was the subject of a Congressional investigation and banned. That's not "griping" about it. That's banning the practice.

    "The secret organizations continue doing whatever they want with even Congress being in the dark absent leaks. These secret power structures are an existential threat to liberty on one hand and have provided virtually no benefit on the other. That's an unacceptable tradeoff in a republic: those organizations and laws supporting them have got to go."

    Snowden's leaks show that these organizations scrupulously document what they do, and that they voluntarily disclose their mistakes to the courts - even when those mistakes may result in the court shutting down the program. They show that these secret organizations are actually crawling with attorneys and oversight personnel, most of whom are genuinely concerned about abiding by the law.

    There are a lot of pressing issues in this country as to how we handle privacy, both with respect to the government and with respect to private companies. But the Stasi bullshit, the concerns that the US can simply grab citizens off the street and torture them, etc., are Hollywood-esque smokescreens that conceal the real matters of concern.

    While all this heat is being expended on non-existent threats like an "out of control US Government", we're losing sight of the actual interests at stake. Bills requiring absurd restrictions on foreign intelligence collection are being discussed while bills protecting privacy against intrusion from private companies are non-existent. Bloated speeches are given about an "out of control NSA" while actual policy solutions that involve more balanced oversight and disclosure go ignored.

    I've been polite about the endless Stasi comparisons, but no longer. They're delusional, and quite frankly if these are what drove Snowden to do what he did then I almost wish he could be prosecuted for sheer stupidity.

    AlanS November 6, 2014 10:59 AM

    @Skeptical "...these secret organizations are actually crawling with attorneys and oversight personnel, most of whom are genuinely concerned about abiding by the law."

    I am not going to jump in on the rest of your argument with Nick P but wanted to pick up on the rules, regulations, lawyers and compliance bit. I think your statement above is correct but there's a catch that is documented and argued in this paper:

    Schlanger, Margo. Intelligence Legalism and the National Security Agency’s Civil Liberties Gap. SSRN Scholarly Paper. Rochester, NY: Social Science Research Network, October 27, 2014. (There are also recent posts related to this paper, which is forthcoming in the Harvard National Security Journal, on Just Security.)

    Schlanger, who was the senior civil rights lawyer at DHS, documents in great detail the rise of what she calls "intelligence legalism" and explains its limitations and why it doesn't provide sufficient protection of civil liberties.

    "...neither the Constitution nor FISA aims to optimally balance security and liberty—and frequently analyzed difficulties in congressional intelligence oversight mean that new statutes are unlikely to fill that gap. Likewise the existing foundational Executive Order, 12,333, is at the very least out-of-date. Accordingly intelligence legalism, and its compliance mindset, cannot achieve optimal policy. Its concomitant empowerment of lawyers is real and important, but does not deputize a pro-civil-liberties force. Indeed, legalism actually both crowds out the consideration of policy and interests (as opposed to law and rights), and legitimates the surveillance state, making it less susceptible to policy reform."

    I don't think we should forget that back in the 1760s "writs of assistance" were determined to be legal by the courts in Massachusetts.

    AlanS November 6, 2014 11:05 AM

    @Skeptical: "...nor is there any [US organization] without checks and balances."

    On the significant limitations on checks and balances on the current security apparatus see:

    Glennon, Michael J. National Security and Double Government. SSRN Scholarly Paper. Rochester, NY: Social Science Research Network, January 10, 2014.

    Glennon starts by asking why there are practically no differences between Obama and Bush on national security issues. His explanation is that it is next to impossible for either the president, the congress or the courts to exert much influence on the military-industrial-surveillance bureaucracy. He points to the way the state has been hollowed out. The power has shifted but the trappings of the old regime remain to legitimate the actions of the new shadow state. (See also Schlanger's paper, cited earlier, in which she discusses how legalism legitimates the surveillance state and at the same time isolates it from real oversight and reform.)

    Glennon's paper echoes Eisenhower's 1961 Farewell to the Nation speech in which Eisenhower expresses concern about the potential for the rise of a powerful technocratic/military elite who will gain unwarranted influence and undermine free society.

    Nick P November 6, 2014 1:05 PM

    re indefinite detention

    "no they cannot"

    Yes they can. Originally started in the Patriot Act and now in the NDAA. There was a proposed amendment to prevent indefinite detention of U.S. citizens. That indefinite detention was upheld and that amendment was shot down by Congress says plenty. Good that some courts are trying to fight it already. That doesn't stop an agency in executive branch from grabbing you while your lawyers try to get something done in the courts.

    re rendition and torture

    Summary of extraordinary rendition. My statement on kidnapping and torture was undeniably true from the beginning of this program until an executive order in 2009. That changed the situation from kidnapping/blacksite/torture to kidnapping/blacksite/maybetrial. They narrowed it down a bit in 2011 with some promises made, although I'm unclear on accountability of those. The execution possibility comes from weaker testimony from CIA types on what happens to suspects depending on what country they're shipped to. Even dropping that one, we had torture up to 2009, kidnapping up to now, and no criminal liability for those involved in U.S.

    re disclosure

    " They have clearance by virtue of their position."

    The law, passed by Congress and upheld by courts, says otherwise. Only four committees get to know even basic information about a SAP. USAP's can restrict that further. Waived USAP's Congress has no oversight of at all & Congress has complained about them doing W-USAP's without authorization. The SAP/USAP security provisions also allow people on the inside to lie about the program to any uncleared individuals to ensure its confidentiality. Further, breaching the rules can be treated as a violation of the Espionage Act as so many leakers have showed us recently.

    That's theory, though, so let's look at results. Both Wyden and Feinstein testified they weren't properly informed about these programs. Wyden described being stonewalled on any specific answers to his questions. A number of Congressmen that fund these programs say they're blocked from information on them. Another, Grayson, couldn't get basic information on FISA rulings. He resorted to informing fellow Congressmen using Snowden leaks, but was warned he'd face sanctions if he kept it up.

    So, most are in the dark, they face repercussions for possessing/distributing information despite Speech/Debate clause, and even intelligence committees get stonewalled on details. My claim that Congressional oversight can be blocked by these programs with impunity stands the test of the evidence from Congress themselves.

    re with a warrant

    They had secret courts and secret interpretations of law in 1790? This article shows the government claimed they were only listening to foreign phone calls and they need a warrant from a judge to look at content. This wasn't the case under the Bush administration, with violations going unpunished saying something about accountability. The law was expanded in 2008 to allow warrantless surveillance of U.S. citizens if they communicated with a foreign national. This already contradicts official statements that any interception of Americans' calls needs a warrant.

    Further, the article reports that the NSA does *not* typically get warrants for individuals. Instead, it gets warrants for targeting criteria and guidelines. The FISC signs off on those. The NSA can then go after whoever they want that matches those criteria. FISC apparently didn't oversee or enforce the specifics. So, by your 1790 example, this would be equivalent to courts transferring their whole warrant issue process for individuals to the executive branch, allowing them to operate in secrecy, getting periodic reports on how it is being used, taking their word for that, and not prosecuting anyone for violations. It would've been shot down by 1791.

    On top of that, they authorized a number of exceptions where the NSA can unilaterally decide to do warrantless collection on Americans. Again, contradicting the government's (and your) position on this.

    re immunity

    The Administration's stance isn't just that the programs are technically legal. Their stance is a combination of state secrets and immunity. First, they claim any case about wrongdoing should be dismissed on grounds of state secrets. Second, the administration claims they have criminal immunity to any violations of U.S. surveillance laws. So far, no convictions, rollbacks, or terminations have happened due to surveillance abuses. Whether it legally sticks or not, they have these two things in practice. Criminal immunity for legal violations is as far opposite of accountability as one can get. So, there goes your assertion for the courts.

    re guilty of something

    Even if it's not everyone, it's a lot of people according to many law studies. This site has some good examples. The Rand Corporation tried a long time ago to count the total number of federal laws and regulations with criminal penalties. Their report was inconclusive. It's only expanded since then. So, you have a ton of vague laws, prosecutorial discretion, prosecutorial immunity, and high mandatory sentencing for many crimes. No wonder we have the highest prison population.

    That the FBI has been used against whistleblowers and even dissidents using internal channels supports my point that these are a risk.

    re banning the practice

    The torture was banned. Great. Everything else in my comment remains or expands. Not so great.

    Conclusion

    Overall, my claims hold up to the evidence minus a few points. The executive branch can use some police state powers against U.S. and foreign citizens. There are surveillance state activities going on involving mass collection and warrantless search of U.S. citizens. FISA oversight comes with no penalties for violators and little knowledge of specific actions against U.S. citizens. Congress (even Intelligence Committees) and the courts have no effective oversight, while Executive Branch also argues it's immune to prosecution for violations of federal law. Reporting leaked evidence of abuse continues to be a risk of prosecution for citizens or sanctions for Congressmen.

    I'd say a clear case that the checks and balances aren't in effect on these issues. The situation looks nothing like the Constitution mandates or even what most Americans thought was going on pre-Snowden. Even Congress was surprised, sometimes shocked, by the activities. So, if there is a call of bullshit, it's on your claim that these agencies are only performing authorized activities, that American targeting only happens with a warrant, that they collect only what they're allowed to, and that there's oversight/accountability. The leaks, Congress, and (real not FISA) courts have testified otherwise.

    Justin November 6, 2014 3:22 PM

    @Skeptical

    I apologize if you are offended at comparisons of the NSA to the Stasi. The one aspect where I stand by my claims, and which I find disturbingly Stasi-like is the use of "parallel construction" to conceal or lie about the source of intelligence (from NSA surveillance) shared with law enforcement and used in court to prosecute crimes.

    Nick P November 6, 2014 7:37 PM

    @ AlanS

    Oh I agree that it isn't solid yet. I think I mentioned something to that effect. Torture was illegal per U.S. law and international treaty when Bush/Cheney Administration launched black programs that used it. Obama Administration bans it, but USAP's remain mostly immune to Congressional oversight. So, who knows.

    bob November 7, 2014 6:59 AM

    Different angle: So the FBI pwns my computer with this software. The data magically appears on a computer at FBI hq. They arrest me. My time bomb stops getting the "dont erase" heartbeat and my hard drive is nuked.

    How do they prove in court they got the evidence from my PC? Is there judicial recognition of this stuff as being authentic? Don't they need to show the source code?

    AlanS November 7, 2014 8:25 AM

    @Nick P

    And note that they have declined to prosecute anyone engaged in torture but they did prosecute and jail the CIA officer who disclosed the use of torture to journalists. Their actions speak volumes.

    Nick P November 7, 2014 11:52 AM

    @ AlanS

    Absolutely. That trend repeated with Binney at NSA exposing Trailblazer and more recently the CIA guy getting documents to the public that were effectively cleared for the public. How dare these people betray America!?

    Sancho_P November 7, 2014 7:02 PM

    @ bob

    “My time bomb stops getting the "dont erase" heartbeat and my hard drive is nuked.

    How do they prove in court they got the evidence from my PC? Is there judicial recognition of this stuff as being authentic? Don't they need to show the source code? ”

    Generally they do not prove but testify. You would be hit by another “destroying of evidence” sentence, even if they have deleted it by their own stupidity.

    All the conglomerate of hardware, firmware, software and manual procedures in several government and non government (outsourced) institutions that would “prove” your guilt is:

    a) Protected because your lawyers could never review the correctness of data “analyzed” in secret programs at FBI hq, using data secretly collected by them or other agencies.

    b) Protected against any liability by the general rule that (also their) software can’t be free of error,
    but especially in your case there was of course no error in their data / findings
    (oh, that’s the law, sorry).

    There’s only one lesson to learn: You are on the short end of the lever.
    You were pwned, not your computer.
    Rest assured, that’s the same all over the world.

    However, in the U.S. you’d have the advantage of “plea bargaining”, so excellent lawyers could deal your sentence down from probably twice your lifetime to 2 years punishment without trial
    - if you surrender.

    Others don’t have that chance, beee happy!

    Skeptical November 8, 2014 6:16 PM


    @Nick P: "Yes they can. Originally started in the Patriot Act and now in the NDAA. There was a proposed amendment to prevent indefinite detention of U.S. citizens. That indefinite detention was upheld and that amendment was shot down by Congress says plenty."

    The NDAA does not provide for the indefinite detention of US citizens. In fact it explicitly states otherwise.

    "Even dropping that one, we had torture up to 2009, kidnapping up to now, and no criminal liability for those involved in U.S."

    The US certainly waterboarded 3 persons during 2002-2003. Does this mean that the power existed for the US to waterboard anyone? No.

    Does the exceptional nature of these acts excuse them? No - if they are unethical, then they are unethical. But that these acts are exceptional does limit the extent to which we can use them to characterize the United States.

    "The law, passed by Congress and upheld by courts, says otherwise. Only four committees get to know even basic information about a SAP. USAP's can restrict that further. Waived USAP's Congress has no oversight of at all & Congress has complained about them doing W-USAP's without authorization."

    Waived programs are disclosed to a smaller number of persons - it's a mistake to say that they're without any oversight at all.

    As to limiting oversight to certain committees - well, yes, that's what Congress decided when they passed the law. And for good reason. You may want more oversight, but it would be incorrect to claim that there's no oversight at all.

    "The SAP/USAP security provisions also allow people on the inside to lie about the program to any uncleared individuals to ensure its confidentiality. Further, breaching the rules can be treated as a violation of the Espionage Act as so many leakers have showed us recently."

    They do not allow perjury or making false material statements to federal officials in the course of an investigation. They simply allow an individual, indeed require an individual, to maintain a cover story under other circumstances.

    These two competing legal obligations have sometimes been exploited to great effect by Congressional committees.

    "My claim that Congressional oversight can be blocked by these programs with impunity stands the test of the evidence from Congress themselves."

    Members of Congress complaining is fairly paltry evidence. And some of the complaints you reference come down to fairly technical, narrow areas of dispute.

    "They had secret courts and secret interpretations of law in 1790?"

    Decisions by courts have long been, in certain circumstances, kept confidential. The FISC isn't a "secret court" (its existence is known, its members are listed, and it's a creation of Congress), but rather one designated especially to hear and decide on certain matters that, in the view of Congress, are particularly likely to require confidential treatment.

    There are legitimate questions about "parallel construction", but surprisingly little light has been shed on this subject.

    "Further, the article reports that the NSA does *not* typically get warrants for individuals. Instead, it gets warrants for targeting criteria and guidelines. The FISC signs off on those. The NSA can then go after whoever they want that matches those criteria."

    The NSA can target non-US Persons outside the United States for the purpose of foreign intelligence collection without a warrant. The FISC examines the procedures and criteria used by the NSA to make such determinations, but approval of those procedures and criteria doesn't obviate the basic legal limit against targeting US Persons without a warrant. For instance, the NSA can check boxes a through z in determining a target to be foreign, but if upon actually looking at the content they discover they made a mistake, then the surveillance is terminated immediately.

    Such mistakes are required to be reported. And when the FISC is dissatisfied with the explanation for the mistakes, or the measures taken to prevent such mistakes, it can order an extremely detailed review of a program - and by extremely detailed I mean everything from a large sampling of actual intercepts under the program to daily or weekly reporting requirements - or it can order the program terminated (or refuse to grant a new authorization).

    At this point, there are thousands of pages of documents released from FISC cases illustrating that.

    "On top of that, they authorized a number of exceptions where the NSA can unilaterally decide to do warrantless collection on Americans. Again, contradicting the government's (and your) position on this."

    Who authorized what exceptions?

    "The Administration's stance isn't just that the programs are technically legal. Their stance is a combination of state secrets and immunity. First, they claim any case about wrongdoing should be dismissed on grounds of state secrets. Second, the administration claims they have criminal immunity to any violations of U.S. surveillance laws. So far, no convictions, rollbacks, or terminations have happened due to surveillance abuses. Whether it legally sticks or not, they have these two things in practice. Criminal immunity for legal violations is as far opposite of accountability as one can get. So, there goes your assertion for the courts."

    An assertion of the state secrets privilege is subject to review by the court. It is intended to protect information, the disclosure of which would do significant or grave harm to national security, from being revealed in a lawsuit.

    If the court agrees with the assertion (and the court is free to disagree), and also finds that the plaintiff cannot make a case without the evidence protected by privilege, then the court will have no choice but to dismiss the case.

    Now, so far as criminal immunity is concerned, federal officials are not protected from criminal prosecution. They do have a qualified immunity in a civil context. Or are you thinking of something more particular here than a general immunity from criminal prosecution?

    "Even if it's not everyone, it's a lot of people according to many law studies. This site has some good examples. The Rand Corporation tried a long time ago to count the total number of federal laws and regulations with criminal penalties. Their report was inconclusive. It's only expanded since then. So, you have a ton of vague laws, prosecutorial discretion, prosecutorial immunity, and high mandatory sentencing for many crimes. No wonder we have the highest prison population."

    We have a high prison population in large part because of drug laws, which, though they may be misguided and in need of drastic change, are not vague.

    Indeed, if a criminal law fails to adequately specify the conduct proscribed, it can and should be found unconstitutional.

    Separately from all of the above, looking back at my original response to you, I think I was a little rude, and I apologize for that.

    Justin November 8, 2014 9:40 PM

    @Skeptical

    "There are legitimate questions about 'parallel construction', but surprisingly little light has been shed on this subject."

    NSA discovers evidence of evidence of a crime, and then tips off law enforcement. Trouble is that there was no probable cause and no warrant for the surveillance in the first place, so the evidence would be illegal to introduce in court, and moreover its source is classified information. Law enforcement then finds or invents some other pretext for probable cause to conduct a search and seizure, and that is then introduced as the probable cause and source of the evidence in court. The defense, judge, and even the prosecutor may be unaware that the original source of the information was unwarranted surveillance by the NSA.

    Techdirt covers it. William Binney explains a little bit about it toward the end of his presentation on the Snowden documents. Another article.

    By the doctrine of the "fruit of the poisonous tree," this is unconstitutional. The police may be acting on a tip from the NSA, but with "parallel construction" they are going to claim (rather untruthfully) that they arrived at the evidence by some other lawful means independently from the tip.

    tom November 9, 2014 12:28 AM

    The internet does not have to be replaced.

    If we were all to switch from cars to bikes, we would not have to remove all the roads and replace them with bikeways.

    With the right security at the end points and multiple transit points in TOR fashion, we can be secure right now.

    We just need some secure programs & computers and trustable "public" keys.

    AlanS November 9, 2014 9:15 AM

    @Justin, Skeptical and others on "parallel construction"

    It came up previously because the US Justice Department lied to the Supreme Court about it. (The Solicitor General may himself have been deceived into lying to the court.) This is one of the lies that was exposed by the Snowden leaks, the other big one being Clapper lying to Congress.

    There has been quite a lot of coverage of this issue e.g.

    Everyone should know just how much the government lied to defend the NSA

    Justice Dept. Criticized on Spying Statements

    When Will the Government Officially Correct the False Claims It Made to the Supreme Court About NSA Surveillance?

    DEA and NSA Team Up to Share Intelligence, Leading to Secret Use of Surveillance in Ordinary Investigations

    Skeptical November 9, 2014 9:39 AM


    @Justin: "NSA discovers evidence of evidence of a crime, and then tips off law enforcement. Trouble is that there was no probable cause and no warrant for the surveillance in the first place, so the evidence would be illegal to introduce in court, and moreover its source is classified information. Law enforcement then finds or invents some other pretext for probable cause to conduct a search and seizure, and that is then introduced as the probable cause and source of the evidence in court. The defense, judge, and even the prosecutor may be unaware that the original source of the information was unwarranted surveillance by the NSA."

    Your last paragraph contains the problematic assumption.

    "Techdirt covers it. William Binney explains a little bit about it toward the end of his presentation on the Snowden documents. Another article."

    All speculation based on the single Reuters article.

    "By the doctrine of the 'fruit of the poisonous tree,' this is unconstitutional. The police may be acting on a tip from the NSA, but with 'parallel construction' they are going to claim (rather untruthfully) that they arrived at the evidence by some other lawful means independently from the tip."

    This is the speculation part. The question is whether that is what is happening, or whether we're talking about something else entirely. For example, a DEA informant in Mexico, the existence of which informant is extraordinarily sensitive, tips DEA that a shipment of explosives is being sent to a new "franchise" being started in City X via Truck Y. DEA coordinates with appropriate agencies without disclosing the source of their information, who dispatch (state police, ATF, etc.) units to follow Truck Y and seek a reason to stop and search it that does not rely upon the DEA informant information. Truck Y, fortunately, is driving recklessly and is pulled over. The driver, more worried about rival gangs than police, turns out to be armed illegally. The truck is searched, the weapons found and seized.

    Question: Need the government disclose to the defense the precise method by which they decided to observe Truck Y as it traveled a public highway?

    Answer: No.

    Alternative scenario: DEA illegally breaks into a Person P's house, and discovers a note about meeting Truck Y at Time T to receive weapons shipment. They coordinate with local agencies, truck is followed, is driving recklessly, is pulled over, driver is armed illegally, truck is searched, weapons found and seized, and, because of other evidence found in the truck, the person is arrested and prosecuted.

    And let's say in this case that the prosecutor does not disclose the reason that Truck Y was being watched.

    Question: Is this a problem?

    Answer: Yes.

    Do we know which of the above two scenarios is occurring when we're talking about parallel construction?

    No.

    Beyond that, there are also alternative meanings to the phrase, which don't appear in the Reuters article, but which some of those they interviewed may have had in mind when using it.

    I've seen very little follow-up on the subject. There's actually a fair amount of depth here as to what a prosecutor has to disclose, and to whom.

    As a side-note, the exclusionary rule normally applies only to the person whose 4th Amendment rights were violated. That is, if your neighbor's house is illegally searched, and evidence is found and used against you in a prosecution, you're unlikely to succeed in having the evidence excluded as being the result of an illegal search.

    We'll see how things develop. This may turn out to be a big deal, or this may turn out to be nothing at all, or it may be somewhere in the middle - a few cases of clear misconduct, but nothing widespread.


    Photo of Bruce Schneier by Per Ervland.

    Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.