Peter Swire on the USA FREEDOM Act

Peter Swire, law professor and one of the members of the President's review group on the NSA, writes about intelligence reform and the USA FREEDOM Act.

EDITED TO ADD (6/28): Swire gave a talk on this at the Gardner Security Summit. Here are his slides.

Posted on June 16, 2015 at 6:59 AM • 49 Comments

Comments

Bob S. • June 16, 2015 7:32 AM

You can tell Mr. Swire is a politician as the very first sentence of his report is disingenuous doubletalk, re: "the USA FREEDOM Act, ending bulk collection under Section 215."

Maybe bulk collection is ended under Sec. 215, which was determined to be illegal anyway, but bulk data most certainly is still being collected. Data is being collected just as before for at least 6 months as allowed by the so called Freedom Act. It will be collected in perpetuity by the telecoms as now codified by the Freedom Act with access by the government authorized by rubber stamp co-opted judges acting in secret.

I am trying to adjust to the post Constitutional America, but it's hard sometimes. I train myself by watching news and movies about third world destitution, abuse, cracked-pot dictators, corrupt politicians, misery and general chaos.

Winter • June 16, 2015 8:09 AM

@Bob S
"You can tell Mr. Swire is a politician as the very first sentence of his report is disingenuous doubletalk, re: "the USA FREEDOM Act, ending bulk collection under Section 215." "

Or he could be a lawyer?

Anyhow, this whole discussion on National Security (all sides, from Libertarians to what passes for "communists" in the USA) reminds me of the famous quote of Benjamin Franklin:
We must all hang together, or assuredly we shall all hang separately.

From the other side of the pond, it looks just like every (sub-)group is fighting every other (sub-)group to the death. What I see is (USA) Americans that would not trust a compatriot if their life depended on it.

For which you need surveillance, of course. You cannot trust those other people.

So, Americans do not hang together and are thus hanged separately.

rgaff • June 16, 2015 8:26 AM

@Bob S

Naw, you haven't "adjusted" yet... wait till the first Tiananmen Square-Like Massacre... where they mowed down protesters with tanks and bullets and literal rivers of blood ran down the streets, then piled up the bodies, burned them up, and claimed "no-one died here" over and over on national television.... wait until the real fear for your life settles in... wait until everyone stops speaking out about it entirely in public from that fear, and only rarely in hushed tones to family members... so that the next generation doesn't even believe it happened... ubiquitous surveillance, remember? We are still way too outspoken. Just look at this blog! Bruce hasn't even gone to prison yet as a "dissident"... No, we're definitely not there yet.

But make no mistake, this is a future without the Constitution and other government-limiting and freedom-enabling provisions. All you pathological Constitution-haters have no idea what you're building for our future. You should live somewhere that doesn't have what we have for a while first, see the fear first hand, before you all decide this is what you love.

Winter • June 16, 2015 8:56 AM

@rgaff
"Naw, you haven't "adjusted" yet... wait till the first Tiananmen Square-Like Massacre... where they mowed down protesters with tanks and bullets and literal rivers of blood ran down the streets, then piled up the bodies, burned them up, and claimed "no-one died here" over and over on national television...."

The ongoing efforts of the Chinese leadership to suppress any mentioning of the Tiananmen Square massacre are correlated to the size of the trauma it inflicted on the same leadership.

I assume capable politicians know that if they deploy the armed forces on their own people, these same armed forces will overturn the government.

Listening to USA politicians, I often doubt whether they are that capable. But someone there must surely be capable?

Sasparilla • June 16, 2015 9:05 AM

Interesting read. The fellow seems entirely too optimistic about what has occurred so far and sounds like he thinks we're almost done with reform.

He seems to come from the perspective that the NSA will have to "request" access to the records that AT&T / Verizon etc. have in an individual, laborious process - when in reality it appears the NSA analysts and contractors won't see a difference at all - they'll already have their investigation level warrants and just do their queries (of whatever they want) and it'll source that information from DB's at AT&T / Verizon sources (which the NSA has set up) instead of from the NSA's own (i.e. no change).

His cheer-leading of the "leadership" of President Obama (from his background as a constitutional lawyer to his actions here etc.) are very difficult to swallow...accolading "the guy" who made the U.S. surveillance state the "new normal" (and much more difficult to roll back) instead of dismantling it (like he could have & was expected to) seems like the sunshine is getting blown very hard by the author.

It's good to point out, that a bunch of information was recently declassified (& book written) of what one of our prior Presidents did with regards to spying on U.S. citizens and political enemies, just because he could - that gives some perspective to what could be done with these new capabilities the POTUS has now...heard an interview with the author yesterday, here's the book for those that are interested:

http://www.amazon.com/One-Man-Against-World-Tragedy/dp/1627790837/ref=tmm_hrd_swatch_0?_encoding=UTF8&sr=1-1&qid=1434463312

Organ Grinder Monkey Dance • June 16, 2015 9:19 AM

Democrat apparatchik Peter Swire tries to salvage his reputation after his panel of servile ass-lickers crawled for Big Brother. His masters have trotted him out to sell his legal hackwork before the international community grades the US on the grave emergency of NSA surveillance. Swire doesn't dare think about Constitution Article VI because that might remind somebody of the binding legal commitment of ICCPR Article 17. That's above Swire's pay grade. Swire's standard statist legal indoctrination is reinforced by his sinecure at beltway beggar Georgia Tech, so he knuckled under to his betters in blowing off your privacy rights. Swire knows which side his bread is buttered on. Swire's shit-eating promise of more to come is a nice touch. Watch how that goes over at the treaty body plenary.

Dave • June 16, 2015 10:05 AM

It's easy to be skeptical, but I think of a lot of things in the political arena in terms of a pendulum. The USA Freedom act is the beginning of the pendulum swinging back toward sane intelligence policy. There's a long way to go, but this is a meaningful step in the right direction.

rgaff • June 16, 2015 10:29 AM

@ Winter

Over there it's not called "Tiananmen Square Massacre" it's called 6-4.... just like we say 9-11... Some things are just too horrible to say what they are, we call them by their dates, as if that makes them more palatable or something...

Think about the implications of this numbering system for a moment.... A mental equivalent to what we think is so horrible that we're willing to give up our freedom forever to make sure never ever can happen again.... their government did to their very own people because they did not have the freedom we have! Does it still sound like it's worth giving up? That's our future, folks, if we give it up! Look long and hard, stare that great dragon in the eyes until you feel its fire. Then come back and stop this madness!

GeorgeL • June 16, 2015 10:29 AM

@ Bob S., "Maybe bulk collection is ended under Sec. 215, which was determined to be illegal anyway, but bulk data most certainly is still being collected."

Telecoms have been collecting this data for billing purposes, most of which is outsourced to foreign countries anyways. I'm not sure how this legislation is being touted as a reform.

rgaff • June 16, 2015 10:38 AM

@Winter

"I assume capable politicians know that if they deploy the armed forces on their own people, these same armed forces will overturn the government."

Don't assume. Where there's enough of a will there's always a way. The first Chinese army division called to do the dirty deed did refuse 2 weeks earlier. They had to try again, with a second division from a poorer more distant part of the country... Not sure what happened to that first division either.

rgaff • June 16, 2015 10:41 AM

@ GeorgeL

I'm not sure how collecting cell tower triangulated geocoordinate locations of every phone in the country every second of every day counts as "for billing purposes" but whatever....

GeorgeL • June 16, 2015 10:53 AM

@ rgaff

Where is evidence that they are doing what you said? The cell towers must have some type of intelligent collection to handle signals for seamless mobility. They may not go as far as to calculate geocoordinates but it is reasonable for them to keep some data on signal strengths. Granted a subset of call "metadata" is needed for billing purposes. How would you propose roaming charges be handled without cell tower data?

keiner • June 16, 2015 11:30 AM

@Organ etc.pp.

Is only your NAME derived from an NSA acronym generator or is the whole comment created by "virtual" "intelligence"? :-D

rgaff • June 16, 2015 12:09 PM

@GeorgeL

Cell towers/phones sense signal strength to each phone/tower. It's part of the protocol for choosing the closest/strongest/best one. That much is needed for that, and that only. Roaming charges use which group of towers was selected, sure, but the details of exactly which tower within that group and how and why that tower was selected and why others weren't selected are NOT needed for roaming charges.

The issue is that signal strength also strongly correlates to distance from the tower, and when you get three of them together, and each cell tower location is known, then they can do "triangulation" on the phone location with quite a high degree of accuracy (within just a few feet if all 3 are fairly strong signal or more than 3 towers, within a few dozen to hundred feet if they're all poor). There is absolutely no business need for such triangulation, only surveillance need on the tower/provider end and your phone showing yourself on a map on the phone end. This is how it's so accurate when it plots you on a map, with or without GPS. Some phones also use GPS and known Wifi hotspot locations to further increase the accuracy, as the more redundancy in the system the greater the accuracy of the fix.

The point is, cell phone providers all have enough data on their own, if they save it and use it this way, to plot everyone's location often with pretty good accuracy without the phone "telling" them what the location is from all these things the phone uses... Your phone doesn't have to be "hacked" for the government to know where you are, they just have to give a single warrant to each provider that says "gimme all tower data, it's for, um, terrorism, yeah, that's what it is." On some models of phone this even happens if the phone is OFF... so I'm sure the government loves the fact that more and more phones don't support battery removal (and no, breaking the glass doesn't stop it like in the movies either).

If you would like to see some evidence of this, search Google for "cell tower dumps nsa" and you'll find everything you need. If you don't care, or are just annoyed at my suggestion to search Google, welp, see you at the next 6-4!

d33t • June 16, 2015 12:13 PM

"Multiple measures by the Obama administration add to the roster of intelligence reforms. In considering the response of this administration, I believe President Obama himself was in an unusually good position to weigh the competing equities about intelligence reform: he taught constitutional law at the University of Chicago, and so is deeply versed on the civil liberties issues; he has been Commander in Chief of the armed forces during a period of active combat, so that he has a trained and personal sense of responsibility about protecting the nation; and, he ran as the “Internet” candidate, using new communications technologies in innovative ways."

Further tired drivel from another shameless, devout apologist. So many public figures working and speaking in fine Edward Bernays fashion for the last 87+ years. Without absolute adherence to the art and warfare of public relations and sloppily crafted social engineering embedded in every sentence uttered by these presidents, congressional members and their minions, the US might look up from 32 ounce soda vats and notice the nonstop shafting, grifting and erosion of their civil rights. Comforted by empty speeches and credit card shopping sprees, we rarely take notice of the loss of life, time, liberty and privacy and our slow descent into a sugary, syrupy mediocrity. On the way down the pipe, we keep getting paid to have babies, by teaching them to smoke and then locking them up tight.

Organ Grinder Monkey Banana Treat • June 16, 2015 1:08 PM

@keiner, the insults above can be generated by a variety of algorithms given the moment-generating function defined by the expert panel empowered to interpret the US government's binding commitment to privacy rights,

Mx(t) = E[ The State party should Interpret the Covenant in good faith ]

So we are not constrained to credit Swire with any integrity or mind of his own. His government staked the nation's honor on a covenant with fingers crossed, and Swire's job is to weasel out of it somehow. Understandably, it's easier for Swire to ignore US commitments and hope nobody notices. Inside the US propaganda bell jar it just might work. In the outside world where the population is less downtrodden, it's ruinous.

Jayson • June 16, 2015 1:19 PM

@rgaff

"Naw, you haven't "adjusted" yet... wait till the first Tiananmen Square-Like Massacre..."

I doubt this will happen in the US, a massacre is something people can rally against. Crowd control is far more effective here, the prisons are spacious, the arsenal of non-lethal weapons is overstocked, and seasoned political spinsters can make any use of authoritative force palatable.

anonymous • June 16, 2015 1:54 PM

rgaff : "what we think is so horrible that we're willing to give up our freedom forever to make sure never ever can happen again"

Yes, Americans do think that freedom forever is so horrible that they will make sure it never happens again.

Peter A. • June 16, 2015 2:25 PM

@rgaff, GeorgeL:

For billing purposes only one datum from the cell phone is needed: the MSISDN, i.e. the identity of the subscriber - to know who to bill and how much (which plan applies). For roaming, detailed cell tower data is not needed - only the information that an "alien" phone connected to "my" network, regardless of at which tower specifically; the fact can be recognized by an MSISDN that's not in the local subscribers registry.

Well, occasionally the cell tower ID may be needed for some "clever" plans. Some ops offer discounted rates if the mobile phone does not move very much, i.e. stays on the tower or two that are close to subscriber's official address. This allows them to market their services as "land lines" - or "office phones", offering free calls between a set of mobile phones once they stay in one area.

The exact location of the mobile phone is NOT needed for billing.

***

Regarding "triangulation":

1. Signal strength/delay information is needed for technical operation of the network: adjusting transmission power, signal timing, adjusting data rate/modulation type/error correction settings, etc. etc. (depending on particular mobile network standard) to optimize network throughput and assure call stability. It is also used to direct the mobile to switch to a different tower(s), radio frequency or even a different system (of the same operator or a different one). This information is transient by nature and need not be stored - but infrequent snapshots of it often land routinely in various operators' detailed call logs for diagnostic purposes - which may be abused, of course. This is usually recorded at the start and at the end of each call, as well as at each handover (i.e. switching to a different tower while in a call). How long this detailed data is stored is an operator's policy, but it's definitely not needed for billing. Whatever location data is bulk-collected by the NSA et consortes is probably this information.

2. Signal strength and delay is measured continuously while the mobile is connected, i.e. has an active voice call, data transmission etc. When the mobile is idle, it does not transmit, even if it moves around - it only listens to the towers, and even then not all the time but in short periods (slots) - to save battery charge. In the idle state the network "knows" only a very approximate location of the phone, based on the last contact with a tower, called a paging area - one paging area may cover many square miles. The mobile "pings" the network when it moves to another paging area and also may "ping" once in a time (tens of minutes, usually). The network may "ping" the mobile at any time, but normally it is done only when necessary (incoming call etc.) "Pinging" all the mobiles every second would kill the network, there's simply not enough throughput. Of course it is possible to ping a very limited set of mobiles more often - this is often a "lawful interception" feature.

3. More or less exact location of the mobile may be determined, derived from:

a) the exact geographical location of the cell tower the mobile is currently connected to (or the one the mobile has contacted recently);

b) the approximation of the direction from the tower towards the mobile based on which of multiple antennas are receiving the signal from the mobile and with what strength/phase difference (resolution can be anything from a couple of degrees in case of phase offset measurements in multiple-antenna "receive diversity" setups to 120 degrees in typical three-sector setups to nothing at all in case of rural omnidirectional-antenna installations);

c) the approximation of the distance from the tower, calculated from the signal delay (with a resolution of tens to hundreds of meters, depending on the cellular system type).

Both b) and c) may be somewhat botched if the signal from the mobile arrives at the tower after bouncing off buildings etc. and not in a direct line-of-sight. This - rather imprecise - location can be derived from a single tower only, either from historical data like the call logs I mentioned above, or on-demand by "pinging" a mobile, or from taking live measurements using diagnostic interfaces during an ongoing call. Again, this is not something that's routinely done on all mobiles every so often as it would kill the network. Most often, it is done on request from high level location services, invoked by the subscriber himself or as legally enforced for emergency services/law enforcement purposes (user called 911 - or the White House). "Lawful interception" for a limited set of mobiles comes into play as well.

4. A more precise approximation is possible by multilateration, that is measuring the signal delay and/or strength on more than one tower, converting it to distance/direction approximations, calculating the possible areas as in 3. above and looking for overlapping ones. As far as I know it requires requesting the mobile device to take and return received signal power measurements of the nearby towers (this is a normal and completely innocuous step of a handover attempt) or "shoving" it around several towers to take timing measurements there. To the limited extent of what I have seen there's no "spy silently on this mobile without it connecting to you" code on cellular base stations. The latter is particularly not possible at all in mobile systems that use different radio frequencies for neighboring towers (like GSM, unlike CDMA) - they would require a forced "artificial" handover or a series of them to take multilateration measurements.

5. More and more mobiles have GPS or assisted GPS functionality that may be invoked by higher-level services. This is the most precise method. Again, it is infeasible to do for all mobiles very often. On the other hand, people voluntarily using various location-based services on their smartphones (usually unrelated to the cellular network features at all, but using an always-on Internet connection) can have their location stored by various companies quite often - ready for TLAs to harvest.
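An added illustration of points 3 and 4 in the comment above (not part of the original comment and not written by its author): it quantifies how coarse a single-tower fix from a logged sector and signal delay is, and how much a second tower's measurement narrows it. It assumes GSM timing advance as the delay measurement (one step is about 553 m of distance), a flat x/y grid in metres, and constructed tower positions and values.

```python
import math

C = 299_792_458.0                    # speed of light, m/s
GSM_BIT_PERIOD_S = 48 / 13 * 1e-6    # one GSM bit period, about 3.69 microseconds
# Timing advance counts round-trip delay in bit periods, so one step
# corresponds to half a bit period of one-way travel: about 553.5 m.
TA_STEP_M = C * GSM_BIT_PERIOD_S / 2


def ta_ring(ta):
    """Return (inner, outer) distance in metres for a GSM timing advance value.

    Simplification (assumption): value n is treated as covering n..n+1 steps.
    """
    if not 0 <= ta <= 63:
        raise ValueError("GSM timing advance is 0..63")
    return ta * TA_STEP_M, (ta + 1) * TA_STEP_M


def sector_area_m2(ta, beamwidth_deg):
    """Area of the ring segment a single tower narrows a phone down to."""
    r_in, r_out = ta_ring(ta)
    return math.pi * (r_out ** 2 - r_in ** 2) * min(beamwidth_deg, 360) / 360.0


def in_fix(fix, x, y):
    """True if point (x, y) is consistent with one tower's measurement.

    fix = (tower_x, tower_y, azimuth_deg, beamwidth_deg, ta); x is east,
    y is north, azimuth is a compass bearing (0 = north, clockwise).
    """
    tx, ty, azimuth, beamwidth, ta = fix
    dx, dy = x - tx, y - ty
    r_in, r_out = ta_ring(ta)
    if not r_in <= math.hypot(dx, dy) < r_out:
        return False
    if beamwidth >= 360:             # omnidirectional antenna: no direction info
        return True
    bearing = math.degrees(math.atan2(dx, dy)) % 360
    off_axis = (bearing - azimuth + 180) % 360 - 180
    return abs(off_axis) <= beamwidth / 2


def consistent_area_m2(fixes, cell_m=25.0):
    """Grid estimate of the area consistent with every fix in the list."""
    tx, ty, _, _, ta = fixes[0]
    reach = ta_ring(ta)[1]           # everything of interest lies within this radius
    steps = int(2 * reach / cell_m) + 1
    hits = 0
    for i in range(steps):
        x = tx - reach + (i + 0.5) * cell_m
        for j in range(steps):
            y = ty - reach + (j + 0.5) * cell_m
            if all(in_fix(f, x, y) for f in fixes):
                hits += 1
    return hits * cell_m ** 2


# Constructed sample values: two three-sector towers 2.5 km apart,
# each reporting timing advance 2 for the same phone.
TOWER_A = (0.0, 0.0, 90.0, 120.0, 2)       # sector pointing east
TOWER_B = (2500.0, 0.0, 270.0, 120.0, 2)   # sector pointing west

if __name__ == "__main__":
    single = sector_area_m2(TOWER_A[4], TOWER_A[3])
    both = consistent_area_m2([TOWER_A, TOWER_B])
    print(f"timing advance step: {TA_STEP_M:.1f} m")
    print(f"one tower, 120 degree sector: {single / 1e6:.2f} km^2")
    print(f"same tower, omnidirectional:  "
          f"{sector_area_m2(TOWER_A[4], 360) / 1e6:.2f} km^2")
    print(f"two towers combined:          {both / 1e6:.2f} km^2")
```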

rgaff • June 16, 2015 4:21 PM

@ Dave

Your pendulum analogy suggests that it's inevitable that the world get better and better, because most revolutions and wars and reforms result in great free nations.... not dictatorships and tyrannies. So temporary deviations from this inevitable improvement are nothing to be concerned about, just sit back and enjoy the ride into our great future world of bliss and freedom.

This is NOT how history has played out. In fact, quite the opposite. Every little inch of freedom was bought with great struggle and much blood. Giving it up is as easy as a simple penstroke. You see the disparity here? Can you see how easy it goes one way, and how hard it goes the other way? That means that there's a tendency toward the easy way. Away from freedom. Not the other way around.

And if we look back at history again, we'll see that most revolutions actually fail to achieve any good result. So this supports the logic presented above. Revolution is NOT something to welcome as a great way to equalize and fix things, it's something to be avoided at almost all costs, because it's really terrible. I say "almost" because there ARE a few things that are worse, but very few. It's far far easier to keep the freedom that we have, than to let it go and then try to regain it back again later if we realize we've accelerated too far down the easy road.

rgaff • June 16, 2015 4:47 PM

@ Peter A.

Thank you for your more precise, detailed, and informed technical descriptions than I had! Though I may have gotten some precise details a bit off, my main point remains intact: By requiring tower dumps, as the news articles have said they do, authorities monitor the physical locations of everyone throughout the day.

Ross Snider • June 16, 2015 5:07 PM

Nothing but noise.

Have you ever read anything that Cass Sunstein has written? The man is on the books as foundationally limiting free speech - so that people can choose what to say between a set of approved options. He believes that this speech is free because there are still choices. (He suggests that this should be enforced with governmental 'civilian affairs' engagement - sometimes covert government representatives injecting themselves into conversations to 'correct' dialogue).

This is a cheery representation of the FREEDOM act, which watered down essentially everything (because the House version was chosen) in a Bill that didn't go far enough.

Take a look at the Quadrennial Defense Review documents for 21st Century and the Defense Review Board recommendations for Strategic Communication - the "Sentry Eagle" top level strategic objectives of NSA signals collection leaked by Snowden - and the research being performed by DARPA SMISC.

The NSA surveillance platform is also a mass propaganda platform, used to track and shape the spread of information with sentiment and social media analysis - then supported by Persona Management and Astroturfing Software (e.g. Operation EARNEST VOICE).

Bullshit through and through. No matter how good Swire's intentions, this is a mistake.

FREEDOM doesn't go far enough. It's a drop in the bucket.

Peter A. • June 16, 2015 5:26 PM

Err, in my comment above I should have said IMSI not MSISDN. Late-night posting...

@rgaff:

My main point was that the bulk-collected location data cannot be as fine-grained as many people fear - but it's comprehensive enough for many "interesting" queries... but I got carried off into a longish technical post.

I am also unable to confirm or deny the notion that some (or most) mobile phones can and/or do "phone home" while (supposedly) turned off - and even if they can how ubiquitous it may be. While it is technically possible to do, I guess this would require special "targeting" like installing a special version of the software or enabling a special function of wide-deployed software, possibly remotely.

rgaff • June 16, 2015 7:21 PM

@Peter A.

My guess is that looking at how fast the battery is draining is a good relative indicator of how finely grained a given phone model or phones in general can be "mass" monitored while on a call, vs when on standby, vs when in "off" mode, vs battery taken out... because surely it takes some amount of power to detect and communicate the position each time. So what you're saying makes a lot of good sense. I would also further guess any targeting that makes it more fine grained than normal would also drain the battery faster (maybe even to the point of it being detectable, compared to before??)

I just remember the initial shock of it all... what? a so-called "free nation" government monitoring the location of every citizen all day every day of every year for decades in secret??? and so few even seem to care????

But yes, thanks again for the technical corrections, I will definitely be more careful using phrases like "every second" together with "all day" or whatever I was saying :) Every 20 min or whatever it is, is still all day though, and even if it's only a ping between handovers or something, that's still monitoring your general position every second all day, just not to a couple of feet accuracy every second. The fact is, if your battery is being used, you're being monitored.

Clive Robinson • June 16, 2015 8:01 PM

@ Peter A,

"I am also unable to confirm or deny the notion that some (or most) mobile phones can and/or do "phone home" while (supposedly) turned off - and even if they can how ubiquitous it may be."

It's actually quite easy to prove due to the way GSM transmits data.

GSM transmits in short bursts and the modulation scheme used has a sufficiently variable "envelope modulation" in the audio spectrum that it can and does interfere with audio amplifiers in "home audio" equipment.

You can build a detector circuit with an emitter follower or FET based high input impedance circuit with the equivalent of class b bias such that it becomes the equivalent of a "diode detector". The low output impedance then drives a simple audio T-type filter that is tuned to the appropriate audio frequencies; this drives an op-amp that feeds either a recording device or an audible output such as the piezo device used in cheap watch alarms.

If it detects output when the phone is in "soft off" then the case is proved.

Without going into rather boring detail the signals transmitted for "handover", "SMS" and quite a few other functions are sufficiently recognisable with this detector that you can make a "data-logger" with a very low cost very low power microchip and use the low impedance of the FET detector to trigger the micro's interrupt line. The micro's RTC will give time stamps and data can be written to a low power memory card. Such a device can run off two AAA cells for weeks at a time.

It's a simple one or two week project for 1st year undergrads to design and build then develop more interesting software etc for as a later project. Using the right PCB material and SMD components it can be made slim enough to actually be attached to the mobile phone's battery making it effectively "built in" for a phone with an appropriate external protective case.

rgaff • June 16, 2015 8:18 PM

@ xyzzy

Surely that's a joke and not actual serious quotes... they can't be that brazen and need their weasel words... unless the next 6-4 is a lot closer than I thought...

Justin • June 16, 2015 9:20 PM

What is it with these police/FBI comments lately? This one and this one, too on the other thread. Trouble with cops much? Or is the FBI asking questions and people are spooked?

65535 • June 16, 2015 10:43 PM

This legislation is a start but don’t get lulled into a false sense of security.

[First bullet from Peter Swire’s post]:

“Recommendation 1: Issue a Section 215 order only with judicial approval and heightened standard. The administration had already adopted this approach, and USA FREEDOM confirms it legislatively.”

I agree to some extent but not all. The other four bullets are not fully implemented. I’ll explain further.

[The last sentence is the most important]

“We should anticipate more changes to come” [enhanced privacy to come].

I think Bruce would agree with this because it is hard to get IT people motivated in politics [on the job pressures, new competitors and games eat into the ability of working tech people to engage in political action].

Any small win is better than any. Yet, more is certainly needed. Tech people of all stripes need to push harder for political reform.

As for Section 215, it has mainly been tweaked and renamed the USA Freedom Act and remains mostly intact with certain aspects moved into 702 or EO 12333.

Bulk collection of phone records may have stopped to 5 ms but restarted at the phone company/internet provider level.

The second circuit court of appeals ruled that bulk spying is illegal. That was changed behind closed doors.

[The Guardian]

‘Obama lawyers asked secret court to ignore public court's decision on spying’

“The Obama administration has asked a secret surveillance court to ignore a federal court that found bulk surveillance illegal and to once again grant the National Security Agency the power to collect the phone records of millions of Americans for six months. The …request, filed nearly four hours after Barack Obama vowed to sign a new law banning precisely the bulk collection he asks the secret court to approve, also suggests that the administration may not necessarily comply with any potential court order demanding that the collection stop.” –The Guardian

http://www.theguardian.com/world/2015/jun/09/obama-fisa-court-surveillance-phone-records

@ Bob S.

“You can tell Mr. Swire is a politician as the very first sentence of his report is disingenuous doubletalk, re: "the USA FREEDOM Act, ending bulk collection under Section 215." Maybe bulk collection is ended under Sec. 215, which was determined to be illegal anyway, but bulk data most certainly is still being collected.”

Exactly.

Not only is it being done by the telecommunication/Internet providers, the “Freedom to Spy Act” provides the same legal shield against lawsuits that 215 provided.

Eventually, there will have to be a show-down between the courts and the President’s powers. Executive orders can tear huge holes in the US Constitution.

@ Sasparilla

“The fellow seems entirely too optimistic about what has occurred so far and sounds like he thinks we're almost done with reform.”

I agree.

We need more pressure on the government to change this vast spy system – not to rest on laurels. Bulk collection has to stop. NSLs with gag orders have to stop and the Intelligence Community needs to slim down and quit wasting money in Black Budgets.

@ Organ Grinder Monkey Dance

“Democrat apparatchik Peter Swire tries to salvage his reputation after his panel of servile ass-lickers crawled for Big Brother. His masters have trotted him out to sell his legal hackwork before the international community grades the US on the grave emergency of NSA surveillance. Swire doesn't dare think about Constitution Article VI because that might remind somebody of the binding legal commitment of ICCPR Article 17.”

That’s a little harsh but generally true.

@ GeorgeL

“Telecoms have been collecting this data for billing purposes, most of which is outsourced to foreign countries anyways. I'm not sure how this legislation is being touted as a reform.”

There is not much reform. Even the EFF that Bruce is associated with did not support the bill. It would have been better if 215 had just died and no new “Freedom” legislation was passed.

“[The] EFF is withdrawing our support of the bill. We’re urging Congress to roll the draft back to the stronger and meaningful reforms included in the 2013 version of USA Freedom and affirmatively embrace the Second Circuit’s opinion on the limits of Section 215.”

“…the "super minimization" procedures, which were key privacy procedures that mandated the deletion of any information obtained about a person not connected to the investigation, should be reintroduced. Key provisions establishing a higher legal standard and compliance assessment for the use of pen register/trap-and-trace devices, legal standing to sue the government over surveillance practices, and the original transparency provisions allowing government and corporate disclosure of surveillance orders should also be resuscitated.” -EFF

https://www.eff.org/deeplinks/2015/05/aclu-v-clapper-and-congress-how-second-circuits-decision-affects-legislative

@ rgaff

“…cell phone providers all have enough data on their own, if they save it and use it this way, to plot everyone's location often with pretty good accuracy without the phone "telling" them what the location is from all these things the phone uses... Your phone doesn't have to be "hacked" for the government to know where you are, they just have to give a single warrant to each provider that says "gimme all tower data, it's for, um, terrorism, yeah, that's what it is." On some models of phone this even happens if the phone is OFF... so I'm sure the government loves the fact that more and more phones don't support battery removal…”

I concur. The so-called “Business Records” law goes too far. The whole issue of what should be included in government searches under current law needs to be slimmed down. Geo location is simply not necessary in every government query. The government is mapping your every move.

@ Ross Snider

“…This is a cheery representation of the FREEDOM act, which watered down essentially everything (because the House version was chosen) in a Bill that didn't go far enough… look at the Quadrennial Defense Review documents for 21st Century and the Defense Review Board recommendations for Strategic Communication - the "Sentry Eagle" top level strategic objectives of NSA signals collection leaked by Snowden - and the research being performed by DARPA SMISC… NSA surveillance platform is also a mass propaganda platform, used to track and shape the spread of information with sentiment and social media analysis - then supported by Persona Management and Astroturfing Software (e.g. Operation EARNEST VOICE). Bullsh1t through and through. No matter how good Swire's intentions, this is a mistake. FREEDOM doesn't go far enough. It's a drop in the bucket…”

I can’t refute that.

Just take a look at the Wikipedia entry:

‘“The bill ultimately passed the Senate 67-32 on June 2, 2015 and reinstated three lapsed authorities i.e. the "Section 215" authority, the "lone wolf" authority and the "roving wiretaps" authority of the Patriot Act… "This bill would make only incremental improvements, and at least one provision-the material-support provision-would represent a significant step backwards," ACLU deputy legal director Jameel Jaffer said in a statement. "The disclosures of the last two years make clear that we need wholesale reform." Jaffer wants Congress to let Section 215 sunset completely and wait for a better reform package than endorse something half-baked…Jennifer Granick, Director of Civil Liberties at Stanford Law School, stated:

The Administration and the intelligence community believe they can do whatever they want, regardless of the laws Congress passes, so long they can convince one of the judges appointed to the secretive Foreign Intelligence Surveillance Court (FISC) to agree. This isn't the rule of law. This is a coup d'etat.’-Wikipedia

https://en.wikipedia.org/wiki/USA_Freedom_Act

or

https://en.wikipedia.org/wiki/USA_Freedom_Act#Passage_in_Senate

[full pdf of the USA Freedom Act]

https://www.congress.gov/114/bills/hr2048/BILLS-114hr2048enr.pdf

[Empty wheel]

‘How the bills stack up’

“USA F-ReDux, as currently incarnated, would vastly expand data sharing, because data would come in through FBI (as PRISM data does) and FBI metadata rules are very permissive. And it would give collection on telephony and IP-based calls (probably not from all entities, but probably from Apple, Google, and Microsoft). It would not permit use for all intelligence purposes. And it is unclear how many of NSA’s analytical tools they’d be able to use (I believe they’d have access to the “correlations” function directly, because providers would have access internally to customers’ other accounts, but with the House report, other kinds of analysis should be prohibited, though who knows what AT&T and Microsoft would do with immunity). The House report clearly envisions federated queries, but they would be awkward to integrate with the outsourced collection.”-emptywheel

https://www.emptywheel.net/page/4/

GeorgeL • June 16, 2015 11:11 PM

@ Peter A., "For billing purposes only one datum from the cell phone is needed: the MSISDN, i.e. the identity of the subscriber - to know who to bill and how much (which plan applies)."

The subscriber info may tell you who to bill but in order to know how much to bill, it must also collect "call metadata" to compose billing entries. What rgaff said about "cell tower dumps" is another issue akin to server admins keeping and scanning server logs.

Keeping logs on equipment usage is fairly self-explanatory to even most of nontechnical blog visitors here like myself, so perhaps I'm not technical enough to understand the rationale behind why not to keep them from the phone operator perspective.

@ rgaff, "I will definitely be more careful using phrases like "every second" together with "all day" or whatever I was saying :) Every 20 min or whatever it is, is still all day though, and even if it's only a ping between handovers or something, that's still monitoring your general position every second all day, just not to couple foot accuracy every second."

So to put this back into perspective, how does USA Freedom affect these specific types of data collections as Bob S. posted?

Peter A. • June 17, 2015 4:08 AM

@Clive Robinson:

I did not say that "phoning home while off" behaviour is not detectable; it is, exactly in the way you've said. You can even cheaply buy various gadgets that flash a LED whenever the phone is accessing the network for any reason. Quite helpful sometimes...

Simply, I haven't observed such suspicious behaviour or found an article proving it beyond doubt - not that I monitor my phones 24/7 or have searched extensively for proofs. I still use "dumb" phones, so that may be one reason - or I am an "uninteresting" person. Good for me :-)


Even if there are credible proofs (which I have missed) of single instances of such covert operation they only prove that 1. it is technically possible at all (which is quite obvious) and 2. it actually occurs. The frequency, circumstances (e.g. models, versions, networks, countries/areas, profiles of the owners etc. etc.) and reasons - and therefore the actual risk arising from - of such occurrences is not known until someone performs an extensive and credible research - or leaks some secret files...

@rgaff:

It is definitely possible to detect extra transmit activity by monitoring battery drainage - but it will be quite difficult in practice out of a very controlled environment, as your daily routine most likely changes in a more significant way. I'll give two examples.

I have routinely observed that battery charge lasts much shorter when I drive all day than when I am mostly stationary. It is explained by the fact that while moving I cross various "borders" more often and the phone needs to re-register with the network more often.

Since I started using Bluetooth headset - only while driving, that is 1-3 hours a day on average - I need to charge my phone every 1-3 days instead of every 3-5 days. There's definitely something sub-optimal in my phone's Bluetooth implementation as the headset itself lasts 4-6 weeks on one charge of a much smaller battery.

Clive Robinson • June 17, 2015 4:44 AM

@ Justin,

What is it with these police/FBI comments lately?

Well it might have something to do with people starting to realise that "Rose Gardens" have "more thorns than flowers", and underneath the projected fragrance there is real pain, and close contact is going to get you hurt unless you are real careful.

Like all social groups that tend to isolate themselves, law enforcement has a "them and us" mentality which can and does create friction; it's especially true in "brotherhood organizations". Further as with any large enough group you get an almost entire microcosm of the human race from good to bad. When these two issues get combined the view in the brotherhood is "I've got your back..." which means that the bad of that society get protected for "the greater good" of that group, thus behaviour they absolutely would not tolerate in others, becomes accepted in a brother. And the "bad apples, rot the rest of the barrel".

Eventually the smell of the rot becomes so strong that others outside the group not just notice it but talk about it, and start to insist that "good neighborly behaviour" is to "clean up your backyard". Thus the sides start to polarize and the divide widen to the point where it is beyond building bridges, and the brotherhood move into "tribal behaviour" as do increasing numbers of others, at which point it only takes a spark.

One such is viewing a car with apparently innocent but frightened people in it having out of control police officers jumping up and down on it and indiscriminately firing so many bullets into it, it's obvious to any that they are behaving in a completely irrational way, and are actually behaving in a way that endangers themselves let alone any unfortunate person within a hundred yards or so.

There will always be those who say such behaviour has to be stopped and their argument is difficult to refute, so rather than try you get a knee jerk "blame the victims" response from the brotherhood, which unsurprisingly gets a similar response from those not in the group.

It's this that you are seeing, and it's only going to get worse until somebody finally starts to clear out the rot, either from within the brotherhood or from a point of influence that the brotherhood can not ignore. At some point a status quo will be reached and society in general will move on for a while and then the issues will arise again, as long as the brotherhood has a "them and us attitude" or allows one to develop.

Such as they say is life...

65535 • June 17, 2015 5:13 AM

@ Peter A.

There are a number of cell phone tracking services available online. I cannot vouch for their authenticity but some of them probably work. These tracking sites say they can track any time. So, I would assume they are using GPS or GSM locator services.

[advert]

Gpsphonetracker[dot]org

‘Phone Tracking America & Mobile Number Tracking Eurasia’

"GPS Phone tracking is not just a fantasy seen in movies and 'secret service' style TV shows. You can now take any cell phone number and input it into an online search tool, like the ones below, and get real time results. The most advanced mobile phone tracking services will give you access to different types of functionality including street level satellite mapping and setting of secure areas for alerts. It is worth bearing in mind that mobile phone location systems are not as accurate as gps tracking systems due to the triangulation method that gives an exact area the mobile phone is in. However in some towns and urban areas, these zones can be as small as 150 or 200 meters. More than enough to know that your child or your workers are where they should be! This free service will allow you to test it throughout 2016 in your area."

"Available Countries:
USA, Canada, United Kingdom, France, Germany, Spain, Portugal, Italy, Netherlands, Norway, Poland, Switzerland, Greece, Austria, Sweden, Denmark, Belgium, Australia, New Zealand, Mexico, Singapore, Malaysia, Brazil, Qatar, Saudi Arabia, United Arab Emirates, India, South Africa."

"Find who owns a cell phone or landline number. Results include name, address, and more."

"Enter a 10-digit phone number [in box] Search now!"

htttp://gpsphonetracker[dot]org/mobile-locate/

htttp://gpsphonetracker[dot]org/

rgaff • June 17, 2015 9:23 AM

@ GeorgeL

Keeping logs on equipment usage is fairly self-explanatory to even most of nontechnical blog visitors here like myself, so perhaps I'm not technical enough to understand the rationale behind why not to keep them from the phone operator perspective.

Geeks keeping activity logs to debug issues with their servers, is indeed a normal part of life... however... those are not needed for "business purposes".... if you define "business" as customer billing purposes and collecting money. If you define "business" as "providing any part of the service" then you have a point... however, in today's world where the police scoop up anything that moves on a routine basis, it would make sense that if you give two hoots about your customer and the constitution, you'd never ever keep logs any longer than absolutely necessary. They can't get what you don't have (well, ignoring equipment confiscation and forensic analysis, if you're not doing "secure delete").

On my own equipment I generally try to delete all logs every day that are older than 7 days as a matter of policy... that seems long enough to me that I can use them when I need to debug a recent problem, yet short enough that if police serve me a warrant they're not getting years and years of history. I do wish it were easier to integrate some kind of automatic secure deletion however, I haven't found a good way to do that, and with more and more things having SSDs instead of HDDs, I wish that even became effective! Not that I "have something to hide" but when I want something gone, I want it really gone, thank you very much, not coming back to haunt me in 20 years.

@Peter A.

Speaking of bluetooth battery usage... I did notice that using bluetooth to form a wireless network between two devices used way way less battery than using wifi...

Clive Robinson • June 17, 2015 10:39 AM

@ rgaff,

On my own equipment I generally try to delete all logs every day that are older than 7 days as a matter of policy... that seems long enough to me that I can use them when I need to debug a recent problem, yet short enough that if police serve me a warrant they're not getting years and years of history.

There is a problem with this which in many jurisdictions is willful destruction of evidence.

To avoid being charged with this you have to meet a couple of tests.

The first is to have a policy, the second is to have a reasonable need for the policy.

It's the second you have to watch out for, as it's up to the prosecutor and judge to decide what is reasonable or not.

And with prosecutors trying to argue that encrypted data on computers in locked rooms and closets is not equivalent to being in a safe but in plain sight, then you can see that your reasoning has quite a significant bar to reach in the "reasonableness" stakes.

And don't think a corporate lawyer can give you sensible advice; they probably won't give you anything useful, you need quite specialist legal advice...

rgaff • June 17, 2015 12:20 PM

@Clive Robinson

Indeed, I did not specifically use the word "policy" by accident!

There are lots of ways of arguing it's a reasonable need.... most services by default never delete logs at all, making your machine run out of space after a while, and stop working. This has happened to me a few times so I made a policy, and I try to keep to it as much as I reasonably can. Some services by default keep logs for much longer (but not forever), this is not only against my policy, but so far I've found it to be completely unnecessary, I'd rather reserve the space for more important things than such unnecessary things, so I modify them to be in line with my policy as much as I reasonably can.

There are cases where things don't line up with my policy, but as far as I can tell so far, these are all either cases where I simply haven't gotten to it yet or I didn't know it was there or I didn't learn how to enforce the policy there yet.

Keep in mind that none of these are legal documents or actual business records. If they were, consult a lawyer on what's reasonable in your jurisdiction.

Finally, just because you have excellent arguments that are likely to stand up in court is no guarantee that they will. Anyone can be sued or charged for almost anything at any time, and lose, no matter how just, good, honest, righteous, and legal their cause. It's a general risk that we all live with in today's overly-litigious society. Just do the best you can, avoid contact with police and all other authority figures when you can, keep as reasonably private as you can, and that's all you can do. Those who argue for no more privacy ever again are lying, because I haven't seen them post all their passwords and bank info on here yet...

Mike Amling • June 17, 2015 1:18 PM

@rgaff
"Over there it's not called "Tiananmen Square Massacre" it's called 6-4.... just like we say 9-11... Some things are just too horrible to say what they are, we call them by their dates, as if that makes them more palatable or something..."

We use color and shape to refer to the Presidential Palace and Supreme Military Headquarters. I presume color and shape are meant, like dates, to blunt the true meaning.

Buck • June 17, 2015 11:46 PM

@rgaff

... however, in today's world where the police scoop up anything that moves on a routine basis, it would make sense that if you give two hoots about your customer and the constitution, you'd never ever keep logs any longer than absolutely necessary. They can't get what you don't have ...

I think there may be some tricky situations that complicate this summation... How long exactly is absolutely necessary???

For example, let us say that one of your customers' accounts has been implicated in being involved with some sort of cyber/terrorism/thought crime... If a warrant is served after your policy dictates a purge of all relevant server logs, it might be much more difficult for your innocent user to exculpate themselves by showing that the real offender had logged in from some unrelated foreign IP address.

The same thing goes for cell-tower dumps. Say your customers' IMSI was captured by a stingray at the scene of a crime. By the time the trial has entered the discovery process -- Oops! You've already deleted the records that show your subscriber's handset had just pinged a tower hundreds of miles away, only moments before the alleged crime took place... :-\

Unless real legal reforms are made, the socially responsible sysadmin should make sure that their third-party 'business records' are made available (in the most secure manner possible) directly to the person of which they pertain. Not all users will be technically capable of handling this data though... If we have to assume that the 'agency' will have access to this information regardless, perhaps individuals could still keep their own private key and designate some trusted friends to hang on to encrypted versions of their 'meta-data', thus making intentional tampering more difficult..?

Clive Robinson • June 18, 2015 9:28 AM

@ Mike Amling,

We use color and shape to refer to the Presidential Palace and Supreme Military Headquarters. I presume color and shape are meant, like dates, to blunt the true meaning

In the case of the "White House" it covers up the burns and bullet marks, left after the British chased the then US President out of it. They also did similar damage to other buildings on an "eye for eye" basis over what US troops did a few years earlier to what is now Canada. The only good thing to come out of that whole sorry 1812 war, was that the cowardly and unprovoked attack on what were US citizens living there made them determined to break away and thus forge their own nation. For some reason although the "Tea Party" gets taught to US children, for some reason the ignominy of the 1812 war that the US started and lost does not get taught or where it does to the same level...

As for the shape of the Pentagon there was a "symbolic" reason for building it that shape, but the mists of time have made me not really remember from when I was told in the 1970s what it was.

CharlesL • June 19, 2015 4:42 AM

@ Buck, rgaff , "I think there may be some tricky situations that complicate this summation... How long exactly is absolutely necessary???"

Protecting your customers is definitely a good business practice, but there are rare cases where a business must protect itself from its customers. When I signed up for a VPN service, I was told to look for one that does not keep logs, but what type of assurance do customers have that these service providers are really log-less as advertised?

rgaff • June 20, 2015 11:35 AM

@ Buck

The conscientious law-abiding sysadmin is required to follow any warrant served him... he is NOT required to keep every possible data, metadata, and intermediate form forever just in case some future investigation might benefit from them. He should delete stuff he no longer needs (defined by his actual needs, not the government's, and not defined by how much space he has either), until a proper non-general warrant tells him to keep more for a specific person or account, then from that moment forward he should also keep only what's specified on the warrant, not everything.

We should not outlaw garbage cans and paper shredders... and force everyone to build huge storage warehouses to store every piece of garbage or junkmail forever, just in case it might benefit the police someday... Ridiculous. And ridiculous electronically too.

Also your logic of "but I need to keep everything to prove my innocence" assumes "guilty until proven innocent".... Under "innocent until proven guilty" you're better off having no trace of anything, good or bad, that you've ever done. Then, even if you've never done anything bad, there's also nothing innocent to twist into looking bad, see? And the average American commits 3 felonies per day they just don't know about, there are that many ridiculous laws, so you're kidding yourself if you think there's nothing bad. No, your best protection is for there to be no records anywhere, because everyone is guilty as sin of something and just doesn't know it yet. (but ubiquitous surveillance of every detail will uncover it all)

@ CharlesL

There are no such assurances, with government-coerced secrecy and lying.
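The retention approach discussed in the comments above (a fixed 7-day purge, with preservation scoped to one account once an order is served), sketched as an added example that is not part of the original thread or any commenter's code. The log format, account names, dates and the function names `filter_lines` and `purge_file` are all constructed assumptions.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=7)  # the 7-day window mentioned in the thread

# Constructed log format (an assumption): "<UTC timestamp>Z account=<name> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z account=(?P<account>\S+)"
)


def parse(line):
    """Return (timestamp, account), or None if the line is not in the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
    except ValueError:  # e.g. month 13: looks like a timestamp but is not one
        return None
    return ts.replace(tzinfo=timezone.utc), m["account"]


def filter_lines(lines, now, holds):
    """Split lines into (kept, purged).

    holds maps account -> time a preservation order was served. A held
    account keeps everything that was still inside the retention window
    when the order arrived, plus everything after; other accounts are
    unaffected, so the hold does not turn into keep-everything.
    """
    kept, purged = [], []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            kept.append(line)  # cannot date it: keep it and fix the parser
            continue
        ts, account = parsed
        in_window = now - ts <= RETENTION
        served = holds.get(account)
        on_hold = served is not None and ts >= served - RETENTION
        (kept if in_window or on_hold else purged).append(line)
    return kept, purged


def purge_file(path, now, holds):
    """Rewrite the log with only the kept lines; return how many were purged.

    os.replace swaps the file atomically but only unlinks the old blocks.
    This is ordinary deletion, not secure erasure (the SSD problem raised
    in the thread is untouched). The new file gets mkstemp's 0600 mode.
    """
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    kept, purged = filter_lines(lines, now, holds)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8") as out:
        out.writelines(line + "\n" for line in kept)
    os.replace(tmp, path)
    return len(purged)


# Constructed sample data, not real logs.
NOW = datetime(2015, 6, 20, tzinfo=timezone.utc)
HOLDS = {"bob": datetime(2015, 6, 15, tzinfo=timezone.utc)}
SAMPLE = [
    "2015-06-01T08:00:00Z account=alice action=login ip=203.0.113.5",
    "2015-06-05T08:00:00Z account=bob action=login ip=198.51.100.7",
    "2015-06-10T09:30:00Z account=bob action=login ip=198.51.100.7",
    "2015-06-11T10:00:00Z account=alice action=logout ip=203.0.113.5",
    "2015-06-18T10:00:00Z account=alice action=login ip=203.0.113.5",
    "kernel: disk almost full",
]

if __name__ == "__main__":
    kept, purged = filter_lines(SAMPLE, NOW, HOLDS)
    print("kept:", *kept, sep="\n  ")
    print("purged:", *purged, sep="\n  ")
```

A written policy plus a run log of each purge is what documents that deletion was routine rather than targeted, which is the point raised about the "policy" test earlier in the thread.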

Buck • June 20, 2015 1:31 PM

@rgaff

While I think it's great that some honorable people still believe in the laudable 'innocent until proven guilty' principle, I would suggest that you haven't been paying much attention to the slow chipping away of this constitutional right... Replacing this ideal, we now have a system of 'trial by media' in which LEO's & prosecutors can either collude with or manipulate news outlets to demonize their suspect in the public opinion, long before the trial begins. Throw in a few scary buzzwords like 'cyber' or 'terror' and the case is effectively closed. The prosecution can then collect only the damning information, or even outright refuse to provide exculpatory evidence to the defense by invoking phrases of dubious meaning such as 'national security' or 'state secret'... If the matters at hand are sufficiently technologically complex, most judges and juries will be none the wiser that they have only been presented with part of the story.

Buck • June 20, 2015 1:33 PM

@rgaff

While I think it's great that some honorable people still believe in the laudable 'innocent until proven guilty' principle, I would suggest that you haven't been paying much attention to the slow chipping away of this constitutional right... Replacing this ideal, we now have a system of 'trial by media' in which LEO's & prosecutors can either collude with or manipulate news outlets to demonize their suspect in the public opinion, long before the trial begins. Throw in a few scary buzzwords like 'cyber' or 'terror' and the case is effectively closed. The prosecution can then collect only the damning information, or even outright refuse to provide exculpatory evidence to the defense by invoking phrases of dubious meaning such as 'national security' or 'state secret'... If the matters at hand are sufficiently technologically complex, most judges and juries will be none the wiser that they have been presented with only part of the story.

Buck • June 20, 2015 1:39 PM

Oops! :-\

You raise a good point with the '3 felonies per day' though... When everyone is a criminal, those in power can selectively choose to prosecute whomever their biases deem undesirable. This is a big problem.

rgaff • June 20, 2015 11:30 PM

@ Buck

Indeed. You're damned if you do and damned if you don't... but you're damned a lot less if there's simply no trace anywhere of anything you've ever done. Even when you have NOT committed any "3 felonies a day" perchance (which is nigh impossible), having a full record of everything you've ever done gives lots of fodder for twisting innocent stuff to look bad.

https://youtu.be/6wXkI4t7nuc

Buck • June 21, 2015 12:19 AM

@rgaff

Fair enough... But then there's still the matter of records kept by companies where there is a business need (i.e. they sell the data). I could easily avoid using Google or Facebook (probably even the internet entirely), but to avoid creating a digital trail, I'd also have to avoid walking to the park, driving a car, riding the bus, going grocery shopping, having insurance or using any healthcare services... I doubt I'd live too long. I'd rather just get on living and hope no one decides to go after me or anyone else who's just trying to get by. I imagine if someone with the power to do that ever actually wanted to do so, there'd be no need to twist innocent stuff... Why bother with that when they could just as easily make stuff up?

rgaff • June 22, 2015 2:00 AM

It's easier to refute stuff when it's made up, and it's also harder to rationalize it as a "good thing" in some twisted way... So if given the choice, I'd rather make my enemies make stuff up than give them fodder to use against me. Of course we can't completely be cut off from the world unless we live in rare seclusion, but my point that it's better to limit collection of things when reasonable to do so is still valid.
