Entries Tagged "ACLU"

Page 2 of 4

Keeping Track of All the Snowden Documents

As more and more media outlets from all over the world continue to report on the Snowden documents, it’s harder and harder to keep track of what has been released. The EFF, ACLU, and Cryptome are all trying.

None of them is complete, I believe. Please post additions in the comments, and I will do my best to feed the information back to the compilers.

EDITED TO ADD (12/4): Here’s another compilation. And this mind map of the NSA leaks is very comprehensive.

EDITED TO ADD (12/5): Wikipedia also has an exhaustive list.

EDITED TO ADD (12/13): This is also good.

Posted on December 3, 2013 at 6:14 AMView Comments

Michael Chertoff on Google Glass

Interesting op-ed by former DHS head Michael Chertoff on the privacy risks of Google Glass.

Now imagine that millions of Americans walk around each day wearing the equivalent of a drone on their head: a device capable of capturing video and audio recordings of everything that happens around them. And imagine that these devices upload the data to large-scale commercial enterprises that are able to collect the recordings from each and every American and integrate them together to form a minute-by-minute tracking of the activities of millions.

That is almost precisely the vision of the future that lies directly ahead of us. Not, of course, with wearable drones but with wearable Internet-connected equipment. This new technology — whether in the form of glasses or watches — may unobtrusively capture video data in real time, store it in the cloud and allow for it to be analyzed.

It’s not unusual for government officials — the very people we disagree with regarding civil liberties issues — to agree with us on consumer privacy issues. But don’t forget that this person advocated for full-body scanners at airports while on the payroll of a scanner company.

One of the points he makes, that the data collected from Google Glass will become part of Google’s vast sensory network, echoes something I’ve heard Marc Rotenberg at EPIC say: this whole thing would be a lot less scary if the glasses were sold by a company like Brookstone.

The ACLU comments on the essay.

Posted on May 6, 2013 at 1:17 PMView Comments

State Department Redacts Wikileaks Cables

The ACLU filed a FOIA request for a bunch of cables that Wikileaks had already released complete versions of. This is what happened:

The agency released redacted versions of 11 and withheld the other 12 in full.

The five excerpts below show the government’s selective and self-serving decisions to withhold information. Because the leaked versions of these cables have already been widely distributed, the redacted releases provide unique insight into the government’s selective decisions to hide information from the American public.

Click on the link to see what was redacted.

EDITED TO ADD (3/2): Commentary:

The Freedom of Information Act provides exceptions for a number of classes of information, but the State Department’s declassification decisions appear to be based not on the criteria specified in the statute, but rather on whether the documents embarrass the US or portray the US in a negative light.

Posted on March 1, 2012 at 1:32 PMView Comments

The CIA and Assassinations

The former CIA general counsel, John A. Rizzo, talks about his agency’s assassination program, which has increased dramatically under the Obama administration:

The hub of activity for the targeted killings is the CIA’s Counterterrorist Center, where lawyers — there are roughly 10 of them, says Rizzo — write a cable asserting that an individual poses a grave threat to the United States. The CIA cables are legalistic and carefully argued, often running up to five pages. Michael Scheuer, who used to be in charge of the CIA’s Osama bin Laden unit, describes “a dossier,” or a “two-page document,” along with “an appendix with supporting information, if anybody wanted to read all of it.” The dossier, he says, “would go to the lawyers, and they would decide. They were very picky.” Sometimes, Scheuer says, the hurdles may have been too high. “Very often this caused a missed opportunity. The whole idea that people got shot because someone has a hunch­I only wish that was true. If it were, there would be a lot more bad guys dead.”

Sometimes, as Rizzo recalls, the evidence against an individual would be thin, and high-level lawyers would tell their subordinates, “You guys did not make a case.” “Sometimes the justification would be that the person was thought to be at a meeting,” Rizzo explains. “It was too squishy.” The memo would get kicked back downstairs.

The cables that were “ready for prime time,” as Rizzo puts it, concluded with the following words: “Therefore we request approval for targeting for lethal operation.” There was a space provided for the signature of the general counsel, along with the word “concurred.” Rizzo says he saw about one cable each month, and at any given time there were roughly 30 individuals who were targeted. Many of them ended up dead, but not all: “No. 1 and No. 2 on the hit parade are still out there,” Rizzo says, referring to “you-know-who and [Ayman al-] Zawahiri,” a top Qaeda leader.

And the ACLU Deputy Legal Director on the interview:

What was most remarkable about the interview, though, was not what Rizzo said but that it was Rizzo who said it. For more than six years until his retirement in December 2009, Rizzo was the CIA’s acting general counsel — the agency’s chief lawyer. On his watch the CIA had sought to quash a Freedom of Information Act lawsuit by arguing that national security would be harmed irreparably if the CIA were to acknowledge any detail about the targeted killing program, even the program’s mere existence.

Rizzo’s disclosure was long overdue — the American public surely has a right to know that the assassination of terrorism suspects is now official government policy ­ and reflects an opportunistic approach to allegedly sensitive information that has become the norm for senior government officials. Routinely, officials insist to courts that the nation’s security will be compromised if certain facts are revealed but then supply those same facts to trusted reporters.

Posted on April 11, 2011 at 6:33 AMView Comments

Never Let the Terrorists Know How We're Storing Road Salt

This seems not to be a joke:

The American Civil Liberties Union has filed a lawsuit against the state after it refused to release the construction plans for a barn used to store road salt, on the basis that doing so would be a security risk.

[…]

Chiaffarano filed an OPRA request for the state’s building plans, but was denied her request as the state cited a 2002 executive order by Gov. James McGreevey.

The order, issued in the wake of the Sept. 11 terrorist attacks on the World Trade Center and the Pentagon, allows the state to decline the release of public records that would compromise the state’s ability to “protect and defend the state and its citizens against acts of sabotage or terrorism.”

Lisa Ryan, spokeswoman for the Department of Community Affairs, declined to comment on the pending lawsuit.

Posted on December 8, 2010 at 2:27 PMView Comments

Kahn, Diffie, Clark, and Me at Bletchley Park

Saturday, I visited Bletchley Park to speak at the Annual ACCU Security Fundraising Conference. They had a stellar line of speakers this year, and I was pleased to be a part of the day.

Talk #1: “The Art of Forensic Warfare,” Andy Clark. Riffing on Sun Tzu’s The Art of War, Clark discussed the war — the back and forth — between cyber attackers and cyber forensics. This isn’t to say that we’re at war, but today’s attacker tactics are increasingly sophisticated and warlike. Additionally, the pace is greater, the scale of impact is greater, and the subjects of attack are broader. To defend ourselves, we need to be equally sophisticated and — possibly — more warlike.

Clark drew parallels from some of the chapters of Sun Tzu’s book combined with examples of the work at Bletchley Park. Laying plans: when faced with an attacker — especially one of unknown capabilities, tactics, and motives — it’s important to both plan ahead and plan for the unexpected. Attack by stratagem: increasingly, attackers are employing complex and long-term strategies; defenders need to do the same. Energy: attacks increasingly start off simple and get more complex over time; while it’s easier to defect primary attacks, secondary techniques tend to be more subtle and harder to detect. Terrain: modern attacks take place across a very broad range of terrain, including hardware, OSs, networks, communication protocols, and applications. The business environment under attack is another example of terrain, equally complex. The use of spies: not only human spies, but also keyloggers and other embedded eavesdropping malware. There’s a great World War II double-agent story about Eddie Chapman, codenamed ZIGZAG.

Talk #2: “How the Allies Suppressed the Second Greatest Secret of World War II,” David Kahn. This talk is from Kahn’s article of the same name, published in the Oct 2010 issue of The Journal of Military History. The greatest secret of World War II was the atom bomb; the second greatest secret was that the Allies were reading the German codes. But while there was a lot of public information in the years after World War II about Japanese codebreaking and its value, there was almost nothing about German codebreaking. Kahn discussed how this information was suppressed, and how historians writing World War II histories never figured it out. No one imagined as large and complex an operation as Bletchley Park; it was the first time in history that something like this had ever happened. Most of Kahn’s time was spent in a very interesting Q&A about the history of Bletchley Park and World War II codebreaking.

Talk #3: “DNSSec, A System for Improving Security of the Internet Domain Name System,” Whitfield Diffie. Whit talked about three watersheds in modern communications security. The first was the invention of the radio. Pre-radio, the most common communications security device was the code book. This was no longer enough when radio caused the amount of communications to explode. In response, inventors took the research in Vigenère ciphers and automated them. This automation led to an explosion of designs and an enormous increase in complexity — and the rise of modern cryptography.

The second watershed was shared computing. Before the 1960s, the security of computers was the physical security of computer rooms. Timesharing changed that. The result was computer security, a much harder problem than cryptography. Computer security is primarily the problem of writing good code. But writing good code is hard and expensive, so functional computer security is primarily the problem of dealing with code that isn’t good. Networking — and the Internet — isn’t just an expansion of computing capacity. The real difference is how cheap it is to set up communications connections. Setting up these connections requires naming: both IP addresses and domain names. Security, of course, is essential for this all to work; DNSSec is a critical part of that.

The third watershed is cloud computing, or whatever you want to call the general trend of outsourcing computation. Google is a good example. Every organization uses Google search all the time, which probably makes it the most valuable intelligence stream on the planet. How can you protect yourself? You can’t, just as you can’t whenever you hand over your data for storage or processing — you just have to trust your outsourcer. There are two solutions. The first is legal: an enforceable contract that protects you and your data. The second is technical, but mostly theoretical: homomorphic encryption that allows you to outsource computation of data without having to trust that outsourcer.

Diffie’s final point is that we’re entering an era of unprecedented surveillance possibilities. It doesn’t matter if people encrypt their communications, or if they encrypt their data in storage. As long as they have to give their data to other people for processing, it will be possible to eavesdrop on. Of course the methods will change, but the result will be an enormous trove of information about everybody.

Talk #4: “Reconceptualizing Security,” me. It was similar to this essay and this video.

Posted on November 9, 2010 at 6:01 AMView Comments

The FBI is Tracking Whom?

They’re tracking a college student in Silicon Valley. He’s 20, partially Egyptian, and studying marketing at Mission College. He found the tracking device attached to his car. Near as he could tell, what he did to warrant the FBI’s attention is be the friend of someone who did something to warrant the FBI’s attention.

Afifi retrieved the device from his apartment and handed it over, at which point the agents asked a series of questions ­ did he know anyone who traveled to Yemen or was affiliated with overseas training? One of the agents produced a printout of a blog post that Afifi’s friend Khaled allegedly wrote a couple of months ago. It had “something to do with a mall or a bomb,” Afifi said. He hadn’t seen it before and doesn’t know the details of what it said. He found it hard to believe Khaled meant anything threatening by the post.

Here’s the Reddit post:

bombing a mall seems so easy to do. i mean all you really need is a bomb, a regular outfit so you arent the crazy guy in a trench coat trying to blow up a mall and a shopping bag. i mean if terrorism were actually a legitimate threat, think about how many fucking malls would have blown up already.. you can put a bag in a million different places, there would be no way to foresee the next target, and really no way to prevent it unless CTU gets some intel at the last minute in which case every city but LA is fucked…so…yea…now i’m surely bugged : /

Here’s the device. Here’s the story, told by the student who found it.

This weird story poses three sets of questions.

  1. Is the FBI’s car surveillance technology that lame? Don’t they have bugs that are a bit smaller and less obtrusive? Or are they surveilling so many people that they’re forced to use the older models as well as the newer, smaller, stuff?

    From a former FBI agent:

    The former agent, who asked not to be named, said the device was an older model of tracking equipment that had long ago been replaced by devices that don’t require batteries. Batteries die and need to be replaced if surveillance is ongoing so newer devices are placed in the engine compartment and hardwired to the car’s battery so they don’t run out of juice. He was surprised this one was so easily found.

    “It has to be able to be removed but also stay in place and not be seen,” he said. “There’s always the possibility that the car will end up at a body shop or auto mechanic, so it has to be hidden well. It’s very rare when the guys find them.”

  2. If they’re doing this to someone so tangentially connected to a vaguely bothersome post on an obscure blog, just how many of us have tracking devices on our cars right now — perhaps because of this blog? Really, is that blog post plus this enough to warrant surveillance?

    Afifi’s father, Aladdin Afifi, was a U.S. citizen and former president of the Muslim Community Association here, before his family moved to Egypt in 2003. Yasir Afifi returned to the United States alone in 2008, while his father and brothers stayed in Egypt, to further his education he said. He knows he’s on a federal watchlist and is regularly taken aside at airports for secondary screening.

  3. How many people are being paid to read obscure blogs, looking for more college students to surveil?

Remember, the Ninth Circuit Court recently ruled that the police do not need a warrant to attach one of these things to your car. That ruling holds true only for the Ninth Circuit right now; the Supreme Court will probably rule on this soon.

Meanwhile, the ACLU is getting involved:

Brian Alseth from the American Civil Liberties Union in Washington state contacted Afifi after seeing pictures of the tracking device posted online and told him the ACLU had been waiting for a case like this to challenge the ruling.

“This is the kind of thing we like to throw lawyers at,” Afifi said Alseth told him.

“It seems very frightening that the FBI have placed a surveillance-tracking device on the car of a 20-year-old American citizen who has done nothing more than being half-Egyptian,” Alseth told Wired.com.

Posted on October 13, 2010 at 6:20 AMView Comments

Behavioral Profiling at Airports

There’s a long article in Nature on the practice:

It remains unclear what the officers found anomalous about George’s behaviour, and why he was detained. The TSA’s parent agency, the Department of Homeland Security (DHS), has declined to comment on his case because it is the subject of a federal lawsuit that was filed on George’s behalf in February by the American Civil Liberties Union. But the incident has brought renewed attention to a burgeoning controversy: is it possible to know whether people are being deceptive, or planning hostile acts, just by observing them?

Some people seem to think so. At London’s Heathrow Airport, for example, the UK government is deploying behaviour-detection officers in a trial modelled in part on SPOT. And in the United States, the DHS is pursuing a programme that would use sensors to look at nonverbal behaviours, and thereby spot terrorists as they walk through a corridor. The US Department of Defense and intelligence agencies have expressed interest in similar ideas.

Yet a growing number of researchers are dubious ­ not just about the projects themselves, but about the science on which they are based. “Simply put, people (including professional lie-catchers with extensive experience of assessing veracity) would achieve similar hit rates if they flipped a coin,” noted a 2007 report from a committee of credibility-assessment experts who reviewed research on portal screening.

“No scientific evidence exists to support the detection or inference of future behaviour, including intent,” declares a 2008 report prepared by the JASON defence advisory group. And the TSA had no business deploying SPOT across the nation’s airports “without first validating the scientific basis for identifying suspicious passengers in an airport environment”, stated a two-year review of the programme released on 20 May by the Government Accountability Office (GAO), the investigative arm of the US Congress.

Commentary from the MindHacks blog.

Also, the GAO has published a report on the U.S. DHS’s SPOT program: “Aviation Security: Efforts to Validate TSA’s Passenger Screening Behavior Detection Program Underway, but Opportunities Exist to Strengthen Validation and Address Operational Challenges.”

As of March 2010, TSA deployed about 3,000 BDOs at an annual cost of about $212 million; this force increased almost fifteen-fold between March 2007 and July 2009. BDOs have been selectively deployed to 161 of the 457 TSA-regulated airports in the United States at which passengers and their property are subject to TSA-mandated screening procedures.

It seems pretty clear that the program only catches criminals, and no terrorists. You’d think there would be more important things to spend $200 million a year on.

EDITED TO ADD (6/14): In the comments, a couple of people asked how this compares with the Israeli model of airport security — concentrate on the person — and the idea that trained officers notice if someone is acting “hinky”: both things that I have written favorably about.

The difference is the experience of the detecting officer and the amount of time they spend with each person. If you read about the programs described above, they’re supposed to “spot terrorists as they walk through a corridor,” or possibly after a few questions. That’s very different from what happens when you check into a flight an Ben Gurion Airport.

The problem with fast detection programs is that they don’t work, and the problem with the Israeli security model is that it doesn’t scale.

Posted on June 14, 2010 at 6:23 AMView Comments

Government Can Determine Location of Cell Phones without Telco Help

Interesting:

Triggerfish, also known as cell-site simulators or digital analyzers, are nothing new: the technology was used in the 1990s to hunt down renowned hacker Kevin Mitnick. By posing as a cell tower, triggerfish trick nearby cell phones into transmitting their serial numbers, phone numbers, and other data to law enforcement. Most previous descriptions of the technology, however, suggested that because of range limitations, triggerfish were only useful for zeroing in on a phone's precise location once cooperative cell providers had given a general location.

This summer, however, the American Civil Liberties Union and Electronic Frontier Foundation sued the Justice Department, seeking documents related to the FBI's cell-phone tracking practices. Since August, they've received a stream of documents—the most recent batch on November 6—that were posted on the Internet last week. In a post on the progressive blog Daily Kos, ACLU spokesperson Rachel Myers drew attention to language in several of those documents implying that triggerfish have broader application than previously believed.

Posted on November 26, 2008 at 6:06 AMView Comments

Sidebar photo of Bruce Schneier by Joe MacInnis.