Entries Tagged "courts"

Page 13 of 31

More Details on NSA Tapping the Internet Backbone

Two new stories: one from Der Spiegel in Germany (also reported in the Intercept) and the other from Dagbladet Information in Denmark (again, also reported in the Intercept). Lots of good information in both stories.

EDITED TO ADD (6/20): Der Spiegel has two other stories, as well as a large trove of source documents. The Dagbladet Information source documents are here.

And in related news, the US House of Representatives voted to ban NSA backdoor searches, as well as it weakening commercial products and protocols. There’s no chance it’ll become a law, but the 293-123 vote is a big deal nonetheless.

The current authority for the NSA’s bulk collection of telephone metadata expires today. A bunch of organizations have tried to urge the president not to renew it. I don’t think that’ll happen, either.

It’s a measure of the popular interest in this issue that the German/Danish story isn’t being reported by the US press, and I had to search to find the Congressional vote on the New York Times and Washington Post sites. Only the Guardian had it as a home page headline. No one is reporting today’s renewal of the telephone metadata program.

EDITED TO ADD (6/21): The bulk surveillance of Americans’ phone call records program has been renewed. And Der Spiegel published an editorial explaining why it broke the story and released the secret NSA documents.

EDITED TO ADD (6/23): Marcy Wheeler noticed at the FISC order renewing the bulk surveillance order came with some sort of memorandum opinion.

EDITED TO ADD (7/14): Good commentary from the comments.

Posted on June 20, 2014 at 9:43 AMView Comments

Government Policy on Cell Phone Interception Technology

New paper: “Your Secret Stingray’s No Secret Anymore: The Vanishing Government Monopoly Over Cell Phone Surveillance and its Impact on National Security and Consumer Privacy,” by Christopher Soghoian and Stephanie K. Pell:

Abstract: In the early 1990s, off-the-shelf radio scanners allowed any snoop or criminal to eavesdrop on the calls of nearby cell phone users. These radio scanners could intercept calls due to a significant security vulnerability inherent in then widely used analog cellular phone networks: calls were not encrypted as they traveled over the air. In response to this problem, Congress, rather than exploring options for improving the security of cellular networks, merely outlawed the sale of new radio scanners capable of intercepting cellular signals, which did nothing to prevent the potential use of millions of existing interception-capable radio scanners. Now, nearly two decades after Congress passed legislation intended to protect analog phones from interception by radio scanners, we are rapidly approaching a future with a widespread interception threat to cellular communications very reminiscent of the one scanner posed in the 1990s, but with a much larger range of public and private actors with access to a much more powerful cellular interception technology that exploits security vulnerabilities in our digital cellular networks.

This Article illustrates how cellular interception capabilities and technology have become, for better or worse, globalized and democratized, placing Americans’ cellular communications at risk of interception from foreign governments, criminals, the tabloid press and virtually anyone else with sufficient motive to capture cellular content in transmission. Notwithstanding this risk, US government agencies continue to treat practically everything about this cellular interception technology, as a closely guarded, necessarily secret “source and method,” shrouding the technical capabilities and limitations of the equipment from public discussion, even keeping its very name from public disclosure. This “source and method” argument, although questionable in its efficacy, is invoked to protect law enforcement agencies’ own use of this technology while allegedly preventing criminal suspects from learning how to evade surveillance.

This Article argues that current policy makers should not follow the worn path of attempting to outlaw technology while ignoring, and thus perpetuating, the significant vulnerabilities in cellular communications networks on which it depends. Moreover, lawmakers must resist the reflexive temptation to elevate the sustainability of a particular surveillance technology over the need to curtail the general threat that technology poses to the security of cellular networks. Instead, with regard to this destabilizing, unmediated technology and its increasing general availability at decreasing prices, Congress and appropriate regulators should address these network vulnerabilities directly and thoroughly as part of the larger cyber security policy debates and solutions now under consideration. This Article concludes by offering the beginnings of a way forward for legislators to address digital cellular network vulnerabilities with a new sense of urgency appropriate to the current communications security environment.

Posted on May 21, 2014 at 9:51 AMView Comments

Putin Requires Russian Bloggers to Register with the Government

This is not good news.

Widely known as the “bloggers law,” the new Russian measure specifies that any site with more than 3,000 visitors daily will be considered a media outlet akin to a newspaper and be responsible for the accuracy of the information published.

Besides registering, bloggers can no longer remain anonymous online, and organizations that provide platforms for their work such as search engines, social networks and other forums must maintain computer records on Russian soil of everything posted over the previous six months.

Posted on May 9, 2014 at 6:14 AMView Comments

DRM and the Law

Cory Doctorow gives a good history of the intersection of Digital Rights Management (DRM) software and the law, describes how DRM software is antithetical to end-user security, and speculates how we might convince the law to recognize that.

Every security system relies on reports of newly discovered vulnerabilities as a means of continuously improving. The forces that work against security systems—scripts that automate attacks, theoretical advances, easy-to-follow guides that can be readily googled—are always improving so any system that does not benefit from its own continuous improvement becomes less effective over time. That is, the pool of adversaries capable of defeating the system goes up over time, and the energy they must expend to do so goes down over time, unless vulnerabilities are continuously reported and repaired.

Here is where DRM and your security work at cross-purposes. The DMCA’s injunction against publishing weaknesses in DRM means that its vulnerabilities remain unpatched for longer than in comparable systems that are not covered by the DMCA. That means that any system with DRM will on average be more dangerous for its users than one without DRM.

Posted on February 12, 2014 at 7:15 AMView Comments

EU Might Raise Fines for Data Breaches

This makes a lot of sense.

Viviane Reding dismissed recent fines for Google as “pocket money” and said the firm would have had to pay $1bn under her plans for privacy failings.

Ms Reding said such punishments were necessary to ensure firms took the use of personal data seriously.

And she questioned how Google was able to take so long to getting round to changing its policy.

“Is it surprising to anyone that two whole years after the case emerged, it is still unclear whether Google will amend its privacy policy or not?” she said in a speech.

Ms Reding, who is also vice-president of the European Commission, wants far tougher laws that would introduce fines of up to 5% of the global annual turnover of a company for data breaches.

If fines are intended to change corporate behavior, they need to be large enough so that avoiding them is a smarter business strategy than simply paying them.

Posted on January 28, 2014 at 6:47 AMView Comments

"A Court Order Is an Insider Attack"

Ed Felten makes a strong argument that a court order is exactly the same thing as an insider attack:

To see why, consider two companies, which we’ll call Lavabit and Guavabit. At Lavabit, an employee, on receiving a court order, copies user data and gives it to an outside party—in this case, the government. Meanwhile, over at Guavabit, an employee, on receiving a bribe or extortion threat from a drug cartel, copies user data and gives it to an outside party—in this case, the drug cartel.

From a purely technological standpoint, these two scenarios are exactly the same: an employee copies user data and gives it to an outside party. Only two things are different: the employee’s motivation, and the destination of the data after it leaves the company. Neither of these differences is visible to the company’s technology—it can’t read the employee’s mind to learn the motivation, and it can’t tell where the data will go once it has been extracted from the company’s system. Technical measures that prevent one access scenario will unavoidably prevent the other one.

This is why designing Lavabit to be resistant to court order would have been the right thing to do, and why we should all demand systems that are designed in this way.

Also on BoingBoing.

Posted on October 17, 2013 at 12:50 PMView Comments

NSA Harvesting Contact Lists

A new Snowden document shows that the NSA is harvesting contact lists—e-mail address books, IM buddy lists, etc.—from Google, Yahoo, Microsoft, Facebook, and others.

Unlike PRISM, this unnamed program collects the data from the Internet . This is similar to how the NSA identifies Tor users. They get direct access to the Internet backbone, either through secret agreements with companies like AT&T, or surreptitiously, by doing things like tapping undersea cables. Once they have the data, they have powerful packet inspectors—code names include TUMULT, TURBULENCE, and TURMOIL—that run a bunch of different identification and copying systems. One of them, code name unknown, searches for these contact lists and copies them. Google, Yahoo, Microsoft, etc., have no idea that this is happening, nor have they consented to their data being harvested in this way.

These contact lists provide the NSA with the same sort of broad surveillance that the Verizon (and others) phone-record “metadata” collection programs provide: information about who are our friends, lovers, confidants, associates. This is incredibly intimate information, all collected without any warrant or due process. Metadata equals surveillance; always remember that.

The quantities are interesting:

During a single day last year, the NSA’s Special Source Operations branch collected 444,743 e-mail address books from Yahoo, 105,068 from Hotmail, 82,857 from Facebook, 33,697 from Gmail and 22,881 from unspecified other providers….

Note that Gmail, which uses SSL by default, provides the NSA with much less data than Yahoo, which doesn’t, despite the fact that Gmail has many more users than Yahoo does. (It’s actually kind of amazing how small that Gmail number is.) This implies that, despite BULLRUN, encryption works. Ubiquitous use of SSL can foil NSA eavesdropping. This is the same lesson we learned from the NSA’s attempts to break Tor: encryption works.

In response to this story, Yahoo has finally decided to enable SSL by default: by January 2014.

One more amusing bit: the NSA has a spam problem.

Spam has proven to be a significant problem for the NSA—clogging databases with information that holds no foreign intelligence value. The majority of all e-mails, one NSA document says, “are SPAM from ‘fake addresses and never ‘delivered’ to targets.”

The Washington Post published three NSA documents to support this article.

EDITED TO ADD: The New York Times makes this observation:

Spokesmen for the eavesdropping organizations reassured The Post that we shouldn’t bother our heads with all of this. They have “checks and balances built into our tools,” said one intelligence official.

Since the Snowden leaks began, the administration has adopted an interesting definition of that term. It used to be that “checks and balances” referred to one branch of the government checking and balancing the other branches—like the Supreme Court deciding whether laws are constitutional.

Now the N.S.A., the C.I.A. and the White House use the term to refer to a secret organization reviewing the actions it has taken and deciding in secret by itself whether they were legal and constitutional.

Posted on October 15, 2013 at 1:37 PMView Comments

1 11 12 13 14 15 31

Sidebar photo of Bruce Schneier by Joe MacInnis.