A US government task force is drafting FBI-backed legislation that would penalize companies like Google and Facebook for refusing to comply with wiretap orders, media report.
In the new legislation being drafted by US law enforcement officials, refusal to cooperate with the FBI could cost a tech company tens of thousands of dollars in fines, the Washington Post quoted anonymous sources as saying.
The fined company would be given 90 days to comply with wiretap orders. If the organization is unable or unwilling to turn over the communications requested by the wiretap, the penalty sum would double every day.
“We don’t have the ability to go to court and say, ‘We need a court order to effectuate the intercept.’ Other countries have that. Most people assume that’s what you’re getting when you go to a court,” FBI general counsel Andrew Weissmann told the Washington Post.
If passed in Congress and signed by President Obama, the bill could become a provision of the 1968 Wiretap Act, requiring companies to develop mechanisms for obtaining information requested by government investigators.
However, many companies maintain that their resistance to this and similar measures has nothing to do with an unwillingness to help investigators. Google began encrypting its email service following a major hacking attack in 2010; developing wiretap technology could make it and other companies vulnerable, creating “a way for someone to silently go in and activate a wiretap,” said Susan Landau, a former engineer at Sun Microsystems.
The proposed expansion of wiretaps into the digital frontier is the latest in a series of US government efforts to monitor online communications.
The recent Boston Marathon bombings were used by some members of Congress as a reason to push through the highly controversial Cyber Intelligence Sharing and Protection Act (CISPA), which was passed by the lower house. If CISPA is signed into law, telecommunication companies will be encouraged to share Internet data with the Departments of Homeland Security and Justice for national security purposes.
Tech companies, including giants like Facebook and Microsoft, have objected fiercely to the bill, citing customers’ privacy concerns. The bill is currently shelved in the Senate following President Obama’s threat to veto CISPA due to a lack of personal privacy provisions.
Earlier in April, the FBI requested an additional $41 million from the federal government for the recording and analysis of Internet communication.
The Electronic Privacy Information Center also recently obtained over 1,000 pages of documents proving that the Pentagon has secretly eavesdropped on Internet traffic for several years.
“Senior Obama administration officials have secretly authorized the interception of communications carried on portions of networks operated by AT&T and other Internet service providers, a practice that might otherwise be illegal under federal wiretapping laws,” CNET reporter Declan McCullagh wrote.
When one conspires to violate federal law, it helps to have a government agency or two as one’s co-conspirators when law enforcement comes poking around, as telecom giant AT&T and others learned recently when the Defense Department (DOD) and the Department of Homeland Security (DHS) successfully pressured the Justice Department (DOJ) to agree secretly not to prosecute blatantly illegal wiretaps conducted by AT&T and other Internet service providers at the request of the agencies.
Although some press reports have termed this an authorization of activity that would otherwise be illegal, this is a misnomer. The executive branch lacks the power to retroactively declare criminal conduct to be lawful, but it can choose to ignore it by waiving prosecution pursuant to “prosecutorial discretion.”
Although the secret DOJ prosecution waiver initially applied to a cyber-security pilot project—the DIB Cyber Pilot—that allowed the military to monitor defense contractors’ Internet links, the program has since been renamed Enhanced Cybersecurity Services and is being expanded by President Obama to allow the government to snoop on the private networks of all companies operating in “critical infrastructure sectors,” including energy, healthcare, and finance starting June 12.
“The Justice Department is helping private companies evade federal wiretap laws,” warned Marc Rotenberg, executive director of the Electronic Privacy Information Center, which obtained more than 1,000 pages of government documents relating to the issue via a Freedom of Information Act request. “Alarm bells should be going off.”
The wiretap law referenced by Rotenberg is the Wiretap Act, codified at 18 USC 2511, which makes it a crime for a network operator to intercept communications carried on its networks unless the monitoring is a “necessary incident” to providing the service or it occurs with a user’s “lawful consent.” Since neither of those exceptions applied, DOD and DHS pressed DOJ attorneys to agree not to prosecute what were clearly prosecutable offenses by issuing an unknown number of “2511 letters,” which are normally used by DOJ to tell a company that its conduct fit within one of the lawful exceptions to the Act.
The purported “retroactive authorization” is similar to the “retroactive immunity” given the telecoms by Congress for their participation in illegal wiretapping and eavesdropping between 2001 and 2006. Likewise, former DHS official Paul Rosenzweig compared the case of the “2511 letters” to the CIA asking the Justice Department for legal memos justifying torture a decade ago. “If you think of it poorly, it’s a CYA [“cover your ass”] function,” Rosenzweig says. “If you think well of it, it’s an effort to secure advance authorization for an action that may not be clearly legal.” Or may be clearly illegal.
In any event, Obama’s own expansion by mid-June of the snooping “to all critical infrastructure sectors,” defined as companies providing services whose disruption would harm national economic security or “national public health or safety,” will proceed.
Scared that CISPA might pass? The federal government is already using a secretive cybersecurity program to monitor online traffic and enforce CISPA-like data sharing between Internet service providers and the Department of Defense.
The Electronic Privacy Information Center has obtained over 1,000 pages of documents pertaining to the United States government’s use of a cybersecurity program after filing a Freedom of Information Act request, and CNET reporter Declan McCullagh says those pages show how the Pentagon has secretly helped push for increased Internet surveillance.
“Senior Obama administration officials have secretly authorized the interception of communications carried on portions of networks operated by AT&T and other Internet service providers, a practice that might otherwise be illegal under federal wiretapping laws,” McCullagh writes.
That practice, McCullagh recalls, was first revealed when Deputy Secretary of Defense William Lynn disclosed the existence of the Defense Industrial Base (DIB) Cyber Pilot in June 2011. At the time, the Pentagon said the program would allow the government to help the defense industry safeguard the information on their computer systems by sharing classified threat information between the Department of Defense, the Department of Homeland Security and the Internet service providers (ISPs) that keep government contractors online.
“Our defense industrial base is critical to our military effectiveness. Their networks hold valuable information about our weapons systems and their capabilities,” Lynn said. “The theft of design data and engineering information from within these networks greatly undermines the technological edge we hold over potential adversaries.”
Just last week the US House of Representatives voted in favor of the Cyber Intelligence Sharing and Protection Act, or CISPA — legislation that would allow ISPs and private Internet companies across the country like Facebook and Google to share similar threat data with the federal government without being held liable for violating their customers’ privacy. As it turns out, however, the DIB Cyber Pilot has expanded exponentially in recent months, suggesting that a significant chunk of Internet traffic is already subjected to governmental monitoring.
In May 2012, less than a year after the pilot was first unveiled, the Defense Department announced the expansion of the DIB program. Then this past January, McCullagh says it was renamed the Enhanced Cybersecurity Services (ECS) and opened up to a larger number of companies — not just DoD contractors. An executive order signed by US President Barack Obama earlier this year will let all critical infrastructure companies sign on to ECS this June, likely in turn bringing on board entities in energy, healthcare, communication and finance.
Although the 1,000-plus pages obtained in the FOIA request haven’t been posted in full on the Web just yet, a sampling of that trove published by EPIC on Wednesday starts to show just exactly how severe the Pentagon’s efforts to eavesdrop on Web traffic have been.
In one document, a December 2011 slideshow on the legal policies and practices regarding the monitoring of Web traffic on DIB-linked systems, the Pentagon instructs the administrators of those third-party computer networks on how to implement the program and, as a result, erode their customers’ expectation of privacy.
In one slide, the Pentagon explains to ISPs and other system administrators how to be clear in letting their customers know that their traffic was being fed to the government. Among the key elements to keep in mind, wrote the Defense Department, was that DIB “expressly covers monitoring of data and communications in transit rather than just accessing data at rest.”
“[T]hat information transiting or stored on the system may be disclosed for any purpose, including to the government,” it continued. Companies participating in the pilot program were told to let users know that monitoring would exist “for any purpose,” and that users have no expectation of privacy regarding communications or data stored on the system.
According to the 2011 press release on the DIB Cyber Pilot, “the government will not monitor, intercept or store any private-sector communications through the program.” In a privacy impact assessment of the ECS program that was published in January by the DHS, though, it’s revealed that not only is information monitored, but among the data collected by investigators could be personally identifiable information, including the header info from suspicious emails. That would mean the government sees and stores who you communicate with and what kind of subject lines are used during correspondence.
The DHS says that personally identifiable information could be retained if “analytically relevant to understanding the cyber threat” in question.
Meanwhile, the lawmakers in Congress that overwhelmingly approved CISPA just last week could arguably use a refresher in what constitutes a cyberthreat. Rep. Michael McCaul (R-Texas) told his colleagues on the Hill that “Recent events in Boston demonstrate that we have to come together as Republicans and Democrats to get this done,” and Rep. Dan Maffei (D-New York) made unfounded claims during Thursday’s debate that the whistleblowing website WikiLeaks is pursuing efforts to “hack into our nation’s power grid.”
Should CISPA be signed into law, telecommunication companies will be encouraged to share Internet data with the DHS and Department of Justice for so-called national security purposes. But even if the president pursues a veto as his advisers have suggested, McCullagh says few will be safe from this secretive cybersecurity operation already in place.
The tome of FOIA pages, McCullagh says, shows that the Justice Department has actively assisted telecoms as of late by letting them off the hook for Wiretap Act violations. Since the sharing of data between ISPs and the government under the DIB program and now ECS violates federal statute, the Justice Department has reportedly issued an undeterminable number of “2511 letters” to telecoms: essentially written approval to ignore provisions of the Wiretap Act in exchange for immunity.
“The Justice Department is helping private companies evade federal wiretap laws,” EPIC Executive Director Marc Rotenberg tells CNET. “Alarm bells should be going off.”
In an internal Justice Department email cited by McCullagh, Associate Deputy Attorney General James Baker is alleged to write that ISPs will likely request 2511 letters and the ECS-participating companies “would be required to change their banners to reference government monitoring.”
“These agencies are clearly seeking authority to receive a large amount of information, including personal information, from private Internet networks,” EPIC staff attorney Amie Stepanovich adds to CNET. “If this program was broadly deployed, it would raise serious questions about government cybersecurity practices.”
According to a new report published by Global Industry Analysts, Inc., the President and CEO of biometrics firm SmartMetric posits that the industry will be worth $10 billion by 2018.
SmartMetric, of course, “stands to capitalize significantly on this very large and fast growing market,” so perhaps that projection should be taken with a grain of salt.
But specific figures aside, the industry is undoubtedly booming, and in large part due to US military and law enforcement biometrics programs.
The FBI’s Next Generation Identification biometrics effort, housed in the Center for Biometric Excellence at the FBI-DoD operated Biometrics Technology Center, is the largest domestic operation. Local law enforcement are increasingly also using advanced biometric monitoring equipment, including face recognition and iris scanners.
WASHINGTON – The FBI refuses to provide information on a massive biometric identification database that can identify noncriminal civilians through iris scans, DNA, and facial and voice recognition, a watchdog claims in court.
The Electronic Privacy Information Center, or EPIC, sued the FBI in Federal Court, claiming that the bureau identified more than 7,000 pages of responsive records, but won’t release them.
EPIC claims the FBI began posting details on its website about its biometric identification system, known as Next Generation Identification (NGI), in 2009.
“When completed, the NGI system will be the largest biometric database in the world,” EPIC says in its complaint. “The vast majority of records contained in the NGI database will be of U.S. citizens.”
EPIC claims the NGI system will be able to identify people through fingerprints, iris scans, DNA profiles, voice identification profiles, palm prints and photographs, and through facial recognition.
“The NGI database will include photographic images of millions of individuals who are neither criminals nor suspects,” the complaint states.
The Department of Homeland Security has spent “hundreds of millions of dollars” on the system, and wants to integrate it into state and local surveillance systems that may use other surveillance technology, giving the government the capability of real-time matching of live feeds from surveillance cameras, EPIC claims.
There are an estimated 30 million surveillance cameras in the United States, but not all of them will be used for law enforcement purposes, EPIC says in the complaint.
It claims private entities will also have access to the system.
EPIC claims the Orwellian system already is up and running in New York City, where police have been scanning irises of arrestees since 2010 and using a handheld device that “allows officers patrolling the streets to scan irises and faces of individuals and match them against biometric databases.”
At least 11 other states participate in the program: Arizona, Hawaii, Kansas, Maryland, Michigan, Missouri, Nebraska, New Mexico, Ohio, South Carolina and Tennessee, according to the complaint.
EPIC claims it submitted two FOIA requests in 2012, seeking records on the FBI’s contracts with private contractors Lockheed Martin, IBM, Accenture, BAE Systems Information Technology, Global Science & Technology, Innovation Management & Technology Services, Platinum Solutions, the National Center for State Courts, and any other entities involved with the program.
The FBI said it found 7,380 pages of potentially responsive records but has failed to disclose a single agency record, the complaint states.
EPIC wants to see the records, and wants its FOIA fees waived.
San Francisco – The Electronic Frontier Foundation (EFF) urged the National Highway Traffic Safety Administration (NHTSA) today to include strict privacy protections for data collected by vehicle “black boxes” to protect drivers from long-term tracking as well as the misuse of their information.
Black boxes, more formally called event data recorders (EDRs), can serve a valuable forensic function for accident investigations, because they can capture information like vehicle speed before the crash, whether the brake was activated, whether the seat belt was buckled, and whether the airbag deployed. NHTSA is proposing the mandatory inclusion of black boxes in all new cars and light trucks sold in America. But while the proposed rules would require the collection of data in at least the last few seconds before a crash, they don’t block the long-term monitoring of driver behavior or the ongoing capture of much more private information like audio, video, or vehicle location.
“The NHTSA’s proposed rules fail to address driver privacy in any meaningful way,” said EFF Staff Attorney Nate Cardozo. “These regulations must include more than minimum requirements of what should be collected and stored – they need a reasonable maximum requirement as well.”
The current NHTSA proposal mandates a boilerplate notice to consumers that “various systems” are being monitored. The plan also calls for a commercial tool to be made available to allow user access to black box data. In its comments submitted to the NHTSA today, EFF calls for complete and comprehensive disclosure of data collection as well as a free and open standard to access black box information.
“The information collected by EDRs is private and must remain private until the car owner consents to its use,” said Cardozo. “Consumers deserve full disclosure of what is being collected, when, and how, as well as an easy and free way of accessing this data on their own. Having to buy access to your own data is not reasonable.”
In addition to submitting its own comments to the NHTSA today, EFF also joined the Electronic Privacy Information Center and a broad coalition of privacy, consumer rights, and civil rights organizations in comments urging the NHTSA to adopt specific, privacy-protecting amendments to its proposed rules.
Even on dry land, Americans should fear the stingray. Not the flat cartilaginous fishes related to sharks, but the secret government surveillance device that not only tracks suspected criminals but also intercepts the private information of law-abiding citizens who happen to be nearby. Now, because of a Freedom of Information Act (FOIA) request and lawsuit brought by the Electronic Privacy Information Center (EPIC) against the FBI, the government is slowly releasing thousands of relevant documents that are already raising alarms among privacy and civil liberties advocates.
The stingray came to public notice in 2011 when the FBI used a “cell-site simulator” to track down a suspect. This portable device, also called an “IMSI catcher” or a “stingray,” sends out a signal that fools nearby wireless phones into connecting with a fake network. It can then capture all sorts of personal data from all of those phones, including location data that can then be used to track a person’s movements in real time. A stingray can be handheld or mounted on a motor vehicle or an unmanned surveillance drone.
As the FBI has admitted to EPIC, because the stingray fools all nearby wireless phones into connecting with its bogus network and uploading private data to it, its use would constitute a “search and seizure” under the Fourth Amendment to the Constitution and thus require a warrant. However, because the FBI argues that wireless phone users have no reasonable expectation of privacy, the agency says it does not need a warrant. The Supreme Court has not yet ruled on the privacy of cell phone calls.
In addition to (probably) violating the constitution, the use of stingrays is also prohibited by federal law. Although heavily redacted, the files reluctantly released by the FBI reveal snippets of internal Justice Department discussions of how to justify use of the stingray as compliant with the provisions of the Communications Act that prohibit “interference” with communication signals like those of wireless phones.
These documents demonstrate, according to EPIC attorney Alan Butler, that “there are clearly concerns, even within the agency, that the use of Stingray technology might be inconsistent with current regulations. I don’t know how the DOJ justifies the use of Stingrays given the limitations of the Communications Act prohibition.”
Nor is it just the FBI. According to a recent report, local police are “quietly” using stingrays in Los Angeles, Miami, Fort Worth, and Gilbert, Arizona. And likely other places, as well.
Homeland Security claimed it had “dropped the plans at an early stage”
Newly released documents clearly show that the Homeland Security Department continued to pursue a mobile surveillance program, moving radiation-firing body scanners out of airports and into streets and shopping malls, despite claiming it had dropped the plans altogether.
The Electronic Privacy Information Center (EPIC) yesterday released the documents, obtained under the Freedom of Information Act, showing that the DHS was still operating the program in March 2011, just two days prior to claiming it had “dropped the projects in a very early phase after testing showed flaws”.
Previous EPIC FOIA work produced records showing that the DHS is actively moving to install radiation-firing scanners in all manner of public places.
The technologies include “intelligent video,” backscatter x-ray, Millimeter Wave Radar, and Terahertz Wave, and could be deployed at subway platforms, sidewalks, sports arenas, and shopping malls.
EPIC filed a specific lawsuit against the DHS for attempting to keep the program secret.
EPIC’s suit asked a federal court to order disclosure of nearly 1,000 pages of additional records detailing the controversial program – records the agency repeatedly refused to make public, despite freedom of information requests and appeals over the course of several months.
The lawsuit points to an agency under the DHS umbrella, the Science and Technology Directorate, which has released only 15 full pages of documents on the mobile scanners, whilst heavily redacting another 158 pages and withholding 983 pages of documents.
In February 2011, EPIC discovered that the DHS had paid contractors “millions of dollars on mobile body scanner technology that could be used at railways, stadiums, and elsewhere” on crowds of moving people.
According to the documents obtained by EPIC, the Transport Security Agency plans to expand the use of these systems to peer under clothes and inside bags away from airports.
The documents included a “Surface Transportation Security Priority Assessment” which revealed details of conducting risk assessments and possible implementation of body scanners in “Mass transit, commuter and long-distance passenger rail, freight rail, commercial vehicles (including intercity buses), and pipelines, and related infrastructure (including roads and highways), that are within the territory of the United States.”
The DHS maintained that it had discontinued the program, but refused to provide the proof, invoking several FOIA exemption clauses, ironically including one that cited “invasion of personal privacy”.
EPIC also noted that the DHS has actively deployed “mobile body scanner technology in vans that are able to scan other vehicles while driving down public roadways.”
“These vans, known as ‘Z Backscatter Vans,’ are capable of seeing through vehicles and clothing and routinely store the images that they generate,” EPIC’s lawsuit notes.
As we previously reported, while the focus remained on the TSA’s use of naked body scanners at airports, the feds had already purchased hundreds of x-ray scanners mounted in vans that were being used to randomly scan vehicles, passengers and homes in complete violation of the 4th amendment and with wanton disregard for any health consequences.
WSBTV reported on one instance of the mobile scanners being used to check trucks for explosive devices at an internal checkpoint set up by Homeland Security, the Department of Transportation, and the TSA. Officials admitted there was no specific threat that justified the checkpoint, and although it was labeled a “counter-terror operation,” the scans were also being conducted in the name of “safety”.
EPIC will continue to pursue the case in an attempt to discover whether the DHS still plans to roll out mobile body scanners across America.
Earlier this month, on a Friday evening after most of the White House press corps had gone home, President Obama gave himself the power to take over, or shut down, all of the nation’s communications systems – including the Internet. The executive order is supposedly designed to preserve “survivable, resilient, enduring” and effective communications so that the government can speak to the people in the event of some emergency. But what he has authorized is the imposition of total silence except for the sound of his own voice.
Clearly, in a legitimate emergency, the government needs ways to communicate – but that does not require a monopoly. So, why is Obama giving himself – and any president that follows him into the Oval Office – a total communications on-and-off switch?
The administration claims it is authorized to bring all communications under its control by the 1934 Communications Act, which allows the takeover of broadcast stations and other wireless media if there exists a state of war, or the threat of war. Back then, of course, the public was fairly sure that they knew what “war” was: Congresses declared it. The “threat” of war was pretty self-evident, too: it was when other nations were threatening to attack the United States, or vice-versa.
However, we are now in what both Presidents Bush and Obama have made clear is a perpetual war, a war that is not defined by any legal norms or foundational statutes, a war against whoever the president decides is the enemy – which can include American citizens. Both of these War Presidents have told us in multitudinous ways that we are on a war footing – and have not been off it since 9/11, and will not be on any other kind of footing until some future president gives the “all clear” sign.
Obama’s executive order has nothing to do with getting out an effective distress call to the nation during a crisis. The “emergency” he has in mind is a State of Emergency – martial law. He is methodically preparing the infrastructure for a police state. Obama already has in place his preventive detention legislation, which he signed into law in the news-less hours of last New Year’s Eve. It empowers the president to lock up whomever he chooses, without charges or trial, and to keep them for as long as the executive sees fit. Based on the near-limitless powers Obama already claims to possess, he can also kill such enemies of the state if that is in the interests of national security in this time of war. There is nothing that he recognizes as law that says he can’t take such drastic executive action against thousands, or tens of thousands of Americans in one sweep.
And now, with his new executive order, if the president finds it convenient, he can take over the national communications network – down to the last, feeble Internet voice – to explain why it was necessary for all those people to disappear.
Or maybe he’ll say nothing at all. And nobody else will dare to say anything, either.
BAR executive editor Glen Ford can be contacted at Glen.Ford@BlackAgendaReport.com.
The Department of Homeland Security (DHS) has been paying a defense contractor $11.4 million to monitor social media websites and other Internet communications to find criticisms of the department’s policies and actions.
A government watchdog organization, the Electronic Privacy Information Center (EPIC), obtained hundreds of documents from DHS through the Freedom of Information Act and found details of the arrangement with General Dynamics. The company was contracted to monitor the Web for “reports that reflect adversely on DHS,” including sub-agencies like the Federal Emergency Management Agency, Citizenship and Immigration Services, Customs and Border Protection and Immigration and Customs Enforcement.
In testimony submitted to the House Subcommittee on Counterterrorism and Intelligence, Ginger McCall, director of EPIC’s Open Government Project, stated that “the agency is monitoring constantly, under very broad search terms, and is not limiting that monitoring to events or activities related to natural disasters, acts of terrorism, or manmade disasters….The DHS has no legal authority to engage in this monitoring.”
McCall added: “This has a profound effect on free speech online if you feel like a government law enforcement agency—particularly the Department of Homeland Security, which is supposed to look for terrorists—is monitoring your criticism, your dissent, of the government.”