The European Court of Justice’s top legal aide has said that a 15-year-old agreement that eases the transfer of data between the EU and the US should be ended, accusing American intelligence services of conducting “mass, indiscriminate surveillance.”
The ECJ’s advocate-general, Yves Bot, said on Wednesday that the Safe Harbour agreement does not do enough to protect the private information of EU citizens once it arrives in the US, adding that it should have been suspended.
Safe Harbour allows US firms to collect data on their European customers. The system is used by Google, Facebook, and more than 4,000 other companies.
However, it also allows the NSA to use the Prism surveillance system exposed by Snowden to wade through the personal data, communication, and information held by nine internet companies.
Using Facebook as an example, Bot said that users “are not informed that their personal data will be generally accessible to the United States security agencies.”
“Such mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed by articles seven and eight of the charter [of fundamental rights of the EU],” he said, adding that European internet users have no effective judicial protection while the data transfers are happening.
Bot added that if any EU country believes that transferring data to overseas servers undermines the protection of citizens, it has the power to suspend those transfers “irrespective of the general assessment made by the [EU] commission in its decision.”
But despite allegations from Bot, Facebook has denied accusations that it provides ‘backdoor’ access to its servers.
Sally Aldous, a spokeswoman for the social media giant, said on Wednesday that the company “operates in compliance with EU Data Protection law. Like the thousands of other companies who operate data transfers across the Atlantic we await the full judgment.”
“We have repeatedly said that we do not provide ‘backdoor’ access to Facebook servers and data to intelligence agencies or governments,” she said.
Although Bot’s opinions are not binding, they are typically followed by the ECJ’s judges, who are considering a complaint about the arrangement in the wake of US surveillance revelations from former NSA contractor Edward Snowden.
The EU court’s decision is expected in the next four to six months.
The European Commission has been in talks with the US for two years, discussing ways to strengthen the Safe Harbour framework amid calls for its suspension.
Meanwhile, many US companies have praised the 2000 Safe Harbour deal, saying it helps them avoid complicated checks to transfer vital data, including payroll and human resources information.
An end to the agreement would cause a headache for US companies operating in the EU, and could also lead to divergent national approaches, lawyers said, as cited by Reuters.
It comes just six months after 27-year-old Austrian law student Max Schrems filed a complaint against Facebook, alleging the social media site was helping the NSA harvest email and other private data by forwarding European data to servers in the US.
An overzealous attorney general is trying to police online speech by capitalizing on the reams of data Google stores about its users.
James Hood, Mississippi’s attorney general, has issued a whopping 79-page subpoena to Google asking for a massive amount of data about the identities, communications, searches, and posts of people anywhere in the United States who use its services, including YouTube and Google+.
The kicker? The state is asking for all this information for anyone speaking about something “objectionable,” “offensive,” or “tangentially” related to something “dangerous,” which it defines as anything that could “lead to physical harm or injury.” You read that right. The attorney general claims that he needs information about all of this speech to investigate Google for state consumer protection violations, even though the subpoena covers such things as copyright matters and doesn’t limit itself to content involving Mississippi residents.
Earlier this year, a District Court judge froze Mississippi’s investigation into Google. The state appealed the ruling to the U.S. Court of Appeals for the 5th Circuit, where we filed a brief today against the attorney general’s attempt to violate the First Amendment rights of the millions of people who use the Internet.
The case has already gotten attention because of Google’s claims that Mississippi is attempting to censor its editorial choices, by dictating what can appear in search results or on YouTube, for example. Our brief attempts to highlight an overlooked aspect of the case – that millions of people’s rights to free speech, anonymity, and privacy are also at stake.
The government is well aware of all the personal information that’s being stockpiled online and often serves subpoenas on private companies for information about individuals and groups under investigation. But the Constitution has established protections that keep the government from getting into our business without just cause, especially when our First Amendment rights to express ourselves freely and anonymously are at stake.
Yet as we’re seeing in Mississippi, the government doesn’t always play by the rules.
We are increasingly seeing efforts by law enforcement to engage in wholesale monitoring of certain groups online. Just a couple of weeks ago, we learned the Department of Homeland Security has been scrutinizing #BlackLivesMatter for constitutionally protected activity. This kind of surveillance chills the exercise of our First Amendment freedoms, especially considering how much sensitive and important speech – like political or human rights advocacy – takes place on the Internet.
Needless to say, “objectionable,” “offensive,” or “tangentially” related to something “dangerous,” are terms that are so broad that they could encompass a huge swathe of content on the Internet – and result in information about millions of people’s online activity being handed over to the government. Virtually any topic could be said to “tangentially” lead to physical harm or injury in certain cases – from organizing protests to skydiving. Most importantly, the First Amendment protects the right to speak about dangerous, objectionable, and offensive things without fear that the government will be scrutinizing your speech or trying to find out your identity.
And let’s not assume it’s innocuous YouTube videos of skateboarding 6-year-olds, football highlight reels, or fireworks displays that the attorney general wants to waste his office’s time looking through – even though these would be covered by the subpoena. History has shown us that politically dissident and minority groups have been targeted for monitoring, and those are the groups that are most likely to be chilled from speaking. Politically active movements online, such as #BlackLivesMatter, often discuss strategy, organize protests, and post videos of police brutality (which certainly meets the attorney general’s definition of “dangerous”) online.
Not only that, but the right to online anonymity is threatened. Domestic violence support groups can provide a safe space online for victims to speak anonymously and honestly, including about the dangers of violence they face. Yet these activities could be seriously harmed if Mississippi is allowed to collect information about the people who engage in them. It’s no stretch to imagine that people will speak less freely if things like their email addresses, login times, and IP addresses could be handed to law enforcement whenever they say something that could be considered dangerous or offensive.
For these reasons, we’re asking the 5th Circuit to order the state to back off and keep the Internet a place where people can speak freely, without fear of government harassment or investigation.
Privacy activists are flooding Congress with messages of opposition to the cyber surveillance bill due to be considered by the Senate, using faxes rather than emails in order to poke fun at lawmakers’ antiquated understanding of technology and privacy.
Fight for the Future, a nonprofit fighting for privacy and against government surveillance, has set up a page dubbed “Operation: Fax Big Brother,” which lets anyone generate and customize a fax protesting the Cybersecurity Information Sharing Act (CISA). Each fax is then sent to all 100 Senators. The group has not said how many faxes have been sent so far.
CISA sailed through the Senate Intelligence Committee in March, with Oregon Democrat Ron Wyden being the sole dissenter. The Senate is expected to take up a vote on the bill before the August 7 recess. A similar proposal, known as CISPA, was approved by the House of Representatives in 2013 but died in the Senate after public opposition compelled President Barack Obama to threaten a veto.
“Groups like Fight for the Future have sent millions of emails, and they still don’t seem to get it,” Evan Greer, the group’s campaign manager, told the Guardian. “Maybe they don’t get it because they’re stuck in 1984, and we figured we’d use some 80s technology to try to get our point across.”
According to the group, since 2012 civil liberties activists have directed hundreds of thousands of calls and tweets, and over 2.6 million emails, at Congress opposing overreaching cybersecurity laws. However, the fax stunt does not just have publicity value. Lawmakers often use analog technology like faxes and pagers in order to hide their digital tracks from Freedom of Information Act (FOIA) inquiries, claims a Senate staffer who spoke to the Guardian.
Sponsored by Senator Dianne Feinstein, a California Democrat, CISA seeks to enlist the support of corporations in collecting user data in the name of cybersecurity, providing them with liability protection if they share the data with federal agencies such as the NSA. Once they have the data, federal agencies would be able to share it freely with each other. What’s more, information shared with the government by the companies will be specifically exempt from FOIA disclosures.
Gabe Rottman, a legislative counsel with the American Civil Liberties Union, described the bill as a “new and vast surveillance authority that might as well be called Patriot Act 2.0 given how much personal information it would funnel to the NSA.”
The US Chamber of Commerce and a number of major corporations are backing the bill. In addition to Facebook and Google, Comcast and AT&T also favor CISA, as do Bank of America and Blue Cross Blue Shield Association.
Proponents of CISA have cited a spree of data breaches over the past year, from corporations such as Sony and healthcare provider Anthem to government agencies including the Department of State and Office of Personnel Management (OPM), as a reason to beef up cybersecurity. Critics have countered that CISA is not doing anything to protect networks from threats, and everything to vacuum up Americans’ data.
“With all these breaches, there’s a lot of fearmongering going on in DC,” says Fight for the Future’s Greer. “They just say: ‘This is a problem – we’ve got to do something!’ And this is the something they’re going to do. It’s not just that this won’t fix things – it’ll make them worse. And it’ll give sweeping legal immunity to some of the largest companies in the world and open us all up to new forms of surveillance.”
Open source developers and privacy campaigners are raising concerns over the automatic installation of a shady “eavesdropping tool” designed to enable ‘OK Google’ functionality but potentially capable of snooping on any conversation near the computer.
When one installs an open source Chromium browser, as it turns out, it “downloads something” followed by a status report that says “Microphone: Yes” and “Audio Capture Allowed: Yes,” according to an article by Rick Falkvinge, Swedish Pirate Party founder, published on the website Privacy Online News.
While Chromium, the open source basis for Google’s browser, at least shows the code and allows users to notice it and turn it off, the same module is installed by default in Chrome, the most popular browser, used by over 300 million people.
The code was designed to enable the new “OK, Google” hot word detection, which lets the computer do things like search or create reminders in response to a human voice. Yet some users are worried that the service could be activated without their permission, eventually sending recorded data to Google. The worried users describe the Chrome Hotword Shared Module as an audio-snooping “black box”, with only the corporation that provided it fully aware of what the injected pre-compiled code is capable of.
“Without consent, Google’s code had downloaded a black box of code that – according to itself – had turned on the microphone and was actively listening to your room,” wrote Falkvinge.
“Which means that your computer had been stealth configured to send what was being said in your room to somebody else, to a private company in another country, without your consent or knowledge, an audio transmission triggered by … an unknown and unverifiable set of conditions.”
“We don’t know and can’t know what this black box does,” he added.
Google developers responded to the users’ complaints by saying: “While we do download the hot word module on startup, we do not activate it unless you opt in to hot wording.” They also underlined the fact that “Chromium is not a Google product. We do not directly distribute it, or make any guarantees with respect to compliance with various open source policies”.
However, according to Falkvinge, the default install will still “wiretap your room without your consent, unless you opt out, and more importantly, know that you need to opt out, which is nowhere a reasonable requirement.”
While the fact that the voice recognition module is always listening does not mean it transmits all the data to Google’s servers, Falkvinge argues that no one knows what other keywords could turn the feature on.
The only reliable measure against mass surveillance, according to the first Pirate Party leader, is a manual disabling of the microphone and camera on the computer with a hardware switch.
The latest voice search functions have drawn concern from privacy advocates, both because using them means sending voice recordings to company servers and because continuous recognition is needed to catch the moment a user says the ‘hot’ phrase.
Yet another report has surfaced describing how tools created by the malware-industrial complex are being deployed by U.S. security services. While the coverage surrounding this story focuses primarily on federal agencies it’s important to step back for a moment and view the big picture. In particular, looking at who builds, operates, and profits from mass surveillance technology offers insight into the nature of the global panopticon.
A report published by Privacy International as well as an article posted by Vice Motherboard clearly show that both the DEA and the United States Army have long-standing relationships with Hacking Team, an Italian company that’s notorious for selling malware to any number of unsavory characters.
Federal records indicate that the DEA and Army purchased Hacking Team’s Remote Control System (RCS) package. RCS is a rootkit, a software backdoor with lots of bells and whistles. It’s a product that facilitates a covert foothold on infected machines so intruders can quietly make off with sensitive data. The aforementioned sensitive data includes encryption keys. In fact, Hacking Team has an RCS brochure that tells potential customers:
“What you need is a way to bypass encryption, collect relevant data out of any device, and keep monitoring your targets wherever they are, even outside your monitoring domain”
[Note: Readers interested in nitty-gritty details about RCS can check out the Manuals online.]
It’s public knowledge that other federal agencies like the FBI and the CIA have become adept at foiling encryption. Yet this kind of subversion doesn’t necessarily bother high tech luminaries like Bruce Schneier, who believe that spying is “perfectly reasonable” as long as it’s targeted. Ditto that for Ed Snowden. Schneier and Snowden maintain that covert ops, shrouded by layers of official secrecy, are somehow compatible with democracy just so long as they’re narrow in scope.
But here’s the catch: RCS is designed and marketed as a means for mass collection. It violates the targeted surveillance condition. Specifically, a Hacking Team RCS brochure proudly states:
“’Remote Control System’ can monitor from a few and up to hundreds of thousands of targets. The whole system can be managed by a single easy to use interface that simplifies day by day investigation activities.”
Does this sound like a product built for targeted collection?
So there you have it. Subverting encryption en masse compliments of Hacking Team. The fact that there’s an entire industry of companies just like this should give one pause as there are unsettling ramifications regarding the specter of totalitarian control.
Corporate America is Mass Surveillance
“I really don’t think there’s any more important battle today than combating the surveillance state [my emphasis]. Ultimately, the thing that matters most is that the rights that we know we have as human beings are rights that we exercise.”
There’s a tendency to frame mass surveillance in terms of the state, as purely the product of government agencies like the CIA and NSA. The narrative preferred by the far right is one which focuses entirely on the government (the so-called “surveillance state”) as the sole culprit, completely ignoring the corporate factions that fundamentally shape political decision making.
American philosopher John Dewey once observed that “power today resides in control of the means of production, exchange, publicity, transportation and communication. Whoever owns them rules the life of the country,” even under the pretense of democratic structures.
Dewey’s observation provides a conceptual basis for understanding how business interests drive the global surveillance apparatus. Mass surveillance is a corporate endeavor because the people who inevitably drive decisions are the same ones who control the resources. For example, the backbone of the internet itself consists of infrastructure run by Tier 1 providers like Verizon and Level 3 Communications. These companies are in a perfect position to track users and that’s exactly what they do.
Furthermore, when spying is conducted, it’s usually executed, in one form or another, by business interests. Approximately 70 percent of the national intelligence budget ends up being channeled to defense contractors. Never mind that the private sector’s surveillance machinery dwarfs the NSA’s, as spying on users is an integral part of high tech’s business model. Internet companies like Google operate their services by selling user information to the data brokers. The data broker industry, for example, generates almost $200 billion a year in revenue. That’s well over twice the entire 2014 U.S. intelligence budget.
From a historical vantage point it’s imperative to realize that high tech companies are essentially the offspring of the defense industry. This holds true even today as companies like Google are heavily linked with the Pentagon. For decades (going back to the days of Crypto AG) the private sector has collaborated heavily with the NSA in its campaign of mass subversion: the drive to insert hidden back doors and weaken encryption protocols across the board. Companies have instituted “design changes” that make computers and network devices “exploitable.” It’s also been revealed that companies like Microsoft have secret agreements with U.S. security services to provide information on unpublished vulnerabilities in exchange for special benefits like access to classified intelligence.
In a nutshell: contrary to talking points that depict hi-tech companies as our saviors, they’re more often accomplices if not outright perpetrators of mass surveillance. And you can bet that CEOs will devote significant resources towards public relations campaigns aimed at obscuring this truth.
A parting observation: the current emphasis on Constitutional freedom neglects the other pillar of the Constitution: equality. Concentrating intently on liberty while eschewing the complementary notion of equality leads to the sort of ugly practices that preceded the Civil War. In fact there are those who would argue that society is currently progressing towards something worse, a reality by the way that the financial elite are well aware of. When the public’s collective misery reaches a tipping point, and people begin to mobilize, the digital panopticon of the ruling class will be leveraged to preserve social control. They’ll do what they’ve always done, tirelessly work to maintain power and impose hierarchy.
Bill Blunden is a journalist whose current areas of inquiry include information security, anti-forensics, and institutional analysis. He is the author of several books, including “The Rootkit Arsenal” and “Behold a Pale Farce: Cyberwar, Threat Inflation, and the Malware-Industrial Complex.” Bill is the lead investigator at Below Gotham Labs.
The Later Works of John Dewey, 1925-1953, Volume 9: 1933-1934, Essays, Reviews, Miscellany, and A Common Faith, Southern Illinois University Press, 2008, page 76.
Steven Levy, who specializes in massive articles looking into aspects of the tech industry, has a new one for Wired, called How the NSA Almost Killed the Internet. It basically looks at how the NSA legally coerced the tech companies into having to comply with certain court orders to hand over information, and how the tech companies have been gagged from explaining what’s going on. And then… he gets the NSA’s side of the story. Much of what’s in there is stuff that you probably already know (especially if you read Techdirt regularly), but I wanted to call out a few tidbits that I hadn’t seen or heard anywhere else before:
- Google doesn’t charge the government for requests for information:
FISA requires the government to reimburse companies for the cost of retrieving information. Google says it doesn’t bother to charge the government. But one company says it uses that clause, hoping to limit the extent of the requests. “At first, we thought we shouldn’t charge for it,” says an executive of that company. “Then we realized, it’s good—it forces them to stop and think.”
This is kind of a “damned if you do/damned if you don’t” situation. I know plenty of folks in the civil liberties community go back and forth on it. When companies do charge, then you see articles about how companies are “making a profit” off of violating our privacy. If they don’t charge, then you see arguments about how they’re making it too easy for the government to get info. Either way, the standard has been to charge basic costs, so it’s interesting to see that Google doesn’t charge at all, probably betting on the fact that if they did, it would be misrepresented. Of course, the fact that they don’t might be misrepresented as well.
- The NSA has no response to fear of future abuse of programs beyond “we’d never do that.” Seriously.
Critics charge that while there is not yet any evidence of massive abuse of the NSA’s collected data, there is also no guarantee that a future regime won’t ignore these touted protections. These officials discounted that possibility, saying that the majority of NSA employees wouldn’t stand for such a policy. “If that happened, there would be lines at the Inspector General’s office here, and at Congress as well—longer than a Disneyland line,” Ledgett says. (The fates of several NSA employees-turned-whistleblowers indicate that anyone in that hypothetical queue would be in for a ride far wilder than anything in Anaheim.)
Sure, except there’s a very long history of the NSA and the FBI doing exactly the opposite (the claim of no evidence of massive abuse is not actually true). And, as Levy notes in that final parenthetical, the way whistleblowers are treated these days would probably shorten that line quite a bit.
- Keith Alexander admits that companies were compelled to comply and admits that we should stand up for the companies not to be harmed by all of this:
“This isn’t the companies’ fault. They were compelled to do it. As a nation, we have a responsibility to stand up for the companies, both domestically and internationally. That is our nation’s best interest. We don’t want our companies to lose their economic capability and advantage. It’s for the future of our country.”
Those words could have come from a policy spokesperson for Google, Facebook, Microsoft, or Yahoo. Or one of the legislators criticizing the NSA’s tactics. Or even a civil liberties group opposing the NSA. But the source is US Army general Keith Alexander, director of the NSA. Still, even as he acknowledges that tech companies have been forced into a tough position, he insists that his programs are legal, necessary, and respectful of privacy.
This is just bizarre. If he doesn’t want the companies to lose their economic capability and advantage, maybe he shouldn’t have undermined a large portion of it.
- Companies were given about 90 minutes to respond to the (misleading) claims in the original PRISM article that they had given the NSA direct access to their servers.
“We had 90 minutes to respond,” says Facebook’s head of security, Joe Sullivan. No one at the company had ever heard of a program called Prism. And the most damning implication—that Facebook and the other companies granted the NSA direct access to their servers in order to suck up vast quantities of information—seemed outright wrong. CEO Mark Zuckerberg was taken aback by the charge and asked his executives whether it was true. Their answer: no.
Similar panicked conversations were taking place at Google, Apple, and Microsoft. “We asked around: Are there any surreptitious ways of getting information?” says Kent Walker, Google’s general counsel. “No.”
This remains one of the most unfortunate bits about the Snowden leaks. While I think that Barton Gellman, Glenn Greenwald and Laura Poitras have done an incredible job with most of their reporting, the original PRISM stories that appeared in the Washington Post and Guardian both came out rushed and were misleading, which is still impacting how people are reporting on these things today. The PRISM program and Section 702 of the FISA Amendments Act have serious issues that need exploring, but it’s all been distorted by the misleading initial claims, which implied things that just weren’t true.
- The NSA claims it uses the very same encryption that it tries to push everyone else to use. Yes, the same encryption that Snowden docs have revealed was compromised by the NSA.
And the NSA insists that, despite the implications of those Snowden-leaked documents, it does not engage in weakening encryption standards. “The same standards we recommend are the standards we use,” Ledgett says. “We would not use standards we thought were vulnerable. That would be insane.”
Sorry, but no one believes that one at all. The NSA’s well-documented takeover of NIST standards shows that it isn’t true.
- The NSA still doesn’t realize how serious all of this is. They still think it’s just been blown out of proportion.
They understand that journalism conferences routinely host sessions on protecting information from government snoops, as if we were living in some Soviet society. And they are aware that multiple security specialists in the nation’s top tech corporations now consider the US government their prime adversary.
But they do not see any of those points as a reason to stop gathering data. They chalk all of that negativity up to monumental misunderstandings triggered by a lone leaker and a hostile press.
- Patent troll Nathan Myhrvold is also completely clueless about national security:
Former Microsoft research head Nathan Myhrvold recently wrote a hair-raising treatise arguing that, considering the threat of terrorists with biology degrees who could wipe out a good portion of humanity, tough surveillance measures might not be so bad. Myhrvold calls out the tech companies for hypocrisy. They argue that the NSA should stop exploiting information in the name of national security, he says, but they are more than happy to do the same thing in pursuit of their bottom lines. “The cost is going to be lower efficiency in finding terrorist plots—and that cost means blood,” he says.
This is stupid on so many levels. First, the old argument that tech companies and the NSA making use of information are somehow equivalent — a claim that Levy ridiculously repeats multiple times in his article — is a line that has been debunked so many times it’s really beneath Levy to give it any life at all, let alone refuse to point out how stupid it is. Companies provide a direct service to users, and they make a decision: If I give this information, I get this service in return. It’s a decision made by the consumer, and a trade-off where they decide if it’s worth it. We can argue that people should have more information about the costs and benefits, but it’s still a trade-off where the final decision is their own. The NSA, on the other hand, is not providing a choice or a trade-off. They’re just taking everything in exchange for nothing. And, oh yeah, they have guns and can put you in jail — something no company can do.
Second, Myhrvold incorrectly buys completely the line that all this data collection has been helpful in stopping terrorists. There’s just one problem: there is no evidence to support that. Besides, based on his idiotic reasoning, we might as well just do away with pretty much all our rights. For example, I’m pretty sure that we could all have protected Myhrvold more completely if there were video cameras streaming video of everything he did within the privacy of his own home, cars, office or just walking around, right? We could certainly make sure that no one was attacking him or, better yet, that he wasn’t about to attack anyone. The cost of not spying on every moment of Nathan Myhrvold might mean “blood.” So, based on his own logic, we should violate his privacy, right?
All in all there’s a lot in the article that’s worth reading, but those were a few key points that really stood out.
Privacy may not be the only casualty of the National Security Agency’s massive surveillance program. Major sectors of the US economy are reporting financial damage as the recent revelations shake consumer confidence and US trade partners distance themselves from companies that may have been compromised by the NSA or, worse, are secretly collaborating with the spy agency. Members of Congress, especially those who champion America’s competitiveness in the global marketplace, should take note and rein in the NSA now if they want to stem the damage.
The Wall Street Journal recently reported that AT&T’s desired acquisition of the European company Vodafone is in danger due to the company’s well-documented involvement in the NSA’s data-collection programs. European officials said the telecommunications giant would face “intense scrutiny” in its bid to purchase a major cell phone carrier. The Journal went on to say:
“Resistance to such a deal, voiced by officials in interviews across Europe, suggests the impact of the NSA affair could extend beyond the diplomatic sphere and damage US economic interests in key markets.”
In September, analysts at Cisco Systems reported that the fallout “reached another level,” when the National Institute of Standards and Technology (NIST) told companies not to use cryptographic standards that may have been undermined by the NSA’s BULLRUN program. The Cisco analysts said that if cryptography was compromised “it would be a critical blow to trust required across the Internet and the security community.”
This forecast was proven true in mid-November, when Cisco reported a 12 percent slump in its sales in the developing world due to the NSA revelations. As the Financial Times reported, new orders fell by 25 percent in Brazil and 30 percent in Russia, and Cisco predicts its overall sales could drop by as much as 10 percent this quarter. Cisco executives were quoted saying the NSA’s activities have created “a level of uncertainty or concern” that will have a deleterious impact on a wide range of tech companies.
It is hard for civil libertarians to shed tears over AT&T losing business because of NSA spying, considering the company allowed the NSA to directly tap into its fiber optic cables to copy vast amounts of innocent Americans’ Internet traffic. AT&T was also recently revealed as having partnered with both the DEA and the CIA on separate mass surveillance programs. It is also hard to feel sorry for Cisco, which stands accused of helping China spy on dissidents and religious minorities. But the fact that the spying is hurting these major companies is indicative of the size of the problem.
This summer, European Parliament’s civil liberties committee was presented with a proposal to require every American website to place surveillance notices to EU citizens in order to force the US government to reverse course:
“The users should be made aware that the data may be subject to surveillance (under FISA 702) by the US government for any purpose which furthers US foreign policy. A consent requirement will raise EU citizen awareness and favour growth of services solely within EU jurisdiction. This will thus have economic impact on US business and increase pressure on the US government to reach a settlement.” [emphasis ours]
Meanwhile, Telenor, Norway’s largest telecom provider has reportedly halted its plans to move its customers to a US-based cloud provider. Brazil seems to be moving ahead to create its own email service and require US companies locate an office there if they wish to do business with Brazilian customers.
Laws like this mean that companies like Google “could be barred from doing business in one of the world’s most significant markets,” according to Richard Salgado, Google’s director for law enforcement and information security. Google has been warning of this as far back as July, when in FISA court documents it argued that the continued secrecy surrounding government surveillance demands would harm its business.
Many commentators have been warning about the economic ramifications for months. Princeton technologist Ed Felten, who was previously at the Federal Trade Commission, best explained why the NSA revelations could end up hurting US businesses:
“This is going to put US companies at a competitive disadvantage, because people will believe that U.S. companies lack the ability to protect their customers—and people will suspect that U.S. companies may feel compelled to lie to their customers about security.”
The fallout may worsen. One study released shortly after the first Edward Snowden leaks said the economy would lose $22 to $35 billion in the next three years. Another study by Forrester said the $35 billion estimate was too low and pegged the real loss figure around $180 billion for the US tech industry by 2016.
Much of the economic problem stems from the US government’s view that it’s open season when it comes to spying on non-U.S. persons. As Mark Zuckerberg said in September, the government’s position is “don’t worry, we’re not spying on any Americans. Wonderful, that’s really helpful for companies trying to work with people around the world.” Google’s Chief Legal Officer David Drummond echoed this sentiment last week, saying:
“The justification has been couched as ‘Don’t worry. We’re only snooping on foreigners.’ For a company like ours, where most of our business and most of our users are non-American, that’s not very helpful.”
Members of Congress who care about the US economy should take note: the companies losing their competitive edge due to NSA surveillance are mainstream economic drivers. Just as their constituents are paying attention, so are the customers who vote with their dollars. As Sen. Ron Wyden remarked last month, “If a foreign enemy was doing this much damage to the economy, people would be in the streets with pitchforks.”
Cell Phone Manufacturers Offer Carefully Worded Denials To Question Of Whether NSA Can Track Powered-Down Cell Phones
Back in July, a small but disturbing detail on the government’s cell phone tracking abilities was buried inside a larger story detailing the explosive expansion of the NSA post-9/11. Ryan Gallagher at Slate pulled this small paragraph out and highlighted it.
By September 2004, the NSA had developed a technique that was dubbed “The Find” by special operations officers. The technique, the Post reports, was used in Iraq and “enabled the agency to find cellphones even when they were turned off.” This helped identify “thousands of new targets, including members of a burgeoning al-Qaeda-sponsored insurgency in Iraq,” according to members of the special operations unit interviewed by the Post.
Ars Technica reports that some security researchers are calling this statement into question and have contacted cell phone providers for statements on the NSA’s claim. Only a few have responded at this point, and their denials have been worded very specifically.
Google had this to say:
When a mobile device running the Android Operating System is powered off, there is no part of the Operating System that remains on or emits a signal. Google has no way to turn on a device remotely.
Google may not have a way, but that doesn’t mean the NSA doesn’t.
Nokia’s response:
Our devices are designed so that when they are switched off, the radio transceivers within the devices should be powered off. We are not aware of any way they could be re-activated until the user switches the device on again. We believe that this means that the device could not be tracked in the manner suggested in the article you referenced.
Once again, we’re looking at words like “should” and “not aware.” This doesn’t necessarily suggest Nokia does know of methods government agencies could use to track phones that are off, but it doesn’t entirely rule it out either.
Samsung’s response is more interesting. While declaring that all components should be turned off when the phone is powered down, it does acknowledge that malware could trick cell phone users into believing their phone is powered down when it isn’t. Ericsson, which is no longer in the business of producing cell phones (and presumably has less to lose by being forthright), was even more expansive on the subject.
The only electronics normally remaining in operation are the crystal that keeps track of time and some functionality sensing on-button and charger connection. The modem (the cellular communication part) cannot turn on by itself. It is not powered in off-state. Power and clock distribution to the modem is controlled by the application processor in the mobile phone. The application processor only turns on if the user pushes the on-switch. There could, however, be potential risks that once the phone runs there could be means to construct malicious applications that can exploit the phone.
On the plus side, the responding manufacturers seem to be interested in ensuring a powered down phone is actually powered down, rather than just put into a “standby” or “hibernation” mode that could potentially lead to exploitation. But the implicit statement these carefully worded denials make is that anything’s possible. Not being directly “aware” of something isn’t the same thing as a denial.
Even if the odds seem very low that the NSA can track a powered down cell phone, the last few months of leaks have shown the agency has some very surprising capabilities — some of which even stunned engineers working for the companies it surreptitiously slurped data from.
Not only that, but there’s historical evidence via court cases that shows the FBI has used others’ phones as eavesdropping devices by remotely activating them and using the mic to record conversations. As was noted by c|net back in 2006, whatever the FBI utilized apparently worked even when phones were shut off.
The surveillance technique came to light in an opinion published this week by U.S. District Judge Lewis Kaplan. He ruled that the “roving bug” was legal because federal wiretapping law is broad enough to permit eavesdropping even of conversations that take place near a suspect’s cell phone.
Kaplan’s opinion said that the eavesdropping technique “functioned whether the phone was powered on or off.” Some handsets can’t be fully powered down without removing the battery; for instance, some Nokia models will wake up when turned off if an alarm is set.
While the Genovese crime family prosecution appears to be the first time a remote-eavesdropping mechanism has been used in a criminal case, the technique has been discussed in security circles for years.
Short of pulling out the battery (notably not an option in some phones), there seems to be little anyone can do to prevent the device from being tracked and/or used as a listening device. The responding companies listed above have somewhat hedged their answers to the researcher’s questions, most likely not out of any deference to government intelligence agencies, but rather to prevent looking ignorant later if (or when) subsequent leaks make these tactics public knowledge.
Any powered up cell phone performs a lot of legwork for intelligence agencies, supplying a steady stream of location and communications data. If nothing else, the leaks have proven the NSA (and to a slightly lesser extent, the FBI) has an unquenchable thirst for data. If such exploits exist (and they seem to), it would be ridiculous to believe they aren’t being used to their fullest extent.
Despite having front-door access to communications transmitted across the biggest Internet companies on Earth, the National Security Agency has been secretly tapping into the two largest online entities in the world, new leaked documents reveal.
Those documents, supplied by former NSA contractor Edward Snowden and obtained by the Washington Post, suggest that the US intelligence agency and its British counterpart have compromised data passed through the computers of Google and Yahoo, the two biggest companies in the world with regards to overall Internet traffic, and in turn allowed those countries’ governments and likely their allies access to hundreds of millions of user accounts from individuals around the world.
“From undisclosed interception points, the NSA and GCHQ are copying entire data flows across fiber-optic cables that carry information between the data centers of the Silicon Valley giants,” the Post’s Barton Gellman and Ashkan Soltani reported on Wednesday.
The document providing evidence of such was among the trove of files supplied by Mr. Snowden and is dated January 9, 2013, making it among the most recent top-secret files attributed to the 30-year-old whistleblower.
Both Google and Yahoo responded to the report, with the former’s response being the most forceful.
Google’s chief legal officer, David Drummond, said the company was “outraged” by the allegations.
“We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryption across more and more Google services and links, especially the links in the slide,” said Drummond, implying the web giant had been caught by surprise by the revelations.
“We do not provide any government, including the US government, with access to our systems. We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform.”
Yahoo likewise implied it was not actively cooperating with the NSA in granting the agency access to its data infrastructure.
“We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency,” the company said via statement.
Gen. Keith Alexander, the head of the NSA, told reporters Wednesday afternoon, “I don’t know what the report is,” according to Politico, and said his agency is “not authorized” to tap into Silicon Valley companies. When asked if the NSA tapped into the data centers, Alexander said, “Not to my knowledge.”
Earlier this year, separate documentation supplied by Mr. Snowden disclosed evidence of PRISM, an NSA-operated program that the intelligence agency conducted to target the users of Microsoft, Google, Yahoo, Facebook, PalTalk, YouTube, Skype, AOL and Apple services. When that program was disclosed by the Guardian newspaper in June, reporters there said it allowed the NSA to “collect material including search history, the content of emails, file transfers and live chats” while having direct access to the companies’ servers, at times with the “assistance of communication providers in the US.”
According to the latest leak, the NSA and Britain’s Government Communications Headquarters are conducting similar operations targeting the users of at least two of these companies, although this time under utmost secrecy.
“The infiltration is especially striking because the NSA, under a separate program known as PRISM, has front-door access to Google and Yahoo user accounts through a court-approved process,” the Post noted.
And while top-brass in the US intelligence community defended PRISM and said it did not target American Internet users, the newest program — codenamed MUSCULAR — sweeps up data pertaining to the accounts of many Americans, the Post acknowledged.
The MUSCULAR program, according to Wednesday’s leak, involves a process in which the NSA and GCHQ intercept communications overseas, where lax restrictions and oversight allow the agencies access to intelligence with ease.
“NSA documents about the effort refer directly to ‘full take,’ ‘bulk access’ and ‘high volume’ operations on Yahoo and Google networks,” the Post reported. “Such large-scale collection of Internet content would be illegal in the United States, but the operations take place overseas, where the NSA is allowed to presume that anyone using a foreign data link is a foreigner.”
To do as much, the NSA and GCHQ rely on capturing information being sent between company data centers around the globe, intercepting those bits and bytes in transit by tapping in as information is moved from the “Public Internet” to the private “clouds” operated by the likes of Google and Yahoo. Those cloud systems involve the linking of international data centers, each processing and containing huge troves of user information for potentially millions of customers. Intelligence officers who can sneak through the cracks when information is decrypted — or never encrypted in the first place — can then see the information sent in real time as well as take “a retrospective look at target activity,” according to documents seen by the Post.
“Because digital communications and cloud storage do not usually adhere to national boundaries, MUSCULAR and a previously disclosed NSA operation to collect Internet address books have amassed content and metadata on a previously unknown scale from US citizens and residents,” Barton and Soltani reported.
“Data are an essentially global commodity, and the backup processes of companies often mean that data is replicated many places across the world,” The Post’s Andrea Peterson added in a separate report. “So just because you sent an e-mail in the US, doesn’t mean it will always stay within the nation’s borders for its entire life in the cloud.”
As data goes into those facilities outside of the US, the NSA and GCHQ have more tactics to deploy in order to obtain private communications. Additionally, Yahoo has not deployed, and has no current plans to deploy, encryption technology to secure those communications, suggesting the data of its millions of users was passed in the clear through international data centers, ripe to be intercepted by the intelligence community.
“Google and Yahoo generally connect their data centers over privately owned or leased fiber-optic cables, which do not share traffic with other Internet users and companies, to enable the fastest connections and keep information secure,” Gellman added in a separate article authored alongside the Post’s Todd Linderman. “Until recently, these internal data networks were not encrypted. Google announced in September, however, that it is moving quickly to encrypt those connections. Yahoo’s data center links are not encrypted.”
“It’s an arms race,” Eric Grosse, Google’s vice president for security engineering, told the Post last month. “We see these government agencies as among the most skilled players in this game.”
After hearing of the MUSCULAR program from the Post, Google said in a statement that it was “troubled by allegations of the government intercepting traffic between our data centers, and we are not aware of this activity.”
“We have long been concerned about the possibility of this kind of snooping, which is why we continue to extend encryption across more and more Google services and links,” the company said.
“We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency,” insisted Yahoo.
Only hours before the latest Snowden leak was made public, NSA Director Keith Alexander told a Congressional panel that the illegal, unconstitutional revelations helped terrorists intent on killing Americans. Answering a question from Rep. Michele Bachmann (R-Minnesota) about the effect of the leaks on national security, Alexander and Director of National Intelligence James Clapper both said the disclosures have caused and will continue to cause major damage to the US.
At that same hearing, Alexander admitted that the NSA “compels” telecommunication companies to provide the government with user intelligence.
“Nothing that has been released has shown that we’re trying to do something illegal or unprofessional,” Alexander added.
Brazil is pushing a plan to introduce local data storage for Internet giants like Facebook and Google in order to keep the information they collect from Brazilian users safe, as part of a set of measures to counter US spying.
The new law could impact Google, Facebook, Twitter and other Internet global companies that operate in Brazil, Latin America’s biggest country and one of the world’s largest telecommunications markets.
The country’s president, Dilma Rousseff, is urging lawmakers to vote as early as this week on the law, according to Reuters who have seen the draft of the legislation.
“The government can oblige Internet service companies … to install and use centers for the storage, management and dissemination of data within the national territory,” the draft of the document read.
Rousseff’s calls come after surveillance leaks by the US in Brazil that went as far as tracking the personal phone calls and e-mails of the President herself.
Last month, Brazilian President Dilma Rousseff canceled a scheduled meeting at the White House after leaked documents showed the NSA spied on her country’s state oil company.
“We are not regulating the way information flows, just requiring that data on Brazilians be stored in Brazil so it is subject to the jurisdiction of Brazilian courts,” Rousseff spokesman Thomas Traumann said. “This has nothing to do with global communications.”
However, the companies disagree saying that the legislation will increase costs of services, and damage the economic activity connected with information.
Last week a coalition of business groups representing dozens of Internet companies including Facebook, Google, Microsoft and eBay sent a letter to Brazilian lawmakers.
“In-country data storage requirements would detrimentally impact all economic activity that depends on data flows,” the letter read, Reuters reported.
Many also warned that the law would scare companies away, while others were of the opinion that the companies would comply if left with no other option.
This week, Brazil is expected to vote on a cyber-security bill to create a state system to protect the country’s citizens from spying.
When the news on the bill emerged two weeks ago, Brazilian President Dilma Rousseff tweeted the news, stressing the need for greater security “to prevent possible espionage.”
The latest legislation project comes against a backdrop of Brazil set to host a conference next April to debate ways to guard Internet privacy from espionage.
The meeting is to be held by ICANN, the body that manages web domain names. It is thought to be neutral and includes governments, civil society and industry.
Meanwhile, BRICS companies are working to create a “new Internet”.
In particular, Brazil has been reported to be building a “BRICS cable” that will create an independent link between Brazil, South Africa, India, China and Russia, in order to bypass NSA cables and avoid spying.
The cable is set to go from the Brazilian town of Fortaleza to the Russian town of Vladivostok via Cape Town, Chennai and Shantou.
The length of the fiber-optic cable will be almost 35,000 kilometers, making it one of the most ambitious underwater telecom projects ever attempted.
Last week, most of the BRICS countries joined talks to hammer out a UN resolution that would condemn “indiscriminate” and “extra-territorial” surveillance, and ensure “independent oversight” of electronic monitoring.
Russian Foreign Minister Sergey Lavrov said that “contacts [between Moscow and Washington] never stop,” when asked if the latest publication of secret files leaked by the former National Security Agency (NSA) contractor would affect relations between Russia and the US.
Also, Lavrov made it clear that the situation surrounding Snowden is irrelevant to Russia.
“We have formulated our position on Snowden and have said everything,” he said.
Following in Facebook’s footsteps, Google will allow anything you post, like, comment on or review on Google or tied-in services to be used in product endorsement ads in future.
It means that starting Nov. 11, when Google’s new terms of service go live, all content (video, brands or products) Google+ and YouTube users publicly endorse by clicking on the “+1” or “Like” button can appear in an ad with that person’s image.
Such “shared endorsements” ads will also appear on millions of other websites that are part of Google’s display advertising network.
Google+ users will have the ability to opt out by turning the setting to “off,” but at the same time this “doesn’t change whether your Profile name or photo may be used in other places such as Google Play.”
“For users under 18, their actions won’t appear in shared endorsements in ads and certain other contexts,” the announcement on Google’s website reads.
Another way to “opt out” is simply to stop “liking,” sharing and publicly checking in.
Google’s move follows a similar change Facebook imposed in August. There it is called “sponsored stories.” It works almost exactly the same way – a recommendation made through the social network’s “like” button appears as advertising endorsement on a friend’s Facebook page.
While both companies say the service will be helpful for users, Google’s revised terms of service have again raised privacy concerns.
“It’s a huge privacy problem,” Reuters cited Marc Rotenberg, the director of online privacy group EPIC, as saying.
He has called on the US Federal Trade Commission to investigate whether the policy change violates a 2011 consent order that prohibits Google from retroactively changing users’ privacy settings.
The announcement also was harshly criticized on Google’s profile, with users expressing dismay and disappointment. Some users suggested they might pull down all their current pictures or change profile pictures.