A Tale Of Two Data Breaches. Transparency Matters
83% Of The Leading Mobile Apps Put Your Sensitive Personal Information At Risk

The FISA Court, Justice Department, XKeyscore, And Your Online Passwords

Department of Justice logoThree related items in today's post. First, a Center For Democracy and Technology article discussed a newly disclosed letter that described the relationship between the FISA Court and the Department of Justice (DOJ). The relationship is closer than one might expect, and the letter documents how the two entities collaborate.

Before applying for surveillance under FISA Court rules, the Department of Justice:

"... sends a draft of the application for FISA surveillance to a clerk at the FISA Court; the FISA Court’s clerk sends back comments; DOJ sends another draft or a final application for a surveillance order; the FISA Court clerk prepares a bench memo on the application; and the FISA Court judge on duty decides whether to authorize the surveillance based on the application, bench memo and the government’s unopposed presentation at any hearing the judge may convene. As part of this process, FISA Court clerks and DOJ lawyers have conversations daily about FISA surveillance applications, and they get together for meetings approximately weekly depending on the caseload..."

Are the skills of the DOJ staff so weak that they need help from the FISA Court to write appropriate surveillance applications? Why this level of collaboration is troublesome:

"... in the criminal context, a specific person is wiretapped to obtain evidence about a specific crime, and whether that evidence was obtained lawfully and constitutionally is tested in a fully adversarial proceeding when that person is charged with the crime. There is no such after-the-fact check on FISA surveillance. Any adversarial testing of that surveillance has to occur up front, when the FISA Court is deciding whether to authorize it."

Given this cozy collaboration, it is no surprise that the FISA Court has rejected only 11 of 33,900 requests by the DOJ since 1979. That is a rejection rate of 0.03 percent, or 0.0003. That doesn't seem like oversight to me. That seems like a rubber stamp -- and a broken one, too.

Browse the number and type of DOJ applications and FISA approvals since 1979. Read part one about how the FISA Court undermines the public's trust.

Today's second item: several news outlets reported that the U.S. government has asked Internet firms to provide them with bulk users' passwords. Internet service providers (ISPs), social networking sites (e.g., Facebook), communications websites (e.g., Skype), online stores (e.g., Amazon), and websites usually store users' passwords in an encrypted format. By requesting this information, the government would be able to access private, confidential correspondence; or even log in and impersonate users:

"A Microsoft spokesperson would not say whether the company has received such requests from the government. But when asked whether Microsoft would divulge passwords, salts, or algorithms, the spokesperson replied: "No, we don't, and we can't see a circumstance in which we would provide it." Google also declined to disclose whether it had received requests for those types of data. But a spokesperson said the company has "never" turned over a user's encrypted password... A Yahoo spokeswoman would not say whether the company had received such requests... Apple, Facebook, AOL, Verizon, AT&T, Time Warner Cable, and Comcast did not respond to queries about whether they have received requests for users' passwords and how they would respond to them... The FBI declined to comment."

This is the government surveillance agencies (e.g., NSA, FBI) collecting information about everyone, and what everyone does online -- regardless of whether you have committed a crime or not. This troubles me greatly, and I hope that it troubles you, too. Just because you encrypt your online information, or use an online encryption service (e.g., VPN) does not make one suspicious. There are lots of reasons to encrypt your online activity. Example: it is wise data security to use a VPN and encrypt your online sessions when connected at a public WiFi hotspot. Example: a user experience and information architecture consultant, I have to protect my clients' sensitive assets.

This is not small government. This broad, encompassing data collection is an over-reach by our government: to collect all online data about everyone without limiting their data collection to people who have committed crimes, or to persons under suspicion of criminal activity with clearly articulated, valid, bounded, court approved orders.

Today's third item: the Guardian UK reported about another US government surveillance program:

"A top secret National Security Agency program allows analysts to search with no prior authorization through vast databases containing emails, online chats and the browsing histories of millions of individuals... The NSA boasts in training materials that the program, called XKeyscore, is its "widest-reaching" system for developing intelligence from the internet."

National Security Agency logo Reportedly, all an NSA analyst needs is a person's email address to search data collected by Xkeyscore:

"... training materials for XKeyscore detail how analysts can use it and other systems to mine enormous agency databases by filling in a simple on-screen form giving only a broad justification for the search. The request is not reviewed by a court or any NSA personnel before it is processed..."

This XKeyscore system seems ripe for abuse. Looking at all three items, we have a secret court, secret laws, secret processes, and secret operations. On top of all this secrecy, our elected officials in U.S. Congress knew about it, voted for it, and did not inform the public whom they took an oath to serve.

Overall, there are two over-arching issues:

  1. Trust
  2. 4th Amendment of the U.S. Constitution

It is impossible for "We, the People" to hold accountable a secret court with secret laws and secret processes. Also, lies break the public's trust. When a government fails to honestly, accurately, and fully inform the voting public (e.g., We, the People) about secret courts, laws, processes, and processes, it breaks the public's trust. Perhaps more importantly, a government can't simply ignore or walk away from the Fourth Amendment of the U.S. Constitution:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

Write to your elected officials today. Learn more about government surveillance programs.


Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.