110 posts categorized "Surveillance"

John Oliver's Awesome Fake Apple Ad About Encryption, Privacy And iPhones

With the ongoing legal battle about encryption between Apple and the Federal Bureau of Investigation (FBI), John Oliver, the host of the "Last Week Tonight" show, presented a satirical advertisement for Apple to help consumers understand encryption. The segment is worth watching.

First, some background. The FBI used a 227-year-old law to force Apple to build a "back door" into an iPhone used by one of the San Bernardino attackers, who killed 14 persons. The FBI believes that there may be information on that phone that could lead to other persons involved. Apple has appealed the court decision, citing several security and privacy issues. The back doors, really software, can be stolen and/or modified to make all iPhones vulnerable.

Legal experts warned that the 227-year-old All Writs Act is too broad, and Congress should act to clarify the law. Since then, we've learned that the FBI made access to the phone more difficult after a failed attempt to hack the attacker's iCloud account. Experts also warned that if Apple is forced to build a back door, there may be unintended consequences, including tech companies moving their operations and jobs offshore to avoid heavy-handed government surveillance and intrusions. And, if the government weakens encryption and security in products made by U.S. tech companies, then users (both good guys and bad guys) will simply shop elsewhere since many security products are already made abroad.

This week, we learned that Apple said the government is lying when it claimed that the company produced advertisements stating that encryption keeps out law enforcement. No doubt, there will be more disclosures and revelations. This latest claim makes the fake ad even more timely. No doubt, the final outcome of the Apple versus FBI court case will affect everyone.

The entire 18-minute segment is a good, funny, entertaining primer about encryption. The about-face by technophobe and U.S. Senator Lindsey Graham (R-South Carolina) is priceless. The fake ad appears in the last two minutes:


Apple News: eBook Price Fixing, Brooklyn, And San Bernardino

Apple, Inc. has been in the news a lot recently. So, it can be a little confusing to keep track of events. Below is a brief summary of three separate court cases.

First, the U.S. Supreme Court (SCOTUS) declined to hear an appeal by the tech giant about ebook price-fixing with book publishers. The U.S. Justice Department had sued Apple and several book publishers in April 2012. A lower court decision in 2013 found Apple guilty. Since the SCOTUS declined to hear the appeal, the lower court decision stands, and Apple must pay a $450 million class-action settlement. Fortune Magazine reported:

"The publishers—Hachette, Penguin, Simon & Schuster, HarperCollins and Macmillan—promptly settled the case, but Apple chose to fight the charges in court. This led to a highly publicized trial in which U.S. District Judge Denise Cote issued a lengthy ruling that Apple had clearly violated Section 1 of the Sherman Act... The price-fixing case, which transfixed the publishing industry, began in 2010 when Apple’s late CEO, Steve Jobs, persuaded five major publishers to sell books on the iPod. Under the arrangement, which was designed to wrest pricing power from Amazon, the publishers shifted to a so-called “agency pricing” model in which they set the price and passed along a commission to Apple."

Second, in California, Apple has appealed a lower court's decision forcing it to unlock an iPhone (running iOS 9) used by one of the San Bernardino attackers. A decision in that appeal is pending. The Federal Bureau of Investigation (FBI) admitted during testimony before Congress that it had erred when it reset the associated iCloud password, making it more difficult to access the attacker's iPhone.

Third, a court in Brooklyn (New York) ruled late in February that Apple did not have to unlock a Brooklyn drug dealer's iPhone running the iOS 7 operating system. The tech giant had initially agreed to unlock the phone, but then declined when the court demanded more information before issuing a search warrant. Bloomberg Business reported:

"When the government first contacted Apple about the drug dealer’s phone, an Apple “data extraction specialist” said it could find data on pre-iOS 8 phones after receiving a search warrant. The next day, the government sought a warrant from [Judge] Orenstein..."

Prosecutors have used the All Writs Act in both the Brooklyn and San Bernardino cases. Bloomberg Business reported that prosecutors in the Brooklyn case argued:

That Apple routinely extracted data from such devices shows the government’s request is not “burdensome” and doesn’t violate the All Writs Act, a 1789 law that prosecutors used to demand that Apple help access data on locked phones, the U.S. said. In refusing the government, Orenstein sided with the company’s claim that prosecutors were taking the law too far. He said Congress should resolve the issue. In their appeal, prosecutors said the All Writs Act authorizes courts to issue such warrants and that Orenstein’s “analysis goes far afield of the circumstances of this case and sets forth an unprecedented limitation of federal courts’ authority.”

Bloomberg Business also reported:

"Apple helped the government access data on at least 70 iPhones before it stopped cooperating, according to prosecutors. For phones using older operating systems, the company can extract data from locked devices at its headquarters, according to a guide it produced for law enforcement..."


Apple vs. FBI: "Extraordinary" Government Actions May Cause U.S. Companies To Move Offshore

There may be unintended consequences if the Federal Bureau of Investigation (FBI) is successful in forcing Apple, Inc. to build back doors into its iPhones. What might some of those unintended consequences be? TechCrunch reported that Lavabit filed an amicus brief supporting Apple. Never heard of Lavabit? Forgot about Lavabit? You may remember:

"... Lavabit, a technology company that previously judged it necessary to shutter its own service after receiving similarly “extraordinary” government demands for assistance to access user data, in the wake of the 2013 disclosures by NSA whistleblower Edward Snowden... the FBI sought the private encryption key used by Lavabit to protect the Secure Socket Layer (“SSL”) and Transport Layer Security (“TLS”) connections to their servers. With the SSL/TLS private key in hand, the FBI would be able to impersonate Lavabit on the Internet. This would allow them to intercept, decrypt, inspect, and modify (either with intent, or by accident) all of the connections between Lavabit and the outside world..."

In its brief, Lavabit argues that by being forced to build back doors into its devices, not only would Apple's brand be tarnished, but the ability of iPhone users to receive reliable and secure operating-system security updates would be degraded. Some updates might include malware. If users' trust decreases and they choose to stop receiving security updates, then their devices become more vulnerable than otherwise. That's not good. And, if people blame government for starting this security mess, then that's not good either since it would erode trust in government.

Would companies relocate out of the United States due to privacy and surveillance concerns? Consider:

"... Silent Circle, moved its global headquarters from the Caribbean to Switzerland back in May 2014 — citing the latter’s “strong privacy laws” as one of the reasons to headquarter its business in Europe. Various other pro-encryption startups, including ProtonMail and Tutanota, have also chosen to locate their businesses in countries in Europe that have a reputation for protecting privacy."

Plus, there are money concerns. Since 1982, at least 51 companies completed tax inversions: moved their headquarters (and sometimes some employees) out of the United States to another country to enjoy lower taxes. So, Burger King is now a Canadian company. Pfizer is now an Irish company. And, lower tax payments by companies make government deficits (federal, state, local) worse. The bottom line: profitability matters. When companies suffer lower profitability -- as tarnished brands often do -- their executives take actions to improve profits. It's what they do.

Want to learn more about Lavabit? At about the two-thirds mark in the film "CitizenFour," Lavabit founder Ladar Levison shares some of his experiences.


Why The FBI Can't Access The San Bernardino Attacker's iPhone

On Tuesday, the head of the Federal Bureau of Investigation (FBI) admitted during House Judiciary Committee hearings that his agency lost an opportunity to access the San Bernardino attacker's iPhone when it reset the password to the iCloud account associated with the phone. The New York Times reported:

"There was a mistake made in the 24 hours after the attack,” James B. Comey Jr., the director of the F.B.I., told lawmakers at a hearing on the government’s attempt to force Apple to help “unlock” the iPhone. F.B.I. personnel apparently believed that by resetting the iCloud password, they could get access to information stored on the iPhone. Instead, the change had the opposite effect — locking them out and eliminating other means of getting in."

A Federal Court judge had ruled last month in favor of the FBI, and ordered Apple to develop the software to unlock the attacker's phone. Apple is appealing the ruling. FBI officials have claimed that the phone may contain information about what the attacker and his wife did before the attack, and who they communicated with. More details emerged during the hearing:

"When the dispute over Mr. Farook’s iPhone erupted two weeks ago, the Justice Department blamed technicians at San Bernardino County, which employed Mr. Farook as an environmental health specialist and which owned the phone he used. But county officials said their technicians had changed the password only “at the F.B.I.’s request.” Mr. Comey acknowledged at the hearing that the F.B.I. had directed the county to change the password."

Bruce Sewell, the general counsel at Apple, also spoke at the hearing on Tuesday. He warned:

"... the F.B.I.’s demand for technical help to unlock Mr. Farook’s iPhone 5c “would set a dangerous precedent for government intrusion on the privacy and safety of its citizens.” Apple has said that in many cases investigators have other means to gain access to crucial information, and in some instances it has turned over data stored in iCloud."

Mr. Sewell also said:

"... before F.B.I. officials ordered the password reset, Apple first wanted them to try to connect the phone to a “known” Wi-Fi connection that Mr. Farook had used. Doing so might have recovered information saved to the phone since October, when it was last connected to iCloud. “The very information that the F.B.I. is seeking would have been available, and we could have pulled it down from the cloud..."

So, the FBI has only itself to blame for the current mess, and for making access to the attacker's iPhone more difficult.


Government Uses 227-Year-Old Law To Force Apple To Unlock Terrorist's iPhone

The U.S. government has used a law created in the 1700s to force Apple Computer to break into an iPhone used by a terrorist last year. The New York Times reported that on Tuesday:

"... Magistrate Judge Sheri Pym of the Federal District Court for the District of Central California ordered Apple to bypass security functions on an iPhone 5c used by Syed Rizwan Farook, who was killed by the police along with his wife, Tashfeen Malik, after they attacked Mr. Farook’s co-workers at a holiday gathering. Judge Pym ordered Apple to build special software that would essentially act as a skeleton key capable of unlocking the phone... The Justice Department had secured a search warrant for the phone, owned by Mr. Farook’s former employer, the San Bernardino County Department of Public Health, which consented to the search... the F.B.I., instead of asking Congress to pass legislation resolving the encryption fight, has proposed what appears to be a novel reading of the All Writs Act of 1789... The government says the law gives broad latitude to judges to require “third parties” to execute court orders. It has cited, among other cases, a 1977 ruling requiring phone companies to help set up a pen register, a device that records all numbers called from a particular phone line..."

So far, Apple has refused to comply. Excerpts from a statement by Apple:

"The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand. This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake... Compromising the security of our personal information can ultimately put our personal safety at risk. That is why encryption has become so important to all of us. For many years, we have used encryption to protect our customers’ personal data because we believe it’s the only way to keep their information safe... But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone. Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession. The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control... The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals. The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe. We can find no precedent for an American company being forced to expose its customers to a greater risk of attack. 
For years, cryptologists and national security experts have been warning against weakening encryption. Doing so would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data."

This is not the first use of the All Writs Act against Apple. NPR reported:

"Last fall, the Justice Department, using the All Writs Act, tried to force Apple to unlock an iPhone running iOS 7 in a case involving a suspected methamphetamine dealer. Apple responded that it might be technically capable of unlocking that phone (since iOS 7 has fewer security features than later operating systems) but said the cost to the company's reputation — and resulting harm to its business — would pose an "undue burden." That case is still pending.."

The NPR news story also mentioned:

"In 2014, at the Justice Department's request, a federal court in New York used the law to order a phone-maker to unlock a password-protected device. The Justice Department says various other companies have been ordered under the All Writs Act to provide otherwise inaccessible information to investigators."

This is huge news. It highlights several privacy issues:

  1. Has the government over-reached by using a 1789 law?
  2. How can the government force a company to build something -- software, malware -- that doesn't exist? This Atlantic article describes the coercion slippery slope.
  3. Can Apple successfully build a back door for a single iPhone?
  4. If #3 is not technically impossible, does the back door place all iPhones at risk?
  5. Are back doors the best way to fight terrorism? Like you, terrorists read the news and will simply switch to other products without built-in back doors.
  6. Are back doors really needed? The law enforcement community is split over this.
  7. Are back doors a benefit or a risk?
  8. How does the government ensure that criminals, terrorists, and other governments' hackers don't use the same "back doors" it uses? After all, the Federal government has had massive data breaches.
  9. Do "back doors" prevent businesses from adequately protecting their proprietary trade secrets, processes, and private information?
  10. Why haven't other technology companies resisted the government's demands for back doors, as Apple has? This Wired article discusses why Apple's position (including encryption and strong privacy protections) is good for business.
  11. What does this mean for consumers' privacy? Some iPhone users have already built a website for protests.

Regarding item #1, the American Civil Liberties Union (ACLU) wrote in December 2015:

"The All Writs Act permits a court to issue an order to give effect to a prior lawful order or an existing grant of authority, and has been used for such things as ordering a prisoner be brought before a court. The Act does not allow a court to invest law enforcement with investigative tools that Congress has not authorized — like the extraordinary and unconstitutional conscription of a third party into obtaining information the third party does not possess or control... it’s even more troubling to consider that the government, by its own admission, has invoked it successfully in at least 70 cases."

The ACLU, the ACLU of Northern California, and the Center for Internet and Society (CIS) at Stanford Law School filed a Freedom of Information Act (FOIA) request in December to understand the government’s use of the All Writs Act to force device manufacturers to unlock devices. It is important to know the full scope of the government’s use of a 227-year-old law. The Electronic Frontier Foundation (EFF) announced that it will file an amicus brief supporting Apple.

The CIS responded to the recent court decision:

"The text of the court order is here. Although it does not direct Apple to break the encryption per se, it asks the company to disable features that make it more difficult to brute force the device security capabilities -- such as the function that disables (er, self-destructs) the device after multiple attempts to enter a PIN number. While that sounds innocuous enough, it is likely such access cannot be granted on a device-by-device basis upon demand by law enforcement, although some technologists believe it possible. Rather, unless Apple demonstrates the technical, economical, or temporal infeasibility of complying with the judge's order or gets the order lifted, the consequence may well be an update/patch to IOS that would implement that proverbial "backdoor" feature that certain law enforcement officials -- specifically, FBI Director James Comey -- allege is needed to protect the country, citizens, and (think of the) children from Any Number of Evil-Sounding Things That May or May Not Be True(tm). By contrast, NSA Director Admiral Mike Rogers has already stated publicly there is no need for such back doors or law enforcement access, and that strong Internet security features are more of a benefit than risk to society -- despite that perennial and selectively sensational hand-wringing by prominent law enforcement and/or intelligence officials..."

The privacy-friendly DuckDuckGo.com search engine posted this tweet on Wednesday:

Tweet by DuckDuckGo.com search engine about Apple iPhone privacy and government back door demand

And former N.S.A. contractor Ed Snowden posted:

Tweet by former NSA contractor ed Snowden about the FBI demand for Apple to unlock an iPhone


New York Civil Liberties Union Reports 'Stingray' Usage By New York City Police

After several freedom-of-information requests, the New York Civil Liberties Union (NYCLU) announced yesterday:

"In response to an NYCLU FOIL request, the NYPD disclosed it used Stingrays nearly 1,016 times between 2008 and May of 2015 without a written policy and following a practice of obtaining only lower-level court orders rather than warrants. This is the first time the extent of the use of Stingrays by the NYPD has been made public... Authorities are able to conduct this surveillance without the involvement of cell phone companies... The NYPD also disclosed that it has no written policy for the use of Stingrays but that, except in emergencies..."

Stingrays are devices that simulate real cellular phone towers in order to track and collect data about phone users. Your phone cannot distinguish between a real and simulated cellular tower. The data collection affects many people besides the persons being tracked:

"... in some configurations, [stingrays] collect the phone numbers that a person has been texting and calling and intercept the contents of communications. Stingrays also sweep up information from nearby bystander cell phones even when used to target specific phones..."

So, you can be completely innocent, and still be tracked. Not good. The U.S. Justice Department implemented a new policy in September 2015 requiring probable-cause warrants for some usage. Stingrays are used by federal, state, and local law enforcement in at least 18 states. Stingrays are used far beyond New York City:

"Last April, the NYCLU released records showing the Erie County Sheriff’s Office had used Stingrays 47 times in the last four years and only once indicated obtaining a pen register order before doing so... In May, NYCLU FOIL requests also revealed that the New York State Police spent hundreds of thousands of taxpayer dollars on Stingrays and related equipment."

The NYCLU is an affiliate of the American Civil Liberties Union (ACLU). Read this to learn more about stingray usage by law enforcement.


Blocking The Ad Blockers

The digital advertising arms race is well underway. Since many consumers have installed ad blocking software on their computing devices for privacy and a better online experience, some publishers have responded by blocking those online users... or at least those users' web browsers.

While attempting to stream the latest episode of a popular television show, I encountered the message below, which is an extremely poor implementation. It suggested that I disable all ad blocking software. A better, responsible implementation would include messaging about the specific advertising mechanism:

Blocked ad blocker at CBS website.

Have you encountered any similar messages at other sites?


You've Got Email Trackers: A Tool Marketers Use To Spy On Consumers

The New York Times told the story of an executive who received a call at 10:30 pm on his smartphone from a marketer, minutes after opening an e-mail message from the same marketer. Coincidence? The executive didn't think so, and after some investigation found that the marketer had planted a tracking mechanism in the e-mail message.

This marketer took e-mail marketing to the creepy zone. The marketer arrogantly assumed the executive, a) wouldn't mind the tracking and privacy invasion; and b) was agreeable to receiving a late-night phone call. Inappropriate. If the executive was driving his car, the late-night call could have created a distracted driving risk. Dangerous.

This marketer isn't alone. According to The New York Times:

"The trackers are traditionally offered by email marketing services like GetResponse and MailChimp. They have a legitimate use: to help commercial entities send messages tailored for specific types of customers. The New York Times, too, uses email trackers in its newsletters. The Electronic Frontier Foundation, a nonprofit that focuses on digital rights, estimates that practically every marketing email now contains some form of a tracker."

The e-mail tracking is possible because most users view HTML e-mail messages. One e-mail vendor's website home page highlights the industry's position:

Image of Sidekick home page.

Marketers want to know when, where, what device you use, and what link(s) you click on with their e-mails and advertisements. Yes, marketers should be able to evaluate their e-mail and marketing programs. At the same time, consumers have valid needs, often including privacy and the desire not to be tracked.

According to Pew Research, consumers perform a variety of tasks to thwart online tracking and data collection: delete browser cookies or browser history (59 percent), refuse to provide personal information irrelevant to the transaction (57 percent), set their browser to disable or turn off browser cookies (34 percent), and more. 86% of internet users have taken steps online to remove or mask their digital footprints. Plus, the growth in usage of ad-blockers by consumers highlights the desire not to be tracked (since many advertising networks contain tracking mechanisms):

"Between 15 to 17% of the U.S. population reportedly use ad blockers, and the number is double that for millennials. The numbers are even higher in Europe, and up to 80-90% in the case of specialty tech and gaming sites."

So, balance and respect are key. If marketers and advertisers are going to plant trackers in e-mail messages, then be honest and transparent: say so. Notify consumers. Provide opt-in mechanisms for consumers that don't mind the tracking.

Don't be that creepy marketer.

Will marketers act with respect and not go to the creepy, dark side? History suggests otherwise, given the litany of covert technologies marketers and advertisers have used to track consumers online: browser cookies, zombie cookies, zombie e-tags, Flash cookies to regenerate browser cookies users have deleted, super cookies, canvas fingerprinting, and more recently cross-device tracking.

Aware consumers realize that surveillance isn't performed only by government spy agencies. Private-sector corporate marketers and advertisers do it, too. The New York Times article discussed one of the e-mail trackers used:

"... MailTrack, which is a plug-in for Google’s Chrome browser that can quickly insert a hidden tracking pixel into a message..."

Unfortunately, both the good guys and bad guys (e.g., spammers, phishers) use e-mail trackers. Experts advise consumers to expect trackers planted in messages, and:

"A basic method for thwarting some email trackers involves disabling emails from automatically loading images, including invisible tracking pixels. But that doesn’t defeat all trackers, which are also hiding in other places like fonts and web links."

Ugly Email and Trackbuster are tools consumers can use to detect trackers embedded in e-mail messages. The former is a Gmail plug-in.
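An added example, not part of the original post and not the code of Ugly Email or Trackbuster: a small Python heuristic that scans an HTML e-mail body for the tracker locations mentioned in the quote above (invisible images, remotely loaded styles or fonts, and links carrying a per-recipient token). The sample message, its host names, and the 16-character token threshold are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qsl

# Constructed sample body; every host and token below is made up.
SAMPLE_HTML = """
<html><body>
<p>See our <a href="https://shop.example/sale?utm_source=mail&amp;rid=9f3c2a7be1d04c55a8b1">sale</a>.</p>
<img src="https://cdn.example/banner.png" width="600" height="120" alt="Sale banner">
<img src="https://track.example/o.gif?m=9f3c2a7be1d04c55a8b1" width="1" height="1" alt="">
<img src="https://track.example/p.png?u=77" style="display:none">
<link rel="stylesheet" href="https://fonts.example/css?family=Sans&amp;uid=77">
<a href="https://news.example/article">Plain link</a>
</body></html>
"""

# width/height attribute of 0 or 1 (optionally with "px")
TINY = re.compile(r"^\s*[01](px)?\s*$", re.I)
# inline style that hides the element or shrinks it to 0/1 pixel
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)
# Assumption: a query value of 16+ token characters identifies one recipient.
TOKEN = re.compile(r"^[A-Za-z0-9_-]{16,}$")


def is_remote(url):
    """True for URLs the mail client would fetch over the network."""
    return urlparse(url).scheme in ("http", "https")


class TrackerFinder(HTMLParser):
    """Collects (kind, url) pairs for elements that look like trackers."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img":
            src = a.get("src", "")
            tiny = TINY.match(a.get("width", "")) or TINY.match(a.get("height", ""))
            hidden = HIDDEN_STYLE.search(a.get("style", ""))
            # A remote image nobody can see exists only to be requested.
            if is_remote(src) and (tiny or hidden):
                self.findings.append(("pixel", src))
        elif tag == "link":
            href = a.get("href", "")
            # Remote stylesheets (and the fonts they pull in) load on open.
            if "stylesheet" in a.get("rel", "").lower() and is_remote(href):
                self.findings.append(("remote-style", href))
        elif tag == "a":
            href = a.get("href", "")
            values = [v for _, v in parse_qsl(urlparse(href).query)]
            # Fires only on click, but still ties the click to one recipient.
            if is_remote(href) and any(TOKEN.match(v) for v in values):
                self.findings.append(("tagged-link", href))


def find_trackers(html):
    """Return the list of (kind, url) findings for one HTML body."""
    finder = TrackerFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for kind, url in find_trackers(SAMPLE_HTML):
        print(f"{kind:13} {url}")
```

The visible 600x120 banner and the plain link are not reported; images referenced with `cid:` (attached to the message itself) are ignored because opening them triggers no network request.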

What are your opinions of e-mail trackers? What software do you use to detect e-mail trackers?

[Editor's Note: an earlier version of this post linked the "cross-device tracking" text to a CBS News article. That link was updated to a more descriptive article at Ars Technica.]


ESPN Report Links Spygate To Deflategate. Chronicles Decisions By NFL

If you haven't read it, there is a very interesting article at ESPN about the National Football League (NFL) and the New England Patriots team. After reading this ESPN article, it seems that the NFL has a gigantic mess on its hands. If the article is accurate, and its accuracy is questionable given ESPN's erroneous reporting previously of the number of deflated footballs, then the punishment by NFL Commissioner Roger Goodell for deflategate was linked to spygate.

A better-written ESPN article would have included embedded text links, for fans to read more and verify certain statements. Also, the article reads like a hit job on the Patriots... to tarnish the team’s brand and its value, thereby hurting Kraft in the wallet since QB Tom Brady won in court the first round against the league. At the same time, Goodell’s decision to destroy spygate evidence tarnishes the league’s credibility. Hence, huge mess. Some gems from the article:

“To many owners and coaches, the expediency of the NFL's [2008 spygate] investigation -- and the Patriots' and Goodell's insistence that no games were tilted by the spying -- seemed dubious. It reminded them of something they had seen before from the league and Patriots: At least two teams had caught New England videotaping their coaches' signals in 2006, yet the league did nothing. Further, NFL competition committee members had, over the years, fielded numerous allegations about New England breaking an array of rules. Still nothing. Now the stakes had gotten much higher: Spygate's unanswered questions and destroyed evidence had managed to seize the attention of a hard-charging U.S. senator, Arlen Specter of Pennsylvania, who was threatening a congressional investigation. This would put everyone -- players, coaches, owners and the commissioner -- under oath, a prospect that some in that room at The Breakers believed could threaten the foundation of the NFL.”

The supposed linkages between spygate and deflategate:

“Interviews by ESPN The Magazine and Outside the Lines with more than 90 league officials, owners, team executives and coaches, current and former Patriots coaches, staffers and players, and reviews of previously undisclosed private notes from key meetings, show that Spygate is the centerpiece of a long, secret history between Goodell's NFL, which declined comment for this story, and Kraft's Patriots. The diametrically opposed way the inquiries were managed by Goodell -- and, more importantly, perceived by his bosses -- reveals much about how and why NFL punishment is often dispensed. The widespread perception that Goodell gave the Patriots a break on Spygate, followed by the NFL's stonewalling of a potential congressional investigation into the matter, shaped owners' expectations of what needed to be done by 345 Park Ave. on Deflategate.”

And:

“... many former New England coaches and employees insist that the taping of signals wasn't even the most effective cheating method the Patriots deployed in that era. Several of them acknowledge that during pregame warm-ups, a low-level Patriots employee would sneak into the visiting locker room and steal the play sheet, listing the first 20 or so scripted calls for the opposing team's offense.”

A Patriots employee was caught filming in the Jets stadium during a 2007 game, and his camera was confiscated. Goodell’s decision to destroy this video evidence in 2008:

“During the first half, Jets security monitored Estrella, who held a camera and wore a polo shirt with a taped-over Patriots logo under a red media vest that said: NFL PHOTOGRAPHER 138. With the backing of Jets owner Woody Johnson and Tannenbaum, Jets security alerted NFL security, a step Mangini acknowledged publicly later that he never wanted. Shortly before halftime, security encircled and then confronted Estrella. He said he was with "Kraft Productions." They took him into a small room off the stadium's tunnel, confiscated his camera and tape, and made him wait... On Monday morning, Estrella's camera and the spy tape were at NFL headquarters on Park Avenue... Belichick explained that he had misinterpreted a rule, which the commissioner did not believe to be true, sources say, and that he had been engaged in the practice of taping signals for "some time." The coach explained that "at the most, he might gain a little intelligence," Goodell would later recall, according to notes. Belichick didn't volunteer the total number of games at which the Patriots had recorded signals, sources say, and the commissioner didn't ask... The next day, the league announced its historic punishment against the Patriots, including an NFL maximum fine for Belichick. Goodell and league executives hoped Spygate would be over... When Estrella's confiscated tape was leaked to Fox's Jay Glazer a week after Estrella was caught, the blowback was so great that the league dispatched three of its executives -- general counsel Jeff Pash, Anderson and VP of football operations Ron Hill -- to Foxborough on Sept. 18. What happened next has never been made public: The league officials interviewed Belichick, Adams and Dee, says Glaser, the Patriots' club counsel. Once again, nobody asked how many games had been recorded or attempted to determine whether a game was ever swayed by the spying, sources say. The Patriots staffers insisted that the spying had a limited impact on games. 
Then the Patriots told the league officials they possessed eight tapes containing game footage along with a half-inch-thick stack of notes of signals and other scouting information belonging to Adams, Glaser says. The league officials watched portions of the tapes. Goodell was contacted, and he ordered the tapes and notes to be destroyed, but the Patriots didn't want any of it to leave the building, arguing that some of it was obtained legally and thus was proprietary. So in a stadium conference room, Pash and the other NFL executives stomped the videotapes into small pieces and fed Adams' notes into a shredder...”

The article is filled with interviews with people who claimed this or that. No hard evidence. I guess this is how an oligopoly approaches investigations and “justice.” Lots of allegations, rumors, no proof, destruction of what little evidence existed, lots of fines (like big banks), and never true honesty with fans by telling fans everything.

Does your favorite NFL team cheat? Yes, according to the Your Team Cheats site.

Like I said, it’s a big mess. I'm glad I stopped watching the NFL back in 2013.


New Justice Department Policy Requires Warrants For Some Stingray Uses

Just before the holiday weekend, the U.S. Department of Justice (DOJ) announced a new policy where probable-cause warrants are required for federal agencies to use cellular-tower simulators or "stingrays." The new policy went into effect immediately. The DOJ announced on September 3 that the new policy:

"... will enhance transparency and accountability, improve training and supervision, establish a higher and more consistent legal standard and increase privacy protections in relation to law enforcement’s use of this critical technology... To enhance privacy protections, the new policy establishes a set of required practices with respect to the treatment of information collected through the use of cell-site simulators. This includes data handling requirements and an agency-level implementation of an auditing program to ensure that data is deleted consistent with this policy."

The new policy and stingray usage:

"... cell-site simulators may not be used to collect the contents of any communication in the course of criminal investigations. This means data contained on the phone itself, such as emails, texts, contact lists and images, may not be collected using this technology. While the department has, in the past, obtained appropriate legal authorizations to use cell-site simulators, law enforcement agents must now obtain a search warrant supported by probable cause before using a cell-site simulator. There are limited exceptions in the policy for exigent circumstances or exceptional circumstances where the law does not require a search warrant and circumstances make obtaining a search warrant impracticable. Department components will be required to track and report the number of times the technology is deployed under these exceptions."

The Electronic Frontier Foundation (EFF) discussed the new DOJ policy:

"Most importantly, starting today all federal law enforcement agencies—and all state and local agencies working with the federal government—will be required to obtain a search warrant supported by probable cause before they are allowed to use cell-site simulators. EFF welcomes these policy changes as long overdue... Until recently, law enforcement’s use of Stingrays has been shrouded in an inexplicable and indefensible level of secrecy. At the behest of the FBI, state law enforcement agencies have been bound by non-disclosure agreements intended to shield from public scrutiny all details... Law enforcement has gone to extreme lengths to protect even the most basic information about them, even dropping charges rather than answering judges’ questions about them."

The EFF article discussed how stingrays work and what they collect:

"... cell-site simulators masquerade as legitimate cell phone towers, tricking phones nearby into connecting to them. This allows agents to learn the unique identifying number for each phone in the area of the device and to track a phone’s location in real time... all mobile traffic (voice, data, and text) from every phone in the area could be routed through the Stingray, giving the operator the option to do anything from recording entire calls and texts, to selectively denying service to particular phones."

Powerful technology. The new DOJ policy has limitations. According to the EFF:

"The new policy isn’t law and doesn’t provide any remedy to people whose data is swept up by Stingrays operated without a warrant. Indeed, it won’t even act to keep evidence collected in violation of the policy out of court (this is known as suppression). The policy doesn’t apply to the use of Stingrays outside of the criminal investigation context. For instance, when federal agents use cell-site simulators for “national security” purposes, they won’t be required to obtain a warrant by the terms of this policy..."

And, most importantly:

"... without a statute or court decision giving this voluntary policy the force of law, there will be no consequences if law enforcement agents flout its terms and continue using Stingrays as they have—without warrants. With only this policy shielding us, there’s nothing keeping warrantless Stingray evidence out of court, and therefore nothing to deter agents from behaving badly."

U.S. Senator Patrick Leahy (D-Vermont) issued this statement on September 4 (link added):

"The Department of Justice’s new policies are finally starting to catch up with the rapid advancement of this tracking technology. For more than a year, Chairman Grassley and I have pressed the administration about the use of cell-site simulators, which sweep up cell phone signals from innocent Americans who are not targets of an investigation. Today’s announcement is a welcome step forward, and has the potential to bring transparency and consistency to the Department’s use of these tracking devices. However, I have serious questions about the exceptions to the warrant requirement that are set forth in this new policy, and I will press the Department to justify them.”

Reportedly, earlier this year the Baltimore Police Department acknowledged that it had already used the stingray technology more than 4,300 times. The technology is used by many other police departments.

What are your opinions of the Justice Department's new policy? Just right, too little too late, or too much? Do your elected officials adequately represent your views on stingray usage?


Location Privacy. Does Your State Allow Warrantless Searches Of Cellphones?

Do your state's laws allow law enforcement to perform warrantless searches for cellphone location data? The American Civil Liberties Union (ACLU) released a report where it researched each state's current laws to determine whether residents' location privacy is protected or not:

"... 18 states now require law enforcement to get a probable cause warrant before obtaining people’s cell phone location information. Six of those states protect both historical and real-time location information from warrantless search... This year alone, legislation was introduced in 17 states. Instead of waiting for Congress or the courts to act, state legislatures are leading the way..."

Metadata about your phone calls reveals who you called, who called you, when the call happened, and how long you talked. Geo-location data reveals your travel patterns: where you went, when you left, when you returned, how long you stayed, places you passed by and didn't enter, and travel patterns (e.g., places you visit frequently and/or at certain times or on certain days).

The report included what's known (so far) about stingrays, the technology using fake cellular phone towers to spy and collect your phone usage and geo-location data:

"... New Hampshire has joined the ranks of states offering full probable-cause warrant protection to both historical and real-time cell phone location information. The Washington legislature unanimously passed a law requiring a warrant for use of “StingRay” cell phone tracking equipment, and Virginia enacted a similar law."

You can browse the report to read details about the laws (or lack thereof) in the state where you live. For example, the state where I live:

ACLU report on warrantless search laws by state. Massachusetts.

Besides stingrays, the use of other technologies threatens consumers' location privacy. The ACLU of Southern California and the Electronic Frontier Foundation (EFF) asked the California Supreme Court to review their lawsuit seeking access to automated license plate-reader (ALPR) data collected by the Los Angeles Police and Sheriff’s Departments. The EFF said in July:

"This case has significant precedential impact, setting a troubling standard allowing police to keep these records and details of its surveillance of ordinary, law-abiding citizens from ever being scrutinized. The appeals court ruling may apply not only to records collected with license plate cameras, but to data collected using other forms of automatic and indiscriminate surveillance systems, from body cameras and dash cameras to public surveillance cameras and drones. Without access to these records, we can’t ensure police accountability."

The case started in 2012 when local law enforcement refused to disclose ALPR data after the EFF filed a public records request:

"... cameras mounted on patrol cars and at fixed locations around the city and county of Los Angeles. ALPRs automatically take a picture of all license plates that come into view and record the time, date, and location where the vehicle was photographed. Because the agencies store the data for two to five years, they have been able to collect a massive amount of sensitive location-based information on mostly innocent Los Angeles residents..."

Reportedly, the reasons given by local law enforcement agencies:

"The agencies refused to turn over the records, claiming they could withhold the millions of license plate data points as “records of law enforcement investigations,” which are exempt from public review under the California Public Records Act. Incredibly, they argued that all drivers in Los Angeles are under criminal investigation at all times—whether or not the police suspect them of being involved in any criminal activity. The ACLU has estimated that as many as 99.8% of the vehicles photographed by ALPR cameras are never linked to any ongoing criminal investigation..."

Sadly, both the trial and appeal courts sided with the law enforcement agencies. So, the threat to consumers is two-fold: a) collection of data about law-abiding citizens without notice or consent, and b) lack of accountability of government surveillance programs that could extend into more technologies such as body cameras.

Last, all of this does not minimize nor condone surveillance by corporations, which is arguably more extensive than government surveillance. Terms such as behavioral advertising, geo-fencing, and targeted advertising are often used to describe private-sector surveillance, with vague promises of relevant advertising benefits. At the end of the day, surveillance is surveillance; tracking is tracking. Many law enforcement and spy executives have probably looked at the extensive private-sector surveillance with weak consumer protections and concluded, "if they can do it, so should we."

View the ACLU report and status of warrantless search laws in your state.


History: Mississippi Sovereignty Commission Spied On Citizens And Civil Rights Activists

It was arguably the largest government spy program on U.S. citizens prior to September 11, 2001. And, you probably have not heard about it.

The documentary "Spies of Mississippi" describes the structure, goals, and activities of the Mississippi State Sovereignty Commission (MSSC) when it spied during the 1950s and 1960s upon more than 87,000 American citizens, mostly civil rights (voting rights) activists, to maintain a White-supremacist controlled government in the state:

"A no-nonsense group called the  Mississippi State Sovereignty Commission has quietly created a secret, state-funded spy agency answering directly to the Governor.  The Commission has infiltrated the civil rights coalition, eavesdropping on its most private meetings, and pilfering its most sensitive documents. The spies’ method of obtaining such sensitive information can be traced to an even more explosive secret known only to a handful of state officials that oversee the Commission and its anti-civil rights spy apparatus..."

Freedom Summer was a campaign during the summer of 1964 to register African-American voters in southern states. Campaign participants included mostly white college students from northern states working with African-American residents in several southern states to register voters. The MSSC, formed, funded, and controlled by the Mississippi state government, was central to using informants and paid investigators to identify, monitor, and track activists, who were often beaten and murdered. The murders received national and worldwide attention in 1963 with the murder of Medgar Evers, the head of the Mississippi NAACP, and in 1964 when three Freedom Summer students went missing. The students' bodies were later found buried underneath a 14-foot earthen dam.

Besides watching the documentary, you can learn more online. The Mississippi Department of Archives And History contains information and documents that describe the MSSC:

"... was created by an act of the Mississippi legislature on March 29, 1956. The agency was established in the wake of the May 1954 Brown v. Board of Education ruling. Like other states below the Mason-Dixon Line, Mississippi responded to Brown with legislation to shore up the walls of racial separation. The act creating the Commission provided the agency with broad powers. The Commission's objective was to "do and perform any and all acts deemed necessary and proper to protect the sovereignty of the state of Mississippi, and her sister states... the Commission was granted extensive investigative powers. The governor was appointed ex-officio chairman of the Commission. Other ex-officio members were the president of the Senate, who was vice-chairman of the Commission; the attorney general; and the speaker of the House of Representatives. In addition, the Commission comprised the following members: two members from the Senate, appointed by the president of the Senate; and three members from the House of Representatives, appointed by the speaker. The governor, attorney general and legislators served on the Commission during their tenures in office..."

The American Civil Liberties Union (ACLU) wrote that the documentary:

"... is a grim reminder of the depths that Mississippi authorities plumbed in their efforts to subvert the civil rights movement... The film draws on a trove of Commission records, which are available and searchable online thanks to a 1994 court order in a lawsuit brought by the ACLU of Mississippi... within a few years it had mushroomed into a full-scale spy agency, employing a network of investigators and agents who surveilled civil rights activists, tapped their phones, monitored their meetings, stole sensitive documents, and undermined voter rights efforts. The Commission was ruthless, waging an all-out war against change. Perhaps most painfully, it assembled a cadre of African American informants.. It destroyed the lives of people like Clyde Kennard, a Black Korean War veteran who attempted to enroll at what was then Mississippi Southern College. The Commission orchestrated the planting of evidence used to convict Mr. Kennard of stealing chicken feed. He served seven years in prison. Commission agents also funneled information to local law enforcement (which was rife with KKK members) about student activists who were descending on Mississippi for the "Freedom Summer" of 1964... films such as "Spies of Mississippi" serve two vital purposes: remembrance and reminder. They advance the long project of accounting for America's history of racial subjugation, in brutal detail. They also remind us, in the words of Mississippi Congressman Bennie Thompson, of the "need to keep us safe from terrorists, but also from ourselves." "

The MSSC highlights the consequences when a government spies upon its citizens without notice, consent, transparency, and accountability; and fails to comply with the U.S. Constitution. The documentary is currently being shown on Public Broadcasting Stations (PBS). The film and the book are available online for purchase and download. Watch the trailer:


Researchers Conclude AT&T Was The Best Corporate Collaborator With NSA Spying

Based upon recently released reports, experts have deduced that while many telecommunications companies helped the National Security Agency (NSA) perform various spy programs, AT&T had a closer relationship with the agency. The New York Times reported:

"... the relationship with AT&T has been considered unique and especially productive. One document described it as “highly collaborative,” while another lauded the company’s “extreme willingness to help.” AT&T’s cooperation has involved a broad range of classified activities... from 2003 to 2013. AT&T has given the N.S.A. access, through several methods covered under different legal rules, to billions of emails as they have flowed across its domestic networks. It provided technical assistance in carrying out a secret court order permitting the wiretapping of all Internet communications at the United Nations headquarters, a customer of AT&T... The N.S.A.’s top-secret budget in 2013 for the AT&T partnership was more than twice that of the next-largest such program, according to the documents. The company installed surveillance equipment in at least 17 of its Internet hubs on American soil..."

The documents, which discussed a program with the code name Fairview, do not mention AT&T by name. The documents came from former agency contractor Edward Snowden.

"After the terrorist attacks of Sept. 11, 2001, AT&T and MCI were instrumental in the Bush administration’s warrantless wiretapping programs, according to a draft report by the N.S.A.’s inspector general. The report, disclosed by Mr. Snowden and previously published by The Guardian, does not identify the companies by name but describes their market share in numbers that correspond to those two businesses..."

The New York Times and ProPublica reviewed the documents jointly.

What can consumers make of this? I see three messages.

First, ProPublica described well the privacy concerns with online surveillance:

".., a single email traverses the Internet in hundreds of tiny slices, called “packets,’’ that travel separate routes. Grabbing even one email requires a computer search of many slices of other people’s messages. Privacy advocates have long argued in court that grabbing portions of so many emails — involving people not suspected of anything — is a violation of the protection against unreasonable searches and seizures provided by the Fourth Amendment to the Constitution. The Electronic Frontier Foundation, a digital civil liberties group, is now hoping that the new documents will bolster their claims in a long-running case, Jewel v. NSA."

Second, after the terror attacks of September 11, 2001, American citizens wanted safety. It matters how government achieves safety while adhering to our values. Some people seem quick to trade freedoms for security. A wise person once said, you can't just run away from the Fourth Amendment.

Third, if you're the NSA and need to reach out and touch somebody, AT&T is your go-to company:


Justice Department Considers Changes To The Patriot Act And Rule 41 For Online Warrants

[Editor's Note: I am happy to feature another post by guest author Arkady Bukh. He leads the law firm of Bukh & Associates, PLLC which specializes in criminal law, family law, and several areas of civil law. He is a frequent contributor on CNN, Wired, Forbes, Huffington Post, and several other sites.]

By Arkady Bukh, Esq.

In the days and months following 9/11, Americans shuffled between wincing in fear and screaming for retribution.

Forgetting Benjamin Franklin’s admonishment that people who give up security for liberty lose both, Americans sat by while some of the most restrictive legislation ever signed was enacted. Justified by claims of “national security,” American citizens watched as their rights were softened. The Patriot Act arguably was the legislative high point during President George W. Bush’s administration.

Lately, calmer heads have prevailed and Congress has started to move to relax some aspects of The Patriot Act as it eliminated others.

One small section of the Patriot Act, Rule 41, may get toughened and expanded while much of America is sidetracked by smartphones and the Kardashians. If the legislation is signed into law, the impact will not only be felt across America, but the tsunami wave of snooping and privacy invasion will perseverate globally.

Tweaks are “Monumental” Violation

While the U.S. Department of Justice (DOJ) has been working to modify a federal criminal procedure making it easier for judges to issue search warrants outside their areas of jurisdiction, Google has been busy warning others about the potential consequences.

Rule 41

The proposed change in Rule 41 of The Patriot Act would allow judges to assign warrants even if the source of a botnet, or another unidentified action, is anonymous and its location unknown. University of California Hastings law professor Ahmed Ghappour told the Ars Technica blog:

"This is another example of the FBI obtaining a warrant that they are not empowered to obtain based on the lack of technological expertise of the courts."

Ars Technica concluded:

"If the proposal is passed as currently drafted, federal authorities would gain an expanded ability to conduct "remote access" under a warrant against a target computer whose location is unknown or outside of a given judicial district. It would also apply in cases where that computer is part of a larger network of computers spread across multiple judicial districts."

In responding to public comments regarding the proposed expansion of Rule 41, the DOJ replied:

“These objections are misplaced here because the proposed amendment is solely about the appropriate venue for applying for such warrants. The existing rules already allow the government to obtain and execute such warrants when the district of the targeted computer is known. Thus, the issue before the Committee is not whether to allow warrants to be executed by remote search; it is whether such warrants should as a practical matter be precluded in cases involving anonymizing technology due to lack of a clearly authorized venue to consider warrant applications. Finally, we note that none of the commenters who expressed opposition to the proposal offered any substantive alternative solution...”

Google’s stance is that the proposal is too broad and would have unintended consequences. Google’s rebuttal adds that Congress should pass laws authorizing the changes, and not a DOJ proposal. Google’s response was filed along with 30 others during the comment period by groups that included the ACLU and the Electronic Frontier Foundation.

Under the proposed modifications, Rule 41 of the Federal Rules of Criminal Procedure authorizes the government to appear before a single Federal magistrate judge in any judicial district in which activities relating to terrorism may have occurred.

This means that the government could go before a single judge to get a warrant to search the property of a person — anywhere. If the state chose to appear in New York, an individual in California who wished to have the warrant quashed would have to discover a way to appear before the New York Court that issued the warrant.

Rule 41 isn’t the only clause in The Patriot Act that concerns observers.

The Patriot Act

The danger of The Patriot Act, specifically Section 802, is the definition of “terrorism.” As defined, domestic terrorism is broad enough to include the actions of several prominent activist groups including Greenpeace, Operation Rescue and others.

The American Civil Liberties Union (ACLU) cited the Vieques Island protests as an example:

"... when many people, including several prominent Americans, participated in civil disobedience on a military installation where the United States government has been engaging in regular military exercises, which these protesters oppose. The protesters illegally entered the military base and tried to obstruct the bombing exercises. This conduct would fall within the definition of domestic terrorism because the protesters broke federal law by unlawfully entering the airbase and their acts were for the purpose of influencing a government policy by intimidation or coercion. The act of trying to disrupt bombing exercises arguably created a danger to human life - their own and those of military personnel."

Using the Vieques Island protests as a starting point, the new government powers can be examined.

Seizure of Assets

Section 806 of The Patriot Act would result in the civil seizure of individual assets without prior hearings and without being convicted of a crime. The language in Section 806 is widespread enough to authorize the government to seize any resources and belongings of any individual involved in Vieques or any group supporting the protests.

Additionally, any individual who supported the groups that supported the Vieques Island protesters would also be subject to Section 806.

The civil asset forfeiture power of the US government is incredible. The government can seize the assets based on the mere assertion that there is a possible cause to think that the assets were linked to “domestic terrorism.”

Educational Record Disclosure

Section 507 requires a judge to issue an order permitting the government to obtain private educational records if the US Attorney General certifies that the records are necessary for investigating terrorism. An independent judicial finding is not required to prove the records are relevant.

The types of records that can be seized include information such as a student’s grades, private medication information, and organizations the student belongs to.

Criminal defense attorneys do not oppose the criminal prosecution of people who violate the law — even if they are performing for political purposes. However, what is anathema is the broad definition of terrorism and the authorization that flows from that meaning.

One way to ensure that the behavior that falls within the meaning of terrorism is, in fact, to limit the scope of the behavior that triggers the charges.


Do Foreign Governments Have a Right To Spy On American Citizens Inside Their Homes? One Country Believes So

Just when you think that the surveillance news can't get any more bizarre, along comes this item. The Electronic Frontier Foundation (EFF) will argue in a Federal court today at 2:00 pm for an American seeking to proceed with a lawsuit against the Ethiopian government. Lawyers in the United States representing the Ethiopian government want the case dismissed and claim:

"... that foreign governments have a right to wiretap Americans inside their own homes without court oversight, a right that not even the U.S. government claims for itself."

The plaintiff, an American, uses the pseudonym "Mr. Kidane" to protect his family both in the United States and in Ethiopia. Mr. Kidane wants to sue the Ethiopian government in a United States court for:

"... infecting his computer with secret spyware, wiretapping his private calls, and monitoring his family’s every use of the computer for weeks... EFF Staff Attorney Nate Cardozo will argue Tuesday that Ethiopia must answer in court for the illegal spying on Mr. Kidane. The case is also supported by the law firm of Robins, Kaplan, Miller and Ciresi, LLP."

According to the EFF press release, the spyware allegedly found on Mr. Kidane’s computer was identified as:

"... part of a systemic campaign by the Ethiopian government to spy on perceived political opponents. The malware in this case was a program called FinSpy, surveillance software marketed exclusively to governments by the Gamma Group of Companies. Just recently, leaked documents have shown that a competing spyware company called Hacking Team has also provided covert surveillance software to Ethiopia..."

The New York Times reported in August 2012 that FinSpy was:

"... one of the more elusive spyware tools sold in the growing market of off-the-shelf computer surveillance technologies that give governments a sophisticated plug-in monitoring operation. Research now links it to servers in more than a dozen countries, including Turkmenistan, Brunei and Bahrain, although no government acknowledges using the software for surveillance purposes."

In 2012, experts estimated the size of the spy-software market at $5 billion. I believe consumers can safely assume that the spyware market is far larger today. Founded during the 1990s, the Gamma Group sells turnkey surveillance software globally to governments. "Turnkey" means completed, finished software that is ready to operate. You might say it's plug-and-play.

The Washington Post reported in February 2014 that Mr. Kidane:

"... came to the United States 22 years ago, won political asylum and now is a U.S. citizen living in Silver Spring, Md. He provides “technical and administrative support” to an Ethiopian opposition group, Ginbot 7, but is not a formal member of that group..."

The lawsuit highlights the risks when consumers use the Internet. What are your opinions of this lawsuit?


China's New National Security Law Raises Intellectual Property, Privacy, And Supply Chain Concerns

The New York Times reported about China's new national security law and how it will affect U.S.-based corporations doing business there. The new law also raises intellectual property, privacy, and supply-chain concerns. What is different about the new law:

"New language in the rules calls for a “national security review” of the technology industry — including networking and other products and services — and foreign investment. The law also calls for technology that supports crucial sectors to be “secure and controllable,” a catchphrase that multinationals and industry groups say could be used to force companies to build so-called back doors — which allow third-party access to systems — provide encryption keys or even hand over source code."

The term "controllable" seems to imply a lot more than access via back doors to software and computing systems. Closely related to this new law are disagreements between the United States and China:

"The United States has accused China of state-sponsored hacking attacks against American companies to gain a commercial advantage... In turn, China maintains that the disclosures by Edward J. Snowden, the former United States National Security Agency contractor, about American online espionage give it plenty of reason to wean itself from foreign technology that may have been tampered with by United States intelligence agencies."

The Ministry of State Security is China's intelligence agency. In April, China withdrew a law that:

"... restricted which technology products could be sold by foreign companies to Chinese banks. Groups that represent companies like Apple, Google and Microsoft had pushed against that law."

Australia's Sydney Morning Herald reported:

"... the Chinese government has enacted a new national security law that amounts to a sweeping command from President Xi Jinping to maintain the primacy of Communist Party rule across all aspects of society. The law is expected to bolster the power of China's domestic security apparatus and military. The law says "security" must be maintained in all fields, from culture to education to cyberspace... security must be defended on international seabeds, in the polar regions and even in outer space."

The Herald added:

"The law is one of three being scrutinised by foreign leaders and corporate executives... The other two laws are expected to be passed soon; one would regulate foreign non-governmental organisations and place them under the oversight of the Ministry of Public Security, and the other is a counterterrorism law... Legal scholars and analysts in China say it will probably lead to the security apparatus amassing more power..."

The U.S. Chamber of Commerce and several companies sent a letter in January 2015 to China calling for more discussions about the new law. The new laws seem to be a clear rejection of that request.

So, there are more security laws to come from China. China's new law raises several questions:

  1. How will high-tech companies respond? Will they comply, fight the new laws, or relocate their businesses to more hospitable countries?
  2. Will Apple permit the Chinese to have back doors or keys to its products after denying that to the U.S. intelligence community?
  3. Reportedly, Google has included NSA code in its software. Will it also allow the MSS to include code?
  4. How will IBM, Cisco, Microsoft, and other high-tech companies respond?
  5. Is it technically possible to alter software products and Internet services for only the Chinese market, so that the altered versions aren't sold in other countries?
  6. If #5 is possible, would other countries' governments accept differentiated products, or demand the same backdoor access as China?
  7. How will the new law affect the Internet of Things (IoT), especially Internet-capable appliances made in China?

What are your opinions of China's new security law? Are there any more issues or questions than the seven listed above? How do you think U.S.-based corporations should respond to China's new law?


FISA Court Rules NSA Bulk Phone Metadata Collection Program Can Resume

On Monday the Foreign Intelligence Surveillance Court ruled that the National Security Agency (NSA) can temporarily resume for six months its bulk collection of metadata about Americans' phone calls. The program had ended on June 1 when the law it was based upon, Section 215 of the USA Patriot Act, expired. The New York Times reported:

"Congress revived that provision on June 2 with a bill called the USA Freedom Act, which said the provision could not be used for bulk collection after six months. The six-month period was intended to give intelligence agencies time to move to a new system in which the phone records — which include information like phone numbers and the duration of calls but not the contents of conversations — would stay in the hands of phone companies."

The Second Circuit Court of Appeals ruled in May that the bulk phone records program violated the USA Patriot Act. Also:

"... After President Obama signed the Freedom Act on June 2, his administration applied to restart the program for six months. But a conservative and libertarian advocacy group, FreedomWorks, filed a motion in the surveillance court saying it had no legal authority to permit the program to resume,"

The FISA Court ruled against the motion by FreedomWorks. For those interested, read the full text of the June 29, 2015 FISA Court opinion.

Senator Ron Wyden said in a statement:

"I see no reason for the Executive Branch to restart bulk collection, even for a few months. This illegal dragnet surveillance violated Americans' rights for fourteen years without making our country any safer... It is disappointing that the [Obama] administration is seeking to resurrect this unnecessary and invasive program after it has already been shut down. However I am relieved this will be the final five months of Patriot Act mass surveillance... It will take a concerted effort by everyone who cares about Americans' privacy and civil liberties to continue making inroads against government overreach."

So, while the official bulk phone records collection program is ending on November 29, 2015, one could argue that not much has really changed since experts say the telephone companies will perform the phone records collection and archiving instead.

What are your opinions?


Update: Massive U.S. Government Data Breach And The Alleged Hackers

Update on the massive data breach at the Office of Personnel Management (OPM). On Saturday, the New York Times reported that U.S. intelligence officials have followed the movements of several Chinese hackers for the past five years:

"But last summer, officials lost the trail as some of the hackers changed focus again, burrowing deep into United States government computer systems that contain vast troves of personnel data... Undetected for nearly a year, the Chinese intruders executed a sophisticated attack that gave them “administrator privileges” into the computer networks at the Office of Personnel Management, mimicking the credentials of people who run the agency’s systems..."

This sheds a tiny bit of light on how the hackers may have gained access. It also seems to strongly suggest that the hackers obtained the sign-in credentials of users with the strongest privileges to access and manipulate information. What the hackers seem to be seeking:

"Much of the personnel data had been stored in the lightly protected systems of the Department of the Interior, because it had cheap, available space for digital data storage. The hackers’ ultimate target: the one million or so federal employees and contractors who have filled out a form known as SF-86, which is stored in a different computer bank and details personal, financial and medical histories for anyone seeking a security clearance."

The types of federal employees that have security clearances typically include covert operatives and investigators, plus:

"... an audit issued early last year, before the Chinese attacks, harshly criticized lax security at the Internal Revenue Service, the Nuclear Regulatory Commission, the Energy Department, the Securities and Exchange Commission — and the Department of Homeland Security, which has responsibility for securing the nation’s critical networks... Computers at the I.R.S. allowed employees to use weak passwords like “password.” One report detailed 7,329 “potential vulnerabilities” because software patches had not been installed..."

It seems as though heads need to roll in several agencies, both at senior management levels and in specific departments (e.g., information technology, data security).


Federal Court Rules NSA Phone Data Collection Program Violated the Patriot Act

On Thursday, a federal appeals court ruled that the bulk collection of Americans' phone data by the National Security Agency (NSA) violated the USA Patriot Act. The Washington Post reported:

"... a unanimous three-judge panel of the U.S. Court of Appeals for the 2nd Circuit overturned a lower court and determined that the government had stretched the meaning of the statute to enable “sweeping surveillance” of Americans’ data in “staggering” volumes... The NSA’s mass collection of phone records for counterterrorism purposes — launched after the Sept. 11, 2001, terrorist attacks... Under the program, the NSA collects “metadata” — or records of times, dates and durations of all calls — but not call content."

The NSA's massive phone collection program was revealed in June 2013 by former NSA contractor Edward Snowden. The U.S. Government argued that the phone records data collection program, underway since at least May 2006, was necessary to identify:

"... terrorism suspects. A series of judges on the secretive Foreign Intelligence Surveillance Court have agreed."

The plaintiffs in the original lawsuit and appellants were the American Civil Liberties Union, American Civil Liberties Union Foundation, New York Civil Liberties Union, and New York Civil Liberties Union Foundation. Named in the appeal lawsuit were James R. Clapper (Director of National Intelligence), Michael S. Rogers (Director of the National Security Agency and Chief of the Central Security Service), Ashton B. Carter (Secretary of Defense), Loretta E. Lynch (Attorney General of the United States), and James B. Comey (Director of the Federal Bureau of Investigation).

The Court opinion stated in part:

"This appeal concerns the legality of the bulk telephone metadata collection program (the “telephone metadata program”), under which the National Security Agency (“NSA”) collects in bulk “on an ongoing daily basis” the metadata associated with telephone calls made by and to Americans, and aggregates those metadata into a repository or data bank that can later be queried. Appellants challenge the program on statutory and constitutional grounds. Because we find that the program exceeds the scope of what Congress has authorized, we vacate the decision below dismissing the complaint without reaching appellants’ constitutional arguments."

Telephone metadata does not include what people said during a phone call. Metadata includes only the date, time, call duration (in minutes), caller's phone number, and recipient's phone number. With smartphones, the metadata may also include the caller's geo-location, the recipient's geo-location, and a phone identifier. The Court opinion also stated:

"The district court held that § 215 of the PATRIOT Act impliedly precludes judicial review; that plaintiffs/appellants’ statutory claims regarding the scope of § 215 would in any event fail on the merits; and that § 215 does not violate the Fourth or First Amendments to the United States Constitution. We disagree in part, and hold that § 215 and the statutory scheme to which it relates do not preclude judicial review, and that the bulk telephone metadata program is not authorized by § 215."

The Court decision summarized some important history Americans should know:

"In the early 1970s, in a climate not altogether unlike today’s, the intelligence‐gathering and surveillance activities of the NSA, the FBI, and the CIA came under public scrutiny. The Supreme Court struck down certain warrantless surveillance procedures that the government had argued were lawful as an exercise of the President’s power to protect national security, remarking on “the inherent vagueness of the domestic security concept [and] the necessarily broad and continuing nature of intelligence gathering.” United States v. U.S. Dist. Court for the E. Dist. of Mich. (Keith), 407 U.S. 297, 320 (1972). In response to that decision and to allegations that those agencies were abusing their power in order to spy on Americans, the Senate established the Select Committee to Study Governmental Operations with Respect to Intelligence Activities (the “Church Committee”) to investigate whether the intelligence agencies had engaged in unlawful behavior and whether legislation was necessary to govern their activities. The Church Committee expressed concerns that the privacy rights of U.S. citizens had been violated by activities that had been conducted under the rubric of foreign intelligence collection. The findings of the Church Committee, along with the Supreme Court’s decision in Keith and the allegations of abuse by the intelligence agencies, prompted Congress in 1978 to enact comprehensive legislation aimed at curtailing abuses and delineating the procedures to be employed in conducting surveillance in foreign intelligence investigations. That legislation, the Foreign Intelligence Surveillance Act of 1978 (“FISA”)... established a special court, the Foreign Intelligence Surveillance Court (“FISC”), to review the government’s applications for orders permitting electronic surveillance... Unlike ordinary Article III courts, the FISC conducts its usually ex parte proceedings in secret; its decisions are not, in the ordinary course, disseminated publicly..."

To balance the competing needs of citizens' privacy and intelligence gathering:

"... Congress has amended FISA, most significantly, after the terrorist attacks of September 11, 2001, in the PATRIOT Act. See USA PATRIOT ACT of 2001, Pub. L. No. 107‐56, 115 Stat. 272 (2001). The government argues that § 215 of that Act authorizes the telephone metadata program..."

The Court added:

"We are faced today with a controversy similar to that which led to the Keith decision and the enactment of FISA. We must confront the question whether a surveillance program that the government has put in place to protect national security is lawful. That program involves the bulk collection by the government of telephone metadata created by telephone companies in the normal course of their business... "

The court recognized that while law enforcement has historically used metadata, new technologies have changed things:

"We recognize that metadata exist in more traditional formats, too, and that law enforcement and others have always been able to utilize metadata for investigative purposes. For example, just as telephone metadata may reveal the charitable organizations that an individual supports, observation of the outside of an envelope sent at the end of the year through the United States Postal Service to such an organization might well permit similar inferences, without requiring an examination of the envelope’s contents. But the structured format of telephone and other technology‐related metadata, and the vast new technological capacity for large‐scale and automated review and analysis, distinguish the type of metadata at issue here from more traditional forms. The more metadata the government collects and analyzes, furthermore, the greater the capacity for such metadata to reveal ever more private and previously unascertainable information about individuals... in today’s technologically based world, it is virtually impossible for an ordinary citizen to avoid creating metadata about himself..."

The Court opinion discussed secrecy and the Administrative Procedure Act (APA):

"The government has pointed to no affirmative evidence, whether “clear and convincing” or “fairly discernible,” that suggests that Congress intended to preclude judicial review. Indeed, the government’s argument from secrecy suggests that Congress did not contemplate a situation in which targets of § 215 orders would become aware of those orders... That Congress may not have anticipated that individuals... would become aware of the orders, and thus be in a position to seek judicial review, is not evidence that Congress affirmatively decided to revoke the right to judicial review otherwise provided by the APA... The government’s argument also ignores the fact that, in certain (albeit limited) instances, the statute does indeed contemplate disclosure. If a judge finds that “there is no reason to believe that disclosure may endanger the national security of the United States, interfere with a criminal, counterterrorism, or counterintelligence investigation, interfere with diplomatic relations, or endanger the life or physical safety of any person,” he may grant a petition to modify or set aside a nondisclosure order... Such a petition could presumably only be brought by a § 215 order recipient, because only the recipient, not the target, would know of the order before such disclosure. But this provision indicates that Congress did not expect that all § 215 orders would remain secret indefinitely..."

Download the U.S. Court of Appeals decision (Docket No. 14‐42‐cv, Adobe PDF). A copy is also available here.


6 Reasons Why Americans Refuse Privacy Protections From Government Surveillance

Pew Internet Research surveyed American Internet users and asked why some refuse to make any changes to their online behaviors for privacy and security after learning about extensive phone and online surveillance by the National Security Agency (NSA) and other agencies. There were six reasons or beliefs:

  1. It's too hard. 54 percent of users surveyed said that enabling privacy protections would be "Somewhat Difficult" or "Very difficult."
  2. Nothing to hide. They consider their phone and online activity as uninteresting and/or totally legal. So they view any privacy changes as unnecessary.
  3. Lack the time or expertise. They consider the privacy changes necessary as requiring time and skills they lack.
  4. Resistance is futile. Any changes they'd make wouldn't stop the monitoring.
  5. Want to remain below the radar. They view the act of making privacy changes as inviting scrutiny.
  6. Believe they are safer with the surveillance. They view the surveillance as necessary for their safety.