A recent Wired story about digital coordinates that track U.S. soldiers and spies to brothels and nuclear vaults in Germany might have attracted almost as many eyeballs as the record-shattering premiere of the Kardashians on Hulu. The Wired mashup of atom bombs and visits to an establishment called SexWorld certainly had a Strangelovian allure. As Dhruv Mehrotra and Dell Cameron reported, the more than 3 billion phone coordinates collected by one U.S. data broker alone follow U.S. military personnel as they go about their business – from home, to dropping off children at school, to intelligence and nuclear facilities, to, yes, illicit nocturnal activities. These journalists tracked hundreds of thousands of signals inside sensitive U.S. installations in Germany that are legally collected for digital advertising. One signal tracked an employee inside a secret, windowless National Security Agency building with a metal exterior called the Tin Can. Such tracking does more than risk hostile actions from adversary nations and terrorists. The problem with a big stream of personal data is that it is like a dandelion – it wants to go everywhere. Take China’s vast surveillance state that links facial recognition, comprehensive tracking of digital searches, communications, and location history. It was built to give the Chinese Communist Party unprecedented control of that nation’s populace – where people go, their contacts, their messages, their private beliefs. But even one of the most tyrannical regimes on earth cannot control its own surveillance. Another Wired exposé by Andrew Greenberg demonstrates that corrupt officials are selling big chunks of data on China’s citizens to black market operators and scammers as a “side hustle.” This is in keeping with the ethos of the shady world of online digital auctions. The Consumer Financial Protection Bureau recently took a step toward fleshing out a Biden administration executive order restricting foreign data sales.
While the Federal Trade Commission and the Consumer Financial Protection Bureau have commendably tried to place some restrictions on the sale of Americans’ data, the global and shadowy nature of the online data-auction market guarantees that these actions will enjoy limited success. Departing FBI Director Christopher Wray has warned it will be very difficult to keep the mass sale of Americans’ data to domestic and foreign data brokers from the hands of adversaries. Just as spies don’t walk around with CIA badges, so too buyers for China, Russia, Iran, and North Korea don’t advertise themselves as such. Many companies, Director Wray said, appear on the up-and-up but, through the use of ownership shell games, are in fact controlled by Chinese intelligence. The potential for blackmail and interference in NATO’s response to aggression virtually guarantees that there will be legislative action in Congress to end the tracking of service members and intelligence agents. As Congress begins to research such a bill, however, it should take stock of just how wide and dangerous the tracking threat is to all Americans. As Congress and the Pentagon look into safeguarding the digital data of Americans serving our nation abroad, they would do well to extend those protections to Americans at home by embracing the Fourth Amendment Is Not for Sale Act. Requiring probable cause warrants for the collection of Americans’ most personal information would be a good way to help further restrict the treasure trove of data – by telling the government not to collect that data in the first place.
The Eyes of Luigi Mangione and a McDonald’s Employee
Shortly after the vicious public murder of Brian Thompson, CEO of United Healthcare, Juliette Kayyem of The Atlantic wrote a perceptive piece about the tech-savviness of the gunman, who mostly succeeded in hiding his face behind a mask and a hood. “The killer is a master of the modern surveillance environment; he understands the camera,” Kayyem wrote.
“Thompson’s killer seems to accept technology as a given. Electronic surveillance didn’t deter him from committing murder in public, and he seems to have carefully considered how others might respond to his action.” At this writing, police in Pennsylvania are holding Ivy League grad Luigi Mangione as a “person of interest” in relation to the murder. Despite many media reports of incriminating details, Mangione is, of course, entitled to a presumption of innocence. But enough of the killer’s face had been shown in social media for a McDonald’s employee to call the police after seeming to recognize Mangione in those images. Whoever killed Thompson, he made a mistake – as Kayyem noted – in showing his smile while flirting with someone. This allowed a significant slice of his profile to be captured. But even when the killer was careful, his eyes and upper face were captured by a camera in a taxicab. The lesson seems to be that a professional criminal cannot fully evade what Kayyem calls a “surveillance state” made up of ubiquitous cameras. We applaud the use of this technology to track down stone-cold killers and other violent criminals. Another example: CCTV technology was put to good use in the UK in 2018 when Russian agents who tried to kill two Russian defectors with the nerve agent Novichok were identified on video. The defectors survived, but a woman who came across a perfume bottle containing the toxin sprayed it on her wrist and died. When the images of the Russian operatives surfaced, they claimed they were tourists who traveled to Salisbury, England, to see its medieval cathedral. These are, of course, excellent uses of cameras and facial recognition technology. Danger to a civil society arises when such technology is used routinely to track law-abiding civilians going about their daily tasks or engaged in peaceful protests, religious services, the practice of journalism, or some other form of ordinary business or free speech. 
This is why a search warrant should be required to access the saved product of such surveillance to ensure it is used for legitimate purposes – catching killers, for example – and not to spy on ordinary citizens. Far from showing that the urban networks of comprehensive surveillance are riddled with holes, recent events show that they are tighter than ever. That is a good thing, until it is not. Hence the need for safeguards, starting with the Fourth Amendment. As Americans become aware – and concerned – about how our most sensitive and private digital information is sold by data brokers, there are stirrings within the federal government to place at least some guardrails on the practice. In a unanimous, bipartisan vote last week by the commissioners of the Federal Trade Commission, that agency cracked down on two data brokers, Mobilewalla and Gravy Analytics/Venntel, for unlawfully tracking and selling sensitive data. FTC declared that this data “not only compromised consumers’ personal privacy, but exposed them to potential discrimination, physical violence, and other harms …” Such practices included matching consumers’ identities with location data from health clinics, religious organizations, labor union offices, LGBTQ+-related locations, political gatherings, and military installations. By conducting real-time bidding exchanges, these brokers combined data from these auctions with data from other sources, to identify users at these locations by their mobile advertising IDs. Just days before, the Consumer Financial Protection Bureau proposed a rule that would prevent data brokers from collecting and selling sensitive personal information such as phone numbers and Social Security numbers, as well as personal financial information outside of relevant contexts, like a mortgage application. 
CFPB’s action also seeks to prevent the sale of the information of Americans in the military or involved in national security to “scammers, stalkers, and spies.” We applaud these bold bipartisan moves by FTC and CFPB, but we must keep in mind that these are first steps. These actions will only marginally address the vast sea of personal information sold by data brokers to all sorts of organizations and governments, including our own. There is throughout our government a failure to fully appreciate just how intrusive the mass collection of personal data actually is. Consider the reaction of Republican FTC Commissioner Andrew Ferguson. While mostly voting with the majority, Ferguson dissented on the breadth of the majority’s take on sensitive categories. Ferguson sees no distinction between the exposure of one’s digital location history and what can be learned by a private detective following a target across public spaces, a practice that is perfectly legal. Ferguson reasoned that many people are an open book about their health conditions, religion, and sexual orientation. “While some of these characteristics often entail private facts, others are not usually considered private information,” Ferguson wrote. “Attending a political protest, for example, is a public act.” We beg to differ. “A private detective could find this out” is too weak a standard to apply to the wealth of digital data on the privacies of millions of people’s lives. Data is different. As the Supreme Court explained in Riley v. California, “a cell phone search would typically expose to the government far more than the most exhaustive search of [even] a house: A phone not only contains in digital form many sensitive records previously found in the home; it also contains a broad array of private information never found in a home in any form – unless the phone is.” That was true when it was written in 2014, and it is even more true today. 
Nowadays, artificial intelligence can analyze data and reveal patterns that no gumshoe could put together. In the case of a political protest, a high school student might attend, say, a trans rights event but be far from ready to let his parents or peers know about it. Or an adherent of one religion may attend services of an entirely different religion with conversion in mind but be far from willing to tell relatives. Worse, deeply personal information in the hands of prosecutors completely bypasses the letter and the intent of the Fourth Amendment, which requires the government to get a probable cause warrant before using our information against us. The government lacks appreciation of its own role in sweeping in the sensitive data of Americans. Venntel’s customers include the Department of Homeland Security, the Drug Enforcement Administration, the FBI, and the IRS. In all, about a dozen federal law enforcement and intelligence agencies purchase such data from many brokers and hold it for warrantless inspection. The FTC deserves credit for taking this step to tighten up the use of sensitive information. But the next step must be passage of the Fourth Amendment Is Not for Sale Act, which would require the government to obtain probable cause warrants before obtaining and using our most personal information against us. You are probably not old enough to remember the hit 1960s television series The Prisoner, in which Patrick McGoohan played a secret agent being held for interrogation in a dystopian resort on a nameless island. Whenever McGoohan’s character made it to the beach to find a small boat to row to freedom, the mysterious powers-that-be unleashed the Rover – a giant white balloon capable of blocking escapees, knocking them down, or even suffocating them. No idea, it seems, is too lurid for the Chinese Communist Party to render into reality in the service of its surveillance state. 
Pedestrians in China are now watching in amazement as the streets are patrolled by RT-G robots – essentially a metal ball surrounded by a tire – that subject people to facial recognition scans, possible arrest and worse. The U.S. military toyed with a prototype, but considered it for warfare, not for civilian use. The Sun tabloid calls them, without exaggeration, “all terrain, spherical robocops.” They are resistant to attack, even from a man wielding a baseball bat. The robots, produced by China’s Logon Technologies, are not passive observers. They are equipped with artificial intelligence that decides when and how to deploy net guns, tear gas sprayers, grenades, loudspeakers, and sound wave devices. The lethal potential of robots is not theoretical. In the United States, police routinely use robots and drones for surveillance to assess the danger of a situation. In one instance in 2018, a gunman in Dallas who was suspected of shooting five policemen and who exchanged gunfire with police was killed by a police robot. The Dallas robot was deployed to protect the police and nearby citizens. Moreover, it was fully under human control. When AI is combined with new inventions as it is with the RT-G bots, however, the decision to use force, even lethal force, is up to an algorithm. A lot of bad ideas are becoming reality in China. But don’t expect them to stay there.
Should you be reading this blog? If you’re at work, on a computer provided for you by your employer, is the content of this blog sufficiently work-related for you to justify to your employer the time you’ve spent reading it? Following your search history and the time you spend on particular websites during your working hours are just some of the most obvious ways employers track employees.
Now a research paper from Cracked Labs, a non-profit based in Austria, with help from other non-governmental organizations and an Oxford scholar, has mapped out dozens of technologies that allow companies to track employees’ movements and activities at the office. In “Tracking Indoor Location, Movement, and Desk Occupancy in the Workplace,” Cracked Labs demonstrates how vendors are selling technology that pairs wireless networking with Bluetooth technology to follow employees in their daily movements. The former can pinpoint the location of smartphones, laptops, and other devices employees use and often carry. Bluetooth beacons can link to badges, security cameras, and video conferencing systems to track employee behavior. Quoting marketing literature from Cisco, Cracked Labs writes: “Companies can get a ‘real time view of the behavior of employees, guests, customers and visitors’ and ‘profile’ them based on their indoor movements in order to ‘get a detailed picture of their behavior.’” Tracking 138 people with 11 Wi-Fi points, Cisco claims, generated several million location records. Not to be outdone, a European vendor, Spacewell, installs sensors in ceilings, next to doors, and even under desks to track “desk attendance.” Nicole Kobie of ITPro reports that one in five office workers are now being monitored by some kind of activity tracker. She also reports surveys showing that tracked employees are 73 percent more likely to distrust their employer, and twice as likely to be job hunting as those who are not tracked in their workplace.
Cracked Labs concludes: “Once deployed in the name of ‘good,’ whether for worker safety, energy efficiency, or just improved convenience, these technologies normalize far-reaching digital surveillance, which may quickly creep into other purposes.” It is not difficult to imagine that such surveillance could be used by a rogue manager for stalking, to find out who is gathering around the water cooler or kitchen, or to find something to embarrass an office rival. Even when these technologies are used for their stated purposes, we all lose something when privacy is degraded to this extent. Now, how was that for work-related content? PPSA today announces the filing of a Freedom of Information Act (FOIA) lawsuit against federal agencies that refused to respond to a series of FOIA requests we submitted in June. These requests seek documents concerning communications with Members of Congress and non-governmental organizations that would shed light on how the government acquires Americans’ private digital information. PPSA’s FOIA requests were sent to the gamut of federal intelligence and law enforcement agencies. They included the Department of Justice and the FBI, the Department of Homeland Security, the CIA, the Defense Intelligence Agency, the National Security Agency, and the Office of the Director of National Intelligence. PPSA asked for records of communications regarding data purchases and legislation, such as the Fourth Amendment Is Not for Sale Act, that would rein in this warrantless surveillance. Under the Freedom of Information Act, the agencies are bound to perform a search and respond back. Instead:
In every instance, the agencies failed to conduct a search reasonably likely to locate responsive records and to release any of them. These agencies – tasked with upholding the law – are violating the law by ignoring their statutory obligations under the Freedom of Information Act. That is why PPSA is now suing these agencies. This time, they will have to respond – at least in court. We will alert you to any developments.
PPSA Sues After Justice Department Stonewalls and FBI Responds to FOIA with a “Scavenger Hunt”
12/3/2024
Administrative subpoenas are the backstage pass for federal agents seeking to warrantlessly surveil millions of Americans. PPSA filed a FOIA lawsuit on Tuesday against the Department of Justice to bring this practice to light. Thanks to the investigative efforts of Sen. Ron Wyden (D-OR), we have had a glimpse into the murky practice of using what is really an administrative order (given the deference of courts to such “subpoenas”) to collect bulk data. Sen. Wyden revealed that the Homeland Security Investigations unit of the Homeland Security Department fired off administrative subpoenas to acquire millions of financial records from wire-money transfers. In this way, the government got its hands on millions of financial records, complete with personal information, that included money transfers between Arizona, California, New Mexico, Texas, and Mexico. But a multitude of other agencies also issue administrative subpoenas – and there is no telling what they are collecting. “It is likely that in most cases, they are seeking bulk data of millions of innocent Americans to sift through, rather than targeted data against an individual based on probable cause,” said Gene Schaerr, PPSA general counsel. “It is hard to think of a more direct violation of the Fourth Amendment.” PPSA submitted a FOIA request in June 2023, asking the Justice Department and its units for records on whether probable cause standards were applied to administrative subpoenas. How many administrative subpoenas were issued without probable cause? How many were rejected for lacking probable cause? Perhaps most importantly: How many administrative subpoenas were not directed at a particular identifiable investigation or target? In the year-and-a-half since the filing of our FOIA request, the Justice Department and its constituent parts have failed to respond “promptly” – or at all – to PPSA’s query, as the law requires. The FBI did direct PPSA to its Vault website. 
But the FBI did not state that the Vault contained all responsive records, and did not identify under what categories in this voluminous online chamber of documents the requested records could be found. The FBI and the Executive Office for the United States Attorneys were only a little more responsive than Justice’s Office of Information Policy, the Criminal and Civil divisions of the Justice Department, and the Bureau of Alcohol, Tobacco, Firearms and Explosives – which did not respond in a substantive way at all. “Courts have held that the Freedom of Information Act does not permit agencies to send requesters on a ‘scavenger hunt,’” Schaerr said. “Yet that is what the FBI is doing. Most of the other Justice Department agencies are completely unresponsive. That is why we are filing suit in the U.S. District Court in Washington, D.C., to ask a federal judge to end this lawlessness.” PPSA will report significant developments in our case as they occur.
Expansive Spy Law Even Targets Churches
Breitbart recently broke a story that a few recalcitrant House Members are holding up a promised fix to what many referred to as the “Make Everyone a Spy” law. The fix regards an amendment to the reauthorization of FISA Section 702, passed in April, in which pro-surveillance advocates added a requirement that U.S. business owners who offer customers the use of their Wi-Fi and routing equipment be covered as “electronic communication service providers” under the law. This means that any business – your neighborhood fitness center, an office complex that houses journalists, political campaigns, or even a church or other house of worship, as well as a host of other establishments – would face the same requirement as large telecoms to turn over the communications of their customers, no warrant required. This was not meant to happen.
As the Senate voted in April to reauthorize FISA Section 702, bipartisan furor erupted over this provision, including leading conservatives in both chambers. Sen. Mark Warner (D-VA), Chairman of the Senate Intelligence Committee, promised his colleagues that the amendment that included this expansive authority would be narrowed to include only one category of business. That category is classified but is widely believed to be data centers that provide cloud computing and storage. With this promise in hand, the Senate voted down an amendment to remove the flawed provision, and immediately passed the reauthorization of Section 702 – all in the belief that the expansive new spy power would soon be curbed. Sen. Warner was true to his word, inserting language into the Senate intelligence bill that narrows the scope of the new measure. Now, in a baffling turn of events, it is the House that is refusing to include the fix in its version of the intelligence bill. Why are some House Members insisting on keeping an authority that allows spying on churchgoers, shoppers, and office workers? Bob Goodlatte, the former chairman of the House Judiciary Committee and PPSA senior policy advisor, told Breitbart News: “This measure passed because of assurances that this insanely broad authority would be narrowed. The promise of a fix was made and accepted in good faith, but that promise is being trashed by advocates for greater surveillance of our citizens. Unless Congress reverses course, Americans’ data that runs through the Wi-Fi and servers of millions of small businesses, ranging from fitness centers to department stores, small office complexes, as well as churches and other houses of worship, will be fair game for warrantless review. This would truly transform our country into a thorough surveillance state. 
I can’t imagine the next Congress and new Administration would welcome that.” Surely, giving the deep state free rein to spy on Americans is not in keeping with the philosophy of the incoming Trump administration, the new Republican majority in Congress, or most Democrats. Contact your House Member and say: “Please don’t let this legislative year end without narrowing the Electronic Communication Service Provider standard. Congress must keep its promise to fix the Make Everyone a Spy Law.”
Investigative journalist Ronan Farrow delves into the Pandora’s box that is Israel’s NSO Group, a company (now on a U.S. Commerce Department blacklist) that unleashes technologies that allow regimes and cartels to transform any smartphone into a comprehensive spying device. One NSO brainchild is Pegasus, the software that reports every email, text, and search performed on smartphones, while turning their cameras and microphones into 24-hour surveillance devices. It’s enough to give Orwell’s Big Brother feelings of inadequacy. Farrow covers well-trodden stories he has long followed in The New Yorker, also reported by many U.S. and British journalists, and well explored in this blog. Farrow recounts the litany of crimes in which Pegasus and NSO are implicated. These include Saudi Arabia’s murder of Jamal Khashoggi, the murder of Mexican journalists by the cartels, and the surveillance of pro-independence politicians in Catalonia and their extended families by Spanish intelligence. In the latter case, Farrow turns to Toronto-based Citizen Lab to confirm that one Catalonian politician’s sister and parents were comprehensively surveilled. The parents were physicians, so Spanish intelligence also swept up the confidential information of their patients. While the reality portrayed by Surveilled is a familiar one to readers of this blog, it drives home the horror of NSO technology as only a documentary with high production values can do.
Still, this documentary could have been better. The show is marred by too many reaction shots of Farrow, who frequently mugs for the camera. It also left unasked follow-up questions of Rep. Jim Himes (D-CT), Ranking Member of the House Intelligence Committee. In his sit-down with Farrow, Himes made the case that U.S. agencies need to have copies of Pegasus and similar technologies, if only to understand the capabilities of bad actors like Russia and North Korea. Fair point. But Rep. Himes seems oblivious to the dangers of such a comprehensive spyware in domestic surveillance. Rep. Himes says he is not aware of Pegasus being used domestically. It was deployed by Rwandan spies to surveil the phone of U.S. resident Carine Kanimba in her meetings with the U.S. State Department. Kanimba was looking for ways to liberate her father, settled in San Antonio, who was lured onto a plane while abroad and kidnapped by Rwandan authorities. Rep. Himes says he would want the FBI to have Pegasus at its fingertips in case one of his own daughters were kidnapped. Even civil libertarians agree there should be exceptions for such “exigent” and emergency circumstances in which even a warrant requirement should not slow down investigators. The FBI can already track cellphones and the movements of their owners. If the FBI were to deploy Pegasus, however, it would give the bureau redundant and immense power to video record Americans in their private moments, as well as to record audio of their conversations. Rep. Himes is unfazed. When Farrow asks how Pegasus should be used domestically, Rep. Himes replies that we should “do the hard work of assessing that law enforcement uses it consistent with our civil liberties.” He also spoke of “guardrails” that might be needed for such technology. Such a guardrail, however, already exists. It is called the Fourth Amendment of the Constitution, which mandates the use of probable cause warrants before the government can surveil the American people. 
But even with probable cause, Pegasus is too robust a spy tool to trust the FBI to use domestically. The whole NSO-Pegasus saga is just one part of a much bigger story in which privacy has been eroded. Federal agencies, ranging from the FBI to IRS and Homeland Security, purchase the most intimate and personal digital data of Americans from third-party data brokers, and review it without warrants. Congress is even poised to renege on a deal to narrow the definition of an “electronic communications service provider,” obligating any office complex, fitness facility, or house of worship that offers Wi-Fi connections to secretly turn over Americans’ communications without a warrant. The sad reality is that Surveilled only touches on one of many crises in the destruction of Americans’ privacy. Perhaps HBO should consider making this a series. They would never run out of material.
Catastrophic ‘Salt Typhoon’ Hack Shows Why a Backdoor to Encryption Would be a Gift to China
11/25/2024
Former Sen. Patrick Leahy’s Prescient Warning
It is widely reported that the breach of U.S. telecom systems allowed China’s Salt Typhoon group of hackers to listen in on the conversations of senior national security officials and political figures, including Donald Trump and J.D. Vance during the recent presidential campaign. In fact, they may still be spying on senior U.S. officials. Sen. Mark Warner (D-VA), Chairman of the Senate Intelligence Committee, on Thursday said that China’s hack was “the worst telecom hack in our nation’s history – by far.” Warner, himself a former telecom executive, said that the hack across the systems of multiple internet service providers is ongoing, and that the “barn door is still wide open, or mostly open.” The only surprise, really, is that this was a surprise. When our government creates a pathway to spy on American citizens, that same pathway is sure to be exploited by foreign spies. The FBI believes the hackers entered the system that enables court-ordered taps on voice calls and texts of Americans suspected of a crime. These systems are put in place by internet service providers like AT&T, Verizon, and other telecoms to allow the government to search for evidence, a practice authorized by the 1994 Communications Assistance for Law Enforcement Act. Thus the system of domestic surveillance used by the FBI and law enforcement has been reverse-engineered by Chinese intelligence to turn that system back on our government. This point is brought home by FBI documents PPSA obtained from a Freedom of Information Act request that reveal a prescient question put to FBI Director Christopher Wray by then-Sen. Patrick Leahy in 2018. The Vermont Democrat, now retired, anticipated the recent catastrophic breach of U.S. telecom systems. In his question to Director Wray, Sen. Leahy asked: “The FBI is reportedly renewing a push for legal authority to force decryption tools into smartphones and other devices.
I am concerned this sort of ‘exceptional access’ system would introduce inherent vulnerabilities and weaken security for everyone …” The New York Times reports that according to the FBI, the Salt Typhoon hack resulted from China’s theft of passwords used by law enforcement to enact court-ordered surveillance. But Sen. Leahy correctly identified the danger of creating such domestic surveillance systems and the next possible cause of an even more catastrophic breach. He argued that a backdoor to encrypted services would provide a point of entry that could eventually be used by foreign intelligence. The imperviousness of encryption was confirmed by authorities who believe that China was not able to listen in on conversations over WhatsApp and Signal, which encrypt consumers’ communications. While China’s hackers could intercept text messages between iPhones and Android phones, they could not intercept messages sent between iPhones over Apple’s iMessage system, which is also encrypted. Leahy asked another prescient question: “If we require U.S. technology companies to build ‘backdoors’ into their products, then what do you expect Apple to do when the Chinese government demands that Apple help unlock the iPhone of a peaceful political or religious dissident in China?” Sen. Leahy was right: Encryption works to keep people here and abroad safe from tyrants. We should heed his warning – carving a backdoor into encrypted communications creates a doorway anyone might walk through.
President-Elect Trump: Please Consider Catherine Herridge’s Offer of a Sit-Down on the PRESS Act
11/23/2024
Award-winning journalist Catherine Herridge, who is being pressed by a federal judge to reveal her source for an investigative journalism series, has a lot on her plate.
She is walking the marbled halls of the U.S. Senate advocating passage of a bill, the PRESS Act, that would protect journalists and their sources. She is doing this while also facing the possibility of an $800 a day fine and jail time for not revealing the source behind her series of stories for Fox News in 2017. Now Herridge is asking President-elect Trump to hear her out on why Senate passage of the PRESS Act is so important to independent, non-mainstream journalists who were so prominent in the last election. This new, rising sector of independent journalists, lacking the deep pockets of a newspaper or a network, are particularly vulnerable to government harassment. They are perhaps the most in need of a limited right to refuse demands from government prosecutors to reveal their sources. Here’s what Herridge told NewsNation: A public report from the secret Foreign Intelligence Surveillance Court (FISC) gives the intelligence community a mixed review, noting progress in meeting its own internal quality standards while revealing violations and abuses as well. The court reviewed compliance by the FBI, NSA, and CIA with “minimization” and “querying” procedures under Section 702 of the Foreign Intelligence Surveillance Act (FISA), which authorizes spying on foreign targets located on foreign soil. In plain English, minimization means restricting access to the private data or communications of Americans that are caught up in the NSA’s global trawl, which frequently collects non-pertinent conversations that lack intelligence or evidentiary value. Querying standards direct agents to use precise search terms in an effort to avoid capturing Americans’ communications. Throughout, the government purports to earnestly verify the “foreign-ness” of a target.
Given that the court previously revealed that past queries violated the privacy of a U.S. Senator, a U.S. House Member, 19,000 donors to a federal candidate, a state senator, and a state judge, even small numbers could be hiding a lot. However tight the querying standard, warrantless searches can also still be used by the FBI to develop evidence for purely domestic cases, a source that might not be disclosed in open court.
As one moves through this report into NSA and CIA activities, the redactions often fill half a page.
In sum, the FISC report signed by federal judge Anthony J. Trenga gives us a glimpse of a federal intelligence bureaucracy struggling to comply with the law and its own standards, while still suffering from lapses too serious to paper over. An extreme measure that would give future U.S. Treasury Secretaries unprecedented authority to shut down non-profit, advocacy organizations remains a live option in Congress. The “Stop Terror-Financing and Tax Penalties on American Hostages Act,” HR 9495, failed to pass the House last week. But it maintains momentum due to a little sweetener that is widely popular – a commendable side measure to offer tax relief to Americans held hostage in foreign countries. The main part of the bill would grant future U.S. Treasury Secretaries power to use secret surveillance to declare a tax-exempt, non-profit advocacy organization a supporter of foreign terrorism, and shut it down. This provision, in essence, does one thing – it removes due process from existing law that allows the government to crack down on supporters of terrorist organizations. CRS reports that the IRS is already empowered to revoke the tax-exempt status of charitable organizations that provide material support to terrorist organizations, a power it has used. But current law also requires IRS to conduct a painstaking examination of the charge before issuing a revocation. It gives groups the ability to answer charges and to appeal decisions. But the “Stop Terror-Financing” bill would give targeted organizations a 90-day window to challenge the designation, while giving them no access to the underlying evidence behind the determination. An organization could challenge the designation in court but might not be able to access the charges against it due to the state secrets doctrine. In the meantime, being designated a terrorist-affiliate would be a death penalty for any organization and its ability to attract donors. 
“The entire process is run at the sole discretion of the Secretary of the Treasury,” Kia Hamadanchy of the American Civil Liberties Union told the media. “So you could have your nonprofit status revoked before you ever have a chance to have a hearing.” The latest attempt to pass this measure failed to reach a two-thirds majority needed to pass, with 144 Democrats and one Republican voting against it. Democrats were buoyed by a Who’s Who of liberal organizations, ranging from the ACLU to Planned Parenthood and the Brennan Center for Justice, that denounced the bill. Not surprisingly, pro-Palestinian groups were united in opposition as well. But Republicans and conservatives would be well advised to consider the principled opposition to the bill by Rep. Thomas Massie (R-Ky). He surely appreciates that this power, once created, could be used by future administrations against nonprofits of all sorts. Could a conservative organization be targeted as a supporter of terrorism for advocating, for example, a settlement with Russia (certainly a state sponsor of terror) in its war against Ukraine? Conservative principles and an adherence to the Constitution should begin with the notion that the government should not have the unilateral right to shut down the speech of advocacy organizations on the basis of secret evidence from surveillance, even if you despise what they advocate. Conservatives would also be well-advised to consider not how this law would be used in the near future, but by future administrations. Have they forgotten Lois Lerner and the attempt to use tax law to shut down conservative advocacy groups? “We don’t need to worry about alien terrorists,” Lerner wrote in an email justifying her actions against right-leaning organizations. “It’s our own crazies that will take us down.” Conservatives should be wary. This bill creates a weapon that can be aimed in any direction. 
The nomination of Tulsi Gabbard to serve as Director of National Intelligence promises to be contentious. One thing cannot be disputed: The former Congresswoman from Hawaii and lieutenant-colonel in the U.S. Army Reserve, with experience in Iraq and other dangerous countries, would bring a combination of responsible handling of secrets along with a solid record of surveillance reform. Gabbard voted for the USA RIGHTS Act and other measures that would require warrants for the government to access Americans’ data and to protect personal use of encrypted apps. Rep. Gabbard also filed an amendment to the National Defense Authorization Act in 2019 to prohibit government purchases of body cameras equipped with facial recognition and other biometric devices. In these and many other ways, Gabbard has compiled the record of a surveillance-reform leader. While in Congress, Gabbard served on the Homeland Security, Armed Services, and Foreign Relations Committees. A former Vice-Chair of the DNC, Gabbard made a long journey from being a staunch Democrat to supporting Donald Trump’s presidential campaign. As a private citizen, Gabbard is arguably a victim of surveillance abuse herself. Her record on surveillance reform is enough to send shivers down the backs of officials in the FBI and other intelligence organizations long used to warrantless access to Americans’ personal information. Not surprisingly, Gabbard is now being attacked in a whisper campaign by nameless sources for being a flake who has taken pro-Russian and pro-Syria positions. Gabbard is articulate in responding to these charges, portraying herself as a foreign-policy realist. We hope the Senate will keep an open mind and listen to Tulsi Gabbard’s defense. Above all, we hope the Senate will consider the need to bring balance back to the intelligence community, which often helps itself to the purchased personal data of American citizens without bothering to seek a warrant. 
As a candidate, Donald Trump promised to reform FISA. Appointing Tulsi Gabbard to lead the intelligence community shows he’s serious about that. The next Director of National Intelligence should be someone who can restore a balance between the need to respect the constitutional rights of Americans and the need to keep America safe. A suspicious husband or wife can now examine the route history of a family car or the location data of a smartphone to track a spouse’s movements. We tend to think of location history surveillance as a uniquely 21st century form of snooping. In an amusing article in the MIT Press Reader, Dartmouth scholar Jacqueline D. Wernimont writes that such surveillance is older than we think. For example, The Hartford Daily Courant in 1879 reported: “A Boston wife softly attached a pedometer to her husband when, after supper, he started to ‘go down to the office and balance the books.’ On his return, fifteen miles of walking were recorded. He had been stepping around a billiard table all evening.” In a twist worthy of today’s spy agencies, Wernimont also reports that a U.S. admiral in 1895 gave junior watch officers common pocket watches with pedometers hidden inside. The results showed that the ensigns had been asleep or resting most of the night. A night watchman at a railroad yard was given a pedometer to track his movements. It was later discovered that the night watchman evaded his responsibilities by sleeping while the pedometer was attached to a moving piston rod. The use of pedometers was an early precursor of surveillance tools used today by employers to track the movements, browsing, communications, and daily routines of their workers. Wernimont writes: “As the pedometer became a vector for surveillance by those in power, people who were able quickly developed hacks designed to frustrate such efforts.” The problem with modern technology is that it is much harder to thwart, or even anticipate when and how one is being watched. 
No piston rod will save us. The election may have shaken Washington, D.C., like a snow globe in the grip of a paint mixer, but the current Congress still has important business for the lame duck session. For anyone who cares about privacy in this age of surveillance, issue one has to be whether or not Congress will retain the promised fix to what so many call the “make everyone a spy” provision in the National Defense Authorization Act (NDAA). This story goes back to April, when the House Permanent Select Committee on Intelligence slipped into the reauthorization of FISA Section 702 (which authorizes foreign intelligence) a measure to allow the government to secretly enlist almost every kind of U.S. business to spy on their customers. In response to the outcry, carveouts were made that exempted coffee shops, hotels, and a few other business categories. But most businesses – ranging from gyms to dentists’ offices, to commercial landlords with tenants that could include political campaigns or journalists – are required to turn over their customers’ communications that run on ordinary Wi-Fi systems. It is widely believed that this legislation was aimed at cloud computing facilities, which were not previously covered by the relevant law. When the Senate took up reauthorization of Section 702, Intelligence Committee Chairman Mark Warner (D-VA) admitted to his colleagues that the new measure was overbroad, and that he would craft new legislation to fix it. Sen. Warner kept his word and crafted legislation to narrow the provision. Although the nature of this fix is classified, it is widely believed to limit this new surveillance power to cloud computing facilities. The House Intelligence Committee, however, did not adopt that fix. We hear that behind-the-scenes negotiations are taking place, but we cannot report exactly who might be blocking it or why. Suffice it to say that it is far from clear that Congress will ultimately adopt Sen. Warner’s fix. 
PPSA calls on Speaker Mike Johnson and Senate Minority Leader Mitch McConnell to make it clear that the NDAA will include a provision to narrow the scope of this extreme provision. We must not give the FBI and other government agencies warrantless access to practically all communications that run through any kind of equipment operated by almost any kind of business. Allowing the current law to remain unfixed and unreformed would be a terrible punch in the gut to the American people and the new Congress. The 119th Congress has many surveillance debates scheduled, including one over the reauthorization of Section 702 itself in 2026 – which passed the House with the breaking of a tie vote. It would be a mistake to saddle the new Republican majority and the incoming Trump administration with a broken promise. Sen. Rick Scott – former two-term governor of Florida, now re-elected to the Senate by more than 10 points over his most recent challenger – has consistently voted for surveillance reform. Sen. Scott has been a vocal champion of reforming FISA Section 702 – enacted by Congress to authorize surveillance of foreign threats on foreign soil, but often used to collect the communications of Americans. Sen. Scott called FBI Director Christopher Wray on the carpet to tell him that he’s squandering the credibility of a great agency by playing games with Americans’ privacy. Rick Scott has also been a strong supporter of a probable cause warrant requirement before the FBI and other intelligence agencies can review Americans’ personal data and communications. Such principled stands on surveillance reform explain why we gave the Florida senator an “A” rating in our PPSA Scorecard. From Tallahassee to Capitol Hill, Sen. Scott has made winning tough races look easy. We encourage more Members of Congress in both parties to recognize what Sen. Scott demonstrates, that surveillance reform is good politics. 
The incoming Trump administration has an unparalleled opportunity to achieve historic surveillance reform. Donald Trump made campaign pledges to:
The Trump agenda on surveillance reform presages monumental and much needed reforms, from Section 702 reform to passage of the Fourth Amendment Is Not For Sale Act by both houses of Congress. The stars are aligning with the incoming administration. The 119th Congress must make the most of this historic opportunity. When police send Emergency Data Requests (EDRs) to communications companies like Verizon or Google, they attest that a victim is in danger of serious bodily harm or death unless certain private information about a suspect can be produced. An EDR blows the doors off of any requirement to attach a subpoena or court order with a judge’s signature to honor the requests. Companies usually produce the digital information of the targeted suspect with alacrity. Now the FBI is warning that hackers are worming their way into law enforcement cyber-systems in the United States and around the world, using stolen police credentials to send fake EDRs to steal the private information of innocent people. The potential exists for cybercriminals to issue fake freeze orders on people’s financial accounts, and then follow up with a seizure of assets, diverting funds to a fake custodial wallet that appears to be government-owned. For $1,000 to $3,000, a cybercriminal named Pwnstar will sell buyers police credentials for EDRs in 25 countries, including the United States. “This is social engineering at its highest level and there will be failed attempts at times,” Pwnstar assures his customers on the dark web. He presents himself as a fair businessman, offering to give refunds in the minority of attempts that fail. Krebs on Security reports that Kodex, a company founded by a former FBI agent to identify fake EDRs, found that of 1,597 EDRs it has processed, 485 failed a second-level verification. This status quo puts communications companies in a bind. 
Krebs writes that “the receiving company finds itself caught between unsavory outcomes: Failing to immediately comply with an EDR – and potentially having someone’s blood on their hands – or possibly leaking a customer record to the wrong person.” What can be done? First, all law enforcement agencies in the United States need to tighten up their digital hygiene to the highest professional levels. An FBI factsheet offers a detailed list of specific security steps police should take, ranging from evaluating the reliability of vendors, to being on the lookout for images that appear doctored or pasted, to strong password protocols, to phishing-resistant multifactor authentication for all services. Finally, the FBI recommends that local law enforcement agencies establish and maintain strong liaison relationships with their local FBI field office. The FBI says it is ready to identify departments’ vulnerabilities and help them mitigate threats. If you do not change direction, an ancient Chinese philosopher wrote, you might wind up where you were heading. Where we are heading is a U.S. House of Representatives that is charged by the Constitution with oversight of the executive branch intelligence community (IC), but in fact is a supervisor being overseen by the supervised. Since 2020, PPSA has used every legal avenue from Freedom of Information Act requests to lawsuits to press the IC – the Department of Justice, the FBI, the Office of the Director of National Intelligence, the National Security Agency, and the Department of State – to provide records concerning the possible surveillance of 48 Members of Congress on committees of jurisdiction that oversee the intelligence community. We’ve reported on court revelations of warrantless intrusion into the personal communications or data of Rep. Darin LaHood (R-Ill), an unnamed U.S. senator, a state senator, and a state judge. When faced with queries and exposure, the government resorts to obfuscation and delaying tactics. 
Even when it is Congress that is doing the overseeing, attempts to understand intelligence operations often amount to howling in the wind. Agencies sometimes don’t answer congressional queries with substantive responses, if they even bother to reply at all. The House of Representatives can address this upside-down oversight scheme with one simple stroke. The House Rules Committee will soon craft the new rules by which that body will deliberate during the 119th Congress. We call on the Rules Committee to adopt a new rule to allow every House Member to choose one staffer to be eligible for a Top Secret/Sensitive Compartmented Information (TS/SCI) security clearance. Oversight falters because only a few Members have staffers with such clearances. Members without cleared staff are unable to ignore their other duties to spend long hours in a secure compartment leafing through hundreds of pages of classified reports. Without making cleared congressional aides eligible for TS/SCI clearances, most Members – even those serving on oversight committees like the House Judiciary Committee – will continue to lack a basic understanding of current intelligence agency practices. Worse, among the staffers who are cleared, some are “detailees” from the very agencies they are helping their Members to oversee. Defenders of the status quo will argue that expanding clearances in the House is a prohibitively dangerous idea. That assertion is laughable. The intelligence community itself extends an estimated 1.2 million top-secret security clearances to federal government employees and consultants. A few hundred more clearances for aides vetted by the FBI and serving Members accountable to the public would be a tiny addition to the current army of Americans with TS/SCI clearance. The Senate shows the House it doesn’t have to accept being supervised by the IC. 
In 2021, Senate Majority Leader Chuck Schumer took the bold step of allowing one top secret/sensitive clearance to be available for one personal aide per senator. The House can do the same. All that is needed to enhance House oversight is to make wider access to clearances part of the House Rules package for the 119th Congress that begins in January. Go here to call or email and tell your U.S. House Representative – “Please support a new House rule that allows every House Member to have one staffer eligible for TS/SCI security clearance.” The FBI investigation now underway must answer two questions about the racist text messages sent last week to the cellphones of African-Americans in at least 13 states. The first question, of course, is who is behind this? Was it a state actor – possibly Russia – seeking to drive distrust between Americans? Or was it the proverbial guy in his mom’s basement? The answer to the first question will guide us to a second important question. Given that the attack used the services of TextNow, a company that helps anonymous users to send texts from a randomly generated phone number, is this attack something that anyone (like the guy in his basement) could do? Or did these texts require sophisticated knowledge backed by serious financial and technical resources to pull off? Somehow, this attack precisely targeted African-Americans. Many of the texts landed in the phones of students at historically Black colleges and universities. Did the attackers identify people from personal data purchased by third-party data brokers? Which company did the trolls purchase this data from? How elaborate were the digital profiles of the victims assembled from purchased data? Did these profiles include their financial status, sexual lives, health issues, and private business concerns? Congress and the American public must know the answers to these questions. 
This attack on the well-being and sense of personal safety of Americans must be understood and countered. But this text assault should also be taken as a warning of just how insecure our data is, and how refined future attacks might be. Could a hostile state, in the middle of a crisis, send an official-sounding alert to key military and government personnel that their house is on fire? Answering these questions will clarify how hostile governments, trolls, and even our own government might misuse our data.

The masterful 2006 German film, The Lives of Others, follows the impact of the East German Stasi’s secret surveillance of a playwright and his actress girlfriend. At one point, the playwright declares: “The state office for statistics on Hans-Beimler street counts everything; knows everything: how many pairs of shoes I buy a year: 2.3, how many books I read a year: 3.2 and how many students graduate with perfect marks: 6,347. But there's one statistic that isn't collected there, perhaps because such numbers cause even paper-pushers pain: and that is the suicide rate.” From Fyodor Dostoevsky to George Orwell, Aleksandr Solzhenitsyn, Ray Bradbury, Margaret Atwood, and The Lives of Others director and screenwriter Florian Henckel, great writers have portrayed the heroic (and sometimes not) struggles of ordinary people against total surveillance. Now the dehumanizing impact of surveillance is on display in the visual arts in a year-long new exhibition at the Wende Museum in Culver City. One piece is from German artist Verena Kyselka’s 2007 “Pigs Like Pigments,” which incorporates printouts of Stasi files overlaid in red with personal details about the artist’s uneventful daily life under the regime. 
Mixed-media prints by Sadie Barnette add floral decorations to the 500-page file the FBI kept on her father in a work entitled “Mug Shot.” Another display is of “smelling jars” in which the Stasi, after breaking into homes and stealing small items of clothing, kept the scents of their surveillance victims in case the state needed to pursue them with dogs. A Wende Museum blog says: “The exhibition feels particularly important today, in a time of hyper-surveillance, from programmatic digital ads that follow our every move online, to voice detection in our phones that feed us more ads, to geo-location devices in our cars, to CCTV cameras on our sidewalks, to dark web sites that sell our personal information, to hackers breaching another database compromising our passwords and leading to possible identity theft, to Artificial Intelligence technology that can mimic our voices and plant our faces on someone else’s body.” This exhibition, which mixes archival artifacts and surveillance devices with contemporary artworks, will be at the Wende Museum for one year. The Wende Museum also offers online a digital book on the Counter/Surveillance exhibit, the artists, and the human costs of a surveillance state.

Vice presidential candidate J.D. Vance (R-OH) told Joe Rogan over the weekend that backdoor access to U.S. telecoms likely allowed the Chinese to hack American broadband networks, compromising the data and privacy of millions of Americans and businesses. “The way that they hacked into our phones is they used the backdoor telecom infrastructure that had been developed in the wake of the Patriot Act,” Sen. Vance told Rogan on his podcast last weekend. That law gave U.S. law enforcement and intelligence agencies access to the data and operations of telecoms that manage the backbone of the internet. 
Chris Jaikaran, a specialist in cybersecurity policy, added in a recently released Congressional Research Service report about a cyberattack from a group known as Salt Typhoon: “Public reporting suggests that the hackers may have targeted the systems used to provide court-approved access to communication systems used for investigations by law enforcement and intelligence agencies. PRC actors may have sought access to these systems and companies to gain access to presidential candidate communications. With that access, they could potentially retrieve unencrypted communication (e.g., voice calls and text messages).” Thus, the Chinese were able to use algorithms developed for U.S. law enforcement and intelligence agencies to see to any U.S. national security order and presumably any government extraction of the intercepted communications of Americans and foreign targets under FISA Section 702. China doesn’t need a double agent in the style of Kim Philby. Our own Patriot Act mandates that we make it easier for hostile regimes to find the keys to all of our digital kingdoms – including the private conversations of Vice President Kamala Harris and former President Donald Trump. As alarming as that is, it is hard to fully appreciate the dangers of such a penetration. The Chinese have chosen not to use their presence deep in U.S. systems to “go kinetic” by sabotaging our electrical grid and other primary systems. The possible consequences of such deep hacking are highlighted in a joint U.S.-Israel advisory that details the actions against Israel that were enabled when an Iranian group, ASA, wormed its way into foreign hosting providers. ASA hackers allowed the manipulation of a dynamic, digital display in Paris for the 2024 Summer Olympics to denounce Israel and the participation of Israeli athletes on the eve of the Games. ASA infiltrated surveillance cameras in Israel and Gaza, searching for weak spots in Israeli defenses. 
Worst of all, the hack enabled Hamas to contact the families of Israeli hostages in order to “cause additional psychological effects and inflict further trauma.” The lesson is that when our own government orders companies to develop backdoors into Americans’ communications, those doors can be swung open by malevolent state actors as well. Sen. Vance’s comments indicate that there is a growing awareness of the dangers of government surveillance – an insight that we hope increases Congressional support for surveillance reform when FISA Section 702 comes up for renewal in 2026.

Why Signal Refuses to Give Government Backdoor Access to Americans’ Encrypted Communications
11/4/2024
Signal is an instant messenger app operated by a non-profit to enable private conversations between users protected by end-to-end encryption. Governments hate that. From Australia, to Canada, to the EU, to the United States, democratic governments are exerting ever-greater pressure on companies like Telegram and Signal to give them backdoor entry into the private communications of their users. So far, these instant messaging companies don’t have access to users’ messages, chat lists, groups, contacts, stickers, profile names or avatars. If served with a probable cause warrant, these tech companies couldn’t respond if they wanted to. The Department of Justice under both Republican and Democratic administrations continues to press for backdoors to breach the privacy of these communications, citing the threat of terrorism and human trafficking as the reason. What could be wrong with that? In 2020, Martin Kaste of NPR told listeners that “as most computer scientists will tell you, when you build a secret way into an encrypted system for the good guys, it ends up getting hacked by the bad guys.” Kaste’s statement turned out to be prescient. AT&T, Verizon and other communications carriers complied with U.S. government requests and placed backdoors on their services. As a result, a Chinese hacking group with the moniker Salt Typhoon found a way to exploit these points of entry into America’s broadband networks. In September, U.S. intelligence revealed that China gained access through these backdoors to enact surveillance on American internet traffic and data of millions of Americans and U.S. businesses of all sizes. The consequences of this attack are still being evaluated, but they are already regarded as among the most catastrophic breaches in U.S. history. There are more than just purely practical reasons for supporting encryption. 
Meredith Whittaker, president of Signal, delves into the deeper philosophical issues of what society would be like if there were no private communications at all in a talk with Robert Safian, former editor-in-chief of Fast Company. “For hundreds of thousands of years of human history, the norm for communicating with each other, with the people we loved, with the people we dealt with, with our world, was privacy,” Whittaker told Safian in a podcast. “We walk down the street, we’re having a conversation. We don’t assume that’s going into some database owned by a company in Mountain View.” Today, moreover, the company in Mountain View transfers the data to a data broker, who then sells it – including your search history, communications and other private information – to about a dozen federal agencies that can hold and access your information without a warrant. When it comes to our expectations of privacy, we are like the proverbial frogs being boiled by degrees. Whittaker says that this is a “trend that really has crept up in the last 20, 30 years without, I believe, clear social consent that a handful of private companies somehow have access to more intimate data and dossiers about all of us than has ever existed in human history.” Whittaker says that Signal is “rebuilding the stack to show” that the internet doesn’t have to operate this way. She concludes we don’t have to “demonize private activity while valorizing centralized surveillance in a way that’s often not critical.” We’re glad that a few stalwart tech companies, from Apple and its iPhone to Signal, refuse to cave on encryption. And we hope there are more, not fewer, such companies in the near future that refuse to expose their customers to hackers and government snooping. 
“We don’t want to be a single pine tree in the desert,” Whittaker says, adding she wants to “rewild that desert so a lot of pine trees can grow.”

Ever have the uncanny feeling that as soon as you voice an interest in a consumer item – a vacation destination, a tie or a scarf, an exotic coffee – an ad for that very item appears in your social media feed? Are our phones listening to us and reporting what we say in private conversations to advertisers? The Electronic Frontier Foundation explores this question in this short video along with a factsheet. While EFF says our phones are probably not listening to us, the mechanisms behind this phenomenon of coincidental ads are no less disturbing: As EFF observes, it isn’t just advertisers that are buying our digital lives from data brokers. The federal government is also buying this same intrusive data gleaned from our social media interests and apps. This is the worst violation of our privacy, one that comes from a federal government that has the power to raid our homes and charge us with crimes on the basis of personal information acquired without a warrant. All the more reason to urge your U.S. Senators to follow the example of the U.S. House of Representatives and pass The Fourth Amendment Is Not For Sale Act, which would require federal intelligence and law enforcement agencies to obtain probable cause warrants – as required by the U.S. Constitution – before examining our purchased data.