• Tag Archives NSA
  • Why We’re Being Watched

    Wikileaks has just published over 8,000 files they say were leaked from the CIA, explaining how the CIA developed the capacity to spy on you through your phone, your computer, and even your television. And Wikileaks’s Julian Assange claims these “Vault 7” documents are just one percent of all the CIA documents they have.

    The media will be combing through these for weeks or months, so now is a perfect moment for us to reconsider the role of privacy, transparency, and limited government in a free society.

    We’ve put together a quick list of the six best Learn Liberty resources on government spying and whistleblowing to help inform this discussion.



    1. War Is Why We’re Being Watched

    Why is the US government spying on its citizens in the first place? Professor Abby Hall Blanco says that expansive state snooping at home is actually the result of America’s military interventionism abroad.

    2. Is Privacy the Price of Security?

    Yes, you may think, the government is snooping on us, but it’s doing that to keep us safe!

    That’s the most common justification for sweeping and intrusive surveillance, so we held a debate between two experts to get right to the heart of it. Moderated by TK Coleman, this debate between Professor Ronald Sievert and Cindy Cohn, the Executive Director of the Electronic Frontier Foundation, was inspired in part by the revelations about NSA surveillance leaked by Edward Snowden in June 2013.

    3. Freedom Requires Whistleblowers

    People are already drawing parallels between the Snowden leaks and the Vault 7 revelations. If the leaks are indeed coming from a Snowden-like whistleblower, that will once again raise the issue of government prosecution of people who reveal classified information to the public.

    Professor James Otteson argues that a free society requires a transparent government, and whistleblowers play a key role in creating that accountability. Otteson also sounds a warning that should resonate with many Americans today:

    Maybe you’re not concerned about the invasions of privacy that the federal government agencies are engaging in because you think, “Well, I haven’t done anything wrong. What do I have to fear?” Maybe you think, “I like and support this president. I voted for him.”

    But what about the next president? The powers that we let the government have under one president are the same powers that the next president will have too.

    What if the next president is one you don’t support? He, too, will have all the power that you were willing to give the president you now support.

    4. Encryption Is a Human Rights Issue

    Documents from Vault 7 suggest that the CIA has been so stymied by encrypted-messaging apps, such as Signal and WhatsApp, that it has resorted to taking over entire smartphones to read messages before they are sent.

    That turns out to be a costly, targeted, and time-consuming business that doesn’t allow for mass data collection. But for decades, government officials have tried to require tech companies to give the government a backdoor into their encryption. In “Encryption Is a Human Rights Issue,” Amul Kalia argues that protecting encryption from government is essential to our safety and freedom.

    5. The Police Know Where You Live

    It turns out that it’s not just spy agencies that have access to detailed information about your life. Ordinary police officers have it, too, and they often face little supervision or accountability. As Cassie Whalen explains, “Across the United States, police officers abuse their access to confidential databases to look up information on neighbors, love interests, politicians, and others who had no connection to a criminal investigation.”

    Surveillance is a serious issue at every level of government.

    6. Understanding NSA Surveillance

    If you’re ready to take your learning to the next level, check out our complete video course on mass government surveillance with Professor Elizabeth Foley. In it, you’ll learn what you need to know to make sense of the NSA scandal in particular and mass surveillance in general.

    Reprinted from Learn Liberty.


    Kelly Wright

    Kelly Wright is an Online Programs Coordinator at the Institute for Humane Studies.

    This article was originally published on FEE.org.


  • NSA’s Failure to Report Shadow Broker Vulnerabilities Underscores Need for Oversight

    In August, an entity calling itself the “Shadow Brokers” took the security world by surprise by publishing what appears to be a portion of the NSA’s hacking toolset. Government investigators now believe that the Shadow Brokers stole the cache of powerful NSA network exploitation tools from a computer located outside of the NSA’s network where they had been left accidentally, according to Reuters. A new detail, published for the first time in yesterday’s Reuters report, is that the NSA learned about the accidental exposure at or near the time it happened. The exploits, which showed up on the Shadow Brokers’ site last month, target widely used networking products produced by Cisco and Fortinet and rely on significant, previously unknown vulnerabilities or “zero days” in these products. The government has not officially confirmed that the files originated with the NSA, but the Intercept used documents provided by Edward Snowden to demonstrate links between the NSA and the Equation Group, which produced the exploits.

    The Reuters story provides a partial answer to the most important question about the Shadow Brokers leak: why did the NSA seemingly withhold its knowledge of the Cisco and Fortinet zero days, among others, from the vendors? According to unnamed government sources investigating the matter, an NSA employee or contractor mistakenly left the exploits on a remote computer about three years ago, and the NSA learned about that mistake soon after. Because the agency was aware that the exploits had been exposed and were therefore vulnerable to theft by outsiders, it “tuned its sensors to detect use of any of the tools by other parties, especially foreign adversaries with strong cyber espionage operations, such as China and Russia.” Apparently finding no such evidence, the NSA sat on the underlying vulnerabilities until the Shadow Brokers posted them publicly.

    But the NSA’s overconfidence should disturb us, as security researcher Nicholas Weaver points out. The “sensors” mentioned by Reuters are likely a non-technical reference to monitoring of the Internet backbone by the NSA under such authorities as Section 702 and Executive Order 12333, which could act as a form of Network Intrusion Detection System (NIDS). (The Department of Homeland Security also operates an NIDS called Einstein specifically to monitor government networks.) But Weaver explains that at least some of the exploits, including those that affected Cisco and Fortinet products, appear not to lend themselves to detection by outside monitoring since they operate within a target’s internal network. In other words, the NSA’s confidence that its surveillance tools weren’t being used by other actors might have been seriously misplaced.

    The NSA’s decision not to disclose the Cisco and Fortinet vulnerabilities becomes even more questionable in light of the fact that some of the specific products affected had been approved by the Department of Defense’s Unified Capabilities (UC) Approved Products List (APL), which identifies equipment that can be used in DoD networks.[1]

    Under National Security Directive 42, NSA is tasked with securing “National Security Systems” against compromise or exploitation, a mission which was traditionally housed within the Information Assurance Directorate (IAD). The NSA is currently in the process of combining the “defensive” IAD with its “offensive” intelligence-gathering divisions, but high-level officials charged with information assurance have acknowledged the NSA’s defensive mission is more important than ever. Regardless of whether the mission of protecting National Security Systems is interpreted broadly or narrowly, the NSA’s failure to remedy defects in products used widely across the IT sector and apparently by the government, and even the DoD itself, is difficult to defend.

    Above all, the Shadow Brokers story highlights the need for oversight of the government’s use of zero days. Right now, the decision whether to retain or disclose a vulnerability is theoretically governed by the Vulnerabilities Equities Process (VEP), a once-secret policy that EFF obtained in redacted form via a Freedom of Information Act lawsuit. But because the VEP isn’t binding on the government, as far as we can tell, it’s toothless. While we don’t know the exact considerations employed by the government in reaching a decision to withhold a zero day, several of the high-level considerations described by White House Cybersecurity Coordinator Michael Daniel in a blog post about the VEP seem highly relevant:

    • How much is the vulnerable system used in the core Internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
    • Does the vulnerability, if left unpatched, impose significant risk?
    • How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
    • How likely is it that we would know if someone else was exploiting it?

    Even if NSA initially believed the specific vulnerabilities at issue in this case wouldn’t be discovered by others, its knowledge that the exploits had been left exposed should have changed that calculus. And if NSA knew specifically that the exploits had been stolen, it’s hard to think of a rationale where disclosure would still be outweighed by other considerations. Coincidentally, the NSA seems to have lost control of the Shadow Brokers exploits in 2013, during a fallow period for the VEP. Although the VEP was written in 2010, Michael Daniel told Wired that it was not “implemented to the full degree that it should have been” and was only “reinvigorated” in 2014.

    We think lawmakers should be concerned with this story, and we encourage them to ask the NSA to explain exactly what happened. We think the government should be far more transparent about its vulnerabilities policy. A start would be releasing a current version of the VEP without redacting the decisionmaking process, the criteria considered, and the list of agencies that participate, as well as an accounting of how many vulnerabilities the government retains and for how long. After that, we urgently need to have a debate about the proper weighting of disclosure versus retention of vulnerabilities, and we should ensure that any policy that implements this decision is more than just a vague blog post or a document that lacks all “vigor.”

    Source: NSA’s Failure to Report Shadow Broker Vulnerabilities Underscores Need for Oversight | Electronic Frontier Foundation


  • Word Games: What the NSA Means by “Targeted” Surveillance Under Section 702

    We all know that the NSA uses word games to hide and downplay its activities. Words like “collect,” “conversations,” “communications,” and even “surveillance” have suffered tortured definitions that create confusion rather than clarity.

    There’s another one to watch: “targeted” v. “mass” surveillance.

    Since 2008, the NSA has seized tens of billions of Internet communications. It uses the Upstream and PRISM programs—which the government claims are authorized under Section 702 of the FISA Amendments Act—to collect hundreds of millions of those communications each year. The scope is breathtaking, including the ongoing seizure and searching of communications flowing through key Internet backbone junctures,[1] the searching of communications held by service providers like Google and Facebook, and, according to the government’s own investigators, the retention of significantly more than 250 million Internet communications per year.[2]

    Yet somehow, the NSA and its defenders still try to pass 702 surveillance off as “targeted surveillance,” asserting that it is incorrect when EFF and many others call it “mass surveillance.”

    Our answer: if “mass surveillance” includes the collection of the content of hundreds of millions of communications annually and the real-time search of billions more, then the PRISM and Upstream programs under Section 702 fully satisfy that definition.

    This word game is important because Section 702 is set to expire in December 2017. EFF and our colleagues who banded together to stop the Section 215 telephone records surveillance are gathering our strength for this next step in reining in the NSA. At the same time, the government spin doctors are trying to avoid careful examination by convincing Congress and the American people that this is just “targeted” surveillance and doesn’t impact innocent people.

    Section 702 Surveillance: PRISM and Upstream

    PRISM and Upstream surveillance are two types of surveillance that the government admits that it conducts under Section 702 of the FISA Amendments Act, passed in 2008. Each kind of surveillance gives the U.S. government access to vast quantities of Internet communications.[3]

    Upstream gives the NSA access to communications flowing through the fiber-optic Internet backbone cables within the United States.[4] This happens because the NSA, with the help of telecommunications companies like AT&T, makes wholesale copies of the communications streams passing through certain fiber-optic backbone cables. Upstream is at issue in EFF’s Jewel v. NSA case.

    PRISM gives the government access to communications in the possession of third-party Internet service providers, such as Google, Yahoo, or Facebook. Less is known about how PRISM actually works, something Congress should shine some light on between now and December 2017.[5]

    Note that those two programs existed prior to 2008—they were just done under a shifting set of legal theories and authorities.[6] EFF has had evidence of the Upstream program from whistleblower Mark Klein since 2006, and we have been suing to stop it ever since.

    Why PRISM and Upstream are “Mass,” Not “Targeted,” Surveillance

    Despite government claims to the contrary, here’s why PRISM and Upstream are “mass surveillance”:

    (1) Breadth of acquisition: First, the scope of collection under both PRISM and Upstream surveillance is exceedingly broad. The NSA acquires hundreds of millions, if not billions, of communications under these programs annually.[7] Although, in the U.S. government’s view, the programs are nominally “targeted,” that targeting sweeps so broadly that the communications of innocent third parties are inevitably and intentionally vacuumed up in the process. For example, a review of a “large cache of intercepted conversations” provided by Edward Snowden and analyzed by the Washington Post revealed that 9 out of 10 account holders “were not the intended surveillance targets but were caught in a net the agency had cast for somebody else.”[8] The material reviewed by the Post consisted of 160,000 intercepted e-mail and instant message conversations, 7,900 documents (including “medical records sent from one family member to another, resumes from job hunters and academic transcripts of schoolchildren”), and more than 5,000 private photos.[9] In all, the cache revealed the “daily lives of more than 10,000 account holders who were not targeted [but were] catalogued and recorded nevertheless.”[10] The Post estimated that, at the U.S. government’s annual rate of “targeting,” collection under Section 702 would encompass more than 900,000 user accounts annually. By any definition, this is “mass surveillance.”

    (2) Indiscriminate full-content searching: Second, in the course of accomplishing its so-called “targeted” Upstream surveillance, the U.S. government, in part through its agent AT&T, indiscriminately searches the contents of billions of Internet communications as they flow through the nation’s domestic, fiber-optic Internet backbone. This type of surveillance, known as “about surveillance,” involves the NSA’s retention of communications that are neither to nor from a target of surveillance; rather, it authorizes the NSA to obtain any communications “about” the target.[11] Even if the acquisition of communications containing information “about” a surveillance target could, somehow, still be considered “targeted,” the method for accomplishing that surveillance cannot be: “about” surveillance entails a content search of all, or substantially all, international Internet communications transiting the United States.[12] Again, by any definition, Upstream surveillance is “mass surveillance.” For PRISM, while less is known, it seems the government is able to search through—or require the companies like Google and Facebook to search through—all the customer data stored by the corporations for communications to or from its targets.

    Seizure: Fourth Amendment and the Wiretap Act

    To accomplish Upstream surveillance, the NSA copies (or has its agents like AT&T copy) Internet traffic as it flows through the fiber-optic backbone. This copying, even if the messages are only retained briefly, matters under the law. Under U.S. constitutional law, when the federal government “meaningfully interferes” with an individual’s protected communications, those communications have been “seized” for purposes of the U.S. Constitution’s Fourth Amendment. Thus, when the U.S. government copies (or has copied) communications wholesale and diverts them for searching, it has “seized” those communications under the Fourth Amendment.

    Similarly, U.S. wiretapping law triggers a wiretap at the point of “interception by a device,” which occurs when the Upstream mechanisms gain access to our communications.[13]

    Why does the government insist that it’s targeted? For Upstream, it may be because the initial collection and searching of the communications—done by service providers like AT&T on the government’s behalf—is really, really fast and much of the information initially collected is then quickly disposed of. In this way the Upstream collection is unlike the telephone records collection where the NSA kept all of the records it seized for years. Yet this difference should not change the conclusion that the surveillance is “mass surveillance.” First, all communications flowing through the collection points upstream are seized and searched, including content and metadata. Second, as noted above, the amount of information retained—over 250 million Internet communications per year—is astonishing.

    Thus, regardless of the time spent, the seizure and search are comprehensive and invasive. Using advanced computers, the NSA and its agents can do a full-text, content search within a blink of an eye through billions, if not trillions of your communications, including emails, social media, and web searches. Second, as demonstrated above, the government retains a huge amount of the communications—far more about innocent people than about its targets—so even based on what is retained the surveillance is better described as “mass” rather than “targeted.”

    Yes, it is Mass Surveillance

    So it is completely correct to characterize Section 702 as mass surveillance. It stems from the confluence of: (1) the method NSA employs to accomplish its surveillance, particularly Upstream, and (2) the breadth of that surveillance.

    Next time you see the government or its supporters claim that PRISM and Upstream are “targeted” surveillance programs, you’ll know better.

    Source: Word Games: What the NSA Means by “Targeted” Surveillance Under Section 702 | Electronic Frontier Foundation