A provision snuck into the still-secret text of the Senate’s annual intelligence authorization would give the FBI the ability to demand individuals’ email data and possibly web-surfing history from their service providers without a warrant and in complete secrecy. If passed, the change would expand the reach of the FBI’s already highly controversial national security letters. The FBI is currently allowed to get certain types of information with NSLs—most commonly information about the name, address, and call information associated with a phone number or details about a bank account. Since a 2008 Justice Department ruling, the FBI has not been allowed to use NSLs to demand “electronic communication transaction records” such as email subject lines and other metadata, or URLs visited. The spy bill passed the Senate Intelligence Committee on Tuesday, with the provision in it. The lone no vote came from Sen. Ron Wyden, D-Ore., who wrote in a statement that one of its provisions “would allow any FBI field office to demand email records without a court order, a major expansion of federal surveillance powers.” Wyden’s office would not clarify whether the provision would also allow the FBI to demand web-surfing histories and other such information. It’s unclear how or when the provision was added, although Sens. Richard Burr, R-N.C, —the committee’s chairman—and Tom Cotton, R-Ark., have both offered bills in the past that would address what the FBI calls a gap and privacy advocates consider a serious threat to civil liberties. “At this point, it should go without saying that the information the FBI wants to include in the statue is extremely revealing—URLS, for example, may reveal the content of a website that users have visited, their location, and so on,” Andrew Crocker, staff attorney for the Electronic Frontier Foundation wrote in an email to The Intercept. “And it’s particularly sneaky because this bill is debated behind closed doors,” Robyn Greene, policy counsel at the Open Technology Institute, said in an interview. In February, FBI Director James Comey testified during a Senate Intelligence Committee hearing on worldwide threats that the FBI’s inability to get email records with NSLs was a “typo”—and that fixing it was one of the FBI’s top legislative priorities . Greene warned at the time: “Unless we push back against Comey now, before you know it, the long slow push for an [Electronic Communications Transactional Records] fix may just be unstoppable.” The FBI used to think that it was in fact allowed to get email records with NSLs, and did so routinely until the Justice Department under George W. Bush told the FBI they had interpreted their powers over broadly. Ever since then, the FBI has tried to get that power and been rejected, including during negotiations over the USA Freedom Act. The FBI’s power to issue NSLs is actually derived from the Electronic Communications Privacy Act—a 1986 law that Congress is currently working to update to incorporate more protections for electronic communications – not fewer. The House unanimously passed the Email Privacy Act in late April, while the Senate is due to vote on its version this week. Sen. John Cornyn, R-Tex., is expected to offer an amendment that would mirror the provision in the intelligence bill. Privacy advocates warn that adding it to the broadly supported reform effort would backfire. “If [the provision] is added to ECPA, it’ll kill the bill,” Gabe Rottman, deputy director of the Center for Democracy and Technology’s freedom, security, and technology project wrote in an email to The Intercept. “If it passes independently, it’ll create a gaping loophole. Either way, it’s a big problem and a massive expansion of government surveillance authority.” NSLs have a particularly controversial history. Justice Department Inspector General Glenn Fine in 2008 blasted the FBI for using NSLs supported by weak evidence and documentation to collect information on Americans, some of which “implicated the target’s First Amendment rights.” “NSLs have a sordid history. They’ve been abused in a number of ways, including… targeting of journalists, and…use to collect an essentially unbounded amount of information,” Crocker wrote. One thing that makes them particularly easy to abuse is that recipients of NSLs are subject to a gag order that forbids them from revealing the letters’ existence to anyone, much less the public. Sign up for The Intercept Newsletter here.The post Secret Text in Senate Bill Would Give FBI Warrantless Access to Email Records appeared first on The Intercept.
The Federal Bureau of Investigation’s refusal to discuss even the broad strokes of some of its secret investigative methods, such as implanting malware and tracking cellphones with Stingrays, is backfiring — if the goal is to actually enforce the law. In the most recent example, the FBI may be forced to drop its case against a Washington State school administrator charged with possessing child porn because it doesn’t want to tell the court or the defense how it got its evidence—even in the judge’s chambers. The FBI reportedly used a bug in an older version of the free anonymity software Tor to insert malware on the computers of people who accessed a child-porn website it had seized. The malware gave agents the ability to see visitors’ real Internet addresses and track them down. Defense lawyers for Jay Michaud of Vancouver, Wash., argued they had the right to review the malware in order to pursue their argument that the government compromised the security of Michaud’s computer, leading to the illicit material ending up there unintentionally. U.S. District Court Judge Robert Bryan in Tacoma agreed. “The consequences are straightforward: the prosecution must now choose between complying with the Court’s discovery order and dismissing the case,” Michaud’s defense attorneys wrote in a brief filed last week. The FBI’s lawyers took what they described as the “unusual step” in late March of asking the judge to reconsider his order, repeating earlier arguments that revealing the full details of the technique would be “harmful to the public interest.” The information might damage future investigations by allowing potential targets to learn about the FBI’s tactics, its attorneys argued, and might “discourage cooperation from third parties and other governmental agencies who rely on these techniques in critical situations.” The bureau sometimes pays third parties for exploitable security flaws, which lose their market value when they are made public and get fixed. FBI officials declined to comment to The Intercept about their legal strategy. In their frequent public arguments against unbreakable encryption, FBI officials have been arguing that public safety takes precedence over personal privacy. But if this case gets dropped, the “defendant walks because the Government has decided that its secrecy trumps someone else’s becoming a victim of Crime Everyone Hates,” Scott Greenfield, criminal defense lawyer, wrote in his blog Simple Justice. “The FBI would rather let a criminal go free than actually follow a court order designed to ensure a fair defense” even though revealing the bug “would almost certainly not help the defense,” tweeted Nicholas Weaver, a computer security researcher at the International Computer Science Institute in Berkeley, California. And this isn’t the first time FBI has expressed “its preference for secrecy over public safety,” tweeted Amie Stepanovich, U.S. policy manager for digital rights group Access Now. Indeed, the FBI’s insistence on keeping certain surveillance tools secret —particularly the Stingray, or IMSI catcher, which imitates a cellphone tower to secretly grab up data about nearby phones – is letting criminals go free. In Baltimore, 2,000 convictions may be overturned because of evidence that the police and the FBI purposefully withheld and then lied about the capabilities of the technology. And last week, a city judge in Baltimore reluctantly tossed out key murder evidence gathered after the use of a cell site simulator because the police, who had been concealing use of the device as part of a nondisclosure agreement with the FBI, used it without getting a search warrant. She called it an “unconstitutional search.” Journalists have also reported on cases in New York and Florida where the FBI instructed prosecutors to offer a deal or drop the case entirely to hide details about the technology. In Milwaukee, the FBI simply tried to hide its use entirely from the record. At least 20 local agencies have signed non-disclosure agreements when they purchase Stingrays, according to privacy advocate Mike Katz-Lacabe who keeps track. The American Civil Liberties Union and other groups have chronicled federal and local law enforcement use of Stingrays in at least 23 states. “We still don’t know all of the law enforcement agencies that actually have StingRay/HailStorm/DRTbox devices,” Katz-Lacabe wrote in an email to The Intercept. “With a few exceptions, we don’t know how they are used by each agency or how frequently. We don’t know their full range of impact on nearby phones as we don’t know the technical capabilities of the amplifiers and antennas that are used with the devices. We don’t know which agencies are using equipment that can actually intercept calls instead of just track them. I think that more cases will be thrown out as defense attorneys, judges, and the public learn about the technology that law enforcement has tried to keep secret,” he wrote. Nathan Wessler, an attorney with the ACLU’s Speech, Privacy, and Technology Project, says the FBI’s openness about Stingrays seems to have gotten a little better since the DOJ updated its Stingray policy in September 2015 to increase privacy protections and legal requirements. “It looks like the DOJ policy has had an effect at least on what the FBI is telling judges when it seeks judicial authorization. The FBI should have exercised at least this level of candor with judges starting years ago, but at least there’s evidence that they’re doing so now,” he wrote in an email to The Intercept. And yet, he wrote: “The biggest continuing problem involving FBI secrecy about Stingrays is at the state and local level, where the FBI’s non-disclosure agreement has kept judges, defense attorneys, and the public in the dark.” When it comes to hacking tools, the FBI’s secrecy is “still intense,” Wessler concluded. Sign up for The Intercept Newsletter here.The post FBI Chooses Secrecy Over Locking Up Criminals appeared first on The Intercept.
A newly published study from Oxford’s Jon Penny provides empirical evidence for a key argument long made by privacy advocates: that the mere existence of a surveillance state breeds fear and conformity and stifles free expression. Reporting on the study, the Washington Post this morning described this phenomenon: “If we think that authorities are watching our online actions, we might stop visiting certain websites or not say certain things just to avoid seeming suspicious.” The new study documents how, in the wake of the 2013 Snowden revelations (of which 87% of Americans were aware), there was “a 20 percent decline in page views on Wikipedia articles related to terrorism, including those that mentioned ‘al-Qaeda,’ “car bomb’ or ‘Taliban.’” People were afraid to read articles about those topics because of fear that doing so would bring them under a cloud of suspicion. The dangers of that dynamic were expressed well by Penny: “If people are spooked or deterred from learning about important policy matters like terrorism and national security, this is a real threat to proper democratic debate.” As the Post explains, several other studies have also demonstrated how mass surveillance crushes free expression and free thought. A 2015 study examined Google search data and demonstrated that, post-Snowden, “users were less likely to search using search terms that they believed might get them in trouble with the US government” and that these “results suggest that there is a chilling effect on search behavior from government surveillance on the Internet.” The fear that causes self-censorship is well beyond the realm of theory. Ample evidence demonstrates that it’s real – and rational. A study from PEN America writers found that 1 in 6 writers had curbed their content out of fear of surveillance and showed that writers are “not only overwhelmingly worried about government surveillance, but are engaging in self-censorship as a result.” Scholars in Europe have been accused of being terrorist supporters by virtue of possessing research materials on extremist groups, while British libraries refuse to house any material on the Taliban for fear of being prosecuted for material support for terrorism. There are also numerous psychological studies demonstrating that people who believe they are being watched engage in behavior far more compliant, conformist and submissive than those who believe they are acting without monitoring. That same realization served centuries ago as the foundation of Jeremy Bentham’s Panopticon: that behaviors of large groups of people can be effectively controlled through architectural structures that make it possible for them to be watched at any given movement even though they can never know if they are, in fact, being monitored, thus forcing them to act as if they always are being watched. This same self-censorsing, chilling effect of the potential of being surveilled was also the crux of the tyranny about which Orwell warned in 1984: There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time. But at any rate they could plug in your wire whenever they wanted to. You have to live – did live, from habit that became instinct – in the assumption that every sound you made was overheard, and, except in darkness, every movement scrutinized. This is a critical though elusive point which, as the Post notes, I’ve been arguing for years, including in the 2014 TED talk I gave about the harms of privacy erosions. But one of my first visceral encounters with this harmful dynamic arose years before I worked on NSA disclosures: it occurred in 2010, the first time I ever wrote about WikiLeaks. This was before any of the group’s most famous publications. What prompted my writing about WikiLeaks back then was a secret 2008 Pentagon Report that declared the then-little-known group a threat to national security and plotted how to destroy it: a report which, ironically enough, was leaked to WikiLeaks, which then published it online. (Shortly thereafter, WikiLeaks published a 2008 CIA report describing (presciently, it turns out) how the best hope for maintaining popular European support for the war in Afghanistan would be the election of Barack Obama as President: since he would put a pretty, popular, progressive face on war policies.) As a result of that 2008 report, I researched WikiLeaks and interviewed its founder, Julian Assange, and found that they had been engaging in vital transparency projects around the world: from exposing illegal corporate waste-dumping in East Africa to political corruption and official lies in Australia. But they had one significant problem: funding and human resource shortfalls were preventing them from processing and publishing numerous leaks. So I wrote an article describing their work, and recommended that my readers support that work either by donating or volunteering. And I included links for how they could do so. In response, a large number of American readers expressed – in emails, in the comment section, at public events – the fear to me that, while they support WikiLeaks’ work, they were petrified that supporting them would cause them to end up on a government list somewhere or, worse, charged with crimes if WikiLeaks ended up being formally charged as a national security threat. In other words, these were Americans who were voluntarily relinquishing core civil liberties – the right to support journalism they believe in and to politically organize – because of fear that their online donations and work would be monitored and surveilled. Subsequent revelations showing persecution and surveillance against WikiLeaks and its supporters, including an effort to prosecute them for their journalism, proved that these fears were quite rational. There is a reason governments, corporations, and multiple other entities of authority crave surveillance. It’s precisely because the possibility of being monitored radically changes individual and collective behavior. Specifically, that possibility breeds fear and fosters collective conformity. That’s always been intuitively clear. Now, there is mounting empirical evidence proving it. Sign up for The Intercept Newsletter here.The post New Study Shows Mass Surveillance Breeds Meekness, Fear and Self-Censorship appeared first on The Intercept.
The Supreme Court on Thursday approved changes that would make it easier for the FBI to hack into computers, many of them belonging to victims of cybercrime. The changes will take immediate affect in December, unless Congress adopts competing legislation. Previously, under the federal rules on criminal procedures, a magistrate judge couldn’t approve a warrant request to search a computer remotely if the investigator didn’t know where the computer was—because it might be outside his or her jurisdiction. The rule change, sent in a letter to Congress on Thursday, would allow a magistrate judge to issue a warrant to search or seize an electronic device if the target is using anonymity software like Tor. Over a million people use Tor to browse popular websites like Facebook every month for perfectly legitimate reasons, in addition to criminals who use it to hide their locations. The changes, which would allow the FBI go hunting for anyone browsing the Internet anonymously in the U.S. with a single warrant, are already raising concerns among privacy advocates who have been closely following the issue. “Whatever euphemism the FBI uses to describe it—whether they call it a ‘remote access search’ or a ‘network investigative technique’—what we’re talking about is government hacking, and this obscure rule change would authorize a whole lot more of it,” Kevin Bankston, director of Open Technology Institute, said in a press release. Ahmed Ghappour, a visiting professor at University of California Hastings Law School, has described it as “possibly the broadest expansion of extraterritorial surveillance power since the FBI’s inception” because it could potentially allow the FBI to hack a large number of computers domestically and abroad. The Supreme Court ruling also expands the warrants to allow the FBI to hack into computers in five or more districts that have been hacked, such as those infected by a botnet—a type of malware that gives criminal hackers the power to take over many innocent “zombie” computers to distribute spam or spread viruses. This part of the ruling would allow the FBI to search the victim’s property, explained Amie Stepanovich, senior policy counsel for digital rights group Access Now in a message to The Intercept. “On account of their distributed nature, investigations of unlawful botnets undoubtedly pose a significant barrier to law enforcement,” she said in testimony before an obscure judiciary committee that considered the rule change before it got to the Supreme Court. However, “the proposed amendment unilaterally expands [FBI] investigations to further encompass the devices of the victims themselves, those who have already suffered injury and are most at risk by the further utilization of the botnet.” It’s up to Congress to propose legislation that would modify or reject the proposed changes to the criminal procedure rules. Lawmakers have until Dec. 1, otherwise the new policies would immediately take affect. “These amendments will have significant consequences for Americans’ privacy and the scope of the government’s powers to conduct remote surveillance and searches of electronic devices,” Senator Ron Wyden, D-Ore., wrote in a press release. “I plan to introduce legislation to reverse these amendments shortly, and to request details on the opaque process for the authorization and use of hacking techniques by the government.” Sign up for The Intercept Newsletter here.The post Supreme Court Gives FBI More Hacking Power appeared first on The Intercept.
A BIPARTISAN GROUP of lawmakers is none too happy that the executive branch is asking them to reauthorize two key surveillance programs next year without answering the single most important question about them. The programs, authorized under Section 702 of the Foreign Intelligence Surveillance Act, are called PRISM and Upstream. PRISM collects hundreds of millions of internet communications of “targeted individuals” from providers such as Facebook, Yahoo, and Skype. Upstream takes communications straight from the major U.S. internet backbones run by telecommunications companies such as AT&T and Verizon and harvests data that involves selectors related to foreign targets. But both programs, though nominally targeted at foreigners overseas, inevitably sweep up massive amounts of data involving innocent Americans. The question is: How much? The government won’t answer. Fourteen members of the House Judiciary Committee sent a letter to Director of National Intelligence James R. Clapper on Friday asking for at least a rough estimate. “In order that we may properly evaluate these programs, we write to ask that you provide us with a public estimate of the number of communications or transactions involving United States persons subject to Section 702 surveillance on an annual basis,” said the letter. Signatories included ranking Democrat John Conyers Jr. and a senior Republican member, James Sensenbrenner. Sen. Ron Wyden has asked for a number since 2011; the Privacy and Civil Liberties Oversight Board recommended in July 2014 that the government provide several. In October, more than 30 privacy groups asked for an estimate and explained how easy it would be to come up with one. “House Judiciary Committee members have lent their voices to the growing chorus demanding hard facts about how foreign intelligence surveillance affects Americans,” said Elizabeth Goitein, co-director of the Brennan Center’s Liberty and National Security Program, in a statement. “The NSA will soon be asking Congress to reauthorize the Foreign Intelligence Surveillance Act, and it will repeat its past claims that any collection of Americans’ communications is merely ‘incidental.’” But, Goitein said, “We still don’t have this basic information.” Top photo: “Red Bricks” by Grzesiek used under CC BY, modified with NSA logo. The post Stonewalled by NSA, Members of Congress Ask Really Basic Question Again appeared first on The Intercept.