NSA monitored calls of 35 world leaders after US official handed over contacts

http://www.theguardian.com/world/2013/oct/24/nsa-surveillance-world-leaders-calls

NSA monitored calls of 35 world leaders after US official handed over contacts

• Agency given more than 200 numbers by government official
• NSA encourages departments to share their ‘Rolodexes’
• Surveillance produced ‘little intelligence’, memo acknowledges

The NSA memo suggests that such surveillance was not isolated as the agency routinely monitors world leaders. Photograph: Guardian

The NSA memo suggests that such surveillance was not isolated as the agency routinely monitors world leaders. Photograph: Guardian

The National Security Agency monitored the phone conversations of 35 world leaders after being given the numbers by an official in another US government department, according to a classified document provided by whistleblower Edward Snowden.

Continue reading

Wyden Probing Economic Harm Caused by NSA Surveillance

Clearly, privacy isn’t the only thing at stake here with the NSA spying program. U.S. technology companies are suffering overseas, which will inevitably effect jobs and the economy here.

http://www.businessweek.com/news/2014-07-14/wyden-probing-economic-harm-caused-by-nsa-surveillance

Wyden Probing Economic Harm Caused by NSA Surveillance

Snowden-screen

Senate Finance Committee Chairman Ron Wyden is investigating the economic harm he said is being caused by the U.S. National Security Agency’s surveillance methods.

Wyden, a persistent critic of the NSA, is using his perch as the panel’s chairman to broaden his attack on the agency’s practices, he said in an interview with editors and reporters at Bloomberg News headquarters in New York.

Continue reading

NSA Spying Hurts Cybersecurity for All of Us Say Privacy Advocates

Some commentary from security advocates, including cryptography writer Bruce Schneier.

http://time.com/2966463/nsa-spying-surveillance-cybersecurity-privacy-advocates-schneier/

NSA Spying Hurts Cybersecurity for All of Us Say Privacy Advocates

The surveillance debate has focused on the legality of spying on Americans but some say the biggest danger is in the methods the NSA uses

Privacy advocates Monday slammed the National Security Agency for conducting surveillance in a way they say undermines cybersecurity for everyone and harms U.S. tech companies.

Continue reading

Edward Snowden condemns Britain’s emergency surveillance bill

http://www.theguardian.com/world/2014/jul/13/edward-snowden-condemns-britain-emergency-surveillance-bill-nsa

Edward Snowden condemns Britain’s emergency surveillance bill

Exclusive: NSA whistleblower says it ‘defies belief’ that bill must be rushed through after government ignored issue for a year

The NSA whistleblower Edward Snowden has condemned the new surveillance bill being pushed through the UK’s parliament this week, expressing concern about the speed at which it is being done, lack of public debate, fear-mongering and what he described as increased powers of intrusion.

In an exclusive interview with the Guardian in Moscow, Snowden said it was very unusual for a public body to pass an emergency law such as this in circumstances other than a time of total war. “I mean we don’t have bombs falling. We don’t have U-boats in the harbour.”

Continue reading

The Latest Snowden Leaks Show That NSA Surveillance Gets Extremely Personal

According to recent Snowden leaks, our person pictures and videos as well as school and medical records  are being collected in the NSA’s spying program. But such non-targeted data, according to the NSA, is simply incidental. So now our most intimate details are incidental?

https://news.vice.com/article/the-latest-snowden-leaks-show-that-nsa-surveillance-gets-extremely-personal

The Latest Snowden Leaks Show That NSA Surveillance Gets Extremely Personal

We have known since Edward Snowden’s first leaks came to light more than a year ago that NSA surveillance practices rely upon dragnet spying — the sort of programs that sweep in communications data of many thousands of ordinary phone and Internet users who have never been suspected of being terrorists. This is the backbone of the NSA story as it has played out so far: Surveillance is totalized, not targeted.

The newest revelations, published in a Washington Post investigation Sunday, flesh out what dragnet surveillance really means. And it’s personal.

Continue reading

Linux Lands on NSA Watch List

290x195cybersecurity4

Using Linux and Tor can land you on the NSA’s watch list, but according to the EFF, that shouldn’t necessarily be a deterrent.

http://www.eweek.com/security/linux-lands-on-nsa-watch-list.html

Linux Lands on NSA Watch List

Visiting a popular Linux Website could make an individual a target of government scrutiny.

New disclosures and investigations into the activities of the U.S. National Security Agency (NSA) have revealed fresh insights about the targets of cyber-surveillance activities. Among the new revelations are details about some of the target locations for the NSA XKeyscore system, which monitors and collects Internet data.

Continue reading

Low-level federal judges balking at law enforcement requests for electronic evidence

http://www.washingtonpost.com/local/crime/low-level-federal-judges-balking-at-law-enforcement-requests-for-electronic-evidence/2014/04/24/eec81748-c01b-11e3-b195-dd0c1174052c_story.html

Low-level federal judges balking at law enforcement requests for electronic evidence

Judges at the lowest levels of the federal judiciary are balking at sweeping requests by law enforcement officials for cellphone and other sensitive personal data, declaring the demands overly broad and at odds with basic constitutional rights.

This rising assertiveness by magistrate judges — the worker bees of the federal court system — has produced rulings that elate civil libertarians and frustrate investigators, forcing them to meet or challenge tighter rules for collecting electronic evidence.

Continue reading

Feds Beg Supreme Court to Let Them Search Phones Without a Warrant

http://www.wired.com/?p=774771

Feds Beg Supreme Court to Let Them Search Phones Without a Warrant

Illustration: mattjeacock/Getty ImagesIllustration: mattjeacock/Getty ImagesAmerican law enforcement has long advocated for universal “kill switches” in cellphones to cut down on mobile device thefts. Now the Department of Justice argues that the same remote locking and data-wiping technology represents a threat to police investigations–one that means they should be free to search phones without a warrant.

In a brief filed to the U.S. Supreme Court yesterday in the case of alleged Boston drug dealer Brima Wurie, the Justice Department argues that police should be free to warrantlessly search cellphones taken from suspects immediately at the time of arrest, rather than risk letting the suspect or his associates lock or remotely wipe the phone before it can be searched.

The statement responds to briefs made to the court by the Center for Democracy and Technology and the Electronic Frontier Foundation arguing that warrantless searches of cellphones for evidence represents a serious violation of the suspect’s privacy beyond that of a usual warrantless search of a suspect’s pockets, backpack, or car interior.

“This Court should not deprive officers of an investigative tool that is increasingly important for preserving evidence of serious crimes based on purely imaginary fears that police officers will invoke their authority to review drug dealers’ ‘reading history,’ … ‘appointments with marital counselors,’ or armed robbers’ ‘apps to help smokers quit,’” reads the statement written by DOJ attorney Donald Verrilli Jr., responding to specific examples cited by the CDT.

Continue reading

Fusion Centers: The 78 Local Intelligence Hubs Spying on Us All

Fusion Centers: The 78 Local Intelligence Hubs Spying on Us All

Fusion Centers: The 78 Local Intelligence Hubs Spying on Us AllExpand

While NSA surveillance has been front and center in the news recently, fusion centers are a part of the surveillance state that deserve close scrutiny.

Fusion centers are a local arm of the so-called “intelligence community,” the 17 intelligence agencies coordinated by the National Counterterrorism Center (NCTC). The government documentation around fusion centers is entirely focused on breaking down barriers between the various government agencies that collect and maintain criminal intelligence information.

Barriers between local law enforcement and the NSA are already weak. We know that the Drug Enforcement Agency gets intelligence tips from the NSA which are used in criminal investigations and prosecutions. To make matters worse, the source of these tips is camouflaged using “parallel construction,” meaning that a different source for the intelligence is created to mask its classified source.

This story demonstrates what we called “one of the biggest dangers of the surveillance state: the unquenchable thirst for access to the NSA’s trove of information by other law enforcement agencies.” This is particularly concerning when NSA information is used domestically. Fusion centers are no different.

In fact, in early 2012, the Foreign Intelligence Surveillance Court approved the sharing of raw NSA data with the NCTC. The intelligence community overseen by the NCTC includes the Department of Homeland Security and FBI, the main federal fusion center partners. Thus, fusion centers—and even local law enforcement—could potentially be receiving unminimized NSA data. This runs counter to the distant image many people have of the NSA, and it’s why focusing on fusion centers as part of the recently invigorated conversation around surveillance is important.

What are fusion centers?

Fusion centers are information centers that enable intelligence sharing between local, state, tribal, territorial, and federal agencies. They are actual physical locations that house equipment and staff who analyze and share intelligence.

How many are there?

There are 78 recognized fusion centers listed on the Department of Homeland Security (DHS) website.

Who works at fusion centers?

Fusion centers are staffed by local law enforcement and other local government employees as well as Department of Homeland Security personnel. DHS “has deployed over 90 personnel, including Intelligence Officers and Regional Directors, to the field.” Staffing agreements vary from place to place. Fusion centers are often also colocated with FBI Joint Terrorism Task Forces.

What do fusion centers do?

Fusion centers enable unprecedented levels of bi-directional information sharing between state, local, tribal, and territorial agencies and the federal intelligence community. Bi-directional means that fusion centers allow local law enforcement to share information with the larger federal intelligence community, while enabling the intelligence community to share information with local law enforcement. Fusion centers allow local cops to get—and act upon—information from agencies like the FBI.

Fusion centers are also key to the National Suspicious Activity Reporting Initiative (NSI), discussed below.

What is suspicious activity reporting?

The government defines suspicious activity reporting (SAR) as “official documentation of observed behavior reasonably indicative of pre-operational planning related to terrorism or other criminal activity.” SARs can be initiated by law enforcement, by private sector partners, or by “see something, say something” tips from citizens. They are then investigated by law enforcement.

What is the National Suspicious Activity Reporting Initiative?

NSI is an initiative to standardize suspicious activity reporting. The NSI was conceived in 2008, and started with an evaluation project that culminated in a January 2010 report describing how NSI would encompass all fusion centers. It appears significant progress has been made towards this goal.

The evaluation project included so-called Building Communities of Trust (BCOT) meetings which focused “on developing trust among law enforcement, fusion centers, and the communities they serve to address the challenges of crime and terrorism prevention.”

BCOT “community” events involved representatives from local fusion centers, DHS, and FBI traveling to different areas and speaking to selected community representatives and civil rights advocates about NSI. These were invite only events with the clear purpose of attempting to engender community participation and garner support from potential opponents such as the ACLU.

So what’s wrong with Suspicious Activity Reporting and the NSI?

SARs do no meet legally cognizable standards for search or seizure under the Fourth amendment. Normally, the government must satisfy reasonable suspicion or probable cause standards when searching a person or place or detaining someone. While SARs themselves are not a search or seizure, they are used by law enforcement to initiate investigations, or even more intrusive actions such as detentions, on the basis of evidence that does not necessarily rise to the level of probable cause or reasonable suspicion. In other words, while the standard for SAR sounds like it was written to comport with the constitutional standards for investigation already in place, it does not.

In fact, the specific set of behaviors listed in the National SAR standards include innocuous activities such as:

taking pictures or video of facilities, buildings, or infrastructure in a manner that would arouse suspicion in a reasonable person,” and “demonstrating unusual interest in facilities, buildings, or infrastructure beyond mere casual or professional (e.g. engineers) interest such that a reasonable person would consider the activity suspicious. Examples include observation through binoculars, taking notes, attempting to measure distances, etc.

These standards are clearly ripe for abuse of discretion.

Do fusion centers increase racial and religious profiling?

The weak standards around SAR are particularly concerning because of the way they can lead to racial and religious profiling. SARs can originate from untrained civilians as well as law enforcement, and as one woman pointed out at a BCOT event people who might already be a little racist who are ‘observing’ a white man photographing a bridge are going to view it a little differently than people observing me, a woman with a hijab, photographing a bridge. The bottom line is that bias is not eliminated by so-called observed behavior standards.

Furthermore, once an investigation into a SAR has been initiated, existing law enforcement bias can come into play; SARs give law enforcement a reason to initiate contact that might not otherwise exist.

Unsurprisingly, like most tools of law enforcement, public records act requests have shown that people of color often end up being the target of SARs:

One review of SARs collected through Public Records Act requests in Los Angeles showed that 78% of SARs were filed on non-whites. An audit by the Los Angeles Police Department’s Inspector General puts that number at 74%, still a shockingly high number.

A review of SARs obtained by the ACLU of Northern California also show that most of the reports demonstrate bias and are based on conjecture rather than articulable suspicion of criminal activity. Some of the particularly concerning SARs include titles like “Suspicious ME [Middle Eastern] Males Buy Several Large Pallets of Water” and “Suspicious photography of Folsom Dam by Chinese Nationals.” The latter SAR resulted in police contact: “Sac[ramento] County Sheriff’s Deputy contacted 3 adult Asian males who were taking photos of Folsom Dam. They were evasive when the deputy asked them for identification and said their passports were in their vehicle.” Both of these SARs were entered into FBI’s eGuardian database.

Not only that, there have been disturbing examples of racially biased informational bulletins coming from fusion centers. A 2009 “North Central Texas Fusion Center Prevention Awareness Bulletin” implies that tolerance towards Muslims is dangerous and that Islamic militants are using methods such as “hip-hop boutiques” and “online social networks” to indoctrinate youths in America.

Do fusion centers facilitate political repression?

Fusion centers have been used to record and share information about First Amendment protected activities in a way that aids repressive police activity and chills freedom of association.

A series of public records act requests in Massachusetts showed: “Officers monitor demonstrations, track the beliefs and internal dynamics of activist groups, and document this information with misleading criminal labels in searchable and possibly widely-shared electronic reports.” The documents included intelligence reports addressing issues such internal group discussions and protest planning, and showed evidence of police contact.

For example, one report indicated that “Activists arrested for trespassing at a consulate were interviewed by three surveillance officers ‘in the hopes that these activists may reach out to the officers in the future.’ They were asked about their organizing efforts and for the names of other organizers.”

Who oversees the National Suspicious Activity Reporting Initiative?

The NSI is led by the Program Manager for the Information Sharing Environment (PM-ISE) in collaboration with the DHS and the FBI. The ISE is “the people, projects, systems, and agencies that enable responsible information sharing for national security.” The PM-ISE, currently Kshemendra Paul, oversees the development and implementation of the ISE. The position was created by the Intelligence Reform and Terrorism Prevention Act of 2004.

If this all sounds confusing, that’s because it is: the entire intelligence community is a plethora of duplicative agencies with overlapping areas of responsibility.

What kind of information do fusion centers have?

Staff at fusion centers have access to a variety of databases. Not all staff have the same level of clearances, and the entire extent of what is available to fusion centers is unclear. But we do know certain facts for sure:

Fusion centers have access to the FBI’s eGuardian database, an unclassified companion to the FBI’s Guardian Threat Tracking System. “The Guardian and eGuardian systems . . . have a bi-directional communication ability that facilitates sharing, reporting, collaboration, and deconfliction among all law enforcement agencies.”

Fusion centers also have access to DHS’ Homeland Security Data Network and it’s companion Homeland Security Information Network. These systems provide access to terrorism-related information residing in DoD’s classified network. It is worth noting that HSIN was hacked in 2009 and was considered so problematic that it was briefly decommissioned entirely.

Fusion centers have access to other information portals including the FBI’s Law Enforcement Online portal, Lexis Nexis, the Federal Protective Service portal, and Regional Information Sharing Systems .

Finally, as discussed above, we know that unminimized NSA data can be shared with the National Counterterrorism Center, which means that fusion centers could be in receipt of such data.

What federal laws apply to fusion centers?

Because they are collaborative, legal authority over fusion centers is blurred, perhaps purposefully. However, there are some federal laws that apply. The Constitution applies, and fusion centers arguably interfere with the First and Fourth Amendments.

28 Code of Federal Regulations Part 23 governs certain federal criminal intelligence systems. The “Fusion Center Guidelines . . . call for the adoption of 28 CFR Part 23 as the minimum governing principles for criminal intelligence systems.” 28 CFR 23.20 requires reasonable suspicion to collect and maintain criminal intelligence and prohibits collection and maintenance of information about First Amendment protected activity “unless such information directly relates to criminal conduct or activity and there is reasonable suspicion that the subject of the information is or may be involved in criminal conduct or activity.” Finally, it prohibits inclusion of any information collected in violation of local law.

Section 552(a)(e)(7) of the Privacy Act prohibits federal agencies, in this case DHS personnel who work at fusion centers, from maintaining any “record describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual about whom the record is maintained or unless pertinent to and within the scope of an authorized law enforcement activity.” A 2012 U.S. Senate Permanent Subcommittee on Investigations report on fusion centers stated: “The apparent indefinite retention of cancelled intelligence reports that were determined to have raised privacy or civil liberties concerns appears contrary to DHS’s own policies and the Privacy Act.”

What state or local laws apply to fusion centers?

Fusion centers are sometimes bound by local and state laws. The law enforcement agencies that feed information into centers may also be restricted in terms of what information they can gather.

The Northern California Regional Intelligence Center, located in San Francisco, CA, serves as a good example of how state and local regulations can apply to a fusion center. NCRIC works with law enforcement partners around the region and stores criminal intelligence information. The California constitution has a right to privacy and California has other laws that address privacy and criminal intelligence. These should cover NCRIC.

The San Francisco Police Department’s relationship with NCRIC also serves as a good example of the applicability of local laws. SFPD participates in suspicious activity reporting, but is also bound by a number of restrictions, including Department General Order 8.10, which heavily restricts intelligence gathering by the SFPD, as well as the sanctuary city ordinance, which prohibits working with immigration enforcement. While the fusion center would not be bound by these regulations on its own, the SFPD is.

Who funds fusion centers?

Fusion centers are funded by federal and state tax dollars. Estimates of exactly how much funding fusion centers get from these sources are difficult to obtain. However, there are some numbers available.

For 2014, the Homeland Security Grant Program, which is the federal grant program that funds fusion centers, has $401,346,000 available in grant funds. The grant announcement emphasizes that funding fusion centers and integrating them nationally is a high priority. This is an approximately $50 million increase over last year’s allocation—somewhat shocking in light of the critiques around fusion center funding that have been raised by Congress.

A 2008 Congressional Research Service report states that the average fusion center derives 31% of its budget from the federal government. Those numbers may have changed now.

Has there been any discussion about fusion centers at the federal level?

Yes, but not enough. In October of 2012, fusion centers were the subject of an extremely critical report from the U.S. Senate Permanent Subcommittee on Investigations. The bipartisan report focused on the waste, ineptitude, and civil liberties violations at fusion centers. The report revealed that fusion centers spent tax dollarson “gadgets such as ‘shirt button cameras, $6,000 laptops and big-screen televisions. One fusion center spent $45,000 on a decked-out SUV…” Regarding the information produced by fusion centers, the report noted that fusion centers produced “‘intelligence’ of uneven quality – oftentimes shoddy, rarely timely, sometimes endangering citizens’ civil liberties and Privacy Act protections, occasionally taken from already-published public sources, and more often than not unrelated to terrorism.”

This report recommended a hard look at fusion center funding, but that clearly has not happened. They are still operating across the country with federal funding. In fact, their funding has even been increased.

What about at the local level?

There are grassroots privacy advocates in multiple cities fighting to get more information about fusion centers and how their local law enforcement participates in them. These efforts have been frustrated by stonewalling of public records act requests and uneducated, or at times dishonest, public officials.

Have any regulations been passed or proposed?

To date, only one place has passed regulations around fusion centers. Berkeley, CA, passed a policy in September 2012 that the Berkeley Police Department can only submit suspicious activity reports after establishing reasonable suspicion of criminal behavior, and put in place an audit of SARs.

Massachusetts is also considering changes to fusion centers. SB 642 would strictly limit collection and dissemination of criminal intelligence information and would require a yearly audit of the Massachusetts Commonwealth Fusion Center.

What can I do?

Fusion centers are an area ripe for grassroots organizing. Groups like the StopLAPD Spying Coalition, which put together a “People’s Audit” of SARs in LA, provide excellent examples of how this can happen. Public records act requests can be leveraged to get information about what your local law enforcement is doing. Grassroots organizing and education can get people and elected officials talking about this issue.

On April 10, activists across the country will be participating in “Stop the Spy Centers: a national day of action against fusion centers.” These activists have three demands: 1. Shut down fusion centers, 2. De-fund fusion centers, and 3. Release all suspicious activity reports and secret files.

While April 10 is one day of action, the conversation around fusion centers must continue hand in hand with our national discourse around NSA, CIA, and FBI surveillance.

Where can I get more information about fusion centers?

This article first appeared on Electronic Frontier Foundation and is republished under Creative Commons license. Image by Tischenko Irina/Shutterstock.

NSA Reportedly Exploited Heartbleed For Spying—But Strongly Denies the Allegation

NSA Reportedly Exploited Heartbleed For Spying—But Strongly Denies the Allegation

Because the agency hasn’t already reportedly done enough.

http://www.nationaljournal.com/tech/nsa-reportedly-exploited-heartbleed-for-spying-but-strongly-denies-the-allegation-20140411

When it bleeds, it pours.

The National Security Agency reportedly knew of and exploited the massive Internet bug revealed to the public this week and known now as “Heartbleed” in order to gather intelligence information on targets.

This new revelation packs an extra twist that other recent NSA leaks have lacked: Regardless of its purpose for intelligence gathering, the NSA may have known for years about a historic security flaw that may have affected up to two-thirds of the Internet. Instead of trying to repair that flaw–which has potentially impacted countless people–the NSA reportedly manipulated it in secret.

“Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost,” Bloomberg first reported Friday, citing two people “familiar” with the matter. “Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.”

In a statement late Friday afternoon, the NSA denied the Bloomberg report. “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,” said agency spokeswoman Vanee Vines. “Reports that say otherwise are wrong.”

In a follow-up statement, NSC Spokesperson Caitlin Hayden said that the Obama administration “takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.”

Unlike previous statements about alleged NSA activities, the statements made by the NSA and White House today are definitive, with little room for differing interpretations.

The Heartbleed bug was revealed publicly for the first time earlier this week, and has been described by numerous cybersecurity experts as one of the worst security glitches the web has ever encountered. Heartbleed is caused by a minor two-year-old flaw in software coding of a program known as OpenSSL that is meant to provide extra protection to websites.

Considerable attention has been paid to Heartbleed’s potential use by criminal hackers to collect war chests filled with online passwords, personal information and banking data, but it remains unclear whether any such bad actors knew of or exploited it prior to its disclosure. A fix was rolled out five days ago, but concerns persist that much of the Internet’s security has been compromised.

Some Internet freedom and privacy groups began speculating that intelligence agencies may have exploited Heartbleed for surveillance purposes shortly after news of the bug broke earlier this week. The Electronic Frontier Foundation suggested earlier exploitations of the bug detected in November of last year “makes a little more sense for intelligence agencies than for commercial or lifestyle malware.”

Earlier Friday, the Department of Homeland Security issued guidance on Heartbleed, saying that “everyone has a role to play to ensuring [sic] our nation’s cybersecurity.”

This post was updated Friday afternoon after the NSA statement was released.