By Adina Schwartz and Aidan Booth To view the 2014 chronicle please click here To view the 2013 chronicle please click here
May 25, 2015
The Ditchley Foundation, which hosts several conferences each year on “complex issues of international concern” at its mansion in Oxfordshire, England, hosted a conference on “Intelligence, Security and Privacy” from May 14-16. Sir John Scarlett, the former head of the UK’s MI6, chaired the conference, and participants included senior policy and legal staff from Apple, Google, and Vodafone, intelligence regulators and human rights specialists from Europe and English-speaking countries, and twelve current or former directors or senior staff of intelligence and security agencies, including Germany’s BND, France’s DGSE, Sweden’s sigint agency FRA, Australia’s ASIO and ASIS, Canada’s CSIS, the CIA, and GCHQ and MI6.
The conference was conducted under the Chatham House Rule, which attempts to promote open and frank discussion by forbidding the public attribution of statements to particular attendees. Conference participants agreed that the Snowden leaks had stimulated overdue change towards transparency, “or at least ‘translucency,’” that relatively little embarrassing information had emerged from the leaks, and that the most embarrassing revelations were about spying on friendly states. There was also agreement that intelligence agencies should make front door requests for data from internet companies, instead of engaging in hacking or intercepting data flows, and that oversight should extend beyond data collection to data analysis and the use and sharing of data. The Ditchley Foundation is scheduled shortly to publish the conference conclusions, which focus on accountability, regulation, and oversight.
May 22, 2015
Janine Gibson, the editor who oversaw the coverage of the Snowden revelations that won The Guardian its first Pulitzer Prize, is leaving The Guardian after being passed over to replace Alan Rusbridger as senior editor when he departs next month. Last year, Gibson had come close to moving to The New York Times before Jill Abramson left that paper.
May 15, 2015
At a hearing in the UK Investigatory Powers Tribunal (IPT) on complaints brought by Privacy International and seven internet companies against the GCHQ and the Secretary of State for the Foreign and Commonwealth Office, the complainants stated that the day before the hearing began, the government had notified them for the first time that the Computer Misuse Act (CMA) had been amended to exempt GCHQ staff, intelligence officers and police from prosecution for hacking into computers, laptops and mobile phones. The exemption from prosecution in amended Savings Clause 10 of the CMA was promulgated as part of the Serious Crime Act 2015, which received royal assent on March 3, 2015 and came into effect on May 3. There was no public debate on the amendment, and no Privacy Impact Assessment was published. While the Ministry of Justice, Crown Prosecution Service, Scotland Office, Northern Ireland Office, GCHQ, Police and National Crime Agency were consulted as stakeholders, neither regulators, commissioners responsible for overseeing the intelligence agencies, the Information Commissioner’s Office, industry, nor NGOs were notified or consulted.
A UK government fact sheet on the amendments to the CMA is available at https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/415953/Factsheet_-_Computer_Misuse_-_Act.pdf
For discussion of Privacy International’s and the seven internet companies’ complaints before the IPT, see Sections II (A) and (B) of Aidan Booth and Adina Schwartz, “Challenges in the UK to surveillance by the NSA and GCHQ,” available on this website.
May 8, 2015
Journalist Ahmad Muaffaq Zaidan, Al Jazeera’s longtime Islamabad bureau chief, was identified as a likely courier for senior Al Qaeda leaders in a slide from a June 2012 NSA PowerPoint presentation on the SKYNET program, which detects suspicious patterns in location and metadata gathered from bulk call records. The slide indicated that Zaidan had previously been placed on the US intelligence community’s Terrorist Identities Datamart Environment (TIDE) database, and identified Zaidan as a member of the Muslim Brotherhood as well as Al Qaeda.
Zaidan, who rose to international prominence after 9/11 because of his access to senior Al Qaeda leaders, denied belonging to either Al Qaeda or the Muslim Brotherhood in an interview with The Intercept, and stated, through Al Jazeera, that interviewing key people in Afghanistan and Pakistan was crucial to the journalistic mission of informing the public. Although Zaidan had interviewed Bin Laden multiple times and received a number of his taped messages to Americans, in May 2010, Bin Laden wrote that “journalists may be involuntarily monitored in a way that we or they do not know about, either on ground or by satellite, especially Ahmad Zaydan of Al Jazeera, and it is possible that a tracking chip could be put into some of their personal effects before coming to the meeting place.”
Another 2012 NSA presentation indicates that major Pakistani telecommunications companies provided the call data for SKYNET, but does not specify the technical means by which the data was obtained. According to the presentation, SKYNET discovers terrorist connections through such questions as “who has traveled from Peshawar to Faisalabad or Lahore (and back) in the past month? Who does the traveler call when he arrives?” and by considering such behaviors as “excessive SIM or handset swapping,” “incoming calls only,” “visits to airports,” and “overnight trips.”
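The behavioral questions quoted above (round trips between named cities within a month, the first call placed on arrival, SIM or handset swapping, incoming-only numbers, overnight stays) can be computed directly from call detail records. The following is an added example, not code from the page or from the NSA presentation it describes: it derives those features from a constructed set of call records and applies a simple flag. The record layout, the field names, the home city and the flag rule are all assumptions chosen for illustration; the page does not describe how SKYNET actually weights its features.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample call detail records (not real data). One record per call event:
# msisdn = subscriber number, imei = handset, imsi = SIM, direction in/out,
# peer = other party, ts = UTC timestamp, city = location of the serving cell.
SAMPLE_CDRS = [
    {"msisdn": "A", "imei": "H1", "imsi": "S1", "direction": "out", "peer": "X", "ts": "2012-06-01T09:00", "city": "Peshawar"},
    {"msisdn": "A", "imei": "H1", "imsi": "S1", "direction": "in",  "peer": "Y", "ts": "2012-06-03T20:00", "city": "Lahore"},
    {"msisdn": "A", "imei": "H2", "imsi": "S1", "direction": "out", "peer": "Z", "ts": "2012-06-04T08:00", "city": "Lahore"},
    {"msisdn": "A", "imei": "H2", "imsi": "S2", "direction": "out", "peer": "X", "ts": "2012-06-06T10:00", "city": "Peshawar"},
    {"msisdn": "B", "imei": "H3", "imsi": "S3", "direction": "in",  "peer": "A", "ts": "2012-06-02T11:00", "city": "Karachi"},
    {"msisdn": "B", "imei": "H3", "imsi": "S3", "direction": "in",  "peer": "Q", "ts": "2012-06-05T12:00", "city": "Karachi"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def by_subscriber(cdrs):
    """Group records per subscriber, parse timestamps and sort chronologically."""
    groups = defaultdict(list)
    for r in cdrs:
        groups[r["msisdn"]].append(dict(r, ts=parse_ts(r["ts"])))
    for evs in groups.values():
        evs.sort(key=lambda e: e["ts"])
    return groups


def round_trip(events, origin, dests, window_days=30):
    """First origin -> destination -> origin sequence within the window, as
    (departure_ts, return_ts); None if no such pattern exists."""
    start, state = None, 0  # 0: not yet at origin, 1: at origin, 2: seen at a destination
    for e in events:
        if e["city"] == origin:
            if state == 2 and e["ts"] - start <= timedelta(days=window_days):
                return start, e["ts"]
            start, state = e["ts"], 1  # (re)start the pattern from this origin sighting
        elif state >= 1 and e["city"] in dests:
            state = 2
    return None


def first_call_on_arrival(events, dests):
    """Peer of the first outgoing call after the subscriber is first seen in a destination."""
    arrived = False
    for e in events:
        if e["city"] in dests:
            arrived = True
        if arrived and e["direction"] == "out":
            return e["peer"]
    return None


def features(events, home, dests, window_days=30):
    # An overnight trip: two consecutive events in the same non-home city on different dates.
    overnight = sum(
        1 for prev, cur in zip(events, events[1:])
        if prev["city"] == cur["city"] != home and prev["ts"].date() != cur["ts"].date()
    )
    return {
        "sim_swaps": len({e["imsi"] for e in events}) - 1,
        "handset_swaps": len({e["imei"] for e in events}) - 1,
        "incoming_only": all(e["direction"] == "in" for e in events),
        "overnight_trips": overnight,
        "round_trip": round_trip(events, home, dests, window_days),
        "calls_on_arrival": first_call_on_arrival(events, dests),
    }


def score_all(cdrs, home="Peshawar", dests=("Faisalabad", "Lahore")):
    """Per-subscriber feature vectors; home/dests mirror the cities named on the slide."""
    return {m: features(evs, home, dests) for m, evs in by_subscriber(cdrs).items()}


def flag(feat):
    """Assumed, illustrative rule: a round trip plus any one evasion-style signal."""
    return feat["round_trip"] is not None and (
        feat["sim_swaps"] > 0 or feat["handset_swaps"] > 0 or feat["overnight_trips"] > 0
    )


if __name__ == "__main__":
    for msisdn, feat in score_all(SAMPLE_CDRS).items():
        print(msisdn, "FLAGGED" if flag(feat) else "clear", feat)
```

Subscriber A, who makes a Peshawar-Lahore-Peshawar trip, stays overnight, swaps handset and SIM, and calls Z on arrival, is flagged; subscriber B, an incoming-only number, is not. The point worth noting is that A's pattern is exactly what a reporter travelling to interview sources would also produce, which is the concern the Zaidan entry raises: these features describe movement and contact habits, not intent.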
May 7, 2015
The BND reportedly ended its cooperation with the NSA after the NSA refused to accept the condition, set by Chancellor Merkel and the BND, that the NSA provide a justification for each surveillance request. In an effort to defuse the scandal over the BND’s cooperation with the NSA, Chancellor Merkel offered to testify before the German Parliament.
May 5, 2015
Responding to suspicions that the NSA and BND might have spied on Austrian companies or government agencies, the Austrian Interior Ministry filed a complaint with the prosecutor’s office against an unknown entity, alleging that surveillance might have been secretly conducted to Austria’s disadvantage.
While reaffirming her position that friends do not spy on friends, Chancellor Angela Merkel also responded to questions by stating that the German “intelligence services, especially the B.N.D., … must and will cooperate internationally to protect the bodies and lives of 80 million Germans as best they can” and that means cooperating “first and foremost” with the NSA.
May 4, 2015
In response to revelations of the BND’s use of NSA-provided selectors that targeted German and other European governments and officials, EU institutions, and European companies, the German Federal Prosecutor’s Office is reviewing whether there is “initial evidence” of a criminal offense, such as espionage or treason-related crimes, that falls within its jurisdiction. One of the targets of the surveillance, the largest European defense company, Airbus, formerly known as EADS, filed a criminal complaint in Germany against persons unknown for industrial espionage.
In 2012, the BND, GCHQ and NSA began operation Monkeyshoulder to collect signals intelligence at the internet hub in Frankfurt operated by Deutsche Telekom. Training workshops took place until the operation was stopped by BND head Gerhard Schindler in August 2013.
The US is also suspected of targeting Chancellery staff in Berlin or targeting journalists.
Detailing “[t]he blame game [that] has long since begun in the German capital [and] efforts to determine who knew what and when and who misled which supervisory authority and when,” Der Spiegel concluded that “this scandal of the BND, NSA-spying, a lack of control and lying cabinet members could seriously shake the foundations of [Chancellor Merkel’s] power.”
April 24, 2015
As part of assisting the German Parliamentary investigation of the NSA, a project group from Germany’s foreign intelligence agency, the Bundesnachrichtendienst (BND), found that during surveillance at the Bad Aibling facility in Bavaria, BND agents had used 40,000 search parameters provided by the NSA to target German and other Western European governments and companies. In the aftermath of the Snowden revelations, a BND investigation in October 2013 had concluded that at least 2,000 NSA selectors were aimed at Western European or German interests. Before that, BND agents had become aware by 2008 at the latest that the Memorandum of Agreement signed by the US and Germany in 2002 in regard to surveillance at Bad Aibling had been violated by the use of NSA selectors targeting European defense company EADS, helicopter manufacturer Eurocopter, and French agencies. Until March 2015, however, the BND assured German parliamentarians that their cooperation with the NSA at Bad Aibling conformed to the law.
April 18, 2015
Twitter announced that effective May 18, services to users outside the United States would be provided by Twitter International Company, and that the company, based in Dublin, Ireland, would handle “account information under Irish privacy and data protection law, which is based on the European Union’s Data Protection Directive.” Twitter, Inc., based in San Francisco, California, would continue to provide services, governed by United States law, to users in the United States.
April 16, 2015
Documents leaked by Snowden and jointly analyzed by The New Zealand Herald and The Intercept show that starting in 2003 or 2004, New Zealand’s Government Communications Security Bureau (GCSB) played a leading role in conducting electronic surveillance in Bangladesh to aid US counterterrorism efforts. The GCSB shared intercepted material with Bangladesh’s state intelligence service, despite reports of severe human rights abuses by Bangladeshi intelligence, but also secretly monitored the communications of Bangladesh’s lead counter-terrorism unit, the Rapid Action Battalion. Eavesdropping on mobile phone conversations was conducted from a collection site in Dhaka, likely located in a US building overseen by the NSA or CIA, since New Zealand does not have a high commission or any official building in Bangladesh.
April 11, 2015
Privacy International, Bytes for All, Amnesty International, Liberty and other civil liberties groups filed an appeal in the European Court of Human Rights from the UK Investigatory Powers Tribunal’s Judgments of December 5, 2014 and February 6, 2015 that (i) Articles 8, 10 and 14 of the ECHR were not violated by the UK’s Tempora program and (ii) after disclosures by the Intelligence Services were published in the Judgments of December 5, 2014 and February 6, 2015, the UK’s sharing of information obtained by the NSA’s Prism and/or Upstream Programs did not violate Articles 8 or 10 of the ECHR.
For a discussion of the IPT’s Judgments of December 5, 2014 and February 6, 2015, see Section I (B) of Aidan Booth and Adina Schwartz, “Challenges in the UK to Surveillance by the NSA and GCHQ,” available on this website.
April 10, 2015
Applications for the position of UN Special Rapporteur on Privacy are now being considered. The deadline for submitting applications is April 30.
The application form is available at http://www.ohchr.org/EN/HRBodies/SP/Pages/HRC29.aspx
The UK Foreign Office has refused to disclose the job title, role and responsibilities, or salary of Cressida Dick, the former head of Specialist Operations at London’s Metropolitan Police who oversaw a criminal investigation into journalists who reported on documents leaked by Snowden. In December, Ms. Dick announced that she was leaving the Met Police for a top job with the Foreign Office. Although the salaries and job titles of senior Foreign Office officials are routinely posted on line, in response to The Intercept’s Freedom of Information Act (FOIA) requests, the Foreign Office would only disclose that Ms. Dick was appointed to a “director general” position and that director generals’ salaries are between £105,000 and £208,000 ($156,000 and $309,000). Citing an exemption for information related to or provided by the intelligence services, a Foreign Office spokesperson stated that, “As the details of Ms. Dick’s exact role and responsibilities relate to security matters, they are exempt for public disclosure under the Freedom of Information Act.” The UK Information Commissioner’s Office, which enforces the UK’s freedom of information laws, will be investigating The Intercept’s complaint about the limited disclosure.
April 8, 2015
Starting in 1992, the United States Justice Department and Drug Enforcement Administration (DEA) amassed metadata on all telephone calls from the United States to as many as 116 of the 195 countries recognized by the US. Although the targeted countries changed over time, Canada, Mexico, Italy, Iran, Pakistan and Afghanistan and other countries in Europe, Asia, western Africa, Central and South America and the Caribbean were included. The DEA obtained the call records without prior judicial approval by serving administrative subpoenas on telecommunications companies. The metadata was linked to call records acquired outside the United States and to investigative reports from the DEA, FBI, and Customs Service. Although the DEA program was the model for the NSA’s bulk collection of metadata beginning in 2006, while agents reportedly searched the NSA database 300 times in 2012, that many searches of the DEA database were routinely made in a day.
In response to the Snowden revelations, searches of the DEA database were halted in September 2013, and the collected metadata was purged not long after. In lieu of bulk collection of metadata on domestic calls to foreign countries, the DEA now assembles daily lists of telephone numbers suspected of being linked to drug trafficking, and issues electronic subpoenas to telephone companies for logs of these numbers’ international calls. In a day, phone companies may be served with subpoenas for more than a thousand numbers.
The government did not publicly disclose the existence of the DEA bulk metadata program until January 2015. In the criminal case, United States v. Hassanshahi in the federal district court for the District of Columbia, in which the disclosure was made, the Justice Department redacted the list of targeted countries “to protect against any disruption to prospective law enforcement cooperation.”
The documents disclosing the DEA program in United States v. Hassanshahi are available at https://www.documentcloud.org/documents/1719876-database.html and https://www.documentcloud.org/documents/1700104-d-d-c-13-cr-00274-dckt-000049-000-filed-2015-01-15.html#document/p3/a211046
April 2, 2015
In partnership with Argentine news site Todo Notícias, The Intercept published documents leaked by Snowden showing that between 2008 and 2011, GCHQ assisted the UK government’s efforts to prevent Argentina from using either military or diplomatic means to retake the Falkland Islands. While surveillance of Argentine “military and Leadership” communications was a “high priority,” by 2011, GCHQ’s Joint Threat Research and Intelligence Group (JTRIG) was conducting offensive cyber operations. Although the particular tactics that JTRIG employed in the Falklands mission are unknown, the unit has the capacity to use “covert tools to seed the internet with false information, including the ability to manipulate the results of online polls, artificially inflate pageview counts on web sites, ‘amplif[y]’ sanctioned messages on YouTube, and plant false Facebook wall posts for ‘entire countries.’”
As of 2010, the NSA was assisting the GCHQ’s Falklands operations, despite the Obama Administration’s unwillingness to publicly support the UK government’s stance on the Falklands.
March 27, 2015
The decision of the Court of Appeal is available at http://www.bailii.org/ew/cases/EWCA/Civ/2015/311.html
March 26, 2015
New Zealand Inspector-General of Intelligence and Security Cheryl Gwyn announced that she would investigate complaints arising from recent articles on the activities of New Zealand’s Government Communications Security Bureau (GCSB) by The Intercept and its partners, the New Zealand Herald, Herald on Sunday, and Sunday-Star-Times, as well as “wider questions regarding the collection, retention and sharing of communications data.”
Also in response to the articles, former director of the GCSB Sir Bruce Ferguson stated on Radio New Zealand that, “It’s the whole method of surveillance these days – it’s mass collection. To actually individualise that is mission impossible.” Nonetheless, Sir Bruce agreed with Prime Minister John Key, the minister responsible for the GCSB, that GCSB was not spying on New Zealanders, stating that it wasn’t happening “willingly” or “intentionally.”
The articles were based on top-secret documents from 2009-2012, at which time it was illegal for GCSB to do anything leading to the interception of a New Zealand citizen’s or resident’s communications. In the event of accidental interception, such communications were required to be destroyed as soon as possible.
The Media Release by the New Zealand Office of the Inspector-General of Intelligence and Security is available at https://www.documentcloud.org/documents/1695301-new-zealand-inspector-general-gcsb-surveillance.html
Australia enacted a law requiring internet service providers and mobile phone networks to store customers’ metadata for two years. Widely-used third-party email, video, and social media platforms and apps, such as Gmail, Hotmail, Facebook, Skype, WhatsApp, Viber, and Signal, are not required to retain metadata. Nor are internal email and telephone networks, such as those maintained by universities and corporations. The exemptions, which the government publicly announced, cast doubt on the law’s ability to achieve its intended purpose of combating domestic terrorism.
Spearheaded by Germany and Brazil, the United Nations’ top human rights body, the Human Rights Council, unanimously adopted a resolution calling for the appointment of a special rapporteur on the right to privacy for an initial period of three years.
The resolution is available at https://www.privacyinternational.org/sites/default/files/SR resolution.pdf
At the ECJ hearing in the case against Facebook described in the March 24 entry below, an attorney for the European Commission (EC) refused to confirm that the Safe Harbor rules adequately protect EU citizens’ privacy, stating that “You might consider closing your Facebook account, if you have one.” Nonetheless, the EC and the Irish Data Protection Supervisor argued that reforming Safe Harbor should be up to the EC, and the EC asserted that the continued existence of Safe Harbor was economically and politically necessary.
March 24, 2015
The European Court of Justice (ECJ) heard arguments in the case against Facebook brought by Austrian digital rights activist Maximilian Schrems and referred to the ECJ by the Irish High Court. The case raises the question of whether the Safe Harbor agreement between the EU and the US adequately protects EU citizens’ privacy.
A lawyer for Mr. Schrems stated that, “Mass surveillance is manifestly incompatible with the fundamental right to privacy and data protection,” and maintained that Mr. Schrems’ right to privacy was violated even though there was no evidence that the NSA had specifically accessed his data. A representative of the U.K. government warned that a victory for Schrems “would have quite serious effects…risking disruption of trade that carries significant benefit for the EU and its citizens.” While the European Commission also supported the Safe Harbor Agreement, lawyers for the governments of Belgium, Poland and Austria supported Schrems.
The Wall Street Journal called the case “the biggest threat yet” to the Safe Harbor Agreement, and stated that the lead judge on the case, Thomas von Danwitz, “appeared sympathetic” to Schrems’ position.
The Advocate General of the ECJ is scheduled to issue a non-binding opinion on June 24, and the Court is expected to issue its decision in October.
For a discussion of the Irish High Court’s decision, see Aidan Booth and Adina Schwartz, “Challenges in Europe to Surveillance by the NSA and GCHQ,” available on this website.
March 23, 2015
The Privacy and Civil Liberties Oversight Board (“PCLOB”) issued a request for comments from the public in regard to the implications for privacy and civil liberties of counterterrorism activities conducted by United States intelligence agencies under the authority of Executive Order 12333. The period for comments runs through June 16, 2015.
A New York Times editorial entitled “Britain’s Surveillance State” criticized the ISC report, linked to and described in the March 12 entry below, for proposing reforms “that are mostly cosmetic and would do little to protect individual privacy.” The editorial stated that the largely unsuccessful legal challenges brought before the IPT to the Prism and Tempora programs (see the February 6 entry below) “are likely to end up in the European Court of Human Rights [which] has taken an expansive view of the individual’s right to privacy under the European Convention on Human Rights.”
A top-secret document last modified on May 6, 2013 shows that as part of an ultimately unsuccessful effort to have Trade Minister Tim Groser appointed director-general of the World Trade Organization (WTO), New Zealand’s Government Communications Security Bureau (GCSB) intercepted communications pertaining to competing countries’ candidates. Using the NSA’s XKEYSCORE system, the GCSB searched the body of emails for references to Groser, the WTO, the director-general candidacy, and the last names of the eight other candidates. GCSB also targeted all internet communications (not just emails) pertaining to Indonesian candidate Mari Pangestu. The instructions for the keyword searches were in French and Spanish as well as English.
According to The New Zealand Herald, “Deploying GCSB’s surveillance capabilities to gain the upper hand in the WTO selection is far away from terrorism, the Islamic State and other security issues for which Mr Key [the current Prime Minister of New Zealand, who was the minister responsible for the GCSB at the time of the WTO surveillance] has claimed the agency is used.” “While the New Zealand Government collected intelligence on the other eight countries’ candidates, it is unlikely that those countries [South Korea, Indonesia, Brazil, Mexico, Kenya, Ghana, Jordan and Costa Rica] were spying on Mr Groser and New Zealand’s lobbying effort in return. None of the eight countries targeted in the operation have the capability to conduct surveillance against the internet on a global level.”
The GCSB had access to XKEYSCORE due to its membership in the Five Eyes alliance. According to an April 2013 NSA document, GCSB “continues to be especially helpful in its ability to provide NSA ready access to areas and countries that are difficult for the United States to access.” China, India, Pakistan, Vietnam, Iran, Japan, North Korea and South American and Pacific Island nations are among the countries that have been subject to GCSB surveillance.
The May 6, 2013 document is available at http://media.nzherald.co.nz/webcontent/document/pdf/201513/WTO document.pdf
Documents leaked by Snowden and jointly analyzed by CBC News/Canada and The Intercept show that Canada’s Communications Security Establishment (CSE) has the ability to hack into networks to gather intelligence or damage infrastructure, such as electricity, transportation or banking systems. CSE also is able to transmit propaganda over social media, to disrupt online traffic by such techniques as deleting emails, freezing internet connections, blocking websites and redirecting wire money transfers, and to conduct “false flag operations” that make other governments appear responsible for attacks. An April 2013 NSA briefing note states that, “NSA and CSEC cooperate closely … [on] active computer network access and exploitation on a variety of foreign intelligence targets, including CT [counter terrorism], Middle East, North Africa, Europe, and Mexico.”
The Anti-Terrorism Act, Bill C-51, is currently being debated in the Canadian Parliament, and could legalize CSE’s use of some of these capabilities.
March 20, 2015
In response to a Freedom of Information Act (FOIA) request by reporter Ryan Gallagher of The Intercept, the UK’s Metropolitan Police Service refused to release any information about the status of the criminal investigation that it launched into Guardian journalists who reported on the Snowden documents, despite having acknowledged the existence of the investigation at Parliamentary hearings in 2013. In refusing to either confirm or deny that it held any information concerning any “current or previous investigations,” the Met Police stated that, “In this current environment, where there is a possibility of increased threat of terrorist activity, providing any details even to confirm or deny that any information exists could assist any group or persons who wish to cause harm to the people of the nation which would undermine the safeguarding of national security.”
The refusal notice was issued in late February, and upheld by Met Police this month after an appeal. The Intercept has filed a complaint with the Information Commissioner’s Office, the public body that enforces the U.K.’s freedom of information laws.
The response to the FOIA request is available at https://www.documentcloud.org/documents/1689943-uk-met-police-snowden-criminal-investigation.html
March 19, 2015
Admiral Michael S. Rogers, who heads both the NSA and its military cousin, the United States Cyber Command, told the Senate Armed Services Committee that because “a purely defensive reactive strategy will be both late” and “incredibly resource-intense,” the US needs to expand its ability to conduct cyber attacks in order to deter attacks by other countries.
In a speech in which he praised the journalists who worked on the Snowden archive, Vice Chancellor Sigmar Gabriel of Germany lamented that Snowden was stuck in “Vladimir Putin’s autocratic Russia” because no other country was willing and able to protect him from imprisonment in the US. In response to questioning afterwards by Glenn Greenwald, who was present at the event to receive an award, the Vice Chancellor explained that Germany would not and could not offer Snowden asylum because the US had threatened to cut Germany off from all sharing of intelligence if it did so.
March 18, 2015
Privacy International published the UK government’s Open Response of February 6, 2015 to challenges brought before the IPT by Privacy International in regard to illegal hacking and by seven Internet Service Providers and Privacy International in regard to alleged network infrastructure attacks. In accord with the UK Intelligence Services’ traditional “neither confirm nor deny” (NCND) policy in regard to all factual details about their operations, the Open Response was accompanied by a Closed Response accessible only by the IPT. To argue that NCND was compatible with the foreseeability requirement of the “in accordance with the law” test under Article 8 of the ECHR, the Respondents invoked the IPT’s power to examine their “below the waterline” arrangements in closed hearings. In addition, the Respondents relied on the draft Equipment Interference Code of Practice (the “EI” Code) that the Home Office published on February 6, 2015.
Notwithstanding NCND, the Open Response indicates that the EI Code allows “intended”, as well as “collateral,” “interference with the equipment” of “individuals who are not intelligence targets in their own right.” At the same time, the Claimants are criticized for making “very extreme factual allegations about the scope, scale and nature of GCHQ’s activities ….”
The Open Response and Privacy International’s press release are available, respectively, at https://www.documentcloud.org/documents/1688275-privacy-greennet-open-response-6-feb-2015.html, and https://www.privacyinternational.org/?q=node/545
See Section II of Aidan Booth & Adina Schwartz, “Challenges in the UK to Surveillance by the NSA and GCHQ,” available on this website, for a discussion of these challenges before the IPT.
March 17, 2015
In an explicit attack on the UK Parliament’s Intelligence and Security Committee (ISC), a former head of MI6, Sir Richard Dearlove, called for an independent watchdog, comprised of “citizens’ groups,” NGO’s, and people who “really understood technology,” to be established to scrutinize the operations of MI5, MI6, and GCHQ.
March 16, 2015
By an 11-1 vote, the Judicial Conference Advisory Committee on Criminal Rules approved amending Rule 41 of the Federal Rules of Criminal Procedure to allow judges to authorize warrants for remote searches of computers located outside their districts or at unknown locations. Under the current version of the Rule, judges are generally restricted to issuing search warrants for material located within their judicial district’s geographical bounds.
Critics warn that the proposed amendment to Rule 41 might allow the FBI to violate the sovereignty of foreign nations. In addition, the Amendment would allow the FBI to more easily infiltrate computer networks to install malicious tracking software.
The Amendment will go into effect only if approved by the Judicial Conference’s Standing Committee on Rules of Practice and Procedure, by the Judicial Conference itself, and by the U.S. Supreme Court, and then not vetoed by Congress. Even if the Amendment is passed, the process is likely to take over a year.
March 13, 2015
At a public hearing in the IPT in the Belhadj case described in the February 18 and 26 entries below, lawyers for the UK government argued that even if the government had unlawfully intercepted the complainants’ attorney-client communications, it was entitled to keep that fact a secret from the complainants, their lawyers, and the public.
March 12, 2015
The UK Parliament’s Intelligence and Security Committee (“ISC”) issued a Report, “Privacy and security: A modern and transparent legal framework,” upholding the legality of the surveillance of communications, but criticizing the legal framework for being “unnecessarily complicated” and “lack[ing] transparency.” The ISC concluded that the Intelligence Services “do not seek to circumvent the law,” and reasoned that bulk interception does not constitute mass surveillance if only a small proportion of the intercepted communications are read. “Given the extent of targeting and filtering involved, it is evident that while GCHQ’s bulk interception capability may involve large numbers of emails, it does not equate to blanket surveillance, nor does it equate to indiscriminate surveillance. GCHQ is not collecting or reading everyone’s emails: they do not have the legal authority, the resources, or the technical capability to do so.” In addition, GCHQ must “first obtain a specific authorization naming that individual, signed by a secretary of state” before searching for or examining communications of people in the UK that are acquired through bulk interception.
Separately, in a report covering January-December 2014, the Interception of Communications Commissioner, Sir Anthony May, whose office is known as IOCCO, disclosed that a GCHQ employee had been fired for performing unauthorized searches, stating that this was “the first known instance of deliberate abuse of GCHQ’s interception and communications data systems in this way.”
The ISC Report is available at http://isc.independent.gov.uk/news-archive/12march2015
The IOCCO Report is available at http://www.iocco-uk.info/docs/IOCCO Report March 2015 %28Web%29.pdf
March 11, 2015
The District Court of The Hague ruled that a Dutch law requiring telecommunications providers to collect and store traffic data for up to 12 months violated the rights to privacy and to the protection of personal data. Although appealable, the ruling is effective immediately, relieving telecommunications companies of any obligation to collect or retain data.
March 10, 2015
Documents from 2010-2012 leaked by Snowden show that researchers working with the CIA engaged in sustained efforts to break the security of Apple’s iPhones and iPads. The research was presented at the CIA’s annual Trusted Computing Base Jamboree, whose aim is to host “presentations that provide important information to developers trying to circumvent or exploit new security capabilities,” as well as to “exploit new avenues of attack.” Consistent with the Apple research, the Congressional Budget Justification, widely known as the “Black Budget,” leaked by Snowden from 2013, speaks of a US government commitment to analyzing “secure communications products, both foreign and domestic” in order to “develop exploitation capabilities against the authentication and encryption schemes.”
Responding to proposals by Prime Minister David Cameron, the UK’s Parliamentary Office of Science and Technology (“POST”) issued a report on March 9 entitled “The darknet and online anonymity.” POST, whose mission is to provide independent, non-partisan advice on science and technology to Members of Parliament, cited the Chinese government’s failed attempt to block access to Tor, stating that there is “Widespread agreement that banning online anonymity systems altogether is not seen as an acceptable policy option in the UK. Even if it were, there would be technical challenges.” The Report also rejected proposals to allow users to access the web anonymously through Tor while banning the anonymous websites accessible only through Tor (Tor Hidden Services (THS)) that comprise the darknet, explaining that THS “benefit non-criminal [as well as criminal] Tor users because they may add a further layer of user security.” In addition, it would be “technologically infeasible” to prevent access to THS from within the UK.
The Report is available at http://www.parliament.uk/briefing-papers/POST-PN-488/the-darknet-and-online-anonymity
A lawsuit alleging that the NSA’s upstream data collection program violates Article III of the Constitution and the First and Fourth Amendments and goes beyond the warrantless surveillance authorized by the FISA Amendments Act (“FAA”) was filed in the federal district court for the district of Maryland. The plaintiffs, Wikimedia Foundation, The National Association of Criminal Defense Lawyers, Human Rights Watch, Amnesty International USA, PEN American Center, Global Fund for Women, The Nation Magazine, The Rutherford Institute, and The Washington Office on Latin America, emphasize that the NSA’s upstream surveillance of the contents of communications as they pass through internet switches “is not limited to communications sent or received by the NSA’s targets. … The NSA systematically examines the full content of substantially all international text-based communications (and some domestic ones) for references to its search terms.” The plaintiffs allege that their rights are violated and that they are hindered in conducting their work because their communications are intercepted, copied and reviewed as part of the NSA’s Upstream program. In addition, they claim that the NSA is substantially likely to read, retain or disseminate their overseas communications on the ground that they are to, from, or about overseas “targets” of its upstream program.
The complaint is available at https://www.aclu.org/files/assets/wikimedia_v2c_nsa_-_complaint.pdf
An op-ed piece by Jimmy Wales, the founder of Wikipedia and a board member of the Wikimedia Foundation, and Lila Tretikov, the executive director of the Wikimedia Foundation, is available at http://www.nytimes.com/2015/03/10/opinion/stop-spying-on-wikipedia-users.html?ref=opinion
March 9, 2015
Responding to the draft of an Equipment Interference Code of Practice that the UK Home Office published for public comment from February 6-March 20, Caroline Wilson Palow, legal officer at Privacy International, stated that, “The draft code grants the intelligence services incredible powers to hack into people’s phones, computers, and communications infrastructure. The power to hack should be closely controlled and governed by legislation, as communications interception has been.” David Cook, cyber crime and data security solicitor at law firm Slater & Gordon, opined that publication of the code “seems to be a method of seeking a veneer of lawfulness over an approach which is, at its core, absolutely abhorrent,” explaining that while warrants are needed to bug particular people’s houses, the Intelligence Services “would not necessarily need a specific warrant to do the same thing by hacking a computer.” Renate Samson, chief executive of civil liberties group Big Brother Watch, warned that the code would allow anyone to be hacked; it would be “not just a case of targeting a suspect, but people who are entirely neutral, too.”
March 6, 2015
Speaking via video link from Moscow to an audience in Geneva, Switzerland that had viewed Citizenfour, Edward Snowden stated that US authorities had refused to guarantee him a fair trial and that asylum in “Switzerland would be a sort of great political option because it has a history of neutrality.” Snowden, who had been an undercover CIA operative in Geneva, said that, “I would love to return to Switzerland, some of my favorite memories are from Geneva.”
March 4, 2015
Researchers discovered a new SSL/TLS vulnerability — the FREAK attack — that allows HTTPS connections between vulnerable clients and servers to be intercepted, forcing the use of ‘export-grade’ cryptography, which can then be decrypted or altered. The vulnerability results from the Clinton Administration’s requirement that weak cryptography be used in US software and hardware exports. Although many technology companies abandoned weak cryptography once the restriction on strong cryptography in exports was lifted, the code in a range of modern devices and websites still includes weak encryption keys.
Although no FREAK attacks have been discovered, Apple and Android phones are among the devices vulnerable to the attack, and 36% of online servers are vulnerable. Apple promised to patch the vulnerability in its iOS mobile operating system and OS X Macintosh operating system by next week, and Google claimed to have already developed and provided a patch to Android manufacturers for Android connections to websites. Although Blackberry and Amazon products are also vulnerable, the companies did not respond to requests for comment by The New York Times.
Computer scientists claim that the FREAK attack illustrates the problems with US and UK government calls for the creation of back doors to allow law enforcement to intercept strongly encrypted communications. An assistant professor of computer science and engineering at the University of Michigan, J. Alex Halderman, stated that, “When computer scientists say you can’t build a crypto back door without weak encryption for everyone, this is exactly what we’re worried about.”
An explanation of the FREAK attack, including tracking of its impact, is available at https://freakattack.com.
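FREAK works because a man-in-the-middle can rewrite the client’s offer so that the server answers with an export-grade RSA suite, and a vulnerable client then accepts that suite even though it never offered it. The following is an added example, not code from the chronicle or from freakattack.com: it parses a constructed TLS ServerHello and contrasts the unchecked client behaviour with a client that rejects any suite it did not offer and any export-grade suite, plus a small audit of a server’s enabled-suite list (all sample data is constructed).

```python
import struct

# Code points of the export-grade TLS cipher suites that FREAK relies on
# (values from RFC 2246 / RFC 4346, Appendix A.5).
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

# Constructed sample offer of a modern client: ECDHE-RSA-AES128-GCM-SHA256,
# ECDHE-RSA-AES256-GCM-SHA384 and AES128-GCM-SHA256; no export suites.
CLIENT_OFFER = [0xC02F, 0xC030, 0x009C]


def build_server_hello(cipher_suite: int, version: int = 0x0303) -> bytes:
    """Construct a minimal TLS ServerHello handshake message (sample data)."""
    body = (struct.pack("!H", version)
            + bytes(32)                        # server random, zeroed in the sample
            + b"\x00"                          # empty session id
            + struct.pack("!H", cipher_suite)  # the suite the server selected
            + b"\x00")                         # compression method: null
    return b"\x02" + len(body).to_bytes(3, "big") + body


def parse_server_hello(msg: bytes) -> dict:
    """Recover protocol version and selected cipher suite from a ServerHello.
    Extensions, if present, are ignored."""
    if len(msg) < 4 or msg[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len or body_len < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                       # skip version and random
    pos += 1 + body[pos]               # skip session id length byte and session id
    if len(body) < pos + 3:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", body[pos:pos + 2])[0]
    return {"version": version, "cipher_suite": suite}


def negotiate_unchecked(server_hello: bytes) -> int:
    """The FREAK-era failure mode: take whatever suite the server chose, even one
    the client never offered."""
    return parse_server_hello(server_hello)["cipher_suite"]


def negotiate_checked(offered: list, server_hello: bytes) -> int:
    """Hardened client: the server's choice must come from the client's own offer
    and must never be an export-grade suite."""
    suite = parse_server_hello(server_hello)["cipher_suite"]
    if suite not in offered:
        raise ValueError("server selected a cipher suite the client did not offer: 0x%04X" % suite)
    if suite in EXPORT_SUITES:
        raise ValueError("export-grade suite negotiated: " + EXPORT_SUITES[suite])
    return suite


def audit_server_suites(enabled: list) -> list:
    """Server-side check: return the names of export-grade suites a server still
    has enabled; an empty list means no FREAK downgrade target is offered."""
    return [EXPORT_SUITES[s] for s in enabled if s in EXPORT_SUITES]


if __name__ == "__main__":
    downgraded = build_server_hello(0x0003)  # constructed MITM-style reply
    print("unchecked client accepted 0x%04X" % negotiate_unchecked(downgraded))
    try:
        negotiate_checked(CLIENT_OFFER, downgraded)
    except ValueError as err:
        print("checked client rejected:", err)
    print("export suites enabled on sample server:", audit_server_suites([0xC02F, 0x0008]))
```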
At a news conference in Moscow on March 3, Snowden’s Russian attorney, Anatoly G. Kucherena, said that he was working with a team of German and American lawyers to enable Snowden to return to the US with a guarantee of a legal and impartial trial. Comparing Snowden’s legal situation with that of General David Petraeus, the former director of the CIA who admittedly showed “black books” of classified information to his then-lover but was allowed to plead guilty this week to one count of removing classified documents and receive a sentence of two years’ probation and a fine of $40,000, one of Snowden’s US legal advisors, Ben Wizner of the ACLU, told The Guardian that, “The problem is that leniency is only extended to officials with friends in high places. If Petraeus deserves exceptional treatment because of his service to the nation, then surely the same exception should be offered to Edward Snowden, whose actions have led to a historic global debate that will strengthen free societies.”
February 26, 2015
The UK’s Investigatory Powers Tribunal (“IPT”) ordered that “there be a declaration that since January 2010 the regime for the interception/obtaining, analysis, use, disclosure and destruction of legally privileged material has contravened Article 8 ECHR and was accordingly unlawful.” The Order was issued after the UK government admitted, as described in the February 18 entry below, that its regime for dealing with legally privileged material was unlawful. The admission was made before a hearing in a case brought before the IPT by Libyans Abdel-Hakim Belhadj and Sami al-Saadi and their families, alleging that the security services illegally intercepted their communications with their attorneys in order to gain an unfair advantage in the civil action they brought against the UK government and others in connection with their abduction and subsequent torture by the Gaddafi regime.
Since the government would neither confirm nor deny that its illegal interception of attorney-client communications had extended to Belhadj, al-Saadi, and their families, the IPT Order of February 26 also directed that a closed hearing be held on “whether the Claimants’ legally privileged communications have in fact been intercepted/obtained, analysed, used, disclosed or retained (‘relevant interception’).” In addition, the IPT scheduled a public hearing on March 12 to consider “on the hypothetical assumption (the true position being neither confirmed nor denied), that there have been relevant interception, what if any remedies should be granted to the Claimants.”
The IPT’s Order is available at http://www.ipt-uk.com/docs/Belhadj_order_26Feb15.pdf
February 25, 2015
In response to the February 19 story in The Intercept described below, Gemalto issued a press release stating that it had “conducted a thorough investigation, based in particular on two elements: the purported NSA and GCHQ documents which were made public by [The Intercept], and our internal monitoring tools and their past records of attempts of attacks.” The principal results of the investigation were that (i) there were “reasonable grounds to believe” that NSA and GCHQ were responsible for “sophisticated attacks” detected by Gemalto in 2010 and 2011 that used the “intrusion methods” described in the leaked documents; (ii) since the attacks only breached Gemalto’s office networks, they could not have caused “a massive theft of encryption keys;” (iii) the attacks aimed to intercept keys while they were in transit between suppliers and mobile operators, but only “rare exceptions” to the “secure transfer system” that Gemalto deployed by 2010 could have caused keys to be intercepted; and (iv) even if keys were stolen, the intelligence services could only have listened in on communications on 2G, as opposed to 3G or 4G, mobile networks.
Gemalto’s Press Release is available at http://www.gemalto.com/press/Pages/Gemalto-presents-the-findings-of-its-investigations-into-the-alleged-hacking-of-SIM-card-encryption-keys.aspx
February 24, 2015
As a result of being caught in the sting operation described in the February 23 entry below, Sir Malcolm Rifkind resigned from chairing the UK Parliament’s Intelligence and Security Committee (“ISC”), but will continue to serve on the committee. In addition, Sir Malcolm stated that he would not run in the next Parliamentary election, which is scheduled for May at the latest.
February 23, 2015
Conservative UK MP Sir Malcolm Rifkind, the Chairperson of the Intelligence and Security Committee (“ISC”) of Parliament that oversees the intelligence services, was suspended from his political party after being secretly filmed responding positively to solicitations from reporters from The Daily Telegraph and Channel 4’s Dispatches who were posing as representatives of a fictitious Hong Kong-based communications agency called PMR. Sir Malcolm, whose Committee upheld the legality of the GCHQ’s use of Prism in July 2013, told the supposed PMR representatives that he could use his position to arrange “useful access” to every British ambassador in the world, and suggested that he would be willing to write to ministers on behalf of the company without providing its name. He was recorded saying, “I am self-employed – so nobody pays me a salary. I have to earn my income,” and that his usual fee for half a day’s work was “somewhere in the region of £5,000 to £8,000.”
Denying any wrongdoing, Sir Malcolm told the BBC he had only engaged in a preliminary discussion with the supposed company’s representatives. He admitted that it was “a silly thing to say” that he was not paid a salary, but stated that while an MP’s salary of £67,000 a year “sounds a lot of money to anyone earning less than that,” limiting MPs to their salaries would “exclud[e] very large numbers of very able people” from Parliament because they could not “accept such a substantial reduction in their standard of living.” Unless his colleagues on the Committee request it, Sir Malcolm does not intend to resign from chairing the ISC. “One’s got nothing to do with the other. None of the matters are remotely to do with intelligence or security.”
Characterizing the reports about Sir Malcolm’s behavior as “very serious,” Prime Minister David Cameron promised an “immediate disciplinary inquiry.”
Labour Party MP Jack Straw, who was also caught in the sting, suspended himself from his Party, and while denying that he had said anything improper to the supposed company representatives, said he was “mortified” to have fallen into the reporters’ “trap.”
February 22, 2015
Following up on the February 10 story in The Intercept, described below, on a document leaked by Snowden about cyber warfare between Iran and the United States, The New York Times reported that although the banks that Iran attacked in 2012 were not named in the document, Bank of America and JP Morgan Chase were the main targets. In addition, the Iranian attack on Saudi Aramco described in the leaked document “appeared to pave the way for a technically similar strike on Sony [by North Korea] last year.” A former senior intelligence official told The New York Times that the leaked document provided “more evidence of how far behind we are in figuring out how to deter attacks, and how to retaliate when we figured out who was behind them.”
According to the Times, the leaked document hinted that the NSA and GCHQ had arrived at a less generous arrangement than the GCHQ would have preferred for sharing information with the Israeli National Sigint Unit about cyber warfare with Iran.
February 21, 2015
The UK Home Office fully accepted the criticisms of UK Interception of Communications Commissioner Sir Anthony May of police use of the Regulation of Investigatory Powers Act (RIPA) to obtain records of journalists’ phone and email traffic without prior judicial authorization. Henceforth, Home Secretary Theresa May announced, police would be required to obtain judicially approved production orders under the Police and Criminal Evidence Act 1984. This is an interim solution pending legislation in the next Parliament.
February 20, 2015
The Wall Street Journal reported that The Intercept’s article of February 19, described below, on the NSA and GCHQ’s hacking of Gemalto “raise[d] the prospect of significant financial pain, with some analysts saying the company may be forced to recall chips if the alleged leak raises widespread worry among telecommunications customers or individual users over privacy.” In a written statement, Gemalto said that they were taking The Intercept’s article “very seriously and will devote all our resources necessary to fully investigate and understand the scope of such sophisticated techniques.” Deutsche Telekom AG, which uses Gemalto SIM cards, stated that Gemalto needed rapidly to provide an exact account of the scope of the breach.
Jan Philipp Albrecht, chief negotiator for the European Parliament on the EU’s data protection law, urged the Dutch government to investigate the allegations, stating that “[m]ember states like the U.K. are frankly not respecting [the law of the] Netherlands and partner states.” A spokesperson for the Dutch Interior Ministry declined to say whether the Netherlands would launch an investigation, but averred that the Dutch intelligence agency AIVD does not assist foreign intelligence agencies in illegal activities.
February 19, 2015
Documents leaked by Snowden and included in an article in The Intercept show that in 2010, a joint NSA-GCHQ unit, the Mobile Handset Exploitation Team, hacked into the internal computer network of Dutch multinational Gemalto, the world’s largest manufacturer of SIM cards. AT&T, Verizon, Sprint, T-Mobile, Vodafone, Orange, and some 450 wireless network providers around the world are clients of Gemalto.
Stealing the encryption keys for Gemalto chips enabled the NSA and GCHQ to avoid the need to circumvent the strong encryption on communications between 3G, 4G and LTE cell phones and wireless carriers. The agencies were able to monitor cell phone users’ calls, texts, Internet communications, and contact lists without gaining approval from telecommunications companies or foreign governments and without leaving any trace of the interception on wireless providers’ networks.
Although the documents do not reveal the actual number of encryption keys stolen, an NSA document from 2009 states that the agency was able to process between 12 and 22 million keys per second and predicted that the agency would be able to process more than 50 million keys per second. GCHQ documents state that during three months in 2010, millions of encryption keys were harvested.
Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute, stated that “[g]aining access to a database of keys is pretty much game over for cellular encryption,” and that the massive theft by the NSA and GCHQ was “bad news for phone security. Really bad news.” Gemalto executive vice president Paul Beverly told The Intercept that he was “quite concerned that this has happened,” and that “the most important thing for us now is to understand the degree” of the breach. Gerard Schouw, a member of the Dutch Parliament and the intelligence spokesperson for D66, the largest opposition party in the Netherlands, stated that, “We don’t want to have the secret services from other countries doing things like this.” Schouw and other lawmakers intend to ask the Dutch government to provide an official explanation and to clarify whether the country’s intelligence services were aware that the NSA and GCHQ were targeting Gemalto.
The NSA declined to provide any comment to The Intercept. In addition to the GCHQ’s usual “neither confirm nor deny” statement and avowal of the strictness of its legal and policy framework, a GCHQ spokesperson stated in an email that, “[T]he UK’s interception regime is entirely compatible with the European Convention on Human Rights.”
February 18, 2015
Following on the IPT (Investigatory Powers Tribunal)’s decision against the UK government on February 6 in regard to the sharing of information with the NSA’s Prism and upstream collection programs, the UK government admitted that for the past five years, the security and intelligence services had been monitoring attorney-client communications under an illegal regime. According to a government spokesperson, “we acknowledge that the policies adopted since [January] 2010 have not fully met the requirements of the ECHR [European Convention on Human Rights], specifically article 8 (right to privacy). This includes a requirement that safeguards are made sufficiently public.” The spokesperson claimed, however, that the concession “does not mean that there was any deliberate wrongdoing on their [sic] part of the security and intelligence agencies, which have always taken their obligations to protect legally privileged material extremely seriously. Nor does it mean that any of the agencies’ activities have prejudiced or in any way resulted in an abuse of process in any civil or criminal proceedings.”
The concession comes in advance of an IPT hearing in a case brought by Libyans Abdel-Hakim Belhaj and Sami al-Saadi, who allege that the security services illegally intercepted their communications with their attorneys in order to gain an unfair advantage in the civil action they brought against the UK government and others in connection with their abduction and subsequent torture by the Gaddafi regime. In accord with its usual policy, the UK government refused to either confirm or deny that Belhaj and al-Saadi’s attorney-client communications had been intercepted.
February 17, 2015
Privacy International followed up on the IPT’s Judgment of February 6 by posting a petition on which individuals from any country can provide their email addresses and telephone numbers for the purpose of having the GCHQ ascertain whether it obtained their communications from the NSA’s Prism and Upstream programs before December 2014. People whose communications are found to have been so obtained will receive a declaration from the IPT that the GCHQ violated their rights under Articles 8 and 10 of the European Convention on Human Rights. They can also request that the GCHQ delete any information about them that it obtained from the NSA before December 2014.
Over 10,000 people had signed the petition by the evening of February 17. In an email to The Intercept, a Home Office spokesperson stated that, “The current regime governing both the intelligence agencies’ external interception and intelligence sharing regimes is lawful and European Court of Human Rights compliant. This government is committed to transparency. It has made public more detail than ever before about the work of the security and intelligence agencies, including through the publication of statutory codes of practice.”
The petition is available at https://www.privacyinternational.org/?q=illegalspying
“FAQ: Did GCHQ Spy on You?” is available at https://www.privacyinternational.org/?q=node/495
February 16, 2015
At a conference in Mexico, Russian firm Kaspersky Lab published the technical details of research showing that since 2001 and increasingly aggressively since 2008, the US has deployed techniques similar to Stuxnet to infect computers in thirty countries. The greatest number of infections were found in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. Government and military agencies, banks, Islamic activists, telecommunications companies, nuclear researchers, media and energy companies were among the targets.
The reported techniques include infecting the firmware embedded in computers’ hardware, which initializes that hardware before the operating system starts. This enables encryption keys to be surreptitiously obtained from computers. Antivirus products are ineffective against attacks on firmware, and hard drives that are wiped become reinfected.
According to the Kaspersky researchers, the firmware attacks would be effective on more than a dozen companies’ disk drives, comprising essentially the entire market. For the firmware attacks to be developed, access to the proprietary source code directing the hard drives’ actions would have been required.
A former NSA employee confirmed to Reuters that Kaspersky Lab’s analysis was correct.
February 11, 2015
In the long-running Jewel case filed in 2008, Judge Jeffrey S. White of the federal district court for the Northern District of California granted the government summary judgment on February 10, 2015 against the plaintiffs’ claim that their Fourth Amendment rights were violated by the NSA’s upstream collection of their data under Section 702. In dismissing this constitutional claim without a trial, the district court relied on classified submissions by the government to find that the plaintiffs had not provided a sufficient factual basis to establish that, as AT&T customers, their Internet communications had been and were being collected under Section 702. Using Catch-22-type reasoning, Judge White opined, in the alternative, that even if the plaintiffs’ evidence of standing were sufficiently probative to defeat summary judgment, “harmful disclosures of national security information” were crucial to the government’s defense against the plaintiffs’ claims of standing and its defense on the merits. Hence, the state secrets privilege precluded any resolution in court of the plaintiffs’ Constitutional claims in regard to Section 702.
Judge White’s Order is available at https://www.eff.org/files/2015/02/10/jewel_order.pdf
February 10, 2015
An April 2013 NSA document prepared in connection with a planned meeting with the GCHQ and leaked by Snowden warned of the technological know-how that Iran had gained from cyber attacks. Speaking of Iran’s cyber attack against Saudi Aramco in August 2012, which resulted in the destruction of data on tens of thousands of computers, the document stated that, “Iran, having been a victim of a similar cyber attack against its own oil industry in April 2012, has demonstrated a clear ability to learn from the capabilities and actions of others.” While stating that it had no indication of a planned cyber attack by Iran against a US or UK target, the NSA warned that “we cannot rule out the possibility of such an attack, especially in the face of increased international pressure on the regime.”
The NSA document is available at https://firstlook.org/theintercept/document/2015/02/10/iran-current-topics-interaction-gchq
Pursuant to the requirements of Section 71 of the Regulation of Investigatory Powers Act 2000 (“RIPA”), the UK Home Office published drafts of a revised and updated Interception of Communications Code of Practice and a new Equipment Interference Code of Practice, for public comment from February 6 – March 20. The key changes in the draft Interception of Communications Code are clarification of the safeguards in Section 8(4) of RIPA for interception and handling of communications sent or received outside the UK and of the protections afforded to legally privileged and other confidential communications. The draft Equipment Interference Code explains when the UK Security and Intelligence Services, both in the UK and abroad, “can lawfully interfere with electronic equipment, such as computers, and the rules and safeguards that govern the use of any information obtained by these means.” In a Foreword, James Brokenshire MP, Minister for Immigration and Security, stated that “[t]he threat to the UK from terrorism, espionage and organised crime” had increased the importance of “[t]he abilities to read or listen to a suspect’s communications or to interfere with his or her computer equipment.” While stating that “[t]here are limits on what can be said in public,” Mr. Brokenshire acknowledged that “it is imperative that the Government is as open as it can be about these capabilities and how they are used.”
The revised and updated Codes and the UK government’s request for consultation are available at https://www.gov.uk/government/consultations/interception-of-communications-and-equipment-interference-draft-codes-of-practice
February 6, 2015
For the first time in its fifteen-year history, the Investigatory Powers Tribunal, the exclusive forum in the UK for complaints about illegal surveillance by intelligence agencies or law enforcement, issued a judgment against the Intelligence Services. In a case brought by Liberty, Privacy International, the American Civil Liberties Union, Pakistani organization Bytes For All, Amnesty International Limited, and others, the IPT held that until December 5, 2014, “the regime governing the soliciting, receiving, storing and transmitting by UK authorities of private communications of individuals located in the UK, which have been obtained by US authorities pursuant to Prism and/or (on the Claimants’ case) Upstream contravened Article 8 or 10 ECHR [European Convention on Human Rights].” The IPT found that the Intelligence Services’ policies in regard to obtaining private communications from foreign governments and storing and transmitting them, including, in particular, policies in regard to communications obtained from the NSA’s Prism and upstream collection programs, were unknown to the public until their disclosure in hearings in the case and publication in the IPT’s Judgment of December 5, 2014. Hence, until December 5, 2014, the right to privacy in Article 8 and the right to freedom of expression in Article 10 of the ECHR were violated because the rules governing the Intelligence Services’ obtaining and use of communications from Prism and the upstream data collection programs were not sufficiently disclosed to the public. By contrast, in accord with its judgment of December 5, 2014, the IPT held that as a result of the Intelligence Services’ disclosure of the governing rules, Articles 8 and 10 of the ECHR were no longer violated.
Claimants Liberty, Privacy International, Bytes For All and Amnesty International plan to appeal to the European Court of Human Rights the IPT’s Judgment of December 5, 2014 that the ECHR is (i) not violated by the RIPA legal regime governing the GCHQ’s alleged Tempora program and (ii) no longer violated by the Intelligence Services’ obtaining and use of private communications from the NSA’s Prism and the upstream data collection programs.
The IPT’s Judgments of December 5, 2014 and February 6, 2015 and its Order of February 6, 2015 are available, respectively, at http://www.ipt-uk.com/docs/IPT_13_168-173_H.pdf, http://www.judiciary.gov.uk/wp-content/uploads/2015/02/liberty-v-fco.pdf, and https://www.scribd.com/fullscreen/254908600?access_key=key-NLzI97FQvT1DBPBdjt57&allow_share=false&escape=false&show_recommendations=false&view_mode=scroll
On January 28, the Brazilian government posted its Preliminary Draft Bill for the Protection of Personal Data in order to facilitate public debate. The Draft Bill imposes obligations on individuals and organizations that process personal data through automatic means if the processing occurs in Brazil or the data is collected in Brazil. The bill would also restrict the transfer of personal data to countries not providing as high a level of data protection as Brazil.
The Draft Bill (in Portuguese only) is at http://participacao.mj.gov.br/dadospessoais/
February 3, 2015
Marking the anniversary of President Obama’s signing on January 17, 2014 of Presidential Policy Directive-28, Signals Intelligence Activities (PPD-28) and his accompanying speech on intended measures to protect people’s privacy regardless of nationality, the Office of the Director of National Intelligence released “The Signals Intelligence Reform Anniversary Report 2015.” The most significant expansion of foreigners’ rights to privacy was that SIGINT collected about them must now be deleted after five years “unless the information has been determined to be relevant to, among other things, an authorized foreign intelligence requirement, or if the Director of National Intelligence determines, after considering the views of … agency privacy and civil liberties officials, that continued retention is in the interest of national security.” By contrast, the Report states that “the government must delete communications to, from, or about U.S. persons acquired [through warrantless surveillance] under Section 702 that have been determined to lack foreign intelligence value.”
Cybersecurity expert Professor Alan Woodward of Surrey University voiced concerns to the BBC about the five-year rule for retaining foreigners’ data, stating that, “Regimes change, governments change, and if they keep your data – and it’s getting easier and cheaper to keep it – who knows what it might be used for in the future?”
The Report is available at http://icontherecord.tumblr.com/ppd-28/2015/privacy-civil-liberties
January 29, 2015
On January 1, Finland’s Information Security Code (2014/ 917) came into effect, and made the obligation to protect the confidentiality of communications extend beyond telecommunications providers to all providers of electronic communications services, such as instant messaging services and online social networking tools. The Code’s approach to extraterritoriality is similar to that of the forthcoming EU General Data Protection Regulation, and its privacy protections extend to businesses established outside the EU that offer their services in Finnish or otherwise target Finnish residents.
January 28, 2015
The Intercept and Canada’s CBC News jointly reported on a PowerPoint presentation from 2012 leaked by Snowden describing the Levitation project of the Canadian counterpart of the NSA and GCHQ, the Communications Security Establishment (CSE). Under Levitation, CSE agents intercept 10 to 15 million downloads and uploads per day by people in Europe, the Middle East, North Africa and North America. Although the PowerPoint states that the CSE accesses data from 102 free file-sharing sites, the only sites named are RapidShare, SendSpace and the now defunct MegaUpload. 350 “interesting download events” are reportedly found each month, amounting to less than 0.0001 per cent of the total traffic collected. Once downloads or uploads are flagged as suspicious, CSE analysts can input the associated IP addresses into the GCHQ’s Mutant Broth database to view five hours of traffic associated with the IP address before or after the download or upload occurred. CSE analysts can also use the year’s worth of online metadata in the NSA’s Marina database to find further information about flagged IP addresses. Instead of relying on cooperation from file-sharing companies, Levitation obtains data directly from internet cables that are tapped into by the CSE’s Atomic Banjo project.
While the CSE’s ability to monitor users of RapidShare and SendSpace may have been thwarted by these sites’ encryption of their users’ connections since 2012, many popular file-sharing sites have yet to adopt encryption.
New Chinese government regulations require companies selling computer equipment to Chinese banks to turn over secret source code, submit to invasive audits, and build back doors into hardware and software. In a letter to a Communist Party committee on cybersecurity led by President Xi Jinping, the US Chamber of Commerce and other foreign business groups objected to what they saw as a growing trend for concerns about cybersecurity to be used as a guise for requiring the exclusive use of technological products and services developed and controlled by Chinese companies. According to The New York Times, “Recent calls by the director of the Federal Bureau of Investigation, James B. Comey, to assure that the United States has a key to decrypt information stored on iPhones and other devices will doubtless be used by the Chinese to argue that all governments need access to sensitive computer systems.”
A senior government official acknowledged the Chinese government’s role in recent sophisticated attacks on popular VPN services in China, and promised more of the same.
The German conference of data protection commissioners hosted a European Data Protection Day event entitled “Europe: Safer Harbor for Data Protection? – The Future Use of the Different Level of Data Protection between the EU and the US.”
At the event, the initiation of administrative proceedings in the German states of Berlin and Bremen in regard to data transfers by two US companies pursuant to the Safe Harbor Framework was revealed.
The schedule for the event (in German only) is available at https://www.huntonprivacyblog.com/files/2015/01/Flyer_EuropäischerDatenschutztag_2015_web.pdf
January 27, 2015
In response to FOIA actions brought by The New York Times and the Electronic Frontier Foundation, on January 26, the US Department of Justice released a redacted version of an Order of May 31, 2007 in which FISC Judge Vinson relied on the “roaming wiretap” provisions of FISA to authorize warrantless surveillance of the contents of foreign telecommunications. Also released was an Order and Memorandum Opinion of August 2, 2007 in which Judge Vinson ruled that the provision for warrantless surveillance in his Order of May 31, 2007 applied to any foreign telephone number or email address for which, at the time it applied for the Order, the government had not “connected the dots” and found probable cause of use or imminent use by a member or agent of a foreign power.
The released versions of Judge Vinson’s Order of May 31, 2007 and Opinion and Order of August 2, 2007 are available at http://www.nytimes.com/interactive/2015/01/27/us/27-fisc-foia-documents.html
For discussion of the other FISC opinions and orders in 2007 pertaining to warrantless surveillance that were previously released in response to the FOIA actions by The New York Times and EFF, see the December 12 entry in Aidan Booth and Adina Schwartz, “International Chronicle of Surveillance Events-2014,” available on this website.
For a more detailed analysis of the legal issues in the FISC opinions and orders released on December 12, 2014 and January 26, 2015, see Section I H of Adina Schwartz, “Challenges in the United States to the Secrecy of NSA Surveillance,” available on this website.
January 23, 2015
At a ceremony on the historic thoroughfare of Unter den Linden, just opposite the Soviet embassy in former East Berlin, the Sam Adams Award for Integrity in Intelligence was awarded to whistleblower William Binney, former technical director of the NSA. In accepting the award, Binney stated that he had resigned from the NSA in 2001 because he believed that the agency’s bulk collection of US citizens’ data amounted to “purposefully violating the Constitution.” According to Binney, “That’s what the Stasi did, the KGB did it – every totalitarian state down through history did that.” Speaking by video hookup from Moscow, Edward Snowden, who received the Sam Adams Award in 2013, said, “Without Bill Binney, there would be no Edward Snowden.”
January 21, 2015
In a briefing paper prepared after this month’s terrorist attacks in Paris for a meeting of EU interior ministers next week, EU Counter-Terrorism Coordinator Gilles de Kerchove wrote that, “The Commission should be invited to explore rules obliging Internet and telecommunications companies operating in the EU to provide … access of the relevant national authorities to communications (ie share encryption keys).” Jan Philipp Albrecht, a Green member of the European Parliament from Germany, accused de Kerchove of reaching for “the toolbox of repressive regimes … by asking for a back-door way into encrypted communication.”
January 19, 2015
A 70,000-line spreadsheet from November 2008 leaked by Snowden summarizes information gained from a single intercept, suggesting that in a few minutes during a single day that month, the GCHQ collected emails to reporters and photographers at a dozen or more international news organizations, many United Nations officials, workers at far-flung oil companies and tens of thousands of other people.
January 17, 2015
Documents leaked by Snowden show that surveillance of the Internet is considered “Phase 0” of the US digital war attempt to “control/destroy critical systems & networks at will through pre-positioned accesses (laid in Phase 0).” A key component of the digital war strategy is “Fourth Party Collection” in which the NSA and its Five Eyes allies view the intelligence services of all other countries as potential targets. Fourth Party cyber attacks are traced, observed and analyzed with the stated aim of “[s]teal[ing] their tools, tradecraft, targets and take.”
January 16, 2015
In a filing in a prosecution for illegally exporting goods to Iran, the Justice Department revealed that the US Drug Enforcement Agency (“DEA”) had maintained records of the numbers, times, lengths and dates of calls from the United States to countries with connections to international drug trafficking and related criminal activities. Although Justice Department officials stated that telephone numbers were used to query the database only where “federal law enforcement officials had a reasonable articulable suspicion that the telephone number at issue was related to an ongoing federal criminal investigation,” phone records were retained even if there was no evidence that callers were engaged in criminal activity. As shown by the filing in the illegal export case, other law enforcement agencies had access to the DEA database.
A Justice Department spokesman said that the DEA had stopped collecting bulk call records in September 2013 and that all of the information in the database had been deleted. In a letter last March urging Attorney General Eric H. Holder Jr. not to restore the program, former head of the Senate Judiciary Committee Senator Patrick J. Leahy wrote that the DEA had been “indiscriminately” collecting “an enormous amount of information about many Americans for use in routine criminal investigations — rather than national security efforts,” and stated that he was “deeply concerned about this suspicionless intrusion into Americans’ privacy in any context, but it is particularly troubling when done for routine criminal investigations.”
In response to the Charlie Hebdo and kosher market shootings, Valérie Pécresse, a minister under former President Nicolas Sarkozy, suggested that the French government needed surveillance powers similar to those under the USA Patriot Act. The suggestion was strongly criticized on both sides of the Atlantic, with former French prime minister Dominique de Villepin warning against “exceptional” measures, and François Fillon, the prime minister under Mr. Sarkozy, stating that if any freedoms are abandoned, “we give justification to those coming to fight on our land.”
At a news conference in the White House with UK Prime Minister David Cameron, President Obama said that as part of the fight against terrorism, the US and UK governments had been talking to private companies about how they could obtain more access to encrypted messages on the Internet, while respecting “legitimate privacy concerns.”
January 14, 2015
In response to a decision by the Federal Information and Data Protection Commissioner, Switzerland’s State Secretariat for Economic Affairs (SECO) published a list of licenses issued in 2014 for the export of surveillance technology equipment, including costs and destinations. Twenty-one licenses were granted for the export of IMSI catchers, among them, exports to Ethiopia, Indonesia, Qatar, Kuwait, Lebanon, Lithuania and Thailand for a total of 8 million Swiss francs. In response to questions raised by Members of the Swiss Parliament and the government’s refusal to decide whether to grant licenses, in early 2014, companies withdrew requests to export internet monitoring equipment to Ethiopia, Indonesia, Yemen, Qatar, Malaysia, Namibia, Oman, Russia, Chad, Taiwan, Turkmenistan, UAE, and China.
January 11, 2015
On January 9, 2015, in response to a court order in a FOIA lawsuit brought by The New York Times, the Justice Department released a redacted version of a previously wholly classified report by the Department’s Inspector General (“IG”) in September 2012 on the FBI’s activities under Section 702, the warrantless surveillance provision of the FISA Amendments Act. The Report stated that in 2008, the FBI began reviewing NSA agents’ selection of email accounts for targeting under the Prism program, but saw “no reason to presume that the NSA is not upholding its constitutional duty” or “to question the [NSA’s] presumption that the vast majority of persons who are located overseas are not United States persons and that most of their communications are with other, non-United States persons who are also located overseas.” Beginning on October 14, 2012, raw data acquired by NSA agents under 702 was “dual routed” for analysis and retention by the FBI, and the FBI began nominating new email accounts and phone numbers for use in targeting communications in April 2012.
The Report also showed that after FISC Judge Vinson refused in April 2007 to re-authorize the warrant that Judge Howard had granted in January for indiscriminate interception of contents of communications, and Judge Howard’s subsequent one-time temporary renewal of the warrant expired, Judge Vinson issued a warrant on May 31, 2007 for the interception of international communications to and from specific email addresses and phone numbers that he found probable cause to believe were being or about to be used by agents of a foreign power. A former senior Justice Department official claimed that by requiring the NSA to make probable cause showings for each selector email address and phone number, Judge Vinson “caused the NSA to place fewer foreign selectors under coverage than it wanted to.” As a result of this and “the comparatively laborious process [that Judge Vinson’s Order imposed] for targeting selectors,” the Bush Administration accelerated the efforts to gain legislative approval for warrantless surveillance that led to the enactment of the Protect America Act in August 2007.
The heavy redactions in the released version of the IG’s Report include only one uncensored reference to the Prism program, and a New York Times attorney stated that it might challenge the redactions at a later stage in the FOIA litigation.
The redacted version of the IG’s report is available at http://www.nytimes.com/interactive/2015/01/12/us/12-doj-ig-fbi-702-foia.html
January 7, 2015
In response to questions by the Committee on Civil Liberties, Justice and Home Affairs, the Legal Service of the European Parliament issued an opinion on the implications of the invalidation of the EU Data Retention Directive by the European Court of Justice (“ECJ”) in Digital Rights Ireland (the “DRI judgment”). According to the opinion, the DRI judgment might be applied, in separate proceedings before the ECJ, to lead to the invalidation in whole or part of existing EU laws “requiring mass personal data collection other than traffic data, storage of the data of a very large number of unsuspected persons and access to and use of such data by law enforcement authorities” (e.g., the Terrorist Finance Tracking Program (“TFTP”) agreement and the Passenger Name Records (“PNR”) agreements with the US and Australia). Pending EU international agreements and new and pending internal EU legislation in “the general context of programmes of surveillance must clearly now take account of the reasoning of the Court of Justice in the DRI judgment.” While any obligation on the part of Member States to retain traffic data on publicly available telecommunications services and networks is abolished by the DRI judgment, any data retention laws enacted by Member States must conform to the judgment.
The opinion of the Legal Service is available at https://s3.amazonaws.com/access.3cdn.net/27bd1765fade54d896_l2m6i61fe.pdf