Published: Mon, 27 Mar 2017 00:00:00 -0400
Last Build Date: Mon, 27 Mar 2017 16:03:20 -0400
Mon, 27 Mar 2017 13:05:00 -0400After Khalid Farood launched a terrorist attack in Westminster, England, last week, killing four before getting killed himself, officials made it clear that Farood was not on the government's radar as a potential threat. While the details of the case are still under investigation, the theory at the moment coming out of Scotland Yard and investigators was that he was a lone attacker that self-radicalized. Farood did have a previous criminal record, but he was not seen as a terrorist threat, and it's not even clear yet whether he should have been. In response to the attack, Prime Minister Theresa May gave a short speech talking about how the United Kingdom's commitment to Democracy, freedom, human rights, and rule of law made them targets, but "Any attempt to defeat those values through violence and terror is doomed to failure." Then, over the weekend, her own administration took to the media to demand that citizens abandon those freedoms and human rights to serve the government's interests. Specifically, Amber Rudd, home secretary (the leader of the U.K.'s various national security and policing agencies) went to the press to complain about encryption as a threat to national security, though there's absolutely no evidence that encryption played any role in the failure to predict or prevent this attack. The targets here are communication tools like WhatsApp, which has end-to-end encryption that has the potential to thwart investigators. Authorities are trying to determine whether Farood communicated with anybody through encrypted messaging, but this is after-the-fact research. Whether or not authorities could have penetrated Farood's encryption wouldn't have prevented the attack because, again, he wasn't considered a terror threat. Nevertheless, the fact that Farood might have had a way to communicate without the government being able to access it is again bringing up the decades-long fight by officials to try to prevent citizens from communicating secretly. Rudd is insisting that she wants these communication apps to assist the government in bypassing encryption on demand in order to assist government investigations. We've seen these arguments a lot, both out of the United Kingdom and in the United States. The leaders of both, May and President Donald Trump, are open supporters of mass surveillance and have shown very little respect for citizen privacy. Rudd, like many of these anti-encryption officials, insist that they don't want to totally destroy our tech privacy but simply demand that tech companies assist government to gain access to targeted people's communications when they have proper warrants. The problem remains—and Rudd, like other government officials, refuses to acknowledge or engage with it—that there's no such thing as an encryption back door or bypass that can only be used by the "proper" authorities. Any bypass can be cracked by hackers, be they criminals or foreign government officials who don't have the United Kingdom's commitment to "human rights." Fortunately, Rudd is getting pushback from privacy activists (and even other officials) in England. From The Guardian: Brian Paddick, the Liberal Democrat home affairs spokesman and a former deputy assistant commissioner in the Metropolitan police, said that giving the security services access to encrypted messages would be "neither a proportionate nor an effective response" to the Westminster attack. "These terrorists want to destroy our freedoms and undermine our democratic society," he said. "By implementing draconian laws that limit our civil liberties, we would be playing into their hands. The United Kingdom has, unfortunately, already recently implemented draconian surveillance laws in the Investigatory Powers Act, which does have the potential to allow the government to try to force encryption back doors in software or devices produced by companies with offices in England. I explained what the law says in the March issue of Reason magazine. Read up here.[...]
Mon, 27 Mar 2017 08:32:00 -0400American and British banks are monitoring customers' contraception purchases, DVD-rental frequency, dining-out habits, and more in a misguided attempt to detect human traffickers, according to a new report from the British think-tank Royal United Services Institute (RUSI). Their intrusive and ineffective efforts come at the behest of government agencies, who have been eager to use asset-forfeiture powers against suspected human-trafficking rings. There are just a few problems: sophisticated trafficking operations are generally wise enough not to do suspicious business through U.S.- and U.K.-based consumer banks. And without any obvious or majorly suspicious activity to flag, bank executives have had to get creative, coming up with improbable or absurd metrics that might indicate labor- or sex-trafficking. This, in turn, exposes all sorts of innocent bank customers—including but certainly not limited to adults engaging in consensual sex work—to privacy invasions and potential involvement with the criminal justice system. The U.S. and U.K. banks RUSI researchers interviewed said they were happy to help law enforcement prosecute human traffickers and had little problems turning over financial records for people already arrested or under investigation. But proactively finding potential traffickers themselves proved more difficult. As RUSI explains, "the often unremarkable nature of transactions related to" human trafficking made finding criminals or victims via transaction monitoring a time-consuming and unfruitful endeavor. Yet financial institutions are boxed in by regulations that threaten to punish them severely should they participate in the flow of illegally begotten money, however unwittingly. The bind leaves banks and other financial services eager to cast as wide a net as possible, terminating relationships with "suspicious" customers, monitoring the bank accounts of people they know, or turning their records over to law enforcement rather than risk allegations of not doing enough to comply. Thus far, American and British regulators have given financial firms some guidance on the type of activity to flag, but this guidance has been vague and open to broad interpretation. Banks have carved out varied policies based on this, sometimes also soliciting tips and training from "modern-slavery"-awareness groups. The majority of financial firms RUSI communicated with were "from the Americas (the US in particular)," and had already taken "significant steps" to engage with the issue of human trafficking through monitoring and flagging customer accounts. In 2014, U.S. banks filed 820 suspicious-activity reports with the feds in which the phrase human trafficking appeared (accounting for 0.1 percent of all criminal-suspicion reports), but the Financial Crimes Enforcement Network (FinCEN) saw a "tremendous jump" following the release of a related advisory in fall 2015, according to Adam Szubin, former under secretary for terrorism and financial intelligence with the U.S. Treasury Department and now acting secretary of the Treasury. So what sorts of activity is being flagged? Cheap travel, online advertising, and large grocery bills: One U.S. bank told RUSI that they monitor frequent travel on cheap airlines; regular payments to classified-ad sites such as Backpage.com; and "unusual shopping patterns." As examples of suspicious shopping activity the bank implicated frequent large supermarket bills or bulk DVD rentals. Sure, such things could simply indicate large families, frequent entertaining, or lack of access to high-speed internet and streaming services—but bank staff said it could also indicate someone holding others in captivity and, as RUSI puts it, "endeavouring to occupy groups held for exploitation when they are not working." (You know, when you're an evil international slaver but don't want your forced-sex harems to get bored!) Once a customer's account is flagged for suspicious activity, bank staff will monitor future transactions more closely and search back through history for prev[...]
Fri, 24 Mar 2017 09:32:00 -0400
(image) Has Donald Trump's claim that Obama secretly wiretapped him at Trump Tower made government surveillance a hot topic again?
At this year's South by Southwest conference in Austin, Texas, Reason put together a panel of experts to discuss "Get a Warrant: The Fourth Amendment and Digital Data." The panel discussed important current surveillance and privacy issues in play right now and specifically focused on the role Congress plays in helping establish limits to authority and how citizens (and people attending the panel) can push for reforms.
I served as the moderator and was joined by Sean Vitka, director of the congressional Fourth Amendment Caucus' Advisory Committee, Neema Singh Guliani, legislative counsel for the American Civil Liberties Union, and Mike Godwin, well-known media/Internet lawyer, Reason contributing editor, and inventor of Godwin's Law.
The topics of the hourlong discussion range from warrant protections for old emails, border searches of tech devices, continued unwarranted federal surveillance of Americans, and an explanation of what Trump's wiretap fears mean for the rest of us.
Click below to listen to the conversation—or subscribe to our podcast at iTunes and never miss an episode.
src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/314107222&auto_play=false&hide_related=false&show_comments=true&show_user=true&show_reposts=false&visual=true" width="100%" height="450" frameborder="0">
Don't miss a single Reason podcast! (Archive here.) Subscribe, rate, and review!
Thu, 23 Mar 2017 13:15:00 -0400It looks like whatever House Intel Committee Chair Rep. Devin Nunes (R-California) might have been attempting to accomplish yesterday when he held a press conference to reveal some post-election surveillance of Trump's transition team may have backfired. Nunes, a Trump ally, was clearly attempting to draw attention to the argument that the intelligence community was violating the privacy of the incoming Trump administration in its data and information collection. He said the information he had received showed that the surveillance and data collection of Trump team communications was "incidental," meaning they likely were not surveillance targets themselves. But Nunes running to the press and not actually informing the rest of his peers in the House Committee first subsequently made the story about Nunes and what he was trying to accomplish instead. Trump's critics, both on the left and the right, worry that Nunes' behavior is an attempt to interfere with a congressional investigation of any possible ties between Trump and the Russian government and whether anything possibly illegal has happened. Was this all about trying to help Trump? Trump himself immediately jumped on Nunes' comments in a Time interview to defend his wiretap conspiracy tweets, which at least suggests some interesting timing. Nunes has since apologized to his Democratic counterparts in the House for not telling them first before going to the press. There is likely a very noncontroversial explanation for the data collection that implicates nobody in particular and helps inform Americans about how federal surveillance actually works if people are willing to—for however briefly—set aside their feelings about Trump. Folks may recall that prior to taking office, Trump and his transition team decided to start contacting and communicating with world leaders. In all likelihood the National Security Agency (NSA) had active permission to engage in surveillance of such people. It's not necessarily an indicator of a criminal investigation; it's the business of international intelligence. So members of Trump's team may have ended up dragged into "incidental" surveillance because of the people they were talking to. As such, what happened with Trump's folks is a perfect opportunity for Americans to understand how "incidental" surveillance of citizens' works, what happened to the data, and the inherit risks of this level of collection for all of our privacy so at least we're all informed about how all of this works. Privacy and civil liberties activists are calling for reforms to surveillance authorities in order to reduce the likelihood that private data or communications get retained and exposed the way it might have happened with Trump's team. Also of interest: Nunes has said that actually, some of the names in these reports were still "masked" (redacted), but he was able to tell who the reports were talking about based on the context. In the wake of Edward Snowden's revelations about mass collection of data from Americans' phone and online communications, government officials (all the way up to President Barack Obama himself) attempted to assure people that nobody was reading through all of our emails or listening in to all of our phone calls. But they were collecting loads of metadata (where and who we were communicating with, for how long, when and how frequently, et cetera), and experiments have shown that enough metadata is available out there to extrapolate a lot about our private behavior. But as long as this is a fight only over the behavior of Trump and his team, it's going to be tough to have a discussion or call for reform of these tools. As I noted yesterday, even vocal Democratic critics of the extent of federal surveillance are using all this to try to attack Trump's administration as potentially breaking the law even knowing full well that's not necessarily what the information collection means. Mind you, it could very well be that Nunes is indeed trying to taint an[...]
Tue, 21 Mar 2017 19:15:00 -0400In his 2006 book The Future of Assisted Suicide and Euthanasia, Neil Gorsuch expressed significant doubts about the propriety of the U.S. Supreme Court recognizing and defending unenumerated constitutional rights under the Due Process Clause of the 14th Amendment. Citing the work of the late conservative legal scholar Robert Bork, Gorsuch wrote that the Due Process Clause has been stretched "beyond recognition" by the Supreme Court when the Court interpreted it to be "the repository of other substantive rights not expressly enumerated in the text of the Constitution or its amendments." Today Gorsuch was asked about that part of his book during his SCOTUS confirmation hearings before the Senate Judiciary Committee. "I'm interested in your view of privacy," said Sen. Chris Coons (D-Del.). As every con-law aficionado watching immediately understood, Coons was referring to the fact that the right to privacy appears nowhere in the text of the Constitution. Indeed, it is precisely the sort of thing that Gorsuch meant when he referred to (and criticized) "substantive rights not expressly enumerated in the text of the Constitution or its amendments." Coons wanted to know what Gorsuch had to say about the matter now. "Do you believe the Constitution contains a right to privacy?" he asked the nominee. "Yes, Senator, I do," Gorsuch responded. "Privacy is in a variety of places in the Constitution," he said, such in the Fourth Amendment right to be free from unreasonable searches and seizures, as well as in the Third Amendment's prohibition on the quartering of troops in private homes during peacetime. And the Supreme Court has said for decades that the "Due Process Clause protects privacy in a variety of ways," Gorsuch added. "So Senator, yes, the Constitution definitely contains privacy rights." That is a very noteworthy answer. The idea that "the Constitution definitely contains privacy rights" is the exact opposite of what Robert Bork thought about this issue. Indeed, Bork was famous for castigating the Supreme Court for its 1965 decision in Griswold v. Connecticut, in which the Court first recognized a constitutional right to privacy in the course of striking down a state law prohibiting married couples from obtaining birth control devices. The problem with Griswold, Bork wrote in the Indiana Law Journal, was that the Court invented "a new constitutional right" out of thin air. "When the Constitution has not spoken," Bork declared, "the only course for a principled Court is to let the majority have its way." In other words, because the Constitution does not expressly list the right to privacy, the Supreme Court has no business enforcing that unwritten right against legislative enactments. Under the Bork-ian view, only enumerated rights are entitled to judicial protection. Neil Gorsuch certainly seemed to take the Bork-ian view in his 2006 book. But today at his SCOTUS confirmation hearings, Gorsuch seemed to take a different view. In fact, Gorsuch's argument today that "privacy is in a variety of places in the Constitution" sounds a whole lot like the Griswold case's well-known argument that a "zone of privacy" can be found among the "penumbras" and "emanations" of the Constitution's explicit guarantees. Does Gorsuch now reject the Bork-ian view of unenumerated rights? Or was he simply summarizing existing legal doctrine and keeping his own views to himself? I encourage other members of the Senate Judiciary Committee to press Gorsuch with follow-up questions about this fundamental matter of constitutional law and interpretation.[...]
Thu, 16 Mar 2017 15:00:00 -0400Last week Wikileaks finally released its much-hyped "Vault 7" data detailing the CIA's arsenal of hacking tools. The first tranche, consisting of 8,761 documents and attachments from an "isolated, high-security network" in the CIA's Center for Cyber Intelligence, reveals important information about the federal spy body's intrusion techniques, alliances with other government bodies, and internal culture from 2013 to 2016. These new details alone would be explosive. But the media's relative lack of interest in these major revelations makes this story even more curious. The CIA's hacking toolkit, while not surprising to those in the security community, should be downright paranoia-inducing for most Americans. Big Brother Really Is Watching According to the Vault 7 documents, the CIA can hack into most consumer devices, rendering even the strongest encryption techniques useless. Some of the CIA's techniques have been diabolical. For example, one exploit of Samsung smart TVs would surreptitiously spy on owners even though the device appeared to be turned off. Another, more chilling technique could be used to hack a smart car and send its driver careening into a fiery death on the road. Furthermore, the CIA's "UMBRAGE" library of foreign "fingerprints" can make it falsely appear as if other governments are behind its dirty deeds. Most of the conversation so far has revolved around the CIA's trove of "zero day vulnerabilities," computer bugs that are known only to the discoverer (which means that the software industry would have had "zero days" to patch them—get it?). Wikileaks itself has emphasized this dimension of the story: the first batch of documents was called "Year Zero," a title that might refer to the CIA's need to re-build its cyber-arsenal. While the data dump stops short of releasing the full code, the leak describes enough about the CIA's hacking techniques to render them functionally impotent. This is because software providers scrambled to patch up the vulnerabilities soon after they were made public. Assuming that most of the CIA hacks were in the leak, America's top international spy agency could be effectively powerless for the time being, at least in terms of hacking capability. This does not mean we should celebrate. The Wikileaks press release suggests that they were not the first body to get their hands on this cyber-arsenal, reporting that "the archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner." It is possible that hostile groups got their hands on these weapons first, which means that both our "enemies" and our "protectors" could have been hacking and spying on us with these methods for the past few years. Since Wikileaks has not released the entire database to the public yet, some of these vulnerabilities likely remain unpatched. As others have noted, the Vault 7 debacle serves as yet another reminder of the inherent folly in building government-mandated backdoors into secure systems or hoarding zero days to circumvent security. If powerful and capable groups like the CIA and NSA can't protect their cyber-arsenals, why should we expect others to manage it? A Tale of Two Leaks What has been most striking to me about this episode is the amazing lack of interest in the broader dimensions of the story. Compare reactions to the Wikileaks-enabled CIA leaks with reactions to the National Security Agency (NSA) leaks provided by Edward Snowden in 2013. In both cases, a notoriously secretive and powerful U.S. intelligence agency was unmasked before the world, expansive surveillance or intrusion techniques were laid bare, and the public learned of serious vulnerabilities in their privacy or their security (or both). Civil libertarians simultaneously cheered the revelations, while muttering that deep down, they knew it all along. But where the NSA leaks dominated headlines for months and stimulated executive a[...]
Thu, 16 Mar 2017 08:15:00 -0400The First Amendment Lawyers Association (FALA) is asking new Attorney General of California Xavier Becerra to end the "abuse of governmental power" perpetuated by predecessor Kamala Harris against current and former executives of the classified-ad site Backpage. On March 14, FALA—a nonprofit membership association launched in the late '60s that has boasted some of the country's top constitutional lawyers—sent a letter to Becerra condemning "the abusive prosecution of individuals associated with the online classified advertising website Backpage.com, and also the use of expansive search warrants seeking vast amounts of constitutionally-protected material, including personally identifiable information about all of the website's users." In the letter, FALA President Marc Randazza says he can identify "no theory under the First Amendment that would countenance such an abusive use of prosecutorial discretion or such a dragnet demand for information." Kamala Harris' crusade against Backpage began last fall, when she had current chief executive Carl Ferrer and former owners Michael Lacey and Jim Larson arrested for pimping and conspiracy. The premise of the charges was that Backpage—a user-generated advertising site much like Craigslist—received payment for "escort" ads that eventually resulted in prostitution, thereby making Ferrer, Lacey, and Larkin the "pimps." But it's an argument that California Judge Michael Bowman rejected, on the grounds that Section 230 of the Communications Decency Act (CDA) prohibits the criminal prosecution of web publishers for content posted by users. "The protections afforded by the First Amendment were the motivating factors behind the enactment of the CDA," noted Bowman, whose decision to dismiss the indictments is consistent with numerous other cases against classified ad sites like Backpage. As the FALA letter points out, "at least seven other courts have expressly rejected the assumption underlying the California indictment that ads for escorts or those posted in an adult services section involve illegal speech, and none have concluded otherwise." Given this, and the fact that Harris previously signed a letter acknowledging Section 230's limit on Backpage prosecutions, "it is alarming that the State sought to bring a prosecution in the first place," writes Randazza. But it didn't stop there: after Bowman's ruling, Harris' office filed another criminal complaint against Backpage, this time asserting the same pimping and conspiracy charges and adding a few counts of money laundering, too. The new complaint simply restates the previously rejected arguments for why Ferrer, Lacey, and Larkin are guilty of criminal activity. Note that the normal process would have been for the state to appeal Bowman's final ruling, but instead, Harris—who is now in the U.S. Senate—and her office tried to simply bring the same failed criminal case in another court. This sort of "forum shopping" is "a gross abuse of prosecutorial discretion and a serious violation fo the First Amendment," FALA alleges. And that's still not all: Beyond the fact of the prosecution itself, the methods employed by the prosecutors also exhibit an utter disregard for established First Amendment limits. We have learned that a subpoena was served on Backpage.com that calls for the production of massive amounts of information for a several-year period, including copies of all advertisements posted (in all content categories), all billing records, the identities of all of the website's users and their account histories, all internal communications, and even the source code for the operation of the website. This goes beyond the despised "General Warrants" that prompted the Constitution's Framer's to adopt the Fourth Amendment's protections against unreasonable searches, and violates numerous Supreme Court decisions limiting such demands for materials protected by the Fi[...]
Wed, 15 Mar 2017 13:09:00 -0400The state of New York wants to tell you what's appropriate to post online and what should be removed. The concept behind the European Union's "right to be forgotten" has crossed the Atlantic, and two state lawmakers in New York want to attempt to institute it here. The "right to be forgotten" in the European Union originated from a court ruling demanding Google and search engines remove links to a story that embarrassed a Spanish man because it detailed a previous home repossession. The story was not factually inaccurate. He insisted it was no longer relevant and that it embarrassed him, and the court agreed he had the right to have the information censored from search engines. Since 2014, search engines like Google have received hundreds of thousands of requests to have links to news reports removed and not because there's anything factually incorrect about them, but because the people within them are embarrassed by having the information public. Now, in New York, Assemblyman David Weprin and State Sen. Tony Avella (both Democrats) are attempting to implement such a law in the United States. The bill (readable here) appears remarkably far-reaching. It would allow people to demand that identifying information and articles about them to be removed from search engines or publishers if the content is "inaccurate," "irrelevant," inadequate," or "excessive." And yes, there are potentially fines involved ($250 dollars a day plus attorney's fees) for those who don't comply. Here's how the legislation defines the rather vague justifications for removal: [C]ontent, which after a significant lapse in time from its first publication, is no longer material to current public debate or discourse, especially when considered in the light of the financial, reputational and/or demonstrable other harm that the information, article or other content is causing to the requester's professional, financial, reputational or other interest, with the exception of content related to convicted felonies, legal matters relating to violence, or a matter that is of significant current public interest, and as to which the requester's role in regard to the matter is central and substantial. This would put the courts in the position of having the authority to declare what is or isn't relevant for the public to know. Reason asked First Amendment attorney Ken White of Brown, White & Osborn (and also of Popehat fame) for his analysis of the bill. He did not hold back in an emailed statement: This bill is a constitutional and policy disaster that shows no sign that the drafters made any attempt whatsoever to conform to the requirements of the constitution. It purports to punish both speakers and search engines for publishing—or indexing—truthful information protected by the First Amendment. There's no First Amendment exception for speech deemed "irrelevant" or "inadequate" or "excessive," and the rules for punishing "inaccurate" speech are already well-established and not followed by this bill. The bill is hopelessly vague, requiring speakers to guess at what some fact-finder will decide is "irrelevant" or "no longer material to current public debate," or how a fact-finder will balance (in defiance of the First Amendment) the harm of the speech and its relevance. The exceptions are haphazard and poorly defined, and the role of the New York Secretary of State in administering the law is unclear. This would be a bonanza for anyone who wanted to harass reporters, bloggers, search engines, and web sites to take down negative information, and would incentivize such harassment and inflict massive legal costs on anyone who wanted to stand up to a vexatious litigant. Also of relevance: The law extends the statute of limitations for defamation complains for online content in a way that pretty much all but removes them. The clock for the statute of limitations for defamation[...]
Fri, 10 Mar 2017 20:50:00 -0500South by Southwest attendees may not be able to recite the Fourth Amendment on command (unlike yours truly), but two early panels on technology, privacy, and surveillance indicate that protecting this right is important to quite a few of them. Today officially launches the start of this year's South by Southwest conference here in Austin. Peter Suderman blogged earlier the opening address by Sen. Cory Booker (D-New Jersey). His piece launched the "government" track segment of the conference, running up through Monday. Reason is represented here not just as journalists covering the conference: Suderman, Jacob Sullum, and I are also moderating panels on important policy issues. Conider my panel, "Get a Warrant: The Fourth Amendment and Digital Data" as a sort of table-setter for tech privacy and surveillance issues that are going to be popping up at several other panels over the next few days. That's how we decided to approach it anyway. Assisted by Sean Vitka of Demand Progress and the advisory committee of Congress' Fourth Amendment Caucus, Neema Singh Guliani, of the American Civil Liberties Union, and Mike Godwin, the media/internet lawyer who helped start the Electronic Frontier Foundation (and also has a famous law you may have heard of), we offered up a sampler platter of top tech surveillance issues in America today. Our ultimate goal, though, was to help people attending the conference understand that legislators play a key role in helping restrain the surveillance and data collection authorities law enforcement and federal intelligence services have brought to bear against America's own citizens. Of course, those who read Reason regularly could have nodded along at the information passed along by our panelists. We only touched on each issue for a few minutes, but you can read more about why President Donald Trump's claims of being illegally wiretapped matter about more than just Trump lashing out or some sort of power play over who controls the government (though that does matter, too). An important provision that gives the intelligence community a significant amount of surveillance authority needs to be renewed this year or it will expire. Congress has a vote coming, and Trump's administration has said they don't want anything changed. But civil liberties and privacy groups are calling for reforms. We touched on border tech searches and the attempts by federal officials to try to essentially intimidate travelers—both foreign visitors and Americans—into granting access to their tech devices. Vitka noted in the panel encryption plays an important role of trying to restrain the government here and likened it to vaccinations and herd immunity. These searches happen because the possibility of access remains. If more or most Americans used tougher encryption to access devices, they'd be denied enough to stop trying. Sen. Ron Wyden (D-Oregon) is trying to get a law passed to require warrants for these border tech searches. And we used the Email Privacy Act to help highlight some of the challenges facing privacy supporters in Congress. The Email Privacy Act, which would close an old legislative loophole that allows warrantless access to old emails, passed unanimously in the House of Representatives, but has not been able to get through the Senate. Established Senate leaders (and not just Republicans) have stood in the way of reforming the law, even when it has massive bipartisan support. (And when we polled the audience, many people who followed Edward Snowden's leak coverage nevertheless had no idea that this act even existed.) Following on the heels of my panel was "Are Biometrics the New Face of Surveillance?" The panel drew a large crowd, given that it's probably the latest "hotness" in how technology is facilitating government snooping. The panel was moderated by Sara Sorcher of the Christian Sci[...]
Thu, 09 Mar 2017 14:25:00 -0500Earlier this week, FBI Director James Comey spoke at the Boston Conference on Cyber Security at Boston College and addressed the growth of cyber threats. While the agency head explained that "cybersecurity is a priority for every enterprise in the United States at all levels," he also made some chilling statements that should give every American pause. "There is no such thing as absolute privacy in America," Comey announced at the conference, Politico reported. "There is no place in America outside of judicial reach." This comes on the heels of a Wikileaks dump that revealed the CIA is working on hacks into everything from smart televisions to cars. The reality of a mass surveillance state has been apparent at least since then–National Security Agency contractor Edward Snowden leaked information in 2013 that the organization was spying on the public, so admissions like these from the intelligence community should come as no surprise. Yet the candidness with which Comey admits that Americans' privacy is circumscribed is striking. He acknowledged that the law says "all of us have a reasonable expectation of privacy in our homes, in our cars, and in our devices," but provided a nice little caveat that if it has a "good reason," the state can nonetheless "invade our private spaces." "Even our memories aren't private," Comey added, according to Politico. "Any of us can be compelled to say what we saw...In appropriate circumstances, a judge can compel any of us to testify in court on those private communications." Back in 2015, a Pew Research poll found Americans were not nearly as concerned as you might think about the government spying on them. Some 54 percent were not very or not at all concerned about officials snooping on their emails; 53 percent felt the same way about their search engine data. Even when it came to cellphones, 54 percent were not concerned. Many participants explained that they were not worried about government surveillance programs as long as they were helpful in preventing terrorist attacks or criminal activity. It appears, in this instance anyway, that a substantial segment of the population prefers security to liberty. Perhaps the latest Wikileaks release will lead to more substantive discussions about privacy and mass surveillance, but as Reason's Scott Shackford pointed out in his article about the president's recent wiretapping claims, it can be hard to get people to look beyond their politics. He wrote: There is plenty to discuss about problems with how surveillance authorities are granted here in the United States—the incidental collection of our own private data, the opaqueness of the Foreign Intelligence Surveillance Court (FISC), and the potential for intelligence sharing to be abused domestically to bypass the warrant requirements of the Fourth Amendment. But none of those policy issues are being brought up in this fight at all. It's all about Trump vs. President Barack Obama. This fight just turns real surveillance issues into political intrigue and just another tool in the battle over who controls the executive branch. Everything about this issue has been and will continue to be analyzed in the terms of what it all means for Trump—and only Trump. A reminder for anyone who will be in Austin this weekend that Shackford will be discussing the future of legislating on digital privacy with experts from the Fourth Amendment Caucus, the American Civil Liberties Union, and the R Street Institute at South by Southwest tomorrow. Stop by and see him.[...]
Wed, 08 Mar 2017 14:00:00 -0500Consider this: The actual details about certain CIA cybersurveillance tools and hacking programs making it out into the public sphere aren't as important as we think. That the fact these details leaked in the first place is what matters. That our intelligence agencies cannot expect to keep their practices secret from the public at large (and other nations) should influence policy decisions on how much information they collect and how they prioritize infiltrating devices over revealing security risks. After WikiLeaks dumped thousands of documents about CIA surveillance and cyberespionage techniques Tuesday, Ed Krayewski looked through and summarized some of the more notable discoveries. There have been some responses that maybe overstate what the CIA is doing based on at least what's in these documents. The use of surveillance through smart televisions, for example, requires a person to physically interact with the television in order to install malware. There is no evidence that CIA snoops can simply access the camera in any Samsung smart television. So maybe the information from this leak is itself not particularly shocking. The CIA is doing largely what people expect them to do. That doesn't mean there's nothing important we should be learning from this info dump. Julian Sanchez, a Cato senior fellow who writes and speaks on surveillance issues and is a founding editor of Just Security, spoke to Reason (via Twitter direct messages) about the greater implications of the dump. The CIA documents demonstrated an emphasis on data and device infiltration over security and the desire to keep "zero day" exploits (security weaknesses the device or software creator doesn't initially know exists) to themselves to aid in surveillance. Except, as this latest leak demonstrates, the CIA may not actually be good at keeping these exploits secure. And that creates more cybersecurity vulnerabilities for everybody because the CIA isn't informing companies about holes in their devices and programs. "Many of us have been saying for a while that the default really ought to be quite prompt disclosure, because on net the security gain from closing vulnerabilities—defense against attacks against Americans—is likely to be greater than the value of the intelligence gleaned from maintaining the access," Sanchez says. "And I think that holds even if we're just talking about the risk of a hacker or foreign intel service independently discovering the same leak." It's not unlike the fight over encryption "backdoors," deliberately designed mechanisms to access the data of a device or program by bypassing its security systems. Government officials want to use backdoors to access data for investigations of crime or terrorism. But there's no such thing as an encryption bypass that only the "right" people can use. Just like zero day exploits, anybody with the right knowledge—regardless of whether they have good or ill intent—would be able to exploit an encryption backdoor. If even the secretive CIA cannot keep the details of its exploits out of the hands of Wikileaks, then we've surrendered both privacy and security for the benefit of the intelligence community's desire to collect information. Sanchez notes that "when you add what appears to be a very real problem of the actual tools we develop—weaponized vulnerabilities—making it into the wild, the risk of opting for retention over disclosure is even greater." The leak should also be a reminder that when the federal government snoops, collects, and stores data about everybody, there's also the risk of that information "making it into the wild." We already saw this under President Barack Obama's administration when the private personnel data on millions of federal employees was compromised. The more information the government[...]
Mon, 06 Mar 2017 14:10:00 -0500Edward Snowden may be a household name now, but the sad reality has been that federal surveillance-related issues and stories have been getting less attention and do not draw the interest of Americans the way they did back when Snowden first started blowing the whistle. So one might assume that surveillance experts and anybody who writes about "deep state" would maybe be excited that President Donald Trump's tweets over the weekend claiming that President Barack Obama tapped Trump Tower would lead to an increased visibility of these issues back in the press. Count this surveillance reporter out—and maybe a little frustrated. Part of the problem is that distilling the extremely complicated system of federal foreign surveillance regulations into general news stories leads to confused and mistaken reporting. I'm not going to go over what all the reporting about Trump's claim of being wiretapped is getting wrong but Julian Sanchez over at Just Security has a helpful explainer of what people might be misunderstanding. I will echo Sanchez's note that President Barack Obama's administration has been working on changing the regulations to relax raw intelligence sharing between federal agencies for a while now and has nothing to do with Trump. The Breitbart piece that seems to have inspired a lot of this weekend heat seems to conflate different types of surveillance authorities all under the same umbrella. Now take all that confusion about how foreign intelligence surveillance actually works and add the current panic-based, personality-focused news cycles, fed by both Trump supporters and opponents and happily abetted by media outlets. There is plenty to discuss about problems with how surveillance authorities are granted here in the United States—the incidental collection of our own private data, the opaqueness of the Foreign Intelligence Surveillance Court (FISC), and the potential for intelligence sharing to be abused domestically to bypass the warrant requirements of the Fourth Amendment. But none of those policy issues are being brought up in this fight at all. It's all about Trump vs. President Barack Obama. This fight just turns real surveillance issues into political intrigue and just another tool in the battle over who controls the executive branch. Everything about this issue has been and will continue to be analyzed in the terms of what it all means for Trump—and only Trump. Last Thursday, just two days before this wiretap complaint blew up on Twitter and in the media, White House representatives told Reuters that it didn't support any potential reforms to federal surveillance laws that might restrain the government's authority to collect data and communications of Americans. That is to say, at the same time that Trump is complaining that the federal government was inappropriately snooping on him, his administration does not want to do anything at all to reduce the likelihood that the federal government inappropriately snoops on you. So, frustratingly, this whole circus makes it feel even less likely to result in positive reforms to surveillance authorities, because it's turned the entire civil rights issue into a chest-thumping contest about whether Russia is unduly influencing Trump or his people. A panel of experts and I will be reminding citizens about how this fight actually impacts their own privacy rights at South by Southwest in Austin this Friday. Hopefully we'll be able to explain to folks that there's a whole lot more to this than Trump being upset.[...]
Thu, 02 Mar 2017 12:50:00 -0500One might think that, given that the Trump administration is struggling with national security staff leaks that appear to be designed to cause them political harm (at the very least), they'd maybe realize some of the risks of overly expansive surveillance authority and what happens when secretive government officials are in everybody else's business. But no, they're no really different from other politicians who want one set of rules for themselves and another for the rest of us. According to Reuters, the White House just announced that it does not want Congress to make any changes or reforms that would reduce the authority of federal intelligence agencies to engage in surveillance, even if compromises Americans' privacy. During this session of Congress, Section 702 of the Foreign Intelligence Surveillance Act (FISA) Amendments Act will sunset. Section 702 grants the National Security Agency (NSA) fairly broad authority to engage in electronic surveillance against foreign targets. While the basic concept that the NSA should be snooping on potentially hostile foreign actors overseas is uncontroversial to most Americans, what has become abundantly clear over the past several years is that any and all surveillance powers granted to the feds ends up being used in extremely broad ways many Americans didn't realize. Under the authorities granted by 702, data and communications from and by Americans have been scooped up during these investigations. And the broad authorities granted federal investigators have given them a path to get private information about Americans without having to get a warrant and to keep it all secret from them in cases that extend not just to the war on terror but to domestic crimes. The massive extent of federal government surveillance was exposed to Americans by the leaks of Edward Snowden. Wasn't the USA Freedom Act, passed in 2015, supposed to end—or at least restrain access—to Americans' private communications? Yes and no. That act focused on the surveillance authorities granted by the Patriot Act and the misuse of them to engage in mass, unwarranted citizens' communication metadata. There are actually several different mechanisms and authorizations that guide federal surveillance. Section 702 is separate from the Patriot Act and also separate from Executive Order 12333, the rules that establish how federal agencies share surveillance data. (President Barack Obama's administration expanded this sharing capacity between agencies right before he left office.) On Wednesday the House Judiciary Committee had hearings to discuss whether to make changes to 702 before renewing it to better protect the privacy of Americans. We don't even know how many Americans have had their personal communications collected or accessed through Section 702. In December, intelligence officials said they were going to put together a report attempting to estimate how many Americans have had their privacy compromised via Section 702's search mechanisms, but it hasn't happened yet. And it's not certain whether that report is even going to happen now. Sen. Dan Coates, Trump's nominee for director of national intelligence, told the Senate he would do everything he could to get those numbers, but it's not a guarantee. As Congress mulls what to do, privacy-minded groups like the American Civil Liberties Unions and Human Rights Watch are calling for reforms to put a stop to the use of these snooping tools to engage in warrantless searches of Americans' information. Here's a recent warning from the ACLU: The government justifies warrantless Section 702 surveillance on the theory that this spying is directed at foreigners — but, once the information is collected, the government routinely trains its sights [...]
Tue, 21 Feb 2017 13:15:00 -0500Hey, it's another "This was happening under President Barack Obama, but now everybody's freaking out about it," story. In this case, it's been established for years now by court decisions that American citizens do not have the full protection of the Fourth Amendment within 100 miles of the country's borders. Officials have for a long time, on the basis of border security, been permitted wide latitude to search travelers without warrants, even if they're United States citizens. President Donald Trump's ascendance and a new, stronger push to control border access has increased attention to this gap in our Fourth Amendment protections. A story about an attempt by the Department of Homeland Security to force a Wall Street Journal reporter to hand over her phone when disembarking from a flight got some attention on social media recently. But the story actually dates back to last July under President Barack Obama, and there was a fivefold increase in the number of border searches taking place in the year before Trump took office. But Trump's intentions to scale back immigration into the United States has drawn more attention to this abandonment of our privacy protections. Immigration officials also may be pressing to require visa applicants to hand over passwords to social media accounts so that the content may be examined. While these targets are not American citizens, we should always be concerned and extremely aware that any authorities granted to snoop on foreign targets end up eventually being used on Americans. See also: Stingray devices, fusion centers, and most of what Edward Snowden revealed. Sen. Ron Wyden (D-Ore.) has sent a letter to John Kelly, the secretary of Homeland Security, to express his concerns about Border Patrol officers attempting to get access to citizens' devices without warrants. He says he plans to introduce legislation to add some restraints to what border authorities may do: There are well-established legal rules governing how law enforcement agencies may obtain data from social media companies and email providers. The process typically requires that the government obtain a search warrant or other court order, and then ask the service provider to turn over the user's data. If the request is overbroad, the company may seek to have the order narrowed. By requesting a traveler's credentials and then directly accessing their data, CBP would be short-circuiting the vital checks and balances that exist in our current system. In addition to violating the privacy and civil liberties of travelers, these digital dragnet border search practices weaken our national and economic security. Indiscriminate digital searches distract CBP from its core mission and needlessly divert agency resources away from those who truly threaten our nation. Likewise, if businesses fear that their data can be seized when employees cross the border, they may reduce non-essential employee international travel, or deploy technical countermeasures, like "burner" laptops and mobile devices, which some firms already use when employees visit nations like China. I intend to introduce legislation shortly that will guarantee that the Fourth Amendment is respected at the border by requiring law enforcement agencies to obtain a warrant before searching devices, and prohibiting the practice of forcing travelers to reveal their online account passwords. Whether such legislation gets anywhere at all is heavily dependent on whether Senate Republicans are willing to put themselves out there to publicly vote for restraining the executive branch's surveillance authorities. We know that Republicans in the House are willing to do so. Rep. Jason Chaffetz (R-Utah) is introducing legislation to try to [...]
Sun, 19 Feb 2017 06:00:00 -0500
Big cities are great places if you're looking for work, stimulation, love, or a new life. But the density that fosters excitement and opportunity also erodes security and identity. Amid the crush of strangers, a single person can feel violated or insignificant. So city dwellers are quick to adopt any technology suitable for carving out personal space in public.
Before the smartphone or the hoodie, the iPod or the Walkman—even before the automobile—that technology was the umbrella. It gave its bearer space and a semblance of privacy. Like the smartphone and the music player, it also provided ample material for humorists, social critics, and arbiters of manners.
In 1891, an anonymous Chicago Daily Tribune columnist called the umbrella "worse than a Gatling." Average women, the writer declared, "have not yet learned to carry umbrellas and parasols in a manner satisfactory to the unarmed pedestrian with a selfish interest in the preservation of life and limb." These deadly weapons weren't today's spring-loaded compacts but big models along the lines of golf umbrellas. Carried at an angle under the arm, they jabbed anyone who got too close.
Even while mocking the umbrella's propensity to take out the knees and ribs of innocent pedestrians, the columnist acknowledged the device's important social functions. "Women rely upon it to get them through crowds, to make uncomfortable the possessors of smarter bonnets than their own, to shield themselves from too inquisitive eyes, and to defend themselves from insult if they happen to be belated without other escort," he wrote.
A closed umbrella made a handy walking stick or prop while standing. An open umbrella was a screen against prying eyes. Lovers used them to create intimate spaces as they walked together or reclined in parks or on beaches. When Mississippi banned shades and screens on the windows of saloons, in an effort to shame drinkers, bar patrons began shielding themselves with open umbrellas.
"A man taking a drink at a bar under an umbrella is certainly not an example of conviviality," wrote a New York Times reporter in 1892, "and a row of men at bars retiring with their respective drinks under their several umbrellas, like so many inedible fungi of enormous size, present, one would suppose, a picture of the horrors of intemperance more dismal than was ever drawn by the late and ophidian [temperance crusader] John B. Gough." A judge ruled the subterfuge illegal: An umbrella constituted a screen under the law.
The most telling attack on the umbrella came in Edward Bellamy's utopian novel Looking Backward: 1887–2000, published in 1888. A monster bestseller, it told the story of a man who awakens in the year 2000 to find Boston transformed into a paradise of collectivist planning. When it rains, a continuous waterproof canopy encloses the sidewalk, so no one needs an umbrella. The wise old man representing the author's views opines that "the difference between the age of individualism and that of concert was well characterized by the fact that, in the nineteenth century, when it rained, the people of Boston put up three hundred thousand umbrellas over as many heads, and in the twentieth century they put up one umbrella over all the heads."
Like the automobile later on, the umbrella offended those who imagined a more efficient mass system. They saw it only as a way to keep out the rain. But the umbrella served psychological purposes as well. On the crowded streets of the 19th century, it gave individuals a way to assert autonomy and control—to enjoy the public while preserving the private.