Monitoring NSA in de VS en erbuiten, deel 10

quote:

British mobile phone users’ movements 'could be sold for profit’ | World news | The Guardian

Hackers could steal users’ location data, finding out ‘where you are, how you got there and where you are going’, say campaigners

British mobile phone users are one data breach away from having the routines of their daily lives revealed to criminals, privacy campaigners have said.

Mobile phone networks and wireless hotspot operators are collecting detailed information on customers’ movements that reveal intimate details of their lives, two separate investigations into mobile data retention have found.

Many people unwittingly sign up to be location-tracked 24/7, unaware that the highly sensitive data this generates is being used and sold on for profit. Campaigners say that if this information were stolen by hackers, criminals could use it to target children as they leave school or homes after occupants have gone out.

It is so detailed that it can reveal customers’ gender, sexual orientation, religion and other many personal details that could present serious risks of blackmail.

“Effectively consumers are opting in to being location tracked by default,” said Geoff Revill, the founder of Krowdthink, the privacy campaign group behind one of the investigations published on Monday.

“The fact of the matter is your mobile service provider knows – without you knowing – where you are, how you got there and can figure out where you are going.”

Related: UK plans to track all internet connections could cost £1bn, campaigners warn

Such precise location data would be like “gold dust” for criminals if it found its way on to the black market, said Pete Woodward, the founder of information security experts Securious.

“The information that mobile and Wi-Fi service providers hold on location tracking is an evolving and high-risk area of cybercrime that needs urgent attention by the industry,” Woodward said. “Otherwise we will face the frightening prospect that such highly sensitive data could get into the hands of the likes of kidnappers and paedophiles.”

Krowdthink’s research found that 93% of UK citizens had opted in to location tracking, giving mobile phone and wireless operators unlimited access to their whereabouts 24 hours a day.

This data, the report says, “brings the cloud into the crowd” by connecting web users’ digital lives with their physical lives, making it one of the most intrusive forms of tracking.

Yet Krowdthink’s research, and research conducted simultaneously but independently by the Open Rights Group (ORG), found that customers were not being given clear enough information about how the data is used, or opportunities to opt out of collection.

Mystery shopping trips carried out by both groups found that mobile and wireless service providers are not telling customers upfront that all their movements will be tracked and used for marketing, and often sold on to third parties.

All the mobile phone companies contacted by the ORG said they anonymise data, which means they are not legally obliged to ask for consent to use it. But the group, which campaigns for digital rights, raised questions about the efficacy of anonymising such personal information.

Often all it takes is the cross-referencing of one set of anonymised data with another set of data, such as the electoral roll, to reveal the identities of the people tracked. Jim Killock, the ORG’s executive director, said: “Mobile service providers need to collect and keep data so that they can bill us for our services.

“But just because they collect this data does not mean that they have an automatic right to process that data for other purposes without our consent. If they don’t, they are removing our right to control this data and the risks associated with their using it.”

Related: There’s always an excuse to hack into our lives | John Naughton

Britain’s mobile phone industry is worth £14bn, with 93% of adults owning a mobile phone and 61% owning a smartphone. Data collected from these phones, including usage, web browsing and location histories, is used to build profiles that are used by advertisers and other undefined businesses.

Location data is collected from the cell towers of a mobile service provider when it tracks a customer to route a call to them. There are now 52,000 cell towers in Britain. In some areas they are as close as 50 metres apart.

Wireless hotspots are also potential location trackers, with many public providers opting customers into tracking by default in their terms and conditions. In many cases these hotspots will log registered customers’ location as they pass through, even if they do not sign in.

Krowdthink’s investigation found that some providers, including O2 and Vodafone, use the same privacy policy for wireless as for their mobile phone customers. The combination of the two networks enables them to track location with even greater fidelity of location tracking.

However, customers do have a legal right to opt out of location tracking for marketing purposes and, with the forthcoming European General Data Protection Regulation, will soon be able to demand that their location data is deleted.

Krowdthink and the ORG warn mobile users to turn off wireless internet when they are out to avoid disclosing their identities as they pass through hotspots. They also warn people to be aware that they could be providing information on their location when sharing digital photos and video images and downloading mobile apps.

Killock added: “Mobile phone companies should improve the transparency of their operations by making their privacy polices clearer, giving customers’ information about what exact data they are collecting, how long they will keep it for, how each particular type of data will be used, who it will be shared with and the risks associated with this.

“They should also make contracts available before the point of sale and marketing and location tracking opt-outs simpler.”

• The headline on this article was changed on 4 April 2016 to better reflect the story.

Bron: www.theguardian.com

quote:

WhatsApp is nu één van de veiligste chat-apps - rtlz.nl

WhatsApp is sinds vandaag één van de veiligste chat-apps die je kunt gebruiken. De dienst heeft een krachtige vorm van encryptie doorgevoerd, die beschikbaar is voor alle vormen van communicatie met de app.

Dat maakt WhatsApp vandaag bekend. Opvallend genoeg is de beveiliging sinds de overname door Facebook alleen maar opgeschroefd, terwijl gebruikers door die overname juist vreesden voor hun privacy. Het proces om de krachtige end-to-end-encryptie door te voeren, waarmee berichten alleen door de ontvanger kunnen worden ingezien, heeft ongeveer een jaar geduurd.

Open Whisper Systems
De end-to-end-encryptie van WhatsApp is gebaseerd op het Signal-protocol van Open Whisper Systems, het bedrijf achter de beveiligde chat-app Signal. De oprichter van Open Whisper Systems, Moxie Marlinspike, is een bekende privacyvoorvechter die in 2013 aan WhatsApp voorstelde om hun beveiliging op te schroeven. De ceo van WhatsApp, Jan Koum, stemde daarmee in. Ook heeft Koum zich verschillende keren publiekelijk uitgelaten over het belang van privacy en encryptie.

WhatsApp beveiligt vanaf vandaag je (groeps)chats, verzonden en ontvangen (media)bestanden en telefoongesprekken tussen alle platformen: Android, iOS, Windows Phone, Nokia S40, Nokia S60, BlackBerry en BlackBerry 10. De chatdienst wordt wereldwijd door 1 miljard mensen gebruikt.

"In sommige opzichten kun je end-to-end-encryptie zien als het eren van hoe het verleden eruitzag", legt Marlinspike uit aan Wired. "Onze communicatie gaat steeds vaker via netwerken in plaats van face-to-face of andere traditionele vormen die privé zijn. Zelfs schriftelijke correspondentie werd niet zo onderworpen aan massasurveillance als elektronische communicatie vandaag de dag."

Elkaar checken via QR-code
Bij de gesprekken in WhatsApp komt een melding te staan als er gebruik wordt gemaakt van end-to-end-encryptie. Als de ontvanger een oudere versie van WhatsApp gebruikt, staat de melding er niet. WhatsApp-gebruikers kunnen elkaar verifiëren met een qr-code of lange cijfercode, waardoor je kunt checken of je daadwerkelijk met de juiste persoon communiceert.

De encryptie van WhatsApp is, net als bij alle andere 'veilige' apps en diensten, niet 100 procent veilig. Het Signal-protocol kan bijvoorbeeld vanaf de server worden uitgeschakeld. Daarnaast uploaden veel gebruikers nog een onbeveiligde back-up van hun WhatsApp-geschiedenis naar de cloud, wat ook voor beveiligingsproblemen kan zorgen. Het is dus veiliger om die automatische back-up uit te zetten.

Het vertrouwen in Marlinspike en het Signal-protocol is daarentegen groot, want zelfs NSA-klokkenluider Edward Snowden zegt dat je de beveiliging achter Signal - en dus ook WhatsApp - kunt vertrouwen.

Bron: www.rtlz.nl

quote:

Europese privacywaakhonden vinden datadeal EU-VS te slap - rtlz.nl

Dat zegt Jacob Kohnstamm, voorzitter van de Nederlandse privacywaakhond Autoriteit Persoonsgegevens (AP), tegen RTL Z. De AP maakt onderdeel uit van de Artikel 29-werkgroep, die bestaat uit de Europese privacywaakhonden. De werkgroep is kritisch op het Privacy Shield.

Niet bindend, wel belangrijk
Het advies van de Artikel 29-werkgroep is niet bindend, maar wel belangrijk voor de ontwikkeling van de Privacy Shield-overeenkomst. De Europese Commissie heeft de privacywaakhonden om advies gevraagd. Dat is verplicht.

De Europese Commissie en Verenigde Staten hebben in februari een politieke deal gesloten waardoor het voor de meer dan 4000 Amerikaanse bedrijven, zoals Facebook, Google en Microsoft, mogelijk blijft om gegevens van Europeanen te verwerken. Denk bijvoorbeeld aan e-mailadressen, foto's en zoekopdrachten. Het Privacy Shield vervangt een oude overeenkomst, die vorig jaar ongeldig werd verklaard door het Europees Hof.

Kohnstamm denkt dat de Europese Commissie nog een 'reuze klus' heeft om het Privacy Shield rond te krijgen: "De overeenkomst zoals hij er nu ligt, beschermt de privacy van Europeanen niet voldoende."

Drie grote zorgen
De zorgen rondom het Privacy Shield vormen zich voornamelijk rondom drie onderwerpen: de internetsurveillance van de Amerikaanse geheime dienst, de onafhankelijke ombudsman die klachten over die surveillance in behandeling neemt en het opslaan van data.

Allereerst zijn de privacywaakhonden van mening dat er nog te weinig zekerheden zijn dat data van Europese burgers niet onderworpen zal worden aan de willekeurige massasurveillance van de NSA. Daarvoor biedt Privacy Shield te weinig waarborgen.

Ook wordt getwijfeld aan de onafhankelijkheid van de Amerikaanse ombudsman: hoe onafhankelijk is een Amerikaanse klachtbehandelaar die Europese klachten over de Amerikaanse regering behandelt? Volgens Kohnstamm worden Europeanen met het Privacy Shield 'bijna als Noord-Koreanen' behandeld: "Het hele klachtproces is enorm ondoorzichtig en we vrezen dat klachten van Europeanen niet serieus worden gehoord."

Het derde punt waar de privacyautoriteiten zijn bedenkingen bij heeft, is de manier waarop gegevens in de VS worden bewaard. In Europa geldt een wet dat data alleen wordt bewaard als dat strikt noodzakelijk is. "Zo'n bepaling zien wij niet terug in het Privacy Shield", laat Kohnstamm weten.

Lobbyen
Tegenover de kritische privacyorganisaties staat het Amerikaanse bedrijfsleven, dat afhankelijk is van data-uitwisseling tussen Europa en de VS. Zij hebben de afgelopen periode flink gelobbyt om het Privacy Shield erdoorheen te krijgen. Onder andere Microsoft steunt de datadeal.

De Europese Commissie heeft als doel om voor deze zomer het Privacy Shield rond te krijgen. Na de zomer beginnen de presidentiële verkiezingen in de VS, waardoor de aandacht van de Amerikaanse politiek vooral daarnaartoe gaat.

Het advies van de autoriteiten is ook belangrijk voor het Europees Parlement en de Europese Raad. Het Europees Parlement kan advies geven over het Privacy Shield. De Europese Raad, die bestaat uit de bestuurders van de Europese landen, moet het Privacy Shield nog officieel goedkeuren.

Bron: www.rtlz.nl

quote:

EFF Sues for Secret Court Orders Requiring Tech Companies to Decrypt Users’ Communications

quote:

San Francisco—The Electronic Frontier Foundation (EFF) filed a Freedom of Information (FOIA) lawsuit today against the Justice Department to shed light on whether the government has ever used secret court orders to force technology companies to decrypt their customers’ private communications, a practice that could undermine the safety and security of devices used by millions of people.

The lawsuit argues that the DOJ must disclose if the government has ever sought or obtained an order from the Foreign Intelligence Surveillance Court (FISC) requiring third parties—like Apple or Google—to provide technical assistance to carry out surveillance.

The suit separately alleges that the agency has failed to turn over other significant FISC opinions that must be declassified as part of surveillance reforms that Congress enacted with the USA FREEDOM Act.

EFF filed its FOIA requests in October and March amid increasing government pressure on technology companies to provide access to customers’ devices and encrypted communications for investigations. Although the FBI has sought orders from public federal courts to create a backdoor to an iPhone, it is unclear to what extent the government has sought or obtained similar orders from the FISC. The FISC operates mostly in secret and grants nearly every government surveillance request it receives.

The FBI’s controversial attempt to force Apple to build a special backdoor to an iPhone after the San Bernardino attacks underscored EFF’s concerns that the government is threatening the security of millions of people who use these devices daily. Many citizens, technologists and companies expressed similar outrage and concern over the FBI’s actions.

Given the public concern regarding government efforts to force private companies to make their customers less secure, EFF wants to know whether similar efforts are happening in secret before the FISC. There is good reason to think so. News outlets have reported that the government has sought FISC orders and opinions requiring companies to turn over source code so that federal agents can find and exploit security vulnerabilities for surveillance purposes.

Whether done in public or in secret, forcing companies to weaken or break encryption or create backdoors to devices undermines the safety and security of millions of people whose laptops and smartphones contain deeply personal, private information, said EFF Senior Staff Attorney Nate Cardozo.

“If the government is obtaining FISC orders to force a company to build backdoors or decrypt their users’ communications, the public has a right to know about those secret demands to compromise people’s phones and computers,” said Cardozo. “The government should not be able to conscript private companies into weakening the security of these devices, particularly via secret court orders.”

In addition to concerns about secret orders for technical assistance, the lawsuit is also necessary to force the government to comply with the USA FREEDOM Act, said EFF Senior Staff Attorney Mark Rumold. Transparency provisions of the law require FISC decisions that contain significant or novel legal interpretations to be declassified and made public. However, the government has argued that USA FREEDOM only applies to significant FISC decisions written after the law was passed.

“Even setting aside the existence of technical assistance orders, there’s no question that other, significant FISC opinions remain hidden from the public. The government’s narrow interpretation of its transparency obligations under USA FREEDOM is inconsistent with the language of the statute and Congress’ intent,’’ said Rumold. “Congress wanted to bring an end to secret surveillance law, so it required that all significant FISC opinions be declassified and released. Our lawsuit seeks to hold DOJ accountable to the law.”

For the full complaint:
https://www.eff.org/document/fisc-foia-complaint

quote:

'Geheime diensten willen chat-apps aftappen' - rtlz.nl

Met de aankomende 'aftapwet' wordt het voor de geheime diensten mogelijk om internetverkeer te onderscheppen. Daarmee wil de AIVD bijvoorbeeld gebruikers van specifieke apps in de gaten houden.

In een document dat is ingezien door de NOS vraagt het ministerie van Binnenlandse Zaken aan internetproviders om een kostenberekening te maken voor een fictieve tapopdracht. De fictieve tapopdracht bestaat uit een stad met 400.000 inwoners die een specifieke chat-app gebruiken, waarvan het internetverkeer van 200 gebruikers moet worden 'doorzocht'.

In het fictieve voorbeeld zou het kunnen gaan om gebruikers van een specifieke chat-app die populair is onder jihadisten. Er wordt dan gekeken welke ip-adressen deze app gebruiken en - indien mogelijk - met wie zij communiceren, om vervolgens nader onderzoek te verrichten en bijvoorbeeld de communicatie in te zien.

Op de vraag van RTL Z waarom het voorbeeld van een tapopdracht zich specifiek richt op een stad en chat-apps, wil het ministerie van Binnenlandse Zaken niet reageren.

Zorgt voor een sleepnet
Met de fictieve tapopdracht wordt de indruk gewekt dat de aankomende Wet op de inlichtingen- en veiligheidsdiensten voor een 'sleepnet' zorgt. Bij een sleepnet onderscheppen de geheime diensten een grote hoeveelheid data, om vervolgens de informatie te analyseren.

Minister Plasterk heeft vorige week ontkend dat er een sleepnet komt, en benadrukt dat de nieuwe wet het bijvoorbeeld mogelijk maakt om alle communicatie tussen Nederland en Syrië af te tappen. Op de vraag of de AIVD ook specifieke wijken of steden wil aftappen omdat zich daar mogelijk een terrorismeverdachte schuilhoudt, wilde Plasterk niet inhoudelijk reageren.

Alleen bij specifieke onderzoeken
Een woordvoerder van Binnenlandse Zaken benadrukt tegen RTL Z dat de tapbevoegdheid alleen bij een specifieke onderzoeksopdracht mag worden ingezet, die naast de minister ook door een onafhankelijke commissie van rechters wordt getoetst.

Het contact met internetproviders is volgens de woordvoerder verplicht omdat voor de aankomende wet een 'bedrijfseffectentoets' moet worden gehouden. Bij zo'n toets worden de potentiële kosten voor de sector in kaart gebracht.

Gaat miljoenen kosten
"Het gaat om ontzettend veel data, bijna onwerkbaar", zegt een anonieme medewerker uit de telecomindustrie die de netwerken aftapbaar moet maken, tegen de NOS. Volgens hem gaat de nieuwe wet miljoenen euro's kosten.

De afgelopen maanden zijn veel techbedrijven overgestapt op end-to-end-encryptie, waarmee communicatie wordt versleuteld. Hierdoor is het voor de geheime diensten lastiger om de afgetapte communicatie in te zien.

17:30
Bron: www.rtlz.nl

quote:

'Britse inlichtingendiensten harkten info bijeen over gewone Britten' | NOS

De Britse inlichten- en veiligheidsdiensten hebben de afgelopen vijftien jaar regelmatig bulkinformatie verzameld over gewone Britten. Die informatie had weinig toegevoegde waarde, zeggen de diensten zelf.

Dit concludeert onder andere The Guardian uit meer dan 100 beleidsdocumenten, formulieren en memo's, die openbaar zijn gemaakt tijdens een rechtszaak van privacy-activisten tegen de Britse overheid.

Sinds 1998 verzamelt de inlichtingendienst GCHQ grote bestanden met daarin bijvoorbeeld paspoortinformatie, reisschema's, financiële gegevens, telefoontjes en e-mails. De bestanden worden dan samengevoegd om daaruit 'verdachten' te filteren. Hoeveel Britten er in de bestanden van de diensten zitten, is niet bekend.

Volgens de regering wordt er altijd verantwoord met de informatie omgegaan en lopen alleen criminelen en terroristen het risico om te worden bespioneerd. Uit de documenten blijkt dat de diensten regelmatig hun boekje te buiten gaan. "We hebben gevallen meegemaakt van misbruik (...) zoals het opzoeken van een adres voor een kaartje, het controleren van paspoortgegevens of details van familie controleren voor eigen gebruik," citeert The Guardian.

De diensten krijgen binnen de huidige Britse wet veel ruimte om data te verzamelen, concluderen de activisten. "De documenten laten zien op wat voor enorme schaal de overheid onze data bij elkaar harkt," zegt Millie Graham Wood van Privacy International, dat de documenten had opgevraagd.

Bron: nos.nl

quote:

Spy Chief Complains That Edward Snowden Sped Up Spread of Encryption by 7 Years

THE DIRECTOR OF NATIONAL INTELLIGENCE on Monday blamed NSA whistleblower Edward Snowden for advancing the development of user-friendly, widely available strong encryption.

“As a result of the Snowden revelations, the onset of commercial encryption has accelerated by seven years,” James Clapper said during a breakfast for journalists hosted by the Christian Science Monitor.

The shortened timeline has had “a profound effect on our ability to collect, particularly against terrorists,” he said.

When pressed by The Intercept to explain his figure, Clapper said it came from the National Security Agency. “The projected growth maturation and installation of commercially available encryption — what they had forecasted for seven years ahead, three years ago, was accelerated to now, because of the revelation of the leaks.”

Asked if that was a good thing, leading to better protection for American consumers from the arms race of hackers constantly trying to penetrate software worldwide, Clapper answered no.

“From our standpoint, it’s not … it’s not a good thing,” he said.

Technologists have been tirelessly working to strengthen encryption for decades, not just the past few years. But Snowden’s revelations about the pervasiveness of mass surveillance clearly accelerated its more widespread availability.

And technologists say the threat of law enforcement “going dark” has been overhyped. For instance, there are almost always ways to hack around encryption, even if you can’t break it.

Clapper acknowledged that there is no such thing as unbreakable encryption from his perspective. “In the history of mankind, since we’ve been doing signals intelligence, there’s really no such thing, given proper time, and proper application of technology.”

quote:

Traffic to Wikipedia terrorism entries plunged after Snowden revelations, study finds | Reuters

By Joseph Menn

SAN FRANCISCO (Reuters) - Internet traffic to Wikipedia pages summarizing knowledge about terror groups and their tools plunged nearly 30 percent after revelations of widespread Web monitoring by the U.S. National Security Agency, suggesting that concerns about government snooping are hurting the ordinary pursuit of information.

A forthcoming paper in the Berkeley Technology Law Journal analyzes the fall in traffic, arguing that it provides the most direct evidence to date of a so-called “chilling effect,” or negative impact on legal conduct, from the intelligence practices disclosed by fugitive former NSA contractor Edward Snowden.

Author Jonathon Penney, a fellow at the University of Toronto’s interdisciplinary Citizen Lab, examined monthly views of Wikipedia articles on 48 topics identified by the U.S. Department of Homeland Security as subjects that they track on social media, including Al Qaeda, dirty bombs and jihad.

In the 16 months prior to the first major Snowden stories in June 2013, the articles drew a variable but an increasing audience, with a low point of about 2.2 million per month rising to 3.0 million just before disclosures of the NSA's Internet spying programs. Views of the sensitive pages rapidly fell back to 2.2 million a month in the next two months and later dipped under 2.0 million before stabilizing below 2.5 million 14 months later, Penney found.

The traffic dropped even more to topics that survey respondents deemed especially privacy-sensitive. Viewership of a presumably “safer” group of articles about U.S. government security forces decreased much less in the same period.

Penney's results, subjected to peer-review, offer a deeper dive into an issue investigated by previous researchers, including some who found a 5.0 percent drop in Google searches for sensitive terms immediately after June 2013. Other surveys have found sharply increased use of privacy-protecting Web browsers and communications tools.

Penney’s work may provide fodder for technology companies and others arguing for greater restraint and disclosure about intelligence-gathering. Chilling effects are notoriously difficult to document and so have limited impact on laws and court rulings.

More immediately, the research could aid a lawsuit filed by the American Civil Liberties Union on behalf of Wikipedia’s nonprofit parent organization and other groups against the NSA and the Justice Department.

The year-old suit argues that intelligence collection from backbone Internet traffic carriers violated the Fourth Amendment ban on unreasonable searches.

(Reporting by Joseph Menn; editing by Jonathan Weber)

Bron: mobile.reuters.com

quote:

Snowden calls for whistleblower shield after claims by new Pentagon source | US news | The Guardian

Accusations that Pentagon retaliated against a whistleblower undermine argument that there were options for Snowden other than leaking to the media


Edward Snowden has called for a complete overhaul of US whistleblower protections after a new source from deep inside the Pentagon came forward with a startling account of how the system became a “trap” for those seeking to expose wrongdoing.

The account of John Crane, a former senior Pentagon investigator, appears to undermine Barack Obama, Hillary Clinton and other major establishment figures who argue that there were established routes for Snowden other than leaking to the media.

Crane, a longtime assistant inspector general at the Pentagon, has accused his old office of retaliating against a major surveillance whistleblower, Thomas Drake, in an episode that helps explain Snowden’s 2013 National Security Agency disclosures. Not only did Pentagon officials provide Drake’s name to criminal investigators, Crane told the Guardian, they destroyed documents relevant to his defence.

Snowden, responding to Crane’s revelations, said he had tried to raise his concerns with colleagues, supervisors and lawyers and been told by all of them: “You’re playing with fire.”

He told the Guardian: “We need iron-clad, enforceable protections for whistleblowers, and we need a public record of success stories. Protect the people who go to members of Congress with oversight roles, and if their efforts lead to a positive change in policy – recognize them for their efforts. There are no incentives for people to stand up against an agency on the wrong side of the law today, and that’s got to change.”

Snowden continued: “The sad reality of today’s policies is that going to the inspector general with evidence of truly serious wrongdoing is often a mistake. Going to the press involves serious risks, but at least you’ve got a chance.”

Thomas Drake’s legal ordeal ruined him financially and ended in 2011 with all serious accusations against him dropped. His case served as a prologue to Snowden’s. Now Crane’s account has led to a new investigation at the US justice department into whistleblower retaliation at the Pentagon that may serve as an epilogue – one Crane hopes will make the Pentagon a safe place for insiders to expose wrongdoing and illegality.

“If we have situations where we have whistleblowers investigated because they’re whistleblowers to the inspector general’s office, that will simply shut down the whole whistleblower system,” Crane told the Guardian.

Crane, who has not previously given interviews, has told his explosive story in a new book, Bravehearts: Whistle Blowing In The Age of Snowden by Mark Hertsgaard, from which the Guardian is running extracts. The Guardian has partnered with Der Spiegel and Newsweek Japan on Crane’s story.

“When someone becomes a whistleblower, they’re making a serious, conscious decision,” Crane said.

“They’re making a decision that can change their lives, change their futures, impact family life, too. There needs to be this certain unbreakable trust. Confidentiality is that trust and that can’t ever be violated.”

Snowden cited Drake’s case as a reason for his lack of faith in the government’s official whistleblower channels.

“When I was at NSA, everybody knew that for anything more serious than workplace harassment, going through the official process was a career-ender at best. It’s part of the culture,” Snowden told the Guardian.

“If your boss in the mailroom lies on his timesheets, the IG might look into it. But if you’re Thomas Drake, and you find out the president of the United States ordered the warrantless wiretapping of everyone in the country, what’s the IG going to do? They’re going to flush it, and you with it.”

While Drake’s case is well known in US national security circles, its internal history is not.

In 2002, Drake and NSA colleagues contacted the Pentagon inspector general to blow the whistle on an expensive and poorly performing tool, Trailblazer, for mass-data analysis. Crane, head of the office’s whistleblower unit, assigned investigators. For over two years, with Drake as a major source, they acquired thousands of pages of documents, classified and unclassified, and prepared a lengthy secret report in December 2004 criticizing Trailblazer, eventually helping to kill the program. As far as Crane was concerned, the whistleblower system was working.

But after an aspect of the NSA’s warrantless mass surveillance leaked to the New York Times, Drake himself came under investigation and eventually indictment. Drake was suspected of hoarding documentation – exactly what inspector-general investigators tell their whistleblowers to do.

“They made it clear to keep [documents] wherever possible, and obviously properly handle anything that was classified,” Drake remembered.

Crane feared that his own colleagues had told the FBI about Drake. He suspected the Pentagon inspector general’s lead attorney, Henry Shelley, whom Crane said had earlier suggested working with the justice department about the leak, had done so. A confrontation yielded what Crane considered to be evasions.

“The top lawyer would not reveal to me whether or not Drake’s confidentiality had been compromised or not. That was a concern … Normally I expect direct answers,” Crane said.

When Drake’s attorneys sought potentially exculpatory information from the inspector general’s office, they learned that much of it had been “destroyed before the defendant was charged, pursuant to a standard document destruction policy”, according to a 2011 letter from prosecutors.

Crane was livid. All relevant regulations mandated keeping the documents, not destroying them. But a high-ranking colleague, Lynne Halbrooks, prevented Crane from investigating the document destruction. He suspected Shelley and Halbrooks of sacrificing a whistleblower and misleading the justice department and a federal judge, all in a case centering around the cover-up of NSA bulk surveillance.

Crane’s relationship with his superiors spiraled downward until they forced him out in 2013, months before Snowden’s revelations. The next year, he filed a complaint with a federal agency that works with whistleblowers, the Office of Special Counsel. In March this year, it found a “substantial likelihood” that the Pentagon inspector general’s office improperly destroyed the Drake documents and arranged, with Pentagon consent, for the justice department inspector general to investigate.

Shelley, still the Pentagon inspector general’s senior counsel, declined to answer questions but said he was “certain my name will be cleared” by the new investigation.

Halbrooks, the Office of Special Counsel and the justice department inspector general declined to comment for this story.

Bridget Serchak, a spokeswoman for the Pentagon inspector general, noted that her office and the Office of Special Counsel jointly requested the justice department investigation.

“It is important to point out that there has been no determination on the allegations, and it is unfair to characterize the allegations otherwise at this point. DoD OIG will cooperate fully with the DoJ OIG’s investigation of this matter and looks forward to the results of that investigation,” Serchak said.

Crane considers this latest inquiry a bellwether for whether the whistleblower system can reform itself in a post-Snowden era.

“Snowden responded to the way Drake was handled. The Office of Special Council investigation regarding destruction of possibly exculpatory documents regarding Drake might be the end of this saga,” Crane said.

Bron: www.theguardian.com

quote:

Eric Holder says Edward Snowden performed a 'public service'

quote:

Chicago (CNN)Former U.S. Attorney General Eric Holder says Edward Snowden performed a "public service" by triggering a debate over surveillance techniques, but still must pay a penalty for illegally leaking a trove of classified intelligence documents.
"We can certainly argue about the way in which Snowden did what he did, but I think that he actually performed a public service by raising the debate that we engaged in and by the changes that we made," Holder told David Axelrod on "The Axe Files," a podcast produced by CNN and the University of Chicago Institute of Politics.

quote:

Official correspondence reveals lack of scrutiny of MI5's data collection | UK news | The Guardian

Privacy International releases letters that it says show ‘cosy’ relationship between watchdog and intelligence operations


The watchdog that monitors interception of emails and phone calls by the intelligence services allowed MI5 to escape regular scrutiny of its bulk collection of communications data, according to newly released confidential correspondence.

A highly revealing exchange of letters from 2004 has been published by Privacy International (PI) before Monday’s parliamentary debate on the investigatory powers bill, sometimes called the snooper’s charter.

The campaign group argues that the letters demonstrate the relationship between government agencies and the independent organisation that is supposed to oversee and regulate their activities has been too “cosy”.

The correspondence has been disclosed in the course of legal action between PI and the government at the investigatory powers tribunal (IPT) which is due to be heard in full this year. The IPT deals with complaints about the intelligence services and surveillance by public bodies. GCHQ is alleged to be illegally collecting “bulk personal datasets” from the phone and internet records of millions of people who have no ties to terrorism and are not suspected of any crime.

The letters were sent by Home Office legal advisers, GCHQ and Sir Swinton Thomas, who was the interception of communications commissioner. The organisation is now called the Interception of Communications Commissioner’s Office (IOCCO).

In May 2004, a Home Office legal adviser wrote to Thomas backing an MI5 proposal that collecting bulk data from communication service providers for its “database project” be authorised under section 94 of the 1984 Telecommunications Act because, at that stage, there were no human rights implications or breach of privacy concerns. Using that act would not require a notice to be put before parliament because it could be used secretively on the grounds that “disclosure of the direction would be against the interests of national security”.

Thomas wrote back the following month, expressing reservations about such clandestine authorisation. He proposed that it would be better to use the more modern and exacting Regulation of Investigatory Powers Act 2000 (Ripa), which involves more open legal procedures and safeguards.

Related: GCHQ hacking does not breach human rights, security tribunal rules

The Home Office responded, saying that, although Ripa might be engaged, it did not think that meant it must be used. The letter continued: “The only practical difference between the two sets of provisions is if [Ripa] were used, a new notice would need to be issued every month … involving a fresh consideration of the necessity and proportionality issues. This would not be the case under section 94 [of the Telecommunications Act].”

Thomas backed down, replying that, “on reconsideration”, use of Ripa was not mandatory. He added: “I am also impressed by the considerable and, if possible to be avoided, inconvenience in following the [Ripa] procedure in the database procedures.”

GCHQ wrote to Thomas in October that year after he had visited its Cheltenham headquarters. “Huges volumes of data are acquired (about 40m bits of data a day),” it informed him. “In the interests of security and commercial confidentiality, GCHQ prefers to keep all the telephony material together in one database … to disguise its source, as the origin of some of the material is extremely sensitive.”

GCHQ also asked whether access to communications data for its databases would be lawful under the Telecommunications Act rather than the more burdensome Ripa.

Thomas said it was not a straightforward problem but eventually acquiesced, saying: “I have, therefore, reached the conclusion, not without some difficulty, that the present system for retrieval [under the Telecommunications Act] is lawful. As you say, adhering to the spirit of the legislation is important.”

The debate goes some way to explain official thinking on the legal distinction between anonymised bulk data collection and a second stage of interception where material may be matched to individuals.

The latest revelation follows an earlier release of confidential documents by PI last month that showed how GCHQ, MI5 and MI6 obtain personal data from public and private organisations, including financial institutions, the NHS, electronic petitions record databases and others.

Privacy International said the letters exemplified the “total failure” of oversight.

Caroline Wilson Palow, the organisation’s general counsel, said: “The documents demonstrate the government’s troubling history of over-reaching in order to expand its surveillance powers while minimising safeguards.

“This discussion, between lawyers for MI5 and GCHQ and the interception of communications commissioner, is also an illuminating example of how oversight can go wrong when it lacks sufficient transparency, resources and advocates for the individuals whose privacy may be violated.

“We think the commissioner’s conclusions were incorrect, permitting GCHQ to acquire communications data in bulk under a broad and secret interpretation of a power to which few safeguards attach. Indeed, the commissioner even agrees with GCHQ and MI5 that collecting our communications data from service providers would not be an interference with our privacy – a position that would likely come as a surprise to most of us and is in direct conflict with recent court decisions.”

Sir Stanley Burnton, the interception commissioner at IOCCO, said: “We have recently concluded our comprehensive review of section 94 [Telecommunications Act] directions which have been issued by secretaries of state from various government departments since the late 1990s, after taking this additional oversight on at the request of the prime minister in 2015.

“Our review has been very challenging because all the section 94 directions are subject to statutory secrecy provisions which limit severely what we are able to say publicly about them. Nevertheless, our review report sets out an extensive series of recommendations which must be implemented in order to clarify and bring consistency to the procedures in place, remedy the lack of record-keeping requirements and codified processes and ensure that we are able to undertake this additional oversight and audit of the giving and use of section 94 directions properly. Our report is due to be published at the end of June or early July.”

“We welcome and support Privacy International’s proposal for oversight bodies to be supported by public interest advocates and their calls for further transparency in these matters.”

Bron: www.theguardian.com

quote:

NSA Looking to Exploit Internet of Things, Including Biomedical Devices, Official Says

The National Security Agency is researching opportunities to collect foreign intelligence — including the possibility of exploiting internet-connected biomedical devices like pacemakers, according to a senior official.

“We’re looking at it sort of theoretically from a research point of view right now,” Richard Ledgett, the NSA’s deputy director, said at a conference on military technology at Washington’s Newseum on Friday.

Biomedical devices could be a new source of information for the NSA’s data hoards — “maybe a niche kind of thing … a tool in the toolbox,” he said, though he added that there are easier ways to keep track of overseas terrorists and foreign intelligence agents.

When asked if the entire scope of the Internet of Things — billions of interconnected devices — would be “a security nightmare or a signals intelligence bonanza,” he replied, “Both.”

“As my job is to penetrate other people’s networks, complexity is my friend,” he said. “The first time you update the software, you introduce vulnerabilities, or variables rather. It’s a good place to be in a penetration point of view.”

Bron: theintercept.com

quote:

Snooper's charter: GCHQ will be licensed 'to hack a major town'

quote:

The security services are to receive a licence for hacking into the phones and laptops of a “major town” under the snooper’s charter legislation, which reaches the House of Lords next week.

The broad nature of the hacking powers to be handed to GCHQ are disclosed in an obscure case study in a background Home Office document setting out the operational case for their use.

This shows that all the phones and laptops in a “major town” could be hacked into, as long as the town were overseas and the action were necessary for national security purposes. The example used in the case study is identifying the phones and laptops being used by a terrorist group planning an attack on Western tourists in a major town.
The stories you need to read, in one handy email
Read more

The home secretary, Theresa May, has asked the official terror law watchdog, David Anderson QC, to conduct a speedy review this summer of whether such “bulk powers” are needed by the security services, and whether the information cannot be gained by less intrusive means.

quote:

In Wisconsin, a Backlash Against Using Data to Foretell Defendants’ Futures

quote:

CHICAGO — When Eric L. Loomis was sentenced for eluding the police in La Crosse, Wis., the judge told him he presented a “high risk” to the community and handed down a six-year prison term.

The judge said he had arrived at his sentencing decision in part because of Mr. Loomis’s rating on the Compas assessment, a secret algorithm used in the Wisconsin justice system to calculate the likelihood that someone will commit another crime.

Mr. Loomis has challenged the judge’s reliance on the Compas score, and the Wisconsin Supreme Court, which heard arguments on his appeal in April, could rule in the coming days or weeks. Mr. Loomis’s appeal centers on the criteria used by the Compas algorithm, which is proprietary and as a result is protected, and on the differences in its application for men and women.

The debate in Wisconsin highlights a broader national discussion about how law enforcement officials use predictive data — including deciding which streets to patrol, identifying people at risk of being shot and calculating the likelihood of recidivism.

quote:

Snowden uit kritiek op privacywet Rusland | NU - Het laatste nieuws het eerst op NU.nl

Snowden uit kritiek op privacywet Rusland

Na zijn onthullingen over Amerikaanse en Britse afluisterpraktijken, mengt klokkenluider Edward Snowden zich nu in het privacydebat in Rusland.

Het parlement van zijn tijdelijke thuisland heeft een nieuwe "Big Brother-wet" aangenomen die "alle Russen geld en vrijheid gaat kosten, zonder de veiligheid te vergroten", schreef Snowden op Twitter.

Het parlement van zijn tijdelijke thuisland heeft een nieuwe "Big Brother-wet" aangenomen die "alle Russen geld en vrijheid gaat kosten, zonder de veiligheid te vergroten", schreef Snowden op Twitter.

ICT-expert Snowden vindt dat de wet niet moet worden ondertekend. Daarmee doet hij een indirect beroep op president Vladimir Poetin, die de wet zou kunnen tegenhouden.

Om terrorisme tegen te gaan wil Rusland onder meer telecombedrijven dwingen om gegevens langer op te slaan voor opsporingsdoeleinden.

Edward Snowden kreeg in 2014 tijdelijk asiel in Rusland, omdat hij in de VS wordt gezocht voor het openbaar maken van staatsgeheimen. Hij mag er drie jaar blijven.

Eigenlijk had hij naar Zuid-Amerika gewild, maar daar kon hij niet komen doordat de Amerikaanse autoriteiten zijn paspoort introkken. Waar hij volgend jaar naartoe zal gaan, is nog onbekend.
Bron: www.nu.nl

quote:

Germany to further curb activities of spy agency in wake of NSA scandal

quote:

Germany has approved new measures to rein in the activities of its foreign intelligence agency after a scandal over improper collusion with the US National Security Agency.

Two months after replacing the head of the BND service over the damning revelations, chancellor Angela Merkel’s cabinet signed off on the reforms to keep the country’s spies on a tighter leash.

Oversight of the spy agency directly from Merkel’s office will be beefed up with an external watchdog panel of jurists, and the list of duties the BND carries out for the NSA has been overhauled.

While intelligence-gathering from EU institutions or partner states will not be explicitly banned, it will be limited by law to “information to recognise and confront threats to internal or external security”. Economic espionage is barred.

The reforms, which require approval from parliament, are based on the findings of a government-appointed investigator into claims that the BND spied on its European allies for the NSA.

The 300-page report found the NSA had kept a long list of European government offices as targets for espionage and that the US had thus “clearly violated treaty agreements”.

The investigation was based on a review of telephone numbers and IP addresses the NSA handed to the BND’s surveillance apparatus with the request that the results to be sent back to the US.

The findings indicated that over the years the BND whittled down the list of thousands of NSA targets while still maintaining cooperation.

Germany reacted with outrage when information leaked by former NSA contractor Edward Snowden revealed in 2013 that US agents were carrying out widespread tapping worldwide, including of Merkel’s mobile phone.

Merkel, who grew up in communist East Germany where state spying on citizens was rampant, declared repeatedly that “spying among friends is not on” while acknowledging Germany’s reliance on the US in security matters.

quote:

Rechter: Microsoft hoeft niet zomaar mails vrij te geven - rtlz.nl

Ook in de digitale wereld spelen landsgrenzen nog steeds een rol, blijkt uit een uitspraak van de rechter van het Court of Appeals for the Second Circuit. Microsoft hoeft e-mails die zijn opgeslagen bij datacenters in Ierland niet over te dragen.

De Amerikaanse overheid wil informatie van een Hotmailgebruiker, wiens e-mails staan opgeslagen in een datacenter van Microsoft in Ierland. Dat mag niet, blijkt uit het oordeel.

Amerikaanse bedrijven kunnen niet zomaar gedwongen worden om data vrij te geven die in het buitenland staat opgeslagen, oordeelde het hof. De uitspraak is opvallend, want een lagere rechter oordeelde eerder het tegenovergestelde. Die oordeelde dat een Amerikaans bedrijf gewoon informatie moet overdragen als de rechter daarom vraagt, ongeacht waar de gegevens opgeslagen staan.

Microsoft was het daarmee oneens. "Wij zeggen: nee, de Ierse wet is hierop van toepassing, dus je moet eerst naar Ierse overheid. En die moet ons dan vragen of we het willen overdragen. Waarom doen we dit? Omdat we het heel belangrijk vinden dat in een digitale wereld landsgrenzen blijven gelden. Klanten moeten informatie kunnen opslaan in bepaalde regio’s, wetende dat ook echt de lokale wetgeving van toepassing is", vertelde Jochem de Groot, de public affairs-man van het bedrijf, eerder tegen RTL Z.

De multinational was de eerste Amerikaanse onderneming die de overheid uitdaagde en weigerde om zomaar gegevens over te dragen die buiten de landsgrenzen staan opgeslagen. Microsoft is niet het enige dat worstelt met de grote hoeveelheden privacygevoelige informatie die de Amerikaanse overheid opvraagt. Ook eBay, Amazon en Apple krijgen bijvoorbeeld regelmatig verzoeken.
Bron: www.rtlz.nl

quote:

Bulk data collection only lawful in serious crime cases, ECJ rules

European court ruling backs David Davis and Tom Watson and could have serious impact on so-called snooper’s charter

Retaining data from telephone calls and emails is legal only if law enforcement agencies use it to tackle serious crime, the EU’s highest court has ruled.

The preliminary finding by the influential European court of justice (ECJ) in Luxembourg came in response to a legal challenge that was brought initially by David Davis, when he was a backbench Conservative, and Tom Watson, Labour’s deputy leader, over the legality of GCHQ’s bulk interception of call records and online messages.

Davis, one of the most vociferous critics of the state’s powers to collect data on its citizens, quietly withdrew from the case after his appointment to the cabinet. Many had commented on his involvement in the case at the EU’s highest court, after he was appointed secretary of state for leaving the European Union.

In an opinion likely to be followed by the full court, the advocate general, Henrik Saugmandsgaard Øe, clarified EU law after the two MPs successfully argued in British courts that the Data Retention and Investigatory Powers Act (Dripa) 2014 was illegal.

The ECJ’s advocate general said: “Solely the fight against serious crime is an objective in the general interest that is capable of justifying a general obligation to retain data, whereas combating ordinary offences … are not.” Only the data associated with calls and emails is retained not the content of messages.

The preliminary ruling appears to bring European data retention practices closer into line with the debate over the passage of the UK’s investigatory powers bill over what safeguards should be imposed for bulk interception and retention of data.

The court’s final decision will be delivered in the coming months. The vast majority of judgments follow the line set out by the advocate general.

Davis and Watson, who were supported by the Law Society, had already won a high court victory on the issue but the government appealed and the case was referred to the ECJ.

At issue was whether there are EU standards on data retention that need to be respected by member states in their domestic legislation. The result, though significant in the short term, may eventually prove academic once the UK has withdrawn from the EU and the ECJ no longer has judicial authority over the UK.

Before he became a minister under Theresa May, Davis travelled to Luxembourg this spring to hear the case being argued at the ECJ. He has argued that the British government is “treating the entire nation as suspects” by ignoring safeguards on retaining and accessing personal communications data.

The outcome of the Dripa case, which was heard by 15 European judges in Luxembourg, is likely to have a significant impact on the ultimate shape of the controversial investigatory powers bill – it has been nicknamed the snooper’s charter – now before parliament.

The case has been heard amid successive jihadi atrocities in Paris, Brussels and Nice that have reinforced political demands for the expansion of powers to intercept emails and phone calls to help catch Islamic State militants operating on the continent.

During the Luxembourg hearing, lawyers for the UK government maintained that intercepted communications had been at the heart of every terrorist case investigated by police and the security services in recent years.