Cyber Bill Gives Companies Perfect Cover to Gut Your Privacy

Some tech companies are eager to share more of our personal data with the government so long as they don’t have to worry about violating any privacy safeguards. CISA gives companies exactly what they want: ironclad liability protection to share information about any perceived cyber threats with federal agencies. (Photo: Mr. Thinktank/flickr/cc)

By Sandra Fulton

Following several high-profile data breaches — such as those at Sony and the U.S. Office of Personnel Management — Congress is once again feeling the pressure to push “cybersecurity” legislation.

The problem is, the bill they’re laser-focused on is misguided, wouldn’t protect us — and is a huge gift to companies wanting legal cover if and when they choose to violate Americans’ privacy rights.

In March, the Senate Intelligence Committee voted 14–1 in favor of the Cybersecurity Information Sharing Act of 2015 (CISA). The bill, like its infamous predecessor CISPA, would allow companies to share vast amounts of users’ private and personally identifiable data with the government. That information would go straight to the Department of Homeland Security and then on to the NSA.

If CISA passes, companies would be permitted to monitor and then report to the government on vaguely defined “cyber-threat indicators” — a term so broad that it covers actual threats hackers pose to computer systems but also sweeps in information on crimes like carjacking and burglaries. Those are serious offenses to be sure, but they have nothing to do with cybersecurity.

While current law allows companies to monitor their own systems for cyber threats, CISA would take this to the next level. The bill would allow companies that hold huge swaths of our personal data — like health insurers and credit-card companies — to monitor and report online activity “notwithstanding any other provision of law.”

This means that CISA would undermine the strong protections embedded in laws like the Electronic Communications Privacy Act of 1986 and the Privacy Act of 1964 — laws designed to keep the government from spying on our communications.

While posing a serious threat to our privacy online, CISA wouldn’t even guard well against cyber attacks. The bill offers a bad trade-off, to put it mildly.

In April, leading Internet-security technologists wrote to the Senate Intelligence Committee, arguing that Congress didn’t need to create new legal authority to let companies share information designed to help protect their systems from future attacks. As their letter explains:

Waiving privacy rights will not make security sharing better. The more narrowly security practitioners can define these IoCs [indicators of compromise] and the less personal information that is in them, the better… Any bill that allows for and results in significant sharing of personal information could decrease the signal to noise ratio and make IoCs less actionable.

In June 2015, further revelations from whistleblower Edward Snowden showed that much of the activity CISA would authorize has been going on for quite some time. Leaked government slides show that the NSA and the FBI secretly joined forces in 2012 to spy on Internet traffic in pursuit of cybersecurity suspects.

Despite these efforts, cyber attacks have continued to escalate. Yet this bill to immunize companies from liability for sharing our personal data sailed through the Senate Intelligence Committee.

The lone dissenter on that committee, Sen. Ron Wyden, noted that cyber attacks are a “serious problem.” However, Wyden said, “if information-sharing legislation does not include adequate privacy protections, then that’s not a cybersecurity bill — it’s a surveillance bill by another name.”

So who’s behind the massive push to pass CISA? Insurers, credit-card companies, banks, gas and oil giants, and telecom companies have all lined up behind the bill. Keepers of some of our most private and sensitive data — banks like JPMorgan Chase, and health insurers like Anthem and Blue Cross Blue Shield, to name just a few — are lobbying hard for CISA’s passage.

In fact, according to lobby-disclosure reports for the first quarter of 2015, the number of companies lobbying for CISA has just about tripled over the last year. Recent attacks have cost companies billions, not to mention embarrassment.

Stronger cyber “hygiene” would best protect these companies from intrusions and breaches, but that would be costly. Implementing invasive monitoring programs and handing the information off to the government is far preferable if that approach can be sold as a solution to the problem.

In short, these companies are eager to share more of our personal data with the government so long as they don’t have to worry about violating any privacy safeguards. CISA gives companies exactly what they want: ironclad liability protection to share information about any perceived cyber threats with federal agencies.

So while CISA would do little or nothing to improve cybersecurity, it would strengthen the surveillance regime and make our personal information even more vulnerable to government abuse.

Leaders in the Senate, who want to pass CISA before Congress breaks for its August recess, have announced that the bill will be up on their agenda as soon as this week. The Free Press Action Fund is working with our allies to fight back. Please click here to urge your senators to oppose this dangerous bill.

————–

This work is licensed under a Creative Commons Attribution-Share Alike 3.0 License.

Sandra Fulton is a Legislative Assistant at the ACLU’s Washington Legislative Office working on First Amendment and privacy issues.

Why I care when people with ‘something to hide’ are hacked


“Privacy” by Melanie Feuerer used under a Creative Commons Attribution 2.0 United States License

By Spocko

It’s all about the Privacy.

Do some people deserve it less than others? Who decides?

Online Cheating Site AshleyMadison Hacked
— Brian Krebs, @briankrebs, Krebs on Security, July 19, 2015

When people who are supposed to protect someone’s privacy fail, what should their responsibility be following the failure? How do you make “someone whole,” as they say in the insurance biz, following a privacy breach?

Hacks of OPM databases compromised 22.1 million people, federal authorities say — Ellen Nakashima, @nakashimae, The Washington Post, July 9, 2015

What are the valid reasons someone’s privacy is violated? National Security? Public safety? Potential violence? Donating to the wrong cause? Who gets permission? Who oversees this?

“I don’t care if the government listens to me, I don’t have anything to hide. If you don’t have anything to hide, what are you worried about?”

— US citizen comment I read in response to Snowden revelations

Are there standards and regulations that organizations should meet? Who enforces them? What are the penalties if they don’t?

Journalist Sues US Government for Records on ‘Kafkaesque Harassment’ by Security Agents During Travel

Laura Poitras, 2010

Laura Poitras is a journalist and documentary filmmaker who recently won an Academy Award for Citizenfour, her documentary on NSA whistleblower Edward Snowden. But between July 2006 and April 2012, Poitras was “subjected to ‘Secondary Security Screening Selection,’ detained and questioned at the United States border on every international flight she took” to the US, according to her recently filed lawsuit.

When traveling from the US, when she was outside the US traveling internationally, and even when she was traveling within the US, Poitras was “occasionally subjected to secondary security screening.” More than 50 times she was given this designation, which allowed Transportation Security Administration (TSA) agents to subject her to extra scrutiny.

On January 24, 2014, Poitras filed Freedom of Information Act (FOIA) requests with the Department of Homeland Security, Customs and Border Protection (CBP), Citizenship and Immigration Services (CIS), and TSA for “all agency records concerning, naming, or relating to Ms. Poitras.” She also submitted requests to the FBI and the Office of the Director of National Intelligence (ODNI).

Poitras has, to date, received no records in response to her requests and alleges agencies are wrongfully withholding records.

“I’m filing this lawsuit because the government uses the US border to bypass the rule of law,” Poitras explained in a press release from the Electronic Frontier Foundation. “This simply should not be tolerated in a democracy.”

“I am also filing this suit in support of the countless other less high-profile people who have also been subjected to years of Kafkaesque harassment at the borders. We have a right to know how this system works and why we are targeted.”

One of those individuals, whom Poitras may be referring to, is Jacob Appelbaum. He is a journalist, Tor developer, and WikiLeaks volunteer who has been stopped and harassed at the US border multiple times. (He has also had his personal data held by services such as Twitter and Google targeted as part of the Justice Department’s investigation into WikiLeaks.)

Airport security agents have previously informed Poitras that she had a “criminal record,” even though that is not true. She has been informed her name was in a “national security threat database.” During one stop, she was told she was on the “No Fly List.” Her laptop, camera, mobile phone, and her notebooks have been seized and copied. One time when she attempted to take notes while she was detained by agents, she was threatened with being put in handcuffs. The agents pretended to fear that she might use the pen as a weapon so she could not create a record of their interaction.

Poitras is not the first to challenge this abuse. The American Civil Liberties Union (ACLU) and National Press Photographers Association (NPPA) have challenged suspicionless laptop searches by DHS through a lawsuit filed in 2010.

Detaining Journalists, Abusing Families, and Humiliating American Muslims

Abuse by US security agents at the border has become increasingly common. In February 2014, the podcast On the Media aired an episode called “Secrecy on the Border.” The episode focused on how Homeland Security violates the rights of people and refuses to provide any explanations.

Google Reveals It Was Forced to Hand Over Journalist’s Data for WikiLeaks Grand Jury Investigation

Jacob Appelbaum

Google released another legal disclosure notice related to the United States government’s ongoing grand jury investigation into WikiLeaks. It informed journalist and technologist Jacob Appelbaum, who previously worked with WikiLeaks, that Google was ordered to provide data from his account.

The disclosure suggests the grand jury investigation may have sought Appelbaum’s data because the US government believed the data would contain details on WikiLeaks’ publication of State Department cables.

Appelbaum has been under investigation because of his connection to WikiLeaks for four to five years. He has been detained and interrogated at the US border multiple times. He was one of three subjects of an order the government issued to Twitter for account data for its investigation, which Twitter and other groups like the American Civil Liberties Union (ACLU) and Electronic Frontier Foundation (EFF) challenged in court.

He was recently profiled along with Chinese activist and artist Ai Weiwei in a short film by Laura Poitras, “The Art of Dissent.” He lives in Berlin, where he has spent the past couple of years reporting on documents from NSA whistleblower Edward Snowden for media organizations like Der Spiegel. His lawyers have advised him not to return to the US.

Google’s full legal disclosure to Appelbaum consisted of 306 pages of documents. He did not post the disclosure in its entirety but shared screenshots of parts of it through his Twitter account.

On April 1, the government apparently determined there was some information that could be disclosed to Appelbaum.

The government seems to confirm in legal documents that it does not consider WikiLeaks to be a journalistic enterprise. It also writes, “The government does not concede that the [redacted] subscriber is a journalist,” referring to Appelbaum.

Nevertheless, the government broaches the issue and insists “newsmen” may be subject to grand jury investigations of this intrusive nature.

“Journalists have no special privilege to resist compelled disclosure of their records, absent evidence that the government is acting in bad faith,” the government asserts. “Even if the [redacted] subscriber were to bring a First Amendment challenge, he could not quash the order because he could not show that the government has acted in bad faith, either in conducting its criminal investigation or in obtaining the order.”

Later, the government adds, “The government has acted in good faith throughout this criminal investigation, and there is no evidence that either the investigation or the order is intended to harass the [redacted] subscriber or anyone else.”

Appelbaum mentioned that this reminded him of how the government targeted New York Times reporter James Risen while it was investigating CIA whistleblower Jeffrey Sterling. He also recalled that a US border agent once told him he would be “endlessly harassed.”

That experience would seem to call into question the government’s claim it has not acted in bad faith. Plus, given that his Google data was targeted in secret, Appelbaum could not possibly mount a First Amendment challenge because his lawyers did not even know to file a challenge or what to challenge exactly.


You Want to Commit Espionage with Hacked Personal Data?

This post was originally published at WeMeantWell.com.

Did the most-recent, recent, breach of United States government personnel files significantly compromise American security? Yes. Could a foreign government make use of such information to spy on the United States? Oh my, yes.

China-based hackers are suspected of breaking into the computer networks of the United States Office of Personnel Management (OPM), the human resources department for the entire federal government. They allegedly stole personnel and security clearance information for at least four million federal workers. The current attack was not the first. Last summer the same office announced an intrusion in which hackers targeted the files of tens of thousands of those who had applied for top-secret security clearances; the Office of Personnel Management conducts more than 90 percent of federal background investigations, including all those needed by the Department of Defense and 100 other federal agencies.

Why all that information on federal employees is a gold mine on steroids for a foreign intelligence service is directly related to what is in the file of someone with a security clearance.

Most everyone seeking a clearance starts by completing Standard Form 86 (SF-86), the Questionnaire for National Security Positions, an extensive biographical and social-contact questionnaire.

Investigators, armed with the questionnaire info and whatever data government records searches uncover, then conduct field interviews. The investigator will visit an applicant’s home town, her second-to-last boss, her neighbors, her parents and almost certainly the local police force and ask questions in person. As part of the clearance process, an applicant will sign the Mother of All Waivers, giving the government permission to do all this as intrusively as the government cares to do; the feds really want to get to know a potential employee who will hold the government’s secrets. This is old-fashioned shoe-leather cop work, knocking on doors, eyeballing people who say they knew the applicant, turning the skepticism meter up to 11.

Things like an old college roommate who moved back home to Tehran, or that weird uncle who still holds a foreign passport, will be of interest. Some history of gambling, drug or alcohol misuse? Infidelity? A tendency to not get along with bosses? Significant debt? Anything at all hidden among those skeletons in the closet?

The probe is looking for vulnerabilities, pure and simple. And that’s the scary “why this really matters” part of the China-based hack into American government personnel files.

America’s spy agencies, like every spy agency, know people are manipulated and compromised by their vulnerabilities. If someone applying for a federal position has too many of them, or even one of particular sensitivity, s/he may be too risky to expose to classified information.

And that’s because, unlike almost everything you see in the movies, the most important intelligence work is done the same way it has been done since the beginning of time. Identify a person with access to the information needed (“qualifying an agent”; a colonel will know rocket specifications, a file clerk internal embassy phone numbers, for example). Learn everything you can about that person. Was she on her college tennis team? Funny thing, your intelligence officer likes tennis, too! Stuff like that is very likely in the files taken from the Office of Personnel Management.

But specifically, a hostile intelligence agency is looking for a target’s vulnerabilities. They then use that information to approach the target person with a pitch – give us the information in return for something.

For example, if you learn a military intelligence officer has money problems and a daughter turning college age, the pitch could be money for secrets. A recent divorce? Perhaps some female companionship is desired, or maybe nothing more than a sympathetic new foreign friend to have a few friendly beers with, and really talk over problems. That kind of information is very likely in the files taken from the Office of Personnel Management. And information is power; the more tailored the approach, the more likely the chance of success.

Also unlike in the movies, blackmail is a last resort. Those same vulnerabilities that dictate the pitch are of course ripe fodder for blackmail (“Tell us the location of the code room or we’ll show these photos of your new female friend to the press.”) However, in real life, a blackmailed person will try whatever s/he can do to get out of the trap. Guilt overwhelms and confession is good for the soul. A friendly approach based on mutual interests and goals (Your handler is a nice guy, with a family you’ve met. You golf together. You need money, they “loan” you money. You gossip about work, they like the details) has the potential to last for many productive years of cooperative espionage.

So much of what a foreign intelligence service needs to know to create those relationships and identify those vulnerabilities is in those hacked files, neatly typed and in alphabetical order. Never mind the huff and puff you’ll be hearing about identity theft, phishing and credit reports.

Espionage is why this hack is a big, big deal.

Image is Creative Commons Licensed Photo from Digitale Gesellschaft.

Congress Did Not Pass an Anti-Surveillance Law (And Other Thoughts About the USA Freedom Act)


When President Barack Obama signed the USA Freedom Act, it did not end bulk data collection or mass surveillance programs. It did not address many of the policies, practices or programs of the NSA, which NSA whistleblower Edward Snowden revealed. It did not sharply limit surveillance nor was it an anti-surveillance law. The USA Freedom Act renewed Patriot Act provisions, which had sunset days ago. However, it is difficult to disagree with Snowden’s generally optimistic assessment.

During an Amnesty International UK event, as the Senate was about to pass the law, Snowden declared, “For the first time in forty years of US history, since the intelligence community was reformed in the ’70s, we found that facts have become more persuasive than fear.”

Snowden continued, “For the first time in recent history we found that despite the claims of government, the public made the final decision and that is a radical change that we should seize on, we should value and we should push further.”

He was specifically referring to how Congress and the courts had rejected this NSA surveillance program.

In that sense, June 2 was a day that the people won against the security state. US citizens took away the government’s control of nearly all of their domestic call records. And those in power were forced to act because their operation of the program, and the operations of a secret surveillance court, the Foreign Intelligence Surveillance Court, were no longer seen as legitimate.

The extent of the victory, however, probably ends there.

As another NSA whistleblower, Bill Binney, said during an event in Chicago, the USA Freedom Act was a “surface change.” The government still has Executive Order 12333, which it can use for “content collection of US domestic communications as well as metadata. It’s all done through the Upstream programs. It’s done without oversight at all. There’s no oversight by Congress or the courts.” [Upstream is the series of different cables and fiber optic taps that the NSA uses to collect data that passes through fiber networks. Phone calls, emails, cloud transfers, pictures, and video, according to Binney, can all be collected.]

Journalist Marcy Wheeler pointed out that bulk collection of Americans’ international phone calls will continue. “Backdoor searches” under Section 702 of the FISA Amendments Act will continue, as the NSA can collect emails, browsing and chat history of US citizens without a warrant.

A number of the senators who voted for the USA Freedom Act did so because the three Patriot Act provisions had expired. They wanted something passed quickly so the NSA could resume spying operations that were supposed to be put on hold. So, some senators saw the USA Freedom Act as both a law to protect security as well as privacy.

Senator Bernie Sanders voted against the USA Freedom Act and explained in a released statement that it would still give the NSA and “law enforcement too much access to vast databases of information on millions of innocent Americans.”

The independent senator voted against the Patriot Act and both of the law’s extensions in 2005 and 2011.

The only Democratic senator to vote against the law.

Spy Planes: FBI Flew Over 100 Secret Missions Over 30 Cities in Recent Months

The Associated Press reported new details on secret surveillance flights being conducted by the FBI, including how the agency registers aircraft to fake companies to conceal their role.

A recent review conducted by the AP found that over a “recent 30-day period” the FBI flew over 100 flights over 30 cities in 11 states and the District of Columbia.

Most of the missions used Cessna 182T Skylane aircraft. They were flown over Boston, Chicago, Houston, Phoenix, Seattle and parts of Southern California.

The planes carried video surveillance equipment as well as Stingray surveillance equipment or cell-site simulator gear, which creates a dragnet and enables the FBI to trick cellphones in a given area into providing identification information to agents.

Unlike the agency’s drone fleet, piloted aircraft are not subject to the Justice Department’s policy barring drones from being used to monitor “First Amendment activities,” which may partly explain why the secret flights have been spotted over cities where communities have protested killings by police.

Sam Richards, an independent journalist, first reported that the FBI was flying secret missions over cities with aircraft registered to fake companies.

“The aircraft have been registered to corporations that do not exist, and the purpose of the aerial operations is not known at this time. The flight patterns of the aircraft indicate they are most likely conducting surveillance, much like the controversial aircraft caught flying circles over the city of Baltimore which has seen many protests recently,” Richards reported on May 25.

Richards searched “aircraft registration” in Bristow, Virginia, and found many “three-letter acronym companies.” A few of the aircraft listed were “registered explicitly to the Department of Justice.” He decided the companies had to be fake when his searches for information on the Internet were “fruitless.” He also noticed that the flight patterns—repeated circles around a city—indicated these planes were likely involved in surveillance missions.

Sales Exec Fired for Refusing to Install 24/7 Tracking App on Smartphone, Sues Company

Myrna Arias, a sales executive who lives in Kern County, California, is suing Intermex, a wire-transfer company, for wrongful termination, claiming that she was fired for refusing to install a tracking app on her smartphone that would monitor her off-hours location.

According to a Courthouse News Service report that describes the lawsuit, Intermex recruited Ms. Arias while she was working for Netspend, a money-transfer competitor. She requested that Intermex allow her to continue working with Netspend in order to maintain health benefits during a new-hire waiting period, and Intermex agreed. A couple of months into her new employment, her boss, Intermex’s regional vice president of sales John Stubits, told Arias and other employees that they would have to download an app from Xora onto their smartphones that “contained a global positioning system function which tracked the exact location of the person possessing the smartphones on which it was installed.” When she refused, she was fired. Intermex then called Netspend and informed them of her overlapping employment, and Netspend fired her as well. Courthouse News Service explains:

Arias says in her complaint that she researched the app and asked Stubits if Intermex would be tracking her whereabouts when she was off the clock.
“Stubits admitted that employees would be monitored while off duty and bragged that he knew how fast she was driving at specific moments ever since she had installed the app on her phone,” Arias says in her complaint. “Plaintiff expressed that she had no problem with the app’s GPS function during work hours, but she objected to the monitoring of her location during non-work hours and complained to Stubits that this was an invasion of her privacy. She likened the app to a prisoner’s ankle bracelet and informed Stubits that his actions were illegal. Stubits replied that she should tolerate the illegal intrusion because Intermex was paying plaintiff more than NetSpend.”
Stubits also told Arias she had to keep her phone on “24/7″ to assist clients, and “scolded” her when she uninstalled the app to protect her privacy, the complaint adds.
Arias says Intermex fired her a few weeks later.

/snip/

Arias objected to the app because there was no way to turn it off when she was at home. Even if she shut down the app on her phone, it would still be running in the background, Glick said.
“She found it very offensive that they were treating her like a felon,” she added. “She was not underperforming, so there was no reason to monitor her.”
To make matters worse, Glick said, Intermex was so angry at her objection to the app that it went “above and beyond a normal wrongful termination and interfered with her ability to earn a livelihood.”
Arias says in her complaint that Robert Lisy, Intermex’s president and CEO, “telephoned John Nelson, vice president of NetSpend, and informed Nelson that plaintiff had been disloyal to NetSpend and was employed by Intermex. As a result of Lisy’s intentional and malicious interference with plaintiff’s contract with NetSpend, NetSpend fired plaintiff promptly. NetSpend specifically cited Lisy’s phone call as the reason for the decision to terminate plaintiff,” the complaint states.

Ms. Arias’s lawsuit claims violation of the right to privacy and California labor laws, unfair business practices, and wrongful termination in violation of public policy.

Should companies be allowed to track workers’ movements on and off the clock with smartphone apps?