‘Snowden Effect’ has Changed Cloud Data Security Assumption, Survey Claims

Techworld - Edward Snowden's revelations of sophisticated NSA spying have made many senior IT staff distinctly edgy about their use of the cloud, with nine out of ten now paying close attention to the location of stored data, a survey of global attitudes has found.


Teasing out the effect of Snowden on IT teams that are already cagey about the immaturity of the cloud is no mean feat. Have his revelations changed behaviour on the ground?

In NSA Aftershocks, NTT Communications found that nine out of ten of the 1,000 decision makers it asked in the UK, US, Hong Kong, France and Germany believed that Snowden has had some effect on their approach to the cloud.

In just over half of cases, more attention was being paid to where data was stored geographically, with just under half carrying out more due diligence on cloud projects. Around 35 percent said they'd changed their procurement policies for cloud providers with 62 percent stating that the revelations had stopped them from moving ICT into the cloud.

So Snowden is affecting behaviour on the ground, but it's still not clear whether some of this isn't natural wariness as people get to grips with the inevitable risks of using remote cloud providers.

For instance, 97 percent of respondents said they preferred data to be kept within their own region, something that is particularly true for EU enterprises. But this is as likely to be driven by data sovereignty and compliance worries; even without Snowden this would have been an issue and it could just be that the reality of the NSA's capabilities has brought home the need to justify security procedures.

The view of some vendors is that encryption can be used to enforce data security but this is not easy to implement to the degree necessary to stop surveillance. It is also expensive and comes with a performance overhead.

Medium term, provider security is still likely to become a selling point.

"ICT decision-makers have been quick to learn from the current crisis and now understand how to scrutinise providers. Those suppliers that can live up to the increased demands for data integrity, governance and security will find success in the post-Snowden world," noted NTT Communications' authors.


NSA spying should not contribute to the dangers posed by security flaws

The Heartbleed bug, the recently disclosed and already notorious flaw in the way that some websites send information, put millions of Americans at risk for theft of money, identity and perhaps worse. Yet, by some accounts, it was willfully exploited by the National Security Agency, which, if true, decided to leave Americans uninformed and exposed for whatever benefits it could gain from illicit monitoring of Internet traffic.

The NSA denies this, but in the past it has exploited such security flaws to gain access to target computers. The NSA operates in the shadows in order to keep Americans safe, and we have learned in about as hard a way as possible that there are those who live to murder Americans by the thousands.

But this is a special case, and it demands review. American business depends to a huge extent upon the Internet and the trust that users have in its security. American citizens communicate with one another and with their banks, doctors and lawyers via the Internet, seeking or sharing confidential information, including passwords with which someone with bad intent could ruin them. This flaw had the potential to inflict chaos on millions of people and, for all anyone knows at this point, did.

The flaw was inadvertently introduced in 2012 during a minor adjustment to OpenSSL, an open-source protocol, free codes whose integrity relies upon a small number of underfunded researchers.

By contrast, the NSA has more than 1,000 experts devoted to the task of detecting such flaws using sophisticated, secret techniques.

According to Bloomberg News, once the NSA found the Heartbleed flaw, it quickly became part of its toolkit for stealing (yes, stealing) passwords and other information. Even if anyone is willing to grant that the NSA isn't stealing information from American citizens and businesses (though no official has offered that assurance), it remains a troubling fact that if the NSA knows about security flaws like Heartbleed, other, more nefarious, agencies and individuals probably do, too.

In the end this is more evidence that the country needs a better understanding of the legitimate needs of intelligence agencies for anti-terror operations and other uses. The Internet has opened more doors into Americans' privacy than anyone suspected only a few years ago and it is obvious that there is no going back. This genie is out of the bottle.

Unless and until the government is willing to engage in the kind of discussion that allows Americans to accept what their intelligence agencies are doing in their name, they should understand that there are serpents in this electronic jungle and that, when it comes to their security, they are largely on their own.


NSA spying is here to stay

The 3 billion phone calls made in the US each day are snatched up by NSA, which stores each call's metadata for five years.

On Monday, April 14, the Washington Post and the Guardian newspapers received the Pulitzer for Journalism Public Service for their reports on NSA spying. In light of their hard work, let's recap events of the last year.

Embarrassed and irritated by Edward Snowden's leaks, Obama charged last year at a press conference that Snowden was presenting a false picture of NSA by releasing parts of its work piecemeal: "Rather than have a trunk come out here and a leg come out there," he said, "let's just put the whole elephant out there so people know exactly what they're looking at. ... America is not interested in spying on ordinary people," he assured us. The government, he went on, is not "listening in on people's phone calls or inappropriately reading people's emails."

Six days later, a Washington Post headline declared: "NSA broke privacy rules thousands of times per year." In an internal audit in May 2012 of its DC-area spy centers, the agency itself found 2,776 "incidences" of NSA overstepping its legal authority. As the American Civil Liberties Union noted, surveillance laws themselves "are extraordinarily permissive," so it's doubly troubling that the agency is surging way past what it is already allowed to do. The ACLU adds that these reported incidents are not simply cases of one person's rights being violated but thousands of Americans being snared, totally without cause, in the NSA's indiscriminate, computer-driven dragnet.

The agency's surveillance net stretches so wide that it is inherently abusive, even though its legal authority to spy on Americans is quite limited. US Rep. James Sensenbrenner, the sponsor of the PATRIOT Act (which NSA cites as its super-vac authority), said that Congress intended that it should apply only to cases directly tied to national security investigations. No lawmaker, he said, meant that government snoops should be able to conduct a wholesale grab of Americans' phone, email and other personal records and then store them in huge databases to be searched at will.

Yet look at what NSA has become:

The three billion phone calls made in the US each day are snatched up by the agency, which stores each call's metadata (phone numbers of the parties, date and time, length of call, etc.) for five years.

Each day telecom giants turn over metadata on every call they have processed.

Every out-of-country call and email from (or to) a US citizen is grabbed by NSA computers, and agents are authorized to listen to or read any of them.

The agency searches for and seizes nearly everything we do on the Internet. Without bothering with the constitutional nicety of obtaining a warrant, its XKeyscore program scoops up some 40 billion Internet records every month and adds them to its digital storehouse, including our emails, Google searches, websites visited, Microsoft Word documents sent, etc. NSA's annual budget includes a quarter-billion dollars for "corporate-partner access," i.e., payments to obtain this mass of material from corporate computers.


Washington Post wins Pulitzer Prize for NSA spying revelations; Guardian also honored

A team of 28 Post journalists, led by reporter Barton Gellman, won the public service award, as did Guardian US, which also reported extensively about the NSA's secret programs. Gellman and Glenn Greenwald, then the Guardian's lead reporter on the NSA pieces, based their articles on classified documents leaked by Edward Snowden, the former government contractor who has fled to exile in Russia, lending a controversial edge to this year's awards.

The Post's Eli Saslow also won a Pulitzer, newspaper journalism's highest award, for a series of stories about the challenges of people living on food stamps. Saslow, 31, was cited in the explanatory-journalism category by the 19-member Pulitzer board in an announcement at Columbia University in New York, which administers the prizes.

The Boston Globe won in the breaking-news category for its extensive coverage of the Boston Marathon bombings last April.

The New York Times swept the two photography categories. The award in breaking photography went to Tyler Hicks for his photos of a terrorist attack on a shopping mall in Nairobi, and the feature-photography prize went to Josh Haner for his photos of a Boston Marathon bombing victim who lost most of both legs.

The prize for investigative reporting went to Chris Hamby of the nonprofit Center for Public Integrity in Washington for articles about lawyers and doctors who rigged a system to deny benefits to coal miners stricken with black-lung disease.

NSA reporting

The awards to The Post and the U.S. arm of the British-based Guardian newspaper for their NSA reporting are likely to generate debate, much like the Pulitzer board's decision to award its public service medal to the New York Times in 1972 for its disclosures of the Pentagon Papers, a secret government history of U.S. involvement in the Vietnam War.

In both the NSA and Pentagon Papers stories, the reporting was based on leaks of secret documents by government contractors. Both Snowden and Daniel Ellsberg, who leaked the Pentagon Papers to Times reporter Neil Sheehan, were called traitors for their actions. And both the leakers and the news organizations that published the stories were accused by critics, including members of Congress, of enabling espionage and harming national security.

But Post Executive Editor Martin Baron said Monday that the reporting exposed a national policy with profound implications for American citizens' constitutional rights and the rights of individuals around the world.

"Disclosing the massive expansion of the NSA's surveillance network absolutely was a public service," Baron said. "In constructing a surveillance system of breathtaking scope and intrusiveness, our government also sharply eroded individual privacy. All of this was done in secret, without public debate, and with clear weaknesses in oversight."


Guardian, Washington Post Get Pulitzers for NSA Reporting

The Guardian US and Post are awarded Pulitzers for Public Service for their reporting on secret NSA spying, largely based on the leaks of former NSA contractor Edward Snowden.

The Washington Post and the Guardian US were on Monday awarded Pulitzer Prizes for their reporting on the nature and breadth of secret electronic surveillance conducted by the National Security Agency, largely based on the revelations of former NSA contractor Edward Snowden.

The Post and the Guardian US were each awarded the Pulitzer Prize for Public Service, the Pulitzer Prize committee's highest honor. Newsday's reporting on misconduct by police officers in Long Island, N.Y. was also nominated for the Public Service prize.

In revealing "widespread secret surveillance by the National Security Agency," the Post's reporting was described as "marked by authoritative and insightful reports that helped the public understand how the disclosures fit into the larger framework of national security." The Guardian US, an online product of the U.K.-based Guardian newspaper, was singled out for "aggressive reporting" that helped to "spark a debate about the relationship between the government and the public over issues of security and privacy."

Snowden began leaking documents to Guardian journalist Glenn Greenwald in late 2012 about the nature and scope of computer spying by the U.S. security agency. In June 2013, the first of those leaked documents were published and would be followed up by reports from The Guardian, The Washington Post, The New York Times, Der Spiegel, and many more newspapers and media outlets around the world.

Snowden's revelations have strained diplomatic relations between the United States and countries spied on digitally by the NSA. The U.S. government has attempted to assuage anger over the revelations, which have also sparked an internal debate in this country about how much government snooping at home and abroad is acceptable.

The Government Accountability Project (GAP), which has represented Snowden, said Monday that the Pulitzers won by the Post and Guardian US were a "direct result" of the NSA whistleblower's revelations.

"The Prize committee awards this Pulitzer to media outlets for their 'distinguished example of public service,' and this recognition therefore represents undeniable validation of the significance of the Snowden disclosures," said GAP executive director Bea Edwards.

"Americans are now aware of the dragnet electronic surveillance conducted by the NSA only because a whistleblower, Mr. Snowden, exposed it, and through The Washington Post and the Guardian US, sparked a national debate."

Included among the documents and reports were a number of confidence-shaking revelations for the tech industry. For example, it was reported last December that the NSA paid the computer security firm RSA $10 million to create a 'back door' entry point in its encryption software. RSA denied knowingly striking any such deal, but the damage was done: numerous regular attendees of the company's annual RSA Conference boycotted this year's event.


Fusion Centers: The 78 Local Intelligence Hubs Spying on Us All


While NSA surveillance has been front and center in the news recently, fusion centers are a part of the surveillance state that deserve close scrutiny.

Fusion centers are a local arm of the so-called "intelligence community," the 17 intelligence agencies coordinated by the National Counterterrorism Center (NCTC). The government documentation around fusion centers is entirely focused on breaking down barriers between the various government agencies that collect and maintain criminal intelligence information.

Barriers between local law enforcement and the NSA are already weak. We know that the Drug Enforcement Agency gets intelligence tips from the NSA which are used in criminal investigations and prosecutions. To make matters worse, the source of these tips is camouflaged using "parallel construction," meaning that a different source for the intelligence is created to mask its classified source.

This story demonstrates what we called "one of the biggest dangers of the surveillance state: the unquenchable thirst for access to the NSA's trove of information by other law enforcement agencies." This is particularly concerning when NSA information is used domestically. Fusion centers are no different.

In fact, in early 2012, the Foreign Intelligence Surveillance Court approved the sharing of raw NSA data with the NCTC. The intelligence community overseen by the NCTC includes the Department of Homeland Security and FBI, the main federal fusion center partners. Thus, fusion centers—and even local law enforcement—could potentially be receiving unminimized NSA data. This runs counter to the distant image many people have of the NSA, and it's why focusing on fusion centers as part of the recently invigorated conversation around surveillance is important.

What are fusion centers?

Fusion centers are information centers that enable intelligence sharing between local, state, tribal, territorial, and federal agencies. They are actual physical locations that house equipment and staff who analyze and share intelligence.

How many are there?

There are 78 recognized fusion centers listed on the Department of Homeland Security (DHS) website.

Who works at fusion centers?

Fusion centers are staffed by local law enforcement and other local government employees as well as Department of Homeland Security personnel. DHS "has deployed over 90 personnel, including Intelligence Officers and Regional Directors, to the field." Staffing agreements vary from place to place. Fusion centers are often also colocated with FBI Joint Terrorism Task Forces.

What do fusion centers do?

Fusion centers enable unprecedented levels of bi-directional information sharing between state, local, tribal, and territorial agencies and the federal intelligence community. Bi-directional means that fusion centers allow local law enforcement to share information with the larger federal intelligence community, while enabling the intelligence community to share information with local law enforcement. Fusion centers allow local cops to get—and act upon—information from agencies like the FBI.

Fusion centers are also key to the National Suspicious Activity Reporting Initiative (NSI), discussed below.

What is suspicious activity reporting?

The government defines suspicious activity reporting (SAR) as "official documentation of observed behavior reasonably indicative of pre-operational planning related to terrorism or other criminal activity." SARs can be initiated by law enforcement, by private sector partners, or by "see something, say something" tips from citizens. They are then investigated by law enforcement.

What is the National Suspicious Activity Reporting Initiative?

NSI is an initiative to standardize suspicious activity reporting. The NSI was conceived in 2008, and started with an evaluation project that culminated in a January 2010 report describing how NSI would encompass all fusion centers. It appears significant progress has been made towards this goal.

The evaluation project included so-called Building Communities of Trust (BCOT) meetings which focused "on developing trust among law enforcement, fusion centers, and the communities they serve to address the challenges of crime and terrorism prevention."

BCOT "community" events involved representatives from local fusion centers, DHS, and FBI traveling to different areas and speaking to selected community representatives and civil rights advocates about NSI. These were invite-only events with the clear purpose of attempting to engender community participation and garner support from potential opponents such as the ACLU.

So what's wrong with Suspicious Activity Reporting and the NSI?

SARs do not meet legally cognizable standards for search or seizure under the Fourth Amendment. Normally, the government must satisfy reasonable suspicion or probable cause standards when searching a person or place or detaining someone. While SARs themselves are not a search or seizure, they are used by law enforcement to initiate investigations, or even more intrusive actions such as detentions, on the basis of evidence that does not necessarily rise to the level of probable cause or reasonable suspicion. In other words, while the standard for SAR sounds like it was written to comport with the constitutional standards for investigation already in place, it does not.

In fact, the specific set of behaviors listed in the National SAR standards include innocuous activities such as:

"taking pictures or video of facilities, buildings, or infrastructure in a manner that would arouse suspicion in a reasonable person," and "demonstrating unusual interest in facilities, buildings, or infrastructure beyond mere casual or professional (e.g. engineers) interest such that a reasonable person would consider the activity suspicious. Examples include observation through binoculars, taking notes, attempting to measure distances, etc."

These standards are clearly ripe for abuse of discretion.

Do fusion centers increase racial and religious profiling?

The weak standards around SAR are particularly concerning because of the way they can lead to racial and religious profiling. SARs can originate from untrained civilians as well as law enforcement, and as one woman pointed out at a BCOT event, "people who might already be a little racist who are 'observing' a white man photographing a bridge are going to view it a little differently than people observing me, a woman with a hijab, photographing a bridge." The bottom line is that bias is not eliminated by so-called observed behavior standards.

Furthermore, once an investigation into a SAR has been initiated, existing law enforcement bias can come into play; SARs give law enforcement a reason to initiate contact that might not otherwise exist.

Unsurprisingly, like most tools of law enforcement, public records act requests have shown that people of color often end up being the target of SARs:

One review of SARs collected through Public Records Act requests in Los Angeles showed that 78% of SARs were filed on non-whites. An audit by the Los Angeles Police Department's Inspector General puts that number at 74%, still a shockingly high number.

A review of SARs obtained by the ACLU of Northern California also shows that most of the reports demonstrate bias and are based on conjecture rather than articulable suspicion of criminal activity. Some of the particularly concerning SARs include titles like "Suspicious ME [Middle Eastern] Males Buy Several Large Pallets of Water" and "Suspicious photography of Folsom Dam by Chinese Nationals." The latter SAR resulted in police contact: "Sac[ramento] County Sheriff's Deputy contacted 3 adult Asian males who were taking photos of Folsom Dam. They were evasive when the deputy asked them for identification and said their passports were in their vehicle." Both of these SARs were entered into FBI's eGuardian database.

Not only that, there have been disturbing examples of racially biased informational bulletins coming from fusion centers. A 2009 "North Central Texas Fusion Center Prevention Awareness Bulletin" implies that tolerance towards Muslims is dangerous and that Islamic militants are using methods such as "hip-hop boutiques" and "online social networks" to indoctrinate youths in America.

Do fusion centers facilitate political repression?

Fusion centers have been used to record and share information about First Amendment protected activities in a way that aids repressive police activity and chills freedom of association.

A series of public records act requests in Massachusetts showed: "Officers monitor demonstrations, track the beliefs and internal dynamics of activist groups, and document this information with misleading criminal labels in searchable and possibly widely-shared electronic reports." The documents included intelligence reports addressing issues such as internal group discussions and protest planning, and showed evidence of police contact.

For example, one report indicated that "Activists arrested for trespassing at a consulate were interviewed by three surveillance officers 'in the hopes that these activists may reach out to the officers in the future.' They were asked about their organizing efforts and for the names of other organizers."

Who oversees the National Suspicious Activity Reporting Initiative?

The NSI is led by the Program Manager for the Information Sharing Environment (PM-ISE) in collaboration with the DHS and the FBI. The ISE is "the people, projects, systems, and agencies that enable responsible information sharing for national security." The PM-ISE, currently Kshemendra Paul, oversees the development and implementation of the ISE. The position was created by the Intelligence Reform and Terrorism Prevention Act of 2004.

If this all sounds confusing, that's because it is: the entire intelligence community is a plethora of duplicative agencies with overlapping areas of responsibility.

What kind of information do fusion centers have?

Staff at fusion centers have access to a variety of databases. Not all staff have the same level of clearances, and the entire extent of what is available to fusion centers is unclear. But we do know certain facts for sure:

Fusion centers have access to the FBI's eGuardian database, an unclassified companion to the FBI's Guardian Threat Tracking System. "The Guardian and eGuardian systems . . . have a bi-directional communication ability that facilitates sharing, reporting, collaboration, and deconfliction among all law enforcement agencies."

Fusion centers also have access to DHS' Homeland Security Data Network and its companion Homeland Security Information Network. These systems provide access to terrorism-related information residing in DoD's classified network. It is worth noting that HSIN was hacked in 2009 and was considered so problematic that it was briefly decommissioned entirely.

Fusion centers have access to other information portals including the FBI's Law Enforcement Online portal, Lexis Nexis, the Federal Protective Service portal, and Regional Information Sharing Systems.

Finally, as discussed above, we know that unminimized NSA data can be shared with the National Counterterrorism Center, which means that fusion centers could be in receipt of such data.

What federal laws apply to fusion centers?

Because they are collaborative, legal authority over fusion centers is blurred, perhaps purposefully. However, there are some federal laws that apply. The Constitution applies, and fusion centers arguably interfere with the First and Fourth Amendments.

28 Code of Federal Regulations Part 23 governs certain federal criminal intelligence systems. The "Fusion Center Guidelines . . . call for the adoption of 28 CFR Part 23 as the minimum governing principles for criminal intelligence systems." 28 CFR 23.20 requires reasonable suspicion to collect and maintain criminal intelligence and prohibits collection and maintenance of information about First Amendment protected activity "unless such information directly relates to criminal conduct or activity and there is reasonable suspicion that the subject of the information is or may be involved in criminal conduct or activity." Finally, it prohibits inclusion of any information collected in violation of local law.

Section 552(a)(e)(7) of the Privacy Act prohibits federal agencies, in this case DHS personnel who work at fusion centers, from maintaining any "record describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual about whom the record is maintained or unless pertinent to and within the scope of an authorized law enforcement activity." A 2012 U.S. Senate Permanent Subcommittee on Investigations report on fusion centers stated: "The apparent indefinite retention of cancelled intelligence reports that were determined to have raised privacy or civil liberties concerns appears contrary to DHS's own policies and the Privacy Act."

What state or local laws apply to fusion centers?

Fusion centers are sometimes bound by local and state laws. The law enforcement agencies that feed information into centers may also be restricted in terms of what information they can gather.

The Northern California Regional Intelligence Center, located in San Francisco, CA, serves as a good example of how state and local regulations can apply to a fusion center. NCRIC works with law enforcement partners around the region and stores criminal intelligence information. The California constitution has a right to privacy and California has other laws that address privacy and criminal intelligence. These should cover NCRIC.

The San Francisco Police Department's relationship with NCRIC also serves as a good example of the applicability of local laws. SFPD participates in suspicious activity reporting, but is also bound by a number of restrictions, including Department General Order 8.10, which heavily restricts intelligence gathering by the SFPD, as well as the sanctuary city ordinance, which prohibits working with immigration enforcement. While the fusion center would not be bound by these regulations on its own, the SFPD is.

Who funds fusion centers?

Fusion centers are funded by federal and state tax dollars. Estimates of exactly how much funding fusion centers get from these sources are difficult to obtain. However, there are some numbers available.

For 2014, the Homeland Security Grant Program, which is the federal grant program that funds fusion centers, has $401,346,000 available in grant funds. The grant announcement emphasizes that funding fusion centers and integrating them nationally is a high priority. This is an approximately $50 million increase over last year's allocation—somewhat shocking in light of the critiques around fusion center funding that have been raised by Congress.

A 2008 Congressional Research Service report states that the average fusion center derives 31% of its budget from the federal government. Those numbers may have changed now.

Has there been any discussion about fusion centers at the federal level?

Yes, but not enough. In October of 2012, fusion centers were the subject of an extremely critical report from the U.S. Senate Permanent Subcommittee on Investigations. The bipartisan report focused on the waste, ineptitude, and civil liberties violations at fusion centers. The report revealed that fusion centers spent tax dollars on "gadgets such as 'shirt button cameras, $6,000 laptops and big-screen televisions. One fusion center spent $45,000 on a decked-out SUV..." Regarding the information produced by fusion centers, the report noted that fusion centers produced "'intelligence' of uneven quality – oftentimes shoddy, rarely timely, sometimes endangering citizens' civil liberties and Privacy Act protections, occasionally taken from already-published public sources, and more often than not unrelated to terrorism."

This report recommended a hard look at fusion center funding, but that clearly has not happened. They are still operating across the country with federal funding. In fact, their funding has even been increased.

What about at the local level?

There are grassroots privacy advocates in multiple cities fighting to get more information about fusion centers and how their local law enforcement participates in them. These efforts have been frustrated by stonewalling of public records act requests and uneducated, or at times dishonest, public officials.

Have any regulations been passed or proposed?

To date, only one place has passed regulations around fusion centers. Berkeley, CA, passed a policy in September 2012 that the Berkeley Police Department can only submit suspicious activity reports after establishing reasonable suspicion of criminal behavior, and put in place an audit of SARs.

Massachusetts is also considering changes to fusion centers. SB 642 would strictly limit collection and dissemination of criminal intelligence information and would require a yearly audit of the Massachusetts Commonwealth Fusion Center.

What can I do?

Fusion centers are an area ripe for grassroots organizing. Groups like the Stop LAPD Spying Coalition, which put together a "People's Audit" of SARs in LA, provide excellent examples of how this can happen. Public records act requests can be leveraged to get information about what your local law enforcement is doing. Grassroots organizing and education can get people and elected officials talking about this issue.

On April 10, activists across the country will be participating in "Stop the Spy Centers: a national day of action against fusion centers." These activists have three demands: 1. Shut down fusion centers, 2. De-fund fusion centers, and 3. Release all suspicious activity reports and secret files.

While April 10 is one day of action, the conversation around fusion centers must continue hand in hand with our national discourse around NSA, CIA, and FBI surveillance.

Where can I get more information about fusion centers?

This article first appeared on Electronic Frontier Foundation and is republished under Creative Commons license. Image by Tischenko Irina/Shutterstock.

Wide-area surveillance technology triggers privacy concerns

http://www.pbs.org/newshour/rundown/wide-area-surveillance-technology-triggers-privacy-concerns/

A look from above at wide-area surveillance technology in action. The tool is described in a new report by the Center for Investigative Reporting and KQED as “Google Earth with a rewind button.” Credit: CIR

A report from Center for Investigative Reporting and KQED posted Friday takes an in-depth look at new technologies that could revolutionize policing, including improvements to fingerprint databases and facial recognition software.

The piece also touches on the potential use of wide-area surveillance by law enforcement, a technology described as “Google Earth with a rewind button and the ability to play back the movement of cars and people as they scurry about the city.”

These new advances raise questions about how extensively the public is monitored by the government.

https://www.youtube.com/watch?feature=player_embedded&v=y2fEslRCsTY

To learn more about how the nation’s state of surveillance may be changing, I spoke with G.W. Schulz, Homeland Security Reporter for CIR.

“What we wanted to do was identify technologies that were coming around the corner for law enforcement agencies,” Schulz said.

“There’s already an ongoing 21st century discussion about the types of digital technologies that police are adopting and the potential privacy and civil liberties implications for them… We wanted to look a little bit further down the road to see what could be implemented in the coming years.”

https://www.youtube.com/watch?feature=player_embedded&v=6VkKeM-OK6g

More: http://cironline.org/reports/hollywood-style-surveillance-technology-inches-closer-reality-6228

NSA Reportedly Exploited Heartbleed For Spying—But Strongly Denies the Allegation

Because the agency hasn't already reportedly done enough.

http://www.nationaljournal.com/tech/nsa-reportedly-exploited-heartbleed-for-spying-but-strongly-denies-the-allegation-20140411

When it bleeds, it pours.

The National Security Agency reportedly knew of and exploited the massive Internet bug revealed to the public this week and known now as "Heartbleed" in order to gather intelligence information on targets.

This new revelation packs an extra twist that other recent NSA leaks have lacked: Regardless of its purpose for intelligence gathering, the NSA may have known for years about a historic security flaw that may have affected up to two-thirds of the Internet. Instead of trying to repair that flaw--which has potentially impacted countless people--the NSA reportedly manipulated it in secret.

"Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost," Bloomberg first reported Friday, citing two people "familiar" with the matter. "Millions of ordinary users were left vulnerable to attack from other nations' intelligence arms and criminal hackers."

In a statement late Friday afternoon, the NSA denied the Bloomberg report. "NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report," said agency spokeswoman Vanee Vines. "Reports that say otherwise are wrong."

In a follow-up statement, NSC Spokesperson Caitlin Hayden said that the Obama administration "takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL."

Unlike previous statements about alleged NSA activities, the statements made by the NSA and White House today are definitive, with little room for differing interpretations.

The Heartbleed bug was revealed publicly for the first time earlier this week, and has been described by numerous cybersecurity experts as one of the worst security glitches the web has ever encountered. Heartbleed is caused by a minor two-year-old flaw in software coding of a program known as OpenSSL that is meant to provide extra protection to websites.

Considerable attention has been paid to Heartbleed's potential use by criminal hackers to collect war chests filled with online passwords, personal information and banking data, but it remains unclear whether any such bad actors knew of or exploited it prior to its disclosure. A fix was rolled out five days ago, but concerns persist that much of the Internet's security has been compromised.

Some Internet freedom and privacy groups began speculating that intelligence agencies may have exploited Heartbleed for surveillance purposes shortly after news of the bug broke earlier this week. The Electronic Frontier Foundation suggested earlier exploitations of the bug detected in November of last year "makes a little more sense for intelligence agencies than for commercial or lifestyle malware."

Earlier Friday, the Department of Homeland Security issued guidance on Heartbleed, saying that "everyone has a role to play to ensuring [sic] our nation's cybersecurity."

This post was updated Friday afternoon after the NSA statement was released.

Metadata Is More Intrusive Than Direct Listening Of Phone Calls Says Snowden

http://www.countercurrents.org/cc070414A.htm

07 April, 2014
Countercurrents.org

Government monitoring of “metadata” is more intrusive than directly listening to phone calls or reading emails, cautioned Edward Snowden, the US NSA whistleblower, and Glenn Greenwald, the reporter who disclosed leaks by Snowden about mass US government surveillance last year.

Moreover, on the “Cuban Twitter” campaign, the USAID program to topple the Cuban government, Greenwald writes, citing top-secret documents: “This sort of operation is frequently discussed at western intelligence agencies, which have plotted ways to covertly use social media for ‘propaganda’, ‘deception’, ‘mass messaging’, and ‘pushing stories’.” The top-secret documents have now been published by The Intercept.

A Reuters report [1] said:

“Snowden and Greenwald …appeared together via video link from opposite ends of the earth on [April 5, 2014] for what was believed to be the first time since Snowden sought asylum in Russia.”

They issued the caution during the video conference.

“Metadata includes which telephone number calls which other numbers, when the calls were made and how long they lasted. Metadata does not include the content of the calls.

“Amnesty International is campaigning to end mass surveillance by the US government and calling for Congressional action to further rein in the collection of information about telephone calls and other communications.”

“Snowden and Greenwald said that such data is in fact more revealing than outright government spying on phone conversations and emails.

“‘Metadata is what allows an actual enumerated understanding, a precise record of all the private activities in all of our lives. It shows our associations, our political affiliations and our actual activities,’ said Snowden, dressed in a jacket with no tie in front of a black background.

“‘My hope and my belief is that as we do more of that reporting and as people see the scope of the abuse as opposed to just the scope of the surveillance they will start to care more,’ he said.

“‘Mark my words. Put stars by it and in two months or so come back and tell me if I didn’t make good on my word.’”

A Reuters/Ipsos poll this week showed the majority of Americans were concerned that Internet companies were encroaching on too much of their lives.

The Chicago datelined report said:

“A sympathetic crowd of nearly 1,000 packed a downtown Chicago hotel ballroom at Amnesty International USA’s annual human rights meeting and gave Greenwald, who dialed in from Brazil, a raucous welcome before Snowden was patched in 15 minutes later to a standing ovation.”

The leaks of secret documents made by Snowden, who had been working at an NSA facility, revealed a vast US government system for monitoring phone and Internet data. They deeply embarrassed the Obama administration, which in January banned US eavesdropping on the leaders of friendly countries and allies. However, Snowden faces arrest if he sets foot on US soil.

Greenwald has promised further revelations of government abuses of power at his new media venture, The Intercept.

More on “Cuban Twitter”

The Associated Press has recently exposed a secret program run by the US Agency for International Development to create “a Twitter-like Cuban communications network” run through “secret shell companies” in order to create the false appearance of being a privately owned operation with the aim of toppling the Cuban government through a “Cuban Spring” like event.

On this campaign for toppling the Cuban government, Glenn Greenwald writes:

“Unbeknownst to the service’s Cuban users was the fact that ‘American contractors were gathering their private data in the hope that it might be used for political purposes’–specifically, to manipulate those users in order to foment dissent in Cuba and subvert its government. According to top-secret documents published today [April 4, 2014] by The Intercept [3], this sort of operation is frequently discussed at western intelligence agencies, which have plotted ways to covertly use social media for ‘propaganda’, ‘deception’, ‘mass messaging’, and ‘pushing stories’.

“These ideas – discussions of how to exploit the internet, specifically social media, to surreptitiously disseminate viewpoints friendly to western interests and spread false or damaging information about targets – appear repeatedly throughout the archive of materials provided by NSA whistleblower Edward Snowden. Documents prepared by NSA and its British counterpart GCHQ – and previously published by The Intercept as well as some by NBC News – detailed several of those programs, including a unit devoted in part to ‘discrediting’ the agency’s enemies with false information spread online.

“The documents in the archive show that the British are particularly aggressive and eager in this regard, and formally shared their methods with their US counterparts. One previously undisclosed top-secret document – prepared by GCHQ for the 2010 annual ‘SIGDEV’ gathering of the ‘Five Eyes’ surveillance alliance comprising the UK, Canada, New Zealand, Australia, and the US – explicitly discusses ways to exploit Twitter, Facebook, YouTube, and other social media as secret platforms for propaganda.

“The document was presented by GCHQ’s Joint Threat Research Intelligence Group (JTRIG). The unit’s self-described purpose is ‘using online techniques to make something happen in the real or cyber world’, including ‘information ops (influence or disruption).’ The British agency describes its JTRIG and Computer Network Exploitation operations as a ‘major part of business’ at GCHQ, conducting ‘5% of Operations.’

“The annual SIGDEV conference, according to one NSA document published today [April 4, 2014] by The Intercept, ‘enables unprecedented visibility of SIGINT Development activities from across the Extended Enterprise, Second Party and US Intelligence communities.’ The 2009 Conference, held at Fort Meade, included ‘eighty-six representatives from the wider US Intelligence Community, covering agencies as diverse as CIA (a record 50 participants), the Air Force Research Laboratory and the National Air and Space Intelligence Center.’

“Defenders of surveillance agencies have often insinuated that such proposals are nothing more than pipe dreams and wishful thinking on the part of intelligence agents. But these documents are not merely proposals or hypothetical scenarios. As described by the NSA document published today, the purpose of SIGDEV presentations is ‘to synchronize discovery efforts, share breakthroughs, and swap knowledge on the art of analysis.’
“For instance: One of the programs described by the newly released GCHQ document is dubbed ‘Royal Concierge’, under which the British agency intercepts email confirmations of hotel reservations to enable it to subject hotel guests to electronic monitoring. It also contemplates how to ‘influence the hotel choice’ of travelers and to determine whether they stay at ‘SIGINT friendly’ hotels. The document asks: ‘Can we influence the hotel choice? Can we cancel their visit?’

“Previously, der Spiegel and NBC News both independently confirmed that the ‘Royal Concierge’ program has been implemented and extensively used. The German magazine reported that ‘for more than three years, GCHQ has had a system to automatically monitor hotel bookings of at least 350 upscale hotels around the world in order to target, search, and analyze reservations to detect diplomats and government officials.’ NBC reported that ‘the intelligence agency uses the information to spy on human targets through “close access technical operations”, which can include listening in on telephone calls and tapping hotel computers as well as sending intelligence officers to observe the targets in person at the hotels.’”

Greenwald writes:

“The GCHQ document we are publishing today expressly contemplates exploiting social media venues such as Twitter, as well as other communications venues including email, to seed state propaganda–GCHQ’s word, not mine–across the internet:

“(The GCHQ document also describes a practice called ‘credential harvesting’, which NBC described as an effort to ‘select journalists who could be used to spread information’ that the government wants distributed. According to the NBC report, GCHQ agents would employ ‘electronic snooping to identify non-British journalists who would then be manipulated to feed information to the target of a covert campaign’. Then, ‘the journalist’s job would provide access to the targeted individual, perhaps for an interview’. Anonymous sources that NBC didn’t characterize claimed at the time that GCHQ had not employed the technique.)

“Whether governments should be in the business of publicly disseminating political propaganda at all is itself a controversial question. Such activities are restricted by law in many countries, including the US. In 2008, The New York Times’ David Barstow won a Pulitzer Prize for exposing a domestic effort coordinated by the Pentagon whereby retired US generals posed as ‘independent analysts’ employed by American television networks and cable news outlets as they secretly coordinated their messaging with the Pentagon.

“Because American law bars the government from employing political propaganda domestically, that program was likely illegal, though no legal accountability was ever brought to bear (despite all sorts of calls for formal investigations). Barack Obama, a presidential candidate at the time, pronounced himself in a campaign press release ‘deeply disturbed’ by the Pentagon program, which he said ‘sought to manipulate the public’s trust.’

“Propagandizing foreign populations has generally been more legally acceptable. But it is difficult to see how government propaganda can be segregated from domestic consumption in the digital age. If American intelligence agencies are adopting the GCHQ’s tactics of ‘crafting messaging campaigns to go “viral”,’ the legal issue is clear: A ‘viral’ online propaganda campaign, by definition, is almost certain to influence its own citizens as well as those of other countries.

“For its part, GCHQ refused to answer any specific questions on the record, instead providing its standard boilerplate script which it provides no matter the topic of the reporting: ‘all of GCHQ’s work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight.’ The NSA refused to comment.

“But these documents, along with the AP’s exposure of the sham ‘Cuban Twitter’ program, underscore how aggressively western governments are seeking to exploit the internet as a means to manipulate political activity and shape political discourse.”

At the conclusion, he writes:

“Those programs, carried out in secrecy and with little accountability (it seems nobody in Congress knew of the ‘Cuban Twitter’ program in any detail) threaten the integrity of the internet itself, as state-disseminated propaganda masquerades as free online speech and organizing. There is thus little or no ability for an internet user to know when they are being covertly propagandized by their government, which is precisely what makes it so appealing to intelligence agencies, so powerful, and so dangerous.”

Source:

[1] April 6, 2014, “Snowden, Greenwald urge caution of wider government monitoring at Amnesty event”

[2] April 4, 2014, “The ‘Cuban Twitter’ Scam Is a Drop in the Internet Propaganda Bucket”, © First Look Productions

[3] The documents are: 1. “Full-Spectrum Cyber Effects”, and 2. “2009 SigDev Conference”