Archive

Monthly Archives: September 2013


“If a dictator ever took charge in this country, the technological capacity that the intelligence community has given the government could enable it to impose total tyranny, and there would be no way to fight back because the most careful effort to combine together in resistance to the government, no matter how privately it was done, is within the reach of government to know. Such is the capacity of technology.” –Senator Frank Church

Advertisements

Yes – It’s not only the US Government with the NSA, CIA, FBI etc. that is spying on Activists, Journalists and Dissidents – also other ‘mature democracies’ share this approach.

The European Commission is planning to award a public contract for a study on “European Capability for Situational Awareness. SMART 2013/N004″ Ref. Ares(2013)291778622/08/2013

See  ECSA Final Invitation to Tender  the ECSA Final Tender specifications and the ECSA Final Model contract

General Context
In times of social and political unrest, governments of mature and nascent democracies are
increasingly tempted to reduce freedom of speech and unrestricted access to information,
both offline and online.
It is undoubted that Internet and more broadly Information and Communication
Technologies (ICT´s) can be conducive to a more effective protection and exercise of
human rights across borders, facilitating freedom of expression and serving as a catalyst
for social change, cultural diversity, political expression and democratic prosperity.
However, the opportunities for pluralism and diversity brought about by these
technological developments are not risk-free. At the same time that the Internet has opened
up a platform for journalists, bloggers, human rights defenders, political activists and
citizens to make their voices heard, it has also allowed the use of sophisticated censorship
and surveillance methods by non-democratic regimes to silent political criticism.
It is in that scenario that ICTs are an essential contributing factor for the creation of
positive dynamics among citizens, freedom and democracy, as well as an unprecedented
enabler of dialogue: a key element in society that requires ensuring that all parties can
communicate, access and exchange information without restrictions, gateways or filters,
and with appropriate privacy and security protections.
DG CONNECT, in close cooperation with other services (DG Development and
Cooperation; DG Enterprise) and the European External Action Service (EEAS), has put in
place the No-Disconnect Strategy. The goal of this policy toolkit is to provide on-going
support to counter-censorship initiatives to facilitate the role of activists, political
dissidents, bloggers, journalists and citizens living and/or operating in high-risk
environments, making operational its commitment to uphold human rights and
fundamental freedoms online. This way, the No-Disconnect Strategy embraces the wider
EU strategy for Human Rights. (http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/EN/foraff/131181.pdf)
The No-Disconnect Strategy is part of the integrated response of the European Union to the
events that unfolded in the Middle East and North African region during the Arab Spring to
support and advance human rights and democracy in the region, as envisaged in the Joint
Communication of the Commission and the High Representative of the Union for Foreign
Affairs and Security Policy “A Partnership for Democracy and Shared Prosperity with
the Southern Mediterranean” (COM(2011) 200) (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2011:0200:FIN:EN:PDF)

Currently, the geographical scope of the Strategy is not limited to the aforementioned
region, but operates at global scale given the fact that the implementation of the No-
Disconnect Strategy is achieved in cooperation with other Services and through EU
global instruments such as the European Instrument for Democracy and Human
Rights (http://ec.europa.eu/europeaid/how/finance/eidhr_en.htm) led by DG Development and Cooperation; and the EU Strategic Framework on
Human Rights and Democracy, led by the European External Action Service. (http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/EN/foraff/131181.pdf)

————-

27.09.2013, JD

20130922-193319.jpg

ABSTRACT
In light of the recent PRISM-related revelations, this briefing note analyzes the impact of US surveillance programmes on European citizens’ rights. The note explores the scope of surveillance that can be carried out under the US FISA Amendment Act 2008, and related practices of the US authorities which have very strong implications for EU data sovereignty and the protection of European citizens’ rights.

EXECUTIVE SUMMARY
This Briefing note provides the LIBE Committee with background and contextual information on PRISM/FISA/NSA activities and US surveillance programmes, and their specific impact on EU citizens’ fundamental rights, including privacy and data protection.
Prior to the PRISM scandal, European media underestimated this aspect, apparently oblivious to the fact that the surveillance activity was primarily directed at the rest-of-the- world, and was not targeted at US citizens. The note argues that the scope of surveillance under the Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008 (FAA) has very strong implications on EU data sovereignty and the protection of its citizens’ rights.
The first section provides a historical account of US surveillance programmes, showing that the US authorities have continuously disregarded the human right to privacy of non-Americans. The analysis of various surveillance programmes (Echelon, PRISM) and US national security legislation (FISA, PATRIOT and FAA) clearly indicates that surveillance activities by the US authorities are conducted without taking into account the rights of non- US citizens and residents. In particular, the scope of FAA creates a power of mass- surveillance specifically targeted at the data of non-US persons located outside the US, including data processed by ‘Cloud computing’, which eludes EU Data Protection regulation.
The second section gives an overview of the main legal gaps, loopholes and controversies of these programmes and their differing consequences for the rights of American and EU citizens. The section unravels the legal provisions governing US surveillance programmes and further uncertainties in their application, such as:
– serious limitations to the Fourth Amendment for US citizens
– specific powers over communications and personal data of “non-US persons”;
– absence of any cognizable privacy rights for “non-US persons” under FISA
The section also shows that the accelerating and already widespread use of Cloud computing further undermines data protection for EU citizens, and that a review of some of the existing and proposed mechanisms that have been put in place to protect EU citizens’ rights after data export, actually function as loopholes.
Finally, some strategic options for the European Parliament are developed, and related recommendations are suggested in order to improve future EU regulation and to provide effective safeguards for protection for EU citizens’ rights.

Read the full document (pdf)

AUTHOR(S)
Mr Caspar BOWDEN (Independent Privacy Researcher)

Introduction by Prof. Didier BIGO (King’s College London / Director of the Centre d’Etudes sur les Conflits, Liberté et Sécurité – CCLS, Paris, France).

Copy-Editing: Dr. Amandine SCHERRER (Centre d’Etudes sur les Conflits, Liberté et Sécurité – CCLS, Paris, France)

Bibliographical assistance : Wendy Grossman

——————–
22.09.2013, JD

To the list members of Cypherpunks: I, Jim Bell (yes, THAT Jim Bell) have just (re-) subscribed to the Cypherpunks list.
(Pardon me if I don’t immediately attempt to relate the numerous reason(s) for my unfortunate 15-year absence.)

Of some relevance to the list is the recent publication (by the US Patent and Trademark Office, USPTO) of my fiber-optic patent application. See http://www.freepatentsonline.com/WO2013101261A1.html .
No, the patent hasn’t been granted yet. A brief description of the invention follows: A silica optical fiber in which the core and inner-cladding are made from silica in which the silicon-atom content is modified from the usual 92.23% (atom/atom) Si-28 content, 4.67% Si-29, and 3.2% Si-30. A few of the possible advantage are, increase of the velocity-factor of the fiber to over 90% of ‘c’ (as opposed to the 68% of ‘c’ of existing fibers); a reduction in optical loss by a factor of 10-20 compared to existing fiber’s 0.19 db/km; a factor of 10-20 reduction in ‘optical dispersion’ compared to existing fibers; an optical bandwidth increase to about 1000-1800 nanometers wavelength.
There is actually the prospect of some crypto-relevance here. There is the Bell’s theorem (not me, but John Stewart Bell’s) theorem to the EPR (Einstein Podolsky Rosen) paradox. See the Wikipedia article “Bell’s Theorem. This led to experimentation where a single ‘entangled photon’ was sent down two optical fibers in opposite directions. Eventually (30 or so kilometers apart, I believe) these photons were detected. See http://www.cleoconference.org/library/images/cleo/PDF/2009/09-plenary-aspect.pdf . My understanding is that the distance limitations of these experiments are determined primarily by the loss of the optical fiber. If so, then a reduction by a factor of 10-20 in optical loss will result in an increase of a corresponding factor of 10-20 increase in the maximum practical distance of these kinds of quantum-entanglement experiments. Presumably, this will lead eventually to the same degrees of increases in maximum distances over which quantum encryption could operate.
Jim Bell
——————-
20.09.2013, JD

Re: http://www.zdnet.com/nsa-cryptanalyst-we-too-are-americans-7000020689/

In his Big Data argument, NSA analyst Roger Barkan carefully
skips over the question of what rules there should be for government
*collecting* big data, claiming that “what matters” are the rules for
how the data is used, *after* assuming that it will be collected.

Governments seldom lose powers; they work to grow their powers, to
loosen the rules that govern what they can do. NSA’s metadata
database has fewer restrictions today than it did when it was
collected, all carefully “legal” and vetted by a unaccountable
bureacracy that has its own best interests at heart. My own Senator
Feinstein claims from her “oversight” post that whatever’s good for
NSA is good for America; my Congresswoman Pelosi worked hard to defeat
the bill that would have stopped the NSA phone metadata program in
its tracks; and both of them run political machines that have made
them “lifetime” congresspeople, no matter how out-of-step they are
with their constituents. NSA and these overseers conspired to keep
the whole thing secret, not to avoid “tipping off the terrorists” who
already knew NSA was lawless, but to avoid the public backlash that
would reduce their powers and maybe even reverse a decade of hugely
growing secret budgets.

Having watched the Drug War over the last 50 years, NSA for 30 years,
and TSA/DHS over the last decade, I have zero faith that NSA can
collect intimite data about every person in America and on the planet,
and then never use that data for any purpose that is counter to the
interest of the people surveilled. There will always be
“emergencies”, always “crises”, always “evildoers”, always
“opportunities”, that would be relieved “if we could just do X that
wasn’t allowed until now”. So what if general warrants are explicitly
forbidden? And if searching people without cause is prohibited? We
could catch two alleged terrorists — or a few thousand people with
sexual images — or 750,000 pot smokers — or 400,000 hard-working
Mexican migrants — every year, if we just use tricky legalisms to
ignore those pesky rules. So the government does ignore them. Will
you or your loved ones fall into the next witchhunt? Our largest city
was just found guilty of forcibly stopping and physically searching
hundreds of thousands of black and latino people without cause for a
decade — a racist program defended both before and after the verdict
by the Mayor, the Police Commission, the City Council, and state
legislators. NSA has secretly been doing warrantless, suspicionless,
non-physical searches on every American with a phone for a decade, all
using secret gerrymandered catch-22 loopholes in the published
constitution and laws, defended before and after by the President, the
Congress and all the courts. Make rules for NSA? We already have
published rules for NSA and it doesn’t follow them today!

So Mr Barkan moves on to why NSA would never work against the
citizens. The US imprisons more people than any country on earth, and
murders far more than most, but it’s all OK because those poor,
overworked, rule-bound government employees who are doing it are
“defending freedom”. Bullshit they are! Somehow scores of countries
have found freedom without descending to this level of lawlessness and
repression. NSA cannot operate outside of this context; rules that
might work in a hypothetical honest and free government, will not work
in the corrupt and lawless government that we have in the United
States.

NSA employees are accountable for following the rules, Mr. Barkan?
Don’t make me laugh. There’s a word for it: impunity. EFF has
diligently pursued NSA in court for most of a decade, and has still
gotten no court to even consider the question “is what NSA did legal?”
Other agencies like DoJ and HHS regularly retain big powers and
budgets by officially lying about whether marijuana has any medical
uses, rather than following the statutes, despite millions of
Americans who use it on the advice of their doctor. None of these
officials lose their jobs. Find me a senior federal official anywhere
who has ever lost their job over major malfeasance like wiretapping,
torture, kidnapping, indefinite imprisonment, assassination, or
malicious use of power — let alone been prosecuted or imprisoned for
it. Innocent citizens go to prison all the time, from neighborhood
blacks to medical marijuana gardeners to Tommy Chong and Martha
Stewart — high officials never.

Re Big Data: I have never seen data that could be abused by someone
who didn’t have a copy of it. My first line of defense of privacy is
to deny copies of that data to those who would collect it and later
use it against me. This is exactly the policy that NSA supposedly has
to follow, according to the published laws and Executive Orders: to
prevent abuses against Americans, don’t collect against Americans.
It’s a good first step. NSA is not following that policy.

Where Big Data collection is voluntary, I do not volunteer, thus I
don’t use Facebook, Google, etc. When collection is involuntary, like
with NSA’s Big Data, I work to limit their power, both to collect, and
to use; and then I don’t believe they will follow the rules anyway,
because of all the historical evidence. So I arrange my life to not
leave a big data trail: I don’t use ATMs, I pay with cash, don’t carry
identification, don’t use Apple or Google or Microsoft products, etc.

Your government will not make a big announcement when it has become a
police state. So if you’re a patriot, you’d better practice now: how
to avoid stupid mistakes that would let a police state catch you when
telling the truth to your fellow citizens becomes a crime — like it
did for Mr. Snowden, Ms. Manning, Mr. Ellsberg, Mr. Nacchio,
Mr. Assange, and Ms. Mayer (who claims she’s been dragged silently
kicking and screaming to spy on her customers rather than be
prosecuted for telling them the truth). NSA and its Big Data will not
be defending you when the secret police come to bust you for
publishing secrets. NSA will be on the cops’ and prosecutors’ side.
They have recently filed legal memos declaring that they don’t have to
help the defense side in any criminal trials, even when NSA has
exculpatory data, and even when NSA provided wiretapped Big Data that
led the prosecutors to you. Defending the citizens from the excesses
of government isn’t their job. Defending their turf, their budget,
and their powers is their job.

John Gilmore
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography

18.09.2013, JD

Original thread to follow: http://www.metzdowd.com/pipermail/cryptography

_______________________________________________

To: cryptography[at]metzdowd.com, gnu[at]toad.com
Date: Sat, 14 Sep 2013 20:37:07 -0700
From: John Gilmore <gnu[at]toad.com>
Subject: [Cryptography] A lot to learn from “Business Records FISA NSA Review”

See:

https://www.eff.org/document/nsa-business-records-fisa-redactedex-ocr

This is one of the documents that an EFF Freedom of Information lawsuit asked for.  The government had been claiming they could not release ANY FISA court orders or submissions.  When the President ordered the intelligence community to declassify more info in order to present a fuller picture of the issues that Edward Snowden’s leaked documents raised, they went back through all the relevant documents and, last week, released hundreds of pages in a rough dozen documents, that they had initially claimed were exempt.  I read this document the other night and learned a lot.  I encourage y’all to read it — and other recently released documents.

These are not “leaked” documents from Mr. Snowden.  These are officially released documents from the NSA and Department of Justice. While their choice of “what to release and what to black out” may have been self-serving, the documents themselves are real and official. They candidly describe a particular part of NSA’s internal operations that relate to the telephone metadata collected about on everyone in the US.

Their main goal in writing this document was to convince the FISA court (which had ordered them in 2009 to stop accessing the telephone metadata after NSA told the court that some of it had leaked outside the boundaries of the FISA court order) that they had their processes in hand and that the court should let them go back to accessing the
metadata.

Their main goal in declassifying it is, I believe, to convince the public that they are being very diligent to the court’s orders and to the limits that the court places on them.  And to detail all the internal restrictions, checks and balances that they go through while collecting, processing, accessing and releasing this telephone metadata.  To show “the whole elephant”.

And to that extent, they succeeded, both with the court and with me.

(However, I think the secret court made a fundamental error in ruling that collecting info about everybody’s phone calls is “relevant” to any particular terrorism investigation.  That assertion reminds me of John Yoo’s since-repudiated assertions from the early Bush days, like “it isn’t torture unless you really intend to cause great bodily injury” and “the President has inherent power to do anything he wants”.  When you start from a severely false premise, you can go a long way into the wilderness before you notice your error.)

What NSA and DCI and DoJ also revealed, around the edges of this document, is a lot of small bits of information about how the NSA technical and managerial infrastructure works.  Much of this is information that we “already knew”, or could have guessed based on already existing information, but some of it is not.  This document supplies some context that help to fit the puzzle pieces together.

Things I learned there include:

*  NSA’s internal infrastructure runs on Unix.  (Linux is a branch of Unix.)  Their analysts log in to Unix machines with logins and passwords, as we do, and they use the standard Unix/Linux file access controls (“user, group, and other” permissions).

*  They use web servers and web browsers and HTML and URLs to deliver their data to their “customers” at the FBI, CIA, and NCTC.

*  NSANET, their internal Internet, is not encrypted!  (It is almost certainly protected by link encryption and fiber signal strength monitoring when it crosses from one place to another, but not inside their secured buildings.)  It’s just a bunch of machines plugged into Ethernets, running standard protocols, like what all of our infrastructure uses.

*  I’m guessing the reason NSANET isn’t encrypted is because they don’t seem to have any better encryption protocols for general use inside NSA than we do outside.  E.g. they don’t seem to have automatic end-to-end encryption.  So in order to be able to buy standard machines and plug them in and use them, they have to run their whole net unencrypted.  (I think it’s funny that because my old effort to embed automatic Opportunistic Encryption in Linux and IPSEC failed, therefore NSA’s internal network isn’t encrypted. Like they couldn’t do it themselves!)

*  They use a “PKI” (public key infrastructure) to control access to some databases inside NSANET.  When they wanted to stop one part of NSA’s tech infrastructure from accessing the telephone metadata, hey removed the “certificate” that gave it access credentials.

In other words, when it comes to general purpose computing, they are running on almost exactly the same kind of infrastructure we are — nothing better.  This makes sense, but I had expected that with billions of tax dollars every year they had made some improvements in the security, authenticity and integrity of their protocols and software.  (But, I worked at Sun, which spent billions of dollars a year on engineering their hardware and software, and Sun’s machines weren’t much better than their competitors’ at security, authenticity or integrity either.)  We in the outside world *invented* all of NSA’s infrastructure.  They buy it from us, and are just “users” like most computer users.  (Yes, they have programmers and they write code, but their code seems mostly applications, not lower level OS improvements or protocols.  I’m not talking about the parts of NSA that find security holes in other peoples’ infrastructure, nor the malware writers.)

So go read the document anyway!  Don’t believe what I tell you… draw your own conclusions.

Also it seems that:

*  The vast majority of the information that they are squirting around inside NSA, searching and correlating, comes with no particular restrictions other than those that they impose internally (like not revealing things that disclose their sources and methods) and the general restrictions on releasing information about US persons.  They got that data “legally”, or anyway, “fair and square”, by stealing it from signals in other countries, and they can do what they want with it.  Having to deal with a judge who can put arbitrary restrictions on what they can do with a large database is a novel experience for them, and one that neither their personnel nor their infrastructure is properly set up to handle.  That’s why they found that data was “leaking” from the telephone metadata database nine or ten ways that they hadn’t yet noticed until they did an end-to-end review. The leaks were mostly fairly minor, but if they hadn’t been forced to do the review, it’s clear that more and more of NSA would have just been treating the telephone metadata like any other piece of stolen data.

*  Their “need to know” culture and the maze of classifications and code words often prevents the right hand from knowing what the left hand is doing.  This is deliberate and is to help figure out who the insider threats (“moles”) are, based on who had access to what info before it leaked outside NSA.  But the result is also that nobody is really in charge.  There are too many details that don’t percolate up and down the chain of command, so stuff happens that isn’t supposed to happen.  Like, the programmers who wrote the code for accessing the stored database of telephone metadata knew that it could only be accessed with a search term (“selector”) that met the court’s standard for “RAS” (“Reasonable Articulable Suspicion”), so they coded the software to check for that.  But the separate programmers who wrote the code for IMPORTING new data into the database from the telcos, didn’t know that, so they wrote an “Alert list” (renamed “Activity Detection List” during the review) that would send a note to an analyst whenever new data came in for any selector on the list (e.g. when someone of interest to that analyst made a phone call).  These selectors were not restricted to those that met the court’s standards, and indeed most of the selectors on the list did NOT meet the standard (it had 1,935 RAS approved selectors and 15,900 unapproved ones).  This is not because they tried to get around the court — but because they were not in control of their own infrastructure, because of lack of internal sharing of relevant information.  Free cultures really do  outperform authoritarian ones!

This is all useful information.  I recommend that folks also read other documents that came out of that FOIA case — there are about a dozen, all listed on the EFF web site here:

https://www.eff.org/deeplinks/2013/09/government-releases-nsa-surveillance-docs-
and-previously-secret-fisa-court

In that list, this one is called “June 25, 2009 — Implementation of the Foreign Intelligence Surveillance Court Authorized Business Records FISA”.

John
_______________________________________________
The cryptography mailing list
cryptography[at]metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography

_______________________________________________

15.09.2013, JD

 

%d bloggers like this: