Category Archives: Security

Revealed: FBI can demand web history, phone location data without a warrant

Zack Whittaker at ZDNet: The FBI can compel companies and individuals to turn over vast sums of personal data without a warrant, it has been revealed for the first time.

In a case that’s lasted more than a decade, a court filing released Monday showed how the FBI used secret interpretations to determine the scope of national security letters (NSLs).

Nicholas Merrill, founder of internet provider Calyx Internet Access, who brought the 11-year-old case to court after his company was served a national security letter, won the case earlier this year.

National security letters are almost always bundled with a gag order, preventing Merrill from speaking freely about the letter he received.

While it was known that national security letters can demand customer and user data, it wasn’t known exactly what.

In a statement on Monday, Merrill revealed the FBI has used its authority to force companies and individuals to turn over complete web browsing history; the IP addresses of everyone a person has corresponded with; online purchase information, and also cell-site location information, which he said can be used to turn a person’s phone into a “location tracking device.”

According to a release, the FBI can also force a company to release postal addresses, email addresses, and “any other information which [is] considered to be an electronic communication transactional record.”

Merrill said in remarks: “The FBI has interpreted its NSL authority to encompass the websites we read, the web searches we conduct, the people we contact, and the places we go. This kind of data reveals the most intimate details of our lives, including our political activities, religious affiliations, private relationships, and even our private thoughts and beliefs.”

Federal district judge Victor Marrero described in his decision that the FBI’s position was “extreme and overly broad.”

He also found that the FBI’s overbroad gag order on Mr. Merrill “implicates serious issues, both with respect to the First Amendment and accountability of the government to the people.”

Merrill is the first person who has succeeded in completely lifting a national security letter gag order.

The Patriot Act expanded the reach of national security letters when it was signed into law a month after the September 11 attacks in 2001.

More than ten thousand national security letters are issued by the FBI every year, without a warrant or judicial oversight.

These letters have been surrounded with controversy for years, leading to many unsuccessful attempts to litigate against them. Major companies, including Google, have challenged national security letters, with little luck. Microsoft recently challenged an order, which led to the FBI to withdraw the demand.

In 2008, a US court found the National Security Letter statute, amended by the Patriot Act in 2001, was unconstitutional.

In a separate case in 2013, the gag order provision was found to be in breach of the First Amendment. The government appealed the ruling.


ZDNet – Revealed: FBI can demand web history, phone location data without a warrant

Yale – Merrill v. Lynch – Unredacted Decision Vacating Gag Order.pdf

Yale – Merrill v. Lynch – Unredacted Attachment to 2004 NSL.pdf


Why the Internet Governance Forum is Important to Us


Since the IGF’s inception at the World Summit on the Information Society (WSIS) in 2005, it has served as an invaluable space for governments, civil society, academia, the technical community, and the private sector to learn from one another, share best practices and policy recommendations, and collaborate with new partners. Over the years, Public Knowledge has welcomed this opportunity for stakeholders to come together and develop their vision for the future of the Information Society. However, the IGF’s mandate is set to expire at the end of this year and its course will be determined at the ten-year review of the WSIS (WSIS+10) on December 15-16. For this reason, Public Knowledge signed a joint statement on the final phase of the WSIS+10 negotiations to convey that it is time to do the following:

  • renew the IGF and implement recommendations for its improvement;
  • preserve the multistakeholder model of governance; and
  • promote access to an open and inclusive Internet.

Platforms like the IGF are a crucial venue for open and collaborative multistakeholder dialogue that will help shape the future of the Internet. Extending its mandate will be a step towards achieving a secure and open Internet. Over 100 organizations and individuals have already signed on to the joint statement, and we urge you to add your support as well.


Discussions about cybersecurity and human rights online were prevalent at this year’s IGF.  Public Knowledge contributed to these topics through various meetings, panels, and workshops. This included hosting a cybersecurity strategy meeting with Latin American digital rights advocates to identify venues and ways for Latin American civil society to engage in the cybersecurity debate. This effort is also tied to our forthcoming cybersecurity program to support civil society’s engagement in the development of their respective national cybersecurity agendas. To learn more about our work in this area, please see our Cybersecurity and Human Rights issue page

Additionally, Public Knowledge’s Vice President of International Policy, Carolina Rossini, co-organized and moderated a panel entitled “How Trade Agreements Shape the Future of Internet Governance.” The session included a diverse group of representatives from civil society, the European parliament, business, academia, and the U.S. government, and the discussion focused on the impact of bilateral and multilateral trade agreements on Internet governance.

This is a particularly important topic that we believe more digital rights activists need to follow. Trade negotiations are increasingly becoming the vehicles for norm setting on Internet policy issues, such as intellectual property, domain names, e-commerce, human rights, privacy, cybersecurity, spectrum, access to telecommunications, and the free flow of information. Many of these negotiations are being held in secrecy, among governments and few private sector lobbies. The Trans Pacific Partnership (TPP) and the current negotiations of the Trade in Services Agreement (TISA) and Transatlantic Trade and Investment Partnership (TTIP) are prime examples of this. The panel assessed how the inclusion of these Internet policy issues, in closed door, state-to-state agreements, impact the future of multistakeholder Internet governance and the digital rights at stake.

Finally, in an IGF pre-event, we joined the Association for Progressive Communications, the Center for Democracy and Technology, Coding Rights, and Global Partners Digital in a WSIS+10 strategy meeting to discuss the main issues at stake and coordinate with other organizations to ensure that civil society priorities are strongly reflected in the WSIS+10 review. Such priorities include aligning the WSIS+10 review with the Sustainable Development Goals, bridging the digital divide, and protecting human rights online, such as the right to privacy and access to information.

New York Times claims NSA kept e-mail spying program

Charlie Savage at New York Times: When the National Security Agency’s bulk collection of records about Americans’ emails came to light in 2013, the government conceded the program’s existence but said it had shut down the effort in December 2011 for “operational and resource reasons.”

While that particular secret program stopped, newly disclosed documents show that the N.S.A. had found a way to create a functional equivalent. The shift has permitted the agency to continue analyzing social links revealed by Americans’ email patterns, but without collecting the data in bulk from American telecommunications companies — and with less oversight by the Foreign Intelligence Surveillance Court.


The disclosure comes as a sister program that collects Americans’ phone records in bulk is set to end this month. Under a law enacted in June, known as the U.S.A. Freedom Act, the program will be replaced with a system in which the N.S.A. can still gain access to the data to hunt for associates of terrorism suspects, but the bulk logs will stay in the hands of phone companies.

The newly disclosed information about the email records program is contained in a report by the N.S.A.’s inspector general that was obtained by The New York Times through a lawsuit under the Freedom of Information Act. One passage lists four reasons that the N.S.A. decided to end the email program and purge previously collected data. Three were redacted, but the fourth was uncensored. It said that “other authorities can satisfy certain foreign intelligence requirements” that the bulk email records program “had been designed to meet.”

The report explained that there were two other legal ways to get such data. One was the collection of bulk data that had been gathered in other countries, where the N.S.A.’s activities are largely not subject to regulation by the Foreign Intelligence Surveillance Act and oversight by the intelligence court. Because of the way the Internet operates, domestic data is often found on fiber optic cables abroad.

The N.S.A. had long barred analysts from using Americans’ data that had been swept up abroad, but in November 2010 it changed that rule, documents leaked by Edward J. Snowden have shown. The inspector general report cited that change to the N.S.A.’s internal procedures.

The other replacement source for the data was collection under the FISA Amendments Act of 2008, which permits warrantless surveillance on domestic soil that targets specific noncitizens abroad, including their new or stored emails to or from Americans.

“Thus,” the report said, these two sources “assist in the identification of terrorists communicating with individuals in the United States, which addresses one of the original reasons for establishing” the bulk email records program.

Timothy Edgar, a privacy official in the Office of the Director of National Intelligence in both the George W. Bush and Obama administrations who now teaches at Brown University, said the explanation filled an important gap in the still-emerging history of post-Sept. 11, 2001, surveillance.

“The document makes it clear that N.S.A. is able to get all the Internet metadata it needs through foreign collection,” he said. “The change it made to its procedures in 2010 allowed it to exploit metadata involving Americans. Once that change was made, it was no longer worth the effort to collect Internet metadata inside the United States, in part because doing so requires N.S.A. to deal with” restrictions by the intelligence court.

Observers have previously suggested that the N.S.A.’s November 2010 rules change on the use of Americans’ data gathered abroad might be connected to the December 2011 end of the bulk email records program. Marcy Wheeler of the national security blog Emptywheel, for example, has argued that this was probably what happened.

And officials, who spoke on the condition of anonymity to discuss sensitive collection programs, have said the rules change and the FISA Amendments Act helped make the email records program less valuable relative to its expense and trouble. The newly disclosed documents amount to official confirmation.

The N.S.A. and the Office of the Director of National Intelligence did not respond to a request for comment.


New York Times: File Says N.S.A. Found Way to Replace Email Program

New York Times: NSA Declassifies Inspector General Reports About Defunct Bulk E-mail Metadata Program

Charlie Savage: NYT/Savage Freedom of Information Act Litigation

Microsoft to host data in Germany, allegedly to hide it from US intelligence agencies

James Vincent at The Verge: Microsoft is opening new data centers in Germany to allow European customers to hide their digital information from US government surveillance. The new data centers will open in late 2016 and will be operated by a subsidiary of Deutsche Telekom. However, The Financial Times notes that customers will have to pay extra to store their data in this way.

“These new data centre regions will enable customers to use the full power of Microsoft’s cloud in Germany […] and ensure that a German company retains control of the data,” said Microsoft CEO Satya Nadella at a press conference in Berlin this morning.


The announcement is the latest move in an ongoing battle between US tech companies and the American government over access to foreign-held data. Companies like Microsoft and Google want to retain the trust of their users after the Snowden revelations, but have to contend with American police and spy agencies who want the same privileged access they’ve always enjoyed.

An ongoing legal battle between Microsoft and a New York court exemplifies the debate, with the US authorities demanding access to the emails of an American citizen stored in Ireland and Microsoft refusing to hand over the data.

Although Microsoft could still lose in this particular case, opening new data centers in Germany will provide a future safeguard against US demands for data.

The company has also announced plans for new data centers in the UK, but Germany’s data-protection laws are some of the most rigorous in Europe. By placing its data centers under the control of a Germany company as a “data trustee,” Microsoft is forcing any requests for information to be routed through Germany authorities.

It’s an approach that’s comparable to Apple’s use of encryption that even the iPhone-maker can’t break — theoretically taking away the option of government authorities forcing the company to give up users’ data.

However, none of these tactics are ever completely secure. For example, the Snowden revelations showed that despite Europe’s outward desire for data sovereignty, many local spy agencies still funneled European citizens’ data to the NSA. Paul Miller, an analyst for Forrester, notes that although Microsoft is confident in the security of German servers, this arrangement has yet to be tested in the courts. “To be sure, we must wait for the first legal challenge. And the appeal. And the counter-appeal,” said Miller.

More importantly, though, Microsoft’s decision could end up affecting more than just its own users. If the German trustee model becomes a recognized standard for data security, then customers of other cloud computing firms like Google and Amazon could demand similar arrangements. EU officials might also be emboldened by the move.

Last month, the EU Court of Justice invalidated the longstanding Safe Harbor treaty allowing US companies to send data on European citizens back to America. The treaty is currently being renegotiated, and Microsoft’s support for the data trustee model could feed into these debates.


The Verge: Microsoft will host data in Germany to hide it from US spies

PR Newsire UK: Microsoft Announces Plans to Offer Cloud Services from German Datacenters

Microsoft Germany: Microsoft Cloud in Deutschland

Facebook to let you know if the government is spying on you

Rob Thubron at TechSpot: Facebook will now notify people it believes have accounts that are being spied on by government agencies such as the NSA.

Facebook Chief Security Officer Alex Stamos wrote in a blog post that “while we have always taken steps to secure accounts that we believe to have been compromised, we decided to show this additional warning if we have a strong suspicion that an attack could be government-sponsored”.

Precisely how Facebook knows that the hacks are originating from government agencies isn’t explained, although experts could identify the source of the intrusion by the servers that are used in the breach or by the type of malware or exploit used to attack a computer. Stamos said: “To protect the integrity of our methods and processes, we often won’t be able to explain how we attribute certain attacks to suspected attackers […] We plan to use this warning only in situations where the evidence strongly supports our conclusion.”

Facebook warning

Facebook suggests that any users who are notified that their accounts may be the target of state-sponsored hackers should “rebuild or replace” any hardware that may have been infected by malware. It also advises people to turn on login approvals; a feature that sends a one-time authorization passcode to a user’s cell phone whenever Facebook detects someone accessing their account from a new browser or device.

Facebook’s announcement comes at a time when an increasing number of internet users fear their privacy may be at risk from government intrusion. While the move will likely be welcomed by the social media giant’s billion plus userbase, it remains to be seen how various governments will respond to the new measures.


TechSpot: Facebook will now let you know if the government is spying on you

Facebook: Notifications for targeted attacks

Flooding the system: Climate change could knock the Internet offline

Author: Joshua Eaton
Source: Aljazeera America
Date: October 12, 2015
Additional Source: The GroundTruth Project

While the global Internet seems a genuine model of resilience, events like Hurricane Katrina in 2005 and Sandy in 2012 have shown how quickly it can break down on a local level. With climate change set to increase the intensity and frequency of severe weather, there is a fear that extreme events could unpredictably wreak havoc on parts of the Internet.

The Internet depends on buildings, wires, servers and conduits. And that physical infrastructure is just as vulnerable as any other. That has government, industry and nonprofits all working to build sturdier infrastructure before the next catastrophic storm hits.

With temperatures rising and sea levels mounting, storms like Katrina will become both more common and more dangerous, according to the 2014 National Climate Assessment. A stretch of the East Coast between North Carolina and Massachusetts will be especially vulnerable to storm surge — a wall of ocean water pushed onto shore — as it experiences considerably greater sea level rise than the worldwide average, according to a U.S. Geological Survey study. Other parts of the country will continue to see increases in flooding, droughts and wildfires, detrimentally affecting critical infrastructure.

Unlike some other parts of critical infrastructure, the Internet is built with redundancies. Global Internet traffic was quickly rerouted when major network hubs in New York City went down during Sandy, according to separate analyses of network traffic by Dyn and the RIPE Network Coordination Center. Other major storms, like Katrina, have also had little effect on the global flow of Internet traffic.  But that does not mean local outages can’t cause big problems.

Many service providers in New York have reinforced their infrastructure since Hurricane Sandy, switching from easily damaged copper cables to flood-resistant fiber optics or relocating backup power to higher floors. But it’s not just New York City’s telecom infrastructure that’s at risk.

Four months before Sandy, severe thunderstorms took down an Amazon data center in northern Virginia, temporarily bringing down Netflix, Instagram and Pinterest. Earlier this year, thousands of people in western Australia lost Internet access when temperatures hit 111 degrees Fahrenheit and knocked out an iiNet data center.

Example: As a vulnerable coastal city Boston is working to move its government data servers to safer locations outside of the central hub. However, as 90% of the local area relies on the private company Comcast for internet service, if Comcast went down due to an environmental concern, most of the city would loose connection with it.
Risk of service providers creating a monopoly: Franklin-Hodge hopes the city can diversify its broadband market and build more resilient infrastructure by encouraging greater competition. But he won’t rule out regulation, if that’s what it takes.

“Their broadband services are more or less unregulated, and there is no market pressure that is pushing them to provide better resiliency or redundancy,” he said of Comcast. “There’s no governmental oversight organization that is monitoring what they’re doing. That is a very high risk.”

Solution: Now groups in New York City, Silicon Valley, Detroit and elsewhere are trying to buck that trend with small, decentralized networks that can plug into the broader Internet or provide local communication if Internet access goes down.

he goal isn’t just to build more durable machines, according to Greta Byrum, a senior field analyst for New America’s Resilient Communities program. The project also aims to build the human connections, technical skills and local knowledge that will make those machines useful in an emergency.

“What we see over and over again is it’s individual and citizen-based responses that are really vital for the survival of communities … We need to have local and small-scale and easily fixed communications systems in an emergency or disaster,” she said.


Tagged , , , , , , ,

Update of computer security company AVG’s privacy policy reveals allowance to sell users’ internet browsing history data

James Temperton at Wired UK: Security firm AVG can sell search and browser history data to advertisers in order to “make money” from its free antivirus software, a change to its privacy policy has confirmed.

The updated policy explained that AVG was allowed to collect “non-personal data”, which could then be sold to third parties. The new privacy policy comes into effect on 15 October, but AVG explained that the ability to collect search history data had also been included in previous privacy policies, albeit with different wording.

Updated AVG privacy policy.

AVG’s potential ability to collect and sell browser and search history data placed the company “squarely into the category of spyware”, according to Alexander Hanff security expert and chief executive of Think Privacy.

In a statement AVG said it had updated its privacy policy to be more transparent about how it could collect and use customer data.

An AVG spokesperson told WIRED that in order to continue offering free security software the company may in the future “employ a variety of means, including subscription, ads and data models.”

“Those users who do not want us to use non-personal data in this way will be able to turn it off, without any decrease in the functionality our apps will provide,” the spokesperson added. “While AVG has not utilised data models to date, we may, in the future, provided that it is anonymous, non-personal data, and we are confident that our users have sufficient information and control to make an informed choice.”

AVG is the third most popular antivirus product in the world according to market analysis from software firm Opswat.

Orla Lynskey, a data protection and IT law expert from London School of Economics, welcomed the change in language but said users would be justifiably concerned by the implications. “Its privacy policy is written in clear and simple language,” she told WIRED, adding that users might expect an antivirus provider to be “more respectful” of their privacy and data security.

“It appears that AVG is adopting a generous interpretation of the data protection rules in order to justify its data use policy,” Lynskey argued. “Although some of the data they classify as ‘non-personal’ might not identify individuals directly, they may be indirectly identifiable based on that data.”

Full Article: Wired UK – AVG can sell your browsing and search history to advertisers