By Aidan Booth and Adina Schwartz
December 23, 2014
In an amicus brief filed in the United States Court of Appeals for the Second Circuit in support of Microsoft’s appeal of Judge Preska’s ruling authorizing a search warrant for a customer’s data stored on a Microsoft server in Ireland, the Irish government rejected the United States government’s position that “it is required to intervene into foreign court proceedings to protect its sovereign rights in respect of its jurisdiction.” Ireland stated that it “would be pleased to consider, as expeditiously as possible” a United States government request under the Mutual Legal Assistance Treaty (“MLAT”) for the Microsoft data, and sought to inform the Second Circuit of the Supreme Court of Ireland case of Walsh v. National Irish Bank  1 ESC 2. Although it ordered a branch of the National Irish Bank in the Isle of Man to disclose details of a customer account, the Walsh Court reasoned that Irish courts would order the disclosure of records held by an Irish entity in a foreign country only “in the absence of alternative means of obtaining information for a criminal or similar investigation.” The Irish government asserted that, by contrast to the situation in Walsh, the United States could use the MLAT as an alternative means for obtaining the Microsoft data in Ireland.
The Irish Government’s amicus brief and Walsh v. National Irish Bank are available, respectively, at http://digitalconstitution.com/wp-content/uploads/2014/12/Ireland-Amicus-Brief.pdf and http://ie.vlex.com/vid/walsh-v-national-irish-bank-limited-416337310
See here for a discussion of the Irish Government’s amicus brief, and the April 25, June 10, July 31, August 13, September 2 and 10, November 19 and December 9 and 15 entries below for discussion of and links to articles and legal documents pertaining to the Microsoft case.
December 22, 2014
On the basis of court files, interviews with current and former Indian, UK and US officials, and classified documents, including ones leaked by Snowden, The New York Times, ProPublica, and the PBS series “Frontline” reported that before the massive three-day terrorist attack by Pakistani group Lashkar-e-Taiba (“Lashkar”) in Mumbai in November 2008, UK and Indian intelligence services had accessed relevant online communications and web searches by Lashkar’s technology chief, Zarrar Shah. Independent electronic and human sources had provided the US with information, but the intelligence agencies failed to connect the data to prevent the attack.
Among clues missed by the US was information provided by his wife about the terrorist sympathies and mysterious activities in Mumbai of David Coleman Headley, a Pakistani-American who scouted the locations for the Mumbai attacks. Almost immediately after the Mumbai attack, Mr. Headley became involved in the Lashkar plot against the Danish newspaper that published cartoons of the Prophet Mohammed.
Shivshankar Menon, a retired Indian government official who was foreign secretary at the time of the Mumbai attacks and later became the national security adviser, stated that, “No one put together the whole picture. Not the Americans, not the Brits, not the Indians.” A top American official said, “It’s not that things were missed – they were never put together.” In response to questions about whether the GCHQ should have had “strong suspicions of a looming attack,” a UK official issued the statement: “We do not comment on intelligence matters. But if we had had critical information about an imminent act of terrorism in a situation like this we would have shared it with the Indian government. So the central allegation of this story is completely untrue.”
According to a top-secret NSA document, cooperation among the UK, Indian, and US intelligence agencies enabled a “complete operations plan for the attacks” to be put together in retrospect. The retired Indian official, Mr. Menon, said that, “[O]nly once the shooting started did everyone share,” and then “the picture instantly came into focus.”
December 15, 2014
Ten amicus briefs, whose signatories included technology companies, trade associations, media organizations, and 35 computer science professors, were filed before the United States Court of Appeals for the Second Circuit in support of Microsoft’s appeal of a ruling by Judge Preska of the United States District Court for the Southern District of New York requiring Microsoft to comply with a search warrant authorizing the United States Department of Justice to obtain a customer’s email and other documents stored on a Microsoft server in Ireland.
A posting on the amicus briefs by Microsoft’s General Counsel and Executive Vice President, Legal and Corporate Affairs, Brad Smith, is at http://blogs.microsoft.com/blog/2014/12/15/business-media-civil-society-speak-key-privacy-case/
A list of the signatories to the briefs is available at http://mscorp.blob.core.windows.net/mscorpmedia/2014/12/Amicus-Briefing-Filers_Supporters2.pdf
See the April 25, June 10, July 31, August 13, September 2 and 10, November 19 and December 9 entries below for discussion of and links to articles and legal documents pertaining to the case.
December 12, 2014
Germany’s constitutional court ruled that the government could prevent the Green and Left parties from inviting Edward Snowden into Germany to give evidence before a parliamentary committee investigating NSA surveillance. Arguing that Snowden’s presence in Germany could impair relations with the US and pressure Germany to extradite him, Chancellor Merkel’s government has proposed that the eight members of the committee interview Snowden in Moscow. Through a lawyer, however, Snowden has stated that he will speak to the committee only if he is allowed to do so in Germany.
In response to FOIA actions brought by The New York Times and the EFF, the United States Department of Justice released redacted versions of an opinion by FISC Judge Howard in January 2007 authorizing warrantless surveillance of international email communications entering and leaving the United States and an opinion by FISC Judge Vinson in April 2007 refusing to authorize such surveillance. Subsequent to Judge Vinson’s refusal, the Bush Administration secured legislative authorization for warrantless surveillance in the Protect America Act in August 2007 and, after that Act’s scheduled expiration date, in the FISA Amendments Act of 2008.
December 11, 2014
Germany’s top public prosecutor, Harald Range, announced that the investigation that he launched in June into the alleged tapping by the NSA of Chancellor Angela Merkel’s phone had yet to find clear proof that the tapping occurred. The investigation will continue, but Range stated that “the document presented in public as proof of an actual tapping of the mobile phone is not an authentic surveillance order by the NSA. It does not come from the NSA database. There is no proof at the moment which could lead to charges that Chancellor Merkel’s phone connection data was collected or her calls tapped.”
December 9, 2014
On December 8, Microsoft filed its brief before the United States Court of Appeals for the Second Circuit against the district court’s ruling that it comply with a search warrant requiring it to provide the US Department of Justice with customer data stored on a server in Ireland. Microsoft argued that there was “no way” that the United States government would accept the district court’s reasoning if it were applied by other countries to access data on American soil on the basis of their own laws, rather than international treaties.
Microsoft’s brief is available at https://www.documentcloud.org/documents/1376674-microsoft-brief-to-appeals-court.html
See the April 25, June 10, July 31, August 13, September 2, September 10, and November 19 entries below for discussion of and links to articles and legal documents pertaining to the case.
December 6, 2014
An Irish statutory instrument, effective December 1 and signed into place by Minister for Justice Frances Fitzgerald on November 26, allows foreign law enforcement agencies to intercept Irish phone calls and emails where there is “reason” or “an investigation is under way,” but does not allow indiscriminate interception. The legislation establishes procedures for the handling of foreign governments’ requests for interceptions, distinguishing between whether the assistance of an Irish-based company is needed to set up an interception, and requiring that the Irish government be notified when a foreign state intends to intercept communications but can legally do so without direct Irish assistance. Under the legislation, companies that refuse to comply with interception orders can be prosecuted in a secret court and not allowed to disclose to the public either their objections or the fact that they are being prosecuted. TJ McIntyre, a lecturer at University College Dublin’s school of law and the chairman of Digital Rights Ireland commented that, “Even with very sensitive cases in Ireland they’re not prosecuted in camera. It’s worrying because it means telecommunications companies might be pressured into doing things that aren’t entirely legal.”
December 5, 2014
In response to challenges brought by Privacy International, Amnesty UK, Liberty, the American Civil Liberties Union, Pakistani organization Bytes For All and other human rights groups, the UK’s Investigatory Powers Tribunal (“IPT”) ruled that, as of today, the GCHQ’s Tempora program and the UK intelligence services’ sharing of information obtained through the NSA’s Prism and upstream data collection programs do not violate the right to privacy in Article 8 of the European Convention on Human Rights or the right to freedom of expression in Article 10. The IPT left open for further argument whether the operation of these programs had violated Article 8 or 10 in the past, and stated that it would also consider “in closed” whether there had been “any unlawful interception or treatment of the Claimants’ communications.” In otherwise rejecting the challenges to Tempora and to the UK’s use of information obtained from the NSA’s Prism and upstream data collection programs, the IPT stated that, “[W]e are entirely clear that the [agencies] are not seeking, nor asserting that the system entitles them to seek to carry out what has been described as ‘mass’ or ‘bulk’ surveillance. … [W]e have ruled that the current regime, both in relation to Prism and Upstream [data collection] … when conducted in accordance with the requirements which we have considered, is lawful and human rights compliant…” Although no appeal from the IPT’s judgment is available within the UK court system, Privacy International, Bytes For All, and Amnesty UK plan to appeal to the European Court of Human Rights (“ECHR”).
The IPT’s ruling is available at http://www.ipt-uk.com/docs/IPT_13_168-173_H.pdf
Edward Snowden was awarded the Swedish human rights award, the Right Livelihood, “for his courage and skill in revealing the unprecedented extent of state surveillance violating basic democratic processes and constitutional rights.” The award was presented in the Swedish Parliament, and Snowden, who testified via video hook up from Moscow, received several standing ovations. Jakob von Uexküll, the philanthropist who established the award in 1980, stated in the Parliament, “So Mr Snowden, your Right Livelihood Award is waiting for you. We trust that Sweden will make it possible for you to collect your award here in Stockholm in person in the very near future.”
The editor of The Guardian, Alan Rusbridger, also received a Right Livelihood award for “building a global media organisation dedicated to responsible journalism in the public interest, undaunted by the challenge of exposing corporate and government malpractices.” Stressing to the Swedish parliament that the public interest comprises freedom of expression and the right to privacy as well as security from terrorists, Rusbridger stated that, “One of the challenges Snowden poses for us is the recognition that there is no such thing as the public interest. No such thing as one single, monolithic interest that overrides all others.”
November 29, 2014
A GCHQ document released by Snowden, entitled “Partner Cables,” shows that the GCHQ has accessed or attempted to access the undersea cables connecting Ireland to the rest of the world. The list includes the Solas cable, which connects the Wexford coast of Ireland to southern Wales and is listed as directly owned by Gerontic, the code name for Cable & Wireless, which is now part of Vodafone. Eircom, which has a 50% interest in the Solas cable, told the Irish Times that, “we have no knowledge of any activity of that nature.” The Hibernia cable connecting Ireland to the US and Canada and looping to the UK is listed as one to which GCHQ does not “currently have good access,” but codenamed companies Vitreous and Little are listed as assisting the GCHQ with access. A spokesman for the company that the Irish Times linked to Vitreous denied any involvement by the company in surveillance by the GCHQ. Also on the GCHQ’s list is the BT-TE1 cable, owned by Eircom and BT and landing in Holyhead in Wales, which Eircom claims has not been in use for over 10 years. The list also includes the ESAT1 cable running from Kilmore Quay in Wexford, Ireland to Sennen Cove in Cornwall, and the ESAT2 cable, running from Sandymount in Dublin to Southport in the UK.
November 27, 2014
The European Parliament’s President, Martin Schulz, announced that Parliament had agreed to the appointment of Giovanni Buttarelli as the next European Data Protection Supervisor (“EDPS”) and Wojciech Rafał Wiewiórowski as Assistant EDPS. Parliament’s Civil Liberties Committee had listed the two as the top candidates for the positions on October 20, and the final stage in their appointment will be the joint signing of the nomination decision by Parliament and the Council of the European Union. Buttarelli, who has been the Assistant EDPS since 2009, will replace Peter Hustinx, the EDPS since 2004. Before serving as Assistant EDPS, Buttarelli spent 12 years with the Italian Data Protection Authority. Wiewiórowski has been the Inspector General of the Polish Data Protection Authority since June 2010, and he became Vice-Chair of the EU’s Article 29 Working Party earlier this year.
November 26, 2014
The Counter-Terrorism and Security Bill 2014-15 was introduced in the UK House of Commons. Although the Bill requires ISPs to retain records of the IP addresses allocated to particular computers and mobile devices at particular times, Home Secretary Theresa May reiterated the need for the more wide-ranging web monitoring powers of the Communications Data Bill, the so-called “snoopers’ charter” whose passage failed due to Liberal Democrats’ opposition.
Responding to a report on the killing of Fusilier Lee Rigby in London last May that revealed that one of the alleged killers, Michael Adebowale, had previously made a Facebook posting about wanting to murder a soldier, Prime Minister David Cameron stated that internet companies have a “social responsibility” to act on terrorist material posted online.
The text of the Counter-Terrorism and Security Bill 2014-15 and information about its progress through Parliament are available at http://services.parliament.uk/bills/2014-15/counterterrorismandsecurity.html
November 25, 2014
The European Parliament referred the EU-Canada agreement on the transfer of Passenger Name Records (PNR) to the European Court of Justice (CJEU) for an opinion on whether the agreement comports with EU Treaties and the Charter of Fundamental Rights of the European Union. Although the PNR agreement was signed by the EU Council of Ministers and Canada on 25 June 2014, Parliament’s vote on whether to give the necessary consent for the agreement to go into effect is now postponed until the CJEU issues its opinion. The impetus for Parliament’s referral of the EU-Canada agreement to the CJEU was the CJEU’s recent decision invalidating the 2006 Data Retention Directive and the critical opinion of the European Data Protection Supervisor on the proportionality of PNR schemes, bulk transfer of data, and the choice of a legal basis for PNR agreements.
The European Parliament’s draft motion for a resolution seeking an opinion from the CJEU is available at http://www.statewatch.org/news/2014/nov/ep-report-canada-pnr-cjeu-res.pdf
The Third Committee of the UN General Assembly approved a resolution that calls unlawful or arbitrary mass surveillance, interception and collection of online data “highly intrusive acts” that violate the right to privacy. Due to pressure from the Five Eyes countries, the Committee did not list surveillance of metadata as an intrusive act, but the resolution warns that “certain types of metadata, when aggregated, can reveal personal information and give an insight into an individual’s behaviour, social relationships, private preferences and identity.” The resolution was drafted by Germany and Brazil, and is expected to be adopted by the UN General Assembly in December. It is a follow up to the resolution on “The Right to Privacy in the Digital Age” that the United Nations General Assembly adopted last year.
After the resolution passed, Australia’s delegate told the Third Committee that, “Lawful surveillance, subject to appropriate safeguards and oversight, can be an important tool to protect individuals from criminal or terrorist threats and access to telecommunications metadata can be an important element of the investigation of such threats.” A Canadian delegate stated that, “If our muddled discussions on metadata are any indication, these conversations cannot take place between diplomats alone. They require the collective expertise of all stakeholders: governments, industry, civil society and the technical community.”
For discussion of and links to the resolution on “The Right to Privacy in the Digital Age” and associated material, see the December 18, 2013 entry in Aidan Booth and Adina Schwartz, “International chronicle of surveillance events - 2013.”
November 20, 2014
On the basis of documents leaked by Snowden, UK broadcaster Channel 4, German regional broadcasters NDR and WDR, and German newspaper Süddeutsche Zeitung reported that from 2008 until at least 2010, telecommunications company Cable & Wireless regularly met with GCHQ and received tens of millions of pounds for establishing surveillance of Internet traffic on its network. The company, which was codenamed Gerontic on GCHQ documents, provided access to 29 of the 63 underseas cables accessible by GCHQ, amounting to 70% of the Internet data accessible by GCHQ in 2009. Cable & Wireless had either Direct Cable Ownership, an Indefeasible Right of Use or Leased Capacity on each of the 29 cables, and was also a landing partner for nine cables: FLAG Atlantic 1 (FA1), FLAG Europe-Asia (FEA), Apollo North, Apollo South, Solas, UK-Netherlands 14, UK-France 3, and Europe India Gateway (EIG).
In particular, the FLAG Europe-Asia (FEA) was solely owned by Indian telecommunications company Reliance Communications (renamed Global Cloud XChange in 2014), and connected the UK to Japan via the Mediterranean. Reliance was also the sole owner of the FLAG Atlantic 1 (FA1) cable connecting the east coast of North America to the UK and France. A local area network of Cable & Wireless provided the backhaul connection between FEA and FA1, which land six miles away from each other in Cornwall, and also connected both cables to Cable & Wireless’ terrestrial Internet backbone network. By 2011, GCHQ was able to use an access point, codenamed Nigella, at the Cable & Wireless backhaul connection to access all traffic on the FEA and FA1 cables. The Nigella access point was being used at least as late as April 2013, and GCHQ planned to take in a trillion gigabytes of data per second from that access point. In addition, data from Nigella was 9% of the data that the NSA collected from Internet cables.
In 2010, Cable & Wireless split into Cable & Wireless Worldwide (CWW) and Cable & Wireless Communications (CWC). Vodafone acquired CWW in July 2012, and the leaked documents about Cable & Wireless’ cooperation with the GCHQ have fueled criticism of Vodafone in Germany, where there are 30 million Vodafone customers. German politicians have questioned Vodafone’s ability to protect government officials’ data, with some calling for its contracts with the German government to be cancelled.
A Vodafone spokesman stated to Channel 4: “the law [sic] in Germany governing all these areas of privacy and data protection are essentially the same as the laws in the UK. What we have in the UK is a system based on warrants, where we receive a lawful instruction from an agency or authority to allow them to have access to communications data on our network. We have to comply with that warrant and we do and there are processes for us to do that which we’re not allowed to talk about because the law constrains us from revealing these things. We don’t go beyond what the law requires.”
http://electrospaces.blogspot.nl/2014/11/incenser-or-how-nsa-and-gchq-are.html (dated Nov. 29, last edited December 2, 2014)
Articles by NDR and WDR, available in German only, can be found, respectively, at http://www.tagesschau.de/ausland/snowden-vodafone-101.html and http://www1.wdr.de/daserste/monitor/videos/videovodafonederlangearmdesbritischengeheimdienstes100.html
November 19, 2014
On November 18, Ireland’s Minister for European Affairs and Data Protection, Dara Murphy T.D., wrote asking the European Commission to submit observations to the United States Court of Appeals for the Second Circuit in Microsoft’s appeal of a ruling requiring it to comply with a US government search warrant for customer data stored on a server in Ireland. In Brussels, Mr. Murphy said, “By seeking direct access to data held in the EU through the US judicial system, existing legal mechanisms for mutual assistance between jurisdictions may be being effectively bypassed. … This is clearly an area where technological advances have taken place in a very rapid fashion. The right to privacy should be afforded maximum protection whilst ensuring that law enforcement agencies have the necessary mechanisms at their disposal to effectively fight serious crime. This is made ever more complex when different jurisdictions are involved, especially given the ease with which data can be transferred.”
On November 14, Digital Europe, which represents the largest IT, telecommunications and consumer electronics companies operating in Europe, including Microsoft, called on the European Commission to be more vocal in the debate and to consider filing an amicus brief.
A press release by the Irish Government is available at http://merrionstreet.ie/en/News-Room/Releases/Minister_for_European_Affairs_and_Data_Protection_requests_legal_brief_by_European_Commission_in_Microsoft_case.html
The statement by Digital Europe is available at http://www.digitaleurope.org/DesktopModules/Bring2mind/DMX/Download.aspx?Command=Core_Download&EntryId=849&PortalId=0&TabId=353
See the April 25, June 10, July 31, August 13, September 2, and September 10 entries below for discussion of and links to articles and legal documents pertaining to the search warrant for data stored on a Microsoft server in Ireland.
November 12, 2014
In a post on the Google company blog, its chief legal officer, David Drummond, called for the extension to EU citizens of the Privacy Act’s provision allowing US citizens to challenge the federal government’s misuse of their data in US courts. The Electronic Privacy Information Center (“EPIC”) has asked President Obama’s Privacy and Civil Liberties Oversight Board to give priority to this reform. EPIC director Mark Rotenberg stated that, “From the EU perspective, one of the oddities of US law is that the Privacy Act distinguishes between US and non US citizens. There is no similar distinction in EU law.”
Mr. Drummond’s post is available at http://googlepublicpolicy.blogspot.com/2014/11/its-time-to-extend-us-privacy-act-to-eu.html
November 6, 2014
Extracts of top secret guidelines show that UK intelligence services GCHQ, MI5 and MI6 have been intercepting attorney-client communications since at least October 2002. The extracts were disclosed two hours before a hearing before the Investigatory Powers Tribunal (“IPT”) on a claim brought by the families of Gaddafi opponents Abdel Hakim Belhaj and Sami al-Saadi. The families are currently involved in legal actions against the UK government and others in connection with an alleged UK-US-Libyan plot to abduct Belhaj and al-Saadi and their families from Southeast Asia and “render” them to Libya. After the Snowden revelations led to concerns that UK intelligence services might be intercepting and misusing the families’ privileged communications with lawyers at Reprieve and Leigh Day, the families filed a claim in the IPT in late 2013, alleging that MI5, MI6, and GCHQ have ineffective and unlawful policies for protecting “legal professional privilege” (the UK analog of US attorney-client privilege) and that UK government lawyers or officials involved in their torture cases might have been illegally misusing their attorney-client communications.
Reprieve’s press release on the case, with attached legal documents and an explanatory note on the litigation, is available at http://www.reprieve.org.uk/press/2014_11_06_uk_govt_force_release_spying_lawyers/
November 4, 2014
Julian David, the CEO of techUK, which represents 860 companies employing more than half a million people in the UK, rejected GCHQ Director Robert Hannigan’s call for a “deal” between technology companies and the UK intelligence services, stating that “any obligations placed upon technology companies must be based upon a clear and transparent legal framework and effective oversight,” and that it was “wrong” for Hannigan to suggest that technology companies were “in denial” about terrorists’ use of the internet. Calling Hannigan’s “mischaracterisation of the Internet as a ‘command and control centre’ for terrorists … wrong and ill-judged,” the Internet Services Providers’ Association (ISPA) said that “[i]f greater or clearer powers are needed [by the intelligence services], the case needs to be made via thorough consultation and legislative proposals should be placed in Parliament for further scrutiny.”
November 3, 2014
In an opinion piece in The Financial Times, Robert Hannigan, the Director of GCHQ, called for greater cooperation from large US technology companies, stating that ISIS “is the first terrorist group whose members have grown up on the internet,” and that “[h]owever much they may dislike it, [the technology companies] have become the command-and-control networks of choice for terrorists and criminals ….” While averring that “GCHQ is happy to be part of a mature debate on privacy in the digital age,” Hannigan insisted that “privacy has never been an absolute right and the debate about this should not become a reason for postponing urgent and difficult decisions.”
October 30, 2014
No US companies will be involved in Brazil’s project of building a fiber optic cable to Portugal to bypass the Internet routes through the US through which communications between Brazil and Europe currently travel. Commenting on the decision to exclude US companies, Francisco Ziober Filho, the President of Brazil’s state-owned telecommunications company Telebras, said that, “The issue of data integrity and vulnerability is always a concern for any telecom company.” During her campaign for re-election, President Dilma Rousseff stated that Brazil would consider building direct Internet connections to Africa and Asia after the cable to Europe was built, commenting “it’s good to remember that submarine cables are among the main mechanisms of spying today.”
October 28, 2014
Privacy International, Liberty, and Amnesty International UK released a UK government document detailing the GCHQ’s policies in regard to raw signals intelligence obtained from foreign governments. The groups obtained the document from the UK government after the Investigatory Powers Tribunal (“IPT”) held a secret hearing, subsequent to its public hearing in July on their and other human rights groups’ challenge to the GCHQ’s surveillance practices. It states that “a RIPA [Regulation of Investigatory Powers Act 2000] interception warrant is not as a matter of law required in all cases in which unanalysed intercepted communications might be sought from a foreign government,” and that an exception obtains where “it is not technically feasible to obtain the communications via RIPA interception.” The document further states that “internal ‘arrangements’” ensure that the “same internal rules and safeguards” applying to communications and associated metadata obtained through RIPA interceptions apply to “unanalysed intercepted communications content and associated communications data [that the Intelligence Services receive] from the government of a country or territory outside the United Kingdom (whether solicited or unsolicited).” During periodic reviews of whether the internal arrangements are “up-to-date and effective,” the Intelligence Agencies will “henceforth [be] content to consider” “whether more of those internal arrangements might safely and usefully be put into the public domain (for example, by way of inclusion in a relevant statutory code of practice).”
Privacy International, Liberty and Amnesty International UK claim that the document casts doubt on the Intelligence and Security Committee of Parliament (“ISC”)’s oversight of the GCHQ, referencing the ISC’s conclusion, at the end of its investigation of GCHQ access to communications obtained by the NSA under its PRISM program, that “in each case where GCHQ sought information from the US, a warrant for interception, signed by a Minister, was already in place, in accordance with the legal safeguards contained in the Regulation of Investigatory Powers Act 2000.”
The Press Release and the UK government document are available, respectively, at https://www.privacyinternational.org/news/press-releases/secret-policy-reveals-gchq-can-get-warrantless-access-to-bulk-nsa-data, and https://www.privacyinternational.org/sites/privacyinternational.org/files/downloads/press-releases/ipt_gchq_arrangements_policy.pdf
For a description of the proceedings before the IPT and ISC, see Aidan Booth and Adina Schwartz, “Challenges in the UK to Surveillance by the NSA and GCHQ”
October 27, 2014
In an Initial Assessment Statement, the UK National Contact Point (NCP) for the Organization for Economic Cooperation and Development (OECD) Guidelines for Multinational Enterprises dismissed the complaint that Privacy International brought in November 2013 against six UK-based telecommunications companies for facilitating the GCHQ’s access to underseas fiber optic cables. The NCP found that Privacy International “presents a strong case that mass interception and surveillance of private communications through the collection and storage of data relating to an individual’s private life can infringe an individual’s human right to privacy.” (para. 47). Nonetheless, the NCP dismissed the complaint and terminated the complaint process because the complaint’s identification of the six companies as having facilitated the Tempora program was solely based on a single newspaper report on a UK security services document. Presumably referring to the August 2, 2013 article in the Süddeutsche Zeitung, the NCP found the article insufficient to “substantiate…” “[t]he link the complainants make to the specific companies,” even though it “accept[ed] that the publication that made this report saw the document concerned and had reason to trust the source providing it who had provided other information generally acknowledged to be genuine.” (para. 45).
The NCP noted that the six companies had failed to “explicitly deny receiving the warrants in question,” but reasoned that it was “legitimate” for the companies to be concerned that “commenting on whether and what warrants may have been received would place [them] in breach of duties placed on them by RIPA.” Concluding that the companies’ silence did not provide a basis for further examination of the complaint’s allegations about their role in mass surveillance by the GCHQ, the NCP asserted that the OECD guidelines make “obeying domestic laws … the first obligation of enterprises and that the Guidelines ‘should not and are not intended to place an enterprise in situations where it faces conflicting requirements.’” (para. 46).
The NCP also insinuated that complaints about companies’ cooperation in unlawful surveillance by UK intelligence agencies may only be brought before the IPT, stating that Privacy International “has already brought a challenge … to the IPT which exists to investigate complaints about the alleged conduct including improper use of data/surveillance by UK Government entities within the scope of RIPA.” (para. 59).
Although the Initial Assessment Statement was issued on July 11, 2014, Privacy International requested a review on July 24, and publication of the Initial Assessment Statement was delayed until the NCP’s decision to refuse the review request on October 6.
Privacy International’s press release is available at https://www.privacyinternational.org/news/press-releases/uk-government-human-rights-watchdog-refuses-to-hold-telcos-accountable-for-role
The NCP’s Initial Assessment Statement is available at https://www.gov.uk/government/publications/uk-ncp-initial-assessment-complaint-by-an-ngo-against-6-uk-based-telecommunication-companies
October 24, 2014
Vodafone submitted written evidence to the UK Investigatory Powers Review, which the UK’s Independent Reviewer of Terrorism Legislation, David Anderson QC, was appointed to conduct under Section 7 of the Data Retention and Investigatory Powers (“DRIP”) Act 2014. In calling for restrictions on government surveillance, enhanced accountability, and clarification and unification of the legislative framework, Vodafone stated that “respect for our customers’ privacy is paramount. If our customers begin to believe that their personal communications are no longer private, they will either use our services less or switch to others they believe are more protective of their privacy.” “[T]he Snowden revelations have caused [a] sea-change in public perception and awareness, … and the government approach to the conduct of surveillance needs to change with it.” Recognizing the tension between national law and global communications technology, Vodafone opined that UK citizens’ privacy and freedom of expression were at risk where communications providers or data were located in countries whose laws “do not provide equivalent protection for non-residents or citizens, or even lower levels of protection (e.g., the US, where the law only provides protections to US persons, leaving non-US persons without protection).”
Vodafone’s Press Release and submission to the Investigatory Powers Review are available, respectively, at http://www.vodafone.com/content/index/about/about-us/privacy/uk-investigatory-power.html, and http://www.vodafone.com/content/dam/group/about/downloads/privacy/vodafone-evidence-for-investigatory-powers-review.pdf
October 17, 2014
The Director of National Intelligence (“DNI”) publicly released an interim progress report dated July 2014, that was issued in response to Presidential Policy Directive/PPD-28 Signals Intelligence Activity. PPD-28 was promulgated by President Obama on January 17, 2014, and called on the intelligence community to ensure that signals intelligence activities took account of the privacy interests of people throughout the world, as well as the security needs of the United States and its allies.
The Interim Report, entitled “Safeguarding the Personal Information of All People: A Status Report on the Development and Implementation of Procedures under Policy Directive 28,” is available at http://www.dni.gov/files/documents/1017/PPD-28_Status_Report_Oct_2014.pdf
A press release on the report by Robert Litt, General Counsel of the DNI, and Alexander Joel, Civil Liberties Protection Officer for the Office of the DNI, is available at http://icontherecord.tumblr.com
October 16, 2014
Defending the bulk collection of telephone and internet data before the House of Commons Intelligence and Security Committee, Home Secretary Theresa May stated that privacy considerations only arise “at the point at which the communication is opened,” and that “[t]he ability to interrogate that bulk data – to look for that needle in the haystack – is an important part of the processes that people go through in order to keep us safe.” Mrs. May maintained that there was a clear difference, from the point of view of privacy, between government examination of metadata and contents of communications, and also claimed that although citizens do not explicitly consent to the collection of their communications data by the security services, there was “an unwritten agreement between the individual and the state that the state is going to do everything they can to keep them safe and secure.” Despite stating that the public needed to be educated about the need for bulk collection of communications data, Mrs. May ruled out publishing statistics comparing the effectiveness of that technique with targeted surveillance techniques such as wiretaps at preventing terrorist attacks. Revealing that considering government applications for wiretaps and other surveillance techniques took up more of her time as Home Secretary than any other task, Mrs. May stated that the number of warrants she refused to sign was “very, very small,” but added that “any warrant that reaches my desk has been through a very thorough process”.
October 15, 2014
Appearing before the UK House of Commons Intelligence and Security Committee, Deputy Prime Minister Nick Clegg called for a global “constitution for the internet – a sense people who use the internet feel they have got certain parameters and rights they can exercise in that space.” Mr. Clegg also stated that before the general election, the first of an annual series of transparency reports should make the work of the intelligence services public, and that the transparency report should include a detailed breakdown of the 500,000 requests that UK government authorities make each year for individuals’ communications data.
Also appearing before the committee, shadow home secretary Yvette Cooper of the Labour Party stated that it would be “preferable” for communications data to be retained by private companies rather than the government, and that there should be strong safeguards on how the data could be obtained and defined time limits for its retention.
October 14, 2014
The chief of the Internet Corporation for Assigned Names and Numbers (“ICANN”), Fadi Chehade, said that in light of progress in making ICANN answerable to a diverse, global group of stakeholders, its contract with the US government would likely end in months. The US government had announced in March that it would agree to non-renewal of its contract with ICANN if a new oversight system representing the spectrum of interests and able to ensure the reliability of the internet addressing structure was established. ICANN plans to submit a proposal to the US Department of Commerce next year, and if the US government is not satisfied, the contract could be renewed for a short time period to allow revisions to be made. According to Chehade, “There are many people in the community who would like to see we not renew the contract past 2015.”
October 13, 2014
Privacy International filed a formal criminal complaint asking the National Cyber Crime Unit of the UK’s National Crime Agency (“NCA”) to investigate Bahrain’s alleged infection with FinFisher malware of the computers and cell phones of three Bahraini human rights activists living in asylum in the UK. FinFisher gives its user full access to a target’s device, enabling documents to be copied and transmitted, cameras and microphones to be remotely turned on, and emails to be sent from the target’s account. In August, Bahrain Watch and WikiLeaks published evidence of exchanges between Bahraini officials and FinFisher technical support staff. FinFisher was a subsidiary of UK-based Gamma International at the time of the alleged infection, but it has since become an independent German-based firm.
The complaint alleges that Bahraini authorities engaged in unlawful interception of communications under section 1 of the Regulation of Investigatory Powers Act 2000 (“RIPA”). Gamma International is alleged to be an accessory under the Accessories and Abettors Act 1861 and/or to have violated the Serious Crime Act 2007 by encouraging and assisting Bahrain in illegal surveillance.
If the NCA declines to investigate, Privacy International could bring an action in court. The NCA has yet to respond to a similar complaint that Privacy International brought on February 17 in regard to the infection with the FinSpy component of FinFisher of the computer of an Ethiopian political refugee living in the UK.
Privacy International’s Press Releases on the Bahraini and Ethiopian complaints before the NCA are available, respectively, at https://www.privacyinternational.org/news/press-releases/privacy-international-files-criminal-complaint-on-behalf-of-bahraini-activists and https://www.privacyinternational.org/resources/legal-action/criminal-complaint-to-national-cyber-crime-unit-on-behalf-of-tadesse-kersmo
October 7, 2014
The Director of the NSA Civil Liberties and Privacy Office, Rebecca J. Richards, issued a report on the NSA’s civil liberties and privacy protections for overseas surveillance conducted under Executive Order 12333.
The Report is available at https://www.nsa.gov/civil_liberties/_files/nsa_clpo_report_targeted_EO12333.pdf
September 28, 2014
The FBI, Drug Enforcement Administration (“DEA”), Secret Service and Immigration and Customs Enforcement have been lobbying the Federal Communications Commission (“FCC”) not to award the contract for operating the Numbers Portability Administration Center (“NPAC”) to Telcordia Technologies, a subsidiary of Sweden-based Ericsson AB. The agencies have expressed concern that “unwarranted, and potentially harmful” access to American surveillance methods and targets could result from awarding the contract to a foreign company. Virginia-based Neustar, which has held the $446 million yearly contract since the NPAC was established as a result of the 1997 law allowing cellphone and landline subscribers to maintain their numbers when they switched carriers, has hired former secretary of homeland security Michael Chertoff. In a 45-page report scheduled for submission to the FCC this week, Chertoff warns that if the NPAC contract were to be awarded to a European-based firm, “security would become obsolete in the face of constantly morphing threats,” and there could be a “counterintelligence bonanza for adversaries of the nation and a security disaster for the United States.”
An advance copy of Mr. Chertoff’s report is available at http://graphics8.nytimes.com/packages/pdf/national/ChertoffNPACAssessment.pdf
See the August 9 entry below for further discussion of the NPAC and the debate over the award of the contract
September 26, 2014
The Australian Senate passed the National Security Legislation Amendment Bill (No. 1) 2014 by a vote of 44 to 12, with passage by the House of Representatives virtually certain. The bill empowers the director-general of Australia’s domestic spy agency, the ASIO, or his deputy to use a single warrant to access a limitless number of devices on a computer network in order to monitor a target. Warrants permit data on any of the devices on a network to be copied, stored, deleted, or modified, and also permit disruption of the operation of both target computers and innocent third-party computers used to access them. Lawyers, rights groups, academics and Australian media organizations warn that since the bill does not define the term “computer network,” a single warrant could be used to monitor the entire internet on the ground that it is a “network of networks.”
The bill also imposes up to a 10 year term of imprisonment on anyone – including journalists, whistleblowers, and bloggers – who “recklessly” discloses “information … [that] relates to a special intelligence operation,” and empowers authorised ASIO officers to decide which operations are “special.” Attorney-General George Brandis, who warned that the bill was needed in a “newly dangerous age,” refused to say whether journalists or whistleblowers could be imprisoned for reporting on allegations similar to the bugging of East Timor’s cabinet by Australia’s foreign spy agency, the ASIS, or the tapping of the mobile phones of the Indonesian president and his wife by the Australian Signals Directorate.
Although the previous maximum penalty was a year’s imprisonment, the bill imposes up to a ten-year term of imprisonment for exposing an undercover ASIO agent.
The text of the bill is available at http://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=s969
September 22, 2014
Kim Dotcom’s Internet-Mana party did not win a single seat in the New Zealand elections. Mr. Dotcom admitted that “[t]he brand ‘Kim Dotcom’ was poison for what we were trying to achieve,” and stated that he took full blame for the defeat. The next extradition hearing on the criminal charges against Mr. Dotcom in the United States is scheduled for February.
September 18, 2014
The fledgling Internet Party founded by Kim Dotcom has a chance of winning seats in the Parliamentary elections to be held in New Zealand on September 20, and analysts consider a spot in a coalition government possible. At a recent rally featuring speeches by Glenn Greenwald and, via Internet video links, Julian Assange and Edward Snowden, Mr. Dotcom, who is fighting extradition to the United States in connection with racketeering charges stemming from his now defunct file-sharing site Megaupload, stated that, “We are going to work really, really hard to stop this country from participating in mass surveillance. And we’ll close one of the Five Eyes.”
Prime Minister John Key, who has called Glenn Greenwald “a loser” and “henchman” of Mr. Dotcom, has repeatedly denied that New Zealand’s Government Communications Security Bureau engages in mass domestic surveillance, but has refused to comment on its access to data on New Zealanders collected by other agencies.
September 16, 2014
In an op-ed piece in The New York Times entitled, “Israel’s N.S.A. Scandal,” James Bamford, the author of three books on the NSA including “The Shadow Factory: The Ultra-Secret N.S.A. from 9/11 to the Eavesdropping on America,” reported that Snowden had told him last summer that one of his “most shocking discoveries” was that the NSA had been routinely passing unminimized contents of Americans’ telephone and email communications and metadata to the large and very secret Israeli military organization, Unit 8200. Snowden was especially concerned that the transferred intercepts included communications of Arab- and Palestinian-Americans that could cause their relatives in Israel and the Palestinian territories to be targeted by Israeli intelligence and law enforcement. In a letter last week to their commanders, Prime Minister Benjamin Netanyahu, and the head of the Israeli army, 43 veterans of Unit 8200 charged Israel with using information collected against innocent Palestinians for “political persecution,” stating that they had a “moral duty” to no longer “take part in the state’s actions against Palestinians.” Mr. Bamford opined that, “It should trouble the American public that some or much of the information in question — intended not for national security purposes but simply to pursue political agendas — may have come directly from the N.S.A.’s domestic dragnet.”
For discussion of and links to the Memorandum of Understanding between the NSA and its counterpart, the Israeli Sigint National Unit (ISNU), that governs the transfer of communications from the NSA to Israel, and to The Guardian article reporting on the transfer of signals intelligence from the NSA to the ISNU, see the September 11, 2013 entry in Aidan Booth and Adina Schwartz, International chronicle of surveillance events – 2013
September 14, 2014
NSA agents and intelligence agents of the other Five Eyes countries have access to a program, code-named Treasure Map, that allows an “interactive map of the global Internet,” including telecommunications cables, routers, and end devices, to be created in “near real-time.” In addition to being used for monitoring, Treasure Map can assist with “Computer Attack/Exploit Planning.”
The existence of Treasure Map was first reported in The New York Times in November 2013. Spiegel reporters examined additional Treasure Map graphics in the Snowden archives that indicate that the Five Eyes agencies were able to monitor the end devices of customers of Deutsche Telekom AG and Netcologne as well as the companies’ networks and data flowing through them. Based in Cologne, Germany, regional operator Netcologne has its own fiber-optic network, and provides over 400,000 customers with telephone and Internet services. Deutsche Telekom (“Telekom”), in which the German government owns a 31.7% stake, is among the dozen or so Tier 1 providers operating global networks, and is part of the consortium owning the TAT14 telecommunications cable that runs through the UK to the east coast of the US. In addition to providing mobile phone, Internet and land line service to 60 million customers in Germany, Telekom is active in the US and UK.
Several weeks ago, Spiegel shared a GCHQ document with Telekom and Netcologne in order to allow them to investigate security breaches. Both companies claimed that they conducted intensive investigations that failed to reveal suspicious mechanisms or data streams leaving their networks. At the end of last week, Telekom informed Germany’s Federal Office for Information Security of Spiegel’s findings.
From Treasure Map graphics, Spiegel reporters also learned that the Five Eyes agencies established “Collection Access Points” on German satellite teleport operators Stellar, Cetel and IABG, which provide satellite Internet connections to remote regions of the world. Spiegel reporters visited Stellar headquarters and presented passages from GCHQ documents to company founder and CEO Christian Steffen and three other Stellar employees listed as targets of GCHQ surveillance. Steffen and his colleagues concluded that the GCHQ had hacked Stellar’s mail server, identified the specific satellite transponders that serve particular Stellar customers, and broken into Stellar’s network and stolen the password for the central server of an important customer. Steffen, who has yet to receive a response to a letter of inquiry that he sent the UK government six weeks ago, told Spiegel reporters that, “A cyber-attack of this nature is a clear criminal offense under German law. I want to know why we were a target and exactly how the attack against us was conducted — if for no other reason than to be able to protect myself and my customers from this happening again.”
The New York Times article revealing the existence of Treasure Map is available at http://www.nytimes.com/2013/11/23/us/politics/nsa-report-outlined-goals-for-more-power.html?pagewanted=all&_r=0
September 11, 2014
In response to litigation that Yahoo! began in July 2013, the FISC Court of Review ordered the release of more than 1,500 pages of documents pertaining to Yahoo!’s challenge in 2007-2008 to a government order, pursuant to the Protect America Act (“PAA”), for disclosure of the contents of customers’ communications. Enacted in 2007 with a set expiration date of 2008, the PAA was the predecessor of the FISA Amendments Act (“FAA”). The PAA resembled the FAA in authorizing warrantless surveillance from within the United States of the telecommunications of non-US persons reasonably believed to be located overseas, and differed from the FAA in also authorizing such surveillance of the telecommunications of US persons reasonably believed to be overseas. A redacted version of the FISC Court of Review’s opinion rejecting Yahoo!’s Fourth Amendment challenge to the PAA was published before the Snowden revelations (In re Directives [redacted] Pursuant to Section 105B of the Foreign Intelligence Surveillance Act, 551 F.3d 1004 (FISC Ct Rev. 2008)). In response to the revelations, Yahoo! successfully sought the disclosure of its identity as the challenger in June 2013, and also engaged in the litigation that led to the FISC Court of Review’s order resulting in the Director of National Intelligence (“DNI”) and Department of Justice (“DOJ”)’s release of court documents pertaining to Yahoo!’s challenge to the PAA on September 11, 2014.
Among the documents that the DNI and DOJ released were redacted versions of briefs before both the FISC and FISC Court of Review, the FISC’s opinion of April 25, 2008 rejecting Yahoo!’s challenge to the PAA, and additional sections of the previously published redacted version of the FISC Court of Review’s opinion. Notably, the documents revealed that while Yahoo!’s appeal was pending before the FISC Court of Review, the government asked the FISC to hold the company in civil contempt, subject to a daily fine of at least $250,000, to be doubled each week that it refused to disclose customers’ data.
In a Press Release, Yahoo!’s General Counsel, Ron Bell, called the DNI and DOJ’s release of the documents “an important win for transparency,” and stated that the documents showed how the company “refused to comply with what we viewed as unconstitutional and overbroad surveillance and challenged the U.S. Government’s authority.” Yahoo! stated that in the absence of a public docket of FISC Court of Review proceedings, it was “in the process of making the complete 1500 pages of information available.” Yahoo! also stated that in the wake of the FISC Court of Review’s order, it would be pursuing fuller disclosure from the FISC of the trial level proceedings.
The documents released by the DNI and DOJ are available at http://icontherecord.tumblr.com/post/97251906083/statement-by-the-office-of-the-director-of
For further discussion of Yahoo!’s challenges to the PAA and to the secrecy of the decisions and other court documents pertaining to the case, see, respectively, Sec. A(3) of Adina Schwartz and Aidan Booth, “Substantive Challenges in the United States to NSA Surveillance,” and Sec. I B of Adina Schwartz, “Challenges in the United States to the Secrecy of NSA Surveillance.”
September 10, 2014
On September 8, 2014, Microsoft and the government filed a stipulation with Chief Judge Preska of the federal district court for the Southern District of New York agreeing to the entry of a contempt order on the ground that Microsoft had not “fully complied” and did not intend to so comply with Judge Preska’s decision of July 31 rejecting Microsoft’s challenge to a warrant requiring it to provide the contents of a customer’s email account stored in Ireland. While stating that it “continued to believe that a contempt order is not needed to perfect an appeal,” Microsoft agreed with the government that the entry of the order would “avoid delays and facilitate a prompt appeal.” The parties further agreed that contempt sanctions would not be imposed, although the Government reserved the right to seek sanctions in the case of “materially changed circumstances” or if Microsoft refused to comply with the warrant after the United States Court of Appeals for the Second Circuit upheld its issuance.
Neither the name and physical location of the customer whose email account is sought nor which law enforcement agency served the warrant has been publicly disclosed.
The Stipulation Regarding Contempt Order is available at http://media.scmagazine.com/documents/91/microsoft_contempt_filing_22623.pdf
See the April 25, June 10, July 31, August 13, and September 2 entries below for discussion of and links to articles and legal documents pertaining to Judge Preska’s decision.
September 8, 2014
Privacy International filed an appeal with the European Court of Human Rights, contending that its right to freedom of expression, including freedom to receive information, under Article 10 of the European Convention on Human Rights, was violated by the GCHQ’s refusal of its request for information about its operations. The request, made under the UK Freedom of Information Act (2000) (“FOIA”) on March 4, 2014, included documents and instruments comprising the Five Eyes Agreement between the US, UK, Canada, Australia and New Zealand. Although the US and UK had declassified the original post-World War II agreement in 2010, Privacy International sought subsequent documents and instruments comprising the agreement on the ground that “[t]he modern alliance is grounded in and sustained by an unknown number of bilateral and multilateral instruments, agreements, memoranda of understanding and contracts which stipulate in detail the objectives, modes, means, and confines of signals intelligence gathering by the five countries.”
Before appealing the GCHQ’s refusal to the ECHR, Privacy International also made unsuccessful FOIA requests for details of the Five Eyes Agreement in the US, Canada, New Zealand and Australia.
Privacy International’s Press Release and submission to the ECHR are available, respectively, at https://www.privacyinternational.org/news/press-releases/privacy-international-asks-europes-human-rights-court-for-details-about-five, and https://www.privacyinternational.org/sites/privacyinternational.org/files/downloads/press-releases/privacy_internation_echr.pdf
For further description of the appeal to the ECHR, see Aidan Booth and Adina Schwartz, “Challenges in Europe to Surveillance by the NSA and GCHQ.”
Snowden’s revelations about NSA surveillance have contributed to the European backlash against Google’s dominance of the search market. Jérémie Zimmerman, a co-founder of the French Internet activist group La Quadrature du Net, said that he asks people who tell him that they work for Google how they “like working for the N.S.A.” The digital privacy legislation advancing through the European Parliament restricts how companies like Google use data and requires that they check with European officials before complying with American subpoenas.
As part of the 27th Session of the Human Rights Council of the United Nations, a panel discussion will be convened on September 12 “to examine the promotion and protection of the right to privacy in the digital age in the context of domestic and extraterritorial surveillance and/or the interception of digital communications and the collection of personal data, including on a mass scale….”
September 6, 2014
In response to Freedom of Information Act (“FOIA”) lawsuits that the Electronic Privacy Information Center (“EPIC”) and ACLU brought in response to a December 16, 2005 article in The New York Times revealing that President Bush had directed the NSA to engage in warrantless wiretapping, the Justice Department released two redacted memoranda by the Office of Legal Counsel in 2004, authored by then-Assistant Attorney General Jack Goldsmith. The Bush-era surveillance program, code named Stellar Wind, involved both the targeted collection of the contents of telecommunications from within the United States and the collection of telephonic and email metadata. According to The Washington Post, “The broad outlines of the argument — that the president has inherent constitutional power to monitor Americans’ communications without a warrant in a time of war — were known, but the sweep of the reasoning becomes even clearer in the memos ….” The Post commented that “the unredacted portions do not reveal much analysis about what was reported to have been at the time the most controversial of the programs: the NSA’s bulk collection of e-mail metadata ….”
The May 6, 2004 memorandum is available at http://apps.washingtonpost.com/g/documents/national/a-memo-for-the-attorney-general-may-2004/1226/, and the July 16, 2004 memorandum is available at http://apps.washingtonpost.com/g/documents/national/a-memo-for-the-attorney-general-july-2004/1224/
The December 16, 2005 New York Times article is available at http://www.nytimes.com/2005/12/16/politics/16program.html?pagewanted=all&_r=1&
For a more complete discussion of the memoranda, see Section II (D) of Adina Schwartz, “Challenges in the United States to the Secrecy of NSA Surveillance.”
September 2, 2014
On August 29, Chief Judge Loretta Preska of the federal district court of the Southern District of New York lifted the stay of her July 31 order requiring Microsoft to comply with a search warrant for the contents of an Irish customer’s email account stored in Ireland. Although Judge Preska accepted the government’s position that for her Order to be a final order subject to appeal, Microsoft would need to refuse to comply and be held in contempt, a footnote in her Memorandum and Order states that, “The Government appears to be willing to stay enforcement of the contempt finding pending appellate review.”
Judge Preska’s Memorandum and Order is available at http://www.scribd.com/doc/238413669/Microsoft-Warrant-Ruling
See the April 25, June 10, July 31, and August 13 entries below for discussion of and links to articles and legal documents pertaining to Judge Preska’s order
August 29, 2014
The Electronic Frontier Foundation (“EFF”) and Access, an international human rights group devoted to extending the digital rights of users throughout the world, filed public comments with President Obama’s Privacy and Civil Liberties Oversight Board (“PCLOB”) asking it to expand the scope of its inquiry into Executive Order (“EO”) 12333. In addition to highlighting the concerns raised by whistleblower John Napier Tye, EFF and Access stated that under EO 12333, “those who are not U.S. persons are deemed to have little to no protection for … communications by virtue of their perceived location and nationality. The communications may be collected indiscriminately, which is contrary to international law and policy ….”
EFF and Access also asked the PCLOB to examine various issues pertaining to Presidential Policy Directive 28 (“PPD-28”) and to the overclassification of government documents, to “be skeptical about claims made regarding the value of big data,” and “to analyze the extent to which the United States surveillance practices are truly in line with the country’s obligations under international law.”
See the August 13 entry below for discussion of and links to articles pertaining to Mr. Tye’s complaint about EO 12333.
August 25, 2014
Documents leaked by Snowden reveal that the NSA has been granting nearly two dozen US government agencies, including domestic law enforcement agencies such as the FBI and Drug Enforcement Agency (“DEA”), access through a “Google-like” search engine code-named ICREACH to more than 850 billion metadata records on emails, phone calls, faxes, internet chats, and text messages, as well as location information from cellphones. ICREACH searches communications records that the NSA acquires overseas under Executive Order 12333, including both foreigners’ records and “minimized” records of US persons, and also searches communications records acquired by the NSA’s Five Eyes partners. ICREACH was piloted in 2007, and was referred to, in a September 2010 NSA memo, as the primary data sharing tool in the intelligence community. In a 2006 memo to then-Director of National Intelligence John Negroponte, recently retired NSA director General Keith Alexander proposed the construction of ICREACH on the model of the GLOBALREACH system through which the US shares “vast amounts of communications metadata” with the Five Eyes partners.
August 21, 2014
The Vienna Regional Court ordered Facebook Ireland to respond within four weeks to Maximilian Schrems’ complaint. On line registration to join the lawsuit was closed earlier this month because Mr. Schrems’ attorneys needed to verify the eligibility of each of the approximately 25,000 people who had attempted to join his lawsuit. Since then, about 35,000 more people have registered to join if the action should be expanded later.
The Vienna Court’s Order of August 18 requiring Facebook Ireland to respond to the complaint is available (in German) at http://www.europe-v-facebook.org/AuftragKB.pdf
See the August 1 entry below for discussion of and links to articles and legal documents pertaining to Mr. Schrems’ Austrian complaint against Facebook Ireland.
August 18, 2014
Germany’s foreign intelligence service, the Bundesnachrichtendienst (“BND”), intercepted telephone calls of Secretary of State John Kerry in 2013 and then-Secretary of State Hillary Clinton in 2012. The BND claims that the interceptions were an unintentional “by-catch” of its interceptions of satellite telephone calls from its listening station in Bad Aibling, Bavaria in order to learn about Islamic terrorism, and at least one of the Kerry conversations was apparently immediately deleted by the BND. A transcript of a conversation in which United Nations Secretary General Kofi Annan updated Clinton on the Syrian crisis was discovered by German investigators, however, on a USB stick in the apartment of Markus R., the BND employee recently accused of spying for the US. In internal discussions, the US is accusing Germany of hypocrisy in regard to Chancellor Merkel’s insistence that spying among friends is unacceptable.
The documents stolen by Markus R. also reveal that despite its being a NATO ally, Turkey is an official target of the BND’s espionage efforts. Thus far, Turkey’s reaction has been muted.
August 14, 2014
The Center for Digital Democracy (“CDD”) filed a complaint asking the Federal Trade Commission (“FTC”) to investigate thirty data marketing and profiling companies that self-certified adherence to the US-EU Safe Harbor Agreement. In announcing the complaint, CDD Executive Director Jeff Chester stated that “[t]he Big Data-driven companies in our complaint use Safe Harbor as a shield to further their information-gathering practices without serious scrutiny.” CDD Legal Director Hudson Kingston claimed that “the fundamental privacy right of 500 million Europeans has been ignored and must be acknowledged and protected going forward.”
The complaint is available at http://www.centerfordigitaldemocracy.org/sites/default/files/Safe%20HarborComplaints081314.pdf
The UK Information Commissioner’s Office (“ICO”) issued the first report on “big data” by a European Data Protection Authority. Among the issues covered by the report, which was issued on July 28 and entitled “Big Data and Data Collection,” is the proposed revision of the EU data protection framework.
August 13, 2014
John Napier Tye, a State Department employee from 2011 until April 2014 who worked on global Internet freedom policy and had top-secret clearance, has gone public with complaints about the NSA’s retention and use of telecommunications of Americans that are acquired overseas. By contrast to FISA, which allows only targeted collection from within the United States of the contents of telecommunications, Executive Order (“EO”) 12333 allows the bulk collection of contents of communications from satellite transmissions or overseas fiber-optic hubs. In an opinion piece in The Washington Post on July 18, 2014, Mr. Tye wrote that, “A legal regime in which U.S. citizens’ data receives different levels of privacy and oversight, depending on whether it is collected inside or outside U.S. borders, may have made sense when most communications by U.S. persons stayed inside the United States. But today, U.S. communications increasingly travel across U.S. borders — or are stored beyond them. For example, the Google and Yahoo e-mail systems rely on networks of ‘mirror’ servers located throughout the world. An e-mail from New York to New Jersey is likely to wind up on servers in Brazil, Japan and Britain.”
Before leaving the State Department in April, Mr. Tye filed complaints with the State Department’s and NSA’s Inspectors General arguing that the collection, storage and use of Americans’ communications under EO 12333 violates the Fourth Amendment, and also brought his complaint to the House and Senate intelligence committees. The complaint, which has received no positive response, was prompted by the President’s decision in January to ignore the recommendations of his Review Group on Intelligence and Communication Technologies for restrictions on the storage and use of Americans’ communications acquired under EO 12333. Highlighting the fact that executive orders, rather than legislation, govern the overseas collection and subsequent storage and use of communications, Mr. Tye stated to The New York Times, “It’s a problem if one branch of government can collect and store most Americans’ communications, and write rules in secret on how to use them — all without oversight from Congress or any court, and without the consent or even the knowledge of the American people. Regardless of the use rules in place today, this system could be abused in the future.”
Mr. Tye’s opinion piece is available at http://www.washingtonpost.com/opinions/meet-executive-order-12333-the-reagan-rule-that-lets-the-nsa-spy-on-americans/2014/07/18/93d2ac22-0b93-11e4-b8e5-d0de80767fc2_story.html
Revoking its previous consent to a stay, the Justice Department asked Judge Preska of the federal district court for the Southern District of New York to enforce her order of July 31 requiring Microsoft to comply with a search warrant for a customer’s emails stored in a data center in Ireland. Responding to Microsoft’s appeal of the July 31 order to the federal court of appeals for the Second Circuit, the government wrote to Judge Preska that the challenged warrant was “the functional equivalent of a subpoena” and that “an entity challenging a subpoena cannot seek appellate review of a district court’s decision upholding that subpoena unless it first defies the court’s order to produce the subpoenaed records and then is held in contempt.”
See the April 25, June 10 and July 31 entries below for discussion of and links to articles and legal documents pertaining to Judge Preska’s order.
August 11, 2014
In response to questions by Congressman Alan Grayson, Chairman Tom Wheeler of the Federal Communications Commission stated that he had recently established a task force to combat “the illicit and unauthorized use of IMSI catchers.” By impersonating cell phone towers, the catchers, which can be purchased for as little as $1,800 or built with only moderate technical expertise, allow phones to be located and identified, calls to be intercepted, and malicious software to be transmitted to phones. Chairman Wheeler stated that “the FCC has the statutory authority to address the threat posed by illicit IMSI catchers and to work closely with industry on mechanisms to secure our nation’s wireless networks and to protect the privacy of consumers’ communications,” but cautioned that the determination of “the extent to which private entities and foreign governments may be using IMSI catchers for espionage purposes” was within the expertise of the FBI and Departments of Justice and Homeland Security.
Congressman Grayson’s letter of July 2, 2014 and Chairman Wheeler’s reply of August 1 are available at http://apps.fcc.gov/ecfs/document/view;jsessionid=n0tRTymXR9WTWvctL4pQzWNzQr0ntvTQFVR7sBpDZMVjJG0VcS0r!-448120223!-58662085?id=7521752125
August 9, 2014
Referring to the judicial rulings discussed in the July 31, June 10 and April 25 entries below, spokespeople for the European Commission (“EC”) and the Irish government stated that Microsoft would violate Irish and EU law if it complied with a US search warrant for emails stored in a data center in Ireland. Speaking on condition of anonymity, the EC spokesperson commented, “The case is an example of the complex legal issues faced by companies operating on both sides of the Atlantic. The commission has raised this issue with the U.S. government on a number of occasions. The commission remains of the view that where governments need to request personal data held by private companies and located in the EU, requests should not be directly addressed to the companies but should proceed via agreed formal channels of cooperation between public authorities, such as the mutual legal assistance agreements.”
An Advisory Committee at the Federal Communications Commission (“FCC”) has recommended that the contract for operating the Numbers Portability Administration Center (“NPAC”) be awarded to Telcordia Technologies, a subsidiary of Sweden-based Ericsson AB that grew out of Bell Labs. The NPAC enables customers to maintain their phone numbers when they switch carriers, and currently handles the routing of all calls and texts for more than 650 million U.S. and Canadian phone numbers and more than 2,000 carriers. The FBI and other law enforcement agencies query the database 4 million times a year to determine which phone company provides the service for a particular number.
Since the NPAC was established in 1997, the contract to operate it has been held by Neustar, a Sterling, Virginia firm. Although Neustar derived almost half of its revenue in 2013 from the NPAC contract, Telcordia, which operates number portability systems in more than 15 countries, including India, Pakistan and Saudi Arabia, submitted a substantially lower bid for the contract than Neustar.
Neustar officials claimed that by using computer code from its overseas systems to run the NPAC database, Telcordia would increase the risk that the database would be penetrated by hackers. Chris Drake, chief technology officer at iconectiv, the Telcordia unit that handles number portability systems, countered that, “We are not using any of the code used and deployed in foreign installations at all, zero.” National security experts have expressed concern that foreign governments might hack into the NPAC database to learn which of their agents are being wiretapped by the FBI and other law enforcement agencies. Drake stated, however, that wiretap-related data would be encrypted and held in “a separate infrastructure — a shadow database — that’s even more tightly controlled than the NPAC itself.”
Representatives Mike Rogers (R-Mich), C.A. Dutch Ruppersberger (D-Md.), and Peter T. King (R-NY) have sent letters urging the FCC to consult the FBI and other agencies before awarding the contract, with Mr. King specifically expressing concern about “any security vulnerabilities associated with a non-US vendor.”
August 7, 2014
Yahoo! announced that it will join Google in an attempt to provide users by next year with an optional encryption tool, based on PGP, that will make the contents of their emails inaccessible to governments and other third parties without their consent. By contrast to Lavabit, Google and Yahoo! intend that individual account holders, rather than the email provider, be the sole holders of encryption keys.
Snowden’s Russian lawyer, Anatoly G. Kucherena, announced that although Snowden had not been granted asylum, he had received permission to live in Russia until 2017, with the option of leaving Russia for up to three months. Snowden will be eligible for Russian citizenship if he lives there for five years, counting from his first grant of residency in 2013.
August 6, 2014
The Office of Personnel Management (OPM) and the Department of Homeland Security (DHS) temporarily suspended their contracts for background checks with US Investigations Services (USIS), the company that performed the background check on Snowden, after USIS reported that its networks were breached in a cyber-attack. The company, which is being investigated by the Department of Justice for taking short cuts in background checks, stated in a media release that, “Experts who have reviewed the facts gathered to-date believe [the cyber-attack] has all the markings of a state-sponsored attack.”
The media release is available at http://www.usis.com/Media-Release-Detail.aspx?dpid=151
August 3, 2014
In 2013, the Israeli intelligence service and at least one other intelligence service eavesdropped on calls between Secretary of State John Kerry and high-ranking negotiating partners in Middle East peace talks. The intercepted calls were transmitted by satellite and not made with encrypted equipment, and the Israeli government used information obtained from the intercepted calls in negotiations.
August 1, 2014
Attorney and member of Europe v Facebook, Maximilian Schrems, filed a complaint against Facebook Ireland Ltd. (“Facebook Ireland”) in Vienna Commercial Court on July 31. The Austrian complaint, prompted by delays in Mr. Schrems’ litigation against Facebook Ireland in Ireland, challenges Facebook Ireland’s participation in the NSA’s Prism program and other alleged intrusions on users’ privacy. Under Austrian law, adult Facebook members outside the United States and Canada whose contracts are with Facebook Ireland are eligible to join the lawsuit by assigning their claims to Mr. Schrems, which can be done via an on line app posted by Europe v Facebook. The lawsuit seeks damages of £500 on behalf of each individual who joins.
Mr. Schrems’ initial filing is available in German at http://www.europe-v-facebook.org/sk/sk.pdf
See the June 18, 2014 entry below and the October 24 entry in Aidan Booth and Adina Schwartz, “International Chronicle of Surveillance Events – 2013” for discussion, including links to articles and legal documents, of Mr. Schrems’ lawsuit in Ireland against Facebook Ireland, including the Irish Court’s decision to refer the case to the European Court of Justice. For a more detailed account of the Irish litigation, see Aidan Booth and Adina Schwartz, “Challenges in Europe to Surveillance by the NSA and GCHQ.”
July 31, 2014
Ruling from the bench in a case of first impression, Chief Judge Loretta Preska of the federal district court for the Southern District of New York upheld a magistrate’s order requiring Microsoft to comply with a search warrant for a customer’s emails stored in a data center in Ireland, but stayed her order pending appeal. Verizon, AT&T, Apple and Cisco had filed amicus briefs in support of Microsoft’s position that the Justice Department needed to use the procedures in a treaty between the US and Ireland to obtain the emails. According to the Wall Street Journal, the companies’ “shared concern [is] that compliance with U.S. requests for data held abroad could alienate foreign governments, which are placing more pressure on service providers to shore up customer privacy, and cost them billions of dollars in business.”
Christopher Soghoian, the ACLU’s principal technologist, commented that, “Today’s decision is a major blow not just for Microsoft, but for the entire U.S. cloud-computing industry. If these companies wish to regain the trust of their global customers, they must embrace security technologies such as cloud cryptography which can provide real privacy protections where the law does not.” Gregory Nojeim, senior counsel for the Center for Democracy and Technology, warned that “[t]he ruling could lead to chaos, where other governments demanding reciprocal treatment insist that their warrants compel U.S. providers to turn over content that they store in the United States.”
Prior to Judge Preska’s ruling, the European Commissioner for Justice, Viviane Reding, had stated on June 24 that the magistrate’s ruling might “be in breach of international law” and “impede” European citizens’ privacy.
See the June 10 and April 25 entries below for discussion of and links to the magistrate’s order, other legal documents, and articles.
The temporary visa that allowed Edward Snowden to remain in Russia has expired. The lawyer representing Mr Snowden said that he has the right to remain until his application to extend his stay in the country has been decided. Jesselyn Radack, a US lawyer who has advised Mr Snowden, said that whilst he was likely to stay in Russia for the time being, ultimately “he would love to be able to come home or seek refuge in a country of his choice”.
July 24, 2014
The Süddeutsche Zeitung and two state-funded German TV channels, WDR and NDR, reported that Ms Merkel’s Chancellery and her interior and foreign ministries had agreed to launch counter-espionage measures against Britain and the US for the first time since 1945. The German spying initiative is a direct response to revelations about spying by both the NSA and GCHQ. While Der Spiegel recently called the GCHQ “more unscrupulous than the NSA,” fear of NSA surveillance prompted members of the German parliament to call for the reintroduction of typewriters at committee meetings discussing US espionage. Classical music was played at one session in order to deter potential US eavesdroppers.
July 22, 2014
In his fourth annual report, the UK’s independent reviewer of terrorism legislation, David Anderson QC, called for the definition of terrorism to be narrowed, stating that journalists and bloggers can be convicted under current terror laws for simply “trying to influence the government for political reasons. In most other countries you need to have to intimidate or coerce the government before you can be a terrorist.”
Although he said that police should have the power to stop and detain where, as in David Miranda’s case, they believe a person is “carrying a large number of stolen secret documents,” Mr Anderson QC stated that it “is more difficult to defend the use of anti-terrorism laws for that purpose. One might be thinking of official secrets, of espionage, of theft, but it’s a bit of a stretch to see somebody like that as a potential terrorist”.
Mr. Anderson QC also urged Parliament to revisit current anti-terrorism legislation because the law “fails to distinguish, in all respects, between hate crime and terrorism. So you could take someone who is no harm to anyone other than his immediate victim – a man who pipe bombs his neighbour’s wall, or a student who threatens a teacher on a fascist website. They’re unpleasant and serious crimes, but it’s a bit of a stretch to see them as terrorism.”
While stating that the UK Home Office welcomed the fourth annual report and would “consider [Mr. Anderson QC’s] recommendations in detail and … respond in due course,” a Home Office spokesperson asserted that, “Terrorism remains the greatest threat to the UK’s national security and protecting the public is our primary duty. We believe our counter-terrorism laws are effective, proportionate and fair ….”
Members of the UK Parliament (“MP’s”) David Davis and Tom Watson gave the Home Office seven days’ notice of their intent to seek judicial review of the recently passed emergency legislation, the Data Retention and Investigatory Powers Act (“DRIP”). Under DRIP, telecommunications companies are required to retain metadata for a period of 12 months, to be provided to the police and security services if necessary. The MP’s challenge the compatibility of DRIP with human rights law.
If the MP’s request for judicial review is granted, a judge will review the manner in which the legislation was passed, and the case could be heard in the autumn or early 2015. If the judge agrees with the MP’s, the government will be required to amend DRIP so as to render it compatible with human rights law.
DRIP was rushed through parliament in three days, although passing legislation in the UK normally takes a number of months. Prime Minister David Cameron and Deputy Prime Minister Nick Clegg insisted that the European Court of Justice’s recent decision invalidating the EU Data Retention Directive necessitated the accelerated passage, and claimed that DRIP simply maintained existing powers. By contrast, Mr Davis MP called the accelerated passage “a constitutional scandal,” and claimed that it was “disingenuous” of party leaders to tell MP’s that DRIP simply reinstated existing policy. “It was reinstating a policy which had been struck down by European law, without doing anything to make right the flaws which led to it being struck down, and it was reinstating policy which had fallen into very serious disrepute.” Mr Watson MP added that the three party leaders’ cooperation in rushing through the bill amounted to “effectively making secret law, because most MP’s didn’t have the capacity or time to properly understand or scrutinise the legislation”.
See the July 10 entry below for discussion of and links to the DRIP legislation.
For discussion of and links to the European Court of Justice’s judgment, see the April 8 entry below and the more detailed analysis in Aidan Booth and Adina Schwartz, “Challenges in Europe to Surveillance by the NSA and GCHQ.”
In a sign of the seriousness of the rupture caused by revelations about U.S. spying, President Obama sent his chief of staff and his counter-terrorism adviser to Germany to meet with Chancellor Merkel’s chief of staff and the head of Directorate-General 6 of Germany’s Federal Intelligence Service.
July 18, 2014
In an interview in Moscow with Guardian editor Alan Rusbridger and reporter Ewan MacAskill, Edward Snowden stated that due to the UK’s “light oversight regime,” “UK citizens and UK intelligence platforms are used as a testing ground for all of the other five eyes partners.” He admitted that he’d “kind of clapped [his] hands” when the UK government destroyed The Guardian’s hard drives; “[t]his is stupid.” Snowden further stated that with bulk metadata collection, governments “have taken it upon themselves to assign private eyes to every citizen in their country,” and that it was “unfortunate” that the revelation of NSA spying on German citizens wasn’t “a scandal.” “But when Angela Merkel’s cell phone is listened [in] on and she herself is made a victim, suddenly it changes relations.” Claiming that the fragmentation of the Internet would not “serve anybody’s interests,” Snowden stated that “we need common protocols that protect data, that protect communications regardless of the jurisdiction through which they transmit.”
Rusbridger and MacAskill’s article on the interview is at http://www.theguardian.com/world/2014/jul/18/-sp-edward-snowden-interview-rusbridger-macaskill
A video of the interview is available at http://www.theguardian.com/world/video/2014/jul/17/edward-snowden-video-interview, and an edited transcript is at http://www.theguardian.com/world/2014/jul/18/-sp-edward-snowden-nsa-whistleblower-interview-transcript
July 14, 2014
The Investigatory Powers Tribunal (“IPT”), sitting in the UK Royal Courts of Justice, began a public hearing, expected to last all week, on challenges brought by Liberty, Privacy International, Amnesty International, the American Civil Liberties Union (“ACLU”), and six other overseas human rights groups to the legality of alleged “interception, collection and use of communications” by UK intelligence agencies.
The claims center on the alleged use of a UK intelligence program called TEMPORA, whose existence has neither been confirmed nor denied by the UK Government. The hearing will seek to determine whether TEMPORA exists and, if so, whether the program violates articles 8 and 10 of the European Convention on Human Rights. The circumstances surrounding the UK intelligence services’ alleged use of the US PRISM program will also be examined. In highly unusual circumstances, the tribunal is hearing the challenge on the basis of “agreed hypothetical facts”.
The IPT was established by the Regulation of Investigatory Powers Act 2000 (“RIPA”) as the only tribunal where challenges can be brought against UK intelligence agencies and their practices. It is composed of 10 senior members of the legal profession who are appointed by the Queen for 5 year terms, and both its President and Vice President must hold or have held high judicial office.
According to the BBC, this week’s hearing is likely to be “highly unusual;” the complainants’ legal challenge is “unprecedented”.
For an overview of the Tempora program and its legal basis, see Aidan Booth, “GCHQ surveillance: Tempora program”.
In a newly declassified report that was completed in July 2013, Canada’s CSEC Commissioner, the watchdog over the Canadian analogue of the NSA, the Communications Security Establishment Canada (CSEC), stated that he had not been able “to assess the extent” to which the other Five Eyes countries (the US, UK, New Zealand and Australia) “follow the agreements with CSEC and protect private communications and information about Canadians in what CSEC shares with the partners.” The Commissioner recommended that Canada’s Defense Minister analyze the risks posed by the legal and policy regimes of the other Five Eyes countries, and issue a new directive to the CSEC on how to protect Canadians’ privacy in data transfers.
A CSEC spokesperson stated that the CSEC and Minister of Defence had accepted the Commissioner’s recommendations, and that CSEC “is already implementing them.”
July 12, 2014
On July 9, US Ambassador John Emerson unsuccessfully attempted to prevent the expulsion of the CIA station chief in Berlin by offering Germany an intelligence-sharing relationship similar to the Five Eyes partnership between the US, UK, Canada, Australia, and New Zealand.
July 11, 2014
Heavily redacted internal NSA emails that the Associated Press obtained in response to a FOIA request show that the US knew in advance that the UK government was planning in July 2013 to force The Guardian to destroy hard drives containing copies of documents leaked by Snowden. In response to the Associated Press’s release of the emails, a spokesman for Director of National Intelligence James P. Clapper, Jr. stated that, “The intelligence community saw the removal of any potential classified intelligence information from nonsecure computers as a good thing to ensure that any stolen documents, including those not published, would not be acquired by foreign intelligence services or cybercriminals.” By contrast, a White House spokesman stated that, “This administration strongly believes in the value of a strong, independent press. While the press has a responsibility to be mindful of the impact of revealing sensitive national security information, we have an even greater responsibility to be as transparent as possible with the American people about the government’s activities.” In August 2013, when The Guardian revealed that the UK government had forced it to destroy its computers, the Obama administration denied advance knowledge of the UK government’s plans.
The redacted, internal NSA emails obtained by The Associated Press are available at https://s3.amazonaws.com/s3.documentcloud.org/documents/1214273/nsa-emails-about-guardian-hard-drive-destruction.pdf
An official, Vladimir Volokh, who runs an agency that advises the Russian immigration authorities, said that because Snowden’s “life is endangered,” he “see[s] no problem in prolonging the temporary asylum.”
July 10, 2014
In response to the European Court of Justice’s judgment of April 8 invalidating the EU Data Retention Directive, the UK government is set to pass emergency legislation that will ensure that the police and security services can continue to access phone and internet records. DRIP, the Data Retention and Investigatory Powers bill, has the backing of all three major political parties, and legally obligates telecommunication firms to retain metadata on their customers for a period of 12 months.
DRIP does include a termination clause that will make the law expire in 2016, apparently to provide time for further debate in parliament. The new legislation will also create a “new Privacy and Civil Liberties Oversight Board to scrutinize the impact of the law on privacy and civil liberties”.
Privacy advocates believe that in enacting the law, the UK government is bypassing the European Court of Justice’s judgment on data retention. The Open Rights Group said that, “Not only will the proposed legislation infringe our right to privacy, it will also set a dangerous precedent where the government simply re-legislates every time it disagrees with a decision by the CJEU [Court of Justice of the European Union]. Blanket surveillance needs to end. That is what the court has said”.
A copy of the draft legislation can be found here:
For discussion of and links to the European Court of Justice’s judgment, see the April 8 entry below and the more detailed analysis in Aidan Booth and Adina Schwartz, “Challenges in Europe to Surveillance by the NSA and GCHQ.”
In an action almost unheard of among allies, Chancellor Angela Merkel publicly announced the expulsion of the top U.S. spy in Germany, the CIA chief in Berlin.
July 9, 2014
Snowden’s attorney, Anatoly Kucherena, said that he had submitted documents to the Moscow branch of the Federal Migration Service asking for Snowden to be allowed to remain in Russia after his initial one-year asylum expires on July 31.
The Intercept reported that an NSA spreadsheet leaked by Snowden, entitled “FISA recap,” lists 7,485 email addresses that were monitored between 2002 and 2008. Of the addresses on the list, 202 are identified as belonging to “U.S. persons” and 1,782 as belonging to “non-U.S. persons,” while “Nationality” is not identified for the remaining 5,501. Since the vast majority of the email addresses on the FISA recap spreadsheet are not linked to names, the Intercept could not identify most of those targeted. From their email addresses, however, the Intercept was able to identify five prominent Muslim Americans as being on the list:
- Faisal Gill, who emigrated from Pakistan with his parents when he was eight-years-old, and, after law school and serving in the Navy, joined the Bush Administration in the aftermath of 9/11;
- Asim Ghafoor, a first generation American whose Muslim parents emigrated from India, who served in the government and became a public relations consultant, lobbyist, lawyer, and civil rights advocate on behalf of American Muslims after 9/11. While Ghafoor was representing the Al Haramain Islamic Foundation in 2003 and 2004, the government inadvertently disclosed that his email communications with clients. The FISA recap sheet reveals that the FBI and NSA were monitoring Ghafoor’s emails from 2005-2008, while he was suing the government for its prior, illegal surveillance of his attorney-client communications.
- Hooshang Amirahmadi, a professor of international relations at Rutgers University who has dual Iranian and U.S. citizenship, identifies as a secularist, and has advocated against sanctions against Iran;
- Agha Saeed, a naturalized U.S. citizen who came to the U.S. from Pakistan for graduate school, taught in the communications and political science departments at Berkeley and California State University in Hayward, and has advocated for Palestinian rights and against the growth of surveillance in the U.S., and organized Muslim-Americans to vote and participate in the political process;
- Nihad Awad, a Palestinian born in Jordan who became a U.S. citizen, has lived in the U.S. for more than twenty years, and is the executive director of the Council on American-Islamic Relations (CAIR), the largest Muslim civil rights organization in the U.S.
The government’s justifications for the monitoring of the five men’s emails by the NSA and FBI remain classified, and it was unclear whether the surveillance was conducted under FISA warrants.
Reacting to the reported surveillance, Faisal Gill stated that, “I was a very conservative, Reagan-loving Republican. If somebody like me could be surveilled, then [there are] other people out there I can only imagine who are under surveillance.”
In response to The Intercept’s report of FBI and NSA surveillance of the email communications of five Muslim Americans, several dozen civil liberties and rights organizations sent a letter to President Obama asking to meet with him, Attorney General Eric Holder and FBI director James Comey. Although admitting that they did not know all the facts, the organizations stated that they believed that “the government has an obligation to explain the basis for its actions. … Too often, both in the past and in the present, we have observed the government engaging in patterns of discriminatory and abusive surveillance.” In a joint statement, the Justice Department and Office of Director of National Intelligence pointed to the “rigorous standard” that must be met for the FISA Court to authorize surveillance of Americans and denied that political beliefs or the exercise of Constitutional rights could be the sole basis for surveillance.
The organizations’ letter to President Obama is available at https://aclu.org/sites/default/files/assets/coalition_letter_re_intercept_nsa_revelations_0.pdf
The German federal prosecutor’s office announced that the police had searched the Berlin-area apartment and office of a second person suspected of spying for the U.S. The newspaper Die Welt, which has well-placed sources in the German government, reported that the second suspect was a Bundeswehr soldier suspected of passing information to United States military intelligence.
Russia’s Council of the Federation (the upper chamber of the Russian Parliament) approved Bill No. 553424-6, amending Russia’s existing laws on privacy, information technology and protection of information, which the lower chamber of Parliament had passed on July 3. Russian media reported that the bill was signed by President Putin, and will go into effect on September 1, 2016. While the July 7 entry below stated that the bill would obligate companies to store copies of data in Russia for a minimum of six months, in an information letter dated July 9, Russian law firm ALRUD stated that the bill imposes an obligation to store Russian nationals’ data only in Russia. According to the ALRUD letter, the law obligates “operators to store and process personal data of Russian nationals only in the [sic] databases located in Russia. The introduced obligation will practically [sic] mean the companies operating in Russia and dealing with natural persons (for example, retailers, social networks, those operating in international transportation, banking and other similar spheres) will be forced to place their servers within Russia if they plan to continue doing business in the market.” The law empowers Roskomnadzor (the Federal Supervision Agency for Information Technologies and Communications) to maintain a blacklist of domain names and internet addresses not complying with the law, and to impose “sanctions” that stretch to instructing local ISPs to cut off non-complying companies’ internet access. Roskomnadzor is required to go to court, however, before taking down websites. According to TechWeek Europe, the law is widely viewed as a response to Snowden’s revelations, and “could provide a massive boost for Russia’s data centre industry, although a spokesman for Yandex, one of Russia’s largest technology companies, [stated that] foreign businesses could [face] a lot of technical difficulties.”
The ALRUD information letter is available at http://www.alrud.com/upload/iblock/3ea/Newsletter_Ban to store personal data outside Russia.pdf
In response to The Intercept’s disclosure, in the article on the surveillance of five prominent American Muslims described above, that an intelligence training document from 2005 used “Mohammed Raghead” as a placeholder for a surveillance target, White House spokeswoman Caitlin Hayden stressed that the administration took the accusation of racial and religious bias “extremely seriously, [and had] immediately requested that the director of national intelligence undertake an assessment of intelligence community policies, training standards or directives that promote diversity and tolerance, and as necessary, make any recommendations [for] changes or additional reforms.”
July 8, 2014
White House officials expressed frustration that when President Obama telephoned Chancellor Merkel on July 3, the CIA had not informed the White House that an employee of the German federal intelligence service had been arrested and had admitted spying for the CIA. According to German news media, the CIA may have been aware three weeks before the arrest that the Germans were monitoring the man.
July 7, 2014
The Russian Parliament adopted a bill last week that would require companies engaged in the transmission or recording of internet communications to store copies of the communications for a minimum of six months in databases located within the Russian Federation. The bill appears to be aimed at facilitating access to Russian citizens’ data by Russian law enforcement while preventing access by foreign intelligence services, and may also be aimed at encouraging the growth of Russian online communication services. If approved by the upper House of Parliament and President Vladimir Putin, the bill will become effective in the second half of 2016.
The bill is available in Russian at http://asozd2.duma.gov.ru/main.nsf/%28SpravkaNew%29?OpenAgent&RN=428884-6&02
July 6, 2014
Reacting to the July 5 Washington Post story described below, Robert Litt, the general counsel to the director of national intelligence, stated that, “These reports simply discuss the kind of incidental interception of communications that we have always said takes place under Section 702. We target only valid foreign intelligence targets under that authority, and the most that you could conclude from these news reports is that each valid foreign intelligence target talks to an average of nine people.”
As Germans continued to demand answers from the U.S. government in regard to the German intelligence service employee accused of spying for the U.S., the chairman of a German parliamentary committee stated on German radio that there seemed to have been no breach of security in regard to the committee’s inquiry into American intelligence activities.
July 5, 2014
The Washington Post reported on a four-month-long investigation of a trove of online communications released by Snowden that were intercepted by the NSA through warrantless surveillance under FISA Section 702 from 2009-2012, consisting of roughly 160,000 email and instant-message conversations, some of which were hundreds of pages long, and 7,900 documents from more than 11,000 online accounts. The trove reviewed by The Post is larger than the amount of material acquired under Section 702 that has been reviewed by any government oversight body, including the Justice Department, FISA Court, Congressional intelligence committees, and the President’s Privacy and Civil Liberties Oversight Board. The Post found that nine out of ten account holders in the trove were not intended targets of surveillance, and that half of the files contained names, email addresses or other details belonging to Americans. While more than 65,000 such identifiers were masked or “minimized” to protect Americans’ privacy, “nearly 900 additional e-mail addresses, unmasked in the files, … could be strongly linked to U.S. citizens or U.S. residents.” Although Section 702 requires that the targets of surveillance be non-Americans located overseas, the criteria analysts “use to judge foreignness sometimes stretch legal rules or well-known technical facts to the breaking point.”
The intercepted communications that the Post reviewed contained “discoveries of considerable intelligence value,” that “the Post will not describe in detail, to avoid interfering with ongoing operations,” including, for example, revelations about a secret overseas nuclear project, double-dealing by a seeming ally, a military calamity that an unfriendly country suffered, and the identities of intruders into U.S. computer networks. The Post also found that the NSA retained many files containing intimate details of people’s lives, even when analysts concluded that the material was useless.
While unnamed government officials called his release of the files “reckless,” in an interview, Snowden stated that the Prism and upstream data collection programs authorized under Section 702 had “crossed the line of proportionality,” and that primary documents needed to be released for there to be an informed public debate on the programs. “While people may disagree about where to draw the line on publication, I know that you [reporter Barton Gellman] and The Post have enough sense of civic duty to consult with the government to ensure that the reporting on and handling of this material causes no harm.”
July 4, 2014
An employee of the German intelligence service, the Bundesnachrichtendienst (BND), has been arrested on suspicion of spying for the US. It is believed that the man, who, according to a source, had “no direct contact with the investigative committee,” was trying to gather details about a German parliamentary committee that is investigating claims of US espionage. It is reported that he passed secret documents to the US in exchange for money and that he had been working for the US for over two years.
The American ambassador was summoned by Germany and was urged to help with the “swift clarification of the case”. Chancellor Angela Merkel said that the allegations of espionage “weren’t something that was taken lightly”. The NSA and CIA declined to comment on the allegations, although a senior American official said that the reports “threaten to undo all the repair work” that has taken place.
July 2, 2014
Privacy International, along with 7 Internet Service Providers (ISPs), filed a lawsuit in the Investigatory Powers Tribunal (IPT) claiming that alleged attacks on network infrastructure by the GCHQ and the NSA have violated the UK Computer Misuse Act, Article 1 of the First Additional Protocol (A1AP) of the European Convention of Human Rights (ECHR), which “guarantees the individual’s peaceful enjoyment of their possessions”, as well as Articles 8 & 10 of the ECHR.
This is the first time that ISPs have brought claims against the GCHQ, and although none of the ISP claimants was specifically named in the documents leaked by Snowden, Privacy International contends that “the type of surveillance being carried out allows them to challenge the practices… because they and their users are at threat of being targeted”. The ISP claimants are GreenNet (UK), Riseup (US), Greenhost (Netherlands), Mango (Zimbabwe), Jinbonet (South Korea), May First/People Link (US) and the Chaos Computer Club (Germany). According to Cedric Knight of GreenNet, “Snowden’s revelations have exposed GCHQ’s view that independent operators like GreenNet are legitimate targets for internet surveillance, so we could be unknowingly used to collect data on our users. We say this is unlawful and utterly unacceptable in a democracy.”
The claimants are seeking:
- A declaration that GCHQ’s intrusion into the computers and network assets of internet and communications service providers, their staff and their users is unlawful and contrary to Articles 8 and 10 and A1P1 ECHR;
- An order requiring the destruction of any unlawfully obtained material;
- An injunction restraining further unlawful conduct.
GCHQ maintains that all its work is conducted “in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate”.
The Statement of Grounds can be found here: https://www.privacyinternational.org/sites/privacyinternational.org/files/downloads/press-releases/final_grounds_-_gchq_attacking_providers.pdf
More information from Privacy International on the lawsuit is available at https://www.privacyinternational.org/blog/stop-breaking-the-internet-internet-and-communications-service-providers-take-legal-action and https://www.privacyinternational.org/press-releases/global-internet-service-and-communications-providers-file-complaint-to-end-gchq
The Privacy and Civil Liberties Oversight Board’s report on Section 702 surveillance, linked to and described in the July 1 entry below, was praised by Director of National Intelligence James R. Clapper Jr., while Jameel Jaffer, the deputy legal director of the American Civil Liberties Union, called it “a weak report that fails to fully grasp the civil liberties and human rights implications of permitting the government sweeping access to the communications of innocent people.” Kevin Bankston, the policy director of the New America Foundation’s Open Technology Institute, called the report “a dud,” stating that warrantless surveillance under Sec. 702 is “in many ways much more worrisome than the bulk collection [telephony metadata] program” that the Privacy and Civil Liberties Oversight Board strongly criticized in a report earlier this year.
July 1, 2014
The Privacy and Civil Liberties Oversight Board, an independent, bipartisan agency within the Executive Branch established by Congress in 2007, released a 198-page report, including 10 recommendations, on Section 702 surveillance. The Executive Summary states that the program has “proven valuable in the government’s efforts to combat terrorism as well as in other areas of foreign intelligence,” and that the core of the program comports with the reasonableness requirement of the Fourth Amendment. The Board found Fourth Amendment problems, however, with the incidental collection of Americans’ communications as a result of the targeting of foreigners’ communications under Sec. 702, with the use of United States person identifiers to query communications collected under Section 702, and with the warrantless collection of Internet communications about, but neither to nor from, targets. Although finding that “the treatment of non-U.S. persons in U.S. surveillance programs raises important but difficult legal and policy questions,” the Board concluded that it would be most productive for it to work with the President in implementing Presidential Policy Directive 28 on Signals Intelligence. The Board concluded that the Sec. 702 minimization procedures were “reasonably designed and implemented to ward against the exploitation of information acquired under the program for illegitimate purposes,” and saw “no trace of any … illegitimate activity associated with the program, or any attempt to intentionally circumvent legal limits.”
The Report is available at http://justsecurity.org/wp-content/uploads/2014/07/PCLOB-Section-702-Report-PRE-RELEASE.pdf
June 30, 2014
Pursuant to a resolution of the United Nations General Assembly on December 18, 2013, the Office of the United Nations High Commissioner for Human Rights issued a report, “The right to privacy in the digital age.” Especially crucial findings in the report are that, “Mass or ‘bulk’ surveillance programmes may … be deemed to be arbitrary, even if they serve a legitimate aim and have been adopted on the basis of an accessible legal regime. …[I]t will not be enough that the measures are targeted to find certain needles in a haystack; the proper measure is the impact of the measures on the haystack, relative to the harm threatened; namely, whether the measure is necessary and proportionate.” (Para. 25). The report rejects the position that the problem with bulk metadata programs is cured by having telecommunications companies, rather than the state, retain the data. “Mandatory third-party data retention – … where Governments require telephone companies and Internet service providers to store metadata about their customers’ communications and location for subsequent law enforcement and intelligence agency access – appears neither necessary nor proportionate.” (Para. 26). The report explicitly cited legal provisions in each of the Five Eyes countries as examples of legal regimes that violate the principle of non-discrimination in international human rights law by “distinguish[ing] between the obligations owed to nationals or those within a State’s territories, and non-nationals and those outside, or otherwise provid[ing] foreign or external communications with lower levels of protection.” (Paras. 35 & 36 & n. 30).
The Advance Edited Version of the report is available at http://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/Documents/A.HRC.27.37_en.pdf
For discussion of and links to the General Assembly resolution that led to the report, see the December 18 entry in Aidan Booth and Adina Schwartz, International chronicle of surveillance events – 2013
In a letter responding to Senator Wyden’s questions during the June 5, 2014 hearing of the Senate Committee on Intelligence on the USA Freedom Act, the Office of the Director of National Intelligence (“DNI”) claimed that it was lawful to use U.S. person identifiers to search telecommunications collected under FISA Section 702, citing the recent decision in United States v. Mohamud, No. 3:10-CR-00475-K1-1 at *45 (D.Ore. June 24, 2014). The DNI also stated that the NSA’s minimization procedures only allow US person identifiers to be used to search Sec. 702 communications when “there is a reasonable basis to expect the query will return foreign intelligence,” and do not allow queries with US person identifiers of communications collected “upstream” through the backbone of the Internet. The CIA’s and FBI’s minimization procedures allow queries with US person identifiers “that are designed to find and extract foreign intelligence information,” and the FBI is also allowed to conduct such queries if they “are designed to find and extract evidence of a crime.”
The letter stated that in 2013, the NSA used 198 US person identifiers to query contents of communications collected under Sec. 702, and made 9,500 queries with US person identifiers of Sec. 702 metadata. The CIA made fewer than 1900 queries of contents of communications collected under Sec. 702, and its policy is not to compile statistics on queries with US person identifiers of Sec. 702 metadata. The FBI does not count the number of queries it makes of contents of communications or metadata collected under 702 and stores Sec. 702 communications and communications acquired with traditional FISA warrants in the same database. Stating that “the FBI believes the number of queries [it makes with US person identifiers of Sec. 702 data] is substantial,” the DNI asserted that “because of its domestic mission, the FBI routinely deals with information about US persons and is expected to look for domestic connections to threats emanating from abroad, including threats involving Section 702 non-U.S. person targets. To fulfill its mission and avoid missing connections within the information lawfully in its possession, the FBI does not distinguish between U.S. and non-U.S. persons for purposes of querying Section 702 collection.”
In response to the DNI’s letter, Senator Wyden stated that, “When the FBI says it conducts a substantial number of searches and it has no idea of what the number is, it shows how flawed this system is and the consequences of inadequate oversight. This huge gap in oversight is a problem now, and will only grow as global communications systems become more interconnected. … [T]he Foreign Intelligence Surveillance Court has noted that the NSA acquires more than two hundred and fifty million Internet communications every year using Section 702, so even if US communications make up a small fraction of that total, the number of U.S. communications being collected is potentially quite large.” Wyden stated that, in accord with the bill passed in the House of Representatives last week, he would work on Senate legislation requiring a warrant to search Section 702 communications with US person identifiers.
The DNI’s letter is available at http://www.wyden.senate.gov/download/?id=184d62f9-4f43-42d2-9841-144ba796c3d3&download=1
Senator Wyden’s response is available at http://www.wyden.senate.gov/news/press-releases/wyden-releases-details-of-backdoor-searches-of-americans-communications
See the June 20 entry below for description of and a link to material on the House of Representatives’ bill.
In an order dated Aug. 19, 2010, Chief Judge John D. Bates of the Foreign Intelligence Surveillance Court approved an annual certification allowing the NSA to conduct Sec. 702 surveillance of communications “concerning” 193 countries, that is, every country in the world except the four Five Eyes countries besides the United States (the UK, Canada, Australia and New Zealand). In an affidavit accompanying the 2010 certification, the Director of the NSA, General Keith Alexander, stated that foreigners targeted for Sec. 702 surveillance “possess, are expected to receive and/or are likely to communicate foreign intelligence information concerning these foreign powers.”
An NSA policy bulletin from 2013 indicates that the exemption of the Five Eyes countries from Sec. 702 surveillance does not extend to their 28 sovereign territories, such as the British Virgin Islands.
Defending the FISA Court’s limited role in approving foreign targeting decisions, a former defense official stated that, “Remember, the FISA court is not there to protect the privacy interests of foreign people. That’s not its purpose, however noble the cause might be. Its purpose is to protect the privacy interests of persons guaranteed those protections under the Constitution.”
Judge Bates’ order is available at http://apps.washingtonpost.com/g/page/world/fisa-judges-order-authorizing-surveillance-of-foreign-governments-and-organizations/1132/
The list of foreign governments and entities approved for surveillance is available at http://apps.washingtonpost.com/g/page/world/list-of-foreign-governments-and-organizations-authorized-for-surveillance/1133/
General Keith Alexander’s affidavit is available at http://apps.washingtonpost.com/g/page/world/nsa-directors-affidavit-on-foreign-surveillance/1135/
The Office of General Counsel’s summary dated December 28, 2008 of how Sec. 702 surveillance works is available at http://apps.washingtonpost.com/g/page/world/fisa-amendments-act-of-2008-section-702-summary-document/1141/
June 27, 2014
The Director of National Intelligence released the first transparency report ever on FISA surveillance, stating that such reports would be released annually in the future. During 2013, there were 1,144 targets of traditional FISA orders requiring probable cause, and 89,138 targets of warrantless surveillance under Sec. 702. The report also provides statistics on the bulk telephony metadata program, the pen/trap provision of FISA, and National Security Letters, but does not contain statistics on overseas surveillance of foreigners under Executive Order 12333.
Criticizing the report’s failure to provide statistics on the number of Americans whose communications were incidentally collected under Sec. 702, Gregory Nojeim of the Center for Democracy and Technology stated that, “The intelligence community is hiding the extent to which this surveillance conducted without a warrant is impacting people in the United States, who have constitutional rights.”
The Report is available at http://icontherecord.tumblr.com/transparency/odni_transparencyreport_cy2013
June 26, 2014
In a press release on June 25, Attorney General Eric Holder stated that “as part of successfully concluding negotiations” with the EU on the Data Protection and Privacy Agreement Regarding Police and Judicial Cooperation (“DPPA”), the Obama Administration would work with Congress to pass legislation granting EU citizens the same rights of redress in US courts as US citizens enjoy under the Privacy Act in regard to “intentional or willful disclosures of protected information, and for refusal to grant access or to rectify any errors in that information.” The New York Times reported that European justice commissioner Viviane Reding responded, “Words only matter if put into law. We are waiting for the legislative step.”
Mr. Holder’s press release is available at http://www.justice.gov/opa/pr/2014/June/14-ag-668.html
Citing concerns over privacy and the need for a high level of security on their critical infrastructure, the German government have cancelled a contract with Verizon that was due to run out next year. The US telecommunications company provided internet services to a number of German government departments.
The German Interior Ministry spokesman, Tobias Plate, said: “There are indications that Verizon is legally required to provide certain things to the NSA, and that’s one of the reasons the cooperation with Verizon won’t continue”. Verizon did not comment on the decision.
June 24, 2014
UK Home Secretary Theresa May, in delivering the Lord Mayor’s Defence and Security Lecture in London, dismissed suggestions that there is a program of mass surveillance in the country and disagreed with the idea that the UK is a surveillance state. Dismissing privacy campaigners’ accusations of unlawful hacking by the GCHQ, Ms May said, “Some people have alleged that GCHQ is exploiting a technical loophole in legislation that allows them to intercept external communications – that is, communications either sent or received outside the UK – at will and without authorisation. This is … nonsense”.
Despite the previous blocking of such proposals by the Liberal Democrats, the Home Secretary called for expanding the police and security services’ power to surveil online communications in order to combat terrorism and to “protect the public.” Although she allowed that, “[w]e have to make sure that the capabilities can only be used with the right authorisation and with appropriate oversight,” Ms. May insisted that expanding government surveillance power was “quite simply a question of life and death, a matter of national security. We must keep on making the case until we get the changes we need”.
Eric King, deputy director of Privacy International, disagreed. “Arbitrary powers such as [those exercised by the GCHQ and NSA] are the purview of dictatorships, not democracies”. He went on, “Unrestrained, unregulated government spying of this kind is the antithesis of the rule of law and government must be held accountable for their actions”.
In the first decision on the issue, Judge Garr King of the federal district court for the district of Oregon upheld the constitutionality of the provision in Section 702 of FISA, 50 U.S.C. Sec. 1881a, allowing warrantless electronic surveillance from within the United States for “foreign intelligence purposes” of targets whom NSA analysts reasonably believe to be non-Americans physically located outside the United States. Sec. 702 provides the legal basis for the NSA’s PRISM and upstream data collection programs.
The decision in the case, United States v. Mohamed Osman Mohamud, Case No.3:10-CR-00475-KI (D. Or. Jun. 24, 2014), is available at http://www.nytimes.com/interactive/2014/06/24/us/25faa-ruling.html
For a discussion of challenges to the PRISM and upstream data collection programs, including the litigation leading up to Judge Garr King’s decision in Mr. Mohamud’s case, see Adina Schwartz and Aidan Booth, “Substantive Challenges in the United States to NSA Surveillance,” http://johnjayresearch.org/ccs/2014/02/23/substantive-challenges-in-the-united-states-to-nsa-surveillance, last updated on June 12th 2014, and to be updated soon to include an analysis of Judge King’s opinion.
June 21, 2014
In an editorial entitled, “Mass Surveillance in Britain,” the New York Times opined that, “European officials have often acted as though excessive government surveillance was solely an American problem. The recent release of a legal statement from a senior British counterterrorism official, Charles Farr, shows that the United States government is certainly not alone in justifying such practices.”
See the June 17 entry below for discussion of and links to relevant legal documents and articles from UK news outlets on Mr. Farr’s statement.
June 20, 2014
By a vote of 293 to 121, the House of Representatives passed an amendment to the Defense Appropriations bill sponsored by Reps. James Sensenbrenner (R-WI), Thomas Massie (R-KY), Zoe Lofgren (D-CA), and others, which prohibits the NSA from using “a United States person identifier” to query communications collected under Section 702 of FISA, 50 U.S.C. Sec. 1881a, and also prohibits the NSA or CIA from requiring manufacturers to alter their products or services to permit electronic surveillance of users’ communications.
The text of the amendment is available at http://repcloakroom.house.gov/uploadedfiles/massie.pdf
June 19, 2014
On the basis of newly disclosed documents from Snowden, Danish newspaper Dagbladet Information and The Intercept reported that by tapping into fiber optic cables, “third party” countries collaborated in providing the NSA with access to the majority of the world’s phone calls, faxes, e-mails, internet chats, data from virtual private networks, and VoIP communications. In the program, code named RAMPART-A, a third party partner uses NSA equipment to process data it obtains from cable access points on its soil and then forwards the data to NSA sites in the United States. “Third party” countries are distinguished from the “second party” Five Eyes countries. While there are strong reasons to believe that Denmark and Germany have both participated in RAMPART-A, which of the other 33 “third parties” has participated is not known. Between 2011 and 2013, the US spent $170 million on the program.
The underlying documents from Snowden are available at http://www.information.dk/databloggen/501278
An additional document published by Der Spiegel is available at http://www.spiegel.de/media/media-34104.pdf
In a letter to President Obama, the private sector members of the President’s Export Council, which was created in 2010 and serves as the President’s principal national advisory committee on international trade, expressed concern at “digital protectionism. Certain governments are using privacy and alleged national security concerns to justify new restrictions on the Internet and the free flow of data across borders for legitimate commerce. These include requiring in-country processing and storage of data or onerous restrictions on transfer of data out of the country. Such restrictions will impose significant costs and barriers to entry on U.S. companies which will impair their ability to compete in the global economy.” The letter concluded by asking the Administration to act aggressively and “take the steps necessary to defeat digital protectionism ….”
The letter is available at http://trade.gov/pec/docs/PEC_Letter_CBDF_06192014.pdf
June 18, 2014
A case against Facebook Ireland was referred by Irish High Court Judge Mr. Justice Hogan to the European Court of Justice for a re-evaluation of the scope of the Safe Harbor Agreement between the EU and the US. In June 2013, Austrian student group Europe v Facebook had filed a complaint with the Irish Data Protection Commissioner (the “DPC”), alleging that the revelations about the NSA’s Prism program showed that Facebook Ireland Ltd., which provides service to users outside the United States and Canada, had been and was violating the Irish Data Protection Act and the European Data Protection Directive by transferring users’ data to the United States for processing by Facebook Inc. After the DPC refused to investigate the complaint on the ground that the Safe Harbor Agreement showed that it was “frivolous,” the Irish High Court granted Europe v Facebook’s ex parte application to review whether the DPC’s failure or refusal to investigate the complaint was unlawful and whether a mandamus should issue to compel the DPC to investigate.
In ruling on the merits, Mr. Justice Hogan held that the DPC’s power to decide whether Facebook Ireland’s transfer of data to Facebook Inc. violated Irish or EU law was pre-empted by the European Commission’s finding, in its Safe Harbor decision of July 2000, that companies in the United States, such as Facebook Inc., that self-certified their conformity to certain principles provided “the adequate level of [data] protection” required by EU law. The Justice stated, however, that “much has happened in the interval since July 2000,” including “the enhanced threat to national and international security posed by rogue states, terrorist groupings and organized crime, disclosures regarding mass and undifferentiated surveillance of personal data by the US security authorities, the advent of social media and, not least from a legal perspective, the enhanced protection for personal data now contained in Article 8 of the Charter [of Fundamental Rights of the European Union].” These developments raised “the essential question … [of] whether, as a matter of European Union law,” the DPC is “absolutely bound by [the] finding of the European Commission in the 2000 Decision in relation to the adequacy of data protection in the law and practice of the United States having regard in particular to the subsequent entry into force of Article 8 of the Charter ….” In light of “the general novelty and practical importance of these issues which have considerable practical implications for all 28 Member States of the European Union,” Mr. Justice Hogan adjourned the case for the European Court of Justice to decide on the scope of the Safe Harbor Agreement.
Mr. Justice Hogan’s decision and Europe v Facebook’s formal complaint to the DPC are available, respectively, at http://www.europe-v-facebook.org/hcj.pdf, and http://www.europe-v-facebook.org/prism/facebook.pdf
A more extended analysis of Mr. Justice Hogan’s decision is available in Aidan Booth and Adina Schwartz, “Substantive Challenges in Europe to Surveillance by the NSA and GCHQ,” http://johnjayresearch.org/ccs/2014/04/22/challenges-in-europe-to-surveillance-by-the-nsa-and-gchq/
June 17, 2014
In connection with their challenges in the Investigatory Powers Tribunal (“IPT”) to the UK’s Tempora program, Privacy International, Liberty, Amnesty International, the American Civil Liberties Union, Pakistani organisation Bytes for All, the Canadian Civil Liberties Association, Egyptian Initiative for Personal Rights, Hungarian Civil Liberties Union, Irish Council for Civil Liberties, and the Legal Resources Centre, South Africa, published a statement from Charles Farr, the UK’s Director General of the Office for Security and Counter Terrorism, defining UK residents’ searches and communications on web-based platforms in the US, such as Facebook, Google, Hotmail, Twitter, Youtube, and Yahoo!, as “external communications” under the Regulation of Investigatory Powers Act (“RIPA”). While RIPA allows “internal communications” between people within the UK to be intercepted only on the basis of specific warrants based on individualized suspicion of unlawful activity, “external communications” with people outside the UK’s territorial bounds may be indiscriminately intercepted on the basis of general warrants without any suspicion of unlawful activity. The only restriction the UK recognizes on surveillance of “external communications” is a prohibition on searches with keywords or terms mentioning a specific British person or residence. Mr. Farr is slated to be the government’s star witness at the hearing on the challenges that the IPT is scheduled to hold from July 14 to 18, 2014.
Privacy International’s press release, including links to Mr. Farr’s statement, the witness statements of Dr Gus Hosein, Executive Director of Privacy International, Eric King, Deputy Director of Privacy International, Dr Ian Brown of the Oxford Internet Institute, and Cindy Cohn, Legal Director of the Electronic Frontier Foundation, and the Skeleton Argument served by Privacy International and Bytes for All on June 12, 2014, is available at https://www.privacyinternational.org/sites/privacyinternational.org/files/downloads/press-releases/pi_july_hearing_skeleton.pdf
For a discussion of the Tempora program and RIPA, see Aidan Booth, “GCHQ Surveillance: TEMPORA Program,” at http://johnjayresearch.org/ccs/2013/07/11/gchq-surveillance-tempora-program/
June 13, 2013
In the landmark case of R v. Spencer, Canada’s highest court, the Supreme Court of Canada, decided that police need a warrant to obtain subscriber information associated with a particular IP address from an ISP, including the name, address and telephone number of the person using that IP address to access the Internet. The Court reasoned that the user had a reasonable expectation of privacy in the subscriber information, and that the police acquisition of the information from the ISP was therefore a “search,” subject to the protections against unreasonable searches and seizures in s. 8 of the Canadian Charter of Rights and Freedoms. “The disclosure of this information will often amount to the identification of a user with intimate or sensitive activities being carried out online, usually on the understanding that these activities would be anonymous. A request by a police officer that an ISP voluntarily disclose such information amounts to a search.”
The decision is available at http://scc-csc.lexum.com/scc-csc/scc-csc/en/item/14233/index.do
June 12, 2014
Judges in the UK Court of Appeal blocked an attempt by the government to hold a completely secret criminal trial.
Lawyers for the government had argued that their “unique application” for a secret trial was in the interests of national security. Although the judges did state that the “core” of the terrorism trial could be partly heard in secret, they ruled that parts must be made public, adding they had “grave concerns” with the “cumulative effect” of anonymizing defendants and holding secret trials.
Lord Justice Gross said: “Open justice is both a fundamental principle of the common law and a means of ensuring public confidence in our legal system. Exceptions are rare and must be justified on the facts. Any such exceptions must be necessary and proportionate”.
The judges ruled that the media and public would be allowed to attend the swearing in ceremony, parts of the prosecution’s opening remarks, the verdicts and should there be convictions, the sentencing proceedings. In addition, a small number of journalists would be permitted to attend the closed parts of the trial, subject to confidentiality agreements and to the secure storing of their notes until the end of the trial.
The defendants, previously known only as AB and CD, were disclosed to be Erol Incedal, charged with preparing acts and collecting information useful for terrorism, and Mounir Rarmoul-Bouhadjar, charged with collecting information useful for terrorism and possession of false identification documents.
While a government spokesperson stated that the Crown Prosecution Service would abide by the court’s decision, the mixed reaction of the director of policy for campaign group Liberty, Isabella Sankey, was that, “The judges are clear that open justice is a priceless foundation of our system and faced with a blacked-out trial we now have a few vital chinks of light. But their wholesale deference to vague and secret ministerial ‘national security’ claims is worrying. Shutting the door on the core of a criminal trial is a dangerous departure from our democratic tradition.”
The decision is available at http://www.judiciary.gov.uk/judgments/guardian-news-and-media-ltd-v-ab-cd/
June 11, 2014
In association with the Institute of Information Law at the University of Amsterdam and Law, Science, Technology & Social Studies (“LSTS”) at the Vrije Universiteit at Brussels, The Privacy Surgeon published a report compiled and edited by privacy advocate Simon Davies, entitled “A Crisis of Accountability: A Global Analysis of the Impact of Snowden’s Revelations.”
The Report is available at http://www.privacysurgeon.org/blog/wp-content/uploads/2014/06/Snowden-final-report-for-publication.pdf
Davies’ summary of the Report’s findings is available at http://www.privacysurgeon.org/blog/incision/global-security-analysis-reveals-widespread-government-apathy-following-snowden-disclosures/
June 10, 2014
Microsoft has asked Judge Loretta A. Preska of the federal district court for the Southern District of New York to vacate Magistrate James C. Francis IV’s order of April 25, 2014, requiring it to provide the government with the content of a customer’s emails stored abroad, pursuant to a warrant issued under 18 U.S.C. Section 2703(a) of the Stored Communications Act. While Judge Francis reasoned that a Sec. 2703(a) warrant resembles a subpoena and differs from a Fourth Amendment warrant in “not implicat[ing] principles of extraterritoriality,” Microsoft argued in its appeal to Judge Preska that allowing the government to use a Section 2703(a) warrant to obtain email stored abroad “would violate international law and treaties, and reduce the privacy protection of everyone on the planet.”
Verizon has filed an amicus brief supporting Microsoft, and other corporations and the Electronic Frontier Foundation are also expected to file amicus briefs on Microsoft’s behalf.
Oral argument before Judge Preska is scheduled for July 31.
A redacted version of the objections to the magistrate’s order that Microsoft filed on June 6, 2014 is available at https://www.documentcloud.org/documents/1184809-brief-in-microsoft-case-to-search-email-outside.html
Verizon’s amicus brief is available at https://www.documentcloud.org/documents/1184973-verizon-amicus-brief-on-customer-data-stored.html
Magistrate Francis’ Memorandum and Order of April 25, 2014 is available at 2014 WL 1661004 and at https://www.documentcloud.org/documents/1184972-magistrate-order-for-microsoft-to-hand-over-data.html.
See the April 25 entry below for discussion of and links to articles about Magistrate Francis’ decision.
June 9, 2014
The NSA and its partners are currently tracking over twenty hacking groups in China, over half of which are People’s Liberation Army Units. A security company in Irvine, California, CrowdStrike, released a report today on the methods that one of the hacking groups had used to target the networks of American, European and Japanese government entities, military contractors, and companies in the space and satellite industry. The NSA and its partners have identified the group as Unit 61486, and claim that it sometimes shares resources and communications with Unit 61398 of the People’s Liberation Army, five members of which were indicted by the United States last month. The operations of Unit 61486 pose as large a threat to the infrastructure of the United States as the operations of Unit 61398.
See the May 20, 22 and 26 entries below for discussion of and links to news articles about the tension between China and the United States over the American indictment of members of Unit 61398.
June 6, 2014
In reaction to Snowden’s revelations and in an attempt to preserve overseas business with countries such as Brazil and Germany, Facebook, Microsoft, and Google are encrypting more data as it moves among their servers and are also helping customers to encrypt their own emails. In an interview, Google’s chief security officer, Eric Grosse, stated that while Google was willing to assist in government cybersecurity efforts, “signals intercept is totally off the table. No hard feelings, but my job is to make their job hard.” Microsoft intends to fully encrypt all its products, including Hotmail and Outlook.com, with 2,048-bit encryption by the end of this year. Microsoft’s general counsel, Brad Smith, stated that the company was establishing “transparency centers,” the first of which would be in Brussels, where foreign government experts would be allowed to check for back doors in Microsoft’s proprietary source code.
Telecommunications companies, such as AT&T and Verizon, claim that they have become much more reluctant than they were a year ago to cooperate with the government in “gray areas” where there is no explicit legal requirement for a warrant. As a result of Snowden’s revelations, the business of hardware companies such as Cisco has declined steadily in Asia, Brazil and Europe over the past year, and the companies complain that it is nearly impossible to prove that the NSA cannot infiltrate their systems.
June 5, 2014
In the first transparency report ever released by a Canadian telecommunications company, Rogers Communications revealed that in 2013, it received almost 175,000 requests for customer information from government agencies including the Royal Canadian Mounted Police (“RCMP”), Canadian Security Intelligence Service, Canada Border Services Agency, Canada Revenue Agency, and provincial and municipal agencies such as police forces and coroners. About half of the requests were to confirm the name and address associated with a phone number, and Rogers stated that it voluntarily complied so that warrants were not issued for the wrong person. Rogers claimed that it otherwise provided customer information only in response to a court order or an emergency, and that it required a warrant for metadata and would not allow agencies direct access to its customer databases. Although the company stated that it opposes and, if necessary, goes to court to contest overly broad orders for customer data, it did not reveal how often that occurs.
In response to a request from University of Toronto researchers, one of Canada’s smaller telecommunications companies, Teksavvy, released a report stating that it received 52 requests for customer data from government agencies in 2012 and 2013, and complied with only a third of the requests.
The Rogers Communications Transparency Report is available at http://www.slideshare.net/Rogers/rogers-2013transparencyreporten
The Teksavvy report is available at https://citizenlab.org/wp-content/uploads/2014/06/TekSavvy-to-Citizenlab-2014-06-04.pdf
June 4, 2014
German Federal Prosecutor Harald Range announced the launching of a formal investigation into allegations that the NSA spied on Chancellor Angela Merkel’s mobile telephone communications. By contrast, sources close to Range said that he had concluded that there were insufficient reasons to open an official investigation into allegations of mass surveillance of Germans’ online communications by the NSA and GCHQ. The office has the option, however, of initiating a formal investigation at a later date.
Range’s press release (in German) is available at http://www.generalbundesanwalt.de/de/showpress.php?themenid=16&newsid=506
June 3, 2014
Google announced the release of an early version of a new tool, called End-to-End, that will make it easier for users of its Chrome browser to encrypt their emails from the time they leave their browsers until their intended recipients decrypt them. After cryptographers, privacy activists and engineers test the early version for mistakes and back doors, the tool will be available in Google’s Chrome Web Store. Speaking by video conference at the South by Southwest conference earlier this year, Snowden stated that a “more constitutional, more carefully overseen enforcement model” could result if technologists made it easier for people to use end-to-end encryption. While the release of End-to-End is likely to make access to people’s emails harder for the NSA and other government agencies, its use will also prevent Google from gathering data from email messages for targeted advertising.
Separately, Google released numbers showing that 40 to 50% of the emails sent between Gmail and other providers are not encrypted. While less than 1% of traffic between Google and Comcast is encrypted, a Comcast spokesperson stated that the company is currently testing encryption of users’ communications with large websites and email providers and will turn on encryption with Google within weeks. Only half of the traffic between Google and Microsoft services like Hotmail stays encrypted; Microsoft still has work to do on turning on encryption, even though it announced earlier this year that it intended to do so by the end of the year.
Google’s announcement is available at http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encryption-easier-to.html
For discussion of and a link to a Washington Post article reporting that the NSA and GCHQ had secretly tapped into the fiber-optic cables carrying information among Google’s and Yahoo!’s data centers and copied entire data flows, see the October 30, 2013 entry in our International Chronology, available at http://johnjayresearch.org/ccs/2013/07/12/international-chronicle-of-surveillance-events-2013/
June 1, 2014
In response to Congress’ passage of a law in December that bars Russia from improving its version of GPS by building monitor stations on American soil, deputy prime minister Dmitri O. Rogozin announced that as of June 1, the U.S. was barred from using GPS base stations in Russia for military purposes and as of September 1, would be barred from using Russian base stations for any purposes unless Russia was allowed to build base stations in the US. Although Mr. Rogozin acknowledged that the Russian restrictions would not disrupt GPS services to individuals and businesses, lack of cooperation between Russia and the US over access to GPS sites poses potentially serious complications for geodesic research.
For discussion of and a link to an article about the US restrictions on Russia, see the December 28, 2013 entry at http://johnjayresearch.org/ccs/2013/07/12/international-chronicle-of-surveillance-events-2013/
May 31, 2014
The NSA is collecting millions of images of people per day, including about 55,000 “facial recognition quality images,” from emails, text messages, social media, videoconferences, and other communications, and storing them for processing by its sophisticated facial recognition programs, according to top-secret documents leaked by Snowden.
One of the documents, a presentation to the 5 Eyes Intelligence Group (USA, UK, Canada, New Zealand and Australia) entitled “Identity Intelligence: Image Is Everything,” shows how the NSA attempts to “track, exploit, and identify targets of interest” by integrating biometric and biological data, biographical data, and contextual/behavioral data. NSA documents from 2011 indicate, however, that its main facial recognition program, codenamed Tundra Freeze, sometimes produced misidentifications.
Neither FISA nor any other federal law contains specific provisions for the use of facial recognition data. According to an NSA spokeswoman, the agency considers images to be contents of communications and therefore obtains warrants when it intentionally collects Americans’ images. Warrants are not needed, however, to collect images contained in Americans’ communications with non-Americans overseas.
Commenting on The New York Times story, a Privacy International spokesperson told the BBC News, “Not only is our most personal of information being collected, stored, and analysed, it’s being done through faulty systems where there are no legal frameworks or safeguards.” Alessandro Acquisti, a researcher at Carnegie Mellon University, told The New York Times that despite current technical limitations, facial recognition technology “can be very invasive. … [T]he computational power keeps growing, and the databases keep growing, and the algorithms keep improving.”
The New York Times article is available at http://www.nytimes.com/2014/06/01/us/nsa-collecting-millions-of-faces-from-web-images.html?_r=0
An excerpt from one of the NSA documents on which the article is based is available at:
The BBC News article is available at: http://www.bbc.com/news/technology-27663130
May 26, 2014
The Internet Media Research Center, an arm of China’s State Council Information Office, issued a report stating that Beijing’s own investigations had basically confirmed Snowden’s allegations and that “U.S. monitoring operations have involved the Chinese government and leaders, Chinese companies and scientific research institutions, ordinary Internet users and many mobile phone users.” The report called US spying on China “a brazen violation of international law and a gross violation of human rights,” and also claimed, on the basis of an August 29, 2013 article in The Washington Post, that “[s]urveillance cooperation between U.S. intelligence agencies and privately owned entities, especially with Internet service providers, has gone on for over six years.”
The Washington Post article is available at http://www.washingtonpost.com/world/national-security/nsa-paying-us-companies-for-access-to-communications-networks/2013/08/29/5641a4b6-10c2-11e3-bdf6-e4fc677d94a1_story.html
May 22, 2014
In an interview published in a New York Times blog, Adam Segal, an expert on China and cybersecurity at the Council on Foreign Relations, stated that while Chinese cyberespionage was a “threat to the competitiveness of companies and to national economies,” “the distinction [that the US government draws] between [its own] cyberespionage for security or national economic interest versus [Chinese] cybertheft for the benefit of specific companies is lost, not credible or not meaningful to many, if not most, other countries.”
China’s State Internet Information Office announced a policy of stricter Internet security assessments of companies selling Internet technology and services in sectors ‘related to national security and the public interest.’ According to a commentary on the website of the state-run newspaper China Daily, the new vetting procedures could affect Cisco Systems, IBM and Microsoft and require the disclosure of sensitive data and technology, such as encryption processes.
May 20, 2014
On the basis of documents leaked by Snowden, The Intercept reported that as of 2013, the NSA had been recording and storing for possible retrieval within 30 days the contents of all cell phone calls in the Bahamas and one other country whose name was withheld “in response to specific, credible concerns that doing so could lead to increased violence.” The Washington Post revealed the existence of the program in March, but withheld the names of all target countries on the US government’s request. Although The Post referred to the program as “MYSTIC,” SOMALGET was the NSA’s code name for the content collection in the Bahamas and unnamed country while MYSTIC was its code name for bulk collection of cell phone metadata in Kenya, Mexico and the Philippines as well as the Bahamas and unnamed country. The Intercept surmised that the NSA had used a seemingly legal request by the US Drug Enforcement Agency for a wiretap on a specific phone to gain backdoor access, without the Bahamian government’s knowledge or consent, to the country’s entire cell phone network. NSA documents indicated that in addition to using it to locate “international narcotics traffickers and special-interest alien smugglers,” the NSA deployed SOMALGET in the Bahamas as a means of testing and developing the program’s technology.
See the March 18 entry below for a description of and link to The Washington Post article.
The Chinese government accused the US of hypocrisy in indicting five members of China’s cyberwarfare operation unit 61398 for theft of trade secrets from such companies as Westinghouse and Alcoa when the NSA has spied on, among others, China Telecom, Chinese maker of Internet switching equipment Huawei, Hong Kong-based operator of undersea fiber optic cables Pacnet, Brazilian state-run oil company Petrobras and Saudi Arabian, African, Iranian, and Mexican state oil companies, and Joaquin Almunia, the European Commission antitrust commissioner who was investigating Apple, Motorola Mobility, Intel, and Microsoft. The US claims that the NSA’s mission of protecting national security encompasses routine spying for American economic advantage, but distinguishes its spying from China’s on the ground that the NSA does not provide US companies with trade secrets or intelligence that it obtains from foreign companies or officials. While stating that it observes US law across the globe, the NSA admits that it does not view other states’ laws as constraining its operations.
May 14, 2014
In briefs filed in two criminal prosecutions where the defendants were notified of the government’s intent to use information derived from warrantless surveillance under the FISA Amendments Act (“FAA”), 50 U.S.C. Sec. 1881a, the government wrote that, “The privacy rights of US persons in international communications are significantly diminished, if not completely eliminated, when those communications have been transmitted to or obtained from non-US persons located outside the United States.” According to The Guardian, the government’s position in the briefs is that nothing in the Constitution “bars the NSA from monitoring every call and email between Americans in the United States and their non-American friends, relatives, and colleagues overseas. … [T]here is no need to ask whether the 2008 law violates Americans’ privacy rights, because in this context Americans have no rights to be violated.”
The briefs, filed in United States v. Jamshid Muhtorov, Criminal Case No. 1:12-cr-00033-JLK-01 (D. Colo. filed Jan. 19, 2012), and United States v. Mohamed Osman Mohamud, Case No. 3:10-CR-00475-KI (D. Or. filed Nov. 29, 2010), are available, respectively, at https://www.aclu.org/sites/default/files/assets/muhtorov_-_govt_response_to_motion_to_suppress.pdf and https://www.aclu.org/sites/default/files/assets/mohamud_-_govt_response_to_mot_to_suppress.pdf
For further discussion of the Muhtorov, Mohamud and other prosecutions where the defendants have either been notified of or seek information in regard to the government’s intent to use information derived from warrantless surveillance under the FISA Amendments Act, see Section F of Adina Schwartz and Aidan Booth, “Substantive Challenges in the United States to NSA Surveillance,” http://johnjayresearch.org/ccs/2014/02/23/substantive-challenges-in-the-united-states-to-nsa-surveillance/ – FCrim1
May 13, 2014
Privacy International brought a complaint before the UK’s Investigatory Powers Tribunal (IPT) against the Foreign Secretary and GCHQ that demanded “an end to the unlawful hacking being carried out by GCHQ” on the ground that the hacking breaches Articles 8 and 10 of the European Convention on Human Rights. By contrast to pending complaints before the IPT that challenge the monitoring of communications through the Prism or upstream data collection programs, the new complaint challenges the more recently revealed collaboration of the GCHQ with the NSA in the widespread implantation of malware in individuals’ devices so as to obtain access to stored data or to the functions of devices (for example, acquiring the ability to activate cameras or microphones without the device user’s consent). Privacy International contends that there is “no clear legal authority” for the intelligence services’ infection of devices and that any such acts by anybody else would constitute a criminal offense. The complaint requests that the IPT rule that the hacking by the GCHQ is unlawful, enjoin any further such actions by GCHQ, and require all data obtained by such means to be destroyed.
Privacy International’s Statement of Grounds is available at https://www.privacyinternational.org/sites/default/files/PI%20Hacking%20Case%20Grounds.pdf
May 12, 2014
The Council of the European Union adopted the EU Human Rights Guidelines on Freedom of Expression Offline and Online, which recognize that “[u]ndue interference with individuals’ privacy can … limit the free development and exchange of ideas.” The Guidelines state that “[t]he obligation of States under international human rights law, in particular the right to freedom of expression, the right to privacy and the protection of personal data, extend to the online sphere in the same way as they apply offline,” and that those rights “may suffer violations as a result of unlawful or arbitrary interference, interception of communications or collection of personal data, in particular when carried out on a mass scale.”
The text of the Guidelines is available at http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/EN/foraff/142549.pdf
The New York Times reported that Glenn Greenwald’s book, “No Place to Hide: Edward Snowden, the N.S.A., and the U.S. Surveillance State,” which is being published on May 13, includes documents showing that in May 2010 when the U.N. was weighing sanctions against Iran, the NSA responded to a request for help from Susan Rice, the American ambassador to the U.N., by obtaining FISA Court orders allowing it to eavesdrop on the diplomatic facilities in the U.S. of Security Council members Bosnia, Gabon, Nigeria and Uganda. Also in Mr. Greenwald’s book is a document showing that the NSA penetrated embassies and missions of Brazil, Bulgaria, Colombia, the European Union, France, Georgia, Greece, India, Italy, Japan, Mexico, Slovakia, South Africa, South Korea, Taiwan, Venezuela and Vietnam. NSA spokeswoman Caitlin Hayden defended the spying, stating that, “While our intelligence agencies will continue to gather information about the intentions of governments — as opposed to ordinary citizens — around the world, in the same way that the intelligence services of every other nation do, we will not apologize because our services may be more effective.”
May 7, 2014
As part of its effort to build opposition to the Swiss law requiring telecommunications companies to retain users’ metadata for six months and make it available to law enforcement on demand, the Swiss civil society group Digital Society Switzerland published an interactive visualization of the information that could be learned about the life of National Councillor Balthasar Glättli, a Green Party member, from six months of his metadata.
The interactive visualization is available at http://digiges.ch/dr/
May 5, 2014
The legal service of the Council of the European Union produced an analysis of the European Court of Justice’s decision of April 8 invalidating the EU Data Retention Directive of 2006. While analyses of decisions by the Council’s legal service are ordinarily confidential, the text of this analysis was leaked.
The analysis is available at http://www.statewatch.org/news/2014/may/eu-council-note-data-retention-judgment-9009-14.pdf
May 2, 2014
At a meeting at the White House, President Obama called Chancellor Merkel “one of my closest friends on the world stage,” while Ms. Merkel stated that the “proportionality” of US surveillance needed to be addressed and that it was too soon to return to “business as usual.” Opposing German demands for an end to US spying on German soil, Mr. Obama said that “[w]e do not have a blanket no-spy agreement with any country. [W]e’re not holding back from doing something with Germany that we somehow do with somebody else.” In the meantime, a German ministry report indicated that an American law firm whose advice was sought opined that if Mr. Snowden were invited to testify before the German Parliament, the American government could charge members of Parliament with complicity in publicizing classified information.
May 1, 2014
Chancellor Angela Merkel’s visit to the White House on May 2 will take place against the backdrop of a deep division between Germany and the United States in regard to American spying on German soil. While Ms. Merkel’s spokesman, Steffen Seibert, stated on April 30 that Germany stood by “the demand that on German soil the German laws must be respected, and by everybody,” a senior American official said that the German demand for a “no-spy agreement” had “pulled the plug” on negotiations between the countries on intelligence operations. According to American officials, President Obama’s National Security Advisor, Susan Rice, has stated that the U.S. does not even have no-spy agreements with the other members of the Five Eyes group (the UK, Canada, Australia and New Zealand). Ms. Rice fears that a no-spy agreement with Germany would lead to demands for the same by, among others, the major European allies of the United States, Japan, and South Korea.
On May 2, a German parliamentary commission is expected to issue a report on the Snowden disclosures without calling Mr. Snowden to testify. The German newspaper, Süddeutsche Zeitung, quoted a document from German officials which said that inviting Mr. Snowden to testify in Germany would put a “permanent strain” on relations with the United States.
A White House report whose primary focus is on developing government limits on companies’ use of customers’ data states that there is “a profound question” about whether telecommunications metadata “should be accorded stronger privacy protections than they are currently,” and recommends considering whether the use of metadata by intelligence agencies should be limited by “how much it reveals about individuals.” According to The New York Times, “The report also recommends extending Americans’ privacy rights to foreigners, on the theory that there are no boundaries when it comes to the data collected online.”
The Report is available at http://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_may_1_2014.pdf
April 25, 2014
A magistrate in the federal district court of the Southern District of New York required Microsoft to comply with a warrant for the contents of a customer’s emails stored on a server in Dublin, Ireland. Microsoft moved to quash the warrant, which the United States obtained under the Stored Communications Act (“SCA”) provision of the Electronic Communications Privacy Act, on the ground that the United States lacks the authority to issue warrants for extraterritorial searches and seizures. Magistrate James C. Francis IV reasoned, however, that an SCA warrant does not implicate principles of extraterritoriality because “it is executed like a subpoena in that it is served on the ISP in possession of the information and does not involve government agents entering the premises of the ISP to search its servers and seize the e-mail account in question. … It has long been the law that a subpoena requires the recipient to produce information in its possession, custody, or control regardless of the location of that information.”
In a blog posting, David Howard, Microsoft’s Corporate Vice President & Deputy General Counsel, stated that the company would appeal the magistrate’s decision to the federal district judge and, if necessary, to the federal court of appeals. According to Mr. Howard, “A U.S. prosecutor cannot obtain a U.S. warrant to search someone’s home located in another country, just as another country’s prosecutor cannot obtain a court order in her home country to conduct a search in the United States. That’s why the U.S. has entered into many bilateral agreements establishing specific procedures for obtaining evidence in another country. We think the same rules should apply in the online world….”
The BBC News noted that the magistrate’s decision “potentially undermines” Microsoft’s pledge to offer business and government clients control over where their data resides. In response to the decision, Mina Andreeva, the European Commission spokeswoman for justice, fundamental rights and citizenship, told the BBC that, “The commission’s position is that this data should not be directly accessed by or transferred to US law enforcement authorities outside formal channels of co-operation, such as the mutual legal assistance agreements or sectoral EU-US agreements authorising such transfers.” She also said that “the European Parliament reinforced the principle that companies operating on the European market need to respect the European data protection rules – even if they are located in the US.”
The decision in In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, No. 13 Mag. 2814, 2014 WL 1661004 (SDNY Apr. 25, 2014), is available at https://www.documentcloud.org/documents/1149373-in-re-matter-of-warrant.html
April 23, 2014
In the first response by a European Constitutional Court to the European Court of Justice’s invalidation of the EU Data Retention Directive of 2006 in Joined Cases C-293/12 & C-594/12 on April 8, the Slovak Constitutional Court preliminarily suspended the provisions for data retention, but not access to data, in the Slovak law implementing the Directive. The preliminary suspension applies until the Slovak court issues a decision on the merits, and was issued in a case brought in October 2012 by the European Information Society Institute (EISi) with the support of 30 Members of Parliament.
The Slovak Constitutional Court’s opinion is available in English at http://www.eisionline.org/images/projekty/sukromie/OpinionCJEU-EN.pdf
For further description of and links to the decision of the European Court of Justice, see the entry for April 8 below and the more complete discussion in Aidan Booth and Adina Schwartz, “Challenges in Europe to Surveillance by the NSA and GCHQ,” http://johnjayresearch.org/ccs/2014/04/22/challenges-in-europe-to-surveillance-by-the-nsa-and-gchq.
Hector Xavier Monsegur, a hacker known as “Sabu” who was affiliated with Anonymous, became an FBI informant after he was arrested and coordinated hundreds of cyberattacks on foreign websites in 2012. One of Monsegur’s recruits was Jeremy Hammond, who had worked with him on sabotaging the computer servers of Stratfor Global Intelligence, a private intelligence firm based in Texas. On the basis of court documents and an interview with Hammond in the federal prison where he is currently serving ten years, The New York Times reported that Monsegur directed Hammond to use a vulnerability in the Plesk web-hosting software as a back door into government websites in Iran, Nigeria, Pakistan, Turkey and Brazil and the website of the Polish Embassy to the UK and the Ministry of Electricity in Iraq. Hammond extracted emails and databases from the websites and uploaded them to a computer server that Monsegur controlled. Monsegur also asked a Brazilian hacker known as Havittaja to attack Brazilian government websites, in chats between the two that Havittaja subsequently posted online. Speculation that Monsegur is still working as a government informant is fuelled by repeated delays in his sentencing and his unknown whereabouts.
About 850 government officials, academics, campaigners and technical experts are attending the two-day NetMundial conference in Sao Paulo, Brazil that President Dilma Rousseff organized after she learned that the NSA had monitored her telephone and email communications. Although the conference aims to arrive at shared principles and to outline issues that will form the basis for further discussions about Internet governance, there are substantial disagreements among the attendees.
President Rousseff signed into law the Marco Civil, an Internet “Bill of Rights” that establishes net neutrality in Brazil and requires service providers to develop protocols to ensure that emails can be read only by senders and intended recipients and imposes penalties for violations. Although the law’s privacy protections extend to Brazilians’ data regardless of where the data is held, a proposal that would have required Internet firms to store data about Brazilian users within the country’s borders was not enacted. The law also requires Internet firms to retain user data for six months, to be handed over to law enforcement under court order.
April 18, 2014
In an essay in The Guardian entitled “Vladimir Putin must be called to account on surveillance just like Obama: I questioned the Russian president live on TV to get his answer on the record, not to whitewash him,” Edward Snowden replied to critics of his decision to question Putin about the existence of mass surveillance in Russia on his call-in program. Snowden compared Putin’s response to Clapper’s lie in response to Senator Wyden’s question on the Senate floor about whether Americans were subject to mass surveillance and to Obama’s initial denial of the existence of mass domestic surveillance. He stated that his objective in appearing on the program was to stimulate public discussion about state surveillance in Russia.
April 17, 2014
During President Vladimir Putin’s annual call-in television program, Edward Snowden asked whether Russia had mass surveillance programs. He prefaced the question by stating that two independent White House investigations and a federal court had found that the NSA’s bulk surveillance of metadata was ineffective and unduly intrusive on privacy. Putin responded by denying the existence of any Russian mass surveillance programs and by claiming that all Russian intelligence gathering was governed by law and the requirement of particularized warrants.
Kiev-based journalist Myroslava Petsa criticized Snowden for not asking about the revelation that in December, the Russian intelligence agency asked Pavel Durov, the founder of the Russian social network VKontakte, for personal details of Ukrainians who were using his social network to organize protests in Kiev. In a post that included scanned images of the intelligence agency’s requests, Mr. Durov had stated that he refused to provide any information.
A video of the exchange between Snowden and Putin, with an English translation of Putin’s response, is available at: http://www.youtube.com/watch?v=w1yH554emkY&feature=youtu.be
April 15, 2014
Robert Hannigan, who is currently director general of defense and intelligence at the Foreign Office, will succeed Sir Iain Lobban as head of GCHQ this coming autumn.
April 14, 2014
The Pulitzer Prize for Public Service was awarded to The Washington Post and The Guardian US for their articles based on Snowden’s revelations. In a statement, Snowden said, in part, that his leaking “would have been meaningless without the dedication, passion, and skill of these newspapers,” and also claimed that the awards were “a vindication for everyone who believes that the public has a role in government.” The editor-in-chief of the Guardian, Alan Rusbridger, expressed gratitude to “our colleagues across the world who supported the Guardian in circumstances which threatened to stifle our reporting. And we share this honour, not only with our colleagues at the Washington Post, but also with Edward Snowden, who risked so much in the cause of the public service ….”
The Pulitzer Prize Committee’s citation is available at: http://www.pulitzer.org/citation/2014-Public-Service
The Guardian’s report on the award is available at: http://www.theguardian.com/media/2014/apr/14/guardian-washington-post-pulitzer-nsa-revelations
April 10, 2014
The Article 29 Working Party, comprised of representatives of the Data Protection Authorities of each EU Member State and the EU Commission and other EU institutes, adopted Opinion 04/2014 on surveillance of electronic communications for intelligence and national security purposes, 819/14/EN, WP 215. Explicitly denying that the collection of metadata is less serious than collection of contents of communications, the Opinion found that “secret, massive and indiscriminate surveillance programs are incompatible with our fundamental laws and cannot be justified by the fight against terrorism or other important threats to national security,” and that the transfer of personal data to a third country for purposes of such surveillance could not be legally justified. In addition, the Working Party stated that companies might be “in breach of European law [and subject to enforcement actions, including the suspension of data flows by data protection authorities] if intelligence services of third countries gain access to the data of European citizens stored on their servers or if [the companies] comply with a [third country’s] order to hand over personal data on a large scale.” The Working Party urged the European Council and Parliament to adopt a new General Data Protection Regulation and Police and Justice Data Protection Directive in 2014, and also called for enforceable international agreements on privacy and the protection of personal data that would, in particular, protect people against indiscriminate, mass surveillance.
The Opinion is available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp215_en.pdf
In a letter to Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding, the Article 29 Working Party endorsed all the recommendations in the Commission’s November 27, 2013 report on restoring trust in data flows between the EU and the US. An appendix to the letter includes additional recommendations for the Commission to pursue in its ongoing negotiations with the US on a new Safe Harbor Agreement. The Working Party also voiced agreement with the European Parliament’s opinion of March 27, 2014 that the Safe Harbor agreement should be suspended if negotiations were unsuccessful and affirmed the power of data protection authorities to suspend data flows in accord with EU law and individual Member States’ laws.
The Working Party letter to Ms. Reding is available at: https://www.huntonprivacyblog.com/files/2014/04/20140410_wp29_to_ec_on_sh_recommendations.pdf
Summaries and links to the European Parliament’s opinion of March 27, 2014 and the Commission’s November 27, 2013 report are available in the March 27 entry below and in the November 27, 2013 entry in http://johnjayresearch.org/ccs/2014/03/14/international-chronicle-of-surveillance-events-2013/
The Article 29 Working Party issued a letter stating that Microsoft’s enterprise cloud contracts, which apply to Microsoft Azure, Office 365, Microsoft Dynamics CRM and Windows Intune, conform to EU requirements for data protection and privacy. The General Counsel and Executive Vice President of Legal and Corporate Affairs at Microsoft, Brad Smith, noted that the approval means that even if the Safe Harbor agreement between the US and EU is suspended, customers will not have their cloud services interrupted or curtailed. Thus far, Microsoft is the only company whose cloud services have been approved by the Article 29 Working Party.
Mr. Smith’s reaction to the development in the official Microsoft Blog is available at: http://blogs.technet.com/b/microsoft_blog/archive/2014/04/10/privacy-authorities-across-europe-approve-microsoft-s-cloud-commitments.aspx
During a visit to Washington in May, Chancellor Angela Merkel plans to voice concerns to President Obama and leading Senators and to be “forthright” about the issue of NSA surveillance if reporters raise questions. Raising the stakes for the visit, the United States government has refused to provide Merkel with access to her NSA file and has yet to respond to questions about surveillance that Germany submitted last June. The US has also refused to enter into a “no spy” agreement with Germany, in part because Germany is unwilling or unable to share the types of surveillance material that the US wants.
German Interior Minister Thomas de Maizière stated to Der Spiegel last week that, “If two-thirds of what Edward Snowden reports, or of what is reported with attribution to him, is correct, then I come to the conclusion: the USA is acting without any restraint.” A senior US official opined, however, that, “Given that we already have a dialogue on these issues in intelligence and diplomatic channels, and given the other critical issues the two leaders will need to discuss, … I would not expect NSA issues to be a big part of the discussions between Chancellor Merkel and President Obama.”
April 9, 2014
In a letter to the UK Secretary of State for the Home Department, Privacy International requested information about what steps were being taken to ensure that the practices that led to the previous day’s invalidation of the EU Data Protection Directive (Directive 2006/24/EC) by the European Court of Justice would be discontinued in the UK.
April 8, 2014
The highest court of the EU, the European Court of Justice (“CJEU”), struck down the EU Data Retention Directive of 2006 (“the Directive”) in response to requests by the Austrian and Irish courts for a decision on the Directive’s compatibility with the rights to respect for private life and protection of personal data in the EU Charter of Fundamental Rights (the “EU Charter”). Under the Directive, EU member states had been required to enact laws requiring telecommunications firms to store location and traffic data, but not content, on all communications for a period of between six months and two years.
In the ruling, the judges stated that the Directive “does not provide sufficient safeguards against possible abuses of personal data”. Although the judges acknowledged that data retention was justified in the fight against serious crime and to protect public safety, they ruled that the Directive’s impact on privacy and the protection of personal data was disproportionate to those needs.
In a response to the ruling, a spokesman for the British government stated “we cannot be in a position where service providers are unable to retain this data,” and that the government would carefully consider the ruling’s implications.
The CJEU’s full written decision is available at: http://curia.europa.eu/juris/document/document.jsf?text=&docid=150642&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=382548
In his first published report on data requests, the UK Commissioner for Interception, Sir Anthony May, cleared the UK intelligence service GCHQ of breaking the law, stating that he could “assure anyone who is not associated with terrorists or serious criminals that the agencies have no interest whatever in examining their private communications and for practical purposes do not do so”. He went on to say that the Regulation of Investigatory Powers Act (RIPA) was “broadly fit for purpose” and being used correctly.
Sir Anthony did, however, warn that law enforcement and the intelligence services might well be overusing their powers, and that the 514,608 requests in 2013 for address and subscriber information associated with telephone and Internet communications “has a feeling of too many”. According to Sir Anthony, “It really does require to be investigated whether there may not be an institutional over-emphasis in police forces on progressing their criminal investigations and an institutional under-emphasis on the privacy side of it.”
The full report is available at: http://www.iocco-uk.info/docs/2013%20Annual%20Report%20of%20the%20IOCC%20Accessible%20Version.pdf
In testimony via videolink before the Council of Europe, Edward Snowden responded to the question of whether the NSA had spied on the “highly sensitive and confidential communications” of major human rights groups such as Amnesty International and Human Rights Watch by stating that “the answer is, without question, yes. Absolutely.” Snowden explained how the NSA’s XKeyscore program had allowed analysts to search without prior authorization through vast databases of emails, online chats, and browsing histories, and specified that there had been targeting of communications of Swiss nationals “across specific routes” and of French citizens who logged onto a suspected network. He also testified that the GCHQ’s Optic Nerve program of bulk collection of images from Yahoo webcam chats had “continued even after GCHQ became aware that the vast majority [of webcam chats] had no intelligence value at all.” Claiming that “[p]roperly implemented algorithms backed up by truly random keys of significant length … all require more energy to decrypt than exists in the universe,” Snowden advised the members of the Council to encrypt their communications.
April 6, 2014
The award of the Ridenhour Prize for truth-telling to Edward J. Snowden and Laura Poitras is expected to be announced on April 7. The prize was established by the Nation Institute and the Fertel Foundation to honor Vietnam veteran Ronald L. Ridenhour, who helped expose the My Lai massacre and went on to become an investigative reporter. The award is to be made at the Washington Press Club on April 30, and the organizers seek to have Mr. Snowden and Ms. Poitras, who is based in Berlin, appear remotely.
April 1, 2014
The British Press Award for newspaper of the year was awarded to The Guardian for its reporting on Snowden’s revelations. At the ceremony, held by the Society of Editors in London, the judges praised the Guardian for breaking “a story of global significance that went to the heart of the debate on press freedom. The fact that the coverage polarised opinion even within the press showed how important it was. The job of a newspaper is to speak truth to power and the past year has seen the Guardian do this with will and verve.” After the ceremony, the editor of The Guardian, Alan Rusbridger, stated that, “The story was not, in the end, publishable out of London and I want in particular to thank colleagues on ProPublica and the New York Times for collaborating with us.” Rusbridger also noted “the personal cost to Edward Snowden involved in his decision to become a whistleblower.”
March 29, 2014
On the basis of leaks from Snowden, Spiegel reported that an internal report by the NSA’s Special Sources Operations (“SSO”) indicated that on March 7, 2013 in case number 13-319, the FISA Court (“FISC”) authorized the NSA to monitor “Germany.” Although the report did not provide enough information to determine the types of data covered by the FISC’s Order, the ACLU believes blanket surveillance of ordinary Germans’ communications was authorized. A partial list in the SSO report indicated that similar FISC Orders had been issued for China, Mexico, Japan, Venezuela, Brazil, Sudan, Guatemala, Bosnia, and Russia.
A further NSA document from 2009 indicates that the NSA’s automated name recognition system, “Nymrod,” had obtained 300 “hits” on Chancellor Angela Merkel by searching through transcripts of intercepted fax, voice, and computer-to-computer communications and other information from intelligence agencies. Merkel was one of 122 country leaders listed as NSA targets.
Internal GCHQ documents indicate that from its headquarters in Cornwall, the GCHQ hacked into the networks of three German companies – Stellar, Cetel, and IABG – that operate satellite ground stations capable of providing Internet and telephone service to even the most remote areas. In addition to intercepting Internet traffic passing through the companies’ nodes, the GCHQ obtained customer lists and the names and email addresses of key employees, particularly engineers.
Although the possibility of criminal charges based on the NSA’s monitoring of Chancellor Merkel’s cellphone and mass surveillance of Germans’ communication is under review, German Federal Public Prosecutor Harald Range recently told the Berlin-based daily Die Tageszeitung that whether to bring charges was “an extremely complicated issue.”
March 24, 2014
The BBC News reported that Chinese foreign ministry spokesman, Hong Lei, said China was extremely concerned about the allegations in The New York Times and Der Spiegel about the NSA’s surveillance of Huawei.
March 23, 2014
In an interview on NBC’s “Meet the Press,” former President Jimmy Carter said that he uses snail mail when communicating with foreign officials because he believes the NSA will monitor his emails. Previously, in an interview with CNN in June, Carter said that Snowden had “obviously violated the laws of America, for which he’s responsible, but I think the invasion of human rights and American privacy has gone too far. I think that the secrecy that has been surrounding this invasion of privacy has been excessive, so I think that the bringing of it to the public notice has probably been, in the long term, beneficial.”
March 22, 2014
On the basis of documents leaked by Snowden, The New York Times and Spiegel reported that beginning in 2009, the NSA, with the involvement of the White House intelligence coordinator and the FBI, created backdoors into the networks of the Chinese telecommunications giant Huawei. The operation, codenamed “Shotgiant,” provided the NSA with access to the servers in Huawei’s Shenzhen headquarters, enabling it to read a large share of its workers’ emails, including those of CEO Ren Zhengfei and Chairwoman Sun Yafang, and to gain information about the workings of the routers and digital switches through which Huawei claims to connect a third of the world’s population. The NSA also planned to exploit Huawei’s technology so as to infiltrate the computer and telephone networks of foreign countries to which Huawei sold equipment and to use the underseas cables that Huawei laid to connect its networking empire to tunnel into “high priority targets – Iran, Afghanistan, Pakistan, Kenya, Cuba.”
A senior Huawei executive in the United States, William Plummer, said that Huawei had not suspected that it was an NSA target, voicing the personal opinion that “[t]he irony is that exactly what they are doing to us is what they have always charged that the Chinese are doing through us.”
The NSA’s operations against China also included penetrating its two largest cellphone networks and tracking the locations of Chinese leaders and strategically important military units.
The Spiegel article is at: http://www.spiegel.de/international/world/nsa-spied-on-chinese-government-and-networking-firm-huawei-a-960199.html (a longer version is to appear in Der Spiegel in German on March 24, 2014)
March 21, 2014
At a meeting with President Obama today, technology company executives, including Eric E. Schmidt of Google and Mark Zuckerberg of Facebook, are expected to raise the issues of losses to American business from Snowden’s revelations and the absence of a government response restoring trust in the security of data held by American companies. The losses, based on the cloud computing, web hosting and outsourcing markets, have been estimated, on a worst case scenario, to run as high as $180 billion, or a quarter of technology industry revenue.
Matthias Kunisch, a German software executive who chose Deutsche Telekom over United States cloud computing providers, stated that, “Issues like privacy are more important than finding the cheapest price. Because of Snowden, our customers have the perception that American companies have connections to the N.S.A.” Foreign beneficiaries of the distrust of American government and industry include the Norwegian email service Runbox, which says that it does not comply with foreign court orders for personal information, and the Brazilian and Spanish companies that have been hired by Brazil and the EU to build underseas cables between Brazil and Portugal as an alternative to the American underseas cables used to transmit data.
March 18, 2014
The congressional relations minister of Brazil, Ideli Salvatti, told reporters that a requirement that Internet companies store data on their Brazilian users within Brazil would be dropped from proposed legislation that has been dubbed Brazil’s “Internet Constitution.” Although the requirement of in-country data storage became a priority for President Dilma Rousseff in the wake of revelations of NSA surveillance of Brazilians’ Internet communications, including her own and those of Petroleo Brasileiro SA, it was strongly opposed by Internet companies. The proposed legislation now provides that even if data about Brazilian citizens is stored abroad, companies such as Google and Facebook will be required to abide by the privacy protections in Brazilian law.
Based on interviews with people with direct knowledge of the program and documents leaked by Snowden, Barton Gellman and Ashkan Soltani reported in The Washington Post that the NSA had developed and deployed a program, entitled MYSTIC, that is capable of recording all telephone calls made and received in a country. The calls are stored in a 30-day rolling buffer, and the NSA’s RETRO tool enables analysts to search back in time through that buffer for telephone calls when they discover new targets. MYSTIC was first developed in 2009, and by 2011, was fully deployed, along with RETRO, on all telephone calls in one country. The program has either been extended, or will soon extend, to five or six more countries. At the request of U.S. officials, The Washington Post withheld details that could reveal the country where MYSTIC and RETRO are known to have been deployed or the other countries where deployment has occurred or been planned.
By contrast to other surveillance programs revealed by Snowden, there appears to be concrete evidence of the efficacy of the MYSTIC and RETRO programs. “Highly classified briefings cite examples in which the tool offered high-stakes intelligence that would not have existed under traditional surveillance programs in which subjects are identified for targeting in advance. …[T]he briefings supply names, dates, locations and fragments of intercepted calls in convincing detail.”
A cost, however, is that “[u]biquitous voice surveillance, even overseas, pulls in a great deal of content from Americans who telephone, visit and work in the target country. It may also be seen as inconsistent with Obama’s Jan. 17 pledge ‘that the United States is not spying on ordinary people who don’t threaten our national security,’ regardless of nationality, ‘and that we take their privacy concerns into account.’”
Responding by email, NSA spokeswoman Vanee Vines stated that “continuous and selective reporting of specific techniques and tools used for legitimate U.S. foreign intelligence activities is highly detrimental to the national security of the United States and of our allies, and places at risk those we are sworn to protect.”
John Villasenor, a professor at the University of California, Los Angeles, who is affiliated with the Brookings Institute, authored a paper in 2011 entitled “Recording Everything: Digital Storage as an Enabler of Authoritarian Governments,” which focused on foreign countries, including Syria and Iran. Commenting on the revelations about the NSA’s MYSTIC and RETRO program, Professor Villasenor explained that “[p]lummeting storage costs are the main driver behind the ability to do this,” and opined that foreign countries, which might have no legal constraints on spying on Americans, could develop similar programs.
March 14, 2014
Starting in 2015, an international group will replace the United States in overseeing the assignment of Web addresses and domain names, which has been subcontracted by the US since 1998 to the Internet Corporation for Assigned Names and Numbers (“Icann”). According to The New York Times, the transition “has taken on a new urgency in the last year because of revelations that the United States intelligence community, particularly the National Security Agency, has been intercepting Internet traffic as part of its global spying efforts.” The US has rejected proposals for transferring oversight to a government-led organization, including the International Telecommunications Union, the United Nations affiliate that oversees global telephone traffic.
March 13, 2014
The Intercept published a classified document, entitled “What Are We After with Our Third Party Relationships? — And What Do They Want from Us, Generally Speaking?,” in which an official from the SIGINT Operations Group in NSA’s Foreign Affairs Directorate claimed that political changes generally did not affect cooperation between intelligence services because “in many of our foreign partners’ capitals, few senior officials outside of their defense-intelligence apparatuses are witting to any SIGINT connection to the U.S./NSA.” In an accompanying article, Glenn Greenwald discussed foreign political leaders’ claimed ignorance about cooperation with the NSA.
The document is available at https://firstlook.org/theintercept/document/2014/03/13/third-party-relationships/?Edi
The NSA issued a statement that “Recent media reports that allege NSA has infected millions of computers around the world with malware, and that NSA is impersonating U.S. social media or other websites, are inaccurate.”
Reacting to the March 12 story in The Intercept about the NSA’s use of fake Facebook servers to implant malware in targets’ computers, Facebook’s co-founder and CEO Mark Zuckerberg stated, in a public post to the social network’s users, that “When our engineers work tirelessly to improve security, we imagine we’re protecting you against criminals, not our own government. … I’ve called President Obama to express my frustration over the damage the government is creating for all of our future. Unfortunately, it seems like it will take a very long time for true full reform.” Previously, at a mobile industry conference in Barcelona in February, Mr. Zuckerberg had called the NSA’s activities “way over the line.”
March 12, 2014
In an article in The Intercept based on and accompanied by documents leaked by Snowden, Glenn Greenwald described the automated system, codenamed TURBINE, that the TAO (Tailored Access Operations) unit of the NSA has developed to implant malware on millions of computers worldwide. In addition to NSA headquarters in Fort Meade, Maryland and an eavesdropping base in Japan, TURBINE is operated from the Menwith Hill satellite eavesdropping base in Northern England that the NSA operates in close cooperation with the GCHQ, which has played a major role in developing the automated malware implantation system.
Some of the targets of the malware attacks have been systems administrators at foreign phone and internet service providers, since compromising them, according to a post on an internal NSA message board, facilitates access to other targets of interest, including “any government official that happens to be using the network some admin takes care of.”
Among the techniques integrated into TURBINE is a man-on-the-side technique, codenamed QUANTUMHAND, in which the NSA hacks into the computers of targets and covertly siphons out their data by disguising itself as a Facebook server. After it was successfully tested against about a dozen targets, QUANTUMHAND, whose operation is demonstrated in a top-secret NSA animation, became operational in 2010. Matt Blaze, a surveillance and cryptography expert at the University of Pennsylvania, expressed concern about integrating QUANTUMHAND into the NSA’s automated TURBINE system. “As soon as you put this capability in the backbone infrastructure, the software and security engineer in me says that’s terrifying.”
The European Parliament voted through the EU General Data Protection Regulation (the “Regulation”) intended to “strengthen citizen’s rights and thereby help restore trust”. Although the vote cemented the position of the European Parliament, the Regulation will only become law if adopted by representatives of the 28 EU member states in the EU Council of Ministers.
The reforms in the Regulation include requiring businesses and organizations to obtain explicit consent from EU citizens for all processing of their data, establishing a “right to be forgotten,” or, in other words, to have online activity erased, and making EU data protection requirements apply globally to all companies that do business in the EU market, regardless of where they are based. EU regulators will be able to enforce the global application by fining companies up to 2% of their global annual turnover for noncompliance with data protection requirements.
While the previous EU data protection law was a directive or, in other words, a general rule subject to different implementation in the law of each EU member state, as a regulation, the proposed reform would be a law applying uniformly in all member states.
Endorsing the EU Parliament’s vote, Vice-President Viviane Reding, the EU’s Justice Commissioner stated that, “Data Protection is made in Europe. Strong data protection rules must be Europe’s trademark. Following the U.S. data spying scandals, data protection is more than ever a competitive advantage.”
Separately, the EU Parliament passed a resolution, based on its six-month inquiry into Snowden’s revelations about NSA surveillance, calling for the withholding of consent to the Transatlantic Trade and Investment Partnership (TTIP) agreement unless the US fully respects the privacy of EU citizens and institutions. The Resolution also called for immediately suspending the Safe Harbor principles that allow US companies to conduct business in the EU and for suspending the Terrorist Finance Tracking Programme (TFTP) agreement until the resolution of allegations that US authorities have violated the agreement by gaining access to EU citizens’ bank data. Additionally, the Resolution calls for the UK, France, Germany, Sweden, the Netherlands and Poland to respond to allegations that they have engaged in mass surveillance in violation of EU law and for the participants in the “9-eyes” (UK, Denmark, France and the Netherlands) and “14-eyes” arrangements between intelligence services (those countries plus Germany, Belgium, Italy, Spain and Sweden) to ensure that their intelligence services are subject to laws and oversight that comply with EU citizens’ fundamental rights.
March 10, 2014
The Director of the NSA, General Keith B. Alexander, replied to the letter of February 20 that the President of the American Bar Association (“ABA”) sent to express concern about the NSA’s possible monitoring of confidential communications between an American law firm and the foreign government that it was representing in trade talks. While stating that “it is not possible to address press reports about any specific alleged intelligence activities,” General Alexander nonetheless claimed that he could be “absolutely clear: NSA has afforded, and will continue to afford, appropriate protection to privileged attorney-client communications acquired during its lawful foreign intelligence mission…. Moreover, NSA does not and cannot ask its foreign partners to conduct any intelligence activity that it would be prohibited from conducting itself in accordance with U.S. law.” General Alexander thanked the ABA for “the thoughtful and constructive approach of [its] inquiry,” “[a]t a time when certain aspects of the reporting and commentary about the National Security Agency (NSA) shed more heat than light on important matters of security, liberty and privacy worthy of meaningful public discussion.”
General Alexander’s letter is available at http://www.americanbar.org/content/dam/aba/images/abanews/nsa_response_03102014.pdf
The ABA’s letter and the news reports that prompted it are described and linked to, respectively, in the entries for February 20 and February 15.
March 7, 2014
In an interview in The New York Times Magazine, the editor of The Guardian, Alan Rusbridger, said that, “One thing that Snowden has taught us journalists is that it’s essential to be paranoid.” Describing his reaction to having his patriotism questioned during a parliamentary hearing on the Snowden leaks, Rusbridger stated, “I believe you can love your country precisely because it is the sort of democracy that allows newspapers to write this kind of thing. And I would love my country less if it were the sort of country that destroyed journalistic material or locked up journalists or used the law in a heavy-handed way.”
In publicly released, written answers to questions by members of the European Parliament, Edward Snowden stated that “a European bazaar” has emerged “where an EU member state like Denmark may give the NSA access to a tapping center on the (unenforceable) condition that NSA doesn’t search it for Danes, and Germany may give the NSA access to another on the condition that it doesn’t search for Germans. Yet the two tapping sites may be two points on the same cable, so the NSA simply captures the communications of the German citizens as they transit Denmark, and the Danish citizens as they transit Germany ….”
Snowden also claimed that he had gone public only after more than ten NSA officials had failed to address the concerns he expressed, and that US whistleblowing laws and regulations would not have protected him since he was an Intelligence Community contractor.
March 4, 2014
The Royal United Services Institute (“RUSI”) announced the launch of its review of Internet surveillance practices in the UK and their control and oversight. Although undertaken at the request of Deputy Prime Minister Nick Clegg, the review “will be financed completely independently; not from government or from any party-political interest.” Professor Michael Clarke, the Director General of RUSI, will chair a panel of experts with backgrounds in technology, civil liberties, and intelligence. A report will be issued after the UK general elections in 2015.
March 3, 2014
In an opinion piece marking the biggest response thus far by any senior member of the UK government to Edward Snowden’s revelations, the Deputy Prime Minister, Nick Clegg MP, advocated substantial reform of the current legal framework governing intelligence surveillance. While firmly backing the intelligence services and stating that he had no “doubt that they comply with the legal framework set for them by parliament,” Mr. Clegg wrote that the issue is “whether the rules we have set are fit for the internet age”.
In particular, the Deputy Prime Minister argued for “greater transparency, and strong, exacting third-party oversight”. This should include annual transparency reports, reforms to the Intelligence & Security Committee of Parliament and to the forum that hears complaints about surveillance by the intelligence services, the Investigatory Powers Tribunal (IPT), and the creation of an inspector general for the UK intelligence services.
Further, Mr. Clegg argued that while the IPT’s decisions are currently unpublished and only appealable to the European Court of Human Rights, a right to appeal should be established within the UK and the reasons for the IPT’s rulings should be made public. Additionally, he urged reform of the Regulation of Investigatory Powers Act (RIPA), the legislation that governs surveillance by intelligence agencies, to make sure that the intelligence agencies’ actions are “proportionate and held properly accountable,” noting that “[t]he way we use the internet, and the scale of the data we generate, has changed beyond recognition” since RIPA was enacted in 2000. Mr. Clegg also welcomed the agreement by the Royal United Services Institute, an independent think tank on defense and security issues, to his request to undertake a review of the use of internet data for surveillance purposes.
February 28, 2014
In response to The Guardian’s revelation on February 27 of the GCHQ’s bulk collection of Yahoo webcam chats in its Optic Nerve program, members of the Senate Intelligence Committee Ron Wyden, Mark Udall and Martin Heinrich announced plans to investigate any role of the NSA in Optic Nerve. The Senators stated that, “We are extremely troubled … that a very large number of individuals – including law-abiding Americans – may have had private videos of themselves and their families intercepted and stored without any suspicion of wrongdoing. If this report is accurate it would show a breathtaking lack of respect for the privacy and civil liberties of law-abiding citizens.” The CEO of the Internet Association, the trade association representing Google, Amazon, Netflix, AOL, Twitter and other internet giants, stated that, “Today’s revelations, about British intelligence practices, are alarming and reaffirm the need for greater transparency and reform of government surveillance. … The most pressing Internet user privacy issue continues to concern governments’ access to and use of electronic data.”
Reporting on the effects of Snowden’s disclosures at the annual RSA conference this week, The New York Times stated that, “In hotel lobbies, conference rooms, panels and coffee shops, American executives and government officials were seen and heard having tortured conversations with their international counterparts as executives tried to convince their clients that their technologies did not contain legal or virtual back doors for the National Security Agency.” By contrast, German attendees saw Snowden’s disclosures as a boon for business, with one executive stating that many clients were considering moving their data to hardware in Germany since “the U.S. owns the cloud.” At the rival TrustyCon conference, which proceeded even though RSA’s organizers had attempted to convince the management of the conference space not to house it, cryptographer Bruce Schneier said, “We can’t trust anything to any level of certainty. On the one hand, it feels like paranoia. On the other hand, it seems the paranoid people were not creative enough.”
February 27, 2014
Documents leaked by Snowden show that beginning in 2008 and continuing at least through 2012, a GCHQ program named Optic Nerve used the GCHQ’s network of internet cable taps to collect still images of Yahoo webcam chats in bulk and save them to agency databases. GCHQ did not have the technical means to filter out images of UK or US citizens, and although bulk searches were restricted to metadata, analysts were able to see the faces of people whose user names were similar to those of surveillance targets. The purposes of Optic Nerve were to conduct experiments in automated facial recognition, to monitor existing GCHQ targets, and to discover new targets. The program was conducted even though a document from the mid-2000’s warned that, “One of the greatest hindrances to exploiting video data is the fact that the vast majority of videos received have no intelligence value whatsoever, such as pornography, commercials, movie clips and family home movies.”
February 26, 2014
The March 20, 2014 issue of The New York Review of Books includes an excerpt from a speech by Chancellor Merkel on January 29 in which she told the German Parliament that “[o]ur answer has to be no” to the questions of “Can it … be right that our closest partners like the United States or Great Britain obtain access to all conceivable data with the justification that this serves their own security and the security of their partners—from which we might also benefit? … Can it be right when it is finally no longer a matter of defense against the dangers of terrorism but rather of gaining advantages, even against allies, in negotiations at G20 summits or UN meetings …?”
February 23, 2014
Bild am Sonntag reported that a high level NSA employee in Germany had informed it that in reaction to President Obama’s ban on eavesdropping on Chancellor Merkel, the NSA had stepped up its surveillance of senior German government officials, including Interior Minister Thomas de Maiziere, a close confidant of Merkel. Bild am Sonntag quoted the NSA employee as stating, “We have had the order not to miss out on any information now that we are no longer able to monitor the chancellor’s communication directly.”
February 20, 2014
European Data Protection Supervisor (“EDPS”) Peter Hustinx issued an Opinion on the Communications of the Commission to the European Parliament and Council on November 27, 2013 on “Rebuilding Trust in EU-US Data Flows” and “The Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU.” Criticizing the Commission’s failure to consider the “impact on the existing and enforceable rights of EU citizens to respect for privacy and to the protection of their personal data,” the EDPS recommended “more ambitious” steps in response to Snowden’s revelations about NSA surveillance. In particular, “exceptions or restrictions to fundamental rights allowed for national security purposes are only justified and permissible if they are strictly necessary, proportionate and in line with the jurisprudence of the ECtHR and Court of Justice;” current negotiations on an “umbrella agreement” on EU-US law enforcement cooperation should “not legitimize massive data transfers;” and EU institutions and relevant entities in EU member states need to assume responsibility for “ensuring IT security,” including encouraging research on encryption and raising awareness of the privacy risks in products.
In a letter to the Director and General Counsel of the NSA, the President of the American Bar Association expressed concern over “recent press reports alleging that confidential communications between an American law firm and a foreign government that it represented on trade issues may have been monitored and intercepted by another nation’s intelligence service and then shared with NSA.” Although acknowledging “the critical role that NSA plays in gathering intelligence information and protecting our national security, and … that during the course of these activities, it is inevitable that certain communications between U.S. law firms and their clients may be collected or otherwise obtained by the agency,” the letter nonetheless requested clarification and explanation of “NSA’s current policies and practices that are designed to protect the attorney-client privileged status of information that it collects or receives, and whether those policies and practices were followed with respect to the alleged interception of privileged communications between the U.S. law firm and its overseas client referenced above.”
February 19, 2014
David Miranda, the partner of journalist Glenn Greenwald, has lost his legal battle at the High Court in the UK. Miranda claimed that his detention at Heathrow Airport under anti-terrorism legislation on August 18, 2013, during a layover on his way home to Brazil from Germany, on a trip transporting documents between Mr. Greenwald and journalist Laura Poitras, was unlawful and breached his human rights. The judges, however, disagreed, stating that it was a “proportionate measure in the circumstances”.
Lord Justice Laws spoke of the need to balance press freedom against national security, but concluded that “on the facts of this case, the balance is plainly in favour of the latter.”
Although the High Court has refused permission to appeal to the Court of Appeal, Mr Miranda intends to petition the Court of Appeal directly to hear his case.
The judgment of the court is available here: http://www.judiciary.gov.uk/Resources/JCO/Documents/Judgments/miranda-v-sofshd.pdf
The response by Mr Miranda can be viewed here: https://firstlook.org/theintercept/article/2014/02/19/uk-court-david-miranda-detention-legal-terrorism-law/
Edward Snowden has been elected as the rector of Glasgow University by students. In the second round of voting, he had a clear majority with 3,347 votes, comfortably beating clergyman Kelvin Holdsworth, who received 1,563 votes. He will serve a 3 year term.
The election has gained mixed views, with a former CIA intelligence officer, Prof Michael Scheuer, describing it as “naïve” and a “failure of the education system in teaching the importance of patriotism and loyalty to their country.” Daniel Ellsberg, who leaked the Pentagon Papers, disagreed and praised the students for their decision. He stated that Mr Snowden’s election would help highlight the issue of mass surveillance by government agencies.
February 18, 2014
Aides to Chairman of the Senate Judiciary Committee Patrick Leahy and the House Judiciary Committee said that they intended to seek more information about the reported spying by the NSA and the Australian Signals Directorate on an American law firm’s communications with its Indonesian government client during trade talks with the United States. In January, in connection with reports that the NSA had collaborated with the UK’s GCHQ to collect data from smart phone apps, Senator Leahy asked Attorney General Holder what protections were in place to prevent the NSA from doing “an end-run around U.S. surveillance rules, including the Fourth Amendment, obviously, by just going to another foreign agency and say, ‘Hey, we’re prohibited from collecting this information on Americans. Would you do it for us?’” Mr. Holder replied that an executive order prohibited the intelligence community from asking “a foreign government to collect information that we ourselves would not be able to collect. And so any attempt to have a foreign government acquire information that we are not permitted to gather ourselves would be inappropriate and a violation of that executive order.”
On the basis of documents leaked by Snowden, Glenn Greenwald and Ryan Gallagher reported in The Intercept on a joint NSA-GCHQ effort against what the U.S. government calls “the human network that supports WikiLeaks.” One of the documents shows that as of 2012, GCHQ was tapping into fiber-optic cables to collect the IP addresses of visitors to the WikiLeaks site in real time and the search terms that visitors used to reach the site through search engines. By using publicly available analytics software, GCHQ was also able to determine visitors’ countries of origin. Gus Hosein, the executive director of Privacy International, stated that the GCHQ’s surveillance was a “monitoring of political interests of Internet users [that] shows a systemic failure in the rule of law.”
February 17, 2014
In an interview with the German international broadcaster Deutsche Welle (“DW”), Green MEP Jan Philipp Albrecht reacted to Chancellor Angela Merkel’s proposal for a European communications network by stating that “we cannot just build borders which would give us some sort of a German or a Schengen zone internet.” Albrecht called for a reformed European data protection framework that would make it “clear that if somebody offers services to European citizens and consumers, these services need to comply with the rules of our market: data security and protection, better encryption, and more control for users.”
February 16, 2014
In her weekly podcast, Chancellor Angela Merkel of Germany publicly embraced proposals, which German companies like Deutsche Telekom have floated, to create European data networks that keep emails and other communications on the European side of the Atlantic and protect them from American surveillance. While Chancellor Merkel stated that she would discuss the matter with President François Hollande of France this week, at a news conference in Washington last week, Mr. Hollande stated that France and America were “making headway” in fighting against terrorism while protecting privacy and that “[m]utual trust has been restored.” In her podcast, Chancellor Merkel also stated that the European operations of companies like Google and Facebook were based in countries, which she did not name, “whose data protection is weakest,” and that “[t]hat is a situation which we … cannot countenance forever.”
Glenn Greenwald, Ewen MacAskill, Laura Poitras, and Barton Gellman received Polk awards for journalism for their reporting based on documents leaked by Snowden. In announcing the awards, John Darnton, the curator of the Polk Awards, stated that, “In the tradition of George Polk [a CBS News correspondent who was killed while covering the civil war in Greece in 1948], many of the journalists we have recognized did more than report news. They heightened public awareness with perceptive detection and dogged pursuit of stories that otherwise would not have seen the light of day.”
February 15, 2014
A document released by Snowden shows that in February 2013, the Australian Signals Directorate offered to provide the NSA with communications between Indonesia and the American law firm representing it in trade talks with the United States. After informing the NSA that “information covered by attorney-client privilege may be included” and obtaining “clear guidance” from the NSA General Counsel’s Office, the Australian agency was “able to continue to cover the talks, providing highly useful intelligence for interested US customers.”
Documents also show that the signals intelligence facility in Alice Springs, Australia is jointly run by NSA and the Australian Signals Directorate, with half the personnel coming from the NSA. Most of the collaboration has focused on eavesdropping on China, Indonesia and other Asian countries, and a 2012 document indicates that the NSA provided the Australian agency with bulk call data from Indonesian telecommunications provider Indosat, including data on various Indonesian government officials. According to a 2013 NSA document, the Australian agency obtained and developed a way to decrypt nearly 1.8 million encrypted master keys from the Indonesian Telkomsel cellular phone network.
An excerpt from the February 2013 document leaked by Snowden, which is an edition of a monthly bulletin of SUSLOC, the acronym for the NSA office that handles liaisons with Australian intelligence, is available at http://www.nytimes.com/2014/02/16/us/document-describes-eavesdropping-on-american-law-firm.html?emc=edit_tnt_20140215&tntemail0=y
In The Legal Times, Marcia Coyle opined that the revelation of the NSA’s monitoring of the American law firm’s communications with its Indonesian government client might provide an impetus for the Supreme Court to reconsider its decision in Clapper v. Amnesty Internat’l USA, 133 S.Ct. 1138 (2013), which makes it difficult, if not impossible, for plaintiffs to establish standing to challenge warrantless surveillance by the NSA under Sec. 702 of FISA, 50 U.S.C. Sec. 1881a. The petition for certiorari in CCR v. Obama, No. 13-802 (U.S. filed Jan. 2, 2014) could provide a vehicle for the reconsideration.
February 12, 2014
The UK’s most senior counter-terrorism officer, Cressida Dick, told the UK House of Commons’ home affairs select committee that Scotland Yard was investigating whether employees of The Guardian could face criminal charges, including for violating a section of the Terrorism Act 2000 that penalizes “elicit[ing], publish[ing] or communicat[ing]” information about members of the intelligence services with up to 10 years’ imprisonment.
February 10, 2014
In the first issue of The Intercept, a digital magazine created by Glenn Greenwald, Laura Poitras, and Jeremy Scahill and published by First Look Media (FLM), Scahill and Greenwald reported on a top secret program in which the NSA identifies targets for lethal drone strikes on the basis of metadata analysis and cell-phone tracking technologies. The CIA or U.S. military then uses information about the activity and location of the target’s presumed mobile phone to order drone strikes without confirming the target’s identity with operatives or informants on the ground. The article was based on documents leaked by Snowden and discussions with whistleblower Brandon Bryant, a former drone operator for the U.S. Air Force, and with a former drone operator with the U.S. military’s Joint Special Operations Command (JSOC)’s High Value Targeting task force, who spoke to Scahill and Greenwald on the condition of anonymity. Despite insisting on the program’s success in taking out terrorists, the former JSOC drone operator stated that it had “absolutely” resulted in the deaths of innocent people. He explained that, “Once the bomb lands or a night raid happens, you know that phone is there. But we don’t know who’s behind it, who’s holding it. … They might have been terrorists. Or they could have been family members who have nothing to do with the target’s activities.” The former JSOC drone operator became motivated to speak out when his efforts to alert superiors to the problems were stonewalled.
February 9, 2014
At the opening ceremony of the Berlin International Film Festival on February 6, the chairman of the festival’s international jury, James Schamus, said that America had learned a lot from Germany over the years, including by listening in on Germans’ phone calls. The interview with Snowden aired on German public television on January 26 was scheduled to be re-aired as part of the festival on February 10.
February 5, 2014
In a 2012 PowerPoint presentation that NBC News obtained from Snowden, the Joint Threat Research Intelligence Group (“JTRIG”) of GCHQ boasted of having used a distributed denial of service (“DDoS”) attack on chat rooms where members of Anonymous talked. The PowerPoint also indicated that JTRIG infiltrated Internet Relay Chat (“IRC”) rooms in order to identify hackers who had taken confidential information from websites, and detailed how the infiltration had led to arrests.
Before the publication of the PowerPoint, JTRIG’s existence had not been publicly disclosed. The DDoS attack against Anonymous is the first such attack that a Western government is known to have launched, and a further document leaked by Snowden states that GCHQ is increasing its emphasis on cyberattacks.
Although a spokesperson for GCHQ defended the legality of the agency’s operations, Privacy International questioned this, stating that “there is no legislation that clearly authorises GCHQ to conduct cyber attacks.” Calling the DDoS attack on Anonymous “silly,” Jason Healey, a top cyber security official under President George W. Bush, opined that DDoS attacks should only be used against other nation states.
GCHQ’s PowerPoint presentation is available at: http://msnbcmedia.msn.com/i/msnbc/sections/news/snowden_anonymous_nbc_document.pdf
February 4, 2014
The German newspaper Süddeutsche Zeitung reported that beginning in 2002 and perhaps earlier, U.S. intelligence agencies monitored former German Chancellor Gerhard Schröder. An unidentified U.S. source was quoted as stating that the monitoring of Schröder, a Social Democrat who opposed U.S. plans to declare war on Iraq, began because “we had reason to assume that he was not contributing to the success of the alliance.” In a statement to Süddeutsche Zeitung, Mr. Schröder said, “Back then, I would not have come to the idea of being monitored by the American intelligence services; now it no longer surprises me.”
February 3, 2014
A complaint against the German government for aiding spying by the NSA and GCHQ and violating citizens’ rights to privacy was filed with the German Federal Prosecutor General’s office by Europe’s largest association of hackers, the Chaos Computer Club (“CCC”), in cooperation with the International League for Human Rights (ILMR). The CCC website stated that, “We accuse US, British and German secret agents, their supervisors, the German Minister of the Interior as well as the German Chancelor [sic] of illegal and prohibited covert intelligence activities, of aiding and abetting of those activities, of violation of the right to privacy and obstruction of justice in office by bearing and cooperating with the electronic surveillance of German citizens by NSA and GCHQ,” and claimed that these activities were felonies under German federal law. The Federal Prosecutor’s Office is to process the complaint and decide whether to open a criminal investigation.
January 31, 2014
In an article co-authored by Glenn Greenwald, Canada’s CBC News reported, on the basis of documents leaked by Snowden, that over a two-week period in 2012, the Communications Security Establishment Canada (“CSEC”) indiscriminately collected metadata from the wireless devices of people who used the free Internet service at a major Canadian airport. The CSEC was then able to track the travellers and their devices for a week or more as they connected to Wi-Fi “hotspots” across Canada and in U.S. airports, and was even able to retrospectively track the travellers before they arrived at the airport where their metadata was collected. The CSEC intended to share the technology and the information generated from it with its Five Eyes partners.
The CSEC stated in writing to CBC News that it was “mandated to collect foreign signals intelligence to protect Canada and Canadians. And in order to fulfill that key foreign intelligence role for the country, CSEC is legally authorized to collect and analyze metadata.” By contrast, Ontario’s privacy commissioner Ann Cavoukian stated that, “It is really unbelievable that CSEC would engage in that kind of surveillance of Canadians. Of us. I mean that could have been me at the airport walking around… This resembles the activities of a totalitarian state, not a free and open society.” According to Cavoukian, openness, transparency and accountability are needed in regard to CSEC. “This trust-me model that the government is advancing and CSEC is advancing – ‘Oh just trust us, we’re doing the right thing, don’t worry’ — yes, worry! We have very good reason to worry.”
A redacted version of the top secret pdf in which CSEC describes the airport tracking is available at http://www.cbc.ca/news2/pdf/airports_redacted.pdf
January 30, 2014
The Huffington Post and Danish daily newspaper Information, which worked with Laura Poitras, reported on documents leaked by Snowden that described NSA spying in connection with the Copenhagen Climate Summit in 2009. A document posted on an internal NSA website on the opening day of the conference, December 7, 2009, stated that the NSA, together with its Five Eyes partners, “will continue to provide policymakers with unique, timely, and valuable insights into key countries’ preparations and goals for the conference, as well as the deliberations within countries on climate change policies and negotiation strategies.” Another document, posted on the internal NSA website on May 14, 2007, quotes then-Under Secretary of Defense for Intelligence, James R. Clapper, as stating that, “Increasingly the environment is becoming an adversary for us. And I believe that the capabilities and assets of the Intelligence Community are going to be brought to bear increasingly in assessing the environment as an adversary.”
The December 7, 2009 NSA document is available at http://big.assets.huffingtonpost.com/unclimatechangeconference.pdf
According to Danish legal experts, the NSA’s spying at the Copenhagen climate conference violated both Danish and international law. Anders Henriksen, head of the Center for International Law and Justice at the University of Copenhagen, stated that the 1946 Convention on the Privileges and Immunities of the United Nations would have protected UN diplomats against surveillance at the conference, “[a]nd my immediate interpretation would be that the same principles apply to diplomatic members of the various national delegations at a UN summit such as COP15 [the Copenhagen Climate Summit]. They have to be able to communicate confidentially with their home country.” According to Jørn Vestergaard, professor of Criminal Law at the University of Copenhagen, “Basically, breaking into other people’s computers or networks is a clear criminal offense in Denmark. This applies to casual hackers as well as to a foreign intelligence service like the NSA.” Mr. Vestergaard explained that obtaining a remedy would be problematic. “Traditionally, if spies are caught in the country while doing something illegal, they can be prosecuted, or diplomatic measures can be applied. But NSA employees would typically not be on site, because they work in places far from Denmark and spy via computers etc. Ultimately that leaves Denmark the only option of responding through diplomatic channels against a country like the United States, and it remains a political question whether Denmark wants to do that.”
January 29, 2014
A complaint will be brought on Monday alleging that the German Government and German Federal Intelligence Services cooperated with the NSA and also used the NSA’s XKeyscore tool to spy on Germans. The plaintiffs include the International Federation for Human Rights, computer activist Constanze Kurz, who is also a plaintiff in the ECHR lawsuit against the GCHQ, and other individuals and organizations.
The New York Times published an excerpt from an interview on January 26 on German public television station ARD in which Snowden stated that despite the anonymous threats to his life by U.S. intelligence officials that he’d read on Buzzfeed, he slept well knowing that he’d done the right thing. Snowden also characterized President Obama’s proposed reforms to the NSA surveillance programs as “minor changes to preserve authorities that we don’t need.” In a part of the interview not included in the NY Times video clip, Snowden cited Director of National Intelligence James Clapper’s testimony to Congress in March as “the breaking point” in his decision to become a whistleblower. “There’s no saving an intelligence community that believes it can lie to the public and the legislators who need to be able to trust it and regulate its actions. Seeing that really meant for me there was no going back.”
January 27, 2014
Documents leaked by Snowden and shared by The Guardian, The New York Times and ProPublica offer far more detail than previously reported about how the GCHQ and NSA have worked together since 2007 on acquiring data from smartphone apps. The GCHQ and NSA have both been particularly interested in using Google Maps to determine users’ locations and plans. In addition, a secret British intelligence document from 2012 indicates that users’ political allegiances and sexual orientations can be determined from app data. Flow charts produced by the GCHQ in 2012 divide the data acquired from smartphones into metadata, “social apps,” “geoapps,” “http linking,” webmail, MMS data associated with transmitting pictures and multimedia, and traffic associated with mobile ads.
Underlying documents from the NSA and GCHQ are available, respectively, at http://www.nytimes.com/interactive/2014/01/28/world/28mobile-annotateA.html and http://www.nytimes.com/interactive/2014/01/28/world/28mobile-annotateB.html
January 24, 2014
During a panel at the World Economic Forum in Davos, Switzerland, Aleksei K. Pushkov, the head of the foreign affairs committee for Russia’s lower house of Parliament, stated that “The U.S. has created a Big Brother system.” Mr. Pushkov also remarked that, “He will not be sent out of Russia. It will be up to Snowden,” and added that Snowden’s father believed his son could not get a fair trial in the United States. Senator John McCain responded that Snowden should be convicted, and former House member from California, Jane Harman, stated that Snowden should return to the U.S. to stand trial and spoke of 54 terrorist plots that the U.S. intelligence community had foiled.
The European Court of Human Rights (“ECHR”) has fast-tracked a challenge brought by English PEN, the Open Rights Group, Big Brother Watch and German internet activist Constanze Kurz against the GCHQ’s Tempora program and the UK’s use of information gathered by the NSA’s Prism program. Before the case proceeds further, the UK government will have until May 2 to submit written observations to the ECHR on, among other things, whether the applicants can claim that their privacy rights were violated, whether they exhausted legal remedies in the UK, and whether the GCHQ’s practices comport with the right to privacy. The applicants will be allowed to reply in writing to the UK’s submissions.
The ECHR’s letter to the applicants informing them of the fast-tracking and of the questions to which the UK has been asked to respond is available at https://www.documentcloud.org/documents/1009147-ltr-from-european-court-of-human-rights-copy.html.
The applicants’ complaint is available at https://www.privacynotprism.org.uk/assets/files/privacynotprism/496577_app_No_58170-13_BBW_ORG_EP_CK_v_UK_Grounds.pdf
January 23, 2014
In response to foreign customers’ concerns about the security of their data in the wake of Snowden’s revelations about NSA surveillance operations, Microsoft’s General Counsel, Brad Smith, announced that it would allow foreign customers to have their data held overseas. Although the new option will only be available to business and government customers, these customers will be able to choose the particular overseas data center where their data is held. An unnamed person at a leading internet company told The Financial Times that “being forced to set up data centres in every country would be prohibitively expensive, especially for start-ups that cannot afford facilities in multiple countries.” While acknowledging the expense, Mr. Smith responded, “does it mean that you ignore what customers want? That’s not a smart business strategy.” Mr. Smith also proposed that the EU and US sign an agreement prohibiting governments from using technology companies to access data outside their national boundaries.
January 21, 2014
Edward Snowden is to stand for the post of student rector at Glasgow University. The post, which is for a period of 3 years, includes bringing student concerns to the attention of university management and working with the students’ representative council. The rector is the elected representative of the students and the election for the position is due to take place next month.
The nomination was arranged through a group of students and Mr Snowden’s lawyers. The group of students was quoted as saying “Edward Snowden’s candidacy is a unique opportunity to show our gratitude to a brave whistleblower. He has shown a spirit of daring and self-sacrifice that is virtually absent in our public life.”
January 17, 2014
In a “comment” piece in The Guardian, Glenn Greenwald accused President Obama of proposing only cosmetic reforms to NSA surveillance. “Ultimately, the radical essence of the NSA – a system of suspicion-less spying aimed at hundreds of millions of people in the US and around the world – will fully endure even if all of Obama’s proposals are adopted.”
January 16, 2014
In a collaboration between The Guardian and UK Channel 4 News, it was disclosed that the NSA was collecting “almost 200 million text messages a day across the globe”. Codenamed “Dishfire”, the program extracts data that includes “location, contacts, banking details and travel itineraries” from messages as they are sent between countries.
While communications between US telephone numbers were “minimized” from the database, those from other countries, including the UK, were retained, and the GCHQ was provided access to the database. GCHQ lawyers determined that a specific warrant was needed to search through the contents of UK texts, but not needed to search the database to determine which numbers were in contact with which.
A spokesman for Vodafone, one of the world’s largest mobile phone companies with operations in 25 countries including the UK, stated that the company would be challenging the UK government over its use of Dishfire. “[F]or us as a business this is anathema because our whole business is founded on protecting privacy as a fundamental imperative.”
The White House announced that UK Prime Minister David Cameron had been briefed the day before President Obama’s speech on the 17th proposing changes to NSA surveillance.
January 14, 2014
The New York Times reported that the NSA has implanted software in nearly 100,000 computers around the world, enabling the US to conduct surveillance on those machines and creating a possible digital highway for launching cyberattacks.
While most of the software has been inserted through computer networks, through a program codenamed Quantum, the NSA has been able to conduct surveillance on computers that are not connected to the Internet through the use of a “covert channel of radio waves” since 2008. Although the program enables transmissions to be received miles away from the target, the radio frequency hardware “must still be physically inserted by a spy, manufacturer or an unwitting user”.
In an attempt to distinguish its implantation of software from Chinese implantation of similar software on American computer systems, the NSA claims that its software is used as an “active defense” against foreign cyberattacks, rather than an offensive tool.
Targets of the NSA program have included the Chinese Army and Russian military as well as trade institutions in the EU and such partners in the US fight against terrorism as Saudi Arabia, India and Pakistan. A well-known instance of the program was the Stuxnet attack on Iran’s nuclear enrichment plant in 2010.
The New York Times story was based, in part, on a December 29, 2013 Spiegel article on software developed by the NSA’s ANT division and a November 23, 2013 Dutch newspaper article that includes a map of the computer networks infected by NSA software. Both articles are described and linked to under those dates.
January 9, 2014
By a vote of 36-2 with one abstention, the European Parliament’s Justice and Civil Liberties Committee invited Edward Snowden to testify via video link as part of an investigation into how to protect the privacy of European citizens. Timothy Kirkhope, a British member from the European Conservatives and Reformists Group, dissented on the ground that Snowden “has endangered lives.”
January 8, 2014
The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs issued a 52-page draft report “on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs.” In addition to claiming that the NSA and GCHQ have both engaged in illegal dragnet surveillance programs, the Report claims that the UK government’s detention of David Miranda at Heathrow Airport and destruction of The Guardian’s computers violated the European Convention on Human Rights and the EU Charter. The Report also concludes that UK surveillance laws are outdated and in need of overhauling, and criticizes France, Germany and Sweden for running their own mass surveillance programs.
The Draft Report is available at: http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/dv/moraes_1014703_/moraes_1014703_en.pdf
January 1, 2014
An editorial in The Guardian calling for a pardon for Snowden concluded that, “We hope that calm heads within the present administration are working on a strategy to allow Mr Snowden to return to the US with dignity, and the president to use his executive powers to treat him humanely and in a manner that would be a shining example about the value of whistleblowers and of free speech itself.”