It's Grindr's Turn In The Barrel As America Finally Decides To Care About Consumer Privacy

from the standard-operating-procedure dept

Whatever you think about the Facebook Cambridge Analytica kerfuffle, it's pretty obvious that the scandal is causing a long overdue reassessment of our traditionally lax national privacy standards. While most companies talk a good game about their breathless dedication to consumer privacy, that rhetoric is usually pretty hollow and oversight borders on nonexistent. The broadband industry is a giant poster child for that apathy, as is the internet of very broken things sector. For a very long time we've made it abundantly clear that making money was more important than protecting user data, and the check is finally coming due.

While it may only be a temporary phenomenon, the Cambridge Analytica scandal is finally causing some much-needed soul searching on this front. And given how deep our collective privacy apathy rabbit hole goes, being sloppy with consumer data may actually bear witness to something vaguely resembling accountability for a little while. Case in point is gay dating site Grindr, which this week was hammered in the media after it was revealed that the company was sharing an ocean of data with app optimization partner companies, including location data and even HIV status.

Norwegian nonprofit SINTEF was commissioned to dig into the problem on behalf of Swedish public broadcaster SVT, which first broke the story. According to SINTEF, Grindr was also sharing its users’ precise GPS position, "tribe" (their preferred gay subculture), sexuality, relationship status, ethnicity, and phone ID with third-party advertising companies. And, because even "anonymized" data can never be truly considered anonymous, they concluded it isn't hard to identify these users based on this data.

Many were surprised that such a popular company would have such a casual disregard for its consumer privacy:

"Grindr is a relatively unique place for openness about HIV status,” James Krellenstein, a member of AIDS advocacy group ACT UP New York, told BuzzFeed News.

“To then have that data shared with third parties that you weren’t explicitly notified about, and having that possibly threaten your health or safety — that is an extremely, extremely egregious breach of basic standards that we wouldn’t expect from a company that likes to brand itself as a supporter of the queer community."

But again, this casual treatment of data isn't errant behavior on Grindr's part -- it's the norm. And in this case, many are correct to point out that in addition to it being problematic that users didn't know this data was being shared outside of the Grindr community, the exposure of the HIV data (which again was only with two app optimization companies) could potentially have placed people living in homophobic areas at risk of violence:

To its credit, Grindr wound up announcing that it would stop sharing HIV data with third parties, but not before the company issued a statement tinged with the usual lamentations about "misinformation." Several statements were made of the "everybody does it," flavor which didn't help the company's case. Grindr security chief Bryce Case also got defensive in comments to Axios about how the company was being "unfairly" singled out due to the Cambridge Analytica scandal:

"I understand the news cycle right now is very focused on these issues," Case said, but added, "I think what’s happened to Grindr is, unfairly, we’ve been singled out..."It’s conflating an issue and trying to put us in the same camp where we really don’t belong."

But nobody accused Grindr of doing what Cambridge Analytica did. They did however accuse the company of what's now fairly standard privacy apathy across countless industries, including overlong terms of service that don't make it clearer what data is being shared with whom, the sharing of some of private consumer data in unencrypted plain text (you know, like your television probably does), and sharing extremely-sensitive HIV status data that pretty clearly wasn't necessary for "app optimization":

"But some security experts say that this argument about whether the data was being sold to a third party for nefarious purposes or not misses the point: that HIV data is highly sensitive, and that sharing it with any outside companies is a move away from the security of its users.

"There was no reason for them to be storing that data with these analytics companies in the first place," Cooper Quintin, senior staff technologist and security researcher at the Electronic Frontier Foundation, told BuzzFeed News. "Grindr should be taking extra steps to secure this sort of very personal data."

It's understandable that Grindr doesn't want to be lumped in with Cambridge Analytica, and it's obvious that there's a vast chasm between sharing some data with ad optimization partners and using unauthorized data to disrupt elections. Still, companies like Grindr are lucky that this come to Jesus moment in consumer privacy didn't arrive years ago.

Assuming this concern for privacy isn't just a temporary fashion trend, Grindr's certainly not going to be the last company caught in the crossfire of what should be seen as a cultural learning process. And hopefully, some of the truly terrible players on this front (like the telecom sector) will ultimately witness their time in the barrel as well. Especially since what many wireless carriers have routinely been up to makes Grindr's privacy missteps look like child's play, and the government's response so far has been to make it easier than ever to violate consumer privacy.

Filed Under: data sharing, hiv status, location data, privacy
Companies: grindr

Both Facebook And Cambridge Analytica Threatened To Sue Journalists Over Stories On CA's Use Of Facebook Data

from the this-is-bad dept

I'm going to assume that you weren't living in an internet-proof cave this weekend, and caught at least some of the stories about Cambridge Analytica and Facebook. The news first kicked off with the announcement of a data protection lawsuit filed against Cambridge Analytica in the UK on Friday evening (we'll likely have more on that lawsuit soon), followed quickly by an attempt by Facebook to get out ahead of the coming tidal wave by announcing that it was suspending Cambridge Analytica and some associated parties from its platforms, claiming terms of service violations. This was quickly followed on Saturday with two explosive stories. The first, from Carole Cadwalladr at The Guardian, revealing a "whistleblower" from the very early days of Cambridge Analytica (who more or less set up how it works with data profiles) named Christopher Wylie. This was quickly followed up by another story at the NY Times, which was a bit more newsy, providing more details on how Cambridge Analytica got data on about 50 million people out of Facebook.

Admittedly -- much of this isn't actually new. The Intercept had reported something similar a year ago, though it only said it was 30 million Facebook users, rather than 50 million. And that story built on the work of a 2015 (yes, 2015) story in the Guardian discussing how Cambridge Analytica was using data from "tens of millions" of Facebook users "harvested without permission" in support of Ted Cruz's presidential campaign.

There's a lot of heat on this story right now, and a lot of accusations being thrown around, and I'll admit that I'm not entirely sure where I come down on the details yet. I assume people on basically both sides of this issue will scream at me and call me names over this, but there's too much going on to fully understand what happened here. I will note that, in that Guardian story in 2015, Cruz told the publication that this data collecting and targeting effort was "very much the Obama model." And political consultant Patrick Ruffini has a well worth reading Twitter thread arguing that people are overreacting to much of this, and that the 2012 Obama campaign did the exact same thing, and was celebrated for its creative use of data and targeting on the internet. Ad tech guy Jay Pinho makes the same point as well. Here's a Time article from 2012 excitedly talking up how the Obama campaign used Facebook in the same way:

That’s because the more than 1 million Obama backers who signed up for the app gave the campaign permission to look at their Facebook friend lists. In an instant, the campaign had a way to see the hidden young voters. Roughly 85% of those without a listed phone number could be found in the uploaded friend lists.

Of course, there is one major difference between the Obama one and the Cambridge Analytica one, which involves the level of transparency. With the Obama campaign, people knew they were giving their data (and friend's data) to the cause of re-electing Obama. Cambridge Analytica got its data by having a Cambridge academic (who the new Guardian story revealed for the first time is also appointed to a position at St. Petersburg University) set up an app that was used to collect much of this data, and misled Facebook by telling them it was purely for academic purposes, when the reality is that it was setup and directly paid for by Cambridge Analytica with the intent of sucking up that data for Cambridge Analytica's database. Is that enough to damn the whole thing? Perhaps.

As for the claims that this is just the same old Facebook model of selling everyone's data... that was not true and still is not accurate. Facebook doesn't sell your data. It sells access to its users via the data it has on you. That may not seem different, but it is different. But the lines do seem to get a bit blurry, as it appears that Cambridge Analytica, via its partnership with the professor Dr. Aleksander Kogan (who apparently briefly changed his name to -- I kid you not -- Dr. Spectre) and his "Global Science Research," basically paid people via Amazon's Mechanical Turk to do a "personality assessment" on Facebook that, as part of the process, exposed information about their entire social graph, which GSR apparently hoovered up and passed along to Cambridge Analytica.

At the very least, it can be said that Facebook should have recognized much earlier that this could and would be done, and to understand the potential privacy problems related to it. Facebook has a fairly long and painful history of not quite realizing how what it does impacts people's privacy, and this is one more example.

But, it's raising a bigger question, as well, and it's one that caused Facebook to do something that I'll definitively call as "incredibly stupid," which is that it threatened to sue the Guardian over its story, mainly because the Guardian story refers to this whole mess as a "data breach" for Facebook's data.

And, of course, Facebook wasn't the only one who threatened to sue. Cambridge Analytica did too:

The Observer also received the first of three letters from Cambridge Analytica threatening to sue Guardian News and Media for defamation.

There are issues of terminology here. Facebook, in its post, is adamant that what happened is not a "breach"

The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.

There are legal reasons why Facebook is so concerned about whether or not this is a "breach" and, let's face it, the company is about to face a million and a half lawsuits over this, not to mention government investigations (already Senator Amy Klobuchar has demanded Mark Zuckerberg's head on a platter testimony before the Senate and Massachusetts' Attorney General Maura Healey has announced the opening of an investigation, and there have also been rumblings out of the UK and the EU, as well as the FTC). But, there are also some fairly important legal obligations if this was a "breach" in the traditional sense, such as disclosing that to those impacted by the breach.

I'm not entirely sure where I come down on the breach question. It doesn't feel like a traditional breach. It wasn't that Facebook coughed up this info, it was its users coughed up the info... and Facebook just made it easy for this outside "academic" to hoover up all that info by paying a bunch of people to take dopey personality quizzes. However, as the Guardian's Alex Hern points out, how do you distinguish what Kogan/GSR/Cambridge Analytica did from social engineering to get information.

Of course, there is something of a difference: it still wasn't Facebook per se coughing up the info. It was Facebook's own users. And, you might even argue that if you believe that Facebook doesn't "own" all this data in the first place, that it was actually those Facebook users coughing up a bunch of their own data -- including lots of data about their friends. Needless to say, this is a mess where a lot more transparency might help, and that transparency is going to be forced upon Facebook with a sledgehammer in the near near future.

But, regardless of where you come down on all of this, Facebook threatening defamation against the Guardian for calling this a data breach is ludicrous and Facebook should be ashamed and apologize. Even as it clearly disagrees with how the Guardian characterized much of the story, that's no excuse to whip out defamation threats. Not only is it incredibly stupid from a Facebook PR perspective (and makes the company look like a giant bully), it suggests that the company still has absolutely no fucking clue how to communicate with the press and the public about how its own platform works.

It's actually quite incredible to recognize just how big Facebook has gotten in the face of how little it seems to understand about what its own platform does.

Filed Under: aleksander kogan, christopher wylie, data, data breach, data sharing, elections, transparency
Companies: cambridge analytica, facebook, global science research

Congress Fast-Tracks Bill That Would Give DHS Agencies Access To NSA Collections

from the natsec-promiscuity dept

As a parting gift to the incoming president, Barack Obama approved information-sharing rules which gave sixteen federal agencies access to unminimized NSA collections. The whole list of agencies involved in the information sharing can be found at the ODNI's (Office of the Director of National Intelligence) website:

Two independent agencies—the Office of the Director of National Intelligence (ODNI) and the Central Intelligence Agency (CIA);

Eight Department of Defense elements—the Defense Intelligence Agency (DIA), the National Security Agency (NSA), the National Geospatial- Intelligence Agency (NGA), the National Reconnaissance Office (NRO), and intelligence elements of the four DoD services; the Army, Navy, Marine Corps, and Air Force.

Seven elements of other departments and agencies—the Department of Energy’s Office of Intelligence and Counter-Intelligence; the Department of Homeland Security’s Office of Intelligence and Analysis and U.S. Coast Guard Intelligence; the Department of Justice’s Federal Bureau of Investigation and the Drug Enforcement Agency’s Office of National Security Intelligence; the Department of State’s Bureau of Intelligence and Research; and the Department of the Treasury’s Office of Intelligence and Analysis.

Yes, the collected communications can be masked to protect the identities of US persons, but that call is made on a case-by-case basis by the NSA and there are several government officials with the power to demand unminimized access.

This just isn't enough sharing, apparently. Patrick G. Eddington of CATO reports a new bill is being quickly and quietly pushed through the House to expand this sharing to several more federal agencies.

Introduced on April 26 by Rep. John Katko (R-NY), the “Improving Fusion Centers’ Access to Information Act” (HR 2169) is designed to plug any “information gaps” in state “fusion centers” by modifying the Homeland Security Act of 2002 to require DHS to

identify Federal databases and datasets, including databases and datasets used, operated, or managed by Department components, the Federal Bureau of Investigation, and the Department of the Treasury, that are appropriate, in accordance with Federal laws and policies, to address any gaps identified pursuant to paragraph (2), for inclusion in the information sharing environment and coordinate with the appropriate Federal agency to deploy or access such databases and datasets;

The DHS is already on the list of agencies with access to NSA collections. This bill would allow it to give underling agencies access to the same info. Some notable three-letter agencies on that list include CBP, ICE, and TSA. While the NSA's collections are supposed to serve a national security purpose, the FBI uses its access for standard criminal investigations. There's no reason to believe these agencies won't do the same.

But the bill has friends everywhere in the House. The bill was passed after 40 minutes of debate, thanks to a suspension of normal voting rules. The normal concerns for national security were voiced, but nothing was said of the NSA collection's routine use in routine, domestic criminal investigations. That Congress considers expanded information sharing with domestic security agencies "non-controversial" (hence the sped-up voting process) is an indication of the majority's view of the privacy/security balancing act.

Worse, if the bill becomes law, the worst, most ineffective parts of the DHS will be given access to data and communications gathered by the NSA. Fusion centers -- which are already known for being mostly useless, when not actively doing damage to Constitutional rights -- will have even more information to misuse. The bill would give bicycles to fish in all 50 states. The only thing guaranteed is the new powers will be used badly. Eddington quotes from a 2012 report from the Senate Homeland Security Committee, which found DHS Fusion Centers to be expensive, useless, and a harm to the public.

The Department of Homeland Security estimated that it had spent somewhere between $289 million and $1.4 billion in public funds to support state and local fusion centers since 2003, broad estimates that differ by over $1 billion.

The investigation found that DHS intelligence officers assigned to state and local fusion centers produced intelligence of “uneven quality – oftentimes shoddy, rarely timely, sometimes endangering citizens’ civil liberties and Privacy Act protections, occasionally taken from already-published public sources, and more often than not unrelated to terrorism.”

This is where the NSA's collections will ultimately end up: in the hands of DHS branch offices that do little more than repeatedly screw up. Only now, they'll be able to do significantly more harm to Americans' civil liberties. Add to that the routine clusterfuck that is the CBP, ICE, and TSA, and you have a recipe for massive Fourth Amendment violations under the pretense of national security.

Filed Under: congress, data sharing, dhs, nsa, surveillance

Mounting Privacy Problems In Europe For Facebook's Acquisition Of WhatsApp

from the statement-of-objections dept

When it comes to online privacy, the European data protection authorities tend to be quite interventionist as they try to police the movement of personal data within and out of the EU. The concerns over the Safe Harbor and Privacy Shield frameworks are one manifestation of this. Another is the increasing EU scrutiny of Facebook's purchase of WhatsApp.

A couple of years after Facebook acquired WhatsApp, the latter announced that it was updating its terms and privacy policy so as to allow user data to be transferred to its parent company. Johannes Caspar, the Commissioner for Data Protection and Freedom of Information in Hamburg, where Facebook has its German headquarters, was unhappy with that move. He saw it as harmful to users' privacy, not least because there was no way to opt out of the data sharing. In September last year, he ordered Facebook to stop collecting data from WhatsApp, and to delete anything it had already brought across. Facebook appealed against the decision, and the Administrative Court of Hamburg has now handed down its ruling, which is to deny the US giant's request for Caspar's order to be revoked (pdf):

Facebook has appealed to the administrative court against the order in the preliminary proceedings. The goal was to repeal the immediate enforcement. The court rejected this request today and clarified the fact that it does not see any legal basis for the planned data exchange. Facebook can not invoke interests of its own business because the complete data exchange is neither necessary for the purpose of network security or business analysis nor for advertising optimization. Furthermore, the court clarifies that there is no effective consent from WhatsApp users for a data exchange with Facebook. As a result, the administrative court is making a clear consideration in the context of the preliminary legal proceedings: the interests of the approximately 35 million German WhatsApp users predominates the economic interest of Facebook in a suspension of immediate enforceability.

That's not the only problem Facebook faces in Europe. A little while after WhatsApp announced that it would be consolidating its user data with Facebook, the European Commission sent what is called a "Statement of Objections" to Facebook, alleging that:

the company provided incorrect or misleading information during the Commission's 2014 investigation under the EU Merger Regulation of Facebook's planned acquisition of WhatsApp.

The problem is that:

When reviewing Facebook's planned acquisition of WhatsApp, the Commission looked, among other elements, at the possibility of Facebook matching its users' accounts with WhatsApp users' accounts. In its notification of the transaction in August 2014 and in a reply to a request of information, Facebook indicated to the Commission that it would be unable to establish reliable automated matching between the two companies' user accounts.

Once WhatsApp and Facebook started carrying out precisely that kind of automated data matching last year, the Commission naturally wondered whether Facebook had been totally frank in its answers. The company had until January 31 to explain itself, and the Commission is now deciding whether it feels it was given misleading information. If it does, the consequences may be quite costly. Under EU law, Facebook could be fined 1% of its global turnover -- which would amount to around $179 million based on 2015 revenues. On its own, that probably wouldn't be too much of a problem for the deep-pocketed company. But combined with the ruling in Germany, and the possibility that data protection authorities in other countries will follow suit -- the law is the same throughout the EU, after all -- these European concerns about privacy are turning into a major a headache for Facebook.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: data protection, data sharing, eu, germany, privacy, privacy shield
Companies: facebook, whatsapp

If Open Sharing Of Data Is A Great Idea For Combatting A Dangerous Plant Disease, Why Not For All Human Diseases?

from the won't-somebody-think-of-the-wheat? dept

Wheat blast may not be uppermost in the minds of many Techdirt readers, but as the following explains, it's a serious plant disease that is spreading around the world:

Wheat blast is a fearsome fungal disease of wheat. It was first discovered in Paraná State of Brazil in 1985. It spread rapidly to other South American countries such as Colombia, Bolivia, Paraguay, and Argentina, where it infects up to 3 million hectares and causes serious crop losses. Wheat blast was also detected in Kentucky, USA, in 2011.

Wheat blast is caused by a fungus known as Magnaporthe oryzae although scientists are still debating its exact identity. There is a risk that wheat blast could expand beyond South America and threaten food security in wheat growing areas in Asia and Africa.

That comes from an interesting site called Open Wheat Blast. It's been set up by a group of scientists who want to help combat the threat of wheat blast. And as their name suggests, they hope to do that by sharing data as widely as possible:

To rapidly respond to this emergency, our team is making genetic data for the wheat blast pathogen available via this website and we are inviting others to do the same. Our goal is that the OpenWheatBlast website will provide a hub for information, collaboration and comment. Collectively, we can better exploit the genetic sequences and answer important questions about the nature of the pathogen and disease.

That's such a self-evidently sensible thing to do, the obvious question to ask is: why isn't this done routinely -- and for human diseases too? In fact, a couple of months ago, 33 global health bodies signed a "Statement on data sharing in public health emergencies," with particular emphasis on sharing data about the Zika virus:

The arguments for sharing data, and the consequences of not doing so, have been thrown into stark relief by the Ebola and Zika outbreaks.

In the context of a public health emergency of international concern, there is an imperative on all parties to make any information available that might have value in combatting the crisis.

We are committed to working in partnership to ensure that the global response to public health emergencies is informed by the best available research evidence and data

That declaration built on a "consensus statement" that came out of World Health Organization consultation on "Developing global norms for sharing data and results during public health emergencies" in September 2015. One of the summary points spells out the key issue holding back open sharing of key information:

WHO seeks a paradigm shift in the approach to information sharing in emergencies, from one limited by embargoes set for publication timelines, to open sharing using modern fit-for-purpose pre-publication platforms. Researchers, journals and funders will need to engage fully for this paradigm shift to occur.

As that makes clear, a big problem is the way that results are published, with researchers and publishers more interested in keeping their results under wraps for a while than spreading them widely and quickly. And there's another issue too:

Patents on natural genome sequences could be inhibitory for further research and product development. Research entities should exercise discretion in patenting and licensing genome-related inventions so as not to inhibit product development and to ensure appropriate benefit sharing.

It's a rather sad state of affairs when publishing concerns and patents are getting in the way of producing treatments and cures for serious human diseases that could improve the lives of millions of people. Protecting crops from wheat blast is, of course, welcome, but is it really the best we can do?

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: data sharing, diseases, open access, patents, research, wheat blast

ODNI Lawyer Bob Litt Says There's No NSA Data Sharing With Law Enforcement... If You Don't Count The FBI, DEA, Etc.

from the a-fine-guest-post-full-of-classic-debunkables dept

Just when we thought some surveillance reforms might stick, the administration announced it was expanding law enforcement access to NSA data hauls. This prompted expressions of disbelief and dismay, along with a letter from Congressional representatives demanding the NSA cease this expanded information sharing immediately.

This backlash prompted Office of the Director of National Intelligence General Counsel Robert Litt to make an unscheduled appearance at Just Security to explain how this was all a matter of everyone else getting everything wrong, rather than simply taking the administration at its word.

There has been a lot of speculation about the content of proposed procedures that are being drafted to authorize the sharing of unevaluated signals intelligence. While the procedures are not yet in final form, it would be helpful to clarify what they are and are not. In particular, these procedures are not about law enforcement, but about improving our intelligence capabilities.

As Litt explains it, everything about this is lawful and subject to a variety of policies and procedures.

These procedures will thus not authorize any additional collection of anyone’s communications, but will only provide a framework for the sharing of lawfully collected signals intelligence information between elements of the Intelligence Community. Critically, they will authorize sharing only with elements of the Intelligence Community, and only for authorized foreign intelligence and counterintelligence purposes; they will not authorize sharing for law enforcement purposes. They will require individual elements of the Intelligence Community to establish a justification for access to signals intelligence consistent with the foreign intelligence or counterintelligence mission of the element. And finally, they will require Intelligence Community elements, as a condition of receiving signals intelligence, to apply to signals intelligence information the kind of strong protections for privacy and civil liberties, and the kind of oversight, that the National Security Agency currently has.

So, this all sounds like it has nothing to do with law enforcement. Just intelligence "elements" from the community. Except that law enforcement and intelligence agencies are hardly separate entities. We already know the NSA is allowed to "tip" data to the FBI if it might be relevant to criminal investigations. There's no clear dividing line between intelligence and law enforcement -- not with law enforcement's steady encroachment into national security territory. When Litt says "only intelligence agencies," he's actually referring to several law enforcement agencies, as Marcy Wheeler points out.

As a threshold matter, both FBI and DEA are elements of the intelligence community. Counterterrorism is considered part of FBI’s foreign intelligence function, and cyber investigations can be considered counterintelligence and foreign intelligence (the latter if done by a foreigner). International narcotics investigations have been considered a foreign intelligence purpose since EO 12333 was written.

In other words, this sharing would fall squarely in the area where eliminating the wall between intelligence and law enforcement in 2001-2002 also happened to erode fourth amendment protections for alleged Muslim (but not white supremacist) terrorists, drug dealers, and hackers.

So make no mistake, this will degrade the constitutional protections of a lot of people, who happen to be disproportionately communities of color.

And, to go back to Litt's statement, the whole thing starts with a dodge:

These procedures will thus not authorize any additional collection of anyone’s communications…

This is something no one has actually claimed. What people are concerned about is the NSA using its massive collection abilities to become an extension of domestic law enforcement, rather than the foreign-focused entity it's supposed to be.

And, as for Litt's claims that everything is subject to clearly-defined rules on minimization, those are also false. First off, the expanded permissions originate under Executive Order 12333, which has been revised in secret on more than one occasion -- all without the full participation of Congressional oversight. Not only that, but agencies that are recipients of unminimized data from the NSA are supposed to apply their own minimization procedures to better ensure "strong protections for privacy and civil liberties." Wheeler notes that two recipients have yet to put any minimization procedures in place, despite having had years to do so.

I also suspect that Treasury will be a likely recipient of this data; as of February 10, Treasury still did not have written EO 12333 protections that were mandated 35 years ago (and DEA’s were still pending at that point).

The backdoor search loophole has yet to be closed (which gives the FBI access to unminimized data and communications obtained via Section 702) and these agencies -- along with two consecutive, very compliant administrations -- have been tearing down any walls between the NSA and law enforcement for several years now.

Litt's reassurances are worthless. It namechecks all the stuff we know is mostly worthless: oversight, minimization procedures, the frankly laughable idea that the FBI cares more about privacy and civil liberties than making busts, etc. and asks us to believe that a tangled thicket of secretive agencies and even-more-secretive laws are all designed to protect us from government overreach.

Filed Under: bob litt, data sharing, dea, fbi, law enforcement, nsa, odni

Congressional Reps Tell NSA To Cease Sharing Unminimized Data With Domestic Law Enforcement Agencies

from the the-fed's-Big-Brother-program:-'adopt'-a-domestic-agency! dept

The FBI announced (without going into verifiable detail) that it had implemented new minimization procedures for handling information tipped to it by the NSA's Prism dragnet. Oddly, this announcement arrived nearly simultaneously with the administration's announcement that it was expanding the FBI's intake of unminimized domestic communications collected by the NSA.

So, which was it? Was the FBI applying more minimization or was it gaining more raw access? The parties involved have so far refused to offer any further details on either of the contradictory plans, save for vague assurances about the lawfulness of both options.

Fortunately, a few legislators have stepped up to do something about it. Megan Geuss of Ars Technica reports that Reps. Ted Lieu and Blake Farenthold have sent a letter to the NSA telling it to hold off on its plans to share unminimized data and communications with domestic intelligence agencies… at least until it's been discussed publicly.

We respectfully request you confirm whether the NSA intends to routinely provide intelligence information-collected without a warrant-to domestic law enforcement agencies. If the NSA intends to go down this uncharted path, we request that you stop. The proposed shift in the relationship between our intelligence agencies and the American people should not be done in secret. The American people deserve a public debate. The United States has a long standing principle of keeping our intelligence and military spy apparatus focused on foreign adversaries and not the American people.

The letter points out that while Congress has granted the NSA "extraordinary authority" to conduct warrantless surveillance and harvest massive amounts of data, it has not done so for domestic intelligence and law enforcement agencies. But that deliberate limitation of powers has been undone by the administration's expansion. It may be indirect -- requiring the assistance of the NSA -- but it accomplishes the same purpose: giving warrantless surveillance and bulk collection powers to domestic agencies by proxy.

The letter -- sent to the heads of a variety of Congressional committees -- pulls no punches in its comparative depiction of this overreach.

We believe allowing the NSA to be used as an arm of domestic law enforcement is unconstitutional. Our country has always drawn a line between our military and intelligence services, and domestic policing and spying. We do not -- and should not -- use U.S. Army Apache helicopters to quell domestic riots; Navy Seal Teams to take down counterfeiting rings; or the NSA to conduct surveillance on domestic street gangs.

What's most amazing about the administration's move is that it followed -- directly -- two and a half years of NSA document leaks, their accompanying protests, lawsuits and backlash, the passage of the USA Freedom Act and an intense debate over the lawfulness of the PATRIOT Act. Add to that the fact that it was dropped right in the middle of a heated legal battle that has shown the FBI to be both grasping for power and incapable of telling the truth -- and it clearly shows the administration is so insulated from the collateral damage of a decade-plus of constantly expanding surveillance powers as to be completely unable to detect shifts in tone.

Filed Under: blake farenthold, data sharing, doj, dragnet, fbi, minimization, nsa, ted lieu

DOJ Agrees To Hand Over Document To EPIC, But Only Because The Document Has Already Been Made Public

from the damn-foreigners dept

EPIC is reporting that the DOJ has finally caved and is handing over a document it requested last fall. The document EPIC sought was the "Umbrella Agreement" between the US and Europe on the handling of each entities' citizens' data.

On September 8, 2015, European and US officials announced that they have concluded an agreement, the so-called Umbrella Agreement, which is a framework for transatlantic data transfer between the US and the EU. The proposed goal of the Agreement is to provide data protection safeguards for personal information transferred between the EU and the US. Despite the announcements, neither US officials nor their European counterparts made the text of the Agreement public.

Two days after this announcement, EPIC filed expedited FOIA requests on both sides of the pond for the text of this agreement, arguing (logically) that the people this would affect had a right to know what their governments were agreeing to. EPIC specifically had concerns that the US would offer less protection to foreign citizens' data than to its own citizens, given that it has historically refused to extend these niceties to those residing elsewhere on the planet.

The DOJ has provided EPIC with a copy of the agreement. In doing so, it hopes to bring to an end EPIC's FOIA lawsuit against the agency. But the DOJ notes in the letter attached to the agreement that it's only doing so in the most begrudging fashion. If only its partners on the other side of the Atlantic hadn't blinked first…

After carefully reviewing the record responsive to your request, I have determined that, as a matter of discretion, this document may be released in full. While this record is likely subject to Exemption 5, which concerns certain inter- and intra-agency communications protected by the deliberative process privilege, given the fact that the European Commission has provided you with a copy of the record and is making the file publicly available on its website, I have determined to release the record as a matter of discretion.

That's the "most transparent administration" at work. The European Parliament released the agreement on September 14, 2015 -- six days after the announcement. The DOJ, on the other hand, held out for nearly six months and is only releasing it because it's already in the public domain. And it's arguing that it should still be exempt as a "deliberative document" -- using the government's most-abused FOIA exemption -- even when another, larger government agency has determined the document deserves no such protection.

Filed Under: data sharing, doj, eu, privacy, surveillance, umbrella agreement, us
Companies: epic

UK's Secretive Court Says Intelligence Sharing Between NSA And GCHQ Was Unlawful In The Past -- But Now It Isn't

from the power-of-transparency dept

Techdirt has written about the Investigatory Powers Tribunal (IPT), which reviews complaints about surveillance in the UK, a number of times, noting that in addition to being secretive, it is pretty toothless, and generally approves of everything that the UK's secret services get up to. Against that background, a ruling released today by the IPT is pretty surprising:

British intelligence services acted unlawfully in accessing millions of people's personal communications collected by the NSA, the Investigatory Powers Tribunal ruled today. The decision marks the first time that the Tribunal, the only UK court empowered to oversee GHCQ, MI5 and MI6, has ever ruled against the intelligence and security services in its 15 year history.

The Tribunal declared that intelligence sharing between the United States and the United Kingdom was unlawful prior to December 2014, because the rules governing the UK’s access to the NSA’s PRISM and UPSTREAM programmes were secret. It was only due to revelations made during the course of this case, which relied almost entirely on documents disclosed by NSA whistleblower Edward Snowden, that the intelligence sharing relationship became subject to public scrutiny.

As that explanation by Privacy International -- one of four claimants in this case -- mentions, the IPT found that sharing intelligence between the NSA and GCHQ was illegal, but now isn't. Here's why:

In a previous December 2014 ruling, the IPT held that GCHQ's access to NSA data was lawful from that time onward because certain of the secret policies governing the US-UK intelligence relationship were made public during Privacy International's case against the security services. Yet that belated disclosure could not remedy the lack of transparency regarding the UK-US sharing prior to December 2014, meaning that all UK access to NSA intelligence material was unlawful before the Court’s judgement.

Rather bizarrely, the complaint about GCHQ's illegal actions in the past has made subsequent actions legal, at least according to the IPT. Two of the claimants in the case now hope to build on this judgment by asking the IPT to confirm that communications were collected unlawfully before December 2014, and to demand their deletion. Parallel to that, they also intend to appeal against the ruling that since then, intelligence sharing between the NSA and GCHQ has been legal:

While we welcome today's decision, Privacy International and Bytes for All disagree with the tribunal's earlier conclusion that the forced disclosure of a limited subset of rules governing intelligence-sharing and mass surveillance is sufficient to make GCHQ's activities lawful as of December 2014. Both organisations will shortly lodge an application with the European Court of Human Rights challenging the tribunal's December 2014 decision.

So the battle to bring GCHQ's massive surveillance program under control, with proper safeguards for the public and meaningful oversight, continues. But at least a first victory has been gained from an unexpectedly helpful IPT.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: data sharing, gchq, investigatory powers tribunal, ipt, nsa, privacy, surveillance, uk
Companies: privacy international

European Union's Highest Court To Consider PRISM's Impact On EU Data Protection Laws

from the is-the-'safe-harbor'-safe? dept

Back in 2011, we wrote about an Austrian citizen, Max Schrems, who asked Facebook to send all of the personal data that it held on him -- and received a CD-ROM with some 800 pages of it. Schrems and his organization, Europe v Facebook (EvF), are now trying to find out whether the so-called "Safe Harbor" framework, which allows US companies to transfer personal data out of Europe if they promise to provide certain levels of data protection, is now void in the light of Edward Snowden's revelations of the complicity of US computer companies in NSA spying through the PRISM system.

Initially, Schrems and EvF asked the Irish data protection commissioner to investigate whether Facebook had transferred the personal data of Europeans to the NSA -- the legal action was launched in Ireland because Facebook has its European headquarters there. The commissioner refused, calling the action "frivolous and vexatious". So EvF appealed, and as Gigaom reports, the Irish High Court's Judge Hogan has just handed down his verdict:

Hogan disagreed that Schrems was a vexatious complainer, saying that in the wake of Edward Snowden's NSA revelations his concern was justified. He also said that, although Schrems clearly had no definitive evidence that the principles of the Safe Harbor agreement were being violated, he was "nonetheless certainly entitled to object to a state of affairs where his data are transferred to a jurisdiction which, to all intents and purposes, appears to provide only a limited protection against any interference with that private data by the U.S. security authorities."

Because the questions raised by Schrems and EvF are so far-reaching for the whole of the European Union, Hogan referred the case to Europe's highest court, the EU Court of Justice (EUCJ), posing the following questions:

Is the [Irish data protection] watchdog "absolutely bound" by the European Commission's view 14 years ago that the U.S. adequately protects personal data, or "alternatively, may the office holder conduct his or her own investigation on the matter in the light of factual developments in the meantime since that Commission Decision was first published?"

Although the EUCJ is not being asked directly to consider Snowden's revelations about the NSA surveillance of Europeans through PRISM and other programs, and whether that spying undermines the entire Safe Harbor agreement, it seems inevitable that the court will need to address those issues in coming to its decision. As we've reported before, there are already calls from the European Parliament to suspend the Safe Harbor scheme -- something that would be pretty disastrous for US computer companies operating in Europe. At the very least, this latest development will add to the pressure there to revise the framework to address its manifest weaknesses.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: data sharing, eu court of justice, eu safe harbor, max schrems, prism, privacy
Companies: facebook