Investigation Finds The UK's Spy Agency Did Not Break Any Laws When It Tapped Into PRISM Data

from the of-course-it-didn't...-nothing-ever-does dept

In case anybody thought UK's GCHQ may have broken a law or two by pulling data from the NSA's PRISM surveillance net, they can now set their minds at ease. Like every other surveillance program in the UK and the US, it's totally legal.

Parliament's intelligence and security committee launched an investigation into allegations Britain's GCHQ surveillance agency circumvented British laws protecting the privacy of communications by accessing data from the U.S. program.

"From the evidence we have seen, we have concluded that this is unfounded," said the committee.

That's a relief. For a little while, it looked as though sweeping data collection might be something that ran afoul of laws protecting citizens' privacy or other limitations put in place to prevent domestic intelligence agencies from spying on their countrymen. You know, the sort of restrictions that separated us from our Cold War rivals and current totalitarian regimes.

On the bright side, the GCHQ at least has the decency to show up with a warrant. Classy.

A thorough investigation had shown the reports GCHQ compiled using U.S. intelligence were put together legally, it said. The agency possessed a warrant for interception signed by a government minister each time it asked for information from the United States, it added.

Oh, wait. A "warrant for interception" is remarkably similar to a FISA court order.

All interception warrants are valid for an initial period of three months. Upon renewal, warrants issued on serious crime grounds are valid for a further period of three months. Warrants renewed on national security/economic well-being grounds are valid for a further period of six months. Urgent authorisations are valid for five working days following the date of issue unless renewed by the Secretary of State.

And they go after the same data.

For mobile telephony

the telephone number from which the telephone call was made and the name and address of the subscriber and registered user of that telephone;

the telephone number dialed and, in cases involving supplementary services such as call forwarding or call transfer, any telephone number to which the call is forwarded or transferred;

the date and time of the start and end of the call;

the service used to make the call;

details of the SIM and phone used to make and receive each call;

for pre-paid services the date, time and place of activation; and

the cell ID and location used for each call.

And having one conveniently available "each time" the GCHQ asked sounds familiar, too. More specifically, the report makes this statement:

Further, in each case where GCHQ sought information from the US, a warrant for interception, signed by a Minister, was already in place, in accordance with the legal safeguards contained in the Regulation of Investigatory Powers Act 2000.

"Already in place." A warrant pre-approval process, not unlike our "not a rubber stamp" FISA court approval process.

The process appears to be: if you'd like to grab some data, please stop by our offices during business hours to pick up a pre-filled out warrant. But don't worry. It's all legal and buttressed by plenty of "safeguards," just the way it is over in the US.

The takeaway is simple: the laws governing these surveillance programs are terrible if this is what they permit. Perhaps there will be some major changes in the future. But all of this would have remained unchallenged without Snowden's leaks. This just shows that, within our two governments, those who had direct knowledge were perfectly content with what was allowed. Even worse, they allowed expansions and reinterpretations of these laws in order to enable and encourage additional surveillance of domestic citizens.

Filed Under: investigation, legality, prism, surveillance, uk

FISC Says It Will Declassify Ruling That Forced Yahoo Into PRISM

from the how-much-black-ink-will-they-use-up? dept

Last month, we noted that, while it was known that a tech company had fought back against a surveillance effort by the government and lost, it hadn't yet been revealed who that company was. The NY Times then revealed that it was Yahoo!, and it involved whether or not Yahoo! would be involved in PRISM. Yahoo tried to fight it, lost, and had to comply -- but the details (of course) remained entirely sealed. It appears that's changing. Yahoo! has been asking the government if it can reveal more info, and eventually the government (at the very least) allowed Yahoo to admit that it was the party in the case. After that, Yahoo asked FISC if the ruling could be declassified, and the court has now told the government to review the ruling to figure out what can be declassified.

The Government shall conduct a declassification review of this Court's Memorandum Opinion of April 25, 2008, and (2) the legal briefs submitted by the parties to this Court in this matter. After such review, the Court anticipates publishing that Memorandum Opinion in a form that redacts any properly classified information.

Of course, given the government's history of over-redacting, I fully expect a document with a ridiculous amount of black ink applied (invest now in black ink!). However, I do wonder if this is part of the various FISC judges realizing that there's been a fairly strong outcry against their secret court with a big rubber stamp.

Filed Under: declassify, doj, fisa, fisc, nsa, nsa surveillance, prism, surveillance
Companies: yahoo

'Team Sport' Is The NSA's Buzzword For Getting Companies To Violate Your Privacy

from the that's-not-very-sporting dept

I noticed something interesting in two of our recent stories about NSA surveillance. In yesterday's revelation in the Guardian about how Microsoft had made it easy for the NSA to record Skype audio and video, an internal NSA bulletin referred to the situation this way:

The document continues: "The FBI and CIA then can request a copy of Prism collection of any selector…" As a result, the author notes: "these two activities underscore the point that Prism is a team sport!"

That was apparently written on August 3, 2012. But the "team sport" phrase caught my attention, because while Tim Cushing was writing up that story, I had been working on the story about the NSA's talking points for the groundbreaking of its massive datacenter in Bluffdale Utah. Those talking points were for January 6, 2011, but they too, reference "team sports" as a way to describe the collaboration with tech companies:

Cyber must be a team sport -- it is too big for one agency, or even one nation to be able to "control."

Seeing that exact phrase show up in two separate documents, which were both revealed on the same day, through different means (one via a leak, one via a FOIA request), were written at different times, and were revealed through very different sources, has me wondering. It seems likely that this is a key talking point that the NSA has been working on for quite some time, should information on PRISM and other programs ever get out. As long as they call these efforts a "team sport" perhaps people won't be as freaked out about them, or something.

But it's kind of a funny thing to call them. Who is the "opposing" team here? The public? And it's a funny sort of "sport" when the rules are all secret, and the referees and umpires get to reinterpret the rules in secret with the NSA/companies' team, without ever informing the public of the rule changes. There's definitely a team here, but it doesn't seem very sporting. It seems more like a bunch of people with way too much power screwing over the public. Perhaps that's what they should actually call it.

Filed Under: buzzwords, nsa surveillance, prism, privacy, surveillance, team sport

Latest Leak Shows Microsoft Handed The NSA And FBI Unencrypted Access To Outlook, SkyDrive And Skype

from the MS-US-Internet-Explorer-10,-now-available-for-download! dept

Microsoft has painted a picture that its relationship with the NSA and FBI isn't a cozy one, but one based on forced compliance. The company has recently been taking shots at Google with its "Scroogled" campaign, claiming it kept users' data more secure. Then news surfaced that Microsoft was providing intelligence agencies with zero-day exploits for deployment by the agencies before getting around to patching them, leading to questions as to its expressed concern for its customers.

The latest leak released by the Guardian paints the company as a willing "team player" working closely with the FBI and NSA to allow unfettered access to the data of its customers.

Microsoft has collaborated closely with US intelligence services to allow users' communications to be intercepted, including helping the National Security Agency to circumvent the company's own encryption, according to top-secret documents obtained by the Guardian.

The documents show that:

• Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept web chats on the new Outlook.com portal;

• The agency already had pre-encryption stage access to email on Outlook.com, including Hotmail;

• The company worked with the FBI this year to allow the NSA easier access via Prism to its cloud storage service SkyDrive, which now has more than 250 million users worldwide;

• Microsoft also worked with the FBI's Data Intercept Unit to "understand" potential issues with a feature in Outlook.com that allows users to create email aliases;

• Skype, which was bought by Microsoft in October 2011, worked with intelligence agencies last year to allow Prism to collect video of conversations as well as audio;

• Material collected through Prism is routinely shared with the FBI and CIA, with one NSA document describing the program as a "team sport".

This damaging set of documents indicates that Microsoft talks a pretty good game when it comes to privacy, but the protection it actually offers is less than skin deep.

Microsoft's latest marketing campaign, launched in April, emphasizes its commitment to privacy with the slogan: "Your privacy is our priority."

Similarly, Skype's privacy policy states: "Skype is committed to respecting your privacy and the confidentiality of your personal data, traffic data and communications content."

Microsoft's actions say otherwise. Skype alone gives the NSA and FBI access to over 600 million users worldwide despite Skype's earlier claims that these calls couldn't be tapped.

Microsoft has responded to this leak with a statement claiming its actions are above-board and completely legal. The NSA released a statement as well, claiming, as Microsoft does, that everything detailed is fully compliant with applicable laws. As usual, the NSA statement makes reference to "strict oversight" and "careful monitoring," empty phrases its deployed before that are ultimately meaningless without any corresponding transparency.

Again, speaking to the "legality" of these actions is nothing more than self-serving rhetoric. As has been expressed before, the real scandal isn't that large-scale surveillance is happening. It's that it's legal. Secret courts issuing secret interpretations that companies like Microsoft are compelled to comply with. Microsoft may say it "rejects" demands that it doesn't deem "valid," but does anyone not think these rejections aren't simply overridden?

There are ways to comply with government requests which don't take the form of working closely with intelligence agencies to undercut the same privacy you're telling the public you're so interested in protecting. (Maybe ask Twitter for some advice...) Giving intelligence carte blanche access to data pre-encryption doesn't sound like the actions of a company that regularly challenges government requests. It sounds more like the compliance of a company who'd rather not jeopardize OS sales and support to one of its biggest customers.

Filed Under: encryption, nsa surveillance, pre-encryption access, prism, surveillance
Companies: microsoft, skype

Anyone Brushing Off NSA Surveillance Because It's 'Just Metadata' Doesn't Know What Metadata Is

from the your-metadata-reveals-quite-a-bit dept

One of the key themes that has come out from the revelations concerning NSA surveillance is a bunch of defenders of the program claiming "it's just metadata." This is wrong on multiple levels. First of all, only some of the revealed programs involve "just metadata." The so-called "business records" data is metadata, but other programs, such as PRISM, can also include actual content. But, even if we were just talking about "just metadata," the idea that it somehow is no big deal, and people have nothing to worry about when it comes to metadata is ridiculous to anyone who knows even the slightest thing about metadata. In fact, anyone who claims that "it's just metadata" in an attempt to minimize what's happening is basically revealing that they haven't the slightest clue about what metadata is. Here are a few examples of why.

Just a few months ago, Nature published a study all about how much a little metadata can reveal, entitled Unique in the Crowd: The privacy bounds of human mobility by Yves-Alexandre de Montjoye, Cesar A. Hidalgo, Michel Verleysen, and Vincent D. Blondel. The basic conclusion: metadata reveals a ton, and even "coarse datasets" provide almost no anonymity:

A simply anonymized dataset does not contain name, home address, phone number or other obvious identifier. Yet, if individual's patterns are unique enough, outside information can be used to link the data back to an individual. For instance, in one study, a medical database was successfully combined with a voters list to extract the health record of the governor of Massachusetts27. In another, mobile phone data have been re-identified using users' top locations28. Finally, part of the Netflix challenge dataset was re-identified using outside information from The Internet Movie Database29.

All together, the ubiquity of mobility datasets, the uniqueness of human traces, and the information that can be inferred from them highlight the importance of understanding the privacy bounds of human mobility. We show that the uniqueness of human mobility traces is high and that mobility datasets are likely to be re-identifiable using information only on a few outside locations. Finally, we show that one formula determines the uniqueness of mobility traces providing mathematical bounds to the privacy of mobility data. The uniqueness of traces is found to decrease according to a power function with an exponent that scales linearly with the number of known spatio-temporal points. This implies that even coarse datasets provide little anonymity.

Some of the figures they presented show how easy it is to track individuals and their locations, which can paint a pretty significant and revealing portrait of who they are and what they've done. In an interview, one of the authors of the paper basically said that your metadata effectively creates a "fingerprint" that is unique to you and easy to match to your identity:

"We use the analogy of the fingerprint," said de Montjoye in a phone interview today. "In the 1930s, Edmond Locard, one of the first forensic science pioneers, showed that each fingerprint is unique, and you need 12 points to identify it. So here what we did is we took a large-scale database of mobility traces and basically computed the number of points so that 95 percent of people would be unique in the dataset."

Others are discovering the same thing. Ethan Zuckerman, who recently co-taught a class with one of the authors of the paper above, Cesar Hidalgo, wrote about how two students in the class created a project called Immersion, with Hidalgo, which takes your Gmail metadata ("just metadata") and maps out your social network. As Zuckerman notes, his own use of Immersion reveals some things that could be questionable or dangerous. He discusses some bits of metadata that are "obvious," which would make him easily identifiable, but which probably aren't that "questionable." However, he also notes some potentially problematic things as well:

Anyone who knows me reasonably well could have guessed at the existence of these ties. But there’s other information in the graph that’s more complicated and potentially more sensitive. My primary Media Lab collaborators are my students and staff – Cesar is the only Media Lab node who’s not affiliated with Civic who shows up on my network, which suggests that I’m collaborating less with my Media Lab colleagues than I might hope to be. One might read into my relationships with the students I advise based on the email volume I exchange with them – I’d suggest that the patterns have something to do with our preferred channels of communication, but it certainly shows who’s demanding and receiving attention via email. In other words, absence from a social network map is at least as revealing as presence on it.

Separately, more than two years ago, we wrote about how a German politician named Malte Spitz got access to all of the metadata that Deutsche Telekom had on him over a period of six months, and then worked with the German newspaper Die Zeit to put together an amazing visualization that lets you track six months of his life entirely via his metadata, combined with public information, such as his Twitter feed. While this all came out over two years ago, just recently, Spitz wrote a NYT op-ed piece about how this "just metadata" situation means that it's tough to trust the US government.

In Germany, whenever the government begins to infringe on individual freedom, society stands up. Given our history, we Germans are not willing to trade in our liberty for potentially better security. Germans have experienced firsthand what happens when the government knows too much about someone. In the past 80 years, Germans have felt the betrayal of neighbors who informed for the Gestapo and the fear that best friends might be potential informants for the Stasi. Homes were tapped. Millions were monitored.

Although these two dictatorships, Nazi and Communist, are gone and we now live in a unified and stable democracy, we have not forgotten what happens when secret police or intelligence agencies disregard privacy. It is an integral part of our history and gives young and old alike a critical perspective on state surveillance systems.

"Just metadata" isn't "just" anything, other than a massive violation of basic privacy rights.

Filed Under: cesar hidalgo, ethan zuckerman, fingerprints, immersion, malte spitz, metadata, nsa surveillance, prism, privacy, surveillance

Newly Leaked NSA Slides On PRISM Add To Confusion, Rather Than Clear It Up

from the hmmm dept

Over the weekend there were two "big" new leaks from the documents that Ed Snowden took. The first, about US spying on EU embassies we already covered. The second one seemed bigger, but it also might have just made things murkier. It involves the Washington Post releasing four more slides about the PRISM program from that original slide deck that already had 5 of its 41 slides revealed in previous leaks. These slides show a lot more details about PRISM. What's amazing is that I've seen people claiming completely contrary things in looking over these slides: some are insisting it shows that the companies who are "members" of PRISM don't -- as was originally reported -- open up their servers to the NSA. Others insist that the slides actually support that original reporting and show that the companies are lying.

First up, here are the slides (sorry visitors from the Defense Department):





Things break down when people start to analyze these slides. A few news sources have zeroed in on the claim on that last slide that there are 117,675 "records" in PRISM as of April 5th. But, there's some disagreement about what the hell that means. The Washington Post says that these are "active surveillance targets" but it's unclear how they know that. It's possible that there's other, as yet unrevealed info that would support that, but even then there's confusion. How "active" is active? And, what constitutes a "record" anyway? No one seems to be providing any answers.

Another thing that's not entirely clear: the Washington Post annotations claim that the "FBI DITU," the "Data Intercept Technology Unit" (DITU), is on the premises of the companies listed as a part of PRISM -- but all of the companies have pretty strenuously denied this. And, honestly, from the slides, it's not at all clear that the DITU really is on-premises. Google has said in the past that when it receives a valid FISA court order under the associated program, it uses secure FTP to ship the info to the government. From that, it seems like the "DITU" could just be a government computer somewhere, not on the premises of these companies, and info is uploaded to those servers following valid FISC orders.

Others have focused in on the claims of "real-time surveillance," implying the ability to watch actual key strokes, but the slide in question (the third one above) suggests something slightly different: which is real time notifications for certain trigger events, such as logging into email or sending a message. Now, it does note that other forms of communication are available through the program, but it's not at all clear that's "real time." It's also not at all clear if the "real time" notifications apply to all companies in the program. It's entirely possible that a FISC order might require these companies to let the FBI/NSA know whenever a certain target logged into their email or chat. There are certainly some questions raised there about the appropriateness of that type of program, but it's not clear how much "real time" info is actually being sent.

It's entirely possible that the Washington Post's interpretation of these slides is accurate. It's also entirely possible that the other slides, or additional reporting from WaPo reporters allows them to have more knowledge on these things, and it could be true that the companies in questions are not being fully truthful. However, especially given how it appears that the WaPo's original reporting on PRISM was fairly sloppy, it seems worth reserving judgment until more information comes out.

Of course, if (as the NSA insists) this program is nothing more than these companies responding to valid FISC orders, I don't see why the NSA itself can't be a hell of a lot more transparent about these programs. If there's real oversight over these programs and they're really only used against actual threats (stop laughing...), then nothing revealed so far seems like it should be secret. It just shows how the system works for delivering the information that is legally required. The fact that there's so much secrecy over the program suggests either a stupid overclassification insistence by the NSA, or that there's a hell of a lot beyond this that they don't want to talk about (such as revealing that the program isn't what they claim). That seems like the most likely situation given what's been revealed so far.

Filed Under: ditu, fbi, leaks, nsa, nsa surveillance, prism, washington post

Shallow Surveillance Efforts Like PRISM Will Only Catch The 'Stupidest, Lowest-Ranking Of Terrorists'

from the better-watch-out-for-the-skin-deep dept

Government officials keep assuring the public that these surveillance programs are in place to track terrorists and prevent further violent activity aimed at our nation. But much of what the government actually tracks and collects is nearly useless. It's aimed at the sort of platforms and communication devices used by the general public -- the sort of people who make use of the "top level" because they actually have nothing to hide.

Leonid Bershidsky argues that casting the net wide, but only to a shallow depth, won't actually "catch" anything but the most inept of terrorists.

The infrastructure set up by the National Security Agency, however, may only be good for gathering information on the stupidest, lowest-ranking of terrorists. The Prism surveillance program focuses on access to the servers of America’s largest Internet companies, which support such popular services as Skype, Gmail and iCloud. These are not the services that truly dangerous elements typically use.

Truly dangerous people are smart enough to know to avoid anything easily tracked, surveilled or easily exposed. There may be a little value in catching anything that briefly rises to the surface or surveilling the "public faces" of terrorism, but those serious about their agenda will be operating far below these easily-tapped sources.

In a January 2012 report titled “Jihadism on the Web: A Breeding Ground for Jihad in the Modern Age,” the Dutch General Intelligence and Security Service drew a convincing picture of an Islamist Web underground centered around “core forums.” These websites are part of the Deep Web, or Undernet, the multitude of online resources not indexed by commonly used search engines.

The Netherlands’ security service, which couldn’t find recent data on the size of the Undernet, cited a 2003 study from the University of California at Berkeley as the “latest available scientific assessment.” The study found that just 0.2 percent of the Internet could be searched. The rest remained inscrutable and has probably grown since. In 2010, Google Inc. said it had indexed just 0.004 percent of the information on the Internet.

If someone or something doesn't want to be found on the internet, it's easy to stay hidden, or at the very least, continue to operate below the dragnet. On top of what's not being indexed, there are options available to go completely off the grid. This makes steady communication difficult, but not impossible. What does happen on the net is encrypted or otherwise obfuscated.

Communication on the core forums is often encrypted. In 2012, a French court found nuclear physicist Adlene Hicheur guilty of, among other things, conspiring to commit an act of terror for distributing and using software called Asrar al-Mujahideen, or Mujahideen Secrets. The program employed various cutting-edge encryption methods, including variable stealth ciphers and RSA 2,048-bit keys.

As Bershidsky puts it, tools like the PRISM system and phone metadata are much better suited for surveilling those who don't have any reason to suspect the government has an interest in their movements and actions. In other words: American citizens, the same people who are supposedly not being targeted.

If the FBI and the NSA are only interested in catching clumsy would-be terrorists who can't be bothered to stay off open channels, then, much like the programs themselves, they can only offer us a false sense of security. Being saved from the bench warmers of the terrorism world doesn't ultimately do anything to increase safety, but it does give these agencies something to point to when their actions are questioned. (The FBI has practically set up its own "Busting Stupid Terrorists" cottage industry.) "We stopped [insert plausible but impressive number here] attacks, therefore we need to continue collecting 'dots' and multiple haystacks of connective material."

Whatever the FBI and NSA are gathering from skimming the web's surface is only a minute percentage of what's available. It would seem that deeper, targeted efforts would be much more effective, rather than simply asking for everything and working backwards. But if the actual intent is to surveill American citizens (with prevented acts of terrorism being a bonus), then these agencies are in the perfect position to do exactly that.

Filed Under: dark web, deep web, encryption, nsa, nsa surveillance, prism, terrorism, terrorists

Senators To NSA: Your 'Fact Sheet' Isn't Factual; Can You Tell Us The Truth For Once?

from the look-at-that dept

We recently wrote about the NSA's highly questionable "talking points" about the various NSA surveillance programs that have leaked. Senators Ron Wyden and Mark Udall -- who have long been leading the fight to get people to understand how the NSA was spying on Americans -- have now sent a letter to NSA boss Keith Alexander saying that the "facts" in the NSA's "fact sheets" do not, in fact, appear to be factual, and asking him to correct the errors.

We were disappointed to see that this fact sheet contains an inaccurate statement about how the section 702 authority has been interpreted by the US government. In our judgment this inaccuracy is significant, as it portrays protections for Americans' privacy as being significantly stronger than they actually are. We have identified this inaccurate statement in the classified attachment to this letter.

We urge you to correct this statement as soon as possible. As you have seen, when the NSA makes inaccurate statements about government surveillance and fails to correct the public record, it can decrease public confidence in the NSA's openness and its commitment to protecting Americans' constitutional rights. Rebuilding this confidence will require a willingness to correct misstatements and a willingness to make reforms where appropriate.

Later in the letter, they also point to another "misleading" statement, amusingly using a letter that the Director of National Intelligence (DNI) sent to Wyden and Udall two years ago. This was back when they two were asking the DNI to at least reveal how many Americans had their info collected, and the DNI responded that "...it is not reasonably possible to identify the number of people located in the United States whose communications may have been reviewed...." Now Wyden and Udall are using that line to show that the latest "fact sheet" must be wrong:

Separately, we note that this same fact sheet states that under section 702, "Any inadvertently acquired communication of or concerning a US person must be promptly destroyed if it is neither relevant to the authorized purpose nor evidence of a crime." We believe that this statement is somewhat misleading, in that it implies that the NSA has the ability to determine how many American communications it has collected under section 702, or that the law does not allow the NSA to deliberately search for the records of particular Americans. In fact, the intelligence community has told us repeatedly that it is "not reasonably possible to identify the number of people located in the United States whose communications may have been reviewed under the authority" of the FISA Amendments Act.

So, basically: were you lying to us then, or are you lying to us now?

We'll see what the NSA's response is, but I imagine it will likely involve more lying.

Filed Under: 215, 702, james clapper, keith alexander, mark udall, nsa, nsa surveillance, prism, ron wyden

Germany's Spies Have NSA Envy: Currently Working To Build Their Own Comprehensive Snooping System

from the it's-not-actually-a-competition dept

One unfortunate knock-on effect of the revelations about the extent of NSA information gathering seems to be that the spies in other countries are starting to feel under-informed by comparison. Of course, many of them already knew about what was going on: in addition to the British and the Dutch, there are now reports that Germany was also kept informed at the highest levels (original in German.) That would probably explain the revelation by the news magazine Der Spiegel that Germany has been trying to beef up its own snooping capabilities for a while:

Last year, [Germany's foreign intelligence agency] BND head Gerhard Schindler told the Confidential Committee of the German parliament, the Bundestag, about a secret program that, in his opinion, would make his agency a major international player. Schindler said the BND wanted to invest €100 million ($133 million) over the coming five years. The money is to finance up to 100 new jobs in the technical surveillance department, along with enhanced computing capacities.

Small beer compared to the NSA, but it's a start. Der Spiegel's article provides some details on how they do it in Germany:

The largest traffic control takes place in Frankfurt, in a data processing center owned by the Association of the German Internet Industry. Via this hub, the largest in Europe, e-mails, phone calls, Skype conversations and text messages flow from regions that interest the BND like Russia and Eastern Europe, along with crisis areas like Somalia, countries in the Middle East, and states like Pakistan and Afghanistan.

But the BND still has a long way to go before it attains NSA-like levels of snooping:

In contrast to the NSA, though, the German intelligence agency has been overwhelmed by this daunting wealth of information. Last year, it monitored just under 5 percent, roughly every 20th phone call, every 20th e-mail and every 20th Facebook exchange. In the year 2011, the BND used over 16,000 search words to fish in this data stream.

As in the US, the idea is that this targets foreigners:

German law allows the BND to monitor any form of communication that has a foreign element, be it a mobile phone conversation, a Facebook chat or an exchange via AOL Messenger. For the purposes of "strategic communications surveillance," the foreign intelligence agency is allowed to copy and review 20 percent of this data traffic. There is even a regulation requiring German providers "to maintain a complete copy of the telecommunications."

Here's how the BND tries to achieve that:

If e-mail addresses surface that end in ".de" (for Germany), they have to be erased. The international dialing code for Germany, 0049, and IP addresses that were apparently given to customers in Germany also pass through the net.

Of course, as in the US, it doesn't quite work out like that:

At first glance, it's not evident where users live whose information is saved by Yahoo, Google or Apple. And how are the agencies supposed to spot a Taliban commander who has acquired an email address with German provider GMX? Meanwhile, the status of Facebook chats and conversations on Skype remains completely unclear.

Given this evident desire to create its own snooping apparatus, coupled with the fact that Germany has doubtless benefited from NSA spying, perhaps it's no surprise the German government's protests about its citizens being subject to extensive NSA surveillance have been muted. Maybe a little too muted: Der Spiegel quotes the question posed by Cornelia Rogall-Grothe, a state secretary in the German Interior Ministry, to the US Embassy in Berlin, in the wake of the revelations about NSA spying:

"Are US agencies running a program or computer system with the name Prism?," the Interior Ministry official asked.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Filed Under: germany, nsa, nsa surveillance, prism, snooping

Google, Without Admitting It Gets FISA Orders, Files Lawsuit To Challenge FISA Gag Orders

from the well-that-ought-to-be-interesting dept

Google appears to be stepping it up a notch in trying to fight back against the claims that it is somehow opening up its system to the NSA or other law enforcement folks. As you now know well, one of the leaks from Ed Snowden a few weeks ago was about a system called PRISM, which is associated with how tech companies provide information to the federal government in response to FISA court orders. The initial reports, claiming that the NSA had full direct access to servers and could see what people were doing in real time, appear to have been extremely overblown, as it now seems clear that this was much more narrow. But there's still a big question of how narrow. Google sent an open letter to the DOJ, asking for permission to reveal basic numbers on how many FISA requests they receive and how many people have had information passed along to the government under the program. The government then gave "permission" in a way that actually further obfuscated things, only allowing the release of numbers when combined with all sorts of other government requests.

Now, Google has filed a lawsuit against the government, arguing that gag orders on FISA requests violate the First Amendment. The filing itself is an interesting read, in part for its first footnote:

Nothing in this Motion is intended to confirm or deny that Google has received any order or orders issued by this Court.

Of course, that might lead some to suggest that Google can't actually have standing, but there's an interesting legal argument here. Basically, Google is arguing that the perception that it's opened up its network to the NSA, as suggested in various reports, and which it cannot refute fully without revealing some details of FISA orders it has received, has caused it harm.

Google's reputation and business has been harmed by the false or misleading reports in the media, and Google's users are concerned by the allegations. Google must respond to such claims with more than generalities. Moreover, these are matters of significant weight and importance, and transparency is critical to advancing public debate in a thoughtful and democratic manner.

Given that, Google is seeking a declaratory judgment from the court that it has a First Amendment right to publish the total number of FISA requests it receives and the total number of users associated with those requests, though obviously not anything more. I'm sure the government will come back with all sorts of excuses as to why this is horrible, but it certainly presents an interesting legal challenge to the FISA court's gag orders.

Filed Under: first amendment, fisa, fisa court, free speech, gag order, prism
Companies: google