European Court Of Human Rights: UK Surveillance Revealed By Snowden Violates Human Rights

from the well-of-course-it-does dept

Yet another vindication of Ed Snowden. Soon after some of the documents he leaked as a whistleblower revealed that the UK's GCHQ was conducting mass surveillance, a variety of human rights groups filed complaints with the European Court of Human Rights. It's taken quite some time, but earlier today the court ruled that the surveillance violated human rights, though perhaps in a more limited way than many people had hoped.

At issue were three specific types of surveillance: bulk interception of communications, sharing what was collected with foreign intelligence agencies, and obtaining communications data (metadata) from telcos. The key part of the ruling was to find that the bulk interception of communications violated Article 8 of the Human Rights Act (roughly, but not exactly, analogous to the US 4th Amendment). It was not a complete victory, as the court didn't say that bulk interception by itself violated human rights, but that the lack of oversight over how this was done made the surveillance "inadequate." The court also rejected any claims around GCHQ sharing the data with foreign intelligence agencies.

In short, the court found that bulk interception could fit within a human rights framework if there was better oversight, and that obtaining data from telcos could be acceptable if there were safeguards to protect certain information, such as journalist sources. But the lack of such oversight and safeguards doomed the surveillance activity that Snowden revealed.

Operating a bulk interception scheme was not per se in violation of the Convention and Governments had wide discretion (“a wide margin of appreciation”) in deciding what kind of surveillance scheme was necessary to protect national security. However, the operation of such systems had to meet six basic requirements, as set out in Weber and Saravia v. Germany. The Court rejected a request by the applicants to update the Weber requirements, which they had said was necessary owing to advances in technology.

The Court then noted that there were four stages of an operation under section 8(4): the interception of communications being transmitted across selected Internet bearers; the using of selectors to filter and discard – in near real time – those intercepted communications that had little or no intelligence value; the application of searches to the remaining intercepted communications; and the examination of some or all of the retained material by an analyst.

While the Court was satisfied that the intelligence services of the United Kingdom take their Convention obligations seriously and are not abusing their powers, it found that there was inadequate independent oversight of the selection and search processes involved in the operation, in particular when it came to selecting the Internet bearers for interception and choosing the selectors and search criteria used to filter and select intercepted communications for examination. Furthermore, there were no real safeguards applicable to the selection of related communications data for examination, even though this data could reveal a great deal about a person’s habits and contacts.

Such failings meant section 8(4) did not meet the “quality of law” requirement of the Convention and could not keep any interference to that which was “necessary in a democratic society”. There had therefore been a violation of Article 8 of the Convention.

The court also found that acquiring data from telcos violated Article 8 as well, for similar reasons.

It first rejected a Government argument that the applicants’ application was inadmissible, finding that as investigative journalists their communications could have been targeted by the procedures in question. It then went on to focus on the Convention concept that any interference with rights had to be “in accordance with the law”.

It noted that European Union law required that any regime allowing access to data held by communications service providers had to be limited to the purpose of combating “serious crime”, and that access be subject to prior review by a court or independent administrative body. As the EU legal order is integrated into that of the UK and has primacy where there is a conflict with domestic law, the Government had conceded in a recent domestic case that a very similar scheme introduced by the Investigatory Powers Act 2016 was incompatible with fundamental rights in EU law because it did not include these safeguards. Following this concession, the High Court ordered the Government to amend the relevant provisions of the Act. The Court therefore found that as the Chapter II regime also lacked these safeguards, it was not in accordance with domestic law as interpreted by the domestic authorities in light of EU law. As such, there had been a violation of Article 8.

Both of those elements also ran afoul of Article 10's protection of free expression because journalists' communications had been swept up in the bulk data collection:

In respect of the bulk interception regime, the Court expressed particular concern about the absence of any published safeguards relating both to the circumstances in which confidential journalistic material could be selected intentionally for examination, and to the protection of confidentiality where it had been selected, either intentionally or otherwise, for examination. In view of the potential chilling effect that any perceived interference with the confidentiality of journalists’ communications and, in particular, their sources might have on the freedom of the press, the Court found that the bulk interception regime was also in violation of Article 10.

When it came to requests for data from communications service providers under Chapter II, the Court noted that the relevant safeguards only applied when the purpose of such a request was to uncover the identity of a journalist’s source. They did not apply in every case where there was a request for a journalist’s communications data, or where collateral intrusion was likely. In addition, there were no special provisions restricting access to the purpose of combating “serious crime”. As a consequence, the Court also found a violation of Article 10 in respect of the Chapter II regime.

On the final issue of passing on the info to foreign intelligence agencies, the court didn't find any human rights issues there:

The Court found that the procedure for requesting either the interception or the conveyance of intercept material from foreign intelligence agencies was set out with sufficient clarity in the domestic law and relevant code of practice. In particular, material from foreign agencies could only be searched if all the requirements for searching material obtained by the UK security services were fulfilled. The Court further observed that there was no evidence of any significant shortcomings in the application and operation of the regime, or indeed evidence of any abuse.

It would have been nice if there was more of a blanket recognition of the problems of bulk interception and mass surveillance. Unfortunately the court didn't go that far. But at the very least this has to be seen as a pretty massive vindication of Snowden whistleblowing on the lack of oversight to protect privacy and the lack of safeguards to prevent telcos from sharing information with the government that should have been protected.

Filed Under: bulk collection, echr, ed snowden, european court of human rights, gchq, human rights, mass surveillance, suveillance

How Far Does The National Snooping Dollar Stretch?

from the of-course,-there's-no-accounting-for-classified-funds dept

The surveillance dragnet in the US is undeniably large. As such, lots of money (your money) goes into financing the collection of "relevant" data (your data). We've already seen the generous $100 million surveillance "grant" handed out to telcos in exchange for their "voluntary" cooperation.

The AP has tracked down some of the fees charged by various services for providing the government with data and access. At this point, most of what's being requested probably falls under the heading of "unprecedented," hence the lack of any uniformity in the pricing structure. But even older methods of snooping are subject to some price fluctuations.

AT&T, for example, imposes a $325 "activation fee" for each wiretap and $10 a day to maintain it. Smaller carriers Cricket and U.S. Cellular charge only about $250 per wiretap. But snoop on a Verizon customer? That costs the government $775 for the first month and $500 each month after that, according to industry disclosures made last year to Rep. Edward Markey, D-Mass.

These fees are rather low when it comes to government expenditures, but this solely covers the less popular method of obtaining information -- old school, targeted wiretaps. Email records are also obtained very cheaply ($25 or less). Part of this surprisingly low cost is automation. In many cases, what the government is requesting is already automatically generated. Another factor is mitigation of the costs of compliance to the company itself.

Online companies in particular tend to undercharge because they don't have established accounting systems, and hiring staff to track costs is more expensive than not charging the government at all, he said.

Possibly the greatest factor in keeping the prices low is the oft-maligned court of public opinion. Most of the involved companies would rather not appear to be profiting from selling customer data to the government. That's probably a smart idea, but civil liberties defenders agree that these companies should be charging something, rather than handing out info for free.

"What we don't want is surveillance to become a profit center," said Christopher Soghoian, the ACLU's principal technologist. But "it's always better to charge $1. It creates friction, and it creates transparency" because it generates a paper trail that can be tracked.

The individual prices may seem nickel-and-dime, but the government generates enough business for this to turn into real money. AT&T claims to have 100 staffers working around the clock to satisfy government data requests. Verizon claims to have 70. $100 million has already been sent their way, and both companies are extremely unlikely to simply eat these expenses.

Even regular wiretaps can generate significant costs.

The average wiretap is estimated to cost $50,000, a figure that includes reimbursements as well as other operational costs. One narcotics case in New York in 2011 cost the government $2.9 million alone.

The costs associated with the FBI's and NSA's large scale surveillance efforts is likely to remain hidden. The FBI claims it's not possible to estimate its outlays as the payments run through a "variety of programs, field offices and case funds."

Anything about the size of NSA's payments to cooperating companies is genuinely impossible to nail down. (At least without a leak...) Its annual budget is classified. All that's known for certain is 15 intelligence agencies share a $75 billion annual budget and estimates place the NSA's share at $10-15 billion.

There's little chance the details of this budget will ever be publicized, which means the public is again asked to trust the "oversight" of those who have access. It's safe to say a large shadow industry has developed over the past 15 years, one that goes beyond simple transactions between intelligence agencies and involved services.

There's also a large number of private security firms being employed by these agencies, many of which have ensured future profitability by setting up shop as close to the Beltway as possible. That's the larger concern: a set of corporations almost totally funded with public money assisting in the capture, analysis and storage of the public's data.

Filed Under: costs, nsa surveillance, suveillance

Growing Number Of Senators Demand Answers About NSA Surveillance

from the they're-waking-up dept

For the past few years, it was just a very small group of Senators who seemed even remotely concerned about the NSA's broad surveillance and reinterpretation of the Patriot Act and FISA Amendment's Act. Senators Ron Wyden and Mark Udall have been talking about it for a while. Senator Jeff Merkley has been concerned about the secret interpretation. Every so often Senators Patrick Leahy and Rand Paul have expressed some concern. But that had been about it. However, with all of the leaks about the NSA's actual programs, more in the Senate appear to be waking up to the issue. A bipartisan group of 26 Senators, led by Wyden, have sent a very strongly worded letter to Director of National Intelligence James Clapper concerning the programs and his claims to Congress.

In our view, the bulk collection and aggregation of Americans' phone records has a significant impact on Americans' privacy that exceeds the issues considered by the Supreme Court in Smith v. Maryland. That decision was based on the technology of the rotary-dial era and did not address the type of ongoing, broad surveillance of phone records that the government is now conducting. These records can reveal personal relationships, family medical issues, political and religious affiliations, and a variety of other private personal information. This is particularly true if these records are collected in a manner that includes cell phone locational data, effectively turning Americans' cell phones into tracking devices. We are concerned that officials have told the press that the collection of this location data is currently authorized.

Furthermore, we are troubled by the possibility of this bulk collection authority being applied to other categories of records. The PATRIOT Act's business records authority is very broad in its scope. It can be used to collect information on credit card purchases, pharmacy records, library records, firearm sales records, financial information, and a range of other sensitive subjects. And the bulk collection authority could potentially be used to supersede bans on maintaining gun owner databases, or laws protecting the privacy of medical records, financial records, and records of book and movie purchases. These other types of bulk collection could clearly have a significant impact on Americans' privacy and liberties as well.

The use of "gun owner databases" is interesting, as it seems like a pretty clear attempt to attract some attention from a group of Republicans who have been outspoken against gun owner databases held by local governments, but who have been strongly in favor of the NSA surveillance programs.

The letter also calls out a few clearly misleading statements from defenders of the program:

Finally, we are concerned that by depending on secret interpretations of the PATRIOT Act that differed from an intuitive reading of the statute, this program essentially relied for years on a secret body of law. Statements from senior officials that the PATRIOT Act authority is "analogous to a grand jury subpoena" and that the NSA "[doesn't] hold data on US citizens" had the effect of misleading the public about how the law was being interpreted and implemented. This prevented our constituents from evaluating the decisions that their government was making, and will unfortunately undermine trust in government more broadly. The debate that the President has now welcomed is an important first step toward restoring that trust.

To drive this point home, the letter asks Clapper to answer a series of direct questions:

• How long has the NSA used Patriot Act authorities to engage in bulk collection of Americans' records? Was this collection underway when the law was reauthorized in 2006?
• Has the NSA used USA Patriot Act authorities to conduct bulk collection of any other types of records pertaining to Americans, beyond phone records?
• Has the NSA collected or made any plans to collect Americans' cell-site location data in bulk?
• Have there been any violations of the court orders permitting this bulk collection, or of the rules governing access to these records? If so, please describe these violations.
• Please identify any specific examples of instances in which intelligence gained by reviewing phone records obtained through Section 215 bulk collection proved useful in thwarting a particular terrorist plot.
• Please provide specific examples of instances in which useful intelligence was gained by reviewing phone records that could not have been obtained without the bulk collection authority, if such examples exist.
• Please describe the employment status of all persons with conceivable access to this data, including IT professionals, and detail whether they are federal employees, civilian or military, or contractors.

The twenty six senators who signed are:

Ron Wyden (Oregon), Mark Udall (Colorado), Lisa Murkowski (Alaska), Patrick Leahy (Vermont), Mark Kirk (Illinois), Dick Durbin (Illinois), Tom Udall (New Mexico), Brian Schatz (Hawaii), Jon Tester (Montana), Jeanne Shaheen (New Hampshire), Dean Heller (Nevada),Mark Begich (Alaska), Bernie Sanders (Vermont), Patty Murray (Washington), Jeff Merkley (Oregon), Mazie Hirono (Hawaii), Al Franken (Minnesota), Tom Harkin (Iowa), Chris Coons (Delaware), Maria Cantwell (Washington), Richard Blumenthal (Connecticut), Max Baucus (Montana), Elizabeth Warren (Massachusetts), Martin Heinrich (New Mexico), Tammy Baldwin (Wisconsin) and Mike Lee (Utah).

A bit surprised that Rand Paul isn't on the list. Similarly, disappointed, but tragically not surprised, that neither of my own Senators are on the list. Considering that Dianne Feinstein has been the leading defender of the program, despite the fact that it's a disaster for the tech industry in her own home state, I wouldn't have expected her to be on this list, but it still makes it no less a farce that she's siding with the government against both the public and her own state's best interests.

Filed Under: james clapper, nsa, nsa surveillance, ron wyden, secret law, senate, suveillance

Leaked: NSA's Talking Points Defending NSA Surveillance

from the you-have-to-be-kidding-me dept

The government has been passing around some "talking points" to politicians and the press trying to spin the NSA surveillance story. We've got the talking points about scooping up business records (i.e., all data on all phone calls) and on the internet program known as PRISM. Both are embedded below. Let's dig in on a few of the points, starting with the business records/FISA issue:

The news articles have been discussing what purports to be a classified, lawfully-authorized order that the Foreign Intelligence Surveillance Court (FISA Court) issued under an Act of Congress – the Foreign Intelligence Surveillance Act (FISA). Under this Act, the FISA Court authorized a collection of business records. There is no secret program involved here – it is strictly authorized by a U.S. statute.

"There is no secret program here"? Bullshit. Why, then, have so many people, both in the Congress and the public been shocked at the extent to which the NSA is snarfing up data? This is a secret program, enabled by a secret interpretation of the FISA Amendments Act, by the FISA Court, which the DOJ and the NSA insist the public is not allowed to know. Yes, it's a secret program. Saying otherwise is simply lying.

It authorizes only metadata collection, which includes barebones records – such as a telephone number or the length of a call.

"Barebones records" and "metadata" are terms being used to play down the extent of the collection of info, but it ignores multiple reports that note the amount of data actually collected -- including phone numbers, call times, call location, among other things -- is more than enough to identify who someone is and a variety of important characteristics about that person.

This legal tool, as enacted by Congress, has been critical in protecting America. It has been essential in thwarting at least one major terrorist attack to our country in the past few years.

"At least one" is a lot less than the "dozens" NSA boss Keith Alexander recently stated. But, so far the only "one" identified, involving an attempted NYC Subway bombing was shown not to have needed this data collection program to uncover and stop. So, nope.

Despite what appears to be a broad scope in the FISA Court’s order, the Intelligence Community uses only a small fraction of a percent of the business records collected to pursue terrorism subjects.

This is meaningless. That's like saying, even though we search everyone's house illegally, we only actually arrest a small number of people. No one would allow such house searches under the 4th Amendment, so why is it okay with phone records?

All three branches – Congress, the Courts, and the Executive Branch – review and sign off on FISA collection authorities. Congress passed FISA, and the Intelligence Committees are regularly and fully briefed on how it is used.

Except many in Congress have made it clear they did not review this kind of program, or were led to believe that the NSA did not collect this kind of information. And those who are being briefed now say the program goes way beyond what they were told. And, those who did know about it beforehand, tried to dig deeper into the program, but were blocked. As for "the Courts" reviewing it, we're talking about the FISA Court which is a rubberstamp in black robes, having approved every single request of it for the past three years. It last rejected a request back in 2009, and that was only one out of 1320. In its entire history, since 1979, the court has rejected a grand total of 11 applications. 11. Out of 33,939 applications. That's 0.03%. Not 3%. 0.03% with not a single rejection in over three years. That's not careful review. That's a rubber stamp. As for the executive branch signing off on it, what do you expect? They're going to hold back their own ability to spy on people?

The FISA Court authorizes intelligence collection only after the Intelligence Community has proven its case, based on underlying facts and investigations.

Well, we already covered the rubber stamp issue above, but Section 215 of the Patriot Act requires that the government present a case that the data it is seeking "must be relevant to an authorized preliminary or full investigation to obtain foreign intelligence information not concerning a U.S. person or to protect against international terrorism or clandestine intelligence activities." I'd love to see the argument that all data is somehow relevant to the investigation. Of course, I can't see it, because it's secret.

This legal tool has been reauthorized only after ongoing 90-day renewal periods. That means that every 90 days, the Department of Justice and the FBI must prove to the Foreign Intelligence Surveillance Court that they have the facts and legal basis to renew this legal authority. It is not a rubber stamp.

Ha ha ha. So, we violate your privacy without any opposing view -- but we do it every 90 days for seven straight years.

FISA-authorized collections are subject to strict controls and procedures under oversight of the Department of Justice, the Office of the Director of National Intelligence and the FISA Court, to ensure that they comply with the Constitution and laws of the United States and appropriately protect privacy and civil liberties.

What kind of "strict controls and procedures" allow for the collection of every single record of every single phone call, and then also make it accessible to the 29-year-old IT guy in Hawaii? Just wondering...

Moving on to the "NSA internet talking points."

Section 702 is a vital legal tool that Congress reauthorized in December 2012, as part of the FISA Amendments Act Reauthorization Act, after extensive hearings and debate. Under Section 702, the Foreign Intelligence Surveillance Court (FISA Court) certifies foreign intelligence collection. There is no secret program involved – it is strictly authorized by a U.S. statute.

Again, "no secret program," merely a secret interpretation of the law, in a secret ruling by a secret court. What's everyone complaining about?

Section 702 cannot be used to target any U.S. person. Section 702 also cannot be used to target any person located in the United States, whether that person is an American or a foreigner.

Note the careful choice of words: it cannot be used to target a person in the US. It can, however, be used to collect info on a person in the US if they're not "the target" of the investigation. Fun with words!

The unauthorized disclosure of information about this critical legal tool puts our national security in grave danger, puts Americans at risk of terrorist and cyber attacks, and puts our military intelligence resources in danger of being revealed to our adversaries.

Right. So this is not a new program, it's no surprise, people shouldn't be concerned... and now that you know about it we're all going to die!

How does anyone take these jokers seriously?

Filed Under: fisa, fisc, nsa surveillance, prism, suveillance, talking points

NSA Whistleblower Ed Snowden: From My Desk I Could Wiretap Anyone: You, A Federal Judge Or The President Of The US

from the well-that's-comforting dept

Yesterday, it was revealed that Ed Snowden was the whistleblower, who exposed some details of NSA surveillance capabilities, often going far beyond what people expected. If you haven't yet, you should watch his video interview with Glenn Greenwald where he goes into more detail: Here's a bit that caught my attention:

"I, sitting at my desk, certainly had the authorities to wiretap anyone, from you, or your accountant, to a federal judge, to even the President if I had a personal email.

The wording here is a little unclear, since "wiretap" generally means capturing voice conversations, but saying that he would need a personal email address from the President to wiretap him suggests he's talking specifically about access their emails. Either way, given that we keep being told that the NSA is only supposed to cover non-US persons, the fact that a 29-year-old computer guy working for the NSA claims he could get access to anyone's email just by having their email address suggests, certainly, that there isn't much (if any) oversight, and the NSA is clearly not careful about the data it's scooping up.

Later in the interview, he explains why the people who say "I don't care, because I've got nothing to hide" are complete and total idiots:

"Because even if you're not doing anything wrong, you're being watched and recorded. And the storage capability of these systems increases every year consistently by orders of magnitude to where it's getting to the point where you don't have to have done anything wrong, you simply have to eventually fall under suspicion from somebody, even by a wrong call. And then they can use the system to go back in time and scrutinize every decision you've ever made. Every friend you've ever discussed something with. And attack you on that basis, to derive suspicion from an innocent life, and paint anyone in the context of a wrongdoer."

There's a lot more in the interview, which is absolutely worth watching. No one ever got to hear Bradley Manning speak before he got whisked away. Ed Snowden appears to have put a lot more thought and planning into what he was doing than Manning, and here we actually get to hear his thoughts.

Filed Under: bradley manning, edward snowden, nothing to hide, nsa, nsa surveillance, secrecy, suveillance, whistleblower, wiretaps