Domain: justsecurity.org
Stories and comments across the archive that link to justsecurity.org.
Stories · 8
-
Obama Changed Rules Regarding Raw Intelligence, Allowing NSA To Share Raw Data With US's Other 16 Intelligence Agencies (schneier.com)
An anonymous reader quotes a report from Schneier on Security: President Obama has changed the rules regarding raw intelligence, allowing the NSA to share raw data with the U.S.'s other 16 intelligence agencies. The new rules significantly relax longstanding limits on what the N.S.A. may do with the information gathered by its most powerful surveillance operations, which are largely unregulated by American wiretapping laws. These include collecting satellite transmissions, phone calls and emails that cross network switches abroad, and messages between people abroad that cross domestic network switches. The change means that far more officials will be searching through raw data. Essentially, the government is reducing the risk that the N.S.A. will fail to recognize that a piece of information would be valuable to another agency, but increasing the risk that officials will see private information about innocent people. Here are the new procedures. This rule change has been in the works for a while. Here are two blog posts from April discussing the then-proposed changes. -
Are US Courts 'Going Dark'? (justsecurity.org)
An anonymous reader writes: Judge Stephen Wm. Smith argues that questions about the government's "golden age of surveillance" miss an equally significant trend: that the U.S. Courts are "going dark". In a new editorial, he writes that "Before the digital age, executed search warrants were routinely placed on the court docket available for public inspection," but after the Electronic Communications Privacy Act of 1986, more than 30,000 secret court surveillance orders were given just in 2006. He predicts that today's figure is more than double, "And those figures do not include surveillance orders obtained by state and local authorities, who handle more than 15 times the number of felony investigations that the feds do. Based on that ratio, the annual rate of secret surveillance orders by federal and state courts combined could easily exceed half a million."
Judge Smith also cites an increase in cases -- even civil cases -- that are completely sealed, but also an increase in "private arbitration" and other ways of resolving disputes which are shielded from the public eye. "Employers, Internet service providers, and consumer lenders have led a mass exodus from the court system. By the click of a mouse or tick of a box, the American public is constantly inveigled to divert the enforcement of its legal rights to venues closed off from public scrutiny. Justice is becoming privatized, like so many other formerly public goods turned over to invisible hands -- electricity, water, education, prisons, highways, the military."
The judge's conclusion? "Over the last 40 years, secrecy in all aspects of the judicial process has risen to literally unprecedented levels." -
Anti-Terrorism Hypothetical: Bulk Scanning of Hosted Files? (justsecurity.org)
An anonymous reader writes: The tech community has spoken: we don't want the NSA or any other government agency running bulk surveillance on us, and we don't want tech companies to help them. But Bruce Schneier points out an interesting hypothetical raised by Harvard Law School professor Jonathan Zittrain: "Suppose a laptop were found at the apartment of one of the perpetrators of last year's Paris attacks. It's searched by the authorities pursuant to a warrant, and they find a file on the laptop that's a set of instructions for carrying out the attacks. ... The private document was likely shared among other conspirators, some of whom are still on the run or unknown entirely. Surely Google has the ability to run a search of all Gmail inboxes, outboxes, and message drafts folders, plus Google Drive cloud storage, to see if any of its 900 million users are currently in possession of that exact document.
If Google could be persuaded or ordered to run the search, it could generate a list of only those Google accounts possessing the precise file — and all other Google users would remain undisturbed, except for the briefest of computerized 'touches' on their accounts to see if the file reposed there." Zittrain asks: would you run the search? He then walks us through some of the possible complications to the situation, and the pros and cons of granting permission. His personal conclusion is this: "At least in theory, and with some real trepidation, I'd run the search in that instance, and along with it publicly establish a policy for exactly how clear cut the circumstances have to be (answer: very) for future cases to justify pressing the enter key on a similar search." What would you do? -
US Budget Bill Passes With CISA Surveillance Intact (npr.org)
An anonymous reader writes: Early on Friday, the U.S. Senate approved the 2,000 page 'omnibus' budget bill that allocated $1.15 trillion in government funding. Later in the day, President Obama signed it into law. Because the budget bill was so important, many other pieces of unrelated legislation were tacked onto it, including the Cybersecurity Information Sharing Act, a bill notable for giving the government increased internet surveillance powers. Civil rights activists and tech experts largely consider it a "privacy disaster," and several lawmakers voted against the budget bill solely for CISA's inclusion. Senator Ron Wyden (D-OR) said, "Unfortunately, this misguided cyber legislation does little to protect Americans' security, and a great deal more to threaten our privacy than the flawed Senate version. Americans demand real solutions that will protect them from foreign hackers, not knee-jerk responses that allow companies to fork over huge amounts of their customers' private data with only cursory review." Corporations in the U.S. will now have "legal immunity when sharing consumers' private data about hacks and digital breaches." The full omnibus is available online (PDF). The CISA provisions start on page 1,728. -
NSA Director Wants Legal Right To Snoop On Encrypted Data
jfruh writes: This may not come as a huge shock, but the director of the NSA doesn't believe that you have the right to encrypt your data in a way that the government can't access it. At a cybersecurity policy event, Michael Rogers said that the U.S. should be able to craft a policy that allows the NSA and law enforcement agencies to read encrypted data when they need to. -
Interviews: Jennifer Granick Answers Your Questions
samzenpus (5) writes "Recently you had a chance to ask Jennifer Granick, the Director of Civil Liberties for the Center for Internet and Society at Stanford Law School, about surveillance, data protection, copyright, and a number of other internet privacy issues. Below you'll find her answers to those questions."
What can be done to fix the DMCA?
by Anonymous Coward
As pretty much anyone who has ever used YouTube (or any similar service) knows, the DMCA has a lot of issues. For one, there's the fact that individuals or companies who file false DMCA claims, which are supposedly punishable under the law, are never punished. Another would be the unfair application of the DMCA - partners and other monetized channels on YouTube will (almost) never have their videos taken down from a single DMCA claim, even if a video made under the same circumstances and containing similar content would be taken down on a non-partner channel if a DMCA notice was ever filed. Is the EFF planning to do anything lobbying-wise to fix the DMCA? If so, what in your opinion would be the way to go about fixing it?
Granick: I don’t work for EFF anymore, so I can’t speak for their plans or thoughts.
The DMCA has two main parts, the notice and take down provisions, and the anti-circumvention provisions. By and large I think the notice and take down provisions are livable. The burden for specifically identifying infringing content is and should remain on rights holders. In making those identifications, there is the problem of unpunished abuse, and even just plain mistakes. Sometimes, legitimate content is improperly taken down and not restored. But overall, that system is allowing non-infringing content to flourish, and even enabling alternative business models for licensing and monetizing.
The anti-circumvention provisions, also called section 1201, are fundamentally broken. They interfere with people’s freedom to explore and modify software and devices that they themselves own. I support currently stalled efforts to reform section 1201 by protecting cell phone unlocking. If you want to just address phone unlocking, there’s a right and a wrong way to do it. https://cyberlaw.stanford.edu/blog/2013/03/heres-how-legalize-phone-unlocking Still, these efforts fall short. Section 1201 could be and should be modified to regulate tools designed for infringement and leave mere access and tools that enable access alone.
Role of DMCA and free markets
by JohnnyComeLately
Do you see free market innovation thriving with DMCA despite the apparent lack of innovation? Articulation of my question: When I buy a car, I can modify it. If people like my modification they can view it at my leisure and tinker themselves. GM doesn't sue me, and if I open a business to work on other GM cars to do similar GM vehicle modifications, then I have little legal exposure. However, with DMCA, GM can shut down a video if it's "suspected" I've infringed on a digital asset, and I can't legally sell modifications of their digital asset. This is why we see every new technology for digital streaming of data run a gauntlet of legal hurdles, which in turn stifles new innovation in the area of digital property.
Granick: The anti-circumvention provisions of the DMCA haven’t totally killed innovation even as they hamper it in a number of ways. The EFF has been documenting those ways.
Re:European "right to be forgotten"
by AmiMoJo
Could you explain the "right to be forgotten" concisely and effectively so that people don't assume it grants "freedom not to be talked about"? Every story on Slashdot and every other news site with comments gets hundreds of angry responses from people who have completely the wrong idea about it.
Granick: The new case from the European Court of Justice says that people can compel search engines to remove certain reputation-harming search results that are generated by searching on the individual’s name. The ruling does not establish a “freedom not to be talked about” generally. But it is too broad. It interferes with the sanctity of search, which should be about getting people the most relevant results. Instead, it allows individuals to try to hide information about themselves, even if true. And the standard to be applied is horribly vague — search results are to be excluded if they are “inadequate, irrelevant or no longer relevant”. Companies will likely err on the side of caution and remove links upon request, regardless of the public interest in the information.
ECJ Google Spain v AEPD: privacy vs expression?
by xavdeman
You must deal with the clash between freedom of information (and expression), like in the Schwartz-case, and the right to privacy (and to be forgotten, even by agencies such as the NSA), every day.
What is your opinion on the Court of Justice of the European Union's Grand Chamber judgement in C-131/12 (Google Spain v AEPD and Mario Costeja Gonzalez)? The court ruled that the fundamental rights to privacy and data protection should, ‘as a rule’ override ‘not only the economic interest of the operator but also the interest of the general public in finding that information’. However, in certain circumstances, there may be a preponderant interest of the general public (for instance, if the individual concerned was a public figure) [97].[...], this is an assessment which must be made by the national court [98]. One commentator (Guy Vassall-Adams) noted that: "It appears that the court never asked itself if these large corporations can be relied on to protect the public interest in freedom of expression, taking a principled stance in response to unmeritorious complaints, as opposed to simply following the easy (and cheap) course of erasing information on request. Across the Atlantic and around the world other countries will look on us with bemusement as they read information which we are denied. This judgment is profoundly harmful to the operation of the internet and a betrayal of Europe’s great legacy in protecting freedom of expression."
Do you think the Court struck a good balance between the rights to privacy and freedom of expression? Can we expect a similar ruling by the US Supreme Court?...
Granick: For the reasons above, I think the ruling is a big mistake. I don’t believe this rule would be possible in the United States, as it almost certainly violates the First Amendment.
...What is your opinion on the Streisand effect of such cases (everybody knows that Mario Costeja Gonzalez was at one time involved in bankruptcy proceedings, because this is in ECJ case).
Granick: This individual will go down in history for both bankruptcy proceedings and for engendering one of the more confounding privacy rulings of the decade.
How to fight harder and win
by globaljustin
Ms. Granick, thanks so much for taking the time, your expertise on this issue is very valuable! I was an intern on Capitol Hill and was able to sneak into the Senate Judiciary Committee hearing on updates to the DMCA where Metallica and Shawn Fanning testified. My question: On issues of digital technology and freedom how can we, the people of the US, fight harder & win?
What represents a "win" against the RIAA/MPAA or a "win" for net neutrality? If all we need is Congress to pass Common Carriage why is it so difficult to get done? Ever since I attended that Senate Judiciary hearing, and I learned the issues, I realized it's always the same groups opposing digital freedom. What do we have to do to fix these issues forever so we can move on to better problems?
Granick: I’ve become even more disillusioned with Congress than I already was. I think money in politics is a huge problem. It’s polarizing the politicians such that they do not do what the public wants even when there is a general consensus. Lawmakers can’t agree so they propose laws that do nothing and please no one, and then those bills do not pass. I remain optimistic, but we need to get all the pieces of democracy healthy again—free press, level playing field, educated populace—before Congress is going to be a fruitful avenue for the public interest to win. This is why I support the Rootstrikers and Larry Lessig’s MayDayPAC.
Re:Can Privacy ever actually be Maintained?
by Noah Haders
A follow on to this that is more personal. Without a doubt EFF has been owned 20 times over by NSA, not to mention anybody who works as a director of internet civil liberties. Personal stuff too. Emails, bank records. Email accounts of your family, friends, and friends of friends (3 hops)! And unlike most NSA snooping which seems to be captured for the glee of capturing, your stuff is probably pretty closely monitored.
Do you think about this or worry about this? Does it change your online behavior, or relationships with friends and family?
Granick: This has changed my behavior. I use encryption now far more than I did, for emails, texts and for phone calls. The people I communicate with are not that tech savvy though, and so that limits my ability to encrypt all the time. I use cookie blockers now, when I didn’t before. I don’t want Facebook tracking what I read. If I had more privacy friendly options, I’d use them. People often preface things they say to me with, “If the NSA is listening, they may not understand this, but” I find that terrifying, that people are afraid to be honest with their friends, and eventually maybe with themselves, for fear of government overreaction.
But I haven’t given up and you shouldn’t either. The idea isn’t complete secrecy, but to make opportunistic mass surveillance and bulk data collection impossible, and to make investigating people expensive again. That is one way we can ensure that such investigations happen for good reason, i.e. when they are worth the trouble. A great essay on the inevitability of privacy is by @neilmrichards: Privacy is Not Dead—It’s Inevitable. There’s also a great essay by Eben Moglen on why privacy is not hopeless. He says Snowden distinguished “between those forms of network communication that are hopelessly corrupted and no longer usable, those that are endangered by a continuing assault on the part of an agency gone rogue, and those that, even with their vast power, all their wealth, and all their misplaced ambition, conscientiousness and effort, they still cannot break.”
Where is personal privacy going?
by Spyder
Ms Granick, I'd really appreciate your perspective of where you think the personal privacy equilibrium will be. What personal privacy protections do you believe will survive the next 20 years in the US?
Do you believe that there will be individual control of personal information that will have sufficient force of law to be functional meaningful in the US? Do you believe those protections will be useful if the information is stored outside the US?
Granick: I believe the Fourth Amendment is going to evolve in constructive ways such that it will still be relevant to privacy in 20 years. I think we’re going to reform statutes to provide location privacy. There’s a lot of support for that. And I think we’re going to have a single rule for law enforcement access to communications content from public providers. Beyond that, I think we’ve got work to do.
My opinion is that the location of data is not going to be a major factor in whether our government accesses it, except to the extent that it can do more mass surveillance of unencrypted data overseas at this point in time. I think that’s going to (slowly) change for technological and political reasons.
Campaign Finance Reform
by RR
It seems that no matter which party we vote for, we get either corporate-funded stooges or patronizing paternalists, like Dianne Feinstein of California. The media are complicit in this miscarriage of justice with their anointed "serious" candidates and "wasted" votes, for various reasons probably including the high amounts of money that they receive during campaigns.
So, what do you think about Larry Lessig and his change of focus from free culture to Congressional corruption?
Granick: I admire Larry immensely for the work he’s doing now on money in politics and for his innovation and commitment to the cause. I support the MayOne PAC wholeheartedly, and hope you will too.
Reconcile wisdom vs. technological savviness
by OSULugan
Slashdot has had a lot of discussion recently with regard to the (perception of the) Supreme Court justices' (apparent) lack of technological savviness due to their age. This is pervasive throughout all of our government, from federal to local and throughout all three branches. Classically, this was desirable for the wisdom that comes with age, the prevention of coercion for the independent Supreme Court and/or the perks that could come from having a representative with seniority.
How do you see evolution of our government in a future where technological advances come at an ever increasing pace?
I.e., how does our government reconcile the need for wisdom in governance with the need for an understanding of the technology in the modern world, and the application of laws against it?
Granick: There are lots of informal ways to address this. For example, Supreme Court clerks are from a different generation, and understand cell phones. There are tech trainings for judges. I’ve attended them. Overall, I think the older judges are getting the point that technology matters, and they are trying to do better. The recent Fourth Circuit opinion in Lavabit got the tech, for example. Of course, you start with awareness that there’s a problem, and solving it is another matter. But it’s solvable.
Re:ECJ Google Spain v AEPD: privacy vs expression?
by xavdeman
Hey Jennifer, I just thought of another question. What is your opinion on cyber bullying and litigation?
E.g. a bully posts sensitive personal data about someone, and he or she wants that data to be "forgotten" by search engines, web hosts etc. (data processors). To obtain this result, he or she would have to go to a court, and because of the fact that most court proceedings are public and published (in the EU, at least, and let's assume this is concerning an adult, because in most countries, court cases involving minors are closed), this information would be even more widely broadcast, through the public records of the courts.
Is this a legal catch 22, do you see any solutions for these kinds of victims?
Granick: Courts deal with confidential information all the time, like in trade secret cases. And I think those tools can be used to hide sensitive personal data like addresses, credit card numbers and the like during litigation. But there is a bigger problem you are touching on here which includes “revenge porn”, upskirt photos, pictures of college kids passed out from drinking too much, and the like. Our society hasn’t developed a good way of dealing with these privacy violations yet. I do not think the law should change to make Internet search engines or platforms legally responsible for policing this content. Such changes may threaten public access to embarrassing information about politicians, for example. But while we figure out how we should respond, some people are suffering. So far this is a Catch-22, and I look to markets, technology and norms to develop into the main drivers for mitigating this serious problem.
Thanks to everyone who submitted questions for me!