Domain: lawfareblog.com
Stories and comments across the archive that link to lawfareblog.com.
Stories · 9
'It's Time To End the NSA's Metadata Collection Program' (wired.com)
Jake Laperruque, Senior Counsel at The Constitution Project, where he is working on issues of government surveillance, national security and defending privacy rights in the digital age, argues via Wired that it's time to end the National Security Agency's metadata collection program, known as CDR. An anonymous reader shares an excerpt: In 2015, Congress passed the USA Freedom Act to reform Section 215 and prohibit the nationwide bulk collection of communications metadata, like who we make calls to and receive them from, when, and the call duration. The provision was replaced with a significantly slimmed-down call detail record program, known as CDR. Rather than collecting information in bulk, CDR collects communications metadata of surveillance targets as well as those of individuals up to two degrees of separation (commonly called "two hops") from the surveillance target. But this newer system appears to be no more effective than its predecessor and is highly damaging to constitutional rights. Given this combination, it's time for Congress to pull the plug and end the authority for the CDR program.
It's unsurprising that just last week a bipartisan group in Congress introduced a bill to do so. Last month, the New York Times reported that a highly placed congressional staffer had stated that the CDR program has been out of operation for months, and several days later, NSA Director Paul Nakasone issued comments responding to questions about the Times story by saying the NSA was deliberating the future of the program. If accurate, this news is major but not shocking; this large-scale-collection program has been fraught with problems. Last year, the NSA announced that technical problems had caused it to collect information it wasn't legally authorized to, and that in response, the agency had voluntarily deleted all the call detail records it had previously acquired through the CDR program -- without even waiting for a court order or trying to save some of the data -- indicating that the system was unwieldy and the data being collected was not important to the agency.
Disputed NSA Phone Program Is Shut Down, Aide Says (nytimes.com)
According to a senior Republican congressional aide, the National Security Agency has quietly shut down a system that analyzes logs of Americans' domestic calls and texts. "The agency has not used the system in months, and the Trump administration might not ask Congress to renew its legal authority, which is set to expire at the end of the year, according to the aide, Luke Murry, the House minority leader's national security adviser," reports The New York Times. From the report: In a raw assertion of executive power, President George W. Bush's administration started the program as part of its intense pursuit of Qaeda conspirators in the weeks after the 2001 terrorist attacks, and a court later secretly blessed it. The intelligence contractor Edward J. Snowden disclosed the program's existence in 2013, jolting the public and contributing to growing awareness of how both governments and private companies harvest and exploit personal data. The way that intelligence analysts have gained access to bulk records of Americans' phone calls and texts has evolved, but the purpose has been the same: They analyze social links to hunt for associates of known terrorism suspects.
Congress ended and replaced the program disclosed by Mr. Snowden with the U.S.A. Freedom Act of 2015, which will expire in December. Security and privacy advocates have been gearing up for a legislative battle over whether to extend or revise the program -- and with what changes, if any. Mr. Murry, who is an adviser for Representative Kevin McCarthy of California, raised doubts over the weekend about whether that debate will be necessary. His remarks came during a podcast for the national security website Lawfare. Mr. Murry brought up the pending expiration of the Freedom Act, but then disclosed that the Trump administration "hasn't actually been using it for the past six months." "I'm actually not certain that the administration will want to start that back up," Mr. Murry said. He referred to problems that the National Security Agency disclosed last year. "Technical irregularities" had contaminated the agency's database with message logs it had no authority to collect, so officials purged hundreds of millions of call and text records gathered from American telecommunications firms. A spokesman for Mr. McCarthy's office said that Mr. Murry "was not speaking on behalf of administration policy or what Congress intends to do on this issue."
NERC Fines Utilities $10 Million Citing Serious Cyber Risk, But Won't Name Them (securityledger.com)
chicksdaddy shares a report from The Security Ledger: The North American Electric Reliability Corp. (NERC) imposed its stiffest fine to date for violations of Critical Infrastructure Protection (CIP) cybersecurity regulations. But who violated the standards and much of what the agency found remains secret. In a heavily redacted 250-page regulatory filing, NERC fined undisclosed companies belonging to a so-called "Regional Entity" $10 million for 127 violations of the Critical Infrastructure Protection standards, the U.S.'s main cyber security standard for critical infrastructure including the electric grid. Thirteen of the violations listed were rated as a "serious risk" to the operation of the Bulk Power System and 62 were rated a "moderate risk." Together, the "collective risk of the 127 violations posed a serious risk to the reliability of the (Bulk Power System)," NERC wrote.
The fines come as the U.S. intelligence community is warning Congress of the growing risk of cyber attacks on the U.S. electric grid. In testimony this week, Director of National Intelligence Dan Coats specifically called out Russia's use of cyber attacks to cause social disruptions, citing that country's campaign against Ukraine's electric infrastructure in 2015 and 2016. The extensively redacted document provides no information on which companies were fined or where they are located, citing the risk of cyber attack should their identity be known. Regional Entities account for virtually all of the electricity supplied in the U.S. They are made up of investor-owned utilities; federal power agencies; rural electric cooperatives; state, municipal, and provincial utilities; independent power producers; power marketers; and end-use customers. However, details in the report provide some insight into the fines. For example, violations of a CIP statute that requires companies to "manage electronic access to (Bulk Electric System) Cyber Systems by specifying a controlled Electronic Security Perimeter" is rated a serious risk. So too are violations of CIP requirements calling for covered entities to "implement and document" access controls for "all electronic access points to the Electronic Security Perimeter(s)." Specific requirements that were violated suggest that the companies failed to implement access controls that "denies access by default," "enable only ports and services required for operations and for monitoring Cyber Assets within the Electronic Security Perimeter," and ensure the authenticity of parties attempting to remotely access the company's "electronic security perimeter."
Microsoft Email Privacy Case No Longer Needed, Says The US (cnn.com)
An anonymous reader quotes CNN: The U.S. Department of Justice is asking the Supreme Court to abandon its case against Microsoft over international data privacy. A new law signed by President Donald Trump last week answers the legal question at the heart of Microsoft's case, the DOJ says. So the case "is now moot," the department said in a court filing posted Saturday.
Microsoft's legal battle began in 2013, when it refused to hand over emails stored on a server in Ireland to US officials who were investigating drug trafficking. Microsoft argued at the time that sharing data stored abroad could violate international treaties and policies, and there was no law on the books to provide any clarity. That changed with the Cloud Act, which was tucked into the spending bill that Trump signed March 23. The act establishes a legal pathway for the United States to form agreements with other nations that make it easier for law enforcement to collect data stored on foreign soil... Microsoft cheered the new law, saying the Cloud Act provides the legal clarity the company sought.
The ACLU's legislative counsel argues that the new act hurts privacy and human rights, "at a time when human rights activists, dissidents and journalists around the world face unprecedented attacks."
"Would even a well-intentioned technology company, particularly a small one, have the expertise and resources to competently assess the risk that a foreign order may pose to a particular human rights activist?"
China's Unprecedented Cyber Law Signals Its Intent To Protect a Precious Commodity: Data (technologyreview.com)
An anonymous reader quotes a report from MIT Technology Review: An aggressive new cybersecurity and data protection law in China that goes into effect today will have global ripple effects, and could serve as a model for other governments. But the Chinese government has also left many parts of the law vague -- likely an intentional move meant to allow the country to stake out its own sense of "cyber sovereignty" while waiting to see how the U.S., Europe, and others decide to regulate the flow of data across international borders. The new law is a resounding announcement from China that it intends to be a global player in controlling perhaps the most precious commodity of the digital economy: data. It's hard to know how the law will actually change things because the most controversial aspects of it are so vague. Among them is a requirement that certain companies submit their products to the government for cybersecurity checks, which may even involve reviewing source code. How often it would be required, and how the government will determine which products must be reviewed is unknown. This could come into play as part of China's broader regulatory push to expand law enforcement's power to access data during criminal investigations. Another vague directive calls for companies to store certain data within the country's borders, in the interest of safeguarding sensitive information from espionage or other foreign meddling. The government has delayed the implementation of this change until the end of 2018, however.
Revived Lawsuit Says Twitter DMs Are Like Handing ISIS a Satellite Phone (theverge.com)
An anonymous reader quotes a report from The Verge: A long-standing lawsuit holding Twitter responsible for the rise of ISIS got new life today, as plaintiffs filed a revised version of the complaint (PDF) that was struck down earlier this month. In the new complaint, the plaintiffs argue Twitter's Direct Message service is akin to providing ISIS with physical communications equipment like a radio or a satellite phone. The latest complaint is largely the same as the one filed in January, but a few crucial differences will be at the center of the court's response. The plaintiffs also offer new arguments for why Twitter might be held responsible for the attack. In the dismissal earlier this month (PDF), District Judge William Orrick faulted the plaintiffs for not articulating a case for why providing access to Twitter's services constituted material aid to ISIS. "Apart from the private nature of Direct Messaging, plaintiffs identify no other way in which their Direct Messaging theory seeks to treat Twitter as anything other than a publisher of information provided by another information content provider," the ruling reads. At the same time, the judge found that the privacy of those direct messages "does not remove the transmission of such messages from the scope of publishing activity." The new complaint includes some language that might address that concern, explicitly comparing Twitter to other material communication tools. "Giving ISIS the capability to send and receive Direct Messages in this manner is no different than handing it a satellite phone, walkie-talkies or the use of a mail drop," the new complaint reads, "all of which terrorists use for private communications in order to further their extremist agendas." The Safe Harbor clause has been used in the past to protect service providers from liability for hosting data on their network. 
However, "Brookings Institution scholar Benjamin Wittes argued against protecting Twitter under the Safe Harbor clause, claiming that the current reasoning would also protect companies that actively offer services in support of terrorists."
Should Cyborgs Have the Same Privacy Rights As Humans?
Jason Koebler writes: When someone with an e-tattoo or an implanted biochip inevitably commits a crime, and evidence of that crime exists on that device within them, do they have a legal right to protect that evidence? Do cyborgs have the same rights as humans? "The more you take a thing with no rights and integrate it indelibly into a thing that we invest with rights, the more you inevitably confront the question: Do you give the thing with no rights rights, or do you take those rights away from the thing with rights?" said Benjamin Wittes, a senior fellow at the Brookings Institution, who just released a paper exploring the subject.
OpenSSL: the New Face of Technology Monoculture
chicksdaddy writes: "In a now-famous 2003 essay, 'Cyberinsecurity: The Cost of Monopoly,' Dr. Dan Geer argued, persuasively, that Microsoft's operating system monopoly constituted a grave risk to the security of the United States and international security, as well. It was in the interest of the U.S. government and others to break Redmond's monopoly, or at least to lessen Microsoft's ability to 'lock in' customers and limit choice. The essay cost Geer his job at the security consulting firm AtStake, which then counted Microsoft as a major customer. These days Geer is the Chief Security Officer at In-Q-Tel, the CIA's venture capital arm. But he's no less vigilant about the dangers of software monocultures. In a post at the Lawfare blog, Geer is again warning about the dangers that come from an over-reliance on common platforms and code. His concern this time isn't proprietary software managed by Redmond, however; it's common, oft-reused hardware and software packages like the OpenSSL software at the heart (pun intended) of Heartbleed. 'The critical infrastructure's monoculture question was once centered on Microsoft Windows,' he writes. 'No more. The critical infrastructure's monoculture problem, and hence its exposure to common mode risk, is now small devices and the chips which run them.'"
NYTimes Sues US Gov't To Know How It Interprets the PATRIOT Act
hydrofix writes "Techdirt has been following the story of the DoJ's classified interpretation of the PATRIOT Act. Specifically, it's all about Section 215, the so-called 'business-records provision,' which empowers the FBI to get businesses to turn over any records it deems relevant to a security investigation. Senators Ron Wyden and Mark Udall have been pushing the government to reveal how it uses these provisions to deploy 'dragnets' for massive amounts of information on private citizens 'without any connection to terrorism or espionage,' a secret reinterpretation that is 'inconsistent with the public's understanding of these laws.' After NYTimes reporter Charlie Savage had his Freedom of Information request denied, the NYTimes has now sued the government (PDF) to reveal how it interprets the very law under which it's required to operate."