PRISM

Latest

  • President Obama announces limitations on use of NSA-collected data, puts database in the hands of third party

    by 
    Terrence O'Brien
    01.17.2014

    The scandal surrounding the NSA's data collection and surveillance programs seems never ending. Almost every week there are new revelations as to the extent of the spying, which covers everything from social networks, to phone calls, text messages and location data. President Barack Obama has already sought to assuage the public's fears once by suggesting reforms to the programs; now it's time for round two. At a speech today, the commander in chief announced efforts to limit the use of bulk-collected data and a new process for reviewing data-collection policies. While the NSA won't stop sucking up information anytime soon, added oversight and periodic audits will work to ensure the private data of average citizens is protected not just against governmental abuse, but also external parties that would seek to steal that information. There will also be annual reviews of the priorities and policies used to collect and analyze the data that will involve the heads of multiple departments and agencies. And, to the extent possible, the presidential directive promises to declassify and release the details of those policies to the public. The increased transparency will go a long way toward fulfilling the promise the president made back in July, though many privacy advocates will surely find room for improvement. The biggest change comes in the form of an end to the bulk data-collection program under section 215 of the Patriot Act. A new system will be put in place that places the collected metadata in the hands of an unspecified third party and requires a judicial finding before any query of the database, except in the event of a national emergency. There will also be a third-party privacy advocate present to argue before the FISA court at each request for data. The government will also use more stringent standards and "will only pursue phone numbers that are two steps removed from a terrorist organization." That change, from the current standard of three steps, is effective immediately. The government will have to demonstrate a clear national security purpose for each request, and the president guaranteed that this intelligence would not be used for any other purpose. That promise was delivered alongside jabs at foreign critics who have similar surveillance capabilities, but lack America's civil liberties protections.

  • Put your emoji where we can see them! The NSA collected text messages, too

    by 
    Christopher Trout
    01.16.2014

    Secretly sifting through your text messages isn't just for overprotective parents and paranoid lovers anymore. Now the NSA's prying eyes have shifted from your call logs and location data to your texts in a not-so-secret initiative called Dishfire. The Guardian reported that the NSA collected some 200 million text messages per day globally, extracting location data, contact information and credit card numbers. This revelation, unsurprisingly, sprang from documents leaked by Edward Snowden. According to the paper, the British intelligence agency known as the Government Communications Headquarters (GCHQ) also used the NSA's database to cull information about "untargeted and unwarranted" communications by UK citizens, noting that the program collects "pretty much everything it can." In addition to collecting and storing data from texts, a 2011 NSA presentation titled "SMS Text Messages: A Goldmine to Exploit," revealed a second program, referred to as "Prefer." Under Prefer, the agency used information pulled from automated text messages, missed call and network roaming alerts and electronic business cards to collect information pertaining to users' travel habits and social connections. While the documents, complete with smiley face Venn diagrams and gemstone metaphors, stated that US phone numbers were either removed or minimized, the same cannot be said for numbers from the UK and elsewhere. In a response to the report, an NSA spokesperson told The Guardian that the information would only be used against "valid foreign intelligence targets." Meanwhile the GCHQ claims it used the Dishfire data to develop new targets. According to a representative from the UK carrier Vodafone, the findings came as a shock and the program sounded like it circumvented UK privacy and security standards. Joseph Volpe contributed to this report.

  • NYT: NSA embeds radio transmitters to access offline computers from miles away

    by 
    Richard Lawler
    01.14.2014

    Tonight's fun NSA revelation comes courtesy of the New York Times, reporting on an agency program to access and alter data on computers that aren't connected to the internet. Cherry picked from the NSA's tool kit of developments -- often used to bug equipment before it reaches the intended destination -- the technology described relies on a circuit board or USB device (called Cottonmouth I) installed on a PC that communicates wirelessly with a base station nearby. The base station itself has already been described by security expert Jacob Appelbaum; codenamed Nightstand, it's capable of hacking WiFi networks from up to eight miles away and retrieving or inserting data as necessary. The programs described are not exactly up to date, and the NYT's experts suggest recent developments are focused on making the US less dependent on physical access to do its hacking. Like the Dropoutjeep software created to attack iPhones, we're told these techniques are designed for use in places like Iran and China. Still, with an estimated 100,000 or so installations it probably wouldn't hurt to give your USB ports and internal expansion slots a once-over just in case.

  • FISA court reauthorizes NSA to collect call metadata (again)

    by 
    Sean Buckley
    01.04.2014

    Need another sign that the NSA's phone surveillance program is considered legal? The Foreign Intelligence Surveillance Court is happy to oblige. This week FISA renewed the agency's authority to collect call metadata, echoing an October approval from the same court. That's actually standard -- the program needs to be reassessed every 90 days, but typically the authorizations fly under the radar. This time around, the Director of National Intelligence declassified the action "in order to provide the public with a more thorough and balanced understanding of the program." Even so, it's not giving detractors any ground: the announcement also reasserts the program's legality, citing the "holdings of the United States District Courts of the Southern District of New York and Southern District of California, as well as the findings of 15 judges of the Foreign Intelligence Surveillance Court on 36 separate occasions over the last seven years." The statement at least closes on an amicable note, promising to be open to tweaking the program in ways that "achieve our counterterrorism mission in a manner that gives the American people greater confidence." Check out the full statement at the source link below.

  • Leaked documents detail 2008 NSA program to hack and remote control iPhones (video)

    by 
    Richard Lawler
    12.31.2013

    Part of security expert Jacob Appelbaum's Chaos Communication Congress presentation exposed NSA methods to hack systems via WiFi from long range, but we'll also point out another segment focusing on the Apple iPhone (embedded after the break, beginning at 44:30). Along with German news mag Der Spiegel, he mentioned a program called DROPOUTJEEP which developed malware to install on iPhones that can remotely access files on the devices including email, voicemails and SMS, or perform geolocation, hot mic, camera capture and more. While the documents dated to 2008, around the introduction of the iPhone, Appelbaum quoted the NSA QUANTUMTHEORY "toolbox" which claimed a 100 percent success rate at implanting this spyware. At the time, loading the tool required physical access to a phone but the team was already working on something it could load remotely. Details on more recently developed attacks don't seem to be part of the package, but another Der Spiegel report back in September mentioned an example of a target captured on camera via his iPhone as in 2012. Does this news have you looking for a way around prying eyes? Good luck, since other revelations have shown programs targeting Android devices as well as BlackBerry's email servers and phones.

  • Tech's biggest misfires of 2013

    by 
    Brian Heater
    12.30.2013

    You can't win 'em all. The adage certainly holds in the fast-paced world of technology, where one small slip can put a damper on your entire year. Every year, among all of the celebrations of top gadgets and big news stories, we like to take a moment to acknowledge the other side of things. This time out, it's a pretty diverse list, from flubbed Kickstarter launches to massive governmental privacy breaches and yet another really lousy year for one smartphone manufacturer. But don't worry everyone; the year 2013 is nearly over.

  • Edward Snowden looks back at NSA leaks, considers his personal mission accomplished

    by 
    Richard Lawler
    12.23.2013

    2013 is almost over, but revelations delivered this year about the amount of communications data the NSA has access to, and how it has acquired that data, will reverberate for much longer. The man at the center of the leaks, Edward Snowden, has spoken once again to The Washington Post in an interview stretching over 14 hours about what he did and why, saying "For me, in terms of personal satisfaction, the mission's already accomplished...I already won." The meaning behind his mission was, in his words, to give the public a chance to look over what the government agency had decided -- behind the closed doors of Congress and the Foreign Intelligence Surveillance Court -- is legal in order to track terrorists after 9-11. Naturally, NSA leaders disagree, and dispute assertions that he brought his concerns about the agency's work to his supervisors. According to Snowden, he asked coworkers about how they thought the public would react if information about initiatives like PRISM and Boundless Informant appeared on newspaper front pages, confronting them with data showing the programs collected more information in the US about Americans than Russians in Russia. Now, the information has been exposed for the public. Many companies are scrambling to lock down their systems both as a practical measure and a PR move, the NSA's policies are under review, and Snowden remains in Russia where he has been granted temporary asylum, and says he's "still working for the NSA right now...they just don't realize it."

  • NSA review group tells Obama to ditch bulk phone surveillance

    by 
    Sean Buckley
    12.18.2013

    2013 has been a hard year for the White House. It's been working overtime to try and manage the PR nightmare sparked by Edward Snowden's NSA whistleblowing -- fighting the outcry of angry citizens, CEOs and major tech firms. President Barack Obama eventually created a panel to review the government's surveillance programs and propose changes that will help restore the public's trust. Today, the group's recommendations are in, and in summary, they aren't too surprising: don't spy on your citizens. The report's most public-facing suggestion mandates ending the NSA's habit of collecting US phone call metadata. The agency would still be allowed to collect some records, of course, but the panel suggests that this data be maintained by a private third party, or the phone companies themselves. More importantly, this data would only be accessible with an order from the Foreign Intelligence Surveillance Court. That's hardly the panel's only critique, either: the 308-page document actually makes a total of 46 recommendations. It suggests putting international spy operations under heavier scrutiny, for instance, and says that decisions to monitor such communications need to be made by the Commander in Chief -- not the nation's intelligence agencies. It even suggests a major tweak to the NSA's structure, asking the president to consider making the next Director of the NSA a civilian.

  • NSA overhaul could see an end to PRISM-style surveillance

    by 
    Daniel Cooper
    12.13.2013

    Edward Snowden might have missed out on becoming Person of the Year, but that's not to say he's not been a big influence on America's government this year. According to deep-throated persons familiar with the matter, the presidential task force is proposing a huge overhaul to the NSA in the wake of the PRISM scandal. Proposed changes include giving bulk collection duties to phone companies or an independent third party, imposing tighter standards before NSA staffers can access your personal data and appointing a civilian head, rather than recruiting from the military. The report is due in full on Sunday, but there's no word on when the White House will make the proposals public -- unless, you know, someone else feels compelled to "do a Snowden."

  • Microsoft's immediate plans against NSA 'threat': court challenges, encryption and transparency

    by 
    Richard Lawler
    12.05.2013

    The NSA / PRISM / MUSCULAR scandal sparked by Edward Snowden's leaks stained many tech companies, and tonight Microsoft has laid out several plans it hopes will convince customers (particularly non-US businesses and foreign governments) they're safe using its products and services. In a blog post, general counsel and executive VP Brad Smith lays out a three pronged approach of "immediate and coordinated action" against the threat of government snooping. It's expanding the use of encryption to cover any content moving between it and its customers, any transmissions between its data centers, and data stored on its servers -- all of this is said to be in place by the end of 2014. In terms of court orders that may push it to reveal data, Microsoft is committing to notify "business and government" customers of any legal orders, and if it is prevented from doing so by a gag order, says it will challenge those in court. Finally, it's expanding the existing program giving governments access to its source code so they can make sure it doesn't contain any back doors. According to Reuters, this will put Microsoft on par with other Internet companies like Amazon Web Services, Yahoo and Google for how it treats data. Still, while that may help foreign diplomats feel better about logging into Outlook or Skype, there are probably a few individuals who will keep their tin foil hats on, Kinect cameras covered and cellphones off.

  • NSA reportedly cracks down on staff who thought it was okay to share their logins with Edward Snowden

    by 
    Sharif Sakr
    11.08.2013

    In a slightly ironic twist for the National Security Agency, Reuters reports that as many as 25 members of its staff have been "removed from their assignments" because they shared their private passwords with Edward Snowden while he worked there. A number of government offices are currently trying to find out just how Snowden got hold of so much confidential data, and sources close to those investigations now claim that the PRISM whistleblower used his position as a systems admin to dupe colleagues into handing over their passwords. It's not clear whether the NSA staff involved in the breach have been fired or re-assigned, but if the allegations are true then there are likely to be some red faces at the agency once the various investigations reach their conclusions, because such a large-scale failure by supposedly highly-trained staff would implicate the NSA's systems and practices, rather than just a few naive individuals.

  • Google's Eric Schmidt slams NSA over 'outrageous' data center snooping and privacy invasion

    by 
    Jamie Rigg
    11.04.2013

    Google's Executive Chairman and former CEO Eric Schmidt isn't a huge fan of the NSA or its surveillance methods, it seems. Speaking to The Wall Street Journal, Schmidt declared: "It's really outrageous that the National Security Agency was looking between the Google data centers, if true." His comment follows recent reports of a nefarious tool crafted by the agency and the UK's GCHQ that accessed Google and Yahoo data lairs without permission. Schmidt also said that to "potentially violate people's privacy, it's not OK," and that the broad public scrutiny months of leaks has uncovered is unnecessary to find a few bad eggs. Referring to claims that the NSA amassed phone records of 320 million people to actually investigate more like 300, the Google exec commented: "That's just bad public policy... and perhaps illegal." Not that the search giant has any personal experience with illegal data collection, of course.

  • Tech giants ensnared by NSA spying petition Congress for surveillance reform

    by 
    Richard Lawler
    10.31.2013

    In the months since information about the NSA's bulk surveillance efforts began to leak, many of the tech companies named in documents have been unable to even discuss their involvement. Those blinds have been pried back a little with the release of a few transparency reports, but today Google, Microsoft, Facebook, Yahoo, Apple and AOL (the corporate parent of Engadget) sent a letter to Congress encouraging it to do more. Mashable posted a copy of the letter (embedded after the break), which is addressed to members of the Senate Judiciary Committee and specifically references the recently-introduced USA Freedom Act as an "important contribution" to the discussion. That particular bill seeks to end the NSA's "dragnet" security programs while "requiring greater oversight, transparency, and accountability with respect to domestic surveillance authorities." According to the companies, greater transparency would clear up "erroneous reports that we permit intelligence agencies 'direct access' to our companies' servers or that we are participants in a bulk Internet records collection program." As the Washington Post points out, the companies listed may take issue with other bills circulating like the FISA Improvement Act because they don't address surveillance of non-US citizens, creating suspicion and problems for said companies setting up services for users internationally.

  • Need tech support in Russia? Give Edward Snowden a call

    by 
    Daniel Cooper
    10.31.2013

    So, what happens after you've become an international pariah? The PRISM revelations may rattle along, but the figure who started it all is trying to return to something approaching a normal life. Edward Snowden's lawyer has revealed that, after settling at an undisclosed location in Russia, the NSA whistleblower has found a job. He'll be offering technical support for a domestic website, which isn't being named for the obvious reasons. Is this the last that we'll hear from the former intelligence analyst? Only time will tell.

  • Dark Mail Alliance develops surveillance-proof email technology

    by 
    Mariella Moon
    10.31.2013

    We wouldn't be surprised if you're looking for a more secure email provider after the whole government surveillance debacle. That's why Lavabit and Silent Circle have joined forces as the Dark Mail Alliance to develop a new snoop-proof email technology. Dark Mail's "Email 3.0" tech applies peer-to-peer encryption not only to the body of the digital missive, but also to its metadata (To:, From: and Subject fields) that third parties are most likely to collect. One downside is that encryption only works between Dark Mail accounts -- messages sent using the tech to Gmail or Hotmail addresses won't be protected from prying eyes. If the two firms sound familiar, that's because they used to offer secure email services of their own, which shuttered earlier this year. However, they're determined to rise from the ashes and make the tech available to the public via mobile and desktop apps by 2014.

  • Apple: No, we can't read your iMessages

    by 
    Steve Sande
    10.18.2013

    Just yesterday, we reported on the claims of security firm QuarksLab that Apple could read iMessage communications, despite the company's statement to the contrary back in June when the NSA Prism program first came to light. Well, Apple has jumped right on those claims -- with a vengeance. The QuarksLab research explains how since Apple controls the encryption keys for iMessage, it could theoretically perform a "man-in-the-middle attack" and read or alter the communications between two people, either for nefarious purposes or for the government. Apple spokesperson Trudy Miller sent a statement to AllThingsD about the research, saying "iMessage is not architected to allow Apple to read messages. The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so." AllThingsD's John Paczkowski sums up his story about Apple's declaration with a good comment about the state of surveillance these days, saying "perhaps in today's world iMessage's encryption is only as good as your trust in Apple." With other companies being asked by the NSA to enable methods of intercepting messages, one security researcher told AllThingsD that "it would be naive to think that Apple wasn't at least approached by the government at some point."

  • FISA court renews NSA permission to collect call metadata

    by 
    Richard Lawler
    10.12.2013

    News that the NSA collects bulk phone call metadata (phone numbers, call times and duration) from Verizon and other backbone providers initially leaked out in June. Since then PRISM, Edward Snowden and any number of other national security related topics have been in the spotlight, and the new focus has spurred at least one change in the process. On Friday, the Office of the Director of National Intelligence publicly announced the request -- following other declassified documents about the program -- and that it has been renewed (again) by the Foreign Intelligence Surveillance Court. As The Hill mentions, the NSA claims its analysts are only able to search through the collected data if there is "reasonable, articulable suspicion" a phone number is connected to terrorist activity. With analysts still able to paw through tons of our data this doesn't quite feel like the transparency promised, but even this small admission that it's happening highlights how things have changed.

  • NYT: NSA monitors, graphs some US Citizens' social activity with collected metadata

    by 
    Joe Pollicino
    09.28.2013

    Just how does the NSA piece together all that metadata it collects? Thanks to "newly disclosed documents and interviews with officials," The New York Times today shed light on how the agency plots out the social activity and connections of those it's spying on. Up until 2010, the NSA only traced and analyzed the metadata of emails and phone calls from foreigners, so anything from US citizens in the chains created stopgaps. Snowden-provided documents note the policy shifted later in that year to allow for the inclusion of Americans' metadata in such analysis. An NSA representative explained to the NYT that, "all data queries must include a foreign intelligence justification, period." During "large-scale graph analysis," collected metadata is cross-referenced with commercial, public and "enrichment data" (some examples included GPS locations, social media accounts and banking info) to create a contact chain tied to any foreigner under review and scope out its activity. The highlighted ingestion tool in this instance goes by the name Mainway. The NYT article also highlights a secret report, dubbed "Better Person Centric Analysis," which details how data is sorted into 164 searchable "relationship types" and 94 "entity types" (email and IP addresses, along with phone numbers). Other documents highlight that during 2011 the NSA took in over 700 million phone records daily on its own, along with an "unnamed American service provider" that began funneling in an additional 1.1 billion cellphone records that August. In addition to that, Snowden's leak of the NSA's classified 2013 budget cites it as hoping to capture "20 billion 'record events' daily" that would be available for review by the agency's analysts in an hour's time. As you might expect, the number of US citizens that've had their info bunched up into all of this currently remains a secret -- national security, of course. Extended details are available at the source links.

  • NSA accused of hacking into India's nuclear systems

    by 
    Daniel Cooper
    09.24.2013

    According to Edward Snowden's cache of documents, the NSA has been delving deeper into India's servers than many could have imagined. The Hindu is reporting that, in addition to the usual PRISM snooping, the agency also vacuumed up data on the country's nuclear, political and space programs. The newspaper says it has a document, entitled "A Week in the Life of PRISM reporting," which allegedly shows that discussions between high-ranking politicians, nuclear and space scientists were being monitored in "real-time." The revelation comes a few months after Kapil Sibal, India's IT chief, denied that any such surveillance was being undertaken. Who knows? Maybe he was spending so much time on his other projects that he missed the clues. For its part, the US has insisted that its hands are clean in India. Back in June, Secretary of State John Kerry said that the US doesn't look at individual conversations but instead "randomly surveys" data in order to discover communications that are "linked to terrorists."

  • Daily Roundup: Moto X factory tour, which new iPhone to buy, Intel's Haswell Chromebooks, and more!

    by 
    David Fishman
    09.11.2013

    You might say the day is never really done in consumer technology news. Your workday, however, hopefully draws to a close at some point. This is the Daily Roundup on Engadget, a quick peek back at the top headlines for the past 24 hours -- all handpicked by the editors here at the site. Click on through the break, and enjoy.