PRISM

Latest

  • Court documents reveal secret rules allowing NSA to use US data without a warrant

    by 
    Mat Smith
    06.21.2013

    NSA's information gathering practices have been further detailed in court papers revealed by The Guardian. While the agency has continued to reiterate that it doesn't collect its data indiscriminately, the leaked papers detail several loopholes that allow it to gather data from both American and foreign origins without the need for a warrant. If you use data encryption or other privacy tools, your communications are likely to receive extra attention, and the agency can indefinitely keep any information assembled for "crypto-analytic, traffic analysis or signal exploitation purposes" -- in short, if the NSA believes it may be relevant in the future. One reason to hold onto said files could simply be the fact that the data is encrypted and NSA wants to be able to analyze its protection. The security agency can also give the FBI and other government organizations any data if it contains a significant amount of foreign intelligence, or information about a crime that has been (or will be) committed. Any data that's "inadvertently acquired" through the NSA's methods -- and could potentially contain details of US citizens -- can be held for up to five years before it has to be deleted. The Guardian's uploaded the leaked papers in full -- hit the source links for more.

  • Google challenges FISA court on government data requests, asks for ability to release more details

    by 
    Donald Melanson
    06.18.2013

    Google and other companies have already made general calls for more transparency in the wake of the PRISM revelations, and it looks like Mountain View is now escalating those requests to a court challenge. As The Washington Post reports, Google is asking the Foreign Intelligence Surveillance Court for some additional leeway with the government requests for data that it's able to disclose, and it's citing the First Amendment to make its case. In a statement provided to us (included in full after the break), a Google spokesperson says that the company is specifically asking the court to let it "publish aggregate numbers of national security requests, including FISA disclosures, separately," adding that "lumping national security requests together with criminal requests - as some companies have been permitted to do - would be a backward step for our users." That's in line with a statement Google made on Friday, which was echoed by Twitter, although there's no word yet on it or any other companies joining Google in the court challenge at this time.

  • FISA request roundup: Who has Uncle Sam asked to see your data, and how often?

    by 
    Michael Gorman
    06.18.2013

    As much as the federal government would like it to, the public outrage at the scope of its PRISM program has yet to die down, despite any good the program may have served in the interests of national and local security. The revelations made by Edward Snowden have cast a bright light on the powers granted our government by the Foreign Intelligence Surveillance Act (FISA), and many companies are taking the opportunity to push the feds to let them tell the public just how many governmental data requests are being made. Of course, no company can release exactly how many requests were made under FISA -- companies can only publish the number of total data requests, whether they be from the NSA, local law enforcement or elsewhere. Since so many of Silicon Valley's giants have been dishing our data to Uncle Sam on the sly, we figured we'd bring you all the numbers in one place. At the top of the request list is Yahoo, which received between 12-13,000 requests in the first six months of 2013. During that same time period, Apple received between 4-5,000 requests. Meanwhile, Google reported 8,438 requests between July and December of 2012, Facebook received between 9-10,000 and Microsoft was asked for its users' data between 6-7,000 times. Prefer pictures to numbers? A colorful chart awaits after the break.

  • FBI deputy director claims intelligence programs foiled NYC subway and NYSE bombings, among others (update)

    by 
    Ben Gilbert
    06.18.2013

    The United States government's controversial data collection practices reportedly helped thwart plots to bomb the New York City subway system and New York Stock Exchange, Federal Bureau of Investigation deputy director Sean Joyce said during a House Intelligence Committee hearing this morning in Washington, DC. Information from the programs -- one focused on phone networks and another on the internet -- was also said to serve a role in stopping a separate bombing threat at Danish newspaper Jyllands-Posten in Denmark, which ran a cartoon depicting Islam's Prophet Muhammad. National Security Agency director Keith Alexander added that, "50 terror threats in 20 countries" were stopped as a result of the controversial information gathering practices. "I would much rather be here today debating this than explaining why we were unable to prevent another 9/11 attack," he said. When asked if the NSA is technologically capable of "flipping a switch" and listening in on Americans (whether by phone or internet), Alexander flatly answered, "no." Update: According to a Wired report, the man named during today's hearing in connection with the New York Stock Exchange bombing, Khalid Ouazzani, wasn't convicted of anything regarding the NYSE. Rather, his plea cites various money laundering in connection with terrorists, and his lawyer said, "Khalid Ouazzani was not involved in any plot to bomb the New York Stock Exchange."

  • UK reportedly set up fake internet cafes, hacked diplomats' BlackBerrys during 2009 G20 summit

    by 
    Daniel Cooper
    06.17.2013

    If you're antsy at the idea of PRISM reading your Facebook messages, be thankful you're not a foreign diplomat. The Guardian is reporting that GCHQ, the UK's communications surveillance unit, hacked delegates' BlackBerry handsets during 2009's G20 summit in London. According to leaked documents, spies were able to relay private messages to analysts in "near real-time," and pass that information along to top politicians as they were negotiating deals. The organization is also said to have set up fake internet cafés around the conference area, which used key-logging software to steal dignitaries' passwords for long-term surveillance. If you'll excuse us, we're just off to, you know, change all of our login details.

  • Apple issues 'Commitment to Customer Privacy' statement

    by 
    Michael Grothaus
    06.17.2013

    Earlier this month a top-secret PowerPoint presentation was released that leaked the existence of the US government's PRISM program. The program is a surveillance program that gives the US government a backdoor into user accounts at major technology companies such as Microsoft, Facebook, Google and Apple, among others. All of the companies involved have strenuously denied any knowledge of PRISM's existence and have been in damage control mode assuring users that their privacy is upheld. Early today Apple issued a statement called Apple's Commitment to Customer Privacy in which it aims to clarify to users the steps it goes through to protect their privacy and also to state how many requests for user data it received from the government. Below is the statement in full.

    Apple's Commitment to Customer Privacy

    Two weeks ago, when technology companies were accused of indiscriminately sharing customer data with government agencies, Apple issued a clear response: We first heard of the government's "Prism" program when news organizations asked us about it on June 6. We do not provide any government agency with direct access to our servers, and any government agency requesting customer content must get a court order.

    Like several other companies, we have asked the U.S. government for permission to report how many requests we receive related to national security and how we handle them. We have been authorized to share some of that data, and we are providing it here in the interest of transparency.

    From December 1, 2012 to May 31, 2013, Apple received between 4,000 and 5,000 requests from U.S. law enforcement for customer data. Between 9,000 and 10,000 accounts or devices were specified in those requests, which came from federal, state and local authorities and included both criminal investigations and national security matters. The most common form of request comes from police investigating robberies and other crimes, searching for missing children, trying to locate a patient with Alzheimer's disease, or hoping to prevent a suicide.

    Regardless of the circumstances, our Legal team conducts an evaluation of each request and, only if appropriate, we retrieve and deliver the narrowest possible set of information to the authorities. In fact, from time to time when we see inconsistencies or inaccuracies in a request, we will refuse to fulfill it.

    Apple has always placed a priority on protecting our customers' personal data, and we don't collect or maintain a mountain of personal details about our customers in the first place. There are certain categories of information which we do not provide to law enforcement or any other group because we choose not to retain it. For example, conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data. Similarly, we do not store data related to customers' location, Map searches or Siri requests in any identifiable form.

    We will continue to work hard to strike the right balance between fulfilling our legal responsibilities and protecting our customers' privacy as they expect and deserve.

  • Apple releases statement on customer privacy, received over 4,000 government information requests in six months

    by 
    Mat Smith
    06.17.2013

    Following the likes of Microsoft and Facebook, Apple has publicly responded to the explosion of interest in the NSA's PRISM program, and has been authorized to reveal some of the data on what it's shared with the US government in the past. It apparently first heard of the program when the media started to ask about it earlier this month and has reiterated that it provides no government agency with direct access to its servers. It does, however, get its fair share of requests for customer data from US law enforcement, receiving between 4,000 and 5,000 of them between December 1 2012 and May 31 2013. These requests covered over 9,000 accounts or devices, and come from federal, state and local authorities. Apple elaborated a little on these information requests too, saying that the majority of these requests have involved searching for missing children, preventing suicides and robberies. The company says it has "always placed a priority on protecting our customers' personal data," and its legal team evaluates each request. Apparently, Apple can't decrypt (and thus share) iMessage and FaceTime data, which is encrypted end-to-end. We've added its full statement after the break.

  • US officials say less than 300 phone numbers were investigated in 2012, data thwarted terrorist plots

    by 
    Sean Buckley
    06.16.2013

    With all the coverage PRISM and the NSA's data collection have been getting recently, it's no surprise that the US government is eager to rationalize its actions. The crux of the latest defense seems to be that the government isn't using its treasure trove of data very often: according to recently declassified documents, the NSA used the database to investigate less than 300 phone numbers last year. These efforts reportedly prevented terrorist actions in more than 20 countries. It's a small assurance, but a vague one, and the NSA knows it -- according to the Associated Press, the organization is trying to get the records of these thwarted plots declassified to demonstrate the program's value to concerned citizens. The reveal of such data might be a convincing argument, but disquieting revelations continue to roll out: members of Congress are now reporting that the NSA has acknowledged that it does not need court authorization to listen to domestic phone calls. Either way, we're certainly open to more government transparency.

  • Google, Twitter push to reveal number of national security related requests separately

    by 
    Richard Lawler
    06.15.2013

    While Microsoft and Facebook have both published information tonight about how many requests for customer info the government made over a six month period, Google and Twitter are apparently hoping to take a different route. As Google told AllThingsD and Twitter legal director Benjamin Lee tweeted, "it's important to be able to publish numbers of national security requests-including FISA disclosures-separately." Google went further, claiming that lumping the number of National Security Letters together with criminal requests would be a "step backwards." Clearly this post-PRISM revelations battle for more transparency on just what the government is doing behind the scenes isn't over, we'll let you know if any of the parties involved have more information to share.

  • Facebook reveals government data request numbers, is first to include national security stats

    by 
    Richard Lawler
    06.14.2013

    Facebook lawyer Ted Ullyot revealed in a post tonight precisely how many user-data requests it receives from government entities, and that it's negotiated the ability to include national security-related (FISA and National Security Letters) inquiries in the report. Until now, the companies that receive such requests, whether through the recently uncovered PRISM program or not, have not been able to say anything about them, or report how many there are. Still, the stats it's able to release aren't specific, and include all requests from the last six months in a range, said to be between 9,000 and 10,000, covering between 18,000 and 19,000 accounts. We still have no official reports on what those inquiries cover, how wide reaching a single one can be or what information has been passed along. Facebook however, is quick to point out that these cover "only a tiny fraction of one percent" of its 1.1 billion active user accounts. Along with Microsoft and Google, Facebook has publicly petitioned the government to let it be more transparent about the size and scope of the requests it receives, and Reuters reports tonight that "several" internet companies have struck an agreement to do so. Expect more reports to arrive soon in similar formats, however Ullyot states Facebook will continue to push the government to be "as transparent as possible."

    For the six months ending December 31, 2012, the total number of user-data requests Facebook received from any and all government entities in the U.S. (including local, state, and federal, and including criminal and national security-related requests) – was between 9,000 and 10,000. These requests run the gamut – from things like a local sheriff trying to find a missing child, to a federal marshal tracking a fugitive, to a police department investigating an assault, to a national security official investigating a terrorist threat. The total number of Facebook user accounts for which data was requested pursuant to the entirety of those 9-10 thousand requests was between 18,000 and 19,000 accounts.

  • Google asks US government to let it publish more national security requests for data, including FISA disclosures (update: Microsoft, Facebook too)

    by 
    Donald Melanson
    06.11.2013

    Google CEO Larry Page and Chief Legal Officer David Drummond made a general call for more transparency in their response to the PRISM revelations last week, and Drummond has gotten quite a bit more specific with that request today. In a post on the company's Public Policy blog, he says that he's sent a letter to offices of the Attorney General and the Federal Bureau of Investigation asking that Google be allowed to publish aggregate numbers of the national security requests for data it receives, including FISA disclosures, "in terms of both the number we receive and their scope." Those numbers, he says, "would clearly show that our compliance with these requests falls far short of the claims being made," adding, "Google has nothing to hide." You can find the full letter at the source link below. Update: Reuters is reporting that Microsoft also wants Uncle Sam to loosen up and let it be more transparent with the "volume and scope" of national security requests and FISA orders. "Our recent report went as far as we legally could and the government should take action to allow companies to provide additional transparency," Ballmer and Co. added. Update 2: Hot off the heels of Redmond's call to the US government, Facebook is voicing similar sentiments regarding increased transparency. "We urge the United States government to help make that possible by allowing companies to include information about the size and scope of national security requests we receive," read a statement released by the social network.

  • PRISM got you worried? Seecrypt app promises secure calls and texts

    by 
    Kelly Hodgkins
    06.10.2013

    Want to hide your data from the prying eyes of the US government and its information-gathering program PRISM? A team of South African developers may have an encrypted-communications solution for iOS that'll let you call and text in complete privacy. As noticed by the Daily Caller, the Seecrypt group recently updated the Seecrypt app which lets you "make and receive unlimited, secure voice calls and text messages between Seecrypt Mobile-enabled devices, anywhere in the world." It works over any carrier's data network and uses end-to-end, military-grade encryption to protect all your VoIP calls and text messages. Because all the calls and texts are transmitted as an encrypted data stream, any snooping programs will only know that you sent some data and cannot detect when or how long you made a call or exchanged messages. The service is available for US$3 per month and comes with a free three-month account trial. The Seecrypt app is available for free from the iOS App Store. It's also available for Android. [Via The Daily Caller]

  • The Weekly Roundup for 06.03.2013

    by 
    David Fishman
    06.09.2013

    You might say the week is never really done in consumer technology news. Your workweek, however, hopefully draws to a close at some point. This is the Weekly Roundup on Engadget, a quick peek back at the top headlines for the past seven days -- all handpicked by the editors here at the site. Click on through the break, and enjoy.

  • PRISM whistleblower Edward Snowden reveals himself, reasons for leaking surveillance program (updated)

    by 
    Joe Pollicino
    06.09.2013

    Only days after the initial leaks and explanations by the US government about the National Security Agency's data surveillance program PRISM, Edward Snowden has revealed himself as the whistleblower. He's employed by defense contractor Booz Allen Hamilton and also worked at the NSA as a "technical assistant" for the CIA. In speaking to The Guardian, he explained his reasons for disclosing the intelligence program: he wanted "to inform the public as to that which is done in their name and that which is done against them," hoping that they'll use the information to debate the issue. While the NSA's data-mining tool is reportedly known as Boundless Informant, Snowden has been keeping himself bound to a hotel in Hong Kong during this whole drama. Major internet companies have insisted that the government doesn't receive direct access to their servers and President Obama has stated that "nobody is listening to your phone calls," but the issue remains far from black and white. Snowden claims a "massive surveillance machine" is in the making under the radar -- at this point he's now waiting to see what happens next, assured he's made the decision that feels right to him. Catch the full interview at the source link. Update: In case there was any doubt that Snowden has ever been employed by Booz Allen Hamilton, the company just released the following statement: Booz Allen can confirm that Edward Snowden, 29, has been an employee of our firm for less than 3 months, assigned to a team in Hawaii. News reports that this individual has claimed to have leaked classified information are shocking, and if accurate, this action represents a grave violation of the code of conduct and core values of our firm. We will work closely with our clients and authorities in their investigation of this matter.

  • The NSA's Boundless Informant: a data mining tool that maps collected intelligence

    by 
    Sean Buckley
    06.08.2013

    Leaks, denials and declassifications aside, one thing has been clear recently: the National Security Agency takes in a lot of data -- allegedly collecting call logs, internet records and even Facebook photos from folks all over the world. So, how does the outfit handle all this data? With custom software, of course. According to documents obtained by The Guardian, the NSA sorts through its treasure-trove of intelligence with a tool called Boundless Informant, data mining software that helps the NSA sort out how closely they're monitoring a given part of the world. According to the documents, Boundless Informant reportedly "allows users to select a country on a map and view the metadata volume and select details about the collections against that country." A screenshot found by The Guardian shows this in action, highlighting over two billion reports in the United States alone. According to the outlet, the screenshot also outs the program's heaviest hitters: in March of 2013, Boundless Informant boasted 14 billion reports from Iran, 13.5 billion from Pakistan and 12.7 billion from Jordan. We've got to hand it to the NSA -- we may not like what it's up to, but at least it's organized.

  • Director of National Intelligence declassifies PRISM info to clear up 'inaccuracies'

    by 
    Richard Lawler
    06.08.2013

    After details of a government program called PRISM with alleged hooks into the servers of major internet companies became public this week, Director of National Intelligence James Clapper decided it was necessary to reveal even more information. According to his statement, clearing up the "significant misimpressions" and "inaccuracies" requires the release of further classified info, included in a fact sheet listed after the break. So what is PRISM, according to the "Facts on Collection of Information Pursuant to Section 702"? It is an internal government computer system used to facilitate the government's statutorily authorized collection of foreign intelligence information from electronic communication service providers under court supervision...This authority was created by the Congress and has been widely known and publicly discussed since its inception in 2008. In short, Section 702 facilitates the targeted acquisition of foreign intelligence information concerning foreign targets located outside the United States under court oversight. Service providers supply information to the Government when they are lawfully required to do so. The document claims PRISM is not an "undisclosed collection or data mining program." The above passages seemingly align with statements (including one today from Yahoo) from the companies listed claiming that they only respond to inquiries when required to by law. It goes on to offer some details on the process used to identify foreign targets ("Section 702 cannot be used to intentionally target any U.S. citizen, or any other U.S. person, or to intentionally target any person known to be in the United States") and the oversight involved. Specifically mentioned is the involvement of the Executive, Legislative and Judicial branches of the federal government. 
Additionally, another report from The Guardian exposes more internal documents that contradict the theory that PRISM involves access to "cable intercepts," although that can occur under a different process.

  • DevJuice: Is your app watching you?

    by 
    Erica Sadun
    06.08.2013

    The PRISM project is hitting the news just now, with the Director of National Intelligence issuing statements, and people talking about what privacy means in a free society. This morning, our backchannel discussion about PRISM drifted to the topic of user privacy in apps. Specifically, we've noticed a recent trend -- our apps are starting to contact us by email. Here's an example of a real email generated by an iOS app: Hello, Thank you for trying [redacted] out! I noticed that you've used the app a couple of times over the past few weeks but are no longer using it. We're trying to make the calendar a better experience and in doing so I'd really appreciate if you could take a moment and tell me why [redacted] isn't working for you. If you have any other thoughts you'd like to share with the team, please feel free to send it our way! That's a pretty startling email to receive, especially when we never contacted the company in question or opted into monitoring. In fact, the app in question offers a lengthy privacy statement, which states, "we may use other Anonymous Information to analyze usage patterns". Clearly that data is not so anonymous that it wasn't able to hijack the Gmail credentials used within the app. There's a saying that basically goes, "if the app is free, then you are the product." It's become commonplace to reap device and usage statistics for analytics. Developers may forget that there remains a real privacy line between a user's personal data and how they use the app. With Apple's support of developer- and app-specific tracking identifiers, you shouldn't lose sight of how that data is supposed to be used. In February, the FTC issued recommendations for mobile privacy disclosure. Among these, the FTC suggested that apps offer affirmative express consent for access to sensitive information, along with an access "dashboard" that would allow users to review in-app privacy settings.
At the time, Verne Kopytoff wrote at Bloomberg Businessweek about the motivation behind app privacy policies, "Privacy advocates like to call mobile phones by a more menacing name: tracking devices. Mobile apps log the pages people browse, the products they buy, and the videos they watch. Many apps also note their users' locations and, over time, glean their daily routines." As mild as email feedback outreach efforts are, they cross a critical line when leveraging account information meant for in-app use only. A user who buys an app intending to manage his calendar, isn't expressly trying to build a product feedback relationship with the developer. Repurposing Gmail account credentials for further contact breaks an important trust.

  • NYT explains how tech companies allow PRISM, yet deny 'direct server access' happened (update)

    by 
    Richard Lawler
    06.07.2013

    Yesterday a series of leaked PowerPoint slides in the Washington Post revealed a program codenamed PRISM that allowed government investigators access to data from a number of top internet companies. That leak has been followed up in the last 24 hours by a series of blanket denials as tech companies (and their CEOs, including Google's Larry Page and Facebook's Mark Zuckerberg) claimed they do not give "backdoor access," only generally acknowledging that they do respond to individual court orders. Meanwhile government officials including President Obama responded to the claims mostly by claiming whatever is going on -- including the bulk collection of call logs by the NSA -- is legal and has been "repeatedly authorized by Congress." Tonight, a New York Times article may be able to explain the difference between the statements, citing information from people briefed on the program and lawyers that handle the requests. Their report is that the companies discussed ways to "efficiently and securely" share data about foreign users in response to requests made under the Foreign Intelligence Surveillance Act. In contrast to the initial reports of direct server access, this report claims when a government request is made under an individual FISA request, it's reviewed by company lawyers and then sent over, sometimes electronically using company servers. That can include an investigation into a specific person, logs of certain search terms, and in some cases "real-time transmission of data." One specific instance cited involved an NSA agent going on-site at a company's HQ, installing government software on its server and remaining there for several weeks to offload data to a laptop. So why the quick denials about something the companies listed (including AOL, parent company of Engadget) may actually have ties to? 
Because FISA requests are by their nature secret, the report claims employees that deal with the requests can't discuss the details, even with their fellow employees. Notably, although companies must by law respond to the requests, they're not legally obligated to make it easy, and the article points out Twitter as a company that has declined to participate. Because of that, even if PRISM is more a streamlining of bureaucratic processes than a government backdoor into your Candy Crush Saga level, the semantic differences of company denials may not sit well with users, much less citizens voting for the officials who oversee the programs. Update: Google Chief Legal Officer David Drummond has chimed in once again via a post on Google+, denying (again) that the government has any access to Google servers. That includes directly, through a back door, or any kind of "drop box" as the Times report mentions had been discussed. Meanwhile, CNET has an alternate source who corroborates the company's claims of no direct access, describing the system as a "formalized legal process."

  • The Daily Roundup for 06.07.2013

    by 
    David Fishman
    06.07.2013

    You might say the day is never really done in consumer technology news. Your workday, however, hopefully draws to a close at some point. This is the Daily Roundup on Engadget, a quick peek back at the top headlines for the past 24 hours -- all handpicked by the editors here at the site. Click on through the break, and enjoy.

  • President Obama responds to PRISM concerns, clarifies scope of snooping

    by 
    Tim Stevens
    06.07.2013

    If you've missed the news on PRISM and the hugely disconcerting allegations that the NSA is basically tracking everything you do on the internet and every call you make on your cellphone, we're guessing that's because you're stuck in a cave that has access to neither technology. The allegations are incredibly troubling to say the least, and President Obama this afternoon took the time to address them -- albeit briefly. For one thing, he clarified that "nobody is listening to your phone calls," indicating that people are looking at metadata about those calls (destinations, length, etc.) rather than the calls themselves. Additionally, he clarified the internet side of the program thusly: "Internet monitoring is only for those outside United States; we have to balance keeping America safe with privacy concerns." That's great for Americans, but perhaps a bit troubling for everyone else. This more or less echoes the statements made yesterday by James Clapper, Director of National Intelligence. President Obama also reminded that this program predates his taking office, and that he himself was skeptical but has come around to the program, stating that this is something "Americans should feel comfortable about." Well, then, how comfortable do you feel? Let us know in comments. Update: The Wall Street Journal has a full transcript of President Obama's comments.