EFF Provides An In-Depth Look At How The NSA Deploys Malware

This article, written by staff technologist Dan Auerbach, was originally published by the Electronic Frontier Foundation on Oct. 8.

We’ve long suspected that the NSA, the world’s premiere spy agency, was pretty good at breaking into computers. But now, thanks to an article by security expert Bruce Schneier—who is working with the Guardian to go through the Snowden documents—we have a much more detailed view of how the NSA uses exploits in order to infect the computers of targeted users. The template for attacking people with malware used by the NSA is in widespread use by criminals and fraudsters, as well as foreign intelligence agencies, so it’s important to understand and defend against this threat to avoid being a victim to the plethora of attackers out there.

How Does Malware Work Exactly?

Deploying malware over the web generally involves two steps. First, as an attacker, you have to get your victim to visit a website under your control. Second, you have to get software—known as malware—installed on the victim’s computer in order to gain control of that machine. This formula isn’t universal, but is often how web-based malware attacks proceed.

In order to accomplish the first step of getting a user to visit a site under your control, an attacker might email the victim text that contains a link to the website in question, in a so-called phishing attack. The NSA reportedly uses phishing attacks sometimes, but we’ve learned that this step usually proceeds via a so-called “man-in-the-middle” attack.1 The NSA controls a set of servers codenamed “Quantum” that sit on the Internet backbone, and these servers are used to redirect targets away from their intended destinations to still other NSA-controlled servers that are responsible for the injection of malware. So, for example, if a targeted user visits “yahoo.com”, the target’s browser will display the ordinary Yahoo! landing page but will actually be communicating with a server controlled by the NSA. This malicious version of Yahoo!’s website will tell the victim’s browser to make a request in a background to another server controlled by the NSA which is used to deploy malware.

Once a victim visits a malicious website, how does the attacker actually infect the computer? Perhaps the most straightforward method is to trick the user into downloading and running software. A cleverly designed pop-up advertisement may convince a user to download and install the attacker’s malware, for example.

But this method does not always work, and relies on a user taking action to download and run software. Instead, attackers can exploit software vulnerabilities in the browser that the victim is using in order to gain access to her computer. When a victim’s browser loads a website, the software has to perform tasks like parsing text given to it by the server, and will often load browser plugins like Flash that run code given to it by the server, in addition to executing Javascript code given to it by the server. But browser software—which is becoming increasingly complex as the web gains more functionality—doesn’t work perfectly. Like all software, it has bugs, and sometimes those bugs are exploitable security vulnerabilities that allow an attacker to gain access to a victim’s computer just because a particular website was visited. Once browser vendors discover vulnerabilities, they are generally patched, but sometimes a user has out of date software that is still vulnerable to known attack. Other times, the vulnerabilities are known only to the attacker and not to the browser vendor; these are called zero-day vulnerabilities.

The NSA has a set of servers on the public Internet with the code name “FoxAcid” used to deploy malware. Once their Quantum servers redirect targets to a specially crafted URL hosted on a FoxAcid server, software on that FoxAcid server selects from a toolkit of exploits in order to gain access to the user’s computer. Presumably this toolkit has both known public exploits that rely on a user’s software being out of date, as well as zero-day exploits which are generally saved for high value targets.2 The agency then reportedly uses this initial malware to install longer lasting malware.

Once an attacker has successfully infected a victim with malware, the attacker generally has full access to the user’s machines: she can record key strokes (which will reveal passwords and other sensitive information), turn on a web cam, or read any data on the victim’s computer.

What Can Users Do To Protect Themselves?

We hope that these revelations spur browser vendors to action, both to harden their systems against exploits, and to attempt to detect and block the malware URLs used by the FoxAcid servers.

In the meantime, users concerned about their security should practice good security hygiene. Always keep your software up to date—especially browser plugins like Flash that require manual updates. Make sure you can distinguish between legitimate updates and pop-up ads that masquerade as software updates. Never click a suspicious looking link in an email.

For users who want to go an extra step towards being more secure—and we think everyone should be in this camp—consider making plugins like Flash and Java “click-to-play” so that they are not executed on any given web page until you affirmatively click them. For Chromium and Chrome, this option is available in Settings => Show Advanced Settings => Privacy => Content Settings => Plug-ins. For Firefox, this functionality is available by installing a browser Add-On like “Click to Play per-element”. Plugins can also be uninstalled or turned off completely. Users should also use ad blocking software to stop unnecessary web requests to third party advertisers and web trackers, and our HTTPS Everywhere add-on in order to encrypt connections to websites with HTTPS as much as possible.

Finally, for users who are willing to notice some more pain when browsing the web, consider using an add-on like NotScripts (Chrome) or NoScript (Firefox) to limit the execution of scripts. This means you will have to click to allow scripts to run, and since Javascript is very prevalent, you will have to click a lot. For Firefox users, RequestPolicy is another useful add-on that stops third-party resources from loading on a page by default. Once again, as third-party resources are popular, this will disrupt ordinary browsing a fair amount. Finally, for the ultra paranoid, HTTP Nowhere will disable all HTTP traffic completely, forcing your browsing experience to be entirely encrypted, and making it so that only websites that offer an HTTPS connection are available to browse.

Conclusion

The NSA’s system for deploying malware isn’t particularly novel, but getting some insight into how it works should help users and browser and software vendors better defend against these types of attacks, making us all safer against criminals, foreign intelligence agencies, and a host of attackers. That’s why we think it’s critical that the NSA come clean about its capabilities and where the common security holes are—our online security depends on it.

1. The term “man-in-the-middle” is sometimes reserved for attacks on cryptographically secure connections, for example using a fraudulent SSL certificate. In this context, however, we mean it more generally to mean any attack where the attacker sits between the victim and the intended website.
2. According to the Guardian article, “the most valuable exploits are saved for the most important targets.”

EFF: Technology Is Not To Blame In Silk Road Takedown

This article, written by Parker Higgins, was originally published by the Electronic Frontier Foundation on Oct. 3.

The man alleged to be “Dread Pirate Roberts,” the founder and operator of the Silk Road—an online marketplace where bitcoins were traded for a range of goods and services, including drugs—was arrested by the FBI in San Francisco yesterday. The criminal complaint, released today, provides many details about how the site and its users relied on widespread anonymity technology, including Tor and Bitcoin.

The increased attention on this technology is a good reminder about how important it is not to blame these tools for the actions of a small portion of their users. The public wouldn’t tolerate a campaign to malign the car because of its utility as a getaway vehicle for bank robbers; we must apply the same critical thinking to essential privacy-preserving technology.

In certain parts of the complaint, even the federal agent behind the investigation and the Justice Department attorney in charge of the case acknowledge this. In describing how Tor was required to access the Silk Road (the site was configured as a Tor hidden service), they state that “Tor has known legitimate uses”. Similarly, “Bitcoins are not illegal in and of themselves and have known legitimate uses.”

Elsewhere the complaint goes astray. For example, it asserts that the suspect’s efforts to “‘hide the identities of those that run Silk Road’ reflect his awareness of the illegal nature of the Silk Road enterprise.” Of course, that explanation overlooks the countless lawful reasons why a person would want to engage in anonymous speech—and in the process hide the identities of those behind the technical infrastructure—that don’t involve breaking the law.

Similarly, the complaint’s description of the bitcoin “tumbler” that the Silk Road employed to obscure the parties involved in each transaction is alarmingly limited. According to the complaint, “the only function served by such ‘tumblers’ is to assist with the laundering of criminal proceeds.” Really, the purpose of a tumbler is to attempt to make a bitcoin transaction as anonymous and private as cash. Certainly one can take issue with Silk Road’s use of the technology in particular. It’s incredibly dangerous, though, to say that anonymous currency—whether bitcoins or traditional cash—is only of interest to drug dealers or money launderers.

It’s essential that the use of encryption, anonymization techniques, and other privacy practices is not deemed a suspicious activity. Rather, it must be recognized as an essential element for practicing freedom of speech in a digital environment.

In some ways, the complaint provides encouragement to those who depend on this technology to engage in speech privately and anonymously. After all, it was human error, and the chance discovery of nine fake ID cards in a routine package inspection at the border, that led to the final round of investigation. This summer’s revelations about the NSA’s subverting certain cryptographic technologies have definitely heightened fears in the security community. Although there are still some unanswered questions about the investigation, it’s a small relief that, for now, those fears weren’t confirmed by the criminal complaint.

The point remains, however, that relegating these technologies by associating them only with their criminal use threatens to undermine their ability to enable important, lawful speech.

Unfortunately, we’ve witnessed that sort of demonization of technology before. We’ve seen it in attempts to target peer-to-peer protocols because they can be used for copyright infringement; in the outrageous stacking of penalties that can result in decades of possible prison time for violations of the Computer Fraud and Abuse Act; in the original “Crypto Wars” of the 1990s and their reprise today; and in many other places besides.

The allegations against the Silk Road are serious, and may get even more so as the case progresses to formal charges and a trial. But if the government puts undue weight on the suspect’s use of technology, instead of the actual crimes of which he is accused, the public will be worse off for it.

Join EFF And The Stopwatching.Us Coalition To Stop Government Spying

This post originally appeared on the Electronic Frontier Foundation’s website.

This summer, some of our worst fears and suspicions about the NSA have been confirmed. We now have evidence that the NSA is actively undermining the basic security of the Internet. It is collecting millions and millions of phone records of individuals not suspected of any crime. It is surveilling journalists.

The NSA’s overreaching surveillance is creating a climate of fear and chilling free speech. Its addiction to secrecy makes real accountability impossible

But there’s a movement forming to change all of this. And we’re about to take the next step.

On the weekend of October 26 — the 12th anniversary of the signing of the USA PATRIOT Act — thousands of people from across the political spectrum will unite in Washington, D.C. to take a stand against unconstitutional surveillance. Please join EFF in D.C. for a day of grassroots training and citizen lobbying on October 25th and a historic rally and petition delivery on October 26th.

Stopwatching.Us is a politically diverse coalition including more than 100 public advocacy organizations and companies, including EFF, ACLU, FreedomWorks, Free Press, Mozilla, National Libertarian Party, reddit, Restore the Fourth and Thoughtworks.

We want you to join us in D.C. for this event. There will be speakers, privacy experts, live music, and an opportunity to be part of the official delivery of the Stop Watching Us petition to Congress – a petition in which over a half million people have called for an end to mass, suspicionless surveillance.

Join us in Washington.

– RSVP on the event page (privacy policy here): https://rally.stopwatching.us
– RSVP for the lobby day here: https://rally.stopwatching.us/lobbyday.html

Note: you do not need to RSVP to attend the rally, but it helps us gauge numbers. RSVPing to the event means that you may be contacted about other Stopwatching events and updates. If you would prefer not to have that type of contact, please RSVP to EFF here.

We’re planning a two-day event. Here are the details:

Friday, October 25th: Training and lobby day

If you are coming from out of town, you should plan to arrive in D.C. on Thursday night so you can join us for trainings on Friday morning. EFF is working with our friends Public Knowledge and other members of the Stopwatching.us coalition to host a lobby day in D.C. on NSA surveillance. On Friday morning, we’ll give you an overview of NSA surveillance, including talking points and handouts, and prepare you to meet with staffers. Then you will meet with key Hill staffers and elected officials to explain your concerns about NSA surveillance. Don’t worry – we schedule the meetings for you. We’ll be done by midafternoon.

In person meetings are the most effective way for an individual to influence Congress on an issue (except maybe giving them a lot of money).  Even if you’ve never considered lobbying on an issue, this is a not-to-be-missed opportunity to change America’s stance on surveillance.

Saturday, October 26th: Rally against mass surveillance

The Stopwatching.us coalition is hosting a historic rally in Washington D.C on Saturday October 26th – the 12th anniversary of the signing of the Patriot Act.  We’ll be joined by YACHT, the indie pop duo that’s sweeping the nation with its new song, “Party at the NSA.”  With your help, we’re going to create an amazing rally for privacy. Will you be there?

Hundreds of thousands of people have spoken out since the major NSA leaks began this June. Dozens of members of Congress have introduced bills aimed at reining in the NSA, and hundreds of organizations and companies are uniting to end the NSA’s unconstitutional surveillance.

But we will only succeed if we take the next step and raise our voices. RSVP now.

U.N. Launches Thirteen Principles Against Unchecked Surveillance

Geneva - At the 24th Session of the United Nations Human Rights Council on Friday, six major privacy NGOs, including the Electronic Frontier Foundation (EFF), warned nations of the urgent need comply with international human rights law to protect their citizens from the dangers posed by mass digital surveillance.

The groups launched the “International Principles on the Application of Human Rights to Communications Surveillance” at a side event on privacy hosted by the governments of Austria, Germany, Hungary, Liechtenstein, Norway, and Switzerland. The text is available in 30 languages at http://necessaryandproportionate.org.

“Governments around the world are waking up to the risks unrestrained digital surveillance pose to free societies,” EFF International Rights Director Katitza Rodriguez said during the official presentation of the principles. “Privacy is a human right and needs to be protected as fiercely as all other rights. States need to restore the application of human rights to communications surveillance.”

The document was the product of a year-long negotiation process between Privacy International, the Electronic Frontier Foundation, Access, Human Rights Watch, Reporters Without Borders, and the Association for Progressive Communications. The document spells out how existing human rights law applies to modern digital surveillance and gives lawmakers and observers a benchmark for measuring states’ surveillance practices against long-established human rights standards. The principles have now been endorsed by over 260 organizations from 77 countries, from Somalia to Sweden.

Included in the 13 principles are tenets such as:

Necessity: State surveillance must be limited to that which is necessary to achieve a legitimate aim.

Proportionality: Communications surveillance should be regarded as a highly intrusive act and weighed against the harm that would be caused to the individual’s rights.

Transparency: States must be transparent about the use and scope of communications surveillance. Public Oversight: States need independent oversight mechanisms.

Integrity of Communications and Systems: Because compromising security for state purposes always compromises security more generally, states must not compel ISPs or hardware and software vendors to include backdoors or other spying capabilities.

EFF and its co-signers will use the principles to advocate at national, regional and international levels for a change in how present surveillance laws are interpreted and new laws are crafted, including urging the United States government to re-engineer its domestic surveillance program to comply with international human rights law.

The event, “How to Safeguard the Right to Privacy in the Digital Age,” featured speakers including Navi Pillay, the United Nations High Commissioner for Human Rights–who highlighted the recent scandals over British and US surveillance programs in her introductory remarks to the Human Rights Council this week—and Frank La Rue, the United Nations Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression. Earlier this year, LaRue released a report that details the widespread use of state surveillance of communications in several countries, stating that such surveillance severely undermines a citizenry’s ability to enjoy private lives, freely express themselves and exercise their other fundamental human rights.

“Member states of the Human Rights Council should assess their surveillance laws and bring them into compliance with the 13 benchmarks,” Rodriguez says. “We must put an end to unchecked, suspicionless, mass spying online.”

EFF Explains Google Street View Ruling And What It Means for Researchers And Cops

This post, written by staff attorney Hanni Fakhoury, was originally published on the EFF website on Monday.

Is a Wi-Fi signal the equivalent of an FM radio station, blasting classic rock ballads through your car speakers?

Not to the Ninth Circuit Court of Appeals, which issued its long awaited decision in Joffe v. Google this week, the case where Google was sued for allegedly violating the Wiretap Act when its Street View cars sucked up data from wireless routers as it passed by.

The Background

Google’s Street View feature allows users to see photographs of specific addresses on a Google map. To generate these pictures, Google deployed a fleet of cars with cameras mounted on top of their roofs to drive across the world and take pictures of everything it could. From 2007 to 2010 Google also equipped these cars with antennas and software that were capable of scanning wireless routers nearby in order to capture information like the network’s name, a router’s MAC addresses and whether a Wi-Fi network was encrypted or not.

Google did this to enhance the accuracy and precision of its location based services. But it also captured “payload data,” or the actual data transmitted through the Wi-Fi networks, including emails, usernames, passwords and more. After Google was criticized for the collection it apologized for the program in 2010, grounded the cars and has been ordered to delete the data in some countries.

The Lawsuit and the Law

Numerous class action lawsuits were filed against Google in 2010, claiming the company had violated federal and state wiretap laws by collecting this data. Although the Wiretap Act generally prohibits the interception of electronic and wire communications, Google moved to dismiss the case, arguing it didn’t violate the law because its collection of the data was permitted under an exception to the Wiretap Act. Under 18 U.S.C. § 2511(2)(g)(i), the interception of an “electronic communication” that “is readily accessible to the general public” is permitted.

This is really two related exceptions. The first covers electronic communications that are “readily accessible to the general public.” For example, a message posted on a public message board. The second exception comes from the definition of “readily accessible to the general public” in 18 U.S.C. § 2510(16)(a), which includes an unencrypted “radio communication.” In essence, an unencrypted radio communication is always considered to be “readily accessible to the general public.” So you can tune the radio in your car to any station without being guilty of wiretapping.

Google ultimately argued that its collection of the unencrypted Wi-Fi traffic was legal under the Wiretap Act for two reasons; first because unencrypted Wi-Fi signals are a “radio communication” which by definition is “readily accessible to the general public.” And second, even if it wasn’t a “radio communication,” it was an electronic communication that in practice was “readily accessible to the general public.”

Unfortunately, the Wiretap Act doesn’t more specifically define what “radio communication” means and so the trial court had to resolve whether Wi-Fi signals are in fact what Congress meant by “radio communications” or not.

The lower court, after all the cases were consolidated, ultimately denied Google’s motion, finding that unencrypted Wi-Fi signals weren’t “radio communications,” but rather electronic communications. It then rejected Google’s fallback argument, finding that unencrypted Wi-Fi signals aren’t “readily accessible to the general public.”

The Ninth Circuit agreed with the trial court. On the “radio communication” issue, the appellate court ruled that Congress meant a “radio communication” to mean a “predominantly auditory broadcast” like an AM/FM or CB radio broadcast. Because data sent over a Wi-Fi signal isn’t auditory, the Court held that it was not a “radio communication” under the Wiretap Act, regardless of whether a wireless access point used radio frequencies to communicate.

Having found that the “radio communication” exception didn’t apply, it also rejected Google’s second argument that unencrypted Wi-Fi signals are “readily accessible to the general public.” The Court noted that unlike, for example, an FM radio station which could broadcast for miles, Wi-Fi signals are “geographically limited and fail to travel far beyond the walls of the home or office where the access point is located.” In addition, the Court reasoned Wi-Fi signals aren’t “accessible” because capturing them “requires sophisticated hardware and software” and “most of the general public lacks the expertise to intercept and decode payload data transmitted over a Wi-Fi network.” As a result, the lawsuit against Google will now continue.

The Good and The Bad

First, the bad. If you’re a security researcher in the Ninth Circuit (which covers most of the West Coast) who wants to capture unencrypted Wi-Fi packets as part of your research, you better call a lawyer first (and we can help you with that). The Wiretap Act imposes both civil and serious criminal penalties for violations and there is a real risk that researchers who intentionally capture payload data transmitted over unencrypted Wi-Fi—even if they don’t read the actual communications —may be found in violation of the law. Given the concerns about over-criminalization and overcharging, prosecutors now have another felony charge in their arsenal.

On the other hand, the decision also provides a strong argument that the feds and other law enforcement agencies that want to spy on data transmitted over unencrypted Wi-Fi will need to get a wiretap order to do so. We’ve seen the government use a device called a “moocherhunter” without a search warrant to read Wi-Fi signals to figure out who’s connecting to a particular wireless router. This decision suggests that to the extent the government uses a device like this (or even a “stingray” to the extent it can capture Wi-Fi signals) to capture payload data —even if just to determine a person’s location—they’ll need a wiretap order to do so. That’s good news since wiretap orders are harder to get than a search warrant.

It’s doubtful this will be the last word; lower courts have disagreed with each other and the Ninth Circuit is the first appellate court to rule on the tricky issue. We’ll be following the cases closely to especially see how the government interprets the decision, both to see whether it prosecutes security researchers and whether it gets a wiretap order to use its exotic surveillance tools.

A Cheat Sheet To Congress’ NSA Spying Bills

This post, by Policy Analyst and Legislative Assistant Mark M. Jaycox, originally appeared on the Electronic Frontier Foundation website on Sept. 11.

The veil of secrecy around the government’s illegal and unConstitutional use of both Section 215 of the Patriot Act and Section 702 of the Foreign Intelligence Surveillance Act (FISA) is being lifted. As a result, Congress has seen a flurry of legislation to try and fix the problems; however, as we’ve been saying since June there are far more questions than answers about the spying. And Congress must create a special investigative committee to find out the answers. Right now, the current investigations are unable to provide the American public with the information it needs.

For now, here’s a quick summary of the bills in Congress drafted after the June leaks that have a chance to go forward. They try to fix Section 215 of the Patriot Act, curtail the secret law being created by the surveillance court overseeing the spying (the Foreign Intelligence Surveillance Court, or FISA court), and change how the FISA court operates. Unfortunately, there is no bill in Congress with prospects of moving forward that tackles Section 702 of FISA — the section used for PRISM.

Quick Links:

Section 215 Bills:

Senator Patrick Leahy: The FISA Accountability and Privacy Protection Act of 2013

Representatives John Conyers and Justin Amash: The LIBERT-E Act

Ending Secret Law:

Representatives Adam Schiff and Todd Rokita: The Ending Secret Law Act

Corporate Disclosure:

Senator Al Franken: The Surveillance Transparency Act of 2013

Representatives Rick Larsen and Justin Amash: The Government Surveillance Transparency Act of 2013

Restructuring the FISA Court:

Senator Richard Blumenthal: The FISA Court Reform Act of 2013 and the FISA Court Judge Selection Reform Act

Representative Adam Schiff: The Presidential Appointment of FISA Court Judges Act

Representative Steve Cohen: The FISA Court Accountability Act

Section 215 Bills

Here are the bills that focus on trying to fix Section 215 of the Patriot Act:

Senator Patrick Leahy: The FISA Accountability And Privacy Protection Act Of 2013

Leahy’s bill is an overarching bill that includes language to try and stop mass spying, increase the number of reports about the spying and publicly disclose the secret law supposedly justifying the programs. The bill makes sure a Section 215 order must include “specific and articulable facts” that the information is relevant to an investigation and that the order “pertains to” an individual. It’s a good start; however, with the released Administration White Paper, the Leahy language doesn’t look strong enough to stop the abusive use of Section 215. Leahy has said that he will continue to refine the bill as it moves forward. This is good news, as a bill from Senators Mark Udall and Ron Wyden’s uses similar language.

Representatives John Conyers And Justin Amash: The LIBERT-E Act

Conyers and Amash present one of the few Section 215 fixes in the House of Representatives with the potential to move forward. Similar to Senator Leahy’s bill, the bill by Conyers and Amash mandates every order include “specific and articulable facts.” But the bill is also more specific: It adds that an order must “pertain only to an individual” under investigation. Other bills introduced to stop the abuse of Section 215 include bills by Representative Dennis Ross and Representative Michael Fitzpatrick. Both are similar to Conyers’ and Amash’s bill, except that Fitzpatrick includes a requirement that the records sought are “material” to an investigation. Representative Rush Holt also has a bill completely repealing Section 215 and Section 702.

Lastly, Representatives Jim Sensenbrenner and Zoe Lofgren have also announced they plan to propose legislation tackling many of the issues brought forward by the June leaks. Both representatives have been at the forefront of fighting against the Administration’s use of Section 215 to obtain innocent Americans’ calling information, and the Electronic Frontier Foundation is excited to see what they come up with.

Ending Secret Law

Currently, almost all of the decisions and orders by the secret FISA court are unknown to the public. The bills by Leahy, Udall, Merkley Conyers all have sections that create processes for the release of the secret law supposedly justifying the NSA’s programs. But there are also bills in Congress solely dedicated to disclosing the opinions:

Representatives Adam Schiff And Todd Rokita: The Ending Secret Law Act

The bill by Schiff and Rokita compels the Attorney General to release all decisions, orders and opinions with significant legal interpretations of the law. All opinions submitted to Congress before enactment must be released within 180 days, and all opinions submitted to Congress after enactment must be released within 45 days. If the Attorney General decides the opinions cannot be released due to national security, then he must release a summary of the decision. The same bill was introduced in the Senate by Senators Jeff Merkley and Mike Lee, and also in the House by Representative Sheila Jackson-Lee.

Corporate Disclosure

Senator Al Franken: The Surveillance Transparency Act Of 2013

There are also bills allowing companies to disclose further details any secret FISA order they receive for customer information. For instance, Franken’s Surveillance Transparency Act of 2013 requires the government to provide more reports to Congress and the public about its use of the Foreign Intelligence Surveillance Act, how many orders were filed and how many individuals it impacted. The bill also ensures companies can disclose similar information every six months.

Representatives Rick Larsen And Justin Amash: The Government Surveillance Transparency Act Of 2013

A bill by Larsen and Amash also seeks to increase reporting on how the government uses FISA. The bill, HR 2736, requires in aggregate numbers the number of orders the government filed using the Foreign Intelligence Surveillance Act, the number of people impacted by the orders and a general description of the information sought by the order.

Restructuring The FISA Court

Lastly, there are bills that seek to reorganize the FISA court. Currently, the judges on the court are selected by the Chief Justice of the Supreme Court. The court is also one-sided: When the government requests the calling information for every American, there is no one to argue against it. There are quite a few bills that seek to restructure and fix the FISA Court.

Senator Richard Blumenthal: The FISA Court Reform Act Of 2013 And The FISA Court Judge Selection Reform Act

Blumenthal has introduced two bills, S 1460 and S 1467 to change how the FISA court operates. The first bill establishes an Office of the Special Advocate (OSA) which introduces an adversary to the court. The OSA can contest FISA court orders, appeal orders all the way to the Supreme Court, request declassification of documents and call for public amicus briefs in certain cases.

The second bill, seeks to address the problem of judicial selection. What’s resulted as a result of FISA court judges being picked by the Chief Justice of the Supreme Court is a court heavily slanted toward former prosecutors and the eastern part of the United States. Instead of having a secret selection process, the second bill mandates each chief judge of a Federal circuit to publicly nominate a judge from their circuit to serve on the FISA court.

Other Bills

Other bills touching FISA court structural reform include bills by Schiff (which has the President, with the advice and consent of the Senate, nominating FISA court judges) and Representative Steve Cohen (which has the Chief Justice, and the majority and minority leaders of each house of Congress choosing judges).

More Bills To Follow

All of these bills are a start to tackling many of the problems raised by the leaked files. But none of them fix Section 702 of the Foreign Intelligence Surveillance Act, which the government is using to collect innocent Americans’ communications. As a result of the NSA spying, mass collection of innocent Americans’ information must stop. We look forward to the bills moving through Congress, but a full investigation of the NSA spying by a special Congressional must also occur. Join the more than 100 organizations and half-a-million people pushing Congress to stop the spying and fully investigate it.

Organizations, Activists Lining Up To Sue Against NSA Surveillance

This post originally appeared on the Electronic Frontier Foundation website on Sept. 10.

Five new groups—including civil-rights lawyers, medical-privacy advocates and Jewish social-justice activists—have joined a lawsuit filed by the Electronic Frontier Foundation (EFF) against the National Security Agency (NSA) over the unconstitutional collection of bulk telephone call records. With today’s amended complaint, EFF now represents 22 entities in alleging that government surveillance under Section 215 of the Patriot Act violates Americans’ First Amendment right to freedom of association.

The five entities joining the First Unitarian Church of Los Angeles v. NSA lawsuit before the U.S. District Court for the Northern District of California are: Acorn Active Media, the Charity and Security Network, the National Lawyers Guild, Patient Privacy Rights and The Shalom Center. They join an already diverse coalition of groups representing interests including gun rights, environmentalism, drug-policy reform, human rights, open-source technology, media reform and religious freedom.

“The First Amendment guarantees the freedom to associate and express political views as a group,” EFF legal director Cindy Cohn said. “The NSA undermines that right when it collects, without any particular target, the phone records of innocent Americans and the organizations in which they participate. In order to advocate effectively, these organizations must have the ability to protect the privacy of their employees and members.”

In June, The Guardian newspaper published a secret order from the Foreign Intelligence Surveillance Court (FISC) that authorized the wholesale collection of phone records of all Verizon customers, including the numbers involved in each call, the time and duration of the call, and “other identifying information.” Government officials subsequently confirmed the document’s authenticity and acknowledged the order was just one of a series issued on a rolling basis since at least 2006.

EFF originally filed the lawsuit on June 16, arguing the tracking program allows the government to compile detailed connections between people and organizations that have no correlation to national security investigations. Along with adding the new plaintiffs, the amended complaint also adds new information about “contact chaining” searches through the vast trove of phone records, adds James B. Comey as a defendant now that he is the head of the FBI, and makes some additional changes.

For Rabbi Arthur Waskow of The Shalom Center, the revelations come with a sense of déjà vu.

“Jewish tradition for at least the last 2,000 years has celebrated the right of privacy of the people against surveillance by a ruler,” Waskow said. “A generation ago, I joined with other antiwar activists to successfully sue the FBI over its ‘COINTELPRO’ program, which violated our right to assemble in opposition to the Vietnam War. Now, as director of The Shalom Center—a religious organization advocating for peace, social justice and environmental sustainablility—I am concerned that the NSA has greatly surpassed the FBI in undermining our Constitutional rights.”

The National Lawyers Guild, a public-interest legal association that has defended civil rights for more than 75 years, notes that surveillance has substantially impeded its ability to communicate with those seeking legal assistance.

“Applied on a massive scale, government surveillance becomes a form of oppression,” the Guild’s Executive Director Heidi Boghosian said. “Knowing that we are likely monitored, we have curbed our electronic interactions. Sensitive discussions about cases are confined to in-person meetings and letters. We have no illusions that our hotline for individuals visited by the FBI is private; we don’t even ask for specific details for fear of government eavesdropping.”

EFF also represents the plaintiffs in Jewel v. NSA, a class-action case filed on behalf of individuals in 2008 aimed at ending the NSA’s dragnet surveillance of millions of ordinary Americans. The Jewel case is set for a conference with the Court on September 27 in San Francisco.

For the amended complaint:
https://www.eff.org/document/first-unitarian-church-los-angeles-v-nsa-amended-complaint

Tahoe And Tor: Building Privacy On Strong Foundations

Tahoe-LAFS draws from a combination of computer security philosophies, backed up with cryptography implement in open-source code.

The Principle of Least Authority
In computer science, the principle of least authority means granting the minimum set of permissions necessary to accomplish a task. For example, someone who is a contributing blogger on a website doesn’t need full administrator access to a site. Tahoe attempts to apply this principle to online file storage by ensuring through encryption that the organization storing your data can’t see all your data, and that users can be given fine-grained access through cryptographic capabilities.

Cryptographic capabilities
In Tahoe-LAFS, you can read or write a file in the system only if you know a (rather long) set of characters, or key. The capability keys are different for each file, which means you can share a picture by sending a friend one capability key without giving them access to everything. You can also give people power to create or even edit files by sending them different keys. Using capability-based security means there’s no central authority that manages access control for you, as with Dropbox or Google Docs. You’re in charge of spreading (or withholding) your capability keys.

Erasure coding
A method of redundantly storing data over a number of servers that allows data to be reconstructed, even if a certain number of those servers get shut down or corrupted. In the default Tahoe network, data is spread over 10 drives and can be read even if seven of those servers are lost. That means you don’t have to rely on one provider and makes Tahoe storage harder to disrupt.

This post, by International Director Danny O’Brien, originally appeared on the Electronic Frontier Foundation website on Sept. 6.

Many people want to build secure Internet services that protect their users against surveillance, or the illegal seizure of their data. When EFF is asked how to build these tools, our advice is: Don’t start from scratch. Find a public, respected project that provides the privacy-protecting quality you want in your own work, and find a way to implement your dream atop these existing contributions.

So, for instance, the New Yorker’s Strongbox, a dropbox for anonymous sources, uses Tor as its basis to provide anonymity to its users. If you want anonymity in your app, building your tool on top of Tor’s backbone means you can take advantage of its experience and future improvements, as well as letting you contribute back to the wider community.

Anonymity is only one part of what will make the Net secure and privacy-friendly, though. The recent National Security Administration revelations as well as glitches and attacks on single services like GitHub, Amazon, Twitter and The New York Times, have prompted demand for online data storage that doesn’t depend on companies that might hand over such data or compromise security to comply with government demands, nor depend on one centralized service that could be taken down through external pressure.

The Tahoe Least Authority File System (Tahoe-LAFS) has been actively developed since 2007. Just as Tor concentrates on anonymity, Tahoe-LAFS’s developers have worked hard to create a resilient, decentralized, infrastructure that lets you store online both data you’d want to keep private, as well as data you want to share with selected groups of friends. It’s also able to protect against a single source of failure or censorship, like a commercial service being attacked or responding to a takedown.

Tahoe-LAFS is open source, but this month, some of the Tahoe project’s founders launched S4, a commercial “PRISM-proof” secure, off-site backup service that uses Tahoe as a backend and Amazon as a storage site.

Tahoe’s protections against third-party snooping and deletion have the kind of strong mathematical guarantees that reassure security experts that Tahoe-LAFS is well-defended against certain kinds of attack. That also means its privacy and resilience are not dependent on the good behavior or policies of its operators. (See the box for more information.)

Secure online backups like S4 are one possible use for Tahoe’s time-tested code and approach. You and your friends can run your own Tahoe network, sharing storage space across a number of servers, confident that your friends can see and change only what they have the caps to see, and that even if a sizable number of those servers disappear, your data will still be retrievable. Services like git-annex-assistant, a decentralized Dropbox-like folder synchronizer, already optionally offer it as backend. Some privacy activists have run private Tahoe networks over Tor, creating an anonymous, distributed and largely censorship-proof storage system.

It’s great to see commercial services like S4 emerging in the face of our new knowledge about pervasive online surveillance. Even better is the possibility that others, including entrepreneurs, designers and usability experts, will stand on the shoulders of the secure possibilities that protocols like Tor and Tahoe provide and give us all innovative Internet tools that can truly keep users and their data safe and sound.

EFF: Hundreds of Pages of NSA Spying Documents to be Released As Result of Lawsuit

In a major victory in one of EFF’s Freedom of Information Act (FOIA) lawsuits, the Justice Department conceded yesterday that it will release hundreds of pages of documents, including FISA court opinions, related to the government’s secret interpretation of Section 215 of the Patriot Act, the law the NSA has relied upon for years to mass collect the phone records of millions of innocent Americans.

In a court filing, the Justice Department, responding to a judge’s order, said that they would make public a host of material that will “total hundreds of pages” by next week, including:

[O]rders and opinions of the FISC issued from January 1, 2004, to June 6, 2011, that contain a significant legal interpretation of the government’s authority or use of its authority under Section 215; and responsive “significant documents, procedures, or legal analyses incorporated into FISC opinions or orders and treated as binding by the Department of Justice or the National Security Agency.”

While the government finally released a white paper detailing its expansive (and unconstitutional) interpretation of Section 215 last month, more important FISA court opinions adopting at least part of that interpretation have remained secret. The results of EFF’s FOIA lawsuit will finally lift the veil on the dubious legal underpinnings of NSA’s domestic phone surveillance program.

This victory for EFF comes on the heels of another FOIA success two weeks ago, when the Justice Department was also forced to release a 2011 FISA court opinion ruling some NSA surveillance unconstitutional.

Like our lawsuit over that 2011 FISA opinion—where the government posted the results on Director of National Intelligence’s new Tumblr account—the Justice Department may attempt to portray this release as being done out of the goodness of its heart and as a testament to its commitment to transparency. While we applaud the government for finally releasing the opinions, it is not simply a case of magnanimity. The Justice Department is releasing this information because a court has ordered it to do so in response to EFF’s FOIA lawsuit, which was filed on the tenth anniversary of the enactment of the Patriot Act—nearly two years ago.

For most of the duration of the lawsuit, the government fought tooth and nail to keep every page of its interpretations secret, even once arguing it should not even be compelled to release the number of pages that their opinions consisted of. It was not until the start of the release of documents leaked by NSA whistleblower Edward Snowden that the government’s position became untenable and the court ordered the government to begin the declassification review process.

It also should be noted, that on the same day the government agreed to release this information, GOP Rep. Jim Sensenbrenner, the author of the Patriot Act, submitted an amicus brief authored by EFF supporting ACLU’s constitutional challenge of the NSA phone collection program that relies on Section 215. In other words, even the author of Section 215 thinks the government has twisted and distorted its language to justify something that the law was never supposed to allow. Now, we will finally see that tortured interpretation.

EFF’s Open Letter to John Kerry: Tell Ethiopia to Release Eskinder Nega and Stop Imprisoning Bloggers

The following open letter, written by the Electronic Frontier Foundation, addresses a very frightening global trend: Nations increasingly using terror prevention as justification to lock up dissidents. Based on some provisions in the most recent National Defense Authorization Act, it is possible that similarly extreme cases could occur in the U.S.

Dear Secretary of State John Kerry,

This month marks the second anniversary of Eskinder Nega’s imprisonment.  When you visited Ethiopia in May, Eskinder Nega had already been imprisoned – and thus silenced – for over a year. It’s time for the United States to use its considerable influence to vigorously and directly advocate Nega’s freedom and, in the process, to promote free expression and independent journalism throughout Ethiopia.

Now is a crucial moment for the Secretary to speak out. Over the weekend, Ethiopian security forces in Addis Ababa brutally suppressed a demonstration calling for political reforms and the release of jailed journalists and dissidents.

Eskinder Nega is an internationally recognized Ethiopian reporter-turned-blogger.  His award-winning journalism on political issues in Ethiopia – and his refusal to stop publishing or flee the country – has made him the target of persecution by the Ethiopian government for many years. Nega was arrested in September 2011 and then convicted under a new, extremely broad anti-terrorism law in Ethiopia. Nega’s so-called crime was writing articles and speaking publicly on topics such as the Arab Spring and Ethiopia’s poor record on press freedom. For that, he was sentenced to 18 years in prison.

In July, the New York Times published a letter from Eskinder Nega in prison, who explained that Ethiopia’s anti-terrorism law “has been used as a pretext to detain journalists who criticize the government.”  He elaborated on the actions that landed him in prison on charges of terrorism:

I’ve never conspired to overthrow the government; all I did was report on the Arab Spring and suggest that something similar might happen in Ethiopia if the authoritarian regime didn’t reform. The state’s main evidence against me was a YouTube video of me, saying this at a public meeting. I also dared to question the government’s ludicrous claim that jailed journalists were terrorists.

As Leslie Lefkow, deputy Africa director at Human Rights Watch, said, “The use of draconian laws and trumped-up charges to crack down on free speech and peaceful dissent makes a mockery of the rule of law.”

EFF has joined other free speech advocates and human rights organizations around the world in calling for Nega’s release. The UN Working Group on Arbitrary Detention has joined the movement calling for Nega’s freedom. And Amnesty International has rightly declared Nega a prisoner of conscience and is petitioning for his release.

Journalists and human rights organizations around the world have condemned Nega’s sentence and called for his release. It’s time for the United States, and especially the State Department, to do the same.

We’re writing today to urge you to use your relationship with Ethiopia to campaign for Eskinder Nega’s freedom and the freedom of all peaceful bloggers in Ethiopia.

We appreciate the public statements that the State Department has made about Nega’s imprisonment, but that’s not enough. Nega has already spent two years in prison, and other bloggers in Ethiopia have also been silenced by similar unjust imprisonments.

A free and independent media is vital to democracy and justice. We are calling on you to speak out on behalf of Eskinder Nega and raise his case with your contacts within the Ethiopian government. We urge you to more strongly tie American economic and political support for  Ethiopia to its  record on press freedom. The Ethiopian government should understand that the imprisonment of Eskinder Nega has real and continuing consequences to the health of its global diplomatic and financial relationships with its partners.

The United States has deep ties with Ethiopia. Please use this access and influence to champion the rights of free expression and press freedom that are guaranteed by the Ethiopian constitution and international law.

Sincerely,

Electronic Frontier Foundation