Privacy Tools: The best encrypted messaging programs

This article by Julia Angwin was published originally by ProPublica.

Ever since former National Security Agency consultant Edward Snowden revealed mass governmental surveillance, my inbox has been barraged with announcements about new encryption tools to keep people’s communications safe from snooping.

But it’s not easy to sort out which secret messaging tools offer true security and which ones might be snake oil. So I turned to two experts, Joseph Bonneau at Princeton and Peter Eckersley at the Electronic Frontier Foundation, for advice about what to look for in encryption tools. Working together, we chose seven technical criteria on which to rank encryption tools.

The criteria aim to assess whether the tool is designed to combat threats such as backdoors secretly built into the software, Internet eavesdroppers, or tricksters who steal the secret “keys” that users must safeguard to keep their communications secure.

Check out the results of our review.

Keep in mind, even an unbreakable encryption tool can be circumvented by hackers or spies who secretly install software on a computer or phone that hijacks communications before they are encrypted.

And even the best encryption tools still don’t do enough. All the tools require both people communicating to install software. And few tools provide much anonymity so even if your messages are unreadable by anyone but you, your contact list could still be exposed. And many of the tools are run by rag-tag teams of volunteers, which could mean that they won’t last.

Still, some tools scored highly enough that users can feel confident that they take encryption seriously. “It’s important to realize we’re mostly grading for effort here and not execution,” said Bonneau. “We’re still a long way from being able to state with confidence how much security apps are actually delivering.”

One program that scored well was Cryptocat, a free chat program that can be installed in any Web browser and was famously used by journalist Glenn Greenwald while he was in Hong Kong meeting with Snowden. Nadim Kobeissi created Cryptocat in 2010 as an experiment when he was a 21-year-old student at Concordia University in Montreal. “It wasn’t anything serious,” Kobeissi told me.

But his tool won attention after it won a prize in a New York hackathon in 2012. Since then, he has raised about $150,000 in grants to help pay developers to work on improvements to the software. He funds his Web hosting bills through donations, and he pays himself by working as a software consultant and selling Cryptocat stickers and t-shirts. “It’s been an uphill battle,” he says. Being recognized as a secure tool, “is a huge deal.”

A lineup of three cellphone apps from San Francisco-based Open Whisper Systems also received perfect scores: Signal, for making secure phone calls on iPhone; RedPhone for secure phone calls on Android; and TextSecure, for sending secure texts on Android. All the apps are free and relatively simple to use.

The company’s Signal app also tries to give users some anonymity by using a sophisticated system called a “bloom filter,” that allows users to find each other without sharing their address books. “The contacts from your device are never transmitted anywhere,” says Open Whisper Systems security expert Moxie Marlinspike.

A pricier option is available from a pair of highly ranked encryption apps for Android and iPhone, Silent Text and Silent Phone. The apps are free to install but users must sign up for a $9.95 monthly subscription service.

Mike Janke, CEO of Silent Circle, says that the only way to offer real privacy is to charge users. “It takes a lot of money to have a robust, always-on and high-quality service,” he said. “Most free apps don’t or cannot support this,” without selling ads or user data.

“Our architecture, network and technology is built to not have any user data,” he says. “You pay us for a service and a product with money, not with your data or through ad dollars.”

Surprisingly, some popular encryption programs didn’t fare well in the rankings. Gnu Privacy Guard, an often-used email encryption program, fell short of the top score because it has not been audited and past communications can be compromised if the user’s secret key is stolen (by theft of a laptop, for instance). Similarly, Apple’s iMessage and FaceTime encrypted texting and video calling programs lost points because their software code is not open for public review.

Also, some tools that are popular in the press didn’t fare well. Wickr, a cellphone encryption app that was recently profiled on CNBC, lost points for not disclosing its underlying code or its underlying cryptographic protocols, and for not having a way for users to verify each other’s identity. Wickr said it is working toward publicly releasing a white paper that will disclose its protocols and is testing a new identity verification feature that it will release soon.

Similarly, Virtru, which was recently profiled in The New York Times, received low rankings because it stores users’ “secret keys” on its own computers rather than on users’ computers, requiring users to trust Virtru with access to their secret messages. Virtru says it is working on a way to allow users to store their keys on their own computer if they prefer.

And some programs that sound like they might be secret, such as Snapchat and Google’s off the record chats, are only encrypted in transit, but can still be read by the provider.

One problem that remains thorny for many encryption apps is giving users a way to verify that they are sending secret messages to the correct person.

That was an issue when one of Edward Snowden’s lawyers, Jesslyn Radack, sent an encrypted e-mail to journalist Glenn Greenwald earlier this year asking if Snowden was going to appear at the Polk Awards. By mistake, she sent the email to the public key of someone masquerading as Greenwald, who then decrypted the message and made it public.

Radack could have avoided her mishap by comparing the ‘fingerprint’ of the fake Greenwald key with the ‘fingerprint’ of the key that Greenwald publishes on The Intercept’s website.

Eckersley said he hopes that the next generation of encryption apps can tackle the key verification problem. “It’s like we have extremely trustworthy couriers to deliver our secret packages, but we don’t always have a safe way to know what address to send them to,” he said.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.

ProPublica: Cops get spy gear from private donors

This article, written by Ali Winston and Darwin Bond Graham, was published by ProPublica on Oct. 13.

In 2007, as it pushed to build a state-of-the-art surveillance facility, the Los Angeles Police Department cast an acquisitive eye on software being developed by Palantir, a startup funded in part by the Central Intelligence Agency’s venture capital arm.

Originally designed for spy agencies, Palantir’s technology allowed users to track individuals with unprecedented reach, connecting information from conventional sources like crime reports with more controversial data gathered by surveillance cameras and license plate readers that automatically, and indiscriminately, photographed passing cars.

The LAPD could have used a small portion of its multibillion-dollar annual budget to purchase the software, but that would have meant going through a year-long process requiring public meetings, approval from the City Council, and, in some cases, competitive bidding.

There was a quicker, quieter way to get the software: as a gift from the Los Angeles Police Foundation, a private charity. In November 2007, at the behest of then Police Chief William Bratton, the foundation approached Target Corp., which contributed $200,000 to buy the software, said the foundation’s executive director, Cecilia Glassman, in an interview. Then the foundation donated it to the police department.

Across the nation, private foundations are increasingly being tapped to provide police with technology and weaponry that — were it purchased with public money — would come under far closer scrutiny.

In Los Angeles, foundation money has been used to buy hundreds of thousands of dollars’ worth of license plate readers, which were the subject of a civil-rights lawsuit filed against the region’s law enforcement agencies by the American Civil Liberties Union of Southern California and the Electronic Frontier Foundation. (A judge rejected the groups’ claims earlier this year.)

Private funds also have been used to upgrade “Stingray” devices, which have triggered debate in numerous jurisdictions because they vacuum up records of cellphone metadata, calls, text messages and data transfers over a half-mile radius.

New York and Los Angeles have the nation’s oldest and most generous police foundations, each providing their city police departments with grants totaling about $3 million a year. But similar groups have sprouted up in dozens of jurisdictions, from Atlanta, Georgia, to Oakland, California. In Atlanta, the police foundation has bankrolled the surveillance cameras that now blanket the city, as well as the center where police officers monitor live video feeds.

Proponents of these private fundraising efforts say they have become indispensable in an era of tightening budgets, helping police to acquire the ever-more sophisticated tools needed to combat modern crime.

“There’s very little discretionary money for the department,” said Steve Soboroff, a businessman who is president of the Los Angeles Police Commission, the civilian board that oversees the LAPD’s policies and operations. “A grant application to the foundation cuts all the red tape, or almost all of the red tape.”

But critics say police foundations operate with little transparency or oversight and can be a way for wealthy donors and corporations to influence law enforcement agencies’ priorities.

It’s not uncommon for the same companies to be donors to the same police foundations that purchase their products for local police departments. Or for those companies also to be contractors for the same police agencies to which their products are being donated.

“No one really knows what’s going on,” said Dick Dadey of Citizens Union, a good government group in New York. “The public needs to know that these contributions are being made voluntarily and have no bearing on contracting decisions.”

Palantir, the recipient of the Los Angeles Police Foundation’s largesse in 2008, donated $10,000 to become a three-star sponsor of the group’s annual “Above and Beyond” awards ceremony in 2013 and has made similar-sized gifts to the New York police foundation. The privately held Palo Alto firm, which had estimated revenues of $250 million in 2011 and is preparing to go public, also has won millions of dollars of contracts from the Los Angeles and New York police departments over the last three years.

Palantir officials did not respond to questions about its relationships with police departments and the foundations linked to them. The New York City Police Foundation did not answer questions about Palantir’s donations, or its technology gifts to the NYPD.

Donna Lieberman, executive director of the New York Civil Liberties Union, said she saw danger in the growing web of ties between police departments, foundations and private donors.

“We run the risk of policy that is in the service of moneyed interests,” she said.

The nation’s first police foundation was established in New York City in 1971 by the Association for a Better New York, a private group headed by real estate magnate Lewis Rudin.

In the late 1970s, when violent crime soared and the city’s finances were shaky, the foundation paid for bulletproof vests, which were distributed via a raffle. “It changed the administration into believing bulletproof vests are necessary equipment for the job,” a former New York cop said.

Altogether, the New York City Police Foundation has distributed more than $120 million in grants since it was set up and has spurred a host of imitators.

One was the Los Angeles Police Foundation, which was founded in 1998 by then Police Chief Bernard Parks.

Its first modest mission was to pay to outfit police units with medical kits to treat gunshot wounds. “There were incidents with officers injured and paramedics were getting there too late,” said Parks, who is now a city councilman.

Over its lifespan, the foundation has provided the LAPD with grants totaling more than $20 million, much of it to acquire uncontroversial items such as bicycles and police dogs.

In New York and Los Angeles, it has long been true that top police officials have exercised considerable control over the use of foundation money.

Glassman said that the chief of police’s office deals directly with the Los Angeles foundation, identifying which products and services the department wants and who the vendor should be. At Bratton’s direction, private donations paid for a team of consultants to devise a plan to reorganize the LAPD.

According to press reports, Ray Kelly, New York’s police commissioner for a brief stint in the early ’90s and from 2002 to 2013, held similar sway with the New York City foundation. At his behest, foundation funds even paid for Kelly’s membership at the Harvard Club, an NYPD spokesman confirmed.

More recently, though, the New York and Los Angeles foundations have turned to funding technology initiatives, many of them involving surveillance systems.

An audit included with the New York foundation’s 2013 annual tax filing said almost half of the $6.5 million distributed by the group that year went to what it called the police department’s “technology campaign.”

The foundation was given $4.6 million by JPMorgan Chase to buy 1,000 laptops and security monitoring software for the police department’s main data center, according to the foundation’s tax documentation and press releases from JP Morgan.

Records for the Los Angeles foundation are more specific, showing outlays of almost $250,000 in 2010 for tracking equipment for the police department’s counter-terrorism investigators and $460,000 in 2011 on surveillance cameras and license plate readers.

According to its 2012 tax filing, the foundation gave almost $25,000 to upgrade “Stingray” devices placed in skid row to monitor drug transactions.

Police boosters say there’s no need for public debate over these types of acquisitions.

“I think we all see ourselves as part of a larger puzzle, which is making sure that Los Angeles has a world class police department, and we’re just the private funding source,” said Glassman of the Police Foundation. “The commission is an oversight board and the department is here to protect and serve.”

But Peter Bibring of the ACLU of Southern California said that when police acquire new surveillance tools it can reshape their approach to policing – shifts that, when enabled by private money, are occurring outside public view.

“These technologies are adopted without any kind of public discussion, without clear policies on how they should be used,” he said.

As private charities, police foundations are subject to reporting rules set by the tax code rather than the public information laws that apply to law enforcement agencies. In many cases, foundations give few details about where their money comes from and even fewer about what it’s used to buy.

The New York City Police Foundation lists contributors who give $1,000 or more on its website, separating them into donors ($1,000-$5,000), benefactors ($5,000-$10,000), bronze ($10,000-$25,000), silver ($25,000-$50,000), gold ($50,000-$100,000) and platinum ($100,000 or more).

The group offers no specifics at all on what its grants are used for, however. The police department’s annual budget lumps them all into a single line item labeled “non-city funds.”

Despite the minimal amount of disclosure, it’s clear that several companies are both vendors and donors to the New York foundation. Some also hold large contracts to supply goods and services to the police department.

The NYPD’s citywide surveillance hub uses software from IBM, which gave between $10,000 and $25,000 to the foundation. According to its website and tax documents, the foundation helped fund creation of the hub. IBM did not respond when asked about its relationships with New York’s police foundation and police department.

DynTek Inc. made a contribution of similar size to the foundation and has won more than $47 million in technology contracts with New York City since 2008. It lobbied the police department for more business as recently as this January, according to disclosure records. DynTek officials also did not respond to questions.

The New York Police Foundation’s bylaws say it reviews potential conflicts of interest involving donors, but foundation officials did not respond to questions about this process.

It appears that no one else is watching out for these overlapping relationships: New York’s Comptroller and Conflict of Interest Board, which oversee procurement and conflicts of interest for the city, said they don’t track the police foundation’s donations to the police department.

Los Angeles has put more protections in place – at least on paper. According to the city’s Administrative Code, the Police Commission must approve all foundation gifts to the police department. Donations with a value of more than $10,000 also must be approved by the City Council and its Public Safety Committee.

Accompanying each donation is a signed assurance from LAPD staff that states, “all possible conflicts of interest have been researched, and this donation does not reflect negatively on the Department or City in general.”

In practice, though, the police commission puts donations from the foundation on its consent agenda, which typically passes with no discussion. In December 2013, for example, the commission approved a gift of 50 stun guns from TASER International Inc., valued at more than $48,000, in less than five seconds, video archives show. The donated models are an experimental product that LAPD officers are field testing for the company, according to city records. The City Council’s Public Safety Committee and, later, the full council, also approved the donation with no debate.

In some cases, foundation gifts may not be getting even this level of scrutiny. There’s no indication in records that the City Council ever voted on or approved the 2007 donation of the Palantir software.

A recent kerfuffle involving LAPD Officer Brandi Pearson, the daughter of Police Chief Charlie Beck, demonstrated the holes in the vetting process for police foundation gifts. In March, the foundation paid $6,000 to buy a horse from Pearson, then donated it to the police department’s mounted unit. Beck himself signed off on the foundation’s purchase, but neither he nor foundation officials informed the Police Commission about the arrangement. Details of the horse’s purchase only emerged this August when the Los Angeles Times got hold of the story.

Ana Muniz, a former researcher with the Inglewood-based Youth Justice Coalition who has studied the LAPD’s gang policing efforts, called the porous system for monitoring foundation donations unsettling.

“At least with public contracts and spending, there’s a facade of transparency and accountability,” Muniz said. “With private partnerships, with private technology, there’s nothing.”

Parks said that the Los Angeles foundation was supposed to avoid taking donations from companies if they were bidding on contracts for the police department, but acknowledged there are no rules barring this.

As Motorola and Raytheon vied for a $600 million contract to provide the regional emergency communications system used by the LAPD, each company made generous donations to the police foundation.

Motorola gave more than $164,000 through a foundation controlled by company executives in 2010 and 2011. It also appointed Bratton, who left the LAPD in October 2009, to its board of directors in December 2010, a post that paid $240,000 a year.

“As part of our commitment to public safety, the Motorola Solutions Foundation, Motorola Solutions’ philanthropic arm, supports public safety nonprofits that provide training for officers and safety education for the general public, as well as memorials to honor the service and sacrifice of fallen officers, and to help fund scholarships for their families,” said Tama McWinney, a Motorola spokesperson, in a written response to questions about why the company had donated to the police foundation.

Raytheon countered by donating $311,000 in equipment to the police foundation to upgrade the LAPD’s existing radio system. “Our community engagement includes strategic partnerships, individual empowerment programs, employee volunteer efforts and regional projects that are aligned with support of first responders, education initiatives and our warfighters,” Michael Doble, Raytheon’s director of public relations, said in a statement.

Motorola ended up winning the contract.

Soboroff said he had no concerns that companies were donating to the foundation to improve their chances to do business with the city — donors were typically driven by “an insatiable appetite to help,” he said, not self-interest.

At a recent fundraiser hosted by a wealthy family, members of the police department’s canine, equestrian and SWAT units helped raise $180,000 to buy dogs, horses and equipment.

“All they need to do is see a menu of what we need and they’re willing to play,” Soboroff said.

Parks, however, said corporate donors should be seen with a more skeptical eye and that, in his view, it taints the contracting process when companies are allowed to make gifts to the same police agencies from which they are seeking work.

“If you are taking money from Motorola and all of a sudden Motorola is providing you with your radios, those are major concerns,” he said. “You should shy away from those relationships.”

Ultimately, Parks remains a supporter of police foundations and said Los Angeles’ group has provided critical support to the city’s police. But he has come to believe these groups need more substantial oversight than they are getting.

“You have to be diligent to look at what people are purchasing,” he said. “You don’t want to say, when did we buy 50 drones?”


Inside the New York Fed: Secret recordings and a culture clash

by Jake Bernstein, ProPublica, Sep. 26, 2014, 5 a.m.

Barely a year removed from the devastation of the 2008 financial crisis, the president of the Federal Reserve Bank of New York faced a crossroads. Congress had set its sights on reform. The biggest banks in the nation had shown that their failure could threaten the entire financial system. Lawmakers wanted new safeguards.

This story was co-published with This American Life, from WBEZ Chicago.

The Federal Reserve, and, by dint of its location off Wall Street, the New York Fed, was the logical choice to head the effort. Except it had failed miserably in catching the meltdown.

New York Fed President William Dudley had to answer two questions quickly: Why had his institution blown it, and how could it do better? So he called in an outsider, a Columbia University finance professor named David Beim, and granted him unlimited access to investigate. In exchange, the results would remain secret.

After interviews with dozens of New York Fed employees, Beim learned something that surprised even him. The most daunting obstacle the New York Fed faced in overseeing the nation’s biggest financial institutions was its own culture. The New York Fed had become too risk-averse and deferential to the banks it supervised. Its examiners feared contradicting bosses, who too often forced their findings into an institutional consensus that watered down much of what they did.

The report didn’t only highlight problems. Beim provided a path forward. He urged the New York Fed to hire expert examiners who were unafraid to speak up and then encourage them to do so. It was essential, he said, to preventing the next crisis.

A year later, Congress gave the Federal Reserve even more oversight authority. And the New York Fed started hiring specialized examiners to station inside the too-big-to-fail institutions, those that posed the most risk to the financial system.

One of the expert examiners it chose was Carmen Segarra.

Segarra appeared to be exactly what Beim ordered. Passionate and direct, schooled in the Ivy League and at the Sorbonne, she was a lawyer with more than 13 years of experience in compliance – the specialty of helping banks satisfy rules and regulations. The New York Fed placed her inside one of the biggest and, at the time, most controversial banks in the country, Goldman Sachs.

It did not go well. She was fired after only seven months.

As ProPublica reported last year, Segarra sued the New York Fed and her bosses, claiming she was retaliated against for refusing to back down from a negative finding about Goldman Sachs. A judge threw out the case this year without ruling on the merits, saying the facts didn’t fit the statute under which she sued.

At the bottom of a document filed in the case, however, her lawyer disclosed a stunning fact: Segarra had made a series of audio recordings while at the New York Fed. Worried about what she was witnessing, Segarra wanted a record in case events were disputed. So she had purchased a tiny recorder at the Spy Store and began capturing what took place at Goldman and with her bosses.

Segarra ultimately recorded about 46 hours of meetings and conversations with her colleagues. Many of these events document key moments leading to her firing. But against the backdrop of the Beim report, they also offer an intimate study of the New York Fed’s culture at a pivotal moment in its effort to become a more forceful financial supervisor. Fed deliberations, confidential by regulation, rarely become public.

The recordings make clear that some of the cultural obstacles Beim outlined in his report persisted almost three years after he handed his report to Dudley. They portray a New York Fed that is at times reluctant to push hard against Goldman and struggling to define its authority while integrating Segarra and a new corps of expert examiners into a reorganized supervisory scheme.

Segarra became a polarizing personality inside the New York Fed – and a problem for her bosses – in part because she was too outspoken and direct about the issues she saw at both Goldman and the Fed. Some colleagues found her abrasive and complained. Her unwillingness to conform set her on a collision course with higher-ups at the New York Fed and, ultimately, led to her undoing.

In a tense, 40-minute meeting recorded the week before she was fired, Segarra’s boss repeatedly tries to persuade her to change her conclusion that Goldman was missing a policy to handle conflicts of interest. Segarra offered to review her evidence with higher-ups and told her boss she would accept being overruled once her findings were submitted. It wasn’t enough.

“Why do you have to say there’s no policy?” her boss said near the end of the grueling session.

“Professionally,” Segarra responded, “I cannot agree.”

The New York Fed disputes Segarra’s claim that she was fired in retaliation.

“The decision to terminate Ms. Segarra’s employment with the New York Fed was based entirely on performance grounds, not because she raised concerns as a member of any examination team about any institution,” it said in a two-page statement responding to an extensive list of questions from ProPublica and This American Life.

The statement also defends the bank’s record as regulator, saying it has taken steps to incorporate Beim’s recommendations and “provides multiple venues and layers of recourse to help ensure that its employees freely express their views and concerns.”

“The New York Fed,” the statement says, “categorically rejects the allegations being made about the integrity of its supervision of financial institutions.”

In the spring of 2009, New York Fed President William Dudley put together a team of eight senior staffers to help Beim in his inquiry. In many ways, this was familiar territory for Beim.

He had worked on Wall Street as a banker in the 1980s at Bankers Trust Company, assisting the firm through its transition from a retail to an investment bank. In 1997, the New York Fed hired Beim to study how it might improve its examination process. Beim recommended the Fed spend more time understanding the businesses it supervised. He also suggested a system of continuous monitoring rather than a single year-end examination.

Beim says his team in 2009 pursued a no-holds-barred investigation of the New York Fed. They were emboldened because the report was to remain an internal document, so there was no reason to hold back for fear of exposure. The words “Confidential Treatment Requested” ran across the bottom of the report.

“Nothing was off limits,” says Beim. “I was told I could ask anyone any question. There were no restrictions.”

In the end, his 27-page report laid bare a culture ruled by groupthink, where managers used consensus decision-making and layers of vetting to water down findings. Examiners feared to speak up lest they make a mistake or contradict higher-ups. Excessive secrecy stymied action and empowered gatekeepers, who used their authority to protect the banks they supervised.

“Our review of lessons learned from the crisis reveals a culture that is too risk-averse to respond quickly and flexibly to new challenges,” the report stated. “A number of people believe that supervisors paid excessive deference to banks, and as a result they were less aggressive in finding issues or in following up on them in a forceful way.”

One New York Fed employee, a supervisor, described his experience in terms of “regulatory capture,” the phrase commonly used to describe a situation where banks co-opt regulators. Beim included the remark in a footnote. “Within three weeks on the job, I saw the capture set in,” the manager stated.

Confronted with the quotation, senior officers at the Fed asked the professor to remove it from the report, according to Beim. “They didn’t give an argument,” Beim said in an interview. “They were embarrassed.” He refused to change it.

The Beim report made the case that the New York Fed needed a specific kind of culture to transform itself into an institution able to monitor complex financial firms and catch the kinds of risks that were capable of torpedoing the global economy.

That meant hiring “out-of-the-box thinkers,” even at the risk of getting “disruptive personalities,” the report said. It called for expert examiners who would be contrarian, ask difficult questions and challenge the prevailing orthodoxy. Managers should add categories like “willingness to speak up” and “willingness to contradict me” to annual employee evaluations. And senior Fed managers had to take the lead.

“The top has to articulate why we’re going through this change, what the benefits are going to be and why it’s so important that we’re going to monitor everyone and make sure they stay on board,” Beim said in an interview.

Beim handed the report to Dudley. The professor kept it in draft form to help maintain secrecy and because he thought the Fed president might request changes. Instead, Dudley thanked him and that was it. Beim never heard from him again about the matter, he said.

In 2011, the Financial Crisis Inquiry Commission, created by Congress to investigate the causes behind the economic calamity, publicly released hundreds of documents. Buried among them was Beim’s report.

Because of the report’s candor, the release surprised Beim and New York Fed officials. Yet virtually no one else noticed.

Among the New York Fed employees enlisted to help Beim in his investigation was Michael Silva.

As a Fed veteran, Silva was a logical choice. A lawyer and graduate of the United States Naval Academy, he joined the bank as a law clerk in 1992. Silva had also assisted disabled veterans and had gone into Iraq after the 2003 invasion to help the country’s central bank. Prior to working on Beim’s report, he had been chief of staff to the previous New York Fed president, Timothy Geithner.

In declining through his lawyer to comment for this story, Silva cited the appeal of Segarra’s lawsuit and a prohibition on disclosing unpublished supervisory material. The rule allows regulators to monitor banks without having to worry about the release of information that could alarm customers and create a run on a bank that’s under scrutiny.

Silva had been in the room with Geithner in September 2008 during a seminal moment of the financial crisis. Shares in a large money market fund – the Reserve Primary Fund – had fallen below the standard price of $1, “breaking the buck” and threatening to touch off a run by investors. The investment firm Lehman Brothers had entered bankruptcy, and the financial system appeared in danger of collapse.

In Segarra’s recordings, Silva tells his team how, at least initially, no one in the war room at the New York Fed knew how to respond. He went into the bathroom, sick to his stomach, and vomited.

“I never want to get close to that moment again, but maybe I’m too close to that moment,” Silva told his New York Fed team at Goldman Sachs in a meeting one day.

Despite his years at the New York Fed, Silva was new to the institution’s supervisory side. He had never been an examiner or participated as part of a team inside a regulated bank until being appointed to lead the team at Goldman Sachs. Silva prefaced his financial crisis anecdote by saying the team needed to understand his motivations, “so you can perhaps push back on these things.”

In the recordings, Silva then offered a second anecdote. This one involved the moments before the Lehman bankruptcy.

Silva related how the top bankers in the nation were asked to contribute money to save Lehman. He described his disappointment when Goldman executives initially balked. Silva acknowledged that it might have been a hard sell to shareholders, but added that “if Goldman had stepped up with a big number, that would have encouraged the others.”

“It was extraordinarily disappointing to me that they weren’t thinking as Americans,” Silva says in the recording. “Those two things are very powerful experiences that, I will admit, influence my thinking.”

Silva’s stories help explain his approach to a controversial deal that came to the New York Fed team’s attention in January 2012, two months after Segarra arrived. She said the Fed’s handling of the deal demonstrated its timidity whenever questions arose about Goldman’s actions. Debate about the deal runs through many of Segarra’s recordings.

On Friday, Jan. 6, 2012, at 3:54 p.m., a senior Goldman official sent an email to the on-site Fed regulators – including Silva, Segarra and Segarra’s legal and compliance manager, Johnathon Kim. Goldman wanted to notify them about a fast-moving transaction with a large Spanish bank, Banco Santander. Spanish regulators had signed off on the deal, but Goldman was reaching out to its own regulators to see whether they had any questions.

At the time, European banks were shaky, particularly the Spanish ones. To shore up confidence, the European Banking Authority was demanding that banks hold more capital to offset potential future losses. Meeting these capital requirements was at the heart of the Goldman-Santander transaction.

Under the deal, Santander transferred some of the shares it held in its Brazilian subsidiary to Goldman. This effectively reduced the amount of capital Santander needed. In exchange for a fee from Santander, Goldman would hold on to the shares for a few years and then return them. The deal would help Santander announce that it had reached its proper capital ratio six months ahead of the deadline.

In the recordings, one New York Fed employee compared it to Goldman “getting paid to watch a briefcase.” Silva states that the fee was $40 million and that potentially hundreds of millions more could be made from trading on the large number of shares Goldman would hold.

Santander and Goldman declined to respond to detailed questions about the deal.

Silva did not like the transaction. He acknowledged it appeared to be “perfectly legal” but thought it was bad to help Santander appear healthier than it might actually be.

“It’s pretty apparent when you think this thing through that it’s basically window dressing that’s designed to help Banco Santander artificially enhance its capital position,” he told his team before a big meeting on the topic with Goldman executives.

The deal closed the Sunday after the Friday email. The following week, Silva spoke with top Goldman people about it and told his team he had asked why the bank “should” do the deal. As Silva described it, there was a divide between the Fed’s view of the deal and Goldman’s.

“[Goldman executives] responded with a bunch of explanations that all relate to, ‘We can do this,’ ” Silva told his team.

Privately, Segarra saw little sense in Silva’s preoccupation with the question of whether “should” applied to the Santander deal. In an interview, she said it seemed to her that Silva and the other examiners who worked under him tended to focus on abstract issues that were “fuzzy” and “esoteric” like “should” and “reputational risk.”

Segarra believed that Goldman had more pressing compliance issues – such as whether executives had checked the backgrounds of the parties to the deal in the way required by anti-money laundering regulations.

Segarra had joined the New York Fed on Oct. 31, 2011, as it was gearing up for its new era overseeing the biggest and riskiest banks. She was part of a reorganization meant to put more expert examiners to the task.

In the past, examiners known as “relationship managers” had been stationed inside the banks. When they needed an in-depth review in a particular area, they would often call a risk specialist from that area to come do the examination for them.

In the new system, relationship managers would be redubbed “business-line specialists.” They would spend more time trying to understand how the banks made money. The business-line specialists would report to the senior New York Fed person stationed inside the bank.

The risk specialists like Segarra would no longer be called in from outside. They, too, would be embedded inside the banks, with an open mandate to do continuous examinations in their particular area of expertise, everything from credit risk to Segarra’s specialty of legal and compliance. They would have their own risk-specialist bosses but would also be expected to answer to the person in charge at the bank, the same manager of the business-line specialists.

In Goldman’s case, that was Silva.

Shortly after the Santander transaction closed, Segarra notified her own risk-specialist bosses that Silva was concerned. They told her to look into the deal. She met with Silva to tell him the news, but he had some of his own. The general counsel of the New York Fed had “reined me in,” he told Segarra. Silva did not refer by name to Tom Baxter, the New York Fed’s general counsel, but said: “I was all fired up, and he doesn’t want me getting the Fed to assert powers it doesn’t have.”

This conversation occurred the day before the New York Fed team met with Goldman officials to learn about the inner workings of the deal.

From the recordings, it’s not spelled out exactly what troubled the general counsel. But they make clear that higher-ups felt they had no authority to nix the Santander deal simply because Fed officials didn’t think Goldman “should” do it.

Segarra told Silva she understood but felt that if they looked, they’d likely find holes. Silva repeated himself. “Well, yes, but it is actually also the case that the general counsel reined me in a bit on that,” he reminded Segarra.

The following day, the New York Fed team gathered before their meeting with Goldman. Silva outlined his concerns without mentioning the general counsel’s admonishment. He said he thought the deal was “legal but shady.”

“I’d like these guys to come away from this meeting confused as to what we think about it,” he told the team. “I want to keep them nervous.”

As requested, Segarra had dug further into the transaction and found something unusual: a clause that seemed to require Goldman to alert the New York Fed about the terms and receive a “no objection.”

This appeared to pique Silva’s interest. “The one thing I know as a lawyer that they never got from me was a no objection,” he said at the pre-meeting. He rallied his team to look into all aspects of the deal. If they would “poke with our usual poker faces,” Silva said, maybe they would “find something even shadier.”

But what loomed as a showdown ended up fizzling. In the meeting with Goldman, an executive said the “no objection” clause was for the firm’s benefit and not meant to obligate Goldman to get approval. Rather than press the point, regulators moved on.

Afterward, the New York Fed staffers huddled again on their floor at the bank. The fact-finding process had only just started. In the meeting, Goldman had promised to get back to the regulators with more information to answer some of their questions. Still, one of the Fed lawyers present at the post-meeting lauded Goldman’s “thoroughness.”

Another examiner said he worried that the team was pushing Goldman too hard.

“I think we don’t want to discourage Goldman from disclosing these types of things in the future,” he said. Instead, he suggested telling the bank, “Don’t mistake our inquisitiveness, and our desire to understand more about the marketplace in general, as a criticism of you as a firm necessarily.”

To Segarra, the “inquisitiveness” comment represented a fear of upsetting Goldman.

By law, the banks are required to provide information if the New York Fed asks for it. Moreover, Goldman itself had brought the Santander deal to the regulators’ attention.

Beim’s report identified deference as a serious problem. In an interview, he explained that some of this behavior could be chalked up to a natural tendency to want to maintain good relations with people you see every day. The danger, Beim noted, is that it can morph into regulatory capture. To prevent it, the New York Fed typically tries to move examiners every few years.

Over the ensuing months, the Fed team at Goldman debated how to demonstrate their displeasure with Goldman over the Santander deal. The option with the most interest was to send a letter saying the Fed had concerns, but without forcing Goldman to do anything about them.

The only downside, said one Fed official on a recording in late January 2012, was that Goldman would just ignore them.

“We’re not obligating them to do anything necessarily, but it could very effectively get a reaction and change some behavior for future transactions,” one team member said.

In the same recorded meeting, Segarra pointed out that Goldman might not have done the anti-money laundering checks that Fed guidance outlines for deals like these. If so, the team might be able to do more than just send a letter, she said. The group ignored her.

It’s not clear from the recordings if the letter was ever sent.

Silva took an optimistic view in the meeting. The Fed’s interest got the bank’s attention, he said, and senior Goldman executives had apologized to him for the way the Fed had learned about the deal. “I guarantee they’ll think twice about the next one, because by putting them through their paces, and having that large Fed crowd come in, you know we, I fussed at ‘em pretty good,” he said. “They were very, very nervous.”

Segarra had worked previously at Citigroup, MBNA and Société Générale. She was accustomed to meetings that ended with specific action items.

At the Fed, simply having a meeting was often seen as akin to action, she said in an interview. “It’s like the information is discussed, and then it just ends up in like a vacuum, floating on air, not acted upon.”

Beim said he found the same dynamic at work in the lead up to the financial crisis. Fed officials noticed the accumulating risk in the system. “There were lengthy presentations on subjects like that,” Beim said. “It’s just that none of those meetings ever ended with anyone saying, ‘And therefore let’s take the following steps right now.'”

The New York Fed’s post-crisis reorganization didn’t resolve longstanding tensions between its examiner corps. In fact, by empowering risk specialists, it may have exacerbated them.

Beim had highlighted conflicts between the two examiner groups in his report. “Risk teams … often feel that the Relationship teams become gatekeepers at their banks, seeking to control access to their institutions,” he wrote. Other examiners complained in the report that relationship managers “were too deferential to bank management.”

In the new order, risk specialists were now responsible for their own examinations. No longer would the business-line specialists control the process. What Segarra discovered, however, was that the roles had not been clearly defined, allowing the tensions Beim had detailed to fester.

Segarra said she began to experience pushback from the business-line specialists within a month of starting her job. Some of these incidents are detailed in her lawsuit, recorded in notes she took at the time and corroborated by another examiner who was present.

Business-line specialists questioned her meeting minutes; one challenged whether she had accurately heard comments by a Goldman executive at a meeting. It created problems, Segarra said, when she drew on her experiences at other banks to contradict rosy assessments the business-line specialists had of Goldman’s compliance programs. In the recordings, she is forceful in expressing her opinions.

ProPublica and This American Life reached out to four of the business-line specialists who were on the Goldman team while Segarra was there to try and get their side of the story. Only one responded, and that person declined a request for comment. In the recordings, it’s clear from her interactions with managers that Segarra found the situation upsetting, and she did not hide her displeasure. She repeatedly complains about the business-line specialists to Kim, her legal and compliance manager, and other supervisors.

“It’s like even when I try to explain to them what my evidence is, they won’t even listen,” she told Kim in a recording from Jan. 6, 2012. “I think that management needs to do a better job of managing those people.”

Kim let her know in the meeting that he did not expect such help from the Fed’s top management. “I just want to manage your expectations for our purposes,” he told Segarra. “Let’s pretend that it’s not going to happen.”

Instead, Kim advised Segarra “to be patient” and “bite her tongue.” The New York Fed was trying to change, he counseled, but it was “this giant Titanic, slow to move.”

Three days later, Segarra met with her fellow legal and compliance risk specialists stationed at the other banks. In the recording, the meeting turns into a gripe session about the business-line specialists. Other risk specialists were jockeying over control of examinations, too, it turned out.

“It has been a struggle for me as to who really has the final say about recommendations,” said one.

“If we can’t feel that we’ll have management support or that our expertise per se is not valued, it causes a low morale to us,” said another.

On Feb. 21, 2012, Segarra met with her manager, Kim, for their weekly meeting. After covering some process issues with her examinations, the recordings show, they again discussed the tensions between the two camps of specialists.

Kim shifted some of the blame for those tensions onto Segarra, and specifically onto her personality: “There are opinions that are coming in,” he began.

First he complimented her: “I think you do a good job of looking at issues and identifying what the gaps are and you know determining what you want to do as the next steps. And I think you do a lot of hard work, so I’m thankful,” Kim said. But there had been complaints.

She was too “transactional,” Kim said, and needed to be more “relational.”

“I’m never questioning about the knowledge base or assessments or those things; it’s really about how you are perceived,” Kim said. People thought she had “sharper elbows, or you’re sort of breaking eggs. And obviously I don’t know what the right word is.”

Segarra asked for specifics. Kim demurred, describing it as “general feedback.”

In the conversation that followed, Kim offered Segarra pointed advice about behaviors that would make her a better examiner at the New York Fed. But his suggestions, delivered in a well-meaning tone, tracked with the very cultural handicaps that Beim said needed to change.

Kim: “I would ask you to think about a little bit more, in terms of, first of all, the choice of words and not being so conclusory.”

Beim report: “Because so many seem to fear contradicting their bosses, senior managers must now repeatedly tell subordinates they have a duty to speak up even if that contradicts their bosses.”

Kim: “You use the word ‘definitely’ a lot, too. If you use that, then you want to have a consensus view of definitely, not only your own.”

Beim report: “An allied issue is that building consensus can result in a whittling down of issues or a smoothing of exam findings. Compromise often results in less forceful language and demands on the banks involved.”

In Segarra’s recordings, there is some evidence to back Kim’s critique. Sometimes she cuts people off, including her bosses. And she could be brusque or blunt.

A colleague who worked with Segarra at the New York Fed, who does not have permission from their employer to be identified, told ProPublica that Segarra often asked direct questions. Sometimes they were embarrassingly direct, this former examiner said, but they were all questions that needed to be asked. This person characterized Segarra’s behavior at the New York Fed as “a breath of fresh air.”

ProPublica also reached out to three people who worked with Segarra at two other firms. All three praised her attitude at work and said she never acted unprofessionally.

In the meeting with Kim, Segarra observed that the skills that made her successful in the private sector did not seem to be the ones that necessarily worked at the New York Fed.

Kim said that she needed to make changes quickly in order to succeed.

“You mean, not fired?” Segarra said.

“I don’t want to even get there,” Kim responded.

It would be unfair to fire her, Segarra offered, since she was doing a good job.

“I’m here to change the definition of what a good job is,” Kim said. “There are two parts to it: Actually producing the results, which I think you’re very capable of producing the results. But also be mindful of enfolding people and defusing situations, making sure that people feel like they’re heard and respected.”

Segarra had thought her job was simple: Follow the evidence wherever it led. Now she was being told she had to “enfold” business-line specialists and “defuse” their objections.

“What does this have to do with bank examinations,” Segarra wondered to herself, “or Goldman Sachs?”

Segarra worked on her examination of Goldman’s conflict-of-interest policies for nearly seven months. Her mandate was to determine whether Goldman had a comprehensive, firm-wide conflicts-of-interest policy as of Nov. 1, 2011.

Segarra has records showing that there were at least 15 meetings on the topic. Silva or Kim attended the majority. At an impromptu gathering of regulators after one such meeting early that December, her contemporaneous notes indicate Silva was distressed by how Goldman was dealing with conflicts of interest.

By the spring of 2012, Segarra believed her bosses agreed with her conclusion that Goldman did not have a policy sufficient to meet Fed guidance.

During her examination, she regularly talked about her findings with fellow legal and compliance risk specialists from other banks. In April, they all came together for a vetting session to report conclusions about their respective institutions. After a brief presentation by Segarra, the team agreed that Goldman’s conflict-of-interest policies didn’t measure up, according to Segarra and one other examiner who was present.

In May, members of the New York Fed team at Goldman met to discuss plans for their annual assessment of the bank. Segarra was sick and not present. Silva recounts in an email that he was considering informing Goldman that it did not have a policy when a business-line specialist interjected and said Goldman did have a conflict-of-interest policy – right on the bank’s website.

In a follow-up email to Segarra, Silva wrote: “In light of your repeated and adamant assertions that Goldman has no written conflicts of interest policy, you can understand why I was surprised to find a “Conflicts of Interests Section” in Goldman’s Code of Conduct that seemed to me to define, prohibit and instruct employees what to do about it.”

But in Segarra’s view, the code fell far short of the Fed’s official guidance, which calls for a policy that encompasses the entire bank and provides a framework for “assessing, controlling, measuring, monitoring and reporting” conflicts.

ProPublica sent a copy of Goldman’s Code of Conduct to two legal and compliance experts familiar with the Fed’s guidance on the topic. Both did not want to be quoted by name, either because they were not authorized by their employer or because they did not want to publicly criticize Goldman Sachs. Both have experience as bank examiners in the area of legal and compliance. Each said Goldman’s Code of Conduct would not qualify as a firm-wide conflicts of interest policy as set out by the Fed’s guidance.

In the recordings, Segarra asks Gwen Libstag, the executive at Goldman who is responsible for managing conflicts, whether the bank has “a definition of a conflict of interest, what that is and what that means?”

“No,” Libstag replied at the meeting in April.

Back in December, according to meeting minutes, a Goldman executive told Segarra and other regulators that Goldman did not have a single policy: “It’s probably more than one document – there is no one policy per se.”

Early in her examination, Segarra had asked for all the conflict-of-interest policies for each of Goldman’s divisions as of Nov. 1, 2011. It took months and two requests, Segarra said, to get the documents. They arrived in March. According to the documents, two of the divisions state that the first policy dates to December 2011. The documents also indicate that policies for another division were incomplete.

ProPublica and This American Life sent Goldman Sachs detailed questions about the bank’s conflict-of-interest policies, Segarra and events in the meetings she recorded.

In a three-paragraph response, the bank said, “Goldman Sachs has long had a comprehensive approach for addressing potential conflicts.” It also cited Silva’s email about the Code of Conduct in the statement, saying: “To get a balanced view of her claims, you should read what her supervisor wrote after discovering that what she had said about Goldman was just plain wrong.”

Goldman’s statement also said Segarra had unsuccessfully interviewed for jobs at Goldman three times. Segarra said that she recalls interviewing with the bank four times, but that it shouldn’t be surprising. She has applied for jobs at most of the top banks on Wall Street multiple times over the course of her career, she said.

The audio is muddy but the words are distinct. So is the tension. Segarra is in Silva’s small office at Goldman Sachs with his deputy. The two are trying to persuade her to change her view about Goldman’s conflicts policy.

“You have to come off the view that Goldman doesn’t have any kind of conflict-of-interest policy,” are the first words Silva says to her. Fed officials didn’t believe her conclusion – that Goldman lacked a policy – was “credible.”

Segarra tells him she has been writing bank compliance policies for a living since she graduated from law school in 1998. She has asked Goldman for the bank’s policies, and what they provided did not comply with Fed guidance.

“I’m going to lose this entire case,” Silva says, “because of your fixation on whether they do or don’t have a policy. Why can’t we just say they have basic pieces of a policy but they have to dramatically improve it?”

It’s not like Goldman doesn’t know what an adequate policy contains, she says. They have proper policies in other areas.

“But can’t we say they have a policy?” Silva says, a question he asks repeatedly in various forms during the meeting.

Segarra offers to meet with anyone to go over the evidence collected from dozens of meetings and hundreds of documents. She says it’s OK if higher-ups want to change her conclusions after she submits them.

But Silva says the lawyers at the Fed have determined Goldman has a policy. As a comparison, he brings up the Santander deal. He had thought the deal was improper, but the general counsel reined him in.

“I lost the Santander transaction in large part because I insisted that it was fraudulent, which they insisted is patently absurd,” Silva said, “and as a result of that, I didn’t get taken seriously.”

Now, the same thing was happening with conflicts, he said.

A week later, Silva called Segarra into a conference room and fired her. The New York Fed, he told Segarra, who was recording the conversation, had “lost confidence in [her] ability to not substitute [her] own judgment for everyone else’s.”

Producer Brian Reed of This American Life contributed reporting to this story. ProPublica intern Abbie Nehring contributed research.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.

ProPublica fact checks Feinstein on the Assault Weapons ban

This piece, written by Lois Beckett, was originally published by ProPublica.

In the 10 years since the federal assault weapons ban expired, Sen. Dianne Feinstein (D-Calif.) has kept trying to renew the law, which she authored. In a press release this month honoring the 20th anniversary of the ban, she wrote, “The evidence is clear: the ban worked.”

But gun violence experts say the exact opposite. “There is no compelling evidence that it saved lives,” Duke University public policy experts Philip Cook and Kristin Goss wrote in their book “The Gun Debate: What Everyone Needs to Know.”

A definitive study of the 1994 law — which prohibited the manufacture and sale of semiautomatic guns with “military-style features” such as pistol grips or bayonet mounts as well as magazines holding more than 10 rounds of ammunition — found no evidence that it had reduced overall gun crime or made shootings less lethal. “We cannot clearly credit the ban with any of the nation’s recent drop in gun violence,” the Department of Justice-funded study concluded in 2004. “Should it be renewed, the ban’s effects on gun violence are likely to be small at best and perhaps too small for reliable measurement.”

As we recently reported, key gun control groups say they are no longer making an assault weapons ban a priority because they think focusing on other policies, including universal background checks, is a more effective way to save lives. The Center for American Progress released a report earlier this month suggesting ways to regulate assault weapons without banning them.

Feinstein introduced an updated version of the assault weapons ban last year in the wake of the mass shooting at Sandy Hook Elementary School in which the shooter used a type of rifle that had been targeted by the ban. She told her Senate colleagues to “show some guts” when they voted on it in April. The measure failed, 40-60. The push to improve background checks also failed, but attracted more support.

The key statistic that Feinstein cited in her recent press release — that the ban “was responsible for a 6.7 percent decrease in total gun murders, holding all other factors equal” — was rejected by researchers a decade ago.

Feinstein attributed the statistic to an initial Department of Justice-funded study of the first few years of the ban, published in 1997.

But one of the authors of that study, Dr. Christopher Koper, a criminologist from George Mason University, told ProPublica that number was just a “tentative conclusion.” Koper was also the principal investigator on the 2004 study that, as he put it, “kind of overruled, based on new evidence, what the preliminary report had been in 1997.”

Feinstein’s spokesman, Tom Mentzer, contested the idea that the 2004 study invalidated the 1997 statistic that Feinstein has continued to cite. But Koper said he and the other researchers in 2004 had not re-done the specific analysis that resulted in the 6.7 percent estimate because the calculation had been based on an assumption that turned out to be false. In the 1997 study, Koper said, he and the other researchers had assumed that the ban had successfully decreased the use of large-capacity magazines. What they later found was that despite the ban, the use of large-capacity magazines in crime had actually stayed steady or risen.

“The weight of evidence that was gathered and analyzed across the two reports suggested that initial drop in the gun murder rate must have been due to other factors besides the assault weapons ban,” Koper said.

Cook, the Duke public policy expert, told ProPublica that the “weak results” of the 1994 ban “should not be interpreted to mean that in general bans don’t work.”

He said Feinstein’s updated version of the ban, which she proposed in 2013 and is more restrictive, might be more effective. An American assault weapons ban might also have an impact on drug and gang-related violence in Mexico, he said.

“Around 30,000 Americans are killed with guns each year; one-third of those are murders,” Feinstein said in a statement to ProPublica. “Obviously there’s no single solution, which is why I support a wide range of policy proposals to bring sense to our firearms laws.  I continue to believe that drying up the supply of military-style assault weapons is an important piece of the puzzle — and the data back this up.” (See Feinstein’s full statement below.)

Gun rights groups have long criticized the ban, and Feinstein’s defense of it.

“Gun rights organizations, Second Amendment people, always take Dianne Feinstein with the whole shaker full of salt,” said Dave Workman, the communications director for the Citizens Committee for the Right to Keep and Bear Arms.  “She’s been a perennial gun-banner.”

“One would think the lesson learned from banning alcohol, marijuana, and many other drugs and items [is that] it never works for anyone intent on obtaining any of these items,” Jerry Henry, the executive director of GeorgiaCarry.org, told ProPublica. “All it does is put it in the background and helps establish a flourishing black market.”

The National Rifle Association did not respond to a request for comment.

Full Feinstein statement:

“Around 30,000 Americans are killed with guns each year; one-third of those are murders. Obviously there’s no single solution, which is why I support a wide range of policy proposals to bring sense to our firearms laws. We need to expand background checks, strengthen gun trafficking laws and make sure domestic abusers, the seriously mentally ill and other dangerous people cannot access guns.

“I continue to believe that drying up the supply of military-style assault weapons is an important piece of the puzzle—and the data back this up. These weapons were designed for the military and have one purpose: to kill as many people as possible, as quickly as possible. They are the weapon of choice for grievance killers, gang members and juveniles, and they shouldn’t be on the streets.

“A 2004 Justice Department study found clear evidence that the ban on manufacture and transfer of assault weapons reduced their use in crimes. The percentage of assault weapons traced as part of criminal investigations dropped 70 percent between 1993 and 2002, and many police departments reported increases in the use of assault weapons after the ban expired. In less than a decade, the ban was already drying up supply. The study suggested the law would have been even more effective if it had banned weapons already in circulation and if it had continued past its 10-year duration. Unfortunately those limits were part of the compromise that had to be struck to pass the ban into law.

“Let me be clear: Assault weapons allow criminals to fire more shots, wound and kill more individuals and inflict greater damage. The research supports that. A ban on assault weapons was never meant to stop all gun crimes, it was meant to help stop the most deadly mass shootings. That’s why it needs to be a part of the discussion, or rampages like Sandy Hook will continue to happen.”

Correction: Due to an editing error, an earlier version of this story incorrectly referred to a round of ammunition as a “bullet.” Properly speaking, ammunition rounds include not just the bullet, but also propellant, primer and case.


China’s Cyberattacks Tied to U.S. Companies, Contractors and Government Systems

This article by Hanqing Chen was published by ProPublica on Aug. 27.

U.S.-China tensions have risen recently over suspicions of Chinese nationals infiltrating U.S. company computer systems. In late May, the U.S. Justice Department accused five Chinese military officers of allegedly hacking several U.S. companies, marking the first time the Obama administration has publicly accused China of cyberspying. The indictments came amid a string of U.S. security breaches tied to hackers in China. Here are some of the most notable cybersecurity breaches tied to China from the past several years.

How a Chinese National Gained Access to Arizona’s Terror Center

ProPublica and The Center for Investigative Reporting, August 2014

Lizhong Fan worked for five months at the Arizona Terrorism Center with access to sensitive information on 5 million Arizona drivers – then disappeared without a trace. U.S. officials still don’t know exactly what data he took back to China. We explore how the computer engineer was allowed to work at “one of the best-run and most effective” intelligence facilities in the U.S. without the standard security vetting.

Chinese Hackers Pursue Key Data on U.S. Workers

New York Times, July 2014

Unnamed U.S. officials told The New York Times that Chinese hackers breached computer networks of the Office of Personnel Management, which manages data for federal employees, in March 2014. The Times noted the attack was “particularly disturbing” because the agency oversees a system containing employees’ sensitive financial information. Four months after the attack, a spokeswoman for the Obama Administration said that no personally identifiable information had been compromised.

China’s Cyberspies Outwit Model for Bond’s Q

Bloomberg Businessweek, September 2013

Defense contractor QinetiQ, which has developed drones, satellites and software used by the U.S. military, found its research had been compromised over the course of three years by members of a Chinese military hacking unit (Businessweek has a timeline of events). “We found traces of the intruders in many of their divisions and across most of their product lines,” said Christopher Day, who was hired twice by QinetiQ to investigate the intrusions. “There was virtually no place we looked where we didn’t find them.”

Chinese Army Unit Is Seen as Tied to Hacking Against U.S.

New York Times, February 2013

A Shanghai-based hacking group tied to the People’s Liberation Army in China has orchestrated more than 140 attacks on U.S. companies including Coca-Cola and Lockheed Martin, according to a 60-page study on the group by security firm Mandiant. Embassy officials denied that China’s government was involved with hacking, and an official with the Chinese Ministry of Foreign Affairs called the allegations “unprofessional.” But Rep. Mike Rogers (R-Mich.) told The Times that Mandiant’s findings were “completely consistent with the type of activity the Intelligence Committee has been seeing for some time.” The story features a graphic breakdown of the types of industries apparently targeted by the hacking collective over time.

Hackers in China Attacked The Times for Last 4 Months

New York Times, January 2013

The Times reported that Chinese hackers allegedly infiltrated their networks over four months, beginning in September 2012, setting up back doors to user computers and eventually obtaining access to usernames and passwords for every Times employee. The initial breach coincided with the newspaper’s publication of a story about the relatives of Chinese prime minister Wen Jiabao.

According to The Times, Bloomberg News computers were targeted (though not breached) under similar circumstances in 2012. After the Times report, The Wall Street Journal and The Washington Post also reported having been targeted by suspected Chinese hackers.

Chinese Hackers Hit U.S. Chamber

The Wall Street Journal, December 2011

A group of hackers in China compromised computer networks at the U.S. Chamber of Commerce, according to WSJ. Chamber officials told the newspaper “internal investigators found evidence that hackers had focused on four Chamber employees who worked on Asia policy, and that six weeks of their email had been stolen.” The “complex operation” was detected and shut down in May 2010, the newspaper reported.

The Best Reporting On Federal Push To Militarize Local Police

This article by Hanqing Chen originally appeared August 19, 2014 at the website of ProPublica.

Protests have continued for more than a week since the fatal police shooting of 18-year-old Michael Brown in Ferguson, Mo. Police officers initially met protesters with full riot gear, armored vehicles and assault rifles, escalating tensions and leading Gov. Jay Nixon to replace the St. Louis County Police Department with the Missouri State Highway Patrol, saying the St. Louis suburb looked like “a war zone.”

The militarization of St. Louis and other local police departments can be traced to two major sources – the federal 1033 Program, a section of the National Defense Authorization Act passed in the 1990s, as well as federal homeland security grants to states. Here are a few facts that you might have missed about the Pentagon pipeline and the rise of military equipment and tactics in local police departments.

Federal Pipeline

The Defense Department has provided tens of thousands of pieces of military equipment to local police departments for free. As a “long season of war” draws to a close for the U.S., surplus weapons meant for foreign battlefields are finding their way into police departments across the country, the New York Times reports. The free supplies provided to local law enforcement include machine guns, magazines, night vision equipment, aircraft and armored vehicles. Local news outlets have investigated the flow of military-grade weapons and equipment into police departments in Utah, Indiana, Georgia and Tennessee.

The DOD program, known as 1033, has provided $4.3 billion in free military equipment to local police. The 1033 program allows the Pentagon to transfer weapons to local police departments on permanent loan for free. The program first started in the 1990s as part of an effort to arm police during the drug crisis.

How it All Started

The Justice Department, working with the Pentagon, began to pay for military technology in police departments during the Clinton years. In 1994, the Justice Department and the Pentagon funded a five-year program to adapt military security and surveillance technology for local police departments that they would otherwise not be able to afford. Even then, the technologies raised concerns with civil rights activists, according to the Christian Science Monitor.

States received at least $34 billion in federal grants to purchase military grade supplies in the decade after 9/11. Thousands of local police departments across the country went on a “buying spree” fueled by billions in federal grants, CIR reported. Even in remote cities like Fargo, North Dakota, rated one of the safest cities in America, police officers have traveled with military style assault rifles in their patrol cars. We talked to one of the reporters behind the story, G.W. Schulz, about his findings on a MuckReads podcast in January 2012.

Department of Homeland Security spending on domestic security hit $75 billion a year in 2011. But that spending “has been rife with dubious expenditures,” the Los Angeles Times reported, including $557,400 in rescue and communications gear that went to 1,500 residents of North Pole, Alaska, and a $750,000 “anti-terrorism fence” that was built around a Veterans Affairs hospital in North Carolina.

Local Consequences

St. Louis County has received at least 50 pieces of free tactical gear from the Defense Department in the last four years. Newsweek obtained a list of the “tactical” items that St. Louis County police procured through the 1033 program, including night vision gear, vehicles, an explosive ordnance robot, rifles and pistols. Popular Science breaks down the types of body armor, vehicles and weapons used by Ferguson police, as documented by journalists and witnesses on social media.

Police conduct up to 80,000 SWAT raids a year in the U.S., up from 3,000 a year in the early ’80s. That’s according to criminologist and researcher Peter Kraska. But according to a recent study by the American Civil Liberties Union, almost 80 percent of SWAT team raids are linked to search warrants to investigate potential criminal suspects, not for high-stakes “hostage, barricade, or active shooter scenarios.” The ACLU also noted that SWAT tactics are used disproportionately against people of color.

The grenade launchers used by Ferguson police can cause serious injury. Flash grenades like those used in Ferguson have been shown to cause serious harm in the past. In one instance, a flash-bang grenade exploded near a toddler’s face during a drug raid by a local SWAT team in Georgia. The boy spent several weeks in a burn unit and was placed in a medically induced coma. County officials later said that they did not plan to pay the toddler’s medical expenses.

Militarization isn’t just changing the tools police officers use, but how they relate to communities they serve. Investigative reporter Radley Balko told Vice that police officers are often isolated from the communities they work in. “I think a much deeper problem is the effect all of this war talk and battle rhetoric has had on policing as a profession,” Balko said in an interview. “In much of the country today, police officers are psychologically isolated from the communities they serve.”

Why Is The Cuomo Administration Automatically Deleting New York State Employees’ Emails?

This article by Theodoric Meyer was originally published August 11, 2014 at the website of ProPublica. This story was co-published with the Albany Times-Union and WNYC.

New York Gov. Andrew M. Cuomo’s administration — which the governor pledged would be the most transparent in state history — has quietly adopted policies that allow it to purge the emails of tens of thousands of state employees, cutting off a key avenue for understanding and investigating state government.

Last year, the state started deleting any emails more than 90 days old that users hadn’t specifically saved — a much more aggressive stance than many other states. The policy shift was first reported by the Albany Times Union.

A previously unpublished memo outlining the policy raises new questions about the state’s stated rationale for its deletions policy. What’s more, the rules on which emails must be retained are bewilderingly complex – they fill 118 pages – leading to further concern that emails may not be saved at all.

“If you’re aggressively destroying your email, it looks like you’re trying to hide something,” said Benjamin Wright, a Dallas lawyer who has advised companies and government agencies on records retention.

ProPublica obtained the memo through a public records request.

In the June 18, 2013, memo, Karen Geduldig, the general counsel of the state’s Office of Information Technology Services, described New York’s decision to automatically delete emails as a way to cut down on the state’s “enormous amount of email data.”

But the state implemented the policy as part of a move to Microsoft’s Office 365 email system, which offers 50 gigabytes of space per email user — enough to store hundreds of thousands or even millions of emails for each state worker. The state’s version of Office 365 also offers unlimited email archiving.

The Office of Information and Technology Services declined to comment on the record. An official in the office said even though the state can store large quantities of email, it can still be difficult to manage.

“Just because you have a big house doesn’t mean you have to shove stuff in it,” the official said.

Geduldig’s memo also pointed out that some federal government agencies and corporations automatically purge employees’ email. “Such a system will aid the State in improving its email management,” Geduldig wrote.

But many states take a different tack.

Florida, for instance, requires state employees to keep routine administrative correspondence for at least three years, and emails dealing with policy development for at least five years. Connecticut requires employees to keep routine emails for at least two years. Washington State requires workers to keep emails dealing with public business for two years, and emails to and from top officials for four years. Those states also do not automatically delete email.

“It shouldn’t be an automatic process,” said Russell Wood, the records manager for the Washington State Archives. “There should be some point of review in there.”

Emails that qualify as “records” are supposed to be preserved under New York’s policy. But determining which emails qualify and which don’t — a task left up to individual state employees — can be mind-numbingly complicated.

The state’s rules include 215 different categories of records — including two separate categories dealing with office supplies.

“We don’t think it’s plausible at all that agency personnel are going to meticulously follow” those rules, said John Kaehny, the executive director of the good-government group Reinvent Albany. If the rules for preservation aren’t followed, emails will be purged by default.

The length of time emails are required to be kept varies by category. Any emails related to “human rights training,” for instance, must be kept for six years. Emails concerning “agency fiscal management” must be kept for three years. Emails about “the development of internal administrative policies and procedures” must be kept for a year, but emails “used to support administrative analysis, planning and development of procedures” can be deleted as soon as they’re “obsolete,” according to the rules.

The governor’s office has its own rules detailing which emails must be saved, with 55 categories, from emails of weekly reports to emails “related to Native-American affairs.” Anything that doesn’t fall into one of the categories “should be deleted” once they’ve been opened, the governor’s office advises.

There is no internal or external watchdog to make sure the rules are being followed, Kaehny said.

The state also doesn’t have a standardized system for preserving emails that do have to be saved, according to the Office of Information Technology Services official. State workers can save their emails by printing them out, pasting them into Microsoft Word documents or placing them in a special folder in the email program itself.

“Everyone does it differently, and some people are still learning how to do it,” the official said.

Emails related to potential litigation and freedom of information requests are not supposed to be deleted under New York State’s policy. But Karl Olson, a San Francisco lawyer who has represented news outlets including the Los Angeles Times in freedom of information lawsuits, said that deleting emails after such a short period of time might mean they’re gone by the time reporters need to request them.

“It may take a while for evidence of misconduct to bubble to the surface,” Olson said.

Emily Grannis, a fellow with the nonprofit Reporters Committee for Freedom of the Press, said New York’s automatic deletion policy “strikes me as inconsistent with the goals of [freedom of information] laws, and to have such a short timeframe is particularly troubling.”

Government agencies often adopt deletion policies to help protect themselves from potential lawsuits and freedom of information requests, said Mark Diamond, the chief executive of Contoural, a records management consulting firm. Getting rid of emails after 90 days, though, risks deleting correspondence that employees might need down the road. “I don’t think it’s a well thought-out strategy,” he said.

Cuomo’s aides have also developed a reputation for using their personal email accounts to conduct state business — a move that can make it more difficult to seek the emails under the state’s freedom of information law. The Cuomo administration has denied that it does so, but a ProPublica reporter and others have, in fact, received such emails from officials.

New York isn’t the only state that destroys unsaved email after 90 days.

California’s governor’s office, for instance, has automatically deleted employees’ sent and received email after 90 days for more than a decade. But the office also requires employees to save far more than in New York, including official correspondence, memos, scheduling requests and other documents.

If you have information about or experience with the state’s email deletion policy, please contact Theo Meyer at theo.meyer@propublica.org.

Related articles: Read ProPublica’s coverage of how Cuomo administration officials have used their private email accounts for public business, and how the administration has denied that it does so.

Justin Elliott contributed reporting.

ProPublica: Meet the Online Tracking Device That is Virtually Impossible to Block

This story, written by Julia Angwin, was originally co-published by ProPublica and Mashable.

Update: After this article was published, YouPorn contacted us to say it had removed AddThis technology from its website, saying that the website was “completely unaware that AddThis contained a tracking software that had the potential to jeopardize the privacy of our users.” A spokeswoman for the German digital marketer Ligatus also said that it is no longer running its test of canvas fingerprinting, and that it has no plans to use it in the future.

A new, extremely persistent type of online tracking is shadowing visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.com.

First documented in a forthcoming paper by researchers at Princeton University and KU Leuven University in Belgium, this type of tracking, called canvas fingerprinting, works by instructing the visitor’s Web browser to draw a hidden image. Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.

Like other tracking tools, canvas fingerprints are used to build profiles of users based on the websites they visit — profiles that shape which ads, news articles, or other types of content are displayed to them.

But fingerprints are unusually hard to block: They can’t be prevented by using standard Web browser privacy settings or using anti-tracking tools such as AdBlock Plus.

The researchers found canvas fingerprinting computer code, primarily written by a company called AddThis, on 5 percent of the top 100,000 websites. Most of the code was on websites that use AddThis’ social media sharing tools. Other fingerprinters include the German digital marketer Ligatus and the Canadian dating site Plentyoffish. (A list of all the websites on which researchers found the code is here).

Rich Harris, chief executive of AddThis, said that the company began testing canvas fingerprinting earlier this year as a possible way to replace “cookies,” the traditional way that users are tracked, via text files installed on their computers.

“We’re looking for a cookie alternative,” Harris said in an interview.

Harris said the company considered the privacy implications of canvas fingerprinting before launching the test, but decided “this is well within the rules and regulations and laws and policies that we have.”

He added that the company has only used the data collected from canvas fingerprints for internal research and development. The company won’t use the data for ad targeting or personalization if users install the AddThis opt-out cookie on their computers, he said.

Arvind Narayanan, the computer science professor who led the Princeton research team, countered that forcing users to take AddThis at its word about how their data will be used is “not the best privacy assurance.”

Device fingerprints rely on the fact that every computer is slightly different: Each contains different fonts, different software, different clock settings and other distinctive features. Computers automatically broadcast some of their attributes when they connect to another computer over the Internet.

Tracking companies have long sought to use those differences to uniquely identify devices for online advertising purposes, particularly as Web users are increasingly using ad-blocking software and deleting cookies.

In May 2012, researchers at the University of California, San Diego, noticed that a Web programming feature called “canvas” could allow for a new type of fingerprint — by pulling in different attributes than a typical device fingerprint.

In June, the Tor Project added a feature to its privacy-protecting Web browser to notify users when a website attempts to use the canvas feature and sends a blank canvas image. But other Web browsers did not add notifications for canvas fingerprinting.

A year later, Russian programmer Valentin Vasilyev noticed the study and added a canvas feature to freely available fingerprint code that he had posted on the Internet. The code was immediately popular.

But Vasilyev said that the company he was working for at the time decided against using the fingerprint technology. “We collected several million fingerprints but we decided against using them because accuracy was 90 percent,” he said, “and many of our customers were on mobile and the fingerprinting doesn’t work well on mobile.”

Vasilyev added that he wasn’t worried about the privacy concerns of fingerprinting. “The fingerprint itself is a number which in no way is related to a personality,” he said.

AddThis improved upon Vasilyev’s code by adding new tests and using the canvas to draw a pangram “Cwm fjordbank glyphs vext quiz” — a sentence that uses every letter of the alphabet at least once. This allows the company to capture slight variations in how each letter is displayed.
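The pattern described above (a script draws text on a canvas, then reads the pixels back) can be looked for in a record of canvas calls. This is an added example, not code from the researchers, AddThis or the Tor Project: the trace format, the `.example` script URLs and the flagging rule are assumptions made for illustration, while the canvas method names are the standard browser ones.

```python
import string
from collections import defaultdict

TEXT_DRAW = {"fillText", "strokeText"}     # canvas calls that render text
READBACK = {"toDataURL", "getImageData"}   # canvas calls that extract pixels

# Constructed trace of canvas API calls, in page-load order (hypothetical format).
TRACE = [
    {"script": "https://tracker.example/widget.js", "canvas": "c1",
     "method": "fillText", "text": "Cwm fjordbank glyphs vext quiz"},
    {"script": "https://tracker.example/widget.js", "canvas": "c1",
     "method": "toDataURL"},
    # A chart that draws a label and never reads it back.
    {"script": "https://charts.example/plot.js", "canvas": "c2",
     "method": "fillText", "text": "Revenue 2014"},
    # An image editor that exports a picture but draws no text.
    {"script": "https://editor.example/crop.js", "canvas": "c3",
     "method": "drawImage"},
    {"script": "https://editor.example/crop.js", "canvas": "c3",
     "method": "toDataURL"},
    # A readback that happens before any text is drawn.
    {"script": "https://early.example/probe.js", "canvas": "c4",
     "method": "getImageData"},
    {"script": "https://early.example/probe.js", "canvas": "c4",
     "method": "fillText", "text": "hello"},
]


def find_canvas_fingerprinting(trace):
    """Flag (script, canvas) pairs where text is drawn and later read back.

    Assumed rule for this example: rendering text and then extracting the
    pixels is the signature; drawing alone or exporting alone is not.
    """
    drawn = defaultdict(list)   # (script, canvas) -> texts drawn so far
    flagged = set()
    findings = []
    for event in trace:
        key = (event["script"], event["canvas"])
        method = event["method"]
        if method in TEXT_DRAW:
            drawn[key].append(event.get("text", ""))
        elif method in READBACK and drawn[key] and key not in flagged:
            flagged.add(key)
            letters = {ch for text in drawn[key] for ch in text.lower()
                       if ch in string.ascii_lowercase}
            findings.append({
                "script": event["script"],
                "canvas": event["canvas"],
                "readback": method,
                "distinct_letters": len(letters),
                # A pangram exercises every glyph, as in the AddThis test.
                "pangram": len(letters) == 26,
            })
    return findings


if __name__ == "__main__":
    for finding in find_canvas_fingerprinting(TRACE):
        print(finding)
```

Only the first script is reported; the chart, the image editor and the out-of-order probe are not, which is the distinction a blocker or auditor needs to draw before notifying the user or returning a blank image.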

AddThis said it rolled out the feature to a small portion of the 13 million websites on which its technology appears, but is considering ending its test soon. “It’s not uniquely identifying enough,” Harris said.

AddThis did not notify the websites on which the code was placed because “we conduct R&D projects in live environments to get the best results from testing,” according to a spokeswoman.

She added that the company does not use any of the data it collects — whether from canvas fingerprints or traditional cookie-based tracking — from government websites including WhiteHouse.gov for ad targeting or personalization.

The company offered no such assurances about data it routinely collects from visitors to other sites, such as YouPorn.com. YouPorn.com did not respond to inquiries from ProPublica about whether it was aware of AddThis’ test of canvas fingerprinting on its website.

Read ProPublica’s recent coverage about how online tracking is getting creepier, how Facebook has been tracking you, and what tools to use to protect yourself.

 

Here’s One Way To Land On The NSA’s Watch List

This article first appeared at ProPublica on July 9, 2014.

By Julia Angwin and Mike Tigas

Last week, German journalists revealed that the National Security Agency has a program to collect information about people who use privacy-protecting services, including popular anonymizing software called Tor. But it’s not clear how many users have been affected.

So we did a little sleuthing, and found that the NSA’s targeting list corresponds with the list of directory servers used by Tor between December 2010 and February 2012 – including two servers at the Massachusetts Institute of Technology. Tor users connect to the directory servers when they first launch the Tor service.

That means that if you downloaded Tor during 2011, the NSA may have scooped up your computer’s IP address and flagged you for further monitoring. The Tor Project is a nonprofit that receives significant funding from the U.S. government.

The revelations were among the first evidence of specific spy targets inside the United States. And they have been followed by yet more evidence. The Intercept revealed this week that the government monitored email of five prominent Muslim-Americans, including a former Bush Administration official.

It’s not clear if, or how extensively, the NSA spied on the users of Tor and other privacy services.

After the news, one of Tor’s original developers, Roger Dingledine, reassured users that they most likely remained anonymous while using the service: “Tor is designed to be robust to somebody watching traffic at one point in the network – even a directory authority.” It is more likely that users could have been spied on when they were not using Tor.

For its part, the NSA says it only collects information for valid foreign intelligence purposes and that it “minimizes” information it collects about U.S. residents. In other words, NSA may have discarded any information it obtained about U.S. residents who downloaded Tor.

However, according to a recent report by the Privacy and Civil Liberties Oversight Board, the NSA’s minimization procedures vary by program. Under Prism, for example, the NSA shares unminimized data with the FBI and CIA.

In addition, the NSA can also later search the communications of those it has inadvertently caught in its Prism dragnet, a tactic some have called a “backdoor” search. It’s not clear if similar backdoors exist for other types of data such as IP addresses.

In response to the Tor news, the NSA said it is following President Obama’s January directive to not conduct surveillance for the purpose of “suppressing or burdening criticism or dissent, or for disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion.”

[Disclosure: Mike Tigas is the developer of an app that uses Tor, called the Onion Browser.]

We updated our chart of NSA revelations to include monitoring of privacy software.

For the geeks, here are the IP addresses listed in the NSA Xkeyscore code and when they were added or removed from the list of Tor directory servers:

193.23.244.244 Added: Fri, 12 Feb 2010 15:31:08 -0400 (14:31 -0500)

194.109.206.212 Added: Sat, 8 Apr 2006 17:03:49 -0400 (21:03 +0000)

86.59.21.38 Added: Sat, 5 Nov 2005 16:20:51 -0400 (20:20 +0000)

213.115.239.118 Added: Thu, 10 Jun 2010 10:56:08 -0400 (16:56 +0200) Removed: Wed, 29 Feb 2012 14:22:41 -0400 (13:22 -0500)

212.112.245.170 Added: Thu, 16 Dec 2010 08:10:19 -0400 (13:10 +0100)

128.31.0.39 Added: Wed, 14 Oct 2009 19:36:08 -0400 (19:36 -0400)

216.224.124.114 Added: Wed, 7 Nov 2007 17:20:45 -0400 (21:20 +0000) Removed: Wed, 4 Apr 2012 19:51:04 -0400 (01:51 +0200)

208.83.223.34 Added: Mon, 10 Aug 2009 01:32:51 -0400 (01:32 -0400)
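The date range quoted earlier in the article can be re-derived from this list. The following added example (not ProPublica's own code) intersects the listing periods of the eight addresses, using only the Added and Removed dates shown above; the function names are hypothetical.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# (address, added, removed or None), copied from the list above.
DIRECTORY_SERVERS = [
    ("193.23.244.244", "Fri, 12 Feb 2010 15:31:08 -0400", None),
    ("194.109.206.212", "Sat, 8 Apr 2006 17:03:49 -0400", None),
    ("86.59.21.38", "Sat, 5 Nov 2005 16:20:51 -0400", None),
    ("213.115.239.118", "Thu, 10 Jun 2010 10:56:08 -0400",
     "Wed, 29 Feb 2012 14:22:41 -0400"),
    ("212.112.245.170", "Thu, 16 Dec 2010 08:10:19 -0400", None),
    ("128.31.0.39", "Wed, 14 Oct 2009 19:36:08 -0400", None),
    ("216.224.124.114", "Wed, 7 Nov 2007 17:20:45 -0400",
     "Wed, 4 Apr 2012 19:51:04 -0400"),
    ("208.83.223.34", "Mon, 10 Aug 2009 01:32:51 -0400", None),
]


def _parse(stamp):
    """Parse an RFC 2822-style timestamp into an aware UTC datetime."""
    return parsedate_to_datetime(stamp).astimezone(timezone.utc) if stamp else None


def listing_periods(servers):
    """Return (address, added, removed) with timestamps normalised to UTC."""
    return [(addr, _parse(added), _parse(removed))
            for addr, added, removed in servers]


def common_window(servers):
    """Period during which every address in `servers` was listed at once.

    The window opens when the last address is added and closes when the
    first one is removed. Returns None if the periods never all overlap;
    "end" is None if no address has a removal date.
    """
    periods = listing_periods(servers)
    last_added = max(periods, key=lambda p: p[1])
    removed = [p for p in periods if p[2] is not None]
    first_removed = min(removed, key=lambda p: p[2]) if removed else None
    start = last_added[1]
    end = first_removed[2] if first_removed else None
    if end is not None and end <= start:
        return None
    return {
        "start": start,
        "end": end,
        "last_added": last_added[0],
        "first_removed": first_removed[0] if first_removed else None,
    }


def listed_at(servers, when):
    """Addresses from `servers` listed at `when` (a timezone-aware datetime)."""
    return {addr for addr, added, removed in listing_periods(servers)
            if added <= when and (removed is None or when < removed)}


if __name__ == "__main__":
    window = common_window(DIRECTORY_SERVERS)
    print("all eight listed from", window["start"].isoformat(),
          "until", window["end"].isoformat())
    print("window opened by", window["last_added"],
          "and closed by", window["first_removed"])
```

The window opens on 16 Dec 2010 and closes on 29 Feb 2012, which is the December 2010 to February 2012 range given in the article.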

Attorney General Holder Requires Recording of Interrogations, Unlike New York City

This report, written by reporter Joaquin Sapien, was originally published by ProPublica May 23.

Attorney General Eric Holder has ordered Federal law enforcement agents to record all interrogations with suspects in custody.

The policy was outlined in a memo sent to the Federal Bureau of Investigation; the Drug Enforcement Administration; the Bureau of Alcohol, Tobacco, Firearms and Explosives; and the U.S. Marshals Service.

It comes at a time when the recording of interrogations has become increasingly widespread among State and local law enforcement as a means to prevent false confessions and coercion.

Currently, 18 States require interrogations to be taped, along with hundreds of local police departments and prosecutors around the country.

But the practice is not currently required by law in New York, where the failure to record interrogations has factored into several high-profile murder cases.

Last year, ProPublica published an in-depth examination of the case against Pedro Hernandez, a man currently awaiting trial for the murder and kidnapping of 6-year-old Etan Patz. Patz famously vanished while walking to his school bus stop in Manhattan in 1979. Hernandez confessed to the crime 33 years later in 2012, following an hours-long, unrecorded interrogation.

His lawyers say Hernandez was manipulated into a false confession. They note that he exhibits many of the problems that might lead someone to confess to something he didn’t do: He has the IQ of a borderline retarded person, he is mentally ill, and he confessed to a well-known crime, in which many of the facts are publicly known.

In January 2012, then New York Police Commissioner Ray Kelly and Manhattan District Attorney Cyrus Vance were members of a panel that called for mandatory taping in New York—but it hasn’t been uniformly adopted or required.

A spokesperson for the New York Police Department did not immediately respond to questions about its policy on recordings.

Holder’s new policy “establishes a presumption” that Federal agents “will electronically record statements made by individuals in their custody.” But it also includes some caveats: recording is not required while someone is being transported to detention even if they’re being questioned during the trip, nor when suspects specifically request that they not be recorded, nor when questioning is “undertaken to gather national security-related intelligence.”

 

ProPublica On Privacy Tools: Encrypt What You Can

This piece, written by Julia Angwin, was originally published by ProPublica on May 6.

In the course of writing my book, Dragnet Nation, I tried various strategies to protect my privacy. In this series of book excerpts and adaptations, I distill the lessons from my privacy experiments into tips for readers.

Ever since Edward Snowden revealed the inner secrets of the NSA, he has been urging Americans to use encryption to protect themselves from rampant spying.

“Encryption does work,” Snowden said, via a remote connection at the SXSW tech conference. “It is a defense against the dark arts for the digital realm.”

ProPublica has written about the NSA’s attempts to break encryption, but we don’t know for sure how successful the spy agency has been, and security experts still recommend using these techniques.

And besides, who doesn’t want to defend against the dark arts? But getting started with encryption can be daunting. Here are a few techniques that most people can use.

Encrypt the data you store. This protects your data from being read by people with access to your computer.

  • Encrypt your hard drive so that if you lose your computer or you get hacked, your information will be safe. Most recent Apple Macintosh computers contain a built-in encryption system called FileVault that is simple to use. Some versions of Microsoft’s Windows 7 also contain a built-in encryption system called BitLocker. Another popular solution is the free, open-source program TrueCrypt, which can either encrypt individual files or entire partitions of your computer or an external hard drive.
  • Encrypt your smartphone’s hard drive. Yes – your smartphone has a hard drive much like your computer has. In fact, your phone probably contains as much – or more – sensitive information about you as your computer does. Apple doesn’t let you encrypt your smart phone’s hard drive or the files on it, though it allows encryption of your phone’s backup files on iTunes or iCloud. You can also use Find my iPhone to remotely “wipe,” or delete the data on your iPhone or iPad if it is lost or stolen. Google’s Android operating system lets you encrypt your phone hard drive.
  • Encrypt the data you store in the cloud. I use the SpiderOak encrypted cloud service. If an encrypted cloud service were somehow forced to hand over their servers, your data would still be safe, because it’s encrypted using a key stored only on your computer. However, this also means that if you lose your password, they can’t help you. The encrypted data would be unrecoverable.

Encrypt the data you transmit. The Snowden revelations have revealed that U.S. and British spy agencies are grabbing as much unencrypted data as they can find as it passes over the Internet. Encrypting your data in transit can protect it against spy agencies, as well as commercial data gatherers.

  • Install HTTPS Everywhere on your Web browser. This encrypts your Web browsing sessions, protecting you from hackers and spy agencies that scoop up unencrypted traffic across the Internet. Not every site works properly with HTTPS Everywhere, though an increasing number do.
  • Use encrypted texting apps with friends who install the same apps on their phones. On the iPhone, Silent Circle and Wickr offer apps for encrypted texting. On Android, the TextSecure app encrypts texts in transit and when they are stored on your device.
  • Use the Off-the-Record Messaging protocol to encrypt your instant messaging conversations. You can still use your favorite instant-messaging service, such as Gchat or AIM, though you’ll need to use a software client that supports the Off-the-Record protocol. On Macs, free software called Adium can enable OTR chats, and on Windows, you can use Pidgin. Once you’ve set up OTR and gone through a simple verification step, you can IM as you usually do. Both parties have to use OTR for the encryption to work.
  • Use GNU Privacy Guard to encrypt your email conversations. Like OTR, if you’re using GPG you’ll need the people you email with to use it as well in order to encrypt your conversations. I use free software called GPG Tools with Enigmail and Postbox. GPG Tools also works directly with Apple’s built-in Mail program. GPG has some shortcomings – it’s difficult-to-impossible to use it with the mail program built into most smartphones, and you can’t use it easily with webmail like Gmail. (Although there are some new web-based mail programs that use GPG called Mailvelope and StartMail that I haven’t had a chance to try yet.)

    The most difficult part of GPG is that, unlike the encrypted texting and instant messaging programs, you have to generate a secret key and keep it somewhere secure (usually on your computer or on a USB stick). This often means you can only send GPG mail when you have your key with you. Even so, it is incredibly satisfying once you send your first message and watch it transform into a block of numbers and letters when you click “encrypt.”
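As an added illustration (not part of the original article), the shell sketch below walks through the GPG workflow described above with the gpg command-line tool, assuming GnuPG 2.1 or later: generate a key pair, encrypt a message into an armored block of letters and numbers, decrypt it, and show that a second keyring holding only the public key cannot read it. The name, address, message and throwaway keyrings are constructed for the example.

```shell
#!/bin/sh
# Added example: GPG key generation, encryption and decryption in throwaway keyrings.
# Assumes GnuPG 2.1+. The identity and message below are constructed sample values.

gpg_roundtrip() {
    work=$(mktemp -d) || return 1
    # Two separate keyrings: "owner" holds the secret key, "other" only the public key.
    mkdir -m 700 "$work/owner" "$work/other" || return 1
    rc=0
    (
        GNUPGHOME="$work/owner"; export GNUPGHOME

        # 1. Generate the key pair. The empty passphrase only keeps this demo
        #    non-interactive; a real secret key should have a strong passphrase.
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key 'Alice Example <alice@example.invalid>' \
            2>/dev/null || exit 1

        # 2. Encrypt to the public key. --armor produces the text block you see
        #    in a mail client after clicking "encrypt".
        printf 'meet at noon\n' |
            gpg --batch --quiet --armor --encrypt \
                --recipient alice@example.invalid > "$work/msg.asc" || exit 1
        head -n 1 "$work/msg.asc"

        # 3. Decrypt. This works only because the secret key is in this keyring.
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --decrypt "$work/msg.asc" 2>/dev/null || exit 1

        # 4. Hand the public key to a second keyring, as a correspondent would have it.
        gpg --batch --armor --export alice@example.invalid > "$work/pub.asc" || exit 1
        GNUPGHOME="$work/other"; export GNUPGHOME
        gpg --batch --quiet --import "$work/pub.asc" 2>/dev/null || exit 1

        # 5. Without the secret key the same message stays unreadable.
        if gpg --batch --quiet --decrypt "$work/msg.asc" >/dev/null 2>&1; then
            echo 'decrypted without secret key'
        else
            echo 'no secret key: cannot decrypt'
        fi
    ) || rc=$?

    # Stop the background agents started for the temporary keyrings, then clean up.
    for h in owner other; do
        GNUPGHOME="$work/$h" gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    done
    rm -rf "$work"
    return "$rc"
}

gpg_roundtrip || echo 'this example needs GnuPG 2.1 or later' >&2
```

The last line of output is the practical consequence of the key-management burden: whoever holds only your public key can write to you, but reading the message requires the secret key file itself.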

 

ProPublica: Liberal Outside Money Groups Spend Big In North Carolina

This piece, written by Theodoric Meyer and Kim Barker, was originally published by ProPublica on April 29.

Most people have come to associate outside money — the hundreds of millions of dollars from politically active nonprofits and super PACs pouring into American elections — with conservatives.

And why not? Since the Supreme Court’s 2010 Citizens United decision, conservative groups have far outspent their liberal counterparts. In the 2012 Federal election cycle alone, conservatives shelled out almost two and a half times the amount of outside money as liberal groups, including labor unions.

But an early look at spending on television ads in North Carolina, home to a hotly contested Senate race and a number of competitive State races, shows that liberals are asserting themselves as never before. They are spending almost as much as conservatives in the Senate race and pouring funds into State contests that conservatives haven’t yet spent a cent on.

A ProPublica analysis of North Carolina’s top three markets shows liberal groups have booked $2.8 million in ads as of Monday praising Senator Kay Hagan, a freshman Democrat facing a tough re-election fight, or criticizing her likely opponent. That’s about the same amount as conservatives have reserved in ads attacking Hagan. A coalition of liberal nonprofits has also poured more than $1.1 million into ads criticizing four Republican State Senators.

The surge in advertising by liberal outside groups is obvious when you turn on a TV in the State, said Gary Pearce, a longtime Democratic consultant in Raleigh, N.C.

“It has struck me, I’d say, in the last month,” he said. “It’s just been a dramatic shift.”

About 42 percent of the outside ads in the North Carolina markets – $3.1 million worth – were booked by so-called dark money groups, nonprofits that do not disclose their donors. The rest were booked by super PACs, which do name their contributors, and a liberal charity, which discloses its donors in its annual reports.

In the past, analysts have speculated that liberals’ relative lack of outside spending reflected their discomfort with dark money groups and super PACs, both of which can raise unlimited amounts of money. Even the most prominent liberal dark money groups, such as Patriot Majority USA, spent a small portion of what conservative ones like Crossroads GPS and Americans for Prosperity did in 2012.

The leading liberal super PAC in the 2012 cycle, Priorities USA Action, spent $65 million on election activity. In contrast, Restore Our Future, the leading conservative super PAC, spent more than $142 million.

But there’s been a growing push on the left to play by the same rules as conservatives. Randy Voller, the chairman of the North Carolina Democratic Party, said that while he thought the Citizens United ruling was “a colossal mistake,” he didn’t think that liberal outside groups had an alternative to playing by the same rules as conservative ones.

“At this point, these are the rules we have,” he said.

So far, in the 2014 cycle, groups focused on the environment have led the way for liberal dark money groups.

Liberal billionaire Tom Steyer has formed NextGen Climate, which plans to support legislators who push for action on climate change and attack those who don’t. The organization includes a dark money nonprofit, and has said one of its aims is to counter libertarian billionaire brothers Charles and David Koch, who help fund a network of dark money groups. (Steyer’s wife, Kat Taylor, is a member of ProPublica’s board of directors, and the couple have been significant contributors to ProPublica.) This month, two other environmental nonprofits announced they were starting a collaboration called LeadingGreen to steer donations to federal candidates and help major donors lobby elected officials.

For this story, we analyzed ads booked this year in Charlotte, Raleigh and Greensboro. Most of these ads don’t tell people directly to vote for or against a candidate, so they don’t have to be reported to the Federal Election Commission unless they run right before an election. But since 2012, the Federal Communications Commission has required TV stations in the country’s 50 largest markets to post the ad contracts online. Our analysis only includes ads that were booked since the beginning of the year – although conservatives spent heavily in North Carolina last fall – and there’s no guarantee that stations have uploaded every contract.

A conservative super PAC, American Crossroads, part of GOP consultant Karl Rove’s outside money empire, has booked the most money in ads for those markets so far in 2014: $1.46 million. But a liberal super PAC run by former aides to Senate Majority Leader Harry Reid, Senate Majority PAC, is only a touch behind. It has booked $1.45 million in ads praising Hagan so far this year.

On the dark money side, three conservative groups, led by Americans for Prosperity, the Koch brothers’ flagship dark money group, have spent almost $1.4 million on ads criticizing Hagan. One ad portrays her as being best pals with President Obama. “Tell Senator Hagan to stop thinking about politics and start thinking about people,” says another.

But two liberal nonprofits have more than countered in recent months, booking more than $1.3 million for ads of their own. One of them, Patriot Majority USA, has spent more than $500,000 on ads attacking a likely Hagan opponent. The other nonprofit, a charity called the Southern Alliance for Clean Energy, has bought several spots praising Hagan.

“Who’s behind the attacks on Kay Hagan? Oil industry billionaires, that’s who,” says one ad, making a veiled attack at the Koch brothers. “They want to undermine the air safety standards that protect us, and Senator Kay Hagan is working to stop them.”

The group’s annual reports disclose its donors, but the 2014 report may not be available for a few years. Its most recent annual report is from 2011.

The liberal Southern Alliance has only run ads in North Carolina but the buy is part of a national effort by environmental organizations, said David Di Martino, a consultant for the groups. Other nonprofits have bought ads supporting Senator Susan Collins, the moderate Maine Republican, and Democrats running for Senate seats in Iowa and Michigan. The groups are coordinating “to ensure that we’re getting the most bang out of the buck,” Di Martino said.

The North Carolina Environmental Partnership, a coalition of nine environmental groups formed last month, has reserved more than $1.1 million of ads attacking four Republican State Senators – three of whom are facing close races this fall – for their support for fracking. The coalition’s two largest members, the Natural Resources Defense Council and the Southern Environmental Law Center, footed the bill for the ads. They do not disclose their donors.

While conservative dark-money groups, such as Real Jobs NC, have shoveled money into attack ads targeting North Carolina State Senators in recent years, liberal groups haven’t done so until now.

“I’ve never seen the liberal side of the equation do anything like this,” said Brad Crone, a Democratic political and public relations consultant in Raleigh, N.C.

Bob Keefe, spokesman for the Natural Resources Defense Council, wouldn’t confirm how much the coalition has spent.

“We basically all agreed to not disclose how much we’re spending,” he said. “But it’s a lot.”

Although conservative groups have not booked ads in State legislature races so far, two groups – the North Carolina Chamber of Commerce and a super PAC called Justice for All NC – have also reserved ads mentioning candidates in the state Supreme Court races, almost $650,000 worth so far.

 

ProPublica: Medicaid Programs Drowning In Backlog

This article, written by Charles Ornstein, was originally published by ProPublica on April 9.

Last week, Federal health officials celebrated two milestones related to the Affordable Care Act. The first, which got considerable attention, was that more than 7 million people selected private health plans in State and Federal health insurance exchanges. The second, which got less attention, was that some 3 million additional enrollees had signed up for Medicaid and the Children’s Health Insurance Program (public health insurance programs for the poor), many as a result of Medicaid’s expansion.

But there are growing signs that Obamacare’s Medicaid expansion is a victim of its own success, unable to keep up with demand. While about half the States have refused to expand their Medicaid programs’ eligibility, among those that have, some can’t process applications fast enough.

Media reports from New Jersey, Illinois and California (States that have expanded their Medicaid programs) show that hundreds of thousands of consumers who may qualify for new Medicaid coverage aren’t getting it.

So what’s happening?

In Illinois, the Chicago Tribune reported last month that there’s a backlog of more than 200,000 applications waiting to be processed.

Illinois officials initially expected 200,000 people to sign up for Medicaid under the expansion in 2014. But through last week, more than double that number have applied. And amid a marketing blitz, officials expect a surge of additional applications by the end of the year.

Unlike new commercial insurance products, which consumers can purchase through March 31, there’s no deadline to sign up for Medicaid. By the end of the year, state officials expect about 350,000 new users to be enrolled in the program.

The growing backlog is causing concern among health care providers worried about getting paid, and confusion, frustration and anger among consumers, whose coverage was supposed to begin in January.

Much the same thing is happening in New Jersey, the Star-Ledger reported last week.

By all accounts, enrollment in the expanded Medicaid program has gone well in New Jersey. The numbers are robust as the program’s expansion under the Affordable Care Act allows single residents and childless couples to get coverage provided their income is low enough. But getting an actual ID card that allows someone to see a doctor? The flood of applicants appears to have resulted in a systemwide backlog, according to applicants and field workers.

“I’ve heard getting an actual Medicaid card is nearly impossible. It’s like getting Willy Wonka’s Golden Ticket,” said Rena Jordan, director of external affairs for Planned Parenthood of Metropolitan Jersey, which has been helping patients enroll.

“A lot of strange things have been happening, that’s the easiest way to say it,” said Virginia Nelson, administrative supervisor of the Medicaid Department for Middlesex County.

The flood of phone calls to her office about older cases has taken time away from processing the newest cases, Nelson said.

Federal officials conceded some of the blame for the delay can be put squarely at the feet of the Federal website, Healthcare.gov. That website transferred data about applicants whose income looked like they might qualify for Medicaid to the State system, but in a format the State system couldn’t use.

And in California, the backlog now numbers 800,000 for Medi-Cal, the State’s Medicaid program, the Los Angeles Times reported this week.

One patient wrote The Times to say she has a worrisome growth behind an ovary. She submitted an application in October. County health clinics informed her she won’t be able to keep her appointments for blood tests and ultrasound scans until her Medi-Cal coverage is confirmed, she said. Or she can pay full price for the services.

As of Thursday, she was still waiting.

“A lot of good, smart people with good intentions in the state and county are working really hard to fix these problems,” said Katie Murphy, managing attorney at Neighborhood Legal Services of Los Angeles County, which has a grant from the state to provide legal assistance to patients with Obamacare enrollment cases. “But until they do, people will fall through the cracks.”

A state spokesman told the paper that “the volume of Medi-Cal applications, combined with challenges of new computer systems, hampered the State’s ability to complete eligibility reviews in a timely and accurate manner.”

Matt Salo, executive director of the National Association of Medicaid Directors, said many of the problems relate to the way HealthCare.gov transfers information to States about consumers who appear to qualify for Medicaid based on their incomes. But there are State-specific issues, as well.

“It’s been the number one issue of concern for our members for the past nine months or so,” he said in an email. “The problems are getting fixed, but what worries people is that we’re only a few months away from NEXT year’s open enrollment, so we have to hurry.”

Ornstein is a senior reporter for ProPublica covering health care and the pharmaceutical industry.

ProPublica Examines What The Proposed NSA Reforms Wouldn’t Do

This article, written by Kara Brandeisky, was originally published by ProPublica on April 3.

Ten months after Edward Snowden’s first disclosures, three main legislative proposals have emerged for surveillance reform: one from President Obama, one from the House Intelligence Committee, and one proposal favored by civil libertarians.

All the plans purport to end the bulk phone records collection program, but there are big differences – and a lot they don’t do. Here’s a rundown.

President Obama’s proposal

What it would do: As described, the President’s proposal would prohibit the collection of bulk phone records. Instead, the government would seek individualized court orders every time it wants American phone metadata. The government would get the data from telecoms, which already keep it for at least 18 months.

The proposal would solidify some changes Obama has already made: For instance, since January, analysts have needed to get court approval before searching the phone records database. Also, NSA analysts have only been able to obtain records from people who are two “hops” away from a surveillance target – a target’s friends’ friends – rather than three “hops” away. Obama’s proposal would make both of those policies law.

What it wouldn’t do: It’s hard to know. The White House hasn’t released the actual text of the legislation, and lawmakers have yet to introduce it in Congress. But privacy advocates do have a lot of questions.

One thing the President hasn’t proposed: ending the bulk phone records program now. He could do that without any vote if he simply stopped asking the Foreign Intelligence Surveillance Court to reauthorize the program, as Senator Patrick Leahy (D-Vt.) has suggested.

The secret surveillance court’s last 90-day order for Verizon phone records has expired. President Obama reportedly wants the court to renew the program at least one more time, to give Congress a chance to pass new legislation. Until Congress acts, the NSA will continue collecting American phone records in bulk.

Of course, if President Obama were to act unilaterally, another President could later reverse his changes. If Congress passes his proposal, his reforms will have the force of law.

The President’s proposal also appears to address only one of the NSA’s many surveillance programs. It doesn’t seem to change the FISA Amendments Act, which allows the NSA to sweep up foreigners’ communications without a warrant. In the process, the NSA “incidentally” collects Americans’ communications.

In January, Obama said he would ask the Justice Department to limit the government’s authority to use any American communications collected while targeting foreigners. The Administration has not offered any details yet. However, even the Senate’s biggest NSA critics say the FISA Amendments Act has been an effective counter-terrorism tool, so Congress is unlikely to repeal it.

FISA Transparency and Modernization Act

What it would do: very little to limit surveillance. Introduced by House Intelligence Committee chairman Representative Mike Rogers (R-Mich.) and ranking member C.A. Dutch Ruppersberger (D-MD), this bill represents the wishes of the NSA’s biggest defenders in Congress.

The bill nominally bans the government’s bulk collection of phone records. Like Obama’s plan, telecoms would keep the records, but in this proposal, the government could request the records without a court order.

The bill also says it would prohibit the government from indiscriminate collection of other kinds of data, including “library circulation records,” “firearm sales records,” and “tax return records.” But the government could still use search terms to get the records it wants.

What else it would do: roll back current protections in the law. The legislation would no longer require that the government get a court order before obtaining American records. Instead, the secret surveillance court would review the privacy procedures before the Justice Department collects any records, and the court could also tell the government to stop collecting records after the fact.

Also, under current law, the government needs to show that records are related to foreign terrorism or clandestine intelligence activities. Rogers’ bill would change that standard, requiring the government to show that records are for an individual who is associated with a “foreign power” – a broad term that includes terrorist groups, foreign governments and foreign political groups.

If the bill passes, a lot would depend on how the secret surveillance court interprets it. For instance, what kinds of “selection terms” could the government use to search for records? The broader the search terms, the more likely it is that innocent people will get caught in the dragnet.

Finally, Rogers’ bill would not amend the FISA Amendments Act. “I don’t believe that foreign collection on foreign soil is something that we need to change,” Rogers said.

This bill has House Speaker John Boehner’s support.

USA Freedom Act

What it would do: A lot. First, the bill’s authors, Democratic Senator Leahy and Patriot Act author Representative James Sensenbrenner (R-Wis.) say the legislation would end all bulk collection of American records. To do so, they’d narrow the language in the Patriot Act to require that the government only collects records that are “relevant and material” to an authorized investigation. To qualify, an investigation must be related to foreign terrorism or clandestine activities, and the records must directly “pertain” to a foreign power.

The proposal would also close a so-called backdoor loophole that allows the NSA to search its databases for the content of Americans’ communications. Under the new bill, analysts would need an individualized warrant to access any domestic content collected “incidentally.”

In addition, the lawmakers would also tighten oversight of national security letters, a kind of administrative subpoena that lets the FBI obtain records related to “national security” without a court order. The idea is to make sure that the government can’t use the national security letters law to justify bulk collection of American records in the future.

What it wouldn’t do: The bill covers a lot of bases and has won the support of the ACLU, the Electronic Frontier Foundation, 142 representatives and 21 Senators.

However, some worry that the bill does not unequivocally ban bulk collection of American records. Again, a lot depends on how the Foreign Intelligence Surveillance Court interprets the statute. While this bill’s language is narrower than current law, we now know the secret surveillance court has interpreted the Patriot Act very broadly. The EFF has suggested that the bill’s sponsors make their intent more explicit.

This bill has by far the most co-sponsors, but its prospects are uncertain – it was introduced in October, and it still hasn’t reached the floor.

As Full Disclosure Nears, Doctors’ Pay For Drug Talks Plummets

This article, written by Charles Ornstein, Eric Sagara and Ryann Grochowski Jones, was originally published by ProPublica on March 3.

Some of the Nation’s largest pharmaceutical companies have slashed payments to health professionals for promotional speeches amid heightened public scrutiny of such spending, a new ProPublica analysis shows.

Eli Lilly and Co.’s payments to speakers dropped by 55 percent, from $47.9 million in 2011 to $21.6 million in 2012.

Pfizer’s speaking payments fell 62 percent over the same period, from nearly $22 million to $8.3 million.

And Novartis, the largest U.S. drug maker as measured by 2012 sales, spent 40 percent less on speakers that year than it did between October 2010 and September 2011, reducing payments from $24.8 million to $14.8 million.

The sharp declines coincide with increased attention from regulators, academic institutions and the public to pharmaceutical company marketing practices. A number of companies have settled Federal whistle-blower lawsuits in recent years that accused them of improperly marketing their drugs.

In addition, the Physician Payment Sunshine Act, a part of the 2010 health reform law, will soon require all pharmaceutical and medical device companies to publicly report payments to physicians. The first disclosures required under the act are expected in September and will cover the period of August to December 2013.

Within the industry, some companies are reevaluating the role of physician speakers in their marketing repertoire. GlaxoSmithKline announced in December that it would stop paying doctors to speak on behalf of its drugs. Its speaking tab plummeted from $24 million in 2011 to $9.3 million in 2012.

Not all companies have cut speaker payments: Johnson and Johnson increased such spending by 17 percent from 2011 to 2012; AstraZeneca’s payments stayed about flat in 2012 after a steep decline the previous year.

ProPublica has been tracking publicly reported payments by drug companies since 2010 as part of its Dollars for Docs project. Users can search for their doctors to see if they have received compensation from the 15 companies that make such information available online. (We’ve just updated our application to include payments made through the end of 2012, totaling $2.5 billion. Forest Labs, which only began reporting in 2012, reported speaking payments of $40 million, more than any other company in Dollars for Docs.)

Some companies in the database said their declines have less to do with the Sunshine Act and more to do with the loss of patent protection for key products. Lilly, for example, began facing generic competition to its blockbuster antipsychotic Zyprexa in late 2011. Its antidepressant Cymbalta lost its patent at the end of 2013.

“The value of educational programs tends to be higher when we’re launching a new medicine or we have new clinical data/new indication,” Lilly spokesman J. Scott MacGregor said in an email, adding that the drop in speaking payments also reflects the increased use of web conferencing.

Pfizer’s patent on Lipitor, its top-selling cholesterol drug, expired in 2011.

“Like any other company, our business practices must adapt to the changing nature of our product portfolio, based in part on products going off patent and new products being introduced into the market,” company spokesman Dean Mastrojohn said in an email.

Novartis’ patent for its breast cancer drug Femara expired in 2011, its hypertension drug Diovan in 2012 and its cancer drug Zometa in 2013. In a statement, Novartis said that speaking payments dropped in 2012, in part, because of a shift from big blockbuster drugs that many doctors prescribe toward specialty products prescribed by fewer physicians. Resources were also shifted “to support potential future product launches.”

The industry’s increased emphasis on expensive specialty medications for such conditions as multiple sclerosis or Hepatitis C, has been striking, said Aaron Kesselheim, an assistant professor of medicine at Harvard Medical School. A piece in the New England Journal of Medicine last week noted that half of the 139 drugs approved by the Food and Drug Administration since 2009 were for rare diseases and cancers.

“It’s possible the number of physicians they need to support sales of these items is less, leading to lower payments overall,” Kesselheim said.

In some cases, companies maintained or made smaller cuts to other forms of physician compensation while pulling back dramatically on speaking payments. Pfizer’s spending on consultants dropped 9 percent from 2011 to 2012, far less than its payments to speakers. The company’s spending on research stayed essentially the same.

Lilly increased spending on physician researchers by more than 20 percent, while reducing payments to consultants by more than two-thirds.

Many bioethicists and leaders of major academic medical centers frown upon physicians delivering promotional talks for drug companies, saying they turn doctors into sales representatives rather than leaders in research and patient care.

Officials with the Pharmaceutical Research and Manufacturers of America, the industry trade group, dispute this characterization. They said they are working with their member companies to prepare for the Sunshine Act and have created a campaign to promote the value of drug company-doctor collaborations.

“Companies will make their own independent decisions about how to engage professionals,” said Kendra Martello, PhRMA’s deputy vice president of strategic operations.

Scott Liebman, an attorney who advises pharmaceutical companies on the Sunshine Act, said it’s too early to know how much the law’s requirements are affecting company practices, in part because it’s so new. The fact that some companies are cutting back on speaking while preserving their spending on research and consulting suggests that other business forces could be at play, he added.

“It’s very hard to pinpoint exactly why that’s happening,” Liebman said. “I think there’s a lot of potential answers to that. I just don’t know which is the right one.”

ProPublica: You Know Who Else Collected Metadata? The Stasi.

This article, written by Julia Angwin, was originally published by ProPublica on Feb. 11.

The East German secret police, known as the Stasi, were an infamously intrusive secret police force. They amassed dossiers on about one quarter of the population of the country during the Communist regime.

But their spycraft, while incredibly invasive, was also technologically primitive by today’s standards. While researching my book Dragnet Nation, I obtained the above hand-drawn social network graph and other files from the Stasi Archive in Berlin, where German citizens can see files kept about them and media can access some files, with the names of the people who were monitored removed.

The graphic appears to show 46 connections, linking a target to various people: an “aunt,” “Operational Case Jentzsch” (presumably Bernd Jentzsch, an East German poet who defected to the West in 1976), places (“church”), and meetings (“by post, by phone, meeting in Hungary”).

Gary Bruce, an associate professor of history at the University of Waterloo and the author of The Firm: The Inside Story of the Stasi, helped me decode the graphic and other files. I was surprised at how crude the surveillance was. “Their main surveillance technology was mail, telephone and informants,” Bruce said.

Another file revealed a low-level surveillance operation called an im-forgang aimed at recruiting an unnamed target to become an informant. (The names of the targets were redacted; the names of the Stasi agents and informants were not.) In this case, the Stasi watched a rather boring high school student who lived with his mother and sister in a run-of-the-mill apartment. The Stasi obtained a report on him from the principal of his school and from a club where he was a member. But they didn’t have much on him. I’ve seen Facebook profiles with far more information.

A third file documented a surveillance operation known as an OPK, for Operative Personenkontrolle, of a man who was writing oppositional poetry. The Stasi deployed three informants against him but did not steam open his mail or listen to his phone calls. The regime collapsed before the Stasi could do anything further.

I also obtained a file that contained an “observation report,” in which Stasi agents recorded the movements of a 40-year-old man for two days, Sept. 28 and 29, 1979. They watched him as he dropped off his laundry, loaded up his car with rolls of wallpaper and drove a child in a car “obeying the speed limit,” stopping for gas and delivering the wallpaper to an apartment building. The Stasi continued to follow the car as a woman drove the child back to Berlin.

The Stasi agent appears to have started following the target at 4:15 p.m. on a Friday. At 9:38 p.m., the target went into his apartment and turned out the lights. The agent stayed all night and handed over surveillance to another agent at 7 a.m. Saturday. That agent appears to have followed the target until 10 p.m. From today’s perspective, this seems like a lot of work for very little information.

And yet, the Stasi files are an important reminder of what a repressive regime can do with so little information. Here are the files:

Stasi File 1 Original

Stasi File 1 Translation

Stasi File 2 Original

Stasi File 2 Translation

Stasi Observation Report

Stasi Social Network Analysis

Translations by Yvonne Zivkovic and David Burnett

Epic Fail: Where Four State Health Exchanges Went Wrong

This article, written by Charles Ornstein, was originally published by ProPublica on Feb. 6.

Much has been written (and will continue to be written) about the spectacular failure of health insurance exchanges in Minnesota, Massachusetts, Oregon and Maryland — all blue States that support the Affordable Care Act.

All were woefully unprepared for their Oct. 1 launch, and unlike HealthCare.gov, the Federal marketplace, they are still having trouble getting back on their feet. As a result, enrollment in those four States has lagged behind other States, including many that actively oppose the health law.

The New York Times recently reported on how problems in these States could give Republican candidates an opening. “Last month, the Republican National Committee filed public-records requests in Hawaii, Maryland, Massachusetts, Minnesota and Oregon seeking information about compensation and vacation time for the exchange directors, four of whom have resigned. All five States have Democratic governors whose terms end this year. Three of them — Governor Neil Abercrombie of Hawaii, Governor Mark Dayton of Minnesota and Governor John Kitzhaber of Oregon — are seeking re-election,” The Times reported.

One common element emerging in the coverage of these exchanges is that at least some State employees knew they were heading for disaster but didn’t take action early enough to remedy it. All the States have blamed some, if not all, of their problems on outside tech contractors. Here’s a sampling of what has been reported in each State.

Oregon

The Oregonian newspaper has done a great job chronicling the unfolding disaster with Cover Oregon. The State is the only one in which no one has been able to enroll using the website. In an article last month, the newspaper reported that a technology analyst at Oregon’s Department of Administrative Services warned last May that managers at the exchange were being “intellectually dishonest” in claiming it would be ready Oct. 1.

As The Oregonian set forth in its findings:

  • The project’s significant flaws were well documented dating back to November 2011. Multiple independent analysts repeatedly raised questions about poor management along with strong doubts that it could be operational by the Oct. 1, 2013 deadline.
  • Cover Oregon leaders wavered between despair and an almost evangelical enthusiasm that they could complete the site. In the end they charged ahead, piloting an unfinished, largely untested exchange project right up to the Oct. 1 go-live date with no backup plan ready to go.
  • Senior officials in Governor John Kitzhaber’s office and elsewhere read at least some of these warnings but took no significant steps to intervene, apparently after being convinced by others the project was on track.
  • A key official in the massive IT project took steps to silence the critics. The Oregon Health Authority last January withheld payment from the company hired to monitor the project, claiming its persistent criticism was inaccurate and inflammatory.

The director of Cover Oregon left on medical leave in December. The Oregonian also has a good piece comparing Oregon’s failures with the successes of Kentucky, whose exchange has been lauded.

Minnesota

Blame is being spread around in Minnesota, where the MNsure exchange is sputtering and its call center is unable to keep up with demand. As news site MinnPost reported last month: “The vendors are blaming the State. Governor Mark Dayton and State officials are blaming the private companies who built the faulty technology, and MNsure leaders are quick to point out that they weren’t around when controversial decisions were made. Republican lawmakers, meanwhile, are saying that the governor needs to take responsibility for the project.”

MinnPost reported that despite their efforts to blame vendors, State officials were responsible for key decisions:

Newly released contract documents suggest the state and MNsure leaders had a more direct role in the health exchange’s many missteps than they have publicly acknowledged.

In recent weeks, Governor Mark Dayton and MNsure officials have increased their criticism of vendors, blaming the private technology companies for some of the underlying problems and glitches with the health exchange’s operation.

However, in early May, the state of Minnesota in effect took over responsibility from its lead contractor, Maximus Inc., for constructing MNsure’s technical infrastructure, according to contract amendments released to MinnPost by MNsure.

The new documents show that the exchange staff quietly made a significant change to its key contract for building MNsure — just months after making major revisions to the timeframe and size of the project.

Dayton later said he was unsure if senior MNsure staff were keeping him apprised of the serious issues with the exchange as soon as they came up.

The Star Tribune has reported on lengthy delays at the exchange’s call center and how officials in charge of the project received bonuses before its disastrous launch.

As in Oregon, the head of Minnesota’s exchange also resigned.

Massachusetts

In many ways, Massachusetts should have been a leader in setting up its own exchange. After all, its 2006 health reform law signed by then-Governor Mitt Romney has been cited as the model for Obamacare. But the State’s exchange, the Massachusetts Health Connector, has fumbled.

The Boston Herald reported last month that, “State officials overseeing the Health Connector website knew as early as February 2013 — some nine months before launch — that parts of the $69 million Obamacare gateway would probably be delayed, public records obtained by the Herald last night revealed.”

The Boston Globe followed up with another report:

Massachusetts officials knew in July, three months before the launch of the state’s ill-fated health insurance website, that the technology company in charge was far behind on building the site and that there was “a substantial and likely risk” it would not be ready, according to a state official’s memo.

The website launched on Oct. 1 was incomplete and riddled with errors that frustrated consumers, blocked some from getting coverage, and required the state to move tens of thousands of people whose applications could not be processed into temporary insurance programs.

The head of the Massachusetts Health Connector Authority, which runs the insurance marketplace, was copied on the July memo. But the executive director, Jean Yang, and her staff never told the Connector board during its monthly public meetings that the project was off track, according to meeting minutes.

The Globe reported in a separate story how an untold number of people who “applied for Connector plans without financial assistance have not gotten coverage, because their payments were lost or somehow never linked to their accounts.”

John J. Monahan, a columnist for the Worcester Telegram & Gazette, put it like this last weekend:

Massachusetts’ universal health care program was the model for Obamacare. And now, it seems, the Obamacare website fiasco has been modeled by Massachusetts.

The state contracted with the same software company that messed up the launch of the Obamacare website to redesign its Health Connector website for people to buy insurance. It was scheduled to be working Oct. 1 to renew insurance for Jan. 1. It still isn’t working.

Maryland

The Maryland Health Connection, like the exchanges in other States, knew well in advance that it wasn’t ready to launch, but the problems weren’t fixed in time.

The Washington Post reported last month how “senior State officials failed to heed warnings that no one was ultimately accountable for the $170 million project and that the State lacked a plausible plan for how it would be ready by Oct. 1.”

Over the following months, as political leaders continued to proclaim that the state’s exchange would be a national model, the system went through three different project managers, the feuding between contractors hired to build the online exchange devolved into lawsuits, and key people quit, including a top information technology official because, as he would later say, the project “was a disaster waiting to happen.”

The repeated warnings culminated days before the launch, with one from contractors testing the Web site that said it was “extremely unstable” and another from an outside consultant that urged state officials not to let residents enroll in health plans because there was “no clear picture” of what would happen when the exchange would turn on.

Within moments of its launch at noon Oct. 1, the Web site crashed in a calamitous debut that was supposed to be a crowning moment for Maryland officials who had embraced President Obama’s Affordable Care Act and pledged to build a state-run exchange that would be unparalleled.

Weeks later, the Baltimore Sun’s Meredith Cohn wrote a piece about just how much trouble she personally had trying to enroll:

For a chunk of two recent days, I tried to buy insurance on the Maryland health exchange.

My editors asked me to do this because Gov. Martin O’Malley recently told a national television audience that the “website is now functional for most citizens.”

They wanted to know what “functional” meant, especially after hearing stories from consumers about a glitch-prone website created under the Affordable Care Act for the uninsured and underinsured. Marylanders have described frozen screens, lost information, error messages and even mistaken identity.

My own enrollment took 5 hours and 22 minutes over two days, two calls to the exchange’s call center, seven times entering my personal information, two computers and two web browsers.

Maryland’s exchange director resigned in December. Last week, Maryland Governor Martin O’Malley signed a law that would provide a backup method for hundreds of residents to get coverage effective Jan. 1 if they can show that they tried unsuccessfully to get coverage from the exchange.

Have you tried signing up for health care coverage through the new exchanges? Help us cover the Affordable Care Act by sharing your insurance story.

ProPublica: Consumers With Canceled Insurance Plans Shifted To New Ones Without Their Permission

This post, written by Charles Ornstein, was originally published by ProPublica on Jan. 27, 2014.

When California pharmacist Kevin Kingma received a letter last fall notifying him that his high-deductible health plan was being canceled because of the Affordable Care Act, he logged into his state’s health insurance exchange and chose another plan beginning Jan. 1.

Thanks to a subsidy, Kingma’s monthly premium went down, from about $300 to $175, and his benefits improved.

But this month, Kingma logged into his bank’s website and saw that his old insurer, Anthem Blue Cross, had deducted $587.40 from his account and had enrolled him in another of its insurance products for this year — he says without permission.

Hundreds of other consumers are caught in the same predicament, insurers acknowledge. And the California Department of Insurance said it is exploring whether any laws were broken when insurance companies withdrew money from consumers’ accounts for plans they didn’t select.

Here’s what happened to Kingma and others: When they received letters last fall, they were informed that their plans had been canceled. But within the letter, it also said that if they did nothing, they would be switched over to a different plan and if they had set up their payment to autodraft from their account, it would continue to do so.

Kingma said he didn’t read the whole letter, just enough of it to know his old plan was being canceled.

Once he noticed the withdrawals from his account this month, Kingma said he tried calling Anthem’s customer service hotline but couldn’t reach anyone because of “high call volume.” Dozens of consumers have reported long phone waits trying to reach Anthem.

Kingma then repeatedly faxed and contacted the insurer through its website. An Anthem representative first told him that he may only receive reimbursement for about half of January, until the date he actually canceled the new policy. Since then, it appears the insurer canceled his policy at the end of 2013. But as of Friday afternoon, it hadn’t refunded Kingma’s money, he said.

“I and a number of other former Anthem policy holders are stuck in Anthem’s Kafkaesque nightmare as part of healthcare reform,” Kingma, 57, wrote to me in an email.

Darrel Ng, a spokesman for Anthem Blue Cross, said in an email that insurers across California had moved members from canceled plans to new ones that comply with the law “and that transition retained their payment preference.

“In cases where members neglected to inform insurers that they had selected a new plan or informed insurers too late that they had selected a new plan, members are receiving a full refund for any amount paid.”

Kaiser Permanente spokesman Chris Stenrud confirmed that his insurer has also found cases similar to Kingma’s.

“Unfortunately, about 500 of our existing members in California who had automatic payment set up for their current plans were inadvertently charged before our systems recognized their enrollment in new plans through Covered California,” the state’s exchange, he wrote in an email. “We have identified the affected members and are in the process of contacting them to make them aware of the mistake, and of course, our commitment to refund the extra charge.

“We take this seriously, and want to assure our members that we will make them whole,” he wrote.

These actions may not fully satisfy the California Department of Insurance. Janice Rocco, deputy commissioner for health policy and reform, wrote in an email that insurers have cooperated with her agency and refunded premiums when questions arose, so “we hadn’t been focused on what the potential legal violations might be.”

She said insurers may have violated the law in two ways by deducting funds from customers’ bank accounts electronically. “Moving a policyholder from one product to another would be considered a ‘material change’ that would trigger a requirement in law to provide information about how to cancel the electronic funds transfer agreement. We did not see any notice of how to cancel an electronic transfer of funds in the policy cancellation notices, so there may be some violations of law in this regard.”

Beyond that, Rocco said, some of the new products used by two health insurers were technically “sold by one of the insurer’s affiliated companies with which that policyholder had no prior electronic funds transfer agreement, so that might be another area of potential legal violations,” she wrote.

It isn’t known whether similar complaints have been lodged outside of California. But insurers in a number of states sent consumers letters saying they would be moved to new plans unless they said otherwise. (This letter was posted online by Politifact.) The Associated Press reported last month that at least 4.7 million people were told their old health plans were going away because they didn’t meet the coverage standards of the Affordable Care Act.

In the meantime, consumers have taken to Twitter to voice their frustration. Here’s a sampling of their tweets (ProPublica has not verified their claims):

@AnthemPR_CA I’ve been on the phone for 2.5 hours to cancel part of a plan I never purchased. Can you please help cancel it?

— gregmachlin (@gregmachlin) January 24, 2014

@AnthemPR_CA It looks like you had charged me for a cancelled plan, please refund.

— mortanyong (@mortanyong) January 18, 2014

@AnthemPR_CA Been trying to cancel my policy for a month. You stole money from my bank acct. Can’t get anyone to help. What do I have to do?

— Kathi Kruse (@kathikruse) January 20, 2014

Kingma said the whole situation has left him frustrated.

“No business conducts fair business that way,” he said in an interview. “In December, they should be telling customers, this is the plan you will be converted into, this is the cost. I don’t put anything past large corporations.”

 

ProPublica Reports: Guards May Be Responsible For Half Of Prison Sexual Assaults

This article, written by Joaquin Sapien, was originally published by ProPublica on Jan. 23.

A new Justice Department study shows that allegations of sex abuse in the nation’s prisons and jails are increasing — with correctional officers responsible for half of it — but prosecution is still extremely rare.

The report, released today by the Bureau of Justice Statistics, takes data collected by correctional administrators representing all of the nation’s federal and state prisons as well as many county jails. It shows that administrators logged more than 8,000 reports of abuse to their overseers each year between 2009 and 2011, up 11 percent from the department’s previous report, which covered 2007 and 2008.

It’s not clear whether the increase is the result of better reporting or represents an actual rise in the number of incidents.

Allen Beck, the Justice Department statistician who authored the reports, told ProPublica that abuse allegations might be increasing because of growing awareness of the 2003 Prison Rape Elimination Act.

“It’s a matter of speculation, but certainly there’s been a considerable effort to inform staff about the dangers of sexual misconduct, so we could be seeing the impact of that,” said Beck.

The survey also shows a growing proportion of the allegations have been dismissed by prison officials as “unfounded” or “unsubstantiated.” Only about 10 percent are substantiated by an investigation.

But even in the rare cases where there is enough evidence to prove that sexual abuse occurred, and that a correctional officer is responsible for it, the perpetrator rarely faces prosecution. While most prison staff shown to be involved in sexual misconduct lost their jobs, fewer than half were referred for prosecution, and only 1 percent ultimately got convicted.

Roughly one-third of staff caught abusing prisoners are allowed to resign before the investigation comes to a close, the report concludes, meaning there’s no public record of what exactly transpired and nothing preventing them from getting a similar job at another facility.

“These findings point to a level of impunity in our prisons and jails that is simply unacceptable,” said Lovisa Stannow, Executive Director of Just Detention International, a prisoner advocacy group in California. “When corrections agencies don’t punish or choose to ignore sexual abuse committed by staff members — people who are paid by our tax dollars to keep inmates safe — they support criminal behavior.”

The lack of punishment may deter inmates from reporting. When the Justice Department has surveyed inmates directly, as opposed to the administrators that oversee them, the reports of abuse have been far greater. A 2013 survey estimated that more than 80,000 prisoners had been sexually victimized by fellow inmates or staff over a two-year period, roughly five times the rate reported by administrators.

“Inmates don’t report because of the way the institution handles these complaints: they’re afraid if they do report, then the staff will retaliate,” said Kim Shayo Buchanan, a law professor at the University of Southern California who studies the issue. “Even if you report and they believe you, which they probably won’t, the most likely thing to happen is that the person will be suspended or maybe fired.”

Calls for comment to the Federal Bureau of Prisons and the Association of State Correctional Administrators weren’t immediately returned.

ProPublica: Journalists Turn To Themselves For Obamacare Stories

This article, written by Charles Ornstein, was originally published by ProPublica on January 22.

After months of hype and hysteria, insurance policies purchased under the Affordable Care Act went into effect on New Year’s Day, and journalists have largely pivoted from writing about the problems of HealthCare.gov to how the law is actually working for consumers.

Some journalists don’t have to look very far. That’s because they are the story, too.

Back in December, I wrote about Missouri public radio reporter Harum Helmy, who earned too much for her state’s Medicaid program and too little to qualify for a subsidy that would have offset the cost of an insurance policy on Healthcare.gov.

“I know — an uninsured health reporter,” she wrote to me. “The joke’s not lost on me.”

Since then, reporters across the country have been telling their stories—and they seem to square with the broader experiences of the public.

Take Steve Friess, a freelance journalist and former reporter at Politico. In a first-person story for the Daily Caller last week, Friess wrote about how his partner, Miles Smith, had signed up for a plan, only to try to cancel it days after it took effect because it turned out to have unexpected costs.

After the initial elation at finding a reasonably priced plan, Friess wrote, Smith found out it wasn’t so great after all.

Three days into 2014, Miles took his Obamacare out for its maiden drive. His stop at the doctor went fine. At the pharmacy, it crashed.

His medication — which has cost us a co-pay of between $10 and $30 under every other plan he’s had since 2004 including one under Blue Cross Blue Shield of Michigan — would not be covered. At all.

That’s $438 out of pocket. Every month. And it won’t even go against the plan deductible.

In other words, this nifty $246 Obamacare plan would actually cost $686 a month.

Friess said he ate up an entire work week making a series of lengthy phone calls to try to figure out why the medication wasn’t covered. It was an exercise in frustration.

That’s not how it was supposed to be. After dozens of hours of phone calls that displaced my usual work obligations this week, only one thing is clear: Nobody can give anybody a straight or consistent answer to anything.

Our troubles may strike some as trivial and particular, although they wouldn’t if it happened to them. And anyone who wants a successful system – as we do – must understand that these nightmares are happening across the nation to the very people who want Obamacare to work.

Other reporters also felt similar frustration, but their stories had somewhat different endings. Jon Brooks, a former reporter at KQED radio in San Francisco, wrote a piece about the incorrect information he was given, delays, and, ultimately, success.

But if all goes smoothly from here on out, it is quite true that I, personally, am going to be one of the winners in the Obamacare game, receiving guaranteed insurance at a big cost savings. And by big, I mean about 60 percent, or thousands of dollars per year.

Not everyone is experiencing that, of course: Cancellations of individual policies that seemed to put the lie to the president’s now notorious “If you like your insurance, you can keep it,” message have been well-reported, as has the sticker shock when some of those cancelled customers shopped for a replacement policy on an exchange.

For me, though, I’d have to say the entire process was a little like my recent mortgage refinancing: frustrating and riddled with potential pitfalls at every step, but with a big financial benefit as the end result.

Finally, last month, freelance science writer Anna Azvolinsky shared her concerns on Twitter in response to a tweet about enrollment in the New York State of Health exchange:

@DanGoldbergCNY @charlesornstein Still waiting for confirmation of my ‘sign up’. Have not heard from Empire to pay. Getting kinda nervous

— Anna Azvolinsky (@annaazvolinsky) December 30, 2013

@charlesornstein @DanGoldbergCNY 90 min 49 sec on hold..Empire only started sending bills to those who signed up for #aca on Dec. 23rd

— Anna Azvolinsky (@annaazvolinsky) December 30, 2013

I checked in with Azvolinsky this week via email to ask her how it was going. She said she and her husband had been on hold with Blue Cross for a total of 22 hours trying to pay their premiums and ensure they were enrolled. On Jan. 10, they received insurance cards in the mail, but they were for their previous plan and were of no use. She added:

We were finally able to receive our [new plan] ID number on the 10th of Jan. I needed a prescription filled on the 13th so spent more than an hour on hold several times that day to receive the Rx numbers on Monday Jan. 13th, again being volleyed from rep to rep. We would be forwarded to reps in other states that had only information about specific geography customers but not to our information (in NY and other states in this area I assume).

She told me that she still doesn’t have her ID card and has found that none of her doctors take her new plan. She expects to write more about her experience in the future.

Sometimes journalists become better reporters when they not only cover a story but live it, too. I can’t help but wonder if that’s what’s happening here.

ProPublica Examines Four Questionable Claims Obama Has Made on NSA Surveillance

by Kara Brandeisky ProPublica, Jan. 17, 2014, 7 a.m.

Today President Obama plans to announce some reportedly limited reforms to National Security Agency surveillance programs.

Since the first disclosures based on documents provided by former NSA contractor Edward Snowden, Obama has offered his own defenses of the programs. But not all of the president’s claims have stood up to scrutiny. Here are some of the misleading assertions he has made.

1. There have been no abuses.

And I think it’s important to note that in all the reviews of this program [Section 215] that have been done, in fact, there have not been actual instances where it’s been alleged that the NSA in some ways acted inappropriately in the use of this data … There had not been evidence and there continues not to be evidence that the particular program had been abused in how it was used. — Dec. 20, 2013

At press conferences in June, August and December, Obama made assurances that two types of bulk surveillance had not been misused. In fact, the Foreign Intelligence Surveillance Court has reprimanded the NSA for abuses both in warrantless surveillance targeting people abroad, and in bulk domestic phone records collection.

In 2011, the FISA Court found that for three years, the NSA had been collecting tens of thousands of domestic emails and other communications in violation of the Fourth Amendment. The court ordered the NSA to do more to filter out those communications. In a footnote, Judge John D. Bates also chastised the NSA for repeatedly misleading the court about the extent of its surveillance. In 2009 – weeks after Obama took office – the court concluded the procedures designed to protect the privacy of American phone records had been “so frequently and systemically violated that it can fairly be said that this critical element of the overall … regime has never functioned effectively.”

The NSA told the court those violations were unintentional and a result of technological limitations. But the NSA’s own inspector general has also documented some “willful” abuses: About a dozen NSA employees have used government surveillance to spy on their lovers and exes, a practice reportedly called “LOVEINT.”

2. At least 50 terrorist threats have been averted.

We know of at least 50 threats that have been averted because of this information not just in the United States, but, in some cases, threats here in Germany. So lives have been saved. — June 19, 2013

The record is far less clear. Obama’s own review group concluded that the sweeping phone records collection program has not prevented any terrorist attacks. At this point, the only suspect the NSA says it identified using the phone records collection program is a San Diego cab driver later convicted of sending $8,500 to a terrorist group in his homeland of Somalia.

The NSA’s targeting of people abroad appears to have been more effective around counter-terrorism, as even surveillance skeptics in Congress acknowledge. But it’s impossible to assess the role the NSA played in each case because the list of thwarted attacks is classified. And what we do know about the few cases that have become public raises even more questions:

3. The NSA does not do any domestic spying.

We put in some additional safeguards to make sure that there is federal court oversight as well as Congressional oversight that there is no spying on Americans. We don’t have a domestic spying program. What we do have are some mechanisms where we can track a phone number or an e-mail address that we know is connected to some sort of terrorist threat, and that information is useful. — Aug. 7, 2013

In fact, plenty of Americans’ communications get swept up. The government, of course, has the phone records of most Americans. And, as the FISA Court learned in 2011, the NSA was gathering tens of thousands of domestic emails and other communications.

Additionally, the NSA’s minimization procedures, which are supposed to protect American privacy, allow the agency to keep and use purely domestic communications in some circumstances. If the NSA “inadvertently” vacuums up American communications that are encrypted, contain evidence of a crime, or relate to cybersecurity, the NSA can retain those communications.

The privacy standards suggest there is a “backdoor loophole” that allows the NSA to search for American communications. NSA critic Sen. Ron Wyden, D-Ore., has said, “Once Americans’ communications are collected, a gap in the law that I call the ‘back-door searches loophole’ allows the government to potentially go through these communications and conduct warrantless searches for the phone calls or emails of law-abiding Americans.” It’s not clear whether the NSA has actually used this “backdoor.”

And while the NSA acknowledges that it intercepts communications between Americans and surveillance targets abroad, the agency also intercepts some domestic communications that mention information about foreigners who have been targeted. As a result, the NSA has sometimes searched communications from Americans who have not been suspected of wrongdoing – though an NSA official says the agency uses “very precise” searches to avoid those intercepts as much as possible.

4. Snowden failed to take advantage of whistleblower protections.

I signed an executive order well before Mr. Snowden leaked this information that provided whistleblower protection to the intelligence community – for the first time. So there were other avenues available for somebody whose conscience was stirred and thought that they needed to question government actions. — Aug. 9, 2013

Obama’s presidential policy directive forbids agencies from retaliating against intelligence personnel who report waste, fraud and abuse. But the measure mentions only “employees,” not contractors. Whistleblower advocates say that means the order does not cover intelligence contractors.

“I often have contractors coming to me with whistleblower-type concerns and they are the least protected of them all,” attorney Mark Zaid told the Washington Post.

What’s more, the directive was not yet in effect at the time Snowden came forward. Since the leaks, the Office of the Director of National Intelligence has said “the Executive Branch is evaluating the scope” of the protections.

Former NSA employee Thomas Drake argues that even if Snowden were a government employee who went through the proper legal channels, he still wouldn’t have been safe from retaliation. Drake says while he reported his concerns about a 2001 surveillance program to his NSA superiors, Congress, and the Department of Defense, he was told the program was legal. Drake was later indicted for providing information to the Baltimore Sun. After years of legal wrangling, Drake pleaded guilty to a lesser charge and got no prison time.