Tag Archives: FISA

Security News Bites For Friday July 6, 2018

NSA Deleting All Call Detail Records (CDRs) Acquired Since 2015

While the NSA is not providing a lot of details about what went wrong, the NSA is saying that it is deleting all CDRs acquired since 2015 because of technical irregularities that resulted in it receiving data that, likely, would be illegal under the current law.  They have been accused of breaking the law many times, but this is one of the few times I can remember that they admitted to breaking the law.

Because, they say, it is infeasible to sort out the legal data from the illegal data, they are deleting lots of data.

Gizmodo, in a bit of editorializing, asked if the “technical irregularities” were related to the “programming errors” the FBI said caused it to wildly inflate the number of encrypted phones that they could not access in various criminal cases.

While admitting that they screwed up is important, what would be better would be to get it right as they hoover up all of this data.  (Source:Gizomodo)

3 Weeks Until NOT SECURE Starts Showing Up In Your Browser

I wrote about this a few months ago, but now it is going to happen, so it is worth a reminder.

For all of those web sites that said that HTTPS was not important or a hassle or costs money, as of July 23, 2018, Google is going to flag your site as NOT SECURE in the address bar, every time someone visits your site.

While some visitors will ignore the warning, others will get freaked, especially if your site is not one that they visit often.

Now is the time – like in the next 21 days – to set up an HTTPS certificate for your web site.

By the way, in typical Google fashion, in a few months they will start presenting a pop up box that visitors will have to click through to say, yes, I know this site is not secure, but I want to go there anyway.  Not a great way to attract new visitors.  (Source: The Register)

Bank of England (BoE) Tells British Banks to be on a War Footing

Bank regulators in the UK have told financial service firms to come up with a detailed plan to restore services after a disruption and to invest in the staff and technology to do so.  Bank Boards and senior management should ASSUME that systems and processes that support the business will be disrupted and focus on backup plans, responses and recovery.

Lyndon Nelson, deputy chief executive of the BoE’s regulator said that firms need to be on a “WAR footing: withstand, absorb, recover.”  This is something the Brits understand from World War II, but which the United States hasn’t quite figured out.

In addition to cyber attacks, the BoE said that firms should be ready for disruptions caused by failed outsourcing and tech breakdowns.

As the U.S. relaxes it’s stress tests, the BoE said that it will stress test banks with “severe, but plausible” scenarios.  The BoE will set a time limit for recovery.

It looks like the UK regulators are way ahead of US regulators, but maybe we can learn from them.  (Source: Bloomberg)

US Firms Hit Another Hurdle in GDPR Compliance

Some people say – and no one has proved the contrary – that GDPR was designed to go after big U.S. firms, while dragging along all the little ones with it.

This week, in honor of July 4th (not really), the European Parliament voted in favor of a resolution that says that if the U.S. does not fulfill it’s obligations under Safe Harbor by September 1 of this year, Europe should suspend the deal.  This is in addition to the attacks on Safe Harbor that are currently going on in the EU court system.

Taken together, U.S. firms doing business AND who transfer data between the E.U. and the U.S. should be rightfully worried.

Some of the obligations that the U.S. is behind on include filling vacant posts on the Privacy and Civil Liberties Oversight Board, which has been basically dormant under the current administration,  the lack of a permanent ombudsman, the impact of the President’s executive orders on immigration, the re-authorization of Section 702 of the FISA act and a number of others.

The current relationship between our president and the EU doesn’t help things.

This could turn into a standoff, or, in the worst case scenario, the E.U. could shut off the data spigot for U.S. companies to legally move data from the E.U. to the U.S. for processing, storage and analysis.  While large companies may (repeat MAY) be able to deal with this, smaller companies will be greatly challenged and some may have to abandon the European market to E.U. based businesses, something that would make a lot of E.U. businesses very happy.

Stay tuned!  (Source: The Register)

 

Facebooktwitterredditlinkedinmailby feather

Section 702 Renewal Could Have Huge Negative Impact on Business

As I said in an earlier post, after 9-11 Congress passed some major new surveillance laws.  The idea was to increase surveillance in a move to try and find more terrorists.  Congress also wasn’t completely sold on the idea, so the law sunsets every few years and Congress has to renew it.  This is one of those renewal years.

But there is a wrinkle.  Congress is still not sold on the idea.  The law was set to expire at the end of December and rather than allowing it to lapse while they were on vacation, Congress renewed the law prior to leaving town.  Renewed that is, for four weeks.  The law is set to expire, again, next week.

There are several bills in various stages of approval that range from a permanent renewal with no restrictions to a limited renewal with restrictions.

Apparently one of the sticking points is something called “About” collection.  This was abandoned last year, but some of the bills in Congress now reincarnate it.  About collection, some say, is a back door to allow the FBI via the NSA to collect information ABOUT Americans without a warrant, using some slight of hand saying the information was collected incidental to someone or some thing they were interested ABOUT.

Congress has 9 days to either figure it out or kick the can down the road.  Again.

But here is the negative business impact.

For U.S. companies that do business in Europe, many of them, especially smaller ones, need to be able to bring that data back to the United States.  Due to Europe’s much stricter privacy laws, they can’t do this unless the agree to offer E.U. citizens the same protections that they would get in Europe.  Enter Privacy Shield, son of Safe Harbor.  Privacy shield is an agreement between the U.S. government and the E.U. government regarding what we will and will not do with respect to protecting E.U. citizen’s privacy.  About 2.400 U.S. companies currently follow the Privacy Shield agreement and more are in process.

But the E.U. lawmakers are not very fond of Section 702.  In fact, they have said so publicly.  In fact, they have threatened to go to E.U. court to have Privacy Shield declared null and void.

And that is exactly what will likely happen (and did happen to Safe Harbor) if the U.S. extends Section 702 as is.

I am not clear that some U.S. Senators and Congresspeople understand that;  they would much rather deal in crisis.

So here is one possible outcome.  Congress renews Section 702 with no reforms, the E.U. goes to court and gets Privacy Shield declared unconstitutional and American businesses get to scramble to figure out how to continue to do business in Europe.  This is worth billions to U.S. businesses.

It probably won’t be that bad.  The court will probably give the U.S. 6-12 months to figure out a solution.  Then bureaucrats in the U.S. and E.U. will need to try and figure out how to deal with it and Congress may have to amend Section 702.

Alternatively, Congress could be proactive.  Not. Counting. On, That.

If you sell into Europe, you might want to contact your Congress-critters.

Otherwise, get some popcorn and watch the fun.

Information for this post came from The Hill.

Facebooktwitterredditlinkedinmailby feather

FISA Court Affirms FBI Does NOT Need A Warrant To Read Your EMail

The Foreign Intelligence Surveillance Court or FISA Court has affirmed that the Feds do not need a warrant to search your email.  Of course, if that email is encrypted – not like GMail, but with real encryption – then while they may have the FISA court’s permission to look at it, they will have to figure out how do decrypt it first.

FISA Court Judge Thomas Hogan, in an opinion from last November that was recently declassified, said that Section 702 of the Patriot Act, including as amended by the FISA Amendments Act allows the government to keep any emails from American citizens that they hoover up as part of their mass data collection if that email is evidence of a crime.  Evidence of a crime is a pretty low bar.  After all, a lot of evidence would never convince a jury of anything.

This confirms a couple of things.

First, you should not say incriminating things in email.  To me, this falls into the “DUH!” category.

And second, Section 702 of the FISA Amendments Act allows the government to hoover up a lot of email and keep it and share it if they think it could be evidence of a crime.

The implication of this is that if you expect your email to be private, that would require extraordinary steps on your part to make sure that it is.

In that same opinion, the criticized the NSA for not destroying old surveillance data in spite of rules that require them to do that.

“Perhaps”, Judge Hogan wrote, ” more disappointing that the NSA’s failure to purge this information for more than four years, was the Government’s failure to convey to the Court, explicitly during that time that the NSA was continuing to retain this information,”.

Let me translate that to English.

Ye Olde Judge is pissed that the NSA lied to him when they certified that they were complying with the rules for Section 702,  when in fact, they were not compliant.  I am gathering that the judge is saying that this was not an oopsie.

The NSA replied to the ruling by issuing a statement from ODNI Director James Clapper that said “prior representations could have been clearer”. – i.e., we lied and got caught at it.  My bad.  Sorry.

And some people are wondering why some citizens don’t trust the government.  Seems pretty clear why some people don’t trust the government.

Information for this post came from SC Magazine.

Facebooktwitterredditlinkedinmailby feather

HR 4681 and government surveillance

HR 4681, the Intelligence Authorization Act for FY 2015 was signed into law on December 19th, 2014 and provides funding for the intelligence community until next September.  The bill and now law contains one section – section 309 – that deals with the collection, retention and sharing of information collected by the intelligence community.  Because Congress wanted to get out of D.C., this bill was not debated and it was voted on under a rules suspension that is used to push through non-controversial bills.  Since no one wants to appear soft on terrorism, this bill fit into that category and it passed 325-100.

Section 309 was an effort to curtail some of the practices of mass data collection and retention of the intelligence community, but it seems to have a lot of wiggle room.  The text of the bill can be found here.

Interestingly, most of the data collection that the intelligence community collects is not done under the Patriot Act or the Foreign Intelligence Surveillance Act, but rather, under a very dusty executive order that President Reagan signed in 1981 called EO 12333.  A primer on the EO is available here.  Since EOs are written by the executive branch with no oversight by Congress, they tend to formalize what the executive branch wants to do anyway and are typically one-sided.   It covers, among other things, mass data collection and the minimization of data collected on U.S. citizens.  Those rules are currently covered by a document called USSID SP0018 which is available here.  In the preface it says that they need to balance the rights under the 4th amendment to the US Constitution against the needs of the government to collect intelligence.  In concept that makes sense, but in the case of both the EO and the USSID, the fox is squarely in charge of guarding the hen house.  EFF, a privacy watchdog, created a primer on it, which is linked to above and suggests that there are a lot of loopholes in these documents which allow for over collection, over retention and not much oversight.  Section 309 was an attempt to begin to reign in some of those activities.

Since Congress did not take the time to debate this bill, there was not much consideration of what section 309 formally codifies.  For the first time, there is a law that says that the intelligence community can collect, share and retain information on U.S. citizens.

It is a start.  Section 309:

  • It defines a covered communication as any electronic or telephone communication collected without the consent of a (only one) party to the communication.
  • It requires that the heads of each part of the intelligence community create policies approved by the Attorney General within the next two years describing how they are going to comply with Section 309.  That means that nothing is likely to change for at least two years and Congress won’t review these procedures.
  • That intelligence collected (including mass intelligence) can only be kept for 5 years unless the fox guarding the hen house decides- in compliance with these procedures that are going to be written in the next two years – that it is (a) foreign intelligence, (b) reasonably believed to be evidence of a crime, (c) encrypted, (d) all parties are reasonably believed to be non US citizens, (e) retention is necessary to protect against an imminent threat to human life (in which case they have to tell Congress about it later), (f) retention is necessary for technical assurance or compliance reasons (in which case they have to write a dusty report every year to the Senate and House Intelligence Committees) or (g) the head of an intelligence community element decides it is necessary to protect the national security (in which case they have to report on some unstated frequency to the intelligence committees again).

So while section 309 is a reasonable start, it appears that there is a lot of wiggle room and, for the first time, legally says that the intelligence community can keep encrypted communications forever and that if they think the intercepted communication is reasonably believed to be evidence of a crime, they can share it with unspecified law enforcement agencies, without a warrant and with no guidelines as to what reasonable means.  It also creates a process to keep that intelligence forever if something thinks it is important.

There is clearly no room for abuse in section 309.  So, while I think this is a good start, we are definitely no where near done yet.

 

Mitch

 

 

Facebooktwitterredditlinkedinmailby feather