Liberty News

The US authorities are set to add questions to immigration arrivals forms asking for IDs used on social media such as Facebook and Twitter. Reports suggest that it is supposedly voluntary to provide such information, but it wouldn't be difficult to drop a few hints, that those not providing such info may not be granted entry, to make it more or less mandatory.

A Notice by the U.S. Customs and Border Protection (CBP) on 06/23/2016 detailed the new question:

CBP Forms I-94 (Arrival/Departure Record) and I-94W (Nonimmigrant Visa Waiver Arrival/Departure Record) are used to document a traveler's admission into the United States. These forms are filled out by aliens and are used to collect information on citizenship, residency, passport, and contact information. The data elements collected on these forms enable the Department of Homeland Security (DHS) to perform its mission related to the screening of alien visitors for potential risks to national security and the determination of admissibility to the United States.

Proposed Changes

DHS proposes to add the following question to ESTA and to Form I-94W:

Please enter information associated with your online presence -- Provider/Platform -- Social media identifier.

It will be an optional data field to request social media identifiers to be used for vetting purposes, as well as applicant contact information. Collecting social media data will enhance the existing investigative process and provide DHS greater clarity and visibility to possible nefarious activity and connections by providing an additional tool set which analysts and investigators may use to better analyze and investigate the case.

The latest surveillance battle gripping the technology industry is focused on a rewrite of US surveillance law that would mean the justice department would be able to access a citizen's web browsing history, location data and some email records without approval from a judge using a so-called national security letters (NSLs).

The FBI contends that such data is covered implicitly under current statute, which was written years ago and only explicitly covers data normally associated with telephone records.

Director James Comey now is lobbying Congress to extend the current definition to include internet data.

Technology companies including Google, Facebook and Yahoo have sent a letter warning Congress that they would oppose any efforts to rewrite law in the FBI's favor.

This expansion of the NSL statute has been characterized by some government officials as merely fixing a 'typo' in the law, the companies wrote:

In reality, however, it would dramatically expand the ability of the FBI to get sensitive information about users' online activities without court oversight.

Update: Censored whilst claiming to be uncensored

11th June 2016. See  article from theregister.co.uk

A sly attempt to grant the FBI warrantless access to people's browser histories in the US has been shot down by politicians.

Unfortunately, the Electronic Communications Privacy Act (ECPA) Amendments Act of 2015, which would have brought in some privacy safeguards for Americans, was cut down in the crossfire.

The bill was halted because of an amendment tacked on by Senator John Cornyn on Tuesday that would allow the FBI to obtain someone's internet browsing history and the metadata of all their internet use without a warrant. If Cornyn's amendment was passed, the Feds would simply have to issue a National Security Letter (NSL) to get the information.

The bill's sponsors, Senators Patrick Leahy and Mike Lee, told a session of the Senate Committee on the Judiciary that Cornyn's amendment had wrecked years of careful bipartisan negotiations and would seriously harm US citizens' privacy. As such, they weren't prepared to let the bill go forward.

Update: And again

23rd June 2016. See  article from theregister.co.uk

The US Senate has struck down an amendment that would have allowed the FBI to track internet histories and communications without judicial oversight, but a re-vote could be called under Senate rules.

The amendment to the Commerce, Justice, Science, and Related Agencies Appropriations Act would have given the FBI the right to use National Security Letters (NSLs), which compel communications companies to hand over a customer's transactional records, including their browsing history, time spent online, and email metadata, but not the content of messages.

In addition, it would have made permanent a provision in the Patriot Act that would allow the same powers for those deemed to be individual terrorists to be treated as agents of foreign powers, a measure aimed at tracking so-called lone wolf operators.

It was introduced on Monday by Senators John McCain and Richard Burr. Senator John Cornyn has named the issue the FBI's top legislative priority and has tabled a further amendment to allow similar powers to law enforcement.

MPs have voted in the final Commons stage of the Investigatory Powers Bill. They voted in favour of the bill by 444 to 69.

Some MPs - particularly Joanna Cherry, David Davis, Alistair Carmichael and Stephen McPartland - did a great job in putting the Government under pressure. SNP, Lib Dem and Green MPs voted against.

The Bill will now be debated in the House of Lords

The Open Rights Group have highlighted the Filter as the nastiest part of the bill which unifies website history and communication records into a single searchable database. The group explains:

The bill is very long and complex, and hundreds of amendments have been proposed. However, the Request Filter in particular is receiving far too little attention . With a huge range of issues to deal with, the Request Filter has been absent from the discussions from the front benches, despite being the one of two completely new developments in the Bill. As the IPB enters report stage we need to ensure that the Filter gets the attention it deserves from MPs.

The Request Filter is described by the Home Office as a safeguard designed to reduce the collateral intrusion produced in searching for small, specific information in a large dataset. In reality, the Request Filter would allow automated complex searches across the retained data from all telecommunications operators.

This has the potential for population profiling, composite fishing trips and the unaccountable generation of new insights. It is bulk data surveillance without the bulk label, and without any judicial authorisation at all. The Food Standards Agency will be able to self-authorise itself to cross reference your internet history with your mobile phone location and landline phone calls--and search and compare millions of other people's records too.

Queries can be made across datasets. Location data - which pub you were in - can be compared with who you phoned, or which websites you visit. All with great convenience, through automated search. The searches will be increasingly focused on events, such as a website visited , or place people have gathered, rather than the suspects. This is the reverse of the position today, which requires the police to focus on suspects, and work outwards. In the future, with the Filter, any query can examine the data of thousands of innocent persons - to check that they don't fit the police's search criteria.

The idea of passive retained records, that lie unexamined until someone comes to the attention of the authorities, will lie dead. The data becomes an actively checked resource, allowing everyone's potential guilt to be assessed as needed.

The Filter creates convenience for law enforcement queries, and pushes practice towards the use of intrusive capabilities. It lowers the practical level on which they are employed. Techniques that today would be used only in the most serious crimes, because they require thought and care, tomorrow may be employed in run of the mill criminal activity, public order, or even food standards, as the bill stands.

The Filter was at the centre of debates when the original Snooper's Charter was first introduced in 2012. Parliament described the Request Filter at the time as essentially a federated database of all UK citizens' communications data .

This dystopian surveillance tool should be stopped, and next week MPs will have the chance to do it. There are several amendments presented by the Lib-Dem MP Alistair Carmichael that aim to remove the filter.

Another MP, the Conservative Stephen McPartland , who was part of the Science and Technology Committee and understands the implications of the Filter, has tabled a series of amendments with measures designed to constrain the power. These include restricting the Filter to exceptional circumstances, putting it under the control of the Judicial Commissioner as other bulk powers, and bringing it into the statute book as formal Regulations - so it is subjected to the normal transparency and processes of judicial review.

It is important that all those amendments get debated. We want the complete removal of the filter. McPartland's amendments describe the minimum requirements even a proponent should be seeking, but more importantly give MPs an opportunity to be told what the filter is, what it is capable of, and why the government plans so little oversight for it.

The nature of the Filter must be discussed to expose the Orwellian doublespeak characterisation by the Home Office of this surveillance tools as a safeguard to improve privacy.

East Lothian Council has adopted the policy of using fake Facebook profiles enabling council employees to spy on law-abiding resident.

A new policy has enabled investigating officers at East Lothian Council to use false Facebook identities to befriend targets and? scour social media pages not protected by privacy settings.

The nine-page surveillance through social media policy agreed by officials has been branded beyond creepy by critics who have questioned whether it infringes privacy rights.

Human rights lawyers and civil liberties groups have blasted the move, describing it as a sign that powers normally only used by police were spreading into other areas.

Daniel Nesbitt, research director of Big Brother Watch, said the council needs to say why these tactics are necessary, why they think they are proportionate and what safeguards will be in place.  He added:

For years now councils have been criticised for using heavy-handed snooping tactics, and a nine-page document simply isn't good enough.

Jason Rose, who stood for the Greens in the East Lothian constituency in last year's Westminster elections said the? policy was beyond creepy :

I cannot believe our councillors have agreed this policy. It speaks volumes that a council which is so poor at communicating with the public and does not make its meetings available to view online agrees a covert surveillance policy in such a secretive way.

Privacy International is reviving its challenge against the UK government's right to issue general hacking warrants.

The group has filed for the High Court to review the Investigatory Powers Tribunal (IPT) decision that ruled the general warrants are legal.

At the moment the government issues general warrants to organisations such as GCHQ, allowing them to hack computers and phones of both UK and non-UK residents without the need for judges to sign-off the warrant first.

Privacy International is worried about the scope of general warrants, saying that it could mean an entire class of unidentified persons or property, such as all mobile phones in Nottingham could be hacked. It said that:

The common law is clear that a warrant must target an identified individual or group of identified individuals.

The Snoopers' Charter, currently under consideration in parliament, is set to write this general government hacking capability into law.

A unjust bid by the National Crime Agency to use civil law to force an alleged cyber hacker to hand over encrypted computer passwords has been thrown out by a judge.

The agency (NCA) seized the computers during a raid at Love's home in October 2013. the authorities tried to shortcut lega safeguards in such cases by using an obscure civil law to extract the keys.

But this legal shortcut has now beem rejected by a district judge. Delivering her judgment at London's Westminster Magistrates' Court, District Judge Nina Tempia said the NCA should have used the normal police powers rather than a civil action to obtain the information:

I'm not granting the application because, to obtain the information sought, the correct procedure to use - as the NCA did two-and-a-half years ago - is RIPA (Regulation of Investigatory Powers Act) and the inherent safeguards incorporated thereafter, she said.

She added the powers of the court should not be used to circumnavigate existing laws and the safeguards.

The US is attempting to extradite Lauri Love on charges of hacking into the US Army, Nasa and US Federal Reserve networks.

Estonian commissioner Andrus Ansip has re-introduced one of his favourite suggestions: using national ID cards to log in to online services: Online platforms need to accept credentials issued or recognised by national public authorities, such as electronic ID cards, citizen cards, bank cards or mobile IDs .

He claims that this is nothing to do with making mass surveillance easier, its apparently just to help users with their password management.

Estonia introduced online ID in 2012 and it is claimed that subjects are happy with it too.

The EEF is a campaign group supporting people's rights in the digital world. The group writes:

The US government hacking into phones and seizing computers remotely? It's not the plot of a dystopian blockbuster summer movie. It's a proposal from an obscure committee that proposes changes to court procedures--and if we do nothing, it will go into effect in December.

The proposal comes from the advisory committee on criminal rules for the Judicial Conference of the United States. The amendment would update Rule 41 of the Federal Rules of Criminal Procedure, creating a sweeping expansion of law enforcement's ability to engage in hacking and surveillance. The Supreme Court just passed the proposal to Congress, which has until December 1 to disavow the change or it becomes the rule governing every federal court across the country. This is part of a statutory process through which federal courts may create new procedural rules, after giving public notice and allowing time for comment, under a "rules enabling act." 1

The Federal Rules of Criminal Procedure set the ground rules for federal criminal prosecutions. The rules cover everything from correcting clerical errors in a judgment to which holidays a court will be closed on --all the day-to-day procedural details that come with running a judicial system.

The key word here is "procedural." By law, the rules and proposals are supposed to be procedural and must not change substantive rights. But the amendment to Rule 41 isn't procedural at all. It creates new avenues for government hacking that were never approved by Congress.

The proposal would grant a judge the ability to issue a warrant to remotely access, search, seize, or copy data when the district where the media or information is located has been concealed through technological means or when the media are on protected computers that have been damaged without authorization and are located in five or more districts. It would grant this authority to any judge in any district where activities related to the crime may have occurred.

To understand all the implications of this rule change, let's break this into two segments.

The first part of this change would grant authority to practically any judge to issue a search warrant to remotely access, seize, or copy data relevant to a crime when a computer was using privacy-protective tools to safeguard one's location. Many different commonly used tools might fall into this category. For example, people who use Tor, folks running a Tor node, or people using a VPN would certainly be implicated. It might also extend to people who deny access to location data for smartphone apps because they don't feel like sharing their location with ad networks. It could even include individuals who change the country setting in an online service, like folks who change the country settings of their Twitter profile in order to read uncensored Tweets.

There are countless reasons people may want to use technology to shield their privacy. From journalists communicating with sources to victims of domestic violence seeking information on legal services, people worldwide depend on privacy tools for both safety and security. Millions of people who have nothing in particular to hide may also choose to use privacy tools just because they're concerned about government surveillance of the Internet, or because they don't like leaving a data trail around haphazardly.

If this rule change is not stopped, anyone who is using any technological means to safeguard their location privacy could find themselves suddenly in the jurisdiction of a prosecutor-friendly or technically-naïve judge, anywhere in the country.

The second part of the proposal is just as concerning. It would grant authorization to a judge to issue a search warrant for hacking, seizing, or otherwise infiltrating computers that may be part of a botnet . This means victims of malware could find themselves doubly infiltrated: their computers infected with malware and used to contribute to a botnet, and then government agents given free rein to remotely access their computers as part of the investigation. Even with the best of intentions, a government agent could well cause as much or even more harm to a computer through remote access than the malware that originally infected the computer. Malicious actors may even be able to hijack the malware the government uses to infiltrate botnets, because the government often doesn't design its malware securely . Government access to the computers of botnet victims also raises serious privacy concerns, as a wide range of sensitive, unrelated personal data could well be accessed during the investigation. This is a dangerous expansion of powers, and not something to be granted without any public debate on the topic.

Make no mistake: the Rule 41 proposal implicates people well beyond U.S. borders. This update expands the jurisdiction of judges to cover any computer user in the world who is using technology to protect their location privacy or is unwittingly part of a botnet. People both inside and outside of the United States should be equally concerned about this proposal.

The change to Rule 41 isn't merely a procedural update. It significantly expands the hacking capabilities of the United States government without any discussion or public debate by elected officials. If members of the intelligence community believe these tools are necessary to advancing their investigations, then this is not the path forward. Only elected members of Congress should be writing laws, and they should be doing so in a matter that considers the privacy, security, and civil liberties of people impacted.

Rule 41 seeks to sidestep the legislative process while making sweeping sacrifices in our security. Congress should reject the proposal completely.

The Haystack is a new documentary , released today by Scenes of Reason , bringing together leading lights for and against the UK's Investigatory Powers Bill. This unprecedented piece of legislation, which is now under parliamentary scrutiny, seeks to affirm and expand the surveillance remit of UK security services and other departments, including new powers for the police to access internet connection records -- a database of the public's online activity over the previous 12 months.

The film provides an excellent roundup of arguments on both sides of the tortuous surveillance debate, including Conservative MP Johnny Mercer echoing the well-worn refrain, if you have nothing to hide, you have nothing to fear. Jim Killock of the Open Rights Group , speaking at the film's launch, quipped that Mr Mercer might feel a bit different if it were the left-wing government of Jeremy Corbyn and John McDonnell wielding these powers. Indeed, as far-right parties attract support around Europe and the world, the likelihood increases of tremendous state surveillance becoming the plaything of ever more abusive regimes.

The immense capabilities contained within the bill are unpalatable in the hands of any authority -- they are all too easily harnessed to undermine perfectly reasonable political opposition and judicial work. By way of example, the film outlines one such case where the current UK government improperly gained access to privileged details of a court case against it. In this light, the bill seems an intolerable threat to democracy and free expression.

Voices of concern from the security community , such as Sir David Omand, ex-GCHQ chief, explain that precautions against terrorism require more spying. Others reject this, noting that security services have failed to act on intelligence when they do have it -- spending enormous sums on digital surveillance only reduces their efficacy in the realm of traditional detective work. Moreover, those costs, to be borne by government and industry, are excessive at a time of cuts to other public services designed to protect us from more conventional enemies, such as disease.

The legality of Britain's surveillance laws used for the mass snooping of communications  come unders the intense scrutiny of 15 European judges on Tuesday in a politically sensitive test case that could limit powers to gather online data.

The outcome of the hearing at the European court of justice (ECJ) in Luxembourg is likely to influence the final shape of the government's investigatory powers bill and will test judicial relationships within the EU.

Around a dozen EU states including the UK have intervened in the challenge against the government's Data Retention and Investigatory Powers Act 2014 (Dripa) that was originally brought by two MPs , the Conservative David Davis and Labour's deputy leader, Tom Watson.

The British case is being heard in conjunction with a Swedish case based on similar principles.

A draft copy of a US law to criminalize strong encryption has been leaked online. And the internet is losing its shit.

The proposed legislation hasn't been formally published yet: the document is still being hammered out by the Senate intelligence select committee. The proposal reads:

The underlying goal is simple, when there's a court order to render technical assistance to law enforcement or provide decrypted information, that court order is carried out. No individual or company is above the law. We're still in the process of soliciting input from stakeholders and hope to have final language ready soon.

The draft legislation, first leaked to Washington DC insider blog The Hill, is named the Compliance with Court Orders Act of 2016 , and would require anyone who makes or programs a communications product in the US to provide law enforcement with any data they request in an intelligible format, when presented with a court order.

The bill stems from Apple's refusal to help the FBI break into the San Bernardino shooter's iPhone, but goes well beyond that case. The bill would require companies to either build a backdoor into their encryption systems or use an encryption method that can be broken by a third party.

On example of the tech community response was from computer forensics expert Jonathan Dziarski who said:

The absurdity of this bill is beyond words. Due to the technical ineptitude of its authors, combined with a hunger for unconstitutional governmental powers, the end result is a very dangerous document that will weaken the security of America's technology infrastructure.

Update: Pakistan and Turkey too

12th April 2016. See article from vocativ.com

At least two other countries--Pakistan and Turkey--already have versions of such laws on the books. The Pakistan Telecommunications Authority has previously instructed the country's internet service providers to ban encrypted communication, though it's largely VPN use, which can be used to circumvent location-based internet censorship, that has been actively restricted there, and WhatsApp is still popular. Turkey takes the anti-encryption law on its books more seriously, and used it to initially charge Vice journalists arrested in southeastern Turkey in September 2015.

Meanwhile, France's National Assembly passed a bill in May to update its Penal Code to fine companies that don't find a way to undo their own encryption when served with a warrant in a terrorism investigation. The french? Senate version of this bill excludes this provision, and seven members from each house will now begin a compromise.

Update: Bill stalls

13th May 2016. See article from click.actionnetwork.org

Thanks to the attention brought to the importance of encryption via Apple vs FBI from Fight for the Future and other strong voices, Compliance with Court Orders Act of 2016 - one of the worst national security bills ever drafted - is stalled.

The Hungarian ruling party wants to ban all working crypto. The parliamentary vice-president from Fidesz has asked parliament to:

Ban communication devices that [law enforcement agencies] are not able to surveil despite having the legal authority to do so.

Since any working cryptographic system is one that has no known vulnerabilities, whose key length is sufficient to make brute force guessing impractical within the lifespan of the universe, this amounts to a ban on all file-level encryption and end-to-end communications encryption, as well as most kinds of transport encryption (for example, if your browser makes a SSL connection to a server that the Hungarian government can't subpoena, it would have no means of surveiling your communication).

Messaging app WhatsApp has announced that it has added encryption for all voice calls and file transfers for all users.

It renders messages generally unreadable if they are intercepted, for example by criminals or law enforcement. No doubt if the security services throw all their computing might at a message then they may be able to decrypt it by brute force.

The Facebook-owned company said protecting private communication of its one billion users worldwide was one of its core beliefs . Whatsapp said:

The idea is simple: when you send a message, the only person who can read it is the person or group chat that you send that message to. No one can see inside that message. Not cybercriminals. Not hackers. Not oppressive regimes. Not even us.

Users with the latest version of the app were notified about the change when sending messages on Tuesday. The setting is enabled by default.

Users should be aware that snoopers can still see a whole host of non-content data about the communication, such as who was using the app, who was being called, and for how long.

Amnesty International called the move a huge victory for free speech:

Whatsapp's roll out of the Signal Protocol, providing end to end encryption for its one billion users worldwide, is a major boost for people's ability to express themselves and communicate without fear.

This is a huge victory for privacy and free speech, especially for activists and journalists who depend on strong and trustworthy communications to carry out their work without putting their lives at greater risk.