U.S. courts: Electronic surveillance up 500 percent in D.C.-area since 2011, almost all sealed cases

By Spencer S. Hsu and Rachel Weiner
Oct 24 2016

Secret law enforcement requests to conduct electronic surveillance in domestic criminal cases have surged in federal courts for Northern Virginia and the District, but only one in a thousand of the applications ever becomes public, newly released data show.

The bare-bones release by the courts leaves unanswered how long, in what ways and for what crimes federal investigators tracked individuals’ data and whether long-running investigations result in charges.

Yet the listings of how often law enforcement applied to judges to conduct covert electronic surveillance — a list that itself is usually sealed — underscore the exponential growth in the use of a 1986 law to collect data about users’ telephone, email and other Internet communications.

Unsealing basic docket information “is an important first step for courts to recognize that they have been enabling a kind of vast, secret system of surveillance that we now know to be so pervasive,” said Brett Max Kaufman, a staff attorney at the American Civil Liberties Union’s Center for Democracy.

The two federal courts are among the most active in the nation, with investigations that can span the country — and are among only a handful known to make even modest disclosures about their surveillance dockets.

Peter Carr, a spokesman for the Justice Department, said “there are no broad generalizations or presumptions about when matters are sealed or not sealed,” and that such decisions are “an individualized process.”

When courts choose to share information “on the use of these investigative tools, the Department [of Justice] has worked with them” to preserve “the integrity of ongoing investigations,” and shield witnesses and the reputations of targets who are never charged, Carr said.

In Northern Virginia, electronic-surveillance requests increased 500 percent in the past five years, from 305 in 2011 to a pace set to pass 1,800 this year.

Only one of the total 4,113 applications in those five years had been unsealed as of late July, according to information from the Alexandria division of the U.S. District Court for the Eastern District of Virginia, which covers northern Virginia. Kaufman’s group obtained the Northern Virginia data in July and shared it with The Washington Post.

The federal court for the District of Columbia had 235 requests in 2012, made by the local U.S. attorney’s office. By 2013 the number had climbed to about 564, roughly 2.4 times the 2012 figure, according to information released by the court’s chief judge and clerk.

Three of the 235 applications from 2012 have been unsealed.

The releases from the Washington-area courts list applications by law enforcement to federal judges asking to track data — but not eavesdrop — on users’ electronic communications. That data can include sender and recipient information, and the time, date, duration and size of calls, emails, instant messages and social-media messages, as well as device identification numbers and some website information.

Electronic exchanges, even absent what was said or written, can help investigators map a wide range of a target’s relationships and the timing and pattern of activities.

The Virginia list also includes surveillance requests made since 2011 under a separate law that permits authorities to obtain the contents of emails.

The listings identified the case number of each surveillance application, the date it was filed and the name of the judge who reviewed it. Left undisclosed is information including the crime under investigation, any associated criminal case or charged defendant, or whether an investigation is ongoing or has ended. With rare exceptions, it also is not possible to determine whether a judge limited or denied an application, or whether a target or service provider challenged the government’s request.

The information about what are known as pen register and trap-and-trace orders was made public after litigation by the ACLU, the Electronic Frontier Foundation (EFF), journalists and others, including some service providers. The ACLU has urged disclosures by all courts so the public and lawmakers can learn whether public safety gains outweigh privacy trade-offs.

“It’s hard to understand whether this surveillance is necessary or whether there is overreach without basic information about how often these orders are sought or granted, or who is granting them. Even judges themselves do not know,” Kaufman said.


AT&T Is Spying on Americans for Profit, New Documents Reveal

[Note: This item comes from friend David Isenberg. DLH]

The telecom giant is doing NSA-style work for law enforcement—without a warrant—and earning millions of dollars a year from taxpayers.
Oct 25 2016

On Nov. 11, 2013, Victorville, California, sheriff’s deputies and a coroner responded to a motorcyclist’s report of human remains outside of town.

They identified the partially bleached skull of a child, and later discovered the remains of the McStay family who had been missing for the past three years. Joseph, 40, his wife Summer, 43, Gianni, 4, and Joseph Jr., 3, had been bludgeoned to death and buried in shallow graves in the desert.

Investigators long suspected Charles Merritt in the family’s disappearance, interviewing him days after they went missing. Merritt was McStay’s business partner and the last person known to see him alive. Merritt had also borrowed $30,000 from McStay to cover a gambling debt, a mutual business partner told police. None of it was enough to make an arrest.

Even after the gravesite was discovered and McStay’s DNA was found inside Merritt’s vehicle, police were far from pinning the quadruple homicide on him.

Until they turned to Project Hemisphere.

Hemisphere is a secretive program run by AT&T that searches trillions of call records and analyzes cellular data to determine where a target is located, with whom he speaks, and potentially why.

“Merritt was in a position to access the cellular telephone tower northeast of the McStay family gravesite on February 6th, 2010, two days after the family disappeared,” an affidavit for his girlfriend’s call records reports Hemisphere finding (PDF). Merritt was arrested almost a year to the day after the McStay family’s remains were discovered, and is awaiting trial for the murders.
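The pen-register metadata described in the first article (sender, recipient, time, duration, device identifiers, no content) and Hemisphere’s tower analysis are two forms of the same inference: relationships and movement reconstructed from records that say nothing about what was discussed. The Python below is an added example, not code from either article or from AT&T; the subscribers, times and tower IDs are constructed, and the five-field record layout (caller, callee, start time, duration, the caller’s tower) is an assumption about what such records might look like, not a real carrier format.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed pen-register / call-detail style records: no content, only
# who called whom, when, for how long, and which tower the CALLER's handset
# used. Every number, time and tower ID here is made up for this example,
# and the five-field layout is an assumption, not a real carrier format.
RECORDS = [
    # caller,         callee,         start (ISO),           dur_s, tower
    ("202-555-0101", "202-555-0199", "2010-02-04T09:12:00", 240, "T-17"),
    ("202-555-0101", "202-555-0150", "2010-02-04T09:40:00",  60, "T-17"),
    ("202-555-0199", "202-555-0101", "2010-02-06T00:10:00", 900, "T-42"),
    ("202-555-0101", "202-555-0199", "2010-02-06T01:30:00",  30, "T-42"),
    ("202-555-0101", "202-555-0150", "2010-02-06T01:45:00",  45, "T-42"),
    ("202-555-0101", "202-555-0199", "2010-02-07T10:00:00", 120, "T-17"),
    ("202-555-0150", "202-555-0101", "2010-02-08T10:00:00", 120, "T-17"),
]


def parse(rec):
    caller, callee, start, dur, tower = rec
    return caller, callee, datetime.fromisoformat(start), int(dur), tower


def contact_profile(records, target):
    """Who the target talks to, how often, for how long, and who initiates.

    Returns {other_number: {"calls", "seconds", "initiated", "first", "last"}}.
    """
    profile = {}
    for caller, callee, start, dur, _ in map(parse, records):
        if target not in (caller, callee):
            continue
        other = callee if caller == target else caller
        p = profile.setdefault(other, {"calls": 0, "seconds": 0, "initiated": 0,
                                       "first": start, "last": start})
        p["calls"] += 1
        p["seconds"] += dur
        if caller == target:
            p["initiated"] += 1
        p["first"] = min(p["first"], start)
        p["last"] = max(p["last"], start)
    return profile


def towers_used(records, target, start_iso, end_iso):
    """Towers the target's handset used while placing calls in a time window."""
    lo, hi = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    hits = Counter()
    for caller, _, start, _, tower in map(parse, records):
        if caller == target and lo <= start <= hi:
            hits[tower] += 1
    return hits


def co_located(records, a, b, max_gap=timedelta(hours=2)):
    """(tower, time_a, time_b) triples where a and b placed calls through the
    same tower within max_gap of each other: the 'was in a position to access
    the tower' inference, built from nothing but metadata."""
    by_tower = defaultdict(list)
    for caller, _, start, _, tower in map(parse, records):
        by_tower[tower].append((caller, start))
    out = []
    for tower, events in by_tower.items():
        a_times = [t for who, t in events if who == a]
        b_times = [t for who, t in events if who == b]
        out += [(tower, ta, tb) for ta in a_times for tb in b_times
                if abs(ta - tb) <= max_gap]
    return sorted(out)


if __name__ == "__main__":
    target = "202-555-0101"
    for other, p in contact_profile(RECORDS, target).items():
        print(f"{other}: {p['calls']} calls, {p['seconds']}s, "
              f"{p['initiated']} initiated, {p['first']:%Y-%m-%d}..{p['last']:%Y-%m-%d}")
    window = ("2010-02-05T00:00:00", "2010-02-07T00:00:00")
    print("towers used 5-7 Feb:", dict(towers_used(RECORDS, target, *window)))
    for tower, ta, tb in co_located(RECORDS, target, "202-555-0199"):
        print(f"same tower {tower}: {ta:%d %b %H:%M} vs {tb:%d %b %H:%M}")
```

Seven records are enough to show the point: the profile exposes who the target calls most and at what hours, the tower window places the handset in an area on a given night, and the co-location pass links two subscribers through a shared tower without a single word of any call. Real pen-register output lacks the callee’s tower, which is why the example only ever uses the caller’s.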

In 2013, Hemisphere was revealed by The New York Times and described only within a PowerPoint presentation made by the Drug Enforcement Administration. The Times described it as a “partnership” between AT&T and the U.S. government; the Justice Department said it was an essential, and prudently deployed, counter-narcotics tool.

However, AT&T’s own documentation—reported here by The Daily Beast for the first time—shows Hemisphere was used far beyond the war on drugs to include everything from investigations of homicide to Medicaid fraud.

Hemisphere isn’t a “partnership” but rather a product AT&T developed, marketed, and sold at a cost of millions of dollars per year to taxpayers. No warrant is required to make use of the company’s massive trove of data, according to AT&T documents, only a promise from law enforcement to not disclose Hemisphere if an investigation using it becomes public.

These new revelations come as the company seeks to acquire Time Warner in the face of vocal opposition saying the deal would be bad for consumers. Donald Trump told supporters over the weekend he would kill the acquisition if he’s elected president; Hillary Clinton has urged regulators to scrutinize the deal.

While telecommunications companies are legally obligated to hand over records, AT&T appears to have gone much further to make the enterprise profitable, according to ACLU technology policy analyst Christopher Soghoian.

“Companies have to give this data to law enforcement upon request, if they have it. AT&T doesn’t have to data-mine its database to help police come up with new numbers to investigate,” Soghoian said.

AT&T has a unique power to extract information from its metadata because it retains so much of it. The company owns more than three-quarters of U.S. landline switches, and the second largest share of the nation’s wireless infrastructure and cellphone towers, behind Verizon. AT&T retains its cell tower data going back to July 2008, longer than other providers. Verizon holds records for a year and Sprint for 18 months, according to a 2011 retention schedule obtained by The Daily Beast.

The disclosure of Hemisphere was not the first time AT&T has been caught working with law enforcement above and beyond what the law requires.

Special cooperation with the government to conduct surveillance dates back to at least 2003, when AT&T ordered technician Mark Klein to help the National Security Agency install a bug directly into its main San Francisco internet exchange point, Room 641A. The company invented a programming language to mine its own records for surveillance, and in 2007 came under fire for handing these mined records over to the FBI. That same year Hemisphere was born.


Inside the Cyberattack That Shocked the US Government

[Note: This item comes from friend Steve Goldstein. DLH]

Oct 23 2016

The US Office of Personnel Management doesn’t radiate much glamour. As the human resources department for the federal government, the agency oversees the legal minutiae of how federal employees are hired and promoted and manages benefits and pensions for millions of current and retired civil servants. The core of its own workforce, numbering well over 5,000, is headquartered in a hulking Washington, DC, building, the interior of which has all the charm of an East German hospital circa 1963. It’s the sort of place where paper forms still get filled out in triplicate.

The routine nature of OPM’s business made the revelations of April 15, 2015, as perplexing as they were disturbing. On that morning, a security engineer named Brendan Saulsbury set out to decrypt a portion of the Secure Sockets Layer (SSL) traffic that flows across the agency’s digital network. Hackers have become adept at using SSL encryption to cloak their exploits, much as online vendors use it to shield credit card numbers in transit. Since the previous December, OPM’s cybersecurity staff had been peeling back SSL’s camouflage to get a clearer view of the data sloshing in and out of the agency’s systems.

Soon after his shift started, Saulsbury noticed that his decryption efforts had exposed an odd bit of outbound traffic: a beacon-like signal pinging to a site called opmsecurity.org. But the agency owned no such domain. The OPM-related name suggested it had been created to deceive. When Saulsbury and his colleagues used a security program called Cylance V to dig a little deeper, they located the signal’s source: a file called mcutil.dll, a standard component of software sold by security giant McAfee. But that didn’t make sense; OPM doesn’t use McAfee products. Saulsbury and the other engineers soon realized that mcutil.dll was hiding a piece of malware designed to give a hacker access to the agency’s servers.

The Office of Personnel Management repels 10 million attempted digital intrusions per month—mostly the kinds of port scans and phishing attacks that plague every large-scale Internet presence—so it wasn’t too abnormal to discover that something had gotten lucky and slipped through the agency’s defenses. In March 2014, for example, OPM had detected a breach in which blueprints for its network’s architecture were siphoned away. But in this case, the engineers noticed two unusually frightening details. First, opmsecurity.org had been registered on April 25, 2014, which meant the malware had probably been on OPM’s network for almost a year. Even worse, the domain’s owner was listed as “Steve Rogers”—the scrawny patriot who, according to Marvel Comics lore, used a vial of Super-Soldier Serum to transform himself into Captain America, a member of the Avengers.
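The three signals the OPM engineers describe above (an outbound beacon, to a domain that imitates the agency’s own name, registered almost a year before anyone noticed) are each cheap to check once outbound traffic is visible. The Python below is an added example, not code from Wired’s article or from OPM: it runs a lookalike-domain, beacon-periodicity and dwell-time check over constructed proxy log lines. The hostnames, timestamps, the `opm` keyword, the owned-domain list and the stand-in WHOIS table are all assumptions made for the example.

```python
import statistics
from datetime import datetime, timedelta

# Constructed outbound proxy log lines, "timestamp host domain". The hosts,
# times and the lookalike domain are made up for this example; the shape
# (a clockwork beacon to a domain imitating the organisation's own name)
# is the pattern described in the text.
LOG_LINES = """\
2015-04-15T08:00:00 ws-112 www.opm.gov
2015-04-15T08:00:05 ws-112 opmsecurity.org
2015-04-15T08:02:11 ws-118 update.microsoft.com
2015-04-15T08:30:06 ws-112 opmsecurity.org
2015-04-15T09:00:04 ws-112 opmsecurity.org
2015-04-15T09:30:07 ws-112 opmsecurity.org
2015-04-15T10:00:05 ws-112 opmsecurity.org
2015-04-15T10:14:42 ws-118 login.opm.gov
2015-04-15T10:15:12 ws-118 www.opm.gov
2015-04-15T10:20:00 ws-118 mail.example.com
""".splitlines()

ORG_KEYWORD = "opm"                     # assumed: the brand an attacker would imitate
OWNED_DOMAINS = {"opm.gov"}             # assumed: registrable domains the org really owns

# Stand-in for a WHOIS lookup (constructed): registrable domain -> creation date.
WHOIS_CREATED = {"opmsecurity.org": "2014-04-25"}


def parse_line(line):
    ts, host, domain = line.split()
    return datetime.fromisoformat(ts), host, domain.lower()


def registrable(domain):
    # Crude "last two labels" rule; fine for .org/.com/.gov, not for co.uk etc.
    return ".".join(domain.split(".")[-2:])


def is_lookalike(domain):
    """Domain carries the org's name but is not one the org actually owns."""
    return ORG_KEYWORD in domain and registrable(domain) not in OWNED_DOMAINS


def beacon_interval(times, max_jitter=timedelta(seconds=30)):
    """Median gap in seconds if the request times are near-periodic, else None.

    Humans browsing do not produce evenly spaced requests; implants polling
    a C2 on a timer do, give or take a little jitter.
    """
    if len(times) < 4:
        return None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    median = statistics.median(gaps)
    if all(abs(g - median) <= max_jitter.total_seconds() for g in gaps):
        return median
    return None


def dwell_days(domain, first_seen, whois=WHOIS_CREATED):
    """Lower bound on how long the domain could have been in use before we saw it."""
    created = whois.get(registrable(domain))
    if created is None:
        return None
    return (first_seen - datetime.fromisoformat(created)).days


def hunt(lines):
    by_key = {}
    for ts, host, domain in map(parse_line, lines):
        by_key.setdefault((host, domain), []).append(ts)
    findings = []
    for (host, domain), times in by_key.items():
        if not is_lookalike(domain):
            continue
        findings.append({
            "host": host,
            "domain": domain,
            "requests": len(times),
            "beacon_interval_s": beacon_interval(times),
            "dwell_days_min": dwell_days(domain, min(times)),
        })
    return findings


if __name__ == "__main__":
    for f in hunt(LOG_LINES):
        print(f)
```

On the constructed log this flags `ws-112` talking to `opmsecurity.org` every 30 minutes, and the WHOIS date puts a floor of 355 days on how long that domain could have been live before the first logged request. The dwell figure is only a lower bound: registration precedes first use, and the log only goes back as far as whoever kept it.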

Registering sites in Avengers-themed names is a trademark of a shadowy hacker group believed to have orchestrated some of the most devastating attacks in recent memory. Among them was the infiltration of health insurer Anthem, which resulted in the theft of personal data belonging to nearly 80 million Americans. And though diplomatic sensitivities make US officials reluctant to point fingers, a wealth of evidence ranging from IP addresses to telltale email accounts indicates that these hackers are tied to China, whose military allegedly has a 100,000-strong cyberespionage division. (In 2014 a federal grand jury in Pennsylvania indicted five people from one of that division’s crews, known as Unit 61398, for stealing trade secrets from companies such as Westinghouse and US Steel; all the defendants remain at large.)

Once Captain America’s name popped up, there could be little doubt that the Office of Personnel Management had been hit by an advanced persistent threat (APT)—security-speak for a well-financed, often state-sponsored team of hackers. APTs like China’s Unit 61398 have no interest in run-of-the-mill criminal activities such as selling pilfered Social Security numbers on the black market; they exist solely to accumulate sensitive data that will advance their bosses’ political, economic, and military objectives. “Everyone can always say, ‘Oh, yeah, the Pentagon is always going to be a target, the NSA is always going to be a target,’” says Michael Daniel, the cybersecurity coordinator at the White House, who was apprised of the crisis early on. “But now you had the Office of Personnel Management as a target?”

To figure out why the hackers had trained their sights on OPM, investigators would have to determine what, if anything, had been stolen from the agency’s network over the preceding year. But first they had to hunt down and eliminate the malware on its network, an archaic monstrosity that consisted of as many as 15,000 individual machines.


Murder in the Library of Congress

[Note: This item comes from friend David Rosenthal. David’s comment: ‘Should have said, this isn’t something I agree with Orlowski on. Copyright office has been classic regulatory capture.’ DLH]

Copyright chief removed, moved sideways
By Andrew Orlowski
Oct 24 2016

The US Copyright Office has been given a brutal Silicon Valley-style sacking, the first time the Copyright Register has been dismissed in 119 years.

Maria A Pallante was locked out of her computer on Friday, according to Billboard, on the instructions of her boss, a new Obama appointee, Carla Hayden, the Librarian of Congress.

“Officially, Pallante has been appointed as a senior adviser for digital strategy for the Library of Congress, although it’s clear she was asked to step down,” Billboard’s Robert Levine notes.

Critics see the move as in line with Silicon Valley asserting its influence over the US Government via its agencies in the dog days of the Obama Administration. Just last month, as Hayden started the post, the Google-funded group Public Knowledge attacked the Copyright Office for upholding the copyright laws.

“Pallante was the only one standing between Google and what is left of the copyright system,” wrote David Lowery on the Trichordist blog, which campaigns for better deals for songwriters and musicians.

Controversial decisions by the Department of Justice, the Federal Trade Commission, and the Federal Communications Commission have all resulted in proposals or decisions that advanced the business interests of Silicon Valley’s biggest companies.

For example, after an investigation of Google for anti-competitive practices, FTC staff concluded there was sufficient evidence to bring a case – but the Obama-appointed trade commissioners abandoned this for a voluntary deal instead.

The FCC, run by former industry lobbyist and major Obama fundraiser Tom Wheeler, has introduced a flood of measures that benefit huge web companies and constrain telcos, the most significant of which is Title II reclassification, which gives the bureaucrats wide-ranging authority over internet practices and private contracts. The DoJ was found to have kept Obama’s office closely involved on antitrust investigations – which has never happened before.

What’s the Register of Copyright and why has it annoyed Google?

Congress created the post of Register of Copyrights at the end of the 19th century, when copyright protection required an author to register a work. (Registration is no longer a condition of protection in countries that have signed the Berne Convention, but in the USA it remains a prerequisite for claiming statutory damages.) The role of the Register has evolved to provide Congress with expert impartial advice. The legal duty of the Register is to uphold a functioning rights marketplace, something Silicon Valley isn’t keen to see, as the windfall profits of today’s giant web companies come from aggregation rather than trade.

Although the Library of Congress (as the name implies) reports to Congress, its boss is a Presidential appointee. Barack Obama appointed a librarian from his Chicago base who rose to head the librarians’ association, the ALA. Her appointment was welcomed by anti-copyright crusaders.

But two pieces of advice from the Copyright Register in particular will have infuriated Google, which in each case sought radical changes in the operation of the copyright system.

On the advice of a DoJ antitrust attorney, the DoJ recommended that part-authors of a song should lose the ability to say no to digital deals they don’t like.

The move came from Google’s former key antitrust lawyer Renata Hesse, who had moved from Wilson Sonsini Goodrich & Rosati to become acting Assistant Attorney General for the DoJ’s Antitrust Division. Songwriters come out worst in any negotiation with The Man, and the move, called “100 per cent licensing”, weakened their position further.


Someone Is Learning How to Take Down the Internet

[Note: Given the events of last week, I thought it was appropriate to post this item from September by Bruce Schneier to the list. DLH]

By Bruce Schneier
Sep 13 2016

Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don’t know who is doing this, but it feels like a large nation state. China or Russia would be my first guesses.

First, a little background. If you want to take a network off the Internet, the easiest way to do it is with a distributed denial-of-service attack (DDoS). Like the name says, this is an attack designed to prevent legitimate users from getting to the site. There are subtleties, but basically it means blasting so much data at the site that it’s overwhelmed. These attacks are not new: hackers do this to sites they don’t like, and criminals have done it as a method of extortion. There is an entire industry, with an arsenal of technologies, devoted to DDoS defense. But largely it’s a matter of bandwidth. If the attacker has a bigger fire hose of data than the defender has, the attacker wins.

Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they’re used to seeing. They last longer. They’re more sophisticated. And they look like probing. One week, the attack would start at a particular level of attack and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure.

The attacks are also configured in such a way as to see what the company’s total defenses are. There are many different ways to launch a DDoS attack. The more attack vectors you employ simultaneously, the more different defenses the defender has to counter with. These companies are seeing more attacks using three or four different vectors. This means that the companies have to use everything they’ve got to defend themselves. They can’t hold anything back. They’re forced to demonstrate their defense capabilities for the attacker.

I am unable to give details, because these companies spoke with me under condition of anonymity. But this all is consistent with what Verisign is reporting. Verisign is the registry operator for many popular top-level Internet domains, like .com and .net. If it goes down, there’s a global blackout of all websites and e-mail addresses in the most common top-level domains. Every quarter, Verisign publishes a DDoS trends report. While its publication doesn’t have the level of detail I heard from the companies I spoke with, the trends are the same: “in Q2 2016, attacks continued to become more frequent, persistent, and complex.”

There’s more. One company told me about a variety of probing attacks in addition to the DDoS attacks: testing the ability to manipulate Internet addresses and routes, seeing how long it takes the defenders to respond, and so on. Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services.

Who would do this? It doesn’t seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering. It’s not normal for companies to do that. Furthermore, the size and scale of these probes — and especially their persistence — points to state actors. It feels like a nation’s military cybercommand trying to calibrate its weaponry in the case of cyberwar. It reminds me of the US’s Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on, to map their capabilities.


As Artificial Intelligence Evolves, So Does Its Criminal Potential

Oct 23 2016

Imagine receiving a phone call from your aging mother seeking your help because she has forgotten her banking password.

Except it’s not your mother. The voice on the other end of the phone call just sounds deceptively like her.

It is actually a computer-synthesized voice, a tour-de-force of artificial intelligence technology that has been crafted to make it possible for someone to masquerade via the telephone.

Such a situation is still science fiction — but just barely. It is also the future of crime.

The software components necessary to make such masking technology widely accessible are advancing rapidly. Recently, for example, DeepMind, the Alphabet subsidiary known for a program that has bested some of the top human players in the board game Go, announced that it had designed a program that “mimics any human voice and which sounds more natural than the best existing text-to-speech systems, reducing the gap with human performance by over 50 percent.”

The irony, of course, is that this year the computer security industry, with $75 billion in annual revenue, has started to talk about how machine learning and pattern recognition techniques will improve the woeful state of computer security.

But there is a downside.

“The thing people don’t get is that cybercrime is becoming automated and it is scaling exponentially,” said Marc Goodman, a law enforcement agency adviser and the author of “Future Crimes.” He added, “This is not about Matthew Broderick hacking from his basement,” a reference to the 1983 movie “WarGames.”

The alarm about malevolent use of advanced artificial intelligence technologies was sounded earlier this year by James R. Clapper, the director of National Intelligence. In his annual review of security, Mr. Clapper underscored the point that while A.I. systems would make some things easier, they would also expand the vulnerabilities of the online world.

The growing sophistication of computer criminals can be seen in the evolution of attack tools like the widely used malicious program known as Blackshades, according to Mr. Goodman. The author of the program, a Swedish national, was convicted last year in the United States.

The system, which was sold widely in the computer underground, functioned as a “criminal franchise in a box,” Mr. Goodman said. It allowed users without technical skills to deploy computer ransomware or perform video or audio eavesdropping with a mouse click.

The next generation of these tools will add machine learning capabilities that have been pioneered by artificial intelligence researchers to improve the quality of machine vision, speech understanding, speech synthesis and natural language understanding. Some computer security researchers believe that digital criminals have been experimenting with the use of A.I. technologies for more than half a decade.

That can be seen in efforts to subvert the internet’s omnipresent Captcha — Completely Automated Public Turing test to tell Computers and Humans Apart — the challenge-and-response puzzle invented in 2003 by Carnegie Mellon University researchers to block automated programs from stealing online accounts.

Both “white hat” artificial intelligence researchers and “black hat” criminals have been deploying machine vision software to subvert Captchas for more than half a decade, said Stefan Savage, a computer security researcher at the University of California, San Diego.


Inside The Strange, Paranoid World Of Julian Assange

[Note: This item comes from friend David Isenberg. DLH]

The WikiLeaks founder is out to settle a score with Hillary Clinton and reassert himself as a player on the world stage, says BuzzFeed News special correspondent James Ball, who worked for Assange at WikiLeaks.
By James Ball
Oct 23 2016

On 29 November 2010, then US secretary of state Hillary Clinton stepped out in front of reporters to condemn the release of classified documents by WikiLeaks and five major news organisations the previous day.

WikiLeaks’ release, she said, “puts people’s lives in danger”, “threatens our national security”, and “undermines our efforts to work with other countries”.

“Releasing them poses real risks to real people,” she noted, adding, “We are taking aggressive steps to hold responsible those who stole this information.”

Julian Assange watched that message on a television in the corner of a living room in Ellingham Hall, a stately home in rural Norfolk, around 120 miles away from London.

I was sitting around 8ft away from him as he did so, the room’s antique furniture and rugs strewn with laptops, cables, and the mess of a tiny organisation orchestrating the world’s biggest news story.

Minutes later, the roar of a military jet sounded sharply overhead. I looked around the room and could see everyone thinking the same thing, but no one wanting to say it. Surely not. Surely? Of course, the jet passed harmlessly overhead – Ellingham Hall is not far from a Royal Air Force base – but such was the pressure, the adrenaline, and the paranoia in the room around Assange at that time that nothing felt impossible.

Spending those few months at such close proximity to Assange and his confidants, and experiencing first-hand the pressures exerted on those there, have given me a particular insight into how WikiLeaks has become what it is today.

To an outsider, the WikiLeaks of 2016 looks totally unrelated to the WikiLeaks of 2010. Then it was a darling of many of the liberal left, working with some of the world’s most respected newspapers and exposing the truth behind drone killing, civilian deaths in Afghanistan and Iraq, and surveillance of top UN officials.

Now it is the darling of the alt-right, revealing hacked emails seemingly to influence a presidential contest, claiming the US election is “rigged”, and descending into conspiracy. Just this week on Twitter, it described the deaths by natural causes of two of its supporters as a “bloody year for WikiLeaks”, and warned of media outlets “controlled by” members of the Rothschild family – a common anti-Semitic trope.

The questions asked about the organisation and its leader are often the wrong ones: How has WikiLeaks changed so much? Is Julian Assange the catspaw of Vladimir Putin? Is WikiLeaks endorsing a presidential candidate who has been described as racist, misogynistic, xenophobic, and more?

These questions miss a broader truth: Neither Assange nor WikiLeaks (and the two are virtually one and the same thing) have changed – the world they operate in has. WikiLeaks is in many ways the same bold, reckless, paranoid creation that it once was, but how that manifests, and who cheers it on, has changed.