Category Archives: surveillance

Dutch Official Admits Lying about Meeting With Putin: is Fake News Used by Russia or About Russia?

Every empire needs a scary external threat, led by a singular menacing villain, to justify its massive military expenditures, consolidation of authoritarian powers, and endless wars. For the five decades after the end of World War II, Moscow played this role perfectly. But the fall of Soviet Union meant, at least for a while, that the Kremlin could no longer sustain sufficient fear levels. After some brief, largely unsuccessful auditions for possible replacements – Asian actors like China and a splurging Japan were considered – the post-9/11 era elevated a cast of Muslim understudies to the starring role: Al Qaeda and bin Laden, ISIS and al-Baghdadi, and “jihadism” generally kept fear alive.

The lack of any 9/11-type catastrophic attack on U.S. (or any western) soil for the past 17 years, along with the killing of a pitifully aged, ailing bin Laden and the erosion of ISIS, has severely compromised their ongoing viability as major bad guys. So now – just as a film studio revitalizes a once-successful super-villain franchise for a new generation of moviegoers – we’re back to the Russians occupying center stage.

That Obama spent eight years (including up through his final year-end news conference) mocking the notion that Russia posed a serious threat to the U.S. given their size and capabilities, and that he even tried repeatedly to accommodate and partner with Putin, is of no concern: in the internet age, “2016” is regarded as ancient history, drowned out by an endless array of new threats pinned by a united media on the Russkie Plague. Moreover, human nature craves a belief in an existential foreign threat because it confers a sense of purpose and cause, strengthens tribal unity and identity, permits scapegoating, shifts blame for maladies from internal to external causes, and (like religion) offers a simplifying theory for understanding a complex world.

One of the prime accusations sustaining this script is that the Kremlin is drowning the west in Fake News and other forms of propaganda. One can debate its impact and magnitude but disinformation campaigns are something the U.S., Russia and countless other nations have done to one another for centuries, and there is convincing evidence Russia does this sort of thing now. But evidence of one threat does not mean that all claimed threats are real, nor does it mean that that tactic is exclusively wielded by one side.

Over the past year, there have been numerous claims made by western intelligence agencies, mindlessly accepted as true in the western press, that have turned out to be baseless if not deliberate scams. Just today, it was revealed that the Dutch Foreign Minister, Halbe Zijlstra, lied when he claimed he was at a meeting with Putin in which the Russian president “said he considered Belarus, Ukraine and the Baltic states as part of a ‘Greater Russia.'”

Fake News is certainly something to worry about when it emanates from foreign adversaries but it is at least as concerning and threatening, if not more so, when emanating from one’s own governments and media. And there are countless, highly significant examples beyond today’s example of such propaganda that emanates from within:

Russian interference in Brexit vote:

The Guardian, January 10, 2018:

Reuters, February 8, 2018:

Russians responsible for #ReleaseTheMemo campaign:

Associated Press, January 22, 2018:

Daily Beast, January 23, 2018:

Russian interference in German elections:

Reuters, July 4, 2017:

New York Times, September 21, 2017:

Russians hacked Macron campaign:

Telegraph, May 6, 2017:

Associated Press, June 1, 2017:

And this is all independent of all those cases when the U.S. media was forced to retract, or issue humiliating Editor’s Notes, about stories regarding the Russian Threat that turned out to be false. Even in those cases where some evidence can be found suggesting that some “Russians” were engaged online in support for a particular cause, the size and impact of it is usually so minute as to be laughable. In response to months of demands and threats to Twitter from the UK Government to investigate how its service was used by Russians to support the Brexit referendum, Twitter – to satisfy mounting complaints – finally came up with this:

For the six decades of the miserable Cold War, those Americans who tried to argue that the Russian threat was being exaggerated for nefarious ends and who advocated for better relations between Washington and Moscow were branded as “traitors,” Kremlin apologists, or at best, “useful idiots.” The revitalization of Russia as Prime Villain has also given new life to those old right-wing tactics, though this time wielded by the same people who were once its targets:

But the reason this matters so much – this coordinated devotion to once again depicting Russia as a grave threat – is because of the serious, enduring policy implications. New Democratic Party star Joseph Kennedy III is following in the footsteps of his Cold Warrior ancestors by proposing massive new military, propaganda and cyber-security programs to combat the Russian threat. Senators such as Democrat Jeanne Shaheen and Republican John McCain routinely refer to “acts of war” when discussing US/Russia relations. British generals and tabloids are hyping the Russian threat beyond all measure of reason in their quest to obtain new weapons systems and increased military spending at the expense of austerity-battered British subjects.

If there’s any lesson that should unite everyone in the west, it’s that the greatest skepticism is required when it comes to government and media claims about the nature of foreign threats. If we’re going to rejuvenate a Cold War, or submit to greater military spending and government powers in the name of stopping alleged Russian aggression, we should at least ensure that the information on which those campaigns succeed are grounded in fact. Even a casual review of the propaganda spewing forth from western power centers over the last year leaves little doubt that the exact opposite is happening.

The post Dutch Official Admits Lying about Meeting With Putin: is Fake News Used by Russia or About Russia? appeared first on The Intercept.

After Section 702 Reauthorization

For over a decade, civil libertarians have been fighting government mass surveillance of innocent Americans over the Internet. We've just lost an important battle. On January 18, President Trump signed the renewal of Section 702, domestic mass surveillance became effectively a permanent part of US law.

Section 702 was initially passed in 2008, as an amendment to the Foreign Intelligence Surveillance Act of 1978. As the title of that law says, it was billed as a way for the NSA to spy on non-Americans located outside the United States. It was supposed to be an efficiency and cost-saving measure: the NSA was already permitted to tap communications cables located outside the country, and it was already permitted to tap communications cables from one foreign country to another that passed through the United States. Section 702 allowed it to tap those cables from inside the United States, where it was easier. It also allowed the NSA to request surveillance data directly from Internet companies under a program called PRISM.

The problem is that this authority also gave the NSA the ability to collect foreign communications and data in a way that inherently and intentionally also swept up Americans' communications as well, without a warrant. Other law enforcement agencies are allowed to ask the NSA to search those communications, give their contents to the FBI and other agencies and then lie about their origins in court.

In 1978, after Watergate had revealed the Nixon administration's abuses of power, we erected a wall between intelligence and law enforcement that prevented precisely this kind of sharing of surveillance data under any authority less restrictive than the Fourth Amendment. Weakening that wall is incredibly dangerous, and the NSA should never have been given this authority in the first place.

Arguably, it never was. The NSA had been doing this type of surveillance illegally for years, something that was first made public in 2006. Section 702 was secretly used as a way to paper over that illegal collection, but nothing in the text of the later amendment gives the NSA this authority. We didn't know that the NSA was using this law as the statutory basis for this surveillance until Edward Snowden showed us in 2013.

Civil libertarians have been battling this law in both Congress and the courts ever since it was proposed, and the NSA's domestic surveillance activities even longer. What this most recent vote tells me is that we've lost that fight.

Section 702 was passed under George W. Bush in 2008, reauthorized under Barack Obama in 2012, and now reauthorized again under Trump. In all three cases, congressional support was bipartisan. It has survived multiple lawsuits by the Electronic Frontier Foundation, the ACLU, and others. It has survived the revelations by Snowden that it was being used far more extensively than Congress or the public believed, and numerous public reports of violations of the law. It has even survived Trump's belief that he was being personally spied on by the intelligence community, as well as any congressional fears that Trump could abuse the authority in the coming years. And though this extension lasts only six years, it's inconceivable to me that it will ever be repealed at this point.

So what do we do? If we can't fight this particular statutory authority, where's the new front on surveillance? There are, it turns out, reasonable modifications that target surveillance more generally, and not in terms of any particular statutory authority. We need to look at US surveillance law more generally.

First, we need to strengthen the minimization procedures to limit incidental collection. Since the Internet was developed, all the world's communications travel around in a single global network. It's impossible to collect only foreign communications, because they're invariably mixed in with domestic communications. This is called "incidental" collection, but that's a misleading name. It's collected knowingly, and searched regularly. The intelligence community needs much stronger restrictions on which American communications channels it can access without a court order, and rules that require they delete the data if they inadvertently collect it. More importantly, "collection" is defined as the point the NSA takes a copy of the communications, and not later when they search their databases.

Second, we need to limit how other law enforcement agencies can use incidentally collected information. Today, those agencies can query a database of incidental collection on Americans. The NSA can legally pass information to those other agencies. This has to stop. Data collected by the NSA under its foreign surveillance authority should not be used as a vehicle for domestic surveillance.

The most recent reauthorization modified this lightly, forcing the FBI to obtain a court order when querying the 702 data for a criminal investigation. There are still exceptions and loopholes, though.

Third, we need to end what's called "parallel construction." Today, when a law enforcement agency uses evidence found in this NSA database to arrest someone, it doesn't have to disclose that fact in court. It can reconstruct the evidence in some other manner once it knows about it, and then pretend it learned of it that way. This right to lie to the judge and the defense is corrosive to liberty, and it must end.

Pressure to reform the NSA will probably first come from Europe. Already, European Union courts have pointed to warrantless NSA surveillance as a reason to keep Europeans' data out of US hands. Right now, there is a fragile agreement between the EU and the United States ­-- called "Privacy Shield" -- ­that requires Americans to maintain certain safeguards for international data flows. NSA surveillance goes against that, and it's only a matter of time before EU courts start ruling this way. That'll have significant effects on both government and corporate surveillance of Europeans and, by extension, the entire world.

Further pressure will come from the increased surveillance coming from the Internet of Things. When your home, car, and body are awash in sensors, privacy from both governments and corporations will become increasingly important. Sooner or later, society will reach a tipping point where it's all too much. When that happens, we're going to see significant pushback against surveillance of all kinds. That's when we'll get new laws that revise all government authorities in this area: a clean sweep for a new world, one with new norms and new fears.

It's possible that a federal court will rule on Section 702. Although there have been many lawsuits challenging the legality of what the NSA is doing and the constitutionality of the 702 program, no court has ever ruled on those questions. The Bush and Obama administrations successfully argued that defendants don't have legal standing to sue. That is, they have no right to sue because they don't know they're being targeted. If any of the lawsuits can get past that, things might change dramatically.

Meanwhile, much of this is the responsibility of the tech sector. This problem exists primarily because Internet companies collect and retain so much personal data and allow it to be sent across the network with minimal security. Since the government has abdicated its responsibility to protect our privacy and security, these companies need to step up: Minimize data collection. Don't save data longer than absolutely necessary. Encrypt what has to be saved. Well-designed Internet services will safeguard users, regardless of government surveillance authority.

For the rest of us concerned about this, it's important not to give up hope. Everything we do to keep the issue in the public eye ­-- and not just when the authority comes up for reauthorization again in 2024 -- hastens the day when we will reaffirm our rights to privacy in the digital age.

This essay previously appeared in the Washington Post.

Detecting Drone Surveillance with Traffic Analysis

This is clever:

Researchers at Ben Gurion University in Beer Sheva, Israel have built a proof-of-concept system for counter-surveillance against spy drones that demonstrates a clever, if not exactly simple, way to determine whether a certain person or object is under aerial surveillance. They first generate a recognizable pattern on whatever subject­ -- a window, say -- someone might want to guard from potential surveillance. Then they remotely intercept a drone's radio signals to look for that pattern in the streaming video the drone sends back to its operator. If they spot it, they can determine that the drone is looking at their subject.

In other words, they can see what the drone sees, pulling out their recognizable pattern from the radio signal, even without breaking the drone's encrypted video.

The details have to do with the way drone video is compressed:

The researchers' technique takes advantage of an efficiency feature streaming video has used for years, known as "delta frames." Instead of encoding video as a series of raw images, it's compressed into a series of changes from the previous image in the video. That means when a streaming video shows a still object, it transmits fewer bytes of data than when it shows one that moves or changes color.

That compression feature can reveal key information about the content of the video to someone who's intercepting the streaming data, security researchers have shown in recent research, even when the data is encrypted.

Research paper and video.

Big predictions for sensors in the global security and surveillance market

The Internet of Things (IoT) is bringing about a new era of connectivity in the digital age, connecting critical business sectors through a network of secure data flow, analytics, and management. IoT is also bringing numerous opportunities for sensor participants through security technologies required for remote services and enhanced accessibility of devices. The total sensors market in security and surveillance applications was worth $6,267.9 million in 2016, with image sensors holding the largest market share … More

E Hacking News – Latest Hacker News and IT Security News: Skygofree Malware: One of Most Advanced Spyware Ever Seen

Russian cybersecurity lab, Kaspersky, has found out a new advanced Android spyware having “never before seen” features that lets hackers carry out advanced surveillance on Android phones, such as location-based audio recording, WhatsApp message theft, and connecting an infected device to Wi-Fi networks controlled by cybercriminals.

The malware, dubbed as “Skygofree,” was reportedly found on malicious websites in Italy. According to Kaspersky, the malware is most likely an offensive security product sold by an Italy-based IT company that markets various surveillance wares.

More information including, Skygofree's commands, indicators of compromise, domain addresses, and device models targeted, can be found in their blog post on Securelist.

The spyware functions by tricking the “Accessibility” feature present in Android to help users with disabilities access their apps. Using this, the spyware can read the messages displayed on the screen, even those sent by the user.

Skygofree is also capable of taking pictures and video, recording audio and noise according to the location specified by the hacker, record Skype conversations, seizing call records, geolocation data, and other sensitive data.

Kaspersky believes that, just like an earlier hack in 2015 by Hacking Team, an Italy-based spyware developer, Skygofree was also developed by Italians.

Skygofree has allegedly been active since 2014 and has been targeting select individuals, who are all from Italy. The spyware has been undergoing regular development since then and as many as 48 commands were found in the latest version.


E Hacking News - Latest Hacker News and IT Security News

Skygofree Malware: One of Most Advanced Spyware Ever Seen

Russian cybersecurity lab, Kaspersky, has found out a new advanced Android spyware having “never before seen” features that lets hackers carry out advanced surveillance on Android phones, such as location-based audio recording, WhatsApp message theft, and connecting an infected device to Wi-Fi networks controlled by cybercriminals.

The malware, dubbed as “Skygofree,” was reportedly found on malicious websites in Italy. According to Kaspersky, the malware is most likely an offensive security product sold by an Italy-based IT company that markets various surveillance wares.

More information including, Skygofree's commands, indicators of compromise, domain addresses, and device models targeted, can be found in their blog post on Securelist.

The spyware functions by tricking the “Accessibility” feature present in Android to help users with disabilities access their apps. Using this, the spyware can read the messages displayed on the screen, even those sent by the user.

Skygofree is also capable of taking pictures and video, recording audio and noise according to the location specified by the hacker, record Skype conversations, seizing call records, geolocation data, and other sensitive data.

Kaspersky believes that, just like an earlier hack in 2015 by Hacking Team, an Italy-based spyware developer, Skygofree was also developed by Italians.

Skygofree has allegedly been active since 2014 and has been targeting select individuals, who are all from Italy. The spyware has been undergoing regular development since then and as many as 48 commands were found in the latest version.

The US Global surveillance bill has been signed by President Trump

US Government missed a historic opportunity to reform a dangerous surveillance law that opens to a global surveillance, instead it has signed a version that makes it worse.

The U.S. legal framework related to the domestic surveillance has been signed by President Trump one day after the Senate approved it with 65 votes against 34. The bill will be effective for other six years, below the Edward Snowden’s comment:

Privacy advocates and civil rights have a long criticized the Section 702 of the Foreign Intelligence Surveillance Act (FISA) that allows US intelligence agencies to conduct domestic surveillance under certain conditions without a warrant.

The Section 702 allows the NSA to conduct warrantless spying of foreigners located abroad, including any communications with US citizens.

NSA surveillance activities

Section 702 was revealed by NSA whistleblower Edward Snowden in 2012. Civil rights and privacy advocates consider it as unconstitutional under the Fourth Amendment.

The bill increases spying powers of intelligence agencies and block safeguards, curiously it was passed by Republicans who always criticized the corruption of the Government.

Politicians that voted for the Section 702 believe it is crucial it is crucial to protect Americans from foreign governments and terrorism, they highlighted that the revisions to the bill will guarantee citizens from any abuse.

“There is a glimmer of light,” “The last few weeks have demonstrated that bipartisan efforts to reform our surveillance laws continue on an arc of progress.” wrote ACLU legislative counsel Neema Singh Guliani in a blog post.

“With only two more votes, reformers could have halted this bill from advancing and forced a floor debate over badly needed improvements. And an effort to pass the most comprehensive Section 702 reform bill introduced in Congress garnered the support of over 180 members in the House. With actual debate, real reform provisions likely would have passed.”

Just hours before the section 702 program was signed by the President, the Senate’s intelligence committee approved the release of a confidential four-page memo alleging previous abuse of the FISA spying program to the rest of Congress.

“Scores of Republicans have since viewed the document in a Sensitive Compartmented Information Facility on Capitol Hill. They left expressing shock, saying the special counsel investigation into whether Trump’s campaign officials had improper contacts with Russia is based on politically motivated actions at the highest level of law enforcement.” reported The Hill.

House Freedom Caucus Chairman Mark Meadows (R-N.C.) called the memo “shocking.”

““I’m here to tell all of a America tonight that I’m shocked to read exactly what has taken place,” Meadows (R-N.C.) said in a speech on the House floor. 

“I thought it could never happen in a country that loves freedom and democracy like this country. It is time that we become transparent with all of this, and I’m calling on our leadership to make this available so all Americans can judge for themselves.”

Politicians opposing the section 702 program are defining its contents “worse than Watergate.”

In conclusion, this is a black page in the history of Americans. The 6-year extension of the regulation that allows the US government to monitor foreigners’ communications abroad without a warrant has been approved. Moreover, the US  intelligence will also be able to spy on American citizens, politicians, businessmen, and journalists who communicate with them, despite the Fourth Amendment.

Pierluigi Paganini

(Security Affairs – NSA surveillance, Section 702- FISA)

The post The US Global surveillance bill has been signed by President Trump appeared first on Security Affairs.

Republicans Have Four Easy Ways to #ReleaseTheMemo — and the Evidence for It. Not Doing So Will Prove Them to Be Shameless Frauds.

One of the gravest and most damaging abuses of state power is to misuse surveillance authorities for political purposes. For that reason, the Intercept, from its inception, has focused extensively on these issues.

We therefore regard as inherently serious strident warnings from public officials alleging that the FBI and DOJ have abused their spying power for political purposes. Social media last night and today have been flooded with inflammatory and quite dramatic claims now being made by congressional Republicans about a four page memo alleging abuses of FISA spying processes during the 2016 election. This memo, which remains secret, was reportedly written under the direction of the Chairman of the House Permanent Select Committee on Intelligence, GOP Rep. Devin Nunes, and has been read by dozens of members of Congress after the committee voted to make the memo available to all members of the House of Representatives to examine in a room specially designated for reviewing classified material.

The rhetoric issuing from GOP members who read the memo is notably extreme. North Carolina Republican Rep. Mark Meadows, chair of the House Freedom Caucus, called the memo “troubling” and “shocking” and said, “Part of me wishes that I didn’t read it because I don’t want to believe that those kinds of things could be happening in this country that I call home and love so much.” GOP Rep. Scott Perry of Pennsylvania stated: “You think about, ‘Is this happening in America or is this the KGB?’ That’s how alarming it is.”

This has led to a ferocious outcry on the right to “release the memo” – and presumably thereby prove that the Obama administration conducted unlawful surveillance on the Trump campaign and transition. On Thursday night, Fox News host and stalwart Trump ally Sean Hannity claimed that the memo described “the systematic abuse of power, the weaponizing of those powerful tools of intelligence and the shredding of our Fourth Amendment constitutional rights.”

Given the significance of this issue, it is absolutely true that the memo should be declassified and released to the public — and not just the memo itself. The House Intelligence Committee generally and Nunes specifically have a history of making unreliable and untrue claims (its report about Edward Snowden was full of falsehoods, as Bart Gellman amply documented, and prior claims from Nunes about “unmasking” have been discredited). Thus, mere assertions from Nunes – or anyone else – are largely worthless; Republicans should provide American citizens not merely with the memo they claim reveals pervasive criminality and abuse of power, but also with all of the evidence underlying its conclusions.

President Trump and congressional Republicans have the power, working together or separately, to immediately declassify all the relevant information. And if indeed the GOP’s explosive claims are accurate – if, as HPSCI member Steve King, R.-Iowa., says, this is “worse than Watergate” — they obviously have every incentive to get it into the public’s hands as soon as possible. Indeed, one could argue that they have the duty to do so.

On the other hand, if the GOP’s claims are false or significantly misleading – if they are, with the deepest cynicism imaginable, simply using these crucial issues to whip up their base or discredit the Mueller investigation, or exaggerating or making claims that lack any evidentiary support, or trying to have the best of all worlds by making explosive claims about the memo but never having to prove their truth — then they will either not release the memo or they will release it without any supporting documentation, making it impossible for Americans to judge its accuracy for themselves.

Anyone who is genuinely concerned about the claims being made about eavesdropping abuses should understand why the issue of evidence is so critical. After all, the House, Senate and FBI investigations into any Trump collusion with Russia have so far proceeded with many startling claims in the media, but to date little hard evidence for the public to judge. Nobody rational should be assuming any claims or assertions from partisan actors about the 2016 election are true without seeing evidence to substantiate those claims.

The good news is there are at least four easy ways for congressional Republicans and/or President Trump to definitively prove that all the right’s darkest suspicions about the Obama administration are true. If this memo and the underlying documents prove even a fraction of what GOP politicians and media figures are claiming about them, then what could possibly justify its ongoing concealment? Any or all of these methods should be promptly invoked to ensure that the public sees this evidence:

  1. President Trump can declassify anything he wants.

All classification by the U.S. government has no basis in laws passed by Congress (with one tiny exception that is irrelevant here.) Rather, all classification is based on presidential executive orders, which rely on the president’s constitutional role as commander in chief of the armed forces. According to the Supreme Court, the presidential power “to classify and control access to information bearing on national security … flows primarily from the constitutional investment of power in the president.”

That means presidents can also declassify anything they chose to – for any reason or no reason – as they have done in the past. George W. Bush, under pressure in 2004, declassified the section of the 2001 presidential daily brief headlined “Bin Laden Determined to Strike in U.S.” Barack Obama declassified the Justice Department memos produced during the Bush presidency on the legality of torture.

Thus if the House Intelligence Committee merely releases a version of its memo without the supporting documentation, that won’t be just because they don’t want Americans to see it – it will be because Trump doesn’t want us to see it either. Note that GOP House members are insistent that releasing the memo and the underlying source material would not remotely harm national security:

So what possible justification is there for Trump to continue to conceal this alleged evidence of massive criminality from the American people by hiding it behind “classified” designations? Indeed, it is illegal to abuse classified designations to hide evidence of official criminality: so not only can Trump declassify such evidence, one could argue that he must, or at least should.

  1. The House (and Senate) intelligence committees can declassify any material they possess.

According to the procedural rules of both houses of Congress, their intelligence committees can declassify material in their possession if the committee votes that such declassification would be in the public interest. It is then declassified after five days unless the president formally objects. If the president does object, the full chamber votes on the question.

It is true that – in a measure of how embarrassingly deferential Congress is to the executive branch – neither the House nor the Senate intelligence committees has ever utilized this power, so it’s impossible to know how this gambit would play out in practice. But if Trump refused to release proof of the Obama administration’s misdeeds, congressional Republicans should have a straightforward way to overrule him.

  1. The Constitution protects members of Congress from prosecution for “any speech or debate in either House.”

Members of Congress have legal immunity for acts they commit as part of the legislative process. Article I, Section 6, clause 1 of the Constitution states that “for any speech or debate in either House, [Senators and Representatives] shall not be questioned in any other place.” It is this constitutional shield that protected Sen. Mike Gravel of Alaska from legal consequences in 1971 when he read sections of the Pentagon Papers during a meeting of the Senate Subcommittee on Public Buildings and Grounds, and then placed the rest of the Pentagon Papers into the Congressional Record.

It’s true that members could face legal consequences for ancillary acts — perhaps if they unlawfully removed the relevant material from the congressional SCIF. But they could go to the House floor and describe both the memo’s revelations and the underlying evidence for it without any fear of legal consequences.

If the memo really proves what they claim, it would seem to be their patriotic duty would compel them do this. Ordinary citizens – like Daniel Ellsberg, Edward Snowden and Chelsea Manning – have risked prison in order to expose what they believed was serious official crimes; these members of Congress can do this without any of those consequences. So what justifies their failure to do this?

  1. Republicans can leak everything to the news media.

If for some reason President Trump and the congressional leadership refuse to use any of the above options to vindicate themselves, a brave member of congress could turn whistleblower and transmit the classified proof of the GOP’s claims about the memo to the news media.

Many outlets now have secure methods of sending sensitive material to them, such as Secure Drop. Those for The Intercept can be found here. (All leaking entails risks, as we describe in our manual for whistleblowers).

So that’s that. All Americans, particularly conservatives, should ask every Republican making spectacular assertions about this memo when they will be using the above ways to conclusively demonstrate that everything they’ve said is based in rock-solid fact.

If they do not, Republicans will conclusively demonstrate something else. They will prove conclusively that all of this is about them shamelessly making claims they do not actually believe, fraudulently posturing as caring about one of the most vital, fundamental issues facing the United States: how the U.S. government uses the vast surveillance powers with which it has been vested.

Top photo: The official seal of the Federal Bureau of Investigation is seen on an iPhone’s camera screen outside the J. Edgar Hoover headquarters in Washington, on Feb. 23, 2016.

The post Republicans Have Four Easy Ways to #ReleaseTheMemo — and the Evidence for It. Not Doing So Will Prove Them to Be Shameless Frauds. appeared first on The Intercept.

Researchers uncover mobile, PC surveillance platform tied to different nation-state actors

The Electronic Frontier Foundation (EFF) and mobile security company Lookout have uncovered a new malware espionage campaign that has targeted activists, journalists, lawyers, military personnel, and enterprises in more than 20 countries in North America, Europe, the Middle East, and Asia. They have dubbed the threat Dark Caracal, and have traced its activities to as far back as 2012. The malware used by Dark Caracal The attackers went after information stored on targets’ Android devices … More

House Votes to Reauthorize Controversial Spy Provision, Section 702

The U.S. House of Representatives voted to renew U.S. spy provisions, extending the powers of the NSA to collect internet communications for another six years.

macOS Malware Creator Charged With Spying on Thousands of PCs Over 13 Years

The U.S. Justice Department unsealed 16-count indictment charges on Wednesday against a computer programmer from Ohio who is accused of creating and installing spyware on thousands of computers for more than 13 years. According to the indictment, 28-year-old Phillip R. Durachinsky is the alleged author of FruitFly malware that was found targeting Apple Mac users earlier last year worldwide,

Susan Landau’s New Book: Listening In

Susan Landau has written a terrific book on cybersecurity threats and why we need strong crypto. Listening In: Cybersecurity in an Insecure Age. It's based in part on her 2016 Congressional testimony in the Apple/FBI case; it examines how the Digital Revolution has transformed society, and how law enforcement needs to -- and can -- adjust to the new realities. The book is accessible to techies and non-techies alike, and is strongly recommended.

And if you've already read it, give it a review on Amazon. Reviews sell books, and this one needs more of them.

Urgent: Congress will likely vote this week on controversial NSA surveillance powers. Make your voice heard.

Tech
Pixabay

With a controversial surveillance law about to expire, the House of Representatives is expected to vote this week on whether to protect the public’s  Fourth Amendment rights to privacy or to allow the National Security Agency (NSA) to violate those rights by continuing to conduct warrantless surveillance on its own citizens.

Congress’ effort to hastily renew the NSA’s warrantless spying authority—known as Section 702 of the Foreign Surveillance Intelligence Act (FISA)—failed last month after widespread opposition. Now, legislators are trying again ahead of the January 19 deadline when the law is now set to expire.

The bill up for consideration is being labeled by certain members of the House Intelligence Committee as “reform,” but offers no substantial changes. It doesn’t close the loophole that allows the US government to warrantlessly spy on its own citizens, and it actually codifies some of the law’s most problematic aspects.

If passed, the government would be empowered to continue its use of Section 702 to collect the emails and phone calls of Americans when communicating with people living abroad without a warrant or any suspicion of wrongdoing. The new bill would impose warrant “requirements” only for FBI agents and only when launching a “formal” national security investigation. In short, the FBI could still read data collected under Section 702 about Americans uninhibited, and would only have to apply for a warrant if it decided later it wanted to launch an investigation, rendering the supposed requirement virtually meaningless.

Much like with the health care and tax debates, Republicans have kept the exact language of the bill they plan to force a vote on secret from the American public, making it hard for constituents to weigh in. However it’s quite likely, given that members of the GOP Freedom Caucus may vote against an extension of NSA spying powers, that Democrats will have the ability to kill the bill if it doesn’t have robust privacy protections in place.

House Minority Leader Nancy Pelosi has so far not signaled which way she will vote, but if she recommends a “no” vote to other Democrats, it could swing the entire vote. The Electronic Frontier Foundation has set up a call tool to tell Representative Pelosi to stand up for the Fourth Amendment. Call on your representatives to reject any reauthorization of the government’s surveillance authority that doesn’t include strong privacy protections.

In an attempt to stifle debate, intelligence community has failed to provide even a rough estimate of the number of Americans whose communications are swept up in surveillance that targets foreigners. As Senator Ron Wyden wrote earlier last year:

Congress and the American people deserve a fully informed debate about this reauthorization.  And we can’t have that debate unless we know the impact of Section 702 on the privacy and constitutional rights of Americans.

As long as this unconstitutional surveillance continues, people who care about their privacy—and particularly those who work with sensitive information like attorneys, activists, and journalists—are forced to act like spies to protect their communications from interception by their own government.

The Trump Administration, which has drastically escalated its crackdown on leakers and indicated openness to prosecuting journalists, would be granted sweeping surveillance powers if FISA Section 702 is passed without substantial changes. Trump has gone to extreme lengths to target immigrants, promised to surveil Muslim Americans, and has been accused of using the Department of Justice to go after his political enemies.

A Trump Administration with such vast spying powers has worrying implications for civil liberties. Any representative who claims to defend those civil liberties should vote against the bill. Public efforts successfully postponed a vote on the similarly flawed bill in December, and it’s crucial we keep the pressure on Congress now with a vote expected this week.

Tell House Minority Leader Nancy Pelosi to stand up for our Fourth Amendment rights and call on your representatives to reject any reauthorization of the government’s surveillance authority that doesn’t include strong privacy protections.

Congress is debating NSA’s spying powers. Demand they end warrantless surveillance on Americans.

NSA at Night by Trevor Paglen
Trevor Paglen

Once again, controversial National Security Agency (NSA) surveillance powers that affect millions of Americans are up for renewal in Congress, and lawmakers are attempting to ram through extreme and unconstitutional spying policies with virtually no debate.

Congress has known for years that Section 702 of the Foreign Intelligence Security Act—which allows the NSA to warrantlessly collect and read the communications of an untold number of Americans if they are talking to someone internationally—was set to expire at the end of the year. Yet as they did in 2012, Congress has waited until the very last minute to bring the topic up for a vote in the hopes that they could quickly pass a bill without the American public realizing what’s happening.

Civil liberties advocates have been decrying the NSA’s powers under Section 702 of FISA Amendments Act as unconstitutional for years, and a large bipartisan group of lawmakers have called for new restrictions. Yet House Republicans on Wednesday attempted to pass a bill that actually would have expanded these powers even further without any debate.

Not only would the Republicans’ bill have extended Section 702 with no reforms for years, but it would’ve explicitly allowed the FBI to target Americans’ emails in NSA databases without a warrant, and it would also have restarted the collection of Americans’ international emails that were merely about an NSA target—a controversial and unconstitutional practice that was just halted earlier this year.

If you want to read more about the extreme dangers in the bill that Republicans were proposing, Edward Snowden and the ACLU held a detailed Reddit AMA on the bill on Wednesday that you can read here.

But thankfully, after widespread outcry on Wednesday, the bill was pulled and a vote postponed. But the fight is far from over, and the next steps for Section 702 are uncertain. While it’s set to expire on December 31, the Trump administration is arguing it can keep the program going through at least April. Lawmakers could vote to temporarily reauthorize Section 702, or they could try again to rapidly push through legislation that expands NSA spying powers. 

But one thing’s for certain: As we saw yesterday, together we can pressure Congress to respect the Fourth Amendment. Americans deserve transparency, real legislative debate, and policies that keep them safe without violating their right to privacy.  Call your representatives and urge them to protect your privacy and vote no on reauthorization of Section 702 without serious reforms that end warrantless, mass surveillance.

How journalists can protect themselves while covering protests

Antiwar Demonstrators by Geoff King

Antiwar demonstrators attempt to enter the Phillip Burton Federal Building in San Francisco on January 5, 2009.

© Geoffrey King

Protesters call attention to economic, environmental, racial, gender-based and other forms of injustice. For journalists covering political movements, reporting on protests is crucial, but these events come with unique security challenges. This quick guide will focus on how U.S. journalists can manage the security of their devices and reporting materials when covering protests. Digital security is only one consideration, alongside both physical threats and your rights as a citizen and journalist.

Protecting your information

Before covering a protest, consider what data you’re bringing to the event, and what kinds of evidence you hope to take away. You also want to think about what would happen if any of that information left your custody. Depending on your situation, your devices might be lost, stolen, or confiscated by any number of groups — bystanders, demonstrators, authorities, and others. Ask yourself a few questions before attending the event:

  1. Do you have any sensitive data on your devices?
  2. How likely do you think it is that a third party could get access to your devices?
  3. Who could get access to your devices, and what might they be able to do?
  4. Do your web-connected devices have access to remote services, such as your email?
  5. Are there sensitive details that you need to obscure before publication, such as the identities of those involved? Would it be acceptable for them to be seen by someone before publication?

Sometimes protests can be relatively calm events. But sometimes protests can be chaotic. Press observers aren’t always distinguishable from the crowd; sometimes reporters even find themselves deliberately targeted by police, protesters or both. When protests become dynamic, equipment is generally more likely to be damaged, lost, stolen, or confiscated. Know the environment and the likely risks.

Need to protect your communications?

Signal Logo

Before going anywhere, make sure your colleagues know where you are, and have your contact information.

Phone calls and SMS text messages can be easily intercepted. One common way SMS messages and phone calls are intercepted is using a fake cellphone tower, sometimes called an IMSI catcher or “Stingray.” Evidence compiled by Lucy Parsons Labs suggests IMSI catchers are being used by law enforcement officials around the globe. The good news is that it’s pretty easy to encrypt your mobile communications. Use Signal for iOS or Android to make secure phone calls and send secure text messages. If you want help getting started, read Signal for Beginners.

Keep in mind that your messages are only as secure as your phone. So if there’s no passcode, your phone can be opened with a simple swipe.

Keeping your data safe

You’ll want to make sure a record of what you saw at the event makes it out safely. Whatever form your media takes — physical film, or digital storage on a camera or smartphone — be prepared to physically secure your media.

Consider bringing a secondary mobile device

We all love to bring our mobile devices everywhere. But before bringing it to a protest, think carefully about what data is on your phone, and what might happen if it leaves your possession. Does it contain a great deal of sensitive or private information? Would losing access cause you significant problems? If so, consider bringing an alternative device instead.

Contract-free phones are fairly easy to find at corner stores and electronics shops (e.g., Best Buy) and can typically be activated immediately after purchase. These devices are not nearly as secure as an up-to-date iPhone, for example, and encryption may not be on by default. On this secondary device, avoid logging into accounts with access to your personal data. If you plan on uploading video recordings on your mobile device, make sure to purchase a large data plan. Remember that your colleagues may not know about your secondary phone; make sure you’ve exchanged numbers. You can put their numbers in your phone, but in case you lose access, write it down somewhere else as well.

If you need to bring your personal device, there are smart ways to do that.

Before covering an event, back up your mobile devices locally

If you’re going to bring your mobile device to the event, make a local backup of your data in case you lose access to your device. iPhones can make local backups using iTunes. Learn how to back up files on your Android device.

Encrypt your devices

If your mobile device ever leaves your possession, the data on your hard disk can be read or copied. The good news is that it’s pretty easy to encrypt your disk. If you have a new password-protected iPhone, congratulations, your disk is already encrypted. Locking your phone is sufficient to encrypt the device — the longer the passcode, the better. For Android users, it’s pretty easy to encrypt your phone. Only a few Android phones are encrypted by default — the Google Pixel, Nexus 5X, 6P, 6, and 9. For Android devices, disk encryption is activated after powering down the phone entirely. It’s not enough to put the device into sleep mode.

(While you may not bring your laptop to an event, it’s still generally a good idea to encrypt your disk using your operating system’s native software, FileVault for Mac, or BitLocker on Windows. This is strongly advised for protecting your backups as well.)

Turn off mobile fingerprint unlock

Fingerprints and passwords are treated quite differently by law enforcement. Right now, the legal protections for information inside of your mind — such as your password — are much stronger than information on your body. Turn off your fingerprint scanner when covering protests. You can turn it back on later.

iPhone users: Settings > Touch ID & Passcode

Android users (with Nexus devices): Settings > Security > Nexus Imprint

Live streaming comes with tradeoffs

Sometimes it’s easiest to take video with your mobile device. Live streaming a video online (e.g., via Facebook Live) can be extraordinarily useful for capturing an event. If your device is confiscated, but you live streamed the video, it’s already out in the world. But you’re also at the whim of the streaming service. For instance, Facebook can, and has cut off Live feeds at the request of law enforcement. You also risk sharing unblurred images of protest participants and bystanders. Consider the tradeoffs, and if streaming is a good choice for your situation.

Need to protect the people in your photos or videos?

It’s possible you don’t want to identify the individuals in your images or recordings. When you’re concerned about revealing the individuals in a video, use ObscuraCam for Android to blur faces in your footage. ObscuraCam is developed by a group called The Guardian Project; check out their other tools for digital security as well.

If you are going to upload videos to YouTube, WITNESS put together an excellent guide on using YouTube’s blurring tool to obscure the faces of those in your video.

Bonus: Use sensor data for verification

Your phone is a beacon, transmitting an enormous amount of data about where you are, where you have been, and even where you might go. And while this can be a pain in other parts of our lives, when documenting an event this can be a valuable property for verifying the legitimacy of a photo or video. If this is a concern, use CameraV for Android (also developed by The Guardian Project) to attach rich sensor information to photos and videos.

Make sure you have enough power

Shooting video, live-tweeting, and calling your editor (hopefully via Signal!) all take a lot of juice. Be sure to bring a backup or external battery with sufficient power to recharge your phone at least two to three times. You’ll need it.

Physical concerns

Depending on the event you’re covering, physical injury can be a serious concern. Journalists are as vulnerable as anyone else at the event, and may even be targets because of their work. Even though this is illegal, it does happen. Buddy up if you can. And stay vigilant — both as to your own safety, as well as that of journalists around you.

In general, there isn’t a reliable way to encrypt photos and videos on a traditional camera, and this is a problem well recognized by photojournalists and filmmakers reporting from dangerous environments. Your primary defense for protecting physical films and storage devices is to keep them in your possession, and to make backups as soon as you can.

Know when to talk to a lawyer

The good news is the law is generally on your side. You have a First Amendment right to record public events. If authorities say you can’t record something happening in public at a demonstration, that’s almost certainly untrue. You also have a Fourth Amendment protection against unreasonable searches and seizures, meaning authorities are usually not permitted to search your smartphone without a warrant. (The rules are less clear regarding information stored in the cloud; on balance, it’s likely law enforcement will get a warrant for content stored offsite.) Similarly, law enforcement cannot delete your footage, photographs or posts, or force you to do so. In addition to implicating the First and Fourth Amendments, that would likely run afoul of the due process protections in the Fourteenth Amendment, as well.

In addition to the constitutional protections, there are state and federal statutes designed to safeguard the free flow of news. For example, with few exceptions, the federal Privacy Protection Act forbids law enforcement from searching and seizing journalists’ work product and documentary materials. This law applies to journalistic activity (e.g., freelancers and citizen journalists), not just journalists at traditional news organizations. With the exception of Wyoming, each state and the District of Columbia provide some protections that limit journalists’ obligation to testify about their stories or turn over unpublished materials in response to a subpoena. (The strength of these protections vary by state.)

You can still get in trouble for breaking laws that apply to everybody. For example, journalists cannot trespass on private property, obstruct officers, or resist arrest, and law enforcement may use these and similarly neutral laws as a pretext to arrest you. Unfortunately, the threat of arrest is more than hypothetical — there are many examples of journalists being detained while covering events.

The Electronic Frontier Foundation’s advice here is sound:

If questioned by police, you can politely but firmly ask to speak to your attorney and politely but firmly request that all further questioning stop until your attorney is present. It is best to say nothing at all until you have a chance to talk to a lawyer. However, if you do decide to answer questions, be sure to tell the truth. It is likely a crime to lie to a police officer and you may find yourself in more trouble for lying to law enforcement than for whatever it was they wanted on your [device].

Of course, none of this general information about the law takes the place of actual legal advice from an attorney who knows the facts of your situation. If you are arrested or your devices are seized, heed the EFF’s advice and talk to a lawyer immediately. There are a number of terrific organizations that offer pro bono legal assistance:

  1. Your local affiliate of the American Civil Liberties Union.
  2. The Electronic Frontier Foundation.
  3. The Reporters Committee for Freedom of the Press legal defense hotline.
  4. The Student Press Law Center.
  5. The National Press Photographers Association.

If you believe you are likely to run into trouble, consider writing your lawyer’s phone number on your arm before the event.

Go get the story

For reporters covering protests, legal, physical, and digital safety are all very real concerns. There’s no replacement for knowing the environment and likely concerns in advance, then coming prepared. Learn more about common risks for protesters. They are putting themselves on the line to call attention to issues of political importance. Do them justice. Stay safe, and get the story.


The authors would like to thank Victoria Baranetsky of the Reporters Committee for Freedom of the Press and Riana Pfefferkorn of the Stanford Center for Internet and Society for their invaluable feedback on this post.

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license by the authors. 

Backdoors in messaging apps – what’s really going on?

We are in one of those phases again. The Paris attacks caused, once again, a cascade of demands for more surveillance and weakening of encryption. These demands appear every time, regardless of if the terrorists used encryption or not.

The perhaps most controversial demand is to make backdoors mandatory in communication software. Encryption technology can be practically unbreakable if implemented right. And the use of encryption has skyrocketed after the Snowden revelations. But encryption is not only used by terrorists. As a matter of fact, it’s one of the fundaments we are building our information society on. Protection against cybercrime, authentication of users, securing commerce, maintaining business secrets, protecting the lives of political dissidents, etc. etc. These are all critical functions that rely on encryption. So encryption is good, not bad. But as any good thing, it can be both used and misused.

And beside that. As people from the Americas prefer to express it: encryption is speech, referring to the First Amendment that grant people free speech. Both encryption technology and encrypted messages can be seen as information that people are free to exchange. Encryption technology is already out there and widely known. How on earth can anyone think that we could get this genie back in the bottle? Banning strongly encrypted messages would just harm ordinary citizens but not stopping terrorists from using secure communications, as they are known to disregard laws anyway. Banning encryption as an anti-terror measure would work just as well as simply banning terrorism. (* So can the pro-backdoor politicians really be that stupid and ignorant?

Well, that might not be the whole truth. But let’s first take a look at the big picture. What kind of tools do the surveillance agencies have to fight terrorism, or spy on their enemies or allies, or anybody else that happen to be of interest? The methods in their toolboxes can roughly be divided in three sections:

  • Tapping the wire. Reading the content of communications this way is becoming futile thanks to extensive use of encryption, but traffic analysis can still reveal who’s communicating with whom. People with unusual traffic patterns may also get attention at this level, despite the encryption.
  • Getting data from service provider’s systems. This usually reveals your network of contacts, and also the contents unless the service uses proper end-to-end encryption. This is where they want the backdoors.
  • Putting spying tools on the suspects’ devices. This can reveal pretty much everything the suspect is doing. But it’s not a scalable method and they must know whom to target before this method can be used.

And their main objectives:

  • Listen in to learn if a suspect really is planning an attack. This require access to message contents. This is where backdoors are supposed to help, according to the official story.
  • Mapping contact networks starting from a suspect. This requires metadata from the service providers or traffic analysis on the cable.
  • Finding suspects among all network users. This requires traffic analysis on the cable or data mining at the service providers’ end.

So forcing vendors to weaken end-to-end encryption would apparently make it easier to get message contents from the service providers. But as almost everyone understands, a program like this can never be water-tight. Even if the authorities could force companies like Apple, Google and WhatsApp to weaken security, others operating in another jurisdiction will always be able to provide secure solutions. And more skillful gangs could even use their own home-brewed encryption solutions. So what’s the point if we just weaken ordinary citizens’ security and let the criminals keep using strong cryptography? Actually, this is the real goal, even if it isn’t obvious at first.

Separating the interesting targets from the mass is the real goal in this effort. Strong crypto is in itself not the intelligence agencies’ main threat. It’s the trend that makes strong crypto a default in widely used communication apps. This makes it harder to identify the suspects in the first place as they can use the same tools and look no different from ordinary citizens.

Backdoors in the commonly used communication apps would however drive the primary targets towards more secure, or even customized, solutions. These solutions would of course not disappear. But the use of them would not be mainstream, and function as a signal that someone has a need for stronger security. This signal is the main benefit of a mandatory backdoor program.

But it is still not worth it, the price is far too high. Real-world metaphors are often a good way to describe IT issues. Imagine a society where the norm is to leave your home door unlocked. The police is walking around and checking all doors. They may peek inside to check what you are up to. And those with a locked door must have something to hide and are automatically suspects. Does this feel right? Would you like to live in a society like that? This is the IT-society some agencies and politicians want.

 

Safe surfing,
Micke

 

(* Yes, demanding backdoors and banning cryptography is not the same thing. But a backdoor is always a deliberate fault that makes an encryption system weaker. So it’s fair to say that demanding backdoors is equal to banning correctly implemented encryption.

Sunset for section 215, but is the world better now?

Section 215 of the US Patriot Act has been in the headlines a lot lately. This controversial section was used by the US intelligence agencies to scoop up large quantities of US phone records, among other things. The section had a sunset clause and needed to be renewed periodically, with the latest deadline at midnight May 31st 2015. The renewal has previously been a rubber-stamp thing, but not this time. Section 215 has expired and been replaced by the Freedom Act, which is supposed to be more restrictive and better protect our privacy. And that made it headline news globally.

But what does this mean in practice? Is this the end of the global surveillance Edward Snowden made us aware of? How significant is this change in reality? These are questions that aren’t necessary answered by the news coverage.

Let’s keep this simple and avoid going into details. Section 215 was just a part in a huge legal and technical surveillance system. The old section 215 allowed very broad secret warrants to be issued by FISA courts using secret interpretations of the law, forcing companies to hand over massive amounts of data about citizens’ communications. All this under gag orders preventing anyone to talk about it or even seek legal advice. The best known example was probably the bulk collection of US phone records. It’s not about tapping phones, rather about keeping track of who called whom at what time. People in US could quite safely assume that if they placed calls, NSA had them on record.

The replacing Freedom Act still allows a lot of surveillance, but aims to restrict the much criticized mass surveillance. Surveillance under Freedom Act needs to be more specified than under Section 215. Authorities can’t just tell a tele operator to hand over all phone records to see if they can find something suspicious. Now they have to specify an individual or a device they are interested in. Tele operators must store certain data about all customers, but only hand over the requested data. That’s not a problem, it is pretty much data that the operators have to keep anyway for billing purposes.

This sounds good on paper, but reality may not be so sunny. First, Freedom Act is a new thing and we don’t know yet how it will work in practice. Its interpretation may be more or less privacy friendly, time will tell. The surveillance legislation is a huge and complex wholeness. A specific kind of surveillance may very well be able to continue sanctioned by some other paragraph even if section 215 is gone. It’s also misleading when media reports that the section 215 intelligence stopped on June 1st. In reality it continues for at least six months, maybe longer, to safeguard ongoing investigations.

So the conclusion is that the practical impact of this mini reform is a lot less significant than what we could believe based on the headlines. It’s not the end of surveillance. It doesn’t guarantee privacy for people using US-based services. It is however an important and welcome signal that the political climate in US is changing. It’s a sign of a more balanced view on security versus basic human rights. Let’s hope that this climate change continues.

 

Safe surfing,
Micke

Image by Christian Holmér

Our fundamental human rights are being violated

We are worried about our digital freedom and need your help. The world our children will inherit may lack some fundamental rights we take for granted, unless actions are taken now. Our Digital Freedom Manifesto is one such action. Read on to learn more.

The United Nations’ Universal Declaration of Human Rights, Article 12:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

I think this is a very good and important article, and most people probably agree. We have all gotten used to concepts like secrecy of telephony and the postal service. In short, we have the right to privacy and the right to decide ourselves what private information we share with others. And we value these rights. We would not accept that our letters arrive opened or the police installing cameras in our homes.

But on the Internet everything seems to be different. The information you think is private may actually be transferred and stored by systems far away from you, often in other countries. This gives a wide range of agencies and companies a technical possibility to access your data. Article 12 is often your only protection but you have no way to verify that all involved parties respect it. After the Snowden leaks we know for sure what we feared earlier, there are several countries that pay no respect at all to article 12. The ability to monitor most of the world’s Internet traffic, and that way gain political and economic benefits, is just too desirable no matter how unethical it is. USA, where most of our data is hosted, is sadly among the worst offenders.

If warrantless wholesale data collection for political and economic purposes isn’t a violation of article 12, then what is? What’s really going on here? Are we ready to dump article 12 or should something be done? Why are we accepting erosion of our digital rights, while similar violations would cause an immediate outcry if some other area of our lives was affected?

We at F-Secure are ready to fight for your digital freedom. We do that by providing products that guard your on-line life, like F-Secure SAFE and F-Secure Freedome. But that is not enough. Guarding privacy is an uphill battle if the network’s foundations are unreliable or hostile. And the real foundations have nothing to do with technology, they are the laws regulating network use and the attitude of the authorities that enforce or break those laws.

That’s why we need the F-Secure Digital Freedom Manifesto. We know that many people around the word share our concern. This manifesto is crowd sourced and will be made available to the public and selected decision makers when ready. We want you to participate, preferable with your own words, or just by reading it and thinking about how valuable digital freedom is for you. The manifesto will not change anything by itself, but it will help raise awareness. And when the people are aware, then we can demand change. We have democracy after all, right?

You can participate until June 30th. Or just read the draft and think about how all this affects your digital life. Right now is a good moment to get familiar with it.

Micke

Make your own DIY surveillance system

image from foscam.us
image from foscam.us

When talking IT and security we often just think of securing the computers, and our valuable personal information. But the digital revolution can help us secure other things as well. It is surprisingly easy to make sure you know what’s happening at home when you are away. Yes, there are fine extensive surveillance systems on the market complete with installation service and all. But you may not be willing to pay big bucks, or you like this kind of DIY-challenge. If that’s the case, read on.

I’m going to describe an easy way to get camera surveillance for just a couple of hundred bucks. You also need to be a little bit computer savvy, but you do definitively not need to be an expert. With this system you can have any number of cameras at home and receive an e-mail when something moves in front of them. With a smartphone you can receive these mail wherever you are.

Ok, let’s first check the requirements for this to work.

  • You must have an Internet connection at home.
  • You must have a wireless network at home.
  • Have you ever used the browser to open the configuration screen of a router or other similar network component? If you have, then you know what kind of work you will be doing here. You can of course also call in a nerdy friend if this sounds scary.

Next select the places to put the cameras:

  • The entrances to your home is naturally critical places if you for example want to catch burglars.
  • Make sure you have the face of visitors towards the cameras. Filming backs is of little use.
  • Avoid filming against the light. All you get is dark silhouettes.
  • Try to get the camera as near the objects as possible. Especially cheap cameras have limited resolution and persons may not be recognizable if they are far away.
  • Avoid moving objects in the picture, like bushes that sway in the wind. (They will trigger the movement detection.)
  • Do not point the camera through a window. It may work in daylight but reflections will ruin the pictures at night.
  • You need to route electricity to the cameras. Note that most power supplies aren’t made for outdoor use even if the camera is, leave them inside and bring the low-voltage outside.
  • Your wireless network need to be strong enough where you place the cameras.
  • It’s OK to use cameras in your own home, but be careful if you plan to place the cameras so that they can see a public place. Check the law in your country if you plan to do this. Also check if you need to post warning signs about the CCTV system.

Now is the right time to select the cameras. Here are the requirements:

  • They must have support for wireless networks (WLAN, WiFi).
  • They must have support for “Motion detection alert via email”, or whatever the vendor has selected to call that feature.
  • Select wide-angle or tele-cameras depending or their location. The wide-angle models tend to be more useful.
  • Select outdoor or indoor cameras depending on their planned location.
  • Prefer models with night vision. They have integrated infrared LEDs and can film in complete darkness.
  • Prefer models with a 12V power supply, rather than 5V, if you need to extend the power cable. The higher voltage is less sensitive to voltage drops.

Foscam FI9801W is an example of a suitable wide-angle outdoor model. Cameras like this may sell for around $200 but there are cheaper models too. Shop around on the net and you will have no problem finding the right model, if your local dealer doesn’t happen to have suitable cameras.

Ok, time for the installation procedure:

  1. Create a mail account at some free mail provider, like Gmail or Microsoft Live (former Hotmail). This account will receive pictures from the camera. Do not use your ordinary mail account as the volume may get quite high.
  2. Configure the camera(s) to work with your wireless network at home. Follow instructions in their manual. Note that the initial setup often need to be done with a network cable connected to the camera. The wireless connection will not work before you have done the initialization.
  3. Install the cameras in their final locations and connect electricity.
  4. Use the browser to log into the camera’s control panel. (Again, see the manual.) Look for the settings controlling “Alarm settings”, “Motion alarm” or “Motion detection”. Here you need to make the following settings:
    1. Select to send mail when motion is detected.
    2. Configure the server address that receives outbound mail. This info is provided by your Internet service provider and may be something like “smtp.serviceprovider.com”. You may also have to specify a port number, try 25 unless the service provider instructs you to use something else.
    3. Configure the e-mail address that alerts are sent to. Use the address that you created in step 1 above. Specify the address that appears as sender in the mails, this can be your own address.
    4. Adjust the sensitivity. This is the threshold that decides how much movement must be detected before a mail is sent. Start somewhere in the middle of the scale. Log in and adjust later if needed, decrease sensitivity if you get false alerts, increase if people can walk by without triggering a mail.
    5. Note that the alert- and e-mail-settings may be located under different headings in the configuration utility. You may also have to turn on motion detection before the e-mail settings become visible, or vice versa.
    6. Check the mail account via webmail or add it to your mail program, like MS Outlook for example. See the instructions provided by the mail provider and the vendor of your mail program. Google is also an excellent source of instructions. Try for example “Gmail Outlook”, or whatever combination you use, and you will find plenty of instructions on-line.
    7. Add the new mail account to your smartphone and you will be able to get alerts immediately wherever you are. See the smartphone’s instructions if needed.

That’s it. Now you should get a mail message with a couple of still pictures every time there is movement in front of one of your cameras. And a nice plus is that the data is transmitted offsite immediately. Cutting the power to your property will naturally neutralize the cameras. But its futile for burglars to look for the video server once they have been captured, their pictures are already in your inbox.

Yes, this requires a little bit of understanding about how network components are configured. If you feel uncertain you can always talk to a tech-savvy friend and ask for help. And remember that this isn’t a full-fledged security system. Valuable properties should have proper security systems rather than hacks of this kind. But even a simple system like this can prove very valuable if something happens. Not to mention that just a visible camera and CCTV-sign can prevent crime.

Safe surfing,
Micke

PS. But what if I want to watch live video? That’s easy when at home, but doesn’t provide much value. It is usually possible to make the cameras accessible from other places too. But this is more complicated and depends on how your service provider handles inbound connections. I will not cover that here, but if you call in that nerdy friend to help, you might have a good opportunity to get it set up at the same time.