Tag Archives: government surveillance

PRISM is bigger than anything that came before it—but no-one knows how much bigger

The mystery surrounding how much domestic spying the US government has been conducting on its own citizens will only intensify in the coming days, as a growing number of the nine major internet companies linked to an alleged top-secret data-mining program deny they had anything to do with it.

The stories in the Guardian and Washington Post contend that the National Security Agency and FBI were jacking directly into the central servers of the companies and scooping up all sorts of personal data in a hunt for terrorist activity. Publicly, these agencies insist that they only do that overseas, to foreigners, while the tech firms concerned insist they aren’t involved and have never heard of such a scheme.

That may or may not be true, and finding out the gritty details is sure to become the next parlor game in Washington. One thing is for sure, though. If PRISM is what the two newspapers say it is, it is the biggest domestic spying program that the United States has ever conducted, and by orders of magnitude.

“It looks from what I’ve seen to be larger than anything I thought we were doing,” says Paul Rosenzweig, author of a recent book, Cyber Warfare.

Rosenzweig should know. As a former acting assistant secretary at the Department of Homeland Security, he was one of those people given the kind of Top Secret / Sensitive Compartmented Information clearances needed to work on any project as sensitive as this. But, he says, “I wasn’t read in on this.” (He wouldn’t comment on what he was “read in on”).

The reports about PRISM come a day after The Guardian reported on another data mining program that allowed the US government access to metadata about every single phone call flowing through the trunk lines at Verizon, one of the country’s biggest wireless carriers. The Wall Street Journal has since reported (paywall) that secret court orders also enable such surveillance at AT&T and Sprint, the other two big carriers, and that the orders are renewed every three months; NBC says it has been happening on every call in the US for the last seven years.

James Bamford, author of three books on the NSA, says the disclosures have certainly raised a lot of questions about what’s going on out at the agency’s headquarters in Fort Meade, Maryland. But Bamford says the two programs have may solved another mystery that he’s been wrestling with for a year now—why the NSA needed to build such a cavernous and secret complex way out in Bluffdale, Utah. “They need that data center to store all of this stuff,”  Bamford told Quartz.

Bamford said that he and other security experts familiar with the NSA have long snickered about how the NSA’s spooks and engineers were vacuuming up their emails and everything else they were doing. “It used to be a joke,” he said. “Now, it’s not a joke at all.”

Crime cameras make their presence felt, but what is the real mark of success?

Chicago’s camera surveillance system is second to none in the United States, at least in terms of sheer size.  Since 2006, the Chicago Police Department have made over 4500 arrests directly related to the their blue light camera system and other observation cameras, which monitor high crime areas.

Despite these high numbers, are the blue light cameras and other surveillance camera really that effective?

According to the Chicago Police Department, there are 800 Police Observation Device (POD) cameras in the city, all of which are operational. District and specialized units conduct POD missions, and additionally, the Chicago Police Crime Prevention and Information Center has staff that monitors the cameras.

For comparison’s sake,  analyze London’s crime camera system.  London’s crime fighting cameras are similar to that of Chicago.  Over 10,000 closed circuit cameras are operated by the state, at a cost of 200 million Euros, but only three percent of London’s street robberies are solved using the footage gathered from these cameras.

San Francisco also has deployed a crime camera system as well, although much smaller in nature.  According to a 2008 San Francisco Chronicle article, their 68 anti-crime cameras only contributed to one arrest in about two years, in city that saw a 12-year-high of 98 homicides.  San Francisco spent $900,000 on these cameras and had plans for installing another 25 more cameras.  The Chronicle points out that thefts dropped by 22 percent within 100 feet of the cameras, but had no effect on burglaries and car thefts. Murders also went down within 250 feet of the cameras, but the reduction was completely offset by an increase 250 to 500 feet away.

Chicago unveiled a new computer-aided dispatch system back in December 2008 that was paid for with a grant from the Department of Homeland Security. The system is designed to beam an image on the crime location to a computer dispatcher’s screen based off the origin of the 911 calls.

“We can now immediately take a look at the crime scene if the 911 caller is in a location within 150 feet of one of our surveillance cameras, even before the first responders arrive,” Ray Orozco, the executive director of the Chicago Office of Emergency Management and Communications, said to the Chicago Tribune.

Sergeant Antoinette Ursitti of the Chicago Police added “the Chicago Police Information Center monitors priority in progress calls for service and can identify areas where cameras are present and can be viewed.”

But what’s the true measure of success of these camera systems: crime prevention or solved crimes?

Jim Harper, the director of information policy studies at the Cato Institute, was quoted in a July 2007 ABC article: “They are good forensic tools — after something happens, they’ll tell you what happened.  But they do not provide protection against attacks, and that’s a key distinction.”

Legislating Security

CHICAGO — A Congressional Research Service report issued in January lists more than 15 individual pieces of cybersecurity-related legislation proposed in the 111th and 110th Congresses.

That doesn’t include a resolution presented this year by Illinois Congressman Daniel Lipinski to promote education of future cybersecurity specialists, the expansion of research and partnerships between universities and government agencies, and a standard setting process for “interconnectivity, identification and communication.”

John Veysey, Lipinski’s senior legislative assistant, said this is a typical number of bills for any given area of interest in Congress.

“But this is not a typical issue,” Veysey said. “If you define cybersecurity in the broadest of terms, it impacts so many things, so many aspects of our country, our economy and of the federal government – everything from defense to libraries and universities.”

That results in a lot of interested committees, people, and stakeholders. While it is challenging to negotiate with all those parties, many of the bills are moving through Congress, including the Cybersecurity Act (SB 773) being proposed by U.S. Sens. Jay Rockefeller, D-W.V., and Olympia Snowe, R-Maine, both of whom are members of the Senate Commerce and Intelligence committees.

They wrote in the Wall Street Journal that this proposed legislation would create a partnership between the government and private companies. The act would also create the position of a national adviser to bring government and private business together on this front and provides for “unprecedented information sharing.”

“From where I sit, the fact that Sen. Rockafeller and Sen. Snowe passed their bill out of committee … that represented a real step forward,” Veysey said. “I think we’re moving forward, and that’s good. … Certainly reflects the need and the long history of working on this issue with not a lot of progress. Many years.”

Cybersecurity research is one of the areas in greatest need of exploration, Veysey said.

“Agencies that are setting research agendas will need to listen to the private sector to hear what their needs are and what their priorities are and we’ll be able to influence that process,” he said.

Agencies like the NSA, National Science Foundation, and NIST are doing research, but they are not looking into the “human dimension aspects of these problems,” such as how people interact with computers and communication devices, and paying attention to psychological and sociological problems, Veysey said.

The government is full of agencies with some connection to technology, security and intelligence, such as the Joint Interagency Cyber Task Force for the Office of the Director of National Intelligence, an ambiguous name I came across in the Congressional Research Service report.

But apparently some of their research isn’t being shared: “It should be noted that some of the apparent gaps discovered [in response to cybersecurity challenges] may actually be addressed by existing classified programs, which cannot be discussed in this unclassified report.”

Among the “common themes of recent cybersecurity initiatives” discussed in the report is “privacy and civil liberties – maintaining privacy and freedom of speech protections on the Internet while devising cybersecurity procedures” as well as “outreach, collaboration and policy formation – working across government and with the private sector to share information on threats and other data, and to develop shared approaches to securing cyberspace.”

Jay Stanley, public education director of ACLU’s Technology and Liberty Program, said the government can help protect the private sector with its cybersecurity issues but the public needs to be conscious of the pitfalls and ensure that they are not allowing the creation of something that will give corporations more power than they should have.

People often willingly give out their personal information but they also do it begrudgingly and without complete awareness of “the extent to which the information they give to one institution is stored, used, traded and combined,” he said.

Over time, it is becoming more apparent how that information is being used.

Orayb Aref Najjar, a journalism professor at Northern Illinois University who specializes in cyber-communities and freedom of the press, said in an email that U.S. companies have a legitimate interest in protecting their trade secrets.

But she would like to know whether the government is approaching companies or if company officials are seeking federal assistance, why these companies don’t have the expertise to secure themselves, and how their technical information is stored.

“I would have to know whether getting the help of the government in this case would allow NSA access to citizen searches,” Najjar wrote. “If the NSA has access to the Google code, would it also have access to our accounts and our searches? Could the NSA keep its hands out of direct access to the searches cookie jar?”

Najjar said surveillance by the government or private contractors is unnecessary.
“If Wall Street can police itself, the cyber world can do that too,” she wrote. “People on social networks may be asked to report suspicious activity.”

Proposed legislation that involves identifying and assessing international and global risks is especially worrisome to Najjar, who is concerned that foreign countries’ anti-terrorism laws will extend beyond the scope of finding criminals.

“My research suggests that the laws were sometimes applied to the non-violent enemies of the regimes in questions, rather than only against ‘terrorists,’” she said in her email. “I see a similar problem developing in which enhanced abilities to control a country’s cyber space would allow the country to crack down on bloggers and dissenters who try to evade its reach. So the intent of this law, safety, is good, but I fear that it would be applied to the wrong thing.”

Stanley with the ACLU says the idea that security comes at the sacrifice of privacy is “overblown.”

“Privacy and security are not in conflict,” he said.

Many of the intrusions on privacy are also bad for security, Stanley said.

In the industrial age, people think of everything in terms of machines; they see everything as an information problem, he said. But searching databases for the metaphorical needle in a haystack is an ineffective way to solve terrorism.

“Terrorist attacks are not stopped that way,” he said.

The best approach to security is doing the legwork, chasing down leads, “good, old fashioned investigation,” he said.

Experts doubt surveillance ruling's strength

CHICAGO — A federal judge recently declared the Bush administration’s warrantless wiretapping program unconstitutional, issuing the second federal ruling against the controversial practice.

But experts are skeptical the ruling will stand.

“I think that it’s more likely than not that the Justice Department will appeal it, and it will not by any stretch of the imagination survive the appeal,” said Aziz Huq, a law professor at the University of Chicago.

The recent decision is the second ruling warrantless wiretapping unconstitutional. The first decision finding it illegal in 2006 was struck down when the plaintiffs could not definitively prove they had been wiretapped.

Because classified information revealed in error confirmed that the plaintiff, an Islamic charity in Oregon, had been watched, the case cannot be struck down on those grounds.

But even if it survived appeal, Huq said the ruling is unlikely to affect the current wiretapping program.

“The ruling concerns the terrorism surveillance program that was discontinued at least three years ago and does not, as far as I can tell, implicate the current surveillance regime under the Foreign Intelligence Surveillance Act as amended in 2008,” he said.

The Foreign Intelligence Surveillance Act was created in 1978 to gather data on suspected threats to national security connected to foreign organizations. Since 9/11, FISA has been amended to expand the federal government’s surveillance powers.

“Whatever surveillance is being done, it’s largely being done through the amended FISA bill, giving the government more authority than it used to have and drafted in such a way that one can imagine the government using the powers under the statute to sweep up a lot of communications without individualized warrants,” Huq said.

Ed Yohnka, director of communications and public policy for the Illinois branch of the ACLU, said he’s uncertain whether the ruling will change anything.

The necessity of warrantless wiretapping is unclear in the first place, Yohnka said.

“The feds just simply never got turned down for a warrant when they requested one,” he said.

But whether the ruling means change or not, Yohnka said it sends a message about warrantless wiretapping.

“I think it’s hard to know what the long-term implications of this might be, but I think it is also difficult at the same time to understate the importance of a court stepping up and calling this activity for what it was, which was illegal spying.”