Cypherpunks: Freedom and the Future of the Internet
Page 14
Klein’s affidavit gives important information about the character of the NSA surveillance program, confirmed by NSA whistleblowers. This is an example of “strategic interception”—all internet traffic passing through the United States is copied and stored indefinitely. It can be known with certainty that domestic US traffic is also intercepted and stored, because, from an engineering standpoint, when dealing with this volume of traffic it is impossible to screen out traffic for which a FISA warrant would be required. Official legal interpretation of FISA now holds that an “intercept” has only occurred when a domestic communication already intercepted and stored by the NSA is “accessed” on the NSA’s database, and that it is only at this stage that a warrant is required. US citizens should assume that all their telecommunications traffic (including voice calls, SMS, email, and web browsing) is monitored and stored forever in NSA data centers.
In 2008, in response to a high volume of litigation following from the wiretap scandal, the US Congress passed amendments to the 1978 FISA law, which were immediately signed in by the President. These created grounds for the grant of a highly controversial “retroactive immunity” against prosecution for violation of FISA. Senator Barack Obama, during his presidential campaign, had made “transparency” a part of his platform, and promised to protect whistleblowers, but when he entered office in 2009 his Justice Department continued the Bush administration’s policies, eventually defeating the Hepting case and others with the grant of “retroactive immunity” for AT&T.
While the Justice Department’s investigation into the source of the original New York Times story failed to turn up the whistleblower, it did uncover whistleblowers that had come forward after the story. One such was Thomas Drake, a former senior executive of the NSA, who had for years complained internally to Congressional Intelligence Oversight Committees about corruption and wastefulness within the NSA’s “Trailblazer” program. The internal complaints were suppressed, as were any government employees willing to pursue them. After the New York Times story, Drake had disclosed the Trailblazer story to the Baltimore Sun. He was indicted by a Grand Jury investigation, designated an “enemy of the state,” and charged under the Espionage Act. See “The Secret Sharer,” New Yorker, May 23, 2011: http://www.newyorker.com/reporting/2011/05/23/110523fa_fact_mayer?currentPage=all.
The Drake prosecution cllapsed after intense public scrutiny in June 2011, and after unsuccessful attempts to compel Drake into a plea bargain the Justice Department settled for his plea of guilty in respect of one minor misdemeanor. Drake received one year of probation.
The fallout from the NSA surveillance scandal continues. The ACLU is litigating to challenge the constitutionality of the 2008 FISA amendments in Amnesty et. al. v. Clapper. See “FISA Amendment Act Challenge,” ACLU, September 24, 2012: http://www.aclu.org/national-security/amnesty-et-al-v-clapper.
In Jewel v. NSA, the EFF is seeking to put an end to the NSA’s warrantless surveillance. The case was dismissed in 2009 after the Obama administration argued immunity by virtue of national security secrets. See the EFF page on Jewel v. NSA: https://www.eff.org/cases/jewel. However, the Ninth Circuit Court of Appeals allowed the case to be reopened in December 2011. Thomas Drake and other NSA whistleblowers William Binney and J. Kirk Wiebe are giving evidence in Jewel v. NSA. The Obama administration—which ran on a platform of government transparency—has prosecuted more whistleblowers under the Espionage Act than all previous administrations combined. (All links in this note accessed October 23, 2012.)
45. See the entry for the Eagle system on buggedplanet:
http://buggedplanet.info/index.php?title=AMESYS#Strategic_.28.22Massive.22.29_Appliances (accessed October 22, 2012).
46. “German court orders stored telecoms data deletion,” BBC, March 2, 2010: http://news.bbc.co.uk/1/hi/world/europe/8545772.stm (accessed October 15, 2012).
47. Directive 2006/24/EC of the European Parliament and Council requires European states to store citizens’ telecommunications data for six to twenty-four months. It was the application of this Directive to German law that was ruled unconstitutional in Germany. In May 2012 the EU Commission referred Germany to the European Court of Justice for not complying with the Directive (see the Commission’s press release: http://europa.eu/rapid/press-release_IP-12-530_en.htm (accessed October 15, 2012)).
48. See “Sweden approves wiretapping law,” BBC, June 19, 2008: http://news.bbc.co.uk/1/hi/world/europe/7463333.stm.
For more on the FRA-lagen, see Wikipedia: http://en.wikipedia.org/wiki/FRA_law (both links accessed October 10, 2012).
49. Metadata is “data about data.” In the context of this discussion, metadata refers to data other than the “content” of the electronic communication. It is the front of the envelope, rather than the contents. Surveillance of metadata does not target the contents of emails, but rather all the information surrounding the contents—who the email was sent to or from, the IP addresses (and therefore location) from which it was sent, the times and dates of each email, etc. The point is, however, that the technology to intercept metadata is the same technology as the technology to intercept the contents. If you grant someone the right to surveil your metadata, their equipment must also intercept the contents of your communications. Besides this, most people do not realize that “metadata in aggregate is content”—when all the metadata is put together it provides an astonishingly detailed picture of a person’s communications.
50. Amesys is part of the Bull group, once a competitor to IBM’s Dehomag in selling punch card systems to the Nazis. See Edwin Black, IBM and the Holocaust (Crown Books, 2001).
For more on how Gaddafi spied on Libyans in the UK using Amesys surveillance equipment see, “Exclusive: How Gaddafi Spied on the Fathers of the New Libya,” OWNI.eu, December 1, 2011: http://owni.eu/2011/12/01/exclusive-how-gaddafi-spied-on-the-fathers-of-the-new-libya (accessed October 22, 2012).
51. WikiLeaks began releasing The Spy Files, exposing the extent of mass surveillance, in December 2011. They can be accessed at http://wikileaks.org/the-spyfiles.html.
52. For more detail see buggedplanet: http://buggedplanet.info/index.php?title=LY
53. The Chaos Communication Congress is an annual meeting of the international hacker scene, organized by the Chaos Computer Club.
54. Jacob is referring to ZTE, one of two Chinese producers (the other being Huawei) of electronic goods that are widely suspected of containing “backdoors.” Jacob means to suggest that the “gift” of communications infrastructure comes with a cost—that it will, by design, be susceptible to Chinese surveillance.
55. Kill Your Television is the name for a form of protest against mass communications, whereby people eschew television for social activities.
56. The “network effect” is the effect that one person’s performing an activity has on other people’s likelihood to perform that activity.
57. For more on the Grand Jury investigation, see “Note on the various attempts to persecute WikiLeaks and people associated with it” preceding the discussion.
58. According to the Wall Street Journal: “The U.S. government has obtained a controversial type of secret court order to force Google Inc. and small Internet provider Sonic.net Inc. to turn over information from the email accounts of WikiLeaks volunteer Jacob Appelbaum, according to documents reviewed by The Wall Street Journal… The WikiLeaks case became a test bed for the law’s interpretation earlier this year when Twitter fought a court order to turn over records from the accounts of WikiLeaks supporters including Mr. Appelbaum… The order sought the “Internet protocol,” or IP, addresses of the devices from which people logged into their accounts. An IP address is a unique number assigned to a device connected to the Internet. The order also sought the email addresses of the people with whom those accounts communicated. The order was filed under seal, but Twitter successfully won from the court the right to notify the subscribers whose information was sought… The court orders reviewed by the Journal seek the same t
ype of information that Twitter was asked to turn over. The secret Google order is dated Jan. 4 and directs the search giant to hand over the IP address from which Mr. Appelbaum logged into his gmail.com account and the email and IP addresses of the users with whom he communicated dating back to Nov. 1, 2009. It isn’t clear whether Google fought the order or turned over documents. The secret Sonic order is dated April 15 and directs Sonic to turn over the same type of information from Mr. Appelbaum’s email account dating back to Nov. 1, 2009. On Aug. 31, the court agreed to lift the seal on the Sonic order to provide Mr. Appelbaum a copy of it.” “Secret orders target email,” Wall Street Journal, October 9, 2011: http://online.wsj.com/article/SB10001424052970203476804576613284007315072.html (accessed October 11, 2012). For more detail, see “Note on the various attempts to persecute WikiLeaks and people associated with it” preceding the discussion.
59. “WikiLeaks demands Google and Facebook unseal US subpoenas,” Guardian, January 8, 2011: http://www.guardian.co.uk/media/2011/jan/08/wikileaks-calls-google-facebook-us-subpoenas (accessed October 16, 2012).
For more detail, see “Note on the various attempts to persecute WikiLeaks and people associated with it” preceding the discussion.
60. See “Note on the various attempts to persecute WikiLeaks and people associated with it” preceding the discussion.
61. For more details see the Europe versus Facebook website: http://www.europe-v-facebook.org/EN/Data_Pool/data_pool.html (accessed October 24, 2012).
62. A National Security Letter, or NSL, is a letter from a US agency demanding “non-content data” or “metadata,” such as financial transaction records, IP logs or email contacts. Anyone who receives an NSL must turn over the requested records or face prosecution. An NSL does not require authorization by a court—it can be issued directly by a federal agency. For this reason it is similar to a so-called “administrative subpoena”—an order to produce information that requires only administrative, rather than judicial, oversight. On this basis, NSLs arguably violate Fourth Amendment protections against arbitrary search and seizure. NSLs also contain a “gag component,” which means that it is a criminal offense for someone who receives an NSL to talk about it to anyone else. On this basis, NSLs arguably violate First Amendment protections on the freedom of speech. In Doe v. Gonzales, the gag provision of NSLs was ruled unconstitutional. The law was changed to grant recipients of an NSL rights to challenge the NSL in court, which satisfied the Second Circuit Court that their use was no longer unconstitutional. NSLs continue to be criticized by civil liberties groups, and challenged in court.
The use of NSLs vastly increased after the passage of the USA PATRIOT Act in 2001. The recipients of NSLs are typically service providers, such as ISPs or financial institutions. The records sought are normally those of the customers of the recipient. The recipient cannot inform the customer that their records have been demanded. While recipients have rights to challenge NSLs in court, the gag provision prevents the target from even knowing about the NSL, and therefore prevents them challenging it in court. To illustrate how difficult this is to justify, see a video of the FBI’s deputy general counsel attempting to answer Jacob Appelbaum’s question, “How am I supposed to go to a judge if the third party is gagged from telling me that I’m targeted by you?” Her answer, “There are times when we have to have those things in place,” is chilling: http://youtu.be/dTuxoLDnmJU (also found with further contextual material at Privacy SOS: http://privacysos.org/node/727).
According to the Electronic Frontier Foundation, “Of all the dangerous government surveillance powers that were expanded by the USA PATRIOT Act the National Security Letter (NSL) power under 18 U.S.C. § 2709 as expanded by PATRIOT Section 505 is one of the most frightening and invasive. These letters served on communications service providers like phone companies and ISPs allow the FBI to secretly demand data about ordinary American citizens’ private communications and Internet activity without any meaningful oversight or prior judicial review. Recipients of NSLs are subject to a gag order that forbids them from ever revealing the letters’ existence to their coworkers, to their friends or even to their family members, much less the public.” See: https://www.eff.org/issues/national-security-letters. See also the Electronic Frontier Foundation’s collection of documents relating to National Security Letters released under the Freedom of Information Act: https://www.eff.org/issues/foia/07656JDB (all links in this note accessed October 23, 2012).
63. See note 41 above on the “First Crypto Wars” of the 1990s.
64. Julian is referring to SSL/TLS, which is a cryptographic protocol now incorporated as standard into all web browsers, and used for secure browsing—for example, whenever a browser is used for internet banking.
65. For one example among many, see, “Blackberry, Twitter probed in London riots,” Bloomberg, August 9, 2011: http://www.bloomberg.com/news/2011-08-09/blackberry-messages-probed-in-u-k-rioting-as-police-say-looting-organized.html (accessed October 16, 2012).
66. For example, a member of the LulzSec group that exposed flaws in Sony’s security practices by releasing Sony customers’ personal data was arrested after his identity was gained from the proxy site HideMyAss.com, via a court order in the US. See, “Lulzsec hacker pleads guilty over Sony attack,” BBC, October 15, 2012: http://www.bbc.com/news/technology-19949624 (accessed October 15, 2012).
67. SOPA refers to the Stop Online Piracy Act. PIPA refers to the Protect Intellectual Property Act. Both are proposed US laws which came to world prominence in early 2012. Both are transparent legislative expressions of the desire of the content industry, represented by bodies like the Recording Industry Association of America, to enforce intellectual property law globally, and as heavily as possible, in response to the free distribution of cultural artifacts online. Both laws proposed to grant heavy-handed and wide-reaching internet censorship powers to US law enforcement agencies, which threatened to “break the internet.” Both laws earned the ire of substantial portions of the international online community and provoked a strong reaction from the industrial actors whose interests are in a free and open internet.
In early 2012, Reddit, Wikipedia and several thousand other sites blacked out their services in protest against the laws, instigating heavy public pressure on public representatives. Other online service providers, such as Google, encouraged petitions. In response, both laws were suspended, pending reconsideration and discussion of whether they represent the best approach to the problem of intellectual property online. The episode is seen as the first significant discovery and assertion of effective congressional lobbying power by the internet industry.
68. See the “Note on the various attempts to persecute WikiLeaks and people associated with it” preceding the discussion.
69. ACTA refers to the Anti-Counterfeit and Trade Agreement. It is a multilateral international treaty negotiated in secret over the course of years, led by the United States and Japan, part of which institutes new and draconian obligations to protect intellectual property.
Initial drafts of ACTA were revealed to the public in 2008 after they were leaked to WikiLeaks, provoking widespread outcry from free culture activists and online advocates. See the ACTA section on WikiLeaks: http://wikileaks.org/wiki/Category:ACTA.
US diplomatic cables shared with La Quadrature Du Net by WikiLeaks in early 2011 showed that ACTA was negotiated in secret explicitly in order to fast track the creation of extreme IP enforcement rules, which could later be coercively imposed on poorer countries excluded from the agreement. See, “WikiLeaks Cables Shine Light on ACTA History,” La Quadrature Du Net, February 3, 2011: http://www.laquadrature.net/en/wikileaks-cables-shine-light-on-acta-history (accessed October 23, 2012).
In July 2012, after a campaign led by La Quadrature Du Net and Jérémie Zimmermann, ACTA was defeated in the European Parliament.
70. M.A.I.D., (Mutually) Assured Information Destruction, is “a framework that provides time sensitive remote key escrow and provable authentica
tion with optional distress coding. It automatically destroys cryptographic keys after a given user configurable time threshold is crossed”: https://www.noisebridge.net/wiki/M.A.I.D.
Legislation such as the Regulation of Investigatory Powers Act of 2000, or RIPA, makes the United Kingdom quite a hostile regime for cryptography. Under RIPA individuals can be obliged to decrypt data or surrender a password on the order of a police constable. No judicial oversight is necessary. Refusal to comply can result in criminal charges. In a resulting trial, if the defendant claims she/he has forgotten the password, there is a reverse burden of proof. In order to avoid being convicted the defendant must prove that she/he has forgotten the password. This, it is argued by critics of the law, effectuates a presumption of guilt. Comparatively, while there has been much litigation in connection with the same issues in the United States, and the situation is by no means ideal, there has been far more success invoking the First and Fourth Amendments in similar circumstances. See the report, “Freedom from Suspicion, Surveillance Reform for a Digital Age,” published by JUSTICE, November 4, 2011, available from: http://www.justice.org.uk/resources.php/305/freedom-from-suspicion.
For more on the Rubberhose file system, see, “The Idiot Savants’ Guide to Rubberhose,” Suelette Dreyfus: http://marutukku.org/current/src/doc/maruguide/t1.html (all links accessed October 24, 2012).
71. An archive of the old Cypherpunk mailing list can be downloaded from: http://cryptome.org/cpunks/cpunks-92-98.zip.
Tim May was a founding member of the Cypherpunks mailing list. See his Cyphernomicon, an FAQ on cypherpunk history and philosophy: http://www.cypherpunks.to/faq/cyphernomicron/cyphernomicon.html (both links accessed October 24, 2012).