House Votes to Extend—and Expand—a Major US Spy Program

A controversial US wiretap program days from expiration cleared a major hurdle on its way to being reauthorized.

After months of delays, false starts, and interventions by lawmakers working to preserve and expand the US intelligence community’s spy powers, the House of Representatives voted on Friday to extend Section 702 of the Foreign Intelligence Surveillance Act (FISA) for two years.

Legislation extending the program—controversial for being abused by the government—passed in the House in a 273–147 vote. The Senate has yet to pass its own bill.

Section 702 permits the US government to wiretap communications between Americans and foreigners overseas. Hundreds of millions of calls, texts, and emails are intercepted by government spies each year with the “compelled assistance” of US communications providers.

The government may strictly target foreigners believed to possess “foreign intelligence information,” but it also eavesdrops on the conversations of an untold number of Americans each year. (The government claims it is impossible to determine how many Americans get swept up by the program.) The government argues that Americans are not themselves being targeted and thus the wiretaps are legal. Nevertheless, their calls, texts, and emails may be stored by the government for years, and can later be accessed by law enforcement without a judge’s permission.

The House bill also dramatically expands the statutory definition for communication service providers, something FISA experts, including Marc Zwillinger—one of the few people to advise the Foreign Intelligence Surveillance Court (FISC)—have publicly warned against.

“Anti-reformers not only are refusing common-sense reforms to FISA, they’re pushing for a major expansion of warrantless spying on Americans,” US senator Ron Wyden tells WIRED. “Their amendment would force your cable guy to be a government spy and assist in monitoring Americans’ communications without a warrant.”

The FBI’s track record of abusing the program kicked off a rare détente last fall between progressive Democrats and pro-Trump Republicans—both bothered equally by the FBI’s targeting of activists, journalists, and a sitting member of Congress. But in a major victory for the Biden administration, House members voted down an amendment earlier in the day that would’ve imposed new warrant requirements on federal agencies accessing Americans’ 702 data.

“Many members who tanked this vote have long histories of voting for this specific privacy protection,” says Sean Vitka, policy director at the civil-liberties-focused nonprofit Demand Progress, “including former speaker Pelosi, Representative Lieu, and Representative Neguse.”

The warrant amendment was passed earlier this year by the House Judiciary Committee, whose long-held jurisdiction over FISA has been challenged by friends of the intelligence community. Analysis by the Brennan Center this week found that 80 percent of the base text of the FISA reauthorization bill had been authored by intelligence committee members.

“Three million Americans’ data was searched in this database of information,” says Representative Jim Jordan, chair of the House Judiciary Committee. “The FBI wasn’t even following its own rules when they conducted those searches. That’s why we need a warrant.”

Representative Mike Turner, who chairs the House Intelligence Committee, campaigned alongside top spy agency officials for months to defeat the warrant amendment, arguing they’d cost the bureau precious time and impede national security investigations. The communications are legally collected and already in the government’s possession, Turner argued; no further approval should be required to inspect them.

Section 702: The Future of the Biggest US Spy Program Hangs in the Balance

In the wake of 9/11, US president George W. Bush authorized the National Security Agency (NSA) to eavesdrop on Americans without court-approved warrants as part of the hunt for evidence of terrorist activity. A federal judge ruled the collection unconstitutional in 2006, as part of a lawsuit brought by the American Civil Liberties Union. (An appeals court later overturned the ruling without challenging the case’s merits.)

Rather than end the surveillance, Congress codified the program as Section 702 of the Foreign Intelligence Surveillance Act (FISA), granting itself some authority to enforce procedures ostensibly designed to limit the program’s impact on Americans’ civil liberties.

Section 702 explicitly prohibits the government from targeting Americans. The surveillance must instead focus on foreigners who are physically located overseas. Nevertheless, Americans’ communications are routinely swept up by the program.

While denying that it intentionally sets out to eavesdrop on its own citizens, once it has already done so, the US government’s position is that it now has a right to access these “legally collected” communications without a judge’s approval. In 2021 alone, the FBI conducted searches of communications intercepted under 702 more than 3.4 million times.

Last year, after acknowledging that hundreds of thousands of these searches were unlawful, the FBI said it had taken steps to curtail the number of queries carried out by its employees, reporting in 2022 as few as 204,000 searches.

It is impossible to count the number of Americans whose calls, emails, and texts are subject to surveillance under 702, the government claims, arguing that any attempt to reach an accurate figure would only further imperil the privacy of the Americans it surveils.

Congress is currently divided into two factions: those who believe the FBI should be required to get a warrant before reading or listening to the communications of Americans collected under 702, and those who say warrants are too burdensome a requirement to impose on investigations of national security threats.

A Breakthrough Online Privacy Proposal Hits Congress

Congress may be closer than ever to passing a comprehensive data privacy framework after key House and Senate committee leaders released a new proposal on Sunday.

The bipartisan proposal, titled the American Privacy Rights Act, or APRA, would limit the types of consumer data companies can collect, retain, and use to what they need to operate their services. Users would also be allowed to opt-out of targeted advertising and have the ability to view, correct, delete, and download their data from online services. The proposal would also create a national registry of data brokers, and force those companies to allow users to opt out of having their data sold.

“This landmark legislation gives Americans the right to control where their information goes and who can sell it,” Cathy McMorris Rodgers, House Energy and Commerce Committee chair, said in a statement on Sunday. “It reins in Big Tech by prohibiting them from tracking, predicting, and manipulating people’s behaviors for profit without their knowledge and consent. Americans overwhelmingly want these rights, and they are looking to us, their elected representatives, to act.”

Congress has tried to put together a comprehensive federal law protecting user data for decades. Lawmakers have remained divided, though, on whether that legislation should prevent states from issuing tougher rules, and whether to allow a “private right of action” that would enable people to sue companies in response to privacy violations.

In an interview with the Spokesman Review on Sunday, McMorris Rodgers claimed that the draft’s language is stronger than any active laws, seemingly as an attempt to assuage the concerns of Democrats who have long fought attempts to preempt preexisting state-level protections. APRA does allow states to pass their own privacy laws related to civil rights and consumer protections, among other exceptions.

In the previous session of Congress, the leaders of the House Energy and Commerce Committees brokered a deal with Roger Wicker, the top Republican on the Senate Commerce Committee, on a bill that would preempt state laws with the exception of the California Consumer Privacy Act and the Biometric Information Privacy Act of Illinois. That measure, titled the American Data Privacy and Protection Act, also created a weaker private right of action than most Democrats were willing to support. Cantwell refused to support the measure, instead circulating her own draft legislation. The ADPPA hasn’t been reintroduced, but APRA was designed as a compromise.

“I think we have threaded a very important needle here,” Cantwell told the Spokesman Review. “We are preserving those standards that California and Illinois and Washington have.”

APRA includes language from California’s landmark privacy law allowing people to sue companies when they are harmed by a data breach. It also provides the Federal Trade Commission, state attorneys general, and private citizens the authority to sue companies when they violate the law.

The categories of data that would be impacted by the APRA include certain categories of “information that identifies or is linked or reasonably linkable to an individual or device,” according to a Senate Commerce Committee summary of the legislation. Small businesses—those with $40 million or less in annual revenue and limited data collection—would be exempt under APRA, with enforcement focused on businesses with $250 million or more in yearly revenue. Governments and “entities working on behalf of governments” are excluded under the bill, as are the National Center for Missing and Exploited Children and, apart from certain cybersecurity provisions, “fraud-fighting” nonprofits.

US representative Frank Pallone, the top Democrat on the House Energy and Commerce Committee, called the draft “very strong” in a Sunday statement, but said he wanted to “strengthen” it with tighter child safety provisions.

Still, it remains unclear whether APRA will receive the necessary support for approval. On Sunday, committee aides said that conversations on other lawmakers signing onto the legislation are ongoing. The current proposal is a “discussion draft”; while there’s no official date for introducing a bill, Cantwell and McMorris Rodgers will likely shop around the text to colleagues for feedback over the coming weeks, and plan to send it to committees this month.

The Incognito Mode Myth Has Fully Unraveled

If you still hold any notion that Google Chrome’s “Incognito mode” is a good way to protect your privacy online, now’s a good time to stop.

Google has agreed to delete “billions of data records” the company collected while users browsed the web using Incognito mode, according to documents filed in federal court in San Francisco on Monday. The agreement, part of a settlement in a class action lawsuit filed in 2020, caps off years of disclosures about Google’s practices that shed light on how much data the tech giant siphons from its users—even when they’re in private-browsing mode.

Under the terms of the settlement, Google must further update the Incognito mode “splash page” that appears anytime you open an Incognito mode Chrome window after previously updating it in January. The Incognito splash page will explicitly state that Google collects data from third-party websites “regardless of which browsing or browser mode you use,” and stipulate that “third-party sites and apps that integrate our services may still share information with Google,” among other changes. Details about Google’s private-browsing data collection must also appear in the company’s privacy policy.

Additionally, some of the data that Google previously collected on Incognito users will be deleted. This includes “private-browsing data” that is “older than nine months” from the date that Google signed the term sheet of the settlement last December, as well as private-browsing data collected throughout December 2023. Certain documents in the case referring to Google’s data collection methods remain sealed, however, making it difficult to assess how thorough the deletion process will be.

Google spokesperson Jose Castaneda says in a statement that the company “is happy to delete old technical data that was never associated with an individual and was never used for any form of personalization.” Castaneda also noted that the company will now pay “zero” dollars as part of the settlement after earlier facing a $5 billion penalty.

Other steps Google must take will include continuing to “block third-party cookies within Incognito mode for five years,” partially redacting IP addresses to prevent re-identification of anonymized user data, and removing certain header information that can currently be used to identify users with Incognito mode active.

The data-deletion portion of the settlement agreement follows preemptive changes to Google’s Incognito mode data collection and the ways it describes what Incognito mode does. For nearly four years, Google has been phasing out third-party cookies, which the company says it plans to completely block by the end of 2024. Google also updated Chrome’s Incognito mode “splash page” in January with weaker language to signify that using Incognito is not “private,” but merely “more private” than not using it.

The settlement’s relief is strictly “injunctive,” meaning its central purpose is to put an end to Google activities that the plaintiffs claim are unlawful. The settlement does not rule out any future claims—The Wall Street Journal reports that the plaintiffs’ attorneys had filed at least 50 such lawsuits in California on Monday—though the plaintiffs note that monetary relief in privacy cases is far more difficult to obtain. The important thing, the plaintiffs’ lawyers argue, is effecting changes at Google now that will provide the greatest, immediate benefit to the largest number of users.

Critics of Incognito, a staple of the Chrome browser since 2008, say that, at best, the protections it offers fall flat in the face of the sophisticated commercial surveillance bearing down on most users today; at worst, they say, the feature fills people with a false sense of security, helping companies like Google passively monitor millions of users who’ve been duped into thinking they’re browsing alone.

Apple’s iMessage Encryption Puts Its Security Practices in the DOJ’s Crosshairs

The argument is one that some Apple critics have made for years, as spelled out in an essay in January by Cory Doctorow, the science fiction writer, tech critic, and coauthor of Chokepoint Capitalism. “The instant an Android user is added to a chat or group chat, the entire conversation flips to SMS, an insecure, trivially hacked privacy nightmare that debuted 38 years ago—the year Wayne’s World had its first cinematic run,” Doctorow writes. “Apple’s answer to this is grimly hilarious. The company’s position is that if you want to have real security in your communications, you should buy your friends iPhones.”

In a statement to WIRED, Apple says it designs its products to “work seamlessly together, protect people’s privacy and security, and create a magical experience for our users,” and it adds that the DOJ lawsuit “threatens who we are and the principles that set Apple products apart” in the marketplace. The company also says it hasn’t released an Android version of iMessage because it couldn’t ensure that third parties would implement it in ways that met the company’s standards.

“If successful, [the lawsuit] would hinder our ability to create the kind of technology people expect from Apple—where hardware, software, and services intersect,” the statement continues. “It would also set a dangerous precedent, empowering government to take a heavy hand in designing people’s technology. We believe this lawsuit is wrong on the facts and the law, and we will vigorously defend against it.”

Apple has, in fact, not only declined to build iMessage clients for Android or other non-Apple devices, but actively fought against those who have. Last year, a service called Beeper launched with the promise of bringing iMessage to Android users. Apple responded by tweaking its iMessage service to break Beeper’s functionality, and the startup called it quits in December.

Apple argued in that case that Beeper had harmed users’ security—in fact, it did compromise iMessage’s end-to-end encryption by decrypting and then re-encrypting messages on a Beeper server, though Beeper had vowed to change that in future updates. Beeper cofounder Eric Migicovsky argued that Apple’s heavy-handed move to reduce Apple-to-Android texts to traditional text messaging was hardly a more secure alternative.

“It’s kind of crazy that we’re now in 2024 and there still isn’t an easy, encrypted, high-quality way for something as simple as a text between an iPhone and an Android,” Migicovsky told WIRED in January. “I think Apple reacted in a really awkward, weird way—arguing that Beeper Mini threatened the security and privacy of iMessage users, when in reality, the truth is the exact opposite.”

Even as Apple has faced accusations of hoarding iMessage’s security properties to the detriment of smartphone owners worldwide, it’s only continued to improve those features: In February it upgraded iMessage to use new cryptographic algorithms designed to be immune to quantum codebreaking, and last October it added Contact Key Verification, a feature designed to prevent man-in-the-middle attacks that spoof intended contacts to intercept messages. Perhaps more importantly, it’s said it will adopt the RCS standard to allow for improvements in messaging with Android users—although the company did not say whether those improvements would include end-to-end encryption.