Tag Archives: US

Microsoft battles US over warrant for drugs case emails

Microsoft is returning to court to continue its fight against the US government’s demand that it hand over emails stored at an Irish data centre.

The messages involved are alleged to contain details of narcotics sales.

In 2014, a court ruled in favour of the government’s claim that because it had jurisdiction over the US-based company, it could force it to hand over data it controlled, even if stored abroad.

But Microsoft suggests that would put it in breach of privacy laws.

Instead, the company argues that the US “must respect the sovereignty of other countries” and has indicated that Washington should use legal assistance treaties if it wants access to information held in Ireland and other data centres outside the United States.

Ireland has already said that it would consider such a request “expeditiously”.

So, the stand-off is being viewed as a test case that will determine the extent of the US government’s powers over tech companies that offer cloud-based services.

EmailsImage copyrightThinkstock
Image captionThe case involves emails alleged to contain details of illegal trade of narcotics

Apple, Amazon, HP, eBay, AT&T, Verizon and Salesforce are among US companies that have voiced support for Microsoft’s appeal.

“They think they have already lost quite a lot of business in Europe over monitoring and surveillance concerns, and they are afraid it will get worse if there is a perceived carte blanche for the US authorities to access emails stored abroad,” said Carsten Caspar, from tech consultancy Gartner.

“The EU has stronger privacy requirements, at least on paper, compared with other parts of the world, so tensions between the US and Europe are highest. But other countries are also concerned by US access to foreign records.”

‘Open floodgate’

Microsoft says that it wants to ensure people can “trust the technology on their desks and in their pockets”.

“If the US government is permitted to serve warrants on tech companies in the United States and obtain people’s emails in any country, it will open the floodgate for other countries to serve warrants on tech companies for the private communications of American citizens that are stored in the United States in a data centre owned by a foreign company,” the company’s lawyer Brad Smith recently told the Council on Foreign Relations think tank.

“Imagine the immediate implications for journalists, advocacy organisations, or government officials here.”

Microsoft logoImage copyrightGetty Images
Image captionMicrosoft says the US government needs to balance privacy and national security

However, federal prosecutors involved in the case note that it “typically takes months” to obtain information via treaty requests, while warrants issued directly to US companies can be handled much more quickly.

They add that Microsoft’s system of storing data where customers say they are based is open to abuse.

“A criminal user can easily manipulate such a policy to evade the reach of US law enforcement by the simple expedient of giving false residence,” they state in court papers.

And they add that, anyway, US-based bodies have a legal obligation to comply with warrants issued under the Stored Communications Act, regardless of where the related electronic records are kept.

“With the benefits of corporate citizenship in the United States come corresponding responsibilities, including the responsibility to comply with a disclosure order issued by a US court,” they wrote.

“Microsoft should not be heard to complain that doing so might harm its bottom line.”

Microsoft’s lawyer has said that if it loses the appeal, he will try to take the matter “all the way to the Supreme Court”.

Tagged , , , , , , ,

US spy chief James Clapper highlights cyber threats

US intelligence agencies have placed cyber attacks from foreign governments and criminals at the top of their list of threats to the country.

Online assaults would increasingly undermine US economic competitiveness and national security, said Director of National Intelligence James Clapper.

A report issued by his office said Russia’s military was setting up a cyber command to carry out attacks.

The report also describes China, Iran and North Korea as leading threats.

In testimony to a congressional committee on Thursday, Mr Clapper said he no longer believed the US faced “cyber Armageddon”.

The idea that major infrastructure such as financial networks or power grids could be disabled by hackers now looked less probable, he said.

However he warned: “We foresee an ongoing series of low-to-moderate level cyber attacks from a variety of sources over time, which will impose cumulative costs on US economic competitiveness and national security.”

Mr Clapper highlighted the case of Russia, which he said posed the greatest a cyber risk to US interests. He said that threat from the Russian government was “more severe” than previously realised.

He also said profit-minded criminals and ideologically driven hackers were also increasingly active.

Director of National Intelligence James Clapper testifies on Capitol Hill in Washington, Thursday, Feb. 26, 2015Director of National Intelligence James Clapper said moderate attacks were the biggest threat
Movie posters for the premiere of the film 'The Interview' at The Theatre at Ace Hotel in Los Angeles, California on December 11, 2014. Hollywood film “The Interview” was embroiled in the fallout of a hack attack last year

Over the past year there have been a series of high-profile cyber attacks against US targets.

North Korea was accused of being behind the theft of a huge data cache from Sony Pictures in November.

Mr Clapper also mentioned the example of an alleged Iranian attack on the Las Vegas Sands Casino Corporation last year.

Meanwhile in January the Twitter and YouTube accounts of the US military command were hacked by a group claiming to back Islamic State (IS).

During the hearing, Mr Clapper acknowledged that the US had its own “offensive capabilities”.

In 2010 Iran experienced a cyber attack on its nuclear program. Tehran accused Israel and the US of planting malware.

Tagged , , , , , ,

SIM card maker Gemalto wants answers on alleged hacks by US, UK spies

Gemalto says it’s looking into a report that its SIM card encryption keys were hacked by the NSA and British surveillance agency GCHQ.

Did the US and UK hack their way into SIM cards used in mobile phones? That’s the question one SIM card maker is trying to investigate.

Dutch company Gemalto manufactures SIM cards for mobile phones, which it sells to around 450 carriers throughout the world, including AT&T, Verizon, T-Mobile and Sprint. The cards certain personal and normally secure information, including your phone number, billing information, contacts and text messages. These cards are protected by encryption keys to resist hacking.

But a story published Thursday by The Intercept claims that a joint unit of spies from the US’s National Security Agency and the UK’s Government Communications Headquarters, or GCHQ, hacked into the internal network of Gemalto and stole the encryption keys used to secure the company’s SIM cards. If true, that means the agencies would’ve been able to access personal data and tap into mobile phone voice and data communications from users around the world. Citing documents from former NSA contractor-turned-whistleblower Edward Snowden, the publication — founded by Glenn Greenwald, the journalist through whom Snowden’s revelations first were channeled — said the hacking occurred in 2010 and 2011.

The issue of government surveillance has been an undercurrent of concern over the two decades since the Internet began to become a part of everyday life for businesses and private citizens. But those worries exploded into a mainstream matter after Snowden’s first revelations two years ago, and others have taken up the torch. Just last week, for instance, security company Kaspersky raised a red flag over reports that the NSA can infect hard drives with surveillance software to spy on computers.

Reacting to the claims about its SIM cards, Gemalto issued a statement Friday saying that it is looking into the matter.

“We take this publication very seriously and will devote all resources necessary to fully investigate and understand the scope of such sophisticated techniques,” the company said. “We cannot at this early stage verify the findings of the publication and had no prior knowledge that these agencies were conducting this operation.”

Gemalto’s stock dove around 10 percent in early trading after The Intercept reported the hack.

But Gemalto wasn’t the only target, according to The Intercept, saying that the goal was to hit as many mobile phones as possible. The overall aim was to spy on mobile communications without the consent or knowledge of users or mobile carriers, The Intercept added. Calling itself the “world leader in digital security,” Gemalto said that it has detected and mitigated other hacking attempts over the years but for now can’t prove any link between the past attempts and the one reported by The Intercept.

“I’m disturbed, quite concerned that this has happened,” Paul Beverly, a Gemalto executive vice president, told The Intercept. “The most important thing for me is to understand exactly how this was done, so we can take every measure to ensure that it doesn’t happen again, and also to make sure that there’s no impact on the telecom operators that we have served in a very trusted manner for many years. What I want to understand is what sort of ramifications it has, or could have, on any of our customers.”

Tagged , , , , , , , , , ,

GCHQ censured over sharing of internet surveillance data with US

UK surveillance agency GCHQ has been officially censured for not revealing enough about how it shares information with its American counterparts.

The Investigatory Powers Tribunal said GCHQ failed until December 2014 to make clear enough details of how it shared data from mass internet surveillance.

It was the IPT’s first ruling against an intelligence agency in its 15-year history.

The Home Office said the government was “committed to transparency”.

In December the IPT ruled that the system of UK intelligence collection did not breach the European Convention of Human Rights, following a complaint by campaign groups including Privacy International and Liberty.

But the tribunal has now ruled that the system did “contravene” human rights law – until extra information was made public in December.

In its disclosures in December, GCHQ said UK intelligence services were “permitted” to request information gathered by Prism and Upstream – US surveillance systems which can collect information on “non-US persons”.

It said a warrant was usually needed to make such a request, and information would only be sought in “exceptional circumstances” – and this had “not occurred” at the time the statement was made.

Before December, the IPT said: “The regime governing the soliciting, receiving, storing and transmitting by UK authorities of private communications of individuals located in the UK, which have been obtained by US authorities pursuant to Prism and… Upstream, contravened articles 8 or 10 [of the European Convention of Human Rights].”

Article 8 is the right to privacy, article 10 the right to freedom of expression.

The agency is now compliant, the tribunal said.


Edward SnowdenEdward Snowden revealed extensive surveillance by US intelligence

By Clive Coleman, BBC legal affairs correspondent

Since the revelations from Edward Snowden, the former US National Security Agency analyst and whistle-blower, there has been increased concern about the mass collection of personal communications data.

To be in accordance with the law, rules for intercepting data from private communications between people by way emails, phones, etc, have to be clear, accessible and publicly available.

Up until the hearing before the IPT last year, they weren’t.

It was only because the security services disclosed documents about their procedures, which had not previously been publicly available, that interception has become lawful.

Some remain unhappy with the regime for the collection of data, but the public now has access to more information about how the security services go about activities which the tribunal has described as “below the waterline”.


James Welch, legal director for Liberty, said: “We now know that, by keeping the public in the dark about their secret dealings with the National Security Agency, GCHQ acted unlawfully and violated our rights.

“That their activities are now deemed lawful is thanks only to the degree of disclosure Liberty and the other claimants were able to force from our secrecy-obsessed government.”

He said they disagreed with the ruling that GCHQ was now compliant and would fight it in the European Court of Human Rights.

‘Historic victory’

Eric King, deputy director of Privacy International, said: “We must not allow agencies to continue justifying mass surveillance programs using secret interpretations of secret laws.”

He said the ruling was a “vindication” of the actions of Edward Snowden, the former US intelligence analyst who revealed details about UK and US surveillance practices.

Rachel Logan, of Amnesty International – another of the groups which brought the complaint – said the government had been “rumbled” and the IPT ruling was a “historic victory in the age-old battle for the right to privacy and free expression”.

“Governments around the world are becoming increasingly greedy and unscrupulous in the way they sweep up and use our personal information,” she said.

“This is about showing that the law exists to keep the government spooks in check.”

A Home Office spokesman said: “[The government] has made public more detail than ever before about the work of the security and intelligence agencies, including through the publication of statutory codes of practice.

“We have now made public the detail of the safeguards that underpin requests to overseas governments for support on interception.”

A Downing Street spokeswoman said the judgment did not require GCHQ to change its operations.

The IPT is a court which investigates complaints of “unlawful use of covert techniques by public authorities” which breach human rights.

data surveillance

What are Prism and Upstream?

Prism is a mass surveillance system launched in 2007 by the US National Security Agency (NSA).

It allows the organisation to “receive” data held by a range of US internet firms, and was designed to overcome earlier “constraints” in counterterrorism data collection, according to a leaked presentation dated April 2013.

That data apparently includes emails, video clips, photos, voice and video calls, social networking details, and logins.

Companies and internet services it mines include Microsoft, Skype, Google, YouTube, Yahoo, and Facebook, the leaked information suggests.

Upstream is the “collection of communications on fibre cables and infrastructure as data flows past”, according to an NSA document.

The implication is that the agency is able to obtain and study communications without having to request the information from internet companies, using its Prism programme.

Tagged , , , , , ,

FBI warns that Anonymous has hacked US government sites for a year

Official memo says that activist collective launched a rash of electronic break-ins beginning last December


Activist hackers linked to the collective known as Anonymous have secretly accessed US government computers and stolen sensitive information in a campaign that began almost a year ago, the FBI warned this week.

The hackers exploited a flaw in Adobe Systems Inc’s software to launch a rash of electronic break-ins that began last December, the FBI said in a memo seen by Reuters, then left “back doors” to return to many of the machines as recently as last month.

The news comes a day after an Anonymous activist received a 10-year sentence for his role in releasing thousands of emails from the private intelligence firm Stratfor. On Friday Jeremy Hammond told a Manhattan court he had been directed by an FBI informant to break into the official websites of several governments around the world.

Hammond, who called his sentence a”vengeful, spiteful act”, said of his prosecutors: “They have made it clear they are trying to send a message to others who come after me. A lot of it is because they got slapped around, they were embarrassed by Anonymous and they feel that they need to save face.”

He also said the FBI had directed his attacks on foreign websites: “The government celebrates my conviction and imprisonment, hoping that it will close the door on the full story. I took responsibility for my actions, by pleading guilty, but when will the government be made to answer for its crimes?”

The FBI memo about the Adobe Systems attacks, which was distributed on Thursday, described the attacks as “a widespread problem that should be addressed”. It said the breach affected the US army, Department of Energy, Department of Health and Human Services, and perhaps many more agencies.

Officials said the hacking was linked to the case of Lauri Love, a British resident indicted on 28 October for allegedly hacking into computers at the Department of Energy, army, Department of Health and Human Services, the US Sentencing Commission and elsewhere. Investigators believe the attacks began when Love and others took advantage of a security flaw in Adobe’s ColdFusion software, which is used to build websites.

Investigators are still gathering information on the scope of the cyber campaign, which the authorities believe is continuing. The FBI document tells system administrators what to look for to determine if their systems are compromised.

An FBI spokeswoman declined to elaborate.

According to an internal email from Kevin Knobloch, chief of staff to the energy secretary, Ernest Moniz, the stolen data included personal information on at least 104,000 employees, contractors, family members and others associated with the Department of Energy, along with information on almost 2,0000 bank accounts. The email, dated 11 October, said officials were “very concerned” that the loss of the banking information could lead to thieving attempts.

An Adobe spokeswoman, Heather Edell, said she was not familiar with the FBI report. She added that the company has found that the majority of attacks involving its software have exploited programs that were not updated with the latest security patches.

The Anonymous group is a collective that conducts multiple hacking campaigns at any time, some with a few participants and some with hundreds. Its members have disrupted eBay Inc’s PayPal after it stopped processing donations to the anti-secrecy site Wikileaks. Anonymous has also launched more sophisticated attacks against Sony Corp and the security firm HBGary Federal.

Some of the breaches and stolen data in the latest campaign had previously been publicised by people who identify with Anonymous, as part of what the group dubbed “Operation Last Resort”. Among other things, the campaigners said the operation was in retaliation for overzealous prosecution of hackers, including the lengthy penalties sought for Aaron Swartz, a well-known computer programmer and internet activist who killed himself before a trial over charges that he illegally downloaded academic journal articles from a digital library known as JSTOR.

Despite the earlier disclosures, “the majority of the intrusions have not yet been made publicly known,” the FBI wrote. “It is unknown exactly how many systems have been compromised, but it is a widespread problem that should be addressed.”

Tagged , , , , , ,