Nextgov/FCW - Authors - Brian Fung

Analysis: Senate Cybersecurity Bill Is Uncontroversial but Also Unambitious

Brian Fung, National Journal — Fri, 12 Jul 2013 15:27:48 -0400

While President Obama was busy shooting down the House Intelligence Committee's cybersecurity bill for the second year in a row, the Senate was quietly working on a bill of its own. After months of talks, a draft of the legislation has finally come out—and it looks nothing like the much-reviled House version. But that doesn't mean it's any better.

The 25-page document circulated by Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., details a handful of things. It formally codifies a project by the National Institute of Standards and Technology to draw up voluntary cyberguidelines for businesses. It calls for a national research program to study the country's electronic vulnerabilities, and for the development of secure ways of dealing with them. And it proposes a nationwide public-awareness campaign to teach Americans about cybersecurity. (After all, only you can prevent cyberinvasions!)

There are two ways to look at this. The first is that it accomplishes a lot of the boring work that needs to get done in order for the country to tackle cybersecurity with any level of competency. Take the part of the bill that funds educational programs like cyber-focused competitions, scholarships, and internships as a way to meet the enormous demand for American cyberwarriors. Without those employees, it won't matter how committed business leaders are to protecting their networks. Manpower is a prerequisite.

But the Senate proposal also avoids most of the harder—and more significant—questions. As Adam Segal, a cybersecurity expert at the Council on Foreign Relations, told National Journal, the discussion draft "looks pretty limited." It doesn't lay out any new rules on when a company has to admit it has been hacked or when user data like e-mail and passwords have been compromised, something the European Union is trying to figure out right now. It doesn't weigh in on giving companies liability protection in exchange for adopting NIST's voluntary cybersecurity guidelines—something businesses have repeatedly asked for, but Sen. Rockefeller has resisted. And it doesn't grant businesses greater flexibility to share information about online threats with each other and with the government.

The latter two are things the White House, recognizing the boundaries of its authority, specifically asked Congress to address on its own when Obama unveiled a landmark executive order on cybersecurity in February. At that point, administration officials insisted that the presidential directive was merely a "down payment" on legislation.

So far, that down payment has bought two different legislative strategies from Congress. In the House, the Intelligence Committee simply re-upped the Cyber Intelligence Sharing and Protection Act, a bill that drives directly at information-sharing but drew loud complaints from civil libertarians over its potential for privacy violations. This strategy gets right to the point, but pushing it through will be a slog for everybody.

By contrast, the Senate has shied away from controversy. That's led to provisions in the proposed bill that call for, for instance, studies of educational curricula so that we might someday institute bettereducational curricula. Everyone can get behind education—but tweaking higher ed at the margins doesn't really match the rising level of apocalyptic rhetoric in Washington.

The Senate's recommendation that NIST develop voluntary standards is itself a rehash of what's contained in Obama's executive order, although a Commerce Committee source said codifying it into law would be helpful if the executive order ever expired.

In fairness, it's just a first draft.

"It’s a start," said James Lewis, a cybersecurity expert at the D.C.-based Center for Strategic and International Studies. "A good placeholder until something more immediately meaningful can be passed."

A markup is coming later this month. But unless that process leads to significant additions, the Senate bill might turn out to aim fairly low.

]]>

Edward Snowden Says He Wants to Stay in Russia, for Now

Brian Fung, National Journal — Fri, 12 Jul 2013 15:23:18 -0400

Edward Snowden intends to apply for asylum in Russia, according to Human Rights Watch's Tanya Lokshina. For the past half-hour, Lokshina has been meeting with Snowden—along with members of a handful of other human-rights organizations—in his first public appearance since fleeing to Moscow.

Snowden said he had received a formal offer of asylum from Venezuela and hoped eventually to wind up there. But because of his travel limitations, for now he's looking to stay put.

Russian President Vladimir Putin earlier this month said Snowden was welcome to stay as long as he stopped leaking classified information, a condition that Snowden rejected out of hand.

"I remain free and able to publish information that serves the public interest," he wrote in on July 2.

In recent weeks, Russia seemed to be putting pressure on Snowden to leave, with a high-ranking lawmaker urging him to accept Venezuela's offer of asylum. Days later, the member of parliament, Alexei Pushkov, tweeted that Snowden had in fact accepted the offer—and then promptly deleted the tweet, setting off speculation over Snowden's intentions.

According to Ellen Barry of The New York Times, Snowden seems aware that his fate depends on not crossing Putin again:

"No actions I take or plan are meant to harm the US," Snowden says, so Putin's condition poses no obstacle, @TanyaLokshina @hrw reports
— Ellen Barry (@EllenBarryNYT) July 12, 2013

More to come.

Update: WikiLeaks has released the full statement read by Snowden during the meeting. In part:

I announce today my formal acceptance of all offers of support or asylum I have been extended and all others that may be offered in the future. With, for example, the grant of asylum provided by Venezuela’s President Maduro, my asylee status is now formal, and no state has a basis by which to limit or interfere with my right to enjoy that asylum. As we have seen, however, some governments in Western European and North American states have demonstrated a willingness to act outside the law, and this behavior persists today. This unlawful threat makes it impossible for me to travel to Latin America and enjoy the asylum granted there in accordance with our shared rights.

This willingness by powerful states to act extra-legally represents a threat to all of us, and must not be allowed to succeed. Accordingly, I ask for your assistance in requesting guarantees of safe passage from the relevant nations in securing my travel to Latin America, as well as requesting asylum in Russia until such time as these states accede to law and my legal travel is permitted. I will be submitting my request to Russia today, and hope it will be accepted favorably.

]]>

The IRS Mistakenly Exposed Thousands of Social Security Numbers

Brian Fung, National Journal — Mon, 08 Jul 2013 16:47:15 -0400

Another day, another slipup by the Internal Revenue Service.

The incident involves the unwitting exposure of "tens of thousands" of Social Security numbers, according to a recent audit by the independent transparency and public-domain group Public.Resource.org. The identifying numbers were on the Internet for less than 24 hours after being discovered, but the damage was done. And unfortunately, the data-breach concerns some of the most sensitive types of transactions: Those made by nonprofit political groups known as 527s.

Every so often, 527s have to file tax forms to the IRS, which then get added to a database. The database itself is hardly a secret; the IRS has been sending updated records routinely to Public.Resource.org and other public-interest groups, and it's a favorite among political reporters. But when the IRS told the group's founder, Carl Malamud, to disregard the Form 990-Ts included in the agency's January release, he took a closer look at the files in question.

After analyzing the breach, Malamud wrote a letter to the IRS pointing out 10 instances where a social security number was accidentally revealed on the government's website—just a small sample of the larger breach.

Just the day before, Malamud had filed another letter to the agency describing a problem with the 990-Ts. Of over 3,000 tax returns contained in the January update, 319 contained sensitive data the agency should have scrubbed, Malamud wrote in the July 1 report that he filed to the inspector general's office. In that mixup, some 2,319 social security numbers—perhaps more—were revealed.

To determine the extent of the exposure, we’ve analyzed our logs and have also analyzed the data received from the IRS. We maintain a privacy registry based on any clicks made on the privacy cover sheet on the top of each return. That registry indicates that 8 clicks were made from 4 unique IP addresses. However, none of those resulted in privacy complaints and could have been made by an automated process.

In addition, we examined our FTP and HTTP logs. We only maintain a 7-day window for HTTP logs and did not see any HTTP-based access that was not from a search engine crawler. For the FTP logs (which indicates bulk download activity), we did not see extensive activity for the January directory, but it was clear that at least one copy of the DVD ISO image (the image of the original DVD) had been transferred.

Public.Resource.org took down its copy of the compromised 990-Ts and replaced them with a clean version that the IRS had sent. But it was another day before ~~"senior White House officials"~~ the IRS removed the files from public view on their end, on July 3.

Calling the IRS's efforts at data security "unprofessional and amateur," Public.Resource.org isrequesting that the IRS shut down the entire 527 database to prevent further lapses. In an email, Malamud told me that the IRS has, in fact, shut down the database—but that it should also reopen it as soon as possible in the interest of transparency.

In May, the IRS drew fire for singling out conservative political groups for greater scrutiny, leading to the resignation of the agency's acting director and sparking a slew of congressional hearings.

I've called the IRS for comment, and I'll update if I hear anything.

Update: An earlier version of this post didn't make sufficiently clear the distinction between the 990-Ts and the 527 database, which are each the source of separate, if similar, problems. Both the tax documents and the database revealed social security numbers; the IRS sent Public.Resource.org a clean copy of the first but didn't fix the second until Malamud contacted the agency.

]]>

Everything Gmail Knows About You and Your Friends

Brian Fung, National Journal — Mon, 08 Jul 2013 12:27:30 -0400

When Google hands over e-mail records to the government , it includes basic envelope information, or metadata, that reveals the names and e-mail addresses of senders and recipients in your account. The feds can then mine that information for patterns that might be useful in a law-enforcement investigation.

What kind of relationships do they see in an average account? Thanks to the researchers at the Massachusetts Institute of Technology Media Lab , now you can find out. They've developed a tool called Immersion that taps into your Gmail and displays the results as an interactive graphic. (That's mine, above).

The chart depicts all of your contacts as nodes, and the gray lines between those nodes represent connections between people by e-mail. The larger the circle, the more prominent that person is in your digital life.

A word of warning for the privacy conscious: To use the service, you need to give MIT permission to analyze your e-mail metadata. Once you've done so, it'll take a few minutes to compile everything. When you're done, you're given the option to delete your metadata from MIT's servers.

What you see in my chart are five and a half years' worth of e-mails. The yellow circles indicate family and close family friends. All of my college friends are in red, and my D.C. friends are in green. Blue nodes denote my colleagues at The Atlantic; pink, my coworkers at National Journal; and gray, people who generally don't share connections with the other major networks in my life.

In all, MIT counted 606 "collaborators" in my inbox, totaling some 83,000 e-mails. But you can also break down that data by year, month, or even the past week. Pretty amazing stuff—and a good reminder not only how much information Google knows about you, but what that information can uncover about other people . If you can learn this much just from looking at one account, imagine what crunching hundreds or thousands of interconnected accounts must be like.

Source: MIT

]]>

The Number of Times We Could Blow Up the Earth Is Once Again a Secret

Brian Fung, National Journal — Mon, 01 Jul 2013 17:29:44 -0400

Collectively, Russia, China, the United States and the world's other nuclear-armed countries possess enough fissile material to blow up the planet many times over. Exactly how many times that is, however, became more of a mystery Monday.

At last count, in 2010 , the Pentagon revealed it was the proud owner of 5,113 all-American nuclear warheads. That's down from a high of more than 31,000 in the late 1960s.

How many nukes does the Defense Department have now?

This should have been an uncontroversial question, considering that just three years ago, the Pentagon was more than happy to oblige.

"Increasing the transparency of global nuclear stockpiles is important to non-proliferation efforts," read an unprecedented agency report on the size of the U.S. strategic arsenal.

Non-proliferation experts hoped that the initial revelations would lead to further reports. But a recent Freedom of Information Act request for an updated number has since been summarily rejected . The number of active and inactive warheads in the U.S. strategic arsenal appears to have ducked behind the veil of secrecy once again, thanks to a part of the Atomic Energy Act that lets the government withhold the true size of its nuclear stockpile.

While the Federation of American Scientists—the group that filed the FOIA request—is invoking the act's declassification clause in an attempt to get Washington to talk, for now we're left guessing as to how many thousands of times this could happen:

]]>

Your TV Is Spying on You

Brian Fung, National Journal — Fri, 28 Jun 2013 08:45:12 -0400

Political messaging is moving back to the living room.

After an election in which Internet tactics seemed to captivate the public, political strategists are turning—or perhaps more accurately, returning—their attention to television advertising. TV isn’t sexy. Or at least, it hasn’t been lately. But with coming developments in user tracking and Internet-ready appliances, that’s going to change.

Even as more people ditch their traditional set-top boxes for online options like Netflix, Americans are actually watching more TV than they used to. In 2012, the average household spent 2 hours and 50 minutes consuming television, up 5 minutes from the previous year.

Quality content is partly behind the surge. So is our growing appetite for binge-watching. But, as Netflix’s famous gamble with House of Cards revealed, it’s behavioral data that has the biggest potential to keep our eyes glued to the screen. As a result, just as Web-browsing data came to the aid of political campaigns in the last electoral cycle, so will our television-watching habits in the next.

“There's going to be a marriage of the digital and the television, and that's going to be the future,” Republican strategist Sara Fagen told an audience at a conservative conference earlier this month. “That's where Republicans have an opportunity not just to catch the Democrats, but to leapfrog them.”

Current technology can determine how many people on Netflix skip the credits, replay sex scenes, or abandon episodes of Mad Men midway through. That information provides a general idea of people’s activities on the service. But it’s more of a proxy than anything else. It can’t tell you, for example, whether a viewer hit the pause button out of diminishing interest or because they needed more popcorn.

There’s a simple way to fix this, Fagen thinks, and it’s called Microsoft Kinect—the motion-activated video-game controller for Xbox. Fans of Kinect have hacked the device to accomplish all sorts of incredible things, so why not mash together its facial-recognition and motion-sensing abilities with a Netflix-like data-gathering operation?

What you'd wind up with, probably, is a pretty impressive viewer-feedback system. With it, you might learn whether your target was in the room the moment your ad aired. You might even be able to find out if they were actually watching, or if they were distracted and had their head turned away from the screen.

The first problem with this technology is that it’s obviously creepy. Then again, consumers put up with a lot of commercial behavior-tracking already; this might eventually become another extension of it.

Actually getting online databases to talk to real-world sensors will be another challenge. Such a merger of detection technology won’t be ready in time for 2014, or even for 2016. Progressive strategists, such as AFL-CIO’s Michael Podhorzer, agree. But perhaps by 2020, something like it might exist, Fagen said. It all depends on how quickly America adopts The Internet of Things .

Central to that future are mobile devices, which will allow people to control their thermostats, locks, refrigerators, and other appliances over the Web. Political advertisers are salivating over the idea, because it provides even more opportunities to talk to voters.

“People are always on the move, and they're consuming their media in many places and in many contexts,” said Podhorzer, a cofounder of the Analyst Institute. “During the days of broadcast media, you could put an ad on TV and be pretty sure that most people would see it. Now, you have to do a very multilayered approach that makes sure that not only are you reaching each voter you care about, but you're reaching them in multiple ways.”

This revelation has spurred some interesting experiments. Remember Lucas Baiano, the twenty-something ad maker behind all those political commercials that looked like movie trailers? Working with Sen. Mitch McConnell, R-Ky., Baiano recently designed an ad campaign that targeted the mobile devices of people within a 5-mile radius of the Kentucky Derby—a brilliant tactic. Targeting a particular demographic only gets you so close to the voter you're looking for. Add in a specific time and place where you know your targets will be, and you may as well be standing right next to them.

"Having a streamlined and linked system as a tool will only improve accuracy in political marketing," Baiano told me by email. "[Fagen] isn't too far off with her prediction."

Carrying on sustained conversations with voters over time yields far greater benefits to a campaign than a single interaction does. To maintain that kind of relationship with someone as they shift from tablet to phone to laptop and back again, campaigners need to be able to associate all three devices with the same owner, according to Scott Foernsler, a marketing executive at ValueClick.

Bringing digital strategy to TV advertising marks the first step of that process.

“You’ve got to talk to people the way they live,” Foernsler said.

(Image via Skylines/Shutterstock.com)

]]>

How Zombie Phones Could Create a Gigantic, Mobile Botnet

Brian Fung, National Journal — Wed, 26 Jun 2013 09:16:01 -0400

You've heard of the botnet — a collection of enslaved, malware-infested computers that act together to pump out spam and DDoS attacks, often unbeknownst to their owners. For the past decade, botnets have mostly been a problem for the PC world. But, according to a new report on mobile malware, it may not be long before we start seeing botnets built out of an increasingly sophisticated type of device: cell phones.

"It's only a matter of time before that's pervasive," said Karim Toubba, a vice president at Juniper Networks, the publisher of the study.

Google's Android operating system is by far the most vulnerable to outside attackers. Unlike Apple, which forces its iPhone apps through an infamously strict approval process before storing them in a single app store, Android phones are capable of downloading and installing apps from third-party websites.

As with Web browsing, visiting random sites and downloading software whose credentials you can't verify is a recipe for disaster. Yet many of us do it, even without realizing it. Ninety-two percent of the attacks detected by Juniper's mobile security research team last year took place on Android. The remaining 8 percent targeted smaller platforms like Windows Mobile, BlackBerry and Symbian.

It's not just malicious apps—or bugs in legitimate apps—that let attackers get through. Mobile operating systems themselves have vulnerabilities. Hackers sometimes will disguise a piece of malware as a valid system update. Once it's installed, the malware can run in the background, monitor a user's behavior, and report that activity to a central command-and-control machine.

From there, it's not a huge jump to turn a compromised device into a slave. We already know it's possible, because it happens all the time to desktops and laptops.

"The capabilities there are very similar," said Toubba, "to the underlying capabilities of the desktop operating system Linux."

Android could neutralize the vast majority of malware threats out there, the Juniper report said, if it made sure every one of its devices were running the latest version of the operating system. The problem is, even after Google makes updates to Android, the burden is on your wireless carrier to actually push the update to your phone. And they aren't doing it. More than a third of all Android devices haven't been updated since Feb. 2011. More than a quarter of Android devices haven't been updated since Dec. 2011.

When I asked Toubba whether carriers needed to do a better job of updating their customers' phones, he said simply that many were "taking these risks and these threats quite seriously."

]]>

Edward Snowden Realizes He Can't Live Without WikiLeaks

Brian Fung, National Journal — Mon, 24 Jun 2013 13:23:45 -0400

Edward Snowden may not have chosen to go the route of fellow Espionage Act indictee Bradley Manning by releasing sensitive National Security Agency documents through WikiLeaks. Part of that, he said, was because he wanted every single page vetted —not everything was to be revealed at once, and he trusted The Guardian 's Glenn Greenwald to do it.

But if the first act of Snowden's drama was to avoid WikiLeaks, the second that's now coming to light is just how much Snowden is reliant on the independent document clearinghouse.

WikiLeaks played a major role in helping Snowden evade detection once he left the United States. According to WikiLeaks founder Julian Assange, the organization's legal team helped draft Snowden's asylum applications to Iceland, Ecuador, and "possibly to other countries," although on a conference call Monday, Assange wouldn't say which. WikiLeaks also paid for Snowden's travel and legal assistance in Hong Kong.

Assange says Wikileaks paid for Snowden's travel and attorney in Hong Kong "No government or private organization assisted."
— Hunter Walker (@hunterw) June 24, 2013

"I instructed the organization to assist Mr. Snowden," Assange later added, "but I cannot go into further details at this stage."

Through a "well-connected" resident he had previously met on vacation there, Snowden was introduced to two local lawyers, Robert Tibbo and Jonathan Man. A third lawyer, Albert Ho, advised Snowden as well. Ho is a partner at one of Hong Kong's most powerful law firms.

Those services cannot have come cheaply. Nor does a next-day flight from Hong Kong to Moscow's Sheremetyevo International Airport, which costs over $700. Add in a ticket to Havana that wasn't even used , as well as the fact that Snowden was burning through between $200 and $700 of his personal cash every night in a luxury hotel for 22 days after he fled Hawaii, and the desperation of his dependence on WikiLeaks becomes clear.

Even if Snowden successfully evades capture, it's still unlikely he'll ever make enough money to compensate WikiLeaks for its help. But he could repay his benefactor in other ways. Asked whether WikiLeaks had acquired any of Snowden's classified documents for itself, Assange would only say that "of course" he would publish any files—if he had them.

]]>

You Know Who Else 'Inadvertently' Gathered Your Electronic Data?

Brian Fung, National Journal — Fri, 21 Jun 2013 15:24:08 -0400

Not long ago, when a Google Street View car came driving down your street, it wasn't just taking pictures to add to Google Maps—it was also scooping up information about local Wi-Fi networks as well as individual e-mail addresses and passwords. The privacy scandal led to formal investigations, international complaints—and in the United States, a $7 million fine from the Federal Trade Commission. Google maintains that the information was collected and stored inadvertently.

A British official Friday decided not to impose another monetary penalty on the company, but instead hasordered Google to delete any Street View data that remains in its possession.

On its own, this is pretty good news for privacy advocates. They might even be rejoicing right now—if not for the fact that we just spent the last month learning about an even bigger secret surveillance program run by the National Security Agency.

Google has 35 days to delete its data, or it will face criminal penalties.

On the other hand, NSA can hold your data for up to five years and never tell a soul.

It can keep "inadvertently acquired" data if it contains information about "threat of harm to people or property." It can listen in on U.S. citizens' phone calls or read their e-mails, without a warrant, as part of the process of determining whether said citizens fell unfairly into NSA's crosshairs.

As The New York Times noted Thursday, both NSA and Silicon Valley mine vast amounts of data to detect patterns; the only difference is one does it for intelligence and the other does it to make money.

But there's another difference The Timesdidn't mention. Despite functionally being in the same business, each organization is subject to radically different consequences if it breaches privacy protocols.

]]>

Can Silicon Valley Stand Up to Washington?

Brian Fung, National Journal — Fri, 21 Jun 2013 10:07:00 -0400

Watching Silicon Valley respond to the National Security Agency surveillance uproar has been a bit like watching Iron Man gear up for battle—countless screws whirring themselves into position; armored scales sliding closed; weapons charging; the menacing faceplate slamming solidly shut.

One after another, Apple, Facebook, Google, Microsoft and Yahoo have all shifted from playing defense—disavowing any knowledge of PRISM—to playing offense. While none are legally able to talk about PRISM’s specifics, the tech companies are not afraid to take aim at the culture of secrecy that created it. Their call for more government transparency, however, is at odds with the nation’s intelligence apparatus, a bureaucracy so big nobody knows how much it costs or how many people are in its employ.

Against that, what chance does Silicon Valley have?

Google won an early victory in March when it negotiated a deal with the government to print the number ofNational Security Letters it receives from law enforcement each year. The NSL figures that Google now lists in its transparency report are only a range, and the contents of the actual data requests are still secret. But if only a little, the move cracked some of the mystery.

Asking nicely seemed to work once. So now Google is trying again, filing a motion to the Foreign Intelligence Surveillance Court begging permission to disclose how many warrants for user data Google receives under the Foreign Intelligence Surveillance Act. But here’s where the Silicon Valley unity begins to break down. Not all of its peers agree with this strategy.

“This is likely to just slow the process down even more,” said one lawyer for a tech company involved in the process. “Anyone familiar with the state of play at this point knows that inserting a court motion into this process just means transparency … will take longer and be less likely in the end."

One reason Google’s latest bid may fail is that court orders from the FISC are classified, meaning that even if the FISC wanted to grant the company’s request, the Obama administration would have to declassify the information first. Some in Congress want to force the White House to do just that. But the success of that effort is far from guaranteed, and besides, given Obama’s reticence on the subject so far, it’d be foolish to expect him to sign it.

In the company’s defense, all it is asking for is the right to publish a number—not the actual court opinions—and as the Justice Department already tells the public how many FISA warrants it sends to everyone every year, breaking it down by company doesn’t seem like much more of an ask.

Unlike other high-profile battles over tech policy such as immigration or SOPA/PIPA, where lobbying dollars can sway votes, Silicon Valley’s financial reserves are not a reliable asset here. In the realm of the courts, the only currency that counts is a good argument. Fortunately for the tech companies, on their side is an organization whose specialty is suing the government.

Arguing that the NSA’s surveillance activity constitutes unreasonable search and seizure and a suppression of free-speech rights, the American Civil Liberties Union sued the agency last week. The formal complaint charges that Section 215 of the USA Patriot Act directly enabled the government’s violation of the First and Fourth Amendments.

The case’s future is uncertain. Laurence Tribe, the Harvard constitutional scholar and President Obama’s former mentor, told me that any Fourth Amendment challenge to the NSA would be “rendered difficult” by what’s known as the third-party doctrine, which says basic transactional data like phone numbers and credit-card purchases don’t enjoy the same privacy protections as other forms of information.

That could be problematic for Patrick Toomey, an ACLU attorney. Toomey said in a phone interview that the Fourth Amendment claim was “really one of the most significant claims here.”

But if it gets taken up, this case could also provide the momentum for a reinterpretation of the third-party doctrine in general, Tribe said. Critics of the doctrine believe that advances in communications technology have caused more and more transactional data to fall within its scope, widening the possibility of privacy violation.

It wasn’t long ago that tech companies had just one rule governing everything they did: Move fast and break things. (A second rule that’s since emerged speaks to the same principle: F**k it. Ship it.) Then they discovered that their mantra, while effective at producing ideas at a tremendous rate, had the side effect of disrupting other people’s rule sets—not necessarily a bad thing, but one that called for careful politics. As a result, the tech industry now spends upwards of $130 million a year on congressional lobbying, more than three times what it did in 1998.

But it’s what the tech world is doing in the judicial space that’s more interesting. Google’s petition, and the ACLU’s lawsuit, shed light on another facet of the increasingly complex dance between Silicon Valley and official Washington. Not since the Microsoft antitrust proceedings has so much nerd attention been focused on the courts (secret or otherwise).

(Image via Flickr user Kalexanderson)

]]>

Apple: iMessage and FaceTime Are Safe From the NSA's Prying Eyes

Brian Fung, National Journal — Mon, 17 Jun 2013 09:28:20 -0400

Apple has added its voice to a growing chorus of Silicon Valley companies calling on Washington for more transparency regarding its data-collection practices. In a statement released Monday, Apple disclosed new details about the requests for user information it fields from the government.

For the six months ending May 31, the company reported getting between 4,000 and 5,000 law-enforcement data requests, which altogether cover between 9,000 and 10,000 specific user accounts ("or devices," Apple says). Some fraction of that number is made up of FISA warrants and national security letters, but it's not clear how many or what the distribution looks like.

The firm also disclosed just what kind of data it does not make available to law enforcement—mainly, the end-to-end encrypted content Apple is unable to track, such as text and multimedia messages sent over Apple's iMessage service, as well as video chats using FaceTime.

"Similarly," Apple says, "we do not store data related to customers' location, Map searches, or Siri requests in any identifiable form."

On Friday, Microsoft revealed that the government asked for its customers' data between 6,000 and 7,000 times in the last six months of calendar-year 2012, implicating up to 32,000 accounts. The same day,Facebook said that it had received between 9,000 and 10,000 data requests over the same period, calling into question some 19,000 accounts on the service.

Google has yet to update its own transparency report with FISA data, though it does post the number of national security letters it gets from the government.

]]>

Is This PRISM 2.0?

Brian Fung, National Journal — Fri, 14 Jun 2013 16:29:14 -0400

The U.S. intelligence community has been working with "thousands" of companies in key sectors of the economy to trade sensitive information on cybersecurity, including classified data, in ways that go beyond the revelations dropped by National Security Agency leaker Edward Snowden earlier this month.

At least one of these companies, Microsoft, alerts the government to bugs in its own software products before it issues a public patch, according to Bloomberg News, allowing Washington to exploit those vulnerabilities in unpatched foreign systems for intelligence purposes:

Makers of hardware and software, banks, Internet security providers, satellite telecommunications companies, and many other companies also participate in the government programs. In some cases, the information gathered may be used not just to defend the nation but to help infiltrate computers of its adversaries.

Other information provided to the government includes metadata about which version of a given program a target computer may be running, knowledge that lets investigators hack in more easily. In exchange, Bloomberg reports, companies receive highly valuable classified information.

Companies may also be granting the government access to data stored on servers overseas—in which case, Washington doesn't need a Foreign Intelligence Surveillance Act court order.

Even before Snowden leaked his top secret slide deck on PRISM, we've always known that a program like the one Bloomberg describes has existed. The Homeland Security Department operates something called the Enhanced Cybersecurity Services, which is a voluntary information-sharing program that partners with the private sector. In February, the Obama administration publicly expanded the scope of ECS with a landmark executive order on cybersecurity.

In that directive, the president instructed ECS to cover "all" critical infrastructure sectors, as well as companies that "offer security services" to critical infrastructure operators.

The information-sharing identified by Bloomberg is not covered under the ECS program, a DHS official confirmed. If it was, then this would be nothing new and simply additional insight into a known process. The official wouldn't say whether the data-gathering is part of the PRISM program. If it is not, then that raises other questions. Some are already alleging that this is PRISM 2.0. I don't think we have the evidence for that just yet.

]]>

Analysis: Secret Intelligence Court Hardly Ever Says No

Brian Fung, National Journal — Thu, 13 Jun 2013 09:42:56 -0400

The secret court at the center of the National Security Agency surveillance debate has a bit of a reputation. It's supposed to act as a check on the executive, making sure it doesn't overstep its bounds when eavesdropping on terrorism suspects. In reality, the Foreign Intelligence Surveillance Courthardly ever says no to a request. Critics have called the court a "rubber stamp" that obeys the White House at every turn. The presiding judge on FISC, Reggie Walton, flatly denies it.

As if to prove his point, Walton has told the Justice Department that FISC has no authority to block a Freedom of Information Act request filed by privacy advocates.

Lawyers at the Electronic Frontier Foundation wanted to see copies of a government request to collect information on a foreign suspect on national security grounds. (To collect such data from businesses, terrorism investigators have to clear it with FISC first.) The Justice Department, meanwhile, shot back that the rules that govern the court prevent the release of the documents—and even if the rules allowed it, it wouldn't be up to FISC to decide, anyway.

Walton thinks that's bunk. In what's actually a rather amusing explanation if you sort through the legalese, the judge argues that previous cases give FISC every right to decide who gets access to "the Court's very own records and files."

The upshot, wrote Walton, is that unless something in the ordinary FOIA process gets in the way (something that's handled by the U.S. District Court for the District of Columbia, not FISC), transparency ought to win. This time.

Read the opinion in full here.

(Image via Andrey Burmakin/Shutterstock.com)

]]>

Leaker: NSA Has Been Snooping on China Since 2009

Brian Fung, National Journal — Wed, 12 Jun 2013 16:14:18 -0400

National Security Agency leaker Edward Snowden is contributing to Chinese complaints that the United States is engaged in acts of cyberespionage against Beijing.

Snowden, the 29-year-old former contractor for Booz Allen Hamilton, told the South China Morning Post that Washington has been monitoring "hundreds" of targets in Hong Kong and mainland China.

According to documents the Post says it possesses but hasn't yet verified, the use of PRISM to monitor Chinese electronic activity has been taking place since 2009.

"We hack backbones—huge Internet routers, basically—that give us access to the communications of hundreds of thousands of computers without having to hack every single one," Snowden said.

China recently stepped up its accusations of U.S. online snooping. If Snowden's account is true, this would be the first Western evidence to back those claims. A call to the Office of the Director of National Intelligence was not immediately returned Wednesday.

]]>

Google, Facebook to DOJ: Let Us Publish the Number of FISA Requests You Make

Brian Fung, National Journal — Wed, 12 Jun 2013 09:59:08 -0400

Google's top lawyer is asking Washington to let the company expand its transparency report to include secret court orders like the kind involved in the NSA surveillance scandal.

In a letter posted to Google's blog, David Drummond addresses Attorney General Eric Holder and FBI Director Robert Mueller, arguing that when the government allowed Google to disclose the number of National Security Letters the company gets (another form of data request), nothing bad happened. So why not extend the disclosure permissions to requests under the Foreign Intelligence Surveillance Act, too?

Assertions in the press that our compliance with these requests gives the U.S. government unfettered access to our users’ data are simply untrue. However, government nondisclosure obligations regarding the number of FISA national security requests that Google receives, as well as the number of accounts covered by those requests, fuel that speculation.
We therefore ask you to help make it possible for Google to publish in our Transparency Report aggregate numbers of national security requests, including FISA disclosures—in terms of both the number we receive and their scope. Google’s numbers would clearly show that our compliance with these requests falls far short of the claims being made. Google has nothing to hide.

Because FISA requests come with gag orders, Google and other tech companies can't even say whether they have received them. If the government grants Google's request, it would shine a great deal of light on the country's security apparatus.

Read the full letter here.

Facebook's general counsel later joined in Google's call for more government transparency—and he also implies that Facebook would prepare a periodic transparency report of its own if that happened.

"We would welcome the opportunity to provide a transparency report that allows us to share with those who use Facebook around the world a complete picture of the government requests we receive, and how we respond," said Ted Ullyot in a statement. "We urge the United States government to help make that possible by allowing companies to include information about the size and scope of national security requests we receive, and look forward to publishing a report that includes that information."

(Image via Flickr user marismith)

]]>

Commentary: The NSA leaker and Highly Skilled but Academically Ordinary Workers

Brian Fung, National Journal — Tue, 11 Jun 2013 14:21:33 -0400

Booz Allen Hamilton has released a new statement on Edward Snowden, its now-former employee and National Security Agency surveillance leaker. In addition to saying it fired Snowden yesterday over code-of-ethics violations, Booz Allen reports that the Maryland native's annual salary was $122,000—far less than the $200,000 Snowden himself claimed to be making.

That's still a lot of money, particularly for someone who reportedly never graduated from high school.

But the reality is, Snowden is part of a larger economy that tech companies and members of Congress ignore when they discuss high-skilled jobs and immigration. As more of the broader economy moves toward an IT-reliant future, many of the job market's more mundane openings are also falling into the science, technology, math, and engineering categories. You no longer have to be an academic genius to work in STEM fields, if that were ever the case; people like Snowden are evidence that an ability to do the job often trumps a shiny degree. College graduates, Ph.D.s, and patent-seekers inspire the mind with stories of entrepreneurship and innovation. Yet for every one of those supposed geniuses, new research finds, there is another STEM-related job that doesn't call for a bachelor's degree.

Fifty percent of all such jobs in the United States call for an associate's degree or less, according to a report yesterday by the Brookings Institution. What we think of as traditional STEM workers include people like nuclear engineers and biochemists. But also falling into that category are auto technicians, who are increasingly working on sophisticated automotive computer systems; registered nurses, who will be the first to feel the effects of a coming health-IT revolution; and, yes, computer-systems analysts—such as Snowden.

TheU.S. employs nearly 488,000 computer analysts, who make an average of $82,320 a year. In Hawaii, where Snowden spent his final months before fleeing to Hong Kong, noncollege graduates accounted for 49 percent of the STEM workforce. That figure drops to 30 percent for the Washington metropolitan area, which attracts academically qualified talent to a greater extent.

Congress has mostly referred to "high-skilled immigration" as a synonym for "tech-savvy degree-holders." But if this Brookings report is accurate, our use of academic achievement as a proxy for skills may be off the mark. It's becoming increasingly common to work a high-skilled job and not boast a degree from MIT.

]]>

NSA Leaks Shed Light on China's Complaints About U.S. Hacking

Brian Fung, National Journal — Mon, 10 Jun 2013 17:14:56 -0400

When it came to light that hackers had breached the networks of The New York Times, The Wall Street Journal, and other major U.S. institutions, one of Washington's first responses was to blame China. China's response? You guys do it, too!

"The Defense Ministry and China Military Online websites have faced a serious threat from hacking attacks since they were established," Geng Yansheng, a spokesperson for China's defense ministry, said in February. Of 144,000 website hacks the ministry sees each month, Geng added, 63 percent come from U.S.-based IP addresses.

Then, last week, China claimed to have a "mountain of data" proving that the United States is engaged in cyberespionage operations against Beijing.

It's important to point out that the kind of hacking Geng is talking about is fundamentally different from the kind of hacking Congress is worried about. If Geng is referring to the denial-of-service attacksthat we see often, this is something of an empty complaint. Bringing down a website by flooding it with traffic doesn't compromise an organization's security. It's annoying and disruptive, but it isn't espionage. The kind of hacking China has been accused of is far more sophisticated, involving deep network penetration in such a way that closely held government or corporate secrets can be stolen. In short, Beijing and Washington are blaming each other for two very different activities.

But just because we haven't had much reason to take China at its word doesn't mean there isn't a grain of truth to it.

"My feeling would be, there is no doubt, even before the weekend's revelations, that NSA conducted espionage against China," Adam Segal, a cybersecurity and China expert at the Council on Foreign Relations, wrote in an e-mail to National Journal.

We still don't know whether China really has the evidence of U.S. hacking that it claims to have. But the latest round of NSA leaks appears to confirm that the United States has the right set of capabilities—not just the motive—to spy on China. And that lends some credence to Beijing's protests.

(Image via karen roach/Shutterstock.com)

]]>

Why Insiders, Not Hackers, Are the Biggest Threat to Cybersecurity

Brian Fung, National Journal — Mon, 10 Jun 2013 14:05:56 -0400

The National Security Agency leaks by Edward Snowden will easily go down as one of the biggest revelations of the year, if not the decade. But the episode also raises new questions about the risk that insiders pose to government and corporate cybersecurity, in spite of the attention lavished on foreign hackers.

Snowden's case is unique in that it uncovered a previously unknown surveillance apparatus that's massive in size and scope.The way the whistle-blower did his deed, however, is not unique. Two-thirds of all reported data breaches involve internal actors wittingly or unwittingly bringing sensitive information to outsiders, according to industry analysts.

"It's not an either-or proposition," said Mike DuBose, a former Justice Department official who led the agency's efforts on trade-secret theft. "But amidst all the concern and discussion over foreign hacking, what gets lost is the fact that the vast majority of serious breaches involving trade secrets or other proprietary or classified information are still being committed by insiders."

DuBose is now the head of the cyber investigations unit at the risk-management firm Kroll Advisory Solutions. In February, his team authored a report warning that contractors, information-technology personnel, and disgruntled employees—all descriptors that fit Snowden pretty well—pose a greater threat than hackers, "both in frequency and in damage caused."

Not everyone agrees. Even though insiders generally play an outsized role across all reported data breaches, their role in confirmed data breaches is rather small, according to an annual study by Verizon. In 2012, specifically, internal actors accounted for 14 percent of confirmed data breaches. Of those, system administrators were responsible for 16 percent.

"Our findings consistently show," the Verizon report read, "that external actors rule."

However common they are, cases like Snowden's show how devastating one insider can be. The extent of the damage depends on what's being exfiltrated and from where, and there aren't many standards for calculating losses. Most companies estimate the value of their trade secrets based on how much money they sank into the research and development of that knowledge. But for the government, it's the potential security impact that takes precedence—and that turns the question into a matter of subjective debate.

Last month, The Washington Post reported that Chinese spies compromised the designs for some of the Pentagon's most sensitive weapons systems, including the F-35 Joint Strike Fighter, the V-22 Osprey tiltrotor aircraft, and the Navy's new Littoral Combat Ship.

If true, the report could have major consequences for national security. But Snowden's case is equally consequential, if for different reasons, and it bolsters DuBose's point about the relevance of insiders. Snowden may have rightfully uncovered evidence of government overreach, but if a mid-level contractor can steal top-secret information about the NSA and give it to the public in a gesture of self-sacrifice, someone else could do the same—but hand the intelligence to more nefarious actors.

(Image via Lucky Business/Shutterstock.com)

]]>

Cosponsor.gov Lets You Upvote the Bills You Want Passed

Brian Fung — Wed, 05 Jun 2013 09:17:33 -0400

It used to be that if you ran for Congress and lost, you’d have to crawl back to your opponent’s secure district and kiss your chance at legislating goodbye. With luck and enough money, you might try again next time.

But that’s all changed. Now, even the least electable candidate can have a say in bills moving through Washington with a tool called Cosponsor.gov. A year in the works and launched late yesterday by House Majority Leader Eric Cantor (R-Va.), the website attempts to list all the bills the House is currently working on.

“You can search by title, sponsor or bill number,” Cantor wrote in a blog post announcing the site, “or browse issue areas and the tracker shows you exactly where the bill stands.”

By logging in with your Facebook credentials, you can “cosponsor” any bill on the site with a single click. Your profile photo then shows up on a list of fellow cosponsors (along with any actual cosponsors working on the Hill.) It’s a bit gimmicky, to be sure — using fancy lawmaker language to describe a simple upvote system that pushes more popular bills to the top of the list. Some of the bills still lack links to the actual legislation, a problem that Cantor spokesperson Rory Cooper said was in the process of being fixed. But as a way to get people more involved in policy, this isn’t a bad start.

Cosponsor.gov is supposed to showcase both Democratic and Republican legislation. For the moment, there seems to be more of the latter than the former; on Tuesday, all six of the featured bills that greeted users on the landing page were proposals from members of the House majority.

Currently leading the pack is the Border Security Results Act, an immigration-related measure introduced by Rep. Mike McCaul (R-Texas), chairman of the Homeland Security Committee. That idea already has some 200 cosponsors from the general public. But some select Democratic proposals are gaining traction, too. So far, about a dozen people have cosponsored Colorado congressman Jared Polis’ bill that would—what else?—legalize marijuana. Because of course. It's the Internet.

]]>

Why Humans Still Can't Go to Mars

Brian Fung, National Journal — Fri, 31 May 2013 14:15:10 -0400

Long-distance human spaceflight is, famously, a bust. So far, anyway -- no doubt we'll figure it out someday. But the reason we haven't sent humans on five-year missions seeking out new life and new civilizations isn't because of cost, politics, or lack of warp drive. The real reason is that astronauts would probably be killed by radiation before they met their first gas giant.

They wouldn't be dead dead, of course. They might even make it back in time to die on Earth. Yet the outbound trip alone would be enough to send their risk for cancer shooting way beyond what NASA considers acceptable levels.

How do we know? Well, before they sent the Mars Curiosity rover to the red planet, scientists strapped on a sensor to measure the amount of radiation bombarding its ship. According to newly released data, for every day the vessel spent traveling to Mars, it recorded 1.8 milliSieverts of space radiation.

One thousand milliSieverts -- or more simply, 1 Sievert -- is enough to raise your risk for cancer by 5 percent.

With that, let's do some math. Given that Curiosity's interplanetary trip lasted 253 days, the rover accumulated 456 milliSieverts of radiation for the duration of the journey (which doesn't include time spent on the Mars surface). That's .46 Sieverts, or 46 percent of the 1 Sievert dosage linked to a 5-percent jump in cancer risk. By comparison, the average American absorbs an estimated 0.0036 Sieverts of radiation a year.

"The findings indicate radiation exposure for human explorers could exceed NASA's career limit for astronauts," NASA spokesperson Trent Perrotto wrote in an e-mail.

Even in Earth orbit, astronauts absorb radiation. Although we're pretty good at blocking dangerous particles emitted by the sun, our shielding technology isn't as good at blocking other types of space rays. NASA has, therefore, set a lifetime limit on the amount of time any person can spend up there. And that threshold is at the 3-percent-increased-risk-for-cancer mark.

The journey to Mars would therefore get you pretty close to your lifetime exposure cap, to say nothing of the radiation you'd suffer on the planet's surface or on the voyage home. It'd be 23 times the amount employees working for the Energy Department are allowed in a year, and 127 times what the ordinary person is exposed to annually.

We don't conclusively know what that level of exposure would mean for people on a mission to Mars—only that it would be very dangerous. Unless we develop better shielding (or faster-than-light travel), our first interplanetary travelers might never make a second trip.

]]>

How Hard Will Lisa Jackson Pressure Apple's Suppliers on the Environment?

Brian Fung, National Journal — Wed, 29 May 2013 17:06:31 -0400

Last night, Apple CEO Tim Cook let slip that his company has created a new executive position to oversee environmental issues. That post, Cook added, will be filled by Lisa Jackson, the former head of the Environmental Protection Agency. Jackson ran EPA for four years under President Obama before stepping down in February, and during her tenure managed to get carbon dioxide listed as a pollutant under the Clean Air Act. She also pushed through a more stringent set of fuel-economy standards for cars—a historic move.

Jackson's record on emissions and efficiency will provide some help to Apple as it tries to reduce its carbon footprint. The company has been upgrading its data centers and commercial facilities with greener materials and transitioning to renewable energy sources.

But according to Apple's own environmental reports, just 2 percent of the company's carbon footprint comes from its facilities. The remaining portion comes from its supply chain, meaning that Jackson's bigger task will likely be keeping an eye on Apple's contractors overseas rather than greening the company's buildings.

One way she could do that is by vastly expanding Apple's specialized environmental audit program. In 2011, the company conducted 14 such exams and found nearly a dozen cases where its partners had failed to update their environmental impact statements, register for pollutant permits, or make other changes to comply with Apple's supplier code of conduct. In 2012, the number of specialized environmental audits jumped to 55—a nearly 300 percent increase. It wouldn't be surprising if, under Jackson, that figure were to grow again.

Inspections are one thing; making sure Apple's partners actually comply is another. The corporation famously forces its contractors to get by on extremely thin margins, which raises their incentive to cut corners. There's a probation system—one company was reprimanded after it was discovered that waste oil was being flushed down a public toilet—but how often probation is imposed isn't always clear.

While it's great news that Apple has already trimmed its buildings' energy usage and transitioned to renewable power, any further improvements will produce diminishing returns. So, even as Jackson's experience at EPA leaves her with strong green credentials, succeeding at Apple will probably require a different approach.

Apple's first supplier-responsibility report, issued in 2007, was four pages long. Every year since then, it's gotten a little lengthier and more detailed. If Jackson lives up to her reputation, the next edition should offer a great deal to dig into.

]]>

Solar Energy's Sunny Future

Brian Fung, National Journal — Tue, 28 May 2013 16:05:39 -0400

Over the past several years, the solar industry has been trying to recover from a crash in the price of silicon—a key component in the construction of solar panels.

For most of us, the effects of the price drop were masked by the tinge of scandal: Among the victims of the crash was the infamous Solyndra, which went bankrupt at the cost to the country of hundreds of millions of dollars. Conservatives seized on the company's collapse as a reason for the government to divest itself from renewable-energy projects. Campaigning outside Solyndra's shuttered headquarters in Fremont, Calif., last year, Mitt Romney argued that the company was a symbol of "the president's failure to understand the basic nature of free enterprise in America."

But amid the right-wing outrage over President Obama's investment choices, we lost sight of what Solyndra's collapse really meant: A boon for solar energy in general.

The story begins and ends with China. Sensing vast opportunities in green technology, China began mass-producing solar panels in the last decade in ever greater quantities, flooding the international market. The United States joined Europe in pledging stiff tariffs against Chinese dumping, but not before dozens of Western solar-panel manufacturers went bankrupt. Beijing, because it can do this sort of thing, responded by buying up some of the excess and built lots of solar farms. The country plans to install 10,000 megawatts of solar capacity this year, three times as much as last year.

The intervention seems to be working; prices of solar panels appear to be recovering. And even better, the glut that closed Solyndra has helped drive the overall price of solar energy down to what economists regard as a magic number—about $1 per watt.

In the United States, politicians held up Solyndra as an example of why solar isn't a viable energy solution. But in fact, it may have been just the opposite. What caused the company to go belly-up has also made the solar industry more competitive relative to other forms of energy.

Still, solar panels aren't going to start cropping up on everyone's homes, said Danish statistician and climate skeptic-of-sorts Bjorn Lomborg.*

"The reality is, solar panel costs are only a tiny part of it. You also need installation in individual homes," Lomborg told me. "And the other part of it is, you need to have some sort of backup."

Learning to store solar energy for when it's cloudy has been one of the technology's biggest challenges. Still, the crash of silicon has some analysts predicting that solar energy will actually become a good investment—not just an ambitious one—by as early as 2020, if not sooner in some other countries. Here's a chart of what that might look like (click for an interactive version via Bloomberg).

Energy analysts predict that as the price of solar energy continues to fall, it'll start becoming an attractive investment. (Bloomberg New Energy Finance)

*In his defense, Lomborg isn't a climate-change denier; he simply believes the world would be better off addressing other problems first.

]]>

For Twitter Users, Two-Step Verification Is Finally Here

Brian Fung, National Journal — Thu, 23 May 2013 09:14:46 -0400

Twitter has finally rolled out a feature users have been clamoring for for months: two-factor authentication. The update adds a layer of security that should help defend you (and any news organizations that haven't changed their passwords yet) from unauthorized log-in attempts.

You can enable the feature when it's available by heading to your Twitter settings page and checking the box that says "Require a verification code when I sign in." (It might not be available yet; Twitter seems to be rolling out the feature gradually.) The next time you log in, Twitter will ask you to provide a shortcode that it'll send you via text message.

To grant access to third-party apps, you'll need something akin to Google's application-specific password, a unique key that isn't sent to your phone but allows the apps to bypass the two-step system.

It should help prevent embarassments like the Associated Press seeing its Twitter account hacked.

( Image via winui / Shutterstock.com )

]]>

Congress Demands to Know if Google Glass Will Violate Your Privacy

Brian Fung, National Journal — Fri, 17 May 2013 10:41:17 -0400

Google has just under a month to respond to a congressional letter questioning CEO Larry Page about the privacy implications of Google Glass. The letter, filed Thursday by the bipartisan privacy caucus, lays out eight questions for Schmidt. They range from the atmospheric ( Does Google plan to update its privacy policy for Glass? ) to the feature-specific ( How exactly will Glass' face-recognition technology gather information? ).

"We are curious whether this new technology could infringe on the privacy of the average American," wrote caucus chairman Rep. Joe Barton, R-Texas, and his seven colleagues.

A Google spokesperson wrote in by email: "We are thinking very carefully about how we design Glass because new technology always raises new issues. Our Glass Explorer program, which reaches people from all walks of life, will ensure that our users become active participants in shaping the future of this technology."

The company has until June 14 to provide a fuller response. While a more cordial exchange than the grilling Eric Schmidt received in 2011—a hearing on antitrust in which Sen. Mike Lee, R-Utah, accused the company of having "cooked it so that you're always third" in search results—the letter is a reminder that Congress is watching Glass with interest, just like the rest of us.

Read the full letter here:

]]>

What the AP Subpoena Scandal Means for Your Electronic Privacy

Brian Fung, National Journal — Wed, 15 May 2013 07:28:20 -0400

The Justice Department’s snooping on journalists working for the Associated Press is an abuse of power in the broadest sense. But one reason the whole episode is controversial at all is because the Obama administration technically broke no rules.

By law, companies that cooperate with government investigations—such as the telecom operators the AP concludes gave up its phone logs—are protected from lawsuits. The immunity is built into a 2008 revision of the Foreign Intelligence Surveillance Act—which President Obama, then a senator, opposed before backtracking and endorsing it.

“I support the compromise, but do so with a firm pledge that as president, I will carefully monitor the program,” Obama said shortly after the legislative update passed the House.

The flip-flop enraged civil libertarians at the time, but Monday's revelation from DOJ reveals how far the government has come since the days when going after journalists meant subpoenaing them head-on and causing a public spectacle in the process.

As recently as 2011, Attorney General Eric Holder was still plugging leaks the hard way, ordering New York Times reporter James Risen to show up in court to burn his own source. (Risen refused, and is still resisting the court.) It was all part of an aggressive Obama policy to pursue leakages that continues today. But now it seems as though the Justice Department is trying a different strategy. Rather than haul a resistant reporter before the court, it’s instead circumventing that circus altogether by going straight to the phone companies. That the telcos are able to deflect lawsuits under FISA only inflates the incentive to ask for their data. As Edward Wasserman, dean of the journalism school at UC-Berkeley, wrote in The Miami Herald last May:

... prosecutors aren’t hassling reporters as they once did. Thanks to the post-9/11 explosion in government intercepts, electronic surveillance, and data capture of all imaginable kinds — the NSA is estimated to have intercepted 15-20 trillion communications in the past decade — the secrecy police have vast new ways to identify leakers.

So they no longer have to force journalists to expose confidential sources. As a national security representative told Lucy Dalglish, director of the Reporters Committee for Freedom of the Press, “We’re not going to subpoena reporters in the future. We don’t need to. We know who you’re talking to.”

The government’s supposed to make a reasonable effort to get the forensic information it’s looking for without resorting to press-related subpoenas. Whether those reasonable efforts were made this time is going to be an important question moving forward. But even more important is whether they’ll make the efforts next time. Whatever you believe about the morality of prosecuting leakers—and even if the Obama administration really did exhaust its other options before turning to the telecom operators—the temptation to seize phone logs as a first resort rather than the last is only growing in proportion to the amount of data that carriers are collecting and storing on us all.

It’s not just journalists and their sources who stand to suffer from an erosion of the legal barriers between government and businesses. Here’s a short list of your personal information companies can hand over to the feds without repercussion, and on little more than a subpoena: geolocation data, the PCs you’ve accessed, emails you’ve sent and text messages and content you’ve placed on cloud services like Dropbox.

Some companies have taken steps to counteract this trend. Dropbox, Twitter and LinkedIn have all promised to tell you when the government asks for data about you. Every year, the Electronic Frontier Foundation grades major tech firms along these lines.

But even this approach requires businesses to put the users’ interests before the government’s (or their own) which is a lot to ask of firms that often face heavy regulation. It's hard to be defiant to the Department of Justice while you beg the Federal Communications Commission for a favor. Meanwhile, the costs of compliance sink to remarkably low levels when FISA is there to give you cover.

Now it’s fallen to the nation’s least-functioning body to address the problem. The Senate’s working on a bill that would require at least a warrant for some types of electronic data and would close a loophole that currently lets law enforcement access your emails if they’re more than 180 days old. It might pass, and it might not. But you can expect the Obama administration to drag its feet the whole way.

]]>