Topic: Telecom, Internet & Information Policy

Bulk-Scanning E-mail for Spy Agencies

Reuters dropped a bombshell story Tuesday afternoon, reporting that in 2015 Yahoo agreed to scan all their users’ incoming e-mails on behalf of a U.S. intelligence agency, hunting for a particular “character string” and turning over messages where it found a match to the government. Yet the vagueness of the story—which appears to be based on sources with limited access to the details of the surveillance—leaves a maddening number of unanswered questions.  Yahoo did not greatly help matters with a meticulously worded non-denial, calling the story “misleading” without calling it substantively false, and asserting that the “scanning described in the article does not exist on our systems.” (Obvious follow-up questions: Did it exist in 2015? Does it now exist on some other systems?)  Then, on Wednesday, Charlie Savage and Nicole Perlroth of The New York Times published a follow-up article fleshing out some of the details: The bulk scan was conducted pursuant to an order from the secretive Foreign Intelligence Surveillance Court, and hunted for a “digital signature” associated with a foreign state-sponsored terror group.

Of Millionaire “Fugitives” and the Rule of Law

Megaupload.com was once the 13th most popular website on the internet, with more than 82 million unique visitors and a billion total page views during its seven-year operation. The site allowed people to store files on the cloud for later use—and some users inevitably stored copyrighted TV shows, films, songs, and software. In 2012, the U.S. government charged the site’s owner, Kim Dotcom, and its operators with conspiracy to commit copyright infringement. The defendants are currently resisting extradition to the United States (Dotcom lives in New Zealand), as is their right under extradition treaties.

In 2014, the seemingly frustrated government moved to seize the defendants’ considerable assets in a civil-forfeiture action, claiming that the assets are probably connected to the alleged criminal activity. The government had a major problem, however, as the assets that they were seeking to seize were not located in the United States, but in Hong Kong and New Zealand. Under traditional rules of in rem jurisdiction—a legal theory that allows courts to gain jurisdiction over property—the court must have “control” over the property to entertain the claims, which the district court did not have in this case.

The district court, however, ignored fundamental principles of statutory construction, and agreed with the government’s argument that a federal statute—conferring only venue to the district courts in cases where property was located outside of the United States—also expanded the court’s jurisdiction and fundamentally altered the traditional requirement that courts have control over the property to assert jurisdiction over it.

This misreading of the statute also created a serious constitutional issue under Article III. It is a fundamental constitutional rule that federal courts can’t issue mere “advisory” opinions. When a court lacks control over property located in a foreign country, it necessarily relies on another sovereign to enforce that order, making it advisory as to how the other sovereign should enforce the judgement.

To make matters worse, the court here also “disentitled” the defendants from presenting evidence that their property was not subject to seizure. Under civil-forfeiture laws, the government can take property without an underlying criminal conviction based only on the allegation of a crime. Those whose property has been seized can get it back by proving that their property is “innocent.” The government, however, is preventing the defendants from even making that argument. Using the “fugitive disentitlement” doctrine, the government is blocking the defendants from challenging the forfeiture.

The “Pardon Snowden” Case Just Got Stronger

Yesterday, the Department of Justice Inspector General (DoJ IG) issued a long overdue Congressionally-mandated report on FBI compliance with the PATRIOT Act’s Section 215 “business records” provision between 2012 and 2014. It is the first such report issued that covers the initial period of Edward Snowden’s revelations about widespread domestic mass surveillance by the federal government. Since his indictment for leaking the information to the press, Snowden’s lawyers have argued that he should not be prosecuted under the WW I-era Espionage Act because his revelations served the public interest. The DoJ IG report provides the clearest evidence yet that Snowden’s lawyers are correct (p. 6):

In June 2013, information about the NSA’s bulk telephony metadata program was publicly disclosed by Edward Snowden. These disclosures revealed, among other things, that the FISA Court had approved Section 215 orders authorizing the bulk collection of call detail records. The telephony metadata collected by the NSA included information from local and long-distance telephone calls, such as the originating and terminating telephone number and the date, time, and duration of each call. The disclosures prompted widespread public discussion about the bulk telephony metadata program and the proper scope of government surveillance, and ultimately led Congress to end bulk collection by the government in the USA Freedom Act.

Associated Press Finds Police Database Abuse

This morning, the Associated Press published results of their investigation into the unauthorized access of law enforcement databases by police officers. They found egregious abuses including stalking, harassment, and selling of personal information.

Unspecified discipline was imposed in more than 90 instances reviewed by AP. In many other cases, it wasn’t clear from the records if punishment was given at all. The number of violations was surely far higher since records provided were spotty at best, and many cases go unnoticed.

Among those punished: an Ohio officer who pleaded guilty to stalking an ex-girlfriend and who looked up information on her; a Michigan officer who looked up home addresses of women he found attractive; and two Miami-Dade officers who ran checks on a journalist after he aired unflattering stories about the department.

“It’s personal. It’s your address. It’s all your information, it’s your Social Security number, it’s everything about you,” said Alexis Dekany, the Ohio woman whose ex-boyfriend, a former Akron officer, pleaded guilty last year to stalking her. “And when they use it for ill purposes to commit crimes against you — to stalk you, to follow you, to harass you … it just becomes so dangerous.”

Law enforcement discipline and self-monitoring is notoriously opaque and varies jurisdiction to jurisdiction, so it is impossible to know how often these abuses happen. While it would be unfair to say that most police officers violate these laws and rules, it is unfortunately not uncommon either. Police departments should regularly audit the logins and access to sensitive personal data to protect the privacy of individuals and maintain the integrity of their own agencies.

You can read the whole AP story here. You can scroll through many of the cases Cato’s National Police Misconduct Reporting Project found that document the phenomenon on Twitter here. You can follow the project on Twitter at @NPMRP or on the web at PoliceMisconduct.net.

This is a version cross-posted from a piece at PoliceMisconduct.net

Continuing Resolution to Fund the National ID

If as expected Congress passes a continuing resolution in coming weeks to fund the government into December, take note of how neatly our elected officials are side-stepping responsibility for government spending. The votes that should have come in the summer ahead of the election, giving them some electoral salience, will happen in December, after you’ve made your “choice.”

But let’s home in on another way that the failed appropriations process undercuts fiscal rectitude and freedom. A “CR” will almost certainly continue funding for implementation of the REAL ID Act, the federal national ID program.

From 2008 to 2011, direct funding for REAL ID was included in the DHS appropriations bills, typically at the level of $50 million per fiscal year. That process was evidently too transparent, so from 2011 on appropriators have folded REAL ID funding into the “State Homeland Security Grant Program” (SHSGP). That’s a $400 million discretionary fund. Combining the SHSGP with other funds, there’s a nearly $700 million pool of money for DHS to tap into in order to build a national ID.

The Terrorism Risk of Asylum-Seekers and Refugees: The Minnesota, New York, and New Jersey Terrorist Attacks

News stories are now suggesting that the Minnesota stabber Dahir Adan entered the United States as a Somali refugee when he was 2 years old.  Ahmad Khan Rahami, the suspected bomber in New York and New Jersey, entered as an Afghan asylum-seeker with his parents when he was 7 years old.  The asylum and refugee systems are the bedrocks of the humanitarian immigration system and they are under intense scrutiny already because of fears over Syrian refugees.    

The vetting procedure for refugees, especially Syrians, is necessarily intense because they are overseas while they are being processed.  The security protocols have been updated and expanded for them.  This security screening should be intense.  The process for vetting asylum-seekers, who show up at American ports of entry and ask for asylum based on numerous criteria, is different.  Regardless, no vetting system will prevent or detect child asylum-seekers or child refugees from growing up and becoming terrorists any more than a child screening program for U.S.-born children will be able to prevent or detect those among us will grow up to be a terrorist. 

Adan and Rahami didn’t manage to murder anyone due to their incompetence, poor planning, potential mental health issues, luck, armed Americans, and the quick responses by law enforcement.  Regardless, some may want to stop all refugees and asylum seekers unless they are 100 percent guaranteed not to be terrorists or to ever become terrorists.  Others are more explicit in their calls for a moratorium on all immigration due to terrorism.  These folks should know that the precautionary principle is an inappropriate standard for virtually every area of public policy, even refugee screening.   

State ID Databases Hacked

It won’t surprise anyone who follows data security to know that this past summer saw a hack of databases containing Louisiana driver information. A hacker going by the ironic handle “NSA” offered the data for sale on a “dark web” marketplace.

Over 290,000 residents of Louisiana were apparently affected by the data breach. The information stolen was typical of that which is held by motor vehicle bureaus: first name, middle name, last name, date of birth, driver’s license number, state in which the driver’s license was issued, address, phone number, email address, a record of driving offenses and infractions, and any and all fines paid to settle tickets and other fines.

This leak highlights the risks of state participation in the REAL ID Act. One of the problems with linking together the databases of every state to create a national ID is that the system will only be as secure as the state with the weakest security.

REAL ID mandates that states require drivers to present multiple documents for proof of identity, proof of legal presence in the United States, and proof of their Social Security number. The information from these documents and digital copies of the documents themselves are to be stored state-run databases just like the one that was hacked in Louisiana.

For the tiniest increment in national security—inconveniencing any foreign terrorist who might use a driver’s license in the U.S.—REAL ID increases the risk of wholesale data breaches and wide-scale identity fraud. It’s not a good trade-off.