NSA surveillance and "foreigners"
A keynote that is not directly related to KDE and the work that it does is a tradition at Akademy. While that tradition was upheld again this year, Eva Galperin of the Electronic Frontier Foundation gave a talk that was both timely and applicable to everyone in the room: US National Security Agency (NSA) surveillance and what it means for non-US people. There was plenty of interest in her talk for the largely European audience, but the overview of the NSA "surveillance state" was useful to those from the US as well.
![[Eva Galperin]](https://static.lwn.net/images/2013/akad-galperin-sm.jpg)
The US government, in conjunction with the telecommunications carriers and large internet companies like Facebook, Yahoo, Google, and Microsoft, has been carrying out "illegal surveillance" on internet and other communication for quite some time, Galperin said. We started hearing about it in 2005 from news reports that AT&T had allowed the NSA access to its network. The collection of records of phone calls was being done at an AT&T facility that is, coincidentally, just blocks from her house in San Francisco.
That led the EFF to file lawsuits against AT&T and, eventually, the NSA, over this warrantless wiretapping. The AT&T lawsuit was dismissed on national security grounds, but the other case EFF filed, Jewel v. NSA, is still ongoing. In fact, in the week prior to her talk, the courts rejected the US government request that the suit be dismissed because of national security issues. The Jewel case moving forward is "great news", she said.
The "rest of us"
But, "what about the rest of us?", she asked. For people outside of the US, whose data traverses the US or is stored there, what protections exist? The surveillance is governed by the US Foreign Intelligence Surveillance Act (FISA), which created a secret court (FIS Court, or FISC) to oversee the surveillance operations. Since it targets "foreign intelligence", FISA has "zero protections" for foreigner's data in the US. It contains "slim protections" for those in the US, but those outside are "out in the cold".
The recently released PRISM information (by way of Edward Snowden) shows that these agencies talk of the US "home field advantage" in that much of the internet's information passes through US facilities. The data stored by US cloud storage facilities as well as internet services, such as Twitter, Facebook, Skype, and those from Google, are all fair game for "extra-territorial" people.
It is not just the US that is doing this kind of surveillance, she said; "lots of countries" are doing it. There are various malware-based attacks that we know about, which have not been proved to be state-sponsored but are strongly suspected to be. She mentioned China, Libya, and Syria as countries suspected of targeting both citizens and foreigners. The German government is known to have an email-based malware attack that targets foreigners. Increasingly, domestic laws are allowing this kind of extra-territorial surveillance and those laws are increasing their reach.
FISA is cloaked in secrecy, such that internet companies like Google and Microsoft can't even report on the kinds of information they have been required to produce. Some of the most recent Snowden leaks (as of the time of Galperin's talk) have shown a great deal of cooperation between Microsoft and the NSA.
"Just" metadata
In addition, US phone carrier Verizon has reportedly turned over seven years worth of "metadata" on all calls that it handled which started or ended in the US. Metadata is defined "quite broadly" to include routing information, phone numbers, call durations, and so on, but not the actual contents of the calls. That it is "only metadata" is the justification used by the NSA, but it is no real protection, she said, noting that US Central Intelligence Agency chief David Petraeus resigned based on evidence gathered from metadata. As an example, Galperin said: "We know you called the phone sex line, and we know you talked for 30 minutes, but we don't know what you said."
The PRISM surveillance was initially suspected of being a "back door" for the NSA into various internet services. It still is not clear if any exist, but internet services do have to respond to FISA orders and may do so via these back door portals—possibly in realtime. Even without realtime access, PRISM targets email, online chats (text, audio, and video), files downloaded, and more. It only requires 51% confidence that the target is not a US citizen, which is quite a low standard.
The NSA is building a data center "the size of a small village" to analyze and store this information. In one recent month, it collected some 97 billion intelligence data items; 3 billion for US citizens, the rest is for people in the rest of the world. This data isn't only being used by US agencies, either. The UK GCHQ signals intelligence agency made 197 requests for PRISM data (that we know of). It's not clear that GCHQ is allowed to set up its own PRISM system, but it can access US PRISM data. And, as Galperin noted, it is not at all clear that the US can legally set up a system like PRISM.
FISA basics
FISA was enacted in the late 1970s in reaction to a US Supreme Court ruling in 1972 that required a warrant to do surveillance even for national security reasons. The "Church committee" of the US Senate had found widespread abuse of surveillance within the US. It illegally targeted journalists, activists, and others during the 1960s and 1970s. Initially, there were fairly strong provisions against domestic surveillance, but these have been weakened by amendments to FISA over the years.
There are two main powers granted to agencies under FISA: the "business records" and "general acquisition" powers. The business records power allows the government to compel production of any records held by a business as long as it is in furtherance of "foreign intelligence". That has been secretly decided to cover metadata. The general acquisition power allows the government to request (and compels anyone to produce) "any tangible thing" for foreign intelligence purposes.
One of the biggest problems is the secretive way that these laws and powers are interpreted. Because there is a non-adversarial interpretation process (i.e. no one is empowered to argue against the government's interpretation) the most favorable reading is adopted. The request must be "reasonably believed" to be related to foreign intelligence, which has been interpreted to mean a 51% likelihood, for example. Beyond that, the restrictions (such as they are) only apply to US citizens. The safeguards are few and it is unlikely that a foreigner could even take advantage of any that apply.
FISC is required to minimize the gathering and retention of data on US citizens, but the government "self-certifies" that any data is foreign-intelligence-oriented. The general acquisition power allows the government to request "just about anything" with low standards for "reasonable grounds" and "relevance". To challenge any of this surveillance, one must show that they have been actively targeted. With these low standards, the requests made to FISC are rarely turned down; of the 31,000 requests over the last 30 years, eleven have been declined, Galperin said.
The "tl;dr" of her talk is that there is a broad definition of intelligence, and the laws apply to foreigners differently than to US citizens. The fourth amendment to the US Constitution (which covers searches and warrants) may not apply to foreigners, for example. The congressional oversight of FISA is weak and the executive branch (US President and agencies) handles it all secretly so the US people (and everyone else) are in the dark about what is being done. Galperin mentioned a US congresswoman who recently said that everything that has been leaked so far is only "the tip of the iceberg" in terms of these surveillance activities.
What can be done?
A group of foreign non-profits has gathered together to ask the US Congress to protect foreign internet users. They also expressed "grave concern" over sharing the intelligence gathered with other governments including the Netherlands, UK, and others. Human rights include the right to privacy, Galperin said, and standing up for that right is now more important than ever. The US government was caught spying in the 1960s and 1970s, so Congress had a committee look into it and curb some of the abuses; that needs to happen again, she said.
For individuals, "use end-to-end encryption", she said. It is rare that she speaks to a group where she doesn't have to explain that term, but Akademy is one of those audiences. Encryption "does not guarantee privacy", but it makes the NSA's job much harder.
The most useful thing that people in the audience could do is to make tools that are secure—make encryption standard. The EFF is making the same pitch to Silicon Valley companies, but it is counting on free software: "Help us free software, you are our last and only hope". Please build new products, and "save us", she concluded.
[Thanks to KDE e.V. for travel assistance to Bilbao for Akademy.]
| Index entries for this article | |
|---|---|
| Security | Privacy |
| Conference | Akademy/2013 |