Category Archives: Security
There’s a Secret Patriot Act, Senator Says
You think you understand how the Patriot Act allows the government to spy on its citizens. Sen. Ron Wyden says it’s worse than you know.
Congress is set to reauthorize three controversial provisions of the surveillance law as early as Thursday. Wyden (D-Oregon) says that powers they grant the government on their face, the government applies a far broader legal interpretation — an interpretation that the government has conveniently classified, so it cannot be publicly assessed or challenged. But one prominent Patriot-watcher asserts that the secret interpretation empowers the government to deploy ”dragnets” for massive amounts of information on private citizens; the government portrays its data-collection efforts much differently.
“We’re getting to a gap between what the public thinks the law says and what the American government secretly thinks the law says,” Wyden told Danger Room in an interview in his Senate office. “When you’ve got that kind of a gap, you’re going to have a problem on your hands.”
What exactly does Wyden mean by that? As a member of the intelligence committee, he laments that he can’t precisely explain without disclosing classified information. But one component of the Patriot Act in particular gives him immense pause: the so-called “business-records provision,” which empowers the FBI to get businesses, medical offices, banks and other organizations to turn over any “tangible things” it deems relevant to a security investigation.
“It is fair to say that the business-records provision is a part of the Patriot Act that I am extremely interested in reforming,” Wyden says. “I know a fair amount about how it’s interpreted, and I am going to keep pushing, as I have, to get more information about how the Patriot Act is being interpreted declassified. I think the public has a right to public debate about it.”
That’s why Wyden and his colleague Sen. Mark Udall offered an amendment on Tuesday to the Patriot Act reauthorization.
The amendment, first reported by Marcy Wheeler, blasts the administration for “secretly reinterpret[ing] public laws and statutes.” It would compel the Attorney General to “publicly disclose the United States Government’s official interpretation of the USA Patriot Act.” And, intriguingly, it refers to “intelligence-collection authorities” embedded in the Patriot Act that the administration briefed the Senate about in February.
Wyden says he “can’t answer” any specific questions about how the government thinks it can use the Patriot Act. That would risk revealing classified information — something Wyden considers an abuse of government secrecy. He believes the techniques themselves should stay secret, but the rationale for using their legal use under Patriot ought to be disclosed.
“I draw a sharp line between the secret interpretation of the law, which I believe is a growing problem, and protecting operations and methods in the intelligence area, which have to be protected,” he says.
Surveillance under the business-records provisions has recently spiked. The Justice Department’s official disclosure on its use of the Patriot Act, delivered to Congress in April, reported that the government asked the Foreign Intelligence Surveillance Court for approval to collect business records 96 times in 2010 — up from just 21 requests the year before. The court didn’t reject a single request. But it “modified” those requests 43 times, indicating to some Patriot-watchers that a broadening of the provision is underway.
Story Continues -> There’s a Secret Patriot Act, Senator Says
Six rising threats from cybercriminals
Watch out for these cyberattacks that can turn smartphones into texting botnets, shut off electricity, jam GPS signals and more
Computerworld - Hackers never sleep, it seems. Just when you think you’ve battened down the hatches and fully protected yourself or your business from electronic security risks, along comes a new exploit to keep you up at night. It might be an SMS text message with a malevolent payload or a stalker who dogs your every step online. Or maybe it’s an emerging technology like in-car Wi-Fi that suddenly creates a whole new attack vector.
Whether you’re an IT manager protecting employees and corporate systems or you’re simply trying to keep your own personal data safe, these threats — some rapidly growing, others still emerging — pose a potential risk. Fortunately, there are some security procedures and tools available to help you win the fight against the bad guys.
1. Text-message malware
While smartphone viruses are still fairly rare, text-messaging attacks are becoming more common, according to Rodney Joffe, senior vice president and senior technologist at mobile messaging company Neustar and director of the Conficker Working Group coalition of security researchers. PCs are now fairly well protected, he says, so some hackers have moved on to mobile devices. Their incentive is mostly financial; text messaging provides a way for them to break in and make money.
Khoi Nguyen, group product manager for mobile security at Symantec, confirmed that text-message attacks aimed at smartphone operating systems are becoming more common as people rely more on mobile devices. It’s not just consumers who are at risk from these attacks, he adds. Any employee who falls for a text-message ruse using a company smartphone can jeopardize the business’s network and data, and perhaps cause a compliance violation.
“This is a similar type of attack as [is used on] a computer — an SMS or MMS message that includes an attachment, disguised as a funny or sexy picture, which asks the user to open it,” Nguyen explains. “Once they download the picture, it will install malware on the device. Once loaded, it would acquire access privileges, and it spreads through contacts on the phone, [who] would then get a message from that user.”
In this way, says Joffe, hackers create botnets for sending text-message spam with links to a product the hacker is selling, usually charging you per message. In some cases, he adds, the malware even starts buying ring tones that are charged on your wireless bill, lining the pocketbook of the hacker selling the ring tones.
Another ruse, says Nguyen, is a text-message link to download an app that supposedly allows free Internet access but is actually a Trojan that sends hundreds of thousands of SMS messages (usually at “premium SMS” rates of $2 each) from the phone.
Article continues -> Six Rising Threats from cybercriminals
Six rising threats from cybercriminals
Government uses social networking to infiltrate people''s lives
By David Gomez
As part of a lawsuit against half a dozen federal agencies, the Electronic Frontier Foundation (EFF) has obtained chilling documents that reveal how the government routinely monitors people online.
According to an EFF blog post, government officials have been using surveillance of social networks to investigate citizenship petitions and the Department of Homeland Security established a “Social Networking Monitoring Cente” to collect and analyze online public communication during President Obama’s inauguration.
In the information the EFF received, there is a memo (dated May 2008) by the U.S. Citizenship and Immigration Services entitled “Social Networking Sites and Their Importance to FDNS” (Office of Fraud Detection and National Security).
This memo is disturbing because of the assumptions the government makes about people who use social networking. The government uses deception to friend people with pending applications for citizenship in the US, and then they use social networking to gather information about that person’s life.
Their hope is to catch people engaged in lying to USCIS. They want to catch people whose relationships might not live up to the USCIS standard of a legitimate marriage. So while using social networking to expose people who scam the system isn’t an act of pure evil, it does make one suspicious of government monitoring of social networking.
This memo makes no mention of how solid the government’s information on a person has to be before surveillance is conducted. This makes is seem as if everyone who uses social networking is a potential target for spying. It also doesn’t say if the government officials who make friend requests to the people they want to spy on actually have to admit their connection to the government.
Based on the memo it would be easy for the government to use social networking to spy not only on individuals who have a citizenship application pending, but their friends and families also.
The EFF also received another bit of information in the form of some slides from a presentation about the Department of Homeland Security starting a Social Networking Monitoring Center. SNMC was created before President Obama’s inauguration to monitor social networking sites for so-called “items of interest.”
The slides describe the tremendous amount of information that DHS collected from social networking sites about people who have accounts. As you might have guessed, nearly every popular form of social networking is being watched.
SNMN goes a bit further than just profiling general social networking sites. They have also been targeting sites with a specific demographic as well. Sites like MiGente and BlackPlanet have been subjected to government profiling as well as political sites like DailyKos.
The slides released to the EFF suggest that the government was collecting information on social networking tied to political events and people’s political beliefs prior to and during the president’s inauguration.
And while the slides attempt to minimize the action of collecting of “Personally Identifiable Information,” it also says “openly divulged information excluding PII will be used for future corroboration purposes and trend analysis during the Inauguration period.”
So, yeah, it’s kind of hard to understand based on the contradictory language in the slides, when the government keeps and deletes certain personal information obtained from social networking.
While some people will gripe and defend the government’s recently revealed activities; the language in the government documents is too unclear to justify any kind of monitoring of social networks.
The thin line between evil spying and government protection is getting erased by this type of activity. The EFF shouldn’t have to file a Freedom of Information Act lawsuit just to find out that the government is sitting around taking copious notes about Facebook and Twitter.
Why all the secrecy over the last few years?
The US electrical grid is too crappy to be vulnerable to terrorist attack, say physicists
The US government worries that terrorists could take down the country”s electrical grid just by hitting a small node in the system. But a new study reveals the grid is too unreliable for that kind of attack.
Last year, network theorists published some papers suggesting that terrorists could take down the entire US electrical grid by attacking a small, remote power station. But new research shows that network theory models, which great for analyzing many complex systems, don”t work for patchwork systems like the US electrical grid. Basically, the grid was set up so haphazardly that you”d have to take out a major node before you”d affect the entire thing. (Want to see a map of the US electrical grid? Check out this one on NPR.)
Science Daily sums up:
[The] electric grid is probably more secure that many people realize — because it is so unpredictable. This, of course, makes it hard to improve its reliability (in another line of research, Hines has explored why the rate of blackouts in the United States hasn”t improved in decades), but the up-side of this fact is that it would be hard for a terrorist to bring large parts of the grid down by attacking just one small part.
The researchers based their conclusions on real-world data from the power grid in the eastern U.S.
Read the full scientific paper via Chaos: An Interdisciplinary Journal of Nonlinear Science (via Science Daily)
Send an email to Annalee Newitz, the author of this post, at annalee@io9.com.
Hackers can remotely disable your car’s brakes, create sensationalist headlines
By Tim Stevens
We think you’re going to be hearing a lot about this one over the next few days… or weeks. A team of researchers at the University of Washington and the University of California San Diego have determined that, with physical access to your car’s ECU, a hacker could “adversarially control a wide range of automotive functions and completely ignore driver input — including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on.” For example, the team was able to connect a computer to a car’s ODB-II port, access that computer wirelessly, and then disable the brakes in the first car while driving down the road in a separate vehicle. The conclusion is that these in-car systems have few if any safeguards in place and, with physical access, nearly anything is possible. The solution, of course, is to prevent physical access. So, if you see a hacker hanging around in your car looking all shady, or a laptop computer sitting in the footwell that totally wasn’t there before, well, you know who to call.
http://www.engadget.com/2010/05/14/hackers-can-remotely-disable-your-cars-brakes-create-sensation/
The cloud and the future of the Fourth Amendment
In mid-April, a coalition of privacy groups filed a brief in federal district court in Colorado, defending Yahoo against attempts by the federal government to obtain the contents of Yahoo Mail messages without first obtaining a warrant. One month earlier, the Justice Department filed a 17-page brief arguing that Yahoo Mail messages do not fall under current statutory protection because, once opened, those messages are not considered to be in “electronic storage.”
The privacy coalition—which included Google—came to Yahoo’s defense, arguing that users with e-mail stored in the cloud have a reasonable expectation of privacy in the contents of that e-mail, and should thus be protected from warrantless searches by the government. (Hopefully the irony of Google opposing robust searches is not lost on Google’s attorneys.)
Unfortunately, the protections afforded by the warrant requirement have not yet been fully extended to the digital “cloud.” This handy metaphor for the ethereal Internet as a storage and access hub is coming to have other implications: can we really conceal our data inside this cloud, shielding it from government intrusion?
In fact, there is not even any guarantee that e-mails stored locally on a personal home computer will be afforded such protection. But as this novel question has remained unanswered by the sloth-like pace of legal innovation, a dozen more questions have cropped up. Meanwhile, the technological innovators are demanding faster answers.
The fourth amendment and reasonable expectations of privacy
The Fourth Amendment to the US Constitution provides that the people shall “be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures…” The Fourth Amendment also provides a method by which an otherwise unreasonable search might be characterized as “reasonable” and, therefore, constitutionally valid: by aid of a warrant, issued “upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
Requiring law enforcement to properly justify itself before conducting invasive searches offers an essential layer of constitutional privacy protection which, if breached, renders the improperly seized evidence inadmissible in court against the person whose privacy was violated. But a warrant is not always necessary to make a search reasonable. In some situations a search and seizure is reasonable without the need for a warrant, such as when items are in plain view, or when a person consents to being searched.
Over time, the courts have developed a standard for determining when a search requires a warrant and when it is reasonable on its own. This standard, which requires a warrant only if there exists a “reasonable expectation of privacy,” originated from a 1967 Supreme Court case involving the wiretapping of a phone booth. In that case, because the phone booth had a door which could be shut behind the user, he was deemed to have reasonably expected that nobody was listening in. The presence of a physical barrier also acted as a legal one.
The “reasonable expectation of privacy” test actually has two requirements. First, the person must have had a subjectively reasonable expectation that the item was private. Second, that item must also be something that society in general is willing to objectively recognize as reasonably private. In other words, it’s not enough that you think your fenced-in backyard is private if society as a whole would find it unreasonable to think so. Sunbathers beware.
Nuances in this standard have developed in the years since the phone booth case. One such nuance is the “third-party doctrine.” For example, the police do not need a warrant to obtain a list of the phone numbers you have dialed and when those calls were made, because, unlike the content of your calls, the transactional data is part of the business records of a third party—the service provider.
Similarly, receipts and checks exchanged with a bank or retailer are not considered to enjoy Fourth Amendment protection, because society is not prepared to reasonably expect privacy in those documents. This third-party doctrine has narrowed the situations in which a warrant is required to conduct a search.
Of course as the courts have narrowed these protections vis-à-vis the Constitution, Congress has passed legislation fortifying the constitutional protections and filling in the gaps created by new technologies. But there are two major problems with those fortifications. First, statutes can be overturned or repealed, whereas constitutional protections provide more permanent safeguards. Second, most of these laws are decades old and have hardly been updated to account for changing technologies.
Among these laws is the Stored Communications Act (SCA), which was passed in 1986. The SCA is at the heart of the dispute between Yahoo and the Justice Department, and the government’s position is that e-mails in the cloud that have already been opened are no longer in “electronic storage,” and thus fall outside the protection of the statute.
Updating these statutes is one short-term option. But, just as Google and the other groups defending Yahoo have argued, there is a basis for interpreting the “reasonable expectation of privacy” standard to cover these new cloud computing and storage uses, shielding at least parts of the cloud with the protection of the warrant requirement.
The differing evolutions of technology and law
The linchpin in extending Fourth Amendment protection to the cloud rests with the reasonableness of society’s expectations governing privacy in the cloud. But societal expectations change over time, especially as technology and our uses of that technology change.
With massive increases in bandwidth, wireless access, and mobile device use over the past decade, remote storage (and cloud computing generally) has changed the way in which the Internet is used. Rather than being a purely public medium, the Internet has become a means of private storage and mobile or remote access.
This is in stark contrast to ten or fifteen years ago, when data was often uploaded for the intended purpose of sharing it with a mass audience. Bandwidth and access limitations made it unfeasible for everyday Internet users to rely on the cloud to efficiently store and access their private files, and mobile devices were not yet powerful enough or pervasive enough for consumers to even need such “everywhere access.”
Unfortunately, the law generally does not evolve as quickly as technology. The 1967 phone booth case was the first time telephone conversations were recognized as constitutionally protected from unreasonable searches—nearly one hundred years after the telephone was invented. The Internet and cloud computing have taken a fraction of that time to reach wide market penetration, and show little sign of slowing down. But since Moore’s Law does not apply to legal innovation, the disparities between technology and the law are likely to become even greater.
Take, for example, the case City of Ontario v. Quon, currently pending before the US Supreme Court. Although the case is not precisely within the scope of what we often think of as “cloud computing” (online storage and manipulation of e-mails, photos, documents, and so on), it deals in a similar realm—the storage of text messages within the servers of a service provider. The city of Ontario, California, contracted with Arch Wireless to provide text messaging services for, among others, the city’s police department. Although the police department had no official policy regarding use of the pagers for personal versus work-related messaging, the unofficial policy was that if an officer went over the limit but paid the overcharge fee, their messages would not be audited.
The department later decided it would audit some of these texts and found a significant number of sexually explicit personal messages. Several officers sued, claiming their Fourth Amendment rights were violated because the department, being an agent of the government, should have been required to obtain a warrant first. The district court and the Ninth Circuit Court of Appeals both agreed that the officers had a reasonable expectation of privacy in the content of their texts, and analogized the stored text messages to e-mail, among other things.
The Supreme Court just heard oral arguments in Quon on April 19th, and based on the Justices’ questions and demeanors, they did not seem overly sympathetic to the officers’ privacy concerns—at least not enough to extend Fourth Amendment protections to their stored text messages. In part this may be because the facts in this case were simply not compelling enough; society is likely not prepared to recognize that police officers should have an expectation of privacy in their city-issued (and taxpayer-funded) work pagers.
Though the future of Fourth Amendment protection in the cloud will probably not be foreclosed by this case, it may create a hurdle for privacy groups and entities such as Yahoo and Google who are looking for more favorable Fourth Amendment treatment by the Supreme Court. The Court’s decision in Quon should come out later this summer. Whatever the ultimate decision may be, these groups will undoubtedly be looking for any……
Article Continues ->
http://arstechnica.com/tech-policy/news/2010/04/the-cloud-and-the-future-of-the-fourth-amendment.ars
Visa targets online marketing ‘scam’
(Credit: Greg Sandoval/CNET)
by Greg Sandova
Visa, one of the world’s largest credit card companies, is taking aim at “scam” marketing practices that were quietly used by some of the Internet’s largest retailers in recent years.
Retailers will no longer be able to allow third parties to charge a customer’s card without the card owner re-entering credit card information, Visa said Tuesday. This is Visa’s response to one of the biggest scandals to rock online retailing in years.
Last year, the U.S. Senate Committee on Commerce, Science, and Transportation launched an investigation after learning that thousands of consumers had complained about receiving mysterious credit card charges.
The committee concluded that millions of consumers were misled into signing up for so-called loyalty programs with the help of companies such as as Classmates.com, Continental Airlines, Priceline, Orbitz, Buy.com, and many others. Lawmakers said during hearings that these merchants had made an unholy but profitable alliance with one or more of three so-called post-transaction marketing firms: Webloyalty, Affinion, and Vertrue.
Under most of the agreements between the marketing firms and retailers, an advertising page is presented to shoppers while they complete a transaction at the retailer’s online store. Many shoppers say they entered their e-mail address and pushed a large “Yes” button on the ad because it appeared to be a $10 cash-back offer or coupon. Many of those who complained say they thought they were being rewarded by the retailer for making a purchase.
Buried in the fine print are the full terms of the deal. Customers are notified that by providing their e-mail address they are joining a membership program and agreeing to pay one of the marketing firms a monthly fee, typically between $10 and $20. Many people said they didn’t see this notice.
Visa’s new requirement is designed to send a “clear signal to cardholders that a second purchase is being initiated and protects them from questionable marketing practices,” the company said.
With the government leaning on them, many of the merchants involved have severed ties with the post-transaction marketers, which have also taken steps to alter their business practices. They haven’t gone far enough, however, critics have said.
http://news.cnet.com/8301-31001_3-20003489-261.html?tag=newsEditorsPicksArea.0
Art of the Steal: On the Trail of World’s Most Ingenious Thief
Gerald Blanchard could hack any bank, swipe any jewel. There was no security system he couldn’t beat. Illustration: Justin Wood
By Joshuah Bearman
The plane slowed and leveled out about a mile aboveground. Up ahead, the Viennese castle glowed like a fairy tale palace. When the pilot gave the thumbs-up, Gerald Blanchard looked down, checked his parachute straps, and jumped into the darkness. He plummeted for a second, then pulled his cord, slowing to a nice descent toward the tiled roof. It was early June 1998, and the evening wind was warm. If it kept cooperating, Blanchard would touch down directly above the room that held the Koechert Diamond Pearl. He steered his parachute toward his target.
A couple of days earlier, Blanchard had appeared to be just another twentysomething on vacation with his wife and her wealthy father. The three of them were taking a six-month grand European tour: London, Rome, Barcelona, the French Riviera, Vienna. When they stopped at the Schloss Schönbrunn, the Austrian equivalent of Versailles, his father-in-law’s VIP status granted them a special preview peek at a highly prized piece from a private collection. And there it was: In a cavernous room, in an alarmed case, behind bulletproof glass, on a weight-sensitive pedestal — a delicate but dazzling 10-pointed star of diamonds fanned around one monstrous pearl. Five seconds after laying eyes on it, Blanchard knew he would try to take it.
The docent began to describe the history of the Koechert Diamond Pearl, better known as the Sisi Star — it was one of many similar pieces specially crafted for Empress Elisabeth to be worn in her magnificently long and lovely braids. Sisi, as she was affectionately known, was assassinated 100 years ago. Only two stars remain, and it has been 75 years since the public had a glimpse of…
Blanchard wasn’t listening. He was noting the motion sensors in the corner, the type of screws on the case, the large windows nearby. To hear Blanchard tell it, he has a savantlike ability to assess security flaws, like a criminal Rain Man who involuntarily sees risk probabilities at every turn. And the numbers came up good for the star. Blanchard knew he couldn’t fence the piece, which he did hear the guide say was worth $2 million. Still, he found the thing mesmerizing and the challenge irresistible.
He began to work immediately, videotaping every detail of the star’s chamber. (He even coyly shot the “No Cameras” sign near the jewel case.) He surreptitiously used a key to loosen the screws when the staff moved on to the next room, unlocked the windows, and determined that the motion sensors would allow him to move — albeit very slowly — inside the castle. He stopped at the souvenir shop and bought a replica of the Sisi Star to get a feel for its size. He also noted the armed guards stationed at every entrance and patrolling the halls.
But the roof was unguarded, and it so happened that one of the skills Blanchard had picked up in his already long criminal career was skydiving. He had also recently befriended a German pilot who was game for a mercenary sortie and would help Blanchard procure a parachute. Just one night after his visit to the star, Blanchard was making his descent to the roof.
Aerial approaches are a tricky business, though, and Blanchard almost overshot the castle, slowing himself just enough by skidding along a pitched gable. Sliding down the tiles, arms and legs flailing for a grip, Blanchard managed to save himself from falling four stories by grabbing a railing at the roof’s edge. For a moment, he lay motionless. Then he took a deep breath, unhooked the chute, retrieved a rope from his pack, wrapped it around a marble column, and lowered himself down the side of the building.
Carefully, Blanchard entered through the window he had unlocked the previous day. He knew there was a chance of encountering guards. But the Schloss Schönbrunn was a big place, with more than 1,000 rooms. He liked the odds. If he heard guards, he figured, he would disappear behind the massive curtains.
The nearby rooms were silent as Blanchard slowly approached the display and removed the already loosened screws, carefully using a butter knife to hold in place the two long rods that would trigger the alarm system. The real trick was ensuring that the spring-loaded mechanism the star was sitting on didn’t register that the weight above it had changed. Of course, he had that covered, too: He reached into his pocket and deftly replaced Elisabeth’s bejeweled hairpin with the gift-store fake.
Within minutes, the Sisi Star was in Blanchard’s pocket and he was rappelling down a back wall to the garden, taking the rope with him as he slipped from the grounds. When the star was dramatically unveiled to the public the next day, Blanchard returned to watch visitors gasp at the sheer beauty of a cheap replica. And when his parachute was later found in a trash bin, no one connected it to the star, because no one yet knew it was missing. It was two weeks before anyone realized that the jewelry had disappeared.
Later, the Sisi Star rode inside the respirator of some scuba gear back to his home base in Canada, where Blanchard would assemble what prosecutors later called, for lack of a better term, the Blanchard Criminal Organization. Drawing on his encyclopedic knowledge of surveillance and electronics, Blanchard became a criminal mastermind. The star was the heist that transformed him from a successful and experienced thief into a criminal virtuoso.
“Cunning, clever, conniving, and creative,” as one prosecutor would call him, Blanchard eluded the police for years. But eventually he made a mistake. And that mistake would take two officers from the modest police force of Winnipeg, Canada, on a wild ride of high tech capers across Africa, Canada, and Europe. Says Mitch McCormick, one of those Winnipeg investigators, “We had never seen anything like it.”
In Depth article Continues ->
http://www.wired.com/magazine/2010/03/ff_masterthief_blanchard/
Second-hand copiers can spill secrets
by CBS Interactive staff
At a warehouse in New Jersey, 6,000 used copy machines sit ready to be sold. CBS News chief investigative correspondent Armen Keteyian reports that almost every one of them holds a secret.
Nearly every digital copier built since 2002 contains a hard drive–like the one on your personal computer–storing an image of every document copied, scanned, or e-mailed by the machine.
In the process, it’s turned an office staple into a digital time-bomb packed with highly personal or sensitive data.
Read more of “ Digital Photocopiers Loaded With Secrets” at CBSNews.com, or follow the link to watch the video:
http://news.cnet.com/8301-1009_3-20002904-83.html?tag=newsEditorsPicksArea.0
Google: U.S. Demanded User Info 3,500 Times in Six Months
By Ryan Singel
For years, search engines and ISPs have refused to tell the public how many times the cops and feds have forced them to turn over information on users.
But on Tuesday, Google broke that unwritten code of silence, unveiling a Government Requests Tool that shows the public how often individual goverments around the world have asked for user information, and how often they’ve asked Google to remove content from their sites or search index for reasons other than copyright violation.
The answer for U.S. users is 3,580 total requests for information over a six month period from July 2009 to December 2009. That number comes to about 20 a day, and includes subpoenas and search warrants from state, local and federal law enforcement officials. Brazil just edges out the U.S. in the number of requests for data about users, with 3,663 over that six months. That’s due to the continuing Brazilian popularity of Google’s social networking site, Orkut.
Google Vice President David Drummond announced the tool in a blog post Tuesday, casting it as a tool to cut down on censorship — not surprising given that Google says it’s been censored by 25 of the 100 countries it operates in.
[G]overnment censorship of the web is growing rapidly: from the outright blocking and filtering of sites, to court orders limiting access to information and legislation forcing companies to self-censor content.
So it’s no surprise that Google, like other technology and telecommunications companies, regularly receives demands from government agencies to remove content from our services. Of course many of these requests are entirely legitimate, such as requests for the removal of child pornography. We also regularly receive requests from law enforcement agencies to hand over private user data. Again, the vast majority of these requests are valid and the information needed is for legitimate criminal investigations. However, data about these activities historically has not been broadly available. We believe that greater transparency will lead to less censorship.
Google is also releasing information about the number of times governments ask the company to take down content or remove links. These include requests to take down defamatory videos, such as the one that led to prosecution of Google executives in Italy. The statistics do not include requests based on copyright or from reports of child pornography, since Google automatically takes down the latter whenever it detects it.
Google has long pledged its allegiance to transparency and believes this announcement will add to the long-running debate about how much power law enforcement and governments should have to see what citizens do online.
A broad consortium of tech companies and privacy groups recently announced a push to modernize the nation’s privacy laws so that data stored by third parties, especially by so-called cloud computing services like Gmail, are treated just like data stored on citizens’ home computers. Currently, e-mails stored online lose much of their legal protection after 6 months, and the Justice Department recently tried to get at unopened mail online without having to get a proper search warrant.
The numbers reflect only criminal investigations, and do not include national security investigation powers such as National Security Lettters or FISA warrants, which companies are often not legally allowed to disclose.
The numbers also do not include the number of people named in the requests, whether Google fought the request or which products the requests apply to. The company says it plans to release that information after out it figures out how to create meaningful statistics, since a single request can apply to mulitple people using multiple products, or conversely, Google can receive multiple requests concerning the same person.
ISPs and large tech companies have long used the excuse that they don’t publish this information because no one else does.
Now that Google has taken the first step, that argument no longer works. And we are looking at you, Yahoo, Microsoft, Amazon and AT&T, when we say that.
See Also:
- Google Talks Transparency, But Hides Surveillance Stats
- Google’s Half-Hearted Commitment to Transparency
- Google, Microsoft Push Feds to Fix Privacy Laws
http://www.wired.com/threatlevel/2010/04/google-warrants-transparency
