There’s a Secret Patriot Act, Senator Says

By Spencer Ackerman

You think you understand how the Patriot Act allows the government to spy on its citizens. Sen. Ron Wyden says it’s worse than you know.

Congress is set to reauthorize three controversial provisions of the surveillance law as early as Thursday. Wyden (D-Oregon) says that beyond the powers they grant the government on their face, the government applies a far broader legal interpretation — an interpretation that the government has conveniently classified, so it cannot be publicly assessed or challenged. But one prominent Patriot-watcher asserts that the secret interpretation empowers the government to deploy “dragnets” for massive amounts of information on private citizens; the government portrays its data-collection efforts much differently.

“We’re getting to a gap between what the public thinks the law says and what the American government secretly thinks the law says,” Wyden told Danger Room in an interview in his Senate office. “When you’ve got that kind of a gap, you’re going to have a problem on your hands.”

What exactly does Wyden mean by that? As a member of the intelligence committee, he laments that he can’t precisely explain without disclosing classified information. But one component of the Patriot Act in particular gives him immense pause: the so-called “business-records provision,” which empowers the FBI to get businesses, medical offices, banks and other organizations to turn over any “tangible things” it deems relevant to a security investigation.

“It is fair to say that the business-records provision is a part of the Patriot Act that I am extremely interested in reforming,” Wyden says. “I know a fair amount about how it’s interpreted, and I am going to keep pushing, as I have, to get more information about how the Patriot Act is being interpreted declassified. I think the public has a right to public debate about it.”

That’s why Wyden and his colleague Sen. Mark Udall offered an amendment on Tuesday to the Patriot Act reauthorization.

The amendment, first reported by Marcy Wheeler, blasts the administration for “secretly reinterpret[ing] public laws and statutes.” It would compel the Attorney General to “publicly disclose the United States Government’s official interpretation of the USA Patriot Act.” And, intriguingly, it refers to “intelligence-collection authorities” embedded in the Patriot Act that the administration briefed the Senate about in February.

Wyden says he “can’t answer” any specific questions about how the government thinks it can use the Patriot Act. That would risk revealing classified information — something Wyden considers an abuse of government secrecy. He believes the techniques themselves should stay secret, but the rationale for their legal use under Patriot ought to be disclosed.

“I draw a sharp line between the secret interpretation of the law, which I believe is a growing problem, and protecting operations and methods in the intelligence area, which have to be protected,” he says.

Surveillance under the business-records provisions has recently spiked. The Justice Department’s official disclosure on its use of the Patriot Act, delivered to Congress in April, reported that the government asked the Foreign Intelligence Surveillance Court for approval to collect business records 96 times in 2010 — up from just 21 requests the year before. The court didn’t reject a single request. But it “modified” those requests 43 times, indicating to some Patriot-watchers that a broadening of the provision is underway.



Six rising threats from cybercriminals

Watch out for these cyberattacks that can turn smartphones into texting botnets, shut off electricity, jam GPS signals and more

By John Brandon

Computerworld – Hackers never sleep, it seems. Just when you think you’ve battened down the hatches and fully protected yourself or your business from electronic security risks, along comes a new exploit to keep you up at night. It might be an SMS text message with a malevolent payload or a stalker who dogs your every step online. Or maybe it’s an emerging technology like in-car Wi-Fi that suddenly creates a whole new attack vector.


Whether you’re an IT manager protecting employees and corporate systems or you’re simply trying to keep your own personal data safe, these threats — some rapidly growing, others still emerging — pose a potential risk. Fortunately, there are some security procedures and tools available to help you win the fight against the bad guys.

1. Text-message malware

While smartphone viruses are still fairly rare, text-messaging attacks are becoming more common, according to Rodney Joffe, senior vice president and senior technologist at mobile messaging company Neustar and director of the Conficker Working Group coalition of security researchers. PCs are now fairly well protected, he says, so some hackers have moved on to mobile devices. Their incentive is mostly financial; text messaging provides a way for them to break in and make money.

Khoi Nguyen, group product manager for mobile security at Symantec, confirmed that text-message attacks aimed at smartphone operating systems are becoming more common as people rely more on mobile devices. It’s not just consumers who are at risk from these attacks, he adds. Any employee who falls for a text-message ruse using a company smartphone can jeopardize the business’s network and data, and perhaps cause a compliance violation.

“This is a similar type of attack as [is used on] a computer — an SMS or MMS message that includes an attachment, disguised as a funny or sexy picture, which asks the user to open it,” Nguyen explains. “Once they download the picture, it will install malware on the device. Once loaded, it would acquire access privileges, and it spreads through contacts on the phone, [who] would then get a message from that user.”

In this way, says Joffe, hackers create botnets for sending text-message spam with links to a product the hacker is selling, usually charging you per message. In some cases, he adds, the malware even starts buying ring tones that are charged on your wireless bill, lining the pocketbook of the hacker selling the ring tones.

Another ruse, says Nguyen, is a text-message link to download an app that supposedly allows free Internet access but is actually a Trojan that sends hundreds of thousands of SMS messages (usually at “premium SMS” rates of $2 each) from the phone.


Government uses social networking to infiltrate people's lives

By David Gomez

As part of a lawsuit against half a dozen federal agencies, the Electronic Frontier Foundation (EFF) has obtained chilling documents that reveal how the government routinely monitors people online.

According to an EFF blog post, government officials have been using surveillance of social networks to investigate citizenship petitions, and the Department of Homeland Security established a “Social Networking Monitoring Center” to collect and analyze online public communication during President Obama’s inauguration.

In the information the EFF received, there is a memo (dated May 2008) by the U.S. Citizenship and Immigration Services entitled “Social Networking Sites and Their Importance to FDNS” (Office of Fraud Detection and National Security).

This memo is disturbing because of the assumptions the government makes about people who use social networking. The government uses deception to friend people with pending applications for citizenship in the US, and then they use social networking to gather information about that person’s life.

Their hope is to catch people engaged in lying to USCIS. They want to catch people whose relationships might not live up to the USCIS standard of a legitimate marriage. So while using social networking to expose people who scam the system isn’t an act of pure evil, it does make one suspicious of government monitoring of social networking.

This memo makes no mention of how solid the government’s information on a person has to be before surveillance is conducted. This makes it seem as if everyone who uses social networking is a potential target for spying. It also doesn’t say if the government officials who make friend requests to the people they want to spy on actually have to admit their connection to the government.

Based on the memo it would be easy for the government to use social networking to spy not only on individuals who have a citizenship application pending, but their friends and families also.

The EFF also received another bit of information in the form of some slides from a presentation about the Department of Homeland Security starting a Social Networking Monitoring Center. SNMC was created before President Obama’s inauguration to monitor social networking sites for so-called “items of interest.”

The slides describe the tremendous amount of information that DHS collected from social networking sites about people who have accounts. As you might have guessed, nearly every popular form of social networking is being watched.

SNMC goes a bit further than just profiling general social networking sites. They have also been targeting sites with a specific demographic. Sites like MiGente and BlackPlanet have been subjected to government profiling, as well as political sites like DailyKos.

The slides released to the EFF suggest that the government was collecting information on social networking tied to political events and people’s political beliefs prior to and during the president’s inauguration.

And while the slides attempt to minimize the collection of “Personally Identifiable Information,” they also say “openly divulged information excluding PII will be used for future corroboration purposes and trend analysis during the Inauguration period.”

So, yeah, it’s kind of hard to understand based on the contradictory language in the slides, when the government keeps and deletes certain personal information obtained from social networking.

While some people will gripe and defend the government’s recently revealed activities, the language in the government documents is too unclear to justify any kind of monitoring of social networks.

The thin line between evil spying and government protection is getting erased by this type of activity. The EFF shouldn’t have to file a Freedom of Information Act lawsuit just to find out that the government is sitting around taking copious notes about Facebook and Twitter.

Why all the secrecy over the last few years?

The US electrical grid is too crappy to be vulnerable to terrorist attack, say physicists

The US government worries that terrorists could take down the country's electrical grid just by hitting a small node in the system. But a new study reveals the grid is too unreliable for that kind of attack.

Last year, network theorists published some papers suggesting that terrorists could take down the entire US electrical grid by attacking a small, remote power station. But new research shows that network theory models, which are great for analyzing many complex systems, don't work for patchwork systems like the US electrical grid. Basically, the grid was set up so haphazardly that you'd have to take out a major node before you'd affect the entire thing. (Want to see a map of the US electrical grid? Check out this one on NPR.)

Science Daily sums up:

[The] electric grid is probably more secure than many people realize — because it is so unpredictable. This, of course, makes it hard to improve its reliability (in another line of research, Hines has explored why the rate of blackouts in the United States hasn't improved in decades), but the up-side of this fact is that it would be hard for a terrorist to bring large parts of the grid down by attacking just one small part.

The researchers based their conclusions on real-world data from the power grid in the eastern U.S.

Read the full scientific paper via Chaos: An Interdisciplinary Journal of Nonlinear Science (via Science Daily)

Annalee Newitz is the author of this post.

Hackers can remotely disable your car’s brakes, create sensationalist headlines

By Tim Stevens

We think you’re going to be hearing a lot about this one over the next few days… or weeks. A team of researchers at the University of Washington and the University of California San Diego have determined that, with physical access to your car’s ECU, a hacker could “adversarially control a wide range of automotive functions and completely ignore driver input — including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on.” For example, the team was able to connect a computer to a car’s OBD-II port, access that computer wirelessly, and then disable the brakes in the first car while driving down the road in a separate vehicle. The conclusion is that these in-car systems have few if any safeguards in place and, with physical access, nearly anything is possible. The solution, of course, is to prevent physical access. So, if you see a hacker hanging around in your car looking all shady, or a laptop computer sitting in the footwell that totally wasn’t there before, well, you know who to call.

The cloud and the future of the Fourth Amendment

By David A. Couillard

In mid-April, a coalition of privacy groups filed a brief in federal district court in Colorado, defending Yahoo against attempts by the federal government to obtain the contents of Yahoo Mail messages without first obtaining a warrant. One month earlier, the Justice Department filed a 17-page brief arguing that Yahoo Mail messages do not fall under current statutory protection because, once opened, those messages are not considered to be in “electronic storage.”

The privacy coalition—which included Google—came to Yahoo’s defense, arguing that users with e-mail stored in the cloud have a reasonable expectation of privacy in the contents of that e-mail, and should thus be protected from warrantless searches by the government. (Hopefully the irony of Google opposing robust searches is not lost on Google’s attorneys.)

Unfortunately, the protections afforded by the warrant requirement have not yet been fully extended to the digital “cloud.” This handy metaphor for the ethereal Internet as a storage and access hub is coming to have other implications: can we really conceal our data inside this cloud, shielding it from government intrusion?

In fact, there is not even any guarantee that e-mails stored locally on a personal home computer will be afforded such protection. But as this novel question has remained unanswered by the sloth-like pace of legal innovation, a dozen more questions have cropped up. Meanwhile, the technological innovators are demanding faster answers.

The fourth amendment and reasonable expectations of privacy

The Fourth Amendment to the US Constitution provides that the people shall “be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures…” The Fourth Amendment also provides a method by which an otherwise unreasonable search might be characterized as “reasonable” and, therefore, constitutionally valid: by aid of a warrant, issued “upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

Requiring law enforcement to properly justify itself before conducting invasive searches offers an essential layer of constitutional privacy protection which, if breached, renders the improperly seized evidence inadmissible in court against the person whose privacy was violated. But a warrant is not always necessary to make a search reasonable. In some situations a search and seizure is reasonable without the need for a warrant, such as when items are in plain view, or when a person consents to being searched.

Over time, the courts have developed a standard for determining when a search requires a warrant and when it is reasonable on its own. This standard, which requires a warrant only if there exists a “reasonable expectation of privacy,” originated from a 1967 Supreme Court case involving the wiretapping of a phone booth. In that case, because the phone booth had a door which could be shut behind the user, he was deemed to have reasonably expected that nobody was listening in. The presence of a physical barrier also acted as a legal one.

The “reasonable expectation of privacy” test actually has two requirements. First, the person must have had a subjectively reasonable expectation that the item was private. Second, that item must also be something that society in general is willing to objectively recognize as reasonably private. In other words, it’s not enough that you think your fenced-in backyard is private if society as a whole would find it unreasonable to think so. Sunbathers beware.

Nuances in this standard have developed in the years since the phone booth case. One such nuance is the “third-party doctrine.” For example, the police do not need a warrant to obtain a list of the phone numbers you have dialed and when those calls were made, because, unlike the content of your calls, the transactional data is part of the business records of a third party—the service provider.

Similarly, receipts and checks exchanged with a bank or retailer are not considered to enjoy Fourth Amendment protection, because society is not prepared to reasonably expect privacy in those documents. This third-party doctrine has narrowed the situations in which a warrant is required to conduct a search.

Of course as the courts have narrowed these protections vis-à-vis the Constitution, Congress has passed legislation fortifying the constitutional protections and filling in the gaps created by new technologies. But there are two major problems with those fortifications. First, statutes can be overturned or repealed, whereas constitutional protections provide more permanent safeguards. Second, most of these laws are decades old and have hardly been updated to account for changing technologies.

Among these laws is the Stored Communications Act (SCA), which was passed in 1986. The SCA is at the heart of the dispute between Yahoo and the Justice Department, and the government’s position is that e-mails in the cloud that have already been opened are no longer in “electronic storage,” and thus fall outside the protection of the statute.

Updating these statutes is one short-term option. But, just as Google and the other groups defending Yahoo have argued, there is a basis for interpreting the “reasonable expectation of privacy” standard to cover these new cloud computing and storage uses, shielding at least parts of the cloud with the protection of the warrant requirement.

The differing evolutions of technology and law

The linchpin in extending Fourth Amendment protection to the cloud rests with the reasonableness of society’s expectations governing privacy in the cloud. But societal expectations change over time, especially as technology and our uses of that technology change.

With massive increases in bandwidth, wireless access, and mobile device use over the past decade, remote storage (and cloud computing generally) has changed the way in which the Internet is used. Rather than being a purely public medium, the Internet has become a means of private storage and mobile or remote access.

This is in stark contrast to ten or fifteen years ago, when data was often uploaded for the intended purpose of sharing it with a mass audience. Bandwidth and access limitations made it unfeasible for everyday Internet users to rely on the cloud to efficiently store and access their private files, and mobile devices were not yet powerful enough or pervasive enough for consumers to even need such “everywhere access.”

Unfortunately, the law generally does not evolve as quickly as technology. The 1967 phone booth case was the first time telephone conversations were recognized as constitutionally protected from unreasonable searches—nearly one hundred years after the telephone was invented. The Internet and cloud computing have taken a fraction of that time to reach wide market penetration, and show little sign of slowing down. But since Moore’s Law does not apply to legal innovation, the disparities between technology and the law are likely to become even greater.

Take, for example, the case City of Ontario v. Quon, currently pending before the US Supreme Court. Although the case is not precisely within the scope of what we often think of as “cloud computing” (online storage and manipulation of e-mails, photos, documents, and so on), it deals in a similar realm—the storage of text messages within the servers of a service provider. The city of Ontario, California, contracted with Arch Wireless to provide text messaging services for, among others, the city’s police department. Although the police department had no official policy regarding use of the pagers for personal versus work-related messaging, the unofficial policy was that if an officer went over the limit but paid the overcharge fee, their messages would not be audited.

The department later decided it would audit some of these texts and found a significant number of sexually explicit personal messages. Several officers sued, claiming their Fourth Amendment rights were violated because the department, being an agent of the government, should have been required to obtain a warrant first. The district court and the Ninth Circuit Court of Appeals both agreed that the officers had a reasonable expectation of privacy in the content of their texts, and analogized the stored text messages to e-mail, among other things.

The Supreme Court just heard oral arguments in Quon on April 19th, and based on the Justices’ questions and demeanors, they did not seem overly sympathetic to the officers’ privacy concerns—at least not enough to extend Fourth Amendment protections to their stored text messages. In part this may be because the facts in this case were simply not compelling enough; society is likely not prepared to recognize that police officers should have an expectation of privacy in their city-issued (and taxpayer-funded) work pagers.

Though the future of Fourth Amendment protection in the cloud will probably not be foreclosed by this case, it may create a hurdle for privacy groups and entities such as Yahoo and Google who are looking for more favorable Fourth Amendment treatment by the Supreme Court. The Court’s decision in Quon should come out later this summer. Whatever the ultimate decision may be, these groups will undoubtedly be looking for any……


Visa targets online marketing ‘scam’


By Greg Sandoval

Visa, one of the world’s largest credit card companies, is taking aim at “scam” marketing practices that were quietly used by some of the Internet’s largest retailers in recent years.

Retailers will no longer be able to allow third parties to charge a customer’s card without the card owner re-entering credit card information, Visa said Tuesday. This is Visa’s response to one of the biggest scandals to rock online retailing in years.

Last year, the U.S. Senate Committee on Commerce, Science, and Transportation launched an investigation after learning that thousands of consumers had complained about receiving mysterious credit card charges.

The committee concluded that millions of consumers were misled into signing up for so-called loyalty programs with the help of companies such as Continental Airlines, Priceline, Orbitz, and many others. Lawmakers said during hearings that these merchants had made an unholy but profitable alliance with one or more of three so-called post-transaction marketing firms: Webloyalty, Affinion, and Vertrue.

Under most of the agreements between the marketing firms and retailers, an advertising page is presented to shoppers while they complete a transaction at the retailer’s online store. Many shoppers say they entered their e-mail address and pushed a large “Yes” button on the ad because it appeared to be a $10 cash-back offer or coupon. Many of those who complained say they thought they were being rewarded by the retailer for making a purchase.

Buried in the fine print are the full terms of the deal. Customers are notified that by providing their e-mail address they are joining a membership program and agreeing to pay one of the marketing firms a monthly fee, typically between $10 and $20. Many people said they didn’t see this notice.

Visa’s new requirement is designed to send a “clear signal to cardholders that a second purchase is being initiated and protects them from questionable marketing practices,” the company said.

With the government leaning on them, many of the merchants involved have severed ties with the post-transaction marketers, which have also taken steps to alter their business practices. They haven’t gone far enough, however, critics have said.