Why installing software updates makes us WannaCry

People don’t want to be interrupted to update their software.
irin73bal via Shutterstock.com

Elissa Redmiles, University of Maryland

The global ransomware attack called “WannaCry,” which began last week and continues today, could have been avoided, or at least made much less serious, if people (and companies) kept their computer software up to date. The attack’s spread demonstrates how hundreds of thousands of computers in more than 150 countries are running outdated software that leaves them vulnerable. The victims include Britain’s National Health Service, logistics giant FedEx, Spanish telecom powerhouse Telefonica and even the Russian Interior Ministry.

The security flaw that allowed the attack to occur was fixed by Microsoft in March. But only people who keep their computers updated were protected. Details of the flaw were revealed to the public in April by the Shadow Brokers, a group of hackers who said they had stolen the information from the U.S. National Security Agency.

Attackers got into computers through that weakness and encrypted users’ data, demanding a ransom from anyone who wanted the data made usable again. But they didn’t win the race to exploit the flaw as much as people and computer companies collectively lost it. Our human tendencies and corporate policies worked against us. Research, including my own, tells us why, and offers some suggestions for how to fix it before the inevitable next attack.

Updating is a pain

All people had to do to stay safe from WannaCry was update their software. But people often don’t, for a number of specific reasons. In 2016, researchers from the University of Edinburgh and Indiana University asked 307 people to discuss their experiences of installing software updates.

Nearly half of them said they had been frustrated updating software; just 21 percent had a positive story to tell. Researchers highlighted the response of one participant who noted that Windows updates are available frequently – always the second Tuesday of every month, and occasionally in between those regular changes. The updates can take a long time. But even short updates can interrupt people’s regular workflow, so that study participant – and doubtless many others – avoids installing updates for “as long as possible.”

Some people may also be concerned that updating software could cause problems with programs they rely on regularly. This is a particular concern for companies with large numbers of computers running specialized software.


Is it necessary?

It can also be very hard to tell whether a new update is truly necessary. The software that fixed the WannaCry vulnerability came out in a regular second-Tuesday update, which may have made it seem more routine. Research tells us that people ignore repeated security warning messages. Consequently, these monthly updates may be especially easy to ignore.

The companies putting out the updates don’t always help much, either. Of the 18 updates Microsoft released on March 14, including the WannaCry fix, half were rated “critical,” and the rest were labeled “important.” That leaves users with little information they could use to prioritize their own updates. If, for example, it was clear that skipping a particular update would leave users vulnerable to a dangerous ransomware attack, people might agree to interrupt their work to protect themselves.

Even security experts struggle to prioritize. The day the fix was released, Microsoft watcher Chris Goettel suggested prioritizing four of the 18 updates – but not the one fixing WannaCry. Security company Qualys also failed to include that specific update in its list of the most important March updates.

Security pros, and everyone else


The most common recommendation is to update everything immediately. People just don’t do that, though. A 2015 survey by Google found that more than one-third of security professionals don’t keep their systems current. Only 64 percent of security experts update their software automatically or immediately upon being notified a new version is available. Even fewer – just 38 percent – of regular users do the same.

Another research project analyzed software-update records from 8.4 million computers and found that people with some expertise in computer science tend to update more quickly than nonexperts. But it’s still slow: From the time an update is released, it takes an average of 24 days before half of the computers belonging to software engineers are updated. Regular users took nearly twice as long, with 45 days passing before half of them had completed the same update.

Making updates easier

Experts might be quicker at updating because they understand better the potential vulnerabilities updates might fix. Therefore, they might be more willing to suffer the annoyances of interrupted work and multiple restarts.

Software companies are working on making updates more seamless and less disruptive. Google’s Chrome web browser, for example, installs updates silently and automatically – downloading new information in the background and making the changes when a user quits and then reopens the program. The goal is for the user not to know an update even happened.

That’s not the right choice for all kinds of updates, though. For example, the Windows update needed to protect against the WannaCry attack requires the computer to restart. Users won’t tolerate their computers shutting down and restarting with no warning.

Getting the message out

So computer companies must try to convince us – and we must convince ourselves – that updates are important. My own research focuses on doing just this, by producing and evaluating entertaining and informative videos about computer security.

An entertainment-education video about software updating produced by researchers at the University of Maryland.

In our first experiment evaluating the video, we conducted a month-long study to compare our video with an article of advice from security firm McAfee. The video was effective for more of our participants than the McAfee article was. Our video was also equally or more effective, overall, at improving people’s updating practices. Trying new approaches to teaching security behaviors such as our edutainment video, or even security comics, may be a first step toward helping us stay safer online.

Elissa Redmiles, Ph.D. Student in Computer Science, University of Maryland

This article was originally published on The Conversation. Read the original article.


Cybersecurity of the Power Grid: A growing challenge

A cyber attack on the electricity grid happened in Ukraine – could it happen here too? Valentyn Ogirenko/Reuters

Manimaran Govindarasu, Iowa State University and Adam Hahn, Washington State University

Called the “largest interconnected machine,” the U.S. electricity grid is a complex digital and physical system crucial to life and commerce in this country. Today, it is made up of more than 7,000 power plants, 55,000 substations, 160,000 miles of high-voltage transmission lines and millions of miles of low-voltage distribution lines. This web of generators, substations and power lines is organized into three major interconnections, operated by 66 balancing authorities and 3,000 different utilities. That’s a lot of power, and many possible vulnerabilities.

The grid has been vulnerable physically for decades. Today, we are just beginning to understand the seriousness of an emerging threat to the grid’s cybersecurity. As the grid has become more dependent on computers and data-sharing, it has become more responsive to changes in power demand and better at integrating new sources of energy. But its computerized control could be abused by attackers who get into the systems.

Until 2015, the threat was hypothetical. But now we know cyberattacks can penetrate electricity grid control networks, shutting down power to large numbers of people. It happened in Ukraine in 2015 and again in 2016, and it could happen here in the U.S., too.

As researchers of grid security, we know the grid has long been designed to withstand random problems, such as equipment failures and trees falling on lines, as well as naturally occurring extreme events including storms and hurricanes. But as a new document from the National Institute of Standards and Technology suggests, we are just beginning to determine how best to protect it against cyberattacks.

Understanding the Ukraine attacks

On Dec. 23, 2015, a cyberattack penetrated electricity distribution control centers in Ukraine using software vulnerabilities, stolen credentials and sophisticated malware. The attackers were able to open dozens of circuit breakers and shut off power to more than 200,000 customers for several hours.

A year later, the country’s electricity transmission facilities were attacked. That attack also cut off electricity service, though to a much smaller geographic area, and for only about an hour. In both cases, it is widely reported that hackers aligned with the Russian government were responsible.

How can we prevent this sort of attack in the U.S.?

Protecting the American electricity grid from cyberattacks is challenging not just because it is made up of so many physical and computerized elements connecting nearly every building in the country. It’s difficult because the grid has to continue to operate in real time, making adjustments to ensure the right amount of electricity gets where it needs to go at every moment.

And it’s especially hard because the electricity industry is used to a slower pace of technological advance: While computer technologies like smartphones and servers are updated every two to three years, grid infrastructure typically must operate for over a decade.

Increasingly computerized: electricity transmission lines.
Powerlines via shutterstock.com

Over time, though, older traditional electricity meters have given way to digital smart meters. Similarly, power substations that are crucial for converting electricity from high-voltage transmission lines to lower voltage for household use, are increasingly controlled via internet-enabled networks and software.

Security standards can help ensure utility companies keep their protection strong. The North American Electric Reliability Corporation, which oversees the grid in the U.S. and Canada, has rules, known as Critical Infrastructure Protection (CIP) compliance, for how electric companies must protect the power grid both physically and electronically. This includes monitoring the grid for attacks, as well as requiring safeguards such as multi-factor user authentication to keep unauthorized intruders from accessing control networks.

NERC also hosts regular tabletop simulation exercises, where electricity companies can practice defending against major attacks. The U.S. National Institute of Standards and Technology has its own recommendations, though they are not mandatory for utilities. A draft version of a new set of guidelines was just released, adding both urgency and detail for utility companies.

These standards, guidelines and exercises have significantly improved the security of the larger elements of the power system, such as power plants and high-voltage transmission networks. But they have done little to protect the low-voltage distribution networks that supply power directly to our homes and workplaces. Attacks on these low-voltage parts of the overall system cover less territory than intrusions at higher levels, but they can still cause large-scale power outages, like in Ukraine in 2015.

Defending the edges of the distribution system is much more complicated than protecting its center. Not only are there many more physical locations to safeguard, but there are also many more companies involved in operating them. Municipal governments and utility cooperatives, for example, are significant distributors of electricity, and yet have limited security requirements. In addition, they may not have the money or expertise to protect their systems against cyberattacks.

Joining forces

The grid depends on a number of key control systems and algorithms, each of which presents its own unique vulnerabilities. The growing scale of this problem requires techniques to manage and reduce the number of vulnerable points the grid has.

Research into grid security is moving away from investigating ways to better handle equipment failures and natural disasters, and toward creating a well-defended power grid for the future. One approach could be to add more redundancy – additional equipment that can fill in when an attack takes out a power plant or a transmission line. That is very expensive, though.

The other approach involves systematically analyzing the risks inherent in critical systems and methodically defending against each of them. Key elements of this approach involve developing techniques that can prevent attacks, detect and respond to them when they happen, and allow us to investigate what happened after an attack has ended. That will help us to improve protection for the future.

This approach will require the industry to ensure each new device it connects to the grid is protected, no matter how small or how big. We’ll also have to develop new systems that can detect anomalous grid communications and create more secure network architectures for critical grid control systems.

In addition, regulators will need to keep updating the rules governing the industry to raise minimum security standards over time. Schools and universities will need to teach people to be not only electricity experts but cybersecurity defenders. Our ability to flip a switch and turn on the lights depends on it.


Manimaran Govindarasu, Professor of Electrical and Computer Engineering, Iowa State University and Adam Hahn, Assistant Professor of Electrical Engineering and Computer Science, Washington State University

This article was originally published on The Conversation. Read the original article.


Six Myths About National Security Intelligence

At CIA headquarters on Jan. 17, Drumpf said the ‘dishonest media’ made it appear he was having a feud with the intel community. Olivier Douliery/AP via CNP

Frederic Lemieux, Georgetown University

President Trump has gotten off to a rough start with the intelligence community.

The day after being sworn in, Trump spoke at CIA headquarters in an apparent attempt to mend his relationship with the agency. The relationship was frayed in large part due to Trump’s skepticism about an intelligence assessment that suggested Russia had hacked into the emails of the Democratic National Committee and Democratic presidential candidate Hillary Clinton’s campaign.

Where did this skepticism come from? Trump – along with some security experts – has expressed doubt about the complexity of cyberattack attribution and the reliability of the intelligence sources. This skepticism seems to be fueled by the desire for irrefutable evidence of Russian interference in the election.

At Georgetown University, I study and teach how the intelligence community collects, analyzes and circulates sensitive information to policymakers and elected officials. I’d like to point out some of the misunderstandings about intelligence activities exhibited not only by the new president, but in the media coverage of the Russian interference in the presidential election of 2016.

Correcting these persistent myths is important because they set unrealistic expectations about intelligence production and analysis. These false expectations could damage the credibility of the U.S. intelligence community and its ability to fulfill its mission.

Myth #1: Intelligence and evidence are the same

Intelligence and evidence are starkly different.

Intelligence analysts are tasked with understanding situations that are often multifaceted, forming a judgment about that situation and informing policymakers.

On the other hand, law enforcement investigators produce evidence required to meet legal standards of the burden of proof. In a courtroom, direct proof of a crime – such as DNA, fingerprints, witness testimony or a confession – is the best evidence.

In the intelligence community, analysts have to deal with foreign intelligence agencies and terrorist groups who have the ability to use counterintelligence measures and disinformation campaigns to deceive U.S. intelligence officers and create uncertainty.

It would be unrealistic to expect intelligence agencies to always provide “fully proved evidence” in their assessments.

Another reason people are skeptical of intelligence is the lack of explanation on how analysts draw their conclusions.

For example, the Office of the Director of National Intelligence declassified a report on Russia’s role in influencing the U.S. election in early January. In response, Robert Graham, an analyst for a cybersecurity firm, told Wired: “Knowing what data they probably have, they could have given us more details. And that really pisses me off.”

Susan Hennessey, a fellow at the Brookings Institution, sent out the following tweet in response to the report.


But these criticisms are misguided, in my opinion. The techniques used by the intelligence agencies must be kept secret to avoid revealing U.S. methods and analysis capabilities to our adversaries.

Myth #2: Intelligence can predict the future

Former President Barack Obama has been criticized for not releasing a detailed intelligence assessment about the Russian hacks before the election. Some have said that the intelligence community should have warned the public – sooner and more forcefully – about the impact of Russian interference.

But these criticisms can be attributed to 20/20 hindsight and illustrate the myth that intelligence officials can somehow predict the future.

Despite all the technology available to the intelligence community, we are not yet in the scenario of the movie “Minority Report,” in which special units prevent murders seconds before they happen with the help of psychics and visualization technology.

In fact, the intelligence community has had many failures. It failed to foresee the rapid collapse of the Soviet Union, the rise of the Arab Spring and more recently the invasion of Crimea. The intelligence community could not predict the intensity of Russian interference or how close the election would be.

Here’s what they can do. Intelligence agencies produce what is called “national security estimates,” which represent a combination of analysts’ opinions. These are rated on a confidence level scale that varies from “almost no chance” to “almost certain.” The rating is based on the quality of information, depth of analysts’ knowledge on the issue, the credibility and reliability of the sources used to produce the intelligence and the ability to corroborate with other sources.

In other words, intelligence estimates are carefully weighed against rigorous criteria to ensure validity and credibility of the assessment. Even so, intelligence agencies deal with plausible scenarios, not predictions.

Myth #3: Intelligence results from covert operations

Perhaps surprisingly, approximately 80 percent of the intelligence used by security agencies is not secret and does not require covert operations.

Most intelligence is gathered through “open source intelligence,” like internet content; traditional mass media, including television, radio, newspapers and magazines; specialized journals, conference proceedings and think tank studies; photos; maps and commercial imagery; and publicly accessible databases.

There are two main challenges with “open source intelligence.” Sometimes the information needed isn’t available in digital format, and sometimes it’s not in English.

These limitations may sometimes trigger covert operations. But in the majority of cases, intelligence estimates are rather dry reading that includes little bombshell information.

Myth #4: The intelligence community is mainly composed of spies

Since intelligence requirements can be addressed through open sources, the need for spies is relatively low.

Only about 10 percent of the employees of the CIA are covert operatives.

Ninety percent are analysts, managers, scientists and support staff. The vast majority of intelligence employees work at a desk and often possess high-level expertise in geopolitical issues, history and international relations. Very few play James Bond in a foreign country.

Myth #5: Top secret intelligence is seen by a small number of people

In the United States, approximately 5.1 million people have security clearance to handle sensitive information. Among this group, 1.4 million received a “top secret” clearance.

“Top secret” is not the most secret clearance. There are also an unknown number of individuals that carry clearance above “top secret” such as “sensitive compartmental information” and “special access programs.”

Such a “crowded intelligence environment” increases the risk that sensitive information gets released intentionally or unintentionally.

Myth #6: Only presidents get presidential daily briefings

During the transition period, President Trump created another precedent by delegating the so-called “presidential daily briefing” to Vice President Mike Pence. While this precedent does mean the intel community is losing a regular appointment with the president, it is not unusual for the presidential daily briefing to be read by other people.

It has been reported that, during the Obama administration, this document was seen by more than 30 people, including senior intelligence analysts, White House senior advisers, department secretaries and selected ranking members of Congress.

Despite the number of reviewers, the intelligence community had daily access to Obama for the briefing – something that, so far, President Trump has withheld from them.


Frederic Lemieux, Professor and Program Director of the Master’s degree in Applied Intelligence, Georgetown University

This article was originally published on The Conversation. Read the original article.

Is Part of Chelsea Manning’s Legacy Increased Surveillance?

Via shutterstock.com

Sanjay Goel, University at Albany, State University of New York

The military’s most prolific leaker of digital documents has ushered in an age of even more increased surveillance over government workers. The legacy of Chelsea Manning’s actions is under discussion in the wake of the announcement that the former Army private will be released from military prison in May. In one of his last official acts, President Obama commuted her sentence for violations of the Espionage Act and copying and disseminating classified information. The commutation reduced her sentence from 35 years to the seven years she has already served, plus four additional months needed to effect her release.

In 2010, Manning, then presenting as male and going by the first name Bradley, was an intelligence analyst serving in Iraq. Disillusioned by callous behavior and indiscriminate killing of people in Afghanistan and Iraq by American soldiers, Manning copied and digitally released a massive trove of classified information. The data included 250,000 cables from American diplomats stationed around the world, 470,000 Iraq and Afghanistan battlefield reports and logs of military incident reports, assessment files of detainees held at Guantanamo Bay and war zone videos of airstrikes in Afghanistan and Iraq in which civilians were killed.

Government officials immediately expressed concerns about damage to national security, international relations and military personnel because of the information contained in the material. There appears to have been relatively little lasting damage to American diplomacy. The military revelations were more damaging, with documents discussing prisoner torture and an assassination squad made up of American special forces operators. Those enraged American citizens and the international community alike, and may have hardened the resolve of adversaries.

But the most lasting effect will likely be a powerful new fear of so-called “insider threats” – leaks by people like Manning, working for the U.S. and having passed security clearance background checks. In the wake of Manning’s actions, the military and intelligence communities have been ramping up digital surveillance of their own personnel to unprecedented levels, in hopes of detecting leakers before they let their information loose on the world.

Embarrassing to diplomats

The initial official response was that the release of State Department cables – internal communications between officials with candid assessments of international situations and even individual leaders’ personalities – would be so debilitating to foreign relations that repair would take decades.

In reality, the cables were more embarrassing than destructive. A political uproar met the news that the U.S. and its purported ally Pakistan were working at cross-purposes: American forces were trying to fight against the Taliban and al-Qaida, while Pakistan was trying to offer them protection and even weapons. But overall, it didn’t significantly increase the existing tensions in American-Pakistani relations. Other foreign officials may have become more wary about sharing information with Americans, but over time, new people come into key posts, the leak is forgotten and business continues as it has always done.

Foreign leaders about whom U.S. officials had made blunt and disparaging comments in the cables did suffer. For example, the cables revealed a secret agreement in which the U.S. conducted drone strikes in Yemen while that country’s President Ali Abdullah Saleh publicly took the blame. Two years later, in 2012, a popular revolution ousted him. A similar fate befell the Tunisian President Zine El Abidine Ben Ali, whose lavish lifestyle – and lack of American support – was discussed in the cables.

Revealing military misdeeds

More damaging to the U.S. was what was revealed in the battlefield reports Manning released, and called evidence of American soldiers’ “bloodlust.” For instance, Manning’s leaks disclosed the activities of an American assassination squad in Afghanistan. Called Task Force 373, the unit comprised specially trained U.S. personnel from elite forces such as the Navy SEALs and the Army’s Delta Force. Its goal was to assassinate a range of targets including drug barons, drug makers and al-Qaida and Taliban figures.

The documents also showed U.S. military personnel shooting innocent civilians on the ground and from the air – among them a Reuters journalist. They showed that American authorities ignored extreme torture inflicted on Iraqi prisoners, including sexual abuse and physical mistreatment, such as hanging detainees upside-down. Allegations of child trafficking by U.S. military contractors also came to light.

Surveilling the potential messenger

Manning is being hailed as a hero and as a traitor. There are arguments for both. The public has a right to know about official misdeeds carried out by the government and military. But those kinds of revelations can jeopardize our defense strategy and hurt our standing in the world community.

Manning’s leaks raised alarms across the government because they came from a trusted insider. In 2011, Obama issued Executive Order 13587, directing Executive Branch departments and agencies to be on guard against insider threats.

National Security Agency contractor Edward Snowden’s leaks of NSA documents in 2013 only heightened official fears. As a result, government organizations have increased surveillance and are closely monitoring their employees’ online activity.

With software and techniques also in use in the private sector, government agencies and contractors use computer systems that monitor when employees are accessing, copying, deleting and transferring files.

Computers’ external media ports are also being watched, to detect an employee connecting a USB thumb drive that could be used to smuggle documents out of a secure system. Workers’ keystrokes and other actions on their computers are being analyzed in real time to detect unauthorized activity, such as accessing restricted files or even connecting to file-sharing or social media sites.

Agencies and private companies with government contracts will also have to keep their employees’ after-work lives under greater surveillance, looking for behavior or situations that might compromise government security. The effectiveness of these efforts is not yet clear.

Leniency or mercy?

Chelsea Manning.
U.S. Army

Obama characterized Manning’s release as a humanitarian gesture because of her personal circumstances. The day after she was sentenced, Manning revealed that she is transgender and identifies as a woman; nevertheless, she was held in a men’s military prison.

The military was under increasing public and even international pressure to allow her to make a physical and biological transition – a procedure neither the military nor any U.S. prison has ever dealt with or paid for before. (She is likely to lose her military medical coverage upon her release from prison, leaving her medical care in question.)

Despite Obama’s perspective, Manning’s release could be viewed as an act of leniency, a signal that others might escape decades of prison time if they, too, were to violate their oaths of secrecy and reveal confidential public information. But fewer might get the chance to do so, because insiders are trusted less and being watched more.


Sanjay Goel, Professor of Information Technology Management, University at Albany, State University of New York

This article was originally published on The Conversation. Read the original article.

Judgment Day for the U.S. Surveillance State #CyberSecurity #NSA #PatriotAct

A man types on a computer keyboard in Warsaw in this February 28, 2013 illustration file picture. Kacper Pempel/Reuters

When James A. Baker, the Federal Bureau of Investigation’s newly appointed general counsel, met for dinner with Google Executive Chairman Eric Schmidt a couple of months ago, the topic of national security and government surveillance came up. “He was deeply, deeply, deeply frustrated with the U.S. government, with what it’s willing to talk about and what it’s not willing to talk about” in terms of how it spies on Americans, Baker recalls.

He told this anecdote in late April at a cybersecurity conference in New York at Fordham Law’s Center on National Security before arriving at his main point: “Government surveillance is not that bad.” Schmidt’s well-publicized response? “Encrypt everything.”

Last week saw the first response to the issue by an appeals court outside the country’s secretive Foreign Intelligence Surveillance Court: The court ruled that the U.S. government’s long-held justification for the National Security Agency’s (NSA) bulk collection of Americans’ phone records and other data is illegal under the USA Patriot Act.

Specifically, the New York federal court found that the government’s broad interpretation of a provision of the Patriot Act, Section 215, did not provide sufficient legal cover for its sprawling surveillance program, which scoops up and stores for up to five years the “metadata” of Americans’ phone calls, such as who they call, how frequently and for how long. “The statutes to which the government points have never been interpreted to authorize anything approaching the breadth of the sweeping surveillance at issue here,” the U.S. Court of Appeals for the Second Circuit’s three-judge panel said. It added: “Congress cannot reasonably be said to have ratified the program of which many members of Congress—and all members of the public—were not aware.”

In other words, when Congress first passed the Patriot Act in 2001 and reauthorized it in 2011, it had no idea what it was agreeing to.

“It is a far stretch to say that Congress was aware of the [Foreign Intelligence Surveillance Court’s] legal interpretation of Section 215 when it reauthorized the statute,” the panel stated in its decision.

As is now well known, most members of Congress were not told of the government’s interpretation of Section 215 of the Patriot Act—including the member of Congress who wrote the legislation, Wisconsin Republican Jim Sensenbrenner. The interpretation remained classified for more than a decade, until June 2013, when former NSA contractor Edward Snowden exposed how it was being used by the U.S. intelligence community to justify monitoring Americans’ bulk communications.

Last week’s appeals court ruling not only struck a major blow against America’s national security apparatus, but it now sets the stage for what is expected to be a tough battle this month in Congress, which must decide whether to raze, renew or revise some of the most contentious portions of the Patriot Act, including Section 215, before they expire on June 1.

For the uninitiated, Section 215 allows the director of the Federal Bureau of Investigation (FBI), or a designee, to apply for orders requiring companies holding business records to produce “any tangible things” that might help the government conduct foreign-intelligence gathering or international terrorism investigations. Under the government’s interpretation of Section 215, the FBI—which has partnered up with the NSA in amassing and organizing the data—should be allowed to access any records deemed “relevant to an authorized investigation.”

“Somehow, they convinced the U.S. Foreign Intelligence Surveillance Court, which is supposed to prevent this from happening, that you cannot do this kind of data-mining without all the records, so all the records are relevant,” says Lee Tien, a senior lawyer at the Electronic Frontier Foundation, a nonprofit privacy-rights group based in San Francisco. “It’s hard to believe. How can you use a statute that has a ‘relevant’ standard to do a blanket collection?”

The appeals court, which overturned a lower district court ruling, agreed. “We hold that the text of 215 cannot bear the weight the government asks us to assign it, and that it does not authorize the telephone metadata program,” the judges said. “We do so comfortably in the full understanding that if Congress chooses to authorize such a far-reaching and unprecedented program, it has every opportunity to do so, and to do so unambiguously.”

Sensenbrenner has publicly stated that the interpretation of his language in Section 215 was stretched well beyond the intended meaning. He and Senator Patrick Leahy, a Democrat of Vermont, have introduced a bill, the USA Freedom Act, to rein in what they call the “eavesdropping, dragnet collection and online monitoring” of Americans. In late April, Republican Senate Majority Leader Mitch McConnell and Senate Intelligence Committee Chairman Richard Burr countered with a bill to extend Section 215 to the year 2020 without making any changes to it—legislation that looks a good deal shakier after the recent ruling.

The National Security Council (NSC) said in response to last week’s ruling that it’s working with Congress on reform legislation. “The President has been clear that he believes we should end the Section 215 bulk telephony metadata program as it currently exists by creating an alternative mechanism to preserve the program’s essential capabilities without the government holding bulk data,” said NSC spokesman Edward Price. Reached by Newsweek, NSA spokeswoman Vanee Vines deferred to the NSC’s statement.

Calling Section 215 “badly drafted,” “unnecessary” and “unproductive” (as in, it does not seem to do very much to catch terrorists), Richard Clarke, former counterterrorism adviser to presidents Bush and Clinton, told Newsweek that reforming Section 215 is at the very top of the list of 46 changes he proposed while part of a presidential panel convened by the Obama administration to review the NSA’s surveillance methods. “The government should not be holding that data,” he said.

The panel’s final review warned that if the U.S. continues on this track, it risks becoming a “police state.”

Fourth Amendment and free-speech advocates are quick to warn of the “chilling effect” on Americans’ freedom of speech and freedom of movement in the face of such surveillance—in effect, that they would no longer feel at liberty to act freely if they know they are being systematically watched and listened to.

Another concern, says the Electronic Frontier Foundation’s Tien, is that while the Patriot Act was originally intended to target terrorists in the aftermath of the September 11 attacks, there is growing evidence that its powers are being used in domestic law enforcement to target Americans. For instance, the NSA is permitted to pass on information and tips to the FBI and other agencies.

“The privacy and civil liberty concerns of all this information-sharing on Americans by the intelligence community and law-enforcement agencies is very real,” says Tien. “And our country has not yet had an opportunity to have an honest social and political debate about it.”

While the extent of information-sharing among U.S. agencies is not fully known, he says, it is clear there have been cases in which Americans have been unjustifiably caught in dragnets.

I witnessed such a case in 2003, when I received a panicked phone call at work from someone very close to me. This person—who does not want to be named, even today, because of what subsequently happened to her—had just arrived home after an evening away to find concerned neighbors informing her that her townhouse on a quiet block in Jersey City, New Jersey, had received a visit at dawn from police who were shouting and banging on her door.

Right away, we called the Jersey City police. They had no record of anyone coming to that address. She tried to find out if anyone knew anything else, but to no avail. “I work with children,” she said. “What would the police want with me?”

A week passed. Then, she received a phone call from a federal agent accusing her of evading arrest. “They said, ‘You’re a fugitive,’ even though I hadn’t gone anywhere,” she tells Newsweek. “They wanted information. I had nothing to give them, because I didn’t know what they were talking about.”

She was taken into custody and accused of being a key operator in a vast conspiracy to smuggle drugs into the U.S. under the direction of a high-ranking Mexican drug lord.

How did this happen? It turns out federal officials had misinterpreted her end of an intercepted phone conversation in which the caller—the father of a former college friend—asked her while visiting New Jersey where he might be able to buy recreational drugs. She told him she didn’t know, and that was that. Or so she thought. Apparently, the caller was a bad guy—previously imprisoned for drug-related offenses and, unbeknownst to her, one of 240 individuals being apprehended in connection with the Mexican drug lord. Her mistake? Picking up the phone.

Federal agents told her if she didn’t cooperate, she would face time in prison, possibly decades. Regardless of a lack of any physical evidence connecting her to drugs, the agents gave her a choice: accept a federal misdemeanor and a fine of $1,000 for simply talking about drugs on the phone, or be implicated in the wider conspiracy. On the advice of her lawyer, she took the former. “My lawyer said I was incredibly lucky,” she says. “I got to get on with my life.”

On July 31, 2003, U.S. Attorney General John Ashcroft announced the indictment of Ismael Zambada-Garcia, the head of one of the most powerful and ruthless drug-trafficking organizations in Mexico, as part of Operation Trifecta, along with the arrests of 62 other suspects in the U.S. and one very frightened young woman in Jersey City. He credited the success of the operation to nearly a dozen agencies and the same heightened surveillance powers as are found in the Patriot Act. “Wiretaps, pen registers and delayed notification warrants, are the same tools provided by the USA Patriot Act,” Ashcroft said, “which help law enforcement to prosecute successfully the war on terrorism.”

But Operation Trifecta was not part of the war on terrorism. It was a 19-month investigation that, according to Ashcroft, focused on “a nationwide effort on the communications of domestic cells.” Reached by Newsweek, the DOJ and the Drug Enforcement Administration, which led the probe, had no comment.

Such actions illustrate some of the possible problems of building cases based on Americans’ phone records. In the case of the woman from Jersey City, who had no criminal record, the real dangers of such sweeping powers are not just the violation of privacy and civil liberties, but the risk that the government becomes so reliant on those powers that it misleads itself.

“I am just grateful it’s over,” she says. “But I feel like if they’d researched who I was a little more instead of just relying on phone records, they probably would not have put me through all that. In the end, they didn’t know anything about me; that I was a straight-A student, that I worked with kids or how I was really living my life.”

