The Transportation Security Administration (TSA) has begun collecting information on travelers through a program that monitors citizens not on a terror watch list or suspected of a crime, The Boston Globe reported.
The Globe reported Saturday that the program, titled “Quiet Skies,” aims to eliminate threats posed by “unknown or partially known terrorists.”
Undercover air marshals reportedly document passengers’ behavior, including whether they use technology when traveling, whether they change clothes at the airport, how closely they stand to the boarding area and other patterns…
FILE PHOTO: The National Security Agency (NSA) headquarters is seen in Fort Meade, Maryland, U.S. February 14, 2018. REUTERS/Sait Serkan Gurbuz
The U.S. National Security Agency collected 534 million records of phone calls and text messages of Americans last year, more than triple gathered in 2016, a U.S. intelligence agency report released on Friday said.
The sharp increase from 151 million occurred during the second full year of a new surveillance system established at the spy agency after U.S. lawmakers passed a law in 2015 that sought to limit its ability to collect such records in bulk.
The spike in collection of call records coincided with an increase reported on Friday across other surveillance methods, raising questions from some privacy advocates who are concerned about potential government overreach and intrusion into the lives of U.S. citizens.
The 2017 call records tally remained far less than an estimated billions of records collected per day under the NSA’s old bulk surveillance system, which was exposed by former U.S. intelligence contractor Edward Snowden in 2013.
The records collected by the NSA include the numbers and time of a call or text message, but not their content.
Overall increases in surveillance hauls were both mystifying and alarming coming years after Snowden’s leaks, privacy advocates said.
“The intelligence community’s transparency has yet to extend to explaining dramatic increases in their collection,” said Robyn Greene, policy counsel at the Washington-based Open Technology Institute that focuses on digital issues …
Friday’s report also showed a rise in the number of foreigners living outside the United States who were targeted under a warrantless internet surveillance program, known as Section 702 of the Foreign Intelligence Surveillance Act, that Congress renewed earlier this year.
That figure increased to 129,080 in 2017 from 106,469 in 2016, the report said, and is up from 89,138 targets in 2013, or a cumulative rise over five years of about 45 percent.
U.S. intelligence agencies consider Section 702 a vital tool to protect national security, but privacy advocates say the program incidentally collects an unknown number of communications belonging to Americans.
“Florida authorities went to a funeral home and used a dead man’s finger to try to unlock his cellphone as part of their investigation.
Thirty-year-old Linus Phillip was killed by a Largo police officer last month after authorities say he tried to drive away before an officer could search him.
At the funeral home, two detectives held the man’s hands up to the phone’s fingerprint sensor … a professor at Stetson University College of Law, tells the Tampa Bay Times that dead people can’t assert their Fourth Amendment protections because you can’t own property when you’re dead. But those rights could apply to whoever inherits the property…”
Every day, journalists face serious consequences including physical violence, imprisonment and death. A few days ago, the Committee to Protect Journalists launched its annual Free The Press campaign to raise awareness about imprisoned journalists throughout the world. On May 3, UNESCO will once again mark World Press Freedom Day “to inform citizens of violations of press freedom — a reminder that in dozens of countries around the world, publications are censored, fined, suspended and closed down, while journalists, editors and publishers are harassed, attacked, detained and even murdered.”
Meanwhile, the United States government, traditionally one of the bastions of press freedom, is about to compile a list of professional journalists and “top media influencers”, which would seem to include bloggers and podcasters, and monitor what they’re putting out to the public.
What could possibly go wrong? A lot.
DHS’ “Media Monitoring” Plan
As part of its “media monitoring”, the DHS seeks to track more than 290,000 global news sources as well as social media in over 100 languages, including Arabic, Chinese and Russian, for instant translation into English. The successful contracting company will have “24/7 access to a password protected, media influencer database, including journalists, editors, correspondents, social media influencers, bloggers etc.” in order to “identify any and all media coverage related to the Department of Homeland Security or a particular event.”
“Any and all media coverage”, as you might imagine, is quite broad and includes “online, print, broadcast, cable, radio, trade and industry publications, local sources, national/international outlets, traditional news sources, and social media.”
The database will be browseable by “location, beat and type of influencer”, and for each influencer, the chosen contractor should “present contact details and any other information that could be relevant, including publications this influencer writes for, and an overview of the previous coverage published by the media influencer.”
One aspect of the media coverage to be gathered is its “sentiment.”
Why “Media Monitoring” and Why Now?
DHS says the “NPPD/OUS [National Protection and Programs Directorate/Office of the Under Secretary] has a critical need to incorporate these functions into their programs in order to better reach Federal, state, local, tribal and private partners.” Who knows what that means, but the document also states the NPPD’s mission is “to protect and enhance the resilience of the nation’s physical and cyberinfrastructure.”
That line makes it sound as if the creation of this database could be a direct response to the rampant allegations of Russian interference in the 2016 U.S. presidential election — though President Donald Trump, who has normalized the term “fake news”, can’t seem to decide whether that’s even an issue or not.
Facebook CEO Mark Zuckerberg thinks it is. Earlier this week, he announced the social networking site would remove “more than 270 pages and accounts operated by a Russian organization called the Internet Research Agency” in an effort “to protect the integrity of elections around the world”.
Within the context of increasing concerns over “fake news” and foreign interference in elections, an action such as the DHS’ database might seem, at first glance, to be a sensible approach.
Unfortunately, increasing government encroachment on the freedom of the press is the sinister backdrop to all of this. Freedom House, which has monitored the status of the press for nearly 40 years, recently concluded that global media freedom has reached its lowest level in the past 13 years. The independent watchdog organization blames “new threats to journalists and media outlets in major democracies” as well as “further crackdowns on independent media in authoritarian countries like Russia and China.” And then it goes one step further.
“But it is the far-reaching attacks on the news media and their place in a democratic society by Donald Trump, first as a candidate and now as president of the United States, that fuel predictions of further setbacks in the years to come”, the report said.
Could the DHS media database be such a setback?
Possibly, and it’s not even the first time potential regulation of journalists has drifted across the American political scene.
Last October, an Indiana lawmaker proposed that journalists be licensed. Representative Jim Lucas’ bill was mostly a publicity stunt, but could this DHS action be a way for the government to keep track of American and foreign journalists as well as “citizen journalists”, threatening not only the freedom of the press but also individual freedom of speech?
The real question, of course, is what the government plans to do with the information it compiles, and there’s been no comment on that beyond what is in the posting, which, by the way, has interest from at least seven companies. Will those on the DHS media database be questioned more harshly coming in and out of the country? Will they have trouble getting visas to go to certain countries for their own reporting or personal vacations? Worse?
Speaking of visas — and showing that social media activity is squarely on the radar of this Administration — earlier this week, the State Department placed two notices in the Federal Register seeking comments on its proposal to require that all visa applicants to the U.S. turn over their social media information for the previous five years.
Regarding the DHS media database, we are entering potentially dangerous territory with the government keeping track of the “sentiment” of citizens and foreign nationals. If not legal challenges from organizations that defend press freedom and freedom of speech interests, the government should expect, at the very least, backlash from the public.
And that means you. If you think the idea of the U.S. government’s compiling and monitoring a list of media professionals and “top media influencers” is a potential threat to democracy, now would be the perfect time to call your local and congressional representatives to let them know how much you value a free press and the freedom of speech, just in case they’ve forgotten.
Genetic testing companies could give up you DNA for criminal investigations
The DNA you send in the mail through genetics kits and ancestry programs like 23andMe and Ancestry.com can be used by police in a criminal investigation, but it doesn’t happen very often.
More than 1.2 million customers have sent their saliva to 23andMe to learn about their own genetics, though not everyone is aware that police can potentially have access to their DNA.
“We try to make information available on the website in various forms, so through Frequently Asked Questions, through information in our privacy center,” 23andMe privacy officer Kate Black told Action News Jax.
Police have only requested information from 23andMe for five Americans and according to 23andMe reports, the company didn’t turn over any information.
“In each of these cases, 23andMe successfully resisted the request and protected our customers’ data from release to law enforcement,” Black and colleague Zerina Curevac wrote in a blog post last year.
But Black said she wouldn’t rule out the possibility in the future and seeks to review requests on “a case-by-case basis.”
In the 23andMe blog post, Black and Curevac address multiple privacy concerns and questions involving law enforcement and their DNA.
They write that typically police will collect the DNA of an unknown suspect at a crime scene and compare it to the federal government’s genetic information database, the Combined DNA Index System or “CODIS.”
Using CODIS, police can run a search to see if the DNA matches that of a convicted offender or arrestee profile in the database. They can also run a “familial search” to identify close biological relatives.
If no matches are found, police may turn to privately owned databases.
But 23andMe and other ancestry tools aren’t likely to be useful to law enforcement or to the government, Black and Curevac wrote.
Their genetic tests can’t be used to match CODIS information or information in other governmental databases because the genotyping technology is very different.
And, even if police are presented a situation in which their testing would be useful, they would still face tough legal and technical limitations.
These limitations are usually enough to persuade police to back off their requests, according to the blog.
While police have been unable to obtain DNA information from 23andMe, in 2014, Ancestry self-reported that it released a customer’s DNA sample to police in compliance with a search warrant.
According toAncestry’s website, the company “requires valid legal process in order to produce information about our users. We comply with legitimate requests in accordance with applicable law.”
The investigation involved the 1996 murder and rape of 18-year-old Angie Dodge in Idaho Falls, Idaho, Mashable reported. Police believed there was another suspect involved in addition to Christopher Tapp, who was sentenced to life in prison in 1998.
The 2014 Ancestry results found a close (but not exact) match, which police believed to be Tapp’s relative.
After showing up at donor Michael Usry Jr.’s doorstep in New Orleans, Louisiana, for a six-hour interrogation and blood drawing, police determined it wasn’t a match, Mashable reported.
Ancestry’s Transparency Report states that the company received nine valid law enforcement requests in 2016 and provided information on eight of the requests to government agencies. All were related to credit card misuse and identity theft.
CLICK HERE to learn how to delete you results from 23andMe and CLICK HERE to learn how to do the same for Ancestry.
Legitimate downloads of popular software including WhatsApp, Skype and VLC Player are allegedly being hacked at an internet service provider (ISP) level to spread an advanced form of surveillance software known as “FinFisher”, cybersecurity researchers warn.
FinFisher is sold to global governments and intelligence agencies and can be used to snoop on webcam feeds, keystrokes, microphones and web browsing. Documents, previously published by WikiLeaks, indicate that one tool called “FinFly ISP” may be linked to the case.
The digital surveillance tools are peddled by an international firm called Gamma Group and have in the past been sold to repressive regimes including Bahrain, Egypt and the United Arab Emirates (UAE).
In March this year, the company attended a security conference sponsored by the UK Home Office.
This week (21 September), experts from cybersecurity firm Eset claimed that new FinFisher variants had been discovered in seven countries, two of which were being targeted by “man in the middle” (MitM) attacks at an ISPlevel – packaging real downloads with spyware.
Companies hit included WhatsApp, Skype, Avast, VLCPlayer and WinRAR, it said, adding that “virtually any application could be misused in this way.”
When a target of surveillance was downloading the software, they would be silently redirected to a version infected with FinFisher, research found.
When downloaded, the software would install as normal – but Eset found it would also be covertly bundled with the surveillance tool.
The stealthy infection process was described as being “invisible to the naked eye.”
The seven countries were not named for security reasons, Eset said. WhatsApp and VLC Player did not respond to request for comment by the time of publication.
A Microsoft spokesperson, referencing the Skype infections, told IBTimes UK: “Windows Defender antivirus cloud protection already automatically identifies and blocks the malware.
“For non-cloud customers, we’ve deployed signatures to protect against this in our free antivirus software”, the statement added.
An Avast spokesperson said: “Attackers will always focus on the most prominent targets.
“Wrapping official installers of legitimate apps with malware is not a new concept and we aren’t surprised to see the PC apps mentioned in this report.”
“What’s new is that this seems to be happening at a higher level.”
“We don’t know if the ISPs are in cooperation with the malware distributors or whether the ISPs’ infrastructure has been hijacked.”
The latest version of FinFisher was spotted with new customized code which kept it from being discovered, what Eset described as “tactical improvements”. Some tricks, it added, were aimed at compromising end-to-end (E2E) encryption software and known privacy tools.
One such application was Threema, a secure messaging service.
“The geographical dispersion of Eset’s detections of FinFisher variants suggests the MitM attack is happening at a higher level—an ISP arises as the most probable option”, the team said.
“One of the main implications of the discovery is that they decided to use the most effective infection method and that it actually isn’t hard to implement from a technical perspective”, FilipKafka, a malware researcher at Eset, told IBTimes UK.
“Since we see have seen more infections than in the past surveillance campaigns, it seems that FinFisher is now more widely utilized in the monitoring of citizens in the affected countries.”
Breaking encryption has become a major talking point of governments around the world, many of which conduct bulk communications collection. Politicians argue, often without evidence, that software from companies such as WhatsApp has become a burden on terror probes.
The software’s brochure boasted: “FinFly ISP is able to patch files that are downloaded by the target on-the-fly or send fake software updates for popular software.”
It added that it “can be installed on an internet service provider’s network” and listed one use case when it was previously deployed by an unnamed intelligence agency.
Eset found that all affected targets within one of the countries were using the same ISP.
“The deployment of the ISP-level MitM attack technique mentioned in the leaked documents has never been revealed – until now”, the researchers said in their analysis.
“If confirmed, these FinFisher campaigns would represent a sophisticated and stealthy surveillance project unprecedented in its combination of methods and reach.”
It remains unknown who was behind the fresh hacking campaigns, but FinFisher is almost exclusively tailored to government, police or intelligence agency use.
“We cannot say for sure who is behind the campaign but the ISP re-direction could be a service ordered from FinFisher”, Kafka said.
“This question should be addressed to FinFisher.”
“We [have] very limited information on this, who specifically was targeted, but generally the targets were catered to what FinFisher is generally used for”, he added.
Gamma Group did not immediately respond to a request for comment from IBTimes UK.
This is not the first time that the company, which has offices in Europe, has been linked to questionable business practices.
In 2013, tech firm Mozilla sent it a cease and desist letter after its software was caught posing as a version of its Firefox browser.
“We cannot abide a software company using our name to disguise online surveillance tools that can be – and in several cases actually have been – used by Gamma’s customers to violate citizens’ human rights and online privacy”, it complained in a blog post.
The same year, Reporters without Borders branded Gamma Group as one of the “Corporate Enemies of the Internet” in an annual report. The creepy and invasive spyware can also be spread via more traditional means – malicious email attachments, for example.
Back in 2011, it emerged that Gamma International, a UK subsidiary, was selling a malware Trojan disguised as an update for Apple’s iTunes media player.
Before being patched, the gaping vulnerability had been exploited for approximately three years, found security journalist Brian Krebs at the time.
Facebook wants to get up close and personal with its users after a patent was revealed detailing a desire to secretly watch users through their webcam or smartphone camera, spying on your mood in order to sell you tailored content or advertisements.
The purpose behind the invasive idea is to analyze people through the camera in real time while they browse online and if it recognizes you looking happy, bored or sad, it would deliver an advert fitting your emotion. If you were forlorn, for example, it would be able to serve an ad to perk you up, or know what products you had previously looked at online and put them under your nose at just the right time.
Facebook explains in the patent application that a user who looked away during certain content (in their fictional case it was a kitten video) algorithms for the social network would know to not show more of that type of content. In another example it describes how the technology could tell if a user’s expression changed while looking at posts or pictures from a certain person and would show more or less of these in the future.
The social network has filed several patents over the years on emotion-based technology but this, based on ‘passive imaging data’ is perhaps the most unnerving, considering it would take control of cameras that weren’t even switched on by the user.
As described by CB Insights: “This patent proposes capturing images of the user through smartphone or laptop cameras, even when the user is not actively using the camera. By visually tracking a user’s facial expression, Facebook aims to monitor the user’s emotional reactions to different types of content.”
The New York-based intelligence firm went on to say: “On the one hand, they want to identify which content is most engaging and respond to audience’s reactions, on the other emotion-detection is technically difficult, not to mention a PR and ethical minefield.”
Other patents listed by Facebook include a text messaging platform to detect a user’s mood by measuring how hard and fast they were typing, then augment the message format, such as adding emojis or changing the font size, to match their emotion.
The patent for taking control of the camera of a user’s device was granted back in 2015 but there has been no introduction of the technology in the wild. Facebook, however, will always have to notify members in advance of any changes. Yet, this would likely be a hard sell.
A Facebook spokesperson provided IBTimesUK with the following statement: “We often seek patents for technology we never implement, and patents should not be taken as an indication of future plans.”
With the danger of online privacy edging its way to the foreground of public awareness many would no doubt be wary about giving away such intimate access. After all, even Facebook CEO Mark Zuckerberg is alert to the dangers of being spied on after a picture he posted online showed his laptop’s webcam and microphone port taped over.
“They spent a fortune tracking 26 people and recording three million conversations and apparently got nothing … I’d love to see the probable cause affidavit for that one and wonder what the court thought on its 10 day reviews when zip came in … I’m not surprised by the results because on average, a very very low percentage of conversations are incriminating, and a very very low percent results in conviction”. When reached, a spokesperson for the Justice Department did not comment.
‘Forget enforced password complexity. Forget forced periodic #password changes—These don’t work! Do have passwords checked against a list of commonly “hacked” #passwords that regularly show up in stolen account data troves…’
Here is a quick look at the three main changes the NIST has proposed:
No more periodic password changes. This is a huge change of policy as it removes a significant burden from both users and IT departments. It’s been clear for a long time that periodic changes do not improve password security but only make it worse, and now NIST research has finally provided the proof.
No more imposed password complexity (like requiring a combination of letters, numbers, and special characters). This means users now can be less “creative” and avoid passwords like “Password1$”, which only provide a false sense of security.
Mandatory validation of newly created passwords against a list of commonly-used, expected, or compromised passwords. Users will be prevented from setting passwords like “password”, “12345678”, etc. which hackers can easily guess.
So why haven’t we seen any coverage of the changes considering how much of a departure they are from previous advice — and considering every average user is going to be affected?
‘Soon every mistake you’ve ever made online will not only be available to your internet service provider (ISP) — it will be available to any corporation or foreign government who wants to see those mistakes.
Thanks to last week’s US Senate decision (update March 28: and today’s House decision), ISPs can sell your entire web browsing history to literally anyone without your permission. The only rules that prevented this are all being repealed, and won’t be reinstated any time soon (it would take an act of congress).
You might be wondering: who benefits from repealing these rules? Other than those four monopoly ISPs that control America’s “last mile” of internet cables and cell towers? … these politicians — who have received millions of dollars in campaign contributions from the ISPs for decades — have sold us out.
VPN company Private Internet Access paid $600,000 to run this full-page ad in Sunday’s New York Times — even though they would make a ton of money if these rules were repealed. That’s how this CRA is — even the VPN companies are campaigning against it.
…ISPs can now continue doing these things as much as they want…
Sell your browsing history to basically any corporation or government that wants to buy it
Hijack your searches and share them with third parties
Monitor all your traffic by injecting their own malware-filled ads into the websites you visit
Stuff undetectable, undeletable tracking cookies into all of your unencrypted traffic
Pre-install software on phones that will monitor all traffic — even HTTPS traffic — before it gets encrypted. AT&T, Sprint, and T-Mobile have already done this with some Android phones …
How VPNs can protect you
VPN stands for Virtual Private Network.
Virtual because you’re not creating a new physical connection with your destination — your data is just traveling through existing wires between you and your destination.
Private because it encrypts your activity before sending it, then decrypts it at the destination.
People have traditionally used VPNs as a way to get around websites that are blocked in their country (for example, Medium is blocked in Malaysia) or to watch movies that aren’t available in certain countries. But VPNs are extremely useful for privacy, too.
There are several types of VPN options, with varying degrees of convenience and security.
Most VPNs are services that cost money, but the following options are convenient and free to use, with some limited functionality:
Desktop VPN apps
Probably the most secure, trustworthy free VPN you can install (as of when this article was last updated) is ProtonVPN. It’s made by the folks who also make the most secure free email, ProtonMail(which we also highly recommend)
Opera VPN – While there are definitely better VPNs available, OperaVPN is one of the very few that offer free ulimited bandwitdh. See BestVPN’s Review
Opera is a popular web browser that comes with some excellent privacy features, like a free built-in VPN and a free ad blocker (and as you may know, ads can spy on you).
Opera’s free VPN service offers a choice of ‘virtual’ country locations to connect through.
I recommend setting the U.S. as your location for Americans, unless you’re quite familiar with the ins & outs of how VPNs work.
Also be advised that you will likely need to disable your VPN in order to use certain websites or apps.
If you just want a secure way to browse the web without ISPs being able to easily snoop on you and sell your data, Opera is a great start. Let’s install and configure it real quick. This takes less than 5 minutes.
Before you get started, note that this will only anonymize the things you do within the Opera browser. Also, I’m obligated to point out that even though Opera’s parent company is European, it was recently purchased by a consortium of Chinese tech companies, and there is a non-zero risk that it could be compromised by the Chinese government.
Having said that, here’s how to browse securely with Opera:
“FOR ALMOST FOUR years, a cottage industry of media conspiracists has devoted itself to accusing Edward Snowden of being a spy for either Russia and/or China at the time he took and then leaked documents from the National Security Agency. There has never been any evidence presented to substantiate this accusation…
…Newly obtained documents conclusively prove that the central tale invented by these Snowden-accusing commentators is a wholesale fabrication. These documents negate the edifice on which this entire fiction has been based from the start…”