steven36 posted a topic in General News

Late last year, the U.S. government accidentally revealed that a sealed complaint had been filed against Julian Assange, the founder of WikiLeaks. Shortly before this was made public, the FBI reconfirmed its investigation of WikiLeaks was ongoing, and the Wall Street Journal reported that the Department of Justice was optimistic that it would be able to extradite Assange. Soon after, portions of sealed transcripts leaked that implicate WikiLeaks and Assange in directing hackers to target governments and corporations. The charges against Assange have not been officially revealed, though it’s plausible that the offenses are related to Russian hacking and the DNC emails. The alleged offenses in the complaint notwithstanding, the government has an abundance of data to work with: over a dozen WikiLeaks’ computers, hard drives, and email accounts, including those of the organization’s current and former editors-in-chief, along with messages exchanged with alleged Russian hackers about DNC emails. Through a series of search warrants, subpoenas, equipment seizures, and cooperating witnesses, the federal government has collected internal WikiLeaks data covering the majority of the organization’s period of operations, from 2009 at least through 2017.

[Image: The filing that committed a copy and paste error revealing charges against Assange.]

In some instances, the seized data has been returned and allegedly destroyed, such as in the case of David House, a technologist and friend of Chelsea Manning when she famously became a source for WikiLeaks. In others, the seized materials include communications between WikiLeaks and their sources. Some of these discussions show WikiLeaks discussing their other sources and specific identifying details about them.

[Image: A copy of a chat log between Chelsea Manning and a WikiLeaks staff member IDed as Assange by government prosecutors and witnesses.]
Other seizures gave authorities a deeper view of the internal workings of WikiLeaks, including one of the earliest known seizures of WikiLeaks-related data, executed on December 14, 2010, when the messages and user information of several WikiLeaks-linked Twitter accounts were ordered. This search-and-seizure order included direct messages associated with WikiLeaks and its founder, former Army private first class and WikiLeaks source Chelsea Manning, WikiLeaks editor Rop Gonggrijp, former WikiLeaks associate Jacob Appelbaum, and former WikiLeaks associate and Icelandic MP Birgitta Jonsdottir, between November 1, 2009, and the order’s execution.

[Image: A court order for information relating to people associated with WikiLeaks.]

On January 4, 2011, a sealed order filed in the Eastern District of Virginia requested all emails, address book, subscriber information, and other account information associated with Appelbaum’s email address [email protected], and another order would target his internet traffic. Appelbaum was a friend and confidant of Assange as well as a WikiLeaks volunteer. In 2010, Appelbaum was known as “the American WikiLeaks hacker,” and he was, at that time, referred to as WikiLeaks’ only known American member. In a private chat in 2015, WikiLeaks described Appelbaum as being “sort of” part of the group, though following multiple accusations of sexual abuse, the group publicly distanced itself from him. The emails obtained by the government extended from November 2010 at least through January 2011. The timing of the government’s acknowledgment of the order, along with other similar orders, suggests that the monitoring of the account may have continued through late 2014, when it and several orders were made public.

[Image: A copy of a court order for information relating to Jacob Appelbaum, a hacker who worked with WikiLeaks (now credibly accused of multiple sexual assaults).]
Publicly released and leaked documents from Assange and his legal team allege that several laptops and hard drives belonging to the organization were intercepted by an intelligence agency during this time period. According to an affidavit from Assange, “three laptops ... assorted electronics [and] additional encrypted hard drives” were taken along with his suitcase in late September 2010. Assange’s legal team produced several additional affidavits and supporting documents detailing the existence and disappearance of the suitcase. The suitcase contained at least five hard drives, all of which were encrypted, according to Assange. However, the government has had eight years to guess or recover the passwords or break the encryption on the hard drives. Several other drives, numerous emails, and at least one cooperating witness may have aided in the process.

[Image: Affidavit from Julian Assange.]

In mid-2011, the FBI had developed a major source who would become at least their second informant with an eye into WikiLeaks’ operations. Soon after the arrest and cooperation of Hector Xavier Monsegur, a.k.a. Sabu, his hacking group (LulzSec) made contact with WikiLeaks. Sabu and LulzSec would become some of WikiLeaks’ most significant sources. The Syria files and Global Intelligence files LulzSec provided WikiLeaks increased their number of publications tenfold and still account for roughly half of their total number of publications. Communications between Sabu and WikiLeaks were monitored by the FBI. And some of the group’s communications with others were later seized in their arrest or turned over by Sigurdur Thordarson, a WikiLeaks volunteer who became an informant for the FBI that August.

[Image: A section from the sentencing document for “Sabu.” It was later ID’d by WikiLeaks as about them.]

In addition to briefing the FBI in a series of meetings, Thordarson reportedly provided them with thousands of pages of WikiLeaks chat logs. 
Further, in March 2012, Thordarson allegedly provided the FBI with eight WikiLeaks hard drives containing up to 1020GB of data, according to a purported FBI document. Officials have not confirmed the authenticity of the document, though the amount of data provided is corroborated by additional sources. In an interview with Ars Technica, Thordarson claimed that Icelandic authorities had seized an additional 2 TB of WikiLeaks-related data from him, which he assumed was then shared with the U.S. American and Icelandic authorities had previously cooperated on Thordarson’s case and portions of the WikiLeaks investigation. According to leaked letters from WikiLeaks’ legal team, at least some of the hard drives had belonged to Assange. Thordarson’s debriefings and the hard drives of up to 3 TB of data may have contained the decryption keys or passwords needed to decrypt the hard drives Assange alleged had been seized earlier.

[Image: A receipt given to Sigurdur Thordarson from the FBI for WikiLeaks hard drives.]

There are several hints as to the contents of these drives. According to the affidavit from Assange, the information on the hard drives included, in addition to the possible staff emails, “chat communications ... copies of passports [and] video footage taken in secret.” Following an Associated Press article based off of a cache of “WikiLeaks emails, chat logs, financial records, secretly recorded footage and other documents” from within the organization, WikiLeaks alleged that the cache was the same that had been provided to the FBI. In October 2011, amidst Thordarson and Sabu’s tenure as cooperating witnesses, American authorities issued a search warrant for the contents of WikiLeaks volunteer Herbert Snorrason’s Gmail account. The warrant requested all of the account’s information, “including stored or preserved copies of e-mails sent to and from the account, draft e-mails, deleted e-mails, emails preserved pursuant to a request made under 18 U.S.C. 
§ 2703(f), the source and destination addresses associated with each e-mail, the date and time at which each e-mail was sent, and the size and length of each e-mail.” The volunteer had helped WikiLeaks with a minor technical issue. After learning that his account’s contents had been seized by the U.S. government, Snorrason told Mother Jones that he thought “pretty much everyone with both a Google account and a WikiLeaks connection will be getting one of those notices eventually.” Snorrason was correct in that other WikiLeaks-associated Google accounts had their information seized by the government. Six months after the order for Snorrason’s emails was issued, a trio of search orders were issued for the email accounts of senior WikiLeaks personnel. On April 5, 2012, sealed warrants were executed for the Google accounts of WikiLeaks editors Sarah Harrison and Joseph Farrell, as well as then-spokesman and future editor-in-chief Kristinn Hrafnsson on suspicion of espionage and violating the Computer Fraud and Abuse Act, as well as conspiracy and theft of government property. The warrants appear to have covered the entirety of the accounts and were disclosed by Google at the close of 2014.

[Image: A court order for information relating to Kristinn Hrafnsson, current editor in chief of WikiLeaks, on suspicion of charges including but not limited to espionage.]

In late October 2017, a new government request was issued for portions of WikiLeaks’ communications. A letter from Sen. Dianne Feinstein requested that Twitter provide copies of all direct messages that were over 180 days to or from the accounts belonging to WikiLeaks, the WikiLeaks Task Force, “Guccifer 2.0,” Assange, and Margaret Ratner Kunstler. As written, the request would include some of my communications with WikiLeaks and “Guccifer 2.0.” Ultimately, at least some messages between WikiLeaks and the “Guccifer 2.0” were obtained by the U.S. 
government, although the method of communication for those messages remains unconfirmed. According to what’s informally known as “the GRU indictment,” WikiLeaks sent Guccifer 2.0 a message on June 22, 2016. The message instructed Guccifer 2.0, a persona the U.S. government believes was used by Russian operatives, to send new material to them so it would “have a much higher impact.” On approximately July 6, the organization sent another message encouraging Guccifer 2.0 to send “anything [H]illary related” in time for the Democratic National Convention, which WikiLeaks thought Clinton would use to solidify support. The quoted portion of the exchange ends with WikiLeaks saying they thought conflict between Sen. Bernie Sanders and Clinton would be “interesting.” These exchanges, about maximizing impact and damage, are relevant to one of the theories of Assange’s potential prosecution outlined by noted national security journalist Marcy Wheeler. An excerpt from a Mueller indictment. If the charges against Assange are related to Russian hacking and the Democratic National Committee email leak, this exchange could be one of the most likely pieces of evidence to be directly relevant to the initial charges against him. 
However, the entirety of the government’s evidence, including materials seized from alleged Vault 7 leaker Joshua Schulte and the alleged recordings of him transferring additional files to WikiLeaks regarding the organization, may be used to help make the case. Past statements and communications may be used to help establish a modus operandi, a pattern or an intent. As noted by the AP, some of the materials may point to the early beginnings of Assange’s reported relationship with Russia. Leaked copies of sealed files, statements by people familiar with the grand juries, and documents released through FOIA by independent journalist Alexa O’Brien—who also identified a number of sealed search orders—all indicate that the investigations converged and pooled evidence at times. The government’s information could be further augmented by recent surveillance of Assange in the Ecuadorian Embassy, where he has lived under asylum since 2012, the fruits of which may have reportedly been shared with the United States. Regardless of what the charges against Assange are, the government has terabytes of data with which to try to make its case, data that’s come from WikiLeaks supporters, sources, key personnel, and Assange himself. The full depth of the government’s sources, however, has yet to be revealed.

Emma Best is a national security reporter and transparency activist. She has published millions of pages of government documents and is a member of the leak collective Distributed Denial of Secrets (DDoSecrets).

steven36 posted a topic in Security & Privacy News

The government’s long-awaited proposal for addressing cross-border data requests, in the form of draft legislation, is finally here. The government also provided a section-by-section analysis and a description of a U.S.-U.K. agreement that would be the first specific application of the legislation if it is enacted. The government’s cover letter explains that it is going forward with the proposal despite yesterday’s decision in the Microsoft case in the Second Circuit (discussed by Andrew Woods here), but lays down a pretty clear marker that it will be addressing that decision soon. From a very quick read, the new legislation removes U.S. legal barriers to direct access to U.S. communications providers by foreign governments that have entered into executive agreements with the U.S., where the agreements meet certain requirements that the U.S. Attorney General must certify to Congress. The law applies only to non-U.S. person targets reasonably believed to be located abroad; can be used only in support of criminal investigations (in other words, not for affirmative foreign intelligence, but including for the prevention of crime); reaches both contents and metadata; covers real-time interception as well as access to stored data; and forbids bulk collection. It does not address encryption one way or the other. The draft legislation also has an anti-cat’s paw provision, under which the U.S. government cannot misuse a foreign government to obtain information it would not otherwise be able to obtain. It does allow the U.S. government to block access—i.e., to veto direct access—in any given case where it concludes that the foreign government’s request is outside the scope of the executive agreement. Both the access and veto rights apply reciprocally, meaning that (subject to veto rights) the foreign government must remove barriers blocking U.S. access to data held by its providers. 
And providers remain free to challenge the requesting government’s orders, on a case-by-case basis, under that government’s own law (i.e., the new legislation merely removes barriers to access by foreign governments, it does not itself affirmatively compel production to foreign governments).

For those who aren’t familiar, the problem of cross-border data requests arises when one government’s laws compel the production of information while another government’s laws simultaneously forbid that same production. For example, the UK has been terribly frustrated by its inability to compel American communications providers, like Microsoft, to provide email that resides on servers in the United States but is from the account of a suspected terrorist located in Britain and planning attacks there. UK law can be used to compel such production, but current U.S. law forbids it. Another example involves Brazil, where Microsoft has been fined millions of dollars, and its employees threatened with criminal prosecution, for following a U.S. law that makes it a crime to obey a Brazilian court order demanding information about a suspected criminal in Brazil. Microsoft’s Chief Legal Officer, Brad Smith, testified in Congress in February, asking the House Judiciary Committee to “[i]magine the kind of meeting that I have had to have with a Brazilian employee [of Microsoft] who is being prosecuted [for refusing to comply with Brazilian law]. And imagine trying to talk about the fact that we cannot, in fact, take the steps that would bring the prosecution to an end in Brazil, because it would require that we commit a felony in the United States.” This problem is not unprecedented, but it is getting much worse. In the 1980s, our courts heard a few cases in which foreign banks, with branches here, resisted subpoenas for records on the ground that the records were protected by foreign bank secrecy laws. Today, however, the conflicts are growing in both frequency and intensity. As the U.S. 
has become increasingly anti-surveillance in the aftermath of Edward Snowden’s leaks, Europe has moved in the other direction, expanding surveillance laws in response to the rise of the Islamic State. At the same time, encryption has made European governments more dependent on companies for access to readable data, such as email. The result has been a very significant increase in foreign demands for American companies to produce information. As the government’s explanation says, “[t]he current situation is unsustainable.” Today’s draft legislation is an attempt to address those concerns. There have been many Lawfare posts and other papers written on this topic (including one by me), and Congress has held hearings. The issue has been pretty thoroughly explored by academics, industry, and the U.S. and foreign governments. The draft legislation represents progress and should be applauded because it allows for a more focused debate on the particulars of a proposed solution. Below, I provide a very quick summary and some initial thoughts. The heart of the proposed legislation is section 4, which allows for executive agreements between the U.S. and foreign governments. Where a satisfactory agreement is in place, the barriers to access in the Wiretap Act, Stored Communications Act, and criminal Pen Register statute are removed (by section 3). For an executive agreement to satisfy the statutory requirements, the Attorney General, with the concurrence of the Secretary of State, must determine and certify to Congress several elements concerning the foreign government, the nature of the agreement, the types of foreign orders or directives affected by the agreement, and the foreign government’s treatment of the information it obtains. None of these determinations is subject to judicial review (or any other review, it appears), but the certifications are due to appropriate committees of Congress 60 days before taking effect, and must be published in the Federal Register. 
Experts will recognize many of the requirements in extant U.S. or international law. Indeed, although the proposed legislation was surely coordinated with the British government, one can imagine Brexit supporters—and others in the UK—objecting to it as a new form of legal imperialism. Here are the main requirements as I understand them based on an initial review: The Attorney General’s certification to Congress must be based on a determination that the foreign government “affords robust substantive and procedural protections for privacy and civil liberties” in both its law and the implementation of its law (and this determination must be renewed every five years). This determination may depend in part on whether the foreign government has acceded to the Budapest Convention on Cybercrime (or has equivalent domestic-law analogues), and “adheres to applicable international human rights obligations” including “prohibitions on arbitrary arrest and detention [and] prohibitions against torture and cruel, inhuman, or degrading treatment or punishment.” The foreign government must have adopted “procedures to minimize the acquisition, retention and dissemination of information concerning United States persons subject to the agreement.” This minimization requirement comes directly from FISA, 50 U.S.C. 1801(h), which similarly refers to minimization at the three stages of “acquisition, retention and dissemination.” Some U.S. minimization procedures are public, and it is easy to imagine foreign governments using those as a model for their own. The agreement must forbid the foreign government from intentionally targeting a U.S. person or a person located in the U.S., forbid reverse targeting, and forbid acting as a cat’s paw for the U.S. or another government. These targeting requirements come directly from the FISA Amendments Act (FAA), 50 U.S.C. 1881a, and the cat’s paw provision has an analogue in Section 2.12 of Executive Order 12333 and its subordinate procedures. 
The proposed legislation requires targeting procedures, just as the FAA requires them. The foreign orders authorized by the agreement must meet several specific requirements. First, they must pertain to the “prevention, detection, investigation, or prosecution of serious crime, including terrorism.” This means that affirmative foreign intelligence gathering is out of bounds. Conceptually, the idea here seems similar to the split in FISA’s two definitions of “foreign intelligence information,” 50 U.S.C. 1801(e)(1)-(2). Note, however, that counter-intelligence, expressly including counter-terrorism but also probably including counter-espionage, is included, because the language refers not only to “investigation” and “prosecution,” but also to “prevention” and “detection” of crime. With the FISA Wall down, this is a familiar idea in U.S. law. Second, the foreign orders must use a “specific” identifier such as a name or account as the “object of the order.” This comes from the USA Freedom Act’s amendments to FISA, designed to prevent bulk collection, 50 U.S.C. 1841, 1861. However, there is no authority for multiple-hop collection, as there is in the Freedom Act. Third, the orders must be “based on requirements for a reasonable justification based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation,” and must be subject to “review or oversight” by a judge or other “independent authority.” These elements seem to be derived in part from several U.S. constitutional requirements—e.g., those governing a stop and frisk (Terry v. Ohio, 392 U.S. 1 (1967)), the definition of probable cause (Illinois v. Gates, 462 U.S. 213 (1983)), the requirements for a search warrant (including particularity and a neutral and detached magistrate, see Maryland v. Garrison, 480 U.S. 79 (1987)), and a proportionality requirement. 
Of course, the requirements are not exactly the same as those the Fourth Amendment would compel—for example, the reference to “review or oversight” by a judge or other “independent authority” would seem to permit after-the-fact review by a Parliamentary body rather than advance review of orders by a judge. Fourth, the orders must be of fixed and limited duration and issued only when necessary if concerning live interception; and they may not be used to infringe freedom of speech. These requirements have analogues in the Wiretap Act and FISA, 18 U.S.C. 2518(3)(c), 50 U.S.C. 1804(a)(6)(E)(ii), 1805(a)(2)(A). The foreign government must promptly review and properly store the information collected, must “segregate, seal or delete” (and not disseminate) the non-pertinent information, may disseminate a U.S. person’s communications to U.S. authorities only in certain circumstances, must provide reciprocal access rights to the U.S. government with respect to data held by foreign providers, must submit to periodic auditing of its compliance with the agreement by the U.S. (in support of a requirement that the U.S. review its certification every five years), and is subject to a veto on direct access by the U.S. government in any particular case. Some of these requirements likewise find their roots in FISA’s minimization procedures. From what I can determine, based on an initial read, the government has produced a very credible document that seems designed to solve a serious problem without indulging in opportunistic overreach. There are lots of points in the proposal that are worthy of debate, however, and it will no doubt provoke serious debate. Three issues, in particular, strike me as likely candidates for attention. First, the proposed legislation allows wiretapping of live communications, not merely access to stored data. In this respect, it is broader than the current system of Mutual Legal Assistance Treaties (MLATs). 
Some observers will feel intuitively that foreign-government wiretaps (albeit actually conducted by U.S. providers, likely in much the same way that they conduct wiretaps for the U.S. government) are more invasive than collection of stored data. On the other hand, a 90-day wiretap is likely to collect much less information than a sweep of someone’s email inbox and outbox, which could have years of communications in it. In other words, there may be an intuitive concern about live interception, but it’s not inescapable that live wiretaps for limited periods are actually more invasive of privacy interests than collection of stored data, especially in the modern world of texting and other short-form communications that function more like an oral chat call but can still result in digital footprints of content. But I expect it to be an area of focused discussion. Second, the proposed legislation does not address encryption. This will likely disappoint observers on both sides of the issue, but in my view it’s the only way the bill could pass in the short run. Encryption is a big challenge, and my sense is that we’re not yet in a position, as a country, to resolve it. Nonetheless, pressure may come to compel decryption (provision of plaintext) in this bill. Jim Comey and the FBI, among others, have made no secret of the fact that they would like the issue resolved (acknowledging that there are pros and cons to the issue). Senators Burr and Feinstein have a bill, but it has not progressed much. There may be some desire, by pro-surveillance/anti-encryption advocates, to tackle the issue in this bill. Pressure on encryption may come from the other direction as well. By removing U.S. legal barriers to access, this legislation will allow encryption issues to be resolved under UK law (or other foreign law), rather than U.S. law, with respect to U.S. providers. 
Knowing this, and fearing that the UK may be less supportive of encryption legally or politically, some will likely argue that encryption needs to be addressed in order to limit foreign authority to insist on decryption. One way that position might be expressed would be as a requirement that foreign governments only be allowed to obtain what the U.S. itself could obtain under U.S. law. But this may be even more unpalatable to British people who believe they are allowed to have their own laws in their own country, and risks making the U.S. appear to be even more of a legal imperialist. It also won’t fool anyone for long, and so will risk opening up an explicit encryption debate, which will mean this bill does not pass in the short run. Third and finally, there are the anti-cat’s paw provisions. These provisions appear to be very carefully drafted, which makes me think the government gave them a lot of attention, which in turn makes me think they may get a lot of attention in the public debates. The first requirement is that the “foreign government may not issue an order at the request of or to obtain information to provide to the United States government or any third-party government,” and cannot be “required to share any information produced with the United States government or a third-party government.” Section 4(a)(3)(iii). The second is that the foreign government “may not disseminate the content of a communication of a U.S. person to U.S. authorities unless it is relevant to the “prevention, detection, investigation, or prosecution of serious crime, including terrorism, or necessary to protect against a threat of death or serious bodily harm to any person,” and also “relates to significant harm, or the threat thereof, to the United States or U.S. 
persons, including but not limited to crimes involving national security such as terrorism, significant violent crime, child exploitation, transnational organized crime, or significant financial fraud.” Section 4(a)(3)(xii)-(xiii). As a practical matter, these provisions should permit sufficient two-way information sharing. The U.S. government apparently cannot “request” the UK to issue an order—or, perhaps more precisely, if the U.S. does ask, the British must issue the order for their own reasons, not merely to provide the information to the U.S. But it can share information about someone whom the British may decide for their own reasons to target—e.g., where the U.S. has information about a person in Washington discussing terrorism with a person in London, it can tell the British about the person in London. Looking at it from the other direction, if the British collect information under their laws (with U.S. barriers removed by the new legislation), they cannot be “required” to share information with the U.S. But if the British find someone in London talking terrorism with someone in Washington who is unknown to U.S. authorities, they may inform the FBI and pass the contents of the communications. That is because such information would be relevant to preventing serious crime and would relate to significant harm. I can imagine some challenges at the margins of the rules governing what the foreign government may pass back to the U.S., but in general the idea of two-way information sharing seems likely to prevail. It’s increasingly important in an increasingly connected world, and I would expect the U.S. government to fight hard for this. Regardless of how these or other issues are resolved, this draft bill represents progress because it will allow debate to proceed based on something specific. In fact, based on my own experience, I am pretty sure this draft legislation required a massive effort, within the Department of Justice, in the U.S. 
inter-agency community, with the private sector, and internationally with the British and perhaps others. Its shepherds deserve a lot of credit for giving us a very good step forward. Source https://www.lawfareblog.com/us-government-presents-draft-legislation-cross-border-data-requests