The US authorities are set to add questions to immigration arrivals forms asking for IDs used on social media such as Facebook and Twitter. Reports suggest that it is supposedly voluntary to provide such information, but it wouldn't be difficult to drop
a few hints that those not providing such info may not be granted entry, making it more or less mandatory.
A Notice by the U.S. Customs and Border Protection (CBP) on 06/23/2016 detailed the new question:
Forms I-94 (Arrival/Departure Record) and I-94W (Nonimmigrant Visa Waiver Arrival/Departure Record) are used to document a traveler's admission into the United States. These forms are filled out by aliens and are used to collect information on
citizenship, residency, passport, and contact information. The data elements collected on these forms enable the Department of Homeland Security (DHS) to perform its mission related to the screening of alien visitors for potential risks to national
security and the determination of admissibility to the United States.
DHS proposes to add the following question to ESTA and to Form I-94W:
Please enter information associated with your online presence -- Provider/Platform -- Social media identifier.
It will be an optional data field to request social media identifiers to be used for vetting purposes, as well as applicant contact information. Collecting social media data will enhance the existing investigative
process and provide DHS greater clarity and visibility to possible nefarious activity and connections by providing an additional tool set which analysts and investigators may use to better analyze and investigate the case.
The latest surveillance battle gripping the technology industry is focused on a rewrite of US surveillance law that would mean the justice department would be able to access a citizen's web browsing history, location data and some email records without
approval from a judge, using so-called national security letters (NSLs).
The FBI contends that such data is covered implicitly under current statute, which was written years ago and only explicitly covers data normally associated with
Director James Comey now is lobbying Congress to extend the current definition to include internet data.
Technology companies including Google, Facebook and Yahoo have sent a letter warning Congress that they would oppose
any efforts to rewrite law in the FBI's favor.
This expansion of the NSL statute has been characterized by some government officials as merely fixing a 'typo' in the law, the companies wrote:
however, it would dramatically expand the ability of the FBI to get sensitive information about users' online activities without court oversight.
A sly attempt to grant the FBI warrantless access to people's browser histories in the US has been shot down by politicians.
Unfortunately, the Electronic Communications Privacy Act (ECPA) Amendments Act of 2015, which would have brought in some
privacy safeguards for Americans, was cut down in the crossfire.
The bill was halted because of an amendment tacked on by Senator John Cornyn on Tuesday that would allow the FBI to obtain someone's internet browsing history and the metadata of all
their internet use without a warrant. If Cornyn's amendment was passed, the Feds would simply have to issue a National Security Letter (NSL) to get the information.
The bill's sponsors, Senators Patrick Leahy and Mike Lee, told a session of the
Senate Committee on the Judiciary that Cornyn's amendment had wrecked years of careful bipartisan negotiations and would seriously harm US citizens' privacy. As such, they weren't prepared to let the bill go forward.
The US Senate has struck down an amendment that would have allowed the FBI to track internet histories and communications without judicial oversight, but a re-vote could be called under Senate rules.
The amendment to the Commerce, Justice,
Science, and Related Agencies Appropriations Act would have given the FBI the right to use National Security Letters (NSLs), which compel communications companies to hand over a customer's transactional records, including their browsing history,
time spent online, and email metadata, but not the content of messages.
In addition, it would have made permanent a provision in the Patriot Act that would allow the same powers for those deemed to be individual terrorists to be treated as
agents of foreign powers, a measure aimed at tracking so-called lone wolf operators.
It was introduced on Monday by Senators John McCain and Richard Burr. Senator John Cornyn has named the issue the FBI's top legislative priority and has
tabled a further amendment to allow similar powers to law enforcement.
East Lothian Council has adopted the policy of using fake Facebook profiles, enabling council employees to spy on law-abiding residents.
A new policy has enabled investigating officers at East Lothian Council to use false Facebook identities to
befriend targets and scour social media pages not protected by privacy settings.
The nine-page surveillance through social media policy agreed by officials has been branded beyond creepy by critics who have questioned whether
it infringes privacy rights.
Human rights lawyers and civil liberties groups have blasted the move, describing it as a sign that powers normally only used by police were spreading into other areas.
Daniel Nesbitt, research director of Big
Brother Watch, said the council needs to say why these tactics are necessary, why they think they are proportionate and what safeguards will be in place. He added:
For years now councils have been criticised for
using heavy-handed snooping tactics, and a nine-page document simply isn't good enough.
Jason Rose, who stood for the Greens in the East Lothian constituency in last year's Westminster elections, said the policy was beyond creepy:
I cannot believe our councillors have agreed this policy. It speaks volumes that a council which is so poor at communicating with the public and does not make its meetings available to view online agrees a covert
surveillance policy in such a secretive way.
Estonian commissioner Andrus Ansip has re-introduced one of his favourite suggestions: using national ID cards to log in to online services: Online platforms need to accept credentials issued or recognised by national public authorities, such as
electronic ID cards, citizen cards, bank cards or mobile IDs.
He claims that this is nothing to do with making mass surveillance easier; it's apparently just to help users with their password management.
Estonia introduced online ID in
2012 and it is claimed that subjects are happy with it too.
The EFF is a campaign group supporting people's rights in the digital world. The group writes:
The US government hacking into phones and seizing computers remotely? It's not the plot of a dystopian blockbuster summer movie. It's a
proposal from an obscure committee that proposes changes to court procedures--and if we do nothing, it will go into effect in December.
The proposal comes from the advisory committee on criminal rules for the Judicial Conference
of the United States. The amendment would update Rule 41 of the Federal Rules of Criminal Procedure, creating a sweeping expansion of law
enforcement's ability to engage in hacking and surveillance. The Supreme Court just passed the proposal to Congress, which has until December 1 to disavow the change or it becomes the rule governing every federal court across the country. This is part of
a statutory process through which federal courts may create new procedural rules, after giving public notice and allowing time for comment, under a "rules enabling act."
The Federal Rules of Criminal Procedure set the
ground rules for federal criminal prosecutions. The rules cover everything from correcting clerical errors in a judgment to which holidays a court will be closed on -- all the day-to-day procedural details that come with running a judicial system.
The key word here is "procedural." By law, the rules and proposals are supposed to be procedural and must not change substantive rights. But the amendment to Rule 41 isn't procedural at all. It creates new avenues for
government hacking that were never approved by Congress.
The proposal would grant a judge the ability to issue a warrant to remotely access, search, seize, or copy data when the district where the media or information is
located has been concealed through technological means or when the media are on protected computers that have been damaged without authorization and are located in five or more districts. It would grant this authority to any judge in any
district where activities related to the crime may have occurred.
To understand all the implications of this rule change, let's break this into two segments.
The first part of this change would grant
authority to practically any judge to issue a search warrant to remotely access, seize, or copy data relevant to a crime when a computer was using privacy-protective tools to safeguard one's location. Many different commonly used tools might fall into
this category. For example, people who use Tor, folks running a Tor node, or people using a VPN would certainly be implicated. It might also extend to people who deny access to location data for smartphone apps because they don't feel like sharing their
location with ad networks. It could even include individuals who change the country setting in an online service, like folks who change the country settings of their Twitter profile in order to read uncensored Tweets.
countless reasons people may want to use technology to shield their privacy. From journalists communicating with sources to victims of domestic violence seeking information on legal services, people worldwide depend on privacy tools for both safety and
security. Millions of people who have nothing in particular to hide may also choose to use privacy tools just because they're concerned about government surveillance of the Internet, or because they don't like leaving a data trail around haphazardly.
If this rule change is not stopped, anyone who is using any technological means to safeguard their location privacy could find themselves suddenly in the jurisdiction of a prosecutor-friendly or technically-naïve judge, anywhere in
The second part of the proposal is just as concerning. It would grant authorization to a judge to issue a search warrant for hacking, seizing, or otherwise infiltrating computers that may be part of a botnet. This
means victims of malware could find themselves doubly infiltrated: their computers infected with malware and used to contribute to a botnet, and then government agents given free rein to remotely access their computers as part of the investigation. Even
with the best of intentions, a government agent could well cause as much or even more harm to a computer through remote access than the malware that originally infected the computer. Malicious actors may even be able to hijack the malware the government
uses to infiltrate botnets, because the government often doesn't design its malware securely. Government access to the computers of botnet victims also raises serious privacy concerns, as a wide range of sensitive, unrelated personal data could well be
accessed during the investigation. This is a dangerous expansion of powers, and not something to be granted without any public debate on the topic.
Make no mistake: the Rule 41 proposal implicates people well beyond U.S. borders.
This update expands the jurisdiction of judges to cover any computer user in the world who is using technology to protect their location privacy or is unwittingly part of a botnet. People both inside and outside of the United States should be equally
concerned about this proposal.
The change to Rule 41 isn't merely a procedural update. It significantly expands the hacking capabilities of the United States government without any discussion or public debate by elected officials.
If members of the intelligence community believe these tools are necessary to advancing their investigations, then this is not the path forward. Only elected members of Congress should be writing laws, and they should be doing so in a matter that
considers the privacy, security, and civil liberties of people impacted.
Rule 41 seeks to sidestep the legislative process while making sweeping sacrifices in our security. Congress should reject the proposal completely.
The Haystack is a new documentary, released today by Scenes of Reason, bringing together leading lights for and against the UK's Investigatory Powers Bill. This unprecedented piece of legislation, which is now under parliamentary scrutiny, seeks to
affirm and expand the surveillance remit of UK security services and other departments, including new powers for the police to access internet connection records -- a database of the public's online activity over the previous 12 months.
The film provides an excellent roundup of arguments on both sides of the tortuous surveillance debate, including Conservative MP Johnny Mercer echoing the well-worn refrain, if you have nothing to hide, you have nothing to fear. Jim
Killock of the Open Rights Group, speaking at the film's launch, quipped that Mr Mercer might feel a bit different if it were the left-wing government of Jeremy Corbyn and
John McDonnell wielding these powers. Indeed, as far-right parties attract support around Europe and the world, the likelihood increases of tremendous state surveillance becoming the plaything of ever more abusive regimes.
immense capabilities contained within the bill are unpalatable in the hands of any authority -- they are all too easily harnessed to undermine perfectly reasonable political opposition and judicial work. By way of example, the film outlines one such case
where the current UK government improperly gained access to privileged details of a court case against it. In this light, the bill seems an intolerable threat to democracy and free expression.
Voices of concern from the security
community, such as Sir David Omand, ex-GCHQ chief, explain that precautions against terrorism require more spying. Others reject this, noting that security services have failed to act on intelligence when they do have it -- spending enormous sums on
digital surveillance only reduces their efficacy in the realm of traditional detective work. Moreover, those costs, to be borne by government and industry, are excessive at a time of cuts to other public services designed to protect us from more
conventional enemies, such as disease.
The legality of Britain's surveillance laws used for the mass snooping of communications comes under the intense scrutiny of 15 European judges on Tuesday in a politically sensitive test case that could limit powers to gather online data.
outcome of the hearing at the European court of justice (ECJ) in Luxembourg is likely to influence the final shape of the government's investigatory powers bill and will test judicial relationships within the EU.
Around a dozen EU states including
the UK have intervened in the challenge against the government's Data Retention and Investigatory Powers Act 2014 (Dripa) that was originally brought by two MPs, the Conservative David Davis and Labour's deputy leader, Tom Watson.
case is being heard in conjunction with a Swedish case based on similar principles.
A draft copy of a US law to criminalize strong encryption has been leaked online. And the internet is losing its shit.
The proposed legislation hasn't been formally published yet: the document is still being hammered out by the Senate intelligence
select committee. The proposal reads:
The underlying goal is simple, when there's a court order to render technical assistance to law enforcement or provide decrypted information, that court order is carried out. No
individual or company is above the law. We're still in the process of soliciting input from stakeholders and hope to have final language ready soon.
The draft legislation, first leaked to Washington DC insider blog The Hill, is named
the Compliance with Court Orders Act of 2016, and would require anyone who makes or programs a communications product in the US to provide law enforcement with any data they request in an intelligible format, when presented with a court
The bill stems from Apple's refusal to help the FBI break into the San Bernardino shooter's iPhone, but goes well beyond that case. The bill would require companies to either build a backdoor into their encryption systems or use an
encryption method that can be broken by a third party.
One example of the tech community response came from computer forensics expert Jonathan Zdziarski, who said:
The absurdity of this bill is beyond words. Due to
the technical ineptitude of its authors, combined with a hunger for unconstitutional governmental powers, the end result is a very dangerous document that will weaken the security of America's technology infrastructure.
At least two other
countries--Pakistan and Turkey--already have versions of such laws on the books. The Pakistan Telecommunications Authority has previously instructed the country's internet service providers to ban encrypted communication, though it's largely VPN use,
which can be used to circumvent location-based internet censorship, that has been actively restricted there, and WhatsApp is still popular. Turkey takes the anti-encryption law on its books more seriously, and used it to initially charge Vice journalists
arrested in southeastern Turkey in September 2015.
Meanwhile, France's National Assembly passed a bill in May to update its Penal Code to fine companies that don't find a way to undo their own encryption when served with a warrant in a terrorism
investigation. The French Senate version of this bill excludes this provision, and seven members from each house will now begin a compromise.
Thanks to the attention
brought to the importance of encryption via Apple vs FBI from Fight for the Future and other strong voices, Compliance with Court Orders Act of 2016 - one of the worst national security bills ever drafted - is stalled.
The Hungarian ruling party wants to ban all working crypto. The parliamentary vice-president from Fidesz has asked parliament to:
Ban communication devices that [law enforcement agencies] are not able to surveil despite
having the legal authority to do so.
Since any working cryptographic system is one that has no known vulnerabilities, whose key length is sufficient to make brute force guessing impractical within the lifespan of the universe, this
amounts to a ban on all file-level encryption and end-to-end communications encryption, as well as most kinds of transport encryption (for example, if your browser makes a SSL connection to a server that the Hungarian government can't subpoena, it would
have no means of surveilling your communication).
Messaging app WhatsApp has announced that it has added encryption for all voice calls and file transfers for all users.
It renders messages generally unreadable if they are intercepted, for example by criminals or law enforcement. No doubt if the
security services throw all their computing might at a message then they may be able to decrypt it by brute force.
The Facebook-owned company said protecting private communication of its one billion users worldwide was one of its core beliefs.
WhatsApp said:
The idea is simple: when you send a message, the only person who can read it is the person or group chat that you send that message to. No one can see inside that message. Not cybercriminals. Not
hackers. Not oppressive regimes. Not even us.
Users with the latest version of the app were notified about the change when sending messages on Tuesday. The setting is enabled by default.
Users should be aware that snoopers can
still see a whole host of non-content data about the communication, such as who was using the app, who was being called, and for how long.
Amnesty International called the move a huge victory for free speech:
WhatsApp's roll out of the Signal Protocol, providing end to end encryption for its one billion users worldwide, is a major boost for people's ability to express themselves and communicate without fear.
a huge victory for privacy and free speech, especially for activists and journalists who depend on strong and trustworthy communications to carry out their work without putting their lives at greater risk.