Tag: Privacy

Big Brother: Streetlights That Watch and Listen

They look like ordinary streetlights, shining down on Las Vegas sidewalks after the sun has set. But Sin City’s new streetlights have a few special capabilities that have civil libertarians up in arms.

The city is installing Intellistreets, a brand of street lighting that is capable of recording video and audio of pedestrians and motorists. What happens in Vegas, it seems, no longer stays in Vegas.

“We want to develop more than just the street lighting component. We want to develop an experience for the people who come downtown,” Neil Rohleder of the Public Works Department told NBC News affiliate KSNV. The lamps are equipped with large video monitors that display ads or other messages, and speakers that broadcast music or voice messages.

But people like civil liberties advocate Daphne Lee have concerns that Big Brother is watching — and recording. “This technology is taking us to a place where you’ll essentially be monitored from the moment you leave your home until the moment you get home,” Lee told KSNV.

Although Illuminating Concepts, the Farmington Hills, Mich.-based company that developed Intellistreets, does make streetlights with video and audio recording capabilities, those features will not be present on the lamps in Las Vegas, according to city officials.

“Right now, our intention is not to have any cameras or recording devices … it’s just to provide output out there, not to get any feed or video feed coming back,” Las Vegas public works director Jorge Cervantes told KSNV.

Techno-shaming?

Similar streetlights have been installed in a handful of European cities. In Middlesbrough, England, lamps equipped with a full suite of monitoring equipment were installed in 2006. When monitoring operators saw a cyclist riding his bicycle through a crowded pedestrian area, they broadcast a message over the loudspeaker: “Would the young man on the bike please get off and walk, as he is riding in a pedestrian area?”

The admonished young man shamefacedly dismounted and walked his bicycle as instructed, according to the Daily Mail. Among people disturbed by anti-social behavior — biking on sidewalks, littering, fist fighting — the smart streetlights are a big hit. “Put it this way: We never have requests to remove them,” manager Jack Bonner told the Mail.

Intellistreets lamps operate over a Wi-Fi network that’s linked to a central server; each lamp can be individually controlled. The LED lights, remote dimming controls and other energy-saving features of the streetlamps can cut electricity use by 70 percent, according to the manufacturer. They can also be equipped with pollution monitors, emergency call buttons and optical recognition software.

Emergency information

And in the event of an emergency, Intellistreets can provide useful information, such as Amber Alerts, threats including natural disasters or chemical spills, real-time evacuation procedures and other security concerns through visual monitors and audio messages.

In addition to Las Vegas, Intellistreets have been installed at the Mercedes-Benz Superdome in New Orleans, Sony Pictures in Culver City, Calif., and the Navy Pier in Chicago.

Illuminating Concepts founder Ron Harwood told CBS Detroit that the Intellistreets system was “born in the parks of Disney and Universal,” where “imagineers” (engineers working in design and development) needed an integrated network that could guide large crowds while also giving them information in an emergency.

Nonetheless, in an era where security watchdogs at the National Security Agency are spying on everyone from heads of state to their girlfriends, some are raising concerns that a streetlight that can watch and listen to your conversations is more than a little unsettling.

“At what point do we say, ‘this is the land of the free,’” Lee told KSNV. “People have a right to a reasonable amount of privacy.”

Original article on LiveScience.

View Source

It’s an unfortunate truth of the cell phone era that sometimes, employees will abuse their access to these devices. Whether their employer owns the device, or allows “bring your own device” (BYOD) to work, the convenience and ubiquity to an individual’s day-to-day means that sometimes, devices will be used inappropriately.

In the law enforcement arena, several very recent news stories highlight this truth:

Chicopee (Massachusetts) police officers were investigated after leaking crime-scene images of murder victim Amanda Plasse. The photos were taken with officers’ personal mobile devices and shared with people outside the Chicopee Police Department.
In Denver (Colorado), an officer was given a desk assignment after allegedly using his department-issued mobile device to sexually harass a woman.
Connell (Washington)’s chief of police is under investigation for allegedly watching pornography on a city-issued cellphone.
A Roseville (California) police officer used his cell phone to stalk and harass a woman.

How can you protect yourself and your agency in the event of these types of allegations?

Establish proactive and reactive policies

Whether you issue devices or allow BYOD, have policies that establish acceptable use. In either case, personal communications should not interfere with official duties. Require employees to password-protect their devices, and possibly even encrypt potentially sensitive data, such as text messages between officers and witnesses.

Clearly lay out what behavior will not be tolerated. This can be as obvious as pornography viewing on duty (or even off duty on a government-issued device), or as “gray” as limiting personal communications only to family emergencies.

In Connell as well as in many other communities, employees can use their city-issued phones for some personal use as long as it doesn’t add to maintenance costs, and/or if they agree to pick up the tab for additional accrued costs. However, employees also have a limited expectation of privacy in the use of employer-issued devices, as the US Supreme Court ruled in City of Ontario v. Quon in 2010.

BYOD policies are a little different. These should stipulate:

What devices are permitted. As government employees, everyone in your agency may need to adhere to any policy already in place for your city, county or state. Devices that are allowed can affect any support issues officers may have with connecting to work email or other internal resources, as well as potential security issues.
What apps are permitted. Especially on Android devices, it’s possible that some apps may not be as secure as you’d like them to be when a device is accessing your network.

A BYOD policy should also include language that allows the agency or government to search the employee’s device. There should be cause to do so, of course, and the policy should state that the scope of a search will be limited to relevant data (not a wholesale scouring of employee personal data, which could leave you liable if you uncover personal health information or other protected data). This part of the policy should also cover what happens when employees leave the department.

Employees should also be compelled to turn over any evidentiary data on their personal devices as soon as possible after obtaining it. It may be, in some situations, that a personal device is the only means of recording a crime scene, a victim’s injuries, a confrontation of some kind, or other evidence. But policy should dictate when this type of use is allowable and what should happen to the evidence following the recording.

Policy should also dictate how to handle mobile devices in certain situations, like officer-involved shootings or other use of force encounters. It may be that the device contains no evidence. Then again, the nature of text messages or other communications can help to establish an officer’s frame of mind leading up to an encounter.

Have a standard search procedure
Policy only goes so far. Also understand how you’re going to obtain the data. Just as with a civilian’s device, it’s not appropriate to “thumb through” text messages, images, or other data. That would be like thumbing through all the pictures, files and personal effects within an officer’s home.

“Digital first responder” training is imperative for everyone in the agency, including any officer or commander responsible for conducting internal investigations. This training helps the investigator understand how to preserve digital evidence.

For instance, it would not be enough to put an iPhone in Airplane Mode. The investigator also needs to turn off its wi-fi. Doing one but not the other would still allow the device to send and receive data from wi-fi access points, changing data on the device.

Investigators should also be sure to collect data and power cables for all relevant devices. While Android phones use micro USB and therefore have interchangeable power cords, other makes and models do not; Apple iOS devices, for instance, do not have consistent power cabling. If you don’t collect the right cables, you may face having to purchase one.

Keep cables with the devices they’re meant to go with, separate from other devices and cables. Label everything: device make and model, whose it is, case control number. If for some reason you could not collect the cable, note that too.

Internal investigations may start in the field rather than in the office. In this event, a small “first responder” kit (which should be standard issue in all field vehicles) should be maintained. The kit should include a Faraday bag or box to help you isolate the device as you transport it from the scene to the office or forensic lab.

If the device is locked, obtain its password. This may be part of consent to search — be sure to maintain consent forms for BYOD scenarios — or the employee may be compelled to provide the password. Keep in mind that the officer may be unwilling or unable (if physically injured) to provide the password. In this event, know whether your agency’s or government’s IT staff maintains device passwords, and whether they can be reset over the network.

Finally, once you have the device and all necessary legal authority, examine or assign the examination like you would any other evidence device. Know who in your agency or region can perform mobile forensic examinations, and how to contact the on-call specialist.

If you are the one doing the examination, it is wise to undergo training on how to use the forensic tool, including obtaining any necessary certifications. It may also be wise to perform any search in the presence of the officer’s union representative or attorney, or request independent examination by a district attorney’s or attorney general’s investigative staff.

Communicate with employees

Employees should understand that nothing on their personal mobile device is truly “private.” It could become discoverable for any reason at all. Employees should be taught to assume their mobile devices may be searched at any time, and that the old saying “better to ask forgiveness than permission” may not be true of mobile device usage.

Clearly communicate what policies exist and why, along with any changes that are made as soon as they are made. Make sure employees also understand the SOP that goes along with those policies and what their rights are. Know how to answer any questions they might ask, which means working with the city attorney to address them.

Annual in-house training, complete with scenarios and/or role-play, can help in this regard. Regular briefings on offenses, right and wrong responses, implications and consequences of each, and what officers are required to report should all be built into this type of training.

Just like social media posts, mobile device content can affect your credibility as a witness in court, and your usage habits can affect the public’s perception of your professionalism. Strong policies, procedures, and training can help both officers and agencies protect themselves and one another from damaging mobile device misuse.

View Source

Dorset, England, Oct 1, 2013: A PRIVATE security firm is to guard major crime scenes under a four-month trial being carried out by Dorset Police.

The force said guarding the scenes of major crimes, such as murder and serious assault, was currently taking officers away from front-line policing.

It said the decision to outsource the role to Securitas Ltd had the potential to release between 2,600 and 3,600 police hours to front line services each year.

Detective Chief Superintendent Mark Cooper, head of Dorset Police criminal justice department, said: “Protecting the scene is an integral part of an investigation ensuring that evidence is not disrupted, destroyed or contaminated.

“Outsourcing has been tried and tested by other forces for a number of years and it has been found to be a very effective way of securing evidence as well as ensuring robust frameworks on contamination or interference at the scenes of crime.

“Specially trained scene officers will be able to perform this task to a high standard and release police officers back to the front line to perform other essential tasks.

“The outsourcing of scene guarding to Securitas Ltd has the potential to impact positively upon the service we can provide to the communities of Dorset.”

Dorset Police and Crime Commissioner Martyn Underhill said: “I welcome this trial which will put more officers back into core policing. It will also cut force costs and strengthen our ties with Avon and Somerset, and Devon and Cornwall Police Forces who have already adopted this scheme.”

Mike Clancy, south west area director of Securitas, said: “This tried and tested method since 2008 has seen a hugely successful relationship between two forces grow now into a third as we welcome Dorset Police.

“The work our crime scene officers conduct is of the highest standard, having been police-vetted and specifically trained for such a role prior to any deployment.

“Our density of branch network and front line staff enables us to deploy with pace, professionalism and the reliability you would expect from an organisation of our strength, depth and expertise.”

If the trial proves successful, Dorset hopes to use professional scene officers permanently from 2014.
It could also consider deploying them to other crime scenes.

View Source

Move toward LAPD body cameras gets big boost

Sept. 20–Many police departments around the country have been using body-mounted cameras to record their interactions with the community, and with a new push from the City Council and Police Commission, the Los Angeles Police Department may soon be testing the technology aimed at reducing the number of officer-involved complaints and lawsuits.

The idea for the small body-mounted cameras was thrust to the forefront last week when Police Commissioner Steve Soboroff announced he was raising private funding to pay for the items, and City Councilman Mitch Englander said the first cameras for testing might be available as early as next week.

“What we’re looking at is an enhancement to the technology that is already out there with the dash cameras in the black-and-whites,” Englander said in an interview. “More is better in this case. We’re paying out tens of millions of dollars in lawsuits, and these cameras have been shown to lower that amount in other departments. There’s a new energy around this technology, and we want to move forward with it.”

One recent study in Rialto showed an 80 percent drop in the number of complaints against officers during a year-long pilot program, as well as a reduction in use-of-force incidents from 60 to just 25 year over year.

Two weeks ago, Soboroff had said the goal was to have cameras on all officers within the next 18 months, but last week he revised that time frame to one year.

“A couple of things went into that,” Soboroff said in an interview. “(Police Chief Charlie Beck) thinks the results will be so apparent once these things are up and running that the testing period doesn’t need to be that long. We thought it would take six months after we got them to test them — now it’s at three months.”

While he cautioned that the department still has to establish procedures for use of the cameras, including what divisions will test the technology and standards for privacy concerns when officers enter residences, he said the goal is still to move quickly on implementation.

The current plan is to acquire 25 cameras on loan from a manufacturer. Those will be worn in the field for 90 days, and then the department will report back to the City Council’s Public Safety Commission. By then, Soboroff hopes to have raised the money necessary to purchase the hardware, warranties and cloud storage space for the massive amount of data the cameras record.

Funding has consistently been a hang-up in adding the once much touted dashboard cameras to patrol cars, and a similar challenge faces body-camera proposals, even though Chief Beck has voiced his enthusiastic support for both.

Currently, about a fifth of the fleet’s vehicles have in-car cameras, but Beck said last week the department is moving forward with plans for more, on a separate track from the push for body cameras.

To sidestep money concerns over body cameras, Soboroff has taken his pitch private, securing pledges from some high-profile Angelenos, including $250,000 from media mogul Casey Wasserman and an undisclosed amount from DreamWorks co-founder and CEO Jeffrey Katzenberg.

“The goal is for the city to have no financial impact at all,” Soboroff said. “That includes warranties, maintenance, downloading and (data) storage … I have people calling me every day.”

The total cost to acquire 500 of the cameras Englander and Soboroff have been eyeing is about $1 million, including warranties that cover upgrades as technology advances, several years of data storage and monitoring and maintenance. Because those 500 will rotate among officers at shift changes, up to 1,500 officers will be able to use them.
The eventual goal is to equip all on-shift officers with the devices. Englander points out that many have already outfitted themselves with cameras or other recording devices at their own expense.

The Los Angeles Police Protective League, the union that represents the majority of sworn officers, has not yet taken a position on the cameras.

The most popular manufacturer is an Arizona-headquartered company, Taser International Inc., which supplied the LAPD with its brand of stun guns and is providing the cameras for the initial testing period.

The company makes two versions of the cameras: the Axon Body, a rectangular device that mounts to an officer’s shirt pocket and costs about $299; and the Axon Flex, which runs between $700 and $800 and can be mounted on hats, collars, belts or specially designed Oakley sunglasses using a magnetic attachment, as well as on the dashboard of a patrol car to act as a dash cam.

Currently, dozens of U.S. police departments have incorporated the cameras — including Greensboro, N.C., Topeka, Kansas, and Houston — and have made public their drop in complaints against officers.

“Last month, there was an officer-involved shooting in Topeka, and the District Attorney and the police chief were able to watch the video of the incident at the same time,” said Steve Tuttle, a spokesman for Taser International. “Now, I don’t know the outcome of the case, but I know that they’ve tripled their purchase (of cameras) since that time. There’s a reason for that.”

Tuttle points out that the Axon Flex can be used as a replacement for dash cams with a mount similar to a GPS stand that affixes to the dashboard of a vehicle. In the case of motorcycle officers, the on-body camera becomes the default dash cam and records both audio and video.

“We’ve had officers out there going 100 mph, and the camera stays affixed,” he said.

Once the camera is turned on, it is always recording video but captures audio only when a police officer turns on that feature.

Despite the manufacturer’s indication that body cams are able to supplant dash cams, locals involved say they want to move forward with adding both to the LAPD’s equipment arsenal.

“There are so many benefits to having these,” said Councilman Englander. “You can Bluetooth link the body cameras to your smart phone, which would allow officers to roll up to a scene with an operational perspective. They can use it when they are going around a corner or up into an attic. Instead of putting their head up in the attic and getting it shot at, they can put the camera up there. But we still want the perspective of both the officer and the suspect when you’re in the car. You want to have as many perspectives as possible, and this technology makes that possible.”

Copyright 2013 – Daily News, Los Angeles
View Source

A Russian-speaking man casually shows on camera how he can download a punter’s bank-card details and PIN from a hacked card reader.

In a video demonstrating a tampered sales terminal, a card is swiped through the handheld device and a PIN entered – just as any customer would in a restaurant or shop. Later, after a series of key-presses, the data is transferred to a laptop via a serial cable.

Account numbers and other sensitive information appear on the computer screen, ready to be exploited. And the data can be texted to a phone, if a SIM card is fitted to the handheld.

We’re told the footage, apparently shown on an underworld bazaar, is used to flog the compromised but otherwise working kit for $3,000 apiece – or a mere $2,000 if you’re willing to share 20 per cent of the ill-gotten gains with the sellers under a form of hired-purchase agreement.

Crucially, the gang selling this device offers a money-laundering service to drain victims’ bank accounts for newbie fraudsters: a network of corrupt merchants are given the harvested card data and extract the money typically by buying fake goods and then cashing out refunds. The loot eventually works its way back to the owner of the hacked card reader.

A copy of the web video was passed to The Reg, and is embedded below. We have rotated part of the footage so it’s easier to read the on-screen text.

Electronic security consultancy Group-IB said the modified Verifone VX670 point-of-sale terminal, shown above, retains in memory data hoovered from tracks 1 and 2 of the magnetic stripe on the back of swiped bank cards, as well as the PIN entered on the keypad – enough information for fraudsters to exploit.

The setup suggests the sellers are based in Russia. In the video, a credit card from Sberbank, the country’s largest bank and the third largest in Europe, is used to demonstrate the hacked terminal’s capabilities.

If a SIM card for a GSM mobile phone network is fitted to the doctored device, the information can be sent by SMS rather than transferred over a serial cable, explained Andrey Komarov, head of international projects at Group-IB.

He told us crooks tampering with point-of-sale (POS) terminals and selling them isn’t new – but the bundling of money-stealing support services, allowing fraud to be carried out more easily, is a new development in the digital underground.

“We have detected a new group that sells this modified model of POS terminals and provides services for illegal cash-outs of dumped PINs through their own ‘grey’ merchants: it seems they buy fake stuff, and then cash-out money,” Komarov said.

“It takes less than three hours. According to our information, this kind of service is really new, and it is also being used by different cyber-criminals against the Russian bank Sberbank.”

Komarov told El Reg that the emergence of hacked card readers is due to banks improving their security against criminals’ card-skimming hardware hidden in cash machines and similar scams. Planting data-swiping malware in POS handhelds out in the field is possible, but it is fairly tricky to find vulnerable terminals and infiltrate them reliably without being caught.

It’s a touch easier to buy a tampered device and get it installed in a shop or restaurant with the help of staff or bosses on the take. This creates a huge potential market for fraudsters, according to Komarov.

Scam warnings

Banking giant Visa has issued several alerts about this kind of fraud along with occasional warnings about device vulnerabilities – such as this warning from 2009 [PDF]. And social-engineering tricks [PDF] in which fraudsters pose as Visa employees carrying out adjustments to terminals – while actually compromising them – have been going on for years.

One alert [PDF] from Visa, dating from 2010, explains how thieves worked in the past and the steps merchants can take to defend against the fraud: anti-tampering advice from this year can be found here [PDF], an extract of which is below:

Criminal gangs worldwide are illegally accessing active POS terminals and modifying them by inserting an undetectable electronic “bug” that captures cardholder data and PINs during normal transaction processing.
The impact of this type of crime can be significant to all key parties involved in card acceptance. An attack can not only undermine the integrity of the payment system, but diminish consumer trust in a merchant’s business. In response to this emerging threat, acquirers, merchants and their processors need to proactively secure their POS terminals and make them less vulnerable to tampering.

A more recent advisory on combating this type of fraud, issued earlier this year by Visa, can be found here [PDF].

Avivah Litan, a Gartner Research vice-president and an expert in banking security and related topics, said that tampering with card readers has been going on for years. She agreed with Group-IB’s observation that since banks are investing more in securing cashpoints, penetrating point-of-sale terminals can be an easier way to make money for criminals.

“The bad guys will go after anything they can, but it can be easier to find dishonest merchants to cooperate in running tampered terminals [to harvest bank details] than going after ATMs,” Litan told El Reg, adding that this kind of fraud was rife in South America, particularly in countries such as Brazil.

But Group-IB’s Komarov believes the Russian-speaking fraudsters behind the black-market sale of hacked sales terminals are targeting the international market as well as crims in the motherland. “The example they showed for Sberbank was just because they also use it against Russian-speaking countries, as they have Russian-speaking roots,” he explained.

We passed on Group-IB’s research to Verifone at the start of this month, along with a request for comment on what could be done to frustrate the trade of tampered card readers through underground markets and similar scams. We have yet to hear back from the device manufacturer. We’ll update this story if we hear more. ®

View Source

Unless you’ve been living under a rock, you’ve heard the National Security Agency vehemently denying that its spy program is trampling on the constitutional rights of citizens, while privacy advocates bellow about the rise of Orwellian dictatorships. They do love trotting out the 1984 metaphors.

Frankly, there are hypocrisies on both sides. But retailers using data mining and loyalty programs could get caught in the wringer if they don’t police themselves and those that gather the data. More disturbing is what I’ve heard in retail circles recently about reining in customer analytics for fear of incurring the wrath of privacy activists.

I sincerely hope that government surveillance is more concerned with terrorist plots than people’s personal proclivities. But surveillance isn’t new. It just went electronic with George Orwell’s vision of an authoritarian utopia and the Internet has simply made it easier.

The fact is that someone, somewhere keeps tabs on you from the time you’re born to when you open your first checking account, use your first credit card, switch on your first computer, or make your first cellphone call.

Contrary to popular opinion, the Constitution doesn’t guarantee the right to privacy, although the Supreme Court said it’s implied in several Amendments. This was brought to an illogical and frankly, dumb, conclusion in 2011 by the California Supreme Court in the case of Pineda v. Williams-Sonoma, where the plaintiff alleged that the store lied about needing her zip code to complete a credit card transaction. She said it was used to track down her home address for marketing purposes and that her information was being sold.

The takeaway is that where there’s a will, there’s a lawyer and a court that will consider the legal ramifications of a tempest in a teapot.

Where does that leave retailers? Customer surveillance, or customer analytics to use a gentler term, has become a rallying cry throughout the industry and one of the most valuable tools in the retail arsenal.

But the furor over the NSA’s actions will likely unleash a spate of data privacy bills in Congress this year. The latest is the “Apps Act,” which requires consumers to sign off on privacy policies before using them. This moves the industry closer to European privacy laws, with very strict rules about what companies can and can’t do. At the very least, it’s another barrier between customers and the checkout. And, as we have seen, people will simply abandon their carts if the process becomes too cumbersome or inquisitive.

Congress simply isn’t capable of coming to grips with complex privacy issues. As I said, the industry is more than capable of policing itself and making the best use of the data for itself and its customers. But in the immortal words of comic book icon Stan Lee: “With great power comes great responsibility”.

Never take consumers for granted and don’t keep secrets. Tell them how the information helps create a better, more rewarding shopping experience. Assure them that the data is safe and not for sale to outsiders. Make sure all IT security systems are up-to-date—even surpassing industry norms—and initiate oversight of your own IT departments. Most important, don’t abandon data gathering for fear of backlash—real or imagined.

Collecting and analyzing shopper data is not an option. It is a business imperative for improving operations, sales and profits and anticipating customer demand. The competition for reliable information is intense, but it is cheaper to obtain from reliable outsiders than ever. Why not use it to its fullest?

Sometimes having a Big Brother watching is not such a bad thing.

View Source

National Security Agency personnel regularly searched call tracking data using thousands of numbers that had not been vetted in accordance with court-ordered procedures, according to previously secret legal filings and court opinions released by the Obama administration Tuesday.

The agency also falsely certified to the Foreign Intelligence Surveillance Court that analysts and technicians were complying with the court’s insistence that searches only be done with numbers that had a “reasonable, articulable suspicion” of terrorism, according to a senior intelligence official who briefed reporters prior to release of the documents.

The unauthorized searches went on for about three years until they were discovered in March 2009.

An internal inquiry into the misstatements also found that no one at the NSA understood how the entire call-tracking program worked. “There was nobody at NSA who really had a full idea of how the program was operating at the time,” said the official, who spoke on condition of anonymity.

Former NSA contractor Edward Snowden disclosed the program in June by leaking a top-secret FISA Court order authorizing it. The program — sometimes referred to as “business records FISA” or “Section 215” — collected information on the time, duration and numbers connected in virtually every call made to, from or within the United States. It did not authorize or involve listening to calls, which required a separate court order when involving people in the U.S. or U.S. residents overseas.

Despite the regular assurances offered to the court, NSA personnel were querying every day’s new batch of telephone company calling data using an “alert list” that at times included about 17,000 numbers, the documents show. Most of the numbers on that list — about 15,000 — had not been established to meet the “reasonable, articulable suspicion” standard, officials said.

Director of National Intelligence James Clapper emphasized Tuesday that the breach of procedure was discovered by the NSA on its own initiative and, once the violation was found, was promptly disclosed to the court and Congress.

“The compliance incidents discussed in these documents stemmed in large part from the complexity of the technology employed in connection with the bulk telephony metadata collection program, interaction of that technology with other NSA systems, and a lack of a shared understanding among various NSA components about how certain aspects of the complex architecture supporting the program functioned,” Clapper said in a statement. “These gaps in understanding led, in turn, to unintentional misrepresentations in the way the collection was described to the FISC.”

However, the new disclosures give weight to claims that the FISA Court was ill-suited to oversee the complex program. The information could fuel calls for more rigorous oversight of the program.

In an opinion made public in part last month, Judge John Bates discussed the “alert list” practice in vague terms and said it indicated that the court’s orders “had been ‘so frequently and systematically violated that it can be said that this critical element of the overall…regime has never functioned effectively.’”

The breach clearly angered the judges serving on the court.

“The court is exceptionally concerned about what appears to be a flagrant violation of its Order in this matter,” Judge Reggie Walton wrote in a January 2009 order demanding more information about the offending practice.

The officials who briefed reporters Tuesday did not make clear where the “alert list” came from or precisely how numbers got on it. They did indicate it originated outside the NSA.

The court filings suggest that the “alert list” was something the NSA used when targeting communications between parties outside the United States under the agency’s traditional “signals intelligence” capabilities.

The practice was reported to the court in January 2009 and halted on the court’s order in March of that year.

As a result of the breach of the court’s orders, the FISA Court essentially put the NSA on probation by requiring it to come to the court in advance for permission for each new number to be searched, officials said. That advance-approval process — which did allow for exceptions in emergencies — continued through September 2009, officials added.

The fact that a process requiring advance, “case by case” approval was in place for a time could also support arguments from civil liberties groups and other critics that the courts should be involved each time a number is added to the list of those to be searched.

Officials emphasized that the “alert list” queries were not like the regular queries of the call database. Those often pored through five years of data and looked for patterns in calls that could be removed by up to “three hops” from the original number searched. By contrast, the “alert list” searches were confined to the incoming day’s data and numbers in direct contact with those searched.

“This was a much narrower, sort of rolling-basis query just to try to identify numbers of interest, so it didn’t go out multiple hops,” the senior official said.
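To make the difference between the two query types concrete, here is an added Python illustration (not code from the article, the NSA or the court filings; the records and numbers are constructed placeholders). It builds a contact graph from call-detail records, runs a hop-limited breadth-first search to show how a three-hop historical query reaches far more numbers than a one-hop check against a single day’s data, and adds a pre-approval guard of the kind the court later imposed, so that a query seed that is not on the vetted list is refused and logged rather than run. The function names and the `approved` set are assumptions for the example.

```python
from collections import defaultdict, deque

# Constructed call-detail records: (caller, callee, day). Fake placeholder numbers.
CALL_RECORDS = [
    ("555-0100", "555-0101", 1),
    ("555-0101", "555-0102", 1),
    ("555-0102", "555-0103", 2),
    ("555-0103", "555-0104", 3),
    ("555-0100", "555-0105", 3),
    ("555-0105", "555-0106", 3),
    ("555-0199", "555-0198", 3),   # unrelated pair, never reached from 555-0100
]


def build_contact_graph(records, days=None):
    """Undirected contact graph; optionally restricted to the given set of days."""
    graph = defaultdict(set)
    for caller, callee, day in records:
        if days is not None and day not in days:
            continue
        graph[caller].add(callee)
        graph[callee].add(caller)
    return graph


def contact_chain(graph, seed, max_hops):
    """Breadth-first search from seed, stopping at max_hops.
    Returns {number: hop_distance} for every number reached, excluding the seed."""
    dist = {seed: 0}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        if dist[cur] == max_hops:
            continue                      # do not expand beyond the hop limit
        for nbr in graph[cur]:
            if nbr not in dist:
                dist[nbr] = dist[cur] + 1
                queue.append(nbr)
    return {n: d for n, d in dist.items() if n != seed}


def full_query(records, seed, hops=3):
    """The 'regular' query: all stored data, up to `hops` hops from the seed."""
    return contact_chain(build_contact_graph(records), seed, hops)


def alert_list_query(records, alert_list, day):
    """The rolling 'alert list' check: only that day's records, only direct contacts."""
    graph = build_contact_graph(records, days={day})
    return {n: sorted(graph[n]) for n in alert_list if n in graph}


def guarded_query(records, seed, approved, audit_log, hops=3):
    """Compliance wrapper (assumed, not from the article): refuse any seed that has
    not been individually vetted, and record the decision either way."""
    if seed not in approved:
        audit_log.append(("REFUSED", seed))
        raise PermissionError(f"seed {seed} has not been vetted")
    audit_log.append(("RUN", seed, hops))
    return full_query(records, seed, hops)


if __name__ == "__main__":
    seed = "555-0100"
    for h in (1, 2, 3):
        print(f"{h}-hop query from {seed}: {len(full_query(CALL_RECORDS, seed, h))} numbers")
    print("day-3 alert-list hits:", alert_list_query(CALL_RECORDS, [seed, "555-0103"], 3))
    log = []
    try:
        guarded_query(CALL_RECORDS, "555-0199", approved={seed}, audit_log=log)
    except PermissionError as e:
        print("blocked:", e)
    print("audit log:", log)
```

Running the script shows the breadth growing with each hop from the same seed, while the alert-list check returns only the seed’s direct contacts on the chosen day; the guard demonstrates the control that matters for oversight, which is that the seed itself is vetted before any chaining happens.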

The court documents released Tuesday, which officials said totaled about 1,800 pages including some duplicates, were disclosed in connection with a Freedom of Information Act lawsuit brought by the Electronic Frontier Foundation. The Obama administration long resisted calls to release the documents even in redacted form, saying they would be incoherent after sensitive information was deleted.

However, after Snowden’s leaks about the program, officials said they were reviewing the legal records again and would be able to make some disclosures. Officials said the document release Tuesday was being made at President Barack Obama’s instruction.


Parental Snooping: Think It’s Legal?

You’re trying to be a good parent. You’ve explained the importance of treating people with respect online as well as face-to-face, and the permanence of online comments, photos and videos. And in the spirit of trust but verify, you may occasionally scroll through your kid’s email or Google+ account, or pick up their phone to glance at recent texts. One would think this behavior is protected by law. Surprisingly, wiretap laws don’t have carve-outs for parental snooping.

Before diving into the law, allow me to explain in one word why the law and court cases on snooping in the home are so muddled: Divorce. In the cage match that is divorce and custody battles, snooping and taping are as much staples as roundhouse kicks and choke holds. If parents had unfettered access to their children’s communications, they then would have such access to those communications with the opposing parent. Because this is not always in the best interest of the child, courts cannot say as a rule that parental snooping is okay in all instances.

The law actually starts by saying that snooping is not okay. There are both Federal laws and state laws covering wiretapping. For Federal law, we look at the Electronic Communications Privacy Act (ECPA). The ECPA covers both the interception of electronic communications in transit (Title III of the ECPA) and unauthorized access of those communications while in storage (Title II of the ECPA, also known as the Stored Communications Act). Courts have found an expectation of privacy in electronic communications while in transit (Title III), but that expectation diminishes once the transmission is complete and the communication is stored (Title II). What this means is that looking through your kid’s email is going to be looked at more favorably than putting a tap on their phone line and recording calls.

Let’s take a closer look at the Stored Communications Act. It says:

18 USC § 2701 – Unlawful access to stored communications

(a) Offense.— Except as provided in subsection (c) of this section whoever—

(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or

(2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.

Putting this into English, you can go to jail for up to 10 years if you intentionally access stored communications where you don’t have the authority to access them or you exceed your authority by accessing them. The question then becomes whether or not parents have the authority under the law to access their children’s stored communications. This is where courts come in.

The United States is a common law country. Common law means that the courts help make law by interpreting the laws written by the legislature. This is why you hear lawyers reciting case names when arguing for their clients. They are arguing what is called case law. The case law on snooping on kids centers on taping phone conversations rather than accessing stored communications, but the court would use the same logic in a stored communications case.

In a 1998 court case Pollock v. Pollock, the court used the concept of vicarious consent to justify the interception of a minor child’s conversation. Recording of conversation is permitted when one of the parties involved consents to the recording. Vicarious consent occurs in this context when a parent consents to wiretapping on behalf of their child and when the parent’s snooping is motivated by the genuine, good faith concern for the child’s welfare. Therefore, if a parent is acting in the best interest of the child, courts should find that snooping is justified and allowable by law because the parent is consenting to their own snooping.

It’s a good thing parents have legal protection via the courts for good faith snooping, because a lot of parents do it. A new study from the Digital Future Project finds 70% of parents say they monitor their child’s online activity while on Facebook and other social media sites, and 46% have password access to their children’s accounts. The author falls into both camps, but not on a regular basis. There’s a balance to be struck between trust and monitoring. At least now I know I won’t be spending 10 years in jail for doing a bit of looking if I feel it’s in the best interest of my child.


Report: NSA can access most smartphone data

BERLIN (AP) — The U.S. National Security Agency is able to crack protective measures on iPhones, BlackBerry and Android devices, giving it access to users’ data on all major smartphones, according to a report Sunday in German news weekly Der Spiegel.

The magazine cited internal documents from the NSA and its British counterpart GCHQ in which the agencies describe setting up dedicated teams for each type of phone as part of their effort to gather intelligence on potential threats such as terrorists.

The data obtained this way includes contacts, call lists, SMS traffic, notes and location information, Der Spiegel reported. The documents don’t indicate that the NSA is conducting mass surveillance of phone users but rather that these techniques are used to eavesdrop on specific individuals, the magazine said.

The article doesn’t explain how the magazine obtained the documents, which are described as “secret.” But one of its authors is Laura Poitras, an American filmmaker with close contacts to NSA leaker Edward Snowden who has published several articles about the NSA in Der Spiegel in recent weeks.

The documents outline how, starting in May 2009, intelligence agents were unable to access some information on BlackBerry phones for about a year after the Canadian manufacturer began using a new method to compress the data. After GCHQ cracked that problem, too, analysts celebrated their achievement with the word “Champagne,” Der Spiegel reported.

The magazine printed several slides alleged to have come from an NSA presentation referencing the film “1984,” based on George Orwell’s book set in a totalitarian surveillance state. The slides — which show stills from the film, former Apple Inc. chairman Steve Jobs holding an iPhone, and iPhone buyers celebrating their purchase — are captioned: “Who knew in 1984…that this would be big brother…and the zombies would be paying customers?”

Snowden’s revelations have sparked a heated debate in Germany about the country’s cooperation with the United States in intelligence matters.

On Saturday, thousands of people in Berlin protested the NSA’s alleged mass surveillance of Internet users. Many held placards with slogans such as “Stop watching us.”

Separately, an incident in which a German police helicopter was used to photograph the roof of the American consulate in Frankfurt has caused a minor diplomatic incident between the two countries.

German magazine Focus reported Sunday that U.S. Ambassador John B. Emerson complained about the overflight, which German media reported was ordered by top officials after reports that the consulate housed a secret espionage site.

A U.S. embassy spokesman downplayed the story, saying “the helicopter incident was, naturally enough, the subject of embassy conversation with the Foreign Ministry, but no demarche or letter of complaint about the incident was sent to the German government.”


The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.

The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.

Many users assume — or have been assured by Internet companies — that their data is safe from prying eyes, including those of the government, and the N.S.A. wants to keep it that way. The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets, restricted to those cleared for a highly classified program code-named Bullrun, according to the documents, provided by Edward J. Snowden, the former N.S.A. contractor.

Beginning in 2000, as encryption tools were gradually blanketing the Web, the N.S.A. invested billions of dollars in a clandestine campaign to preserve its ability to eavesdrop. Having lost a public battle in the 1990s to insert its own “back door” in all encryption, it set out to accomplish the same goal by stealth.

The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.

The N.S.A. hacked into target computers to snare messages before they were encrypted. In some cases, companies say they were coerced by the government into handing over their master encryption keys or building in a back door. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.

“For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies,” said a 2010 memo describing a briefing about N.S.A. accomplishments for employees of its British counterpart, Government Communications Headquarters, or GCHQ. “Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.”

When the British analysts, who often work side by side with N.S.A. officers, were first told about the program, another memo said, “those not already briefed were gobsmacked!”

An intelligence budget document makes clear that the effort is still going strong. “We are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit Internet traffic,” the director of national intelligence, James R. Clapper Jr., wrote in his budget request for the current year.

In recent months, the documents disclosed by Mr. Snowden have described the N.S.A.’s reach in scooping up vast amounts of communications around the world. The encryption documents now show, in striking detail, how the agency works to ensure that it is actually able to read the information it collects.

The agency’s success in defeating many of the privacy protections offered by encryption does not change the rules that prohibit the deliberate targeting of Americans’ e-mails or phone calls without a warrant. But it shows that the agency, which was sharply rebuked by a federal judge in 2011 for violating the rules and misleading the Foreign Intelligence Surveillance Court, cannot necessarily be restrained by privacy technology. N.S.A. rules permit the agency to store any encrypted communication, domestic or foreign, for as long as the agency is trying to decrypt it or analyze its technical features.

The N.S.A., which has specialized in code-breaking since its creation in 1952, sees that task as essential to its mission. If it cannot decipher the messages of terrorists, foreign spies and other adversaries, the United States will be at serious risk, agency officials say.

Just in recent weeks, the Obama administration has called on the intelligence agencies for details of communications by leaders of Al Qaeda about a terrorist plot and of Syrian officials’ messages about the chemical weapons attack outside Damascus. If such communications can be hidden by unbreakable encryption, N.S.A. officials say, the agency cannot do its work.
