On Q Professional Investigations

A company that markets video cameras designed to allow consumers to monitor their homes remotely has settled Federal Trade Commission charges that its lax security practices exposed the private lives of hundreds of consumers to public viewing on the Internet. This is the agency’s first action against a marketer of an everyday product with interconnectivity to the Internet and other mobile devices – commonly referred to as the “Internet of Things.”

The FTC’s complaint alleges that TRENDnet marketed its SecurView cameras for purposes ranging from home security to baby monitoring, and claimed in numerous product descriptions that they were “secure.” In fact, the cameras had faulty software that left them open to online viewing, and in some instances listening, by anyone with the cameras’ Internet address.

“The Internet of Things holds great promise for innovative consumer products and services. But consumer privacy and security must remain a priority as companies develop more devices that connect to the Internet,” said FTC Chairwoman Edith Ramirez.

In its complaint, the FTC alleges that, from at least April 2010, TRENDnet failed to use reasonable security to design and test its software, including a setting for the cameras’ password requirement. As a result of this failure, hundreds of consumers’ private camera feeds were made public on the Internet.

“…hackers posted links to the live feeds of nearly 700 of the cameras. The feeds displayed babies asleep in their cribs, young children playing, and adults going about their daily lives.”

According to the complaint, in January 2012, a hacker exploited this flaw and made it public, and, eventually, hackers posted links to the live feeds of nearly 700 of the cameras. The feeds displayed babies asleep in their cribs, young children playing, and adults going about their daily lives. Once TRENDnet learned of this flaw, it uploaded a software patch to its website and sought to alert its customers of the need to visit the website to update their cameras.

The FTC also alleged that, from at least April 2010, TRENDnet transmitted user login credentials in clear, readable text over the Internet, even though free software was available to secure such transmissions. In addition, the FTC alleged that TRENDnet’s mobile applications for the cameras stored consumers’ login information in clear, readable text on their mobile devices.

Under the terms of its settlement with the Commission, TRENDnet is prohibited from misrepresenting the security of its cameras or the security, privacy, confidentiality, or integrity of the information that its cameras or other devices transmit. In addition, the company is barred from misrepresenting the extent to which a consumer can control the security of information the cameras or other devices store, capture, access, or transmit.

In addition, TRENDnet is required to establish a comprehensive information security program designed to address security risks that could result in unauthorized access to or use of the company’s devices, and to protect the security, confidentiality, and integrity of information that is stored, captured, accessed, or transmitted by its devices. The company also is required to obtain third-party assessments of its security programs every two years for the next 20 years.

The settlement also requires TRENDnet to notify customers about the security issues with the cameras and the availability of the software update to correct them, and to provide customers with free technical support for the next two years to assist them in updating or uninstalling their cameras.

View Source

George Clooney revealed details last week about “his” spy satellite over Sudan, which he funds to keep an eye on the Sudanese president Omar al-Bashir, who has been accused of war crimes.

The Satellite Sentinel Project (SSP), which Clooney co-founded, has been innovatively using information from satellites to help prevent humanitarian disasters before they happen—rather than reporting the aftermath of a conflict. Near real-time satellite data, provided free by one of the worlds biggest commercial satellite operators, DigitalGlobe, is used to deter atrocities and to monitor military movements along the troubled border of Sudan and South Sudan, enabling responses that avoid civilian casualties. As the SSP motto goes: “The world is watching because you are watching.”

Other advocacy groups like Amnesty International and Human Rights Watch also use satellite images to monitor human rights abuses. Images taken of Burma, Syria and Zimbabwe have shown the destruction of civilian areas, including razed villages and bomb damage. These can be quite powerful for those seeking to raise public awareness and pressure for political intervention, aid or sanctions. Their increasing value in this area is supported by the fact that the Office of the Prosecutor of the International Criminal Court now has its own in-house team with an expertise in satellite data.

Steep changes in satellite technologies, particularly the increased availability of data at scales which allow the identification of ground-based objects, are obviously providing exciting new opportunities for NGOs to monitor remotely. But they also raise questions about who else is using satellite images for monitoring purposes, and what they are using them for.

In practice, governments have used satellites for many years, especially to police extensive areas where ground inspections would be a burdensome logistical exercise with high associated costs. Within Europe they are used by regulatory bodies to monitor fraud for farming subsidy payments, to patrol borders for oil spills and boats carrying illegal immigrants, and to check compliance with legislation concerning the environment, deforestation, and water usage. There are also examples of the police using archives of satellite images to investigate crimes.

View Source

WASHINGTON — THE future of technological surveillance is fast approaching — and we are doing far too little to prepare ourselves.

Last week, thanks in part to documents that I and the Electronic Privacy Information Center obtained under the Freedom of Information Act, the American public learned that the Department of Homeland Security is making considerable progress on a computerized tool called the Biometric Optical Surveillance System. The system, if completed, will use video cameras to scan people in public (or will be fed images of people from other sources) and then identify individuals by their faces, presumably by cross-referencing databases of driver’s license photos, mug shots or other facial images cataloged by name.

While this sort of technology may have benefits for law enforcement (recall that the suspects in the Boston Marathon bombings were identified with help from camera footage), it also invites abuse. Imagine how easy it would be, in a society increasingly videotaped and monitored on closed-circuit television, for the authorities to identify antiwar protesters or Tea Party marchers and open dossiers on them, or for officials to track the public movements of ex-lovers or rivals. “Mission creep” often turns crime-fighting programs into instruments of abuse.

At the moment, there is little to no regulation or legal oversight of technologies like the Biometric Optical Surveillance System. We need to implement safeguards to protect our civil liberties — in particular, our expectation of some degree of anonymity in public.

The Department of Homeland Security is not the only agency developing facial-surveillance capacities. The Federal Bureau of Investigation has spent more than $1 billion on its Next Generation Identification program, which includes facial-recognition technology. This technology is expected to be deployed as early as next year and to contain at least 12 million searchable photos. The bureau has partnerships with at least seven states that give the agency access to facial-recognition-enabled databases of driver’s license photos.

State agencies are also participating in this technological revolution, though not yet using video cameras. On Monday, Ohio’s attorney general, Mike DeWine, confirmed reports that law enforcement officers in his state, without public notice, had deployed facial-recognition software on its driver’s license photo database, ostensibly to identify criminal suspects.

A total of 37 states have enabled facial-recognition software to search driver’s license photos, and only 11 have protections in place to limit access to such technologies by the authorities.

Defenders of this technology will say that no one has a legitimate expectation of privacy in public. But as surveillance technology improves, the distinction between public spaces and private spaces becomes less meaningful. There is a vast difference between a law enforcement officer’s sifting through thousands of hours of video footage in search of a person of interest, and his using software to instantly locate that person anywhere, at any time.

A person in public may have no reasonable expectation of privacy at any given moment, but he certainly has a reasonable expectation that the totality of his movements will not be effortlessly tracked and analyzed by law enforcement without probable cause. Such tracking, as the federal appellate judge Douglas H. Ginsburg once ruled, impermissibly “reveals an intimate picture of the subject’s life that he expects no one to have — short perhaps of his wife.”

Before the advent of these new technologies, time and effort created effective barriers to surveillance abuse. But those barriers are now being removed. They must be rebuilt in the law.

Two policies are necessary. First, facial-recognition databases should be populated only with images of known terrorists and convicted felons. Driver’s license photos and other images of “ordinary” people should never be included in a facial-recognition database without the knowledge and consent of the public.

Second, access to databases should be limited and monitored. Officers should be given access only after a court grants a warrant. The access should be tracked and audited. The authorities should have to publicly report what databases are being mined and provide aggregate numbers on how often they are used.

We cannot leave it to law enforcement agencies to determine, behind closed doors, how these databases are used. With the right safeguards, facial-recognition technology can be employed effectively without sacrificing essential liberties.

View Source

The Glendale Unified School District in Southern California outsources keeping tabs on troublemakers as well as identifying kids in trouble. At least these are its justifications.

Safety has rather become the mantra of authorities over the last few years.

Government exists, so we’re told, to keep the people safe. As opposed to, say, happy, employed, strong, proud or free.

A school district in Southern California is also committed to the safety of its kids. And, given that social media sites are where kids are at these days, it’s decided to keep tabs on every single public post its kids are making.

Naturally, the Glendale Unified School District doesn’t have the time to do this itself. So it’s hired an outside company to do its tab-keeping for it.

As CBS Los Angeles reports, the district chose Geo Listening, a company that specializes in following kids’ Facebook, Twitter, Instagram, and YouTube feeds.

“The whole purpose is student safety,” the district’s superintendent Richard Sheehan told CBS.

So now every single piece of social blurting is now being watched by Big Geo.

Sheehan explained that the system works by looking for keywords. He gave examples of how potentially suicidal kids have been the subject of interventions thanks to the system.

Some, though, might feel a touch chilled by his description of the system’s breadth.

“We do monitor on and off campus, but we do pay attention during school hours. We do pay more attention to the school computers,” he said.

In legal terms, any public posting is fair game. The Geo Listening Web site helpfully explains: “The students we can help are already asking for you. All of the individual posts we monitor on social media networks are already made public by the students themselves. Therefore, no privacy is violated.”

Every single public posting made by every one of the district’s 13,000 students is being monitored, although the company insists it doesn’t peek at “privatized pages, SMS, MMS, email, phone calls, voicemails.”

Geo Listening says that its role is to provide “timely” information, so that a school can act, whether it’s a case of bullying, potential self-harm, vandalism, substance abuse or truancy.

However, the company is surely able to build up a huge trove of information about all individuals which, at least theoretically, might prove to be valuable (to someone) in the future.

What lazy, neurotic employer wouldn’t love to know if a potential hire was a school bully a few years ago? Might the employer be able to contact the school district and demand a record of all social media activity that took place in a potential employee’s youth?

When kids grow up, there will be parts of their lives they want to erase. Yet here will be records that keep that past alive.

The twin-pronged fork of surveillance is currently being examined for the potential of its worth.

The problem is that, ultimately, there are no guarantees — be it Google, the NSA or Geo Listening — about what information is actually being collected and how it might be used.

Why do you think that kids (and Wall Street) are so enamored with Snapchat?

View Source

The New York Times is working to make its website available again for all readers after it was disrupted by a group calling itself the Syrian Electronic Army in an exploit that also affected Twitter Inc.

The group disrupted traffic to the websites by hacking yesterday into registration-services provider Melbourne IT Ltd. (MLB), which handles the online addresses of nytimes.com and twitter.co.uk, according to Tony Smith, a spokesman for the Melbourne-based company. The Times instructed readers who can’t access its home page to go to an alternate site.

Some users initially reported being redirected to the Syrian group’s sites. Many were simply unable to access the pages at all. The Syrian Electronic Army, which backs the country’s president, Bashar al-Assad, has also claimed responsibility for hacking the Washington Post this month and the Financial Times in early May, redirecting readers to its own websites and videos.

“The credentials of a Melbourne IT reseller (username and password) were used to access a reseller account on Melbourne IT’s systems,” Smith wrote in an e-mail. He said the login information was obtained through phishing, a technique used to obtain private data by imitating legitimate websites.

It may take time before all users can get normal access to the newspaper’s site, Smith said. Times employees have been instructed to use caution when sending sensitive e-mails, the newspaper said.

Caching Quirk

A quirk in the way that domain information is updated across the Internet has meant that the Times website is still inaccessible to many users today even though the site is functioning normally. Many corporations and browsers on personal computers cache domain data for 24 hours to speed up connections, preventing access to the news site until those caches are cleared.

On its website, Twitter said its domain registration provider “experienced an issue in which it appears DNS records for various organizations were modified,” including the twimg.com domain it uses to host images. The original domain record for that site has since been restored, and no user information was affected, it said. While Twitter’s site operated normally, twitter.co.uk was inaccessible for some users.

The Huffington Post, owned by AOL Inc. (AOL), also experienced a hack attempt and “minimal disruption of service,” said Rhoades Alderson, a spokesman for the online publisher. The site was working normally today, he said.

AP Hack

Unidentified hackers hijacked the Associated Press Twitter account in April, sending stock markets down 1 percent in a matter of seconds by posting a false claim of an attack on the White House. The fake message — saying that President Barack Obama had been injured after his residence was bombed — followed repeated attempts by hackers to gain access to AP reporters’ passwords, the news agency said in a report. While the Syrian Electronic Army claimed responsibility for the intrusion, that couldn’t be confirmed, the AP said.

The Times has been increasingly focusing on its website for growth as the industry reels from a print-advertising slump. Digital subscribers to the Times and its international edition increased 35 percent to 699,000 at the end of the last quarter. The company averaged about 14 new paying online readers every hour from the beginning of January to the end of June.

On Aug. 14, the newspaper’s website and e-mail systems crashed for more than two hours because of an internal malfunction with its servers.

New York Times Co. dropped 1.4 percent to $11.42 at 12:52 p.m. in New York. The shares had gained 36 percent this year through yesterday.

View Source

Seems like everything gets hacked these days. Baby monitors. White House employees’ personal email. Toilets.

If it’s connected to the Internet, it seems at least a little vulnerable.

But surely we can trust that workhorse selfie-generator, the iSight webcam built into the top bezel of Mac laptops. Or… Maybe not. Yesterday, security researchers Steve Glass and Christopher Soghoian were passing around a National Security Administration factsheet with a little bit of advice for Mac users on how to “harden” their computers to attacks.

Among the tips, we find the following suggestion: “Disable Integrated iSight and Sound Input.”

“The best way to disable an integrated iSight camera is to have an Apple-certified technician remove it,” the NSA writes (emphasis added). Then, you might try “placing opaque tape over the camera” or try the software-only method of removing one of the components of Quicktime’s files. And if the NSA doesn’t trust a particular piece of hardware can’t be used for surveillance, it’s probably safe to assume an average user shouldn’t either.

View Source

For several years, the National Security Agency unlawfully gathered tens of thousands of e-mails and other electronic communications between Americans as part of a now-revised collection method, according to a 2011 secret court opinion.

The redacted 85-page opinion, which was declassified by U.S. intelligence officials on Wednesday, states that, based on NSA estimates, the spy agency may have been collecting as many as 56,000 “wholly domestic” communications each year.

In a strongly worded opinion, the chief judge of the Foreign Intelligence Surveillance Court expressed consternation at what he saw as a pattern of misleading statements by the government and hinted that the NSA possibly violated a criminal law against spying on Americans.

“For the first time, the government has now advised the court that the volume and nature of the information it has been collecting is fundamentally different from what the court had been led to believe,” John D. Bates, then the surveillance court’s chief judge, wrote in his Oct. 3, 2011, opinion.

The court, which meets in secret, oversees the Foreign Intelligence Surveillance Act, the law authorizing such surveillance in the United States. It has been criticized by some as a “rubber stamp” for the government, but the opinion makes clear the court does not see itself that way.

Bates’s frustration with the government’s lack of candor extended beyond the program at issue to other NSA surveillance efforts.

“The court is troubled that the government’s revelations regarding NSA’s acquisition of Internet transactions mark the third instance in less than three years in which the government has disclosed a substantial misrepresentation regarding the scope of a major collection program,” Bates wrote in a scathing footnote.

The Washington Post reported last week that the court had ruled the collection method unconstitutional. The declassified opinion sheds new light on the volume of Americans’ communications that were obtained by the NSA and the nature of the violations, as well as the FISA court’s interpretation of the program.

The release marks the first time the government has disclosed a FISA court opinion in response to a Freedom of Information Act lawsuit. The lawsuit was brought a year ago by the Electronic Frontier Foundation, a privacy group.

“It’s unfortunate it took a year of litigation and the most significant leak in American history to finally get them to release this opinion,” said foundation staff attorney Mark Rumold, “but I’m happy that the administration is beginning to take this debate seriously.”

The pressure to release the opinion was heightened by a series of recent revelations about government surveillance based on documents leaked to The Washington Post and Britain’s Guardian newspaper by former NSA contractor Edward Snowden.

Over the past 21 / 2 months, those revelations have reignited a national debate on the balance between privacy and security, and President Obama has promised to assuage concerns about government overreach, in part through more transparency.

Read More

Like any other industry, it is hard to say what the future holds for video security. Global political developments, economic crises and similar events are influencing factors that can play a key role. Of course, it is possible to draw some conclusions from current developments.

Network without boundaries

You don’t have to be a fortune teller to assume that more and more applications will run over the network in the future. This also applies to video security as the trend toward digital solutions continues to be strong. Users are set to profit from the flexibility, higher image quality and new options digital technology has to offer. It is possible to combine and control many applications over the network in a large system. However, the network then becomes a bottleneck because more and more applications are running over the same network. If you take into account the trend toward higher image qualities in video systems, you then have very large amounts of data that require a well-dimensioned network for rapid data transfer. This should not be reason to refrain from increasing image quality, or modernizing and extending the network. A sound, cost-efficient balance between feasibility, technical concepts and actual requirements will be the best solution in the future. In terms of image quality, I anticipate five- to 10-megapixel resolution will be the standard of the future.

More mobile, more flexible

The mobility trend is likely to continue to increase. Customer and integrator requirements of the future are likely to include the ability to directly control cameras and access camera data, set up the complete system remotely and import updates or make other changes in the system configuration. Providers have to react. However, in doing so, they cannot afford to lose sight of a key factor: User friendliness. One solution is a special app that allows complete video management or the setup of complete systems via mobile end devices, without any restrictions in the data transfer rate or image quality. This requires new codices and streaming methods, as well as a certain degree of product intelligence.

The flexibility of the system is crucial. It has to be flexible in terms of expansion capabilities with new cameras as well as in terms of sustainability. It must be possible to add new functions to old models using updates. Flexibility will mean even more in the future as development efforts move toward the idea of a platform rather than an individual product. In a nutshell, it means that the customer does not have to define unchangeable camera features when choosing a camera. Instead, the user can select the sensor modules from a kind of construction kit. This way, systems can be quickly adapted to new requirements or technical changes.

This creates enormous advantages for systems integrators. On the one hand, it puts them in a position to generate updates and added value for customers without incurring major additional costs. On the other, they can implement future customer requirements into appropriate solutions with lower storage capacity.

What will generate added value?

Future video system requirements are sure to include video analysis, which is set to become more popular. Analytics such as heat maps or counting lines will deliver additional information in many areas. Providers with integrated added value features can score points where users want to pay as little as possible or demand these services in the overall package without additional costs.

Where will data be stored?

Will data be stored within the camera itself, in the cloud or via a DVR? One thing is certain: An increasing amount of data will be stored inside the camera in the not too distant future. It will be stored in HDTV resolution and for up to several weeks. Data storage in the cloud is also set to increase. The advantages are plain to see. DVRs are no longer necessary for data storage and users can look at video from anywhere using Internet-enabled devices. Hosted video is likely to be a growth market, particularly for smaller companies and private individuals. Does this development mark the end of DVR and on-site data storage? Not quite. Large companies in particular will either want to store sensitive data inside the camera on a permanent basis or in the supposedly less secure global data cloud.

Buy or lease?

It will be interesting to see whether users will have to purchase video systems outright, if leasing will be an option or if other remuneration models will come into play. It is likely that we will see a mix based on user requirements. These customized offerings will open up other market segments that did without video surveillance in the past due to the costs involved. Cost-effective leasing models, probably in connection with hosted video, are sure to make video security an attractive option for private users in the future. Where it goes from here heavily depends on manufacturer offerings and prices.

Where will growth come from?

Today, most video security systems are in operation in retail stores. With innovative improvements to network cameras and their range of applications, this technology will be interesting for many other industries and markets. I expect high growth rates in a number of different areas, including public security. Looking at current developments and ongoing discussions, it is safe to assume that video is set to become standard in public areas, airports, train stations and other places where large numbers of people are present. In terms of image quality for video surveillance in public spaces, it is likely that we will see legislation in place by 2020 that will ensure minimum image resolution standards. A minimum resolution of one megapixel would be appropriate in order to guarantee that the images can be used to prosecute offenders. Other growth industries include transportation, healthcare and education. Private users are also increasingly seen as customers.

The most important sales regions

Europe and the U.S. will remain the core markets for video systems. The markets are already saturated, however, the technological conversion from analog to digital systems by 2020 will continue to bring high turnover. India and China with their huge population base and high growth rates will be the key drivers in the Asian market. A high level of demand for digital video systems can also be expected in regions with strong broadband infrastructure growth. Fiber optics is a keyword here. I think research firm RNCOS’ prediction of annual growth of 14 percent through 2017 is absolutely realistic.

Who benefits?

It’s impossible to say, however, it is clear that users will definitely benefit from the technical innovations and new options, be it higher image quality, mobile solutions or other analysis options. From a manufacturer’s point-of-view, one thing is certain: Customer requirements are key. Surveillance solution providers must orient themselves toward customer requirements and not the other way around. Success in the market requires providers to face a number of challenges that need to be taken into account in the company’s corporate strategy. They have to deliver technological solutions that can fulfill current and future requirements, making it necessary to continuously reinvent the company. This requires a balance between the synergies and uniqueness of the products. Manufacturers need a portfolio that has an attractive mix of “bestsellers” for the majority of applications and innovative “high-end” solutions that will gradually develop into bestsellers. At the same time, it is important to strike the right balance between price and product features. Corporate success requires technological developments as well as continuous growth, both in terms of market shares and an international presence. To this end, it is crucial to retain control over all of the key processes and new structures that come hand-in-hand with growth. This is the means to an end: The goal is to be competitive in the future.

View Source

A Palestinian security researcher gained unauthorized access, last week, to Mark Zuckerberg’s Facebook (NASDAQ:FB) page to prove the legitimacy of his bug report, after the social network giant’s security team ignored his previous reports on the vulnerability.

On Facebook, users are not permitted to share or post anything on the profile pages of people that are not on one’s friends list. But, the security expert, who goes by the name of Khalil Shreateh, discovered a bug that allowed an intruder to post on anyone’s Facebook “Wall,” even without being that person’s “Friend” on the social networking site.

In an initial bug report to Facebook, Shreateh tried to demonstrate the vulnerability by sharing a link on the wall of Sarah Goodin, who is a college friend of the Facebook founder. A member of the Facebook’s online security team, who was not on Goodin’s friends list, clicked on Shreateh’s link but could not view his post as Goodin’s wall was set to be visible to her friends only.

Shreateh sent another bug report, explaining that anyone inspecting the vulnerability on Goodin’s wall needed to be her friend, or would have to use administrative access to view the post. However, the Facebook security official responded to Shreateh saying what he had pointed out was not a bug.

However, Shreateh, convinced of the bug he had discovered and to prove the legitimacy of his discovery, decided to take it to the next level by posting on Zuckerberg’s own profile page.

On Thursday, a note from Shreateh was visible on Zuckerberg’s timeline, saying: “Sorry for breaking your privacy to your wall,” it read, “i no other choice to make after all the reports I sent to Facebook team.”

As Shreateh expected, this generated a reaction from Facebook, leading the company to fix the flaw.

According to Facebook’s whitehat exploit disclosure program, Shreateh could qualify for a reward of at least $500 as the discoverer of a bug on the site. But, Shreateh might be disqualified from receiving the bug bounty, Facebook said.

According to Facebook’s bug disclosure policy, a security researcher should use test accounts, rather than real accounts of Facebook users, to work on the site’s vulnerabilities and bug reports. Shreateh, according to the company, violated this rule by accessing Goodin’s and Zuckerberg’s profiles.

“We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site,” TechCrunch quoted Facebook as saying.

Facebook said also that Shreateh’s bug report did not have enough technical information to convince its in-house security experts. In addition, the company receives hundreds of bug reports on a daily basis, it added, making it difficult for the company’s security team to separate the genuine reports from the fake ones.

However, Matt Jones, one of Facebook’s engineers on the security team, admitted in an online forum, Hacker News, that the social network did not follow up with Shreateh properly. “We should have pushed back asking for more details here,” he wrote.

View Source

Prior to President Obama’s press conference on potential surveillance reform today, two important stories were published showing National Security Agency (NSA) surveillance has gone farther than government officials have admitted publicly. Now that the President has promised transparency on NSA surveillance, it’s time for the NSA to come completely clean to the American public. They can start by explaining—in detail—how and why they are obtaining the content of communications transiting telecom networks, which then go into the databases behind NSA programs.

First, the background: on Thursday, the New York Times published a blockbuster story on its front page, detailing how the NSA “is searching the contents of vast amounts of Americans’ e-mail and text communications into and out of the country.” Today, the Guardian published more secret documents and an interview with Sen. Ron Wyden (D-Ore) showing that the NSA has secret permission to search its vast databases of individual Americans’ communications without a warrant.

These stories add to the towering pile of revelations showing that the NSA and the administration are not being honest with the American public – not just omitting classified information, but affirmatively misleading. The government has implied, on numerous occasions, that the content program was narrow, and required a court order for United States persons.

The New York Times explained how the NSA could technically search such vast quantities of email:

Computer scientists said that it would be difficult to systematically search the contents of the communications without first gathering nearly all cross-border text-based data; fiber-optic networks work by breaking messages into tiny packets that flow at the speed of light over different pathways to their shared destination, so they would need to be captured and reassembled.

Sound familiar? That’s because we have known since 2006 that the NSA built a secret room in AT&T’s facilities in San Francisco to do this gathering (plus more). The facilities, including a bank of fiber optic splitters, make a copy of all communications traveling over AT&T’s fiber optic cables connecting AT&T’s network to the Internet.

AT&T whistleblower Mark Klein gave us blueprints and photos of the room, plus descriptions of the filtering and selection technologies inside at the time and we’ve been involved in two long running lawsuits over it ever since. Mark Klein’s evidence indicates several other facilities exist in the Western U.S. plus one in Atlanta. In addition, former NSA mathematician William Binney estimates the NSA did something similar in 10-20 key telecom switches around the country. NSA slides published by the Guardian confirm the NSA has this type of access, and the New York Times story this week just provides the latest evidence.

Nevertheless, the Administration has failed to engage in an honest debate about the splitters. Congress needs to pick up the ball and demand public answers, including:

-how many fiber optic splitters are in operation in the U.S.
-how many splitters (anywhere) divert the communications of U.S. persons?
-how much content is diverted each day? (measured by number of people, number of message, and number of petabytes).
-how much content is stored?
-what type of filters are used, and at what point in the process?

The time for vague dismissals of these charges, or vague, misleading discussions, has past.

View Source