December 23, 2024

Dropbox Got Up to 249 National Security Requests in First Half of 2014

Posted on September 12, 2014 by in Security

Dropbox released another transparency report on Thursday and announced that moving forward, it will do so every six months in an effort to keep the public informed of its interactions with authorities.

Bart Volkmer, a lawyer with the company, revealed in a blog post that Dropbox had received 268 requests for user information from law enforcement agencies between January and June of this year. In addition, while he hasn’t specified an exact number due to restrictions, the Dropbox representative said there had been 0-249 national security requests.

The company received a total of 120 search warrants and provided content (files stored in users’ accounts) and non-content (subscriber information) in 103 cases. In response to 109 subpoenas, the company hasn’t provided law enforcement with any content, but it has produced subscriber details in 89 cases. While many of the requests came from the United States, the report shows that there have been a total of 37 requests from agencies in other countries.

Volkmer has pointed out that while these numbers are small considering that the company has 300 million customers, Dropbox only complies with such requests if all legal requirements are satisfied. He claims cases in which agencies request too much information or haven’t followed proper procedures are “pushed back.”

The report also shows that the rate of data requests from governments remains steady. An interesting aspect is that agencies keep asking Dropbox not to notify targeted users. However, customers are notified as per the company’s policies, except for cases where there’s a valid court order. A total of 42 users were notified when the file sharing service was presented with search warrants, and 47 individuals were informed in the case of subpoenas.

There haven’t been any requests from governments targeting Dropbox for Business accounts, the company said.

“We’ll push for greater openness, better laws, and more protections for your information. A bill currently in Congress would do just that by reining in bulk data collection by the US government and allowing online services to be more transparent about the government data requests they receive,” Volkmer said. “Another would make it clear that government agencies must get a warrant supported by probable cause before they may demand the contents of user communications. We’ll continue to lend our support for these bills and for real surveillance reform around the world.”

While many companies publish transparency reports to keep the public informed of requests from governments, interesting details can also emerge from court documents. A perfect example is a series of recently unsealed documents showing that US authorities threatened to fine Yahoo $250,000 a day if it failed to comply with PRISM, the notorious surveillance program whose existence was brought to light last year by former NSA contractor Edward Snowden.

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Apple iPhone ‘Threat to National Security’: Chinese Media

Posted on July 12, 2014 by in Security

BEIJING – Chinese state broadcaster CCTV has accused US technology giant Apple of threatening national security through its iPhone’s ability to track and time-stamp a user’s location.

The “frequent locations” function, which can be switched on or off by users, could be used to gather “extremely sensitive data”, and even state secrets, said Ma Ding, director of the Institute for Security of the Internet at People’s Public Security University in Beijing.

The tool gathers information about the areas a user visits most often, partly to improve travel advice. In an interview broadcast Friday, Ma gave the example of a journalist being tracked by the software as a demonstration of her fears over privacy.

“One can deduce places he visited, the sites where he conducted interviews, and you can even see the topics which he is working on: political and economic,” she said.

The frequent locations function is available on iOS 7, the operating system used by the current generation of iPhones released in September 2013. “CCTV has only just discovered this?” said one incredulous Chinese microblogger.

The dispute is not the first time Apple has been embroiled in controversy in China, where its products are growing in popularity in a marketplace dominated by smartphones running Google’s Android operating system.

Apple lost a lawsuit against a Chinese state regulator over patent rights to voice recognition software such as the iPhone’s “Siri” just this week.

In March 2013 the Californian company was notably the target of criticism orchestrated by the Chinese media on behalf of consumers, who were critical of poor after-sales service.

And in 2012 the US firm paid $60 million to settle a dispute with another Chinese firm over the iPad trademark.

The privacy scare also reflects mutual distrust between the US and China after a series of allegations from both sides on the extent of cyber-espionage.

Leaks by former US government contractor Edward Snowden have alleged widespread US snooping on China, and this month it was reported Chinese hackers had penetrated computer networks containing personal information on US federal employees.

Apple did not immediately respond when contacted by AFP for comment.


© AFP 2013



Secret Documents Say NSA Had Broad Scope, Scant Oversight: Report

Posted on July 1, 2014 by in Security

WASHINGTON – The US National Security Agency has been authorized to intercept information “concerning” all but four countries worldwide, top-secret documents say, according to The Washington Post.

“The United States has long had broad no-spying arrangements with those four countries – Britain, Canada, Australia and New Zealand,” the Post reported Monday.

Yet “a classified 2010 legal certification and other documents indicate the NSA has been given a far more elastic authority than previously known, one that allows it to intercept through US companies not just the communications of its overseas targets but any communications about its targets as well.”

The certification – approved by the Foreign Intelligence Surveillance Court and included among a set of documents leaked by former NSA contractor Edward Snowden – says 193 countries are “of valid interest for US intelligence.”

The certification also let the agency gather intelligence about entities such as the World Bank, the International Monetary Fund, European Union and the International Atomic Energy Agency, the report said.

“These documents show both the potential scope of the government’s surveillance activities and the exceedingly modest role the court plays in overseeing them,” Jameel Jaffer, deputy legal director for the American Civil Liberties Union who had the documents described to him, told the Post.

The report stresses the NSA did not necessarily target nearly all countries but had authorization to do so.

It should come as cold comfort to Germany, which was outraged by revelations last year that the NSA eavesdropped on Chancellor Angela Merkel’s mobile phone, as well as about wider US surveillance programs of Internet and phone communications.

Germany’s parliament is investigating the extent of spying by the US National Security Agency and its partners on German citizens and politicians, and whether German intelligence aided its activities.

The privacy issue is a particularly sensitive one in formerly divided Germany.

Ties between Washington and Europe more broadly, as well as other nations such as Brazil, have been strained since the revelations, despite assurances from US President Barack Obama that he is ending spy taps on friendly world leaders.

The Obama administration has insisted the NSA needs tools to be able to thwart terror attacks not just against the United States, but also its allies.

Snowden, a 30-year-old former NSA contractor, was granted temporary asylum by Russia last August after shaking the American intelligence establishment to its core with a series of devastating leaks on mass surveillance in the US and around the world.

© AFP 2013



NSA Scoops Up Images for Facial Recognition Programs: Report

Posted on June 1, 2014 by in Security

WASHINGTON – The US National Security Agency is scooping up large quantities of images of people for use in facial recognition programs, the New York Times reported Sunday, citing top secret documents.

The Times said documents, which were obtained from fugitive former US intelligence analyst Edward Snowden, show a significant increase in reliance on facial recognition technology at the agency over the past four years.

The report said the NSA was using new software to exploit a flood of images included in intercepted emails, text messages, social media posts, video conferences and other communications.

It cited leaked 2011 documents as saying the NSA intercepts “millions of images per day,” including 55,000 “facial recognition quality images.”

The images represented “tremendous untapped potential,” according to the report, which said NSA officials believe advances in technology could revolutionize the way the agency finds intelligence targets.

“It’s not just the traditional communications we’re after: It’s taking a full-arsenal approach that digitally exploits the clues a target leaves behind in their regular activities on the net to compile biographic and biometric information” that can help “implement precision targeting,” a 2010 document quoted by the newspaper said.

The Times said it wasn’t clear how many people, including how many Americans, had been caught up in the effort, but noted that neither US privacy laws nor US surveillance laws provide specific protections for facial images.

An NSA spokeswoman said, however, that the agency would be required to get court approval for imagery of Americans it collects through its surveillance programs.

The agency has been at the center of controversy over the scope of its global electronic surveillance program since it was first revealed by Snowden in June 2013.

The former intelligence contractor is in Russia, where he was granted temporary political asylum last year.

© AFP 2013



Yahoo CISO Says Now Encrypting Traffic Between Datacenters, More Encryption Coming

Posted on April 3, 2014 by in Security

Yahoo’s recently-appointed VP of Information Security and CISO said that, as of this week, Internet traffic moving between Yahoo’s data centers is now fully encrypted.

Alex Stamos, who joined the company last month and has been tasked with securing Yahoo’s online products, provided a status update Wednesday on the company’s initiatives to protect users and their data.

The efforts by Yahoo are the latest as Internet and technology firms scramble to boost their security efforts and up encryption after Edward Snowden began to leak classified details on the scope of US government spying.

According to Stamos, the company has accomplished the following:

• Made Yahoo Mail more secure by making browsing over HTTPS the default.

• Enabled encryption of mail between its servers and other mail providers that support the SMTPTLS standard.

• The Yahoo Homepage and all search queries that run on the Yahoo Homepage and most Yahoo properties also have HTTPS encryption enabled by default.

• Implemented the latest in security best-practices, including supporting TLS 1.2, Perfect Forward Secrecy and a 2048-bit RSA key for many of the company’s global properties.

He also said that users can initiate an encrypted session for a variety of the company’s news and media services by typing “https” before the site URL in their web browser.

“One of our biggest areas of focus in the coming months is to work with and encourage thousands of our partners across all of Yahoo’s hundreds of global properties to make sure that any data that is running on our network is secure,” Stamos wrote in a blog post. “Our broader mission is to not only make Yahoo secure, but improve the security of the overall web ecosystem.”

A new, encrypted, version of Yahoo Messenger will be available in the months ahead, Stamos said.

“In addition to moving all of our properties to encryption by default, we will be implementing additional security measures such as HSTS, Perfect Forward Secrecy and Certificate Transparency over the coming months,” Stamos continued. “This isn’t a project where we’ll ever check a box and be ‘finished.’ Our fight to protect our users and their data is an on-going and critical effort. We will continue to work hard to deploy the best possible technology to combat attacks and surveillance that violate our users’ privacy.”

Late last month, Google announced that its Gmail service would use added encryption to protect against eavesdropping and keep messages secure.

In December 2013, a group of US-based Internet giants called on Washington to overhaul its surveillance laws. In an open letter to President Obama and Congress, the tech giants called on Washington to lead the way in a worldwide reform of state-sponsored spying.

In January, President Barack Obama announced plans to curtail the reach of massive phone surveillance sweeps by the NSA, but said bulk data collection must go on to protect America from terrorists.

In December, Microsoft said it would “pursue a comprehensive engineering effort to strengthen the encryption of customer data” in order to protect its customers from prying eyes and increase transparency.

Managing Editor, SecurityWeek.

Previous Columns by Mike Lennon:



US ‘Restrained’ in Cyber Operations – Pentagon Chief

Posted on March 28, 2014 by in Security

WASHINGTON – The United States will show “restraint” in cyber operations outside of US government networks, Secretary of Defense Chuck Hagel said Friday, urging other countries to do the same.

Hagel, speaking at the National Security Agency (NSA) headquarters at Fort Meade, Maryland, said that the Pentagon “does not seek to ‘militarize’ cyberspace.”

Instead, Hagel said that the US government “is promoting the very qualities of the Internet — integrity, reliability, and openness — that have made it a catalyst for freedom and prosperity in the United States, and around the world.”

The remarks came at the retirement ceremony for outgoing NSA chief, General Keith Alexander.

The Pentagon “will maintain an approach of restraint to any cyber operations outside the US government networks. We are urging other nations to do the same,” Hagel said.

He also said that the United States “will continue to take steps to be open and transparent about our cyber capabilities” with Americans, US allies, “and even competitors.”

The idea is to “use the minimal amount of force possible” in cyber operations, a senior defense official told reporters, speaking on condition of anonymity.

This would take place only when it would “either prevent conflict, de-escalate conflict or allow us to use the minimal amount of force,” the official said.

“That is not always the approach that other nations in the world use,” the official said. Although he emphasized that there was “a clear difference” between espionage and cyber operations, restraint is also applicable “for espionage and communications intelligence” at both the NSA and Cyber Command, the official said.

“We think very carefully about the things we do outside of our own network,” the official said. The budget for the Pentagon’s Cyber Command for fiscal 2015 is $5.1 billion. The Command must have 6,000 soldiers by 2016.

Alexander’s successor is a US Navy officer, Vice Admiral Michael Rogers, who will take over as both head of the NSA and Cyber Command.

Hagel is set to begin a tour of Asia next week with a stop in China, where cyberspying will be a hot topic following a report in The New York Times and Germany’s Der Spiegel that the NSA had secretly tapped Chinese telecoms giant Huawei for years.

The NSA had access to Huawei’s email archive, communications between top company officials, and even the secret source code of some of its products, according to the reports based on information provided by fugitive former NSA contractor Edward Snowden.

© AFP 2013



NSA Spies on China Telecoms Giant Huawei: Report

Posted on March 23, 2014 by in Security

WASHINGTON – The US National Security Agency has secretly tapped into the networks of Chinese telecom and internet giant Huawei, the New York Times and Der Spiegel reported on their websites Saturday.

The NSA accessed Huawei’s email archive, communication between top company officials, internal documents, and even the secret source code of individual Huawei products, read the reports, based on documents provided by fugitive NSA contractor Edward Snowden.

“We currently have good access and so much data that we don’t know what to do with it,” states one internal document cited by Der Spiegel.

Huawei — founded in 1987 by former People’s Liberation Army engineer Ren Zhengfei — has long been seen by Washington as a potential security Trojan Horse due to perceived close links to the Chinese government, which it denies.

The United States and Australia have barred Huawei from involvement in broadband projects over espionage fears.


Shenzhen-based Huawei is one of the world’s leading network equipment providers and is the world’s third-largest smartphone vendor.

The original goal of Operation “Shotgiant” was to find links between Huawei and the Chinese military, according to a 2010 document cited by The Times.

But it then expanded with the goal of learning how to penetrate Huawei computer and telephone networks sold to third countries.

“Many of our targets communicate over Huawei-produced products,” the NSA document read, according to The Times.

“We want to make sure that we know how to exploit these products,” it added, to “gain access to networks of interest” around the world.

Huawei is a major competitor to US-based Cisco Systems Inc. – but US officials insist that the spy agencies are not waging an industrial espionage campaign on behalf of US companies, as Snowden has alleged.

“The fact that we target foreign companies for intelligence is not part of any economic espionage,” a senior intelligence official told reporters Thursday.

The goal of economic intelligence efforts is “to support national security interests,” and “not to try to help Boeing,” the official said.


© AFP 2013



Canada’s Eavesdropping Agency Blasts Tradecraft Leak

Posted on February 2, 2014 by in Security

OTTAWA – Canada’s ultra-secret eavesdropping agency on Friday blasted the disclosure of its tradecraft, after it was reported the agency had tracked airline passengers connected to Wi-Fi services at airports.

Communications Security Establishment Canada said: “The unauthorized disclosure of tradecraft puts our techniques at risk of being less effective when addressing threats to Canada and Canadians.”

On Thursday, the Canadian Broadcasting Corporation said documents leaked by fugitive NSA contractor Edward Snowden showed that the CSEC could follow the movements of people who passed through airports and connected to Wi-Fi systems with mobile phones, tablets and laptops.

The documents showed the agency could track the travellers for a week or more as they and their wireless devices showed up in other Wi-Fi “hot spots” in cities across Canada and beyond.

This included people visiting other airports, hotels, coffee shops and restaurants, libraries and ground transportation hubs and other places with public wireless Internet access.

Under Canadian law, the CSEC is prohibited from domestic spying.

But the agency said it is authorized to collect and analyze metadata — the identifying data generated by calls from wireless devices such as caller ID, telephone numbers and user location.

The leaked classified document was “a technical presentation between specialists exploring mathematical models built on everyday scenarios to identify and locate foreign terrorist threats.”

According to the documents, older software took too long to locate targets to be useful. The new software cut the time from more than two hours to several seconds, in tests.

“It is important to note that no Canadian or foreign travelers were tracked. No Canadian communications were, or are, targeted, collected or used,” the CSEC added.

Defense Minister Rob Nicholson, meanwhile, said in Parliament that the CSEC is in “complete compliance with Canadian law.”

© AFP 2013



US Allows Tech Giants to Reveal Spy Agency Demands

Posted on January 28, 2014 by in Security

WASHINGTON – The United States agreed to give technology firms the ability to publish broad details of how their customer data has been targeted by US spy agencies, officials said Monday.

Facing a legal challenge and a furious public debate, Attorney General Eric Holder and Director of National Intelligence James Clapper said the companies would now be allowed to disclose figures on consumer accounts requested.

“The administration is acting to allow more detailed disclosures about the number of national security orders and requests issued to communications providers,” the officials said in a joint statement.

In a letter to tech giants Facebook, Google, LinkedIn, Microsoft and Yahoo, the Justice Department freed them to release the approximate number of customer accounts targeted.

President Barack Obama’s administration has faced pressure from the tech sector following leaked documents outlining vast surveillance of online and phone communications. The companies have said the reports have already begun to affect their business.

Facebook, Google, LinkedIn, Microsoft and Yahoo, which sued for the right to publish more data, said in a joint statement they were pleased with the settlement.

“We filed our lawsuits because we believe that the public has a right to know about the volume and types of national security requests we receive,” the companies said.

“We’re pleased the Department of Justice has agreed that we and other providers can disclose this information. While this is a very positive step, we’ll continue to encourage Congress to take additional steps to address all of the reforms we believe are needed.”

Under the agreement filed with the secretive Foreign Intelligence Surveillance Court, the companies will be able to disclose the numbers, within ranges.

They will have an option to reveal within bands of 1,000 the numbers of “national security letters” and specific court orders. Another option will be to disclose, in bands of 250, all the national security requests, lumped together.

The reports will have a six-month lag time, so data for the second half of 2014 may be published in mid-2015, according to the agreement.

Previously, the existence of orders made by the secret court for access to private online data was itself classified, to the outrage of the firms.

In addition to the bare numbers of targeted consumers, the companies will also be permitted to disclose the number but not the nature of selection criteria for broader Internet sweeps.

Civil liberties groups welcomed the deal, while arguing for even more transparency.

“This is a victory for transparency and a critical step toward reining in excessive government surveillance,” said Alex Abdo, an ACLU attorney.

But Abdo said more is needed: “Congress should require the government to publish basic information about the full extent of its surveillance, including the significant amount of spying that happens without the tech companies’ involvement.”

Kevin Bankston of the New America Foundation’s Open Technology Institute, called the news “an important victory in the fight for greater transparency around the NSA’s surveillance programs” but said the agreement “falls far short of the level of transparency that an unprecedented coalition of Internet companies, privacy advocates and civil liberties organizations called for this summer.”

“Meaningful transparency means giving companies the ability to publish the specific number of requests they receive for specific types of data under specific legal authorities,” Bankston said.

“Fuzzing the numbers into ranges of a thousand — and even worse, lumping all of the different types of surveillance orders into a single number — serves no national security purpose while making it impossible to effectively evaluate how those powers are being used.”

US tech firms have claimed that reports on the US government’s secretive data collection programs have distorted how they work with intelligence and law enforcement. The firms have been asking for permission to disclose more on the nature of the requests and what is handed over.

Google’s petition said that despite reports to the contrary, the US government “does not have direct access to its servers” and that it only complies with “lawful” requests.

The issue caught fire after Edward Snowden, a former IT contractor at the National Security Agency, revealed that US authorities were tapping into Internet user data.

[Updated]

© AFP 2013



US Lawmakers Say Snowden Was ‘Helped’ by Foreign Power

Posted on January 20, 2014 by in Security

WASHINGTON – Edward Snowden may have acted in concert with a foreign power in exposing US surveillance programs, two Republican lawmakers suggested Sunday.

“I think there are some interesting questions we have to answer that certainly would lend one to believe that the Russians had at least in some part something to do” with the affair, House Intelligence Committee chairman Mike Rogers told CBS’s “Face the Nation.”

Rogers, a Republican, said “everything from how he prepared to leave, his route of departure and how he quickly ended up in Moscow” put Snowden’s ties at question.


The “vast majority” of the information leaked by Snowden, Rogers said “had nothing to do with the NSA program and everything to do with our military capabilities, army, navy, air force, marines.”

Rogers, appearing in a second interview on NBC’s “Meet the Press,” said he didn’t think “it was a gee-whiz luck event that he ended up in Moscow under the handling of the FSB” state security agency in Russia.

Michael McCaul, chairman of the House Homeland Security Committee, told ABC’s “This Week” that he didn’t believe “Mr Snowden was capable of doing everything himself.

“I believe he was helped by others,” the congressman said in an interview from Moscow.

McCaul, a Republican, said he could not say “definitively” that Russia was involved, “but I believe he was cultivated.”

US President Barack Obama curtailed the reach of massive US National Security Agency phone surveillance sweeps Friday, in a long-awaited speech designed to quell a furor over the programs exposed by Snowden.

The president, however, also said bulk data collection must go on to protect America from terrorists.

© AFP 2013

